How to List RPM Packages Across All Linux Devices
Using Kolide, you can easily view and query Linux RPM Packages across your fleet.
Introduction
RPM is the primary method of software installation on Red Hat variants of Linux.
The RPM Project describes RPM as...
The RPM Package Manager (RPM) is a powerful command line driven package management system capable of installing, uninstalling, verifying, querying, and updating computer software packages. Each software package consists of an archive of files along with information about the package like its version, a description, and the like. There is also a library API, permitting advanced developers to manage such transactions from programming languages such as C or Python.
RPM is a core component of many Linux distributions, such as Red Hat Enterprise Linux, the Fedora Project, SUSE Linux Enterprise, openSUSE, CentOS, Tizen, Mageia and many others.
For more information about RPM Package Manager please refer to the official project page: RPM Package Manager
What Linux RPM Package Data Can Kolide Collect?
Kolide's endpoint agent bundles in osquery to efficiently collect Linux RPM Packages from Linux devices in your fleet. Once collected, Kolide will parse, clean up, and centrally store this data in Inventory for your team to view, query, or export via API.
Kolide meticulously documents every piece of data returned so you can understand the results.
Linux RPM Packages Schema
| Column | Type | Description | |
|---|---|---|---|
| id | Primary Key |
Unique identifier for the object |
|
| device_id | Foreign Key |
Device associated with the entry |
|
| device_name | Text |
Display name of the device associated with the entry |
|
| arch | Text |
Architecture(s) supported |
|
| name | Text |
RPM package name |
|
| release | Text |
RPM package release |
|
| sha1 | Text |
SHA1 hash of the RPM package contents |
|
| size | Bigint |
RPM package size in bytes |
|
| source | Text |
Source RPM package name (optional) |
|
| version | Text |
The text representation of the version |
|
| version_major | Bigint |
|
|
| version_minor | Bigint |
|
|
| version_patch | Bigint |
|
|
| version_subpatch | Bigint |
|
|
| version_pre | Text |
|
|
| version_build | Text |
|
|
| collected_at | Timestamp |
Time the row of data was first collected in the database |
|
| updated_at | Timestamp |
Time the row of data was last changed in the database |
|
What Can You Do With This Information?
Kolide enables you to write your own queries against the data the agent collects. This allows you to build your own reports and API endpoints. For example, you can:
SELECT device_name, name, version FROM linux_rpm_packages WHERE name = 'zoom'| device_name | name | version |
|---|---|---|
| airstream | zoom | 5.7.31792.0820 |
| daves-pc | zoom | 5.7.31792.0820 |
| crusher999 | zoom | 5.8.3.145 |
| bambox | zoom | 5.9.0.1273 |
WITH
-- Linux packages can come from two different sources (rpm_packages, and debian_packages)
-- We combine two queries using a UNION ALL and matching the columns
union_linux_packages AS (
SELECT
device_name,
'dpkg' AS source,
name,
version
FROM linux_debian_packages
UNION ALL
SELECT
device_name,
'rpm' AS source,
name,
version
FROM linux_rpm_packages
)
SELECT * FROM union_linux_packages WHERE name = 'clamav'| device_name | name | version | source |
|---|---|---|---|
| bambox | clamav | 0.103.6+dfsg-0+deb11u1 | dpkg |
| pancake | clamav | 0.103.6+dfsg-0ubuntu0.21.10.1 | dpkg |
| Dave-thinkpad-x1 | clamav | 0.103.6+dfsg-0ubuntu0.20.04.1 | dpkg |
| jeff-pc | clamav | 0.103.6+dfsg-0ubuntu0.20.04.1 | dpkg |
| crayoneater | clamav | 0.103.6+dfsg-0ubuntu0.20.04.1 | dpkg |
| Airstream | clamav | 0.103.6 | rpm |
WITH
-- Linux packages can come from two different sources (rpm_packages, and debian_packages)
-- We combine two queries using a UNION ALL and matching the columns
union_linux_packages AS (
SELECT
device_name,
'dpkg' AS source,
name,
version AS installed_version,
version_major AS installed_version_major,
version_minor AS installed_version_minor,
version_patch AS installed_version_patch,
version_subpatch AS installed_version_subpatch
FROM linux_debian_packages
UNION ALL
SELECT
device_name,
'rpm' AS source,
name,
version AS installed_version,
version_major AS installed_version_major,
version_minor AS installed_version_minor,
version_patch AS installed_version_patch,
version_subpatch AS installed_version_subpatch
FROM linux_rpm_packages
),
zoom_latest_prompted AS (
SELECT
version AS latest_prompted_version,
CAST(version_major AS int) AS latest_major,
CAST(version_minor AS int) AS latest_minor,
CAST(version_patch AS int) AS latest_patch,
CAST(version_build AS int) AS latest_build
FROM zoom_latest_releases
WHERE platform = 'linux' AND release_type = 'latest_prompted_release'
),
merge_data AS (
SELECT
ulp.*, zlp.*
FROM union_linux_packages ulp, zoom_latest_prompted zlp
WHERE name = 'zoom'
)
-- Evaluate installed version against latest_prompted_release
SELECT device_name, installed_version, latest_prompted_version,
CASE WHEN (
installed_version_major < latest_major
OR installed_version_major <= latest_major AND installed_version_minor < latest_minor
OR installed_version_major <= latest_major AND installed_version_minor <= latest_minor AND installed_version_patch < latest_patch
OR installed_version_major <= latest_major AND installed_version_minor <= latest_minor AND installed_version_patch <= latest_patch AND installed_version_subpatch < latest_build
) THEN 'true' ELSE 'false' END AS zoom_requires_update
FROM merge_data;| device_name | installed_version | latest_prompted_version | zoom_requires_update |
|---|---|---|---|
| airstream | 5.7.31792.0820 | 5.10.4 (2845) | true |
| daves-pc | 5.7.31792.0820 | 5.10.4 (2845) | true |
| conference-room-zoom | 5.10.4.2845 | 5.10.4 (2845) | false |
| Bambox | 5.9.0.1273 | 5.10.4 (2845) | true |
Why Should I Collect Linux RPM Packages?
Since RPM is the standard method for installing software on RHEL variants of Linux, it is an important service to monitor for Linux administrators. Given the wide range of possible software that can be installed via RPM, it is important to regularly audit the list of installed packages on a machine.
RPM packages are cataloged and tracked to allow:
- Reviewing installed packages to verify desired device configuration
- Discovering potential malicious software
- Identifying out-of-date or otherwise vulnerable software packages
End-User Privacy Consideration
Kolide practices Honest Security. We believe that data should be collected from end-user devices transparently and with privacy in mind.
RPM package installations may reveal a partial list of the applications installed on your device. This could include software used for personal or sensitive reasons.
When you use Kolide to list Linux RPM Package data from end-user devices, Kolide gives the people using those devices insight into exactly what data is collected, the privacy implications, and who on the IT team can see the data. This all happens in our end-user privacy center which can be accessed directly by employees.
