"It is not uncommon for system administrators to have to drop
whatever they are working on to deal with the security problem du
jour. Some of these problems involve serious breaches of security.
In these cases, the first question asked is often, "What has the
intruder done?" In my recently released O'Reilly book, Perl for
System Administration, I begin the chapter on security and network
monitoring with a discussion of some of the available Perl tools
that can help answer this question. Here's an excerpt from that
chapter, which deals with finding changes made to a local

"Filesystems are an excellent place to begin our exploration
into change-checking programs. We're going to explore ways to check
if important files like operating system binaries and
security-related files (e.g., /etc/passwd or msgina.dll) have
changed. Changes to these files made without the knowledge of
the administrator are often signs of an intruder. There are some
relatively sophisticated cracker tool-kits available on the Net
that do a very good job of installing Trojan versions of important
files and covering up their tracks. That's the most malevolent kind
of change we can detect. On the other end of the spectrum,
sometimes it is just nice to know when important files have been
changed (especially in environments where multiple people
administer the same systems). The techniques we're about to explore
will work equally well in both cases."

"The easiest way to tell if a file has changed is to use the
Perl functions stat() and lstat(). These functions take a filename
or a filehandle and return an array with information about that
file. The only difference between the two functions manifests
itself on operating systems like Unix that support symbolic links.
In these cases lstat() is used to return information about the
target of a symbolic link instead of the link itself...."
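
As an added illustration of the stat()/lstat() comparison the excerpt describes (this is not code from the book or the article), the following Perl script records a baseline for a file and reports which attributes differ after the file is altered. The scratch file, the choice of tracked fields, and the helper names snapshot, differences and write_file are assumptions of this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempdir);

# Fields of the 13-element list returned by stat()/lstat() worth tracking.
# atime (index 8) is left out because merely reading a file changes it.
my %FIELD = (dev => 0, ino => 1, mode => 2, nlink => 3, uid => 4,
             gid => 5, size => 7, mtime => 9, ctime => 10);

# Record the tracked fields for one path. Per perldoc, lstat() reports on
# a symbolic link itself, while stat() follows the link to its target.
sub snapshot {
    my ($path) = @_;
    my @st = lstat($path) or return;     # empty list: path is missing
    return { map { $_ => $st[$FIELD{$_}] } keys %FIELD };
}

# Compare two snapshots and return a list of human-readable differences.
sub differences {
    my ($old, $new) = @_;
    return ('file is missing') unless $new;
    return map  { sprintf('%s: %s -> %s', $_, $old->{$_}, $new->{$_}) }
           grep { $old->{$_} != $new->{$_} } sort keys %FIELD;
}

# Constructed sample: a scratch file standing in for a watched file.
my $dir  = tempdir(CLEANUP => 1);
my $file = "$dir/passwd.sample";
write_file($file, "root:x:0:0:root:/root:/bin/sh\n");
chmod 0644, $file or die "chmod: $!";
my $baseline = snapshot($file) or die "lstat $file: $!";

# Simulate an unannounced change: one more line, looser permissions.
write_file($file, "root:x:0:0:root:/root:/bin/sh\ntoor:x:0:0::/:/bin/sh\n");
chmod 0666, $file or die "chmod: $!";

my @changes = differences($baseline, snapshot($file));
if (@changes) { print "$file $_\n" for @changes }
else          { print "$file unchanged\n" }

sub write_file {
    my ($path, $text) = @_;
    open my $fh, '>', $path or die "open $path: $!";
    print {$fh} $text;
    close $fh or die "close $path: $!";
}
```

Size, mode and timestamps can all be reset by whoever altered the file, so a comparison like this flags careless or routine changes; pairing it with a content digest stored off the host covers the case where the metadata has been restored.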