http://ask.metafilter.com/46288/Can-You-LockWatch-your-sysyem/ Comments on Ask MetaFilter post Can You Lock/Watch your sysyem? Sun, 10 Sep 2006 13:41:20 -0800 Sun, 10 Sep 2006 13:41:20 -0800 en-us http://blogs.law.harvard.edu/tech/rss 60 http://ask.metafilter.com/46288/Can-You-LockWatch-your-sysyem Is there anyway to boot your mac off a disk image? Or something that can be closely watched in terms of changes? <br /><br /> I want to be able to have my system inside a single (not necessarily compressed) file that I would be able to us diff on or something. I want to be able to track every change in my system folder very closely to see what has been installed on it. Perhaps there is a extension or utility that might do this without loading of a .dmg? post:ask.metafilter.com,2006:site.46288 Sun, 10 Sep 2006 13:27:34 -0800 Napierzaza mac os x system folder dmg file http://ask.metafilter.com/46288/Can-You-LockWatch-your-sysyem#706460 The only way I'm aware of to boot from a disk image is to put the disk image on a Mac OS X server and boot over the network.<br> <br> As for getting diffs of directory changes, why not just periodically do <tt>ls -alR /System &gt;foo.txt</tt> and diff that? You could put it on a cron job. comment:ask.metafilter.com,2006:site.46288-706460 Sun, 10 Sep 2006 13:41:20 -0800 kindall http://ask.metafilter.com/46288/Can-You-LockWatch-your-sysyem#706463 You could use a host based intrusion detection program to monitor files for any changes. Tripwire is what I'd use. Unsurprisingly, there is an OS X patch for it <a href="http://www.macguru.net/~frodo/Tripwire-osx.html">over here.</a> comment:ask.metafilter.com,2006:site.46288-706463 Sun, 10 Sep 2006 13:43:31 -0800 crypticgeek http://ask.metafilter.com/46288/Can-You-LockWatch-your-sysyem#706475 You could get the effect by creating a small partition on your hard disk to boot off. Make a disk image of the partition before and after and diff them. comment:ask.metafilter.com,2006:site.46288-706475 Sun, 10 Sep 2006 13:58:55 -0800 cillit bang http://ask.metafilter.com/46288/Can-You-LockWatch-your-sysyem#706564 You might want to ask this on a more technical Mac forum. Spotlight has the ability to monitor all files on the disk for changes; that's how it's able to update itself live without visible performance loss. I think there is a method to hook into this facility with user programs, but I don't know what it is offhand. comment:ask.metafilter.com,2006:site.46288-706564 Sun, 10 Sep 2006 15:40:23 -0800 Malor http://ask.metafilter.com/46288/Can-You-LockWatch-your-sysyem#706572 <a href="http://www.kernelthread.com/software/fslogger/">FSLogger</a>? This uses the Spotlight hooks that Malor suggested. otherwise, the ls trick above would be good too. comment:ask.metafilter.com,2006:site.46288-706572 Sun, 10 Sep 2006 15:59:40 -0800 mrg http://ask.metafilter.com/46288/Can-You-LockWatch-your-sysyem#706624 How about the mtree command? Check out this Macdevcenter <a href="http://www.oreillynet.com/pub/a/mac/2005/10/07/mac-security.html?page=1">article</a> on it's use for detecting presence of rootkit files under OS X. comment:ask.metafilter.com,2006:site.46288-706624 Sun, 10 Sep 2006 17:26:26 -0800 jaimev http://ask.metafilter.com/46288/Can-You-LockWatch-your-sysyem#706785 There's a shareware utility called <a href="http://www.skytag.com/filebuddy/en/9/index.html">Filebuddy</a> that lets you take snapshots before and after a software install in order to see what was changed. comment:ask.metafilter.com,2006:site.46288-706785 Sun, 10 Sep 2006 21:12:28 -0800 machaus http://ask.metafilter.com/46288/Can-You-LockWatch-your-sysyem#706893 Seconding tripwire. Been around forever, works well. comment:ask.metafilter.com,2006:site.46288-706893 Mon, 11 Sep 2006 05:32:09 -0800 flabdablet