Cyberithub

How to Perform RPM Hardening in Linux (RHEL/ CentOS/ Rocky Linux)

Advertisements

In this tutorial we will learn about how to harden installed rpms as well as new rpms in Linux machines. Many times due to compromise in System security, attackers tend to install few of the rpm packages to either infect or get hold of the System. This will go unnoticed even by the antivirus we use in our Linux Servers. So to deal with a situation like this, it is always recommended to perform rpm hardening by running a script through cron job which will take care of the valid rpm packages and will also prevent any extra rpm package installation. Check also Security Hardening System Design Guide.

To demonstrate this, here we are going to create two scripts each of which does the following Job:-

Advertisements

rpm.sh ->  This script will match all the installed rpms on the server with a hardening list which is already created and placed on the same server. If it finds any mismatched or extra rpms on the server which are not present in the hardening list, it will delete those extra rpms from the server.

add_rpm.sh -> This script will add new rpms in the hardening list. For example let’s say we have installed two new rpms in our server. So the next time when rpm.sh is executed it will uninstall both of the added rpm since we have not added it in the hardening list. Therefore, we will add the new rpms in the hardening list whenever we install them on the server.

Advertisements

How to Perform RPM Hardening in Linux(RHEL/CentOS/Rocky Linux)

How to Perform RPM Hardening in Linux(RHEL/CentOS/Rocky Linux)

Also Read: How to Setup a Virtual Linux Host Using rkt and Vagrant

Let’s get started with the tutorial. First thing first, we will create the hardening list. To do so, follow below step.

Advertisements

Step 1: Create hardening List

Execute below command to list down all the installed rpm and store it in a .csv file as shown below.

Advertisements
[root@cyberithub ~]# rpm -qa  > rpm.csv
[root@cyberithub ~]# ls
rpm.csv

Modify the list using below command. It will add “;;;;” at the end of each line in the list.

[root@cyberithub ~]# sed -i 's/$/;;;;/' rpm.csv

 

Step 2: Create hardening Script

In the below script, we are creating a function called remove_packages(). This function will check the rpm packages from hardening list rpm.csv and will compare with the current installed rpm to see if there is any mismatch in the rpm packages. If there is, then it will remove all those packages which are not available in the hardening list rpm.csv file. Finally, we are calling this function by using remove_packages as shown below.

You can decide to run this file manually every time or it is much better to create a cron job and run this once on daily basis to verify all the rpm packages.

[root@cyberithub ~]# vi rpm.sh
#!/bin/bash

WHITELIST=/root/rpm.csv
TEMPFILE=/tmp/installed_rpm
ERASED_PACKAGES=/tmp/erase_rpm

function remove_packages ()
{
  rpm -qa > $TEMPFILE
  for i in `cat $WHITELIST`
  do
    PKG_NAME=`/bin/echo $i | cut -d';' -f 1`
    grep -v "^$PKG_NAME" $TEMPFILE > $TEMPFILE.o
    cp $TEMPFILE.o $TEMPFILE
  done
if [ -s $TEMPFILE ]
then
   for i in `cat $TEMPFILE`
do
   printf "%s \n" $i >> $ERASED_PACKAGES
done
   echo -n "remove ( `cat $ERASED_PACKAGES` ) ... "
   rpm -e `cat $ERASED_PACKAGES`
   if [ $? -ne 0 ]
   then
      echo  "failed to `cat $ERASED_PACKAGES`"
   return 1
  fi
fi
}

####MAIN
remove_packages

Install few extra rpm on the server only after rpm.csv is created as shown above.

 

Step 3: Install New RPMs

Next we will Install two new rpms (it can be any number of packages) on the server.

[root@cyberithub ~]# dnf install tcpdump
Last metadata expiration check: 1:28:06 ago on Wed 09 Feb 2022 09:53:31 PM IST.
Dependencies resolved.
==================================================================================================================================
Package                     Architecture               Version                               Repository                     Size
==================================================================================================================================
Installing:
tcpdump                     x86_64                     14:4.9.3-2.el8                        appstream                     452 k

Transaction Summary
==================================================================================================================================
Install  1 Package

Total download size: 452 k
Installed size: 1.1 M
Is this ok [y/N]: y
Downloading Packages:
tcpdump-4.9.3-2.el8.x86_64.rpm                                                                    116 kB/s | 452 kB     00:03
----------------------------------------------------------------------------------------------------------------------------------
Total                                                                                             116 kB/s | 452 kB     00:03

Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing        :                                                                                                          1/1
Running scriptlet: tcpdump-14:4.9.3-2.el8.x86_64                                                                            1/1
Installing       : tcpdump-14:4.9.3-2.el8.x86_64                                                                            1/1
Running scriptlet: tcpdump-14:4.9.3-2.el8.x86_64                                                                            1/1
Verifying        : tcpdump-14:4.9.3-2.el8.x86_64                                                                            1/1

Installed:
tcpdump-14:4.9.3-2.el8.x86_64

Complete!

Then we also need to install vim-enhanced package by using dnf install vim-enhanced command as shown below.

[root@cyberithub ~]#  dnf install vim-enhanced
Last metadata expiration check: 1:30:08 ago on Wed 09 Feb 2022 09:53:31 PM IST.
Dependencies resolved.
==================================================================================================================================
Package                          Architecture             Version                              Repository                   Size
==================================================================================================================================
Installing:
vim-enhanced                     x86_64                   2:8.0.1763-16.el8                    appstream                   1.4 M
Installing dependencies:
gpm-libs                         x86_64                   1.20.7-17.el8                        appstream                    39 k
vim-common                       x86_64                   2:8.0.1763-16.el8                    appstream                   6.3 M
vim-filesystem                   noarch                   2:8.0.1763-16.el8                    appstream                    49 k

Transaction Summary
==================================================================================================================================
Install  4 Packages
Total download size: 7.8 M
Installed size: 30 M
Is this ok [y/N]: y
Downloading Packages:
(1/4): gpm-libs-1.20.7-17.el8.x86_64.rpm                                                           13 kB/s |  39 kB     00:03
(2/4): vim-enhanced-8.0.1763-16.el8.x86_64.rpm                                                    329 kB/s | 1.4 MB     00:04
(3/4): vim-filesystem-8.0.1763-16.el8.noarch.rpm                                                   35 kB/s |  49 kB     00:01
(4/4): vim-common-8.0.1763-16.el8.x86_64.rpm                                                      886 kB/s | 6.3 MB     00:07
----------------------------------------------------------------------------------------------------------------------------------
Total                                                                                             1.1 MB/s | 7.8 MB     00:07
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing        :                                                                                                          1/1
Installing       : vim-filesystem-2:8.0.1763-16.el8.noarch                                                                  1/4
Installing       : vim-common-2:8.0.1763-16.el8.x86_64                                                                      2/4
Installing       : gpm-libs-1.20.7-17.el8.x86_64                                                                            3/4
Running scriptlet: gpm-libs-1.20.7-17.el8.x86_64                                                                            3/4
Installing       : vim-enhanced-2:8.0.1763-16.el8.x86_64                                                                    4/4
Running scriptlet: vim-enhanced-2:8.0.1763-16.el8.x86_64                                                                    4/4
Running scriptlet: vim-common-2:8.0.1763-16.el8.x86_64                                                                      4/4
Verifying        : gpm-libs-1.20.7-17.el8.x86_64                                                                            1/4
Verifying        : vim-common-2:8.0.1763-16.el8.x86_64                                                                      2/4
Verifying        : vim-enhanced-2:8.0.1763-16.el8.x86_64                                                                    3/4
Verifying        : vim-filesystem-2:8.0.1763-16.el8.noarch                                                                  4/4

Installed:
gpm-libs-1.20.7-17.el8.x86_64                vim-common-2:8.0.1763-16.el8.x86_64      vim-enhanced-2:8.0.1763-16.el8.x86_64
vim-filesystem-2:8.0.1763-16.el8.noarch

Complete!

 

Step 4: Execute Script

Before running rpm.sh script, we need to provide executable permission on it by using chmod +x rpm.sh command.

[root@cyberithub ~]# chmod +x rpm.sh

Then we can execute the script by using ./rpm.sh and verify its working.

[root@cyberithub ~]# ./rpm.sh
remove ( vim-filesystem-8.0.1763-16.el8.noarch
tcpdump-4.9.3-2.el8.x86_64
vim-common-8.0.1763-16.el8.x86_64
vim-enhanced-8.0.1763-16.el8.x86_64
gpm-libs-1.20.7-17.el8.x86_64  ) ...

If you observe the output, tcpdump and vim(along with dependent packages) packages has been removed from the server. There will be few more files created at the end of script execution in /tmp folder as shown below.

[root@cyberithub ~]# ll /tmp/
-rw-r--r-- 1 root root 170 Feb  9 23:28 erase_rpm
-rw-r--r-- 1 root root 165 Feb  9 23:28 installed_rpm
-rw-r--r-- 1 root root 165 Feb  9 23:28 installed_rpm.o

erase_rpm -> All deleted packages are stored here.

installed_rpm -> Unmatched packages installed on the server are stored here.

installed_rpm.o ->  Intermediate file during the script execution

 

Step 5: Add New Packages

We now will write and observe the script which will add any new packages in the hardening list that are being installed on the server.

[root@cyberithub ~]# vi add_rpm.sh
#!/bin/bash

HARDENING_FILE=/root/rpm.csv
ADDON_FILE=/root/add_rpm

FULL_RPM=$1

function add_rpm_to_list
{
  ALREADY_EXISTING=`cat ${HARDENING_FILE} | grep -c "^$1;"`
  if [ "${ALREADY_EXISTING}" -eq 0 ]
  then
     echo "$1;;;;" >> ${HARDENING_FILE}
     echo "$1 was added to hardeninglist at `date`" >> ${ADDON_FILE}
  fi
}

####MAIN
BASE_RPM=`basename "${FULL_RPM}"`
RPM=`echo "${BASE_RPM}" | awk -F\- {'print $1'}`
add_rpm_to_list ${RPM}
exit 0

Now provide the execute permission by using chmod +x add_rpm.sh command as shown below.

[root@cyberithub ~]# chmod +x add_rpm.sh

Let’s execute the script now. We will pass the package name as CLI argument to this script.

[root@cyberithub ~]# ./add_rpm.sh tcpdump-4.9.3-1.el8.x86_64.rpm

Now check if the rpm is added in the hardening list or not by using grep tcpdump rpm.csv command as shown below.

[root@cyberithub ~]# grep tcpdump rpm.csv
tcpdump;;;;

It successfully got added in the list. We have created one more file to keep track of all the rpms that gets added in the list.

[root@cyberithub ~]# ls
add_rpm  add_rpm.sh  rpm.csv  rpm.sh
[root@cyberithub ~]# cat add_rpm
tcpdump was added to hardeninglist at Wed Feb  9 23:58:23 IST 2022

Leave a Comment