Hello Reader,
When I first started doing Digital Forensics and Incident Response (DFIR) back in 2000, one challenge I faced was verifying the integrity of Linux executables. Often, systems didn't record file hashes during installation, and sometimes we didn't even have a reliable set of installation media to compare against.
To solve this problem, I initially wrote a lengthy Perl script. The script went through each installed package on the local system, comparing the file hashes on disk against the original package hashes, and then validating these against the official distribution hashes.
Today, this task is much simpler. On Linux systems using RPM (Red Hat Enterprise Linux, Fedora, CentOS and their derivatives), you can check a file against its package with a single command:
rpm -Vf /path/to/file
What does this command do?
rpm -V (or rpm --verify) compares installed files against the metadata the RPM database recorded when the package was installed: size, digest, permissions, owner, group, modification time, symlink target, device numbers and file capabilities.
-f tells rpm to look up the installed package that owns the given path (the same lookup rpm -qf does) and then verify that package. Note that verification runs over the whole owning package, so the output can include other files from the same package that differ, not only the path you asked about.
Example Output:
Running the command might give you output like this:
S.5....T. c /etc/httpd/conf/httpd.conf
Here's what those verification flags mean. rpm prints nine attribute positions in a fixed order (S M 5 D L U G T P); a dot means that test passed:

| Flag | Meaning |
|---|---|
| S | File size differs |
| M | Mode (permissions and file type) differs |
| 5 | Digest differs (MD5 on old rpm versions, SHA-256 on current ones) |
| D | Device major/minor number mismatch |
| L | Symlink path differs |
| U | User ownership differs |
| G | Group ownership differs |
| T | Modification time differs |
| P | Capabilities differ |
| . | Test passed (no change) |
| ? | Test could not be performed (for example, the file is unreadable when you run rpm as a non-root user) |

The single letter after the flags is the file type: c for a %config file, d for documentation, g for a %ghost file, l for a license file, r for a readme; it is blank for ordinary files. The c on httpd.conf above tells you the changed file is a config file, which is usually an expected local edit rather than tampering; the same flags on a binary such as /usr/bin/bash are a very different finding.
If the command produces no output, every file in the owning package matches what the RPM database recorded at install time. Two caveats apply on a suspect host. First, rpm -V trusts the local database under /var/lib/rpm; an intruder with root can rewrite it (or reinstall a trojaned package into it), so a clean result is only as trustworthy as that database. For a stronger check, fetch the same package version from a known-good distribution mirror, confirm its signature with rpm -K, and verify against the package file itself with rpm -Vp package.rpm instead of the database. Second, a file shipped with the %config directive can be excluded from some tests, and package scriptlets or "missing" lines can appear in the output, so read the full output rather than just grepping for a path.
Quick Example:
rpm -Vf /usr/bin/bash
This command finds the installed package that owns /usr/bin/bash (the bash package) and verifies every file in that package against the RPM database, so any size, digest, mode or ownership change to the bash executable itself shows up as a line with the flags described above.
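When you run rpm -Va across a whole host the output is long and mixes expected config edits with real tampering. As an added example (this is not code from the original post, and the sample rpm -V lines it embeds are constructed, not captured from a real system), here is a small POSIX shell script that decodes the nine attribute flags and ranks each finding: content changes to non-config files first, then missing files, then metadata-only changes, then tests that could not run, with config files last. The rank thresholds and the file-type letters it recognises (c, d, g, l, r) are my own triage choices, not rpm settings.

```shell
#!/bin/sh
# Triage `rpm -V` output: decode the nine attribute flags and rank findings.
# Added example, not from the original post. SAMPLE below is constructed data.
set -u

# Meaning of one attribute-flag character from an rpm -V line.
# '.' = test passed, '?' = test could not be run (e.g. unreadable as non-root).
flag_meaning() {
    case "$1" in
        S) printf 'size' ;;
        M) printf 'mode' ;;
        5) printf 'digest' ;;
        D) printf 'device' ;;
        L) printf 'symlink' ;;
        U) printf 'user' ;;
        G) printf 'group' ;;
        T) printf 'mtime' ;;
        P) printf 'caps' ;;
        '?') printf 'untestable' ;;
        *) printf 'unknown(%s)' "$1" ;;
    esac
}

# decode_flags 'S.5....T.' -> 'size,digest,mtime'
decode_flags() {
    df_flags=$1; df_out=""
    while [ -n "$df_flags" ]; do
        df_c=${df_flags%"${df_flags#?}"}   # first character
        df_flags=${df_flags#?}             # drop it
        if [ "$df_c" != "." ]; then
            df_out="${df_out:+$df_out,}$(flag_meaning "$df_c")"
        fi
    done
    printf '%s\n' "$df_out"
}

# classify_line '<one rpm -V line>' -> '<rank> <PRIORITY> <path> <changes>'
#   1 HIGH    content changed (size or digest) in a non-config file
#   2 MISSING a file from the package manifest is gone from disk
#   3 MEDIUM  metadata-only change (mode/owner/mtime/caps) in a non-config file
#   4 UNKNOWN a test could not run ('?'); re-run as root
#   5 LOW     config file ('c'); local edits are usually expected
classify_line() {
    cl_line=$1
    cl_flags=${cl_line%% *}                    # first column: flags or "missing"
    cl_rest=${cl_line#* }
    cl_rest=${cl_rest#"${cl_rest%%[! ]*}"}     # strip leading spaces
    # optional file-type column (c=config, d=doc, g=ghost, l=license, r=readme)
    case "$cl_rest" in
        [cdglr]\ *) cl_type=${cl_rest%% *}; cl_path=${cl_rest#* } ;;
        *)          cl_type='-';             cl_path=$cl_rest ;;
    esac
    cl_path=${cl_path#"${cl_path%%[! ]*}"}
    if [ "$cl_flags" = "missing" ]; then
        printf '2 MISSING %s -\n' "$cl_path"
        return 0
    fi
    cl_what=$(decode_flags "$cl_flags")
    case "$cl_flags" in
        *S*|*5*) cl_rank='1 HIGH' ;;
        *'?'*)   cl_rank='4 UNKNOWN' ;;
        *)       cl_rank='3 MEDIUM' ;;
    esac
    [ "$cl_type" = "c" ] && cl_rank='5 LOW'
    printf '%s %s %s\n' "$cl_rank" "$cl_path" "$cl_what"
}

# Read rpm -V output on stdin; print findings highest priority first, rank dropped.
triage_rpm_verify() {
    while IFS= read -r tr_line || [ -n "$tr_line" ]; do
        if [ -n "$tr_line" ]; then classify_line "$tr_line"; fi
    done | sort -n | cut -d' ' -f2-
}

# Constructed sample of `rpm -Va` output (not captured from a real host).
SAMPLE='S.5....T.  c /etc/httpd/conf/httpd.conf
S.5....T.    /usr/bin/bash
.M.......    /usr/sbin/sshd
missing      /usr/lib64/libfoo.so.1
..?......    /usr/bin/sudo'

# Usage: sh rpm_triage.sh          (triages the constructed sample)
#        sh rpm_triage.sh --live   (triages real `rpm -Va` output on an RPM host)
case "${1:-}" in
    --live) rpm -Va | triage_rpm_verify ;;
    *)      printf '%s\n' "$SAMPLE" | triage_rpm_verify ;;
esac
```

On the sample the first line printed is the bash binary with size, digest and mtime changes, and the edited httpd.conf sinks to the bottom as LOW. On a real host, anything in the HIGH bucket deserves a comparison against a freshly downloaded copy of the same package (rpm -Vp) before you trust the database it was verified against.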