These are some meditations on using the *NIX 'find' command for security...
These are very quick ways of find the 'last access' on every file. 'Stat -x' is for OpenBSD. The grep 'file' contains:
File:
Access:
for i in `find /`; do echo $i `stat -x $i | grep "Access"`;done
find / | xargs stat -x | grep -f file | tr -d "[\042]"
On Linux or Cygwin:
for i in `find /cygdrive/C/Security`; do echo $i `stat $i | grep "Access" | grep -v Gid`;done
/cygdrive/C/Security Access: 2010-06-14 15:58:04.293000000 -0700
/cygdrive/C/Security Access: 2010-06-14 15:58:04.293000000 -0700
/cygdrive/C/Security/.PapersToAuthor.txt.swo Access: 2009-12-08 18:30:19.533000000 -0800
/cygdrive/C/Security/.PapersToAuthor.txt.swp Access: 2009-12-07 12:23:46.045000000 -0800
find /cygdrive/C/Security | xargs stat | grep -f file | grep -v Gid: | tr -d "[\042]"
File: `/cygdrive/C/Security/004.log'
Access: 2010-05-17 11:57:27.217000000 -0700
File: `/cygdrive/C/Security/05.13.10.log'
Access: 2010-05-13 11:47:53.292000000 -0700
File: `/cygdrive/C/Security/05.14.10.log'
Access: 2010-05-14 09:27:55.329000000 -0700
Now, I am looking at ways to use the find command per user. The purpose of this experiment is to understand why I get such different results for commands that would seemingly return only more detail for the same result...
find / -user rferrisx
find / -exec ls -l {} \; | awk '$3=="rferrisx" {print $3" "$9}'
find / -user rferrisx -exec ls -lhuS {} \; | awk '{print $3" "$5" "$9}'
bash-4.0# find / -user rferrisx
/home/rferrisx
/home/rferrisx/.ssh
/home/rferrisx/.ssh/authorized_keys
/home/rferrisx/.Xdefaults
/home/rferrisx/.cshrc
/home/rferrisx/.login
/home/rferrisx/.mailrc
/home/rferrisx/.profile
/home/rferrisx/.Xauthority
/dev/ttyp0
bash-4.0# find / -exec ls -l {} \; | awk '$3=="rferrisx" {print $3" "$9}'
rferrisx rferrisx
rferrisx .Xauthority
rferrisx .Xdefaults
rferrisx .cshrc
rferrisx .login
rferrisx .mailrc
rferrisx .profile
rferrisx .ssh
rferrisx authorized_keys
rferrisx /home/rferrisx/.ssh/authorized_keys
....
bash-4.0# find / -user rferrisx -exec ls -lhuS {} \; | awk '{print $3" "$5" "$9}'
root 28.6M 08Mar1142PST2010.in.1268074842
root 18.2M 08Mar1137PST2010.out.1268074837
root 2.7M 08Mar1142PST2010.in.log
root 1.6M 08Mar1142PST2010.in.p0f
root 258K 08Mar1137PST2010.out.log
root 154K 08Mar1137PST2010.out.p0f
rferrisx 773B .cshrc
rferrisx 512B .ssh
rferrisx 398B .login
rferrisx 218B .profile
...
Access: 2010-05-13 11:47:53.292000000 -0700
File: `/cygdrive/C/Security/05.14.10.log'
Access: 2010-05-14 09:27:55.329000000 -0700
....
Now, I am looking at ways to use the find command per user. The purpose of this experiment is to understand why I get such different results for commands that would seemingly return only more detail for the same result...
find / -user rferrisx
find / -exec ls -l {} \; | awk '$3=="rferrisx" {print $3" "$9}'
find / -user rferrisx -exec ls -lhuS {} \; | awk '{print $3" "$5" "$9}'
bash-4.0# find / -user rferrisx
/home/rferrisx
/home/rferrisx/.ssh
/home/rferrisx/.ssh/authorized_keys
/home/rferrisx/.Xdefaults
/home/rferrisx/.cshrc
/home/rferrisx/.login
/home/rferrisx/.mailrc
/home/rferrisx/.profile
/home/rferrisx/.Xauthority
/dev/ttyp0
bash-4.0# find / -exec ls -l {} \; | awk '$3=="rferrisx" {print $3" "$9}'
rferrisx rferrisx
rferrisx .Xauthority
rferrisx .Xdefaults
rferrisx .cshrc
rferrisx .login
rferrisx .mailrc
rferrisx .profile
rferrisx .ssh
rferrisx authorized_keys
rferrisx /home/rferrisx/.ssh/authorized_keys
....
bash-4.0# find / -user rferrisx -exec ls -lhuS {} \; | awk '{print $3" "$5" "$9}'
root 28.6M 08Mar1142PST2010.in.1268074842
root 18.2M 08Mar1137PST2010.out.1268074837
root 2.7M 08Mar1142PST2010.in.log
root 1.6M 08Mar1142PST2010.in.p0f
root 258K 08Mar1137PST2010.out.log
root 154K 08Mar1137PST2010.out.p0f
rferrisx 773B .cshrc
rferrisx 512B .ssh
rferrisx 398B .login
rferrisx 218B .profile
...
0 komentar:
Posting Komentar