> Why not just use find and make the search be based on date stamp.
>
> find / -ctime 2 -print
>
> will find all files changed 48 hours (2 days ago).
That is a good approach, but a properly configured Tripwire or Fcheck will report only changes to relevant parts of the filesystem. Changes in directories attributed to the OS (/bin, /sbin, /usr, /lib and so on) are usually more suspicious than changes in /home/sites or /tmp.

Properly configured, a tool like Tripwire or Fcheck will email you once relevant parts of the filesystem change. Imagine such a tool emails you that /sbin/init (for example) has been changed all of a sudden. You haven't installed any patches, nor did you change /sbin/init yourself. So you instantly know that your box is in trouble.

With the "find" command you could also spot the change, but only if you already expected trouble and knew what to look for.

-- 
With best regards,
Michael Stauber

_______________________________________________
cobalt-developers mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-developers
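The baseline-and-compare approach described in the reply above, as an added example (this is not Tripwire or Fcheck code and did not appear in the original thread): it fingerprints every regular file under the OS directories, stores that baseline, and on a later run reports each added, removed or altered file together with which attribute changed (content hash, mode, owner, size). The watched-directory list, the function names and the scratch "sbin" tree built by `demo()` are assumptions made for illustration only.

```python
#!/usr/bin/env python3
"""Minimal file-integrity baseline/check in the spirit of Tripwire or Fcheck.

Added example, not code from either tool.  Usage:
    fim.py init  [--baseline FILE] [DIR ...]   # record known-good state
    fim.py check [--baseline FILE] [DIR ...]   # report deviations from it
"""
import argparse
import hashlib
import json
import os
import shutil
import stat
import sys
import tempfile
from pathlib import Path

# Directories whose contents rarely change outside of patching (assumed default list).
DEFAULT_WATCHED = ["/bin", "/sbin", "/lib", "/usr"]


def _fingerprint(path: Path) -> dict:
    """Hash the content and record the inode metadata a trojaned binary would alter."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    st = path.lstat()
    return {"sha256": h.hexdigest(), "mode": stat.S_IMODE(st.st_mode),
            "uid": st.st_uid, "gid": st.st_gid, "size": st.st_size}


def build_baseline(roots) -> dict:
    """Walk each root and fingerprint every regular file (symlinks and devices skipped)."""
    baseline = {}
    for root in roots:
        root = Path(root)
        if not root.is_dir():
            continue
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                p = Path(dirpath) / name
                if p.is_symlink() or not p.is_file():
                    continue
                try:
                    baseline[str(p)] = _fingerprint(p)
                except OSError:
                    continue  # unreadable file: not an integrity violation by itself
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Return added/removed paths and, for modified ones, the list of attributes that differ."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = {}
    for path in sorted(set(baseline) & set(current)):
        changed = sorted(k for k in baseline[path] if baseline[path][k] != current[path].get(k))
        if changed:
            modified[path] = changed
    return {"added": added, "removed": removed, "modified": modified}


def format_report(diff: dict) -> str:
    """Human-readable summary suitable for a cron mail; empty string means nothing changed."""
    lines = [f"ADDED    {p}" for p in diff["added"]]
    lines += [f"REMOVED  {p}" for p in diff["removed"]]
    lines += [f"MODIFIED {p} ({', '.join(v)})" for p, v in diff["modified"].items()]
    return "\n".join(lines)


def demo() -> dict:
    """Constructed scenario: scratch 'sbin' tree, baseline, then four kinds of tampering.
    Paths are returned relative to the scratch root so the result is deterministic."""
    root = Path(tempfile.mkdtemp(prefix="fim-demo-"))
    try:
        sbin = root / "sbin"
        sbin.mkdir()
        (sbin / "init").write_bytes(b"#!/bin/sh\nexec /bin/true\n")
        (sbin / "halt").write_bytes(b"#!/bin/sh\necho halt\n")
        (sbin / "reboot").write_bytes(b"#!/bin/sh\necho reboot\n")
        for f in sbin.iterdir():
            f.chmod(0o755)
        before = build_baseline([sbin])
        # Tampering: replaced init, dropped-in binary, deleted tool, setuid bit added to halt.
        (sbin / "init").write_bytes(b"#!/bin/sh\nexec /tmp/.x/backdoor\n")
        (sbin / "sshd2").write_bytes(b"not really sshd")
        (sbin / "reboot").unlink()
        (sbin / "halt").chmod(0o4755)
        diff = compare(before, build_baseline([sbin]))
        rel = lambda p: os.path.relpath(p, root)
        return {"added": [rel(p) for p in diff["added"]],
                "removed": [rel(p) for p in diff["removed"]],
                "modified": {rel(p): v for p, v in diff["modified"].items()}}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    ap = argparse.ArgumentParser()
    ap.add_argument("action", choices=["init", "check", "demo"])
    ap.add_argument("--baseline", default="fim-baseline.json")
    ap.add_argument("dirs", nargs="*", default=DEFAULT_WATCHED)
    args = ap.parse_args()
    if args.action == "demo":
        print(format_report(demo()))
    elif args.action == "init":
        Path(args.baseline).write_text(json.dumps(build_baseline(args.dirs), indent=1))
    else:
        report = format_report(compare(json.loads(Path(args.baseline).read_text()),
                                       build_baseline(args.dirs)))
        print(report or "no changes")
        sys.exit(1 if report else 0)
```

Run `init` right after a clean install or after applying patches, then `check` from cron and mail the output; the non-zero exit status makes it easy to alert only when something differs. The baseline file itself must live somewhere the monitored host cannot rewrite (read-only media or another machine), since an intruder with root could otherwise re-baseline around the trojaned binary.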
