How to find who has installed RPM packages?


Hi all,
Is there any solution to audit the system and find the user who has installed RPM packages on the system, and also to schedule some alarms to send alerts when a user has installed RPM packages?

Responses

Any ordinary user installing an rpm will be stopped by the following: "error: can't create transaction lock on /var/lib/rpm/.rpm.lock (Permission denied)".

Did you provide the superuser password to users installing software, or do they use sudo? In the latter case you could prevent this with specific lists of allowed commands in the sudoers file.

Regards, Siem Korteweg

As Siem has said, they would have installed as root or using sudo. Depending on how you have sudo set up, you may have a sudo audit item executing rpm/yum tied to a specific user, or a user switching to root at that time in /var/log/secure.

To determine when the package was installed use the following:

rpm -qa --last | less

You should also find install/update/removal events logged in /var/log/yum.log. This is probably a good spot to log/alert from if you are using a SIEM such as Splunk/ELK.

Once you have the time it was installed, you can correlate events in /var/log/secure etc. to hopefully line it up with a user.
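The correlation described in the post above (a /var/log/yum.log event lined up against sudo or su activity in /var/log/secure) as an added example; this is not part of the original thread or of any Red Hat tooling. It is plain POSIX sh plus awk. The host name web01, the user names and every log line in demo() are constructed sample data, and the 120-second look-back window is an arbitrary assumption you would tune to how long your users take between `sudo`/`su` and the actual install.

```sh
#!/bin/sh
# Added example (not from the original thread): attribute yum.log install
# events to a login user by correlating them with sudo/su activity in
# /var/log/secure. Pure POSIX sh + awk so it runs on a minimal RHEL host.
#
# attribute_installs YUMLOG SECURELOG WINDOW_SECONDS
#   For each Installed/Updated/Erased line in YUMLOG, print every sudo
#   invocation or su-to-root session in SECURELOG that happened on the same
#   calendar day, up to WINDOW_SECONDS before the yum event. Events with no
#   candidate are flagged so they can be investigated separately.
attribute_installs() {
    awk -v window="$3" '
    # "HH:MM:SS" -> seconds since midnight. Syslog timestamps carry no year,
    # so correlation is restricted to the same "Mon DD" day.
    function secs(hms,  t) { split(hms, t, ":"); return t[1]*3600 + t[2]*60 + t[3] }

    # First file (/var/log/secure): collect privilege events.
    FILENAME == ARGV[1] {
        user = ""; how = ""; cmd = ""
        # "web01 sudo:    alice : TTY=pts/0 ; ... ; USER=root ; COMMAND=/usr/bin/yum install nmap"
        if ($5 == "sudo:" && $7 == ":") {
            user = $6; how = "sudo"
            i = index($0, "COMMAND="); cmd = (i ? substr($0, i + 8) : "?")
        # "web01 su: pam_unix(su-l:session): session opened for user root by bob(uid=1001)"
        } else if ($5 == "su:" && match($0, /for user root by [A-Za-z0-9._-]+\(/)) {
            user = substr($0, RSTART + 17, RLENGTH - 18); how = "su"; cmd = "su to root"
        }
        if (user != "") {
            n++; pday[n] = $1 " " $2; psec[n] = secs($3)
            puser[n] = user; phow[n] = how; pcmd[n] = cmd
        }
        next
    }

    # Second file (/var/log/yum.log): "Jun 10 09:14:22 Installed: 2:nmap-6.40-19.el7.x86_64"
    $4 ~ /^(Installed|Updated|Erased):$/ {
        day = $1 " " $2; s = secs($3); hit = 0
        for (i = 1; i <= n; i++) {
            if (pday[i] == day && s - psec[i] >= 0 && s - psec[i] <= window) {
                printf "%s %s %s %s <- %s via %s: %s\n", day, $3, $4, $5, puser[i], phow[i], pcmd[i]
                hit = 1
            }
        }
        if (!hit) printf "%s %s %s %s <- (no sudo/su activity within %ds)\n", day, $3, $4, $5, window
    }' "$2" "$1"
}

# demo: run the correlation over constructed sample logs (not real data).
# Expected: nmap -> alice via sudo, htop -> bob via su, tcpdump unattributed.
demo() {
    dir=$(mktemp -d)
    cat > "$dir/yum.log" <<'EOF'
Jun 10 09:14:22 Installed: 2:nmap-6.40-19.el7.x86_64
Jun 10 09:20:31 Installed: htop-2.2.0-3.el7.x86_64
Jun 10 14:03:07 Installed: 14:tcpdump-4.9.2-4.el7.x86_64
EOF
    cat > "$dir/secure" <<'EOF'
Jun 10 09:14:20 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/yum install nmap
Jun 10 09:14:20 web01 sudo: pam_unix(sudo:session): session opened for user root by alice(uid=0)
Jun 10 09:20:01 web01 su: pam_unix(su-l:session): session opened for user root by bob(uid=1001)
Jun 10 10:00:00 web01 sshd[2210]: Accepted publickey for carol from 10.0.0.5 port 50122 ssh2
EOF
    out=$(attribute_installs "$dir/yum.log" "$dir/secure" 120)
    rm -rf "$dir"
    printf '%s\n' "$out"
}

demo
```

On a real host you would call `attribute_installs /var/log/yum.log /var/log/secure 120`; because yum.log and secure are rotated on different schedules, pass the matching rotated files (`yum.log-YYYYMMDD`, `secure-YYYYMMDD`) together when looking at older installs. An install with no sudo/su candidate in the window usually means either a direct root login (check sshd "Accepted ... for root" lines) or an automated job such as yum-cron.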

Not sure how I forgot to mention 'yum history' in the above post. You can most likely get the information you need using the following:

yum history

This will give you the logged-in user that executed the transaction, so if they used sudo to switch to root for the install you should still be fine.

This command will return a list of transactions; you can get further information on a specific transaction using:

yum history info 118

Where 118 is the transaction ID. This will also provide the command line that was used to call yum.

Full documentation is here, apologies for not mentioning this in my previous post:
http://yum.baseurl.org/wiki/YumHistory

Hi Davoud Teimouri,

There are some good things Pixeldrift & Siem mentioned ... you can consider the use of "aide" and have regularly scheduled "aide" scans, but you'd have to spend some time tailoring aide, or at minimum parsing the results, because it will inform you of many changes. Alternatively, you could do checks of /var/log/yum.log, but it gets rotated over time based on logrotate directives. aide needs to be tamed either in its setup or in its reading of output.

You could have a recurring job check the number of packages on a system and report back to you, but this will nag you when you do system updates, push errata, patches, bug fixes, etc.

You could look (via scripting) for matches against /var/log/yum.log for that day and email you a report with those results, as PixelDrift mentioned.

These are some options; there are other options.
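The recurring inventory check suggested above, as an added example that is not from the original thread. The post warns that a package count will nag you on every update run; this version compares package names rather than full name-version-release strings, so errata and patches (same name, new version) stay quiet and only packages that genuinely appeared or disappeared are reported. The two inventories in demo_delta() are constructed sample data, and the /var/lib path in the usage note is an assumption.

```sh
#!/bin/sh
# Added example (not from the original thread): a baseline-vs-current package
# inventory check for a recurring (cron) job. It compares package NAMES only,
# so a routine 'yum update' (same name, newer version-release) is not
# reported; only packages that appeared or disappeared are.
export LC_ALL=C   # sort and comm must agree on collation

# pkg_names FILE
#   Reduce 'rpm -qa' style lines (name-version-release.arch) to bare names.
#   The last two dash-separated fields are version and release.arch; the
#   name itself may contain dashes (python-libs), which is why we strip from
#   the right. On a live host prefer: rpm -qa --qf '%{NAME}\n' | sort -u
pkg_names() {
    sed 's/-[^-]*-[^-]*$//' "$1" | sort -u
}

# package_delta BASELINE CURRENT
#   Print "+ name" for packages only in CURRENT and "- name" for packages
#   only in BASELINE. Empty output means nothing to alert on.
package_delta() {
    b=$(mktemp); c=$(mktemp)
    pkg_names "$1" > "$b"
    pkg_names "$2" > "$c"
    comm -13 "$b" "$c" | sed 's/^/+ /'
    comm -23 "$b" "$c" | sed 's/^/- /'
    rm -f "$b" "$c"
}

# demo_delta: run the check over two constructed inventories (not real data).
# The baseline has htop; the current list lost it, gained nmap, updated
# openssl and carries a second kernel. Only nmap and htop should be reported.
demo_delta() {
    dir=$(mktemp -d)
    cat > "$dir/baseline" <<'EOF'
bash-4.2.46-34.el7.x86_64
htop-2.2.0-3.el7.x86_64
kernel-3.10.0-1160.el7.x86_64
openssl-1.0.2k-19.el7.x86_64
python-libs-2.7.5-89.el7.x86_64
EOF
    cat > "$dir/current" <<'EOF'
bash-4.2.46-34.el7.x86_64
kernel-3.10.0-1160.49.1.el7.x86_64
kernel-3.10.0-1160.el7.x86_64
nmap-6.40-19.el7.x86_64
openssl-1.0.2k-25.el7.x86_64
python-libs-2.7.5-89.el7.x86_64
EOF
    package_delta "$dir/baseline" "$dir/current"
    rm -rf "$dir"
}

demo_delta
```

For a real deployment (paths assumed): take the baseline once with `rpm -qa --qf '%{NAME}\n' | sort -u > /var/lib/pkg-baseline`, then have cron run `rpm -qa --qf '%{NAME}\n' | sort -u > /var/lib/pkg-current && package_delta /var/lib/pkg-baseline /var/lib/pkg-current` and mail or forward the output only when it is non-empty. Re-baseline deliberately after an approved install so that the next run is quiet again; unlike the yum.log approach this also catches packages added with plain `rpm -i`, which yum history never sees.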
