[vox-tech] rpmverify
Matthew Holland
vox-tech@lists.lugod.org
Sun, 23 Jun 2002 20:33:22 -0700
Sorry, this is a bit long... if you don't want to read it all,
concentrate on the excerpt from the man page for rpm. Essentially, its
behavior is that you say
# rpm --verify package
and it responds with silence if nothing has changed. If something has
changed, it prints a semi-cryptic string of characters for each file
that has changed, the meaning of which is documented in the rpm man
page. So if you wanted to check all of the packages installed on the
machine, you would write a script that gets a list of installed packages
(using 'rpm -qa'), and then runs 'rpm --verify ...' on each package.
You'll get a list of files that have changed and how... it's up to you
to decide which changes constitute "damage", but obviously it's abnormal
for binaries to change, and normal for things like configuration files
to change (but you knew that :)
Check out the documentation below.
Matt
An excerpt from RPM(8):
VERIFY OPTIONS
The general form of an rpm verify command is
rpm {-V|--verify} [select-options] [--nodeps] [--nofiles]
[--nomd5] [--noscripts]
Verifying a package compares information about the
installed files in the package with information about the
files taken from the package metadata stored in the rpm
database. Among other things, verifying compares the
size, MD5 sum, permissions, type, owner and group of each
file. Any discrepencies are displayed. Files that were
not installed from the package, for example, documentation
files excluded on installation using the "--excludedocs"
option, will be silently ignored.
The package selection options are the same as for package
querying (including package manifest files as arguments).
Other options that can be used only in verify mode are:
--nodeps
Don't verify dependencies.
--nofiles
Don't verify files.
--nomd5
Don't verify file MD5 checksums.
--noscripts
Don't execute the %verifyscript scriptlet (if any).
The format of the output is a string of 8 characters, a
possible "c" denoting a configuration file, and then the
file name. Each of the 8 characters denotes the result of
a comparison of attribute(s) of the file to the value of
those attribute(s) recorded in the database. A single "."
(period) means the test passed, while a single "?" indicates
the test could not be performed (e.g. file permissions
prevent reading). Otherwise, the (mnemonically
emBoldened) character denotes failure of the corresponding
--verify test:
S file Size differs
M Mode differs (includes permissions and file type)
5 MD5 sum differs
D Device major/minor number mis-match
L readLink(2) path mis-match
U User ownership differs
G Group ownership differs
T mTime differs
-----
I've never used rpmverify, but here's the usage "documentation", such as
it is. Looks like maybe this is meant to fill the role of the script I
suggested above, and then some.
# rpmverify --help
Usage: rpmverify [OPTION...]
Query options (with -q or --query):
-c, --configfiles list all configuration files
-d, --docfiles list all documentation files
--dump dump basic file information
-l, --list list files in package
--queryformat=QUERYFORMAT use the following query format
-s, --state display the states of the listed files
-v, --verbose display a verbose file listing
-a, --all query/verify all packages
-f, --file query/verify package(s) owning file
-g, --group query/verify package(s) in group
-p, --package query/verify a package file (i.e. a binary *.rpm file)
--querytags display known query tags
--specfile query a spec file
--whatrequires query/verify the package(s) which require a dependency
--whatprovides query/verify the package(s) which provide a dependency
Verify options (with -V or --verify):
--nomd5[|=0x1] don't verify MD5 digest of files
--nofiles[|=0x10000] don't verify files in package
--nodeps[|=0x20000] don't verify package dependencies
--noscript[|=0x40000] don't execute %verifyscript (if any)
-a, --all query/verify all packages
-f, --file query/verify package(s) owning file
-g, --group query/verify package(s) in group
-p, --package query/verify a package file (i.e. a binary *.rpm file)
--querytags display known query tags
--specfile query a spec file
--whatrequires query/verify the package(s) which require a dependency
--whatprovides query/verify the package(s) which provide a dependency
Common options for all rpm modes:
--version print the version of rpm being used
--quiet provide less detailed output
-v, --verbose provide more detailed output
--define='<name> <body>' define macro <name> with value <body>
--eval=<expr>+ print macro expansion of <expr>+
-r, --root=<dir> use <dir> as the top level directory (default: "/")
--macros=<file:...> read <file:...> instead of default macro file(s)
--rcfile=<file:...> read <file:...> instead of default rpmrc file(s)
--showrc display final rpmrc and macro configuration
Options implemented via popt alias/exec:
Help options:
-?, --help Show this help message
--usage Display brief usage message
On Sunday, June 23, 2002, at 07:52 PM, msimons@moria.simons-clan.com
wrote:
> While working on Richard's Redhat system I tried looking for a
> program approximately equivalent to "debsums" for identifying which
> packages should be reinstalled due to damage to their files. I found
> a program called "rpmverify" which seems to do more than debsums, but
> I could not find a man page and some quick searches on google showed
> no useful documentation.
>
> - Where is there information about rpmverify?
> - What other ways to check for files changed from the packaged
> versions exist on Redhat?
>
> Thanks,
> Mike
> _______________________________________________
> vox-tech mailing list
> vox-tech@lists.lugod.org
> http://lists.lugod.org/mailman/listinfo/vox-tech
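
Added example, not part of the original message or of rpm: a shell sketch of the script the message describes, which runs 'rpm --verify' per package from 'rpm -qa' and sorts each output line by the 8-character flag string quoted from RPM(8). The function names, the class labels and the sample lines are this example's own assumptions; lines that do not fit the 8-character format (rpm also reports absent files with a "missing" line) are passed through as OTHER rather than dropped.

```sh
#!/bin/sh
# Constructed sample of verify output (not captured from a real system).
sample_report() {
    cat <<'EOF'
S.5....T c /etc/inittab
S.5....T   /bin/ls
.M......   /usr/bin/passwd
..?.....   /var/lib/example/data
missing    /usr/share/doc/example/README
EOF
}

# Read verify lines on stdin; print "<CLASS> <flags> <path>" for each.
#   CONFIG  - marked "c": changes are normally expected
#   CONTENT - non-config file whose Size or MD5 sum differs: look here first
#   UNKNOWN - a test could not be performed ("?")
#   META    - only mode, owner, group, mtime, link or device differ
triage_verify() {
    awk '
    length($1) != 8 || $1 !~ /^[.?SM5DLUGT]+$/ { print "OTHER", $0; next }
    {
        flags = $1
        rest = $0
        sub(/^[^ \t]+[ \t]+/, "", rest)      # drop the flag field
        marker = ""
        if (rest ~ /^[a-z][ \t]+\//) {        # optional marker such as "c"
            marker = substr(rest, 1, 1)
            sub(/^[a-z][ \t]+/, "", rest)
        }
        if (marker == "c")                class = "CONFIG"
        else if (flags ~ /[S5]/)          class = "CONTENT"
        else if (index(flags, "?") > 0)   class = "UNKNOWN"
        else                              class = "META"
        print class, flags, rest
    }'
}

# Walk every installed package (needs rpm, so only run on request).
verify_all() {
    rpm -qa | while read -r pkg; do
        rpm --verify "$pkg" | triage_verify | while read -r line; do
            printf '%s: %s\n' "$pkg" "$line"
        done
    done
}

if [ "${1:-}" = "--all" ]; then verify_all; fi
```

Run with --all on an RPM-based system and filter for CONTENT to list non-configuration files whose contents no longer match the package database.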