Keeping track of filesystem changes on Linux

Solution 1:

Most package managers will tell you exactly what files they installed:

dpkg -L <pkgname>
rpm -ql <pkgname>

This won't, however, tell you anything about modifications their postinstall scripts may have made. I would argue that actually trying to diff a filesystem snapshot after install is overkill. There are a number of tools for tracking file access that may be of help.

  • InstallWatch will track filesystem changes during an install.
  • Any host-based intrusion detection system will complain loudly after installing a package. I use samhain.
  • The kernel's audit interface can be set to track this stuff for you.

Solution 2:

How to Set Up and Use Tripwire.
Tripwire uses a checksum list of critical files to detect intrusions.

You could use something similar (either Tripwire itself or a script that generates checksums of files before and after your change activity).

MD5 checksums are quite fast and already available as md5sum.

Solution 3:

Find what's been modified:
In addition to what Instyle said, you could also use find to locate files modified in the past, say, 10 minutes:

find / -mmin -10

Revision control:
You could also put /etc under version control with subversion. Here is a blog entry about that.

Snapshots:
You could also use LVM snapshots; this might be overkill too, however.

Solution 4:

If you are a Debian/Ubuntu user, try etckeeper.