As a consultant, I am often faced with an unfamiliar Linux system (usually RHEL). I always find it useful to understand which files that shipped with rpm packages have been modified, since it is usually a good indicator of what customizations have been performed on the system. To determine the modified files, I simply run:
% rpm -qa | xargs rpm --verify --nomtime | less
# Sample output:
....L... c /etc/pam.d/system-auth
S.5..... c /etc/rc.d/rc.local
S.5..... c /etc/sysctl.conf
S.5..... c /etc/ssh/sshd_config
S.5..... c /etc/updatedb.conf
The following is taken from the rpm man pages (Verify Options section):
c %config configuration file.
d %doc documentation file.
g %ghost file (i.e. the file contents are not
included in the package payload).
l %license license file.
r %readme readme file.
S file Size differs
M Mode differs (includes permissions and file type)
5 MD5 sum differs
D Device major/minor number mismatch
L readLink(2) path mismatch
U User ownership differs
G Group ownership differs
T mTime differs
Using this trick, I can quickly determine what configuration files have been modified as well as any metadata modifications (ownership, link etc.).