Short tip: list of modified RPM packages

If you want a short overview of which files of installed RPM packages have been altered, you probably don’t want to deal with AIDE – a short script should be enough:

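#!/bin/sh
# Verify every installed package against the RPM database.
for i in $(rpm -qa | tr "\n" " ")
do
        # -V verifies the package, -v also lists the files that passed
        RESULT="$(rpm -vV "$i")"
        # a non-zero exit status means at least one file failed verification
        if [ "$?" != "0" ]; then
                echo "$i has been changed:"
                echo "$RESULT"
                echo ""
        fi
done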

Of course you should have a detailed look at the file list – modified files don’t have to be the result of an attack:

rootfiles-8.1-6.1.el6.noarch has been changed:
.........  c /root/.bash_logout
S.5....T.  c /root/.bash_profile
.........  c /root/.bashrc
.........  c /root/.cshrc
.........  c /root/.tcshrc

In this case, the bash profile of root has been modified.
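
To read such a listing faster, the following added example (not part of the original post) decodes the flag column of `rpm -V` output and prints only the files that failed verification. The function names `decode_flags` and `triage_rpm_verify` and the class labels `config` / `non-config` are assumptions of this example; the sample input is the output shown above plus two constructed lines.

```shell
#!/bin/sh
# Added example: triage `rpm -V` / `rpm -vV` output read from stdin.
# Flag columns are S M 5 D L U G T P; "." = test passed, "?" = test could not run.

decode_flags() {
    # $1: nine-character flag field; prints the attributes that differ.
    out=""
    for pair in S:size M:mode 5:digest D:device L:symlink U:owner G:group \
                T:mtime P:capabilities
    do
        case "$1" in
            *"${pair%%:*}"*) out="${out:+$out,}${pair#*:}" ;;
        esac
    done
    printf '%s\n' "${out:-unverified}"
}

triage_rpm_verify() {
    # Prints "class<TAB>path<TAB>changes" for each file that failed verification.
    while read -r flags rest
    do
        case "$flags" in
            .........) continue ;;              # verified, nothing differs
            missing) changes="missing" ;;
            [S.?][M.?][5.?][D.?][L.?][U.?][G.?][T.?][P.?])
                changes=$(decode_flags "$flags") ;;
            *) continue ;;                      # package headings, blank lines
        esac
        case "$rest" in
            [cdglr]" "/*) attr=${rest%% *}; path=${rest#* } ;;
            *) attr=""; path=$rest ;;
        esac
        # Assumption of this example: config files are split out because
        # administrators edit them routinely; everything else is listed apart.
        if [ "$attr" = "c" ]; then class="config"; else class="non-config"; fi
        printf '%s\t%s\t%s\n' "$class" "$path" "$changes"
    done
}

# The page's sample output plus two constructed lines (the last two).
SAMPLE='rootfiles-8.1-6.1.el6.noarch has been changed:
.........  c /root/.bash_logout
S.5....T.  c /root/.bash_profile
.........  c /root/.bashrc
.M...UG..    /usr/bin/example-tool
missing      /usr/share/example/data'

printf '%s\n' "$SAMPLE" | triage_rpm_verify
```

On a real system the output of the script above, or of `rpm -Va`, can be piped into `triage_rpm_verify` in place of the sample.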
