8

After installing an update or a new package, there seems to be no standardized way to explore the changes made to the file system. A simple utility creating a file list of the whole system before and after installing something would help a lot, since diffing the two file lists would reveal the changes made to the file system. It would also be a great tool to detect which config files are modified by a particular GUI settings panel. What's the most effective way to solve this problem?

Thanks for your help.

  • This concept is handy for creating multi-stage Docker images where complex install scripts set up multiple pieces of software. – Geordie Oct 28 '19 at 21:45

7 Answers

10

Most package managers will tell you exactly what files they installed:

dpkg -L <pkgname>
rpm -ql <pkgname>

This won't, however, tell you anything about modifications their postinstall scripts may have made. I would argue that actually trying to diff a filesystem snapshot after install is overkill. There are a number of tools for tracking file access that may be of help.

  • InstallWatch will track filesystem changes during an install.
  • Any host-based intrusion detection system will complain loudly after installing a package. I use samhain.
  • The kernel's audit interface can be set to track this stuff for you.
Insyte
3

How to Set Up and Use Tripwire.
Tripwire uses a checksum list of critical files to detect intrusions.

You could use something similar (either Tripwire itself or a script that generates checksums of files before and after your change activity).

MD5 checksums are quite fast and already available as md5sum.

nik
3

Find what's been modified:
In addition to what Insyte said, you could also use find to locate files modified in the past, say, 10 minutes:

find / -mmin -10

Revision control:
You could also put /etc under version control with Subversion. Here is a blog entry about that.

Snapshots:
You could also use LVM snapshots; this might be overkill too, however.

Kyle Brandt
1

If you are a Debian/Ubuntu user, try etckeeper.

user16233
1

There are many such utilities. I use afick.

wazoox
  • Not helpful. It only tells us about the changes, but not about which process/user/script did the change – Farhan Oct 16 '12 at 15:33
  • @Farhan "not helpful." is a pretty bold claim. It's a worldwide community. Even if it doesn't answer the OP's exact needs, the OP's needs are the smallest minority of visitors' needs. This is exactly what I was looking for. Unfortunately 90% of the Google results were inotify related and _not helpful_ to me. This is why it's good to give answers that may help people other than the OP. – Bruno Bronosky Oct 02 '17 at 21:45
0

I'll come at this from another angle, since you didn't say exactly how you would be modifying the systems. Depending on your environment, maybe the right solution is not to allow changes to occur on the local system. Using a configuration management system like Puppet in conjunction with revision control, all the changes would be recorded on a central system, and then applied as appropriate.

Chad Huneycutt
0

This is not specific to the OP's question (changes made by a package manager), but I found this utility that helps me know what files have changed system-wide.

I use this because I have a tendency to start with fresh VMs and make lots of changes to build it out like I need. Once complete, I decide if I should create an AWS AMI, or write chef cookbooks/recipes, etc. Sometimes it's a Raspberry Pi and then there is a whole other host of challenges.

What I have found to be the simplest is hashdeep.

Bruno Bronosky