Say Hello to
mtree is a tool that comes from the Macintosh's BSD heritage. It is designed to do quite a few things, but its original purpose was to map a directory tree so that you could later check the permissions were still valid or recreate them on another machine. First, it allows you to create a specification file of a portion of your directory that records the following:
- All of the directory paths.
- All of the files within the directories.
- The ownerships and permissions of the files and directories.
- The size, creation, modification times, and checksums of the files.
From this specification file, you can:
- Compare the specification to the current file system and report the differences.
- Apply the permissions and ownerships from the specification to the file system to restore the correct values.
- Recreate the directory structure elsewhere with all of its ownerships and permissions.
There's much more that
mtree can do, but for our purposes, option one looks like an interesting avenue, especially as
mtree did not appear in the preceding list of common rootkit tools. We're going to create a couple of programs that can report changes to the files on a computer. My root volume has 455,123 files on it, so any tool that can help me check through them all to find the changes is a big help. Let's write some code:
#!/bin/sh # The volume that we want to check TOCHECK=/ # The file of directories to exclude EXCLUDE=/usr/local/etc/mtree_exclude_list # Where we write the report to REPORT=/Volumes/Overflow/mtree_spec /usr/sbin/mtree -Pcx -k flags,gid,mode,uid,size,cksum \ -X $EXCLUDE -p $TOCHECK > $REPORT
The first variable is
TOCHECK and is the volume that we want to check, in my case, the root volume of my system. This is followed by
EXCLUDE, which is the name of a file containing a list of files and directories that I do not want included in the check (we will come to this list later), and finally,
REPORT is where we will write our report. Once run (and it will need to be run as root), it will create a specification file that documents all of the files and directories and their associated data. On my Macintosh, it takes around 19 minutes to process 14GB of data. Let's call this
A quick run through the parameters (all of which are available from the
man page): the
mtree from following symbolic links but treats them as files. The
mtree write the specification that it creates to standard out, where we will capture it into
mtree from crossing mount points; this means that if you have an external hard drive attached, then
mtree will not include it in the specification it creates. The
mtree the sort of information that we want to record about the files and directories that it encounters. Specifically:
flags: The flags the file or directory has.
gid: The ID of the group that owns the file or directory.
mode: The permissions of the file or directory.
uid: The ID of the user who owns the file or directory.
size: The size of the file in bytes.
cksum: The checksum of the file.
There are other flags, but these will allow us to monitor if a file or directory's ownership, permissions, or contents have changed, and that is enough for our purposes. Now we have a specification; we need some means of checking it against the current file system to see what has changed. Another piece of code is called for:
#!/bin/sh # The volume that we want to check TOCHECK=/ # The file of directories to exclude EXCLUDE=/usr/local/etc/mtree_exclude_list # the old specification SPECIFICATION=/Volumes/Overflow/mtree_spec # Where to write the report to REPORT=/Volumes/Overflow/mtree_report /usr/sbin/mtree -Px -k flags,gid,mode,uid,size,cksum \ -X $EXCLUDE -p $TOCHECK \ -f $SPECIFICATION > $REPORT
Strangely similar to the first piece of code with only one change, we are no longer creating the specification (dropping the
c flag), but reading it from the file we created in the first script (by adding the
mtree then compares the current file system against the
SPECIFICATION and when it finds any difference, files, or directories added or removed, permission and ownership changes, or contents altered, it will write to
REPORT. Let's call this
mtree_check and, after a suitable interval, run it, again as root, and look at the report.