[CentOS] Good md5sum snapshot tool?

Thu Jun 4 21:13:54 UTC 2009
Nifty Cluster Mitch <niftycluster at niftyegg.com>

On Wed, Jun 03, 2009 at 04:51:53PM -0500, Les Mikesell wrote:
> Sean Carolan wrote:
> > I have a server that is undergoing some patching soon and would like
> > to make note of any files that have changed after the patching is
> > complete.  Can you recommend a tool that uses md5sum snapshots to do a
> > quick before and after test, showing anything that's changed on a
> > particular file system?
> 
> I always like brute force - and the ability to undo things...  If you 
> have space somewhere to rsync (-aH) a backup copy of the filesystems 
> before the changes, repeating the rsync with -aHvn --delete, (don't 
> forget that -n) will show what is different afterwards.

I am looking at Aide mentioned by a previous reply
because I do not know the details of how it works.
On first glance I should be running it...
Add tripwire to the list of tools too.

Brute force will not work for a lot of objects.
Consider that "prelink" can change the MD5sum of many
objects and cause false triggers for rsync and other
simple tools.

Tools like aide and tripwire will find ALL the changes from the update
so the number of changes may be very large depending on the patching
process.  In looking at aide while typing it is also clear to me that any
interesting tool must also track file+dir ownership, file+dir permissions,
SELinux context as well if the job is to be done correctly.  Context for
each file, each user and the policy itself.

It is quite easy to find / -type f and build your own
list of md5 checksums.   No scripting will be needed to
check it.   See the  --check flag for md5sum
and also use split to build smaller chunks.

    $ md5sum /etc/passwd > /tmp/foo
    $ md5sum -c /tmp/foo
    /etc/passwd: OK

    $ find /etc -type f -print0 | xargs -0 md5sum > /tmp/foo
    $ md5sum --check  /tmp/foo 
    $ md5sum --check  /tmp/foo | egrep -v "\ OK$"

Interesting tools should also look for 'extra' files.

RPM is not too bad for some checks.

  rpm -qVa

And

  find / -type f -print0 | xargs -0 rpm -qf | grep 'not owned by any package'

Something like this might be important... in all $PATH areas etc...
along the lines of...
  # touch /tmp/isthisownedbyapackage
  # rpm -qf /tmp/isthisownedbyapackage
  file /tmp/isthisownedbyapackage is not owned by any package



-- 
	T o m  M i t c h e l l 
	Found me a new hat, now what?
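A script form of the before/after check described above, covering checksum, ownership, permissions and SELinux context plus extra and removed files; this is an added example, not code from the thread, and it assumes GNU coreutils (md5sum, stat, join) as shipped on CentOS. The demo_report function builds its own constructed tree under mktemp.

```shell
#!/bin/sh
# Added example: snapshot a tree recording per-file md5, mode, owner, group and
# SELinux context, then diff two snapshots to list MODIFIED (content), META
# (ownership/permissions/context), ADDED and REMOVED files.
# Assumes GNU coreutils (md5sum, stat, sort, join); %C prints "?" without SELinux.
TAB=$(printf '\t')

# snapshot DIR OUT: one line per regular file: path<TAB>md5<TAB>mode owner group context
snapshot() {
    ( cd "$1" && find . -xdev -type f -exec sh -c '
        for f; do
            sum=$(md5sum "$f" | cut -d" " -f1)
            printf "%s\t%s\t%s\n" "$f" "$sum" "$(stat -c "%a %U %G %C" "$f")"
        done' sh {} + ) | LC_ALL=C sort > "$2"
}

# report BEFORE AFTER: one line per difference between two snapshot files
report() {
    LC_ALL=C join -t "$TAB" -v1 "$1" "$2" | cut -f1 | sed 's/^/REMOVED /'
    LC_ALL=C join -t "$TAB" -v2 "$1" "$2" | cut -f1 | sed 's/^/ADDED /'
    # paths present in both: compare the checksum first, then the metadata field
    LC_ALL=C join -t "$TAB" "$1" "$2" |
        awk -F "$TAB" '$2 != $4 { print "MODIFIED", $1; next }
                       $3 != $5 { print "META", $1 }'
}

# demo_report: constructed tree exercising every kind of change; prints the report
demo_report() {
    base=$(mktemp -d)
    mkdir -p "$base/etc"
    echo 'root:x:0:0' > "$base/etc/passwd"
    echo 'setting = 1' > "$base/etc/app.conf"
    echo 'obsolete' > "$base/etc/old.conf"
    chmod 644 "$base/etc/passwd"
    snapshot "$base" "$base.before"
    echo 'setting = 2' > "$base/etc/app.conf"   # content change
    chmod 600 "$base/etc/passwd"                # permission change only
    rm "$base/etc/old.conf"                     # removed file
    echo 'x' > "$base/etc/dropped.sh"           # extra file not in the baseline
    snapshot "$base" "$base.after"
    report "$base.before" "$base.after"
    rm -rf "$base" "$base.before" "$base.after"
}
```

Run `demo_report` to see the four difference lines; for a real host, call `snapshot / before.txt` before patching and `report before.txt after.txt` afterwards.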