What if you want to verify that the files associated with a package haven’t been corrupted or compromised? For example, if you suspect your system has been accessed by a non-authorized user, you can verify that the files from a package have not been changed with the RPM verify feature. Of course, if the unauthorized user altered the RPM database, the results may not be accurate. It is always best to back up to a known secure state of the file system if you suspect foul play.
If the verify function is used, file properties such as file size, MD5 sum, file permissions, file type, and file ownership are compared to the original values stored in the RPM database. To verify that the files are associated with a package, use the following command:
rpm -V <package name>
If no output is returned, the files from the package have not been modified since installation. If a file, such as a configuration file, has been modified, the output is similar to.
Output from rpm -V httpd
.M.....T c /etc/httpd/conf/httpd.conf
To verify the files from all the packages installed, use the rpm -Va command. The output is similar to Listing
Sample Output from rpm -Va
....L... c /etc/pam.d/system-auth
..5....T c /etc/inittab
S.5....T c /etc/ntp/ntpservers
S.5....T c /etc/audit.rules
The c to the left of the filename indicates that the file is a configuration file. Other possible attribute markers included for documentation files, g for ghost files (file contents are not included in the package payload), l for license files, and r for readme files.
The letters, numbers, and dots at the beginning of each line detail how the file differs from the original state of the file. if a file is no longer installed, the word missing appears instead of the sequence of codes. Otherwise the eight letters, numbers, and dots represent eight different tests performed to verify the file. the codes that appear in the sequence in the order in which they appear if any of the tests fail. If a dot is shown instead of a code letter or number, the test passed.
RPM Verification Codes
S File size has changed
M Mode has changed, including file permissions and file type
5 MD5 sum has changed
D Device major or minor number has changed
L The path of the symbolic link has changed
U The owner of the file has changed
G The group of the file has changed
T The last modified time has changed