Installing packages via rpm usually provides a lot of comfort. Simply installing an rpm deploys all files related to that package wherever they need to go across the system. Some packages distribute hundreds of files into different sections of the filesystem, some of them are configuration files, others are binary files. In most cases, all those files are silently managed and updated by rpm(8). Most of the time rpm is not used directly to manage packages, but rather a high-level package manager like yum or dnf is used.
In some cases it is interesting to take a look under the hood to verify the state of a system. The low-level package manager rpm(8) provides functionality to verify the state of installed rpm packages. It can be very useful to verify that no essential files have been modified.
Verify an installed rpm
To verify the state of all files installed with a certain rpm, the rpm(8) command provides the “--verify” parameter.
$ rpm --verify RPM-NAME
The --verify parameter causes rpm to verify all the files of a given package against the specification of the rpm as it was installed/updated. The output of the above command is a list of the files and directories that differ from the rpm specification, together with the way in which each one deviates. A number of deviations are to be expected: configuration files, for example, will usually differ from the files the rpm initially deployed.
Each line starts with a 9-character string representing the results of 9 different comparisons. An explanation of the comparison results can be found in the rpm(8) man page in the “VERIFY OPTIONS” section. Each character represents a different property that is verified by rpm. Comparisons that succeed are represented with “.”.
S  file Size differs
M  Mode differs (includes permissions and file type)
5  digest (formerly MD5 sum) differs
D  Device major/minor number mismatch
L  readlink(2) path mismatch
U  User ownership differs
G  Group ownership differs
T  mTime differs
P  caPabilities differ
The following example shows the output of the verify command for the openssh-server rpm. The only modified file, as expected, is the sshd_config.
$ rpm --verify openssh-server
S.5....T.  c /etc/ssh/sshd_config
As the flags indicate, the file has a different size (“S”), meaning the change altered the size of the file. The “5” indicates a change in the file’s checksum, as the config file was edited. Finally, the “T” indicates a change in the modification time, which corresponds with the edit of the configuration file. The “.” characters between and after the flags show that the other checks succeeded.
The letter “c” after the flags is an attribute marker, “c” being the marker for config files. The complete list of attribute markers can be found in the rpm(8) man page in the “VERIFY OPTIONS” section.
In case of a missing file, the 9-character comparison result is replaced by the string “missing”.
Verify all installed rpms
It is also possible to check all of the rpms that are installed on a system using the “--all” option. Sadly, the output does not indicate which package a reported difference belongs to. Nevertheless this option can be helpful to get an overview of all changes on a system.
$ rpm --verify --all
The above command shows the same list of changes as the example before, but for all the rpms installed on the system. It is possible to disable different aspects of the verification. For example, the “--noconfig” option disables the verification of configuration files. This is a very helpful option, as configuration files are often modified.
The command below retrieves a list of all installed rpms. For each installed rpm, the loop calls “rpm --verify --noconfig” to identify differences, and “wc -l” counts the reported lines. If at least one file differs, the number of changed files and the rpm name are printed to the console.
$ for I in $(rpm -qa); do C=$(rpm --verify --noconfig ${I} | wc -l); if [ ${C} -gt 0 ]; then echo "${C} ${I}"; fi ; done
The output can then be sorted to list the rpms with the most differing files, or reduced to just the rpm names.
The following command shows the changes themselves rather than the number of changed files. It is similar to the command above, but instead of counting the changed files it stores the verify output in a variable and prints the complete output of “rpm --verify” for each affected rpm.
$ for I in $(rpm -qa); do C=$(rpm --verify --noconfig ${I}); if [ "${C}" != "" ]; then echo -e "*** ${I}\n${C}"; fi ; done
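The loops above print raw verify output; for a system-wide review it helps to decode the 9-character result strings and separate expected config edits from changes to binaries and libraries. The following Python triage script is an added example, not part of the original post: it parses lines in the “rpm --verify” format described above and flags missing files and non-config files with a changed size, mode or digest. The sample output and the paths under /usr/bin and /usr/lib64 are constructed for illustration.

```python
import re

# Meaning of each letter in the 9-character result string (rpm(8), VERIFY OPTIONS).
FLAG_MEANINGS = {
    "S": "size differs", "M": "mode differs", "5": "digest differs",
    "D": "device number mismatch", "L": "readlink path mismatch",
    "U": "user ownership differs", "G": "group ownership differs",
    "T": "mtime differs", "P": "capabilities differ",
    "?": "test could not be performed",
}
# Attribute markers printed after the result string (c = %config, d = %doc, ...).
ATTR_MARKERS = {"c": "config", "d": "doc", "g": "ghost", "l": "license", "r": "readme"}

# "missing" or nine result characters, optional attribute marker, then the absolute path.
LINE_RE = re.compile(r"^(missing|\S{9})\s+(?:([cdglr])\s+)?(/.*)$")

# Constructed sample of what 'rpm --verify' prints for a few packages (not real output).
SAMPLE_OUTPUT = """\
S.5....T.  c /etc/ssh/sshd_config
.M.......    /usr/bin/example-tool
S.5....T.    /usr/lib64/libexample.so.1
missing   d /usr/share/doc/example/README
"""

def parse_verify_line(line):
    """Turn one 'rpm --verify' output line into a dict; None if the line is not a file record."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    flags, marker, path = m.groups()
    missing = flags == "missing"
    deviations = [] if missing else [FLAG_MEANINGS.get(c, "unknown") for c in flags if c != "."]
    return {"path": path, "missing": missing, "attr": ATTR_MARKERS.get(marker), "deviations": deviations}

def is_suspicious(record):
    """Config edits are expected; a missing file or a non-config file whose content changed is not."""
    if record["missing"]:
        return True
    if record["attr"] == "config":
        return False
    return any(d in record["deviations"] for d in ("size differs", "digest differs", "mode differs"))

def triage(output):
    """Return the suspicious records, in input order, from a block of verify output."""
    records = (parse_verify_line(l) for l in output.splitlines())
    return [r for r in records if r is not None and is_suspicious(r)]

if __name__ == "__main__":
    for r in triage(SAMPLE_OUTPUT):
        print(r["path"], "missing" if r["missing"] else ", ".join(r["deviations"]))
```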
Read more of my posts on my blog at https://blog.tinned-software.net/.