rpm -V verify purpose


I am told I should do rpm -Va because:

"operating system must be configured so that the cryptographic hash of system files and commands matches vendor values... Without cryptographic integrity protections, system command and files can be altered by unauthorized users without detection"

So a rpm -Va | grep '^..5' is done and if anything comes back that is supposed to be a problem.

From a clean install from DVD I can successfully meet that criteria.

However, I am also told to configure files such as /etc/ssh/sshd_config and /etc/audit/audit.rules not to mention some obvious other ones to make a system functional, and changing these of course results in these files not matching vendor values, thus the rpm -Va comes back with mainly S.5....T

Can someone explain the purpose or rationale of this? As well as how grep '^..5' is supposed to work? Is there a way to make this work such that -- yeah, I changed a .conf file, but have rpm be updated to not flag specified packages as having been altered?










      security rpm






      edited Mar 28 at 19:22
      Jeff Schaller

      asked Mar 28 at 17:58
      ronron

          1 Answer
          To take the easy part first, the grep '^..5' portion investigates the output for lines that start with any two characters followed by a 5. That 5 represents (from man rpm):

          5 digest (formerly MD5 sum) differs

          as a fairly good indicator that the corresponding file has changed.

          Next, I would encourage any rpm -Va | grep ... investigation to ignore config files. These are files, like you point out, that are intended to be changed by the system administrator. Luckily, they are indicated in the rpm -Va output with a c marker:

          The format of the output is a string of 9 characters, a possible attribute marker:

          c %config configuration file.
          d %doc documentation file.
          g %ghost file (i.e. the file contents are not included in the package payload).
          l %license license file.
          r %readme readme file.

          from the package header, followed by the file name.

          ... so I would consider something along the lines of:

          sudo rpm -Va | awk '/^..5/ && $2 != "c"'

          ... which ties together the grep ^..5 idea along with ignoring files that are classified as configuration files. Alternatively, you could capture every flagged line of output and then "whitelist" config files where you've accepted the risk of change -- then, you're alerted when a presumed-static config file changes.

          Without repackaging the RPMs, I do not know of a way to update the digest in the RPM database to indicate that you've changed a config file, which is why I suggest the above workarounds.






          • I've just discovered meuh's answer here which goes into more detail regarding an RPM being able to exclude certain files from future verification.

            – Jeff Schaller
            Mar 28 at 19:32











          answered Mar 28 at 19:30
          Jeff Schaller
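
The allowlist alternative mentioned in the answer, sketched as an added example (not code from the original answer): it parses the flag string, the optional attribute marker and the file name, suppresses only config files on an accepted list, and also reports a `?` in the digest position, which man rpm documents as a test that could not be performed. The function names, the one-path-per-line allowlist format, the ALERT/REVIEW/UNVERIFIED labels and the sample lines are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: triage `rpm -Va` output against an allowlist of accepted
# config changes. Usage on a real host (the allowlist path is hypothetical):
#   sudo rpm -Va | triage_rpm_verify /etc/rpm-verify-accepted.list

# Reads `rpm -Va` output on stdin; $1 is a file with one accepted path per line.
triage_rpm_verify() {
    awk -v allow="$1" '
    BEGIN {
        # Load the allowlist, skipping blank lines and # comments.
        if (allow != "")
            while ((getline entry < allow) > 0)
                if (entry != "" && entry !~ /^#/) accepted[entry] = 1
    }
    {
        flags = $1
        rest = $0
        sub(/^[^ \t]+[ \t]+/, "", rest)      # drop the flag string
        attr = ""
        if (rest ~ /^[cdglr][ \t]+\//) {     # optional attribute marker (c, d, g, l, r)
            attr = substr(rest, 1, 1)
            sub(/^[cdglr][ \t]+/, "", rest)
        }
        path = rest                          # keeps any spaces inside the file name
        digest = substr(flags, 3, 1)         # third flag character is the digest test

        if (digest == "?")
            print "UNVERIFIED " path         # digest could not be read, nothing was proven
        else if (digest != "5")
            next                             # digest matches; other differences ignored here
        else if (attr != "c")
            print "ALERT " path              # packaged non-config content changed
        else if (!(path in accepted))
            print "REVIEW " path             # config change nobody has accepted yet
    }'
}

# Constructed sample of `rpm -Va` output (not taken from a real system).
sample_rpm_va() {
    cat <<'EOF'
S.5....T.  c /etc/ssh/sshd_config
S.5....T.  c /etc/audit/audit.rules
S.5....T.  c /etc/sudoers
.......T.  c /etc/chrony.conf
S.5....T.    /usr/bin/ls
..?......    /usr/sbin/unix_chkpwd
.M.......  d /usr/share/doc/example/README
EOF
}

# Runs the triage over the sample with the two config files from the question accepted.
demo() {
    allowlist=$(mktemp)
    printf '%s\n' '# accepted local changes' \
        /etc/ssh/sshd_config /etc/audit/audit.rules > "$allowlist"
    sample_rpm_va | triage_rpm_verify "$allowlist"
    rm -f "$allowlist"
}

demo
```

Run as an unprivileged user, `rpm -Va` can produce `?` for files it cannot read, which `grep '^..5'` silently passes over; the UNVERIFIED lines make that gap visible.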











