Cyberithub

How to Check and Log Malicious RPM Installation in 3 Easy Steps

Advertisements

In this article, I will take you through the steps to check and log Malicious RPM Installation in 3 Easy Steps. In Linux, logging is one of the most important functionality which is used to streamline the monitoring of events by maintaining set of log files as record. It is a strong troubleshooting tool which comes first in the picture whenever there is any functionality failure or any error occurs. Analyzing log files is the first thing a developer or an administrator does whenever there is an issue. More about Security Hardening in RHEL.

How to Check and Log Malicious RPM Installation in 3 Easy Steps

How to Check and Log Malicious RPM Installation in 3 Easy Steps

Also Read: How to Install netcat(nc) command on Linux(Ubuntu 18.04/20.04) in 7 Easy Steps

Advertisements

By default Linux provides a centralized repository for storing the log files which can be found in the directory /var/logs and subdirectories. There are log files generated for everything in Linux e.g system, database, kernel, process management, boot etc.  You would find bunch of logs and directories inside this path which may vary from machine to machine depending on the configuration set up.

[root@cyberithub ~]# cd /var/log/
[root@cyberithub log]# ls -lhtr
total 42M
drwxr-xr-x. 2 chrony chrony 4.0K Mar  2  2021 chrony
drwxr-xr-x. 2 root   root   4.0K Jun  2  2021 tuned
drwx------. 2 root   root   4.0K Sep 10 20:17 private
-rw-rw----. 1 root   utmp      0 Sep 10 20:17 btmp
-rw-------. 1 root   root      0 Sep 10 20:18 spooler-20210922
-rw-------. 1 root   root      0 Sep 10 20:18 maillog-20210922
drwxr-xr-x. 2 root   root   4.0K Sep 10 20:21 anaconda
-rw-------. 1 root   root    20K Sep 22 13:24 secure-20210922
-rw-r--r--. 1 root   root   1.6K Sep 22 14:16 hawkey.log-20210922
-rw-------. 1 root   root   6.4K Sep 22 15:01 cron-20210922
-rw-------. 1 root   root    22M Sep 22 15:49 messages-20210922
-rw-------  1 root   root    65K Sep 22 15:50 boot.log-20210922
drwxr-x---. 2 sssd   sssd   4.0K Sep 22 15:50 sssd
-rw-------  1 root   root      0 Sep 22 15:50 spooler
-rw-------  1 root   root      0 Sep 22 15:50 maillog
drwx------. 2 root   root   4.0K Sep 22 22:55 audit
drwx------. 3 root   root   4.0K Nov  2 19:01 samba
drwxr-xr-x  2 root   root   4.0K Feb  2 20:31 supervisor
-rw-r--r--  1 root   root   1.4K Feb  2 22:31 hawkey.log
-rw-r--r--. 1 root   root    66K Feb 22 15:41 dnf.librepo.log
-rw-r--r--. 1 root   root    27K Feb 22 15:41 dnf.rpm.log
-rw-r--r--. 1 root   root   194K Feb 22 15:41 dnf.log
-rw-------. 1 root   root    30K Feb 22 18:23 boot.log
-rw-------  1 root   root   5.3K Feb 22 18:23 cron
-rw-r--r--. 1 root   root    12K Feb 22 18:23 kdump.log
-rw-r-----. 1 root   root    56K Feb 22 18:23 firewalld
-rw-rw-r--. 1 root   utmp    37K Feb 22 18:25 wtmp
-rw-rw-r--. 1 root   utmp   286K Feb 22 18:25 lastlog
-rw-------  1 root   root   5.5K Feb 22 18:25 secure
-rw-------  1 root   root    20M Feb 22 18:25 messages

In Linux, there are system log files and application log files. In this tutorial we will focus on application log files. We will develop a simple application and generate it’s log files. It can be generated in default folder i.e /var/log or we can generated customized log files in different folder. We will generate customized log files in our tutorial.

Advertisements

We will develop a tool which basically will scan the packages installed in our machine and alert for any unwanted packages which might have got installed (mistakenly or as virus) in the log file. Such tools are very crucial to secure and protect our system and applications from any sort of vulnerability. We will require below 3 files to serve our purpose. You can definitely modify the files based on the level of security you want to put to safe guard your applications and system.

 

Step 1: Create whitelist.csv 

This file will be used to store list of installed rpm packages. If any other package is found installed in the system which is not part of the whitelist, it will be consider as vulnerability and an error will be reported. This will be passed as an input file to app.sh script.

Advertisements

Execute “rpm -qa” and store the output in whitelist.csv file like below. It will be a long listed file as it stores all the OS packages as well as application packages.

[root@cyberithub ~]# rpm -qa > whitelist.csv
libsss_nss_idmap-2.4.0-9.el8_4.2.x86_64
gettext-0.19.8.1-17.el8.x86_64
geolite2-city-20180605-1.el8.noarch
firewalld-filesystem-0.8.2-7.el8_4.noarch
fontpackages-filesystem-1.44-22.el8.noarch
systemd-239-45.el8_4.3.x86_64
trousers-0.3.15-1.el8.x86_64
tigervnc-license-1.11.0-6.el8.noarch
libldb-2.2.0-2.el8.x86_64
ncurses-base-6.1-7.20180224.el8.noarch
polkit-0.115-11.el8_4.1.x86_64
iproute-5.9.0-4.el8.x86_64
dnf-data-4.4.2-11.el8.noarch
kernel-modules-4.18.0-305.17.1.el8_4.x86_64
----------------------------------------------------------

 

Step 2: Create log.sh Script 

Next we need to create a log functionality script called log.sh under /root directory. In this script, we are creating a function called log() which we are going to use in our application script called app.sh in next step. Below script will basically check the argument passed with the log function and then add the messages based on message type whether it is ERROR, WARNING and INFO. We will see few of the use cases in below section to understand this further in real time.

Advertisements
[root@cyberithub ~]# vi log.sh
#!/bin/bash

function log(){
 if [[ $1 == "-e" ]]; then
  shift
  msgType="ERROR: "
 fi
 if [[ $1 == "-w" ]]; then
  shift
  msgType="WARNING: "
 fi
 if [[ $1 == "-i" ]]; then
  shift
  msgType="INFO: "
 fi
 if [[ $1 == "-p" ]]; then
  echo "$*"
 fi

 echo -n "`date +"%Y-%m-%dT%H:%M:%S.%6N%:z"`, $msgType " >> $logFile
 echo "$*" >> $logFile

}

Description:-

-e -> To capture error messages
-i ->  To capture info messages
-w -> To capture warning messages
Shift ->  To move the command line argument to one position left
$* -> To capture all the command line arguments passed to the script.

 

Step 3: Create app.sh Script

Functionality of this script is to parse the whitelist.csv file. If any extra installed package is encountered in the machine, it will log the package entry as error in the log file. Next we write the logic for our application and define the log path where log files will get generated. You can enable the debug mode by uncommenting the set -x statement.

We are generating the log files in the folder /var/log/cyberithub/. This path can be changed depending on where we want to store our logs. Create a temporary file /tmp/temp_file which is the requirement for the script execution.

[root@cyberithub ~]# vi app.sh
#!/bin/bash

#set -x
#include log.sh
. /root/log.sh

#Call log function
log

mkdir -p /var/log/cyberithub/
logFile=/var/log/cyberithub/application.log
CSV_FILE=$1
TEMPFILE=/tmp/temp_file


function package_check(){
 rpm -qa > $TEMPFILE
 while read line
 do
   PACKAGE_NAME=`/bin/echo $line | cut -d';' -f 1`
   grep -v "^$PACKAGE_NAME" $TEMPFILE > $TEMPFILE.o
   cp $TEMPFILE.o $TEMPFILE
 done < $CSV_FILE
 if [ -s $TEMPFILE ]
   then
    for i in `cat $TEMPFILE`
   do
    log -e "New Installed Package Found $i..."
   done
 fi

rm -rf $TEMPFILE.o $TEMPFILE
log -w "Info message implementation"
log -w "Warning message implementation"
}

##MAIN
# Check CSV File
if [ ! -f "${CSV_FILE}" ]; then
  log -e "Input file not found"
  exit 1
fi

#Check file type
if [ "${CSV_FILE}" != *.csv  ]; then
  log -e "Input file should be a .csv file"
  exit 1
fi

package_check

We need to change the file permission before executing the script.

[root@cyberithub ~]# chmod 755 *

Now install few extra rpm packages on the machine.

[root@cyberithub ~]# yum install net-tools -y
[root@cyberithub ~]# yum install tcpdump -y
[root@cyberithub ~]# yum install telnet -y

Use case 1: When whitelist.csv is not passed as input

[root@cyberithub ~]# ./app.sh
[root@cyberithub ~]# cd /var/log/cyberithub/
[root@cyberithub cyberithub]# cat application.log
2022-02-22T19:10:12.151834+05:30, ERROR:  Input file not found

 

Use case 2: When wrong file format is passed as input

[root@cyberithub ~]# ./app.sh whitelist
[root@ cyberithub ~]# cd /var/log/cyberithub/
[root@ cyberithub cyberithub]# cat application.log
2022-02-22T19:10:12.151834+05:30, ERROR:  Input file not found
2022-02-22T19:14:23.926123+05:30, ERROR:  Input file should be a .csv file

 

Use case 3: When correct input file is passed

[root@ cyberithub ~]# ./app.sh whitelist.csv
[root@ cyberithub ~]# cd /var/log/cyberithub/
[root@ cyberithub cyberithub]# cat application.log
2022-02-22T19:10:12.151834+05:30, ERROR:  Input file not found
2022-02-22T19:14:23.926123+05:30, ERROR:  Input file should be a .csv file
2022-02-22T19:48:20.905768+05:30, ERROR:  New Installed Package Found telnet-0.17-76.el8.x86_64...
2022-02-22T19:48:20.906775+05:30, ERROR:  New Installed Package Found tcpdump-4.9.3-2.el8.x86_64...
2022-02-22T19:48:20.907791+05:30, ERROR:  New Installed Package Found net-tools-2.0-0.52.20160912git.el8.x86_64...
2022-02-22T19:48:20.909619+05:30, WARNING:  Info message implementation
2022-02-22T19:48:20.910591+05:30, WARNING:  Warning message implementation

Leave a Comment