9.2.2. RPM as an IDS

The RPM Package Manager (RPM) is another program that can be used as a host-based IDS. RPM contains various options for querying packages and their contents. These verification options can be invaluable to an administrator who suspects that critical system files and executables have been modified.
The following list details some RPM options that can verify file integrity on a Red Hat Enterprise Linux system. Refer to the System Administrators Guide for complete information about using RPM.

Important

Some of the commands in the following list require the importation of the Red Hat GPG public key into the system's RPM keyring. This key verifies that packages installed on the system carry a Red Hat package signature, which ensures that the packages originated from Red Hat. The key can be imported by issuing the following command as root (substituting <version> with the version of RPM installed on the system):
rpm --import /usr/share/doc/rpm-<version>/RPM-GPG-KEY
rpm -V package_name
The -V option verifies the files in the installed package called package_name. If it shows no output and exits, this means that none of the files have been modified in any way since the last time the RPM database was updated. If there is an error, such as the following
S.5....T c /bin/ps
then the file has been modified in some way and you must assess whether to keep the file (such as with modified configuration files in the /etc/ directory) or delete the file and reinstall the package that contains it. The following list defines the elements of the 8-character string (S.5....T in the above example) that reports a verification failure.
  • . — The test has passed this phase of verification
  • ? — The test has found a file that could not be read, which is most likely a file permission issue
  • S — The test has encountered a file that is smaller or larger than it was when originally installed on the system
  • 5 — The test has found a file whose md5 checksum does not match the original checksum of the file when first installed
  • M — The test has detected a file permission or file type error on the file
  • D — The test has encountered a device file mismatch in major/minor number
  • L — The test has found a symbolic link that has been changed to another file path
  • U — The test has found a file that had its user ownership changed
  • G — The test has found a file that had its group ownership changed
  • T — The test has encountered mtime verification errors on the file
rpm -Va
The -Va option verifies all installed packages and finds any failure in its verification tests (much like the -V option, but more verbose in its output since it is verifying every installed package).
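As an added example (it is not Red Hat's code and not part of the original guide), the following Python script decodes rpm -V output lines into the fields listed above and rates each finding the way the text suggests: an edited configuration file (the c attribute) is something to assess, while a changed file under a system binary directory is treated as a possible replaced executable such as the /bin/ps case above. The sample output it parses is constructed, the line starting with "missing" is what rpm prints for a package-owned file that no longer exists, and the binary directory list and severity thresholds are assumptions of this example rather than anything the guide specifies.

```python
"""Parse and triage the output of rpm -V / rpm -Va (added example, not Red Hat's code)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# What each letter in the verification string means (from the list in the text).
FLAG_MEANINGS = {
    "S": "size differs",
    "M": "mode (permissions or file type) differs",
    "5": "md5 checksum differs",
    "D": "device major/minor number mismatch",
    "L": "symbolic link points elsewhere",
    "U": "user ownership changed",
    "G": "group ownership changed",
    "T": "mtime differs",
}

# Flags that mean the file's content, type or ownership changed (as opposed to
# a bare timestamp change); these are what matter for a replaced-binary check.
CONTENT_FLAGS = {"S", "M", "5", "D", "L", "U", "G"}

# Assumed directories holding executables and libraries; an unexplained content
# change there is the classic sign of a replaced system binary such as /bin/ps.
BINARY_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/",
               "/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/libexec/")

# One rpm -V line: the 8-character test string (or the word "missing" when the
# file is absent), an optional file attribute such as "c" for config files, and the path.
VERIFY_RE = re.compile(
    r"^(?P<flags>[S.?M5DLUGT]{8}|missing)\s+"
    r"(?:(?P<attr>[cdglr])\s+)?"
    r"(?P<path>/\S.*)$"
)


@dataclass
class Finding:
    path: str
    flags: str
    attr: str          # "c" = configuration file, "" = ordinary file
    severity: str      # "high", "medium", "low" or "info"
    reasons: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (flags, attr, path) for one rpm -V output line, or None if it is not one."""
    m = VERIFY_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    return m.group("flags"), m.group("attr") or "", m.group("path")


def triage(line: str) -> Optional[Finding]:
    """Decode one rpm -V line and rate how much attention it deserves."""
    parsed = parse_line(line)
    if parsed is None:
        return None
    flags, attr, path = parsed

    if flags == "missing":
        return Finding(path, flags, attr, "high", ["file listed in the package is missing"])

    failed = {ch for ch in flags if ch in FLAG_MEANINGS}
    reasons = [FLAG_MEANINGS[ch] for ch in flags if ch in FLAG_MEANINGS]
    if "?" in flags:
        reasons.append("a test could not be run (file unreadable, most likely a permission issue)")

    if attr == "c" and failed <= {"S", "5", "T"}:
        # An edited configuration file: expected on an administered host, so assess rather than alarm.
        severity = "low"
    elif path.startswith(BINARY_DIRS) and failed & CONTENT_FLAGS:
        # Content, mode or ownership of an executable or library changed: possible replaced binary.
        severity = "high"
    elif failed & CONTENT_FLAGS or "?" in flags:
        severity = "medium"
    else:
        severity = "info"   # only the mtime differs
    return Finding(path, flags, attr, severity, reasons)


SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2, "info": 3}


def triage_report(output: str) -> List[Finding]:
    """Triage a whole rpm -Va capture, worst findings first."""
    findings = [f for f in (triage(ln) for ln in output.splitlines()) if f is not None]
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f.severity], f.path))


# Constructed sample of rpm -Va output (not a real capture); the /bin/ps line
# mirrors the example given in the text.
SAMPLE_OUTPUT = """\
S.5....T c /etc/ssh/sshd_config
S.5....T   /bin/ps
.......T   /usr/share/doc/example-1.0/README
..?.....   /usr/share/example/private.dat
missing   c /etc/example.conf
.M....G.   /usr/sbin/exampled
"""

if __name__ == "__main__":
    for f in triage_report(SAMPLE_OUTPUT):
        print(f"{f.severity:<6} {f.flags:<8} {f.attr or '-'} {f.path}: {'; '.join(f.reasons)}")
```

In practice the output of rpm -Va would be piped into triage_report in place of SAMPLE_OUTPUT; the point of decoding by letter rather than by position is that each flag identifies itself, so the same parser also copes with the 8-character string documented here regardless of which test sits in which column.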
rpm -Vf /bin/ls
The -Vf option verifies individual files in an installed package. This can be useful when performing a quick verification of a suspect file.
rpm -K application-1.0.i386.rpm
The -K option is useful for checking the md5 checksum and the GPG signature of an RPM package file. This is useful for checking whether a package about to be installed is signed by Red Hat or any organization for which you have the GPG public key imported into a GPG keyring. A package that has not been properly signed triggers an error message similar to the following:
application-1.0.i386.rpm (SHA1) DSA sha1 md5 (GPG) NOT OK
    (MISSING KEYS: GPG#897da07a)
Exercise caution when installing packages that are unsigned, as they are not approved by Red Hat, Inc. and could contain malicious code.
RPM can be a powerful tool, as evidenced by its many verification tools for installed packages and RPM package files. It is strongly recommended that the contents of the RPM database directory (/var/lib/rpm/) be backed up to read-only media, such as CD-ROM, after installation of Red Hat Enterprise Linux. Doing so allows verification of files and packages against the read-only database, rather than against the database on the system, as malicious users may corrupt the database and skew the results.
© 2024 Red Hat, Inc.