How to check for modified config files on a Debian system?

Question

How to find all Debian managed configuration files which have been changed from the default?

The question goes here. The answer goes below. – Dennis Williamson Dec 02 '09 at 22:29 — Dennis Williamson, Dec 02 '09 at 22:29
I moved the answer you provided into your answer. – Zoredache Dec 02 '09 at 22:44 — Zoredache, Dec 02 '09 at 22:44

score 91 · Answer 1 · edited Jun 24 '14 at 14:20

91

To find all Debian managed configuration files which have been changed from the default you can use a command like this.

dpkg-query -W -f='${Conffiles}\n' '*' | awk 'OFS="  "{print $2,$1}' | md5sum -c 2>/dev/null | awk -F': ' '$2 !~ /OK/{print $1}'

Edit (works with localized systems):

dpkg-query -W -f='${Conffiles}\n' '*' | awk 'OFS="  "{print $2,$1}' | LANG=C md5sum -c 2>/dev/null | awk -F': ' '$2 !~ /OK/{print $1}' | sort | less

Edit (works with packages with OK in the filename):

dpkg-query -W -f='${Conffiles}\n' '*' | awk 'OFS="  "{print $2,$1}' | LANG=C md5sum -c 2>/dev/null | awk -F': ' '$2 !~ /OK$/{print $1}' | sort | less

edited Jun 24 '14 at 14:20

Community

1

answered Dec 02 '09 at 22:27

malclocke

1,641
1
12
6

Works like charm on Ubuntu 10.4, I would upvote you a thousand times:-) – Ludwig Weinzierl May 02 '10 at 19:30
works great. you could use `md5sum --quiet` though to avoid filtering OK files with `awk` (and thus the localization issues?). By the way: you don't know how to include untracked files within /etc? Like those in /etc/apache2/sites-available for instance? – sfussenegger May 31 '13 at 10:02
1

Would be interesting to know how my answer (`debsums -ec`) actually works, because it seems to get a lot less results than this. – naught101 Jul 21 '13 at 22:59
Also, apparently the only conf files are checked for package versions are then ones that come up in `debsums -ec`: if I use [this method to re-instate package versions](http://superuser.com/a/622367/48920), then some of the files listed via this method aren't changed. – naught101 Jul 21 '13 at 23:20
As an [additional check](https://muzso.hu/2011/09/06/files-to-go-through-after-a-debian-upgrade) to see what config changes might be pending or obsolete `find /etc -type f \( -iname '*.ucf-dist' -o -iname '*.ucf-old' -o -iname '*.dpkg-old' -o -iname '*.dpkg-dist' \) -print | sort` – sphakka Oct 24 '19 at 15:10
This can be nicely combined with https://a3nm.net/git/mybin/file/debdiffconf.html to see our actual changes over those modified configuration files. – Jaime Hablutzel Nov 01 '21 at 04:05

naught101 · Answer 2 · 2013-07-21T10:59:51.677

60

from man debsums:

  debsums -ce
          List changed configuration files.

edited Jul 21 '13 at 10:59

answered Jul 21 '13 at 10:50

naught101

873
8
11

2

This is by far the simplest and best answer. – mfisch Dec 19 '13 at 15:53
2

Only debsums is not installed by default and you may not want to install it. – Alexis Wilke Jul 16 '16 at 21:08
2

@AlexisWilke: it's 218kb and has minimal dependencies... – naught101 Jul 18 '16 at 02:03
Where have you been for the last decade?!?! I used to use rpm -Va on redhat systems a decade ago to do something similar. I've been needing this one. Thanks. – Dan Garthwaite Dec 30 '19 at 16:13

score 12 · Answer 3 · edited Sep 25 '19 at 07:53

12

Sorry to necro, but while @naught101's answer was correct for modified files, it didn't help for added files. @Graeme's solution is nice, but depends on etckeeper; I don't want to modify the filesystem.

find /etc -type f | grep -vFf <(debsums -e -r /etc | sed 's/[[:space:]]*OK$//')

Find files in /etc/ that debsums does not report as valid. This means either untracked files or files that are not "OK" (hashes don't match).

edited Sep 25 '19 at 07:53

Mikko Rantalainen

858
12
27

answered Jan 11 '15 at 22:33

blast_hardcheese

221
2
2

One should also run `debsums --list-missing` to check if one or more packages are missing checksums of included files. Nowadays the output should be empty. – Mikko Rantalainen Sep 22 '19 at 16:53

score 9 · Answer 4 · edited Apr 13 '17 at 12:14

9

I generally like to setup etckeeper on the system pretty much immediately. With something like etckeeper I can find not only when the file is different, but I can actually get a diff of exactly how it is different.

See:

edited Apr 13 '17 at 12:14

Community

1

answered Dec 02 '09 at 22:49

Zoredache

128,755
40
271
413

score 6 · Answer 5 · answered Apr 08 '13 at 15:45

6

Or debsums -e | grep FAILED which will also show all missing conffiles

(from the debsums package)

answered Apr 08 '13 at 15:45

Wookey

61
1
1

score 2 · Answer 6 · answered Jun 28 '18 at 15:37

2

This might be overkill but since somebody mentioned etckeeper and while I was investigating that I came across this other gem that might be more useful if you are attempting to figure out things "after the fact".

http://devstructure.com/blueprint/

Blueprint is a simple configuration management tool that reverse-engineers servers. It figures out what you’ve done manually, stores it locally in a Git repository, generates code that’s able to recreate your efforts, and helps you deploy those changes to production.

answered Jun 28 '18 at 15:37

dragon788

756
6
10

Not clear from their homepage (looks a bit outdated) if Python-3 is supported. Did anybody try? – sphakka Oct 24 '19 at 16:09
Judging from the GitHub repo last being active several years ago I wouldn't bet too much money on it working in Python3 out of the box, but it seems pretty well written, so it might not be a huge amount of effort to add in Python3 support. – dragon788 Oct 24 '19 at 19:24

Graeme · Answer 7 · 2014-02-01T21:32:20.013

This departs a little from the original question in that it will also give ADDED config files as opposed to just those modified. Although files not included in any deb package will also be caught. Both behaviours may well be desirable.

It depends on having used etckeeper with git vcs ideally from the get go, although it should also work if you specifically add and commit previously changed files after the first commit. Note that one gotcha here is that Ubuntu configures etckeeper to use Bazaar by default (Canonical sponsor Bazaar), rather than the git default set by the etckeeper developers.

The idea is to get a list of all commits that aren't made automatically after and apt run. Then list the files changed in all but the very first commit:

filter_sed="/committing changes in \/etc after apt run\$/d"

etckeeper vcs log --oneline |
  sed "$filter_sed; \$d; s/ .*//" |
  xargs etckeeper vcs show --name-only --format=format: |
  sort |
  uniq |
  sed "/^\$/d"

The filter string could also be extended to encompass other commits if they are named consistently. Might be good for installs directly from a deb file or from source code.

A notable file that this picks up for me is my xorg.conf - you currently have to add this to /etc/X11 yourself if you need it. Also my default/grub changes are picked up, it seems this is copied from /usr/share by a post install script rather than being listed as part of a package. If a change has been made to a file like this, dpkg related methods won't reveal it.

FYI, `git log` now has a an `--invert-grep` option which allows filtering out uninteresting commits without the use of `sed`. — Neil Mayhew, Sep 19 '16 at 16:15

How to check for modified config files on a Debian system?

7 Answers7