By Aeleen Frisch
Unless your hacker likes to make himself known, the only way to know if someone has been in your system is to check for changes. In this tip from Essential System Administration, O'Reilly and Associates, Aeleen Frisch advises where to look for system alterations.
If you want to perform more careful monitoring of the system files, you should compare not only file ownership and protection, but also modification dates and inode numbers. For these two items you can use the ls command with the options -lsid on the relevant files and directories. These options display the file's inode number, size (in both blocks and bytes), owner and group, protection modes, modification date and name. For example:
$ ls -lsid /etc/rc*
690 3 -rwxr-xr-x 1 root root 1324 Mar 20 12:58 /etc/rc0
691 4 -rwxr-xr-x 1 root root 1655 Mar 20 12:58 /etc/rc2
692 1 drwxr-xr-x 2 root root 272 Jul 22 07:33 /etc/rc2.d
704 2 -rwxr-xr-x 1 root root 874 Mar 20 12:58 /etc/rc3
705 1 drwxr-xr-x 2 root root 32 Mar 13 16:14 /etc/rc3.d
The -d option allows the information on directories themselves to be displayed, rather than listing their contents.
If you check this data regularly, comparing it against a previously saved file of the expected output, you will catch any changes very quickly and it will be more difficult for someone to modify any file without detection (although, unfortunately, far from impossible -- rigging file modification times is not really very hard). This method inevitably requires that you update the saved data file every time you make a change yourself, or you will have to wade through lots of false positives when examining the output. As always, it is important that the data file be kept in a secure location to prevent it from being modified.
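The baseline-and-compare routine described above, automated as an added example (not the book's own code). Since the text notes that modification times can be rigged, it also keeps a per-file content checksum, which a reset timestamp does not fix up; it assumes a POSIX shell with ls, diff and cksum, and the rc0/rc2 files it builds are constructed scratch copies, not the real ones.

```shell
# Added example (not the book's own code): automate the ls -lsid baseline
# check described above and, because modification times can be forged, keep
# a content checksum as well. Assumes a POSIX shell with ls, diff and cksum.

# Write the expected ls -lsid output for the given paths to BASELINE.
# Keep BASELINE where only you can write it, or an intruder can just update it.
save_baseline() {
    baseline=$1; shift
    ls -lsid "$@" > "$baseline"
}

# Compare live ls -lsid output with BASELINE (inode, mode, owner, size, mtime).
# Returns 0 if identical, 1 (and prints the diff) if anything changed.
check_baseline() {
    baseline=$1; shift
    current=$(mktemp) || return 2
    ls -lsid "$@" > "$current"
    if diff "$baseline" "$current"; then rm -f "$current"; return 0; fi
    rm -f "$current"; return 1
}

# Same idea for contents: a reset mtime does not restore the old checksum.
# cksum is used only because it is POSIX; it is a CRC, so prefer sha256sum.
save_checksums() {
    baseline=$1; shift
    cksum "$@" > "$baseline"
}

check_checksums() {
    baseline=$1; shift
    current=$(mktemp) || return 2
    cksum "$@" > "$current"
    if diff "$baseline" "$current"; then rm -f "$current"; return 0; fi
    rm -f "$current"; return 1
}

# Demonstration on constructed files in a scratch directory (not real rc files).
demo() {
    dir=$(mktemp -d) || return 2
    printf 'PATH=/sbin:/bin\n' > "$dir/rc0"
    printf 'start daemons\n' > "$dir/rc2"
    save_baseline  "$dir/meta.base" "$dir/rc0" "$dir/rc2"
    save_checksums "$dir/sum.base"  "$dir/rc0" "$dir/rc2"
    echo 'extra line' >> "$dir/rc2"   # simulate an unauthorized edit
    check_baseline  "$dir/meta.base" "$dir/rc0" "$dir/rc2" || echo "metadata changed"
    check_checksums "$dir/sum.base"  "$dir/rc0" "$dir/rc2" || echo "content changed"
    rm -rf "$dir"
}
demo
```

Run the save_* functions once after each change you make yourself, exactly as the text advises, and the check_* functions from cron against a baseline stored off the monitored host.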
Related book: Essential System Administration, Second Edition
Author: Aeleen Frisch
Publisher: O'Reilly & Associates
ISBN/CODE: 1565921275
Cover Type: Soft Cover
Pages: 788
Published: Sept. 1995
Essential System Administration takes an in-depth look at the fundamentals of UNIX system administration in a real-world, heterogeneous environment. Whether you are a beginner or an experienced administrator, you'll quickly be able to apply its principles and advice to your everyday problems.