谁能帮我写一个脚本,监视目录的

发布于 2022-07-20 22:50:41 字数 55 浏览 7 评论 3

监视一个目录,如果这个目录及其子目录,产生了新文件,调用杀毒软件扫描新文件,如果发现病毒,立即删除这个新文件。

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(3

蓝咒 2022-07-26 20:38:10

原帖由 flw 于 2006-8-28 17:33 发表

这个方法很土(尽管也许它很管用),

自从 linux 2.4 之后,linux 内核就支持一套监视目录的接口,
楼主可以 man 一下 fcntl,下面是从我的机器上摘录下来的部分:
[code]FCNTL(2)                   Linu ...

>>
>>
>>还真没有用过这个,赞一个!
>>
>>

晨曦慕雪 2022-07-26 17:30:53

原帖由 Bayweb 于 2006-8-27 19:49 发表

>>
>>
>>Linux下可以通过比较目录文件的内容是否一样(.文件)实现
>>1.事先将文件列表或者目录文件储存起来(例如文件、程序变量)
>>2.定时获得当前文件信息,进行比较
& ...

这个方法很土(尽管也许它很管用),

自从 linux 2.4 之后,linux 内核就支持一套监视目录的接口,
楼主可以 man 一下 fcntl,下面是从我的机器上摘录下来的部分:

  1. FCNTL(2)                   Linux Programmer's Manual                  FCNTL(2)
  2. NAME
  3.        fcntl - manipulate file descriptor
  4. .....<omit>.....
  5.    File and directory change notification (dnotify)
  6.        F_NOTIFY
  7.               (Linux  2.4  onwards)  Provide  notification  when the directory
  8.               referred to by fd or any  of  the  files  that  it  contains  is
  9.               changed.   The events to be notified are specified in arg, which
  10.               is a bit mask specified by ORing together zero or  more  of  the
  11.               following bits:
  12.               Bit         Description (event in directory)
  13.               -------------------------------------------------------------
  14.               DN_ACCESS   A file was accessed (read, pread, readv)
  15.               DN_MODIFY   A file was modified (write, pwrite,
  16.                           writev, truncate, ftruncate)
  17.               DN_CREATE   A file was created (open, creat, mknod,
  18.                           mkdir, link, symlink, rename)
  19.               DN_DELETE   A file was unlinked (unlink, rename to
  20.                           another directory, rmdir)
  21.               DN_RENAME   A file was renamed within this
  22.                           directory (rename)
  23.               DN_ATTRIB   The attributes of a file were changed
  24.                           (chown, chmod, utime[s])
  25.               (In  order  to obtain these definitions, the _GNU_SOURCE feature
  26.               test macro must be defined.)
  27.               Directory notifications are normally "one-shot", and the  appli-
  28.               cation   must  re-register  to  receive  further  notifications.
  29.               Alternatively, if DN_MULTISHOT is included in arg, then  notifi-
  30.               cation will remain in effect until explicitly removed.
  31.               A  series of F_NOTIFY requests is cumulative, with the events in
  32.               arg being added to the set already monitored.  To disable  noti-
  33.               fication  of all events, make an F_NOTIFY call specifying arg as
  34.               0.
  35.               Notification occurs via delivery of a signal.  The default  sig-
  36.               nal is SIGIO, but this can be changed using the F_SETSIG command
  37.               to fcntl().  In the latter case, the signal handler  receives  a
  38.               siginfo_t  structure  as its second argument (if the handler was
  39.               established using SA_SIGINFO) and the si_fd field of this struc-
  40.               ture   contains   the   file   descriptor  which  generated  the
  41.               notification (useful when establishing notification on  multiple
  42.               directories).
  43.               Especially  when using DN_MULTISHOT, a POSIX.1b real time signal
  44.               should be used for notification, so that multiple  notifications
  45.               can be queued.
  46.               NOTE:  New applications should consider using the inotify inter-
  47.               face (available since kernel 2.6.13), which provides a  superior
  48.               interface  for  obtaining  notifications  of file system events.
  49.               See inotify(7).

复制代码
上面把这套机制基本上说清楚了。
另外还提到,自从 2.6.13 之后,kernel 又提供了一套更高级、更方便的接口,下面是它的文档:

  1. INOTIFY(7)                 Linux Programmer's Manual                INOTIFY(7)
  2. NAME
  3.        inotify - monitoring file system events
  4. DESCRIPTION
  5.        The inotify API provides a mechanism for monitoring file system events.
  6.        Inotify can be used to monitor individual files, or to monitor directo-
  7.        ries.   When  a  directory is monitored, inotify will return events for
  8.        the directory itself, and for files inside the directory.
  9.        The following system calls are used with this API: inotify_init(), ino-
  10.        tify_add_watch(), inotify_rm_watch(), read(), and close().
  11.        inotify_init(2) creates an inotify instance and returns a file descrip-
  12.        tor referring to the inotify instance.
  13.        inotify_add_watch(2) manipulates the "watch list"  associated  with  an
  14.        inotify  instance.  Each item ("watch") in the watch list specifies the
  15.        pathname of a file or directory, along with some set of events that the
  16.        kernel  should monitor for the file referred to by that pathname.  ino-
  17.        tify_add_watch() either creates a new watch item, or modifies an exist-
  18.        ing  watch.   Each  watch  has  a unique "watch descriptor", an integer
  19.        returned by inotify_add_watch() when the watch is created.
  20.        inotify_rm_watch(2) removes an item from an inotify watch list.
  21.        When all file descriptors referring to an inotify  instance  have  been
  22.        closed, the underlying object and its resources are freed for re-use by
  23.        the kernel; all associated watches are automatically freed.
  24.        To determine what events have occurred, an  application  read(2)s  from
  25.        the  inotify file descriptor.  If no events have so far occurred, then,
  26.        assuming a blocking file descriptor, read() will block until  at  least
  27.        one event occurs.
  28.        Each  successful  read() returns a buffer containing one or more of the
  29.        following structures:
  30.          struct inotify_event {
  31.              int      wd;       /* Watch descriptor */
  32.              uint32_t mask;     /* Mask of events */
  33.              uint32_t cookie;   /* Unique cookie associating related
  34.                                    events (for rename(2)) */
  35.              uint32_t len;      /* Size of 'name' field */
  36.              char     name[];   /* Optional null-terminated name */
  37.          };
  38.        wd identifies the watch for which this event occurs.  It is one of  the
  39.        watch descriptors returned by a previous call to inotify_add_watch().
  40.        mask contains bits that describe the event that occurred (see below).
  41.        cookie  is  a  unique  integer that connects related events.  Currently
  42.        this is only used for rename events, and allows the resulting  pair  of
  43.        IN_MOVE_FROM  and IN_MOVE_TO events to be connected by the application.
  44.        The name field is only present when an event is  returned  for  a  file
  45.        inside a watched directory; it identifies the file pathname relative to
  46.        the watched directory.   This  pathname  is  null-terminated,  and  may
  47.        include  further  null  bytes  to  align subsequent reads to a suitable
  48.        address boundary.
  49.        The len field counts all of the  bytes  in  name,  including  the  null
  50.        bytes;  the  length of each inotify_event structure is thus sizeof(ino-
  51.        tify_event)+len.
  52.    inotify events
  53.        The inotify_add_watch(2) mask argument and the mask field of  the  ino-
  54.        tify_event  structure returned when read(2)ing an inotify file descrip-
  55.        tor are both bit masks identifying inotify events.  The following  bits
  56.        can  be  specified  in mask when calling inotify_add_watch() and may be
  57.        returned in the mask field returned by read():
  58.          Bit                Description
  59.          IN_ACCESS          File was accessed (read) (*)
  60.          IN_ATTRIB          Metadata changed (permissions, timestamps,
  61.                             extended attributes, etc.) (*)
  62.          IN_CLOSE_WRITE     File opened for writing was closed (*)
  63.          IN_CLOSE_NOWRITE   File not opened for writing was closed (*)
  64.          IN_CREATE          File/directory created in watched directory (*)
  65.          IN_DELETE          File/directory deleted from watched directory (*)
  66.          IN_DELETE_SELF     Watched file/directory was itself deleted
  67.          IN_MODIFY          File was modified (*)
  68.          IN_MOVE_SELF       Watched file/directory was itself moved
  69.          IN_MOVED_FROM      File moved out of watched directory (*)
  70.          IN_MOVED_TO        File moved into watched directory (*)
  71.          IN_OPEN            File was opened (*)
  72.        When monitoring a directory, the events marked  with  an  asterisk  (*)
  73.        above  can  occur  for  files  in the directory, in which case the name
  74.        field in the returned inotify_event structure identifies  the  name  of
  75.        the file within the directory.
  76.        The  IN_ALL_EVENTS  macro  is defined as a bit mask of all of the above
  77.        events.  This macro can be used as the mask argument when calling  ino-
  78.        tify_add_watch().
  79.        Two  additional  convenience  macros  are  IN_MOVE,  which  equates  to
  80.        IN_MOVED_FROM|IN_MOVED_TO,    and    IN_CLOSE    which    equates    to
  81.        IN_CLOSE_WRITE|IN_CLOSE_NOWRITE.
  82.        The  following  further bits can be specified in mask when calling ino-
  83.        tify_add_watch():
  84.          Bit              Description
  85.          IN_DONT_FOLLOW   Don't dereference pathname if it is a symbolic link
  86.          IN_MASK_ADD      Add (OR) events to watch mask for this pathname if
  87.                           it already exists (instead of replacing mask)
  88.          IN_ONESHOT       Monitor pathname for one event, then remove from
  89.                           watch list
  90.          IN_ONLYDIR       Only watch pathname if it is a directory
  91.        The following bits may be set in the mask field returned by read():
  92.          Bit             Description
  93.          IN_IGNORED      Watch was removed explicitly (inotify_rm_watch())
  94.                          or automatically (file was deleted, or
  95.                          file system was unmounted)
  96.          IN_ISDIR        Subject of this event is a directory
  97.          IN_Q_OVERFLOW   Event queue overflowed (wd is -1 for this event)
  98.          IN_UNMOUNT      File system containing watched object was unmounted
  99.    /proc interfaces
  100.        The following interfaces can be used to limit the amount of kernel mem-
  101.        ory consumed by inotify:
  102.        /proc/sys/fs/inotify/max_queued_events
  103.               The  value  in  this file is used when an application calls ino-
  104.               tify_init(2) to set an upper limit on the number of events  that
  105.               can  be queued to the corresponding inotify instance.  Events in
  106.               excess of this limit are dropped, but an IN_Q_OVERFLOW event  is
  107.               always generated.
  108.        /proc/sys/fs/inotify/max_user_instances
  109.               This specifies an upper limit on the number of inotify instances
  110.               that can be created per real user ID.
  111.        /proc/sys/fs/inotify/max_user_watches
  112.               This specifies a limit on the number  of  watches  that  can  be
  113.               associated with each inotify instance.
  114. NOTES
  115.        Inotify file descriptors can be monitored using select(2), poll(2), and
  116.        epoll(7).
  117.        If successive output  inotify  events  produced  on  the  inotify  file
  118.        descriptor  are  identical  (same wd, mask, cookie, and name) then they
  119.        are coalesced into a single event.
  120.        The events returned by reading from an inotify file descriptor form  an
  121.        ordered  queue.  Thus, for example, it is guaranteed that when renaming
  122.        from one directory to another, events will be produced in  the  correct
  123.        order on the inotify file descriptor.
  124.        The FIONREAD ioctl() returns the number of bytes available to read from
  125.        an inotify file descriptor.
  126.        Inotify monitoring of directories is not recursive: to  monitor  subdi-
  127.        rectories under a directory, additional watches must be created.
  128. VERSIONS
  129.        Inotify  was merged into the 2.6.13 Linux kernel.  The required library
  130.        interfaces were added to glibc in version 2.4.
  131. BUGS
  132.        In kernels before 2.6.16, the IN_ONESHOT mask flag does not work.
  133.        As at glibc 2.4, the definitions for IN_DONT_FOLLOW,  IN_MASK_ADD,  and
  134.        IN_ONLYDIR are missing from <sys/inotify.h>.
  135. CONFORMING TO
  136.        The inotify API is Linux specific.
  137. SEE ALSO
  138.        inotify_add_watch(2),  inotify_init(2),  inotify_rm_watch(2),  read(2),
  139.        stat(2), Documentation/filesystems/inotify.txt.
  140. Linux 2.6.15                      2006-02-07                        INOTIFY(7)

复制代码

猫七 2022-07-23 21:14:54

原帖由 zhangshoug 于 2006-8-26 14:02 发表
监视一个目录,如果这个目录及其子目录,产生了新文件,调用杀毒软件扫描新文件,如果发现病毒,立即删除这个新文件。

>>
>>
>>Linux下可以通过比较目录文件的内容是否一样(.文件)实现
>>1.事先将文件列表或者目录文件储存起来(例如文件、程序变量)
>>2.定时获得当前文件信息,进行比较
>>如果只是靠脚本来做到,bash会比较麻烦;建议选用tcl之类的脚本
>>
>>

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文