Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-257823 | RHEL-09-214030 | SV-257823r991589_rule | Medium |
Description |
---|
The hashes of important files like system executables should match the information given by the RPM database. Executables with erroneous hashes could be a sign of nefarious activity on the system. |
STIG | Date |
---|---|
Red Hat Enterprise Linux 9 Security Technical Implementation Guide | 2024-06-04 |
Check Text ( C-61564r925454_chk ) |
---|
The following command will list which files on the system have file hashes different from what is expected by the RPM database: $ rpm -Va --noconfig | awk '$1 ~ /..5/ && $2 != "c"' If there is output, this is a finding. |
Fix Text (F-61488r925455_fix) |
---|
Given output from the check command, identify the package that provides the output and reinstall it. The following trimmed example output shows a package that has failed verification, been identified, and been reinstalled: $ rpm -Va --noconfig | awk '$1 ~ /..5/ && $2 != "c"' S.5....T. /usr/bin/znew $ sudo dnf provides /usr/bin/znew [...] gzip-1.10-8.el9.x86_64 : The GNU data compression program [...] $ sudo dnf reinstall gzip [...] $ rpm -Va --noconfig | awk '$1 ~ /..5/ && $2 != "c"' [no output] |