In the event of an intrusion, you can use your RPM database like you
would use tripwire, but only if you can be sure it too hasn't been
modified. You should copy the RPM database to a floppy, and keep this
copy off-line at all times. The Debian distribution likely has
something similar.
The files /var/lib/rpm/fileindex.rpm and /var/lib/rpm/packages.rpm
most likely won't fit on a single floppy. But if compressed, each
should fit on a separate floppy.
Now, when your system is compromised, you can use the command:
root# rpm -Va
to verify each file on the system. See the rpm man page, as there are
a few other options that can be included to make it less verbose.
Keep in mind you must also be sure your RPM binary has not been
compromised.
This means that every time a new RPM is added to the system, the RPM
database will need to be rearchived. You will have to weigh the
advantages against the drawbacks.
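As an added example (not part of the original text), this filter reduces `rpm -Va` output to the lines worth checking first after an intrusion: missing files, and non-config files whose digest, mode, owner or group no longer match the database. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage `rpm -Va` output after a suspected intrusion.

# Constructed sample of `rpm -Va` output (not taken from a real system).
sample_rpm_va() {
    cat <<'EOF'
S.5....T.    /bin/login
S.5....T.  c /etc/inetd.conf
missing      /usr/bin/top
.M...UG..    /bin/su
.......T.    /usr/lib/libfoo.so
Unsatisfied dependencies for foo-1.0: libbar
.......T.  d /usr/doc/foo/README
EOF
}

# Reads `rpm -Va` output on stdin, writes "REASON<TAB>path" per suspicious file.
triage_rpm_verify() {
    awk '
    {
        flags = $1; type = ""; start = 2
        # Optional one-letter marker: c config, d doc, g ghost, l license, r readme
        if (NF >= 3 && $2 ~ /^[cdglr]$/) { type = $2; start = 3 }
        path = $start
        for (i = start + 1; i <= NF; i++) path = path " " $i

        # A file the database lists but the disk lacks is always reported
        if (flags == "missing") { print "MISSING\t" path; next }
        # Ignore lines that are not an 8- or 9-character attribute string
        if (length(flags) < 8 || length(flags) > 9) next
        if (flags !~ /^[.?SM5DLUGTP]+$/) next
        # Config, doc and ghost files drift in normal use; review them separately
        if (type == "c" || type == "d" || type == "g") next

        reason = ""
        if (index(flags, "5")) reason = reason "DIGEST,"   # file contents differ
        if (index(flags, "M")) reason = reason "MODE,"     # permissions or type
        if (index(flags, "U")) reason = reason "OWNER,"
        if (index(flags, "G")) reason = reason "GROUP,"
        if (reason != "") { sub(/,$/, "", reason); print reason "\t" path }
    }'
}

sample_rpm_va | triage_rpm_verify
```

On a real system, pipe `rpm -Va --dbpath DIR` into `triage_rpm_verify`, where DIR is wherever the off-line copy of the database was restored, and run it with an rpm binary you trust.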