[CentOS] Good md5sum snapshot tool?

Les Mikesell lesmikesell at gmail.com
Thu Jun 4 21:58:54 UTC 2009


Nifty Cluster Mitch wrote:
> 
>>> I have a server that is undergoing some patching soon and would like
>>> to make note of any files that have changed after the patching is
>>> complete.  Can you recommend a tool that uses md5sum snapshots to do a
>>> quick before and after test, showing anything that's changed on a
>>> particular file system?
>> I always like brute force - and the ability to undo things...  If you 
>> have space somewhere to rsync (-aH) a backup copy of the filesystems 
>> before the changes, repeating the rsync with -aHvn --delete, (don't 
>> forget that -n) will show what is different afterwards.
> 
> I am looking at Aide mentioned by a previous reply
> because I do not know the details of how it works.
> On first glance I should be running it...
> Add tripwire to the list of tools too.
> 
> Brute force will not work for a lot of objects.
> Consider that "prelink" can change the MD5sum of many
> objects and cause false triggers for rsync and other
> simple tools.
> 
> Tools like aide and tripwire will find ALL the changes from the update
> so the number of changes may be very large depending on the patching
> process.  In looking at aide while typing it is also clear to me that any
> interesting tool must also track file+dir ownership, file+dir permissions,
> SELinux context as well if the job is to be done correctly.  Context for
> each file, each user and the policy itself.
> 
> It is quite easy to find / -type f and build your own
> list of md5 checksums.   No scripting will be needed to
> check it.   See the  --check flag for md5sum
> and also use split to build smaller chunks.
> 
>     $ md5sum /etc/passwd > /tmp/foo
>     $ md5sum -c /tmp/foo
>     /etc/passwd: OK
> 
>     $ find /etc -type f -print0 | xargs -0 md5sum > /tmp/foo
>     $ md5sum --check  /tmp/foo 
>     $ md5sum --check  /tmp/foo | egrep -v "\ OK$"
> 
> Interesting tools should also look for 'extra' files.
> 
> RPM is not too bad for some checks.
> 
>   rpm -qVa
> 
> And
> 
>   find / -type f | ----slice and dice---| rpm -qf 
> 
> Something like this might be important... in all $PATH areas etc...
> along the lines of...
>   # touch /tmp/isthisownedbyapackage
>   # rpm -qf /tmp/isthisownedbyapackage
>   file /tmp/isthisownedbyapackage is not owned by any package

If you are going to that much work, maybe you have found a tool to track 
configuration changes too.  I'd like to find some sane way to have a 
master starting config (probably all of /etc) checked into subversion or 
a similar tool, then be able to treat any number of similar machines as 
branches with an easy way to diff either points in time on one machine 
or between different machines.  Knowing if changes were the result of 
local edits or package updates would be a plus, but not absolutely 
necessary.

-- 
   Les Mikesell
    lesmikesell at gmail.com