Fil Salustri's Design Site

Fascan is a perl script I use to check security on my computer.

Fascan is a script that checks files and directories to see if they've changed since the last time it ran. It is useful for detecting hacks and viruses. It's very simple, which is both good and bad.


% /usr/bin/perl [options]

where options are:

  • -d: reinitialize the database, ignoring all stored data to date.
  • -n: print the report to stdout rather than sending email.
  • -c file: use file as the config file.

Fascan writes files in every directory it studies, so make sure you have write permission in those directories. If you don't, you'll have to run it as root.


The downloadable source contains three files:

  • is the perl script itself.
  • fascan.conf: is the configuration file.
  • README: documentation and other info (basically the same as this page).

  1. Make a directory to contain both and fascan.conf.
  2. Edit fascan.conf. The format is as follows.
    • Lines starting with # are comments and will be ignored.
    • Blank lines are allowed and ignored.
    • email someone@somewhere defines who will receive the reports by email.
    • ignore file-or-directory will prevent file-or-directory from being studied.
    • check file-or-directory will make the program study file-or-directory. If it's a directory, all files in it will be checked, but it will not recurse into directories.
    • recurse directory will make the program recursively study the contents of directory.
  3. Make sure your installation of perl has the MD5, Fcntl, and Getopt modules available. They're usually all installed already. If they're missing, you can get them from CPAN.
  4. Change the line in that looks like: $lockfile = '/Users/fil/fascan.lock';
    • Change the path to point to a file that you can read and write. This lock file is used to prevent multiple instances of fascan from running at the same time.


Output is only generated if changes are found. This means you'll only get email if something has changed, so your inbox won't fill with vacuous messages from fascan.

For new files you'll get something like:

New file /Users/fil/.cshrc
0644  1      fil      fil  899b  2007/08/15-07:18:54

  • The 2nd line gives the mode, number of links, owner, group, size, and the 'modification time' as reported by 'stat'.
  • The 3rd line gives the MD5 checksum for the item.

For files that have changed, you'll get something like:

OLD: /private/etc/daily
0755  1     root    wheel   24b  2005/04/02-23:41:04
NEW: /private/etc/daily
0755  1     root    wheel   24b  2005/04/02-23:41:04
Changes in: md5

You get info about the old version (as of the last run of fascan), then the new version, and a list (in the last line) of the items that changed. In the example, only the MD5 checksum changed.

Deleted files are also reported, if they were ever registered in the fascan database.
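
The scan logic described on this page, sketched in Python as an added example (this is not fascan's own Perl source): it parses the fascan.conf directives, expands check and recurse, and lists which recorded fields changed between two runs, including the case in the /private/etc/daily sample where only the checksum differs. The function names, the in-memory snapshot, the restriction to regular files, and the use of SHA-256 in place of MD5 are assumptions of this example.

```python
import hashlib, os, stat

def parse_conf(text):
    """Parse fascan.conf-style text into {directive: [arguments]}."""
    conf = {"email": [], "ignore": [], "check": [], "recurse": []}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):      # blank lines and comments are ignored
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[0] not in conf:
            raise ValueError(f"bad config line: {line!r}")
        conf[parts[0]].append(parts[1].strip())
    return conf

def targets(conf):
    """Expand check (one level only) and recurse (whole tree), minus ignore entries."""
    ignored = [os.path.abspath(p) for p in conf["ignore"]]
    found = set()
    for top in map(os.path.abspath, conf["check"]):
        # check: a directory contributes its direct entries, with no recursion
        found.update([os.path.join(top, n) for n in os.listdir(top)]
                     if os.path.isdir(top) else [top])
    for top in map(os.path.abspath, conf["recurse"]):
        for root, _dirs, files in os.walk(top):
            found.update(os.path.join(root, f) for f in files)
    return sorted(p for p in found if os.path.isfile(p)
                  and not any(p == i or p.startswith(i + os.sep) for i in ignored))

def snapshot(paths):
    """Record the stat fields the report lists, plus a content digest, per file."""
    snap = {}
    for p in paths:
        st = os.stat(p)
        with open(p, "rb") as fh:
            # Assumption: SHA-256 is swapped in here; fascan itself records MD5
            digest = hashlib.sha256(fh.read()).hexdigest()
        snap[p] = {"mode": stat.S_IMODE(st.st_mode), "links": st.st_nlink,
                   "owner": st.st_uid, "group": st.st_gid, "size": st.st_size,
                   "mtime": int(st.st_mtime), "digest": digest}
    return snap

def diff(old, new):
    """Return (new files, deleted files, {path: [names of changed fields]})."""
    changed = {p: [k for k in new[p] if new[p][k] != old[p][k]]
               for p in new if p in old and new[p] != old[p]}
    return sorted(set(new) - set(old)), sorted(set(old) - set(new)), changed
```

A file rewritten with content of the same length and its modification time restored shows up with only the digest in its changed-field list, which is why the checksum is recorded alongside the stat fields.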


% sudo /usr/bin/perl -n

This runs as root (good for checking a whole disk on a multiuser computer) and produces output on the standard output rather than sending email.

% /usr/bin/perl -d -c /usr/local/fascan.conf

This reinitializes the database – ignoring all previous data – and uses a different configuration file.

research/fascan.txt · Last modified: 2020.03.12 13:30 (external edit)