Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

Anyone know if there is an `rpm --verify` type of capability with OSQuery? I think not but maybe I’m missing a way to do this. Could be a good first contribution task for me :thinking_face:
<http://ftp.rpm.org/max-rpm/ch-rpm-verify.html>

I don’t know if there’s a table quite like rpm verify. There is a `rpm_package_files` and a `rpm_packages` table.

I suspect one could construct SQL to use the sha from `rpm_package_files`, the file table, and the `hash` table to create that functionality. I have no idea how performant it would be.

As a side note, osquery does not shell out to collect information.

I’ll have a play and see what I can do. Mostly collecting that info into OpenSearch so may be able to pull together similar or better using this plus  FIM.