Loading
Tech Tip: Determining What's Been Changed on RPM Based Systems
As a consultant, I am often faced with an unfamiliar Linux system (usually RHEL). I always find it useful to understand which files that shipped with rpm packages have been modified, since it's usually a good indicator of what customizations have been performed on the system. To determine the modified files, I simply run:
% rpm -qa | xargs rpm --verify --nomtime | less # Sample output: missing /usr/local/src .M...... /bin/ping6 .M...... /usr/bin/chage .M...... /usr/bin/gpasswd ....L... c /etc/pam.d/system-auth .M...... /usr/bin/chfn .M...... /usr/bin/chsh S.5..... c /etc/rc.d/rc.local S.5..... c /etc/sysctl.conf S.5..... c /etc/ssh/sshd_config S.5..... c /etc/updatedb.conf
The following is taken from the rpm man pages (Verify Options section):
c %config configuration file.
d %doc documentation file.
g %ghost file (i.e. the file contents are not
included in the package payload).
l %license license file.
r %readme readme file.
S file Size differs
M Mode differs (includes permissions and file type)
5 MD5 sum differs
D Device major/minor number mismatch
L readLink(2) path mismatch
U User ownership differs
G Group ownership differs
T mTime differs
Using this trick, I can quickly determine what configuration files have been modified as well as any metadata modifications (ownership, link etc.).
______________________
- 100% disappointed with the decision to go all digital.
- Linux--The Internet Appliance?
- Kernel Korner - The New Work Queue Interface in the 2.6 Kernel
- Kernel Korner - I/O Schedulers
- UpFront
- Readers' Choice Awards 2011
- Why Python?
- Real-Time Linux Kernel Scheduler
- Solaris-Zones: Linux IT Marbles Get a New Bag
- You Need A Budget
- Search
3 hours 38 min ago - Question
4 hours 2 min ago - for the record
4 hours 4 min ago - That's disappointing. Thanks
6 hours 27 min ago - Well spotted. I've corrected
7 hours 56 min ago - This is a great program. We
10 hours 56 min ago - No Air for Linux
12 hours 46 min ago - HEWLETT PACKARD created
12 hours 56 min ago - HEWLETT PACKARD created
12 hours 59 min ago - very helpful :)
13 hours 20 min ago
Comments
checkroot: verify package signatures
rpm --verify -a will detect file system errors but may not reaveal traces of an intruder/cracker (use checkroot for this: http://wwwu.edu.uni-klu.ac.at/estellnb/checkroot/)
Shorter
Good tip, just one thing, why not shorten your command a bit:
rpm -Va --nomtime | less
Or am I missing something?
diff with installed file
Getting a diff with the original file (before user modification) is more difficult.
I've used rpm2cpio and cpio to extract files from the original rpm so I could get a diff of the line-by-line changes made.
http://www.brandonhutchinson.com/cpio_command.html