A crude system verification method
Suppose that you have a system that you are not entirely confidant of, and you want to look to see if bits of it have been modified from stock. The easiest way is to use your packaging system's verification support, but let us suppose that your package system doesn't have support for this (or at least that the support is optional and not installed at the moment).
If you happen to have another theoretically identical system lying
around (as we do), you can do a crude system verification with rsync
:
rsync -n -a --delete -IOc root@hostA:/usr/ /usr/
Here hostA should be the machine that you want to verify, not the
machine that you want to verify it against. It also assumes that you
can do ssh root logins to hostA.
Some of these options are not obvious; -O
makes rsync
ignore changed
directory times, while -I
and -c
forces rsync
to always checksum
files to check to see if they're different, instead of trusting the size
and the timestamp.
(Package systems generally don't reset the directory modification time
when they update programs in a directory, so directories like /usr/bin
can naturally have different timestamps on different machines. Ignoring
them saves you from drowning in noise.)
This isn't likely to work on Linux machines that use prelinking, because prelinking can create different binaries even on machines with identical package sets.
Disclaimer: as a crude verification method, this should only be used if you are mostly confidant in the system to start with. If you are not, remember the zeroth law of compromised systems.
Comments on this page:
|
|