File Monitoring Techniques and Tools on Linux


File alteration monitoring techniques are used by system administrators to keep apprised of what is going on on a system and to build a delta of what has changed over time. This can be tremendously useful when a system needs to be diagnosed for a problem or a possible compromise.

There are many techniques for monitoring files. I use a very crude shell script. It records which files have changed each day, along with other important file characteristics such as which files are setuid (SUID) or setgid (SGID). These are special permission modes: a file with the setuid bit runs with the effective user ID of the file's owner, and a file with the setgid bit runs with the effective group ID of the file's group, rather than with the IDs of the user who invoked it. The owner is usually root, and setuid is used far more often than setgid, so that ordinary users can run certain programs with root privileges. This is an obvious security concern: a new or modified setuid-root binary is a classic way for an intruder to keep privileged access, so the list of such files should change rarely and only when you expect it to. I use this script to keep a delta of what has changed on the systems I administer.
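As an added illustration (this is not the author's script, which the post does not reproduce), here is a minimal version of such a daily baseline-and-delta monitor in POSIX shell. It lists setuid/setgid files and files modified in the last day, diffs the privileged-file list against the previous run's baseline, and then stores the new list as the baseline. The variable names ROOT, STATE_DIR and FILEMON_RUN and the function names are assumptions made for this example; it needs GNU find, stat and diff.

```shell
#!/bin/sh
# Added example (not the author's script): a minimal daily baseline-and-delta
# monitor for changed files and setuid/setgid binaries. ROOT, STATE_DIR,
# FILEMON_RUN and the function names are assumptions for illustration.
# Requires GNU find, stat and diff.

ROOT="${ROOT:-/}"                             # tree to watch
STATE_DIR="${STATE_DIR:-/var/lib/filemon}"    # where baselines are kept

# List regular files under $1 with the setuid (4000) or setgid (2000) bit set
# as "mode owner group path", sorted so that two runs diff cleanly.
list_privileged() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec stat -c '%a %U %G %n' {} + 2>/dev/null | sort
}

# List regular files under $1 whose contents were modified in the last $2 days.
list_recent() {
    find "$1" -xdev -type f -mtime "-$2" 2>/dev/null | sort
}

# Read a listing on stdin, diff it against $2/$1.baseline, print the delta,
# then promote the new listing to be the baseline for the next run.
# Returns 0 when nothing changed, 1 when something did (diff's own convention).
report_delta() {
    name="$1"; state="$2"
    today="$state/$name.today"; baseline="$state/$name.baseline"
    cat > "$today"
    rc=0
    if [ -f "$baseline" ]; then
        diff -u "$baseline" "$today" || rc=$?
    else
        echo "== $name: no baseline yet, recording $(wc -l < "$today") entries"
    fi
    mv "$today" "$baseline"
    return "$rc"
}

# One daily run: the setuid/setgid delta first (the security-relevant part),
# then the plain "what changed since yesterday" list.
run_daily() {
    root="$1"; state="$2"
    mkdir -p "$state"
    echo "== setuid/setgid delta under $root"
    list_privileged "$root" | report_delta privileged "$state" || :
    echo "== files modified in the last day under $root"
    list_recent "$root" 1
}

# Only touch the real tree when explicitly asked, e.g. from a daily cron job:
#   FILEMON_RUN=1 ROOT=/usr STATE_DIR=/var/lib/filemon sh filemon.sh
if [ "${FILEMON_RUN:-0}" = 1 ]; then
    run_daily "$ROOT" "$STATE_DIR"
fi
```

The first run only records a baseline; every later run prints a unified diff in which a `+` line is a setuid or setgid file that appeared (or whose mode, owner or group changed) and a `-` line is one that disappeared. Bear in mind that modification times are not evidence: an intruder can reset them with `touch`, so the modified-files list is a hint to look further, not proof of integrity. A checksum-based baseline, which is what tools like AIDE or Tripwire maintain, catches what a forged mtime hides.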

There are MUCH better ways to do this (the way I do it is just an old habit). It turns out the Linux kernel has a change-notification mechanism called "dnotify" built into it. Newer kernels replace it with inotify (and later fanotify), which can watch individual files rather than only directories, but the idea is the same: the kernel tells you when something changes instead of your having to rescan the filesystem. A recent article on DevChannel, File alteration monitoring techniques under Linux, outlines the use of dnotify and a few other utilities for this task.

The most prevalent tool for this on modern Unix systems seems to be FAM, the File Alteration Monitor originally written by SGI. It has since been ported to Linux, the BSDs and other systems. SGI maintains a very nice FAM site with a lot more information and the source. (Note that FAM can be used for more than information gathering and security: because it notifies immediately on changes, it can be combined with other tools to build a real-time mirror of the data. See the FAM site for more on this.)

The bottom line is that file alteration monitoring can be done in various ways; what matters is that it is part of your routine system administration tasks.