November 18, 2009, 1:16 PM — To get started on the task of determining whether files on your system look the way they did when they were first installed, you should take a look at the /var/sadm/install/contents file on your Solaris system. This file was initially created when your Solaris system was installed and is updated any time you install a new package or remove an old one. As a result, this file contains details about most of the commands and configuration files on your system -- at least all those that arrived as part of the initial OS installation or a package add operation. For files that shouldn't be changing, such as system executables, you can check file sizes and contents as well as permissions and ownership.
Depending on the type of file you're looking at, different information will be stored in the contents file, but most files will look like what I've shown below. In these examples, I've inserted spaces in the system output to align the file information for the two files -- /usr/bin/date and /etc/inet/hosts -- with the field descriptors to make it a little easier to identify what is what:
                 +-- file type
                 |
path             f  class  mode  owner  group  size   cksum  modtime     package
/usr/bin/date    f  none   0555  root   bin    11056  63512  1106444884  SUNWcsu

path             e  class  mode  owner  group  size   cksum  modtime     package
/etc/inet/hosts  e  hosts  0444  root   sys    61     4625   1204210814  SUNWcsr
The lines shown above indicate that the two files are of different file "classes" as far as the system is concerned. A file in the class "f" is a standard executable. Class "e" files are editable files, expected to change size after installation.
If we now compare the current state of the two files with the data from the /var/sadm/install/contents file, we can see that the date command still matches its original sum while the hosts file has grown.
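The comparison described above can be scripted. The following is an added example, not code from the original article: it parses "f" and "e" lines in the format shown and reports which recorded attributes no longer match the file on disk. It assumes the cksum field is the 16-bit System V checksum printed by the Solaris sum command; the function names, the root parameter and the 4-byte sample file are constructed for illustration.

```python
import os, stat, tempfile
from collections import namedtuple

Entry = namedtuple("Entry", "path ftype cls mode owner group size cksum modtime pkgs")

def parse_line(line):
    """Parse an 'f' or 'e' line of the contents file; other line types return None."""
    f = line.split()
    if len(f) < 10 or f[1] not in ("f", "e"):
        return None
    return Entry(f[0], f[1], f[2], int(f[3], 8), f[4], f[5],
                 int(f[6]), int(f[7]), int(f[8]), f[9:])

def sysv_sum(path):
    """16-bit System V checksum (assumed here to be what the cksum field holds)."""
    total = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            total = (total + sum(chunk)) & 0xFFFFFFFF
    r = (total & 0xFFFF) + (total >> 16)
    return (r & 0xFFFF) + (r >> 16)

def check(entry, root="/"):
    """Return the names of recorded attributes that differ from the file on disk."""
    target = os.path.join(root, entry.path.lstrip("/"))
    seen = {"mode": stat.S_IMODE(os.stat(target).st_mode)}
    if entry.ftype == "f":  # 'e' files are expected to change size and content
        seen.update(size=os.stat(target).st_size, cksum=sysv_sum(target))
    return [name for name, value in seen.items() if value != getattr(entry, name)]

def demo():
    """Constructed sample: check a 4-byte file as installed, then after tampering."""
    root = tempfile.mkdtemp()
    target = os.path.join(root, "usr/bin/date")
    os.makedirs(os.path.dirname(target))
    with open(target, "wb") as fh:
        fh.write(b"abc\n")  # byte values sum to 304
    os.chmod(target, 0o555)
    entry = parse_line("/usr/bin/date f none 0555 root bin 4 304 1106444884 SUNWcsu")
    before = check(entry, root)
    os.chmod(target, 0o755)  # tamper: looser mode, one extra byte
    with open(target, "ab") as fh:
        fh.write(b"x")
    return before, check(entry, root)

if __name__ == "__main__":
    print(demo())
```

Owner and group are parsed but not compared here; on a real system they would be checked against the file's uid and gid in the same way.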