Tech Tip: Determining What's Been Changed on RPM Based Systems
Jun 25, 2009 By Vijay Avarachen
As a consultant, I am often faced with an unfamiliar Linux system (usually RHEL). I always find it useful to understand which files shipped in RPM packages have been modified, since that is usually a good indicator of what customizations have been performed on the system. To determine the modified files, I simply run:

% rpm -qa | xargs rpm --verify --nomtime | less

Sample output:

missing /usr/local/src
.M...... /bin/ping6
.M...... /usr/bin/chage
.M...... /usr/bin/gpasswd
....L... c /etc/pam.d/system-auth
.M...... /usr/bin/chfn
.M...... /usr/bin/chsh
S.5..... c /etc/rc.d/rc.local
S.5..... c /etc/sysctl.conf
S.5..... c /etc/ssh/sshd_config
S.5..... c /etc/updatedb.conf
The following is taken from the rpm man pages (Verify Options section):
c %config configuration file.
d %doc documentation file.
g %ghost file (i.e. the file contents are not included in the package payload).
l %license license file.
r %readme readme file.
S file Size differs
M Mode differs (includes permissions and file type)
5 MD5 sum differs
D Device major/minor number mismatch
L readLink(2) path mismatch
U User ownership differs
G Group ownership differs
T mTime differs
Using this trick, I can quickly determine which configuration files have been modified, as well as any metadata modifications (ownership, symlink targets, etc.).
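As an added example (not part of the original tip), the script below parses the verify output format shown above and sorts the entries into expected configuration edits versus changes worth looking at first. The input is a constructed sample built from the lines above plus one assumed non-config binary (/usr/bin/passwd) whose digest differs.

```python
from dataclasses import dataclass, field

# Constructed sample in the format shown above; /usr/bin/passwd is an added
# non-config binary whose digest differs, to exercise the triage rule.
SAMPLE = """\
missing   /usr/local/src
.M...... /bin/ping6
.M...... /usr/bin/chage
....L... c /etc/pam.d/system-auth
S.5..... c /etc/sysctl.conf
S.5..... c /etc/ssh/sshd_config
..5..... /usr/bin/passwd
"""

@dataclass
class VerifyEntry:
    path: str
    flags: set = field(default_factory=set)  # non-dot columns, e.g. {"S", "5"}
    attr: str = ""                            # "c" for %config, "d" for %doc, ...
    missing: bool = False

def parse_line(line: str):
    """Parse one `rpm --verify` line; None for lines that are not status lines."""
    parts = line.split()
    if not parts:
        return None
    attr = parts[1] if len(parts) == 3 else ""   # optional file-attribute marker
    if parts[0] == "missing":
        return VerifyEntry(parts[-1], attr=attr, missing=True)
    if len(parts[0]) != 8:                       # status string is always 8 columns
        return None
    return VerifyEntry(parts[-1], {c for c in parts[0] if c != "."}, attr)

def triage(lines):
    """Content/link changes to %config files are usually local customisation;
    anything else (mode/owner changes, modified non-config files, missing
    files) goes to the review-first list."""
    config_edits, review = [], []
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        if e.attr == "c" and not e.missing and e.flags <= {"S", "5", "L", "T"}:
            config_edits.append(e.path)
        else:
            review.append(e.path)
    return config_edits, review

if __name__ == "__main__":
    cfg, rev = triage(SAMPLE.splitlines())
    print("customised config files:", cfg)
    print("review first:", rev)
```

On a real system, feed it the output of `rpm -Va --nomtime` instead of SAMPLE; the review list is where mode changes on setuid binaries and modified non-config files show up.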
Comments
checkroot: verify package signatures
rpm --verify -a will detect file system errors but may not reveal traces of an intruder/cracker (use checkroot for this: http://wwwu.edu.uni-klu.ac.at/estellnb/checkroot/)
Shorter
Good tip, just one thing, why not shorten your command a bit:
rpm -Va --nomtime | less
Or am I missing something?
diff with installed file
Getting a diff with the original file (before user modification) is more difficult.
I've used rpm2cpio and cpio to extract files from the original rpm so I could get a diff of the line-by-line changes made.
http://www.brandonhutchinson.com/cpio_command.html