System integrity verification (using RPM)
- From: clmail2000 <clmail2000 yahoo com>
- To: rpm-list redhat com
- Subject: System integrity verification (using RPM)
- Date: Thu, 7 Aug 2003 21:25:16 -0700 (PDT)
Hello,
Although it is not very likely that my RHL 7.2 box has been
compromised as it has rarely been online, I want to check this.
Being a newcomer, I am not sure as to how to best do so.
I am primarily concerned with the integrity of the files from
the initial installation and any cracker intrusions; I can check
the other files I have installed manually. I have already run
chkrootkit and it did not find anything. For the system
installation and other files installed by rpm, I verified that the
present rpm package is indeed the one I had originally installed,
and then I tried running "rpm -Va" as root which correctly caught
certain changes I have made but also returned a number of other
changes I am not able to reconcile. Let me describe these
discrepancies in the hope that someone can provide some enlightenment.
a. It complains about a missing file called /var/tmp/vi.recover.
I have not used vi or any of its incarnations on this box, so
what is the significance of this?
b. There are also two files, /var/lib/rpm/__db.001 and
/var/lib/rpm/__db.002, flagged as having changed user and group
ownership, but which I cannot even find. What are they for?
c. There are a large number of device files flagged for a change in
the user ownership: e.g. /dev/apm_bios, /dev/audio, /dev/dsp.
The listings for these files are shown below.
crw------- 1 cl root 10, 134 Aug 30 2001 apm_bios
crw------- 1 cl root 14, 4 Aug 30 2001 audio
crw------- 1 cl root 14, 3 Aug 30 2001 dsp
(cl is my username on this system.)
I have neither explicitly created nor modified these files and
do not know how they originated. The present OS was installed on
June 11, 2002. I think the earlier dates may stem from when those
files were created and then copied onto the RH installation CD.
But I have no idea why they have this (unusual?) user.group
ownership. I noticed that the other device files which were not
flagged have root.root ownership.
d. There are also a number of files which it has flagged as having
changed in some way but which neither I nor any other user has
explicitly changed. What I find most odd is that when I list and
look at the contents of these files, they do not appear to have
been changed since their installation - at least to my
inexperienced eye. For example, on some files the modification
time does not seem to have changed when that was the attribute
flagged - unless the mtime listed has been compromised.
How easy is it to tamper with the file attributes and their
listing when chkrootkit cannot detect any root kits?
Listed below is a sampling of the output I find puzzling.
.......T c /etc/krb5.conf
S.5....T /boot/kernel.h-2.4.7
.M...... /dev/shm
SM5....T c /usr/X11R6/lib/X11/fonts/75dpi/encodings.dir
S.5....T c /etc/krb.conf
.M...... /usr/lib/gimp/1.2/modules/libcolorsel_gtk.a
.......T c /etc/pam_smb.conf
..5....T /var/lib/wnn/zh_CN/dic/sys/basic.dic
S.5....T c /etc/printcap
S.5....T c /etc/pam.d/system-auth
S.5....T c /etc/openldap/ldap.conf
..5....T c /etc/inittab
S.5....T c /usr/share/a2ps/afm/fonts.map
SM5....T /usr/X11R6/lib/X11/fonts/Type1/encodings.dir
SM5....T c /usr/X11R6/lib/X11/fonts/100dpi/encodings.dir
S.5....T /usr/share/AbiSuite/fonts/fonts.dir
.M.....T /usr/share/icons/locolor/32x32/apps/ktimemon.png
.......T /usr/share/apps/kfind/icons/locolor/22x22/actions/archive.png
S.5....T c /etc/ldap.conf
.......T c /etc/yp.conf
.M...... g /var/spool/at/.SEQ
S.5....T c /etc/mail/statistics
What is the significance of all this?
(For the /var/spool/at/.SEQ file above owned by daemon.daemon,
I cannot even ascertain what the "g" means.)
It would be much appreciated if someone could tell me whether I should
be concerned and whether there are better ways to check one's system.
Thanks in advance,
Charles
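A decoder for the `rpm -Va` lines quoted in the post, added here as an example and not part of Charles's message or of rpm itself. The eight verify columns are, in order, S (size), M (mode), 5 (MD5 digest), D (device numbers), L (symlink target), U (user), G (group) and T (mtime), and the single letter before the path is the file attribute (c config, d doc, g ghost, l license, r readme). The triage buckets are a conservative policy assumed by the example, and the `missing` sample line is constructed to match the report described in item a.

```python
import re
from dataclasses import dataclass
# Verify-string columns, left to right: S M 5 D L U G T (rpm 4.1+ appends P)
FLAG_MEANING = {"S": "size", "M": "mode", "5": "md5", "D": "device", "L": "symlink",
                "U": "user", "G": "group", "T": "mtime", "P": "capabilities"}
# Optional file-attribute letter printed between the flags and the path
ATTR_MEANING = {"c": "config", "d": "doc", "g": "ghost", "l": "license", "r": "readme"}
LINE_RE = re.compile(r"^(?P<flags>[SM5DLUGTP.]{8,9})\s+(?:(?P<attr>[cdglr])\s+)?(?P<path>/\S+)$")
# Sample lines copied from the post above; the 'missing' line is constructed
SAMPLE = """missing   /var/tmp/vi.recover
.......T c /etc/krb5.conf
S.5....T /boot/kernel.h-2.4.7
.M...... /dev/shm
S.5....T c /etc/printcap
.M...... g /var/spool/at/.SEQ"""

@dataclass
class VerifyResult:
    path: str
    flags: frozenset = frozenset()   # decoded column names, e.g. {"size", "md5"}
    attr: str = ""                   # "config", "ghost", ... or "" when none printed
    missing: bool = False

def parse_line(line):
    """Decode one rpm -V line; returns None for lines that are not verify output."""
    line = line.strip()
    if line.startswith("missing"):    # rpm reports absent packaged files this way
        return VerifyResult(path=line.split(None, 1)[1], missing=True)
    m = LINE_RE.match(line)
    if not m:
        return None
    flags = frozenset(FLAG_MEANING[c] for c in m["flags"] if c != ".")
    return VerifyResult(m["path"], flags, ATTR_MEANING.get(m["attr"] or "", ""))

def triage(r):
    """Bucket a result; this policy is an assumption of the example, not rpm's own."""
    if r.attr == "ghost":
        return "expected"      # %ghost files are never shipped in the payload
    if r.missing:
        return "investigate"   # find the owner with 'rpm -qf' and explain or reinstall
    if r.attr == "config" and r.flags <= {"size", "md5", "mtime"}:
        return "expected"      # a hand-edited config differs in content and timestamp
    if r.flags <= {"mtime"}:
        return "low"           # timestamp-only drift; content still matches the package
    if r.flags & {"md5", "size", "symlink"}:
        return "investigate"   # content of a non-config file no longer matches
    return "review"            # mode/owner/group/device drift, e.g. pam_console handing
                               # console devices under /dev to the logged-in user on Red Hat

def triage_report(output):
    """Map every recognised path in rpm -Va output to its triage bucket."""
    return {r.path: triage(r) for r in map(parse_line, output.splitlines()) if r}
```

Feed it the full `rpm -Va` output and review the "investigate" bucket first; anything there that is not a config file should be compared against the package with `rpm -qf` and a reinstall before trusting the box.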