On Mon, Apr 04, 2022 at 08:32:01AM -0700, Eric Thomas wrote:
> I want to have a high degree of confidence in my system's state
> (packages that have been added, configs that have changed, permissions
> changed, etc). I've read about "read only filesystems" and the
> pros/cons [here](http://geodsoft.com/howto/harden/OpenBSD/no_changes.htm).
> 
> Aside from that, is there a way to...
> 
> 1. ...hash the file system in some way and monitor for changes? OR
> 2. ...somehow review changes that have taken place (a log somewhere)?
> 
> The goal is to concretely know whether the state of the system has
> changed, then point to what EXACTLY has changed.
> 
> Anyone doing something similar?

Yes, in fact, *everyone* else is. /etc/changelist lists files that are
monitored. You will get an email if they change, e.g., if a program
surprisingly becomes setuid.

I imagine that this is documented someplace.
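A minimal version of that checklist idea, as an added example and not OpenBSD's own security(8)/changelist(5) code: it hashes and stats every file named in a list, then diffs two snapshots so a modified, newly setuid or deleted file is pointed at by name. It assumes sha256sum (GNU) or sha256 (OpenBSD) plus a GNU or BSD stat on PATH, and list entries without whitespace.

```shell
#!/bin/sh
# Changelist-style integrity check (added example, not OpenBSD's script).
# Assumes: sha256sum or sha256, GNU or BSD stat, paths without whitespace.

# Digest one file, preferring GNU sha256sum and falling back to BSD sha256.
file_digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        sha256 -q "$1"
    fi
}

# Octal mode (including setuid/setgid bits) and owner, GNU stat then BSD stat.
file_mode_owner() {
    stat -c '%a:%U' "$1" 2>/dev/null || stat -f '%Mp%Lp:%Su' "$1"
}

# Print one "path digest mode:owner" line per path listed in $1 (blank lines
# and '#' comments skipped). A listed file that no longer exists is recorded
# as MISSING so that its deletion shows up as a change as well.
snapshot() {
    while IFS= read -r path; do
        case "$path" in ''|'#'*) continue ;; esac
        if [ -f "$path" ]; then
            printf '%s %s %s\n' "$path" "$(file_digest "$path")" \
                "$(file_mode_owner "$path")"
        else
            printf '%s MISSING\n' "$path"
        fi
    done < "$1" | sort
}

# Compare baseline snapshot $1 with current snapshot $2 and name each
# difference: CHANGED (content, mode or owner differs, or file went missing),
# NEW (path not in the baseline), GONE (path dropped from the list).
compare() {
    awk 'NR == FNR { old[$1] = $0; next }
         {
             if (!($1 in old)) print "NEW " $1
             else if (old[$1] != $0) print "CHANGED " $1
             delete old[$1]
         }
         END { for (p in old) print "GONE " p }' "$1" "$2"
}
```

Run `snapshot /etc/changelist > baseline` once, then `snapshot /etc/changelist > now && compare baseline now` from cron and mail whatever it prints.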
