Quantcast
Username/Email:  Password: 
Home

Tech Tip: Determining What's Been Changed on RPM Based Systems

Jun 25, 2009  By Vijay Avarachen
 in

As a consultant, I am often faced with an unfamiliar Linux system (usually RHEL). I always find it useful to understand which files that shipped with rpm packages have been modified, since it's usually a good indicator of what customizations have been performed on the system. To determine the modified files, I simply run: 

  % rpm -qa | xargs rpm --verify --nomtime | less

  # Sample output:

  missing     /usr/local/src
  .M......    /bin/ping6
  .M......    /usr/bin/chage
  .M......    /usr/bin/gpasswd
  ....L...  c /etc/pam.d/system-auth
  .M......    /usr/bin/chfn
  .M......    /usr/bin/chsh
  S.5.....  c /etc/rc.d/rc.local
  S.5.....  c /etc/sysctl.conf
  S.5.....  c /etc/ssh/sshd_config
  S.5.....  c /etc/updatedb.conf

The following is taken from the rpm man pages (Verify Options section): 

  c %config configuration file.
  d %doc documentation file.
  g %ghost file (i.e. the file contents are not
    included in the package payload).
  l %license license file.
  r %readme readme file.

  S file Size differs
  M Mode differs (includes permissions and file type)
  5 MD5 sum differs
  D Device major/minor number mismatch
  L readLink(2) path mismatch
  U User ownership differs
  G Group ownership differs
  T mTime differs

Using this trick, I can quickly determine what configuration files have been modified as well as any metadata modifications (ownership, link etc.).

______________________

Comments

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

checkroot: verify package signatures

Elmar Stellnberger's picture
Submitted by Elmar Stellnberger (not verified) on Jul 04, 2009.

rpm --verify -a will detect file system errors but may not reaveal traces of an intruder/cracker (use checkroot for this: http://wwwu.edu.uni-klu.ac.at/estellnb/checkroot/)

Shorter

Anonymous's picture
Submitted by Anonymous (not verified) on Jun 25, 2009.

Good tip, just one thing, why not shorten your command a bit:
rpm -Va --nomtime | less
Or am I missing something?

diff with installed file

Tom H's picture
Submitted by Tom H (not verified) on Jun 25, 2009.

Getting a diff with the original file (before user modification) is more difficult.

I've used rpm2cpio and cpio to extract files from the original rpm so I could get a diff of the line-by-line changes made.

http://www.brandonhutchinson.com/cpio_command.html

Post new comment

The content of this field is kept private and will not be shown publicly.
  • Allowed HTML tags: <a> <em> <strong> <cite> <code> <pre> <ul> <ol> <li> <dl> <dt> <dd> <i> <b>
  • Lines and paragraphs break automatically.
  • Use to create page breaks.

More information about formatting options