Well, I actually enjoyed the original response from John. He is taking the effort to explain instead of complain. He also goes back to the core of matters (ps and netstat are just that, lsof is not). He advises to use a CD as a hash-key-reference and as such is making perfect sense. You rather failed to explain the shortcoming of that approach. If you still feel this is unsatisfactory we would very much appreciate the rationale and the real-life, practical (command-line-options-and-all) alternative to the one proposed.

Kurt Seifried wrote:
The message just indicates that netstat can't determine the name of the process - you are probably fine.
Try cross checking the output of "ps axfu" as root with the output of "netstat -ap", also as root
Or just run lsof and look for the connections =).
netstat will (or should) give you the PIDs even when it can't identify the process by name. "ps axfu" will give you a list of running processes (by name and PID). You can then check the PIDs that netstat can't identify with the list that ps prints out.
To verify an installed package against an RPM, use:
rpm -Vp packagename.rpm
This of course is trivial for an attacker to circumvent; the RPM database is not really protected at all.
Execute this from the directory the rpm package is in (i.e. from /cdrom/suse/a1 or whatever). If nothing is printed out, this indicates that everything is ok.
Ok that's a little better but still an attacker can beat it (replace the rpm binary for example).
Burning updated packages onto CD-R discs is a Really Good Idea. If you do this, you have some assurance that the rpm package you are using to verify the installed files has not been altered.
This is why the packages should all be GnuPG signed. Then as long as no-one tampers with the rpm binary or root's keyring you can keep the binaries at ftp.badcrackerz.org and still easily verify that they haven't been modified.
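
Added example, not part of the thread: a small script that automates the "ps axfu" / "netstat -ap" cross-check described above, run over saved output of both commands. The function names, the "PID/-" column form and the sample captures are assumptions constructed for illustration; as the thread notes, the result is only as trustworthy as the ps and netstat binaries that produced the captures.

```shell
#!/bin/sh
# Added example: cross-check saved "netstat -ap" output against "ps axfu".
# Usage: crosscheck NETSTAT_FILE PS_FILE   (both captured as root)
crosscheck() {
    awk -v psfile="$2" '
        # ps axfu: column 2 is the PID, column 11 starts the command
        # (skip the tree-drawing tokens that the "f" option adds).
        FILENAME == psfile {
            if ($2 !~ /^[0-9]+$/) next
            c = 11
            while (c < NF && ($c == "|" || $c == "\\_")) c++
            seen[$2] = $c
            next
        }
        $1 !~ /^(tcp|udp)/ { next }      # inet socket rows only
        {
            # The PID/Program column is "-" or "PID/name"; its position
            # shifts because udp rows have an empty State column.
            owner = ""
            for (i = 6; i <= NF; i++)
                if ($i == "-" || $i ~ /^[0-9]+\//) { owner = $i; break }
            if (owner == "") next
            if (owner == "-") { print "NOPID", $1, $4; next }
            split(owner, p, "/")
            if (!(p[1] in seen))  print "MISSING", p[1], $1, $4
            else if (p[2] == "-") print "UNNAMED", p[1], $1, $4, seen[p[1]]
        }
    ' "$2" "$1"
}

# Constructed sample captures (not from the thread).
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/netstat.txt" <<'EOF'
Proto Recv-Q Send-Q Local Address   Foreign Address  State    PID/Program name
tcp        0      0 0.0.0.0:22      0.0.0.0:*        LISTEN   412/sshd
tcp        0      0 0.0.0.0:6000    0.0.0.0:*        LISTEN   530/-
tcp        0      0 0.0.0.0:8021    0.0.0.0:*        LISTEN   977/-
udp        0      0 0.0.0.0:111     0.0.0.0:*                 -
EOF
    cat > "$dir/ps.txt" <<'EOF'
USER  PID %CPU %MEM  VSZ  RSS TTY STAT START TIME COMMAND
root    1  0.0  0.1  448   64 ?   S    10:00 0:03 init
root  412  0.0  0.4 2100  900 ?   S    10:01 0:00 /usr/sbin/sshd
root  530  0.1  2.0 9000 4000 ?   S    10:02 0:05 /usr/X11R6/bin/X
EOF
    crosscheck "$dir/netstat.txt" "$dir/ps.txt"
    rm -rf "$dir"
}
demo
```

UNNAMED rows are resolved from the ps listing, MISSING rows are PIDs netstat reports that ps does not show, and NOPID rows are sockets with no owning process reported at all.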