Archive for the tag 'Verify'

SBDavid

How to verify user defaults

How to verify user defaults.

If you want to view the defaults, type the useradd command with the -D option as follows:

# useradd -D
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
CREAT_MAIL_SPOOL=yes

You can also use the -D option to change defaults. When run with this flag, useradd refrains from actually creating a new user account; instead, it saves any additionally supplied options as the new default values in /etc/login.defs. Not all useradd options can be used.

To set any of the defaults, give the -D option first; then add any of the defaults you want to set. For example, to set the default home directory location to /home/everyone and the default shell to /bin/tcsh, type the following:

# useradd -D -b /home/everyone -s /bin/tcsh
SBDavid

Verify Package Integrity Using RPM

Verify Package Integrity Using RPM

The RPM package management system includes the ability to verify the integrity of installed packages by comparing the installed files with information about the files taken from the package metadata stored in the RPM database.

Although an attacker could corrupt the RPM database (analogous to attacking the AIDE database as described above), this check can still reveal modification of important files. To determine which files on the system differ from what is expected by the RPM database:

# rpm -qVa

A ā€œcā€ in the second column indicates that a file is a configuration file (and may be expected to change). In order to exclude configuration files from this list, run:

# rpm -qVa | awk ‘$2!=”c” {print $0}’

Using RPM Verify to Monitor Changes to System Files

It is important for administrators of critical server systems to be able to track changes to files on their systems. Tracking file changes helps detect accidental or malicious modifications such as viruses, root kits, or hacking activity. RPM, the package management system used for all RPM based Linux distributions, provides an easy mechanism for tracking these changes. When a package is installed, the RPM database stores information about each file belonging to that package including the size, date, and MD5 sum among others. This data can later be compared to the existing files on the system to detect any changes.

Verifications are performed with the rpm command and the -V flag. This command should be executed as root so that all file attributes can be read from the system without file permissions getting in the way. For example:

To verify all files in the RPM database:

# rpm -Va

To verify all files belonging to a package, packagename:

# rpm -V packagename

To verify all files belonging a particular RPM file (local, FTP, HTTP):

# rpm -V path_to_the_file.rpm

All applicable files are checked, and any discrepancies are shown. The output is a string of eight characters, followed by an optional attribute marker. The string of eight characters indicates changes in size, permissions, MD5 sum, etc.

S file Size differs
M Mode differs (includes permissions and file type)
5 MD5 sum differs
D Device major/minor number mis-match
L readLink(2) path mis-match
U User ownership differs
G Group ownership differs
T mTime differs

For example:

S.5….T c /etc/wvdial.conf

This example shows that the configuration file, /etc/wvdial.conf, has a different size, MD5 sum, and modified time than the RPM database has on record. In this case, this is probably okay–it is a configuration file and it is normal for them to change.