Check: RHEL-09-214030
RHEL 9 STIG:
RHEL-09-214030
(in versions v1 r3 through v1 r1)
Title
RHEL 9 must be configured so that the cryptographic hashes of system files match vendor values. (Cat II impact)
Discussion
The hashes of important files like system executables should match the information given by the RPM database. Executables with erroneous hashes could be a sign of nefarious activity on the system.
Check Content
The following command will list which files on the system have file hashes different from what is expected by the RPM database:

    $ rpm -Va --noconfig | awk '$1 ~ /..5/ && $2 != "c"'

If there is output, this is a finding.
Fix Text
Given output from the check command, identify the package that provides the output and reinstall it. The following trimmed example output shows a package that has failed verification, been identified, and been reinstalled:

    $ rpm -Va --noconfig | awk '$1 ~ /..5/ && $2 != "c"'
    S.5....T. /usr/bin/znew
    $ sudo dnf provides /usr/bin/znew
    [...]
    gzip-1.10-8.el9.x86_64 : The GNU data compression program
    [...]
    $ sudo dnf reinstall gzip
    [...]
    $ rpm -Va --noconfig | awk '$1 ~ /..5/ && $2 != "c"'
    [no output]
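The awk filter in the check keys on the third character of the rpm verify attribute string (the "5" digest flag) and skips config files (type column "c"). The following added example, which is not part of the STIG text, applies that same filter to a constructed sample of `rpm -Va --noconfig` output and decodes the full attribute string so an assessor can see which attributes (size, mode, digest, mtime, and so on) differ for each flagged path; the sample lines are made up, not real system output.

```shell
#!/bin/sh
# Constructed sample of `rpm -Va --noconfig` output (not from a real host).
# Format: 9-char attribute string, optional file-type char (c,d,g,l,r), path.
SAMPLE_RPM_VA='S.5....T.    /usr/bin/znew
.M.......    /usr/sbin/foo
S.5....T.  c /etc/issue
missing     /usr/share/doc/bar/README
.......T.    /usr/lib/baz.so
..5......    /usr/bin/qux'

# The exact filter from the STIG check: digest mismatch and not a config file.
stig_filter() {
    awk '$1 ~ /..5/ && $2 != "c"'
}

# Paths the check would report as a finding (last field of each flagged line).
flagged_paths() {
    printf '%s\n' "$SAMPLE_RPM_VA" | stig_filter | awk '{print $NF}'
}

# Decode an rpm verify attribute string (SM5DLUGTP) into the attributes that differ.
explain_flags() {
    flags=$1
    out=""
    i=1
    while [ "$i" -le 9 ]; do
        ch=$(printf '%s' "$flags" | cut -c"$i")
        case $ch in
            S) out="$out size";;   M) out="$out mode";;    5) out="$out digest";;
            D) out="$out device";; L) out="$out link";;    U) out="$out user";;
            G) out="$out group";;  T) out="$out mtime";;   P) out="$out caps";;
        esac
        i=$((i + 1))
    done
    printf '%s\n' "${out# }"
}

# One line per finding: path followed by the decoded attribute differences.
report_flagged() {
    printf '%s\n' "$SAMPLE_RPM_VA" | stig_filter | while read -r attrs path; do
        printf '%s: %s\n' "$path" "$(explain_flags "$attrs")"
    done
}

report_flagged
```

To run it against a live RHEL 9 host instead of the sample, replace the `printf '%s\n' "$SAMPLE_RPM_VA"` pipeline source with `rpm -Va --noconfig`; a digest-only difference on a binary still warrants the `dnf provides` / `dnf reinstall` steps from the fix text.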
Additional Identifiers
Rule ID: SV-257823r925456_rule
Vulnerability ID: V-257823
Group Title: SRG-OS-000480-GPOS-00227
Expert Comments
CCIs
Number | Definition
---|---
CCI-000366 | The organization implements the security configuration settings.
Controls
Number | Title
---|---
CM-6 | Configuration Settings