Verify File Hashes with RPM

Classification: compliance
Description

Without cryptographic integrity protections, system executables and files can be altered by unauthorized users without detection. The RPM package management system can check the hashes of installed software packages, including many that are important to system security. To verify that the cryptographic hashes of system files and commands match the vendor values, run the following command to list which files on the system have hashes that differ from what the RPM database expects:

$ rpm -Va | grep '^..5'

A “c” in the second column indicates that a file is a configuration file, which may appropriately be expected to change. If the file was not expected to change, investigate the cause of the change using audit logs or other means. The package can then be reinstalled to restore the file. Run the following command to determine which package owns the file:

$ rpm -qf FILENAME

The package can be reinstalled from a yum repository using the command:

$ sudo yum reinstall PACKAGENAME

Alternatively, the package can be reinstalled from trusted media using the command:

$ sudo rpm -Uvh PACKAGENAME
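The check above keys on the "5" (digest) column of rpm -V output. As an added example, not part of the guide or of the rpm project, the parser below reads that output, separates digest mismatches in configuration files (expected drift) from those in other files, applies the same system-directory filter the remediation playbook uses, and also reports files that are missing entirely, which the grep '^..5' filter does not show. The sample output and the function names are constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Column order of the 9-character verify string printed by rpm -V:
# S size, M mode, 5 digest, D device, L link, U user, G group, T mtime, P caps.
FLAG_NAMES = "SM5DLUGTP"
# Optional attribute marker after the flags: c=config, d=doc, g=ghost, l=license, r=readme.
LINE_RE = re.compile(
    r"^(?P<status>missing|[SM5DLUGTP.?]{9})\s+(?:(?P<attr>[cdglr])\s+)?(?P<path>/\S.*)$"
)
# Directory filter matching the playbook's grep pattern.
SYSTEM_PREFIXES = ("/bin/", "/sbin/", "/lib/", "/lib64/", "/usr/")


@dataclass
class VerifyEntry:
    path: str
    missing: bool
    config: bool
    flags: set = field(default_factory=set)  # letters from FLAG_NAMES that failed

    @property
    def digest_changed(self) -> bool:
        return "5" in self.flags


def parse_rpm_verify(output: str) -> list:
    """Parse rpm -Va text into VerifyEntry records; lines that do not match are skipped."""
    entries = []
    for line in output.splitlines():
        m = LINE_RE.match(line.rstrip())
        if not m:
            continue
        status = m.group("status")
        missing = status == "missing"
        flags = set() if missing else {c for c in status if c in FLAG_NAMES}
        entries.append(VerifyEntry(m.group("path"), missing, m.group("attr") == "c", flags))
    return entries


def files_to_investigate(entries, system_only: bool = True) -> list:
    """Non-config files with a changed digest or missing outright: candidates for rpm -qf and reinstall."""
    return [e.path for e in entries
            if not e.config and (e.digest_changed or e.missing)
            and (not system_only or e.path.startswith(SYSTEM_PREFIXES))]


def changed_config_files(entries) -> list:
    """Config files whose digest changed: review against expected local changes rather than reinstall."""
    return [e.path for e in entries if e.config and e.digest_changed]


# Constructed sample of rpm -Va output (not captured from a real host).
SAMPLE_OUTPUT = """\
S.5....T.  c /etc/ssh/sshd_config
.M.......    /usr/bin/chage
S.5....T.    /usr/bin/sudo
missing     /usr/lib64/libexample.so.1
..5......    /opt/vendor/bin/tool
.......T.  d /usr/share/doc/pkg/README
"""
```

Running `files_to_investigate(parse_rpm_verify(SAMPLE_OUTPUT))` on the sample returns the sudo binary and the missing library; the mode-only change on chage and the documentation mtime change are left out.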

Rationale

The hashes of important files like system executables should match the information given by the RPM database. Executables with erroneous hashes could be a sign of nefarious activity on the system.

Remediation

Ansible playbook

The following playbook can be run with Ansible to remediate the issue.

- name: "Set fact: Package manager reinstall command (dnf)"
  set_fact:
    package_manager_reinstall_cmd: dnf reinstall -y
  when: ansible_distribution == "Fedora"
  tags:
    - rpm_verify_hashes
    - high_severity
    - unknown_strategy
    - high_complexity
    - medium_disruption
    - NIST-800-53-CM-6(d)
    - NIST-800-53-CM-6(3)
    - NIST-800-53-SI-7(1)
    - NIST-800-171-3.3.8
    - NIST-800-171-3.4.1
    - PCI-DSS-Req-11.5
    - CJIS-5.10.4.1
    - DISA-STIG-RHEL-07-010020

- name: "Set fact: Package manager reinstall command (yum)"
  set_fact:
    package_manager_reinstall_cmd: yum reinstall -y
  when: ansible_distribution == "RedHat" or ansible_distribution == "OracleLinux"
  tags:
    - rpm_verify_hashes
    - high_severity
    - unknown_strategy
    - high_complexity
    - medium_disruption
    - NIST-800-53-CM-6(d)
    - NIST-800-53-CM-6(3)
    - NIST-800-53-SI-7(1)
    - NIST-800-171-3.3.8
    - NIST-800-171-3.4.1
    - PCI-DSS-Req-11.5
    - CJIS-5.10.4.1
    - DISA-STIG-RHEL-07-010020

- name: "Read files with incorrect hash"
  shell: "rpm -Va | grep -E '^..5.* /(bin|sbin|lib|lib64|usr)/' | sed -r 's;^.*\\s+(.+);\\1;g'"
  register: files_with_incorrect_hash
  changed_when: False
  when: package_manager_reinstall_cmd is defined
  check_mode: no
  tags:
    - rpm_verify_hashes
    - high_severity
    - unknown_strategy
    - high_complexity
    - medium_disruption
    - NIST-800-53-CM-6(d)
    - NIST-800-53-CM-6(3)
    - NIST-800-53-SI-7(1)
    - NIST-800-171-3.3.8
    - NIST-800-171-3.4.1
    - PCI-DSS-Req-11.5
    - CJIS-5.10.4.1
    - DISA-STIG-RHEL-07-010020

- name: "Reinstall packages of files with incorrect hash"
  shell: "{{ package_manager_reinstall_cmd }} $(rpm -qf '{{ item }}')"
  with_items: "{{ files_with_incorrect_hash.stdout_lines }}"
  when: package_manager_reinstall_cmd is defined and (files_with_incorrect_hash.stdout_lines | length > 0)
  tags:
    - rpm_verify_hashes
    - high_severity
    - unknown_strategy
    - high_complexity
    - medium_disruption
    - NIST-800-53-CM-6(d)
    - NIST-800-53-CM-6(3)
    - NIST-800-53-SI-7(1)
    - NIST-800-171-3.3.8
    - NIST-800-171-3.4.1
    - PCI-DSS-Req-11.5
    - CJIS-5.10.4.1
    - DISA-STIG-RHEL-07-010020