We were recently configuring AIDE and had not paid attention to the defaults in the configuration when we compiled it, so we did not know where aide.db.new was going to be written after the initial run. lsof would show it, but only for whatever is open at the instant you run lsof while the program is still running; what we needed was a complete list of the files the program opened during the run. strace does this well. Here is how to run strace so that it reports only the open() calls, using the -e option (note that on current glibc the open() library call is made with the openat system call, so on a modern system use -e trace=openat or -e trace=%file instead, or the trace below comes back empty):
root@srv-1 mnt # strace -e trace=open ./aide --config=./aide.conf --init
open("/dev/urandom", O_RDONLY) = 3
open("./aide.conf", O_RDONLY) = 3
open("/usr/local/etc/aide.db.new", O_RDWR|O_CREAT|O_TRUNC, 0666) = 3
open("/etc/localtime", O_RDONLY) = 4
open("/", O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY) = 4
open("/ruk", O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY) = 4
open("/ruk/ruk.txt", O_RDONLY) = 5
AIDE, version 0.10

### AIDE database initialized.
root@srv-1 mnt #
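The trace above answers the question by eye, because the program opens only a handful of files. For a program that opens hundreds, the useful trick is to write the trace to a file and then pull out only the paths opened with a create or write flag, since those are the ones that tell you where something landed. The script below is an added example, not part of the original post or of AIDE: trace_file_opens wraps strace (with -f so child processes are followed, and %file so both open and openat are caught; older strace spells the class "file"), and written_paths parses strace output and prints the files opened for writing, skipping calls that failed. The trace lines fed to it here are constructed for the demo, not captured output; they include an openat() call and a failed open() to show that both cases are handled.

```shell
#!/bin/sh
# Find every file a program creates or writes by tracing its open() calls.
# Added example, not from the original post. Assumes strace is installed and
# that its output uses the standard "open("path", flags) = fd" format.

# trace_file_opens LOGFILE CMD [ARGS...]
# Runs CMD under strace, recording only file-name syscalls to LOGFILE.
# -f follows forks, -o keeps the trace out of the program's own output,
# %file covers open, openat, creat and friends on old and new glibc.
trace_file_opens() {
    logfile=$1
    shift
    strace -f -e trace=%file -o "$logfile" -- "$@"
}

# written_paths
# Reads strace output on stdin and prints, sorted and de-duplicated, every
# path passed to open()/openat()/creat() with O_WRONLY, O_RDWR or O_CREAT.
# Lines with an optional leading pid (from -f) are accepted; calls that
# returned -1 are ignored because nothing was written.
written_paths() {
    awk '
        /(^|[ \t])(open|openat|creat)\(/ && !/= -1 / {
            # the path is the first double-quoted string on the line
            if (match($0, /"[^"]*"/)) {
                path = substr($0, RSTART + 1, RLENGTH - 2)
                rest = substr($0, RSTART + RLENGTH)
                if (rest ~ /O_WRONLY|O_RDWR|O_CREAT/ || $0 ~ /creat\(/)
                    print path
            }
        }' | sort -u
}

# Constructed sample trace (not real captured output) mixing the old
# open() form, the openat() form, a pid prefix, and a failed call.
SAMPLE_TRACE='open("/dev/urandom", O_RDONLY) = 3
open("./aide.conf", O_RDONLY) = 3
open("/usr/local/etc/aide.db.new", O_RDWR|O_CREAT|O_TRUNC, 0666) = 3
openat(AT_FDCWD, "/etc/localtime", O_RDONLY|O_CLOEXEC) = 4
2417  openat(AT_FDCWD, "/var/log/aide/aide.log", O_WRONLY|O_CREAT|O_APPEND|O_CLOEXEC, 0644) = 5
open("/etc/nope", O_RDONLY) = -1 ENOENT (No such file or directory)'

# Feeds the constructed sample through written_paths.
written_paths_from_sample() {
    printf '%s\n' "$SAMPLE_TRACE" | written_paths
}

# Stand-alone demo: prints the two paths the sample program wrote to.
written_paths_from_sample
```

Real usage is `trace_file_opens /tmp/aide.trace ./aide --config=./aide.conf --init`, then `written_paths < /tmp/aide.trace`. If the traced program uses multiple threads, strace interleaves "unfinished"/"resumed" fragments for some calls; the parser above does not stitch those back together, so add `-ff` (one log per process) or check the raw log if a path seems to be missing.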
Ahhh… we found the file:
root@srv-1 mnt # ls /usr/local/etc/aide.db.new -l
-rw------- 1 root root 364 Jul 3 09:18 /usr/local/etc/aide.db.new
root@srv-1 mnt # date
Sat Jul 3 09:19:16 PDT 2004
root@srv-1 mnt #