Tech Tip: Determining What's Been Changed on RPM Based Systems


As a consultant, I am often faced with an unfamiliar Linux system (usually RHEL). I always find it useful to understand which files that shipped with rpm packages have been modified, since it's usually a good indicator of what customizations have been performed on the system. To determine the modified files, I simply run:

  % rpm -qa | xargs rpm --verify --nomtime | less

  # Sample output:

  missing     /usr/local/src
  .M......    /bin/ping6
  .M......    /usr/bin/chage
  .M......    /usr/bin/gpasswd
  ....L...  c /etc/pam.d/system-auth
  .M......    /usr/bin/chfn
  .M......    /usr/bin/chsh
  S.5.....  c /etc/rc.d/rc.local
  S.5.....  c /etc/sysctl.conf
  S.5.....  c /etc/ssh/sshd_config
  S.5.....  c /etc/updatedb.conf

The following is taken from the rpm(8) man page (Verify Options section):

  c %config configuration file.
  d %doc documentation file.
  g %ghost file (i.e. the file contents are not
    included in the package payload).
  l %license license file.
  r %readme readme file.

  S file Size differs
  M Mode differs (includes permissions and file type)
  5 MD5 sum differs
  D Device major/minor number mismatch
  L readLink(2) path mismatch
  U User ownership differs
  G Group ownership differs
  T mTime differs

Using this trick, I can quickly determine which configuration files have been modified, as well as any metadata modifications (ownership, links, etc.).
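The verify output above has a fixed layout: eight (nine on newer rpm releases, which add a "P" capabilities column) single-character test results or the word "missing", an optional file-attribute letter (c, d, g, l, r), then the path. The following parser, added here as an example and not part of the original tip, turns that output into records and separates the cases a reviewer usually wants to distinguish: config files whose content changed, files with metadata-only changes, and files that are missing. It is fed the article's own sample output embedded as a string; the helper names and the unsatisfied-dependencies line are constructed for illustration.

```python
"""Classify `rpm -V` (rpm --verify) output. Added example, not from the article."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Meaning of each test column, from rpm(8) "Verify Options". The ninth column
# "P" (capabilities) exists in newer rpm releases and is not in the article's
# table; older rpm prints only the first eight columns.
FLAG_MEANING: Dict[str, str] = {
    "S": "size differs",
    "M": "mode differs (permissions and file type)",
    "5": "digest differs",
    "D": "device major/minor number mismatch",
    "L": "readlink(2) path mismatch",
    "U": "user ownership differs",
    "G": "group ownership differs",
    "T": "mtime differs",
    "P": "capabilities differ",
}

ATTR_MEANING: Dict[str, str] = {"c": "config", "d": "doc", "g": "ghost", "l": "license", "r": "readme"}

# One verify line: 8 or 9 test columns ('.' = passed, '?' = could not test) or
# the word "missing", then an optional attribute letter, then the absolute path.
LINE_RE = re.compile(
    r"^(?P<tests>[SM5DLUGTP.?]{8,9}|missing)\s+(?:(?P<attr>[cdglr])\s+)?(?P<path>/.*)$"
)


@dataclass
class VerifyRecord:
    path: str
    missing: bool
    attr: Optional[str]   # c/d/g/l/r or None
    flags: List[str]      # test columns that reported a difference
    untested: List[str]   # columns rpm could not check ('?')


def parse_line(line: str) -> Optional[VerifyRecord]:
    """Parse one line of `rpm -V` output; return None for lines in another
    format (for example rpm's 'Unsatisfied dependencies ...' notes)."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    tests = m.group("tests")
    if tests == "missing":
        return VerifyRecord(m.group("path"), True, m.group("attr"), [], [])
    columns = "SM5DLUGTP"
    flags = [ch for ch in tests if ch not in ".?"]
    untested = [columns[i] for i, ch in enumerate(tests) if ch == "?"]
    return VerifyRecord(m.group("path"), False, m.group("attr"), flags, untested)


def parse_output(text: str) -> List[VerifyRecord]:
    return [r for r in (parse_line(l) for l in text.splitlines()) if r is not None]


def changed_config_files(records: List[VerifyRecord]) -> List[str]:
    """Config files whose content changed (size or digest); mode/owner-only
    changes and changed symlink targets are deliberately excluded."""
    return [r.path for r in records
            if r.attr == "c" and not r.missing and {"S", "5"} & set(r.flags)]


def metadata_only_changes(records: List[VerifyRecord]) -> List[str]:
    """Files whose content verifies but whose mode, ownership or link target differ."""
    return [r.path for r in records
            if not r.missing and r.flags and not ({"S", "5"} & set(r.flags))]


def missing_files(records: List[VerifyRecord]) -> List[str]:
    return [r.path for r in records if r.missing]


def describe(r: VerifyRecord) -> str:
    """Human-readable one-liner using the rpm(8) column meanings."""
    kind = f" [{ATTR_MEANING[r.attr]}]" if r.attr else ""
    if r.missing:
        return f"{r.path}{kind}: missing"
    return f"{r.path}{kind}: " + ", ".join(FLAG_MEANING[f] for f in r.flags)


# The article's sample output, verbatim (constructed input for this example).
SAMPLE = """missing     /usr/local/src
.M......    /bin/ping6
.M......    /usr/bin/chage
.M......    /usr/bin/gpasswd
....L...  c /etc/pam.d/system-auth
.M......    /usr/bin/chfn
.M......    /usr/bin/chsh
S.5.....  c /etc/rc.d/rc.local
S.5.....  c /etc/sysctl.conf
S.5.....  c /etc/ssh/sshd_config
S.5.....  c /etc/updatedb.conf
"""

if __name__ == "__main__":
    # Typical use: rpm -Va --nomtime > verify.txt; python3 this.py < verify.txt
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for rec in parse_output(text):
        print(describe(rec))
```

Run it with no input to see the article's sample classified, or pipe the real `rpm -Va --nomtime` output into it. Note that the mode-only hits on setuid binaries such as chage and gpasswd, and the changed symlink target of /etc/pam.d/system-auth, are reported separately from the four config files whose content actually differs; the S and 5 columns are what indicate edited content.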

______________________

Comments


checkroot: verify package signatures

Elmar Stellnberger

rpm --verify -a will detect file system errors but may not reveal traces of an intruder/cracker (use checkroot for this: http://wwwu.edu.uni-klu.ac.at/estellnb/checkroot/)

Shorter

Anonymous

Good tip, just one thing, why not shorten your command a bit:
rpm -Va --nomtime | less
Or am I missing something?

diff with installed file

Tom H

Getting a diff with the original file (before user modification) is more difficult.

I've used rpm2cpio and cpio to extract files from the original rpm so I could get a diff of the line-by-line changes made.

http://www.brandonhutchinson.com/cpio_command.html
