Mailing List Archive



Re: [tlug] Using TCT...help



On Thu, 15 Aug 2002, Operator wrote:

> Run mactime to create an initial database of the time stamps associated with
> your system files. (done) Re-boot your machine (done) Run mactime again and
> determine which files have been modified by booting the machine. Which files
> were accessed but not modified? (Requires root access.)
>
> My problem (question) is how do I determine which files have been modified??

I don't know what mactime is but if it creates a database of time stamps
then what you need to do is compare the state of the system after a reboot
to the recorded state in the database.

There are three timestamps associated with unix files, atime, ctime, and
mtime.

atime is updated whenever the file is accessed (read)
mtime is updated whenever the file is modified
ctime is updated whenever the file's metadata changes (permissions, link
count, atime, mtime, etc)

You need to compare the stored timestamps in the database to the
timestamps your files have after a reboot.  Any that are different from
before have been accessed in some way.

If a file was modified, diff can tell you how (although it is possible
that it is modified and yet remains the same, for example if the same data
is overwritten with itself).  But diff alone won't tell you what was
accessed.

I think this exercise is supposed to get you to think about the file
timestamps and their implications in analysing system activity.  I don't
know what mactime is, but if it can store timestamps from the filesystem
into a database it would make sense for it to compare current timestamps
with saved timestamps too.
-- 
Tod McQuillin
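
The comparison described in the reply above, as an added example that is not part of the original message and is not TCT's mactime: it records atime, mtime and ctime for every file under a directory, then classifies files by which timestamps differ between two snapshots. The names `snapshot`, `compare` and `demo` are hypothetical, and the demo simulates a read and a write with `os.utime` on constructed temporary files.

```python
import os
import tempfile

def snapshot(root):
    """Record (atime, mtime, ctime) in nanoseconds for every file under root."""
    stamps = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue  # file vanished or is unreadable; skip it
            stamps[path] = (st.st_atime_ns, st.st_mtime_ns, st.st_ctime_ns)
    return stamps

def compare(before, after):
    """Classify each path by which timestamps differ between two snapshots."""
    report = {k: [] for k in ("modified", "accessed_only", "metadata_only", "created", "deleted")}
    for path in sorted(set(before) | set(after)):
        if path not in before:
            report["created"].append(path)
        elif path not in after:
            report["deleted"].append(path)
        else:
            (a0, m0, c0), (a1, m1, c1) = before[path], after[path]
            if m1 != m0:
                report["modified"].append(path)
            elif a1 != a0:
                report["accessed_only"].append(path)  # read, not written
            elif c1 != c0:
                report["metadata_only"].append(path)  # e.g. chmod or rename
    return report

def demo():
    """Constructed sample: three temp files whose timestamps are set by hand."""
    with tempfile.TemporaryDirectory() as root:
        paths = {n: os.path.join(root, n) for n in ("read.conf", "written.log", "idle.txt")}
        for p in paths.values():
            open(p, "w").close()
            os.utime(p, (1000, 1000))  # (atime, mtime) in seconds
        before = snapshot(root)
        os.utime(paths["read.conf"], (2000, 1000))    # stands in for a read
        os.utime(paths["written.log"], (2000, 2000))  # stands in for a write
        after = snapshot(root)
        return {k: [os.path.basename(p) for p in v] for k, v in compare(before, after).items()}

if __name__ == "__main__":
    print(demo())
```

On filesystems mounted with noatime or relatime, a read does not always update atime, so `accessed_only` can under-report what was read during the reboot.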


