In this tutorial we will learn how to harden the rpms installed on a Linux machine, and how to handle new rpms as they are added. When a system is compromised, attackers often install a few rpm packages of their own, either to infect the system further or to keep hold of it, and this can go unnoticed even by the antivirus running on our Linux servers. To deal with this situation it is recommended to perform rpm hardening: a script run from a cron job keeps the set of valid rpm packages and removes any extra rpm package that was installed outside of it. Check also Security Hardening System Design Guide.
To demonstrate this, we are going to create two scripts, each of which does the following job:
rpm.sh -> This script matches all the rpms installed on the server against a hardening list that has already been created and placed on the same server. If it finds any mismatched or extra rpms on the server that are not present in the hardening list, it deletes those extra rpms from the server.
add_rpm.sh -> This script adds new rpms to the hardening list. For example, let's say we have installed two new rpms on our server. The next time rpm.sh runs it will uninstall both of the added rpms, since we have not added them to the hardening list. Therefore we add new rpms to the hardening list whenever we install them on the server.
How to Perform RPM Hardening in Linux (RHEL/CentOS/Rocky Linux)
Let's get started with the tutorial. First things first, we will create the hardening list. To do so, follow the step below.
Step 1: Create hardening List
Execute the command below to list all the installed rpms and store them in a .csv file, as shown below.
[root@cyberithub ~]# rpm -qa > rpm.csv
[root@cyberithub ~]# ls
rpm.csv
Modify the list using the command below. It appends ";;;;" to the end of each line in the list.
[root@cyberithub ~]# sed -i 's/$/;;;;/' rpm.csv
Step 2: Create hardening Script
In the script below, we create a function called remove_packages(). This function reads the rpm packages from the hardening list rpm.csv and compares them with the currently installed rpms to see whether there is any mismatch. If there is, it removes every package that is not present in the hardening list rpm.csv. Finally, we call this function with remove_packages as shown below.
You can run this script manually each time, but it is much better to create a cron job that runs it once a day to verify all the rpm packages.
[root@cyberithub ~]# vi rpm.sh
#!/bin/bash
# rpm.sh - remove every installed rpm that is not listed in the hardening list.
WHITELIST=/root/rpm.csv
TEMPFILE=/tmp/installed_rpm
ERASED_PACKAGES=/tmp/erase_rpm

function remove_packages ()
{
    # Take a fresh snapshot of the installed packages and start with an empty
    # erase list, so packages removed on an earlier run are not passed to
    # rpm -e again.
    rpm -qa > "$TEMPFILE"
    : > "$ERASED_PACKAGES"

    # Drop every whitelisted package from the snapshot. An entry is either a
    # full name-version-release.arch string (as written by rpm -qa) or a bare
    # package name (as written by add_rpm.sh). Match it as a whole line, not as
    # a prefix, so that an entry "vim" does not also cover "vim-enhanced".
    # Blank lines are skipped: an empty pattern would match, and drop, every line.
    while IFS= read -r line
    do
        PKG_NAME=${line%%;*}
        [ -n "$PKG_NAME" ] || continue
        grep -v -e "^${PKG_NAME}$" -e "^${PKG_NAME}-[^-]*-[^-]*$" "$TEMPFILE" > "$TEMPFILE.o"
        cp "$TEMPFILE.o" "$TEMPFILE"
    done < "$WHITELIST"

    # Whatever is left is not in the hardening list: record it, then erase it.
    if [ -s "$TEMPFILE" ]
    then
        cp "$TEMPFILE" "$ERASED_PACKAGES"
        echo -n "remove ( $(cat "$ERASED_PACKAGES") ) ... "
        rpm -e $(cat "$ERASED_PACKAGES")
        if [ $? -ne 0 ]
        then
            echo "failed to remove $(cat "$ERASED_PACKAGES")"
            return 1
        fi
    fi
}

####MAIN
remove_packages
Install a few extra rpms on the server only after rpm.csv has been created as shown above; otherwise they end up in the list themselves.
Step 3: Install New RPMs
Next we will install two new rpms (it can be any number of packages) on the server.
[root@cyberithub ~]# dnf install tcpdump
Last metadata expiration check: 1:28:06 ago on Wed 09 Feb 2022 09:53:31 PM IST.
Dependencies resolved.
==================================================================================================================================
Package Architecture Version Repository Size
==================================================================================================================================
Installing:
tcpdump x86_64 14:4.9.3-2.el8 appstream 452 k
Transaction Summary
==================================================================================================================================
Install 1 Package
Total download size: 452 k
Installed size: 1.1 M
Is this ok [y/N]: y
Downloading Packages:
tcpdump-4.9.3-2.el8.x86_64.rpm 116 kB/s | 452 kB 00:03
----------------------------------------------------------------------------------------------------------------------------------
Total 116 kB/s | 452 kB 00:03
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Running scriptlet: tcpdump-14:4.9.3-2.el8.x86_64 1/1
Installing : tcpdump-14:4.9.3-2.el8.x86_64 1/1
Running scriptlet: tcpdump-14:4.9.3-2.el8.x86_64 1/1
Verifying : tcpdump-14:4.9.3-2.el8.x86_64 1/1
Installed:
tcpdump-14:4.9.3-2.el8.x86_64
Complete!
Then we also install the vim-enhanced package with the dnf install vim-enhanced command, as shown below.
[root@cyberithub ~]# dnf install vim-enhanced
Last metadata expiration check: 1:30:08 ago on Wed 09 Feb 2022 09:53:31 PM IST.
Dependencies resolved.
==================================================================================================================================
Package Architecture Version Repository Size
==================================================================================================================================
Installing:
vim-enhanced x86_64 2:8.0.1763-16.el8 appstream 1.4 M
Installing dependencies:
gpm-libs x86_64 1.20.7-17.el8 appstream 39 k
vim-common x86_64 2:8.0.1763-16.el8 appstream 6.3 M
vim-filesystem noarch 2:8.0.1763-16.el8 appstream 49 k
Transaction Summary
==================================================================================================================================
Install 4 Packages
Total download size: 7.8 M
Installed size: 30 M
Is this ok [y/N]: y
Downloading Packages:
(1/4): gpm-libs-1.20.7-17.el8.x86_64.rpm 13 kB/s | 39 kB 00:03
(2/4): vim-enhanced-8.0.1763-16.el8.x86_64.rpm 329 kB/s | 1.4 MB 00:04
(3/4): vim-filesystem-8.0.1763-16.el8.noarch.rpm 35 kB/s | 49 kB 00:01
(4/4): vim-common-8.0.1763-16.el8.x86_64.rpm 886 kB/s | 6.3 MB 00:07
----------------------------------------------------------------------------------------------------------------------------------
Total 1.1 MB/s | 7.8 MB 00:07
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Installing : vim-filesystem-2:8.0.1763-16.el8.noarch 1/4
Installing : vim-common-2:8.0.1763-16.el8.x86_64 2/4
Installing : gpm-libs-1.20.7-17.el8.x86_64 3/4
Running scriptlet: gpm-libs-1.20.7-17.el8.x86_64 3/4
Installing : vim-enhanced-2:8.0.1763-16.el8.x86_64 4/4
Running scriptlet: vim-enhanced-2:8.0.1763-16.el8.x86_64 4/4
Running scriptlet: vim-common-2:8.0.1763-16.el8.x86_64 4/4
Verifying : gpm-libs-1.20.7-17.el8.x86_64 1/4
Verifying : vim-common-2:8.0.1763-16.el8.x86_64 2/4
Verifying : vim-enhanced-2:8.0.1763-16.el8.x86_64 3/4
Verifying : vim-filesystem-2:8.0.1763-16.el8.noarch 4/4
Installed:
gpm-libs-1.20.7-17.el8.x86_64 vim-common-2:8.0.1763-16.el8.x86_64 vim-enhanced-2:8.0.1763-16.el8.x86_64
vim-filesystem-2:8.0.1763-16.el8.noarch
Complete!
Step 4: Execute Script
Before running the rpm.sh script, we need to make it executable with the chmod +x rpm.sh command.
[root@cyberithub ~]# chmod +x rpm.sh
Then we can execute the script with ./rpm.sh and verify that it works.
[root@cyberithub ~]# ./rpm.sh
remove ( vim-filesystem-8.0.1763-16.el8.noarch
tcpdump-4.9.3-2.el8.x86_64
vim-common-8.0.1763-16.el8.x86_64
vim-enhanced-8.0.1763-16.el8.x86_64
gpm-libs-1.20.7-17.el8.x86_64 ) ...
If you observe the output, the tcpdump and vim packages (along with their dependent packages) have been removed from the server. The script also leaves a few files behind in the /tmp folder, as shown below.
[root@cyberithub ~]# ll /tmp/
-rw-r--r-- 1 root root 170 Feb 9 23:28 erase_rpm
-rw-r--r-- 1 root root 165 Feb 9 23:28 installed_rpm
-rw-r--r-- 1 root root 165 Feb 9 23:28 installed_rpm.o
erase_rpm -> All deleted packages are recorded here.
installed_rpm -> Installed packages that were not found in the hardening list are stored here.
installed_rpm.o -> Intermediate file used during the script execution.
Step 5: Add New Packages
Now we will write and observe the script that adds any newly installed packages to the hardening list.
[root@cyberithub ~]# vi add_rpm.sh
#!/bin/bash
# add_rpm.sh - add a package to the hardening list so that rpm.sh keeps it.
HARDENING_FILE=/root/rpm.csv
ADDON_FILE=/root/add_rpm
FULL_RPM=$1

function add_rpm_to_list
{
    # Append the package name only if there is no entry for it yet.
    ALREADY_EXISTING=$(grep -c "^$1;" "${HARDENING_FILE}")
    if [ "${ALREADY_EXISTING}" -eq 0 ]
    then
        echo "$1;;;;" >> "${HARDENING_FILE}"
        echo "$1 was added to hardeninglist at $(date)" >> "${ADDON_FILE}"
    fi
}

####MAIN
if [ -z "${FULL_RPM}" ]
then
    echo "usage: $0 <package>[-version-release.arch[.rpm]]"
    exit 1
fi
BASE_RPM=$(basename "${FULL_RPM}")
# The package name is everything before the version and release fields. Those
# two fields never contain '-', so strip the last two '-' separated fields (and
# a trailing .rpm); cutting at the first '-' would turn vim-enhanced into vim.
RPM=$(echo "${BASE_RPM}" | sed -E 's/\.rpm$//; s/-[^-]*-[^-]*$//')
add_rpm_to_list "${RPM}"
exit 0
Now make it executable with the chmod +x add_rpm.sh command, as shown below.
[root@cyberithub ~]# chmod +x add_rpm.sh
Let's execute the script now. We pass the package name as a CLI argument to this script.
[root@cyberithub ~]# ./add_rpm.sh tcpdump-4.9.3-1.el8.x86_64.rpm
Now check whether the rpm has been added to the hardening list with the grep tcpdump rpm.csv command, as shown below.
[root@cyberithub ~]# grep tcpdump rpm.csv
tcpdump;;;;
It was successfully added to the list. We have also created one more file to keep track of all the rpms that get added to the list.
[root@cyberithub ~]# ls
add_rpm  add_rpm.sh  rpm.csv  rpm.sh
[root@cyberithub ~]# cat add_rpm
tcpdump was added to hardeninglist at Wed Feb 9 23:58:23 IST 2022