[wplug] System file permission, owner and group auditing utility

Jonathan Billings jsbillings at gmail.com
Mon Apr 11 11:14:00 EDT 2005


On Apr 11, 2005 11:06 AM, Poyner, Brandon <bpoyner at ccac.edu> wrote:
> You can run a 'rpm -Va' to verify all rpm packages.  It's far from a complete audit but it's one utility you can use.  It returns information on files that differ from the RPM installed versions.  If somebody has modified the RPM database or installed their own RPM on top of your RPM this won't be of much use.
> 
>        S file Size differs
>        M Mode differs (includes permissions and file type)
>        5 MD5 sum differs
>        D Device major/minor number mismatch
>        L readLink(2) path mismatch
>        U User ownership differs
>        G Group ownership differs
>        T mTime differs

You should realize that if you are using the signatures stored in the
RPM database as a mechanism for determining whether a system has been
hacked or not, hackers could just as easily install a trojaned 'rpm'
binary, or even install an RPM package (with the appropriate
signatures) to obscure their intrusion.

-- 
  Jonathan Billings
jsbillings at gmail.com
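
An added example, not part of the original thread: a small Python parser for the 'rpm -Va' output format quoted above, listing files whose mode, user or group differ. The sample lines are constructed, and the attribute markers (c, d, g, l, r) and the tolerated 'P' and '?' characters come from rpm's documented verify output, not from this post.

```python
import sys

# Flag letters as listed in the quoted 'rpm -Va' legend.
FLAGS = {"S": "size", "M": "mode", "5": "md5", "D": "device",
         "L": "symlink", "U": "user", "G": "group", "T": "mtime"}
FILE_ATTRS = set("cdglr")        # config, doc, ghost, license, readme markers
ALLOWED = set(FLAGS) | set(".?P")  # '.' passed, '?' not testable, 'P' capabilities
OWNERSHIP = {"mode", "user", "group"}

# Constructed sample output, including a non-status line rpm may print.
SAMPLE = """\
S.5....T c /etc/ssh/sshd_config
.M...UG.   /usr/bin/passwd
..5....T   /bin/ls
missing    /usr/share/doc/foo/README
.....U.. c /etc/my app.conf
Unsatisfied dependencies for foo-1.0-1: bar
""".splitlines()

def parse_line(line):
    """Return (changes, attr, path) for one verify line, or None if not one."""
    parts = line.rstrip("\n").split(None, 1)
    if len(parts) != 2:
        return None
    status, rest = parts
    attr = None
    head = rest.split(None, 1)
    if len(head) == 2 and head[0] in FILE_ATTRS and head[1].startswith("/"):
        attr, rest = head
    if status == "missing":
        return ({"missing"}, attr, rest)
    if not set(status) <= ALLOWED:
        return None              # dependency messages, errors, other noise
    return ({FLAGS[c] for c in status if c in FLAGS}, attr, rest)

def findings(lines, wanted=OWNERSHIP):
    """List (path, changed attributes, is_config) for lines matching 'wanted'."""
    out = []
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[0] & set(wanted):
            changes, attr, path = parsed
            out.append((path, sorted(changes & set(wanted)), attr == "c"))
    return out

if __name__ == "__main__":
    # Pipe 'rpm -Va' in on stdin; with no pipe, the constructed sample is used.
    for item in findings(SAMPLE if sys.stdin.isatty() else sys.stdin):
        print(item)
```

As the reply above points out, this output is only as trustworthy as the rpm binary and database that produced it.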

