find changes in config files (debian/ubuntu)

11 Feb

want to know which files in /etc have been changed on your debian-like Linux system?

one part can be done with the package debsums, which compares the md5sums delivered with a debian-package with those of the current files:

$ sudo debsums -a -s
debsums: checksum mismatch apache2.2-common file /etc/apache2/sites-available/default
debsums: checksum mismatch apache2.2-common file /etc/apache2/ports.conf

Note 1: this does NOT cover configuration files that are not part of the .deb-package itself, e.g. those manually created by a user AND as well those built by a package’s configuration/post-install scripts. You have been warned!

Note 2: debsums can give hints about a compromised system, but it’s absolutely no guarantee that a non-suspicious output comes from a clean system – if the system’s compromised, an attacker could as well change the md5sums-database of a package (residing in /var/lib/dpkg/info/PKGNAME.md5sums)

Leave a Reply

Your email address will not be published. Required fields are marked *