Continuing on with the series, this article looks at some of the powerful tooling available with the Linux 'rpm' command.
RPM, the Red Hat Package Manager, is a lower-level tool (compared to 'yum') that allows you to examine the packages installed on a Linux system.
The main use in terms of Linux patching is to extract information about installed packages to help with troubleshooting.
rpm provides some useful querying functionality.
This includes :
rpm -qa <package name> - lists info about an installed package (its full name, version and release)
rpm -qc <package name> - lists the config files associated with a package (really cool!)
rpm -qf <file name> - lists the owning package for a file
Let's look at some examples :
rpm -qa is like a (very) cut down version of : 'yum info' - but could be very useful in scripting situations ...
    [root@server-to-be-patched yum.repos.d]# rpm -qa ntp
    ntp-4.2.6p5-15.0.1.el6_10.x86_64
    [root@server-to-be-patched yum.repos.d]# yum info ntp
    Loaded plugins: security, ulninfo, versionlock
    Installed Packages
    Name        : ntp
    Arch        : x86_64
    Version     : 4.2.6p5
    Release     : 15.0.1.el6_10
    Size        : 1.6 M
    Repo        : installed
    From repo   : patching_ol6_latest
    Summary     : The NTP daemon and utilities
    URL         : http://www.ntp.org
    License     : (MIT and BSD and BSD with advertising) and GPLv2
    Description : The Network Time Protocol (NTP) is used to synchronize a computer's
                : time with another reference time source. This package includes ntpd
                : (a daemon which continuously adjusts system time) and utilities used
                : to query and configure the ntpd daemon.
                :
                : Perl scripts ntp-wait and ntptrace are in the ntp-perl package and
                : the ntpdate program is in the ntpdate package. The documentation is
                : in the ntp-doc package.
More powerful is : rpm -qc, which is used to list the configuration files etc. associated with a package - very cool!
Some examples :
    [root@server-to-be-patched yum.repos.d]# rpm -qc ntp
    /etc/ntp.conf
    /etc/ntp/crypto/pw
    /etc/sysconfig/ntpd
    [root@server-to-be-patched yum.repos.d]# rpm -qc wget
    /etc/wgetrc
    [root@server-to-be-patched yum.repos.d]# rpm -qc yum
    /etc/logrotate.d/yum
    /etc/yum.conf
    /etc/yum/version-groups.conf
    [root@server-to-be-patched yum.repos.d]# rpm -qc nfs-utils
    /etc/nfsmount.conf
    /etc/rc.d/init.d/nfs
    /etc/rc.d/init.d/nfslock
    /etc/rc.d/init.d/rpcgssd
    /etc/rc.d/init.d/rpcidmapd
    /etc/rc.d/init.d/rpcsvcgssd
    /etc/request-key.d/id_resolver.conf
    /etc/sysconfig/nfs
    /var/lib/nfs/etab
    /var/lib/nfs/rmtab
    /var/lib/nfs/state
    /var/lib/nfs/xtab
To find out which package owns a particular file, use the : rpm -qf command :
    [root@server-to-be-patched etc]# rpm -qf hosts
    setup-2.8.14-20.el6_4.1.noarch
    [root@server-to-be-patched etc]# rpm -qf yum.conf
    yum-3.2.29-69.0.1.el6.noarch
    [root@server-to-be-patched network-scripts]# pwd
    /etc/sysconfig/network-scripts
    [root@server-to-be-patched network-scripts]# rpm -qf ifup
    initscripts-9.03.49-1.0.1.el6.x86_64
The last item we'll look at here is : rpm -Va --> this verifies the state of the packages installed on a system.
When run, the command produces a set of flags (8 characters) which define the state of a package (or packages) - data that is retrieved from the RPM database. Before the name of the file is displayed, any extra information on the type of file is also displayed.
(From the 'rpm' man page)
Each of the 8 characters denotes the result of a comparison of attribute(s) of the file to the value of those attribute(s) recorded in the database.
A single "." (period) means the test passed, while a single "?" (question mark) indicates the test could not be performed (e.g. file permissions prevent reading).
Otherwise, the (mnemonically emBoldened) character denotes failure of the corresponding --verify test :
S --> file Size differs
M --> Mode differs (includes permissions and file type)
5 --> digest (formerly MD5 sum) differs
D --> Device major/minor number mismatch
L --> readLink(2) path mismatch
U --> User ownership differs
G --> Group ownership differs
T --> mTime differs
P --> caPabilities differ
Then for the file type :
c --> configuration file.
d --> documentation file.
g --> ghost file (i.e. the file contents are not included in the package payload).
l --> license file.
r --> readme file.
Let's look at an example :
    [root@server-to-be-patched network-scripts]# rpm -Va
    .......T. c /etc/yum/pluginconf.d/versionlock.list
    ....L.... c /etc/pam.d/fingerprint-auth
    ....L.... c /etc/pam.d/password-auth
    ....L.... c /etc/pam.d/smartcard-auth
    ....L.... c /etc/pam.d/system-auth
    S.5....T. c /etc/security/limits.conf
    .M....... /var/lib/nfs/rpc_pipefs
    ..5....T. /etc/ld.so.conf.d/kernel-3.8.13-68.3.4.el6uek.x86_64.conf
    .......T. /lib/modules/3.8.13-68.3.4.el6uek.x86_64/modules.alias.bin
    .......T. /lib/modules/3.8.13-68.3.4.el6uek.x86_64/modules.builtin.bin
    .......T. /lib/modules/3.8.13-68.3.4.el6uek.x86_64/modules.dep.bin
    .......T. /lib/modules/3.8.13-68.3.4.el6uek.x86_64/modules.symbols.bin
So, if we look at the first line, as an example, the flags tell us that :
/etc/yum/pluginconf.d/versionlock.list --> the file has a changed 'mTime' (modify time) from the initial package and that the file is a config 'c' file.
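For scripting, the same decoding can be applied to every line of 'rpm -Va' output. The following Python sketch is an added example, not part of the original article: it decodes the flag and file-type letters listed above and picks out files whose digest changed but which are not config files. That review rule and the function names are assumptions of this example; the pattern accepts 8 or 9 flag columns because the sample output above shows nine.

```python
import re

# Flag and file-type letters as listed in the article (from the rpm man page).
FLAGS = {
    "S": "size differs", "M": "mode differs", "5": "digest differs",
    "D": "device number mismatch", "L": "readlink path mismatch",
    "U": "user differs", "G": "group differs", "T": "mtime differs",
    "P": "capabilities differ",
}
TYPES = {"c": "config", "d": "documentation", "g": "ghost", "l": "license", "r": "readme"}

# Flags column, optional one-letter file type, then the absolute path.
LINE = re.compile(r"^([SM5DLUGTP.?]{8,9})\s+(?:([cdglr])\s+)?(/.*)$")

def parse_verify_line(line):
    """Return a dict for one 'rpm -Va' line, or None if it is not a flags line."""
    m = LINE.match(line.strip())
    if not m:
        return None
    flags, ftype, path = m.groups()
    return {
        "path": path,
        "type": TYPES.get(ftype, "regular"),
        "failed": [FLAGS[c] for c in flags if c in FLAGS],
        "untested": "?" in flags,
        # Assumption of this example: changed content in a non-config file
        # is the first thing to look at in a change audit.
        "review": "5" in flags and ftype != "c",
    }

def triage(output):
    """Parse multi-line 'rpm -Va' output; return (all entries, paths to review first)."""
    entries = [e for e in map(parse_verify_line, output.splitlines()) if e]
    return entries, [e["path"] for e in entries if e["review"]]

# Lines copied from the article's sample output.
SAMPLE = """\
.......T. c /etc/yum/pluginconf.d/versionlock.list
....L.... c /etc/pam.d/system-auth
S.5....T. c /etc/security/limits.conf
.M....... /var/lib/nfs/rpc_pipefs
..5....T. /etc/ld.so.conf.d/kernel-3.8.13-68.3.4.el6uek.x86_64.conf
"""

if __name__ == "__main__":
    for e in triage(SAMPLE)[0]:
        print(e["path"], e["type"], "; ".join(e["failed"]))
    print("review first:", triage(SAMPLE)[1])
```

On a live system the input would be the captured output of 'rpm -Va' rather than the embedded sample.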
There are many more options to 'rpm'. It's a useful tool - much more than just as a pre-yum package installer.
A useful thing to know about - so I hope this introduction to some of its abilities is useful to you.
In the next article, we'll be examining the Cataloging of a Linux system - both before and after patching.
This is important for both change analysis and auditing purposes.