Hello Reader,
In my previous blog post, I explained how to use the rpm tool to validate a file on disk against the local RPM metadata. But what if you suspect that an entire package—not just a single file—has been tampered with?
This is where we can leverage a powerful feature I mentioned earlier: extracting metadata directly from the Linux distribution’s repository. Since this remote repository should be unaffected by any local security incidents, it allows you to verify that packages like the core system utilities in this example remain unaltered by a potential threat actor.
Step 1: Identify the Repository URL
To fetch the official package version, you first need to determine the correct repository URL. You can do this using the dnf repoquery command:
dnf repoquery --location coreutils
(You can substitute any package name for coreutils.)
This will return a URL similar to:
https://ftp.redhat.com/pub/redhat/linux/enterprise/9/en/os/x86_64/Packages/coreutils-8.32-31.el9.x86_64.rpm
Step 2: Extract the Official Package Hash
Now that you have the package URL, you can use rpm to retrieve its metadata, including file hashes, without downloading the full package:
rpm -q --dump -p https://ftp.redhat.com/pub/redhat/linux/enterprise/9/en/os/x86_64/Packages/coreutils-8.32-31.el9.x86_64.rpm
Step 3: Compare Local vs. Repository Hashes
To ensure your package is untouched, compare:
- The hash of the local file (e.g., /bin/ls)
- The hash stored in the local RPM database
- The hash from the official repository package
If all three hashes match, you can be highly confident that your package has not been altered.
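The following shell script is an added illustration of the three-way comparison for a single file; it is not from the original post. The rpm --dump lines, the sample file and the "upstream" digest are constructed stand-ins so it runs offline, and the two rpm commands that would produce real dumps on a host are shown in comments.

```shell
#!/bin/sh
# Three-way digest check for one packaged file: on disk vs local rpmdb vs the
# repository RPM. Assumes SHA-256 file digests (the RHEL 9 default) and that the
# repository package is the same version as the installed one.

# Print the digest column (field 4 of `rpm --dump` output on stdin) for one path.
digest_from_dump() {
    awk -v p="$1" '$1 == p { print $4; exit }'
}

# verify_file <path-in-package> <file-to-hash> <rpmdb-dump> <repo-dump>
# Returns 0 when all three digests agree, 1 on mismatch, 2 if a dump lacks the path.
verify_file() {
    pkg_path=$1 on_disk=$2 db_dump=$3 repo_dump=$4
    disk=$(sha256sum "$on_disk" | awk '{ print $1 }')
    db=$(printf '%s\n' "$db_dump" | digest_from_dump "$pkg_path")
    repo=$(printf '%s\n' "$repo_dump" | digest_from_dump "$pkg_path")
    if [ -z "$db" ] || [ -z "$repo" ]; then
        echo "MISSING  $pkg_path: not listed in the rpmdb or repository metadata"
        return 2
    fi
    if [ "$disk" = "$db" ] && [ "$db" = "$repo" ]; then
        echo "OK       $pkg_path"
        return 0
    fi
    echo "MISMATCH $pkg_path disk=$disk rpmdb=$db repo=$repo"
    return 1
}

# On a real host the two dumps come from the commands in the post:
#   db_dump=$(rpm -q --dump coreutils)
#   repo_dump=$(rpm -q --dump -p "$(dnf repoquery --location coreutils)")
# The constructed stand-ins below keep the example runnable offline.
GOOD=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03   # sha256 of "hello\n"
UPSTREAM=1111111111111111111111111111111111111111111111111111111111111111  # constructed placeholder
SAMPLE=$(mktemp); printf 'hello\n' > "$SAMPLE"; trap 'rm -f "$SAMPLE"' EXIT  # stands in for /usr/bin/ls
# rpm --dump fields: path size mtime digest mode owner group isconfig isdoc rdev symlink
RPMDB_DUMP="/usr/bin/ls 140952 1700000000 $GOOD 0100755 root root 0 0 0 X"
REPO_CLEAN="$RPMDB_DUMP"
# Tampered host: the binary was replaced and the local rpmdb edited to match it, so
# disk and rpmdb agree; only the untouched repository copy still carries the real digest.
REPO_REAL="/usr/bin/ls 140952 1700000000 $UPSTREAM 0100755 root root 0 0 0 X"

demo() {
    verify_file /usr/bin/ls "$SAMPLE" "$RPMDB_DUMP" "$REPO_CLEAN" || :   # OK
    verify_file /usr/bin/ls "$SAMPLE" "$RPMDB_DUMP" "$REPO_REAL" || :    # MISMATCH
}
demo
```

The second call shows why the repository copy matters: a host where the binary and the rpmdb were both altered still looks clean until the digest is compared with the repository's.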
Of course, this assumes there isn’t a worst-case scenario where the original distribution’s repository has been compromised—but let’s hope it never comes to that!
By following these steps, you can verify system integrity efficiently using native Linux tools.