← Rules Catalog
mediumsystemunverified

Ensure cryptographic hashes of system files match vendor values

rpm-file-hash-verify · RHEL ≥ 8 · 1 impl

Description

System files installed by RPM must have cryptographic hashes matching the vendor database (rpm -Va shows no unexpected '5' hash-mismatch on binaries).

Rationale

A changed hash on a packaged binary or library can indicate tampering or a trojaned system file.

Check → Remediate

Checkcommand
# rpm -Va flags file changes; '5' in col-3 = hash mismatch. Ignore config (c)
# and documentation, and missing files. Any hash-mismatch on a non-config
# file is a finding.
bad=$(rpm -Va --nomtime --nosize --nolinkto 2>/dev/null | awk '$1 ~ /^..5/ && $2 != "c" {print}' | head -5)
if [ -n "$bad" ]; then
  echo "FAIL: system files with hash mismatch:"; echo "$bad"
  exit 1
fi
echo "OK: no unexpected file-hash mismatches"
exit 0
expected_exit:
0
Remediatemanual
note:
Investigate each rpm -Va hash mismatch; reinstall the affected package (dnf reinstall <pkg>) after confirming it is not an authorized change.

Framework references

STIG

V-257823 / RHEL-09-214030

NIST 800-53

SI-7CM-6
#rpm#integrity#hash#stig