[ale] Diff the whole file system?

Brian Mathis brian.mathis+ale at betteradmin.com
Fri Mar 23 14:43:54 EDT 2012


On Fri, Mar 23, 2012 at 9:10 AM, James Sumners <james.sumners at gmail.com> wrote:
> I have a situation where I'm being forced to allow a remote installer
> to have root level sudo access to install their company's product
> (don't like it, but it's out of my hands). Technically, I have the
> system set up such that they should not need such access, but I can't
> change the monkey's script. Anyway, I'd like to be able to sort of
> "snapshot" my file system before I let them in so that I can go back
> and look at a before and after difference. Do any of you know of such
> a tool? Could this be done with rsync?
>
> I've read that LVM supports snapshots at the block level. Seeing as
> they are block level snapshots I don't see how that will help me
> figure out what the installer changed. I'd be able to revert the
> changes, but not study them.
>
> James Sumners


The standard RHEL replacement for Tripwire is AIDE.  It's good enough
for detecting what files have changed, but doesn't have diffs.

You mention LVM snapshots, and that's really the best way to go.  You
can take the LVM snapshot and mount it somewhere, then you can do all
your diffs between that and the live filesystem.  LVM snapshots would
be quite useless if there was no ability to access the snapshot in
some way, and they don't require double the disk space like other
methods.

The only issue with LVM snapshots is that you need enough free PEs in
the VG to hold the changes made to the filesystem.  Most OS installers
do not keep any free PEs.  You can view free PEs using 'vgdisplay'.
If you don't have any free, you could shrink an LV to free up some
space, or add an additional disk to the VG.


❧ Brian Mathis
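
The snapshot-then-diff approach described in the message above, as an added example that is not part of the original post. The names fsdiff.sh, snapshot_mount, manifest and tree_diff, the "_pre" snapshot suffix and the /mnt/pre mount point are all assumptions. Besides content it reports mode and owner changes, which a plain recursive diff would not show.

```shell
#!/bin/sh
# Added example (hypothetical script name: fsdiff.sh). Needs GNU find, stat
# and sha256sum, as shipped on RHEL. Assumes no tabs or newlines in file names.

# Snapshot LV $2 in VG $1 with $3 of copy-on-write space and mount it
# read-only at $4. Run as root before the installer starts; the VG needs
# free PEs (check with vgdisplay).
snapshot_mount() {
    lvcreate --snapshot --size "$3" --name "${2}_pre" "/dev/$1/$2" &&
        mkdir -p "$4" && mount -o ro "/dev/$1/${2}_pre" "$4"
}

# One line per entry under $1: path <TAB> mode owner:group <TAB> digest.
# -xdev keeps find on one filesystem, so /proc, /sys and the snapshot
# mount itself are skipped when $1 is /.
manifest() {
    ( cd "$1" || exit 1
      find . -xdev ! -name . -print | LC_ALL=C sort | while IFS= read -r p; do
          sum=-
          if [ -L "$p" ]; then sum="-> $(readlink "$p")"
          elif [ -f "$p" ]; then sum=$(sha256sum < "$p" | cut -d' ' -f1)
          fi
          printf '%s\t%s\t%s\n' "$p" "$(stat -c '%A %U:%G' "$p")" "$sum"
      done )
}

# Compare tree $1 (the mounted snapshot) with tree $2 (the live filesystem).
# Output lines are tagged ADDED, REMOVED, PERMS or CONTENT.
tree_diff() {
    a=$(mktemp) b=$(mktemp)
    manifest "$1" > "$a"; manifest "$2" > "$b"
    awk -F'\t' '
        FILENAME == ARGV[1] { meta[$1] = $2; sum[$1] = $3; next }
        { seen[$1] = 1
          if (!($1 in meta)) { print "ADDED\t" $1 "\t" $2; next }
          if (meta[$1] != $2) print "PERMS\t" $1 "\t" meta[$1] " => " $2
          if (sum[$1] != $3)  print "CONTENT\t" $1 }
        END { for (p in meta) if (!(p in seen)) print "REMOVED\t" p }
    ' "$a" "$b" | LC_ALL=C sort
    rm -f "$a" "$b"
}

# Usage (placeholders): snapshot_mount vg0 root 2G /mnt/pre, let the
# installer run, then: sh fsdiff.sh /mnt/pre /
if [ "$#" -eq 2 ]; then tree_diff "$1" "$2"; fi
```

For any path tagged CONTENT, "diff -u /mnt/pre/PATH /PATH" shows the actual change. When finished, umount the snapshot and remove it with lvremove; a snapshot that fills its copy-on-write space becomes invalid.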


