Re: Watching a directory, was Re: how would you do this?

2021-08-21 Thread David Wright
On Sat 21 Aug 2021 at 19:17:31 (+0530), didar wrote:
> On Thu, Aug 19, 2021 at 10:45:44PM -0500, David Wright wrote:
> > On Thu 19 Aug 2021 at 08:01:24 (-0400), songbird wrote:
> > > David Wright wrote:
> > > > On Wed 18 Aug 2021 at 20:55:12 (-0400), songbird wrote:
> > > >>   let's suppose you have a directory where there are
> > > >> various scripts, libraries, programs, data, etc.
> > > >> 
> > > >>   you want to know exactly which other scripts, libraries,
> > > >> etc. use them and to log each caller to know the name so
> > > >> it can be tracked down (location would be nice too, but 
> > > >> that could be found later if needed).
> > > >> 
> > > >>   i don't need to keep the information in a database as
> > > >> just having the log file will be enough.
> > > >> 
> > > >>   how would you do this?
> > > >> 
> > > >>   this isn't a homework assignment i'm just curious how
> > > >> easy or hard this would be to accomplish.
> > > >
> > > > Easy.
> > > >
> > > > $ inotifywait -m -e access --timefmt "%F %T" --format "%T %f" the-directory/
> > > >
> > > > To try it, just type in that line, using a sensible directory name.
> > > > (The package name to install first is inotify-tools.)
> > > >
> > > > Change the formats to taste. Pipe into a   while IFS=$'\n' read Filename ; do
> > > > loop if you want to do something with the output. See:
> > > >
> > > >   https://lists.debian.org/debian-user/2021/03/msg01494.html
> > > >
> > > > for a real script (waiting on close-writeable-file, rather than just
> > > > access) that I use a lot for stealing files from FireFox's cache
> > > > (~/.cache/mozilla/firefox/foo.bar.profile/cache2/entries/).
> > > 
> > >   thanks!  very interesting!  :)
> > > 
> > >   thank you to others who replied also.  :)
> > > 
> > >   i was wondering if there was a general tool available as on
> > > debian-devel they are talking about usr-merge and if there was a
> > > simple way to find out who's using /bin and such instead of 
> > > /usr/bin,
> > 
> > No, that's a different problem. My solution addresses a directory,
> > hence the change in Subject line. You'd have to dive deeper into
> > inotify and inotify_add_watch, to see whether you can specify the
> > inode of the /bin symlink separately from that for /usr/bin.
> > 
> > $ ls -Glidg /bin /usr/bin
> > 12 lrwxrwxrwx 1 7 Apr  3  2020 /bin -> usr/bin
> > 261634 drwxr-xr-x 2 69632 Aug 11 19:10 /usr/bin
> > $ 
> > 

To be more explicit, my understanding of symlinks is that they're
a property of the filesystem, and so are resolved in the kernel,
likely somewhere in fs/ext{2,4}. So nothing in userspace is likely
to be aware of whether a filename was referenced through a symlink.

> There is an "auditd" package - a Red Hat origin tool/subsystem. It's available
> on Bullseye, but, I have not tried it recently. It might be what you are looking
> for.

I would revise my "Easy", above, to Hard. You would have to write
rules to trigger logging just the right events in the kernel, and then
write a program to wade through the log, which will be pouring in from
all the processes triggering those events. Plus deal with the slowdown
from a heavy overhead if the rules aren't adequately focussed.

When the OP replied to my first post, I ran my one-liner on /bin,
and then tried running a few binaries by invoking them through /bin
and /usr/bin (which, of course, didn't reveal anything interesting).
However, I could only do this for ~50 seconds of each minute because
my crontab would spew a couple of screenfuls every time it triggered.

Let us know how it goes, should you attempt it.

Cheers,
David.
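The two halves of the auditd route described above, as an added example that is not from the thread: a focussed audit rule so only reads under one directory get logged, and a small program that wades through the raw log and joins each SYSCALL record with its PATH record, which is what actually answers "which process touched which file". The directory /srv/watched, the key name "dirwatch" and the sample log lines are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the thread.  /srv/watched and the key
# "dirwatch" are assumed names; SAMPLE_LOG below is constructed.

# (1) Rule: as root, log every read (-p r) below the directory under one key.
#     auditctl -w /srv/watched -p r -k dirwatch
#     Then pull the raw records:  ausearch -k dirwatch --raw | who_touched

# (2) Join SYSCALL and PATH records that share the same audit(...) event id,
#     printing "pid comm exe path" once per event, in log order.
who_touched() {
    awk '
    # value of "key=..." in one record; quoted values lose their quotes
    function field(rec, key,   s) {
        if (!match(rec, "(^| )" key "=(\"[^\"]*\"|[^ ]*)")) return ""
        s = substr(rec, RSTART, RLENGTH)
        sub(/^ /, "", s)
        s = substr(s, length(key) + 2)
        gsub(/"/, "", s)
        return s
    }
    {
        id = field($0, "msg")
        if (!(id in seen)) { seen[id] = 1; order[++n] = id }
        if ($0 ~ /^type=SYSCALL /) {
            pid[id] = field($0, "pid"); comm[id] = field($0, "comm"); exe[id] = field($0, "exe")
        } else if ($0 ~ /^type=PATH / && field($0, "nametype") != "PARENT") {
            name[id] = field($0, "name")   # skip the parent-directory item
        }
    }
    END {
        for (i = 1; i <= n; i++) {
            id = order[i]
            if ((id in pid) && (id in name))
                printf "%s %s %s %s\n", pid[id], comm[id], exe[id], name[id]
        }
    }'
}

# Constructed sample of what "ausearch --raw" emits for one cat of a watched file.
SAMPLE_LOG='type=SYSCALL msg=audit(1629551851.123:4711): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=1200 pid=1234 auid=1000 uid=1000 comm="cat" exe="/usr/bin/cat" key="dirwatch"
type=CWD msg=audit(1629551851.123:4711): cwd="/home/user"
type=PATH msg=audit(1629551851.123:4711): item=0 name="/srv/watched/notes.txt" inode=131077 dev=08:01 mode=0100644 ouid=1000 ogid=1000 nametype=NORMAL'

# Runs the join over the sample; a real run pipes ausearch into who_touched.
demo() {
    printf '%s\n' "$SAMPLE_LOG" | who_touched
}
```

Keep the rule narrow (one directory, one permission class); a rule that matches every open on the system is where the slowdown David mentions comes from.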



Re: Watching a directory, was Re: how would you do this?

2021-08-21 Thread didar
On Thu, Aug 19, 2021 at 10:45:44PM -0500, David Wright wrote:
> On Thu 19 Aug 2021 at 08:01:24 (-0400), songbird wrote:
> > David Wright wrote:
> > > On Wed 18 Aug 2021 at 20:55:12 (-0400), songbird wrote:
> > >>   let's suppose you have a directory where there are
> > >> various scripts, libraries, programs, data, etc.
> > >> 
> > >>   you want to know exactly which other scripts, libraries,
> > >> etc. use them and to log each caller to know the name so
> > >> it can be tracked down (location would be nice too, but 
> > >> that could be found later if needed).
> > >> 
> > >>   i don't need to keep the information in a database as
> > >> just having the log file will be enough.
> > >> 
> > >>   how would you do this?
> > >> 
> > >>   this isn't a homework assignment i'm just curious how
> > >> easy or hard this would be to accomplish.
> > >
> > > Easy.
> > >
> > > $ inotifywait -m -e access --timefmt "%F %T" --format "%T %f" the-directory/
> > >
> > > To try it, just type in that line, using a sensible directory name.
> > > (The package name to install first is inotify-tools.)
> > >
> > > Change the formats to taste. Pipe into a   while IFS=$'\n' read Filename ; do
> > > loop if you want to do something with the output. See:
> > >
> > >   https://lists.debian.org/debian-user/2021/03/msg01494.html
> > >
> > > for a real script (waiting on close-writeable-file, rather than just
> > > access) that I use a lot for stealing files from FireFox's cache
> > > (~/.cache/mozilla/firefox/foo.bar.profile/cache2/entries/).
> > 
> >   thanks!  very interesting!  :)
> > 
> >   thank you to others who replied also.  :)
> > 
> >   i was wondering if there was a general tool available as on
> > debian-devel they are talking about usr-merge and if there was a
> > simple way to find out who's using /bin and such instead of 
> > /usr/bin,
> 
> No, that's a different problem. My solution addresses a directory,
> hence the change in Subject line. You'd have to dive deeper into
> inotify and inotify_add_watch, to see whether you can specify the
> inode of the /bin symlink separately from that for /usr/bin.
> 
> $ ls -Glidg /bin /usr/bin
> 12 lrwxrwxrwx 1 7 Apr  3  2020 /bin -> usr/bin
> 261634 drwxr-xr-x 2 69632 Aug 11 19:10 /usr/bin
> $ 
> 
> > but also the idea of being able to set up a honeypot
> > on your own system and see if any programs or processes you 
> > haven't done yourself are accessing it.  might give you a
> > warning of being hacked, but of course there are other things
> > going on in a system which you expect to access things so it
> > is an interesting way to find out what is happening...
> > 
> >   after many years and a lot of different things being set up
> > i think it is a good idea to keep an eye on what is happening.
> > especially with how things are going these days.
> 
> Cheers,
> David.
> 

There is an "auditd" package - a Red Hat origin tool/subsystem. It's available
on Bullseye, but, I have not tried it recently. It might be what you are looking
for.

Regards,
didar

-- 



Re: Watching a directory, was Re: how would you do this?

2021-08-19 Thread David Wright
On Thu 19 Aug 2021 at 08:01:24 (-0400), songbird wrote:
> David Wright wrote:
> > On Wed 18 Aug 2021 at 20:55:12 (-0400), songbird wrote:
> >>   let's suppose you have a directory where there are
> >> various scripts, libraries, programs, data, etc.
> >> 
> >>   you want to know exactly which other scripts, libraries,
> >> etc. use them and to log each caller to know the name so
> >> it can be tracked down (location would be nice too, but 
> >> that could be found later if needed).
> >> 
> >>   i don't need to keep the information in a database as
> >> just having the log file will be enough.
> >> 
> >>   how would you do this?
> >> 
> >>   this isn't a homework assignment i'm just curious how
> >> easy or hard this would be to accomplish.
> >
> > Easy.
> >
> > $ inotifywait -m -e access --timefmt "%F %T" --format "%T %f" the-directory/
> >
> > To try it, just type in that line, using a sensible directory name.
> > (The package name to install first is inotify-tools.)
> >
> > Change the formats to taste. Pipe into a   while IFS=$'\n' read Filename ; do
> > loop if you want to do something with the output. See:
> >
> >   https://lists.debian.org/debian-user/2021/03/msg01494.html
> >
> > for a real script (waiting on close-writeable-file, rather than just
> > access) that I use a lot for stealing files from FireFox's cache
> > (~/.cache/mozilla/firefox/foo.bar.profile/cache2/entries/).
> 
>   thanks!  very interesting!  :)
> 
>   thank you to others who replied also.  :)
> 
>   i was wondering if there was a general tool available as on
> debian-devel they are talking about usr-merge and if there was a
> simple way to find out who's using /bin and such instead of 
> /usr/bin,

No, that's a different problem. My solution addresses a directory,
hence the change in Subject line. You'd have to dive deeper into
inotify and inotify_add_watch, to see whether you can specify the
inode of the /bin symlink separately from that for /usr/bin.

$ ls -Glidg /bin /usr/bin
12 lrwxrwxrwx 1 7 Apr  3  2020 /bin -> usr/bin
261634 drwxr-xr-x 2 69632 Aug 11 19:10 /usr/bin
$ 

> but also the idea of being able to set up a honeypot
> on your own system and see if any programs or processes you 
> haven't done yourself are accessing it.  might give you a
> warning of being hacked, but of course there are other things
> going on in a system which you expect to access things so it
> is an interesting way to find out what is happening...
> 
>   after many years and a lot of different things being set up
> i think it is a good idea to keep an eye on what is happening.
> especially with how things are going these days.

Cheers,
David.



Re: Watching a directory, was Re: how would you do this?

2021-08-19 Thread songbird
David Wright wrote:
> On Wed 18 Aug 2021 at 20:55:12 (-0400), songbird wrote:
>>   let's suppose you have a directory where there are
>> various scripts, libraries, programs, data, etc.
>> 
>>   you want to know exactly which other scripts, libraries,
>> etc. use them and to log each caller to know the name so
>> it can be tracked down (location would be nice too, but 
>> that could be found later if needed).
>> 
>>   i don't need to keep the information in a database as
>> just having the log file will be enough.
>> 
>>   how would you do this?
>> 
>>   this isn't a homework assignment i'm just curious how
>> easy or hard this would be to accomplish.
>
> Easy.
>
> $ inotifywait -m -e access --timefmt "%F %T" --format "%T %f" the-directory/
>
> To try it, just type in that line, using a sensible directory name.
> (The package name to install first is inotify-tools.)
>
> Change the formats to taste. Pipe into a   while IFS=$'\n' read Filename ; do
> loop if you want to do something with the output. See:
>
>   https://lists.debian.org/debian-user/2021/03/msg01494.html
>
> for a real script (waiting on close-writeable-file, rather than just
> access) that I use a lot for stealing files from FireFox's cache
> (~/.cache/mozilla/firefox/foo.bar.profile/cache2/entries/).


  thanks!  very interesting!  :)

  thank you to others who replied also.  :)

  i was wondering if there was a general tool available as on
debian-devel they are talking about usr-merge and if there was a
simple way to find out who's using /bin and such instead of 
/usr/bin, but also the idea of being able to set up a honeypot
on your own system and see if any programs or processes you 
haven't done yourself are accessing it.  might give you a
warning of being hacked, but of course there are other things
going on in a system which you expect to access things so it
is an interesting way to find out what is happening...

  after many years and a lot of different things being set up
i think it is a good idea to keep an eye on what is happening.
especially with how things are going these days.


  songbird



Watching a directory, was Re: how would you do this?

2021-08-18 Thread David Wright
On Wed 18 Aug 2021 at 20:55:12 (-0400), songbird wrote:
>   let's suppose you have a directory where there are
> various scripts, libraries, programs, data, etc.
> 
>   you want to know exactly which other scripts, libraries,
> etc. use them and to log each caller to know the name so
> it can be tracked down (location would be nice too, but 
> that could be found later if needed).
> 
>   i don't need to keep the information in a database as
> just having the log file will be enough.
> 
>   how would you do this?
> 
>   this isn't a homework assignment i'm just curious how
> easy or hard this would be to accomplish.

Easy.

$ inotifywait -m -e access --timefmt "%F %T" --format "%T %f" the-directory/

To try it, just type in that line, using a sensible directory name.
(The package name to install first is inotify-tools.)

Change the formats to taste. Pipe into a   while IFS=$'\n' read Filename ; do
loop if you want to do something with the output. See:

  https://lists.debian.org/debian-user/2021/03/msg01494.html

for a real script (waiting on close-writeable-file, rather than just
access) that I use a lot for stealing files from FireFox's cache
(~/.cache/mozilla/firefox/foo.bar.profile/cache2/entries/).

Cheers,
David.
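The one-liner and the while-read loop above, put together into a small logger, as an added example that is not from the thread: it records a timestamp, the event type and the full path of each file touched in the watched directory, and drops the noise inotify produces for the directory inode itself. The log file name is an assumption; inotify-tools must be installed.

```shell
#!/bin/sh
# Added example, not code from the thread.  Usage: ./watch.sh the-directory/
# LOGFILE is an assumed name.  Note what inotify cannot report: the process
# that did the access; only the file and the kind of event are available.
LOGFILE="${LOGFILE:-./dir-access.log}"

# inotifywait flags events on the directory inode itself (e.g. ls reading it)
# with ISDIR in the event list; those are noise for this purpose.
is_file_event() {
    case "$1" in
        *ISDIR*) return 1 ;;
        *)       return 0 ;;
    esac
}

# Build one log record from the '|'-separated fields requested below:
# "<YYYY-MM-DD HH:MM:SS>|<EVENTS>|<watched-dir><file>".  Pure text
# processing, so it can be exercised without inotify.  Returns 1 and
# prints nothing for directory-level events.
format_event() {
    line=$1
    stamp=${line%%|*}; rest=${line#*|}
    events=${rest%%|*}; path=${rest#*|}
    is_file_event "$events" || return 1
    printf '%s %s %s\n' "$stamp" "$events" "$path"
}

# Monitor mode, quiet.  ACCESS fires on read(); OPEN is added because a
# binary being executed is opened and mmapped, which produces no ACCESS.
# %w is the watched path as given, so a trailing slash is forced on it.
watch_dir() {
    inotifywait -m -q -e access -e open --timefmt '%F %T' \
        --format '%T|%e|%w%f' "${1%/}/" |
    while IFS= read -r line; do
        format_event "$line" | tee -a "$LOGFILE"
    done
}

# Only start watching when a directory is given on the command line.
[ $# -eq 0 ] || watch_dir "$1"
```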