Jim K wrote,
>Just a thought, is there any command that would show what program had
>last accessed a file?
No. The closest you can get is probably to run your suspicious software
under the control of strace or something similar. This will report all
system calls made by the process, including attempts to open files. (I
believe this was exactly how Skype's suspicious behavior was discovered.)

If you have kernel 2.6.13 or later, there is a set of system calls known
collectively as "inotify", which provide a way for programs to monitor
files and receive notification whenever somebody does something to a
monitored file (such as try to read from it). This could be used to write
a program to raise an alarm whenever something reads from /etc/passwd.

Unfortunately, my system (Slackware 11, which shipped with a 2.4 kernel)
includes no such software, nor any easy way to write such software (the
necessary header files and libc support are missing). Newer distros
might not be crippled like this... if anybody out there knows of a decent
user interface for inotify, this would be an ideal occasion to mention it.
- Neil Parker
_______________________________________________
EUGLUG mailing list
[email protected]
http://www.euglug.org/mailman/listinfo/euglug
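The "raise an alarm whenever something reads from /etc/passwd" idea in Neil's reply, written out as an added example (this is not code from the original message or from the list). It uses the Linux inotify calls he mentions (`inotify_init1`, `inotify_add_watch`, `read` on the inotify descriptor) and needs the `<sys/inotify.h>` header that his Slackware 11 box lacked. The `observe_file` helper, the two probes, `make_sample_file` (which writes a constructed passwd-style line to a temp file, since the kernel only reports IN_ACCESS when `read()` actually returns bytes) and the `demo_*` functions are all names chosen for this example; `main` watches a path given on the command line, defaulting to /etc/passwd, and prints an alert each time the file is read.

```c
/* Added example, not from the original post: a minimal inotify read-alarm.
   All helper names and the sample-file contents are constructed for the demo.
   Needs Linux 2.6.13+ for inotify and glibc support for inotify_init1(). */
#define _GNU_SOURCE
#include <fcntl.h>
#include <poll.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/inotify.h>

/* Drain queued inotify events and return the OR of their mask bits.
   Waits up to timeout_ms (-1 = forever) for the first event, then reads
   only what is already queued. */
static uint32_t collect_events(int ifd, int timeout_ms) {
    char buf[4096] __attribute__((aligned(8)));   /* events are variable-length */
    uint32_t seen = 0;
    struct pollfd pfd = { .fd = ifd, .events = POLLIN };
    while (poll(&pfd, 1, timeout_ms) > 0) {
        ssize_t n = read(ifd, buf, sizeof buf);
        if (n <= 0) break;
        for (char *p = buf; p < buf + n; ) {
            const struct inotify_event *ev = (const struct inotify_event *)p;
            seen |= ev->mask;
            p += sizeof *ev + ev->len;           /* skip optional name field */
        }
        timeout_ms = 0;
    }
    return seen;
}

/* Watch `path`, run `probe(path)` (something that touches the file), and
   return the inotify mask observed. IN_ACCESS means the file was read. */
uint32_t observe_file(const char *path, void (*probe)(const char *)) {
    int ifd = inotify_init1(IN_NONBLOCK);
    if (ifd < 0) return 0;
    int wd = inotify_add_watch(ifd, path, IN_OPEN | IN_ACCESS | IN_MODIFY);
    if (wd < 0) { close(ifd); return 0; }
    probe(path);
    uint32_t mask = collect_events(ifd, 1000);
    inotify_rm_watch(ifd, wd);
    close(ifd);
    return mask;
}

/* Probe: open and read the whole file, as a program reading /etc/passwd would. */
void read_probe(const char *path) {
    char tmp[256];
    int fd = open(path, O_RDONLY);
    if (fd < 0) return;
    while (read(fd, tmp, sizeof tmp) > 0) { }
    close(fd);
}

/* Probe: append a line, i.e. a write rather than a read. */
void write_probe(const char *path) {
    static const char line[] = "demo:x:1000:1000::/home/demo:/bin/sh\n"; /* constructed */
    int fd = open(path, O_WRONLY | O_APPEND);
    if (fd < 0) return;
    if (write(fd, line, sizeof line - 1) < 0) perror("write");
    close(fd);
}

/* Create a throwaway file with one constructed passwd-style line. The file must
   be non-empty: the kernel raises IN_ACCESS only when read() returns data.
   Returns a malloc'd path, or NULL on failure. */
char *make_sample_file(void) {
    static const char content[] = "root:x:0:0:root:/root:/bin/sh\n"; /* constructed */
    char *path = strdup("/tmp/inotify-demo-XXXXXX");
    int fd = path ? mkstemp(path) : -1;
    if (fd < 0) { free(path); return NULL; }
    if (write(fd, content, sizeof content - 1) < 0) { close(fd); unlink(path); free(path); return NULL; }
    close(fd);
    return path;
}

/* 1 if a read of a fresh sample file shows up as IN_ACCESS (and not IN_MODIFY). */
int demo_read_detected(void) {
    char *path = make_sample_file();
    if (!path) return 0;
    uint32_t m = observe_file(path, read_probe);
    unlink(path); free(path);
    return (m & IN_ACCESS) && !(m & IN_MODIFY);
}

/* 1 if a write shows up as IN_MODIFY and is not mistaken for a read. */
int demo_write_detected(void) {
    char *path = make_sample_file();
    if (!path) return 0;
    uint32_t m = observe_file(path, write_probe);
    unlink(path); free(path);
    return (m & IN_MODIFY) && !(m & IN_ACCESS);
}

/* Stand-alone use: ./inotify-alarm [path]; blocks and prints an alert per read. */
int main(int argc, char **argv) {
    const char *target = argc > 1 ? argv[1] : "/etc/passwd";
    int ifd = inotify_init1(0);
    if (ifd < 0 || inotify_add_watch(ifd, target, IN_ACCESS) < 0) { perror(target); return 1; }
    printf("watching %s; run something that reads it\n", target);
    for (;;) {
        if (collect_events(ifd, -1) & IN_ACCESS) printf("ALERT: %s was read\n", target);
    }
}
```

Note that inotify tells you *that* the file was read, not *which* process read it; the event carries no PID. To answer Jim's original question you still pair the alarm with strace (or the newer fanotify interface, which does report the accessing PID, though it is not what this post discusses). Watching only IN_ACCESS in `main` also avoids noise from utilities that open a file without reading it.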