Audit files on a Debian box

All the files installed by a package can be seen by looking at the list cat /var/lib/dpkg/info/*.list. Most packages include md5sums for the file content, which can be seen by looking at cat /var/lib/dpkg/info/*.md5sums. Some packages do not include these sums though.

If you install the package debsums you can run the program like debsums -a; this will check the md5sum of all the installed files and configurations.

Please note that some packages do not install the configuration files or content. Instead these files are created by those packages at install time. These files will not be in the file list associated with the package or the md5sums list. As far as the package system is concerned, these are data files that it doesn't own.

Likewise if that server was to be replaced with a new server, you want to make sure all of the configuration differences (compared to the base install) have been transferred (or ignored if no longer relevant - e.g. a rogue "Port" line being added to sshd_config).

I think you should install the etckeeper package first thing after you install the system. This package basically puts /etc into a version control system of your choosing (I prefer git). With this in place you can see exactly what changed when. It is easy to clone this repository over to a new system and then do diffs against the new system. So you can see exactly what is different between a source and destination system in a single command.
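
The check described in the answer above, written out as an added example (not part of the original post and not how debsums itself is implemented): it walks the *.list and *.md5sums files and reports changed files, missing files and packages that ship no sums. The names audit_dpkg and build_sample and the packages alpha, beta and gamma are hypothetical; the sample tree is constructed so the script runs without touching the real dpkg database.

```shell
#!/bin/sh
# audit_dpkg INFO_DIR [ROOT]: compare files under ROOT with dpkg's records.
# Prints: CHANGED <pkg> <path> | MISSING <pkg> <path> | NOSUMS <pkg>
audit_dpkg() {
    info_dir=$1
    root=${2:-/}
    for list in "$info_dir"/*.list; do
        [ -e "$list" ] || continue
        pkg=$(basename "$list" .list)
        sums="$info_dir/$pkg.md5sums"
        if [ ! -f "$sums" ]; then
            echo "NOSUMS $pkg"      # package ships a file list but no sums
            continue
        fi
        # Each line: "<md5>  <path relative to the filesystem root>"
        while read -r want path; do
            [ -n "$path" ] || continue
            if [ ! -e "$root/$path" ]; then
                echo "MISSING $pkg $path"
                continue
            fi
            have=$(md5sum < "$root/$path" | cut -d' ' -f1)
            [ "$have" = "$want" ] || echo "CHANGED $pkg $path"
        done < "$sums"
    done
}

# Constructed sample: three made-up packages in a scratch tree (assumption).
build_sample() {
    d=$1
    mkdir -p "$d/info" "$d/root/usr/bin" "$d/root/etc"
    echo ok   > "$d/root/usr/bin/alpha"
    echo orig > "$d/root/usr/bin/beta"
    echo data > "$d/root/etc/gamma.conf"
    echo /usr/bin/alpha > "$d/info/alpha.list"
    printf '/usr/bin/beta\n/usr/bin/beta-helper\n' > "$d/info/beta.list"
    echo /etc/gamma.conf > "$d/info/gamma.list"    # gamma ships no md5sums
    (cd "$d/root" && md5sum usr/bin/alpha > ../info/alpha.md5sums)
    (cd "$d/root" && md5sum usr/bin/beta  > ../info/beta.md5sums)
    echo "00000000000000000000000000000000  usr/bin/beta-helper" >> "$d/info/beta.md5sums"
    echo tampered > "$d/root/usr/bin/beta"         # changed after "install"
}

tmp=$(mktemp -d)
build_sample "$tmp"
audit_dpkg "$tmp/info" "$tmp/root"
rm -rf "$tmp"
```

On a real system the call would be audit_dpkg /var/lib/dpkg/info /. Files that packages create at install time are in neither list, so this check does not cover them.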


cruft / etckeeper / debsums

Package: cruft
Description-en: program that finds any cruft built up on your system
 cruft is a program to look over your system for anything that shouldn't
 be there, but is; or for anything that should be there, but isn't..
 It bases most of its results on dpkg's database, as well as a list of
 `extra files' that can appear during the lifetime of various packages.
 cruft is still in pre-release; your assistance in improving its accuracy
 and performance is appreciated.

Package: debsums
Description-en: tool for verification of installed package files against MD5 checksums
 debsums can verify the integrity of installed package files against
 MD5 checksums installed by the package, or generated from a .deb
 archive.

Package: etckeeper
Description-en: store /etc in git, mercurial, bzr or darcs
 The etckeeper program is a tool to let /etc be stored in a git, mercurial,
 bzr or darcs repository. It hooks into APT to automatically commit changes
 made to /etc during package upgrades. It tracks file metadata that version
 control systems do not normally support, but that is important for /etc, such
 as the permissions of /etc/shadow. It's quite modular and configurable, while
 also being simple to use if you understand the basics of working with version
 control.