I am running CentOS 6.3.
I have a tool that monitors md5sum hashes for system binaries, and emails me whenever there is a change. Obviously whenever I run updates to the system via yum, this md5sum check indicates that the hash has changed.
This morning, I woke up to a strange email, finding that /usr/bin/gpg and co have changed:
/usr/bin/gpg: FAILED
/usr/bin/gpg2: FAILED
/usr/bin/gpg-agent: FAILED
/usr/bin/gpgconf: FAILED
/usr/bin/gpg-connect-agent: FAILED
/usr/bin/gpg-error: FAILED
/usr/bin/gpgkey2ssh: FAILED
/usr/bin/gpgsplit: FAILED
/usr/bin/gpgv: FAILED
/usr/bin/gpgv2: FAILED
/sbin/cryptsetup: FAILED
I am now looking for the package(s) that actually contain these binaries so that I can run a yum info on it and perform an md5sum comparison on what's on my system vs. what's currently available in the CentOS repositories I currently use.
There are no cron jobs that run at the time this email was sent, so I'm very perplexed as to how this could happen other than a security breach.
However, on the flip side, this server is very new (~2 weeks old), is fully up-to-date, and over the last 2 days, we have finished putting it into production. An application firewall that sits on top of iptables is in place monitoring logs, failed login attempts, etc., and all services on this machine are operating normally. I'd be extremely surprised if there actually was a breach in security.
I'm not finding anything suspicious in the logs.
So...
- What CentOS package contains the /usr/bin/gpg binaries? Every time I search on Google, I'm inundated with results of people using gpg to check the gpg signatures on other RPMs, so I'm having a hard time drilling down my search.
- Is there any (sane) reason for me to think this server has NOT been breached?
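The package lookup and hash comparison the question asks about, as an added example that is not part of the original post: `rpm -qf` names the owning package and `rpm -V` compares every file of that package against the digests recorded in the RPM database. The triage function below parses `rpm -V` output and keeps only files whose MD5 digest changed or that are missing, skipping config files; the sample output is constructed so the script runs offline, and `gnupg2` as the owner of `/usr/bin/gpg` is an assumption (`rpm -qf` gives the real answer).

```sh
#!/bin/sh
# On the real CentOS 6 host (not run here) the commands are:
#   owner=$(rpm -qf /usr/bin/gpg)      # owning package, e.g. gnupg2 (assumption)
#   rpm -V "$owner"                    # verify its files against the RPM database
#   rpm -qf /sbin/cryptsetup           # same for the other FAILED path

# CONSTRUCTED sample `rpm -V` output, not real output from the poster's host.
# Field 1 is the 9-char flag string (S M 5 D L U G T P; "." = unchanged, "5" =
# MD5 digest differs), then an optional attribute (c = config file), then path.
# "missing" marks a file that is no longer present at all.
SAMPLE_VERIFY='S.5....T.    /usr/bin/gpg
..5......  c /etc/gnupg/gpgconf.conf
.......T.    /usr/share/man/man1/gpg.1.gz
missing     /usr/bin/gpgv'

# rpm_changed_binaries VERIFY_OUTPUT
# Prints one path per line for files whose content digest changed or which are
# missing, excluding config files (a local edit there is expected, a changed
# binary is what a yum update or a compromise would explain).
rpm_changed_binaries() {
    printf '%s\n' "$1" | awk '
        NF >= 2 {
            attr = ""; path = $2
            if (NF == 3) { attr = $2; path = $3 }   # attribute column present
            if (attr == "c") next                    # config file: skip
            if ($1 == "missing") { print path; next }
            if (length($1) == 9 && substr($1, 3, 1) == "5") print path
        }'
}

# Stand-alone run over the constructed sample:
rpm_changed_binaries "$SAMPLE_VERIFY"
```

`rpm -V` trusts the local RPM database, which anything running as root could have rewritten along with the binaries, so for a suspected breach the stronger check is to fetch a fresh copy of the package (`yumdownloader <package>` from yum-utils), confirm its signature with `rpm -Kv`, and compare the digests it lists under `rpm -qp --dump` with `md5sum` of the files on disk.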