LinuxQuestions.org
Old 01-28-2011, 02:16 AM   #1
barunparichha
Member
 
Registered: Jun 2006
Location: Bangalore,india
Distribution: Linux(Redhat,fedora,suse,ubantu), Solaris (s8/s9/s10/nevada/open-solaris)
Posts: 303

Rep: Reputation: 32
shell/perl Script for file record


Hi,
I want to write a cron job for a script which should list out
1. new files added, owner of this file, date.
2. if some file deleted, by whom and date.

How can I write this script ?
Any idea would help me a lot.

Thanks,
Barun Parichha
 
Old 01-28-2011, 02:38 PM   #2
gb2312
LQ Newbie
 
Registered: Dec 2005
Posts: 20

Rep: Reputation: 6
I don't know if it's possible to figure out who deleted what file just from shell script, but maybe this program "iwatch" can help (I've never used it):

http://iwatch.sourceforge.net/index.html
 
Old 01-31-2011, 11:42 PM   #3
barunparichha
Member
 
Registered: Jun 2006
Location: Bangalore,india
Distribution: Linux(Redhat,fedora,suse,ubantu), Solaris (s8/s9/s10/nevada/open-solaris)
Posts: 303

Original Poster
Rep: Reputation: 32
I can think of two possible approaches at this moment:

1. Based on Inode table changes:
Is there any command available, which will trigger some script for inode-table changes ?

2. Based on storage of files in an array:
Info for files in the folder will be stored in an array. And a cron job would check if files in the array are available in the folder. New files would be added to the tail of the array.
 
Old 02-05-2011, 02:25 PM   #4
gb2312
LQ Newbie
 
Registered: Dec 2005
Posts: 20

Rep: Reputation: 6
Looking at iwatch documentation, it can probably start a script whenever files changed:

http://iwatch.sourceforge.net/documentation.html

I don't know if you can get who deleted a file though.

Renaming is a major problem for method two: "mv a b" would be interpreted as "rm a" and "create b".

If you can accept the shortcoming of not knowing who changed/deleted files, I think using a combination of method 1 + 2 might work like this:

* assume the script is run by cron periodically to check what changed below a certain directory

* use command find to build a listing of files under that directory containing: i-node number, modification timestamp, pathname

For example (see man find, just an example)
Quote:
$ find /tmp/test -printf '%i %T@ %p\n'
1586145 1296936601.0000000000 /tmp/test
1586146 1296936591.0000000000 /tmp/test/a.txt
1586147 1296936594.0000000000 /tmp/test/b.txt
1586148 1296936604.0000000000 /tmp/test/c
1586149 1296936604.0000000000 /tmp/test/c/c.txt
* Now you can sort this list by i-node number and save as a snapshot of the directory

* Every time the script runs, it generates a new snapshot and compares it with the old one:

@ missing old inode: old file/directory deleted
@ same inode: compare timestamp and pathname for change
@ new inode: new file/directory created

* You might want to investigate more timestamps (man 2 stat: st_ctime), adding file type (file or directory) and other attributes for report (man find)
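
The snapshot comparison described in the post above, written out as an added example (it is not code from the thread). The function names `take_snapshot` and `compare_snapshots` are hypothetical, and `take_snapshot` assumes GNU find, since `-printf` is not available in Solaris `/usr/bin/find`.

```shell
#!/bin/sh
# Added example: directory snapshots keyed on i-node number.
# take_snapshot / compare_snapshots are hypothetical names, not from the thread.

# Print "inode mtime path" for everything under $1, sorted by i-node.
# Assumes GNU find (-printf).
take_snapshot() {
    find "$1" -printf '%i %T@ %p\n' | sort -n
}

# Compare two snapshot files ($1 = old, $2 = new); print one event per line
# as "<event><TAB><path>". Paths containing newlines are not supported.
compare_snapshots() {
    awk -v old="$1" '
        # Split "inode mtime path" but keep spaces inside the path.
        function parse(line) {
            ino = line; sub(/ .*/, "", ino)
            rest = substr(line, length(ino) + 2)
            mt = rest; sub(/ .*/, "", mt)
            path = substr(rest, length(mt) + 2)
        }
        # Load the old snapshot into tables indexed by i-node.
        BEGIN {
            while ((getline l < old) > 0) {
                parse(l); omt[ino] = mt; opath[ino] = path
            }
        }
        # Walk the new snapshot and classify each i-node.
        {
            parse($0); seen[ino] = 1
            if (!(ino in opath))          print "created\t" path
            else if (opath[ino] != path)  print "renamed\t" opath[ino] " -> " path
            else if (omt[ino] != mt)      print "modified\t" path
        }
        # Old i-nodes that never showed up again were deleted.
        END { for (i in opath) if (!(i in seen)) print "deleted\t" opath[i] }
    ' "$2" | LC_ALL=C sort
}

# Typical cron use:
#   take_snapshot DIR > snap.new
#   compare_snapshots snap.old snap.new >> changes.log
#   mv snap.new snap.old
```

A filesystem may reuse an i-node number after a deletion, so a delete followed by a create between two runs can be reported as a rename. As noted in the thread, this approach does not record who made a change.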
 
Old 02-10-2011, 06:19 AM   #5
barunparichha
Member
 
Registered: Jun 2006
Location: Bangalore,india
Distribution: Linux(Redhat,fedora,suse,ubantu), Solaris (s8/s9/s10/nevada/open-solaris)
Posts: 303

Original Poster
Rep: Reputation: 32
Cron job:

Code:
*/2 * * * * /usr/bin/sh Myscript.sh
Myscript.sh :

Code:
#Script to run once every 2 mins
#RecFile stores all transaction info
touch RecFile
#PrevList contains old filenames
touch PrevList
#PresList contains present filenames
ls -l| tr -s ' '| cut -d ' ' -f9 >PresList
#Writing files added to Record (comm -13: lines only in PresList)
echo "Files Added:\c" >>RecFile
for i in `comm -13 PrevList PresList`
do
echo "$i \c" >>RecFile
done
#Writing files removed to record (comm -13: lines only in PrevList)
echo ":Files Removed:\c" >>RecFile
for i in `comm -13 PresList PrevList`
do
echo "$i \c">>RecFile
done
echo ":`date`\n">>RecFile
#Store present filelists to PrevList
mv PresList PrevList
 
Old 02-10-2011, 07:33 AM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by barunparichha View Post
I want to write a cron job for a script which should list out 1. new files added, owner of this file, date. 2. if some file deleted, by whom and date.
Is there a specific reason for doing or needing that? I'm asking because logging this type of auditing information doesn't need re-invention of the wheel. It is already provided for if you run the auditd service on a system with an audit-enabled kernel: just configure system call logging. Then with the accompanying reporting tools you can query the log for any creation / deletions.
 
Old 02-11-2011, 12:21 AM   #7
barunparichha
Member
 
Registered: Jun 2006
Location: Bangalore,india
Distribution: Linux(Redhat,fedora,suse,ubantu), Solaris (s8/s9/s10/nevada/open-solaris)
Posts: 303

Original Poster
Rep: Reputation: 32
I agree with unSpawn's comment.
But I don't see any alternate way except writing a new script.
I am using a Solaris 10 machine and I don't know if this is audit-enabled.

Is there a mechanism to find out the command or user who deleted the file?
 
Old 02-11-2011, 05:26 PM   #9
XavierP
Moderator
 
Registered: Nov 2002
Location: Kent, England
Distribution: Debian Testing
Posts: 19,192
Blog Entries: 4

Rep: Reputation: 475
Moved: This thread is more suitable in Solaris and has been moved accordingly to help your thread/question get the exposure it deserves.
 
Old 02-13-2011, 02:43 AM   #10
jlliagre
Moderator
 
Registered: Feb 2004
Location: Outside Paris
Distribution: Solaris 11.4, Oracle Linux, Mint, Debian/WSL
Posts: 9,789

Rep: Reputation: 492
There are several ways to do it under Solaris. One would be to use a simple dtrace script which would report in real time every plain file creation and deletion. That one will do the job:

Code:
#!/usr/sbin/dtrace -qws
BEGIN
{
        printf("%6s\t%6s\t%12s\t%6s\t%s\n", "PID","UID","CMD","ACTION","FILE");
}
fop_create:entry
{
        self->create=args[5];
}
fop_create:return
/self->create/
{
        printf("%6d\t%6d\t%12s\tcreate\t%s\n", pid, uid, execname, stringof(((*self->create)->v_path)));
        self->create=0;
}

fop_remove:entry
{
        printf("%6d\t%6d\t%12s\tremove\t%s/%s\n", pid, uid, execname, stringof(args[0]->v_path), stringof(args[1]));
}
If you want something more configurable and integrated, you can also explore BSM (auditing framework) and Solaris extended accounting capabilities.

http://download.oracle.com/docs/cd/E...7q8/index.html
http://download.oracle.com/docs/cd/E...t-6/index.html
 
Old 02-14-2011, 03:07 AM   #11
barunparichha
Member
 
Registered: Jun 2006
Location: Bangalore,india
Distribution: Linux(Redhat,fedora,suse,ubantu), Solaris (s8/s9/s10/nevada/open-solaris)
Posts: 303

Original Poster
Rep: Reputation: 32
dtrace can be used only in super user mode.
What can be done as a normal user?
 
Old 02-14-2011, 11:21 AM   #12
jlliagre
Moderator
 
Registered: Feb 2004
Location: Outside Paris
Distribution: Solaris 11.4, Oracle Linux, Mint, Debian/WSL
Posts: 9,789

Rep: Reputation: 492
Knowing what files are created and deleted and by whom is sensitive information. The user requiring this information needs to be granted the required privilege. It need not necessarily be root though.
 
  

