On Thu 19 Aug 2021 at 08:01:24 (-0400), songbird wrote:
> David Wright wrote:
> > On Wed 18 Aug 2021 at 20:55:12 (-0400), songbird wrote:
> >> let's suppose you have a directory where there are
> >> various scripts, libraries, programs, data, etc.
> >>
> >> you want to know exactly which other scripts, libraries,
> >> etc. use them and to log each caller to know the name so
> >> it can be tracked down (location would be nice too, but
> >> that could be found later if needed).
> >>
> >> i don't need to keep the information in a database as
> >> just having the log file will be enough.
> >>
> >> how would you do this?
> >>
> >> this isn't a homework assignment i'm just curious how
> >> easy or hard this would be to accomplish.
> >
> > Easy.
> >
> > $ inotifywait -m -e access --timefmt "%F %T" --format "%T %f" the-directory/
> >
> > To try it, just type in that line, using a sensible directory name.
> > (The package name to install first is inotify-tools.)
> >
> > Change the formats to taste. Pipe into a while IFS=$'\n' read Filename ;
> > do
> > loop if you want to do something with the output. See:
> >
> > https://lists.debian.org/debian-user/2021/03/msg01494.html
> >
> > for a real script (waiting on close-writeable-file, rather than just
> > access) that I use a lot for stealing files from FireFox's cache
> > (~/.cache/mozilla/firefox/foo.bar.profile/cache2/entries/).
>
> thanks! very interesting! :)
>
> thank you to others who replied also. :)
>
> i was wondering if there was a general tool available as on
> debian-devel they are talking about usr-merge and if there was a
> simple way to find out who's using /bin and such instead of
> /usr/bin,
No, that's a different problem. My solution addresses a directory,
hence the change in Subject line. You'd have to dive deeper into
inotify and inotify_add_watch, to see whether you can specify the
inode of the /bin symlink separately from that for /usr/bin.
$ ls -Glidg /bin /usr/bin
12 lrwxrwxrwx 1 7 Apr 3 2020 /bin -> usr/bin
261634 drwxr-xr-x 2 69632 Aug 11 19:10 /usr/bin
$
> but also the idea of being able to set up a honeypot
> on your own system and see if any programs or processes you
> haven't done yourself are accessing it. might give you a
> warning of being hacked, but of course there are other things
> going on in a system which you expect to access things so it
> is an interesting way to find out what is happening...
>
> after many years and a lot of different things being set up
> i think it is a good idea to keep an eye on what is happening.
> especially with how things are going these days.
Cheers,
David.
