Guide · 14.04.26
How to Know What Changed on Your Linux System
A baseline-first workflow to move from uncertainty to evidence-backed change visibility.
Direct Answer
Short answer
If you want to know what changed on Linux, you need a trusted reference and a comparison step. Without both, you can inspect files and logs forever and still miss important context.
The practical sequence is: capture state, explicitly set baseline trust, then compare current state to that baseline. This turns “something feels off” into a concrete drift list you can review. For command-level choice between fast and deep checks, use Preflight vs Compare.
AI Extract
Key takeaway
- When to use this: after installs, automation runs, remote sessions, or any event where unexpected change risk increases.
- What works: baseline + compare + focused triage.
- What fails: ad-hoc spot checks without a trusted reference point.
- This page does not claim: that drift detection alone proves compromise or replaces endpoint protection.
Definitions
Terms that matter for change visibility
- Baseline: an operator-approved reference state.
- Drift: observed differences between current state and baseline.
- Compare: command that computes drift and returns structured output.
- Preflight: quick readiness check, useful before sensitive actions but not a full drift inventory.
Workflow
Run a repeatable baseline-first sequence
auditwalk scan run
auditwalk baseline set --scan-id <scan_id>
auditwalk preflight run
auditwalk compare run --format jsonWhy this order matters:
scan runcaptures observed state facts.baseline setmarks what you explicitly trust as the reference.preflight rungives a fast confidence check before risky actions.compare rungives the full drift set for triage.
Triage
What changed vs what matters
| Drift type | Initial interpretation | Next action |
|---|---|---|
| Expected package/config updates | Likely routine change | Document and keep baseline continuity |
| Unexpected startup/persistence artifacts | Potential high-risk drift | Run deeper compare scope and investigate before proceeding |
| Unknown binaries or scripts in sensitive paths | Unresolved trust condition | Treat as unresolved until validated |
Limits
Avoid false confidence
- Baseline quality matters; a poor baseline makes compare output less useful.
- Compare output needs operator context; “modified” is a signal, not an automatic verdict.
- Use drift evidence as one layer in a broader defensive model, not a standalone guarantee.
Sources
References
Related
Keep reading
Preflight vs Compare: When to Use Each on Linux What to Do After Suspected System Drift System Integrity Monitoring for Individuals and Small TeamsBy: AuditWalk Team · Reviewed: 14.04.26 · Last updated: 14.04.26 · Source class: official standards + product docs