Question: In some scenarios it is suspected that files installed on the system from an rpm have been altered, changed, or tampered with. For example, the system was hacked and an ssh binary file was tampered with. How to check if changes were made to it since the installation?
To verify whether the files installed on a system with rpm or yum have been altered since installation, use the following command:
# rpm -V [PACKAGE_NAME]
If any of the files from the rpm have been altered since installation, they will be listed in the output of the above command. Each line starts with a set of flags indicating the kind of alteration. The meaning of each flag is given in the table below:
Flag | Meaning
---|---
S | file Size differs
M | Mode differs (includes permissions and file type)
5 | MD5 sum differs
D | Device major/minor number mismatch
L | readLink(2) path mismatch
U | User ownership differs
G | Group ownership differs
T | mTime differs
P | caPabilities differ (ninth column, printed by newer rpm versions)
Example
1. There is a suspicion that the SSH server has been tampered with, so first find the rpm that distributes the file:
# yum provides */sshd openssh-server
So openssh-server is the rpm which provides the ssh binaries in the system.
2. Next, check for any alterations in the files provided by openssh-server rpm:
# rpm -V openssh-server
If any of the files were tampered with, they will be listed in the output of the above command, similar to the line below:
S.5....T. /usr/sbin/sshd
The flags here mean that the SSH server binary file has been tampered with:
S  file Size differs
5  MD5 sum differs
T  mTime differs
The file has a different size, MD5 checksum, and modification timestamp from the one distributed with the RPM.
3. Here we can try to re-install the package using yum to get the original distributed files from the repositories:
# yum reinstall openssh-server
In this particular example, the SSH server also needs to be restarted so that the reinstalled binary is the one running:
# service sshd restart
For systemd based distributions, use systemctl to restart the service:
# systemctl restart sshd
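To show how the flag columns in step 2 are read, here is an added example (not from the original post) that decodes `rpm -V` output lines, including the optional attribute letter rpm prints before config/doc files and the older 8-column layout, and picks out the files worth a closer look. The sample output is constructed and is not from a real host.

```python
import re

# rpm -V columns in print order ('.' = test passed, '?' = test could not be run).
FLAGS = {
    "S": "file Size differs",
    "M": "Mode differs (includes permissions and file type)",
    "5": "MD5 sum differs",
    "D": "Device major/minor number mismatch",
    "L": "readLink(2) path mismatch",
    "U": "User ownership differs",
    "G": "Group ownership differs",
    "T": "mTime differs",
    "P": "caPabilities differ",  # ninth column, present on newer rpm only
}
# Optional attribute letter rpm prints between the flags and the path.
ATTRS = {"c": "config", "d": "documentation", "g": "ghost", "l": "license", "r": "readme"}
CONTENT_FLAGS = set("SM5")  # flags meaning the file itself, not just its metadata, changed
# 8 flag columns on old rpm, 9 on new; then an optional attribute letter; then the path.
LINE_RE = re.compile(r"^(?P<flags>[SM5DLUGTP.?]{8,9}|missing)\s+(?:(?P<attr>[cdglr])\s+)?(?P<path>/\S+)$")

def parse_verify_line(line):
    """Decode one rpm -V line; returns None for lines that are not verify results."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    flags = m.group("flags")
    if flags == "missing":
        meanings = ["file is missing"]
    else:
        meanings = [FLAGS[c] for c in flags if c in FLAGS]
        if "?" in flags:
            meanings.append("some tests could not be performed")
    return {"path": m.group("path"), "attr": ATTRS.get(m.group("attr")), "flags": flags, "meanings": meanings}

def suspicious_files(output):
    """Paths that are missing or whose size/mode/MD5 changed, skipping config and doc files."""
    hits = []
    for r in filter(None, map(parse_verify_line, output.splitlines())):
        if r["attr"] in ("config", "documentation"):  # local edits here are routine
            continue
        if r["flags"] == "missing" or CONTENT_FLAGS & set(r["flags"]):
            hits.append(r["path"])
    return hits

# Constructed sample of `rpm -V openssh-server` output, not captured from a real host.
SAMPLE = """\
S.5....T.    /usr/sbin/sshd
S.5....T.  c /etc/ssh/sshd_config
.......T.  d /usr/share/man/man8/sshd.8.gz
missing      /usr/libexec/openssh/sftp-server
"""

if __name__ == "__main__":
    for r in filter(None, map(parse_verify_line, SAMPLE.splitlines())):
        print(r["path"], "->", "; ".join(r["meanings"]))
```

Note that `rpm -V` compares against the local rpm database using the local rpm binary, both of which an intruder with root could also have altered; on a host you suspect, verify against a package file fetched from a trusted source with `rpm -Vp <package>.rpm` as well.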