mediumsystemunverified
Ensure cryptographic hashes of system files match vendor values
rpm-file-hash-verify · RHEL ≥ 8 · 1 impl
Description
System files installed by RPM must have cryptographic hashes matching the vendor database (rpm -Va shows no unexpected '5' hash-mismatch on binaries).
Rationale
A changed hash on a packaged binary or library can indicate tampering or a trojaned system file.
Check → Remediate
Checkcommand
# rpm -Va flags file changes; '5' in col-3 = hash mismatch. Ignore config (c)
# and documentation, and missing files. Any hash-mismatch on a non-config
# file is a finding.
bad=$(rpm -Va --nomtime --nosize --nolinkto 2>/dev/null | awk '$1 ~ /^..5/ && $2 != "c" {print}' | head -5)
if [ -n "$bad" ]; then
echo "FAIL: system files with hash mismatch:"; echo "$bad"
exit 1
fi
echo "OK: no unexpected file-hash mismatches"
exit 0
- expected_exit:
- 0
Remediatemanual
- note:
- Investigate each rpm -Va hash mismatch; reinstall the affected package (dnf reinstall <pkg>) after confirming it is not an authorized change.
Framework references
STIG
V-257823 / RHEL-09-214030
NIST 800-53
SI-7CM-6
#rpm#integrity#hash#stig