[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Watching a directory, was Re: how would you do this?

On Thu, Aug 19, 2021 at 10:45:44PM -0500, David Wright wrote:
> On Thu 19 Aug 2021 at 08:01:24 (-0400), songbird wrote:
> > David Wright wrote:
> > > On Wed 18 Aug 2021 at 20:55:12 (-0400), songbird wrote:
> > >>   let's suppose you have a directory where there are
> > >> various scripts, libraries, programs, data, etc.
> > >> 
> > >>   you want to know exactly which other scripts, libraries,
> > >> etc. use them and to log each caller to know the name so
> > >> it can be tracked down (location would be nice too, but 
> > >> that could be found later if needed).
> > >> 
> > >>   i don't need to keep the information in a database as
> > >> just having the log file will be enough.
> > >> 
> > >>   how would you do this?
> > >> 
> > >>   this isn't a homework assignment i'm just curious how
> > >> easy or hard this would be to accomplish.
> > >
> > > Easy.
> > >
> > > $ inotifywait -m -e access --timefmt "%F %T" --format "%T %f" the-directory/
> > >
> > > To try it, just type in that line, using a sensible directory name.
> > > (The package name to install first is inotify-tools.)
> > >
> > > Change the formats to taste. Pipe into a   while IFS=$'\n' read Filename ; do
> > > loop if you want to do something with the output. See:
> > >
> > >   https://lists.debian.org/debian-user/2021/03/msg01494.html
> > >
> > > for a real script (waiting on close-writeable-file, rather than just
> > > access) that I use a lot for stealing files from FireFox's cache
> > > (~/.cache/mozilla/firefox/foo.bar.profile/cache2/entries/).
> > 
> >   thanks!  very interesting!  :)
> > 
> >   thank you to others who replied also.  :)
> > 
> >   i was wondering if there was a general tool available as on
> > debian-devel they are talking about usr-merge and if there was a
> > simple way to find out who's using /bin and such instead of 
> > /usr/bin,
> 
> No, that's a different problem. My solution addresses a directory,
> hence the change in Subject line. You'd have to dive deeper into
> inotify and inotify_add_watch, to see whether you can specify the
> inode of the /bin symlink separately from that for /usr/bin.
> 
> $ ls -Glidg /bin /usr/bin
>     12 lrwxrwxrwx 1     7 Apr  3  2020 /bin -> usr/bin
> 261634 drwxr-xr-x 2 69632 Aug 11 19:10 /usr/bin
> $ 
> 
> > but also the idea of being able to set up a honeypot
> > on your own system and see if any programs or processes you 
> > haven't done yourself are accessing it.  might give you a
> > warning of being hacked, but of course there are other things
> > going on in a system which you expect to access things so it
> > is an interesting way to find out what is happening...
> > 
> >   after many years and a lot of different things being set up
> > i think it is a good idea to keep an eye on what is happening.
> > especially with how things are going these days.
> 
> Cheers,
> David.
> 

There is an "auditd" package - a Red Hat origin tool/subsystem. It's available
on Bullseye, but, I have not tried it recently. It might be what you are looking
for.

Regards,
didar

--
Reply to: