Currently, to verify package integrity, the command `rpm --verify` is run. In reading the rpm manual (http://ftp.rpm.org/max-rpm/s1-rpm-verify-output.html), there is no indication as to the veracity of the verification process.
It is my understanding solutions such as AIDE and Tripwire expect a known good state and are unable to attest integrity when packages have been updated and/or upgraded.
- What alternatives are there to assure the integrity of packages post installation as well as subsequent updates and upgrades?
- How can corruptions by omission or commission be detected and identified?
- What options are there if a known good state is unknown?