Archive for the tag 'verification'

SBDavid

RPM verification

To display a list of all keys installed for RPM verification, run rpm -qa gpg-pubkey* (imported public keys are stored as pseudo-packages named gpg-pubkey).

The output will look similar to the following:

[centos@centos ~]$ sudo rpm -qa gpg-pubkey*
gpg-pubkey-c105b9de-4e0fd3a3
gpg-pubkey-6b8d79e6-3f49313d
[centos@centos ~]$

To check the details of a key, run rpm -qi with the key's package name:

[centos@centos ~]$ rpm -qi gpg-pubkey-c105b9de-4e0fd3a3
Name : gpg-pubkey Relocations: (not relocatable)
Version : c105b9de Vendor: (none)
Release : 4e0fd3a3 Build Date: Fri 04 Nov 2011 09:37:15 PM IST
Install Date: Fri 04 Nov 2011 09:37:15 PM IST Build Host: localhost
Group : Public Keys Source RPM: (none)
Size : 0 License: pubkey
Signature : (none)
Summary : gpg(CentOS-6 Key (CentOS 6 Official Signing Key) )
Description :

To verify a package, run rpm -K on the file. If its signature verifies successfully against an installed key, the output ends with gpg OK:

[centos@centos ~]$ rpm -K ./Downloads/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm
./Downloads/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm: (sha1) dsa sha1 md5 gpg OK
[centos@centos ~]$

How to install the Red Hat GPG key for RPM verification

If the Red Hat GPG key is not installed, install it from a secure, static location, such as a Red Hat installation CD-ROM or DVD.

All Red Hat Enterprise Linux packages are signed with the Red Hat GPG key. GPG stands for GNU Privacy Guard, or GnuPG, a free software package used for ensuring the authenticity of distributed files. The private (secret) key, held by Red Hat, signs the package, and the corresponding public key, which you install, verifies that signature. If the signature on a package does not verify against the Red Hat public key during RPM verification, the package may have been altered and therefore cannot be trusted.

Use the following command to import the key into the RPM keyring (a database of trusted keys on the system):

rpm --import /mnt/cdrom/RPM-GPG-KEY

To display a list of all keys installed for RPM verification, execute the following command:

rpm -qa gpg-pubkey*

It is extremely important to verify the signature of the RPM files before installing them to ensure that they have not been altered from the original source of the packages. To verify all the downloaded packages at once, issue the following command:

rpm -K /tmp/updates/*.rpm
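A batch run of rpm -K is only useful if something acts on the result, and an unsigned package also reports OK (the digests match) without ever printing gpg OK. The following script is an added example, not part of the original post: it classifies each rpm -K output line and fails closed unless every package both verifies and carries a signature. The sample lines used in the comments are constructed to match the CentOS 6 (rpm 4.8) output format shown above; rpm marks a failed check with NOT OK and prints the failing check names in uppercase.

```shell
#!/bin/sh
# Added example (not from the original post). Classify `rpm -K` output and
# verify a directory of packages, failing closed on anything not signed.
#
# Constructed sample lines, as rpm 4.8 prints them:
#   ./x.rpm: (sha1) dsa sha1 md5 gpg OK         -> signed and verified
#   ./x.rpm: sha1 md5 OK                        -> digests OK, but unsigned
#   ./x.rpm: (SHA1) DSA sha1 md5 gpg NOT OK     -> signature/digest failure

# classify_rpm_k_line LINE -> prints one of: signed-ok | unsigned | bad
classify_rpm_k_line() {
    case "$1" in
        *"NOT OK"*)              echo bad ;;          # any failed check
        *"gpg OK"*|*"pgp OK"*)   echo signed-ok ;;    # signature present and valid
        *" OK")                  echo unsigned ;;     # digests only, no signature
        *)                       echo bad ;;          # unexpected output: fail closed
    esac
}

# verify_rpm_dir DIR -> runs rpm -K on every .rpm in DIR and prints a
# status per file; returns 0 only if every package is signed-ok.
# Needs the rpm tool on the host; not exercised by the offline checks.
verify_rpm_dir() {
    rc=0
    for f in "$1"/*.rpm; do
        [ -e "$f" ] || continue
        line=$(rpm -K "$f" 2>&1 || true)
        status=$(classify_rpm_k_line "$line")
        printf '%s\t%s\n' "$status" "$f"
        [ "$status" = "signed-ok" ] || rc=1
    done
    return $rc
}

# Usage on a real system (assumed directory name):
#   verify_rpm_dir /tmp/updates && echo "all packages signed and verified"
```

Treating "unsigned" as a failure is deliberate: a package whose digests match but which carries no signature proves nothing about who built it, and it is exactly what a tampered or rebuilt package looks like.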
SBDavid

Enabling Source Address Verification

Problem: prevent a remote host from spoofing incoming packets so that they appear to have come from the local machine or from another interface's network.

Solution:

Turn on source address verification (reverse-path filtering) in the Linux kernel. The setting is per interface; the kernel applies the larger of conf/all and conf/<interface>, so setting conf/all covers every interface:

echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

A quick method that also survives a reboot is to add this line to /etc/sysctl.conf

net.ipv4.conf.all.rp_filter = 1

And then run sysctl -p to load the configuration file into the running kernel.

sysctl -p
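Because rp_filter is evaluated per interface as the maximum of conf/all and conf/<interface>, checking only the "all" value can miss an interface that is still unfiltered when all is 0 but a single interface is 1, or report a false alarm the other way round. The following audit script is an added example, not part of the original post: it reads the persisted value from a sysctl.conf-style file and the effective live value for every interface under /proc. The function and file names are assumptions, and the configuration text used to exercise it is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): audit reverse-path filtering.
# The kernel uses max(conf/all/rp_filter, conf/<iface>/rp_filter) for each
# interface, so both sides have to be inspected.

# rp_filter_effective ALL IFACE -> prints the value the kernel will use
rp_filter_effective() {
    if [ "$1" -ge "$2" ]; then echo "$1"; else echo "$2"; fi
}

# sysctl_conf_value FILE KEY -> prints the last uncommented value set for
# KEY in a sysctl.conf-style file (later lines override earlier ones).
sysctl_conf_value() {
    key=$(printf '%s' "$2" | sed 's/\./\\./g')     # escape dots for the regex
    sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" "$1" \
        | tail -n 1
}

# audit_rp_filter [CONF] -> prints per-interface effective values; returns 0
# only if every interface is filtered and the persisted config agrees.
audit_rp_filter() {
    conf=${1:-/etc/sysctl.conf}
    base=/proc/sys/net/ipv4/conf
    rc=0

    persisted=$(sysctl_conf_value "$conf" net.ipv4.conf.all.rp_filter)
    if [ "${persisted:-0}" -lt 1 ]; then
        echo "WARN: $conf does not persist net.ipv4.conf.all.rp_filter=1"
        rc=1
    fi

    all=$(cat "$base/all/rp_filter")
    for d in "$base"/*/; do
        iface=$(basename "$d")
        [ "$iface" = all ] && continue
        eff=$(rp_filter_effective "$all" "$(cat "$d/rp_filter")")
        printf '%-12s rp_filter=%s\n' "$iface" "$eff"
        [ "$eff" -ge 1 ] || rc=1
    done
    return $rc
}

# Usage on a real host:
#   audit_rp_filter && echo "reverse-path filtering active on all interfaces"
```

A value of 1 is strict mode, as in the post; newer kernels also accept 2 (loose mode), which the audit treats as filtered since it is still greater than 0.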

DESCRIPTION

sysctl is used to modify kernel parameters at runtime. The parameters available are those listed under /proc/sys/. Procfs is required for sysctl support in Linux. You can use sysctl to both read and write sysctl data.

EXAMPLES

/sbin/sysctl -a
/sbin/sysctl -n kernel.hostname
/sbin/sysctl -w kernel.domainname="example.com"
/sbin/sysctl -p /etc/sysctl.conf

-w Use this option when you want to change a sysctl setting.

-p Load in sysctl settings from the file specified or /etc/sysctl.conf if none given. Specifying - as filename means reading data from standard input.

-a Display all values currently available.

-A Display all values currently available in table form.