0

A security audit team has set up a file integrity management solution on some of the Linux servers handled by the company I work with. They are questioning us about some alerts they've got regarding /var/lib/rpm/__db.xxx files being deleted and altered.

I have to give them the reason for these files being changed/deleted. Can someone explain what these files are and why they are frequently changed?

eranga
  • 164
  • 1
  • 11

1 Answer

0

What, yes; why, no. You will have to determine if this is authorized.

Given this is the rpm db, the only reason for changes is installing or upgrading packages. Check when package installs are scheduled. See if the events in yum.log line up with the file auditing. Review login history to see if anyone gained root around that time.

John Mahowald
  • 30,009
  • 1
  • 17
  • 32
  • The server does not have internet connectivity to do any auto updates, nothing in the yum.log. I was wondering if there are any other reasons than installation or upgrading that change these files. – eranga Aug 28 '17 at 06:03
  • If not the usual expected use, it's possible someone is doing something misguided or malicious. But that could be anything, from installing with the `rpm` binary to installing a rootkit. Ask those with admin on the host what they have been doing. Start auditing access to root and to those files. Look for cleanup scripts removing the database files not touched in a while. – John Mahowald Aug 28 '17 at 13:25
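The cross-check the answer describes (line up the FIM events on the rpm database files with yum.log transactions and with root login history) can be scripted so that each alert gets a verdict the audit team can act on. The script below is an added example, not code from the question or the answer. It assumes the FIM alerts have been exported as (timestamp, path, action) rows, that yum.log lines have their usual `Mon DD HH:MM:SS Action: package` shape (yum.log carries no year, so the year is supplied), and that root sessions have been reduced to (user, start, end) tuples, for instance from the output of `last`. All sample data here is constructed.

```python
from datetime import datetime, timedelta

# Constructed FIM alerts: (timestamp, path, action). In practice these would be
# exported from the file integrity monitoring tool.
FIM_EVENTS = [
    ("2017-08-28 06:02:40", "/var/lib/rpm/__db.001", "deleted"),
    ("2017-08-28 06:02:41", "/var/lib/rpm/__db.001", "modified"),
    ("2017-08-28 06:08:00", "/var/lib/rpm/__db.002", "modified"),
    ("2017-08-27 22:15:03", "/var/lib/rpm/__db.003", "deleted"),
]

# Constructed /var/log/yum.log content in its standard format (no year).
YUM_LOG = """\
Aug 28 06:02:35 Updated: bash-4.2.46-28.el7.x86_64
Aug 28 06:02:38 Installed: vim-enhanced-7.4.160-2.el7.x86_64
"""

# Constructed root sessions: (user, login time, logout time), as one would
# derive from `last` / wtmp on the host.
ROOT_SESSIONS = [
    ("root", "2017-08-28 05:58:00", "2017-08-28 06:10:00"),
    ("root", "2017-08-26 09:00:00", "2017-08-26 09:30:00"),
]

MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], start=1)}


def _dt(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def parse_yum_log(text, year):
    """Parse yum.log lines such as 'Aug 28 06:02:35 Updated: pkg'.

    Returns a list of (datetime, action, package). Lines that do not match
    the expected shape are skipped rather than raising.
    """
    transactions = []
    for line in text.splitlines():
        parts = line.split(None, 4)
        if len(parts) < 5:
            continue
        mon, day, clock, action, package = parts
        if mon not in MONTHS or not action.endswith(":"):
            continue
        hh, mm, ss = (int(x) for x in clock.split(":"))
        ts = datetime(year, MONTHS[mon], int(day), hh, mm, ss)
        transactions.append((ts, action.rstrip(":"), package))
    return transactions


def correlate(fim_events, transactions, sessions, window=timedelta(minutes=5)):
    """Give each FIM event a verdict based on the two sources the answer names.

    'package transaction'            a yum.log entry lies within +/- window
    'root session, no transaction'   someone held root but yum.log is silent
    'unexplained'                    neither source accounts for the change
    """
    findings = []
    for ts_text, path, action in fim_events:
        ts = _dt(ts_text)
        nearby = [t for t in transactions if abs(t[0] - ts) <= window]
        active = [s for s in sessions if _dt(s[1]) <= ts <= _dt(s[2])]
        if nearby:
            verdict = "package transaction"
        elif active:
            verdict = "root session, no transaction"
        else:
            verdict = "unexplained"
        findings.append({
            "time": ts, "path": path, "action": action, "verdict": verdict,
            "transactions": ["%s %s" % (a, p) for _, a, p in nearby],
            "sessions": ["%s %s..%s" % s for s in active],
        })
    return findings


def report(findings):
    """Render one line per FIM event for the audit response."""
    lines = []
    for f in findings:
        detail = "; ".join(f["transactions"] + f["sessions"]) or "-"
        lines.append("%s %-24s %-8s %-30s %s" % (
            f["time"], f["path"], f["action"], f["verdict"], detail))
    return lines


if __name__ == "__main__":
    txns = parse_yum_log(YUM_LOG, 2017)
    for line in report(correlate(FIM_EVENTS, txns, ROOT_SESSIONS)):
        print(line)
```

Events that come back as "root session, no transaction" or "unexplained" are the ones to take to the administrators, since a change to the rpm database with nothing in yum.log is exactly the case the answer flags: either a direct `rpm` invocation, a cleanup script, or something unauthorized. The five-minute window is a starting point; widen it if the FIM tool batches its scans.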