我怎样才能在linux中找到可疑文件

时间:2022-04-20 04:29:15

I'm trying to make my own ls. Furthermore, I want to implement secure ls option which can find suspicious files in whole linux system. I have to make a decision with only two information.(location of file, file attribute)

我正在尝试制作自己的ls。此外,我想实现安全的ls选项,可以在整个linux系统中找到可疑文件。我只需要两个信息做出决定。(文件位置,文件属性)

How can i determine which file is suspicious?

如何确定哪个文件可疑?

I found some example.

我找到了一些例子。

ex)

  • /dev/ setuid # if there is setuid file in /dev, then warning
  • / dev / setuid#如果/ dev中有setuid文件,则警告

  • /etc/ .file # if there is file which is start with character '.' in /etc, then warning
  • / etc / .file#如果有以字符“。”开头的文件。在/ etc中,然后警告

  • / worldwritable # If there is 777 permision file in whole directory
  • / worldwritable#如果整个目录中有777 permision文件

  • / setgid # If there is setgid file file in whole directory
  • / setgid#如果整个目录中有setgid文件文件

Please give me your idea!

请把你的想法告诉我!

(I think there is no right answer but i just want your reasonable idea)

(我认为没有正确的答案,但我只是想要你的理由)

1 个解决方案

#1


Well, we cannot tell you what files you consider "suspicious"...

好吧,我们不能告诉你你认为哪些文件“可疑”......

Your description sounds like you want to implement a "rule catalog" you test all result entries against, but that is very vague. The general approach would be to feed each entry in the raw result of the file listing (what ls usually does) into some logic that applies all rules in the catalog to the entry. If one rule matches (comes out true), then you have a match. Sounds like a good example of a utility coded in C language with the rules coded in Lua (as plugins). That would offer great extensibility. HOwever keep in mind the extreme performance overhead you create!

您的描述听起来像是要实施一个“规则目录”来测试所有结果条目,但这是非常模糊的。一般方法是将文件列表的原始结果中的每个条目(通常做什么)提供给将目录中的所有规则应用于条目的逻辑。如果一个规则匹配(出现真实),那么你就匹配了。听起来像是用C语言编写的实用程序的一个很好的例子,其规则用Lua编码(作为插件)。这将提供很大的可扩展性。请记住您创建的极端性能开销!

Usually a different strategy is used: the package management on most Linux systems allows to decide if a file is "owned" by an installed package and if it has been modified. This could come in handy here: you check the "owning" package for each file in typical locations like /etc, /var, /srv, if it is not owned by any package, then that is what I would call suspicious, since it hints on a "wild installed package", so someone having bypassed the package management.

通常使用不同的策略:大多数Linux系统上的包管理允许确定文件是否由已安装的包“拥有”以及是否已被修改。这可以派上用场:在/ etc,/ var,/ srv等典型位置检查每个文件的“拥有”包,如果它不归任何包所有,那么这就是我称之为可疑的,因为它提示“野生安装包”,所以有人绕过了包管理。

#1


Well, we cannot tell you what files you consider "suspicious"...

好吧,我们不能告诉你你认为哪些文件“可疑”......

Your description sounds like you want to implement a "rule catalog" you test all result entries against, but that is very vague. The general approach would be to feed each entry in the raw result of the file listing (what ls usually does) into some logic that applies all rules in the catalog to the entry. If one rule matches (comes out true), then you have a match. Sounds like a good example of a utility coded in C language with the rules coded in Lua (as plugins). That would offer great extensibility. HOwever keep in mind the extreme performance overhead you create!

您的描述听起来像是要实施一个“规则目录”来测试所有结果条目,但这是非常模糊的。一般方法是将文件列表的原始结果中的每个条目(通常做什么)提供给将目录中的所有规则应用于条目的逻辑。如果一个规则匹配(出现真实),那么你就匹配了。听起来像是用C语言编写的实用程序的一个很好的例子,其规则用Lua编码(作为插件)。这将提供很大的可扩展性。请记住您创建的极端性能开销!

Usually a different strategy is used: the package management on most Linux systems allows to decide if a file is "owned" by an installed package and if it has been modified. This could come in handy here: you check the "owning" package for each file in typical locations like /etc, /var, /srv, if it is not owned by any package, then that is what I would call suspicious, since it hints on a "wild installed package", so someone having bypassed the package management.

通常使用不同的策略:大多数Linux系统上的包管理允许确定文件是否由已安装的包“拥有”以及是否已被修改。这可以派上用场:在/ etc,/ var,/ srv等典型位置检查每个文件的“拥有”包,如果它不归任何包所有,那么这就是我称之为可疑的,因为它提示“野生安装包”,所以有人绕过了包管理。