- The integrity of a system must be protected at all costs. To do this, the system administrator needs to run periodic checks on the machine.
- "Integrity of the system" is a broad, cumulative topic: the integrity of the whole machine is determined by individual checks done on its different areas (files, authentication, authorization, auditing, network).
- One such check is the integrity of the files delivered by an RPM. File integrity means that no modification of any form is allowed to happen to the files after they have been placed on the machine by the RPM.
RPM Verify Error: What it means?
- The integrity of the files delivered by an RPM can be checked using rpm -V <installed-rpm-name>
- If the integrity is intact, the output of rpm -V for that RPM is empty

```
[root@n-server pam.d]# rpm -V linux-data-hub-01-2022.noarch
SM5..UGT.    /opt/pam/basic_pam.c
missing      /opt/pam/simple_pam.c
```
- In the command snippet above, the verification produced some output; the points below show how to interpret it
- Our file "/opt/pam/basic_pam.c" has changed in Size, Mode, MD5, User, Group and Time (the S, M, 5, U, G and T flags in the status column)
- The file /opt/pam/simple_pam.c is missing
- Hence the integrity of the RPM linux-data-hub-01-2022.noarch is lost
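As an added example (not code from this article), the small Python parser below turns rpm -V output such as the session above into structured findings, so a periodic integrity check can be scripted and alerted on; it interprets every status column rpm can print (including "?" for a test that could not be performed and the optional file-type marker), and the sample output embedded in it is constructed from the article's own session.

```python
# Added example (not from the article): parse `rpm -V` output into findings
# so the periodic integrity check can be scripted and alerted on.
import re
from dataclasses import dataclass, field

COLUMNS = "SM5DLUGTP"  # column order rpm prints; older rpm omits the trailing P
FLAG_NAMES = {"S": "size", "M": "mode", "5": "digest", "D": "device", "L": "symlink",
              "U": "user", "G": "group", "T": "mtime", "P": "capabilities"}
# Status column, optional file-type marker (c=config d=doc g=ghost l=license r=readme), path.
LINE_RE = re.compile(r"^(missing|[SM5DLUGTP.?]{8,9})\s+(?:([cdglr])\s+)?(/\S.*)$")

@dataclass
class Finding:
    path: str
    file_type: str = ""        # marker letter, "" when rpm printed none
    missing: bool = False
    changed: list = field(default_factory=list)     # attributes differing from the rpm db
    untestable: list = field(default_factory=list)  # rpm printed '?' in that column

def parse_rpm_verify(output: str) -> list:
    """Return one Finding per reported file; a clean rpm yields an empty list."""
    findings = []
    for raw in output.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:  # shell prompt, blank line, or other pasted-session noise
            continue
        status, ftype, path = m.groups()
        f = Finding(path=path, file_type=ftype or "")
        if status == "missing":
            f.missing = True
        else:
            for i, ch in enumerate(status):
                if ch == "?":
                    f.untestable.append(FLAG_NAMES[COLUMNS[i]])
                elif ch != ".":
                    f.changed.append(FLAG_NAMES[ch])
        findings.append(f)
    return findings

def integrity_lost(findings: list, ignore_config: bool = True) -> bool:
    """True when a file is missing or drifted; %config files are skipped by default."""
    return any(f.missing or f.changed
               for f in findings if not (ignore_config and f.file_type == "c"))

# Constructed sample: the verify output shown in this article, prompt line included.
SAMPLE = """[root@n-server rpm]# rpm -V linux-data-hub-01-2022.noarch
.....U...    /opt/Readme.md
SM5..UGT.    /opt/pam/basic_pam.c
missing      /opt/pam/simple_pam.c
"""
```

Feeding it the output of `rpm -Va` (all installed packages) gives the same per-file findings for the whole system.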
Warning: It is not recommended to suppress file integrity errors. In a production environment, a proper investigation should be done to find out why the files were modified.
How to Suppress the Error?
- In some cases it is expected that the mode, permissions or content of a file will change after installation. Such files can be treated as config files
- In other cases we can do partial verification: in the RPM spec we can state that certain checks are not to be performed on a file delivered by the RPM
RPM Spec under discussion
- I'm reusing the rpm spec used in another article, which can be seen here
Test Script for Error Simulation
- I'm using the test script below, which applies the required changes to simulate the error scenario and then runs the checks

```shell
rpmbuild --ba /root/***/Linux/rpm/rpm_verify_error_suppress.spec
rpm -Uvh /root/rpmbuild/RPMS/noarch/linux-data-hub-01-2022.noarch.rpm --force

# To simulate the "missing" error
rm -rf /opt/pam/simple_pam.c

# To simulate User, Group modification
chown abhi:abhi /opt/pam/basic_pam.c

# To simulate MD5, Size, Time modification
echo "test" >> /opt/pam/basic_pam.c

# To simulate Mode modification
chmod 777 /opt/pam/basic_pam.c

# To simulate User modification (chown with no group changes only the owner)
chown abhi /opt/Readme.md

rpm -V linux-data-hub-01-2022.noarch
```
- In the script above:
  - I'm building the RPM and installing it
  - A file (/opt/pam/simple_pam.c) delivered by the RPM is removed to simulate the "missing" error
  - The ownership (user and group) and mode of the file /opt/pam/basic_pam.c are changed
  - Dummy content is appended to /opt/pam/basic_pam.c to simulate MD5, size and time modification
  - The user ownership of /opt/Readme.md is changed
  - The RPM integrity check is run

Once the integrity check is run after the changes above, the errors shown match the modifications made by our test script:

```
[root@n-server rpm]# rpm -V linux-data-hub-01-2022.noarch
.....U...    /opt/Readme.md
SM5..UGT.    /opt/pam/basic_pam.c
missing      /opt/pam/simple_pam.c
```
Modification to be done in SPEC to suppress this error
- In the %files section, we can use built-in RPM macros to suppress this error by controlling which checks are performed.
- The snippet below shows the changes made to the existing spec file under %files, with an explanation of each change

```
%files
%defattr(500,root,root,-)
# Verify only whether the group of the file has changed
%attr(500,root,root) %verify(group) /opt/Readme.md
# Don't verify size, user, group, mode, md5, time
%attr(500,root,root) %verify(not size user group mode md5 mtime) /opt/pam/basic_pam.c
# Mark the file as config with missingok, so that even if the file is removed it will not show as missing
%config(missingok) %attr(500,root,root) /opt/pam/simple_pam.c
```
Verification of the new SPEC
- The same test script is re-executed to build the RPM with the new spec changes and to make the same modifications to the files as before
- On verifying the integrity, there is no output (no error), even though the files were modified and deleted

```
[root@n-server rpm]# rpm -V linux-data-hub-01-2022.noarch
[root@n-server rpm]#
```