THERE’S GOLD IN THEM THAR PACKAGE MANAGEMENT DATABASES!
Phil Hagen
phil@lewestech.com
@PhilHagen
plus.google.com/+PhilHagen
Image: flickr.com/matthigh
WHY ARE WE HERE?
Goals:
- Describe the value of package management databases during the course of a Linux system forensic examination
- Provide information with immediate benefit!
2
WHO IS THIS GUY?
- Forensic/infosec consultant
- Former DoD/IC contractor, USAF Comm Officer (USAFA CompSci)
- Course lead, FOR572: Advanced Network Forensics & Analysis
- Linux guy since Slackware needed a stack of floppies and an unsupported SCSI controller meant bootstrapping a kernel compilation
3
OPEN SOURCE: INFINITE POWER
(ITTY BITTY LIVING SPACE)
- Downloading and compiling source code is an amazingly powerful aspect of most open-source software
- Not viable for the large scale of a production environment
- Does not address dependencies
- No common install/uninstall process
- Fun for the lab or a hobbyist environment, but a headache in an operational environment
4
PACKAGE MANAGEMENT SOFTWARE TO THE RESCUE!
- Dependencies, file manifests, install/uninstall/upgrade scripts
- Generally makes software management less of a headache!
- Many solutions in widespread use among various distributions:
  - opkg (fork of ipkg): Embedded devices like QNAP NAS, etc.
  - dpkg: Debian and Ubuntu
  - tgz: Slackware
  - RPM: RedHat, CentOS, Fedora, many more (part of Linux Standard Base)
5
…STILL NOT END-ALL/BE-ALL
- Most incorporate higher-layer software to handle automatic inclusion of dependencies and other “meta” functions and avoid the much-feared “dependency hell” or “RPM hell”
  - apt-get / aptitude
  - YUM
  - RedHat Network
- Not focusing on this higher-layer software
  - Some useful artifacts available - bad guys known to “yum install nmap”
6
SCOPE FOR THIS PRESENTATION
- Just looking at RPM
  - Most concepts apply to other package management standards
  - Notably dpkg
- All examples created and tested on CentOS 6.5
  - Ideally: Same OS as subject (RPM library versions, etc.)
  - Technically: Same version of RPM, BDB, related libraries
  - May have some success with unmatched versions, but beware!!
- Presentation notes (including all commands) published soon
  - http://stuffphilwrites.com
7
SOURCES FOR RPM EVIDENCE
- Populates Berkeley database
  - Lives in /var/lib/rpm/
  - Includes metadata for every RPM-controlled file:
    - User/Group ownership
    - Mode (aka permissions)
    - MD5 (er… SHA256) checksum
    - File size
    - Major/minor number (for entries in /dev/)
    - Symbolic link string (aka “target”) for symlinks
    - Modification time
- /var/log/yum.log
  - May have useful timestamped history of install/remove/upgrade actions
- /var/log/rpmpkgs*
8
PRACTICAL USAGE
1. Mount all partitions from subject filesystem under /mnt/subject/

$ mount | grep subject
/dev/mapper/vg_centos6vm-lv_root on /mnt/subject type ext4 (ro,noload)
/dev/mapper/loop0p1 on /mnt/subject/boot type ext4 (ro,noload)

2. Run RPM commands with the “--root /mnt/subject” option
   - Don’t trust the rpm(1) binary from a suspect system!
   - Note: This performs a chroot(2) for all operations - needs root user privileges for validation (not query) actions
9
USE CASE: FILE ORIGIN
$ rpm -qf filename
- Identifies what package owns the specified file
- Useful to answer “where did this file come from?” or to identify a file as package-less

$ rpm --root /mnt/subject -qf /usr/sbin/sshd
openssh-server-5.3p1-94.el6.x86_64
$ rpm --root /mnt/subject -qf /etc/mail.rc
mailx-12.4-7.el6.x86_64
$ rpm --root /mnt/subject -qf /etc/crypttab
file /etc/crypttab is not owned by any package
(Remember chroot! The “--root” option makes the queries run against the subject’s database.)
10
USE CASE: PACKAGE VALIDATION (1)
$ rpm -V packagename
- Verifies contents of specified package
- Compares expected (database) to actual (filesystem)
- Displays files that failed at least one check, noting which checks failed
- SM5DLUGT (Size, mode, MD5 (or SHA256!), major/minor nos, link target, user, group, mtime)
- Shows “?” in output if user running command lacks permission to check (e.g. read access to generate checksums)
11
USE CASE: PACKAGE VALIDATION (2)
WARNING!!!
- Packages can include “verification scripts” which will execute when the “-V” option is used!
- You’re not planning to run arbitrary, unknown code on your forensic workstation/VM, are you?
- The chroot action needs root - these will execute as a child to the sudo process!
- Use the “--noscripts” option with “-V” to prevent this
12
USE CASE: PACKAGE VALIDATION (3)
- Some files are expected to change after installation: config files!
- Still show changes after installation, but denoted with a “c” character
- Missing files also noted in output as such

$ sudo rpm --root /mnt/subject -V openssh-server --noscripts
(no output)
$ sudo rpm --root /mnt/subject -V sudo --noscripts
S.5....T. c /etc/sudoers
13
USE CASE: PACKAGE VALIDATION (4)
$ sudo rpm --root /mnt/subject -Va --noscripts
S.5....T. c /etc/sudoers
.M.......   /proc
S.5....T. c /etc/maven/maven2-depmap.xml
....L.... c /etc/pam.d/fingerprint-auth
....L.... c /etc/pam.d/password-auth
....L.... c /etc/pam.d/smartcard-auth
....L.... c /etc/pam.d/system-auth
..5....T. c /usr/lib64/security/classpath.security

$ rpm --root /mnt/subject -V postfix --noscripts
missing   c /etc/postfix/master.cf
14
COOL FEATURE ALERT!
- Many packages are GPG-signed
- Independently verify package without using compromised or untrusted system
- However: RPM database contents not signed: Trojaned RPM package reports no anomalies!
- How can we use this great feature to our advantage?
15
VALIDATE FILESYSTEM AGAINST A PACKAGE FILE (1)
- The “-p” option runs validation checks between filesystem contents and RPM package file contents
- Signed package files can be GPG-verified!
- Avoids an untrusted RPM database entirely
- Prevents false negative validation from compromised RPM installations
- Relatively simple process:
  1. Download trusted binary RPM file
  2. Validate RPM file using GPG
  3. Validate filesystem contents against package contents
16
VALIDATE FILESYSTEM AGAINST A PACKAGE FILE (2)
Consider a system with a compromised RPM database, or a trojaned installation of the Apache web server software

$ rpm --root /mnt/subject -V httpd --noscripts
S.5....T c /etc/httpd/conf/httpd.conf
$ wget http://mirror.centos.org/centos-5/5.10/os/x86_64/CentOS/httpd-2.2.3-82.el5.centos.x86_64.rpm
$ rpm -K httpd-2.2.3-82.el5.centos.x86_64.rpm
httpd-2.2.3-82.el5.centos.x86_64.rpm: (sha1) dsa sha1 md5 gpg OK
$ rpm --root /mnt/subject -Vp httpd-2.2.3-82.el5.centos.x86_64.rpm --noscripts
S.5....T c /etc/httpd/conf/httpd.conf
S.5....T   /usr/sbin/httpd
17
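The point of slides 15 through 17 is that a check is only as good as the reference data it compares against: the RPM database lives on the subject disk, the signed package file does not. The script below is an added example (not from the deck) that replays that logic in a scratch directory with one constructed file and two one-line digest records standing in for the database entry and the package manifest; db_check, pkg_check, verify_against and digest are names chosen here, not rpm options.

```shell
#!/bin/sh
# Added example, not from the deck: a database-only check gives a false
# negative when the reference record on the subject disk was rewritten along
# with the file, while a check against an independently obtained, signed
# package file still catches the change. Everything here is constructed.

digest() {  # SHA-256 of a file, with whichever tool the workstation has
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d ' ' -f1
  else
    shasum -a 256 "$1" | cut -d ' ' -f1
  fi
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
mkdir -p "$WORK/root/usr/sbin"
printf 'original httpd binary (constructed)\n' > "$WORK/root/usr/sbin/httpd"

# Two reference records built from the pristine file: the subject's own
# RPM database entry, and the manifest inside the signed package file.
digest "$WORK/root/usr/sbin/httpd" > "$WORK/db.record"
cp "$WORK/db.record" "$WORK/pkg.record"

# Compare a file's current digest with a reference record. Exit 0 = matches.
verify_against() {  # $1 = record file, $2 = file on the subject filesystem
  [ "$(cat "$1")" = "$(digest "$2")" ]
}

# Simulated compromise: the binary is replaced AND the local database record
# is rewritten to match it. The package file on the mirror is untouched.
printf 'trojaned httpd binary (constructed)\n' > "$WORK/root/usr/sbin/httpd"
digest "$WORK/root/usr/sbin/httpd" > "$WORK/db.record"

# rpm -V style: filesystem vs. the database on the subject disk
db_check()  { verify_against "$WORK/db.record"  "$WORK/root/usr/sbin/httpd"; }
# rpm -Vp style: filesystem vs. the GPG-verified package file
pkg_check() { verify_against "$WORK/pkg.record" "$WORK/root/usr/sbin/httpd"; }

if db_check; then
  echo "database check:     /usr/sbin/httpd reports no anomalies (false negative)"
fi
if ! pkg_check; then
  echo "package-file check: /usr/sbin/httpd digest mismatch"
fi
```

The scratch directory is removed on exit; the two record files are the only state the checks read, which is exactly why the first one cannot be trusted once the attacker has write access to /var/lib/rpm on the subject.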
REAL-WORLD USE CASES (1)
Find all non-config files owned by an RPM that fails a verification check

$ sudo rpm --root /mnt/subject -Va --noscripts | grep -v " c "
...
S.5....T /var/www/awstats/lang/awstats-tt-tr.txt
S.5....T /var/www/awstats/lang/awstats-tt-tw.txt
S.5....T /var/www/awstats/lang/awstats-tt-ua.txt
.......T /var/www/awstats/lib/blacklist.txt
S.5....T /var/www/awstats/lib/browsers.pm
S.5....T /var/www/awstats/lib/browsers_phone.pm
...
18
REAL-WORLD USE CASES (2)
Find only config files owned by an RPM which fail checksum verification

$ sudo rpm --root /mnt/subject -Va --noscripts | grep "^..5..... c "
S.5....T c /etc/pam.d/sshd
S.5....T c /etc/ssh/sshd_config
S.5....T c /etc/openldap/slapd.conf
S.5....T c /etc/sysconfig/ldap
S.5..... c /etc/sysconfig/saslauthd
S.5..... c /etc/security/limits.conf
S.5....T c /etc/logrotate.conf
SM5....T c /etc/snmp/snmpd.conf
S.5....T c /etc/sysconfig/snmpd.options
...
19
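The SM5DLUGT flag string from slide 11 and the two grep filters from use cases (1) and (2) can be folded into one small triage script. This is an added example, not from the deck: it runs over constructed rpm -V output embedded in the script, uses only POSIX sh and awk, and needs no RPM database to try out. The function names (sample_verify_output, decode_flags, triage_verify, count_level) are mine.

```shell
#!/bin/sh
# Added example, not from the deck: triage "rpm -V" output with POSIX sh/awk.
# Input lines follow the verify format shown on the slides:
#   <SM5DLUGT flags, or "missing">  [c]  <path>
# The sample output below is constructed for this example.

sample_verify_output() {
cat <<'EOF'
S.5....T.  c /etc/ssh/sshd_config
.......T.    /usr/share/doc/foo/README
S.5....T.    /usr/sbin/sshd
....L....  c /etc/pam.d/system-auth
.M.......    /proc
missing    c /etc/postfix/master.cf
SM5DLUGT.    /bin/ls
EOF
}

# Expand a flag string such as "S.5....T." into the names of the failed
# checks. "." means the check passed and "?" means it could not be run
# (e.g. no read permission), so both are skipped.
decode_flags() {
  awk -v f="$1" 'BEGIN {
    if (f == "missing") { print "file missing"; exit }
    split("size mode digest device link user group mtime", name, " ")
    out = ""
    for (i = 1; i <= 8 && i <= length(f); i++) {
      ch = substr(f, i, 1)
      if (ch != "." && ch != "?") out = out (out == "" ? "" : ",") name[i]
    }
    print (out == "" ? "none" : out)
  }'
}

# Classify every verify line on stdin:
#   HIGH   - file missing, or a non-config file whose digest no longer matches
#   CONFIG - a file the package marks as config (drift is expected; review it)
#   LOW    - everything else (mtime-only changes, the mounted /proc, ...)
# Output: level<TAB>c-or-dash<TAB>flags<TAB>path
triage_verify() {
  awk '{
    flags = $1
    if (NF == 3 && $2 == "c") { cfg = "c"; path = $3 } else { cfg = "-"; path = $2 }
    if (flags == "missing")                            level = "HIGH"
    else if (cfg == "-" && substr(flags, 3, 1) == "5") level = "HIGH"
    else if (cfg == "c")                               level = "CONFIG"
    else                                               level = "LOW"
    printf "%s\t%s\t%s\t%s\n", level, cfg, flags, path
  }'
}

# Number of sample lines that land at a given level.
count_level() {
  sample_verify_output | triage_verify | awk -v l="$1" '$1 == l' | wc -l | tr -d ' '
}

# Demo: decoded report, grouped by level.
sample_verify_output | triage_verify | sort | while read -r level cfg flags path; do
  printf '%-6s %-35s %s\n' "$level" "$path" "$(decode_flags "$flags")"
done
```

Feed real output into triage_verify with `sudo rpm --root /mnt/subject -Va --noscripts | triage_verify`; the third character of the flag string is the digest check, which is why a non-config file with a "5" is the first thing to look at and an mtime-only change on a documentation file is not.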
REAL-WORLD USE CASES (3A)
Find all files not owned by an RPM (This is going to be slow!)

$ cat find_orphans.sh
for file in $( sudo find /mnt/subject/etc -type f ); do
  # strip the mount point so the path is relative to the chroot
  file=$( echo $file | sed -e 's/\/mnt\/subject//' )
  rpm --root /mnt/subject -qf $file 2>&1 | \
    grep -E 'package$|directory$' | \
    sed -E 's/^(error: )?file (.*)(: No such file or directory| is not owned by any package)/\2/'
done
$ ./find_orphans.sh
/etc/crypttab
/etc/sysconfig/network
/etc/sysconfig/keyboard
/etc/sysconfig/iptables
...
20
COOL PARTY TRICK (1)
- Use the “--queryformat” option to output only relevant/useful fields from the RPM database
- Provides 150 different tags that can be output for package or for each file in a package
- Available tags vary by version - online documentation is terrible
- Use “--querytags” for listing specific to your version of RPM
- Consider “RPMDBtoTimeline”…
22
COOL PARTY TRICK (2)*
$ for pkg in $( rpm --root /mnt/subject -qa ) ; do
    rpm --root /mnt/subject -q $pkg --queryformat \
      "[%{FILEDIGESTS}|%{FILENAMES}|0|%{FILEMODES:perms}|%{FILEUSERNAME}|%{FILEGROUPNAME}|%{FILESIZES}|0|%{FILEMTIMES}|0|0\n]" | \
      sed -e 's/^|/0|/' -e 's/|0|d/|0|d\/d/' -e 's/|0|-/|0|r\/r/'
  done
...
4398551f...a13988cf|/usr/share/doc/gamin-0.1.10/callbacks.gif|0|r/rrw-r--r--|root|root|4514|0|1183556209|0|0
0|/usr/lib64/libmenuw.so.5|0|lrwxrwxrwx|root|root|15|0|1282146079|0|0
0|/usr/share/cracklib|0|d/drwxr-xr-x|root|root|4096|0|1308983949|0|0
...

* “Cool” claim not valid at all parties. YMMV.
23
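The loop on this slide emits bodyfile lines (MD5|name|inode|mode|uid|gid|size|atime|mtime|ctime|crtime), which is what timeline tools consume. The script below is an added example, not from the deck, that consumes lines in that format and orders them by the recorded mtime, converting the epoch with POSIX awk arithmetic so it runs on any forensic workstation without GNU date. The sample lines are constructed; epoch_to_utc, timeline, modified_after and sample_bodyfile are names chosen here.

```shell
#!/bin/sh
# Added example, not from the deck: a mactime-style view of bodyfile lines.
# Bodyfile fields: MD5|name|inode|mode|uid|gid|size|atime|mtime|ctime|crtime
# The sample lines below are constructed for this example.

sample_bodyfile() {
cat <<'EOF'
4398551f00000000000000000000000000000000|/usr/share/doc/gamin-0.1.10/callbacks.gif|0|r/rrw-r--r--|root|root|4514|0|1183556209|0|0
0|/usr/lib64/libmenuw.so.5|0|lrwxrwxrwx|root|root|15|0|1282146079|0|0
0|/usr/share/cracklib|0|d/drwxr-xr-x|root|root|4096|0|1308983949|0|0
9a0b1c2d00000000000000000000000000000000|/usr/sbin/sshd|0|r/rrwxr-xr-x|root|root|537048|0|1395000000|0|0
EOF
}

# Convert a Unix epoch (>= 0) to "YYYY-MM-DD HH:MM:SS" in UTC using the
# days-to-civil-date algorithm, which needs only integer arithmetic.
epoch_to_utc() {
  awk -v t="$1" 'BEGIN {
    days = int(t / 86400); secs = t - days * 86400
    z = days + 719468
    era = int(z / 146097)
    doe = z - era * 146097
    yoe = int((doe - int(doe / 1460) + int(doe / 36524) - int(doe / 146096)) / 365)
    y = yoe + era * 400
    doy = doe - (365 * yoe + int(yoe / 4) - int(yoe / 100))
    mp = int((5 * doy + 2) / 153)
    d = doy - int((153 * mp + 2) / 5) + 1
    m = (mp < 10) ? mp + 3 : mp - 9
    if (m <= 2) y++
    printf "%04d-%02d-%02d %02d:%02d:%02d\n", y, m, d,
           int(secs / 3600), int((secs % 3600) / 60), secs % 60
  }'
}

# Read bodyfile lines on stdin and print them ordered by mtime (field 9):
# date<TAB>mode<TAB>size<TAB>path
timeline() {
  sort -t '|' -k9,9n | while IFS='|' read -r md5 name inode mode uid gid size atime mtime ctime crtime; do
    printf '%s\t%s\t%s\t%s\n' "$(epoch_to_utc "$mtime")" "$mode" "$size" "$name"
  done
}

# Count entries whose recorded mtime is later than a given epoch, e.g. files
# from the package database touched after the suspected compromise window opened.
modified_after() {  # $1 = epoch
  awk -F '|' -v t="$1" '$9 > t' | wc -l | tr -d ' '
}

first_timeline_entry() { sample_bodyfile | timeline | head -n 1; }

sample_bodyfile | timeline
echo "entries with mtime after 2011-01-01 UTC: $(sample_bodyfile | modified_after 1293840000)"
```

Pipe the slide's loop straight into timeline (or redirect it to a file and feed that) to get the same view over a real subject; the mtimes come from the RPM database, so they are what the package manager recorded at install time, not what the filesystem shows now, which is the comparison the rest of the deck is about.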
IN CONCLUSION
- RPM is a pretty cool way to eliminate known files from a Linux system examination
- Know the shortcomings in the RPM package database so you can mitigate them
- With a little shell scripting, you can develop useful tools to quickly and consistently minimize input data
SANS @Night There's Gold in Them Thar Package Management Databases

More Related Content

What's hot

DevOps Fest 2020. Philipp Krenn. Scale Your Auditing Events
DevOps Fest 2020. Philipp Krenn. Scale Your Auditing EventsDevOps Fest 2020. Philipp Krenn. Scale Your Auditing Events
DevOps Fest 2020. Philipp Krenn. Scale Your Auditing EventsDevOps_Fest
 
Tracing MariaDB server with bpftrace - MariaDB Server Fest 2021
Tracing MariaDB server with bpftrace - MariaDB Server Fest 2021Tracing MariaDB server with bpftrace - MariaDB Server Fest 2021
Tracing MariaDB server with bpftrace - MariaDB Server Fest 2021Valeriy Kravchuk
 
Kdump and the kernel crash dump analysis
Kdump and the kernel crash dump analysisKdump and the kernel crash dump analysis
Kdump and the kernel crash dump analysisBuland Singh
 
Linux Capabilities - eng - v2.1.5, compact
Linux Capabilities - eng - v2.1.5, compactLinux Capabilities - eng - v2.1.5, compact
Linux Capabilities - eng - v2.1.5, compactAlessandro Selli
 
OSBConf 2015 | Backups with rdiff backup and rsnapshot by christoph mitasch &...
OSBConf 2015 | Backups with rdiff backup and rsnapshot by christoph mitasch &...OSBConf 2015 | Backups with rdiff backup and rsnapshot by christoph mitasch &...
OSBConf 2015 | Backups with rdiff backup and rsnapshot by christoph mitasch &...NETWAYS
 
2009-08-24 The Linux Audit Subsystem Deep Dive
2009-08-24 The Linux Audit Subsystem Deep Dive2009-08-24 The Linux Audit Subsystem Deep Dive
2009-08-24 The Linux Audit Subsystem Deep DiveShawn Wells
 
Ansible ex407 and EX 294
Ansible ex407 and EX 294Ansible ex407 and EX 294
Ansible ex407 and EX 294IkiArif1
 
Troubleshooting Linux Kernel Modules And Device Drivers
Troubleshooting Linux Kernel Modules And Device DriversTroubleshooting Linux Kernel Modules And Device Drivers
Troubleshooting Linux Kernel Modules And Device DriversSatpal Parmar
 
aptly: Debian repository management tool
aptly: Debian repository management toolaptly: Debian repository management tool
aptly: Debian repository management toolAndrey Smirnov
 
Bundling Packages and Deploying Applications with RPM
Bundling Packages and Deploying Applications with RPMBundling Packages and Deploying Applications with RPM
Bundling Packages and Deploying Applications with RPMAlexander Shopov
 
DiUS Computing Lca Rails Final
DiUS  Computing Lca Rails FinalDiUS  Computing Lca Rails Final
DiUS Computing Lca Rails FinalRobert Postill
 
Windows persistence presentation
Windows persistence presentationWindows persistence presentation
Windows persistence presentationOlehLevytskyi1
 
Audit commands by shift
Audit commands by shiftAudit commands by shift
Audit commands by shiftGary Smith
 
The Linux Audit Framework
The Linux Audit FrameworkThe Linux Audit Framework
The Linux Audit FrameworkGary Smith
 
Lecture 3 Perl & FreeBSD administration
Lecture 3 Perl & FreeBSD administrationLecture 3 Perl & FreeBSD administration
Lecture 3 Perl & FreeBSD administrationMohammed Farrag
 
Crash_Report_Mechanism_In_Tizen
Crash_Report_Mechanism_In_TizenCrash_Report_Mechanism_In_Tizen
Crash_Report_Mechanism_In_TizenLex Yu
 

What's hot (20)

DevOps Fest 2020. Philipp Krenn. Scale Your Auditing Events
DevOps Fest 2020. Philipp Krenn. Scale Your Auditing EventsDevOps Fest 2020. Philipp Krenn. Scale Your Auditing Events
DevOps Fest 2020. Philipp Krenn. Scale Your Auditing Events
 
Tracing MariaDB server with bpftrace - MariaDB Server Fest 2021
Tracing MariaDB server with bpftrace - MariaDB Server Fest 2021Tracing MariaDB server with bpftrace - MariaDB Server Fest 2021
Tracing MariaDB server with bpftrace - MariaDB Server Fest 2021
 
Kdump and the kernel crash dump analysis
Kdump and the kernel crash dump analysisKdump and the kernel crash dump analysis
Kdump and the kernel crash dump analysis
 
Linux Capabilities - eng - v2.1.5, compact
Linux Capabilities - eng - v2.1.5, compactLinux Capabilities - eng - v2.1.5, compact
Linux Capabilities - eng - v2.1.5, compact
 
OSBConf 2015 | Backups with rdiff backup and rsnapshot by christoph mitasch &...
OSBConf 2015 | Backups with rdiff backup and rsnapshot by christoph mitasch &...OSBConf 2015 | Backups with rdiff backup and rsnapshot by christoph mitasch &...
OSBConf 2015 | Backups with rdiff backup and rsnapshot by christoph mitasch &...
 
50 Most Frequently Used UNIX Linux Commands -hmftj
50 Most Frequently Used UNIX  Linux Commands -hmftj50 Most Frequently Used UNIX  Linux Commands -hmftj
50 Most Frequently Used UNIX Linux Commands -hmftj
 
2009-08-24 The Linux Audit Subsystem Deep Dive
2009-08-24 The Linux Audit Subsystem Deep Dive2009-08-24 The Linux Audit Subsystem Deep Dive
2009-08-24 The Linux Audit Subsystem Deep Dive
 
Ansible ex407 and EX 294
Ansible ex407 and EX 294Ansible ex407 and EX 294
Ansible ex407 and EX 294
 
50 most frequently used unix
50 most frequently used unix50 most frequently used unix
50 most frequently used unix
 
Troubleshooting Linux Kernel Modules And Device Drivers
Troubleshooting Linux Kernel Modules And Device DriversTroubleshooting Linux Kernel Modules And Device Drivers
Troubleshooting Linux Kernel Modules And Device Drivers
 
aptly: Debian repository management tool
aptly: Debian repository management toolaptly: Debian repository management tool
aptly: Debian repository management tool
 
Bundling Packages and Deploying Applications with RPM
Bundling Packages and Deploying Applications with RPMBundling Packages and Deploying Applications with RPM
Bundling Packages and Deploying Applications with RPM
 
DiUS Computing Lca Rails Final
DiUS  Computing Lca Rails FinalDiUS  Computing Lca Rails Final
DiUS Computing Lca Rails Final
 
Windows persistence presentation
Windows persistence presentationWindows persistence presentation
Windows persistence presentation
 
Samba 4 - debian instalacao
Samba 4 - debian instalacaoSamba 4 - debian instalacao
Samba 4 - debian instalacao
 
Audit
AuditAudit
Audit
 
Audit commands by shift
Audit commands by shiftAudit commands by shift
Audit commands by shift
 
The Linux Audit Framework
The Linux Audit FrameworkThe Linux Audit Framework
The Linux Audit Framework
 
Lecture 3 Perl & FreeBSD administration
Lecture 3 Perl & FreeBSD administrationLecture 3 Perl & FreeBSD administration
Lecture 3 Perl & FreeBSD administration
 
Crash_Report_Mechanism_In_Tizen
Crash_Report_Mechanism_In_TizenCrash_Report_Mechanism_In_Tizen
Crash_Report_Mechanism_In_Tizen
 

Viewers also liked

Logs, Logs, Every Where, Nor Any Byte to Grok
Logs, Logs, Every Where, Nor Any Byte to GrokLogs, Logs, Every Where, Nor Any Byte to Grok
Logs, Logs, Every Where, Nor Any Byte to GrokPhil Hagen
 
(Fios#02) 2. elk 포렌식 분석
(Fios#02) 2. elk 포렌식 분석(Fios#02) 2. elk 포렌식 분석
(Fios#02) 2. elk 포렌식 분석INSIGHT FORENSIC
 
WMI - A FRONT DOOR FOR MALWARES
WMI - A FRONT DOOR FOR MALWARESWMI - A FRONT DOOR FOR MALWARES
WMI - A FRONT DOOR FOR MALWARESSanthosh Kumar
 
Windows スクリプトセミナー WMI編 VBScript&WMI
Windows スクリプトセミナー WMI編 VBScript&WMIWindows スクリプトセミナー WMI編 VBScript&WMI
Windows スクリプトセミナー WMI編 VBScript&WMIjunichi anno
 
Luncheon 2016-07-16 - Topic 2 - Advanced Threat Hunting by Justin Falck
Luncheon 2016-07-16 -  Topic 2 - Advanced Threat Hunting by Justin FalckLuncheon 2016-07-16 -  Topic 2 - Advanced Threat Hunting by Justin Falck
Luncheon 2016-07-16 - Topic 2 - Advanced Threat Hunting by Justin FalckNorth Texas Chapter of the ISSA
 
SOC2016 - The Investigation Labyrinth
SOC2016 - The Investigation LabyrinthSOC2016 - The Investigation Labyrinth
SOC2016 - The Investigation Labyrinthchrissanders88
 
Abstract Tools for Effective Threat Hunting
Abstract Tools for Effective Threat HuntingAbstract Tools for Effective Threat Hunting
Abstract Tools for Effective Threat Huntingchrissanders88
 

Viewers also liked (8)

Logs, Logs, Every Where, Nor Any Byte to Grok
Logs, Logs, Every Where, Nor Any Byte to GrokLogs, Logs, Every Where, Nor Any Byte to Grok
Logs, Logs, Every Where, Nor Any Byte to Grok
 
(Fios#02) 2. elk 포렌식 분석
(Fios#02) 2. elk 포렌식 분석(Fios#02) 2. elk 포렌식 분석
(Fios#02) 2. elk 포렌식 분석
 
WMI - A FRONT DOOR FOR MALWARES
WMI - A FRONT DOOR FOR MALWARESWMI - A FRONT DOOR FOR MALWARES
WMI - A FRONT DOOR FOR MALWARES
 
Windows スクリプトセミナー WMI編 VBScript&WMI
Windows スクリプトセミナー WMI編 VBScript&WMIWindows スクリプトセミナー WMI編 VBScript&WMI
Windows スクリプトセミナー WMI編 VBScript&WMI
 
Luncheon 2016-07-16 - Topic 2 - Advanced Threat Hunting by Justin Falck
Luncheon 2016-07-16 -  Topic 2 - Advanced Threat Hunting by Justin FalckLuncheon 2016-07-16 -  Topic 2 - Advanced Threat Hunting by Justin Falck
Luncheon 2016-07-16 - Topic 2 - Advanced Threat Hunting by Justin Falck
 
SOC2016 - The Investigation Labyrinth
SOC2016 - The Investigation LabyrinthSOC2016 - The Investigation Labyrinth
SOC2016 - The Investigation Labyrinth
 
Abstract Tools for Effective Threat Hunting
Abstract Tools for Effective Threat HuntingAbstract Tools for Effective Threat Hunting
Abstract Tools for Effective Threat Hunting
 
Computer forensics ppt
Computer forensics pptComputer forensics ppt
Computer forensics ppt
 

Similar to SANS @Night There's Gold in Them Thar Package Management Databases

Install tomcat 5.5 in debian os and deploy war file
Install tomcat 5.5 in debian os and deploy war fileInstall tomcat 5.5 in debian os and deploy war file
Install tomcat 5.5 in debian os and deploy war fileNguyen Cao Hung
 
Slackware Demystified [SELF 2011]
Slackware Demystified [SELF 2011]Slackware Demystified [SELF 2011]
Slackware Demystified [SELF 2011]Vincent Batts
 
Linux advanced privilege escalation
Linux advanced privilege escalationLinux advanced privilege escalation
Linux advanced privilege escalationJameel Nabbo
 
Andresen 8 21 02
Andresen 8 21 02Andresen 8 21 02
Andresen 8 21 02FNian
 
Linux security quick reference guide
Linux security quick reference guideLinux security quick reference guide
Linux security quick reference guideCraig Cannon
 
Advanced Level Training on Koha / TLS (ToT)
Advanced Level Training on Koha / TLS (ToT)Advanced Level Training on Koha / TLS (ToT)
Advanced Level Training on Koha / TLS (ToT)Ata Rehman
 
Introduction to JumpStart
Introduction to JumpStartIntroduction to JumpStart
Introduction to JumpStartScott McDermott
 
MINCS - containers in the shell script (Eng. ver.)
MINCS - containers in the shell script (Eng. ver.)MINCS - containers in the shell script (Eng. ver.)
MINCS - containers in the shell script (Eng. ver.)Masami Hiramatsu
 
FreeBSD Jail Complete Example
FreeBSD Jail Complete ExampleFreeBSD Jail Complete Example
FreeBSD Jail Complete ExampleMohammed Farrag
 
Linux Troubleshooting
Linux TroubleshootingLinux Troubleshooting
Linux TroubleshootingKeith Wright
 
Using filesystem capabilities with rsync
Using filesystem capabilities with rsyncUsing filesystem capabilities with rsync
Using filesystem capabilities with rsyncHazel Smith
 
Linux Common Command
Linux Common CommandLinux Common Command
Linux Common CommandJeff Yang
 
Really useful linux commands
Really useful linux commandsReally useful linux commands
Really useful linux commandsMichael J Geiser
 
Docker and friends at Linux Days 2014 in Prague
Docker and friends at Linux Days 2014 in PragueDocker and friends at Linux Days 2014 in Prague
Docker and friends at Linux Days 2014 in Praguetomasbart
 
Continuous Delivery: The Next Frontier
Continuous Delivery: The Next FrontierContinuous Delivery: The Next Frontier
Continuous Delivery: The Next FrontierCarlos Sanchez
 
Linux basic for CADD biologist
Linux basic for CADD biologistLinux basic for CADD biologist
Linux basic for CADD biologistAjay Murali
 

Similar to SANS @Night There's Gold in Them Thar Package Management Databases (20)

Install tomcat 5.5 in debian os and deploy war file
Install tomcat 5.5 in debian os and deploy war fileInstall tomcat 5.5 in debian os and deploy war file
Install tomcat 5.5 in debian os and deploy war file
 
Slackware Demystified [SELF 2011]
Slackware Demystified [SELF 2011]Slackware Demystified [SELF 2011]
Slackware Demystified [SELF 2011]
 
Unix Administration 2
Unix Administration 2Unix Administration 2
Unix Administration 2
 
Linux advanced privilege escalation
Linux advanced privilege escalationLinux advanced privilege escalation
Linux advanced privilege escalation
 
Andresen 8 21 02
Andresen 8 21 02Andresen 8 21 02
Andresen 8 21 02
 
Ch23 system administration
Ch23 system administration Ch23 system administration
Ch23 system administration
 
Linux filesystemhierarchy
Linux filesystemhierarchyLinux filesystemhierarchy
Linux filesystemhierarchy
 
Linux security quick reference guide
Linux security quick reference guideLinux security quick reference guide
Linux security quick reference guide
 
Advanced Level Training on Koha / TLS (ToT)
Advanced Level Training on Koha / TLS (ToT)Advanced Level Training on Koha / TLS (ToT)
Advanced Level Training on Koha / TLS (ToT)
 
Introduction to JumpStart
Introduction to JumpStartIntroduction to JumpStart
Introduction to JumpStart
 
MINCS - containers in the shell script (Eng. ver.)
MINCS - containers in the shell script (Eng. ver.)MINCS - containers in the shell script (Eng. ver.)
MINCS - containers in the shell script (Eng. ver.)
 
FreeBSD Jail Complete Example
FreeBSD Jail Complete ExampleFreeBSD Jail Complete Example
FreeBSD Jail Complete Example
 
Linux Troubleshooting
Linux TroubleshootingLinux Troubleshooting
Linux Troubleshooting
 
Using filesystem capabilities with rsync
Using filesystem capabilities with rsyncUsing filesystem capabilities with rsync
Using filesystem capabilities with rsync
 
Linux Common Command
Linux Common CommandLinux Common Command
Linux Common Command
 
Really useful linux commands
Really useful linux commandsReally useful linux commands
Really useful linux commands
 
Rpm Introduction
Rpm IntroductionRpm Introduction
Rpm Introduction
 
Docker and friends at Linux Days 2014 in Prague
Docker and friends at Linux Days 2014 in PragueDocker and friends at Linux Days 2014 in Prague
Docker and friends at Linux Days 2014 in Prague
 
Continuous Delivery: The Next Frontier
Continuous Delivery: The Next FrontierContinuous Delivery: The Next Frontier
Continuous Delivery: The Next Frontier
 
Linux basic for CADD biologist
Linux basic for CADD biologistLinux basic for CADD biologist
Linux basic for CADD biologist
 

Recently uploaded

Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024The Digital Insurer
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Victor Rentea
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsNanddeep Nachan
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelDeepika Singh
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamUiPathCommunity
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Angeliki Cooney
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWERMadyBayot
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Bhuvaneswari Subramani
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistandanishmna97
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 

Recently uploaded (20)

Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 

SANS @Night There's Gold in Them Thar Package Management Databases

  • 1. THERE’S GOLD IN THEM THAR PACKAGE MANAGEMENT DATABASES!
    Phil Hagen
    phil@lewestech.com
    @PhilHagen
    plus.google.com/+PhilHagen
    Image: flickr.com/matthigh
  • 2. WHY ARE WE HERE?
    Goals:
    - Describe the value of package management databases during the course of a Linux system forensic examination
    - Provide information with immediate benefit!
  • 3. WHO IS THIS GUY?
    - Forensic/infosec consultant
    - Former DoD/IC contractor, USAF Comm Officer (USAFA CompSci)
    - Course lead, FOR572: Advanced Network Forensics & Analysis
    - Linux guy since Slackware needed a stack of floppies and an unsupported SCSI controller meant bootstrapping a kernel compilation
  • 4. OPEN SOURCE: INFINITE POWER (ITTY BITTY LIVING SPACE)
    - Downloading and compiling source code is an amazingly powerful aspect of most open-source software
    - Not viable for the large scale of a production environment
      - Does not address dependencies
      - No common install/uninstall process
    - Fun for the lab or a hobbyist environment, but a headache in an operational environment
  • 5. PACKAGE MANAGEMENT SOFTWARE TO THE RESCUE!
    - Dependencies, file manifests, install/uninstall/upgrade scripts
    - Generally makes software management less of a headache!
    - Many solutions in widespread use among various distributions:
      - opkg (fork of ipkg): Embedded devices like QNAP NAS, etc.
      - dpkg: Debian and Ubuntu
      - tgz: Slackware
      - RPM: RedHat, CentOS, Fedora, many more (part of Linux Standard Base)
  • 6. …STILL NOT END-ALL/BE-ALL
    - Most incorporate higher-layer software to handle automatic inclusion of dependencies and other “meta” functions and avoid the much-feared “dependency hell” or “RPM hell”
      - apt-get / aptitude
      - YUM
      - RedHat Network
    - Not focusing on this higher-layer software
    - Some useful artifacts available - bad guys known to “yum install nmap”
  • 7. SCOPE FOR THIS PRESENTATION
    - Just looking at RPM
      - Most concepts apply to other package management standards
      - Notably dpkg
    - All examples created and tested on CentOS 6.5
    - Ideally: Same OS as subject (RPM library versions, etc)
      - Technically: Same version of RPM, BDB, related libraries
      - May have some success with unmatched versions, but beware!!
    - Presentation notes (including all commands) published soon: http://stuffphilwrites.com
  • 8. SOURCES FOR RPM EVIDENCE
    - Populates Berkeley database
      - Lives in /var/lib/rpm/
      - Includes metadata for every RPM-controlled file:
        - User/Group ownership
        - Mode (aka permissions)
        - MD5 (er… SHA256) checksum
        - File size
        - Major/minor number (for entries in /dev/)
        - Symbolic link string (aka “target”) for symlinks
        - Modification time
    - /var/log/yum.log
      - May have useful timestamped history of install/remove/upgrade actions
    - /var/log/rpmpkgs*
  • 9. PRACTICAL USAGE
    1. Mount all partitions from subject filesystem under /mnt/subject/
       $ mount | grep subject
       /dev/mapper/vg_centos6vm-lv_root on /mnt/subject type ext4 (ro,noload)
       /dev/mapper/loop0p1 on /mnt/subject/boot type ext4 (ro,noload)
    2. Run RPM commands with “--root /mnt/subject” option
       - Don’t trust the rpm(1) binary from a suspect system!
       - Note: This performs a chroot(2) for all operations - needs root user privileges for validation (not query) actions
  • 10. USE CASE: FILE ORIGIN
    $ rpm -qf filename
    - Identifies what package owns the specified file
    - Useful to answer “where did this file come from?” or to identify a file as package-less
    $ rpm --root /mnt/subject -qf /usr/sbin/sshd
    openssh-server-5.3p1-94.el6.x86_64
    $ rpm --root /mnt/subject -qf /etc/mail.rc
    mailx-12.4-7.el6.x86_64
    (Remember chroot: the path is given as seen inside the subject root, not under /mnt/subject)
    $ rpm --root /mnt/subject -qf /etc/crypttab
    file /etc/crypttab is not owned by any package
  • 11. USE CASE: PACKAGE VALIDATION (1)
    $ rpm -V packagename
    - Verifies contents of specified package
    - Compares expected (database) to actual (filesystem)
    - Displays files that failed ≥1 check, noting which checks failed
      - SM5DLUGT (Size, mode, MD5 (or SHA256!), major/minor nos, link target, user, group, mtime)
    - Shows “?” in output if user running command lacks permission to check (e.g. read access to generate checksums)
  • 12. USE CASE: PACKAGE VALIDATION (2)
    WARNING!!!
    - Packages can include “verification scripts” which will execute when the “-V” option is used!
    - You’re not planning to run arbitrary, unknown code on your forensic workstation/VM, are you?
    - The chroot action needs root - these will execute as a child to the sudo process!
    - Use the “--noscripts” option with “-V” to prevent this
  • 13. USE CASE: PACKAGE VALIDATION (3)
    - Some files are expected to change after installation: config files!
      - Still show changes after installation, but denoted with a “c” character
    - Missing files also noted in output as such
    $ sudo rpm --root /mnt/subject \
        -V openssh-server --noscripts
    (no output)
    $ sudo rpm --root /mnt/subject \
        -V sudo --noscripts
    S.5....T.  c /etc/sudoers
  • 14. USE CASE: PACKAGE VALIDATION (4)
    $ sudo rpm --root /mnt/subject -Va --noscripts
    S.5....T.  c /etc/sudoers
    .M.......    /proc
    S.5....T.  c /etc/maven/maven2-depmap.xml
    ....L....  c /etc/pam.d/fingerprint-auth
    ....L....  c /etc/pam.d/password-auth
    ....L....  c /etc/pam.d/smartcard-auth
    ....L....  c /etc/pam.d/system-auth
    ..5....T.  c /usr/lib64/security/classpath.security
    $ rpm --root /mnt/subject -V postfix --noscripts
    missing   c /etc/postfix/master.cf
  • 15. COOL FEATURE ALERT!
    - Many packages are GPG-signed
      - Independently verify package without using compromised or untrusted system
    - However: RPM database contents not signed:
      - Trojaned RPM package reports no anomalies!
    - How can we use this great feature to our advantage?
  • 16. VALIDATE FILESYSTEM AGAINST A PACKAGE FILE (1)
    - The “-p” option runs validation checks between filesystem contents and RPM package file contents
    - Signed package files can be GPG-verified!
      - Avoids an untrusted RPM database entirely
      - Prevents false negative validation from compromised RPM installations
    - Relatively simple process:
      1. Download trusted binary RPM file
      2. Validate RPM file using GPG
      3. Validate filesystem contents against package contents
  • 17. VALIDATE FILESYSTEM AGAINST A PACKAGE FILE (2)
    - Consider a system with a compromised RPM database, or a trojaned installation of the Apache web server software
    $ rpm --root /mnt/subject -V httpd --noscripts
    S.5....T c /etc/httpd/conf/httpd.conf
    $ wget http://mirror.centos.org/centos-5/5.10/os/x86_64/CentOS/httpd-2.2.3-82.el5.centos.x86_64.rpm
    $ rpm -K httpd-2.2.3-82.el5.centos.x86_64.rpm
    httpd-2.2.3-82.el5.centos.x86_64.rpm: (sha1) dsa sha1 md5 gpg OK
    $ rpm --root /mnt/subject -Vp httpd-2.2.3-82.el5.centos.x86_64.rpm --noscripts
    S.5....T c /etc/httpd/conf/httpd.conf
    S.5....T /usr/sbin/httpd
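The three-step procedure of slides 16 and 17, as an added Python example that is not part of the talk: gate the `-Vp` comparison on the result of `rpm -K` so an unsigned package, or one whose key is not in the workstation keyring, is never treated as a trusted reference. It assumes the `rpm -K` output format of rpm 4.x (a verified signature is printed in lower case as `gpg` or `pgp`, an unverifiable one in upper case, and a package with no signature at all still ends in `OK` because only its digests were checked); the sample `-K` lines below are constructed, and the key id in them is a placeholder.

```python
"""Validate subject files against a GPG-verified package file.

Added example, not the talk's code. Assumes rpm 4.x `rpm -K` output:
  '(sha1) dsa sha1 md5 gpg OK'                       -> signature verified
  'rsa sha1 (md5) pgp md5 OK'                        -> signature verified
  '(SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS)'  -> key not in keyring
  'sha1 md5 OK'                                      -> package is unsigned!
"""
import re
import subprocess

_SIG_TOKENS = {"gpg", "pgp"}   # lower case only: upper case means "could not check"


def signature_verified(checksig_line):
    """True only if rpm -K reports a signature it actually verified.

    Both the unsigned case ('sha1 md5 OK') and the missing-key case
    ('(GPG) NOT OK ...') are rejected.
    """
    _, sep, status = checksig_line.partition(": ")
    if not sep:
        return False
    status = status.strip()
    if "NOT OK" in status or not status.endswith(" OK"):
        return False
    tokens = set(re.findall(r"[A-Za-z0-9]+", status))
    return bool(tokens & _SIG_TOKENS)


def verify_subject_against_package(root, rpm_path):
    """Steps 2 and 3 of the talk's procedure with the workstation's own rpm.

    The distro key must already be in the workstation keyring (rpm --import).
    Returns the -Vp output lines; raises if the signature did not verify.
    """
    sig = subprocess.run(["rpm", "-K", rpm_path], capture_output=True, text=True)
    lines = sig.stdout.strip().splitlines()
    line = lines[-1] if lines else ""
    if not signature_verified(line):
        raise RuntimeError("refusing to trust %s: %s" % (rpm_path, line or "no -K output"))
    # --noscripts: never run a package's verification scripts from the subject
    ver = subprocess.run(["rpm", "--root", root, "-Vp", rpm_path, "--noscripts"],
                         capture_output=True, text=True)
    return ver.stdout.splitlines()


# Constructed sample -K lines (the key id is a placeholder, not a real key).
SAMPLE_CHECKSIG = [
    "httpd-2.2.3-82.el5.centos.x86_64.rpm: (sha1) dsa sha1 md5 gpg OK",
    "pkg.rpm: rsa sha1 (md5) pgp md5 OK",
    "pkg.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#00000000)",
    "pkg.rpm: sha1 md5 OK",
]

if __name__ == "__main__":
    for line in SAMPLE_CHECKSIG:
        print(signature_verified(line), line)
```

The `-Vp` output still lists expected drift in config files (the `c` lines), so the result is read the same way as slide 17: the unflagged binary paths are the ones that matter.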
  • 18. REAL-WORLD USE CASES (1)
    - Find all non-config files owned by an RPM that fails a verification check
    $ sudo rpm --root /mnt/subject -Va --noscripts | \
        grep -v ' c '
    ...
    S.5....T /var/www/awstats/lang/awstats-tt-tr.txt
    S.5....T /var/www/awstats/lang/awstats-tt-tw.txt
    S.5....T /var/www/awstats/lang/awstats-tt-ua.txt
    .......T /var/www/awstats/lib/blacklist.txt
    S.5....T /var/www/awstats/lib/browsers.pm
    S.5....T /var/www/awstats/lib/browsers_phone.pm
    ...
  • 19. REAL-WORLD USE CASES (2)
    - Find only config files owned by an RPM, which fail checksum verification
    $ sudo rpm --root /mnt/subject -Va --noscripts | \
        grep '^..5.* c '
    S.5....T c /etc/pam.d/sshd
    S.5....T c /etc/ssh/sshd_config
    S.5....T c /etc/openldap/slapd.conf
    S.5....T c /etc/sysconfig/ldap
    S.5..... c /etc/sysconfig/saslauthd
    S.5..... c /etc/security/limits.conf
    S.5....T c /etc/logrotate.conf
    SM5....T c /etc/snmp/snmpd.conf
    S.5....T c /etc/sysconfig/snmpd.options
    ...
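The verify flags explained on slides 11 through 14 and filtered with grep on slides 18 and 19 lend themselves to a small parser, added here as a Python example that is not part of the talk. It decodes the `SM5DLUGT` column (plus the `P` column newer rpm releases add), keeps the `c` config marker and the `missing` and `?` cases, and sorts the results into the buckets an examiner reads first: changed non-config files, changed config files, missing files, mtime-only drift, and files that could not be checked (rerun as root, as slide 11 notes). The `run_verify` wrapper and the sample output lines are assumptions modelled on the slides, not captured from a real system.

```python
"""Triage rpm -V / rpm -Va output. Added example, not the talk's code.

Assumes the rpm 4.x verify format: 8 or 9 flag columns (S M 5 D L U G T,
plus P in newer releases), '.' for pass, '?' for "could not check", or the
literal word 'missing'; then an optional attribute letter (c = config) and path.
"""
import re
import subprocess
from collections import namedtuple

FLAG_ORDER = "SM5DLUGTP"   # column order as rpm prints it
FLAG_NAMES = {
    "S": "size", "M": "mode", "5": "digest", "D": "device", "L": "link",
    "U": "user", "G": "group", "T": "mtime", "P": "capabilities",
}
CONTENT_CHECKS = frozenset(FLAG_NAMES.values()) - {"mtime"}

VerifyResult = namedtuple("VerifyResult", "path failed unchecked is_config missing")

_LINE_RE = re.compile(
    r"^(?P<flags>[SM5DLUGTP.?]{8,9}|missing)\s+(?:(?P<attr>[a-z])\s+)?(?P<path>/\S.*)$"
)


def parse_verify_line(line):
    """Return a VerifyResult for one output line, or None for non-verify lines."""
    m = _LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    flags, attr, path = m.group("flags"), m.group("attr"), m.group("path")
    is_config = attr == "c"
    if flags == "missing":
        return VerifyResult(path, frozenset(), frozenset(), is_config, True)
    failed = frozenset(FLAG_NAMES[c] for c in flags if c in FLAG_NAMES)
    unchecked = frozenset(FLAG_NAMES[FLAG_ORDER[i]] for i, c in enumerate(flags) if c == "?")
    return VerifyResult(path, failed, unchecked, is_config, False)


def triage(lines):
    """Bucket verify results by how much attention they deserve."""
    buckets = {"missing": [], "file_changed": [], "config_changed": [],
               "mtime_only": [], "unchecked": []}
    for r in filter(None, map(parse_verify_line, lines)):
        if r.missing:
            buckets["missing"].append(r.path)
        elif r.failed & CONTENT_CHECKS:          # content or metadata differs
            buckets["config_changed" if r.is_config else "file_changed"].append(r.path)
        elif r.failed:                           # only the mtime moved
            buckets["mtime_only"].append(r.path)
        elif r.unchecked:                        # '?' : rerun with root privileges
            buckets["unchecked"].append(r.path)
    return buckets


def run_verify(root, package=None):
    """Run the workstation's rpm against a mounted subject image (needs root
    for the chroot). rpm -V exits non-zero whenever anything differs, so the
    exit status is not treated as an error. --noscripts is never omitted."""
    cmd = ["rpm", "--root", root, "--noscripts", "-Va" if package is None else "-V"]
    if package is not None:
        cmd.append(package)
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return proc.stdout.splitlines()


# Constructed sample modelled on the talk's slides, not captured from a real system.
SAMPLE_VERIFY_OUTPUT = """\
S.5....T.  c /etc/sudoers
.M.......    /proc
....L....  c /etc/pam.d/system-auth
S.5....T.    /usr/sbin/httpd
.......T.    /var/www/awstats/lib/blacklist.txt
..?......    /usr/bin/passwd
missing   c /etc/postfix/master.cf
"""

if __name__ == "__main__":
    for bucket, paths in triage(SAMPLE_VERIFY_OUTPUT.splitlines()).items():
        print(bucket, paths)
```

Feeding `run_verify("/mnt/subject")` into `triage` gives the slide 18 and 19 views at once; the `file_changed` bucket is where a replaced binary such as the `/usr/sbin/httpd` on slide 17 lands.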
  • 20. REAL-WORLD USE CASES (3A)
    - Find all files not owned by an RPM (This is going to be slow!)
    $ cat find_orphans.sh
    for file in $( sudo find /mnt/subject/etc -type f ); do
      file=$( echo $file | sed -e 's/\/mnt\/subject//' )
      rpm --root /mnt/subject -qf $file 2>&1 | \
        grep -E 'package$|directory$' | \
        sed -E 's/^(error: )?file (.*)(: No such file or directory| is not owned by any package)/\2/'
    done
  • 21. REAL-WORLD USE CASES (3B)
    - Find all files not owned by an RPM (This is going to be slow!)
    $ ./find_orphans.sh
    /etc/crypttab
    /etc/sysconfig/network
    /etc/sysconfig/keyboard
    /etc/sysconfig/iptables
    ...
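The orphan search on slides 20 and 21 invokes `rpm -qf` once per file, which is why the talk warns it is slow. The same result comes from a single query: dump every path the subject's rpmdb claims with `rpm -qa --queryformat '[%{FILENAMES}\n]'`, then set-difference the filesystem walk against it. This is an added Python example, not the talk's script; the manifest and filesystem listing below are constructed, and it carries the same caveat as slide 15: a tampered rpmdb can claim ownership of a planted file, so this is a known-file filter, not proof of integrity.

```python
"""Find files no package owns with one rpm query instead of one per file.

Added example, not the talk's find_orphans.sh. Assumes the subject image is
mounted read-only under ROOT and that the workstation's rpm reads the
subject's rpmdb via --root (chroot), exactly as the talk's commands do.
"""
import os
import subprocess


def dump_manifest(root):
    """Every path the subject's rpmdb claims, as seen from inside the chroot."""
    proc = subprocess.run(
        ["rpm", "--root", root, "-qa", "--queryformat", "[%{FILENAMES}\\n]"],
        capture_output=True, text=True, check=True)
    return proc.stdout.splitlines()


def owned_paths(manifest_lines):
    """Set of owned paths; ignores anything that is not an absolute path."""
    return {line.rstrip("\n") for line in manifest_lines if line.startswith("/")}


def strip_root(path, root):
    """/mnt/subject/etc/crypttab -> /etc/crypttab (the talk's sed step)."""
    root = root.rstrip("/")
    return path[len(root):] if path.startswith(root + "/") else path


def walk_subject(root, subdir="etc"):
    """Regular files under root/subdir. Symlinks are not followed, so a link
    planted in the image cannot steer the walk outside the mounted subject."""
    for dirpath, _dirs, files in os.walk(os.path.join(root, subdir), followlinks=False):
        for name in files:
            yield os.path.join(dirpath, name)


def find_orphans(fs_paths, owned, root):
    """Subject paths (root prefix removed) that no package claims, in input order."""
    return [strip_root(p, root) for p in fs_paths if strip_root(p, root) not in owned]


# Constructed sample data standing in for `rpm -qa --queryformat` output and a
# walk of /mnt/subject/etc; paths modelled on the talk's slides.
SAMPLE_MANIFEST = """\
/etc/ssh/sshd_config
/etc/ssh/ssh_config
/etc/sudoers
/etc/pam.d/sshd
/usr/sbin/sshd
"""
SAMPLE_FS = [
    "/mnt/subject/etc/ssh/sshd_config",
    "/mnt/subject/etc/crypttab",
    "/mnt/subject/etc/sudoers",
    "/mnt/subject/etc/sysconfig/iptables",
    "/mnt/subject/etc/ssh/ssh_config",
]

if __name__ == "__main__":
    root = "/mnt/subject"
    owned = owned_paths(dump_manifest(root))          # one rpm call total
    for orphan in find_orphans(walk_subject(root), owned, root):
        print(orphan)
```

Walking the whole image instead of `/etc` is just `walk_subject(root, subdir="")`; the cost is dominated by the filesystem walk, not by rpm.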
  • 22. COOL PARTY TRICK (1)
    - Use the “--queryformat” option to output only relevant/useful fields from the RPM database
    - Provides 150 different tags that can be output for package or for each file in a package
    - Available tags vary by version - online documentation is terrible
      - Use “--querytags” for listing specific to your version of RPM
    - Consider “RPMDBtoTimeline”…
  • 23. COOL PARTY TRICK (2)*
    $ for pkg in $( rpm --root /mnt/subject -qa ) ; do
        rpm --root /mnt/subject -q $pkg --queryformat \
          '[%{FILEDIGESTS}|%{FILENAMES}|0|%{FILEMODES:perms}|%{FILEUSERNAME}|%{FILEGROUPNAME}|%{FILESIZES}|0|%{FILEMTIMES}|0|0\n]' \
          | sed -e 's/^|/0|/' -e 's/|0|d/|0|d\/d/' -e 's/|0|-/|0|r\/r/'
      done
    ...
    4398551f...a13988cf|/usr/share/doc/gamin-0.1.10/callbacks.gif|0|r/rrw-r--r--|root|root|4514|0|1183556209|0|0
    0|/usr/lib64/libmenuw.so.5|0|lrwxrwxrwx|root|root|15|0|1282146079|0|0
    0|/usr/share/cracklib|0|d/drwxr-xr-x|root|root|4096|0|1308983949|0|0
    ...
    * “Cool” claim not valid at all parties. YMMV.
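The record layout built on slide 23 is the TSK body-file format (digest|name|inode|mode|uid|gid|size|atime|mtime|ctime|crtime), and the sed pass only maps regular files and directories into the `r/r` and `d/d` mode prefixes. Added here as a Python example that is not part of the talk: the same normalisation generalised to every file type rpm reports (symlinks become `l/l`, device nodes `c/c` or `b/b`), plus the mtime-ordered timeline the “RPMDBtoTimeline” idea on slide 22 points at. The `dump_file_records` wrapper reuses the slide's query format; the sample records are constructed (the digest in them is a placeholder, the timestamps are the slide's).

```python
"""rpm --queryformat per-file records -> TSK 3.x body-file lines and a timeline.

Added example; the talk's sed pipeline covers only the r/r and d/d cases.
Assumes the 11-field record the talk builds:
  digest|name|0|perms|user|group|size|0|mtime|0|0
where perms is rpm's %{FILEMODES:perms} string, e.g. '-rw-r--r--'.
"""
import subprocess
import time

QUERYFORMAT = ("[%{FILEDIGESTS}|%{FILENAMES}|0|%{FILEMODES:perms}|%{FILEUSERNAME}|"
               "%{FILEGROUPNAME}|%{FILESIZES}|0|%{FILEMTIMES}|0|0\\n]")


def dump_file_records(root):
    """One record per packaged file from the subject's rpmdb (via --root)."""
    proc = subprocess.run(["rpm", "--root", root, "-qa", "--queryformat", QUERYFORMAT],
                          capture_output=True, text=True, check=True)
    return proc.stdout.splitlines()


def to_body_line(record):
    """Normalise one record into TSK body format; None for malformed input.

    TSK writes the mode as '<type>/<ls string>' with '-' (regular) spelled 'r',
    so '-rw-r--r--' -> 'r/rrw-r--r--' and 'lrwxrwxrwx' -> 'l/lrwxrwxrwx'.
    """
    fields = record.rstrip("\n").split("|")
    if len(fields) != 11 or not fields[3] or not fields[8].isdigit():
        return None
    perms = fields[3]
    kind = "r" if perms[0] == "-" else perms[0]
    fields[0] = fields[0] or "0"               # dirs and symlinks carry no digest
    fields[3] = kind + "/" + kind + perms[1:]
    return "|".join(fields)


def timeline(records):
    """(mtime, UTC string, mode, size, path) rows sorted oldest first."""
    rows = []
    for body in filter(None, map(to_body_line, records)):
        f = body.split("|")
        mtime = int(f[8])
        stamp = time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(mtime))
        rows.append((mtime, stamp, f[3], f[6], f[1]))
    return sorted(rows)


# Constructed sample records (placeholder digest; mtimes taken from the slide).
SAMPLE_RECORDS = """\
|/usr/share/cracklib|0|drwxr-xr-x|root|root|4096|0|1308983949|0|0
deadbeef00000000|/usr/share/doc/gamin-0.1.10/callbacks.gif|0|-rw-r--r--|root|root|4514|0|1183556209|0|0
|/usr/lib64/libmenuw.so.5|0|lrwxrwxrwx|root|root|15|0|1282146079|0|0
"""

if __name__ == "__main__":
    for row in timeline(SAMPLE_RECORDS.splitlines()):
        print("%s  %-14s %8s  %s" % (row[1], row[2], row[3], row[4]))
```

Writing `to_body_line` output to a file gives something `mactime` reads directly, so the packaged-file mtimes can be merged with a filesystem body file from `fls -m` and the two compared entry by entry.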
  • 24. IN CONCLUSION
    - RPM is a pretty cool way to eliminate known files from a Linux system examination
    - Know the shortcomings in the RPM package database so you can mitigate them
    - With a little shell scripting, you can develop useful tools to quickly and consistently minimize input data