oreilly.comSafari Books Online.Conferences.


AddThis Social Bookmark Button

Mac Security: Identifying Changes to the File System
Pages: 1, 2, 3, 4

Say Hello to mtree

mtree is a tool that comes from the Macintosh's BSD heritage. It is designed to do quite a few things, but its original purpose was to map a directory tree so that you could later check the permissions were still valid or recreate them on another machine. First, it allows you to create a specification file of a portion of your directory that records the following:

  • All of the directory paths.
  • All of the files within the directories.
  • The ownerships and permissions of the files and directories.
  • The size, creation, modification times, and checksums of the files.

From this specification file, you can:

  1. Compare the specification to the current file system and report the differences.
  2. Apply the permissions and ownerships from the specification to the file system to restore the correct values.
  3. Recreate the directory structure elsewhere with all of its ownerships and permissions.

There's much more that mtree can do, but for our purposes, option one looks like an interesting avenue, especially as mtree did not appear in the preceding list of common rootkit tools. We're going to create a couple of programs that can report changes to the files on a computer. My root volume has 455,123 files on it, so any tool that can help me check through them all to find the changes is a big help. Let's write some code:


# The volume that we want to check

# The file of directories to exclude

# Where we write the report to

/usr/sbin/mtree -Pcx -k flags,gid,mode,uid,size,cksum \
                -X $EXCLUDE -p $TOCHECK > $REPORT

The first variable is TOCHECK and is the volume that we want to check, in my case, the root volume of my system. This is followed by EXCLUDE, which is the name of a file containing a list of files and directories that I do not want included in the check (we will come to this list later), and finally, REPORT is where we will write our report. Once run (and it will need to be run as root), it will create a specification file that documents all of the files and directories and their associated data. On my Macintosh, it takes around 19 minutes to process 14GB of data. Let's call this mtree_build.

A quick run through the parameters (all of which are available from the man page): the P stops mtree from following symbolic links but treats them as files. The c tells mtree write the specification that it creates to standard out, where we will capture it into REPORT. The x stops mtree from crossing mount points; this means that if you have an external hard drive attached, then mtree will not include it in the specification it creates. The -k tells mtree the sort of information that we want to record about the files and directories that it encounters. Specifically:

  • flags: The flags the file or directory has.
  • gid: The ID of the group that owns the file or directory.
  • mode: The permissions of the file or directory.
  • uid: The ID of the user who owns the file or directory.
  • size: The size of the file in bytes.
  • cksum: The checksum of the file.

There are other flags, but these will allow us to monitor if a file or directory's ownership, permissions, or contents have changed, and that is enough for our purposes. Now we have a specification; we need some means of checking it against the current file system to see what has changed. Another piece of code is called for:


# The volume that we want to check

# The file of directories to exclude

# the old specification

# Where to write the report to

/usr/sbin/mtree -Px -k flags,gid,mode,uid,size,cksum \
                -X $EXCLUDE -p $TOCHECK \
                -f $SPECIFICATION > $REPORT

Strangely similar to the first piece of code with only one change, we are no longer creating the specification (dropping the c flag), but reading it from the file we created in the first script (by adding the -f flag). mtree then compares the current file system against the SPECIFICATION and when it finds any difference, files, or directories added or removed, permission and ownership changes, or contents altered, it will write to REPORT. Let's call this mtree_check and, after a suitable interval, run it, again as root, and look at the report.

Pages: 1, 2, 3, 4

Next Pagearrow