On Thu, Aug 19, 2021 at 10:45:44PM -0500, David Wright wrote: > On Thu 19 Aug 2021 at 08:01:24 (-0400), songbird wrote: > > David Wright wrote: > > > On Wed 18 Aug 2021 at 20:55:12 (-0400), songbird wrote: > > >> let's suppose you have a directory where there are > > >> various scripts, libraries, programs, data, etc. > > >> > > >> you want to know exactly which other scripts, libraries, > > >> etc. use them and to log each caller to know the name so > > >> it can be tracked down (location would be nice too, but > > >> that could be found later if needed). > > >> > > >> i don't need to keep the information in a database as > > >> just having the log file will be enough. > > >> > > >> how would you do this? > > >> > > >> this isn't a homework assignment i'm just curious how > > >> easy or hard this would be to accomplish. > > > > > > Easy. > > > > > > $ inotifywait -m -e access --timefmt "%F %T" --format "%T %f" > > > the-directory/ > > > > > > To try it, just type in that line, using a sensible directory name. > > > (The package name to install first is inotify-tools.) > > > > > > Change the formats to taste. Pipe into a while IFS=$'\n' read Filename > > > ; do > > > loop if you want to do something with the output. See: > > > > > > https://lists.debian.org/debian-user/2021/03/msg01494.html > > > > > > for a real script (waiting on close-writeable-file, rather than just > > > access) that I use a lot for stealing files from FireFox's cache > > > (~/.cache/mozilla/firefox/foo.bar.profile/cache2/entries/). > > > > thanks! very interesting! :) > > > > thank you to others who replied also. :) > > > > i was wondering if there was a general tool available as on > > debian-devel they are talking about usr-merge and if there was a > > simple way to find out who's using /bin and such instead of > > /usr/bin, > > No, that's a different problem. My solution addresses a directory, > hence the change in Subject line. You'd have to dive deeper into > inotify and inotify_add_watch, to see whether you can specify the > inode of the /bin symlink separately from that for /usr/bin. > > $ ls -Glidg /bin /usr/bin > 12 lrwxrwxrwx 1 7 Apr 3 2020 /bin -> usr/bin > 261634 drwxr-xr-x 2 69632 Aug 11 19:10 /usr/bin > $ > > > but also the idea of being able to set up a honeypot > > on your own system and see if any programs or processes you > > haven't done yourself are accessing it. might give you a > > warning of being hacked, but of course there are other things > > going on in a system which you expect to access things so it > > is an interesting way to find out what is happening... > > > > after many years and a lot of different things being set up > > i think it is a good idea to keep an eye on what is happening. > > especially with how things are going these days. > > Cheers, > David. >
There is an "auditd" package - a Red Hat origin tool/subsystem. It's available on Bullseye, but, I have not tried it recently. It might be what you are looking for. Regards, didar --