[Yum] idea for system verification via python+rpm

Hi,
An idea has occurred on the rhl-devel list - the idea was originally
Jeff Johnson's in one form or another but I kinda expanded on that a bit
and I thought if someone on here was interested in doing some coding and
was security-minded they might want to work on this.

The idea is this: rpm -V is a great utility to check files vs your rpmdb
knowledge of the files - but it falls apart for serious security checks
b/c a cracker could just change your rpmdb and fool rpm -V.

So let's try this out.
You have a large set of rpm headers on a remote, trusted, secure site.
They are keyed on name-epoch-version-release-architecture.

With that info you should be able to identify any header versus any
package.

I run a program on my system asking it to check the validity of the
files in the package.

It queries my local rpmdb to see which name-epoch-ver-rel-arch I have
installed.

It then goes to this remote site and asks for the header corresponding
to that rpm.

It gets the header. The rpm header has a complete list of files and
dirs. It also has the original md5sum, ownerships and permissions for
each file and dir.

So it reads that info from the header, performs md5sum checks and
permission look-ups on each file on your disk that is listed in the
header.

Compares the two and tells you what differences there are.

Now the advantage of this is that if your rpmdb is cracked or
compromised in some way you'll be able to tell. You'll be asking for the
rpm version from your rpmdb but that won't harm you.

i.e.: if your rpmdb is cracked and they modify the information on the
package you're asking to look up then there are only a small number of
ways they could modify that info.

1. they could remove that package from the rpmdb - but then if you
expected the package to be installed and it wasn't you'd know something
is wrong
2. they could return a different package version - if the remote header
site didn't have the header for that version of the package then you'd
know something is wrong. If the remote repository does have the header
for that version and the files' md5sum/permissions don't match then
you'd know something is wrong.
3. they could change the md5sum and permission information in the rpmdb
for that package - but you don't care, you're getting that information
from a remote trusted server.

So does anyone think that'd be useful?
Does anyone want to work on that?

-sv
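
The comparison step described in the message above, as an added Python example that is not part of the original post or of yum/rpm. `verify_package`, the entry layout (`path`, `mode`, `uid`, `gid`, `md5`) and the package key are hypothetical; the trusted header data is assumed to be already fetched from the remote site, and numeric uid/gid stand in for the header's ownership fields.

```python
import hashlib, os, stat, tempfile

def file_md5(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_package(key, trusted_headers, root="/"):
    """Check on-disk files against the trusted record for `key`, the
    name-epoch-version-release-arch string reported by the local rpmdb.
    Returns (path, problem) tuples. Numeric uid/gid is a simplification."""
    entries = trusted_headers.get(key)
    if entries is None:
        return [(key, "no-trusted-header")]  # trusted site lacks this version
    problems = []
    for e in entries:
        path = os.path.join(root, e["path"].lstrip("/"))
        try:
            st = os.lstat(path)
        except FileNotFoundError:
            problems.append((e["path"], "missing"))
            continue
        if stat.S_IMODE(st.st_mode) != e["mode"]:
            problems.append((e["path"], "mode"))
        if (st.st_uid, st.st_gid) != (e["uid"], e["gid"]):
            problems.append((e["path"], "owner"))
        # Directories carry no digest; only regular files are hashed.
        if e["md5"] and stat.S_ISREG(st.st_mode) and file_md5(path) != e["md5"]:
            problems.append((e["path"], "md5"))
    return problems

def demo():
    """Constructed sample: one file under a temp root, checked, then tampered."""
    key = "tool-0-1.0-1-noarch"  # made-up package key
    with tempfile.TemporaryDirectory() as root:
        target = os.path.join(root, "usr/bin/tool")
        os.makedirs(os.path.dirname(target))
        with open(target, "wb") as f:
            f.write(b"original contents\n")
        os.chmod(target, 0o755)
        st = os.lstat(target)
        trusted = {key: [{"path": "/usr/bin/tool", "mode": 0o755, "uid": st.st_uid,
                          "gid": st.st_gid, "md5": file_md5(target)}]}
        clean = verify_package(key, trusted, root)
        with open(target, "ab") as f:
            f.write(b"injected\n")
        os.chmod(target, 0o777)
        tampered = verify_package(key, trusted, root)
        return clean, tampered, verify_package("tool-0-9.9-1-noarch", trusted, root)
```

Nothing in `verify_package` reads file metadata from the local rpmdb; the only local input is the package key, so edits to the rpmdb's stored digests or modes cannot change the result.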





