Is there any sensible way to diff two filesystems?
On occasion, you have a box that is working, and, say, perform an update and it no longer works. You have dozens of other machines that are (theoretically) identical, save for user data [and information tied to the specific hardware, and, say, ssh keys and so on]. Is there any way to determine what is different between the failed machine and one of the good machines?
I've tried mounting volumes and running ls -l or md5deep and recording the results and diffing that. Heck, I've even tried mounting two filesystems and just plain diffing them (with a graphical tool, mind you). The results have not been as useful as I'd expect.
Part of me wonders about having a database of files on each machine and what their md5sums are, with a cron job to update it on occasion, but I'm not even sure that would be as useful in practice as it sounds in theory.
So, is there any sensible way to diff two filesystems (or even, diff one filesystem against itself at a different time)?
Use rsync with --dry-run option. For monitoring local changes, use tripwire.
There is a tool called fsdiff [I could not find the homepage] that will compare a filesystem to its transcript. A free, multi-platform tool called radmind includes it and claims,
What if someone installs a malicious kernel module, how would AIDE, Radmind or Tripwire detect those changes? I would think offline diffs would be the only way to highlight those issues.
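An added example, not code from any of the posters above: a sketch of the per-machine checksum manifest the question describes, run offline against two mounted trees as the last comment suggests. It uses SHA-256 rather than md5sums and also compares mode and ownership; the `EXCLUDE` list, the function names and the sample trees are assumptions made for illustration.

```python
import hashlib, os, stat, tempfile

# Assumed host-specific paths to ignore (POSIX, relative to the mount point).
EXCLUDE = ("etc/ssh", "etc/machine-id", "home")

def _skipped(rel, exclude):
    return any(rel == e or rel.startswith(e + "/") for e in exclude)

def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def manifest(root, exclude=EXCLUDE):
    """Map relative path -> (mode string, uid, gid, sha256 or symlink target)."""
    entries = {}
    for dirpath, dirnames, filenames in os.walk(root):
        base = os.path.relpath(dirpath, root)
        rel = lambda n: os.path.normpath(os.path.join(base, n))
        # Prune excluded directories so os.walk never descends into them.
        dirnames[:] = [d for d in dirnames if not _skipped(rel(d), exclude)]
        for name in dirnames + filenames:
            r = rel(name)
            if _skipped(r, exclude):
                continue
            full = os.path.join(root, r)
            st = os.lstat(full)  # lstat: record symlinks, never follow them
            content = ("-> " + os.readlink(full) if stat.S_ISLNK(st.st_mode)
                       else _sha256(full) if stat.S_ISREG(st.st_mode) else "")
            entries[r] = (stat.filemode(st.st_mode), st.st_uid, st.st_gid, content)
    return entries

def diff(good, bad):
    # Status is relative to the known-good manifest.
    status = lambda p: "missing" if p not in bad else "extra" if p not in good else "changed"
    return [(status(p), p) for p in sorted(good.keys() | bad.keys()) if good.get(p) != bad.get(p)]

def demo():
    """Constructed sample trees standing in for a good and a failed volume."""
    base = {"etc/app.conf": b"mode=safe\n", "etc/ssh/host_key": b"k1", "lib/modules/x.ko": b"A"}
    changes = {"etc/ssh/host_key": b"k2", "lib/modules/x.ko": b"B", "lib/modules/extra.ko": b"C"}
    roots = tempfile.mkdtemp(), tempfile.mkdtemp()
    for root, files in zip(roots, (base, {**base, **changes})):
        for rel, data in files.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
    os.chmod(os.path.join(roots[1], "etc/app.conf"), 0o755)  # permission-only change
    return diff(manifest(roots[0]), manifest(roots[1]))
```

On real hosts, call `manifest()` on each read-only mount point and pass the two results to `diff()`; the differing SSH host key in the sample is suppressed by `EXCLUDE`, while the permission-only change is still reported.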