Wednesday, April 20, 2016

Verify Package Integrity Using RPM

RPM is a great utility used to install, upgrade and verify software packages on your Red Hat system. It's the verify feature that we are most interested in as this can be used to check our files and make sure they have not been modified or replaced.

I was trying to check the package integrity using RPM. Unfortunately, I was having a hard time reading the output.

For example, how should I interpret this output?

S.5....T.    /etc/init/serial.conf
.M.......    /usr/lib
.M....G..    /usr/sbin/cvuqdisk
missing     /lib/modules/2.6.32-300.25.1.el6uek.x86_64/extra

Here is a way of interpreting the output of the command:
# rpm -qVa | awk '$2 != "c" {print $0}'

To explain the switches of the above command: "-q" puts rpm in query mode, "-V" verifies the files of a package against the sizes, checksums, permissions, owners, groups and timestamps recorded in the RPM database, and "-a" applies this to every installed package. The awk filter drops lines whose second column is "c", i.e. configuration files, which are expected to differ from the packaged versions. The output we receive may look like the output published above.

The only files that get listed are the files that fail the verification. Any files that are not listed passed every test and are assumed to be OK. On the left of this output we have the reason why this particular file failed the verify check. A legend of the results is as follows:

S = size change
M = permissions change
5 = MD5 changed
L = Symlink changed
D = Device change
U = User change
G = Group change
T = Date/Time change
missing = file is gone


When reviewing RPM's output, keep an eye out for very strange entries, such as a change in the MD5 value while the date/time stamp and/or file size are reported as unchanged. This could be caused by an attacker who has modified or replaced files and is trying to cover their tracks. For the other files we need to check carefully whether their integrity has been compromised or not.

To analyze the results, take the above output as an example: it says the file has been modified. For configuration files this is common, since they need to be modified to suit the requirements. But we should ensure that they have been modified correctly and that the changes are legitimate.
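As an added example (not from the original post), here is a small Python script that decodes the status field of each rpm -V line using the legend above, applies the same config-file filter as the awk command, and flags the pattern warned about above: MD5 changed while size and timestamp are reported unchanged. The embedded sample output is constructed from the four lines shown earlier plus two added lines; the ninth column "P" (capabilities) is not in the legend above and is assumed from newer rpm versions' verify format.

```python
import re

# Columns of the rpm -V status field, in order. The post's legend covers the first
# eight; "P" (capabilities) is the ninth column printed by newer rpm versions (assumed).
FLAG_MEANINGS = {"S": "size change", "M": "permissions change", "5": "MD5 changed",
                 "D": "device change", "L": "symlink changed", "U": "user change",
                 "G": "group change", "T": "date/time change", "P": "capabilities changed"}

# status field, optional file-type letter (c = config file, as used by the awk filter), path
LINE_RE = re.compile(r"^(?P<status>[SM5DLUGTP.?]{8,9}|missing)\s+(?:(?P<ftype>[cdglr])\s+)?(?P<path>/\S+)$")


def parse_verify_line(line):
    """Decode one rpm -V line into the reasons it was listed; None if it is not a verify line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    status, path = m.group("status"), m.group("path")
    missing = status == "missing"
    reasons = [] if missing else [FLAG_MEANINGS[c] for c in status if c in FLAG_MEANINGS]
    # The pattern the post warns about: contents (MD5) differ, yet size and mtime are
    # reported unchanged, which is what a replacement that preserves both would look like.
    suspicious = not missing and "5" in status and "S" not in status and "T" not in status
    return {"path": path, "config": m.group("ftype") == "c", "missing": missing,
            "reasons": reasons, "suspicious": suspicious}


def triage(output, skip_config=True):
    """Parse whole rpm -qVa output; skip_config mirrors the awk '$2 != "c"' filter in the post."""
    entries = [parse_verify_line(line) for line in output.splitlines()]
    return [e for e in entries if e is not None and not (skip_config and e["config"])]


# Constructed sample: the four lines from the post plus two added lines, a config file
# and a binary whose MD5 changed while size and timestamp did not.
SAMPLE_OUTPUT = """\
S.5....T.    /etc/init/serial.conf
.M.......    /usr/lib
.M....G..    /usr/sbin/cvuqdisk
missing     /lib/modules/2.6.32-300.25.1.el6uek.x86_64/extra
..5......  c /etc/ssh/sshd_config
..5......    /usr/bin/ls
"""

if __name__ == "__main__":
    for e in triage(SAMPLE_OUTPUT):
        tag = "MISSING" if e["missing"] else "SUSPICIOUS" if e["suspicious"] else "changed"
        print(f"{tag:10} {e['path']}: {', '.join(e['reasons']) or 'file is gone'}")
```

Piping real output into it (`rpm -qVa | python3 triage.py` with the sample replaced by `sys.stdin.read()`) gives a quick list of the entries worth a closer look.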
