Track file changes to help with system recovery UNIX
With the recent advent of a possible Mac OS X virus (or trojan, depending on who you ask) many OS X users are wondering how safe they really are. Those "infected" by the so-called virus are currently clueless as to what the virus has really done. Luckily, UNIX has a tool that may help find it.

The du command (disk usage) is capable of printing out a list of all the files on your Mac. Redirecting its output, you basically have a giant log of all of your files at any given time. If you do this on a regular basis, and compare the old with the new, you can suddenly see what has changed (i.e., where is the virus?).

So, to do this, I whipped up a little shell script. Note that I am not great with scripts, but I have tested this, and it works for me (on at least 10.4). Make a script called duscript.sh, and save it in your Home directory. This is the script:
#!/bin/sh
cd /

du > ~/duLog-`date +%Y%m%d` &
Make sure to make the file executable by typing chmod +x duscript.sh. Then, add the file to cron. I used CronniX to do this.

In CronniX, choose File: Open System Crontab. Then, click the New button in the main window. Click the Expert tab. In the text boxes below, set it to run however often you want. I have mine run every day, at 6 PM. For Day, Day of Week, and Month, I have it set to *, and for hour, 18. You can set it to run however often you want. Then click the Browse button and select your script.

That should do it for you. The script will run in the background on your specified terms, and it will give you logs to work with if (heaven forbid) you need to clean up from a virus.

[robg adds: While this works, it will generate very large files. In a test on my G5, I wound up with a file that was nearly 20MB in size and took about 15 minutes to execute. Comparing two such files won't be very pleasant, even using FileMerge or diff.

However, given the recent activities in the malware/trojan area, I think that discussing ways to track changes to your system is an important topic. Read the rest of the hint for my thoughts on one alternative method of tracking such changes...

Instead of simply logging every file on your system, you can create a log that shows only modified (as in changed, or brand new) files. Here's the basic idea in a script:
#!/bin/sh
cd /

sudo find . -type f -mtime -1 > ~/Desktop/ModFiles-`date +%Y%m%d`.txt
The above command will search from the top-level directory down (find .), looking for files (-type f) that have been modified in the last day (-mtime -1). It then writes that list of files out to a datestamped file on your desktop. The end result is a much smaller file, and one that doesn't need to be compared with anything. Instead, you can just scan it for suspicious activity.

However, the above is still far from perfect. There are many directories (the Mail messages folders, cache folders) that you could skip, as these change very often and probably won't ever contain any damaging code. Modifying the command to exclude these directories should be possible, but I haven't spent any time on doing so.

So how about it? What are some other options for tracking changed files on your Mac?]

Track file changes to help with system recovery | 13 comments
Track file changes to help with system recovery
Authored by: dbs on Feb 22, '06 08:17:01AM

You've basically invented a simplified version of tripwire. Tripwire monitors critical parts of your system for changes (additions/removals/modifications) and alerts you as to what's happening. It's generally a pain to set up, but it will tell you when a file is modified, even if that modification cleverly didn't change the size of the original.

If you're really paranoid the only solution is to install tripwire and have it write its files to some safe place. You can then use those files to cryptographically verify that the contents of your system have not been changed. (Of course if you do make changes you have to update the tripwire database, but that's pretty easy.)



Track file changes to help with system recovery
Authored by: matx on Feb 22, '06 10:13:13AM

I've been using logGen for years to do this.

I did it to see what an app installs, so we can package it up and track the changes for lab builds.

http://freshmeat.net/projects/loggen/?branch_id=49025&release_id=155769 or
http://www.lsa.umich.edu/lsait/admin/mac/software/index.asp

To use it, first run "sudo /usr/local/sbin/logGen [orig.dat]" then
"sudo /usr/local/sbin/logGen [new.dat] [orig.dat] > changes.txt"

Or to track system binaries use Checkmate:
http://personalpages.tds.net/~brian_hill/checkmate.html

And check out the afp548 article, for links to updates for checkmate:
http://www.afp548.com/article.php?story=20050325082931247

And finally, RADMIND, fine-grained control over the whole system:
http://rsug.itd.umich.edu/software/radmind/



---
Mat X -- VFX Mac Tech



Track file changes to help with system recovery
Authored by: klktrk on Feb 22, '06 10:21:00AM

Yeah, I was gonna say. There is a whole field of software dedicated to tracking system software changes and alerting the administrator if anything is changed. And perhaps the best place to start is with TripWire.



Track file changes to help with system recovery
Authored by: klktrk on Feb 22, '06 10:23:56AM

Oh, and I should add the URL as there is a commercial version of TripWire, and it's a little harder to find the open source version. It's here: http://sourceforge.net/projects/tripwire/



Track file changes to help with system recovery
Authored by: FlyBoy on Feb 22, '06 10:37:06AM

I wrote a little shell script that gets called by launchd whenever anything in my user or main Library InputManagers or StartupItems directories gets changed. I have growl installed, so I have the script give me a growl notification as well as e-mailing me a note with the time of the change and the output of a find command on the directories in question.



Track file changes to help with system recovery
Authored by: GlowingApple on Feb 22, '06 08:17:12PM

Would you be willing to post your script here?

---
Jayson --When Microsoft asks you, "Where do you want to go today?" tell them "Apple."



Track file changes to help with system recovery
Authored by: ocdinsomniac on Feb 22, '06 12:11:10PM

The launchd method described by FlyBoy is along the lines of what I've been wanting to do. launchd seems perfect for building a tripwire system. I would add that UNIX tripwires generally monitor key system components, like commands in /bin and /sbin, for changes that would likely be indicative of a hack. Creating a full featured tripwire system that does this (as well as Mac OS-specific stuff) with launchd probably wouldn't be too difficult, and would have the added benefit of running in the background and providing notification of changes. If ever I get around to building such a beast, I will post about it here.



finding changed files
Authored by: sjk on Feb 22, '06 12:52:07PM
It's trivial to fool find ... -mtime ... using touch (or something equivalent) to change file modification times, which any cleverly-written trojan/virus would do. The -ctime option for find does a better job at detecting changed files.

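The hint's find -mtime script and sjk's note that modification times can be reset point at the same gap: a timestamp or size check is not a content check. As an added example (not the hint's or any commenter's code), here is a small sh baseline-and-compare script in the spirit of the tripwire approach dbs describes; it hashes every file, stores one line per file, and reports modified, added and removed paths between two snapshots. It assumes a POSIX sh with find, sort, diff and either shasum or sha256sum installed.

```shell
#!/bin/sh
# Added example, not the hint author's script: a checksum baseline in
# the spirit of tripwire. Assumes POSIX sh, find, sort, diff and a
# SHA-256 tool (shasum -a 256 on Mac OS X, sha256sum on Linux).

# Print the SHA-256 of one file with whichever tool is installed.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# snapshot DIR OUT: one "hash size path" line per regular file under
# DIR, sorted by path so two snapshots can be compared line by line.
snapshot() {
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s %s %s\n' "$(hash_file "$f")" \
            "$(wc -c < "$f" | tr -d ' ')" "$f"
    done > "$2"
}

# compare OLD NEW: list every path whose content or size differs, or
# that exists in only one snapshot. Exit status 1 if anything changed.
compare() {
    old=$1; new=$2
    # diff marks lines "< " (old) or "> " (new); field 4 onward is the
    # path, so paths containing spaces survive the cut.
    report=$(diff "$old" "$new" | grep '^[<>] ' | cut -d' ' -f4- |
        LC_ALL=C sort -u | while IFS= read -r p; do
            if cut -d' ' -f3- "$old" | grep -Fxq -- "$p"; then
                if cut -d' ' -f3- "$new" | grep -Fxq -- "$p"; then
                    echo "modified: $p"
                else
                    echo "removed: $p"
                fi
            else
                echo "added: $p"
            fi
        done)
    [ -n "$report" ] && printf '%s\n' "$report"
    [ -z "$report" ]
}

# Usage: snapshot / /var/db/baseline.txt      (as root, once, then copied off-box)
#        snapshot / /tmp/now.txt && compare /var/db/baseline.txt /tmp/now.txt
```

Keep the baseline somewhere the machine being checked cannot silently rewrite, as dbs suggests; otherwise whatever modified a file can also modify its recorded hash.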
Track file changes to help with system recovery
Authored by: bdog on Feb 22, '06 12:59:23PM

fseventer

http://www.macupdate.com/info.php/id/19141



Track file changes to help with system recovery
Authored by: joh on Feb 22, '06 02:31:52PM

If you want an "official" solution for such things (and quite a few more), look at the Common Criteria Tools from Apple:

http://www.apple.com/downloads/macosx/apple/commoncriteriatools.html



Already been done
Authored by: Rainy Day on Feb 22, '06 11:17:25PM
Or you could use one of these tools:
  • tripwire – DarwinPorts' integrity assurance and intrusion detection tool
  • radmind – tripwire/integrity checking: once a change is detected, can optionally reverse change
(Source: Things MacOS X)

 


Track file changes to help with system recovery
Authored by: bed124 on Feb 24, '06 01:33:20AM
There's also our product FileControl.

FileControl:
  • was designed to be easy to use, but still be useful
  • does not have to run all the time
  • was created so we could "check up" on product installs & initial runs
  • has proven to be useful during troubleshooting

  • A trial version can be downloaded.

Track file changes to help with system recovery
Authored by: Krazy on Feb 26, '06 01:18:16PM
Perhaps listed last here, but definitely not least, take a look at Osiris, another multi-platform (MacOSX, Windows, Linux, *nix) file scanning system:
http://www.hostintegrity.com/osiris/

