Re: Watching a directory, was Re: how would you do this?
On Sat 21 Aug 2021 at 19:17:31 (+0530), didar wrote:
> On Thu, Aug 19, 2021 at 10:45:44PM -0500, David Wright wrote:
> > On Thu 19 Aug 2021 at 08:01:24 (-0400), songbird wrote:
> > > David Wright wrote:
> > > > On Wed 18 Aug 2021 at 20:55:12 (-0400), songbird wrote:
> > > >> let's suppose you have a directory where there are
> > > >> various scripts, libraries, programs, data, etc.
> > > >>
> > > >> you want to know exactly which other scripts, libraries,
> > > >> etc. use them and to log each caller to know the name so
> > > >> it can be tracked down (location would be nice too, but
> > > >> that could be found later if needed).
> > > >>
> > > >> i don't need to keep the information in a database as
> > > >> just having the log file will be enough.
> > > >>
> > > >> how would you do this?
> > > >>
> > > >> this isn't a homework assignment i'm just curious how
> > > >> easy or hard this would be to accomplish.
> > > >
> > > > Easy.
> > > >
> > > > $ inotifywait -m -e access --timefmt "%F %T" --format "%T %f" the-directory/
> > > >
> > > > To try it, just type in that line, using a sensible directory name.
> > > > (The package name to install first is inotify-tools.)
> > > >
> > > > Change the formats to taste. Pipe into a while IFS=$'\n' read Filename ; do
> > > > loop if you want to do something with the output. See:
> > > >
> > > > https://lists.debian.org/debian-user/2021/03/msg01494.html
> > > >
> > > > for a real script (waiting on close-writeable-file, rather than just
> > > > access) that I use a lot for stealing files from FireFox's cache
> > > > (~/.cache/mozilla/firefox/foo.bar.profile/cache2/entries/).
> > >
> > > thanks! very interesting! :)
> > >
> > > thank you to others who replied also. :)
> > >
> > > i was wondering if there was a general tool available as on
> > > debian-devel they are talking about usr-merge and if there was a
> > > simple way to find out who's using /bin and such instead of
> > > /usr/bin,
> >
> > No, that's a different problem. My solution addresses a directory,
> > hence the change in Subject line. You'd have to dive deeper into
> > inotify and inotify_add_watch, to see whether you can specify the
> > inode of the /bin symlink separately from that for /usr/bin.
> >
> > $ ls -Glidg /bin /usr/bin
> > 12 lrwxrwxrwx 1 7 Apr 3 2020 /bin -> usr/bin
> > 261634 drwxr-xr-x 2 69632 Aug 11 19:10 /usr/bin
> > $

To be more explicit, my understanding of symlinks is that they're a
property of the filesystem, and so are resolved in the kernel, likely
somewhere in fs/ext{2,4}. So nothing in userspace is likely to be
aware of whether a filename was referenced through a symlink.

> There is an "auditd" package - a Red Hat origin tool/subsystem. It's available
> on Bullseye, but, I have not tried it recently. It might be what you are
> looking for.

I would revise my "Easy", above, to Hard. You would have to write rules
to trigger logging just the right events in the kernel, and then write
a program to wade through the log, which will be pouring in from all
the processes triggering those events. Plus deal with the slowdown from
a heavy overhead if the rules aren't adequately focussed.

When the OP replied to my first post, I ran my one-liner on /bin, and
then tried running a few binaries by invoking them through /bin and
/usr/bin (which, of course, didn't reveal anything interesting).
However, I could only do this for ~50 seconds of each minute because
my crontab would spew a couple of screenfuls every time it triggered.

Let us know how it goes, should you attempt it.

Cheers,
David.
Re: Watching a directory, was Re: how would you do this?
On Thu, Aug 19, 2021 at 10:45:44PM -0500, David Wright wrote:
> On Thu 19 Aug 2021 at 08:01:24 (-0400), songbird wrote:
> > David Wright wrote:
> > > On Wed 18 Aug 2021 at 20:55:12 (-0400), songbird wrote:
> > >> let's suppose you have a directory where there are
> > >> various scripts, libraries, programs, data, etc.
> > >>
> > >> you want to know exactly which other scripts, libraries,
> > >> etc. use them and to log each caller to know the name so
> > >> it can be tracked down (location would be nice too, but
> > >> that could be found later if needed).
> > >>
> > >> i don't need to keep the information in a database as
> > >> just having the log file will be enough.
> > >>
> > >> how would you do this?
> > >>
> > >> this isn't a homework assignment i'm just curious how
> > >> easy or hard this would be to accomplish.
> > >
> > > Easy.
> > >
> > > $ inotifywait -m -e access --timefmt "%F %T" --format "%T %f" the-directory/
> > >
> > > To try it, just type in that line, using a sensible directory name.
> > > (The package name to install first is inotify-tools.)
> > >
> > > Change the formats to taste. Pipe into a while IFS=$'\n' read Filename ; do
> > > loop if you want to do something with the output. See:
> > >
> > > https://lists.debian.org/debian-user/2021/03/msg01494.html
> > >
> > > for a real script (waiting on close-writeable-file, rather than just
> > > access) that I use a lot for stealing files from FireFox's cache
> > > (~/.cache/mozilla/firefox/foo.bar.profile/cache2/entries/).
> >
> > thanks! very interesting! :)
> >
> > thank you to others who replied also. :)
> >
> > i was wondering if there was a general tool available as on
> > debian-devel they are talking about usr-merge and if there was a
> > simple way to find out who's using /bin and such instead of
> > /usr/bin,
>
> No, that's a different problem. My solution addresses a directory,
> hence the change in Subject line. You'd have to dive deeper into
> inotify and inotify_add_watch, to see whether you can specify the
> inode of the /bin symlink separately from that for /usr/bin.
>
> $ ls -Glidg /bin /usr/bin
> 12 lrwxrwxrwx 1 7 Apr 3 2020 /bin -> usr/bin
> 261634 drwxr-xr-x 2 69632 Aug 11 19:10 /usr/bin
> $
>
> > but also the idea of being able to set up a honeypot
> > on your own system and see if any programs or processes you
> > haven't done yourself are accessing it. might give you a
> > warning of being hacked, but of course there are other things
> > going on in a system which you expect to access things so it
> > is an interesting way to find out what is happening...
> >
> > after many years and a lot of different things being set up
> > i think it is a good idea to keep an eye on what is happening.
> > especially with how things are going these days.
>
> Cheers,
> David.
>

There is an "auditd" package - a Red Hat origin tool/subsystem. It's
available on Bullseye, but, I have not tried it recently. It might be
what you are looking for.

Regards,
didar
--
Re: Watching a directory, was Re: how would you do this?
On Thu 19 Aug 2021 at 08:01:24 (-0400), songbird wrote:
> David Wright wrote:
> > On Wed 18 Aug 2021 at 20:55:12 (-0400), songbird wrote:
> >> let's suppose you have a directory where there are
> >> various scripts, libraries, programs, data, etc.
> >>
> >> you want to know exactly which other scripts, libraries,
> >> etc. use them and to log each caller to know the name so
> >> it can be tracked down (location would be nice too, but
> >> that could be found later if needed).
> >>
> >> i don't need to keep the information in a database as
> >> just having the log file will be enough.
> >>
> >> how would you do this?
> >>
> >> this isn't a homework assignment i'm just curious how
> >> easy or hard this would be to accomplish.
> >
> > Easy.
> >
> > $ inotifywait -m -e access --timefmt "%F %T" --format "%T %f" the-directory/
> >
> > To try it, just type in that line, using a sensible directory name.
> > (The package name to install first is inotify-tools.)
> >
> > Change the formats to taste. Pipe into a while IFS=$'\n' read Filename ; do
> > loop if you want to do something with the output. See:
> >
> > https://lists.debian.org/debian-user/2021/03/msg01494.html
> >
> > for a real script (waiting on close-writeable-file, rather than just
> > access) that I use a lot for stealing files from FireFox's cache
> > (~/.cache/mozilla/firefox/foo.bar.profile/cache2/entries/).
>
> thanks! very interesting! :)
>
> thank you to others who replied also. :)
>
> i was wondering if there was a general tool available as on
> debian-devel they are talking about usr-merge and if there was a
> simple way to find out who's using /bin and such instead of
> /usr/bin,

No, that's a different problem. My solution addresses a directory,
hence the change in Subject line. You'd have to dive deeper into
inotify and inotify_add_watch, to see whether you can specify the
inode of the /bin symlink separately from that for /usr/bin.

$ ls -Glidg /bin /usr/bin
12 lrwxrwxrwx 1 7 Apr 3 2020 /bin -> usr/bin
261634 drwxr-xr-x 2 69632 Aug 11 19:10 /usr/bin
$

> but also the idea of being able to set up a honeypot
> on your own system and see if any programs or processes you
> haven't done yourself are accessing it. might give you a
> warning of being hacked, but of course there are other things
> going on in a system which you expect to access things so it
> is an interesting way to find out what is happening...
>
> after many years and a lot of different things being set up
> i think it is a good idea to keep an eye on what is happening.
> especially with how things are going these days.

Cheers,
David.
Re: Watching a directory, was Re: how would you do this?
David Wright wrote:
> On Wed 18 Aug 2021 at 20:55:12 (-0400), songbird wrote:
>> let's suppose you have a directory where there are
>> various scripts, libraries, programs, data, etc.
>>
>> you want to know exactly which other scripts, libraries,
>> etc. use them and to log each caller to know the name so
>> it can be tracked down (location would be nice too, but
>> that could be found later if needed).
>>
>> i don't need to keep the information in a database as
>> just having the log file will be enough.
>>
>> how would you do this?
>>
>> this isn't a homework assignment i'm just curious how
>> easy or hard this would be to accomplish.
>
> Easy.
>
> $ inotifywait -m -e access --timefmt "%F %T" --format "%T %f" the-directory/
>
> To try it, just type in that line, using a sensible directory name.
> (The package name to install first is inotify-tools.)
>
> Change the formats to taste. Pipe into a while IFS=$'\n' read Filename ; do
> loop if you want to do something with the output. See:
>
> https://lists.debian.org/debian-user/2021/03/msg01494.html
>
> for a real script (waiting on close-writeable-file, rather than just
> access) that I use a lot for stealing files from FireFox's cache
> (~/.cache/mozilla/firefox/foo.bar.profile/cache2/entries/).

thanks! very interesting! :)

thank you to others who replied also. :)

i was wondering if there was a general tool available as on
debian-devel they are talking about usr-merge and if there was a
simple way to find out who's using /bin and such instead of
/usr/bin, but also the idea of being able to set up a honeypot
on your own system and see if any programs or processes you
haven't done yourself are accessing it. might give you a
warning of being hacked, but of course there are other things
going on in a system which you expect to access things so it
is an interesting way to find out what is happening...

after many years and a lot of different things being set up
i think it is a good idea to keep an eye on what is happening.
especially with how things are going these days.

songbird
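The logging loop David describes (inotifywait piped into a while-read loop), turned into the kind of decoy-directory logger songbird has in mind. This is an added example, not code from the thread or from inotify-tools; the directory, log path, function names and the sample event lines are assumptions, and the event-processing is kept in its own function so it can be exercised on constructed input without inotifywait installed.

```shell
#!/bin/sh
# Added example: log every access to a decoy ("honeypot") directory using
# David's inotifywait one-liner feeding a while-read loop. WATCH_DIR,
# LOG_FILE, the function names and the sample lines are assumptions.

WATCH_DIR="${WATCH_DIR:-$HOME/honeypot}"
LOG_FILE="${LOG_FILE:-/tmp/honeypot-access.log}"

# Read event lines in the "%T %f" layout produced by
#   inotifywait -m -e access --timefmt "%F %T" --format "%T %f" DIR
# i.e. "YYYY-MM-DD HH:MM:SS filename", appending one record per event to $1.
log_events() {
    while IFS= read -r line; do
        stamp=$(printf '%s\n' "$line" | cut -d' ' -f1,2)   # date and time
        name=$(printf '%s\n' "$line" | cut -d' ' -f3-)    # may contain spaces
        [ -n "$name" ] || continue                         # skip malformed lines
        printf '%s ACCESS %s/%s\n' "$stamp" "$WATCH_DIR" "$name" >> "$1"
    done
}

# Exact count of ACCESS records for one full path ($2) in log $1; the path
# starts at field 4. grep -c exits 1 on a zero count, so mask that for set -e.
count_accesses() {
    cut -d' ' -f4- "$1" | grep -cxF -- "$2" || true
}

# Access count per file, busiest first, for a quick "who touched what".
summarise_log() {
    cut -d' ' -f4- "$1" | sort | uniq -c | sort -rn
}

# Live mode: needs the inotify-tools package; runs until interrupted.
watch_live() {
    mkdir -p "$WATCH_DIR"
    inotifywait -m -e access --timefmt "%F %T" --format "%T %f" "$WATCH_DIR" \
        | log_events "$LOG_FILE"
}

# Offline demonstration on constructed event lines (not real events).
demo() {
    tmp=$(mktemp)
    printf '%s\n' '2021-08-19 22:45:44 secrets.txt' \
                  '2021-08-19 22:45:45 backup key.pem' \
                  '2021-08-19 22:46:02 secrets.txt' | log_events "$tmp"
    summarise_log "$tmp"
    rm -f "$tmp"
}
```

Run `watch_live` in a terminal to log real events, or `demo` to see the summary produced from the constructed lines.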