Skip to content

Verify File Hashes with RPM

An XCCDF Rule

Description

Without cryptographic integrity protections, system executables and files can be altered by unauthorized users without detection. The RPM package management system can check the hashes of installed software packages, including many that are important to system security. To verify that the cryptographic hash of system files and commands matches vendor values, run the following command to list which files on the system have hashes that differ from what is expected by the RPM database:

$ rpm -Va --noconfig | grep '^..5'
If the file was not expected to change, investigate the cause of the change using audit logs or other means. The package can then be reinstalled to restore the file. Run the following command to determine which package owns the file:
$ rpm -qf FILENAME
                    
The package can be reinstalled from a yum repository using the command:
$ sudo yum reinstall PACKAGENAME
                    
Alternatively, the package can be reinstalled from trusted media using the command:
$ sudo rpm -Uvh PACKAGENAME
                    

warning alert: Warning

This rule can take a long time to perform the check and might consume a considerable amount of resources depending on the number of packages present on the system. It is not a problem in most cases, but especially systems with a large number of installed packages can be affected. See https://access.redhat.com/articles/6999111.

Rationale

The hashes of important files like system executables should match the information given by the RPM database. Executables with erroneous hashes could be a sign of nefarious activity on the system.

ID
xccdf_org.ssgproject.content_rule_rpm_verify_hashes
Severity
High
References
Updated



Remediation - Ansible

- name: 'Set fact: Package manager reinstall command'
  set_fact:
    package_manager_reinstall_cmd: yum reinstall -y
  when: ansible_distribution in [ "Fedora", "RedHat", "CentOS", "OracleLinux" ]
  tags:
  - CJIS-5.10.4.1

Remediation - Shell Script


# Find which files have incorrect hash (not in /etc, because of the system related config files) and then get files names
files_with_incorrect_hash="$(rpm -Va --noconfig | grep -E '^..5' | awk '{print $NF}' )"

if [ -n "$files_with_incorrect_hash" ]; then
    # From files names get package names and change newline to space, because rpm writes each package to new line