On Wed, Jun 03, 2009 at 04:51:53PM -0500, Les Mikesell wrote:
Sean Carolan wrote:
I have a server that is undergoing some patching soon and would like to make note of any files that have changed after the patching is complete. Can you recommend a tool that uses md5sum snapshots to do a quick before and after test, showing anything that's changed on a particular file system?
I always like brute force - and the ability to undo things... If you have space somewhere to rsync (-aH) a backup copy of the filesystems before the changes, repeating the rsync with -aHvn --delete, (don't forget that -n) will show what is different afterwards.
I am looking at Aide mentioned by a previous reply because I do not know the details of how it works. On first glance I should be running it... Add tripwire to the list of tools too.
Brute force will not work for a lot of objects. Consider that "prelink" can change the MD5sum of many objects and cause false triggers for rsync and other simple tools.
Tools like aide and tripwire will find ALL the changes from the update so the number of changes may be very large depending on the patching process. In looking at aide while typing it is also clear to me that any interesting tool must also track file+dir ownership, file+dir permissions, SELinux context as well if the job is to be done correctly. Context for each file, each user and the policy itself.
It is quite easy to find / -type f and build your own list of md5 checksums. No scripting will be needed to check it. See the --check flag for md5sum and also use split to build smaller chunks.
$ md5sum /etc/passwd > /tmp/foo
$ md5sum -c /tmp/foo
/etc/passwd: OK
$ find /etc -type f -print0 | xargs -0 md5sum > /tmp/foo
$ md5sum --check /tmp/foo
$ md5sum --check /tmp/foo | egrep -v "\ OK$"
Interesting tools should also look for 'extra' files.
RPM is not too bad for some checks.
rpm -qVa
And
find / -type f | ----slice and dice---| rpm -qf
Something like this might be important... in all $PATH areas etc... along the lines of...
# touch /tmp/isthisownedbyapackage
# rpm -qf /tmp/isthisownedbyapackage
file /tmp/isthisownedbyapackage is not owned by any package
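The before/after snapshot the thread is circling around, written out as a small script. This is an added example, not something posted in the thread: it records mode, owner, group, size and MD5 per regular file (so a chmod or chown with unchanged content is still reported, as the reply above asks for), then classifies paths as ADDED, REMOVED or MODIFIED. It assumes GNU coreutils (stat -c, md5sum, comm) as on CentOS and a shell with `local`; SELinux contexts and the rpm -qf cross-check for unowned files are not included. As the thread warns, on a prelinked box MD5 differences under library and binary directories also need the rpm -V view before being treated as real changes.

```shell
#!/bin/sh
# Added example (not from the thread): before/after snapshot of a file tree.
# Manifest line format:  <mode> <owner> <group> <size> <md5> <path>
# Assumes GNU coreutils (stat -c, md5sum, comm) and a shell supporting 'local'.
export LC_ALL=C   # one collation for sort and comm

# snapshot ROOT OUT: write one record per regular file under ROOT to OUT.
# Attributes are part of the record, so a permission or ownership change
# with identical content still shows up as MODIFIED.
snapshot() {
    local root=$1 out=$2
    find "$root" -type f -exec sh -c '
        for f do
            printf "%s %s %s\n" "$(stat -c "%a %U %G %s" "$f")" \
                "$(md5sum < "$f" | cut -d" " -f1)" "$f"
        done' _ {} + | sort > "$out"
}

# compare BEFORE AFTER: a record present in only one manifest is either a new
# or removed file, or the before/after half of a modified one.
compare() {
    local before=$1 after=$2 tmp
    tmp=$(mktemp -d)
    comm -23 "$before" "$after" | cut -d' ' -f6- | sort > "$tmp/gone"  # removed or changed
    comm -13 "$before" "$after" | cut -d' ' -f6- | sort > "$tmp/new"   # added or changed
    comm -12 "$tmp/gone" "$tmp/new" | sed 's/^/MODIFIED /'
    comm -23 "$tmp/gone" "$tmp/new" | sed 's/^/REMOVED  /'
    comm -13 "$tmp/gone" "$tmp/new" | sed 's/^/ADDED    /'
    rm -rf "$tmp"
}

# demo: build a constructed throwaway tree, snapshot it, simulate what a patch
# run might do, snapshot again and print the differences.
demo() {
    local root before after
    root=$(mktemp -d); before=$(mktemp); after=$(mktemp)
    mkdir -p "$root/etc" "$root/bin"
    printf 'root:x:0:0::/root:/bin/bash\n' > "$root/etc/passwd"  # constructed sample data
    printf '#!/bin/sh\necho hi\n' > "$root/bin/tool"
    printf 'keep\n' > "$root/etc/stable.conf"
    printf 'still here\n' > "$root/etc/untouched.conf"
    snapshot "$root" "$before"

    printf 'root:x:0:0::/root:/bin/bash\nnew:x:1000:1000::/home/new:/bin/sh\n' \
        > "$root/etc/passwd"                 # content changed
    chmod 700 "$root/bin/tool"               # mode changed, content identical
    printf 'x=1\n' > "$root/etc/extra.conf"  # file added
    rm "$root/etc/stable.conf"               # file removed
    snapshot "$root" "$after"

    compare "$before" "$after"               # untouched.conf is not reported
    rm -rf "$root" "$before" "$after"
}
```

For real use, call `snapshot / /var/tmp/before.txt` ahead of the patch run and `snapshot / /var/tmp/after.txt` afterwards, then `compare` the two; the manifests should live off the filesystem being measured so they do not show up in their own diff.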