This document discusses how package management databases like RPM can provide useful evidence during Linux forensic examinations. It describes how RPM stores file metadata that can be queried to identify file ownership and validate installed packages. Examples are provided of using RPM to find modified or orphaned files, as well as techniques like directly validating the filesystem against package files to avoid issues with a compromised RPM database. The document encourages developing shell scripts to efficiently extract relevant RPM information.
SANS @Night There's Gold in Them Thar Package Management Databases
1. THERE'S GOLD IN THEM THAR PACKAGE MANAGEMENT DATABASES!
Phil Hagen
phil@lewestech.com
@PhilHagen
plus.google.com/+PhilHagen
Image: flickr.com/matthigh
2. WHY ARE WE HERE?
Goals:
Describe the value of package management databases during the course of a Linux system forensic examination
Provide information with immediate benefit!
3. WHO IS THIS GUY?
Forensic/infosec consultant
Former DoD/IC contractor, USAF Comm Officer (USAFA CompSci)
Course lead, FOR572: Advanced Network Forensics Analysis
Linux guy since Slackware needed a stack of floppies and an unsupported SCSI controller meant bootstrapping a kernel compilation
4. OPEN SOURCE: INFINITE POWER (ITTY BITTY LIVING SPACE)
Downloading and compiling source code is an amazingly powerful aspect of most open-source software
Not viable at the scale of a production environment:
Does not address dependencies
No common install/uninstall process
Fun for the lab or a hobbyist environment, but a headache in an operational environment
5. PACKAGE MANAGEMENT SOFTWARE TO THE RESCUE!
Dependencies, file manifests, install/uninstall/upgrade scripts
Generally makes software management less of a headache!
Many solutions in widespread use among various distributions:
opkg (fork of ipkg): embedded devices like QNAP NAS, etc.
dpkg: Debian and Ubuntu
tgz: Slackware
RPM: Red Hat, CentOS, Fedora, many more (part of the Linux Standard Base)
6. …STILL NOT END-ALL/BE-ALL
Most incorporate higher-layer software to handle automatic inclusion of dependencies and other "meta" functions and avoid the much-feared "dependency hell" or "RPM hell":
apt-get / aptitude
YUM
Red Hat Network
Not focusing on this higher-layer software
Some useful artifacts are available there, though: bad guys have been known to "yum install nmap", and yum logs it
7. SCOPE FOR THIS PRESENTATION
Just looking at RPM
Most concepts apply to other package management standards, notably dpkg
All examples created and tested on CentOS 6.5
Ideally: same OS as the subject (RPM library versions, etc.)
Technically: same version of RPM, BDB and related libraries, since the analysis workstation's rpm has to open the subject's database files
May have some success with unmatched versions, but beware!!
Presentation notes (including all commands) published soon: http://stuffphilwrites.com
8. SOURCES FOR RPM EVIDENCE
/var/lib/rpm/: the Berkeley DB files that RPM populates
Includes metadata for every RPM-controlled file:
User/group ownership
Mode (aka permissions)
MD5 (er… SHA256) checksum (RHEL/CentOS 6 packages carry SHA-256 file digests, although rpm -V still labels that check "5")
File size
Major/minor number (for entries in /dev/)
Symbolic link string (aka "target") for symlinks
Modification time
/var/log/yum.log: may have a useful timestamped history of install/remove/upgrade actions
/var/log/rpmpkgs*: daily "rpm -qa" snapshots written by the rpm cron job and rotated by logrotate
9. PRACTICAL USAGE
1. Mount all partitions from the subject filesystem under /mnt/subject/
$ mount | grep subject
/dev/mapper/vg_centos6vm-lv_root on /mnt/subject type ext4 (ro,noload)
/dev/mapper/loop0p1 on /mnt/subject/boot type ext4 (ro,noload)
2. Run RPM commands with the "--root /mnt/subject" option
Don't trust the rpm(8) binary from a suspect system!
Note: --root performs a chroot(2) for all operations, so it needs root user privileges for validation (not query) actions
10. USE CASE: FILE ORIGIN
$ rpm -qf filename
Identifies what package owns the specified file
Useful to answer "where did this file come from?" or to identify a file as package-less
$ rpm --root /mnt/subject -qf /usr/sbin/sshd
openssh-server-5.3p1-94.el6.x86_64
$ rpm --root /mnt/subject -qf /etc/mail.rc
mailx-12.4-7.el6.x86_64
$ rpm --root /mnt/subject -qf /etc/crypttab
file /etc/crypttab is not owned by any package
Remember the chroot! The filename is given relative to the subject's root (/etc/mail.rc, not /mnt/subject/etc/mail.rc)
11. USE CASE: PACKAGE VALIDATION (1)
$ rpm -V packagename
Verifies the contents of the specified package
Compares expected (database) to actual (filesystem)
Displays files that failed one or more checks, noting which checks failed
SM5DLUGT (Size, Mode, MD5 (or SHA256!) digest, Device major/minor numbers, Link target, User, Group, mTime); rpm 4.8 and later add a ninth column, P, for file capabilities, which is why the output below shows nine characters
Shows "?" in the output if the user running the command lacks permission to perform a check (e.g. read access to generate checksums)
12. USE CASE: PACKAGE VALIDATION (2)
WARNING!!!
Packages can include "verification scripts" (%verifyscript) which will execute when the "-V" option is used!
You're not planning to run arbitrary, unknown code on your forensic workstation/VM, are you?
The chroot action needs root, so these will execute as a child of the sudo process, inside the subject's root and with the subject's own /bin/sh
Use the "--noscripts" option with "-V" to prevent this
13. USE CASE: PACKAGE VALIDATION (3)
Some files are expected to change after installation: config files!
Still shown as changed after installation, but denoted with a "c" character
Missing files are also noted in the output as such
$ sudo rpm --root /mnt/subject -V openssh-server --noscripts
(no output)
$ sudo rpm --root /mnt/subject -V sudo --noscripts
S.5....T.  c /etc/sudoers
14. USE CASE: PACKAGE VALIDATION (4)
$ sudo rpm --root /mnt/subject -Va --noscripts
S.5....T.  c /etc/sudoers
.M.......    /proc
S.5....T.  c /etc/maven/maven2-depmap.xml
....L....  c /etc/pam.d/fingerprint-auth
....L....  c /etc/pam.d/password-auth
....L....  c /etc/pam.d/smartcard-auth
....L....  c /etc/pam.d/system-auth
..5....T.  c /usr/lib64/security/classpath.security
$ sudo rpm --root /mnt/subject -V postfix --noscripts
missing    c /etc/postfix/master.cf
15. COOL FEATURE ALERT!
Many packages are GPG-signed
Independently verify a package without relying on the compromised or untrusted system
However: RPM database contents are not signed. A trojaned package installed into the database (or a database edited to match tampered files) reports no anomalies!
How can we use this great feature to our advantage?
16. VALIDATE FILESYSTEM AGAINST A PACKAGE FILE (1)
The "-p" option runs the validation checks between filesystem contents and RPM package file contents
Signed package files can be GPG-verified!
Avoids an untrusted RPM database entirely
Prevents false-negative validation from compromised RPM installations
Relatively simple process:
1. Download a trusted binary RPM file (same name, version, release and architecture as the installed package, or every file will legitimately differ)
2. Validate the RPM file using GPG (rpm -K, with the vendor's signing key imported on the analysis workstation)
3. Validate filesystem contents against the package contents
17. VALIDATE FILESYSTEM AGAINST A PACKAGE FILE (2)
Consider a system with a compromised RPM database, or a trojaned installation of the Apache web server software
$ sudo rpm --root /mnt/subject -V httpd --noscripts
S.5....T c /etc/httpd/conf/httpd.conf
$ wget http://mirror.centos.org/centos-5/5.10/os/x86_64/CentOS/httpd-2.2.3-82.el5.centos.x86_64.rpm
$ rpm -K httpd-2.2.3-82.el5.centos.x86_64.rpm
httpd-2.2.3-82.el5.centos.x86_64.rpm: (sha1) dsa sha1 md5 gpg OK
$ sudo rpm --root /mnt/subject -Vp httpd-2.2.3-82.el5.centos.x86_64.rpm --noscripts
S.5....T c /etc/httpd/conf/httpd.conf
S.5....T   /usr/sbin/httpd
The database-driven check is silent about /usr/sbin/httpd; only the comparison against the signed package file exposes the modified binary
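The three-step process from the two slides above, wrapped so that a bad or absent signature stops the run before any file is compared. This is an added example written for this page, not the presenter's script. It assumes the vendor's signing key has already been imported on the analysis workstation (rpm --import), that the .rpm file has the same name-version-release-arch as the package installed on the subject, and that rpm, sudo and the /mnt/subject mount are as shown on the slides.

```shell
#!/bin/sh
# verify_against_package.sh (added example, not from the original slides)
# Usage: ./verify_against_package.sh /mnt/subject httpd-2.2.3-82.el5.centos.x86_64.rpm
#
# Assumptions: the vendor signing key was imported beforehand with
#   rpm --import <vendor-key-file>
# and the .rpm file is the same name-version-release-arch as the installed
# package (otherwise every file legitimately differs and the output is noise).

# Return 0 only when rpm -K exits 0 AND its report includes a verified signature.
# rpm -K exits 0 for an UNSIGNED package whose digests merely match, so the exit
# status alone would let an attacker-built package through. rpm 4.x prints each
# check that passed in lowercase ("... md5 gpg OK" on the slide; "pgp" for RSA
# signatures) and failures in uppercase; rpm 4.14+ prints "digests signatures OK".
package_is_signed_and_valid() {
    pkg=$1
    out=$(rpm -K "$pkg" 2>&1) || {
        printf 'REFUSING %s: %s\n' "$pkg" "$out" >&2
        return 1
    }
    case " $out " in
        *' gpg '*|*' pgp '*|*' signatures '*) return 0 ;;
    esac
    printf 'REFUSING %s: digests ok but no verified signature (%s)\n' "$pkg" "$out" >&2
    return 1
}

# Compare the subject filesystem with the trusted package file, never with the
# subject's own database. --noscripts keeps any %verifyscript from running as
# root inside the subject chroot. Returns 2 if the package was rejected;
# otherwise passes rpm's exit status through (non-zero when any file differs)
# and prints the usual flag lines, empty output meaning every file matched.
verify_subject_against_package() {
    root=$1
    pkg=$2
    package_is_signed_and_valid "$pkg" || return 2
    sudo rpm --root "$root" -Vp "$pkg" --noscripts
}

if [ "$#" -eq 2 ]; then
    verify_subject_against_package "$1" "$2"
fi
```

The signature check deliberately looks at rpm's report as well as its exit status: a package with no signature at all passes `rpm -K` cleanly, which is exactly what an attacker who rebuilt httpd would give you.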
18. REAL-WORLD USE CASES (1)
Find all non-config files owned by an RPM that fail a verification check (config lines carry " c " between the flags and the path)
$ sudo rpm --root /mnt/subject -Va --noscripts | grep -v ' c '
...
S.5....T    /var/www/awstats/lang/awstats-tt-tr.txt
S.5....T    /var/www/awstats/lang/awstats-tt-tw.txt
S.5....T    /var/www/awstats/lang/awstats-tt-ua.txt
.......T    /var/www/awstats/lib/blacklist.txt
S.5....T    /var/www/awstats/lib/browsers.pm
S.5....T    /var/www/awstats/lib/browsers_phone.pm
...
19. REAL-WORLD USE CASES (2)
Find only config files owned by an RPM which fail checksum verification (a "5" in the third flag column)
$ sudo rpm --root /mnt/subject -Va --noscripts | grep '^..5[^ ]* *c /'
S.5....T c /etc/pam.d/sshd
S.5....T c /etc/ssh/sshd_config
S.5....T c /etc/openldap/slapd.conf
S.5....T c /etc/sysconfig/ldap
S.5..... c /etc/sysconfig/saslauthd
S.5..... c /etc/security/limits.conf
S.5....T c /etc/logrotate.conf
SM5....T c /etc/snmp/snmpd.conf
S.5....T c /etc/sysconfig/snmpd.options
...
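The two one-liners on slides 18 and 19 pick lines out of the `rpm -Va` output by grepping the flag string. As an added example (not part of the presentation), the functions below do the same job with a small awk parser over the `rpm -V` line format, so the triage can go further than config versus non-config: missing files, files rpm could not read (the "?" columns) and, most important, non-config files whose digest changed, which is the strongest sign of a modified binary. The sample input is constructed to mirror the slides' output, not captured from a real subject.

```shell
#!/bin/sh
# rpm_verify_triage.sh (added example, not from the original slides)
#
# rpm -V prints one line per failing file:   FLAGS  [attr] path
#   FLAGS  "SM5DLUGT" (plus "P" on rpm >= 4.8), "." for a passed check, "?" if a
#          check could not be performed, or the word "missing"
#   attr   single letter: c config, d documentation, g ghost, l license, r readme
#          (absent for ordinary files, so the path is then the second field)
#
# Constructed sample, modelled on the slides rather than captured anywhere:
SAMPLE_VERIFY='S.5....T.  c /etc/sudoers
.M.......    /proc
....L....  c /etc/pam.d/system-auth
S.5....T.    /usr/sbin/httpd
..5....T.    /var/www/awstats/lib/browsers.pm
.......T.    /var/www/awstats/lib/blacklist.txt
S.5....T.  c /etc/ssh/sshd_config
missing    c /etc/postfix/master.cf
..?......    /var/lib/private/secret.db'

# Read rpm -V lines on stdin, emit "CLASS<TAB>FLAGS<TAB>ATTR<TAB>PATH".
# Classes, in the order a triage would look at them:
#   CONTENT_DIGEST  non-config file whose digest differs: modified binary/library/script
#   MISSING         file rpm expected but the filesystem lacks
#   UNREADABLE      rpm could not run a check (rerun as root, or look at the file by hand)
#   CONFIG_DIGEST   config file with changed content: read it, but expect some noise
#   CONFIG_OTHER / OTHER  only mode, ownership, link target or mtime changed
classify_verify() {
    awk '
    NF >= 2 {
        flags = $1
        attr  = (NF >= 3 && length($2) == 1) ? $2 : "-"
        path  = $NF                         # paths containing spaces are not handled
        if (flags == "missing")               cls = "MISSING"
        else if (index(flags, "?") > 0)       cls = "UNREADABLE"
        else if (substr(flags, 3, 1) == "5")  cls = (attr == "c") ? "CONFIG_DIGEST" : "CONTENT_DIGEST"
        else                                  cls = (attr == "c") ? "CONFIG_OTHER"  : "OTHER"
        printf "%s\t%s\t%s\t%s\n", cls, flags, attr, path
    }'
}

# Paths of one class only, e.g. `... | paths_of CONTENT_DIGEST` for the hit list.
paths_of() {
    awk -F '\t' -v want="$1" '$1 == want { print $4 }'
}

# Usage on a subject mounted as on the slides:
#   sudo rpm --root /mnt/subject -Va --noscripts | classify_verify | sort
#   sudo rpm --root /mnt/subject -Va --noscripts | classify_verify | paths_of CONTENT_DIGEST
# or `sh rpm_verify_triage.sh --demo` to run it over the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_VERIFY" | classify_verify
fi
```

Sorting the classified output puts every CONTENT_DIGEST line together at the top of the list, which is usually the first thing worth reading on a large `-Va` run.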
20. REAL-WORLD USE CASES (3A)
Find all files not owned by an RPM (this is going to be slow: one rpm query per file)
$ cat find_orphans.sh
#!/bin/sh
# Walk the subject's /etc and print every regular file that no package claims.
# The /mnt/subject prefix is stripped because rpm --root chroots into it.
sudo find /mnt/subject/etc -type f | while IFS= read -r file; do
    file=$( printf '%s\n' "$file" | sed -e 's|^/mnt/subject||' )
    rpm --root /mnt/subject -qf "$file" 2>&1 |
        grep -E 'package$|directory$' |
        sed -E 's/^(error: )?file (.*)(: No such file or directory| is not owned by any package)/\2/'
done
21. REAL-WORLD USE CASES (3B)
$ ./find_orphans.sh
/etc/crypttab
/etc/sysconfig/network
/etc/sysconfig/keyboard
/etc/sysconfig/iptables
...
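The loop above is slow because it forks rpm once per file. An added example, not from the presentation: pull every RPM-owned path out of the database once with `rpm -qal`, list what is actually on the subject with find, and take the set difference with comm(1). The `list_orphans` function is exercised here on two constructed path lists; the `collect_*` helpers wire it to the /mnt/subject mount assumed on the slides and are not run in the test.

```shell
#!/bin/sh
# find_orphans_fast.sh (added example, not from the original slides)
# One rpm query for the whole database instead of one per file.
# Usage: ./find_orphans_fast.sh /mnt/subject /etc

# Every path any installed package claims, relative to the subject root.
# rpm -qal also prints "(contains no files)" for empty packages; harmless to comm.
collect_owned() {        # $1 = subject root, e.g. /mnt/subject
    rpm --root "$1" -qal | LC_ALL=C sort -u
}

# Every regular file actually present under one subject directory, with the
# mount prefix stripped so the paths are comparable with rpm's chrooted view.
collect_present() {      # $1 = subject root, $2 = directory inside it, e.g. /etc
    sudo find "$1$2" -type f | sed "s|^$1||" | LC_ALL=C sort -u
}

# Lines in $1 (present) that are not in $2 (owned). Both files must already be
# sorted with LC_ALL=C, which collect_* guarantee; comm does no sorting itself.
list_orphans() {
    LC_ALL=C comm -23 "$1" "$2"
}

# Typical run on a mounted subject (the rpm and sudo notes from the slides apply):
#   collect_owned   /mnt/subject      > owned.txt
#   collect_present /mnt/subject /etc > present.txt
#   list_orphans present.txt owned.txt
if [ "$#" -eq 2 ]; then
    owned=$(mktemp) && present=$(mktemp) || exit 1
    collect_owned "$1" > "$owned"
    collect_present "$1" "$2" > "$present"
    list_orphans "$present" "$owned"
    rm -f "$owned" "$present"
fi
```

Keeping owned.txt around is worthwhile on its own: it is a cheap, sorted inventory of everything the database claims, and diffing it against a second extraction of the same subject is a quick way to spot a database that was edited under you.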
22. COOL PARTY TRICK (1)
Use the "--queryformat" option to output only relevant/useful fields from the RPM database
Provides 150 different tags that can be output per package or for each file in a package
Available tags vary by version, and the online documentation is terrible
Use "--querytags" for a listing specific to your version of RPM
Consider "RPMDBtoTimeline"…
23. COOL PARTY TRICK (2)*
Emit every RPM-owned file as a Sleuth Kit bodyfile line (digest|path|inode|mode|uid|gid|size|atime|mtime|ctime|crtime) so mactime can fold the package metadata into a timeline
$ for pkg in $( rpm --root /mnt/subject -qa ); do
    rpm --root /mnt/subject -q "$pkg" --queryformat \
      '[%{FILEDIGESTS}|%{FILENAMES}|0|%{FILEMODES:perms}|%{FILEUSERNAME}|%{FILEGROUPNAME}|%{FILESIZES}|0|%{FILEMTIMES}|0|0\n]' |
    sed -e 's/^|/0|/' -e 's/|0|d/|0|d\/d/' -e 's/|0|-/|0|r\/r/'
done
...
4398551f...a13988cf|/usr/share/doc/gamin-0.1.10/callbacks.gif|0|r/rrw-r--r--|root|root|4514|0|1183556209|0|0
0|/usr/lib64/libmenuw.so.5|0|lrwxrwxrwx|root|root|15|0|1282146079|0|0
0|/usr/share/cracklib|0|d/drwxr-xr-x|root|root|4096|0|1308983949|0|0
...
* "Cool" claim not valid at all parties. YMMV.
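The sed stage above prefixes directories and regular files with the Sleuth Kit mode notation but leaves symlinks and device nodes unprefixed, as the libmenuw.so.5 line shows. An added example, not from the presentation: an awk filter that derives the d/d, r/r, l/l, c/c or b/b prefix from the first character of %{FILEMODES:perms} for every file type and fills the empty digest field, so it can replace the sed stage in the pipeline above. The input below is constructed to look like the raw queryformat output on the slide; the digests are made up.

```shell
#!/bin/sh
# rpm_to_bodyfile.sh (added example, not from the original slides)
# Turn the --queryformat output from the slide into Sleuth Kit bodyfile lines:
#   MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
# mactime only reads the timestamps, so the digest column may hold rpm's SHA-256.

# Constructed sample of the raw queryformat output (fake digests, not real data):
SAMPLE_QF='0123456789abcdef|/usr/share/doc/gamin-0.1.10/callbacks.gif|0|-rw-r--r--|root|root|4514|0|1183556209|0|0
|/usr/lib64/libmenuw.so.5|0|lrwxrwxrwx|root|root|15|0|1282146079|0|0
|/usr/share/cracklib|0|drwxr-xr-x|root|root|4096|0|1308983949|0|0
|/dev/null|0|crw-rw-rw-|root|root|0|0|1308983949|0|0
fedcba9876543210|/bin/ping|0|-rwsr-xr-x|root|root|40760|0|1308983949|0|0'

# Read queryformat lines on stdin, write bodyfile lines. Only the type letter
# (first character of the ls-style mode) decides the prefix, so setuid bits and
# the like pass through untouched, as in the /bin/ping sample line.
rpm_to_bodyfile() {
    awk -F '|' -v OFS='|' '
    NF == 11 {
        if ($1 == "") $1 = "0"              # no digest for dirs, symlinks, devices
        t = substr($4, 1, 1)                # d, l, c, b, or "-" for a regular file
        if (t == "-") t = "r"               # TSK writes regular files as r/r
        $4 = t "/" t substr($4, 2)
        print
    }'
}

# Typical use, replacing the sed stage from the slide:
#   for pkg in $( rpm --root /mnt/subject -qa ); do
#       rpm --root /mnt/subject -q "$pkg" --queryformat \
#         '[%{FILEDIGESTS}|%{FILENAMES}|0|%{FILEMODES:perms}|%{FILEUSERNAME}|%{FILEGROUPNAME}|%{FILESIZES}|0|%{FILEMTIMES}|0|0\n]'
#   done | rpm_to_bodyfile > rpm.body
#   mactime -b rpm.body -d
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_QF" | rpm_to_bodyfile
fi
```

Because the mtime column comes from the package database rather than the filesystem, the resulting timeline shows when each file was supposed to be written; lining it up against an fls(1) bodyfile of the same mount is a second route to the files that `rpm -V` flags with T.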
24. IN CONCLUSION
RPM is a pretty cool way to eliminate known files from a Linux system examination
Know the shortcomings in the RPM package database so you can mitigate them
With a little shell scripting, you can develop useful tools to quickly and consistently minimize input data