Can You Lock/Watch your system?
September 10, 2006 1:27 PM
Is there anyway to boot your mac off a disk image? Or something that can be closely watched in terms of changes?
I want to be able to have my system inside a single (not necessarily compressed) file that I would be able to use diff on or something. I want to be able to track every change in my system folder very closely to see what has been installed on it. Perhaps there is an extension or utility that might do this without loading of a .dmg?
You could use a host based intrusion detection program to monitor files for any changes. Tripwire is what I'd use. Unsurprisingly, there is an OS X patch for it over here.
posted by crypticgeek at 1:43 PM on September 10, 2006
You could get the effect by creating a small partition on your hard disk to boot off. Make a disk image of the partition before and after and diff them.
posted by cillit bang at 1:58 PM on September 10, 2006
You might want to ask this on a more technical Mac forum. Spotlight has the ability to monitor all files on the disk for changes; that's how it's able to update itself live without visible performance loss. I think there is a method to hook into this facility with user programs, but I don't know what it is offhand.
posted by Malor at 3:40 PM on September 10, 2006
FSLogger? This uses the Spotlight hooks that Malor suggested. Otherwise, the ls trick above would be good too.
posted by mrg at 3:59 PM on September 10, 2006
How about the mtree command? Check out this Macdevcenter article on its use for detecting presence of rootkit files under OS X.
posted by jaimev at 5:26 PM on September 10, 2006
There's a shareware utility called Filebuddy that lets you take snapshots before and after a software install in order to see what was changed.
posted by machaus at 9:12 PM on September 10, 2006
Seconding tripwire. Been around forever, works well.
posted by flabdablet at 5:32 AM on September 11, 2006
As for getting diffs of directory changes, why not just periodically do ls -alR /System >foo.txt and diff that? You could put it on a cron job.
posted by kindall at 1:41 PM on September 10, 2006
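Added example, not posted by anyone in the thread: a small baseline-and-compare script that does what kindall's "ls -alR ... then diff" and jaimev's mtree suggestions describe, but keyed on a SHA-256 of each file's contents rather than on directory listings, so a file replaced in place with the same name, size and timestamp still shows up as MODIFIED. It assumes only `find`, `awk`, `sort` and either `sha256sum` (Linux) or `shasum` (ships with OS X); the directory tree it builds under `mktemp` is constructed for the demonstration and stands in for /System. Take the baseline snapshot right after a clean install, then re-run the snapshot from a cron job or right after each installer and compare.

```shell
#!/bin/sh
# Added example (not from the thread): baseline-and-compare integrity check.
# snapshot() records a SHA-256 per regular file under a directory;
# compare() reports files ADDED, REMOVED or MODIFIED between two snapshots.
set -u

# Use whichever SHA-256 tool the system has (sha256sum on Linux, shasum on OS X).
if command -v sha256sum >/dev/null 2>&1; then
    HASHER=sha256sum
elif command -v shasum >/dev/null 2>&1; then
    HASHER="shasum -a 256"
else
    echo "no SHA-256 tool found" >&2
    exit 1
fi

# snapshot DIR OUTFILE
# Writes one line per regular file, "<64 hex digits>  <path relative to DIR>",
# sorted by path so two snapshots line up for comparison.
snapshot() {
    ( cd "$1" && find . -type f -exec $HASHER {} + ) | sort -k 2 > "$2"
}

# compare BASELINE NEWER
# Prints ADDED / REMOVED / MODIFIED lines; exit status 0 if identical, 1 if not.
# The path begins at column 67 (64 hex digits plus two spaces), so paths that
# contain spaces are handled; FILENAME is checked instead of the usual NR==FNR
# so an empty baseline file does not get confused with the newer one.
compare() {
    report=$(awk '
        FILENAME == ARGV[1] { old[substr($0, 67)] = $1; next }
        { new[substr($0, 67)] = $1 }
        END {
            for (p in new) if (!(p in old))                    print "ADDED    " p
            for (p in old) if (!(p in new))                    print "REMOVED  " p
            for (p in new) if ((p in old) && old[p] != new[p]) print "MODIFIED " p
        }' "$1" "$2" | sort)
    [ -n "$report" ] && printf '%s\n' "$report"
    [ -z "$report" ]
}

# Constructed demonstration: a throwaway tree standing in for /System.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/tree/Library/Extensions"
    printf 'kernel extension v1\n' > "$work/tree/Library/Extensions/Foo.kext"
    printf 'launchd plist\n'       > "$work/tree/Library/LaunchDaemons.plist"
    snapshot "$work/tree" "$work/before.txt"      # baseline, e.g. after a clean install

    # Simulate an installer touching the tree: one modified, one added, one removed.
    printf 'kernel extension v2\n' > "$work/tree/Library/Extensions/Foo.kext"
    printf 'new daemon\n'          > "$work/tree/Library/Extensions/Bar.kext"
    rm "$work/tree/Library/LaunchDaemons.plist"
    snapshot "$work/tree" "$work/after.txt"

    compare "$work/before.txt" "$work/after.txt" || true
    rm -rf "$work"
}
demo
```

Keep the baseline snapshot somewhere the system being watched cannot silently rewrite it (read-only media, another machine), since a snapshot stored alongside the files it describes is only as trustworthy as those files. That is the gap Tripwire closes by signing its database, which this script does not do.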