{"description": "Without cryptographic integrity protections, system executables and files can be altered by\nunauthorized users without detection. The RPM package management system can verify the hashes\nof the files it installed, including many that are important to system security.\n\nTo verify that the cryptographic hash of system files and commands matches vendor values, run\nthe following command to list which files on the system have hashes that differ from what is\nexpected by the RPM database:\n<pre>$ rpm -Va --noconfig | grep '^..5'</pre>\n\nA 5 in the third position of the attribute field marks a file whose digest differs from the one\nrecorded in the RPM database at installation; --noconfig skips configuration files, which are\nexpected to change.\n\nIf the file was not expected to change, investigate the cause of the change using audit logs\nor other means. The package can then be reinstalled to restore the file. Run the following\ncommand to determine which package owns the file:\n<pre>$ rpm -qf <i>FILENAME</i></pre>\n\nThe package can be reinstalled from an APT repository using the command:\n<pre>$ sudo apt-get reinstall <i>PACKAGENAME</i></pre>\n\nAlternatively, the package can be reinstalled from trusted media using the command:\n<pre>$ sudo rpm -Uvh <i>PATH_TO_RPM</i></pre>", "rationale": "The hashes of important files like system executables should match the\ninformation given by the RPM database. 
Executables whose hashes do not match could\nbe a sign of nefarious activity on the system.", "severity": "high", "references": {"cis-csc": ["11", "2", "3", "9"], "cjis": ["5.10.4.1"], "cobit5": ["APO01.06", "BAI03.05", "BAI06.01", "BAI10.01", "BAI10.02", "BAI10.03", "BAI10.05", "DSS06.02"], "cui": ["3.3.8", "3.4.1"], "hipaa": ["164.308(a)(1)(ii)(D)", "164.312(b)", "164.312(c)(1)", "164.312(c)(2)", "164.312(e)(2)(i)"], "isa-62443-2009": ["4.3.4.3.2", "4.3.4.3.3", "4.3.4.4.4"], "isa-62443-2013": ["SR 3.1", "SR 3.3", "SR 3.4", "SR 3.8", "SR 7.6"], "iso27001-2013": ["A.11.2.4", "A.12.1.2", "A.12.2.1", "A.12.5.1", "A.12.6.2", "A.14.1.2", "A.14.1.3", "A.14.2.2", "A.14.2.3", "A.14.2.4"], "nist": ["CM-6(d)", "CM-6(c)", "SI-7", "SI-7(1)", "SI-7(6)", "AU-9(3)"], "nist-csf": ["PR.DS-6", "PR.DS-8", "PR.IP-1"], "pcidss": ["Req-11.5"], "srg": ["SRG-OS-000480-GPOS-00227"], "ism": ["1409"], "pcidss4": ["11.5.2"]}, "control_references": {"ism": ["1409"], "pcidss4": ["11.5.2"]}, "components": [], "identifiers": {}, "ocil_clause": "there is output", "ocil": "The following command will list which files on the system have file hashes different from what\nis expected by the RPM database.\n<pre>$ rpm -Va --noconfig | awk '$1 ~ /..5/'</pre>", "oval_external_content": null, "fixtext": "Run the following command to determine which package owns the file:\n\n$ rpm -qf [FILE]\n\nThe package can be reinstalled from a repository using the command:\n\n$ sudo apt-get reinstall [PACKAGE]\n\nAlternatively, the package can be reinstalled from trusted media using the command:\n\n$ sudo rpm -Uvh [PATH TO RPM]", "checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 must be configured so that the cryptographic hash of system files and commands matches vendor values.", "warnings": [{"general": "This rule can take a long time to perform the check and might consume a considerable\namount of resources depending on the number of packages present on the system. 
This is not a\nproblem in most cases, but systems with a large number of installed packages\ncan be affected."}], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs.", "vuldiscussion": "The hashes of important files like system executables should match the\ninformation given by the RPM database. Executables whose hashes do not match could\nbe a sign of nefarious activity on the system.", "checktext": "The following command will list which files on the system\nhave file hashes different from what is expected by the RPM database.\n $ rpm -Va --noconfig | awk '$1 ~ /..5/ && $2 != \"c\"'\n\nIf there is output, then this is a finding.", "fixtext": "Given output from the check command, identify the package that provides the flagged file and reinstall it. The following trimmed example output shows a package that has failed verification, been identified, and been reinstalled:\n\n$ rpm -Va --noconfig | awk '$1 ~ /..5/ && $2 != \"c\"'\nS.5....T.    /usr/bin/znew\n$ sudo dnf provides /usr/bin/znew\n[...]\ngzip-1.10-8.el9.x86_64 : The GNU data compression program\n[...]\n$ sudo dnf reinstall gzip\n[...]\n$ rpm -Va --noconfig | awk '$1 ~ /..5/ && $2 != \"c\"'\n[no output]"}}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["not bootc"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["not_bootc"], "bash_conditional": null, "fixes": {}, "title": "Verify File Hashes with RPM", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/rule.yml", "template": null}
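As an added worked example (this is not part of the SCAP Security Guide rule, its check or its fix text): a POSIX shell script that triages `rpm -Va --noconfig` output the way the check and fix text above do, but offline. It applies the same digest filter as the check (`5` in the third position of the attribute field, config files excluded), expands the attribute field into the names of the failed tests, separates files whose digest could not be checked at all (`?`, usually a permission problem when not running as root) from real mismatches, and maps each flagged file to its owning package with `rpm -qf` only when an `rpm` binary exists. The verification output in `SAMPLE_VERIFY` is constructed for this example and its paths are illustrative; nothing here was captured from a real host. On a host without an RPM database (Ubuntu uses dpkg) the package lookup has nothing to query and the script says so rather than failing.

```sh
#!/bin/sh
# Added example, not the SCAP Security Guide's own code: triage rpm -Va output.
# The attribute field printed by rpm -V is nine characters in the fixed order
# S M 5 D L U G T P; '.' means the test passed, '?' means it could not be run.

# Constructed sample of `rpm -Va --noconfig` output (not from a real system).
# An optional second column gives the file type: c = config, d = documentation,
# g = ghost, l = license, r = readme. Absent means a regular package file.
SAMPLE_VERIFY='S.5....T.    /usr/bin/znew
.......T.    /usr/lib/systemd/system/foo.service
S.5....T.  c /etc/ssh/sshd_config
missing   d /usr/share/doc/gzip/README
..5......    /usr/sbin/sshd
S.?......    /usr/lib64/libsample.so.1'

# Expand a nine-character attribute field into the names of the failed tests,
# e.g. "S.5....T." -> "size,digest,mtime". A '?' is reported as unverified.
decode_flags() {
  printf '%s\n' "$1" | awk '
    BEGIN { split("size mode digest devnum readlink user group mtime caps", name, " ") }
    {
      out = ""
      for (i = 1; i <= length($0); i++) {
        ch = substr($0, i, 1)
        if (ch == ".") continue
        tag = name[i]
        if (ch == "?") tag = tag "(unverified)"
        out = out (out == "" ? "" : ",") tag
      }
      print out
    }'
}

# Paths whose digest differs from the RPM database: '5' in position 3 of the
# attribute field and no 'c' (config) type marker. Lines starting with
# "missing" never match because their first field is the word, not flags.
hash_mismatches() {
  printf '%s\n' "$1" | awk '$1 ~ /^..5/ && $2 != "c" { print $NF }'
}

# Paths whose digest could not be checked at all ('?' in position 3). These are
# not findings yet; rerun rpm -Va as root before trusting a clean result.
unverified_digests() {
  printf '%s\n' "$1" | awk '$1 ~ /^..\?/ { print $NF }'
}

# One line per mismatching file: path, TAB, comma-separated failed tests.
triage() {
  hash_mismatches "$1" | while IFS= read -r path; do
    flags=$(printf '%s\n' "$1" | awk -v p="$path" '$NF == p { print $1; exit }')
    printf '%s\t%s\n' "$path" "$(decode_flags "$flags")"
  done
}

# Map each mismatching file to its owning package, as the fix text's `rpm -qf`
# step does. Without an rpm binary (for example on Ubuntu, which uses dpkg)
# there is no RPM database to query, so the lookup is reported as unavailable.
owning_packages() {
  hash_mismatches "$1" | while IFS= read -r path; do
    if command -v rpm >/dev/null 2>&1; then
      printf '%s\t%s\n' "$path" "$(rpm -qf "$path" 2>/dev/null || echo unknown)"
    else
      printf '%s\t%s\n' "$path" "rpm-not-available"
    fi
  done
}

# Demonstration on the constructed sample.
echo "digest mismatches (investigate, then reinstall the owning package):"
triage "$SAMPLE_VERIFY"
echo "digests that could not be verified (rerun as root):"
unverified_digests "$SAMPLE_VERIFY"
echo "owning packages:"
owning_packages "$SAMPLE_VERIFY"
```

Run it as-is to see the sample triaged; on a real RPM-based host replace `SAMPLE_VERIFY` with `$(rpm -Va --noconfig)`. The `?` bucket matters for the check: a run as an unprivileged user can show no `5` lines simply because the digests of root-only files were never computed, which is not the same as a clean result.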