Dec 6th, 2010
Using RPM Verify to Monitor Changes to System Files
Using RPM Verify to Monitor Changes to System Files
It is important for administrators of critical server systems to be able to track changes to files on their systems. Tracking file changes helps detect accidental or malicious modifications such as viruses, root kits, or hacking activity. RPM, the package management system used for all RPM based Linux distributions, provides an easy mechanism for tracking these changes. When a package is installed, the RPM database stores information about each file belonging to that package including the size, date, and MD5 sum among others. This data can later be compared to the existing files on the system to detect any changes.
Verifications are performed with the rpm command and the -V flag. This command should be executed as root so that all file attributes can be read from the system without file permissions getting in the way. For example:
To verify all files in the RPM database:
To verify all files belonging to a package, packagename:
To verify all files belonging a particular RPM file (local, FTP, HTTP):
All applicable files are checked, and any discrepancies are shown. The output is a string of eight characters, followed by an optional attribute marker. The string of eight characters indicates changes in size, permissions, MD5 sum, etc.
M Mode differs (includes permissions and file type)
5 MD5 sum differs
D Device major/minor number mis-match
L readLink(2) path mis-match
U User ownership differs
G Group ownership differs
T mTime differs
For example:
This example shows that the configuration file, /etc/wvdial.conf, has a different size, MD5 sum, and modified time than the RPM database has on record. In this case, this is probably okay–it is a configuration file and it is normal for them to change.