How to List RPM Packages Across All Linux Devices

Using Kolide, you can easily view and query Linux RPM Packages across your fleet.

Introduction

RPM is the primary method of software installation on Red Hat variants of Linux.

The RPM Project describes RPM as...

The RPM Package Manager (RPM) is a powerful command line driven package management system capable of installing, uninstalling, verifying, querying, and updating computer software packages. Each software package consists of an archive of files along with information about the package like its version, a description, and the like. There is also a library API, permitting advanced developers to manage such transactions from programming languages such as C or Python.

RPM is a core component of many Linux distributions, such as Red Hat Enterprise Linux, the Fedora Project, SUSE Linux Enterprise, openSUSE, CentOS, Tizen, Mageia and many others.

For more information about RPM Package Manager please refer to the official project page: RPM Package Manager

What Linux RPM Package Data Can Kolide Collect?

Kolide's endpoint agent bundles in osquery to efficiently collect Linux RPM Packages from Linux devices in your fleet. Once collected, Kolide will parse, clean up, and centrally store this data in Inventory for your team to view, query, or export via API.

Kolide meticulously documents every piece of data returned so you can understand the results.

Linux RPM Packages Schema

Column            Type          Description
id                Primary Key   Unique identifier for the object
device_id         Foreign Key   Device associated with the entry
device_name       Text          Display name of the device associated with the entry
arch              Text          Architecture(s) supported
name              Text          RPM package name
release           Text          RPM package release: the build-specific suffix that rpm compares after the version (the "1.el8" in name-1.0-1.el8)
sha1              Text          SHA1 hash of the RPM package contents
size              Bigint        RPM package size in bytes
source            Text          Source RPM package name (optional)
version           Text          The text representation of the version
version_major     Bigint        Semver-style major component of the version (ex: 4.2.1 would yield 4)
version_minor     Bigint        Semver-style minor component (ex: 4.2.1 would yield 2)
version_patch     Bigint        Semver-style patch component (ex: 4.2.1 would yield 1)
version_subpatch  Bigint        Fourth numeric component, when the version has one (ex: 4.2.1.6 would yield 6)
version_pre       Text          Semver pre-release label (ex: 1.2.3-prerelease+build would yield prerelease)
version_build     Text          Semver build metadata (ex: 1.2.3-prerelease+build would yield build)
collected_at      Timestamp     Time the row of data was first collected in the database
updated_at        Timestamp     Time the row of data was last changed in the database

A caveat when using the numeric columns: RPM versions are not semver. rpm orders two packages by epoch, then version, then release, comparing each string segment by segment (runs of digits numerically, runs of letters as text) rather than as major.minor.patch. The version_* columns are derived from the version string in semver style, which makes them convenient filters, but two builds of the same version differ only in release, which they do not cover, and a version such as 1.0~rc1 or 2.0a has no clean semver reading. When deciding whether a device is behind, compare version and release together using rpm's ordering rather than the numeric columns alone.
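The following Python is an added example for this page, not Kolide's or rpm's code, showing what "rpm's ordering" means in practice. rpm_vercmp() is a compact reimplementation of the segment rules from rpm's rpmvercmp (rpm's '^' rule and the epoch are deliberately left out, since the schema above exposes only version and release), evr_cmp() orders (version, release) pairs as rpm does, and find_outdated() applies that to constructed rows shaped like this table. The device names, package names, versions and the "latest" values passed in are all invented for the demonstration.

```python
"""RPM-style version ordering (added example for this page; not Kolide's
or rpm's code). rpm_vercmp() reimplements the segment rules of rpm's
rpmvercmp in Python: separators are skipped, digit runs compare
numerically, letter runs compare as text, a digit run outranks a letter
run, and '~' sorts before everything else, including the end of the
string. rpm's '^' rule and the epoch are left out; the schema on this
page exposes version and release, so evr_cmp() orders by those two."""


def _run(s, start, pred):
    """Longest run of characters from s[start:] for which pred holds."""
    end = start
    while end < len(s) and pred(s[end]):
        end += 1
    return s[start:end]


def rpm_vercmp(a, b):
    """Return -1, 0 or 1 with the same ordering as rpmvercmp(a, b)."""
    i = j = 0
    while i < len(a) or j < len(b):
        # skip anything that is neither alphanumeric nor '~'
        while i < len(a) and not (a[i].isalnum() or a[i] == "~"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        a_tilde = i < len(a) and a[i] == "~"
        b_tilde = j < len(b) and b[j] == "~"
        if a_tilde or b_tilde:
            if not a_tilde:            # b has '~' here and a does not: a is newer
                return 1
            if not b_tilde:
                return -1
            i, j = i + 1, j + 1
            continue
        if i >= len(a) or j >= len(b):
            break
        # the segment type is decided by a's next character, as in rpm
        isnum = a[i].isdigit()
        pred = str.isdigit if isnum else str.isalpha
        seg_a, seg_b = _run(a, i, pred), _run(b, j, pred)
        if seg_b == "":
            return 1 if isnum else -1  # digits outrank letters
        i, j = i + len(seg_a), j + len(seg_b)
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):  # the longer number is the larger one
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1  # whichever has segments left is newer


def evr_cmp(installed, candidate):
    """Order (version, release) pairs as rpm does: version first, then release."""
    rc = rpm_vercmp(installed[0], candidate[0])
    return rc if rc else rpm_vercmp(installed[1], candidate[1])


# Constructed rows shaped like linux_rpm_packages: (device_name, name, version, release).
# Versions, releases and the "latest" values used below are invented.
SAMPLE_ROWS = [
    ("airstream",  "kernel",  "4.18.0", "305.el8"),
    ("bambox",     "kernel",  "4.18.0", "348.7.1.el8"),
    ("crusher999", "kernel",  "4.18.0", "348.7.1.el8"),
    ("airstream",  "openssl", "1.1.1k", "6.el8"),
    ("bambox",     "openssl", "1.1.1k", "7.el8"),
    ("crusher999", "openssl", "1.1.1k", "7.el8"),
]


def find_outdated(rows, name, latest):
    """Devices whose installed (version, release) of `name` sorts below `latest`.
    Comparing version alone would miss every row here: the versions are equal
    and only the release differs."""
    return sorted(d for d, n, v, r in rows if n == name and evr_cmp((v, r), latest) < 0)


if __name__ == "__main__":
    for pair in [("1.10", "1.9"), ("1.0~rc1", "1.0"), ("2.0a", "2.0"), ("1.a", "1.1")]:
        print(pair, "->", rpm_vercmp(*pair))
    print("kernel behind:", find_outdated(SAMPLE_ROWS, "kernel", ("4.18.0", "348.7.1.el8")))
```

The kernel rows are the case the numeric columns cannot see: version_major/minor/patch are identical on all three devices, and only evr_cmp(), which also reads release, reports airstream as behind.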

What Can You Do With This Information?

Kolide enables you to write your own queries against the data the agent collects. This allows you to build your own reports and API endpoints. For example, you can:

Search for a required package (Zoom) in a single source
Kolide SQL
SELECT device_name, name, version FROM linux_rpm_packages WHERE name = 'zoom'
Example Results
device_name name version
airstream zoom 5.7.31792.0820
daves-pc zoom 5.7.31792.0820
crusher999 zoom 5.8.3.145
bambox zoom 5.9.0.1273
Verify a required Linux package (ClamAV) is installed, across both package sources
Kolide SQL
WITH 
-- Linux packages can come from two different sources (linux_rpm_packages and linux_debian_packages)
-- We combine two queries using a UNION ALL and matching the columns
union_linux_packages AS (
  SELECT 
    device_name, 
    'dpkg' AS source, 
    name, 
    version 
  FROM linux_debian_packages 
  UNION ALL
  SELECT 
    device_name, 
    'rpm' AS source, 
    name, 
    version 
  FROM linux_rpm_packages
)
SELECT * FROM union_linux_packages WHERE name = 'clamav'
Example Results
device_name name version source
bambox clamav 0.103.6+dfsg-0+deb11u1 dpkg
pancake clamav 0.103.6+dfsg-0ubuntu0.21.10.1 dpkg
Dave-thinkpad-x1 clamav 0.103.6+dfsg-0ubuntu0.20.04.1 dpkg
jeff-pc clamav 0.103.6+dfsg-0ubuntu0.20.04.1 dpkg
crayoneater clamav 0.103.6+dfsg-0ubuntu0.20.04.1 dpkg
Airstream clamav 0.103.6 rpm
Check whether an installed package is up to date with the latest release (Zoom)
Kolide SQL
WITH 
-- Linux packages can come from two different sources (linux_rpm_packages and linux_debian_packages)
-- We combine two queries using a UNION ALL and matching the columns
union_linux_packages AS (
  SELECT 
    device_name, 
    'dpkg' AS source, 
    name, 
    version AS installed_version,
    version_major AS installed_version_major,
    version_minor AS installed_version_minor,
    version_patch AS installed_version_patch,
    version_subpatch AS installed_version_subpatch
  FROM linux_debian_packages 
  UNION ALL
  SELECT 
    device_name, 
    'rpm' AS source, 
    name, 
    version AS installed_version,
    version_major AS installed_version_major,
    version_minor AS installed_version_minor,
    version_patch AS installed_version_patch,
    version_subpatch AS installed_version_subpatch
  FROM linux_rpm_packages
),
-- The fourth component of the latest release is exposed as version_build,
-- so it is compared against installed_version_subpatch below
zoom_latest_prompted AS (
  SELECT 
    version AS latest_prompted_version,
    CAST(version_major AS int) AS latest_major,
    CAST(version_minor AS int) AS latest_minor,
    CAST(version_patch AS int) AS latest_patch,
    CAST(version_build AS int) AS latest_build
  FROM zoom_latest_releases 
  WHERE platform = 'linux' AND release_type = 'latest_prompted_release'
),
merge_data AS (
  SELECT 
    ulp.*, zlp.*
  FROM union_linux_packages ulp, zoom_latest_prompted zlp
  WHERE name = 'zoom'
)
-- Compare the four numeric components in order: a lower component only
-- decides the result when every higher component is equal
SELECT device_name, installed_version, latest_prompted_version,
  CASE WHEN (
         installed_version_major < latest_major
      OR (installed_version_major = latest_major AND installed_version_minor < latest_minor)
      OR (installed_version_major = latest_major AND installed_version_minor = latest_minor
          AND installed_version_patch < latest_patch)
      OR (installed_version_major = latest_major AND installed_version_minor = latest_minor
          AND installed_version_patch = latest_patch AND installed_version_subpatch < latest_build)
    ) THEN 'true' ELSE 'false' END AS zoom_requires_update
FROM merge_data;
Example Results
device_name installed_version latest_prompted_version zoom_requires_update
airstream 5.7.31792.0820 5.10.4 (2845) true
daves-pc 5.7.31792.0820 5.10.4 (2845) true
conference-room-zoom 5.10.4.2845 5.10.4 (2845) false
Bambox 5.9.0.1273 5.10.4 (2845) true
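
The three queries above each look up one named package. Two fleet-wide checks the same table supports are: the same name/version/release/arch reporting more than one sha1 across devices, which means those devices did not install the same bytes and is worth explaining (a mirror serving a rebuilt package, a locally modified RPM, or a hand-installed file); and packages present on exactly one device, a cheap outlier list for spotting software nobody else has. The Python below is an added example, not Kolide's code: it loads constructed rows into an in-memory SQLite table that reuses the column names from the schema on this page so the SQL runs offline. Device names, package names and the sha1 values are invented, and the SQL uses only standard constructs (CTE, JOIN, GROUP BY, HAVING) but was exercised here against SQLite only.

```python
"""Fleet-wide checks over linux_rpm_packages rows (added example for this
page; not Kolide's code). Constructed rows are loaded into an in-memory
SQLite table that reuses the column names from the schema above."""
import sqlite3

# Constructed sample: (device_name, name, version, release, arch, sha1).
# The sha1 values are placeholders, not real package digests.
SAMPLE_ROWS = [
    ("airstream",  "openssh-server", "8.0p1",  "13.el8", "x86_64", "aaaa0001"),
    ("bambox",     "openssh-server", "8.0p1",  "13.el8", "x86_64", "aaaa0001"),
    ("crusher999", "openssh-server", "8.0p1",  "13.el8", "x86_64", "bbbb0002"),  # same NVRA, different bytes
    ("airstream",  "bash",           "4.4.20", "4.el8",  "x86_64", "cccc0003"),
    ("bambox",     "bash",           "4.4.20", "4.el8",  "x86_64", "cccc0003"),
    ("crusher999", "bash",           "4.4.20", "4.el8",  "x86_64", "cccc0003"),
    ("crusher999", "custom-helper",  "1.0",    "1",      "noarch", "dddd0004"),  # on one device only
]

# Builds (name, version, release, arch) whose sha1 is not the same on every
# device that has them, listed per device so the odd one out is visible.
# "release" is double-quoted because it is also a SQL keyword.
SHA1_DRIFT_SQL = """
WITH per_build AS (
  SELECT name, version, "release", arch, COUNT(DISTINCT sha1) AS distinct_hashes
  FROM linux_rpm_packages
  GROUP BY name, version, "release", arch
)
SELECT p.name, p.version, p."release", p.arch, p.device_name, p.sha1
FROM linux_rpm_packages AS p
JOIN per_build AS b
  ON b.name = p.name AND b.version = p.version
 AND b."release" = p."release" AND b.arch = p.arch
WHERE b.distinct_hashes > 1
ORDER BY p.name, p.sha1, p.device_name
"""

# Package names seen on exactly one device in the fleet.
SINGLETON_SQL = """
SELECT name, MIN(device_name) AS device_name, COUNT(*) AS rows_on_device
FROM linux_rpm_packages
GROUP BY name
HAVING COUNT(DISTINCT device_name) = 1
ORDER BY name
"""


def load(rows):
    """Create the table in memory and insert the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE linux_rpm_packages ("
        'device_name TEXT, name TEXT, version TEXT, "release" TEXT, arch TEXT, sha1 TEXT)'
    )
    conn.executemany("INSERT INTO linux_rpm_packages VALUES (?, ?, ?, ?, ?, ?)", rows)
    return conn


def sha1_drift(conn):
    """Rows of builds that hash differently across devices."""
    return conn.execute(SHA1_DRIFT_SQL).fetchall()


def singleton_packages(conn):
    """(name, device_name, row count) for packages installed on one device."""
    return conn.execute(SINGLETON_SQL).fetchall()


if __name__ == "__main__":
    db = load(SAMPLE_ROWS)
    print("builds with more than one sha1 across the fleet:")
    for row in sha1_drift(db):
        print(" ", row)
    print("packages present on a single device:")
    for row in singleton_packages(db):
        print(" ", row)
```

The drift query keys on name, version, release and arch rather than name alone so that a device that is simply on an older build is not reported as tampered; only devices that claim the same build but carry different contents show up. The singleton query is intentionally coarse (a laptop with a one-off tool will appear) and is meant as a review list, not an alert.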

Why Should I Collect Linux RPM Packages?

Since RPM is the standard method for installing software on RHEL variants of Linux, the RPM database is an important data source for Linux administrators to monitor. Given the wide range of software that can be installed via RPM, it is important to regularly audit the list of installed packages on each machine.

RPM packages are cataloged and tracked to allow:

  • Reviewing installed packages to verify desired device configuration
  • Discovering potential malicious software
  • Identifying out-of-date or otherwise vulnerable software packages

End-User Privacy Consideration

Kolide practices Honest Security. We believe that data should be collected from end-user devices transparently and with privacy in mind.

RPM package installations may reveal a partial list of the applications installed on your device. This could include software used for personal or sensitive reasons.

When you use Kolide to list Linux RPM Package data from end-user devices, Kolide gives the people using those devices insight into exactly what data is collected, the privacy implications, and who on the IT team can see the data. This all happens in our end-user privacy center which can be accessed directly by employees.
