After examining Tripwire and deciding that it was *way* overkill for my own purposes, I decided to cobble together my own minimalist solution to the unix file integrity problem. I call it "L5", for a variety of reasons, and have decided to present it to the community as a Useful Hack. For all I know it may have already been done elsewhere, but I haven't yet seen such a thing mentioned, despite the simple underlying concept. L5 can be FTPed from asylum.sf.ca.us:/pub/hobbit/L5.tar.Z.

L5 simply walks down Unix or DOS filesystems, sort of like "ls -R" or "find" would, generating listings of anything it finds there. It tells you everything it can about a file's status, and adds on an MD5 hash of it. Its output is rather "numeric", but it is a very simple format and is designed to be post-treated by scripts that call L5. Here are some of its other features:

- Filenames come first, making sorting easier.
- Filenames are delimited in a non-[unix]-spoofable way; ending in "//". The single character after "//" indicates the file type.
- Scanning stops at device boundaries, so L5 doesn't go slogging through random NFS trees or "tmpfs"es unless you tell it to.
- You can tell it not to walk any directories lower than the one[s] you handed it as arguments. [It always walks one level of its given arguments.]
- You can tell it to only print the filenames.
- If a file looks like a script of some kind, it is shown as type "K" instead of "F". Useful for finding those setuid shell scripts...
- MD5 hashing can be output in hex, Tripwire's radix64 format, or not at all, as you specify. The hex hash for a given file is the same as that of the CERT "md5check".
- You can feed it a list of files or directories to check as its standard input.
- You can have it do its hash *on* standard input. This feature is useful for doing things like "l5 /critical/files | l5" to get a small but secure summary hash.
- It is small and reasonably fast.

Some of it is based on code from Tripwire, but it doesn't use a DBM database and only offers one hash option. The MD5 code, in particular, is the endian-independent version from Tripwire, which builds almost anywhere. Selection of files to ignore certain changes in is undoubtedly less versatile, but you can always filter the output through further scripts before, for example, diffing your "old" system snapshot against your "new" system snapshot.

[The rest of this file is in the README that comes with L5.]

_H*
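The snapshot-then-diff workflow described above, as an added Python example that is not L5 itself nor code from its author. Only the name-first layout, the "//" delimiter and the "K"/"F" letters come from the text; the other type letters, the field order, the function names, the escaping of control characters in names, and the use of SHA-256 in place of MD5 are assumptions of this example.

```python
import hashlib
import os
import stat


def _record(path):
    """Return (name, 'name//T mode uid gid size mtime digest'); layout is assumed."""
    st = os.lstat(path)
    kind, digest = "O", "-"            # assumed letter: O = device, fifo, socket
    if stat.S_ISDIR(st.st_mode):
        kind = "D"                     # assumed letter
    elif stat.S_ISLNK(st.st_mode):
        kind = "L"                     # assumed letter; hash the link target
        digest = hashlib.sha256(os.fsencode(os.readlink(path))).hexdigest()
    elif stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            head = f.read(2)
            kind = "K" if head == b"#!" else "F"   # script-looking file vs plain
            h.update(head)
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        digest = h.hexdigest()
    # Escape newlines and other control bytes so one file is always one line.
    name = path.encode("unicode_escape").decode("ascii")
    return name, (f"{name}//{kind} {st.st_mode:o} {st.st_uid} {st.st_gid} "
                  f"{st.st_size} {st.st_mtime_ns} {digest}")


def snapshot(root):
    """Walk root, recording every entry but not descending onto other devices."""
    dev = os.lstat(root).st_dev
    paths = [root]
    for top, dirs, files in os.walk(root):
        paths += [os.path.join(top, n) for n in dirs + files]
        dirs[:] = [d for d in dirs if os.lstat(os.path.join(top, d)).st_dev == dev]
    return dict(_record(p) for p in paths)


def summary(snap):
    """One digest over the sorted listing, in the spirit of 'l5 /critical/files | l5'."""
    return hashlib.sha256("\n".join(sorted(snap.values())).encode()).hexdigest()


def compare(old, new):
    """Return (added, removed, changed) names between two snapshots."""
    added = sorted(new.keys() - old.keys())
    removed = sorted(old.keys() - new.keys())
    changed = sorted(n for n in old.keys() & new.keys() if old[n] != new[n])
    return added, removed, changed
```

Store the old snapshot and its summary digest somewhere the monitored host cannot write to; a baseline kept on the same filesystem can be rewritten along with the files it describes.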