|
| 1 | +<div class="flex-container"> |
| 2 | + <img src="https://github.com/ProfessionalLinuxUsersGroup/img/blob/main/Assets/Logos/ProLUG_Round_Transparent_LOGO.png?raw=true" width="64" height="64"></img> |
| 3 | + <p> |
| 4 | + <h1>Unit 7 Bonus - Auditing Installed Packages and Verifying Integrity</h1> |
| 5 | + </p> |
| 6 | +</div> |
| 7 | + |
| 8 | +> **NOTE:** This is an **optional** bonus section. You **do not** need to read it, but if you're interested in digging deeper, this is for you. |
| 9 | +
|
| 10 | +This bonus explores how you can audit and verify software integrity on your system |
| 11 | +using package tools, hashes, and file validation -- going deeper into real-world |
| 12 | +sysadmin practice. |
| 13 | + |
| 14 | +This is more of a bonus lab. We're going beyond just _installing_ packages. |
| 15 | +We're going to audit, validate, and verify that the software on our system is |
| 16 | +trustworthy and unmodified. |
| 17 | +We'll explore how to detect unexpected changes using built-in tools, dig into package |
| 18 | +metadata, and get a taste of real-world security practices like intrusion detection |
| 19 | +and system baselining through package auditing. |
| 20 | + |
| 21 | +In modern enterprise environments, packages may be tampered with, misconfigured, or out-of-date. |
| 22 | + |
| 23 | +A responsible sysadmin needs tools and methods to answer questions like: |
| 24 | + |
| 25 | +- Was this package installed from a trusted source? |
| 26 | +- Have any of the installed files been modified? |
| 27 | +- Which files belong to which packages? |
| 28 | +- Can I detect and recover from unexpected changes? |
| 29 | + |
| 30 | +Let's get into it. |
| 31 | + |
| 32 | +## Verifying Package Integrity |
| 33 | + |
| 34 | +--- |
| 35 | + |
| 36 | +Start by finding a package you know is installed and used in your environment -- for example, `sshd`: |
| 37 | + |
| 38 | +```bash |
| 39 | +rpm -qi openssh-server |
| 40 | +``` |
| 41 | + |
| 42 | +Now, check the integrity of the package's files: |
| 43 | + |
| 44 | +```bash |
| 45 | +rpm -V openssh-server |
| 46 | +``` |
| 47 | + |
| 48 | +- `-V`: Stands for **verify**. |
| 49 | + - This option checks timestamps, permissions, ownership, and hashes of installed files. |
| 50 | + |
| 51 | +If you don't see any output, that's a good thing. |
| 52 | + |
| 53 | +`rpm -V` only reports files that have been altered in some way from what the package database expects. |
| 54 | +If there is no output, it means all files match the expected checksums, sizes, permissions, etc.. |
| 55 | + |
| 56 | +If this command **does** have output, being able to interpret the output is important. |
| 57 | +Each character in the output has its own meaning: |
| 58 | + |
| 59 | +- `S` - Size differs. |
| 60 | +- `M` - Mode differs (permissions). |
| 61 | +- `5` - MD5 checksum mismatch. |
| 62 | +- `T` - Modification time differs. |
| 63 | + |
| 64 | +This is a great way to verify the integrity of installed packages. |
| 65 | +It's also helpful in troubleshooting when a package isn't working as expected. |
| 66 | + |
| 67 | + |
| 68 | +## Auditing a File in a Package |
| 69 | + |
| 70 | +--- |
| 71 | + |
| 72 | +Let's say you suspect something has been changed or tampered with. |
| 73 | +Let's get all files from a package. |
| 74 | + |
| 75 | +- Run `rpm -ql` to list the files that were installed with a package: |
| 76 | + |
| 77 | + ```bash |
| 78 | + rpm -ql openssh-server |
| 79 | + ``` |
| 80 | + |
| 81 | +- Now pick one file and manually generate its sha256 hash: |
| 82 | + |
| 83 | + ```bash |
| 84 | + sha256sum /usr/sbin/sshd |
| 85 | + ``` |
| 86 | + |
| 87 | +- Download the original `.rpm` package to compare its hash. |
| 88 | + |
| 89 | + ```bash |
| 90 | + dnf download openssh-server |
| 91 | + ``` |
| 92 | + |
| 93 | + - This will download the `openssh-server-<version>.rpm` package in the current directory. |
| 94 | + - These `.rpm` packages are not stored on the system by default. |
| 95 | + |
| 96 | +- You can inspect the file of your choice with `rpm -qp --dump`: |
| 97 | + |
| 98 | + ```bash |
| 99 | + rpm -qp --dump openssh-server*.rpm | grep ^/usr/sbin/sshd |
| 100 | + ``` |
| 101 | + |
| 102 | + This will output a bunch of information about the file. |
| 103 | + The `sha256` hash will be in the fourth column, so we can use `awk` to extract that: |
| 104 | + |
| 105 | + ```bash |
| 106 | + rpm -qp --dump openssh-server*.rpm | grep ^/usr/sbin/sshd | awk '{print $4}' |
| 107 | + ``` |
| 108 | + |
| 109 | +- Compare your version's hash to the original RPM file's hash: |
| 110 | + |
| 111 | + ```bash |
| 112 | + sha256sum /usr/sbin/sshd |
| 113 | + ``` |
| 114 | + |
| 115 | +If the hashes are different, the file has been modified. |
| 116 | + |
| 117 | +## Bonus Challenge 💡 |
| 118 | + |
| 119 | +--- |
| 120 | + |
| 121 | +1. Run this one-liner to verify all installed packages: |
| 122 | + ```bash |
| 123 | + rpm -Va |
| 124 | + ``` |
| 125 | + - This will verify every file from every package and report anything suspicious. |
| 126 | +1. Narrow the scope. Only show actual modified files: |
| 127 | + |
| 128 | + ```bash |
| 129 | + rpm -Va | grep -v '^..5' |
| 130 | + ``` |
| 131 | + |
| 132 | + - This removes lines where only the MD5 checksum differs (which could be expected in some config files). |
| 133 | + - You’ll now see files where size, mode, owner, or timestamp changed — higher confidence indicators of real change. |
| 134 | + |
| 135 | +1. Investigate a suspicious result. If you see something like: |
| 136 | + |
| 137 | + ```bash |
| 138 | + .M....... c /etc/ssh/sshd_config |
| 139 | + ``` |
| 140 | + |
| 141 | + That means: |
| 142 | + |
| 143 | + - The permissions (`M`) have changed. |
| 144 | + - It's a config file (`c`). |
| 145 | + |
| 146 | +1. Check the file in question: |
| 147 | + |
| 148 | + ```bash |
| 149 | + ls -l /etc/ssh/sshd_config |
| 150 | + ``` |
| 151 | + |
| 152 | +1. Compare that to what you expected: |
| 153 | + ```bash |
| 154 | + rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' -f /etc/ssh/sshd_config |
| 155 | + ``` |
| 156 | + |
| 157 | +Then you can reinstall the package or extract the original file from the `.rpm` file. |
| 158 | + |
| 159 | +### Reflection Questions |
| 160 | + |
| 161 | +--- |
| 162 | + |
| 163 | +- What happens if you manually modify a file, then verify with `rpm -V`? |
| 164 | +- Can you identify if changes were made outside of DNF/RPM? |
| 165 | +- What types of files are typically most important to verify? |
| 166 | + |
| 167 | + |
| 168 | +### Example of Real-World Security Tools |
| 169 | + |
| 170 | +--- |
| 171 | + |
| 172 | +Large enterprises often use tools like AIDE (Advanced Intrusion Detection Environment) or Tripwire to baseline their systems and detect changes over time. |
| 173 | + |
| 174 | +AIDE can be installed easily with `dnf`, so you can play around with it if you want. |
| 175 | +To set up AIDE on your system (as root): |
| 176 | + |
| 177 | +```bash |
| 178 | +dnf install aide -y |
| 179 | + |
| 180 | +aide --init |
| 181 | + |
| 182 | +# Copy the default database to use as your database |
| 183 | +cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz |
| 184 | + |
| 185 | +# Then, to run a check with aide (this will take a few minutes): |
| 186 | +aide --check |
| 187 | +``` |
| 188 | + |
| 189 | +AIDE compares the current state of the system to a known baseline. |
| 190 | + |
| 191 | +This is foundational to change management, compliance, and intrusion detection. |
| 192 | + |
| 193 | +## Resources |
| 194 | + |
| 195 | +--- |
| 196 | + |
| 197 | +- [RPM Man Page](https://man7.org/linux/man-pages/man8/rpm.8.html) |
| 198 | +- [AIDE Documentation](https://aide.github.io/) |
| 199 | +- [Verifying RPM Packages](https://access.redhat.com/solutions/14303) |
| 200 | +- [Using sha256sum](https://man7.org/linux/man-pages/man1/sha256sum.1.html) |
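Review bot: the filter in step 2 of the Bonus Challenge, `rpm -Va | grep -v '^..5'`, drops exactly the lines an auditor should keep: the `5` in the third column is the file digest mismatch, the strongest evidence that a file's contents changed, and the grep removes every line carrying it (including lines such as `S.5....T.` where size and mtime differ as well), so the claim that what remains are "higher confidence indicators of real change" is inverted; a lone `.......T.` is the lowest-confidence result `rpm -V` can produce. If the intent is to suppress expected noise from locally edited configuration files, filter on the file type instead, e.g. `rpm -Va --noconfig` or `rpm -Va | grep -v ' c '`, and say plainly that a digest mismatch on a non-config file such as /usr/sbin/sshd is the result to escalate. Related, in the flag legend: current rpm documents `5` as "digest (formerly MD5 sum) differs" and RPM 4.x packages carry SHA-256 file digests, so `5 - MD5 checksum mismatch` should read "digest mismatch".

In "Auditing a File in a Package", `dnf download openssh-server` fetches the newest build in the enabled repositories, which need not be the version that is installed; if they differ the hashes will differ for a benign reason and the "If the hashes are different, the file has been modified" conclusion does not hold. Pin the download to the installed NVR (for example `dnf download openssh-server-$(rpm -q --qf '%{VERSION}-%{RELEASE}' openssh-server)`) or compare against `rpm -q --dump openssh-server` from the local database first, and verify the downloaded .rpm with `rpm -K` before treating it as ground truth.

Missing documentation: the introduction asks "Was this package installed from a trusted source?" but nothing in the section answers it; the Signature line of `rpm -qi` and `rpm -K` / `rpm --checksig` on the package file are the tools for that question. Also worth one sentence in "Verifying Package Integrity": `rpm -V` compares files against the local rpm database, which an attacker with root can rewrite, so it is a troubleshooting and drift check rather than tamper evidence; the AIDE section should say the same about its baseline, i.e. initialise it on a known-good host and keep the database read-only or off-box. Minor: in step 5, `rpm -q ... -f` only names the owning package; the expected mode for the comparison is the mode column of `rpm -q --dump openssh-server | grep sshd_config`, and the closing sentence could name the recovery commands (`dnf reinstall openssh-server`, or `rpm2cpio openssh-server*.rpm | cpio -idmv ./etc/ssh/sshd_config`).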