Linux - Security
M Mode differs (includes permissions and file type)
5 MD5 sum differs
D Device major/minor number mis-match
L readLink(2) path mis-match
U User ownership differs
G Group ownership differs
T mTime differs
.....U.. /dev/fd1u1120
missing /dev/dri/card2
S.5....T c /etc/syslog.conf
S.5....T c /etc/ldap.conf
missing /var/log/mars_nwe.log
.....U.. /dev/audio1
S.5....T c /etc/sysconfig/rhn/rhn-applet
..5....T c /etc/mime.types
.M...... /dev/shm
On my system there are 283 warnings about the rpm security. I believe that hackers have root access - or is this an rpm bug? On your system, are there also so many errors, or is everything OK?
Please consider what "normal" usage could have changed these attributes, and read and investigate properly before drawing this conclusion. For example, file permissions under /dev may be subject to the rules set up with PAM with respect to base permissions/logins; look in /etc/security.
If you have configured your system to a stable state you could "chattr +iu" critical system config files so they aren't changed unnecessarily every time. Don't forget to unset these bits before installing/upgrading/removing, though.
Also you should know the rpm database is also subject to, erm, self-inflicted corruption and isn't tamper-proof. If you didn't read your results from an off-site rpm database there isn't much value in it for these purposes. Please consider using AIDE, Tripwire, Samhain or an equal product to check for integrity errors on your system (save those DBs off-site, OK). These products will detect "new" files as well, so you can quickly see if there's a hidden dir somewhere. Also you could consider using chkrootkit. Even though it can only detect what it *knows* about with respect to rootkits, it's better than nothing.
On a final note, please realize installing integrity detection usually should be done on a pristine system, I mean in a pre-network-connected state, to be absolutely sure.
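A small triage script for output like the above, added here as an example and not taken from the thread: it parses each rpm -V line and sorts it along the lines of the reply's reasoning (locally edited config files and PAM-adjusted /dev entries are routine; content changes to non-config files are not). The sample input is constructed from lines posted above plus a hypothetical /bin/ls entry, and the bucketing rules are heuristics of this example, not rpm's own.

```python
import re

# Constructed sample: lines from the thread above (old 8-column rpm -V format),
# plus one hypothetical binary to show the "high" bucket.
SAMPLE = """\
.....U.. /dev/fd1u1120
missing /dev/dri/card2
S.5....T c /etc/syslog.conf
missing /var/log/mars_nwe.log
..5....T c /etc/mime.types
.M...... /dev/shm
S.5....T /bin/ls
"""

# rpm -V attribute columns: S M 5 D L U G T (newer rpm adds a ninth, P for capabilities).
FLAG_RE = re.compile(r"^[SM5DLUGTP.?]{8,9}$")
FILE_TYPES = set("cdglr")  # rpm file-type markers: config, doc, ghost, license, readme

def parse_line(line):
    """Return (flags, ftype, path) for one rpm -V line, or None if it is not one."""
    parts = line.split()
    if len(parts) < 2:
        return None
    head, rest = parts[0], parts[1:]
    if head == "missing":
        flags = ""
    elif FLAG_RE.match(head):
        flags = re.sub(r"[.?]", "", head)  # keep only the attributes that differ
    else:
        return None
    ftype = ""
    if len(rest) > 1 and rest[0] in FILE_TYPES:
        ftype, rest = rest[0], rest[1:]
    return flags, ftype, " ".join(rest)

def triage(line):
    """Heuristic bucket for one line: expected | likely-benign | investigate | high."""
    parsed = parse_line(line)
    if parsed is None:
        return None
    flags, ftype, path = parsed
    fl = set(flags)
    if not flags:                                   # "missing": file not on disk at all
        level = "investigate"
    elif ftype == "c" and fl <= {"S", "5", "T"}:    # edited config file: routine
        level = "expected"
    elif path.startswith("/dev/") and fl <= {"U", "G", "M"}:
        level = "likely-benign"                     # pam_console-style owner/mode changes
    elif fl & {"5", "S"}:                           # content of a non-config file changed
        level = "high"
    else:
        level = "investigate"
    return path, flags, ftype, level

def triage_report(text):
    """Triage every line of rpm -V output; returns a list of (path, flags, ftype, level)."""
    return [v for v in map(triage, text.splitlines()) if v]
```

Run it over `rpm -Va` output and look at the "high" and "investigate" buckets first; as the reply says, the verdict is only as trustworthy as the rpm database it was checked against.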