Hi All , Happy Holidays :)
I want to know how I can monitor a remote machine's rpm database, so that whenever a user on that machine installs a new rpm on the system, assuming that I have root access to the remote machine. When I tried to search install.log, which is in the /root directory, I found it is created only when the distribution is installed and thereby not updated. Where is the path of the rpm database (gdbm) files that rpm maintains, and how do I read them (what could be the keys to read the gdbm files), generate reports from them, and send a mail to root or a group mail?
Regards, Nikhil. °v° /(_)\ ^ ^
Hi, oops, sorry, I later found that rpm does not use gdbm; it uses Berkeley DB and stores the files in /var/lib/rpm
[root@linuxbox123 root]# cd /var/lib/rpm/
[root@linuxbox123 rpm]# ls
Basenames     __db.001  __db.003  Filemd5s  Installtid   Packages  Provideversion  Requirename     Sha1header  Triggername
Conflictname  __db.002  Dirnames  Group     Name         Providename  Pubkeys      Requireversion  Sigmd5
[root@linuxbox123 rpm]# cd Packages
bash: cd: Packages: Not a directory
[root@linuxbox123 rpm]# ls
Basenames     __db.001  __db.003  Filemd5s  Installtid   Packages  Provideversion  Requirename     Sha1header  Triggername
Conflictname  __db.002  Dirnames  Group     Name         Providename  Pubkeys      Requireversion  Sigmd5
[root@linuxbox123 rpm]# file Packages
Packages: Berkeley DB (Hash, version 8, native byte-order)
[root@linuxbox123 rpm]# pwd
/var/lib/rpm
[root@linuxbox123 rpm]#
Can anybody please tell me, if so, what could be the keys to read these files?
On Wed, 29 Dec 2004 19:40:01 +0530, mnikhil m mnikhil.juno@gmail.com wrote:
Hi, now I tried going to /var/log and there I found rpm log files:
[root@linuxbox123 root]# cd /var/log
[root@linuxbox123 log]# ls *rpm*
rpmpkgs  rpmpkgs.1  rpmpkgs.2  rpmpkgs.3  rpmpkgs.4
[root@linuxbox123 log]#
After diffing the files I found the packages that were installed:
[root@linuxbox123 log]# diff rpmpkgs rpmpkgs.4
212d211
< j2re-1.4.0_03-fcs.i386.rpm
324d322
< mutt-1.4.1-4.i386.rpm
[root@linuxbox123 log]#
But my question stands: when did the exact change/installation happen, and what is the significance of the numerical extensions .1, .2, .3 on each of the files? When I tried to diff rpmpkgs and rpmpkgs.1 I found no difference :( (a little confused here..)
[root@linuxbox123 log]# diff rpmpkgs rpmpkgs.1
[root@linuxbox123 log]#
Then I simply did a long listing and found that 'rpmpkgs' is the latest file. Should I assume that or not? (noticing the date)
[root@linuxbox123 log]# ls -l *rpm*
-rw-r--r--    1 root     root        14953 Dec 29 04:03 rpmpkgs
-rw-r--r--    1 root     root        14953 Dec 25 04:02 rpmpkgs.1
-rw-r--r--    1 root     root        14931 Dec 18 04:03 rpmpkgs.2
-rw-r--r--    1 root     root        14931 Dec 11 04:02 rpmpkgs.3
-rw-r--r--    1 root     root        14904 Dec  4 04:02 rpmpkgs.4
So simply diffing them would be the solution.. What do you say, guys???
Regards, Nikhil.
On Wed, 29 Dec 2004 19:58:16 +0530, mnikhil m mnikhil.juno@gmail.com wrote:
On Wednesday 29 December 2004 10:28 am, mnikhil m wrote:
But my question stands as when did the exact change/or installation happen , and what is the significance of numerical extensions .1,.2,.3 in each of the files as I tried to diff
Hi,
Ok, I just found out about /var/log/rpmpkgs. I didn't know this file existed at all. It turns out that this file is placed by a job running via /etc/cron.daily (see the rpm script there). It is basically the output of:
rpm -qa (q for query....a for all)
The files with extensions you see are created by logrotate via:
/etc/logrotate.d/rpm
which basically rotates the file based on the rules specified in the above configuration file.
I haven't thought of a way to keep track of rpms installed by the users...Probably you'll need to create a script which will compare (using diff) the rpmpkgs file with the previous day's one...something like that. And if you want to know WHEN exactly it was installed (hour, minute), that's another thing. You'll have to investigate further (Google etc..).
HTH, Jorge
Yup George :) I came to know that cron does them the other day, when I was traversing through /etc/logrotate.d and /etc/cron.daily.
Hey, I found that the command below will list the diff itself. To report in a more human-readable format: # rpm -qa --last
/var/log/rpmpkgs is created on a daily basis with an rpm listing. It's then rotated weekly. See /etc/cron.daily/rpm and /etc/logrotate.d/rpm. You could customize these reports if you wanted to. To simply see what's changed this week:
# diff /var/log/rpmpkgs /var/log/rpmpkgs.1
On Thu, 30 Dec 2004 00:46:06 -0400, Jorge Fábregas fabregasj@prtc.net wrote:
-- fedora-list mailing list fedora-list@redhat.com To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
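The procedure the two of you have converged on above (a daily rpm -qa snapshot, diffed against the previous one, with rpm -qa --last to recover the install time) is put together below as an added example script. It is not part of the thread and not Fedora's /etc/cron.daily/rpm; the state directory, the root-over-ssh access to the monitored host and the local mail command are assumptions, and the package names in the built-in demo are constructed, not taken from a real system. Two details worth noting: the rpmpkgs entries shown earlier carry an .i386.rpm suffix that rpm -qa --last does not print, so the script takes its own plain rpm -qa snapshot rather than reusing /var/log/rpmpkgs; and rpm -qa --last is a full listing of every package ordered by install time, not a diff, so the script only consults it for the packages the diff has flagged.

```sh
#!/bin/sh
# Added example, not from the thread: watch a host's installed packages by
# diffing successive "rpm -qa" snapshots (what /etc/cron.daily/rpm and
# logrotate do for /var/log/rpmpkgs), and stamp each new package with the
# install time rpm recorded, taken from "rpm -qa --last".
# Assumed (hypothetical): root ssh access to the host, a state directory on
# the monitoring machine, and a local "mail" command for the report.
export LC_ALL=C   # stable sort/comm collation regardless of the caller's locale

# pkg_diff OLD NEW: compare two "rpm -qa"-style listings (one package per
# line, any order). Prints "+ pkg" for packages only in NEW (installed) and
# "- pkg" for packages only in OLD (removed).
pkg_diff() {
    tmp=$(mktemp -d) || return 1
    sort -u "$1" > "$tmp/old"
    sort -u "$2" > "$tmp/new"
    comm -13 "$tmp/old" "$tmp/new" | sed 's/^/+ /'
    comm -23 "$tmp/old" "$tmp/new" | sed 's/^/- /'
    rm -rf "$tmp"
}

# install_time LASTFILE PKG: LASTFILE holds "rpm -qa --last" output, one
# package per line followed by its install date. Prints the date for PKG,
# nothing if rpm has no record of it.
install_time() {
    awk -v p="$2" '$1 == p { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# report OLD NEW LASTFILE: human-readable change report, one line per change.
report() {
    pkg_diff "$1" "$2" | while read -r mark pkg; do
        if [ "$mark" = "+" ]; then
            when=$(install_time "$3" "$pkg")
            echo "installed: $pkg (${when:-install time not recorded})"
        else
            echo "removed:   $pkg"
        fi
    done
}

# watch_host HOST STATEDIR [RECIPIENT]: take a fresh snapshot over ssh, diff it
# against the baseline kept on *this* machine, mail any changes, then roll the
# baseline forward. Keeping the baseline off the monitored box means someone
# who gained root there cannot quietly rewrite the history we compare against
# (they can still lie in the current snapshot, which is why the thread moves
# on to tripwire/rkhunter).
watch_host() {
    host="$1"; dir="$2/$1"; recipient="${3:-root}"
    mkdir -p "$dir"
    ssh "root@$host" 'rpm -qa'        > "$dir/current" || return 1
    ssh "root@$host" 'rpm -qa --last' > "$dir/last"    || return 1
    if [ -f "$dir/baseline" ]; then
        out=$(report "$dir/baseline" "$dir/current" "$dir/last")
        if [ -n "$out" ]; then
            printf '%s\n' "$out" | mail -s "rpm changes on $host" "$recipient"
        fi
    fi
    mv "$dir/current" "$dir/baseline"
}

# demo: run report on constructed sample listings (not real machine data), so
# the script can be exercised without a remote host.
demo() {
    d=$(mktemp -d) || return 1
    printf 'bash-2.05b-38\nmutt-1.4.1-4\nj2re-1.4.0_03-fcs\n' > "$d/yesterday"
    printf 'bash-2.05b-38\nmutt-1.4.1-4\nrkhunter-1.1.9-1\n'  > "$d/today"
    printf '%-40s Thu 30 Dec 2004 11:30:01 AM IST\n' rkhunter-1.1.9-1 >  "$d/last"
    printf '%-40s Wed 29 Dec 2004 03:55:12 AM IST\n' mutt-1.4.1-4     >> "$d/last"
    report "$d/yesterday" "$d/today" "$d/last"
    rm -rf "$d"
}

# usage: rpmwatch.sh HOST STATEDIR [RECIPIENT]   (e.g. from cron.daily on the monitor)
# With no arguments the constructed demo runs instead.
if [ "$#" -ge 2 ]; then
    watch_host "$@"
else
    demo
fi
```

Run from cron.daily on the monitoring machine, once per host. If you would rather have the install time as a number than parse the date --last prints, rpm's own query format gives it directly, e.g. rpm -qa --qf '%{INSTALLTIME} %{NAME}-%{VERSION}-%{RELEASE}\n'.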
Now I am looking at another alternative, http://www.tripwire.org/, as someone informed me that the rpm database can be spoofed.
On Thu, 30 Dec 2004 11:18:26 +0530, mnikhil m mnikhil.juno@gmail.com wrote:
On Thursday 30 December 2004 1:49 am, mnikhil m wrote:
Now I am looking at other alternative http://www.tripwire.org/ as someone informed me that the rpm database can be spoofed.
I use rkhunter. Take a look at:
http://www.rootkit.nl/projects/rootkit_hunter.html
Great, man :) In that case, can you also please point me to the docs for this, how to set it up, a howto.... :)
On Thu, 30 Dec 2004 01:57:29 -0400, Jorge Fábregas fabregasj@prtc.net wrote:
I use rkhunter. Take a look at:
http://www.rootkit.nl/projects/rootkit_hunter.html
mnikhil m wrote:
On Thu, 30 Dec 2004 01:57:29 -0400, Jorge Fábregas fabregasj@prtc.net wrote:
I use rkhunter. Take a look at:
Download and go. It also installs a .daily cron. Oh, it must be installed as root.
So far, no bad guys.
James McKenzie
On Wed, 29 Dec 2004, mnikhil m wrote:
You may want to look into Dconf
http://dag.wieers.com/home-made/dconf/
and change the default config file to only include the RPM database output (if that is all you're interested in).
Kind regards, -- dag wieers, dag@wieers.com, http://dag.wieers.com/ -- [all I want is a warm bed and a kind word and unlimited power]