monitor remote rpm database

Ed Wilts ewilts at ewilts.org
Wed Dec 29 15:04:28 UTC 2004


On Wed, Dec 29, 2004 at 08:18:41PM +0530, Mulley, Nikhil wrote:
> But how it can be spoofed , as  I see that no user has write
> permissions on /var/lib/rpm Hmmmm. I know you are taking about local
> sudo users who can have anything with the system ...  but what is the
> necessary change that you would suggest at /etc/sudoers file so that
> no one except genuine root has write permissions on to these files 

If you don't trust the users, the sudoers file should not allow the
users to get a root shell - they should be restricted to very specific
procedures that you have audited to make sure they can't do anything
they're not supposed to do.

If you're after security auditing, the rpm database is not the right
place.  If your system has been penetrated and a bad guy has taken over
your system, the rpm database is likely one of the priorities for hiding
his/her tracks.

If you really need a security audit as to what changes have happened on
the system, look at something like tripwire instead.  If rpm database
listings are good enough, then rpm is certainly much simpler to work
with.

-- 
Ed Wilts, RHCE
Mounds View, MN, USA
mailto:ewilts at ewilts.org
Member #1, Red Hat Community Ambassador Program




More information about the redhat-list mailing list