Verify File Hashes with RPM
An XCCDF Rule
Description
Without cryptographic integrity protections, system executables and files can be altered by unauthorized users without detection. The RPM package management system can check the hashes of installed software packages, including many that are important to system security. To verify that the cryptographic hash of system files and commands matches vendor values, run the following command to list which files on the system have hashes that differ from what is expected by the RPM database:
$ rpm -Va --noconfig | grep '^..5'
If the file was not expected to change, investigate the cause of the change using audit logs or other means. The package can then be reinstalled to restore the file. Run the following command to determine which package owns the file:
$ rpm -qf FILENAME
The package can be reinstalled from a zypper repository using the command:
$ sudo zypper reinstall PACKAGENAME
Alternatively, the package can be reinstalled from a package file on trusted media using the command (add --replacepkgs when the same version is already installed, otherwise rpm refuses to reinstall it):
$ sudo rpm -Uvh PACKAGENAME
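The procedure above keys on the third character of each rpm -V attribute string. The following shell script is an added example, not part of the rule or of the SCAP Security Guide: it parses a constructed sample of rpm -Va output (the paths and attribute strings are made up for illustration), lists the non-config files whose digest differs, reports files rpm marks as missing (which grep '^..5' never catches, since those lines begin with the word "missing" instead of an attribute string), and decodes the attribute string into the names of the failed checks. The owning_packages helper is the only part that needs rpm on the host and is not run in the demonstration.

```shell
#!/bin/sh
# Added example: parse `rpm -Va` output offline. SAMPLE_RPM_VA is a constructed
# sample written for this example; it is not output from any real system.
SAMPLE_RPM_VA='S.5....T.    /usr/bin/ls
.......T.    /usr/lib64/libexample.so.1
S.5....T.  c /etc/ssh/sshd_config
missing     /usr/sbin/sshd
.M.......    /usr/bin/passwd
SM5DLUGTP    /usr/bin/sudo'

# Paths whose digest check failed (column 3 of the attribute string is "5").
# Config files carry a "c" file-type marker; they are skipped here, which is
# the same exclusion `--noconfig` performs before grep ever sees the line.
hash_mismatched_files() {
    printf '%s\n' "$1" | awk '
        substr($1, 3, 1) == "5" && !(NF == 3 && $2 == "c") { print $NF }'
}

# Files rpm could not find at all. `grep "^..5"` never reports these, because
# the line starts with the word "missing" rather than an attribute string.
missing_files() {
    printf '%s\n' "$1" | awk '$1 == "missing" { print $NF }'
}

# Translate a 9-character attribute string (positions S M 5 D L U G T P, as
# documented in rpm(8)) into the names of the checks that failed.
describe_flags() {
    flags="$1"
    out=""
    i=1
    while [ "$i" -le 9 ]; do
        c=$(printf '%s\n' "$flags" | cut -c "$i")
        case "$c" in
            S) out="$out size" ;;
            M) out="$out mode" ;;
            5) out="$out digest" ;;
            D) out="$out device" ;;
            L) out="$out symlink" ;;
            U) out="$out user" ;;
            G) out="$out group" ;;
            T) out="$out mtime" ;;
            P) out="$out capabilities" ;;
        esac
        i=$((i + 1))
    done
    printf '%s' "${out# }"
}

# On a real host: map flagged paths to the packages that own them, deduplicated
# so each package is reinstalled once. Requires rpm; not run in the demo below.
owning_packages() {
    # shellcheck disable=SC2086  # word splitting of the path list is intended
    rpm -qf $1 | sort -u
}

# Demonstration on the constructed sample (no rpm needed):
printf 'digest mismatch (non-config files):\n'
hash_mismatched_files "$SAMPLE_RPM_VA" | sed 's/^/  /'
printf 'missing files:\n'
missing_files "$SAMPLE_RPM_VA" | sed 's/^/  /'
printf 'failed checks per line:\n'
printf '%s\n' "$SAMPLE_RPM_VA" | while read -r attrs rest; do
    case "$attrs" in
        missing) ;;
        *) printf '  %-10s %s\n' "$attrs" "$(describe_flags "$attrs")" ;;
    esac
done
```

Feed real output with `hash_mismatched_files "$(rpm -Va)"`; because the function already drops lines carrying the config-file marker, the result matches what `rpm -Va --noconfig | grep '^..5'` would list, and the missing_files report covers the deleted-binary case the rule's grep does not.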
Warning: This rule can take a long time to perform the check and might consume a considerable amount of resources depending on the number of packages present on the system. It is not a problem in most cases, but systems with a large number of installed packages can be affected.
Rationale
The hashes of important files like system executables should match the information given by the RPM database. Executables with erroneous hashes could be a sign of nefarious activity on the system.
- ID
- xccdf_org.ssgproject.content_rule_rpm_verify_hashes
- Severity
- High
- References
- Updated
Remediation - Shell Script
#!/bin/bash
# Find which files have an incorrect hash and extract their names. Config files
# (typically under /etc) are excluded by --noconfig, because they are expected to change.
files_with_incorrect_hash="$(rpm -Va --noconfig | grep -E '^..5' | awk '{print $NF}' )"

if [ -n "$files_with_incorrect_hash" ]; then
    # From the file names get the owning package names. rpm writes each package on its own
    # line, so deduplicate and turn the newlines into spaces to build one argument list.
    packages_to_reinstall="$(rpm -qf $files_with_incorrect_hash | sort -u | tr '\n' ' ')"

    zypper reinstall -y $packages_to_reinstall
fi
Remediation - Ansible
- name: 'Set fact: Package manager reinstall command'
  set_fact:
    package_manager_reinstall_cmd: zypper reinstall -y
  # zypper is the SUSE package manager, so gate the fact on the SUSE OS family
  when: ansible_os_family == "Suse"
  tags:
  - CCE-85788-8