Open Source

Perform file system validation with rpm in Linux

This tip provides examples of rpm system validation messages and how to interpret them.

Delivered each Tuesday, TechRepublic's free Linux NetNote provides tips, articles, and other resources to help you hone your Linux skills. Automatically sign up today!

A number of programs exist that perform file system validation. For instance, both the Tripwire and AIDE programs perform comprehensive checks on your system to determine if someone has changed, added, or removed files. Both programs use sophisticated means of determining a file's "identity," including inode data, md5sums, and other hashes.

However, every RPM-based system already features a basic file system integrity checker—the rpm tool itself. Of course, that's not to say that more advanced integrity checkers aren't necessary, particularly when it comes to servers and other critical machines. But on a basic machine where you want to perform a quick validation of the file system, rpm can suffice nicely.

Here's an example:

# rpm -Va

This verifies every file installed as an rpm package on your system. The rpm database keeps information on each file it installs, so it knows if something has changed.

When you run rpm, it returns a listing of files with codes in front of them that looks something like this:

S.5....T c /etc/sudoers
missing    /boot/kernel.h-2.4.18

This obviously tells us that the kernel header file (kernel.h-2.4.18) is missing, and it shows that the sudoers file has changed.

The column of codes are the letters SM5DLUGT; if the letter shows up, it means that the value of the file has changed. Those letters represent Size, Mode, MD5 checksum, Device major and minor numbers, Symlink destination, Owner, Group, and modification Time, respectively. In our example, we can see that the sudoers file has changed size, md5sum value, and modification time since installation.

In addition, note the letter c behind the status column; this marks the file as a configuration file. So in this case, you can assume that the reason for the change is that you configured sudoers.


Vincent Danen works on the Red Hat Security Response Team and lives in Canada. He has been writing about and developing on Linux for over 10 years and is a veteran Mac user.

Editor's Picks