another alternative would be Tripwire
Authored by: weefle on Oct 01, '03 01:42:59PM

Install the Tripwire filesystem monitoring tool

Tripwire does pretty much the same thing as this Perl script does with the -md5 option, but with the option of customizing what checks are performed on each category of files. So, for example, you can simply check to make sure that your log files haven't been deleted and haven't had their ownership changed, but you can also check to make sure that system executables haven't had their contents replaced with Trojan code. It takes a lot of work to customize properly, but once you're done, you can be relatively sure that you'll catch any system modifications that are done.

Tripwire has been available for Mac OS X for a few months now.



comparing the alternatives
Authored by: hayne on Oct 01, '03 10:59:15PM
I think Tripwire occupies a different ecological niche. It is explicitly concerned with security and is far more sophisticated, with concomitant complexity of use.

Of similar sophistication but in a slightly different niche is Radmind - it is usually used for maintaining multiple machines in a known state.

A bit lower on the complexity scale but still considerably more sophisticated than the 'watchfile' script is the bubblegum program. It is a compiled C program that is designed to run as a daemon.

The 'watchfile' script was intended mostly for impromptu troubleshooting sessions where the ease of modification of a script (as opposed to a compiled executable) is often a big advantage.


Using bubblegum
Authored by: pwharff on Oct 02, '03 05:07:20PM

hayne,

I have been using your script watchfile and it works great, but it always has to be running and I have to have a Terminal window open always. So I tried bubblegum, but I couldn't get it to work with directories and I emailed the developer and no response so far.



running programs in the background
Authored by: hayne on Oct 02, '03 10:53:02PM
You don't need to run the 'watchfile' script in the foreground of a Terminal window. You can start any program in the background by adding an ampersand (&) at the end of the invocation command. If the program sends results to the terminal window (as 'watchfile' does) then you need to redirect the output into a file.

E.g. you could run the above example in the background as follows:
watchfile ~/Library/Preferences/com.apple.* > ~/myoutput &
where I have redirected the output into the file ~/myoutput.
When you start a program in the background like this, it stays running even when the Terminal window is closed. In fact it will stay running until the machine is rebooted. You can examine the output file whenever you want. Doing it this way gives you something very much like what bubblegum does.


running programs in the background
Authored by: pwharff on Oct 03, '03 05:57:06PM

Thanks a bunch, I'm somewhat new to unix/linux. What happens if you don't redirect the output to a file and if there is eventually output, where does that output go or is there an error?



running programs in the background
Authored by: pwharff on Oct 03, '03 06:07:52PM

Also, if I were to run this script watchfile in the background as you described and quit the Terminal, how would I later on kill this process. Usually I use "jobs" to find the currently running jobs, but this only applies to my current tty.

Thanks again for your help, I'm learning.



ps
Authored by: hayne on Oct 03, '03 08:49:49PM

You can kill any process that you started if you know the process id (pid) by using the 'kill' command. You can find out the pid by using the command 'ps'.
Or if you know that there is only one instance of a process with a particular name, you can use 'killall'.

May I suggest that you should read some of the many freely available UNIX tutorials? There are some listed in the links section of this site.



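Putting hayne's two answers together (background with redirected output, then kill by pid), as an added shell example that is not from the thread or its author: the job's pid is written to a file when it starts, so it can be stopped from any later Terminal window without 'jobs'. The watchfile script is not on this page, so a stand-in loop is used, and nohup is an assumption added so the job is not hung up when the window closes.

```shell
#!/bin/sh
# Added example: run a long-lived monitor in the background, send its
# output to a log file, remember its pid, and stop it later by pid.
# 'watchfile' is not on this page; the caller passes any command.

# start_bg LOGFILE PIDFILE CMD [ARGS...]
# nohup makes the job ignore SIGHUP, so closing the Terminal window
# does not end it; stdout and stderr both go to LOGFILE.
start_bg() {
    logfile=$1; pidfile=$2; shift 2
    nohup "$@" >>"$logfile" 2>&1 &
    echo $! >"$pidfile"          # $! is the pid of the job just started
}

# bg_running PIDFILE -> exit 0 if that pid still exists.
# 'kill -0' only checks for the process; it sends no signal.
bg_running() {
    [ -f "$1" ] && kill -0 "$(cat "$1")" 2>/dev/null
}

# stop_bg PIDFILE -> kill the recorded pid (same as 'kill <pid>' after
# finding it with 'ps'), then forget it. Fails if nothing was recorded
# or the process is already gone.
stop_bg() {
    pidfile=$1
    [ -f "$pidfile" ] || return 1
    pid=$(cat "$pidfile")
    kill "$pid" 2>/dev/null || return 1
    # If started from this same shell, reap it so it is not left as a
    # zombie; from another shell 'wait' just fails and that is ignored.
    wait "$pid" 2>/dev/null || true
    rm -f "$pidfile"
}
```

Without the redirection, a backgrounded program still writes to the terminal it was started from, which is why the log file matters once that window is gone.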