FADSCAN(1) General Commands Manual FADSCAN(1)
NAME
fadscan - filesystem scanner
SYNOPSIS
fadscan [ -V | --version ] [ -v | --verbose | -d level | --debug=level
] [ -h | --help ] [ -p | --paths ] [ -n | --simulate ] [ --no-crcs ] [
--log-dir=logdir ] [ --state-dir=sttdir ] { { -i | --mode-init | -c |
--mode-check | -r | --mode-refresh } scanid filelist-file | { -s |
--mode-schedule } scanid }
DESCRIPTION
Fadscan is designed to be run on a day by day basis, reporting differences
between the state of a specified set of files on a previous occasion and
their state at runtime.
Fadscan is useful as a security tool, and as a tool to remind the forgetful
sysadmin to log system configuration changes, and for those who are simply
curious what is happening on their system.
Fadscan operates in four modes: initialize, check, refresh and schedule,
which correspond to the options -i, -c, -r and -s. In the first three
modes, fadscan operates on a fileset defined by the command-line parameters
scanid and filelist-file, where scanid is used to determine the names of
the state and log files to which it will write, and filelist-file is a
file containing a list of files to scan for changes, one per line. If this
file is - then the list is read from standard input. In schedule mode, the
filelist-file parameter is not required.
In initialize mode, fadscan scans the listed files recording various
attributes of each of them. This information is written in gzipped
(see gzip(1)) Data::Dumper(3pm) format, and is preserved to facilitate
subsequent checks and refreshes. This file is called the base snapshot.
The base snapshot will be overwritten by subsequent initializes,
refreshes or post-schedule checks.
In refresh mode, fadscan scans the listed files reporting important
differences in the state of any of them. Additionally it refreshes the
base snapshot. Subsequent checks and refreshes will then compare the
fileset with the refreshed base snapshot file.
In schedule mode, fadscan schedules a refresh to be made at the next
invocation in check mode. It does this by creating a schedule file,
which is detected the next time fadscan is run in check mode. This is
intended to facilitate refreshing when fadscan is invoked by cron(8) in
check mode. See EXAMPLES below for further explanation of operating
fadscan with cron(8).
In check mode, fadscan scans the listed files reporting differences in
the state of any of the files. If the check is a post-scheduled check,
then the temporary base snapshot, created during the scan, is preserved
to become the new base snapshot, and the schedule file is deleted.
CONFIGURATION
The filelist file is most easily prepared using the find(1) command and
then piped into fadscan (so using - to specify the filelist file).
OPTIONS
-d level, --debug=level Determines how verbose this program will be.
The message types displayed for the different
values of level are as follows: 0 displays no
messages; 1 displays only errors; 2 displays
errors and warnings; 3 displays errors, warnings
and informational messages; higher values
display errors, warnings, informational messages
and various messages intended for debugging.
The default is 2.
-h, --help Displays a brief usage message.
-p, --paths Lists the compiled-in paths of various files
and directories that this program uses.
-n, --simulate Some external commands that this program runs
may be displayed rather than actually executed.
BEWARE: different programs implement different
levels of simulation; so this option may work
perfectly; on the other hand it may do nothing
at all!
-v, --verbose Equivalent to -d 3.
-V, --version Prints the program's version number and exits.
--log-dir=logdir This option is used to specify an alternative
location for reports generated by fadscan.
The default is /var/log/fad/fadscan.
--state-dir=sttdir This option is used to specify an alternative
location for state information which must be
preserved between invocations of fadscan. The
default is /var/lib/fad/fadscan.
-c, --mode-check Operate in check mode.
-i, --mode-init Operate in initialize mode.
--no-crcs Suppress the writing of CRCs; this will
considerably speed up the process of collecting
the data about each filesystem item, but will
make it impossible to distinguish files whose
contents have changed.
-r, --mode-refresh Operate in refresh mode.
-s, --mode-schedule Operate in schedule mode.
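The --no-crcs trade-off described above, as an added example that is not
fadscan's code or snapshot format: a small model that records each listed
file with and without a CRC and compares two snapshots after the content
changes while size and modification time stay the same. The record layout
(path|size|mtime[|crc]), the function names and the sample file are
assumptions; stat(1) is assumed to support -c (GNU coreutils, busybox).

```shell
#!/bin/sh
# Added illustration; NOT fadscan's implementation or snapshot format.
# Assumption: a record is path|size|mtime, plus a CRC unless disabled.
# Assumption: stat(1) supports -c (GNU coreutils, busybox).

# snapshot yes|no : read a file list on stdin, one path per line (the
# same input shape fadscan takes with "-"), and print one record per file.
snapshot() {
    while IFS= read -r path; do
        meta=$(stat -c '%s|%Y' -- "$path") || continue
        if [ "$1" = yes ]; then
            crc=$(cksum < "$path" | cut -d' ' -f1)
            printf '%s|%s|%s\n' "$path" "$meta" "$crc"
        else
            printf '%s|%s\n' "$path" "$meta"
        fi
    done
}

# changed BASE NOW : print paths whose record in NOW is absent from BASE.
# (Paths containing '|' are not handled by this simple record format.)
changed() {
    grep -Fxv -f "$1" "$2" | cut -d'|' -f1
}

# demo yes|no : print how many changes are reported when a file's content
# changes but its length and modification time are identical.
demo() {
    dir=$(mktemp -d) || return 1
    f="$dir/app.conf"                       # constructed sample file
    printf 'setting=A\n' > "$f"; touch -t 202407300400.00 "$f"
    printf '%s\n' "$f" | snapshot "$1" > "$dir/base"
    printf 'setting=B\n' > "$f"; touch -t 202407300400.00 "$f"
    printf '%s\n' "$f" | snapshot "$1" > "$dir/now"
    changed "$dir/base" "$dir/now" | wc -l | tr -d ' '
    rm -rf "$dir"
}

echo "records with CRCs:    $(demo yes) change(s) reported"
echo "records without CRCs: $(demo no) change(s) reported"
```

Filesets where content integrity matters (binaries, configuration) are the
ones to scan with CRCs enabled; the speed gain of --no-crcs suits filesets
where only appearance, disappearance or metadata changes are of interest.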
EXIT STATUS
On success fadscan returns zero. On failure it returns non-zero and
displays a diagnostic message.
FILES
/var/lib/fad/fadscan/scanid-basesnap.*
Default location of base snapshot for scanid,
generated by the -i option.
/var/lib/fad/fadscan/scanid-scheduled
Default location for schedule request files
for scanid, generated by the -s option.
/var/lib/fad/fadscan/scanid-tempsnap.*
Default location of temporary snapshot for
scanid, generated by the -c option. If option
-r is used, or -c following a schedule request
made with -s, then this file is moved to
/var/lib/fad/fadscan/scanid-scheduled after
the report has been generated.
/var/log/fad/fadscan/scanid-day.*
Default location of log files.
ENVIRONMENT VARIABLES
None.
EXAMPLES
Supposing /root/bin/list_whole_system contains:
#!/bin/bash
find / \( \
-path /var/tmp -o \
-path /tmp -o \
-path /home -o \
-path /proc -o \
-path /sys \
\) -prune -o -print
Then the base snapshot would be created by the command:
/root/bin/list_whole_system | fadscan -i whole_system -
The following entry could be added to root's crontab(5):
00 04 * * 1-5 /root/bin/list_whole_system | fadscan -c whole_system -
After reading the most recent report, root could issue the command:
fadscan -s whole_system
This will ensure that the next check refreshes the base snapshot. If
root does not manage to read the report then the command should not be
issued.
CAVEATS
None.
STANDARDS
This manual page documents version 7 of fadscan.
SEE ALSO
crontab(5), perlre(1), mkfad(1), faddiff(1), fad(5), cron(8), gzip(1),
fadcat(1), fad-config(1), find(1)
AUTHOR
Alexis Huxley <alexishuxley@gmail.com>
COPYRIGHT & DISTRIBUTION POLICY
Copyright (C) 1995-2024 Alexis Huxley
This program is free software; you can redistribute it and/or modify it
under the terms of the GNU General Public License as published by the
Free Software Foundation; either version 2 of the License, or (at your
option) any later version.
This program is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
Public License for more details.
You should have received a copy of the GNU General Public License along
with this program; if not, write to the Free Software Foundation, Inc.,
675 Mass Ave, Cambridge, MA 02139, USA.
30 Jul 2024 FADSCAN(1)