Using RPM Verify to Monitor Changes to System Files

Novell Cool Solutions: Feature
By Kirk Coombs

Posted: 20 Oct 2005
 

Applies To:

  • SUSE Linux
  • SUSE Linux Enterprise Server
  • Open Enterprise Server
  • Novell Linux Desktop

Purpose

It is important for administrators of critical server systems to be able to track changes to files on their systems. Tracking file changes helps detect accidental or malicious modifications such as viruses, root kits, or hacking activity. RPM, the package management system used for all Novell Linux distributions, provides an easy mechanism for tracking these changes. When a package is installed, the RPM database stores information about each file belonging to that package, including, among other attributes, its size, modification date, and MD5 sum. This recorded data can later be compared against the files actually present on the system to detect any changes.

Syntax

Verifications are performed with the rpm command and the -V flag. This command should be executed as root so that all file attributes can be read from the system without file permissions getting in the way. For example:

...to verify all files in the RPM database:

# rpm -Va

...to verify all files belonging to a package, packagename:

# rpm -V packagename

...to verify all files belonging to a particular RPM file (local, FTP, HTTP):

# rpm -V path_to_the_file.rpm

All applicable files are checked, and only files with discrepancies are shown. For each such file the output is a string of eight characters, one per checked attribute, followed by an optional attribute marker and the file path. A letter in the eight-character string indicates that the corresponding attribute (size, permissions, MD5 sum, etc.) differs from the RPM database, while a dot indicates that it matched. The characters are listed in Table 1. The attribute marker indicates if the file is marked as a special type of file, such as a configuration or documentation file. The marker types are listed in Table 2.

Table 1: Verification characters (in output order)

  S   file Size differs
  M   Mode differs (includes permissions and file type)
  5   MD5 sum differs
  D   Device major/minor number mismatch
  L   readLink(2) path mismatch
  U   User ownership differs
  G   Group ownership differs
  T   mTime differs

Table 2: Attribute markers

  c   %config   configuration file
  d   %doc      documentation file
  g   %ghost    file (i.e. the file contents are not included in the package payload)
  l   %license  license file
  r   %readme   readme file

For example:

S.5....T c /etc/isdn/isdn.conf

This example shows that the configuration file /etc/isdn/isdn.conf has a different size, MD5 sum, and modification time than the RPM database has on record. In this case, this is probably okay--it is a configuration file, and it is normal for configuration files to change.

Example Use

The files on a system will never exactly match the RPM database. This is mainly due to changes in configuration files, but can be a result of other software changes as well. It is recommended to create a list of changed files after a system has been initially installed and configured. Later, this list can be compared against a new check to show any changes since the system was initially installed. For example, on a fresh SLES 9 system rpm -Va may return something similar to the following:

# rpm -Va > original_files
# cat original_files
missing    /etc/opt/gnome/gconf/preconf
missing    /etc/opt/gnome/gconf/preconf/schemas
missing    /etc/opt/gnome/gconf/su
missing    /etc/opt/gnome/gconf/su/schemas
--snip--
S.5....T c /etc/openldap/slapd.conf
.....UG. c /var/lib/ldap/DB_CONFIG
S.5....T c /etc/postfix/main.cf
S.5....T c /etc/postfix/master.cf
S.5....T c /etc/postfix/sasl_passwd
.M...... c /etc/fetchmailrc
S.5....T c /etc/named.conf
.M...... g /var/lib/named/dev/log

Later a file such as /etc/ntp.conf may be modified.

Now, a new rpm -Va command, coupled with a diff against the original dump shows the change:

# rpm -Va > changes
# diff original_files changes
47a48
> S.5....T c /etc/ntp.conf

If these checks are performed regularly and files that are not expected to change (binaries, libraries, or other non-configuration files) show up as modified, it may be a sign that further investigation is needed.
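As an added example (not part of the original article), the following POSIX shell script automates the baseline-and-diff procedure above and goes one step further: it filters the new entries down to non-configuration, non-ghost files whose MD5 sum or mode changed, which are the entries worth investigating first. The function names and the embedded sample dumps are constructed for illustration.

```shell
#!/bin/sh
# Compare two saved "rpm -Va" dumps (baseline vs. current) and flag entries
# that deserve attention. Assumption: the dumps are plain text files made
# with "rpm -Va > file", one entry per line as shown in the article.

# Print entries present in the current dump but absent from the baseline.
# $1 = baseline dump, $2 = current dump
rpmv_new_entries() {
    grep -vxF -f "$1" "$2"
}

# Read rpm -V lines on stdin and keep only those where a file that carries
# no attribute marker (i.e. not %config, %doc, %ghost, %license, %readme)
# has a changed MD5 sum (column 3, "5") or mode (column 2, "M").
# "missing" lines are skipped here; they are reviewed separately.
rpmv_suspicious() {
    awk '
        $1 == "missing"                    { next }
        NF >= 3 && length($2) == 1         { next }   # has an attribute marker
        substr($1, 3, 1) == "5" || substr($1, 2, 1) == "M" { print }
    '
}

# Demonstration on constructed sample dumps: the baseline contains the
# expected config/ghost noise; the current dump adds an edited config file
# (expected) plus a changed /bin/ls and a re-moded /usr/bin/passwd (not).
rpmv_demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/original_files" <<'EOF'
missing    /etc/opt/gnome/gconf/preconf
S.5....T c /etc/openldap/slapd.conf
.M...... g /var/lib/named/dev/log
EOF
    cat > "$tmp/changes" <<'EOF'
missing    /etc/opt/gnome/gconf/preconf
S.5....T c /etc/openldap/slapd.conf
.M...... g /var/lib/named/dev/log
S.5....T c /etc/ntp.conf
S.5....T   /bin/ls
.M......   /usr/bin/passwd
EOF
    rpmv_new_entries "$tmp/original_files" "$tmp/changes" | rpmv_suspicious
    rm -rf "$tmp"
}
```

Running `rpmv_demo` prints only the /bin/ls and /usr/bin/passwd entries; the edited /etc/ntp.conf is reported by the diff but dropped by the filter because it is a %config file.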

Offline Checks

RPM verifications are an easy way to monitor changes to a system, but offer no guarantee that all malicious intrusions are detected. This is especially true in the case of root kits, which change fundamental system commands to hide themselves. If a root kit has modified the right commands or libraries, the rpm verify command itself may produce incorrect results. To be sure that essential files have not been modified by a root kit, it is necessary to do an offline check, booting from the installation media used to install the system rather than from the possibly compromised system itself.

  1. Insert disk 1 of the installation media and boot the system.
  2. When the GRUB boot screen appears, select Installation.
  3. When the YaST installation program launches, accept the license agreement.
  4. Select the desired language and choose Accept.
  5. A dialog appears prompting for the installation type. Choose Repair Installed System.
  6. Select Expert Tools.
  7. Select Verify Installed Software.

The files of the installed system are scanned, and a report is generated which is very similar to the output of rpm -Va (see Figure 1).

Figure 1: Report produced by Verify Installed Software (image not reproduced in this text)

Final Thoughts

RPM verify is a powerful tool for monitoring file system changes. When used on critical systems it can prove valuable in detecting both system attacks and accidental changes. It is important to remember, however, that it is no replacement for good sense, firewalls, anti-virus tools, and other security measures.
