[PLUG] RPM Question

Paul Heinlein heinlein at madboa.com
Wed Dec 12 21:17:42 UTC 2007


On Wed, 12 Dec 2007, Galen Seitz wrote:

> Daniel.Roberts at sanofi-aventis.com wrote:
>> Hello All
>>
>> On a redhat system..how can I figure out when rpm was last run?
>> I am trying to figure out if someone besides myself is running RPM...or
>> possibly how if at all a package which I thought got installed has now
>> been removed ed..
>
> This isn't exactly what you want, but it's a start.  This command will
> show all installed packages, sorted by install time.
>
> rpm -qa --last

I'm unsure if you're actually interested in knowing when someone runs 
the rpm binary or not. The Red Hat packaging system can be accessed 
via some shared libraries, so keeping an eye on /bin/rpm won't 
necessarily be an accurate way of knowing when there's been rpm-like 
activity.

It'd probably be more useful to keep an eye on the /var/lib/rpm 
directory or one or more of the database files it contains.

If you have SELinux installed and configured, you can have the audit 
daemon keep an eye on certain files. See /usr/share/doc/audit-* and 
the sample rules files there for information on monitoring a certain 
file or directory.

-- 
Paul Heinlein <> heinlein at madboa.com <> http://www.madboa.com/



More information about the PLUG mailing list