Checking modification dates and inode numbers

Checking modification dates and inode numbers
By Aeleen Frisch

Unless your hacker likes to make himself known, the only way to know if someone has been in your system is to check for changes. In this tip from Essential System Administration, O'Reilly and Associates, Aeleen Frisch advises where to look for system alterations.

If you want to perform more careful monitoring of the system files, you should compare not only file ownership and protection, but also modification dates and inode numbers. For these two items you can use the ls command with the options -lsid for the application files and directories. These options display the file's inode number, size (in both blocks and bytes), owners, protection modes, modification date and name. For example:

$ ls -lsid /ect/rc*

690 3 -rwxr-xr-x 1 root root 1324 Mar 20 12:58 /etc/rc0

691 4 -rwxr-xr-x 1 root root 1655 Mar 20 12:58 /etc/rc2

692 1 drwxr-xr-x 2 root root 272 Jul 22 07:33 /etc/rc2.d

704 2 -rwxr-xr-x 1 root root 874 Mar 20 12:58 /etc/rc3

705 1 drwxr-xr-x 2 root root 32 Mar 13 16:14 /etc/rc3.d

The -d option allows the information on directories themselves to be displayed, rather than listing their contents.

If you check this data regularly, comparing it against a previously saved file of the expected output, you will catch any changes very quickly and it will be more difficult for someone

    Requires Free Membership to View

    Login

to modify any file without detection (although, unfortunately, far from impossible -- rigging file modification times is not really very hard). This method inevitably requires that you update the saved data file every time you make a change yourself, or you will have to wade through lots of false positives when examining the output. As always, it is important that the data file be kept in a secure location to prevent it from being modified.

Related book

Essential System Administration, Second Edition
Author : Aeleen Frisch
Publisher : O'Reilly & Associates
ISBN/CODE : 1565921275
Cover Type : Soft Cover
Pages : 788
Published : Sept. 1995
Summary:
Essential System Administration takes an in-depth look at the fundamentals of UNIX system administration in a real-world, heterogeneous environment. Whether you are a beginner or an experienced administrator, you'll quickly be able to apply its principles and advice to your everyday problems.


This was first published in February 2001

Join the conversationComment

Share
Comments

    Results

    Contribute to the conversation

    All fields are required. Comments will appear at the bottom of the article.

    Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.

    Back to top