
I want to be able to instrument and analyze a prebuilt server and get a list of every file read.

I would also like to determine which of those files were read by the kernel to execute a program or load a library, and which were just read by an application.

I thought it would be simple. SELinux is deny-by-default, and in permissive mode it logs everything. So, install it with no rules, run it in permissive mode, and everything should be logged.

Note this question is related to this one on Security SE as I am experiencing something similar to that poster. Then there is the issue that running under SELinux or any of the other auditing packages would introduce substantial load and possibly change the behavior of the system under observation.

  • Why SELinux when auditd would most likely do? Commented Oct 6, 2023 at 21:11
  • Because I don't want "most likely", I want to definitely get the complete list. Commented Oct 8, 2023 at 6:32
  • This sounds like an XY problem. What are you really trying to do? How will this list of files help? What about duplicates? What's a "prebuilt server"? Wouldn't strace -e open ... do it? man strace. Commented Oct 18, 2023 at 0:00
  • A prebuilt server: a server someone else built. Commented Dec 15, 2023 at 21:21
  • strace would work if every command invoked were run under strace. Commented Oct 13, 2024 at 4:54
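The strace route raised in the comments, worked through as an added example (this is not code from the question or from any commenter): capture a process tree with `strace -f -o trace.log -e trace=execve,openat,mmap,close -- <cmd>` (real strace options), then classify each path as executed (a successful execve), loaded as a library (an openat whose descriptor the same PID later mmaps with PROT_EXEC), or merely read (any other successful openat). The sample trace lines are constructed, not a real capture. As the last comment says, this only sees what runs under strace; the parser also skips strace's `<unfinished ...>` / `<... resumed>` split lines, which a multi-threaded trace needs rejoined before classification.

```shell
#!/bin/sh
# Added example: classify files touched by a traced process tree.
# Assumes a trace taken with (every line prefixed by a PID):
#   strace -f -o trace.log -e trace=execve,openat,mmap,close -- <cmd>
# Caveat: "<unfinished ...>" / "<... resumed>" lines carry no "= N" result
# and are skipped here; a multi-threaded trace needs them rejoined first.

# Read strace -f -o output on stdin; print "kind|path", one line per path.
classify_trace() {
    awk '
    {
        pid = $1                               # leading PID written by strace -f -o
        n = split($0, rv, " = "); ret = rv[n]  # syscall result: text after the last " = "
    }
    # execve("/path", [...], ...) = 0  -> the kernel executed this file
    /execve\(/ && ret == "0" {
        match($0, /execve\("[^"]*"/)
        p = substr($0, RSTART + 8, RLENGTH - 9)
        kind[p] = "exec"
        next
    }
    # openat(AT_FDCWD, "/path", flags) = fd  -> remember fd -> path for this PID
    /openat\(/ && ret ~ /^[0-9]+$/ {
        match($0, /"[^"]*"/)
        p = substr($0, RSTART + 1, RLENGTH - 2)
        fd[pid, ret] = p
        if (!(p in kind)) kind[p] = "read"     # never downgrade an exec/library verdict
        next
    }
    # mmap(addr, len, PROT_..., MAP_..., fd, off) with PROT_EXEC -> that fd is a library
    /mmap\(/ && /PROT_EXEC/ {
        match($0, /mmap\([^)]*\)/)
        na = split(substr($0, RSTART + 5, RLENGTH - 6), a, ", ")
        if (na >= 6 && ((pid, a[5]) in fd) && kind[fd[pid, a[5]]] != "exec")
            kind[fd[pid, a[5]]] = "library"
        next
    }
    # close(fd) = 0 -> the number may be reused by this PID, drop the mapping
    /close\(/ && ret == "0" {
        match($0, /close\([0-9]+\)/)
        delete fd[pid, substr($0, RSTART + 6, RLENGTH - 7)]
    }
    END { for (p in kind) print kind[p] "|" p }
    ' | sort
}

# Constructed sample in strace -f -o format (not a real capture): cat loads libc
# through the dynamic loader, reads /etc/passwd, and fails to open a missing file.
sample_trace() {
    cat <<'EOF'
1001 execve("/usr/bin/cat", ["cat", "/etc/passwd"], 0x7ffd1c2e0a40 /* 20 vars */) = 0
1001 openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
1001 close(3) = 0
1001 openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
1001 mmap(NULL, 1974272, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f0c4a000000
1001 close(3) = 0
1001 openat(AT_FDCWD, "/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
1001 close(3) = 0
1001 openat(AT_FDCWD, "/etc/nosuch.conf", O_RDONLY) = -1 ENOENT (No such file or directory)
1001 +++ exited with 0 +++
EOF
}

# Run with --demo to classify the constructed sample; otherwise only define the functions.
if [ "${1:-}" = "--demo" ]; then sample_trace | classify_trace; fi
```

Against a real capture, `classify_trace < trace.log` gives the same `kind|path` list. The fd-to-path table is keyed by PID because descriptor numbers are reused after close and are private to each process, so a library verdict is only drawn when the PROT_EXEC mmap comes from the PID that opened the file. Failed opens are deliberately dropped: they are not files that were read.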

1 Answer


One of the requirements for my application is to not add dependencies.

For my purposes, it's not that important why the file was read, whether as an executable or as a configuration file. Since the kernel records these events back into the file system for most file systems, I realized I just need to extract that data from the inode stats.

%T@ prints creation time and %A@ prints access time, so if those are almost the same, the file has not been modified since installation.

I do recommend mounting with lazytime for best results.

    # Create a PSV file (pipe-separated values) containing path|creation_time|access_time
    # -type f: regular files only; -printf: %p = path, %T@ = last modification time,
    # %A@ = last access time, both as seconds since the epoch (GNU find)
    find / -type f -printf "%p|%T@|%A@\n" > logfile.psv

Why the "|"? Some Ubuntu firmware modules have a "," in their name, so that's not a good separator. Given the importance of the "|" symbol, I settled on that.

Combined with a simple "package exploder", when we find a file that hasn't been used recently we can cross-reference the installation package it came from.

  • For an upvote, explain what your find options do, and why the ones you chose are important to solving the problem you faced. Commented Nov 23, 2023 at 6:55
  • Note that in bash, setting find_args to an array like that and then using $find_args would only give you the first element of the array. It would probably be good to mention what shell you're using (zsh?). Commented Oct 11, 2024 at 19:16
  • Also, it seems to me that your find command just lists all regular files on the root partition. It doesn't seem to be related specifically to "files read by the kernel". Commented Oct 11, 2024 at 19:18
  • I use Dash to run all scripts that it can handle, but the find_args array was just a convenience. To simplify the code, I'll remove it, and I'll take your word for it making the code more shell-compatible. Commented Oct 13, 2024 at 4:50
  • I don't understand. If you can't have external dependencies, how can you use find? How can find be OK and Perl or Python not? Commented Oct 13, 2024 at 17:19
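As an added example (not the answer's own code), here is what a practitioner would do with the PSV once it exists. Two facts matter: in GNU find, %T@ is the file's last modification time, not its creation time; and under the kernel's default relatime mount option a read updates atime whenever atime is not newer than mtime. So atime > mtime means the file was read at least once after it was last written, while atime <= mtime means no read has been recorded since then. A noatime mount never updates atime and makes every file look unread, so check the mount options first with `findmnt -no OPTIONS /`. The block classifies each PSV line on that basis and joins the result to package ownership; the package map is constructed for the demo, and `build_dpkg_map` shows how to build a real one from dpkg's /var/lib/dpkg/info/*.list files, which assumes a Debian-based system. All sample data is constructed.

```shell
#!/bin/sh
# Added example: turn the find PSV (path|mtime|atime) into a reviewed list.
# GNU find: %T@ = last modification time, %A@ = last access time (seconds.fraction).
# Under the default relatime option, atime > mtime means "read since last written";
# atime <= mtime means no recorded read since then. A noatime mount defeats this.

# stdin: "path|mtime|atime" lines from find -printf; stdout: "status|path".
atime_status() {
    awk -F'|' '
    NF == 3 {
        # find prints 10 fractional digits; awk doubles keep ~15-16 significant
        # digits, so sub-microsecond differences compare as equal here.
        if ($3 + 0 > $2 + 0) print "read-since-modified|" $1
        else                 print "unread-since-modified|" $1
    }'
}

# Assumption: Debian/Ubuntu, where /var/lib/dpkg/info/<pkg>.list holds each
# package's paths. Emits "pkg|path" lines for join_owner. Not run by the demo.
build_dpkg_map() {
    for f in /var/lib/dpkg/info/*.list; do
        pkg=$(basename "$f" .list)
        sed "s/^/$pkg|/" "$f"
    done
}

# $1: "pkg|path" map file; stdin: "status|path"; stdout: "status|pkg|path".
# Paths absent from every package list are reported as "unowned", which on a
# prebuilt server is exactly the set worth reading by hand.
join_owner() {
    awk -F'|' -v OFS='|' '
        NR == FNR { owner[$2] = $1; next }     # first file: the package map
        { print $1, (($2 in owner) ? owner[$2] : "unowned"), $2 }
    ' "$1" -
}

# Constructed demo input (not real find or dpkg output); prints the joined report.
demo() {
    map=$(mktemp) || return 1
    printf 'coreutils|/usr/bin/ls\nlibc6|/lib/x86_64-linux-gnu/libc.so.6\n' > "$map"
    printf '%s\n' \
        '/usr/bin/ls|1690000000.0000000000|1700000000.5000000000' \
        '/lib/x86_64-linux-gnu/libc.so.6|1690000000.0000000000|1690000000.0000000000' \
        '/opt/vendor/leftover.conf|1690000000.0000000000|1680000000.0000000000' \
        | atime_status | join_owner "$map"
    rm -f "$map"
}

# Run with --demo to print the constructed report; otherwise only define the functions.
if [ "${1:-}" = "--demo" ]; then demo; fi
```

On a real host the pipeline is `build_dpkg_map > pkgmap.psv` once, then `atime_status < logfile.psv | join_owner pkgmap.psv`. Keep the "|" separator the answer chose: package names and the paths in dpkg lists never contain it, so the join stays exact even for file names with commas or spaces.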
