1.15. Verifying RPM-Installed Files

Problem

You have installed some RPM packages, perhaps long ago, and want to check whether any files have changed since the installation.

Solution

# rpm -Va [packages]

Debian Linux has a similar tool called debsums .

Discussion

If your system uses RPM packages for installing software, this command conveniently compares the installed files against the RPM database. It notices changes in file size, ownership, timestamp, MD5 checksum, and other attributes.

The output is a list of (possibly) problematic files, one per line, each preceded by a string of characters with special meaning. For example:

$ rpm -Va
SM5....T c /etc/syslog.conf
.M......   /var/lib/games/trojka.scores
missing    /usr/lib/perl5/5.6.0/Net/Ping.pm
..?.....   /usr/X11R6/bin/XFree86
.....U..   /dev/audio
S.5....T   /bin/ls

The first line indicates that syslog.conf has an unexpected size (S), permissions (M), checksum (5), and timestamp (T). This is perhaps not surprising, since syslog.conf is a configuration file you’d be likely to change after installation. In fact, that is exactly what the “c” means: a configuration file. Similarly, troijka.scores is a game score file likely to change. The file Ping.pm has apparently been removed, and XFree86 could not be checked (?) because we didn’t run rpm as root. The last two files definitely deserve investigation: /dev/audio has a new owner (U), and /bin/ls has been modified.

This technique is valid only if your RPM database and rpm command have not been compromised by an attacker. Also, it checks only those files installed from RPMs.

See Also

rpm(8) lists the full set of file attributes checked.

Get Linux Security Cookbook now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.