<div dir="ltr">while rpm's verify options are useful in many cases, they are not in this one. The use case is, Admin A takes ownership of server-C from admin B, admin-B might have infested server-C with all kinds of "custom" code (and even worse, scripts executing as root). How does admin-A ensure no custom code (scripts are probably even harder?) is running on server-C.<div>
This looks to me like it needs collaboration from the auditing subsystem (whenever a process starts), and selinux (detecting/blocking) executables not meeting signing requests, or at least logging what happened</div><div>
<br></div><div>Does fedora have the tools to accomplish such a task today, if not what's missing</div><div><br></div><div>Regards<br><br><div class="gmail_quote">On Sat, May 9, 2009 at 10:12 PM, Mathieu Bridon (bochecha) <span dir="ltr"><<a href="mailto:bochecha@fedoraproject.org">bochecha@fedoraproject.org</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"><div><div></div><div class="h5">Hi,<br>
<br>
> Is there any technology in fedora, that enables me to ensure that ALL<br>
> running code on a certain server (even code not installed from RPMs, such as<br>
> say by a legacy admin), has been signed by redhat, and to warn me about<br>
> un-signed code that is running or about to run. I am interested to verify a<br>
> server is in a "known-good" state<br>
<br>
</div></div>I don't know of any « One True Solution », but you could use things like :<br>
$ rpm -qaV<br>
-> this will list all files modified _after_ they were installed via RPM<br>
$ rpm -qf <some file><br>
-> this will tell you the package that this file belongs to<br>
<br>
You can then use the « --queryformat » option of RPM to get various<br>
informations about a package, for example where did it come from.<br>
<br>
For files installed not using RPM, I'm not sure how to verify this,<br>
but as Fedora only provides files in RPMs, I'm pretty confident that<br>
no file outside a RPM will be signed by Fedora.<br>
<br>
For RedHat, I have no idea, but you are on a Fedora mailing-list ;)<br>
<br>
<br>
----------<br>
<br>
Mathieu Bridon (bochecha)<br>
<font color="#888888"><br>
--<br>
fedora-devel-list mailing list<br>
<a href="mailto:fedora-devel-list@redhat.com">fedora-devel-list@redhat.com</a><br>
<a href="https://www.redhat.com/mailman/listinfo/fedora-devel-list" target="_blank">https://www.redhat.com/mailman/listinfo/fedora-devel-list</a><br>
</font></blockquote></div><br></div></div>