Re: [cobalt-developers] Recommendation for UNIX utilities to find the differences from one snapshot of the filesystem at a point in time to another.
- From: Michael Stauber <devel@xxxxxxxxxxxxxx>
- Date: Mon Sep 22 23:44:00 2003
- Organization: SOLARSPEED.NET
- List-id: Discussion Forum for developers on Sun Cobalt Networks products <cobalt-developers.list.cobalt.com>
> Why not just use find and make the search be based on date stamp.
>
> find / -ctime 2 -print
>
> will find all files changed 48 hours (2 days) ago.
That is a good approach, but a properly configured Tripwire or Fcheck will
report only changes to relevant parts of the filesystem. Changes in
directories attributed to the OS (/bin, /sbin, /usr, /lib and so on) are
usually more suspicious than changes in /home/sites or /tmp.
Properly configured, a tool like Tripwire or Fcheck will email you once
relevant parts of the filesystem change. Imagine such a tool emails you that
/sbin/init (for example) has been changed all of a sudden. You haven't
installed any patches, nor did you change /sbin/init yourself. So you
instantly know that your box is in trouble.
With the "find" command you could also spot the change, but only if you
already expected trouble and knew what to look for.
--
With best regards,
Michael Stauber
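The baseline-and-compare idea behind Tripwire and Fcheck, as an added example written for this page (it is neither tool's code, nor anything from the thread): a policy maps filesystem prefixes to a severity, a snapshot records a content hash and ownership/mode for every file outside the ignored subtrees, and a later snapshot is diffed against the baseline so that a swapped /sbin/init is reported while churn in /tmp and /home/sites is not. The policy table, severity names and the demo tree with its stand-in /sbin/init are constructed for the demonstration; a real deployment would scan from / as root, keep the baseline on read-only media, and also track mtime, ctime, inode and link count.

```python
"""Minimal file-integrity checker in the spirit of Tripwire/Fcheck (illustrative, not their code)."""
import hashlib
import os
import tempfile

# Constructed policy: OS directories are critical, /etc a warning, noisy trees ignored.
# Paths are relative to the scanned root so the demo can run in a temporary tree.
POLICY = {
    "bin": "critical", "sbin": "critical", "lib": "critical", "usr": "critical",
    "etc": "warning",
    "tmp": "ignore", "home/sites": "ignore",
}
RANK = {"critical": 0, "warning": 1, "info": 2}
# Attributes compared per file; a production policy would add mtime, ctime, inode, nlink.
FIELDS = ("sha256", "size", "mode", "uid", "gid")


def severity(relpath):
    """Longest matching policy prefix wins (so home/sites overrides an entry for home)."""
    best = None
    for prefix, level in POLICY.items():
        if relpath == prefix or relpath.startswith(prefix + "/"):
            if best is None or len(prefix) > len(best[0]):
                best = (prefix, level)
    return best[1] if best else "info"


def file_record(path):
    """Hash the contents and capture the metadata an attacker would have to preserve."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = os.lstat(path)
    return {"sha256": h.hexdigest(), "size": st.st_size, "mode": st.st_mode,
            "uid": st.st_uid, "gid": st.st_gid}


def snapshot(root):
    """Walk root, prune ignored subtrees, return {relative path: record} for regular files."""
    records = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        if severity(rel_dir) == "ignore":
            dirnames[:] = []          # do not descend into /tmp, /home/sites, ...
            continue
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue              # demo tracks regular files only
            records[os.path.relpath(full, root).replace(os.sep, "/")] = file_record(full)
    return records


def compare(baseline, current):
    """Return (severity, kind, path, differing fields) tuples, most severe first."""
    findings = []
    for path in set(current) - set(baseline):
        findings.append((severity(path), "added", path, []))
    for path in set(baseline) - set(current):
        findings.append((severity(path), "removed", path, []))
    for path in set(baseline) & set(current):
        diff = [f for f in FIELDS if baseline[path][f] != current[path][f]]
        if diff:
            findings.append((severity(path), "changed", path, diff))
    return sorted(findings, key=lambda f: (RANK[f[0]], f[2]))


def demo():
    """Constructed scenario: /sbin/init replaced while /tmp and /home/sites see normal activity."""
    with tempfile.TemporaryDirectory() as root:
        for d in ("bin", "sbin", "lib", "usr", "etc", "tmp", "home/sites"):
            os.makedirs(os.path.join(root, d))
        init = os.path.join(root, "sbin", "init")
        with open(init, "wb") as f:
            f.write(b"#!/bin/sh\nexec /sbin/real-init\n")      # stand-in for /sbin/init
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"ls binary stand-in")
        baseline = snapshot(root)                              # would be stored read-only

        # Intruder swaps /sbin/init; users keep writing to /tmp and /home/sites.
        with open(init, "wb") as f:
            f.write(b"#!/bin/sh\n/usr/local/.hidden/backdoor &\nexec /sbin/real-init\n")
        with open(os.path.join(root, "tmp", "session"), "wb") as f:
            f.write(b"scratch")
        with open(os.path.join(root, "home", "sites", "index.html"), "wb") as f:
            f.write(b"<html>")
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for sev, kind, path, fields in demo():
        print(f"[{sev}] {kind}: /{path} {' '.join(fields)}")
```

Run it and only `/sbin/init` is reported, with the hash and size as the attributes that moved; the scratch file in /tmp and the new page in /home/sites never enter the snapshot because their subtrees are pruned. Anything not named in the policy still gets recorded at "info" level, so the checker errs on the side of reporting rather than silently skipping an unlisted directory.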