PERFORM FILE SYSTEM VALIDATION WITH RPM

A number of programs exist that perform file system validation. For instance, both the Tripwire and AIDE programs perform comprehensive checks on your system to determine if someone has changed, added, or removed files. Both programs use sophisticated means of determining a file's "identity," including inode data, md5sums, and other hashes.

However, every RPM-based system already features a basic file system integrity checker--the rpm tool itself. Of course, that's not to say that more advanced integrity checkers aren't necessary, particularly when it comes to servers and other critical machines. But on a basic machine where you want to perform a quick validation of the file system, rpm can suffice nicely.

Here's an example:

# rpm -Va

This verifies every file installed as an rpm package on your system. The rpm database keeps information on each file it installs, so it knows if something has changed.

When you run this command, rpm returns a listing of files with codes in front of them that looks something like this:

S.5....T c /etc/sudoers
missing /boot/kernel.h-2.4.18

This obviously tells us that the kernel header file (kernel.h-2.4.18) is missing, and it shows that the sudoers file has changed.

The column of codes is made up of the letters SM5DLUGT; if a letter shows up, it means that the corresponding attribute of the file has changed. Those letters represent Size, Mode, MD5 checksum, Device major and minor numbers, Symlink destination, Owner, Group, and modification Time, respectively. In our example, we can see that the sudoers file has changed size, md5sum value, and modification time since installation.

In addition, note the letter c after the status column; this marks the file as a configuration file. So in this case, you can assume that the reason for the change is that you configured sudoers.
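
As an added example (not part of the original article), the Python code below decodes rpm -Va output using the flag letters listed above and separates changed configuration files from missing files and changed non-configuration files. The sample lines are constructed (the /usr/bin/example-tool entry is invented), and sending everything that is not a changed configuration file to a "review" bucket is this example's assumption.

```python
import re

# Flag letters and meanings as listed in the article (SM5DLUGT).
FLAGS = {"S": "size", "M": "mode", "5": "MD5 checksum", "D": "device numbers",
         "L": "symlink destination", "U": "owner", "G": "group",
         "T": "modification time"}

# "<flags> [attribute marker] <path>", e.g. "S.5....T c /etc/sudoers"
CHANGED = re.compile(r"^(\S{8,})\s+(?:([a-z])\s+)?(/.*)$")
# "missing [attribute marker] <path>"
MISSING = re.compile(r"^missing\s+(?:([a-z])\s+)?(/.*)$")

def parse_line(line):
    """Turn one line of `rpm -Va` output into a dict, or None if unrecognised."""
    line = line.strip()
    m = MISSING.match(line)
    if m:
        return {"path": m.group(2), "config": m.group(1) == "c",
                "missing": True, "changed": []}
    m = CHANGED.match(line)
    if not m:
        return None
    # A dot (or any character not in FLAGS) means that attribute is not reported.
    changed = [FLAGS[ch] for ch in m.group(1) if ch in FLAGS]
    return {"path": m.group(3), "config": m.group(2) == "c",
            "missing": False, "changed": changed}

def triage(lines):
    """Split findings into config-file edits and everything else."""
    report = {"config": [], "review": []}
    for rec in filter(None, map(parse_line, lines)):
        # Assumption of this example: a changed file marked "c" is a likely
        # admin edit; missing files and changed non-config files need a look.
        bucket = "config" if rec["config"] and not rec["missing"] else "review"
        report[bucket].append(rec)
    return report

# Constructed sample: the article's two lines plus one invented binary entry.
SAMPLE = """\
S.5....T c /etc/sudoers
missing /boot/kernel.h-2.4.18
S.5....T /usr/bin/example-tool
"""

if __name__ == "__main__":
    for bucket, recs in triage(SAMPLE.splitlines()).items():
        for r in recs:
            print(bucket, r["path"], "missing" if r["missing"] else r["changed"])
```

On a live system the same functions can be fed the saved output of rpm -Va instead of the constructed sample.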