While rpm's verify options are useful in many cases, they are not in this one. The use case is: admin-A takes ownership of server-C from admin-B; admin-B might have infested server-C with all kinds of "custom" code (and even worse, scripts executing as root). How does admin-A ensure no custom code (scripts are probably even harder?) is running on server-C?
This looks to me like it needs collaboration from the auditing subsystem (whenever a process starts) and SELinux (detecting/blocking executables not meeting signing requests, or at least logging what happened).
Does Fedora have the tools to accomplish such a task today? If not, what's missing?
Regards
On Sat, May 9, 2009 at 10:12 PM, Mathieu Bridon (bochecha) <bochecha@xxxxxxxxxxxxxxxxx> wrote:
Hi,

> Is there any technology in fedora, that enables me to ensure that ALL
> running code on a certain server (even code not installed from RPMs, such as
> say by a legacy admin), has been signed by redhat, and to warn me about
> un-signed code that is running or about to run. I am interested to verify a
> server is in a "known-good" state

I don't know of any « One True Solution », but you could use things like:
$ rpm -qaV
-> this will list all files modified _after_ they were installed via RPM
$ rpm -qf <some file>
-> this will tell you the package that this file belongs to
You can then use the « --queryformat » option of RPM to get various
information about a package, for example where it came from.
For files installed not using RPM, I'm not sure how to verify this,
but as Fedora only provides files in RPMs, I'm pretty confident that
no file outside an RPM will be signed by Fedora.
For RedHat, I have no idea, but you are on a Fedora mailing-list ;)
----------
Mathieu Bridon (bochecha)
--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
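An added example, not from the thread: a small Python script that parses the output of `rpm -Va` (the `rpm -qaV` step above) and separates the lines a new admin should look at first (non-config files that are missing or whose size, digest or mode changed) from the expected noise (config, ghost and doc files, mtime-only changes). The sample lines are constructed; the flag and file-type letters follow rpm's verify output format.

```python
import re
from dataclasses import dataclass

# One `rpm -Va` line: 9 attribute columns (8 on older rpm) or the word
# "missing", an optional file-type marker (c=config, d=doc, g=ghost,
# l=license, r=readme) and the path. "?" means a test could not be run.
_LINE = re.compile(
    r"^(?P<flags>[SM5DLUGTP.?]{8,9}|missing)\s+"
    r"(?:(?P<ftype>[cdglr])\s+)?(?P<path>/\S.*)$"
)

# S=size, 5=digest, M=mode: a change here means different content or bits.
CONTENT_FLAGS = set("S5M")

@dataclass
class VerifyResult:
    path: str
    flags: str      # e.g. "S.5....T." or "missing"
    ftype: str      # "" for an ordinary payload file
    missing: bool

def parse_verify_output(text):
    """Parse `rpm -Va` output; non-matching lines (warnings etc.) are skipped."""
    results = []
    for line in text.splitlines():
        m = _LINE.match(line.rstrip())
        if m:
            flags = m.group("flags")
            results.append(VerifyResult(m.group("path"), flags,
                                        m.group("ftype") or "", flags == "missing"))
    return results

def triage(results):
    """Return (suspicious, expected): config/ghost files and mtime-only
    changes are expected; missing or content-changed payload files are not."""
    suspicious, expected = [], []
    for r in results:
        if r.ftype in ("c", "g"):
            expected.append(r)
        elif r.missing or any(f in r.flags for f in CONTENT_FLAGS):
            suspicious.append(r)
        else:
            expected.append(r)
    return suspicious, expected

# Constructed sample of `rpm -Va` output for a stand-alone run.
SAMPLE = """\
S.5....T.  c /etc/ssh/sshd_config
.......T.  d /usr/share/doc/bash/README
..5....T.    /usr/bin/passwd
.M.......    /usr/sbin/useradd
missing      /usr/lib64/libz.so.1
.......T.  g /var/lib/rpm/Packages
"""
```

Files that `rpm -Va` never lists (because no package owns them) still need the `rpm -qf` step from the thread; on the host, pipe real output in with `rpm -Va | python3 this_script.py` after adding a `sys.stdin` reader.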