Archive for the tag 'Integrity'

SBDavid

Verify Package Integrity Using RPM

The RPM package management system can verify the integrity of installed packages by comparing each installed file against the attributes (size, mode, digest, owner, group, mtime and so on) that the package metadata stored in the RPM database records for it.

Although an attacker with root access could also tamper with the RPM database (just as with the AIDE database), this check can still reveal modification of important files. To list every file on the system that differs from what the RPM database expects:

# rpm -qVa

Each line of output starts with nine attribute flags (S size, M mode, 5 digest, D device, L symlink, U user, G group, T mtime, P capabilities; a dot means the attribute matched). A “c” in the next column indicates that the file is a configuration file (and may be expected to change). In order to exclude configuration files from this list, run:

# rpm -qVa | awk '$2!="c" {print $0}'
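
The following script is an added example and is not code from the original post: it decodes the attribute flags that rpm -Va prints and drops configuration files, as the awk one-liner above does, so that a reviewer sees "size digest mtime" rather than "S.5....T.". The function names (decode_rpm_verify, rpm_verify_report) and the sample verify output are constructed for this example.

```sh
#!/bin/sh
# Added example, not code from the original post: decode the attribute flags
# that "rpm -Va" prints and drop configuration files, as the awk one-liner
# above does. Reads verify output on stdin and prints one line per flagged
# file. The sample input below is constructed, not captured from a host.

# Each verify line is: 9 attribute flags, an optional file-type letter
# (c=config, d=doc, g=ghost, l=license, r=readme), then the path.
# Files that are absent appear as "missing <type> <path>".
decode_rpm_verify() {
    awk '
    # Expand the flag column into the names of the attributes that differ.
    function explain(flags,    out, i, ch) {
        out = ""
        for (i = 1; i <= length(flags); i++) {
            ch = substr(flags, i, 1)
            if (ch == "S") out = out "size "
            else if (ch == "M") out = out "mode "
            else if (ch == "5") out = out "digest "
            else if (ch == "D") out = out "device "
            else if (ch == "L") out = out "symlink "
            else if (ch == "U") out = out "owner "
            else if (ch == "G") out = out "group "
            else if (ch == "T") out = out "mtime "
            else if (ch == "P") out = out "capabilities "
            else if (ch == "?") out = out "untestable "
        }
        sub(/ $/, "", out)
        return out
    }
    $2 == "c"       { next }                       # configuration file: skip
    $1 == "missing" { print "MISSING " $NF; next } # file has been deleted
                    { print $NF ": " explain($1) }
    '
}

# Run against the live system (root is needed to read every file).
rpm_verify_report() {
    rpm -Va | decode_rpm_verify
}

# Constructed sample of rpm -Va output used for demonstration.
SAMPLE_VERIFY='S.5....T.    /usr/bin/ls
.M.......  c /etc/ssh/sshd_config
missing     /usr/lib64/libfoo.so.1
..5....T.  c /etc/yum.conf
.......T.    /usr/lib/python2.6/site-packages/foo.py'

printf '%s\n' "$SAMPLE_VERIFY" | decode_rpm_verify
```

On the sample, the two configuration files are dropped and the remaining lines come out as "/usr/bin/ls: size digest mtime", "MISSING /usr/lib64/libfoo.so.1" and "/usr/lib/python2.6/site-packages/foo.py: mtime". A changed digest on a binary such as /usr/bin/ls deserves immediate attention; an mtime-only change is usually a package update or a prelink run. Paths containing spaces would confuse the $NF field selection, which is acceptable for package-owned files on a standard system.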

Implement Periodic Execution of Integrity Checking

By default, AIDE does not install itself for periodic execution.

Implement checking with whatever frequency is required by your security policy. A once-daily check may be suitable for many environments. For example, to implement a daily execution of AIDE at 4:05am, add the following line to /etc/crontab (the sixth field is the user the job runs as, which is what distinguishes /etc/crontab from a per-user crontab):

05 4 * * * root /usr/sbin/aide --check

Cron mails whatever the job prints to the MAILTO address (root in the default /etc/crontab), so the report arrives by mail.

AIDE output may be an indication of an attack against your system, or it may be the result of something innocuous such as an administrator's configuration change or a software update. Investigate each reported difference; once a change is confirmed legitimate, regenerate the reference database with aide --update and install the newly written database (/var/lib/aide/aide.db.new.gz) in place of the old one (/var/lib/aide/aide.db.gz), otherwise the same differences will be reported every day.
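
The wrapper below is an added example, not code from the original post: it runs the daily check, keeps the full report, and turns AIDE's exit status into a one-line summary so that cron only sends mail when something changed or AIDE itself failed. The exit-status meanings come from aide(1): 1 = new files, 2 = removed files, 4 = changed files (combined as a bitmask), 0 = no differences, 14 and above = an error. The AIDE_BIN variable, the function names and the report path are assumptions of this example so it can be exercised on a host without AIDE installed.

```sh
#!/bin/sh
# Added example, not code from the original post: a wrapper for the daily
# cron job that turns AIDE's exit status into a one-line summary and only
# produces output (which cron mails) when something changed or AIDE failed.
# aide(1) returns a bitmask: 1 = new files, 2 = removed files, 4 = changed
# files, 0 = no differences, and 14 or higher = an error (I/O error, bad
# configuration, database version mismatch, ...).
# AIDE_BIN is an assumption of this example so it can be exercised on a
# host without AIDE; in production leave it at the default /usr/sbin/aide.

# Translate an AIDE exit status into a short summary.
aide_status_summary() {
    status=$1
    if [ "$status" -eq 0 ]; then
        echo "no changes"
        return 0
    fi
    if [ "$status" -ge 14 ]; then
        echo "aide error (exit $status)"
        return 0
    fi
    summary=""
    [ $((status & 1)) -ne 0 ] && summary="${summary}new-files "
    [ $((status & 2)) -ne 0 ] && summary="${summary}removed-files "
    [ $((status & 4)) -ne 0 ] && summary="${summary}changed-files "
    echo "${summary% }"
}

# Run the check, save the full report to $1, print a summary only when the
# status is non-zero, and return AIDE's status so the caller can act on it.
aide_daily_check() {
    report=$1
    "${AIDE_BIN:-/usr/sbin/aide}" --check > "$report" 2>&1
    rc=$?
    if [ "$rc" -ne 0 ]; then
        echo "AIDE: $(aide_status_summary "$rc"); full report in $report"
    fi
    return "$rc"
}

# When invoked with a report path (as from cron), run the check for real.
if [ -n "${1:-}" ]; then
    aide_daily_check "$1"
fi
```

Installed as, say, /usr/local/sbin/aide-daily-check (a hypothetical path), the crontab line becomes "05 4 * * * root /usr/local/sbin/aide-daily-check /var/log/aide/aide-check.log". A silent run means the database still matches; any mail from the job is either a change to investigate or a broken AIDE setup, and the non-zero return value lets a monitoring agent pick the result up without parsing the report.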

SBDavid

Software Integrity Checking

The AIDE (Advanced Intrusion Detection Environment) software is included with the system to provide software integrity checking. It is designed to be a replacement for the well-known Tripwire integrity checker.

The RPM software can also compare installed files with the attributes (including file digests) recorded in its own metadata database. Integrity checking cannot prevent intrusions into your system, but it can detect that they have occurred. Such integrity checking software should be configured before the system is deployed and able to provide services to users.

Ideally, the integrity checking database would be built (with aide --init) before the system is connected to any network, though this may prove impractical due to registration and software updates. A database built after the system has been exposed simply records whatever state the files are in at that moment, so any modification made before that point is baked into the baseline and will never be reported.