LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 08-23-2002, 06:20 PM   #1
klickibunti
LQ Newbie
 
Registered: Aug 2002
Distribution: Red Hat Psyche
Posts: 18

Rep: Reputation: 0
rpm --verify -a > rpmcheck.txt Question


Hello

Here is a short descripten (from man rpm)

S file Size differs

M Mode differs (includes permissions and file type)

5 MD5 sum differs

D Device major/minor number mis-match

L readLink(2) path mis-match

U User ownership differs

G Group ownership differs

T mTime differs

.....U.. /dev/fd1u1120
missing /dev/dri/card2
S.5....T c /etc/syslog.conf
S.5....T c /etc/ldap.conf
missing /var/log/mars_nwe.log
.....U.. /dev/audio1
S.5....T c /etc/sysconfig/rhn/rhn-applet
..5....T c /etc/mime.types
.M...... /dev/shm


at my system there are 283 warnings about the rpm security. I believe that hackers have root access - or is this a rpm bug? at your system, are there also so much errors or is all ok?

thanx for help

cheers klickibunti
 
Old 08-24-2002, 11:06 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3599Reputation: 3599Reputation: 3599Reputation: 3599Reputation: 3599Reputation: 3599Reputation: 3599Reputation: 3599Reputation: 3599Reputation: 3599Reputation: 3599
Please consider what "normal" usage could have changed these attributes and read and investigate properly before drawing this conclusion. For example file permissions under /dev may be subject to the rules set up with PAM wrt to base permissions/ logins; look in /etc/security.

If you have configured your system to a stable state you could "chattr +iu" critical system config files so they aren't changed unnecessarily every time. Don't forget to unset these bits before installing/upgrading/removing tho.

Also you should know the rpm database is also subject to erm, self-inflicted corruption and isn't tamper-proof. If you didn't read your results from an off-site rpm database there isn't much value in it for these purposes. Please consider using Aide, Tripwire, Samhain or equal product to check for integrity errors on your system (save those db's off-site ok). These products will detect "new" files as well, so you can quickly see if there's a hidden dir somewhere. Also you could consider using Chkrootkit. Even tho it can only detect what it *knows* about wrt rootkits, it's better than nothing.
 
Old 08-25-2002, 02:24 PM   #3
klickibunti
LQ Newbie
 
Registered: Aug 2002
Distribution: Red Hat Psyche
Posts: 18

Original Poster
Rep: Reputation: 0
thanx a lot for your answer. such relevant commands like netstat an ps are unchanged. Chkrootkid detect nothing... i will install tools like tripwire

greetz
klickibunti
 
Old 08-26-2002, 01:39 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3599Reputation: 3599Reputation: 3599Reputation: 3599Reputation: 3599Reputation: 3599Reputation: 3599Reputation: 3599Reputation: 3599Reputation: 3599Reputation: 3599
On a final note, plz realize installing integrity detection usually should be done on a pristine system, I mean pre-network connected state to be absolutely sure.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
How to verify signature ? visu Linux - Newbie 5 05-07-2009 06:25 PM
verify before continue - how to? babag Programming 8 05-05-2005 06:28 AM
Verify a CD-ROM VorlonInfoTech Linux - Hardware 1 03-07-2005 03:37 AM
rpm --verify -a question linuxtesting2 Red Hat 1 05-15-2004 01:39 AM
rpm --verify net-tools gives pre link errors abefroman Fedora - Installation 0 04-11-2004 11:42 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 03:00 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration