← Articles

How to Check Configuration File Changes

How to Check Configuration File Changes

Need to check configuration file changes on your Linux server? Want to monitor config file modifications, detect unauthorized changes, and track configuration history? This guide shows you how to check configuration file changes using built-in commands and automated monitoring with Zuzia.app.

For comprehensive configuration monitoring strategies, see Server Configuration Drift Monitoring Guide. For troubleshooting configuration issues, see Configuration Drift Causing Issues.

Why Checking Configuration Changes Matters

Configuration files control system and application behavior. When configuration files change unexpectedly, services can malfunction, security settings can be altered, and system behavior can change. Checking configuration file changes helps you detect unauthorized modifications, track configuration history, maintain configuration integrity, and ensure configurations remain correct.

Method 1: Check File Modification Times

Check file modification times to detect when files were changed:

View File Modification Times

# Check file modification time
stat /etc/ssh/sshd_config

# View modification time for config files
find /etc -type f -mtime -1 -ls

# Check for recently modified files
find /etc -type f -newer /tmp/reference-time -ls

# View configuration file history
ls -lt /etc/ssh/ | head -10

Detect Recent Changes

# Find recently modified config files
find /etc -type f -mtime -1

# Check for files modified today
find /etc -type f -newermt "$(date +%Y-%m-%d)" -ls

# View modification times
stat /etc/ssh/sshd_config /etc/nginx/nginx.conf | grep Modify

Method 2: Compare Configuration Files

Compare configuration files with previous versions to detect changes:

Compare with Previous Versions

# Compare current config with previous
diff /etc/ssh/sshd_config /backup/sshd_config.baseline

# Compare multiple config files
diff -r /etc/nginx/ /backup/nginx-baseline/

# Check for configuration differences
diff /etc/ssh/sshd_config /backup/sshd_config.baseline | head -20

# Compare with last known good state
diff /etc/ssh/sshd_config /backup/sshd_config-$(date +%Y%m%d).txt

Detect Configuration Changes

# Check if config matches expected configuration
diff /etc/ssh/sshd_config /policies/ssh-policy.conf

# Verify configuration consistency
md5sum /etc/ssh/sshd_config /backup/sshd_config.baseline

# Check for unexpected modifications
find /etc -type f -newer /tmp/last-check -exec diff {} /backup/{}.baseline \;

Method 3: Monitor Configuration File Integrity

Monitor configuration file integrity to detect unauthorized changes:

Check File Checksums

# View file checksums
md5sum /etc/ssh/sshd_config

# Compare checksums
md5sum /etc/ssh/sshd_config /backup/sshd_config.baseline

# Verify configuration file integrity
md5sum -c /backup/config-checksums.txt

# Track checksum changes
md5sum /etc/ssh/sshd_config > /tmp/checksum-current.txt
diff /tmp/checksum-baseline.txt /tmp/checksum-current.txt

Use AIDE for File Integrity

# Check for configuration changes
sudo aide --check

# Update AIDE database after authorized changes
sudo aide --update

# Verify file integrity
sudo aide --check | grep -i "changed\|added\|removed"

Method 4: Automated Configuration Change Monitoring with Zuzia.app

While manual configuration checks work for audits, production Linux servers require automated configuration change monitoring that continuously tracks file modifications, detects unauthorized changes, and alerts you when configurations are altered.

How Zuzia.app Configuration Change Monitoring Works

Zuzia.app automatically monitors configuration files through scheduled command execution and file comparison. The platform checks file modification times, compares with baselines, detects changes, and sends alerts when modifications are detected.

Setting Up Configuration Change Monitoring

  1. Add Scheduled Task for File Monitoring

    • Command: find /etc -type f -mtime -1 | wc -l
    • Frequency: Every 6 hours
    • Alert when: Configuration files modified
  2. Configure Critical File Monitoring

    • Command: md5sum /etc/ssh/sshd_config /etc/sudoers | diff - /backup/config-checksums.txt
    • Frequency: Every 12 hours
    • Alert when: Critical files changed
  3. Set Up Configuration Comparison

    • Command: diff /etc/ssh/sshd_config /backup/sshd_config.baseline | head -20
    • Frequency: Once daily
    • Alert when: Configuration differences detected

Custom Configuration Monitoring Commands

Add these commands as scheduled tasks:

# Check for configuration changes
find /etc -type f -mtime -1

# Compare critical configurations
diff /etc/ssh/sshd_config /backup/sshd_config.baseline

# Verify configuration checksums
md5sum /etc/ssh/sshd_config /etc/sudoers

# Monitor system configuration
sysctl -a | diff - /backup/sysctl-baseline.txt

Best Practices

1. Monitor Configurations Regularly

Use Zuzia.app for continuous configuration monitoring. Set up alerts before configuration issues become critical. Review configuration changes regularly.

2. Maintain Configuration Baselines

Keep accurate configuration baselines. Store baselines in version control. Update baselines when authorized changes occur.

3. Track All Configuration Changes

Monitor all configuration modifications. Track authorized changes. Detect unauthorized changes. Document change procedures.

Troubleshooting

Unauthorized Changes Detected

When unauthorized changes are detected:

  1. Review current configuration: cat /etc/ssh/sshd_config
  2. Compare with baseline: diff /backup/sshd_config.baseline /etc/ssh/sshd_config
  3. Restore from backup if needed: cp /backup/sshd_config.baseline /etc/ssh/sshd_config

Configuration File Modified

When configuration files are modified:

  1. Check modification time: stat /etc/ssh/sshd_config | grep Modify
  2. Review changes: diff /backup/sshd_config.baseline /etc/ssh/sshd_config
  3. Verify changes are authorized
  4. Restore if unauthorized

FAQ

How often should I check configuration file changes?

For production servers, check configuration changes every 6-12 hours. Zuzia.app can check configurations automatically and alert when changes are detected.

What configuration files should I monitor?

Monitor all production configuration files, especially security configurations (SSH, firewall, sudo), service configurations, and application configurations.

Can Zuzia.app detect unauthorized configuration changes?

Yes, Zuzia.app can detect unauthorized changes by comparing current configurations with baselines, monitoring file modifications, tracking configuration checksums, and alerting when changes are detected.

Related guides, recipes, and problems

We use cookies to ensure the proper functioning of our website.