I have a server that is undergoing some patching soon and would like to make note of any files that have changed after the patching is complete. Can you recommend a tool that uses md5sum snapshots to do a quick before and after test, showing anything that's changed on a particular file system?
Aide
It is included in CentOS 5.
Regards, Tim
On Wed, Jun 3, 2009 at 11:18 PM, Sean Carolan scarolan@gmail.com wrote:
I have a server that is undergoing some patching soon and would like to make note of any files that have changed after the patching is complete. Can you recommend a tool that uses md5sum snapshots to do a quick before and after test, showing anything that's changed on a particular file system?
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
Sean Carolan wrote:
I have a server that is undergoing some patching soon and would like to make note of any files that have changed after the patching is complete. Can you recommend a tool that uses md5sum snapshots to do a quick before and after test, showing anything that's changed on a particular file system?
I always like brute force - and the ability to undo things... If you have space somewhere to rsync (-aH) a backup copy of the filesystems before the changes, repeating the rsync with -aHvn --delete, (don't forget that -n) will show what is different afterwards.
On Wed, Jun 03, 2009 at 04:51:53PM -0500, Les Mikesell wrote:
Sean Carolan wrote:
I have a server that is undergoing some patching soon and would like to make note of any files that have changed after the patching is complete. Can you recommend a tool that uses md5sum snapshots to do a quick before and after test, showing anything that's changed on a particular file system?
I always like brute force - and the ability to undo things... If you have space somewhere to rsync (-aH) a backup copy of the filesystems before the changes, repeating the rsync with -aHvn --delete, (don't forget that -n) will show what is different afterwards.
I am looking at Aide mentioned by a previous reply because I do not know the details of how it works. On first glance I should be running it... Add tripwire to the list of tools too.
Brute force will not work for a lot of objects. Consider that "prelink" can change the MD5sum of many objects and cause false triggers for rsync and other simple tools.
Tools like aide and tripwire will find ALL the changes from the update so the number of changes may be very large depending on the patching process. In looking at aide while typing it is also clear to me that any interesting tool must also track file+dir ownership, file+dir permissions, SELinux context as well if the job is to be done correctly. Context for each file, each user and the policy itself.
It is quite easy to find / -type f and build your own list of md5 checksums. No scripting will be needed to check it. See the --check flag for md5sum and also use split to build smaller chunks.
$ md5sum /etc/passwd > /tmp/foo
$ md5sum -c /tmp/foo
/etc/passwd: OK

$ find /etc -type f -print0 | xargs -0 md5sum > /tmp/foo
$ md5sum --check /tmp/foo
$ md5sum --check /tmp/foo | egrep -v "\ OK$"
Interesting tools should also look for 'extra' files.
RPM is not too bad for some checks.
rpm -qVa
And
find / -type f | ----slice and dice---| rpm -qf
Something like this might be important... in all $PATH areas etc... along the lines of...
# touch /tmp/isthisownedbyapackage
# rpm -qf /tmp/isthisownedbyapackage
file /tmp/isthisownedbyapackage is not owned by any package
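Added example, not part of the thread or of any tool named in it: a snapshot/compare pair along the lines discussed above, recording mode and owner next to the checksum and reporting extra and removed files as well as changed ones. It uses sha256sum in place of md5sum, does not record SELinux context, and assumes GNU find/stat and file names without tabs or newlines; the function names `snapshot` and `compare` are made up here.

```sh
#!/bin/sh
# Added example: before/after manifest of a directory tree (not from the thread).
# Record format, tab-separated: path, "mode owner:group", SHA-256 of the content.
# Assumes GNU find/stat/sha256sum and file names without tabs or newlines.

# snapshot DIR  -> manifest on stdout, sorted by path
snapshot() {
    find "$1" -xdev -type f -exec sh -c '
        for f in "$@"; do
            sum=$(sha256sum < "$f" | cut -d" " -f1)
            printf "%s\t%s\t%s\n" "$f" "$(stat -c "%a %U:%G" "$f")" "$sum"
        done' sh {} + | LC_ALL=C sort
}

# compare BEFORE AFTER  -> "<kind><TAB><path>" per difference, where kind is
# added (extra file), removed, content (hash differs) or metadata (mode/owner only)
compare() {
    awk -F'\t' '
        FILENAME == ARGV[1] { meta[$1] = $2; sum[$1] = $3; next }
        !($1 in sum)        { print "added\t" $1; next }
        # "" forces string comparison; an all-digit hash must not compare as a number
        (sum[$1] "") != ($3 "")        { print "content\t" $1 }
        (sum[$1] "") == ($3 "") && meta[$1] != $2 { print "metadata\t" $1 }
        { delete sum[$1] }
        END { for (p in sum) print "removed\t" p }
    ' "$1" "$2" | LC_ALL=C sort
}

# Usage: snapshot /etc > /root/etc.before ; patch ; snapshot /etc > /root/etc.after
#        compare /root/etc.before /root/etc.after
```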
Nifty Cluster Mitch wrote:
I have a server that is undergoing some patching soon and would like to make note of any files that have changed after the patching is complete. Can you recommend a tool that uses md5sum snapshots to do a quick before and after test, showing anything that's changed on a particular file system?
I always like brute force - and the ability to undo things... If you have space somewhere to rsync (-aH) a backup copy of the filesystems before the changes, repeating the rsync with -aHvn --delete, (don't forget that -n) will show what is different afterwards.
I am looking at Aide mentioned by a previous reply because I do not know the details of how it works. On first glance I should be running it... Add tripwire to the list of tools too.
Brute force will not work for a lot of objects. Consider that "prelink" can change the MD5sum of many objects and cause false triggers for rsync and other simple tools.
Tools like aide and tripwire will find ALL the changes from the update so the number of changes may be very large depending on the patching process. In looking at aide while typing it is also clear to me that any interesting tool must also track file+dir ownership, file+dir permissions, SELinux context as well if the job is to be done correctly. Context for each file, each user and the policy itself.
It is quite easy to find / -type f and build your own list of md5 checksums. No scripting will be needed to check it. See the --check flag for md5sum and also use split to build smaller chunks.
$ md5sum /etc/passwd > /tmp/foo
$ md5sum -c /tmp/foo
/etc/passwd: OK
$ find /etc -type f -print0 | xargs -0 md5sum > /tmp/foo
$ md5sum --check /tmp/foo
$ md5sum --check /tmp/foo | egrep -v "\ OK$"
Interesting tools should also look for 'extra' files.
RPM is not too bad for some checks.
rpm -qVa
And
find / -type f | ----slice and dice---| rpm -qf
Something like this might be important... in all $PATH areas etc... along the lines of...
# touch /tmp/isthisownedbyapackage
# rpm -qf /tmp/isthisownedbyapackage
file /tmp/isthisownedbyapackage is not owned by any package
If you are going to that much work, maybe you have found a tool to track configuration changes too. I'd like to find some sane way to have a master starting config (probably all of /etc) checked into subversion or a similar tool, then be able to treat any number of similar machines as branches with an easy way to diff either points in time on one machine or between different machines. Knowing if changes were the result of local edits or package updates would be a plus, but not absolutely necessary.
On 06/03/2009 10:51 PM, Les Mikesell wrote:
I always like brute force - and the ability to undo things... If you have space somewhere to rsync (-aH) a backup copy of the filesystems before the changes, repeating the rsync with -aHvn --delete, (don't forget that -n) will show what is different afterwards.
An LVM snapshot might be a better way to achieve this (and cheaper) if you have the capability; just remember to have space for the COW delta, and plan how long you want to keep the snapshot around.
On Wed, Jun 3, 2009 at 10:18 PM, Sean Carolan scarolan@gmail.com wrote:
I have a server that is undergoing some patching soon and would like to make note of any files that have changed after the patching is complete. Can you recommend a tool that uses md5sum snapshots to do a quick before and after test, showing anything that's changed on a particular file system?
Simple but effective:
find . -type f -exec md5sum {} \; | sort > /tmp/previous
Do the same after with a different file name and use diff
Cheers Didi
On Wed, Jun 3, 2009 at 3:18 PM, Sean Carolan scarolan@gmail.com wrote:
I have a server that is undergoing some patching soon and would like to make note of any files that have changed after the patching is complete. Can you recommend a tool that uses md5sum snapshots to do a quick before and after test, showing anything that's changed on a particular file system?
I use md5deep for that. http://md5deep.sourceforge.net/. aide is useful for particular files you are going to keep track of over a long time (doing daily checks etc).
md5deep/aide/etc will break if you have prelink turned on.. especially if you are doing updates. prelink sort of moves around library pointers in the binary which changes the checksums. rpm is smart enough to deal with this and aide is getting that smarts.. but not with the shipped version.
Stephen John Smoogen wrote:
On Wed, Jun 3, 2009 at 3:18 PM, Sean Carolan scarolan@gmail.com wrote:
I have a server that is undergoing some patching soon and would like to make note of any files that have changed after the patching is complete. Can you recommend a tool that uses md5sum snapshots to do a quick before and after test, showing anything that's changed on a particular file system?
I use md5deep for that. http://md5deep.sourceforge.net/. aide is useful for particular files you are going to keep track of over a long time (doing daily checks etc).
md5deep/aide/etc will break if you have prelink turned on.. especially if you are doing updates. prelink sort of moves around library pointers in the binary which changes the checksums. rpm is smart enough to deal with this and aide is getting that smarts.. but not with the shipped version.
How much of a gain do you get from prelink anyway? I suppose it also breaks the way backuppc does pooling of identical files where if you update a library all of the files linking to it would change and require new backup instances to be saved.
On 06/04/2009 11:17 PM, Stephen John Smoogen wrote:
md5deep/aide/etc will break if you have prelink turned on..
iirc, aide is prelink aware. And tracks changes to depending lib chains.
On Thu, Jun 4, 2009 at 4:46 PM, Karanbir Singh mail-lists@karan.org wrote:
On 06/04/2009 11:17 PM, Stephen John Smoogen wrote:
md5deep/aide/etc will break if you have prelink turned on..
iirc, aide is prelink aware. And tracks changes to depending lib chains.
The patches for this just went in. The version shipped upstream didn't have the patches when I discussed this with Steve Grubb last year. It may have changed in that time. His statement was to turn off prelink.