How to check for modified config files on a Debian system?

To find all Debian-managed configuration files which have been changed from the default, you can use a command like this.

dpkg-query -W -f='${Conffiles}\n' '*' | awk 'OFS="  "{print $2,$1}' | md5sum -c 2>/dev/null | awk -F': ' '$2 !~ /OK/{print $1}'

Edit (works with localized systems):

dpkg-query -W -f='${Conffiles}\n' '*' | awk 'OFS="  "{print $2,$1}' | LANG=C md5sum -c 2>/dev/null | awk -F': ' '$2 !~ /OK/{print $1}' | sort | less

Edit (works with packages with OK in the filename):

dpkg-query -W -f='${Conffiles}\n' '*' | awk 'OFS="  "{print $2,$1}' | LANG=C md5sum -c 2>/dev/null | awk -F': ' '$2 !~ /OK$/{print $1}' | sort | less
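
An added example, not part of the original answers: the one-liners above discard md5sum's error output, so a conffile that is missing or unreadable lands in the same list as one that was edited. This sh function parses the same ${Conffiles} lines and reports the three cases separately; the root-prefix argument, the status words and the sample tree are assumptions made for the example.

```shell
#!/bin/sh
# Added example: classify dpkg conffiles instead of lumping every non-OK line together.
# stdin: lines in dpkg-query's ${Conffiles} format, " /path md5 [obsolete]".
# $1:    optional root prefix (hypothetical parameter, e.g. a mounted image).
# Live use: dpkg-query -W -f='${Conffiles}\n' '*' | check_conffiles
check_conffiles() {
    root=${1:-}
    while IFS= read -r line; do
        line=${line# }                      # entries start with one space
        [ -n "$line" ] || continue          # blank line between packages
        case $line in *" obsolete") line=${line% obsolete} ;; esac
        want=${line##* }                    # last field: recorded MD5
        path=${line% *}                     # the rest: path, spaces preserved
        # Skip entries whose hash field is not a 32-digit hex MD5.
        case $want in *[!0-9a-f]*) continue ;; esac
        [ "${#want}" -eq 32 ] || continue
        if [ ! -e "$root$path" ]; then
            printf 'MISSING %s\n' "$path"
            continue
        fi
        # Unreadable (e.g. not running as root) is not the same as modified.
        if ! have=$(md5sum 2>/dev/null < "$root$path"); then
            printf 'UNREADABLE %s\n' "$path"
            continue
        fi
        have=${have%% *}
        [ "$have" = "$want" ] || printf 'MODIFIED %s\n' "$path"
    done
}

# Constructed sample: a throwaway tree standing in for / and a matching list.
demo() {
    t=$(mktemp -d) && mkdir -p "$t/etc"
    printf 'a\n' > "$t/etc/ok.conf"
    printf 'edited\n' > "$t/etc/changed.conf"
    good=$(md5sum < "$t/etc/ok.conf"); good=${good%% *}
    printf ' /etc/ok.conf %s\n /etc/changed.conf %s\n /etc/gone.conf %s obsolete\n\n' \
        "$good" "$good" "$good" | check_conffiles "$t"
    rm -rf "$t"
}
demo
```

The recorded hashes come from the local dpkg database, so this shows administrator edits and drift from package defaults; it is not evidence against someone who could also rewrite that database.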

From man debsums:

  debsums -ce
          List changed configuration files.

Sorry to necro, but while @naught101's answer was correct for modified files, it didn't help for added files. @Graeme's solution is nice, but depends on etckeeper; I don't want to modify the filesystem.

find /etc -type f | grep -vFf <(debsums -e -r /etc | sed 's/[[:space:]]*OK$//')

Find files in /etc/ that debsums does not report as valid. This means either untracked files or files that are not "OK" (hashes don't match).


I generally like to set up etckeeper on the system pretty much immediately. With something like etckeeper I can find not only when the file is different, but I can actually get a diff of exactly how it is different.

See:

  • Using revision control for server configuration files?
  • What tool do you recommend to track changes on a Linux/Unix server.

Or debsums -e | grep FAILED, which will also show all missing conffiles

(from the debsums package)