.\" $HeadURL$ $LastChangedRevision$
.pso ade-config --format=man
.so \*[ade_include_prefix]/ade.man
.TH FADSCAN 1 "ADE_APP_TOKEN_RELEASE_DATE_MAN"
.ne 5
.SH NAME
fadscan \- filesystem scanner
.br
.ne 5
.SH SYNOPSIS
.B fadscan
\*[ade_standard_synopsis_component]
[
.B \-\-no\-crcs
]
[
.B \-m
.I addr
|
.B \-\-mail=\fIaddr
]
[
.B \-\-log\-dir=\fIlogdir
]
[
.B \-\-state\-dir=\fIsttdir
]
{ {
.B \-i
|
.B \-\-mode\-init
|
.B \-c
|
.B \-\-mode\-check
|
.B \-r
|
.B \-\-mode\-refresh
}
.I scanid
.I filelist-file
|
{
.B \-s
|
.B \-\-mode\-schedule
}
.I scanid
}
.br
.ne 5
.SH DESCRIPTION
.B Fadscan
is designed to be run on a day by day basis, reporting differences between the state of a specified set of files on a previous occasion and their state at runtime.
.PP
.B Fadscan
is useful as a security tool, and as a tool to remind the forgetful sysadmin to log system configuration changes, and for those who are simply curious what is happening on their system.
.PP
.B Fadscan
operates in four modes: initialize, check, refresh and schedule, which correspond to the options
.B \-i\fR,
.B \-c\fR,
.B \-r\fR
and
.B \-s\fR.
In the first three modes,
.B fadscan
operates on a fileset defined by the command-line parameters
.I scanid
and
.I filelist-file\fR,
where
.I scanid
is used to determine the names of the state and log files to which it will write, and
.I filelist-file
is a file containing a list of files to scan for changes, one per line. If this file is
.B \-
then the list is read from standard input. In schedule mode, the
.I filelist-file
parameter is not required.
.PP
In initialize mode,
.B fadscan
scans the listed files recording various attributes of each of them. This information is written in gzipped (see
.B gzip\fR(1))
.B Data::Dumper\fR(3pm)
format, and is preserved to facilitate subsequent checks and refreshes. This file is called the base snapshot. The base snapshot will be overwritten by subsequent initializes, refreshes or post-schedule checks.
.PP
In refresh mode,
.B fadscan
scans the listed files reporting important differences in the state of any of them. Additionally it refreshes the base snapshot. Subsequent checks and refreshes will then compare the fileset with the refreshed base snapshot file.
.PP
In schedule mode,
.B fadscan
schedules a refresh to be made at the next invocation in check mode. It does this by creating a schedule file, which is detected the next time
.B fadscan
is run in check mode. This is intended to facilitate refreshing when fadscan is invoked by
.B cron\fR(8)
in check mode. See
.B EXAMPLES
below for further explanation of operating
.B fadscan
with
.B cron\fR(8).
.PP
In check mode,
.B fadscan
scans the listed files reporting differences in the state of any of the files. If the check is a post-scheduled check, then the temporary base snapshot, created during the scan, is preserved to become the new base snapshot, and the schedule file is deleted.
.PP
.ne 5
.SH CONFIGURATION
The filelist file is most easily prepared using the
.B find\fR(1)
command and then piped into
.B fadscan
(so using
.B \-
to specify the filelist file).
.ne 5
.SH OPTIONS
\*[ade_standard_synopsis_component]
.TP
.B \-\-log\-dir=\fIlogdir\fB
This option is used to specify an alternative location for reports generated by
.B fadscan\fR.
The default is
.B \*[fad_log_prefix]/fadscan\fR.
.TP
.B \-\-state\-dir=\fIsttdir\fB
This option is used to specify an alternative location for state information which must be preserved between invocations of
.B fadscan\fR.
The default is
.B \*[fad_state_prefix]/fadscan\fR.
.TP
.B \-i\fR,\fB\-\-mode\-init
Operate in initialize mode.
.TP
.B \-m\fR,\fB\-\-mail=\fIaddr\fB
The resulting log file will be mailed to
.I addr\fR.
This option only makes sense when used in conjunction with
.B \-c
or
.B \-r\fR.
Multiple email addresses require multiple
.B \-m
options.
.TP
.B \-\-no\-crcs
Suppress the writing of CRCs; this will considerably speed up the process of collecting the data about each filesystem item, but will make it impossible to distinguish files whose contents have changed.
.TP
.B \-r\fR,\fB\-\-mode\-refresh
Operate in refresh mode.
.TP
.B \-s\fR,\fB\-\-mode\-schedule
Operate in schedule mode.
.br
.ne 5
.SH EXIT STATUS
On success
.B fadscan
returns zero. On failure it returns non-zero and displays a diagnostic message.
.br
.ne 5
.SH FILES
.TP 25
.B \*[fad_state_prefix]/fadscan/\fIscanid\fB-basesnap.*
Default location of base snapshot for
.I scanid\fR,
generated by the
.B \-i
option.
.TP
.B \*[fad_state_prefix]/fadscan/\fIscanid\fB-scheduled
Default location for schedule request files for
.I scanid\fR,
generated by the
.B \-s
option.
.TP
.B \*[fad_state_prefix]/fadscan/\fIscanid\fB-tempsnap.*
Default location of temporary snapshot for
.I scanid\fR,
generated by the
.B \-c
option. If option
.B \-r
is used, or
.B \-c
following a schedule request made with
.B \-s\fR,
then this file is moved to
.B \*[fad_state_prefix]/fadscan/\fIscanid\fB-scheduled\fR
after the report has been generated.
.TP
.B \*[fad_log_prefix]/fadscan/\fIscanid\fB-\fIday\fB.*
Default location of log files.
.ne 5
.SH ENVIRONMENT VARIABLES
None.
.ne 5
.SH EXAMPLES
Supposing
.B /root/bin/list_whole_system
contains:
.IP
.nf
.fam C
#!/bin/sh
find / \\( \\
    -path /var/tmp -o \\
    -path /tmp -o \\
    -path /home -o \\
    -path /proc -o \\
    -path /sys \\
    \\) -prune -o -print
.fam T
.fi
.br
.PP
Then the base snapshot would be created by the command:
.IP
.nf
.fam C
.B /root/bin/list_whole_system | fadscan -i whole_system -
.fam T
.fi
.PP
The following entry could be added to root's
.B crontab\fR(5)\fR:
.IP
.nf
.fam C
00 04 * * 1-5 /root/bin/list_whole_system | fadscan -c -m root whole_system -
.fam T
.fi
.PP
The daily reports which arrive by mail should be read and analyzed for any significant changes.
After reading the most recent report, root could issue the command:
.IP
.nf
.fam C
.B fadscan -s whole_system
.fam T
.fi
.PP
This will ensure that the next check refreshes the base snapshot. If root does not manage to read the report then the command should not be issued.
.ne 5
.SH CAVEATS
.PP
None.
.br
.ne 5
.SH STANDARDS
This manual page documents version ADE_APP_TOKEN_RELEASE_ID of
.B fadscan\fR.
.br
.ne 5
.SH SEE ALSO
crontab(5), perlre(1), mkfad(1), faddiff(1), fad(5), cron(8), gzip(1), fadcat(1), fad-config(1), find(1)
.br
.ne 5
.SH AUTHOR
ADE_APP_TOKEN_AUTHOR_NAME
.br
.ne 5
.SH COPYRIGHT & DISTRIBUTION POLICY
Copyright (C) 1995-ADE_APP_TOKEN_RELEASE_YEAR ADE_APP_TOKEN_AUTHOR_NAME
\*[ade_standard_copyright_component]
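.PP
Added example, not part of
.B fadscan
or its distribution: a Python sketch of what the
.B \-\-no\-crcs
trade-off described under OPTIONS means for a check. The recorded attribute set (mode, size, mtime), the use of zlib.crc32 and the sample file are assumptions made for illustration.

```python
# Added illustration; not fadscan's code. The attribute set and zlib.crc32
# are assumptions standing in for whatever fadscan actually records.
import os
import tempfile
import zlib


def snapshot(paths, crcs=True):
    """Record per-file attributes; crcs=False models --no-crcs."""
    snap = {}
    for path in paths:
        st = os.lstat(path)
        entry = {"mode": st.st_mode, "size": st.st_size, "mtime": st.st_mtime_ns}
        if crcs:
            with open(path, "rb") as fh:
                entry["crc"] = zlib.crc32(fh.read())
        snap[path] = entry
    return snap


def diff(base, current):
    """Return {path: reason} for files added, removed or changed."""
    report = {}
    for path in sorted(set(base) | set(current)):
        if path not in base:
            report[path] = "added"
        elif path not in current:
            report[path] = "removed"
        elif base[path] != current[path]:
            changed = [k for k in base[path] if base[path][k] != current[path].get(k)]
            report[path] = "changed: " + ",".join(changed)
    return report


def demo():
    """Same-size rewrite with the timestamp carried over, checked both ways."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.conf")  # constructed sample file
        with open(path, "w") as fh:
            fh.write("max_connections = 100")
        base_crc = snapshot([path])
        base_nocrc = snapshot([path], crcs=False)
        st = os.lstat(path)
        with open(path, "w") as fh:
            fh.write("max_connections = 900")  # same length as the original
        # Timestamp carried over, as timestamp-preserving copy tools do.
        os.utime(path, ns=(st.st_atime_ns, st.st_mtime_ns))
        return (diff(base_crc, snapshot([path])),
                diff(base_nocrc, snapshot([path], crcs=False)))
```

With checksums recorded, the comparison reports the file as changed on its crc field alone; the attribute-only comparison reports nothing for the same edit.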