When administering Debian systems, tracking configuration file modifications is crucial for system consistency and security. The package management system maintains pristine copies of configuration files, allowing comparison with current versions.
The most straightforward method involves dpkg-query:
dpkg-query -W -f='${Conffiles}\n' '*' | awk 'OFS=" "{print $2,$1}' | md5sum -c 2>/dev/null | awk -F': ' '$2 !~ /OK/{print $1}'
This command:
- Lists all conffiles from installed packages
- Compares MD5 checksums against package database
- Filters to show only modified files
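The pipeline above reports a conffile that is missing or unreadable the same way as one that was edited, and it ignores the optional obsolete flag at the end of an entry. The shell function below is an added example, not part of the original page, that reads the same dpkg-query output and separates those cases; the function names, state labels and the sample data in demo are constructed for illustration.

```shell
#!/bin/sh
# classify_conffiles reads the output of
#   dpkg-query -W -f='${Conffiles}\n' '*'
# on stdin and prints "STATE path" for every conffile that is not pristine.
classify_conffiles() {
    while IFS= read -r line; do
        line=${line# }                      # each entry starts with one space
        [ -n "$line" ] || continue          # blank line: package has no conffiles
        flag=
        case $line in                       # flag dpkg adds for conffiles no longer shipped
            *" obsolete") flag=obsolete; line=${line% obsolete} ;;
        esac
        sum=${line##* }                     # recorded MD5 is the last field
        path=${line% *}                     # the rest is the path (may contain spaces)
        if [ ! -e "$path" ]; then
            # an obsolete conffile that is gone is expected; anything else is reported
            [ "$flag" = obsolete ] || echo "MISSING $path"
        elif [ ! -r "$path" ]; then
            echo "UNREADABLE $path"         # run as root to check these
        elif [ "$(md5sum < "$path" | cut -d' ' -f1)" != "$sum" ]; then
            echo "MODIFIED${flag:+-OBSOLETE} $path"
        fi
    done
}

# Constructed sample: fake conffiles in a temp dir plus a listing in
# dpkg-query's format, so the function can be exercised without dpkg.
demo() {
    d=$(mktemp -d) || return 1
    printf 'pristine\n' > "$d/ok.conf"
    printf 'edited\n' > "$d/my app.conf"
    ok=$(md5sum < "$d/ok.conf" | cut -d' ' -f1)
    {
        echo " $d/ok.conf $ok"
        echo " $d/my app.conf $ok"          # recorded hash no longer matches
        echo " $d/gone.conf $ok"            # file deleted by the admin
        echo " $d/old.conf $ok obsolete"    # dropped by the package, already removed
        echo                                # package without conffiles
    } | classify_conffiles | sed "s|$d/||"
    rm -rf "$d"
}

# Real use (assumes dpkg is present; run as root so 0600 conffiles are readable):
#   dpkg-query -W -f='${Conffiles}\n' '*' | classify_conffiles
```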
For more comprehensive checking, install and use debsums:
apt install debsums
debsums -ac
Key options:
-a Check all packages
-c Show only changed files
-e Exclude files with expected changes
For deeper verification including permissions and ownership:
dpkg --verify | awk '$2 == "c"'
The output columns represent:
5 = MD5 sum
S = File size
L = Symlink
T = Modification time
D = Device
U = User
G = Group
M = Mode (permissions)
To check specific packages (e.g., nginx):
debsums -s nginx
To generate a report of all modified files:
# Record the current checksum of every conffile that still exists
dpkg-query -W -f='${Conffiles}\n' '*' |
awk 'NF >= 2 {print $1}' |
while IFS= read -r f; do [ -f "$f" ] && md5sum "$f"; done > current.md5
# List the conffiles whose checksum differs from the one dpkg recorded
dpkg-query -W -f='${Conffiles}\n' '*' |
awk 'NF >= 2 {print $2 "  " $1}' |
md5sum -c --quiet 2>/dev/null
Create a cron job for weekly checks:
#!/bin/bash
OUTPUT_FILE="/var/log/config_changes_$(date +%Y%m%d).log"
debsums -ce > "$OUTPUT_FILE"
[ -s "$OUTPUT_FILE" ] && mail -s "Config Changes Detected" admin@example.com < "$OUTPUT_FILE"
For files that change legitimately (like certificates), update their hashes:
dpkg --force-confmiss --configure -a
Or update specific package configuration:
dpkg-reconfigure package_name
Tracking modified configuration files is a common sysadmin task, particularly when troubleshooting or auditing a Debian system. The package manager maintains records of original configuration files, which we can leverage to identify changes.
The most straightforward method uses dpkg-query to compare installed files against their original checksums:
dpkg-query -W -f='${Conffiles}\n' '*' |
awk 'OFS=" "{print $2,$1}' |
md5sum -c 2>/dev/null |
awk -F': ' '$2 !~ /OK/{print $1}'
This pipeline:
- Lists all conffiles from installed packages
- Reformats the output for md5sum
- Verifies checksums
- Filters only modified files
Debian packages store MD5 checksums of configuration files in /var/lib/dpkg/info/<package>.md5sums. The verification process compares these against current files.
For a more user-friendly option, install and use debsums:
apt install debsums
debsums -ac
Key flags:
-a: Check all packages
-c: Only show changed files
-s: Skip missing files
Some files may show as modified when they've actually been legitimately altered by package maintainers. To verify:
apt-get download <package>
dpkg -x <package>.deb /tmp/extract
diff -u /tmp/extract/etc/<config-file> /etc/<config-file>
For production systems, consider setting up regular checks:
#!/bin/bash
MODIFIED=$(mktemp)
dpkg-query -W -f='${Conffiles}\n' '*' |
awk 'OFS=" "{print $2,$1}' |
md5sum -c 2>/dev/null |
awk -F': ' '$2 !~ /OK/{print $1}' > "$MODIFIED"
# Send mail only when at least one modified file was found
if [ -s "$MODIFIED" ]; then
    mail -s "Modified config files on $(hostname)" admin@example.com < "$MODIFIED"
fi
rm -f "$MODIFIED"
For configuration management integration:
# Generate baseline
find /etc -type f -exec md5sum {} + > /var/lib/config-baseline.md5
# Compare later
md5sum -c /var/lib/config-baseline.md5 2>/dev/null | grep -v ": OK"