Verify suspected package tampering and broken shell behavior by
combining rpm integrity checks with
dnf inspection and repair workflows. Confirm
ownership of key files, detect modifications, and restore
expected state safely.
A teammate reports:
“bash completion stopped working and a binary might be
modified.”
You need to confirm what is installed, identify which package
owns key files, verify whether packaged files were modified,
and restore expected state using safe
rpm/dnf workflows.
Start with evidence. Use rpm to determine what
the system believes is installed and whether it matches the
packaged baseline, then use dnf only for
targeted repair.
bash.rpm -qi.dnf reinstall.
dnf repoquery to confirm repository source.
rpm is your source of truth for “what is installed
right now” and “what files should exist for that package.”
rpm -V shows drift from the packaged baseline.
That drift can be legitimate (especially config files), but
it is still evidence you must account for.
rpm -qf) to move from a
symptom on disk to the package you can repair.
dnf for controlled repair after you have
verified drift, not as your first instinct.
bash.
rpm -q bashThis is your baseline. If the package is not installed, you have a different problem than “modified files.”
bash-5.1.8-6.el9.x86_64bash.
rpm -qi bashMetadata confirms what release you are on and gives context for troubleshooting and audit trails.
Name : bash
Version : 5.1.8
Release : 6.el9
Architecture: x86_64
Summary : The GNU Bourne Again shellbash.
rpm -ql bash | headUse this to confirm whether a file should exist and where the package places configuration and helper scripts.
/bin/bash
/etc/bashrc
/usr/share/doc/bash/etc/bashrc.
rpm -qf /etc/bashrcThis maps a file back to its owning RPM and is often the first step before a targeted repair.
bash-5.1.8-6.el9.x86_64bash.
rpm -V compares installed files to RPM
metadata. Output indicates differences (size, permissions,
mtime, checksum) and flags config files with c.
sudo rpm -V bash
In this example, /etc/bashrc is a config file and
was modified. That is not automatically malicious, but it is
evidence you should account for before restoring baselines.
S.5....T. c /etc/bashrc
(size and mtime differ: /etc/bashrc was modified)bash to restore packaged files.
Reinstall restores packaged files, but config file handling depends on packaging rules. Validate shell behavior after changes.
sudo dnf reinstall -y bashUse this when integrity checks show drift and you need to re-apply the packaged baseline.
Last metadata expiration check: 0:02:11 ago on Sun 04 Jan 2026.
Dependencies resolved.
Reinstalling:
bash.x86_64 5.1.8-6.el9 baseos
Complete!rpm -V bashA clean verify run typically produces no output. If you still see unexpected drift, narrow down which files are changing and why.
(no output)bash.
dnf list bashSanity check: what your repos expose versus what is installed.
Installed Packages
bash.x86_64 5.1.8-6.el9 @baseos
Available Packages
bash.x86_64 5.1.8-6.el9 baseosrepoquery to show repository info for httpd.
dnf repoquery --info httpd
Useful when you need more detail than dnf list,
including confirming which repository a package is sourced from.
Name : httpd
Version : 2.4.57
Release : 8.el9
Repo : appstreamsudo dnf clean metadata
Use this when repo metadata is stale or you want to force a
fresh metadata view on the next dnf operation.
0 files removedYou are not in a “modified files” situation yet. Confirm the correct host, confirm repos, then determine whether bash is intentionally absent or removed unexpectedly.
The file may be locally created, dropped by a script, or part of a non-RPM install. Do not assume reinstall will fix it.
That’s a bigger signal than a single config drift. Consider widening scope: check other core packages and preserve evidence before mass repairs.
End with a clean repo view and a known integrity state for the package you touched.
rpm -V bash
dnf list bash
sudo dnf clean metadata
rpm -V bash is clean (or only shows expected config
drift), dnf list bash looks sane, and metadata cleanup
completes without errors.
rpm -q <pkg>
: Print the installed package version (or report not installed).
rpm -qi <pkg>
: Display package metadata (version, release, summary, install info).
rpm -ql <pkg>
: List files installed by a package.
rpm -qf <path>
: Find the owning package for a file path.
rpm -V <pkg>
: Verify packaged files against RPM metadata.
c
: Marks config files (may legitimately differ from packaged baseline).
dnf reinstall <pkg>
: Reinstall a package from repos to restore packaged files.
dnf list <pkg>
: Show installed and available versions of a package.
dnf repoquery --info <pkg>
: Show detailed repo metadata for a package, including source repo.
dnf clean
: Clean cached data to force fresh repo information.
metadata : Remove repo metadata only.all : Remove metadata and cached packages.