RPM Package Inspection for Fun and Profit

6a00d8341c562c53ef01538f8abd65970b-800wi"Whats in the box" — David Mills

Lets face it, one of your users needs to have a package installed on a system, you tend to do it for them. That is, as long as the package looks safe. Sure, your not going to install an rpm that is clearly dangerous, but as long as the package name looks reasonable and you trust the user, you might actually just go ahead an install it for them without thinking much about it. Hell, I know that I have done the exact same thing from time to time. And I have done it with an unsigned package.

"Sure you need this Oracle thing installed on this database server?"

 "You got it directly from Oracle right?"

But honestly, this is a very bad practice as you have no idea what the RPM is installing, and what its pre and post scripts might be doing to your system. Using the command below, you can inspect a packages post and pre install scripts to see if they are doing anything funny. In this instance I am taking a look at the dropbox package for my little Eeepc.

[root@localhost ~]# rpm -qp –scripts /root/Downloads/nautilus-dropbox-1.6.0-1.fedora.i386.rpm

If you have already installed a package and want to see what its pre and post install scripts did. You can run the command above using the installed package name. Note that you will drop the "P" from the command. See my sendmail example below.

[root@localhost ~]#rpm -q –scripts sendmail-8.14.8-2.fc20.i686


In addition to checking the pre and post scripts, you also want to check to see if the rpm has any triggers. What are triggers you ask? Well they are extensions to the normal install scripts, and they may often call for the installation of another package or the execution of a command. Just look at all the triggers that fire when you install sendmail.

[root@localhost ~]# rpm -q –triggers sendmail-8.14.8-2.fc20.i686
triggerun scriptlet (using /bin/sh) — sendmail < 8.14.5-3
/usr/bin/systemd-sysv-convert –save sendmail >/dev/null 2>&1 ||:
/bin/systemctl enable sendmail.service >/dev/null 2>&1
/bin/systemctl enable sm-client.service >/dev/null 2>&1
/sbin/chkconfig –del sendmail >/dev/null 2>&1 || :
/bin/systemctl try-restart sendmail.service >/dev/null 2>&1 || :
/bin/systemctl try-restart sm-client.service >/dev/null 2>&1 || :
# workaround for systemd rhbz#738022
/bin/systemctl is-active sendmail.service >/dev/null 2>&1 && \
        ! /bin/systemctl is-active sm-client.service >/dev/null 2>&1 && \
        /bin/systemctl start sm-client.service >/dev/null 2>&1 || :

Obviously you also want to check to see what files are actually part of a package. This can be accomplished with the query and list arguments seen below. Add the "P" argument if the rpm is not already installed. In this case I have already installed sendmail, so I exclude the "P" from the command.


[root@localhost ~]# rpm -ql sendmail-8.14.8-2.fc20.i686


So whats the moral of the story here. Well its really not that hard to take a minute and look under the covers and make sure that the packages that you are installing are not harming your systems. Is definetly worth 5 minutes of your time. Might just save your behind.


Related articles

RHEL6 – Simple Postfix Configuration
RHEL6 – Common Postfix Server Roles
Configure sendmail as a client for SMTPs
Sendmail Server

Quick and Dirty Yum Security Plugin Overview

Maneki-neko-mountain-tummy-13745890The YUM security plugin is a package that allows you to search specifically for security patches applicable to a Redhat/Centos server.  This functionality comes in very handy when having to cross reference CVEs to Redhat Security Advisories (RHSAs). If you work closely with anyone in an information security role, you already know how vital functionality is.

Before you can begin you need to make sure that you have the plugin installed.  Use the command below to install it.

# yum -y install yum-plugin-security


Then you can use the plugin to get a overview of the security updates availible for your system.

# yum updateinfo
Updates Information Summary: available
3 Security notice(s)
         1 Important Security notice(s)
         2 Moderate Security notice(s)
12 Bugfix notice(s)
1 Enhancement notice(s)


You can get a specific list of updates, sorted by security advisories, bug fixes, and enhancement advisories.

# yum updateinfo list


To get more specific information on a RHSA and the CVEs that it applies to, you can search by RHSA as seen below.

# yum updateinfo RHSA-2014:0771


Need to see what patches are required to address a certain CVE, then this next command is for you. Trust me this one is useful as it gives you a list of all required packages that address that CVE.

# yum updateinfo list –cve=CVE-2013-6378
Loaded plugins: amazon-id, rhui-lb, security
RHSA-2014:0771 Important/Sec. kernel-2.6.32-431.20.3.el6.x86_64
RHSA-2014:0771 Important/Sec. kernel-firmware-2.6.32-431.20.3.el6.noarch
RHSA-2014:0771 Important/Sec. kernel-headers-2.6.32-431.20.3.el6.x86_64
RHSA-2014:0771 Important/Sec. perf-2.6.32-431.20.3.el6.x86_64


Want to see a list of all fixes by severity. Then you can use the command below. Note that I am using important as my severity as there are no critical updates that are applicable to my test system at this time.

yum updateinfo list –sec-severity=Important
RHSA-2014:0771 Important/Sec. kernel-2.6.32-431.20.3.el6.x86_64
RHSA-2014:0771 Important/Sec. kernel-firmware-2.6.32-431.20.3.el6.noarch
RHSA-2014:0771 Important/Sec. kernel-headers-2.6.32-431.20.3.el6.x86_64
RHSA-2014:0771 Important/Sec. perf-2.6.32-431.20.3.el6.x86_64


You can also search for security fixes by package name as shown below.

# yum updateinfo list kernel
RHSA-2014:0771 Important/Sec. kernel-2.6.32-431.20.3.el6.x86_64


You can also use YUM to apply only security related updates. See below. This is useful if you are in a pinch and need to quickly apply all security updates to make your Infosec Team happy.

# yum –security update

Related articles

Using Yum Update to Apply Security Patches Only
YFD plugin updated

How to Use Hpacucli in ESXi

Miracle_WhipWow just stumbled into this one today as I was dreading having to reboot my ESXi 4.1 boxes just to see a few new local disks.

Apparently you can install hpacucli in ESXi very easily, and whats even better is that you can install it directly on a datastore and use the install on any host that has access to that datastore. No need to reinstall on each and every host in your cluster. No need to reboot to configure your disks.

Anyway here is the link to the how to, its obviously written by a Windows Guy, but it works easy enough.



Update: Apparently HP now provides an official version of hpacucli for ESXi 5 as part of HP ESXi Utilities Offline Bundle for VMware ESXi 5.0.

Also note that I found that my HP servers with the P400 card did not detect the new logical drives, even after a rescan. Apparently a reboot is required. However my HP boxes with the P410 card did detect the new logical drives after a rescan and no reboot was required.


ProLiant System Management Homepage

Prod-shot-170x190 The HP Systems management homepage is a web based utility for managing and monitoring Proliant Servers. It can be installed via the ProLiant Support Pack DVD (on linux its just an rpm). Once installed you can modify the default settings via the perl script, hpSMHSetup.pl located in /usr/local/hp.

To access your server's homepage navigate to https://<yourhostname>:2381 in your browser. You must include the https:// part of the url. Use your root user and password to access.

From the homepage you can monitor system, subsystems and status views of your server. Any critical, major, minor, or warning alerts will appear in the Overall Status Summary.