Jan-Pieter Cornet wrote:
> On Wed, Apr 02, 2008 at 10:50:59AM -0700, Dennis Peterson wrote:
>> Arthur Sherman wrote:
>>>> I use scripts now to monitor user space for new php code.
>>> Could you share these scripts?
>> On a Solaris system you can use the built-in aset tool, and for any
>> Unix/Linux system you can use trip-wire or Cfengine.
>
> Or in plain old sh:
>
> touch /tmp/lastscan.tmp
> find /path/to/documentroot -newer /tmp/lastscan -name \*.php
> mv /tmp/lastscan.tmp /tmp/lastscan

Yep - absolutely. But the other tools return what is needed plus the rest of what a good admin should be looking at, too. "Find" is just a bit too granular for this kind of thing, at least in my tool kit. Rather than writing a find loop for cores, changed files of a certain type, another for perl scripts, etc., a tool like trip-wire does it all in one go.

But "find" does demonstrate how trivial tools can produce very valuable security information. Mostly what it tells me in fact is a user installed a new version of Wordpress :)

dp
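
The timestamp-file scan quoted above, written out as a reusable function. This is an added example, not part of the original thread; the function name `scan_new_php` and the separate state directory argument are assumptions of the example.

```shell
#!/bin/sh
# Added example: list PHP files changed since the previous scan.
# Usage: scan_new_php DOCROOT STATE_DIR   (both names are this example's own)
scan_new_php() {
    docroot=$1
    state=$2
    stamp="$state/lastscan"      # time of the previous scan
    next="$state/lastscan.tmp"   # time this scan started

    # Keep the stamps in a directory only the scanning user can write.
    # A fixed file name in world-writable /tmp can be pre-created or
    # replaced by any other local user.
    mkdir -p "$state" && chmod 700 "$state" || return 1

    # Take the new timestamp before scanning, so a file written while
    # find is running is reported on the next run instead of being missed.
    touch "$next" || return 1

    if [ -f "$stamp" ]; then
        find "$docroot" -type f -newer "$stamp" -name '*.php' -print
    else
        # First run: there is no baseline yet, so list every PHP file.
        find "$docroot" -type f -name '*.php' -print
    fi

    # Promote the start-of-scan timestamp to be the next baseline.
    mv "$next" "$stamp"
}

# Run directly as: script.sh /path/to/documentroot /path/to/state
if [ "$#" -eq 2 ]; then
    scan_new_php "$1" "$2"
fi
```

Comparing on mtime only catches files whose timestamp moved forward; a file whose mtime was set back with `touch -t` will not be listed, which is one reason the checksum-based tools named in the thread report more.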