use rpm -V against backed-up database


Question

rpm(1) provides a -V option to verify installed files against the installation database, which can be used to detect modified or missing files. This might be used as a form of intrusion detection (or at least part of an audit). However, it is of course possible that the rpm database installed may be modified by a hacker to hide their tracks (see http://www.sans.org/security-resources/idfaq/rpm.php, last sentence)

It looks like it should be possible to back up the rpm database /var/lib/rpm after every install (to some external medium) and to use that during an audit using --dbpath. Such a backup would have to be updated of course after every install or upgrade etc.

Is this feasible? Are there any resources that detail methods, pitfalls, suggestions etc for this?

Recommended answer

Yes feasible. Use "rpm -Va --dbpath /some/where/else" to point to some saved database directory.

Copy /var/lib/rpm/Packages to the saved /some/where/else directory, and run "rpm --rebuilddb --dbpath /some/where/else" to regenerate the indices.

Note that you can also verify files using the original packaging like "rpm -Vp some*.rpm" which is often less hassle (and more secure with RO offline media storing packages) than saving copies of the installed /var/lib/rpm/Packages rpmdb.
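The snapshot and audit steps from the answer as a script, added here as an example and not part of the original answer. The function names are hypothetical, the rpmdb is assumed to use the `Packages` file the answer names, and `triage_verify` goes beyond the answer by filtering `rpm -V` output down to missing files and digest mismatches on non-config files.

```shell
#!/bin/sh
# Added example (not from the original answer). Function names are
# hypothetical; the rpmdb is assumed to keep the Packages file the answer names.

# snapshot_rpmdb LIVE SNAP: run after every install or upgrade.
# SNAP should live on the external (ideally read-only afterwards) medium.
snapshot_rpmdb() {
    [ -f "$1/Packages" ] || { echo "no Packages file in $1" >&2; return 2; }
    mkdir -p "$2" && cp -p "$1/Packages" "$2/Packages" || return 2
    rpm --rebuilddb --dbpath "$2"      # regenerate the indices
}

# triage_verify: read `rpm -V` output on stdin and print the lines worth
# review: missing files, and digest ("5", third flag) mismatches on files
# not marked as config ("c"), since admins edit config files legitimately.
triage_verify() {
    awk '
        { attr = (NF >= 3 && length($2) == 1) ? $2 : ""
          path = substr($0, index($0, "/")) }      # keeps paths with spaces
        $1 == "missing" { print "MISSING " path; next }
        length($1) == 9 && substr($1, 3, 1) == "5" && attr != "c" {
            print "CHANGED " path
        }
    '
}

# audit_rpmdb SNAP: verify the live filesystem against the saved database.
# Returns 0 when nothing needs review, 1 when findings were printed,
# 2 when the snapshot is not there.
audit_rpmdb() {
    [ -f "$1/Packages" ] || { echo "no snapshot in $1" >&2; return 2; }
    findings=$(rpm -Va --dbpath "$1" | triage_verify)
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```

An empty result only means `rpm` reported nothing to triage; check its stderr as well, since an unreadable snapshot database also produces no findings.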
