Saturday, December 5, 2009

Unintrusive RPM Distro Audit

As a consultant, I am often faced with an unfamiliar Linux system (usually RHEL). I always find it useful to understand which files that shipped with rpm packages have been modified, since it is usually a good indicator of what customizations have been performed on the system. To determine the modified files, I simply run:

% rpm -qa | xargs rpm --verify --nomtime | less

# Sample output:

missing /usr/local/src
.M...... /bin/ping6
.M...... /usr/bin/chage
.M...... /usr/bin/gpasswd
....L... c /etc/pam.d/system-auth
.M...... /usr/bin/chfn
.M...... /usr/bin/chsh
S.5..... c /etc/rc.d/rc.local
S.5..... c /etc/sysctl.conf
S.5..... c /etc/ssh/sshd_config
S.5..... c /etc/updatedb.conf

The following is taken from the rpm man pages (Verify Options section):

c %config configuration file.
d %doc documentation file.
g %ghost file (i.e. the file contents are not included in the package payload).
l %license license file.
r %readme readme file.

S file Size differs
M Mode differs (includes permissions and file type)
5 MD5 sum differs
D Device major/minor number mismatch
L readLink(2) path mismatch
U User ownership differs
G Group ownership differs
T mTime differs

Using this trick, I can quickly determine which configuration files have been modified, as well as any metadata changes (ownership, mode, symlink target, etc.).
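As an added example (not from the original post), the following Python parses the verify output above into structured findings and ranks them for review. The sample input is constructed in the post's format, the regex accepts both the eight-column flags shown here (rpm 4.4) and the nine-column form of newer rpm, and the severity ranking is my own heuristic: content changes to non-config files (binaries, libraries) come first, mode/ownership/symlink drift second, edited %config files last.

```python
"""Parse `rpm --verify` output (as produced by the post's pipeline) and triage it."""
import re
from typing import Dict, List, NamedTuple
# Constructed sample in the post's format (not real output from any system).
SAMPLE = """\
missing /usr/local/src
.M...... /bin/ping6
....L... c /etc/pam.d/system-auth
S.5..... c /etc/ssh/sshd_config
S.5..... /usr/sbin/sshd
"""
# rpm 4.4 prints eight flag columns (S.5.....); rpm 4.6+ adds a ninth (P, capabilities).
LINE_RE = re.compile(r"^([SM5DLUGTP.?]{8,9})\s+(?:([cdglr])\s+)?(\S.*)$")

class Finding(NamedTuple):
    path: str
    flags: str     # e.g. "S.5....." or "missing"
    attr: str      # c, d, g, l, r or "" for a plain payload file
    severity: str  # high / medium / low

def classify(flags: str, attr: str) -> str:
    """Heuristic ranking (mine, not rpm's): a package-owned binary or library
    whose size or digest differs is the first thing to look at."""
    if flags == "missing":
        return "medium"
    if attr in ("d", "l", "r"):           # docs, licenses, readmes: noise
        return "low"
    if ("S" in flags or "5" in flags) and attr != "c":
        return "high"                     # modified non-config file
    if any(ch in flags for ch in "MUGL"):
        return "medium"                   # mode, owner, group or symlink drift
    return "low"                          # edited %config file: expected customization

def parse_verify_output(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for line in text.splitlines():
        if line.startswith("missing "):
            findings.append(Finding(line[8:].strip(), "missing", "", "medium"))
            continue
        m = LINE_RE.match(line)
        if m:  # anything else is rpm chatter, e.g. "Unsatisfied dependencies"
            flags, attr, path = m.group(1), m.group(2) or "", m.group(3)
            findings.append(Finding(path, flags, attr, classify(flags, attr)))
    return findings

def triage(text: str) -> Dict[str, List[str]]:
    out: Dict[str, List[str]] = {"high": [], "medium": [], "low": []}
    for f in parse_verify_output(text):
        out[f.severity].append(f.path)
    return out
```

In practice, feed it the saved output of the pipeline (`rpm -qa | xargs rpm --verify --nomtime > verify.txt`) and start with the "high" bucket.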

