
1.3.2. Package Integrity

This section describes a few commands that should be run regularly after updates (or via cron) to verify that your system is in a valid and good state.

Package Integrity Check

| Complete | Step | Requirement | Description |
|----------|------|-------------|-------------|
|          | Dependency Verification | Should | Verify all package dependencies have been met using this command: /bin/rpm -Va --nofiles --nomd5. Fix any errors printed from that command. [4] |
|          | Source Verification | Should | Verify all packages installed on this system are from an upstream repository and still valid. /usr/bin/package-cleanup --orphans [5] |
|          | Service Restarts | Should | Make sure older versions of applications are no longer running in memory and have all been restarted. python needs-restarting.py [6] |


[4] This may also be part of a regularly run cron job instead of running it after every update.

[5] This command will go through all rpms on your host and make sure they are on a valid yum repository. This is important for two reasons. First, it will alert admins to any rpms that have been installed manually via rpm -i. Second, it will alert admins about packages that may now be obsolete or otherwise unsupported, and possibly out of date and insecure.

[6] This command goes through all programs running in memory and looks to see if they have any bad file descriptors open. This is important for updates that may not have restarted their applications. For example, if a security update comes out for apache but no one restarts httpd, it is possible that even though the package has been updated, the older insecure version is still running in memory and serving your customers. Newer versions of yum-utils may have this installed already. If not, you can get it from here: http://yum.baseurl.org/gitweb?p=yum-utils.git;a=blob;f=needs-restarting.py
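
The stale-process condition described in [6] can also be checked by hand. The script below is an added example, not needs-restarting.py or any yum-utils code: it assumes a Linux /proc filesystem and reports executable mappings whose backing file has been removed or replaced on disk. The function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example (not needs-restarting.py): report executable mappings whose
# backing file was removed or replaced on disk, e.g. by a package update.

# Read /proc/<pid>/maps text on stdin; print each stale path once.
stale_mappings() {
    awk '
        # Fields: address perms offset dev inode pathname [...] "(deleted)"
        $2 ~ /x/ && $NF == "(deleted)" && $6 ~ /^\// {
            path = $6
            for (i = 7; i < NF; i++) path = path " " $i   # paths with spaces
            # Shared memory and memfd mappings always show as deleted: skip.
            if (path ~ /^\/(memfd:|SYSV|dev\/)/) next
            if (!seen[path]++) print path
        }'
}

# Constructed sample in /proc/<pid>/maps format (not captured from a host).
sample_maps() {
    cat <<'EOF'
55d0a000-55d0b000 r-xp 00000000 fd:00 1311 /usr/sbin/httpd (deleted)
7f10a000-7f12c000 r-xp 00000000 fd:00 2201 /usr/lib64/libssl.so.10 (deleted)
7f12c000-7f12d000 r--p 00022000 fd:00 2201 /usr/lib64/libssl.so.10 (deleted)
7f200000-7f3b0000 r-xp 00000000 fd:00 2300 /usr/lib64/libc-2.17.so
7f400000-7f401000 rwxs 00000000 00:04 9001 /dev/zero (deleted)
7f500000-7f501000 rw-p 00000000 00:00 0
EOF
}

# Walk live processes (run as root to see all of them).
scan_processes() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}; pid=${pid%/maps}
        # Unreadable or already-exited processes are skipped silently.
        { stale=$(stale_mappings < "$maps"); } 2>/dev/null || continue
        [ -n "$stale" ] || continue
        printf 'PID %s (%s)\n' "$pid" "$(cat "/proc/$pid/comm" 2>/dev/null)"
        printf '%s\n' "$stale" | sed 's/^/    /'
    done
}

case "${1:-}" in
    --live) scan_processes ;;
    *)      sample_maps | stale_mappings ;;
esac
```

Run with --live to scan the host; each reported path can be passed to rpm -qf to see which package owns it and therefore which service needs a restart.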