Hi All,

Continuing on with the series, this article looks at some of the powerful tooling available with the Linux 'rpm' command.

RPM, the Red Hat Package Manager, is a lower-level tool (compared to 'yum') that allows you to examine the packages installed on a Linux system.

The main use in terms of Linux patching is to extract information about installed packages to help with troubleshooting.

rpm querying


rpm provides some useful querying functionality.

This includes :

rpm -qa <package name>  -  lists the installed package matching the name, as name-version-release.arch

rpm -qc <package name>  -  lists the config files associated with a package (really cool!)

rpm -qf <file name>     -  lists the owning package for a file

Let's look at some examples :

rpm -qa is like a (very) cut down version of : 'yum info' - but could be very useful in scripting situations ...

[root@server-to-be-patched yum.repos.d]# rpm -qa ntp
ntp-4.2.6p5-15.0.1.el6_10.x86_64


[root@server-to-be-patched yum.repos.d]# yum info ntp
Loaded plugins: security, ulninfo, versionlock
Installed Packages
Name        : ntp
Arch        : x86_64
Version     : 4.2.6p5
Release     : 15.0.1.el6_10
Size        : 1.6 M
Repo        : installed
From repo   : patching_ol6_latest
Summary     : The NTP daemon and utilities
URL         : http://www.ntp.org
License     : (MIT and BSD and BSD with advertising) and GPLv2
Description : The Network Time Protocol (NTP) is used to synchronize a computer's
            : time with another reference time source. This package includes ntpd
            : (a daemon which continuously adjusts system time) and utilities used
            : to query and configure the ntpd daemon.
            :
            : Perl scripts ntp-wait and ntptrace are in the ntp-perl package and
            : the ntpdate program is in the ntpdate package. The documentation is
            : in the ntp-doc package.

More powerful is : rpm -qc, which is used to list the configuration files etc. associated with a package - very cool!

Some examples :

[root@server-to-be-patched yum.repos.d]# rpm -qc ntp
/etc/ntp.conf
/etc/ntp/crypto/pw
/etc/sysconfig/ntpd
   
[root@server-to-be-patched yum.repos.d]# rpm -qc wget
/etc/wgetrc
    
[root@server-to-be-patched yum.repos.d]# rpm -qc yum
/etc/logrotate.d/yum
/etc/yum.conf
/etc/yum/version-groups.conf
    
[root@server-to-be-patched yum.repos.d]# rpm -qc nfs-utils
/etc/nfsmount.conf
/etc/rc.d/init.d/nfs
/etc/rc.d/init.d/nfslock
/etc/rc.d/init.d/rpcgssd
/etc/rc.d/init.d/rpcidmapd
/etc/rc.d/init.d/rpcsvcgssd
/etc/request-key.d/id_resolver.conf
/etc/sysconfig/nfs
/var/lib/nfs/etab
/var/lib/nfs/rmtab
/var/lib/nfs/state
/var/lib/nfs/xtab

To find out which package owns a particular file, use the : rpm -qf command :

[root@server-to-be-patched etc]# rpm -qf hosts
setup-2.8.14-20.el6_4.1.noarch

[root@server-to-be-patched etc]# rpm -qf yum.conf
yum-3.2.29-69.0.1.el6.noarch
   
[root@server-to-be-patched network-scripts]# pwd
/etc/sysconfig/network-scripts
[root@server-to-be-patched network-scripts]# rpm -qf ifup
initscripts-9.03.49-1.0.1.el6.x86_64

The last item we'll look at here is : rpm -Va --> this verifies the state of the packages installed on a system.

When run, the command produces a set of flags (8 characters) which define the state of a package (or packages) - data that is retrieved from the RPM database. Before the name of the file is displayed, any extra information on the type of file is also displayed.

(From the 'rpm' man page)

Each of the 8 characters denotes the result of a comparison of attribute(s) of the file to the value of those attribute(s) recorded in the database.
A single "." (period) means the test passed, while a single "?" (question mark) indicates the
test could not be performed (e.g. file permissions prevent reading).
Otherwise, the (mnemonically emBoldened) character denotes failure of the corresponding --verify test :

   S  -->  file Size differs
   M  -->  Mode differs (includes permissions and file type)
   5  -->  digest (formerly MD5 sum) differs
   D  -->  Device major/minor number mismatch
   L  -->  readLink(2) path mismatch
   U  -->  User ownership differs
   G  -->  Group ownership differs
   T  -->  mTime differs
   P  -->  caPabilities differ

Then for the file type :

   c  -->  configuration file.
   d  -->  documentation file.
   g  -->  ghost file (i.e. the file contents are not included in the package payload).
   l  -->  license file.
   r  -->  readme file.

Let's look at an example :

[root@server-to-be-patched network-scripts]# rpm -Va
.......T.  c /etc/yum/pluginconf.d/versionlock.list
....L....  c /etc/pam.d/fingerprint-auth
....L....  c /etc/pam.d/password-auth
....L....  c /etc/pam.d/smartcard-auth
....L....  c /etc/pam.d/system-auth
S.5....T.  c /etc/security/limits.conf
.M.......    /var/lib/nfs/rpc_pipefs
..5....T.    /etc/ld.so.conf.d/kernel-3.8.13-68.3.4.el6uek.x86_64.conf
.......T.    /lib/modules/3.8.13-68.3.4.el6uek.x86_64/modules.alias.bin
.......T.    /lib/modules/3.8.13-68.3.4.el6uek.x86_64/modules.builtin.bin
.......T.    /lib/modules/3.8.13-68.3.4.el6uek.x86_64/modules.dep.bin
.......T.    /lib/modules/3.8.13-68.3.4.el6uek.x86_64/modules.symbols.bin

So, if we look at the first line, as an example, the flags tell us that :

/etc/yum/pluginconf.d/versionlock.list --> the file has a changed 'mTime' (modify time) from the initial package and that the file is a config 'c' file.
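
The flag decoding described above can be scripted. The following is an added example, not part of the original article: a shell function that reads 'rpm -Va' output on stdin, decodes the flag column (nine positions, as in the sample output above) and sorts each file into a triage category. The function names and the INFO / REVIEW / INVESTIGATE policy are assumptions made for this example; the sample lines are copied from the output above.

```shell
#!/bin/sh
# Added example: classify `rpm -Va` lines read from stdin.
# Prints: CATEGORY<TAB>path<TAB>attributes that differ from the RPM database.
# The INFO / REVIEW / INVESTIGATE policy is an assumption, not part of rpm.
triage_rpm_verify() {
  awk '
  BEGIN {
    name["S"] = "size";   name["M"] = "mode";           name["5"] = "digest"
    name["D"] = "device"; name["L"] = "symlink-target"; name["U"] = "owner"
    name["G"] = "group";  name["T"] = "mtime";          name["P"] = "capabilities"
  }
  NF < 2 { next }                              # blank or malformed line
  {
    flags = $1
    rest = $0
    sub(/^[ \t]*[^ \t]+[ \t]+/, "", rest)      # drop the flag column
    type = "-"                                 # "-" = no file-type marker
    if (rest ~ /^[cdglr] \//) { type = substr(rest, 1, 1); rest = substr(rest, 3) }
    # rpm prints the word "missing" instead of flags when a file is gone
    if (flags == "missing") { print "INVESTIGATE\t" rest "\tmissing"; next }
    reasons = ""; strong = 0
    for (i = 1; i <= length(flags); i++) {
      ch = substr(flags, i, 1)
      if (ch == "?") { ch = "unreadable"; strong = 1 }   # test could not run
      else if (ch in name) { if (ch ~ /[5MDUGLP]/) strong = 1; ch = name[ch] }
      else continue                            # "." means the test passed
      reasons = reasons (reasons == "" ? "" : ",") ch
    }
    if (strong && type != "c") level = "INVESTIGATE" # packaged non-config file altered
    else if (strong) level = "REVIEW"                # config file edited or relinked
    else level = "INFO"                              # only size and/or mtime differ
    print level "\t" rest "\t" reasons
  }'
}

# Sample input: lines copied from the rpm -Va output shown in the article.
sample_rpm_va() {
  cat <<'EOF'
.......T.  c /etc/yum/pluginconf.d/versionlock.list
....L....  c /etc/pam.d/system-auth
S.5....T.  c /etc/security/limits.conf
.M.......    /var/lib/nfs/rpc_pipefs
..5....T.    /etc/ld.so.conf.d/kernel-3.8.13-68.3.4.el6uek.x86_64.conf
.......T.    /lib/modules/3.8.13-68.3.4.el6uek.x86_64/modules.dep.bin
EOF
}

sample_rpm_va | triage_rpm_verify
```

On a live system, run it as 'rpm -Va | triage_rpm_verify' and keep the output with the pre-patch records so it can be compared after patching.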

There are many more options to 'rpm'. It's a useful tool - much more than just as a pre-yum package installer.

A useful thing to know about - so I hope this introduction to some of its abilities is useful to you.

In the next article, we'll be examining the Cataloging of a Linux system - both before and after patching.

This is important for both change analysis and auditing purposes.