On Wed, 09 Aug 2006 14:15:13 +1200 Christopher Sawtell <[EMAIL PROTECTED]> wrote:
> On Wednesday 09 August 2006 13:34, Steve Holdoway wrote:
> > On Wed, 09 Aug 2006 13:17:11 +1200
> >
> > Phill Coxon <[EMAIL PROTECTED]> wrote:
> > [ ... ]
> >
> > > Which leads to a second question:
> > >
> > > ** Is there any way to monitor a file and log which processes or
> > > scripts access and / or modify it?
> > >
> > > Thanks!
> >
> > One I didn't mention last night... fcheck. If your distro doesn't
> > support it, then there's always
> > http://www.geocities.com/fcheck2000/FCheck_2.07.59.tar.gz
> Don't you have to have a pristine system to start from, a bit like
> Tripwire?

Not really - it monitors changes in files, so any starting point will be a start. e.g. ... one of my entries

    PROGRESS: validating integrity of /etc/
    STATUS:
            WARNING: [server] /etc/mail/trusted-users
            [Times: Jun 02 02:18 2006 - Jul 16 20:33 2006, GIDs: 0 - 1002]

At least it gives you an idea of when it's happening, which is an improvement.

>
> > Steve
> > PS. Yes, you're right to be paranoid (:
> Indeed!!
>
> Also look at the inotify kernel facility.
> file:///usr/src/linux/Documentation/filesystems/inotify.txt
> http://www.linuxjournal.com/article/8478
>
> Pity you haven't got root privs. Can't do much along this particular road
> without them.
>
> --
> CS

If you've got physical access, we can fix that... (:
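
The baseline-and-compare idea behind the fcheck entry quoted above, as an added example that is not part of the original thread and is not fcheck's own code. The function names snapshot, compare and report are hypothetical; like the entry above, it shows what changed and when, not which process made the change.

```python
import hashlib
import os
import stat
import time

def snapshot(root):
    """Record mtime, owner, group, mode and SHA-256 for each regular file under root."""
    base = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets and device nodes
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            base[path] = {"mtime": int(st.st_mtime), "uid": st.st_uid,
                          "gid": st.st_gid, "mode": stat.S_IMODE(st.st_mode),
                          "sha256": digest}
    return base

def compare(old, new):
    """Return (path, field, old_value, new_value) tuples, ordered by path."""
    findings = []
    for path in sorted(set(old) | set(new)):
        if path not in new:
            findings.append((path, "deleted", None, None))
        elif path not in old:
            findings.append((path, "added", None, None))
        else:
            for field in ("mtime", "uid", "gid", "mode", "sha256"):
                if old[path][field] != new[path][field]:
                    findings.append((path, field, old[path][field], new[path][field]))
    return findings

def report(findings):
    """Format findings as one warning line each."""
    lines = []
    for path, field, a, b in findings:
        if field in ("added", "deleted"):
            lines.append(f"WARNING: {path} [{field}]")
            continue
        if field == "mtime":
            a, b = (time.strftime("%b %d %H:%M %Y", time.localtime(t)) for t in (a, b))
        elif field == "mode":
            a, b = oct(a), oct(b)
        lines.append(f"WARNING: {path} [{field}: {a} - {b}]")
    return lines
```

The dictionary returned by snapshot can be saved with json.dump and reloaded for the next run; keep the saved copy somewhere the monitored account cannot write to.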
