LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 11-19-2013, 07:40 PM   #1
munkz
Member
 
Registered: Aug 2013
Location: A couch
Distribution: linux
Posts: 69

Rep: Reputation: 2
Questions regarding rpm -Va


Hi,

I am in the process of getting a better understanding of securing a linux system based on what is installed.

I started with rkhunter, setting it to use rpm for package verification. This was done on a fresh installation that had only been updated a few seconds before I ran the commands listed below.

To start, rkhunter was letting me know that rpm was having some issues verifying the files.

Sample of what the full log entry looks like:
Code:
[14:05:27]   /usr/bin/basename                               [ Warning ]
[14:05:27] Warning: Package manager verification has failed:
[14:05:27]          File: /usr/bin/basename
[14:05:27]          Try running the command 'prelink /usr/bin/basename' to resolve dependency errors.
[14:05:27]          The file hash value has changed
[14:05:27]          The file size has changed
[14:05:27]   /usr/bin/bash                                   [ Warning ]
[14:05:28] Warning: Package manager verification has failed:
[14:05:28]          File: /usr/bin/bash
[14:05:28]          Try running the command 'prelink /usr/bin/bash' to resolve dependency errors.
[14:05:28]          The file hash value has changed
[14:05:28]          The file size has changed
[14:05:28]   /usr/bin/cat                                    [ Warning ]
[14:05:28] Warning: Package manager verification has failed:
[14:05:28]          File: /usr/bin/cat
[14:05:28]          Try running the command 'prelink /usr/bin/cat' to resolve dependency errors.
[14:05:28]          The file hash value has changed
[14:05:28]          The file size has changed
[14:05:28]   /usr/bin/chattr                                 [ Warning ]
[14:05:28] Warning: Package manager verification has failed:
[14:05:28]          File: /usr/bin/chattr
[14:05:28]          Try running the command 'prelink /usr/bin/chattr' to resolve dependency errors.
Full list of files shown affected in the manner listed above:
Code:
[14:05:27]   /usr/bin/basename                               [ Warning ]
[14:05:27]   /usr/bin/bash                                   [ Warning ]
[14:05:28]   /usr/bin/cat                                    [ Warning ]
[14:05:28]   /usr/bin/chattr                                 [ Warning ]
[14:05:29]   /usr/bin/chmod                                  [ Warning ]
[14:05:30]   /usr/bin/chown                                  [ Warning ]
[14:05:30]   /usr/bin/cp                                     [ Warning ]
[14:05:31]   /usr/bin/cut                                    [ Warning ]
[14:05:31]   /usr/bin/date                                   [ Warning ]
[14:05:32]   /usr/bin/df                                     [ Warning ]
[14:05:33]   /usr/bin/dirname                                [ Warning ]
[14:05:34]   /usr/bin/du                                     [ Warning ]
[14:05:34]   /usr/bin/echo                                   [ Warning ]
[14:05:35]   /usr/bin/env                                    [ Warning ]
[14:05:36]   /usr/bin/groups                                 [ Warning ]
[14:05:37]   /usr/bin/head                                   [ Warning ]
[14:05:37]   /usr/bin/id                                     [ Warning ]
[14:05:38]   /usr/bin/killall                                [ Warning ]
[14:05:39]   /usr/bin/less                                   [ Warning ]
[14:05:39]   /usr/bin/ls                                     [ Warning ]
[14:05:40]   /usr/bin/lsattr                                 [ Warning ]
[14:05:40]   /usr/bin/md5sum                                 [ Warning ]
[14:05:41]   /usr/bin/mktemp                                 [ Warning ]
[14:05:42]   /usr/bin/mv                                     [ Warning ]
[14:05:43]   /usr/bin/pstree                                 [ Warning ]
[14:05:44]   /usr/bin/pwd                                    [ Warning ]
[14:05:45]   /usr/bin/readlink                               [ Warning ]
[14:05:46]   /usr/bin/runcon                                 [ Warning ]
[14:05:46]   /usr/bin/sha1sum                                [ Warning ]
[14:05:47]   /usr/bin/sha224sum                              [ Warning ]
[14:05:48]   /usr/bin/sha256sum                              [ Warning ]
[14:05:48]   /usr/bin/sha384sum                              [ Warning ]
[14:05:49]   /usr/bin/sha512sum                              [ Warning ]
[14:05:50]   /usr/bin/sort                                   [ Warning ]
[14:05:50]   /usr/bin/stat                                   [ Warning ]
[14:05:51]   /usr/bin/tail                                   [ Warning ]
[14:05:52]   /usr/bin/test                                   [ Warning ]
[14:05:52]   /usr/bin/touch                                  [ Warning ]
[14:05:53]   /usr/bin/tr                                     [ Warning ]
[14:05:54]   /usr/bin/uname                                  [ Warning ]
[14:05:54]   /usr/bin/uniq                                   [ Warning ]
[14:05:55]   /usr/bin/users                                  [ Warning ]
[14:05:56]   /usr/bin/wc                                     [ Warning ]
[14:05:56]   /usr/bin/which                                  [ Warning ]
[14:05:57]   /usr/bin/who                                    [ Warning ]
[14:05:57]   /usr/bin/whoami                                 [ Warning ]
[14:05:58]   /usr/bin/gawk                                   [ Warning ]
[14:06:00]   /usr/sbin/chroot                                [ Warning ]
[14:06:03]   /usr/sbin/lsof                                  [ Warning ]
Seeing the above, I wanted to see what rpm was reporting. Being that this was a new installation, it seemed like possible false positives. That said, I grabbed a few of the above files to see what was going on.

In short, I can not really figure out what's going on. Yet. Any ideas?
 
Old 11-19-2013, 10:58 PM   #2
munkz
Member
 
Registered: Aug 2013
Location: A couch
Distribution: linux
Posts: 69

Original Poster
Rep: Reputation: 2
Hi,

So I think it was related to prelink. Going off information in a post over at http://lists.centos.org/pipermail/ce...er/049222.html . While I am not sure if what I did is the best thing to do in a case where checking all the system files is what is wanted. Anyway, this got rid of the issue of the unverifiable files:

Code:
/usr/sbin/prelink -av -mR
Hope this helps anyone else that comes across this.
 
Old 11-20-2013, 01:55 PM   #3
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 781
I've run into that problem with prelink too and had to undo the modifications. As it modifies the system binaries in order to speed up loading and execution, it is pretty well guaranteed to conflict with security checks designed to verify their integrity.
 
Old 11-20-2013, 02:00 PM   #4
munkz
Member
 
Registered: Aug 2013
Location: A couch
Distribution: linux
Posts: 69

Original Poster
Rep: Reputation: 2
Until I hear otherwise, I have turned off prelink. I don't see a small speed increase for dynamic libs or whatever being worth the freak out it caused. Nothing was matching rpm's db.

A two week wait for prelink to rebuild might throw off times for matching stat times with file changes as well. From a security standpoint it seems like a nightmare.
Still learning though..
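Added example (not code from the thread or from rkhunter/rpm): a small Python triage script for the situation described in post #1 and post #3, where rkhunter's package-manager check fails on many binaries because prelink has rewritten them. It parses the "[ Warning ]" / "The file ... has changed" lines in rkhunter's log format, parses raw rpm -V output, and sorts each flagged file into a bucket: changes limited to size and digest (the two reasons the thread's rkhunter output lists) are marked as prelink candidates to re-check after running prelink or disabling it, while mode, owner, group, link or mtime changes are sent for manual review because prelink does not explain them. The sample log and rpm -V output below are constructed, and the attribute policy is this example's own assumption, not rkhunter's or rpm's logic.

```python
"""Triage rkhunter 'Package manager verification has failed' warnings
against rpm -V output. Sample inputs are constructed for this example."""
import re

# Constructed excerpt in the rkhunter log format shown in the thread.
RKHUNTER_LOG = """\
[14:05:27]   /usr/bin/basename                               [ Warning ]
[14:05:27] Warning: Package manager verification has failed:
[14:05:27]          File: /usr/bin/basename
[14:05:27]          Try running the command 'prelink /usr/bin/basename' to resolve dependency errors.
[14:05:27]          The file hash value has changed
[14:05:27]          The file size has changed
[14:05:28]   /usr/bin/ls                                     [ Warning ]
[14:05:28] Warning: Package manager verification has failed:
[14:05:28]          File: /usr/bin/ls
[14:05:28]          The file hash value has changed
[14:05:28]   /usr/bin/pstree                                 [ Warning ]
[14:05:28] Warning: Package manager verification has failed:
[14:05:28]          File: /usr/bin/pstree
[14:05:28]          The file hash value has changed
"""

# Constructed rpm -Va output: nine attribute columns (S size, M mode, 5 digest,
# D device, L link, U user, G group, T mtime, P caps), optional file-type
# marker (c = config), then the path. Files that verify print nothing.
RPM_VA = """\
S.5......    /usr/bin/basename
.M.......    /usr/bin/pstree
.....UG..    /usr/sbin/chroot
S.5....T.  c /etc/rkhunter.conf
missing     /usr/bin/lsof
"""

RK_WARNING = re.compile(r"^\[\d\d:\d\d:\d\d\]\s+(/\S+)\s+\[ Warning \]\s*$")
RK_DETAIL = re.compile(r"^\[\d\d:\d\d:\d\d\]\s{6,}(The file .+?)\s*$")
RPM_LINE = re.compile(
    r"^(?P<flags>missing|[SM5DLUGTP.?]{8,9})\s+(?:(?P<marker>[cdglr])\s+)?(?P<path>/\S+)\s*$"
)

# Assumption of this example: size and digest are the attributes prelink
# rewrites, so a file whose only changes are S and/or 5 is a prelink candidate.
PRELINK_ATTRS = frozenset("S5")


def parse_rkhunter_warnings(log_text):
    """Map each file rkhunter flagged to the 'The file ...' reasons it gave."""
    warnings, current = {}, None
    for line in log_text.splitlines():
        m = RK_WARNING.match(line)
        if m:
            current = m.group(1)
            warnings[current] = []
            continue
        m = RK_DETAIL.match(line)
        if m and current:
            warnings[current].append(m.group(1))
    return warnings


def parse_rpm_verify(output):
    """Map each path in rpm -V output to (flags, marker)."""
    entries = {}
    for line in output.splitlines():
        m = RPM_LINE.match(line)
        if m:
            entries[m.group("path")] = (m.group("flags"), m.group("marker"))
    return entries


def classify(flags, marker):
    """Bucket one rpm -V line for follow-up."""
    if flags == "missing":
        return "missing"
    changed = {c for c in flags if c not in ".?"}
    if not changed:
        return "clean"
    if marker == "c":
        return "config-edit"          # local edits to %config files are expected
    if changed <= PRELINK_ATTRS:
        return "prelink-candidate"    # re-verify after prelink/undo, then decide
    return "review"                   # mode/owner/group/link/mtime: not prelink


def triage(rk_log, rpm_output):
    """For every file rkhunter flagged, report what rpm -V says about it."""
    rpm_entries = parse_rpm_verify(rpm_output)
    result = {}
    for path in parse_rkhunter_warnings(rk_log):
        if path in rpm_entries:
            result[path] = classify(*rpm_entries[path])
        else:
            result[path] = "clean"    # rpm -V is silent for files that verify
    return result


if __name__ == "__main__":
    for path, bucket in sorted(triage(RKHUNTER_LOG, RPM_VA).items()):
        print(f"{bucket:18} {path}")
```

On a real host the two constructed strings would be replaced by the rkhunter log file and the output of `rpm -Va`; the point of the split is that the rkhunter warning alone cannot tell a prelinked binary from a modified one, while the rpm -V attribute columns can narrow it down before anyone runs prelink again or disables it.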
Tags
fedora, rkhunter warning, rpm