Adeptus-Mechanicus



RPM - MORE THAN INSTALLING

Those of us who run a Linux distribution that uses rpm for its package management are probably well used to the rpm command, especially for installing and uninstalling packages. But rpm has some other handy functions, and here we will be looking at its verification functionality. rpm stores details of every file each package installs, and it can verify installed packages to see whether those details have changed and which ones have changed.

How Is It Done?
Well, this part is simple: just use the -V switch. You can verify either a specific package ( rpm -V <package name> ) or every single package ( rpm -Va ). There are other switches you can use to help trim down the output you get; these are..
What Am I Seeing?
The output you get from running these commands should look something like this:
S.5....T c /etc/inetd.conf
.M....G. c /var/named/chroot/dev/null
.M...... c /var/named/chroot/dev/random
.....U.. c /var/named/chroot/etc/rndc.key
....L... c /etc/localtime
A "." in a column means that test passed; any other character in that column is the letter of the test that failed, so you can see exactly which check did not match.
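As an added example (not part of the original post), here is a small Python parser for rpm -V output that decodes each flag column by position and ranks every line, so an altered non-config file stands out from a routinely edited config file. The sample lines are constructed (two are copied from above, two are made up), and the severity labels are my own assumption about what matters, not anything rpm itself reports.

```python
from dataclasses import dataclass, field

# Verify-flag columns in rpm's output order; older rpm prints 8 columns (no P),
# newer rpm adds P (file capabilities) as a ninth.
FLAG_ORDER = "SM5DLUGTP"
TEST_NAMES = {"S": "size", "M": "mode", "5": "digest", "D": "device", "L": "symlink",
              "U": "owner", "G": "group", "T": "mtime", "P": "caps"}
ATTR_MARKERS = set("cdglr")  # c config, d doc, g ghost, l license, r readme

@dataclass
class VerifyResult:
    path: str
    attr: str = ""                             # "" when no marker was printed
    failed: set = field(default_factory=set)   # tests that failed
    unknown: set = field(default_factory=set)  # tests rpm could not run ("?")
    missing: bool = False                      # file absent from disk

def parse_line(line: str) -> VerifyResult:
    """Parse one line such as 'S.5....T c /etc/inetd.conf'."""
    parts = line.split(maxsplit=2)
    if len(parts) == 3 and parts[1] in ATTR_MARKERS:
        res = VerifyResult(path=parts[2], attr=parts[1])
    else:
        res = VerifyResult(path=" ".join(parts[1:]))
    if parts[0] == "missing":
        res.missing = True
        return res
    for pos, ch in enumerate(parts[0]):
        if ch != ".":                          # "." means the test passed
            name = TEST_NAMES[FLAG_ORDER[pos]]
            (res.unknown if ch == "?" else res.failed).add(name)
    return res

def triage(res: VerifyResult) -> str:
    """Rank a result: an altered binary matters far more than an edited config."""
    content = {"size", "digest", "symlink"} & res.failed
    perms = {"mode", "owner", "group", "caps", "device"} & res.failed
    if res.missing or (res.attr != "c" and (content or perms)):
        return "high"    # non-config file altered or gone: investigate
    if perms:
        return "review"  # config file mode/ownership changed
    if content:
        return "info"    # config edited, usually an admin change
    return "low"         # only mtime changed, or nothing failed

# Constructed sample: two lines quoted on the page plus an altered binary
# and a missing file (constructed, not real output from any host).
SAMPLE = ["S.5....T c /etc/inetd.conf", ".M....G. c /var/named/chroot/dev/null",
          "S.5....T.   /bin/ls", "missing   c /etc/foo.conf"]
```

Feed it the real thing with `rpm -Va` piped line by line into parse_line; a "?" column (a test rpm could not run, for example on an unreadable file) lands in `unknown` rather than being mistaken for a pass.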
Checking Specific Files
This functionality can also be used to check a file you are suspicious of. If you want to check the ls command, for example, you first find the package it came from (rpm -qf /bin/ls), then verify that package (rpm -V coreutils-xxx). If you get nothing back, the file still matches the stored details; if you do get something back, you now know how to read what has changed.

Final Thoughts
While this functionality is useful and can help, I must say that it does not remove the need for a proper host-based IDS with a full suite of system checks. This verification function should be seen as an additional defence against attacks, not the whole defence. Anyway, try it out, have fun, and don't forget the man pages.