Occasionally you just want a bit of peace of mind about your server or Linux install. You may suspect that somebody has hacked your server, or that a package install changed something it shouldn't have. Here are a couple of ideas on how to do a quick 'health' check on the md5sums of the files your binary packages installed.
On Debian/Ubuntu, install dlocate and check a package against the md5sums recorded at install time:
apt-get install dlocate
dlocate -md5check openssh-server
To force a failure, try something like this (the man page is a harmless file to tamper with):
mv /usr/share/man/man5/sshd_config.5.gz /usr/share/man/man5/sshd_config.5.gz-old
echo Boo > /usr/share/man/man5/sshd_config.5.gz
dlocate -md5check openssh-server
On RPM-based distributions (Red Hat, CentOS, Fedora) the equivalent check is:
rpm -qvV openssh
Again, you can force a failure by changing a file:
mv /usr/share/doc/openssh-4.3p2/CREDITS /usr/share/doc/openssh-4.3p2/CREDITS-old
echo Boo >/usr/share/doc/openssh-4.3p2/CREDITS
rpm -qvV openssh
For less verbosity, drop the lower-case v (so it's rpm -qV); then only files that fail a check are listed.
What does this output tell you?
For every file in the package that has changed, rpm prints a 9-character string (one position per check) followed by the file path. A "dot" means that check passed. A "dot" replaced by a letter has these meanings:
S file Size differs
M Mode differs (includes permissions and file type)
5 MD5 sum differs
D Device major/minor number mismatch
L readLink(2) path mismatch
U User ownership differs
G Group ownership differs
T mTime differs
P caPabilities differ
If you get any file flagged with a "5", it will almost certainly have the "T" and "S" flags as well.
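As an added example (not part of the original post), a small Python parser that decodes these flag strings from rpm -V output into readable findings and picks out the lines worth investigating first. The sample output is constructed to mimic rpm -qvV, not captured from a real host.

```python
import re
from typing import List, NamedTuple, Optional, Tuple
# One entry per position of the 9-character flag string, in the order rpm -V prints them.
FLAG_MEANINGS = {
    "S": "file size differs",
    "M": "mode differs (permissions and file type)",
    "5": "MD5/digest differs",
    "D": "device major/minor number mismatch",
    "L": "readlink(2) path mismatch",
    "U": "user ownership differs",
    "G": "group ownership differs",
    "T": "mtime differs",
    "P": "capabilities differ",
    "?": "check could not be performed (e.g. permission denied)",
}
# Optional single-letter attribute marker rpm prints between the flags and the path.
ATTR_MARKERS = {"c": "config", "d": "documentation", "g": "ghost", "l": "license", "r": "readme"}
LINE_RE = re.compile(r"^(?P<flags>[SM5DLUGTP.?]{9}|missing)\s+(?:(?P<attr>[cdglr])\s+)?(?P<path>/\S+)$")

class Finding(NamedTuple):
    path: str
    attr: Optional[str]        # "config", "documentation", ... or None
    missing: bool
    changes: Tuple[str, ...]   # readable reasons; empty when the file verified clean

def parse_rpm_verify(output: str) -> List[Finding]:
    """Turn the text printed by rpm -qV / rpm -qvV into structured findings."""
    findings = []
    for line in output.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line.rstrip())
        if not m:
            raise ValueError(f"unrecognised rpm -V line: {line!r}")
        missing = m["flags"] == "missing"
        changes = () if missing else tuple(FLAG_MEANINGS[ch] for ch in m["flags"] if ch != ".")
        findings.append(Finding(m["path"], ATTR_MARKERS.get(m["attr"] or ""), missing, changes))
    return findings

def suspicious(findings: List[Finding]) -> List[Finding]:
    """Changed or missing files that are neither config nor docs: the ones to investigate first."""
    return [f for f in findings if (f.missing or f.changes) and f.attr not in ("config", "documentation")]

# Constructed sample mimicking rpm -qvV output; not captured from a real host.
SAMPLE = """\
.........    /usr/sbin/sshd
S.5....T.  c /etc/ssh/sshd_config
missing    d /usr/share/doc/openssh/CREDITS
S.5....T.    /usr/bin/ssh-keygen
"""
```

A modified config file or a missing doc file is usually routine; a changed binary such as the last sample line is what deserves a closer look.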
Credits: Courtesy of New Zealand Linux and fedoraforum.org
Erik
Tuesday, April 24, 2012
linux administration - tips, notes and projects