Archive for the tag 'Verifying'

SBDavid

Verifying Signed RPM Package

Verifying Signed Packages

All Red Hat Enterprise Linux packages are signed with the Red Hat GPG key. GPG stands for GNU Privacy Guard, or GnuPG, a free software package used for ensuring the authenticity of distributed files. For example, a private key (secret key) locks the package while the public key unlocks and verifies the package. If the public key distributed by Red Hat Enterprise Linux does not match the private key during RPM verification, the package may have been altered and therefore cannot be trusted.

If the disc is mounted in /mnt/cdrom, use the following command to import the key into the keyring (a database of trusted keys on the system):

rpm --import /mnt/cdrom/RPM-GPG-KEY

To display a list of all keys installed for RPM verification, execute the following command:

rpm -qa 'gpg-pubkey*'

The output will look similar to the following:

gpg-pubkey-db42a60e-37ea5438

To display details about a specific key, use the rpm -qi command followed by the output from the previous command, as in this example:

rpm -qi gpg-pubkey-db42a60e-37ea5438
SBDavid

Verifying Installed RPM Packages

Verifying Installed Packages

Over the course of a system’s normal usage, files get changed. This could be as innocent as simply changing a configuration file in the /etc directory or as problematic as a file being corrupted by a power failure. To assist in the detection of these changes, RPM allows users and administrators to verify the integrity of an installed package.

The command

rpm -V package_name

verifies a single installed package (package_name is a placeholder for the package to check), and

rpm -Va

will verify all installed packages. RPM then computes the MD5 checksum of all files on the disk and compares them to the stored MD5 sums from the original RPMs. The output of the command is a line for each file that differs from the version that was originally installed, with a code indicating how the file has changed.
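The change codes in that output can be triaged mechanically. The following is an added example, not part of the original post: a shell function that reads rpm -Va output and reports non-configuration files that are missing, whose digest differs (flag 5), or whose mode, owner or group changed. The function name triage_rpm_verify is hypothetical and the sample lines are constructed.

```shell
#!/bin/sh
# Added example: triage `rpm -Va` output (function name is hypothetical).
# Column 1 holds one character per test, "." = passed, "?" = could not run:
#   S size  M mode  5 digest  D device  L symlink  U user  G group  T mtime  P caps
# An optional one-letter attribute follows: c config, d doc, g ghost, l license, r readme.

triage_rpm_verify() {
  awk '
  {
    flags = $1; rest = $0; attr = ""
    sub(/^[ \t]*[^ \t]+[ \t]+/, "", rest)          # strip the flags column
    if (rest ~ /^[cdglr][ \t]+\//) {               # attribute marker present
      attr = substr(rest, 1, 1)
      sub(/^[cdglr][ \t]+/, "", rest)
    }
    n = length(flags)
    valid = (flags == "missing") || ((n == 8 || n == 9) && flags ~ /^[SM5DLUGTP.?]+$/)
    if (!valid) next                               # not a per-file result line
    if (attr == "c" || attr == "g") next           # config and ghost files are expected to change
    if (flags == "missing")    printf "MISSING\t%s\n", rest
    else if (flags ~ /5/)      printf "CONTENT\t%s\n", rest
    else if (flags ~ /[MUG]/)  printf "PERMS\t%s\n", rest
  }'
}

# Constructed sample output (not captured from a real system).
SAMPLE='S.5....T.  c /etc/ssh/sshd_config
..5....T.    /usr/bin/netstat
.M.......    /usr/sbin/lsof
missing      /usr/share/doc/example/README
.......T.  d /usr/share/doc/example/NEWS'

printf '%s\n' "$SAMPLE" | triage_rpm_verify
```

On a live system, feed it the real output instead of the sample: rpm -Va | triage_rpm_verify.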

SBDavid

Verifying Which Ports Are Listening

After configuring network services, it is important to pay attention to which ports are actually listening on the system’s network interfaces. Any open ports can be evidence of an intrusion.

There are two basic approaches for listing the ports that are listening on the network. The less reliable approach is to query the network stack by typing commands such as netstat -an or lsof -i.

# netstat -an

or

# lsof -i

This method is less reliable since these programs do not connect to the machine from the network, but rather check to see what is running on the system. For this reason, these applications are frequent targets for replacement by attackers. In this way, crackers attempt to cover their tracks if they open unauthorized network ports.

A more reliable way to check which ports are listening on the network is to use a port scanner such as nmap.

root@:~# nmap -sT -O localhost

Starting Nmap 4.76 ( http://nmap.org ) at 2009-10-08 11:31 EDT
Interesting ports on localhost.localdomain (127.0.0.1):
Not shown: 997 closed ports

PORT     STATE SERVICE
22/tcp   open  ssh
53/tcp   open  domain
3128/tcp open  squid-http
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.17 - 2.6.22
Network Distance: 0 hops
OS detection performed.
Please report any incorrect results at http://nmap.org/submit/.
Nmap done: 1 IP address (1 host up) scanned in 3.15 seconds

Verifying Signed Packages using GNU Privacy Guard

GPG stands for GNU Privacy Guard, or GnuPG, a free software package used for ensuring the authenticity of distributed files. For example, a private key (secret key) locks the package while the public key unlocks and verifies the package. If the public key distributed by the OS does not match the private key during RPM verification, the package may have been altered and therefore cannot be trusted.

Assuming the disc is mounted in /mnt/cdrom, use the following command to import the key into the keyring (a database of trusted keys on the system):

rpm --import /mnt/cdrom/RPM-GPG-KEY

To verify all the downloaded packages at once, issue the following command:

rpm -K /tmp/updates/*.rpm

For each package, if the GPG key verifies successfully, the command returns gpg OK.