rpm -V verify purpose

I am told I should do rpm -Va because:



operating system must be configured so that the cryptographic hash of system files and commands matches vendor values... Without cryptographic integrity protections, system command and files can be altered by unauthorized users without detection



So a rpm -Va | grep '^..5' is done and if anything comes back that is supposed to be a problem.



From a clean install from DVD I can successfully meet that criteria.



However, I am also told to configure files such as /etc/ssh/sshd_config and /etc/audit/audit.rules not to mention some obvious other ones to make a system functional, and changing these of course results in these files not matching vendor values, thus the rpm -Va comes back with mainly S.5....T



Can someone explain the purpose or rationale of this? As well as how grep '^..5' is supposed to work? Is there a way to make this work such that -- yeah, I changed a .conf file, but have rpm be updated to not flag specified packages as having been altered?










Tags: security rpm

asked 2 days ago by ronron (edited 2 days ago by Jeff Schaller)

1 Answer
To take the easy part first, the grep '^..5' portion investigates the output for lines that start with any two characters followed by a 5. That 5 represents (from man rpm):

    5 digest (formerly MD5 sum) differs

as a fairly good indicator that the corresponding file has changed.

Next, I would encourage any rpm -Va | grep ... investigation to ignore config files. These are files, like you point out, that are intended to be changed by the system administrator. Luckily, they are indicated in the rpm -Va output with a c marker:

    The format of the output is a string of 9 characters, a possible attribute marker:

    c %config configuration file.
    d %doc documentation file.
    g %ghost file (i.e. the file contents are not included in the package payload).
    l %license license file.
    r %readme readme file.

    from the package header, followed by the file name.

... so I would consider something along the lines of:

    sudo rpm -Va | awk '/^..5/ && $2 != "c"'

... which ties together the grep ^..5 idea along with ignoring files that are classified as configuration files. Alternatively, you could capture every flagged line of output and then "whitelist" config files where you've accepted the risk of change -- then, you're alerted when a presumed-static config file changes.

Without repackaging the RPMs, I do not know of a way to update the digest in the RPM database to indicate that you've changed a config file, which is why I suggest the above workarounds.






answered 2 days ago by Jeff Schaller

• I've just discovered meuh's answer here which goes into more detail regarding an RPM being able to exclude certain files from future verification. – Jeff Schaller, 2 days ago
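The allowlist approach described in the answer above, as an added example (not code from the original post): it classifies `rpm -Va` output, keeps paths that contain spaces intact, and also reports lines where the digest could not be read (`?` in the third position) or the file is missing, which `^..5` alone skips. The function names, status labels, allowlist file format and sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: classify `rpm -Va` output read on stdin.
# $1 = allowlist file (hypothetical format): one absolute path per line,
# naming %config files whose local change was reviewed and accepted.
triage_rpm_verify() {
    awk -v allow="$1" '
    function report(status, file) {
        print status "\t" file
        if (status != "ACCEPTED") bad = 1
    }
    BEGIN {
        # Load accepted paths, skipping blank lines and # comments.
        while ((getline p < allow) > 0)
            if (p != "" && p !~ /^#/) accepted[p] = 1
        close(allow)
    }
    {
        flags = $1
        # Keep everything after the first field so paths with spaces survive.
        rest = $0
        sub(/^[^ ]+ +/, "", rest)
        # Optional attribute marker: one letter, a space, then the absolute path.
        attr = ""
        if (rest ~ /^[a-z] \//) { attr = substr(rest, 1, 1); rest = substr(rest, 3) }
        digest = substr(flags, 3, 1)

        if (flags == "missing")      report("MISSING", rest)
        else if (digest == "?")      report("UNVERIFIED", rest)  # digest unreadable
        else if (digest != "5")      next                        # content unchanged
        else if (attr != "c")        report("ALERT", rest)       # non-config file altered
        else if (rest in accepted)   report("ACCEPTED", rest)
        else                         report("REVIEW", rest)      # config change not yet accepted
    }
    END { exit (bad ? 1 : 0) }'
}

# Constructed sample of `rpm -Va` output (not taken from a real host).
sample_rpm_va() {
    cat <<'EOF'
S.5....T.  c /etc/ssh/sshd_config
S.5....T.  c /etc/audit/audit.rules
S.5....T.    /usr/bin/ssh
S.5....T.    /opt/example app/run.sh
.M.......    /usr/bin/example
..?......    /usr/sbin/sshd
missing   c /etc/example.conf
.......T.  d /usr/share/doc/example/README
EOF
}

# Demo: only sshd_config has been accepted, so the run ends with findings.
demo_allow=$(mktemp)
printf '%s\n' '# reviewed and accepted' /etc/ssh/sshd_config > "$demo_allow"
sample_rpm_va | triage_rpm_verify "$demo_allow" || echo "findings need attention"
rm -f "$demo_allow"
```

On a real host, pipe `sudo rpm -Va` into `triage_rpm_verify` instead of the sample; the non-zero exit status lets a scheduled check fail whenever anything other than an accepted config change appears.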










