
Checking modification dates and inode numbers

The only way to know if someone has been in your system is to check for changes.

By Aeleen Frisch

Unless your hacker likes to make himself known, the only way to know if someone has been in your system is to check for changes. In this tip from Essential System Administration, O'Reilly and Associates, Aeleen Frisch advises where to look for system alterations.

If you want to perform more careful monitoring of the system files, you should compare not only file ownership and protection, but also modification dates and inode numbers. For these two items you can use the ls command with the options -lsid for the application files and directories. These options display the file's inode number, size (in both blocks and bytes), owners, protection modes, modification date and name. For example:

$ ls -lsid /etc/rc*
690 3 -rwxr-xr-x 1 root root 1324 Mar 20 12:58 /etc/rc0
691 4 -rwxr-xr-x 1 root root 1655 Mar 20 12:58 /etc/rc2
692 1 drwxr-xr-x 2 root root  272 Jul 22 07:33 /etc/rc2.d
704 2 -rwxr-xr-x 1 root root  874 Mar 20 12:58 /etc/rc3
705 1 drwxr-xr-x 2 root root   32 Mar 13 16:14 /etc/rc3.d

The -d option allows the information on directories themselves to be displayed, rather than listing their contents.

If you check this data regularly, comparing it against a previously saved file of the expected output, you will catch any changes very quickly and it will be more difficult for someone to modify any file without detection (although, unfortunately, far from impossible -- rigging file modification times is not really very hard). This method inevitably requires that you update the saved data file every time you make a change yourself, or you will have to wade through lots of false positives when examining the output. As always, it is important that the data file be kept in a secure location to prevent it from being modified.
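The save-and-compare routine the tip describes, written out as a small POSIX shell script. This is an added example, not code from the book or from the original page; the script name sysfile_check.sh and the function names are illustrative. It records the ls -lsid listing for a set of paths exactly as shown above, and, going one step beyond the tip's text, also records the ls -lsidc listing (the inode change time, ctime), because touch(1) can backdate a modification time but not a change time: the kernel updates ctime whenever the inode itself is written, so only a clock change or raw disk access can forge it.

```shell
#!/bin/sh
# Added example (not from the book): record a baseline of `ls -lsid` output
# for a set of system files and compare later runs against it.
# Usage: sysfile_check.sh snapshot BASELINE PATH...
#        sysfile_check.sh compare  BASELINE PATH...
# The script and function names are illustrative, not an existing tool.

# Print the listing that is saved and compared: inode, blocks, mode, links,
# owner, group, bytes, time and name for each path (-d keeps directories
# themselves rather than their contents). The first block shows mtime, as
# in the tip; the second (-c) shows ctime, which touch(1) cannot backdate
# because the kernel rewrites it whenever the inode itself changes.
sysfile_listing() {
    ls -lsid "$@"
    ls -lsidc "$@"
}

# Save the current listing for PATH... into BASELINE. Keep BASELINE where
# the monitored system cannot write to it (read-only media, another host).
sysfile_snapshot() {
    baseline=$1; shift
    sysfile_listing "$@" > "$baseline"
}

# Compare the current listing for PATH... with BASELINE. Prints each changed
# entry as an expected/found pair; returns 0 if identical, 1 if anything
# differs, 2 if no scratch file could be created.
sysfile_compare() {
    baseline=$1; shift
    current=$(mktemp) || return 2
    sysfile_listing "$@" > "$current"
    if diff "$baseline" "$current" > /dev/null; then
        rm -f "$current"
        return 0
    fi
    echo "WARNING: monitored files differ from baseline $baseline"
    diff "$baseline" "$current" | sed -n 's/^< /expected: /p; s/^> /found:    /p'
    rm -f "$current"
    return 1
}

# Command-line dispatcher. With no arguments the file only defines the
# functions above, so it can also be sourced from another script.
case "${1:-}" in
    snapshot) shift; sysfile_snapshot "$@" ;;
    compare)  shift; sysfile_compare "$@" ;;
    "")       ;;
    *)        echo "usage: $0 snapshot|compare BASELINE PATH..." >&2; exit 2 ;;
esac
```

Run "sysfile_check.sh snapshot /secure/rc.baseline /etc/rc*" once after a deliberate change, then "sysfile_check.sh compare /secure/rc.baseline /etc/rc*" from cron; a non-zero exit is the alert. Every legitimate edit of a monitored file still requires a fresh snapshot, as the tip warns, otherwise the expected/found output fills with false positives.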

Related book

Essential System Administration, Second Edition
Author : Aeleen Frisch
Publisher : O'Reilly & Associates
ISBN/CODE : 1565921275
Cover Type : Soft Cover
Pages : 788
Published : Sept. 1995
Essential System Administration takes an in-depth look at the fundamentals of UNIX system administration in a real-world, heterogeneous environment. Whether you are a beginner or an experienced administrator, you'll quickly be able to apply its principles and advice to your everyday problems.

This was last published in February 2001
