Question
rpm(1) provides a -V option to verify installed files against the installation database, which can be used to detect modified or missing files. This might be used as a form of intrusion detection (or at least part of an audit). However, it is of course possible that the rpm database installed may be modified by a hacker to hide their tracks (see http://www.sans.org/security-resources/idfaq/rpm.php, last sentence).
It looks like it should be possible to back up the rpm database /var/lib/rpm after every install (to some external medium) and to use that during an audit using --dbpath. Such a backup would of course have to be updated after every install or upgrade etc.
Is this feasible? Are there any resources that detail methods, pitfalls, suggestions etc for this?
Answer 1:
Yes, feasible. Use "rpm -Va --dbpath /some/where/else" to point to some saved database directory.
Copy /var/lib/rpm/Packages to the saved /some/where/else directory, and run "rpm --rebuilddb --dbpath /some/where/else" to regenerate the indices.
Note that you can also verify files using the original packaging like "rpm -Vp some*.rpm" which is often less hassle (and more secure with RO offline media storing packages) than saving copies of the installed /var/lib/rpm/Packages rpmdb.
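The answer's snapshot-then-audit procedure as a script, added here as an example that is not part of the original post. RPMDB_DIR and SNAP_DIR are assumed paths (SNAP_DIR standing for the external medium), and the checksum step is an addition so that an audit refuses to run from a saved copy that has itself been altered.

```shell
#!/bin/sh
# Snapshot the live rpmdb to external media right after each install/upgrade,
# and audit later from that copy instead of the (possibly tampered) live one.
set -eu

RPMDB_DIR=${RPMDB_DIR:-/var/lib/rpm}      # live database
SNAP_DIR=${SNAP_DIR:-/mnt/audit/rpmdb}    # assumed mount point of the external medium

# Copy the Packages file (Berkeley DB layout as in the answer; sqlite-backed rpm
# keeps rpmdb.sqlite instead), rebuild the indices beside it, and record a
# checksum of the copy so later audits can tell whether the snapshot is intact.
snapshot_rpmdb() {
    mkdir -p "$SNAP_DIR"
    cp "$RPMDB_DIR/Packages" "$SNAP_DIR/Packages"
    rpm --rebuilddb --dbpath "$SNAP_DIR"
    (cd "$SNAP_DIR" && sha256sum Packages > Packages.sha256)
}

# Return 0 if the saved Packages file still matches the checksum recorded at
# snapshot time, non-zero if the snapshot itself has changed since.
check_snapshot_integrity() {
    (cd "$1" && sha256sum -c --quiet Packages.sha256 >/dev/null 2>&1)
}

# Verify every installed file against the snapshot, not the live database,
# and refuse to trust a snapshot whose own integrity check fails.
audit_installed_files() {
    if ! check_snapshot_integrity "$SNAP_DIR"; then
        echo "rpmdb snapshot in $SNAP_DIR does not match its recorded checksum" >&2
        return 2
    fi
    rpm -Va --dbpath "$SNAP_DIR"
}

case "${1:-}" in
    snapshot) snapshot_rpmdb ;;
    audit)    audit_installed_files ;;
esac
```

Run `snapshot` after every install or upgrade while the medium is writable, then keep it read-only or detached until the next `audit`.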
Source: https://stackoverflow.com/questions/29382775/use-rpm-v-against-backed-up-database