1

integrity check on kernel for security

asked 2017-10-22 12:17:01 -0600

MysticDoor

Hi, I want to check the integrity of some packages... for example kernel-core. As far as I know, the kernel /boot/vmlinuz-4.11.8-300.fc26.x86_64 is a part of kernel-core:

[root@mypc ~]# rpm -ql kernel-core|grep -i boot
/boot/.vmlinuz-4.11.8-300.fc26.x86_64.hmac
/boot/System.map-4.11.8-300.fc26.x86_64
/boot/config-4.11.8-300.fc26.x86_64
/boot/initramfs-4.11.8-300.fc26.x86_64.img
/boot/vmlinuz-4.11.8-300.fc26.x86_64

Then with the command rpm -V -v kernel-core I should check the integrity of the full kernel. But:

[root@mypc ~]# rpm -V -v kernel-core|grep -i boot
[root@mypc ~]#

Could anyone explain to me why this is?

2 Answers

2

answered 2017-10-22 12:45:10 -0600

villykruse

updated 2017-10-23 00:30:35 -0600

For some reason, these files are marked as %ghost in the rpm .spec file, which means that rpm -V does not check these files. What you can do is:

rpm -ql --dump kernel-core | grep boot

Notice the long string of hexadecimal numbers in the fourth field. This is the sha256sum for each file. You can then compare that with the output of

sha256sum /boot/vmlinuz* /boot/config* /boot/System.map*

The initramfs is almost always recreated after installation, and would therefore not match.

Why the files are %ghost I have no idea.

Edit:

Actually, the real boot files are also found in

 /lib/modules/*/System.map
 /lib/modules/*/config
 /lib/modules/*/vmlinuz
 /lib/modules/*/.vmlinuz.hmac
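The comparison described in this answer, scripted as an added example (not part of the original post): it reads `rpm -ql --dump` lines, takes the digest from the fourth field and checks it against `sha256sum` of the file on disk. The function name `verify_dump` is hypothetical, and the script assumes SHA-256 file digests and paths without spaces.

```sh
#!/bin/sh
# Added example: compare digests recorded in the RPM database with files on disk.
# Input (stdin): lines from `rpm -ql --dump PACKAGE`, whose fields are
#   path size mtime digest mode owner group isconfig isdoc rdev symlink
# Argument: optional path prefix to restrict the check (default: /).
# Assumptions: SHA-256 digests (64 hex characters), no spaces in paths.
verify_dump() {
    prefix="${1:-/}"
    rc=0
    while read -r path size mtime digest rest; do
        # Only look at entries under the requested prefix.
        case "$path" in "$prefix"*) ;; *) continue ;; esac
        # Skip entries without a usable digest: directories and symlinks
        # are listed with an all-zero digest.
        case "$digest" in ""|*[!0-9a-f]*) continue ;; esac
        [ "${#digest}" -eq 64 ] || continue
        case "$digest" in *[1-9a-f]*) ;; *) continue ;; esac
        if [ ! -f "$path" ] || [ ! -r "$path" ]; then
            echo "MISSING  $path"
            rc=1
            continue
        fi
        actual=$(sha256sum -- "$path")
        actual=${actual%% *}            # keep only the hash column
        if [ "$actual" = "$digest" ]; then
            echo "OK       $path"
        else
            echo "MISMATCH $path"
            rc=1
        fi
    done
    return "$rc"
}

# Usage on an installed system:
#   rpm -ql --dump kernel-core | verify_dump /boot/
# The initramfs is regenerated after installation, so a MISMATCH on it is expected.
```

The exit status is non-zero if any checked file is missing or differs. Both the recorded digests and the tools doing the comparison live on the same system, so a result obtained on a machine that may already be compromised is only as trustworthy as that machine.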
0

answered 2017-10-22 13:21:47 -0600

MysticDoor

OK, it works... but there is a strange thing. I have downloaded the original kernel-core rpm, but when I extract the rpm with rpm2cpio package | cpio -idvm I can't find the kernel files... I mean all the files that should be installed in /boot...

Comments

1

Interesting. It turns out that the boot files are also found here.

/lib/modules/*/System.map
 /lib/modules/*/config
 /lib/modules/*/vmlinuz
 /lib/modules/*/.vmlinuz.hmac

By the way, your answer should really have been a comment.

villykruse (2017-10-23 00:10:28 -0600)

Wow! I am very surprised... so that means the files are copied from /lib/modules/blah to /boot. Well, one last question: how can I check the security of the initramfs? I mean, IMHO that file is the perfect place to hide a kernel rootkit or an evil module. So to check the security, do I need to unpack it and check the hash of every module?

MysticDoor (2017-10-23 15:40:26 -0600)
2

That is where UEFI secure boot comes in and checks the bootloader, the kernel, and all kernel modules at boot time.

villykruse (2017-10-24 00:54:19 -0600)

Thank you very much! I learned a lot!

MysticDoor (2017-10-24 15:11:20 -0600)