You have installed some RPM packages, perhaps long ago, and want to check whether any files have changed since the installation.
If your system uses RPM packages for installing software, this command conveniently compares the installed files against the RPM database. It notices changes in file size, ownership, timestamp, MD5 checksum, and other attributes.
The output is a list of (possibly) problematic files, one per line, each preceded by a string of characters with special meaning. For example:
$ rpm -Va SM5....T c /etc/syslog.conf .M...... /var/lib/games/trojka.scores missing /usr/lib/perl5/5.6.0/Net/Ping.pm ..?..... /usr/X11R6/bin/XFree86 .....U.. /dev/audio S.5....T /bin/ls
The first line indicates that syslog.conf has an unexpected size (S), permissions (M), checksum (5), and timestamp (T). This is perhaps not surprising, since syslog.conf is a configuration file you’d be likely to change after installation. In fact, that is exactly what the “c” means: a configuration file. Similarly, troijka.scores is a game score file likely to change. The file Ping.pm has apparently been removed, and XFree86 could not be checked (?) because we didn’t run rpm as root. The last two files definitely deserve investigation: /dev/audio has a new owner (U), and /bin/ls has been modified.
This technique is valid only if your RPM database and rpm command have not been compromised by an attacker. Also, it checks only those files installed from RPMs.
Get Linux Security Cookbook now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.