== A crude system verification method

Suppose that you have a system that you are not entirely confidant
of, and you want to look to see if bits of it have been modified from
stock. The easiest way is to use your [[packaging system's verification
support ../linux/RPMVerificationI]], but let us suppose that your package
system doesn't have support for this (or at least that the support is
optional and not installed at the moment).

If you happen to have another theoretically identical system lying
around (as we do), you can do a crude system verification with _rsync_:

> _rsync -n -a --delete -IOc root@hostA:/usr/ /usr/_

Here hostA should be the machine that you want to verify, not the
machine that you want to verify it against. It also assumes that you
can do ssh root logins to hostA.
Some of these options are not obvious; _-O_ makes _rsync_ ignore changed
directory times, while _-I_ and _-c_ forces _rsync_ to always checksum
files to check to see if they're different, instead of trusting the size
and the timestamp.

(Package systems generally don't reset the directory modification time
when they update programs in a directory, so directories like _/usr/bin_
can naturally have different timestamps on different machines. Ignoring
them saves you from drowning in noise.)

This isn't likely to work on Linux machines that use [[prelinking
../linux/PrelinkingIntro]], because prelinking can create different
binaries even on machines with identical package sets.

Disclaimer: as a crude verification method, this should only be
used if you are mostly confidant in the system to start with. If
you are not, remember the [[zeroth law of compromised systems
CompromisedMachinesLaw]].