backup - use rpm -V against a backed-up database

rpm(1) provides the -V option to verify installed files against the installation database, which can be used to detect modified or missing files. This might be used as a form of intrusion detection (or at least as part of an audit). However, it is of course possible that the rpm database on an installed system has been modified by a hacker to hide their tracks (see http://www.sans.org/security-resources/idfaq/rpm.php, last sentence).

It looks like it should be possible to back up the rpm database /var/lib/rpm after every install (to an external medium) and use it during an audit via --dbpath. Such a backup would, of course, have to be updated after every install or upgrade etc.

Is this feasible? Are there resources that detail methods, pitfalls, suggestions etc. for this?
Yes, it is feasible. Use "rpm -Va --dbpath /some/where/else" to point at the saved database directory.

Copy /var/lib/rpm/Packages to the saved /some/where/else directory, and run "rpm --rebuilddb --dbpath /some/where/else" to regenerate the indices.

Note that you can verify files using the original packaging with "rpm -Vp some*.rpm", which is less hassle (and more secure, with read-only offline media storing the packages) than saving copies of the installed /var/lib/rpm/Packages rpmdb.
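Whichever database you verify against, the audit still has to read the `rpm -Va` output and decide which lines matter. The script below is an added example (not code from the question or the answer above): it builds the `rpm -Va --dbpath <dir>` invocation, parses the verify output format (nine flag columns S M 5 D L U G T P, or eight on older rpm, an optional file-type column, then the path; "missing" replaces the flag columns for absent files) and assigns a triage severity. The severity rules and the sample output are constructed for this example and are not rpm's own.

```python
"""Parse and triage `rpm -Va --dbpath <backup>` output.

Added example. The sample verify output is constructed, and the
severity rules below are this script's own, not part of rpm.
"""
import re
import subprocess
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One verify line per file with a discrepancy:
#   flag columns (S size, M mode, 5 digest, D device, L link, U user,
#   G group, T mtime, P capabilities; '.' = OK, '?' = not testable),
#   an optional file-type column (c config, d doc, g ghost, l license,
#   r readme, P pubkey), then the path. Missing files print "missing".
VERIFY_LINE = re.compile(
    r"^(?P<flags>missing|[SM5DLUGTP.?]{8,9})\s+"
    r"(?:(?P<ftype>[cdglrP])\s+)?(?P<path>/\S.*)$"
)


@dataclass
class Finding:
    path: str
    flags: str            # raw flag columns, or "missing"
    ftype: Optional[str]  # file-type column, None when absent
    severity: str         # "high", "medium", "low" or "info"
    reason: str


def verify_command(dbpath: str) -> List[str]:
    """argv for verifying every package against the rpmdb at dbpath."""
    return ["rpm", "-Va", "--dbpath", dbpath]


def classify(flags: str, ftype: Optional[str]) -> Tuple[str, str]:
    """Map verify flags to a triage severity (rules are this example's own)."""
    if flags == "missing":
        if ftype in ("g", "d", "r", "l"):
            return "info", "missing ghost/doc file"
        return "high", "packaged file missing"
    content_changed = any(c in flags for c in "S5L")
    perm_changed = any(c in flags for c in "MUG")
    if content_changed and ftype != "c":
        return "high", "content of a non-config file changed"
    if perm_changed:
        return "medium", "mode/owner/group changed"
    if content_changed:
        return "low", "config file edited"
    return "info", "metadata-only change (mtime/device/caps)"


def parse_verify_output(text: str) -> List[Finding]:
    """Turn rpm -Va output into Findings; non-matching lines are skipped."""
    findings = []
    for line in text.splitlines():
        m = VERIFY_LINE.match(line.rstrip())
        if not m:
            continue  # e.g. "Unsatisfied dependencies ..." or warnings
        severity, reason = classify(m.group("flags"), m.group("ftype"))
        findings.append(Finding(m.group("path"), m.group("flags"),
                                m.group("ftype"), severity, reason))
    return findings


def high_findings(findings: List[Finding]) -> List[Finding]:
    return [f for f in findings if f.severity == "high"]


def run_verify(dbpath: str) -> List[Finding]:
    """Run rpm against the backed-up database and triage the result.

    rpm -Va exits non-zero whenever any file differs, so check=True
    must not be used here; the output is what carries the information.
    """
    proc = subprocess.run(verify_command(dbpath), capture_output=True, text=True)
    return parse_verify_output(proc.stdout)


# Constructed sample of rpm -Va output (not real system data).
SAMPLE = """\
S.5....T.  c /etc/ssh/sshd_config
S.5....T.    /usr/bin/ps
.M.......    /usr/bin/passwd
.......T.    /usr/lib64/libfoo.so.1
missing   d /usr/share/doc/bash/README
missing     /usr/sbin/sshd
Unsatisfied dependencies for foo-1.0-1.x86_64:
"""

if __name__ == "__main__":
    for f in parse_verify_output(SAMPLE):
        print(f"{f.severity:6} {f.flags:9} {f.path}  ({f.reason})")
```

Run against a real backup with `run_verify("/mnt/audit/rpmdb")` after the `--rebuilddb` step from the answer; the sample in `SAMPLE` lets the parser be exercised offline. Only the "high" entries (a digest or size change on a non-config file, or a missing non-doc file) need immediate attention; edited config files and timestamp-only changes are common on a healthy system and are listed at lower severity so they do not drown the real signal.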