Checking modification dates and inode numbers

The only way to know if someone has been in your system is to check for changes.

By Aeleen Frisch

Unless your hacker likes to make himself known, the only way to know if someone has been in your system is to check for changes. In this tip from Essential System Administration, O'Reilly and Associates, Aeleen Frisch advises where to look for system alterations.

If you want to perform more careful monitoring of the system files, you should compare not only file ownership and protection, but also modification dates and inode numbers. For these two items you can use the ls command with the options -lsid on the files and directories you want to watch. These options display each file's inode number, size (in both blocks and bytes), owners, protection modes, modification date, and name. For example:

$ ls -lsid /etc/rc*
690 3 -rwxr-xr-x 1 root root 1324 Mar 20 12:58 /etc/rc0
691 4 -rwxr-xr-x 1 root root 1655 Mar 20 12:58 /etc/rc2
692 1 drwxr-xr-x 2 root root  272 Jul 22 07:33 /etc/rc2.d
704 2 -rwxr-xr-x 1 root root  874 Mar 20 12:58 /etc/rc3
705 1 drwxr-xr-x 2 root root   32 Mar 13 16:14 /etc/rc3.d

The -d option allows the information on directories themselves to be displayed, rather than listing their contents.

If you check this data regularly, comparing it against a previously saved file of the expected output, you will catch any changes very quickly and it will be more difficult for someone to modify any file without detection (although, unfortunately, far from impossible -- rigging file modification times is not really very hard). This method inevitably requires that you update the saved data file every time you make a change yourself, or you will have to wade through lots of false positives when examining the output. As always, it is important that the data file be kept in a secure location to prevent it from being modified.
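The baseline-and-compare routine described above, as an added example that is not code from the article or from the book: fs_snapshot records the same fields ls -lsid shows (inode, size, mode, owners, modification time) and fs_compare reports what differs from a saved baseline. It goes one step beyond the text by also recording ctime, the inode change time, which touch cannot backdate; it assumes GNU stat on Linux and path names without whitespace.

```shell
#!/bin/sh
# Added example (not from the article or the book): snapshot the metadata
# ls -lsid shows and compare it against a saved baseline.
# Assumes GNU stat (Linux) and path names without whitespace.

# One line per path: inode size mode owner group mtime ctime path.
# Like ls -d, stat reports a directory itself rather than its contents.
# ctime is the addition: touch can backdate mtime, but the kernel sets ctime
# itself whenever an inode changes, so a backdated file still shows a fresh ctime.
fs_snapshot() {
    stat -c '%i %s %A %U %G %Y %Z %n' "$@"
}

# Usage: fs_compare BASELINE_FILE PATH...
# Prints MISSING / MODIFIED / NEW lines; returns 0 only when nothing differs.
fs_compare() {
    baseline=$1; shift
    [ -s "$baseline" ] || { echo "fs_compare: empty baseline" >&2; return 2; }
    # awk reads the baseline first (NR == FNR), then the fresh snapshot from
    # stdin ("-"), keying both by the path in the last field.
    fs_snapshot "$@" 2>/dev/null | awk '
        NR == FNR { before[$NF] = $0; next }
                  { after[$NF]  = $0 }
        END {
            for (p in before) {
                if (!(p in after))              { print "MISSING  " p; rc = 1 }
                else if (before[p] != after[p]) {
                    print "MODIFIED " p
                    print "  was: " before[p]
                    print "  now: " after[p]
                    rc = 1
                }
            }
            for (p in after)
                if (!(p in before))             { print "NEW      " p; rc = 1 }
            exit rc
        }' "$baseline" -
}

# Typical use: save a baseline once from a known-good state, e.g.
#   fs_snapshot /etc/rc* > /secure/location/rc.baseline
# then run fs_compare from cron, and refresh the baseline after every
# intentional change so the output is not buried in false positives.
```

The baseline file must live somewhere the monitored system cannot rewrite, since the check is only as trustworthy as the copy it compares against.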

Related book

Essential System Administration, Second Edition
Author: Aeleen Frisch
Publisher: O'Reilly & Associates
ISBN: 1565921275
Cover type: Soft cover
Pages: 788
Published: Sept. 1995

Summary: Essential System Administration takes an in-depth look at the fundamentals of UNIX system administration in a real-world, heterogeneous environment. Whether you are a beginner or an experienced administrator, you'll quickly be able to apply its principles and advice to your everyday problems.

This was first published in February 2001