Tech Tip: Determining What's Been Changed on RPM Based Systems
As a consultant, I am often faced with an unfamiliar Linux system (usually RHEL). I always find it useful to understand which files that shipped with rpm packages have been modified, since it's usually a good indicator of what customizations have been performed on the system. To determine the modified files, I simply run:
% rpm -qa | xargs rpm --verify --nomtime | less # Sample output: missing /usr/local/src .M...... /bin/ping6 .M...... /usr/bin/chage .M...... /usr/bin/gpasswd ....L... c /etc/pam.d/system-auth .M...... /usr/bin/chfn .M...... /usr/bin/chsh S.5..... c /etc/rc.d/rc.local S.5..... c /etc/sysctl.conf S.5..... c /etc/ssh/sshd_config S.5..... c /etc/updatedb.conf
The following is taken from the rpm man pages (Verify Options section):
c %config configuration file. d %doc documentation file. g %ghost file (i.e. the file contents are not included in the package payload). l %license license file. r %readme readme file. S file Size differs M Mode differs (includes permissions and file type) 5 MD5 sum differs D Device major/minor number mismatch L readLink(2) path mismatch U User ownership differs G Group ownership differs T mTime differs
Using this trick, I can quickly determine what configuration files have been modified as well as any metadata modifications (ownership, link etc.).
- Linux Kernel Testing and Debugging
- What's Your i-Name?
- Wanted: Your Embedded Linux Projects
- NSA: Linux Journal is an "extremist forum" and its readers get flagged for extra surveillance
- RSS Feeds
- Tails above the Rest, Part III
- UNIX under the Desktop
- Tech Tip: Really Simple HTTP Server with Python
- Why Python?
- Download "Linux Management with Red Hat Satellite: Measuring Business Impact and ROI"