Guaranteeing running code is signed

Mathieu Bridon (bochecha) bochecha at fedoraproject.org
Sat May 9 19:12:00 UTC 2009


Hi,

> Is there any technology in fedora, that enables me to ensure that ALL
> running code on a certain server (even code not installed from RPMs, such as
> say by a legacy admin), has been signed by redhat, and to warn me about
> un-signed code that is running or about to run. I am interested to verify a
> server is in a "known-good" state

I don't know of any « One True Solution », but you could use things like :
$ rpm -qaV
  -> this will list all files modified _after_ they were installed via RPM
$ rpm -qf <some file>
  -> this will tell you the package that this file belongs to

You can then use the « --queryformat » option of RPM to get various
informations about a package, for example where did it come from.

For files installed not using RPM, I'm not sure how to verify this,
but as Fedora only provides files in RPMs, I'm pretty confident that
no file outside a RPM will be signed by Fedora.

For RedHat, I have no idea, but you are on a Fedora mailing-list ;)


----------

Mathieu Bridon (bochecha)




More information about the fedora-devel-list mailing list