linux-system-files
Traverses the /usr/bin/ directory on a Linux system to retrieve permission information and metadata for system files. When the md5 option is enabled, it also collects the MD5 hash of each file. This command can be used during forensic analysis to check whether system binaries have been tampered with.
Command properties
| Item | Description |
|---|---|
| Command type | Driver query |
| Required permission | Administrator |
| License usage | Licensed command |
| Parallel execution | Not supported |
| Distributed execution | Runs on Data Node (mapper) |
Syntax
linux-system-files [md5=BOOL]
Options
- md5=BOOL: Whether to collect the MD5 hash of each file. (Default: f)
  - t: Calculates the MD5 hash of each file and assigns it to the md5 field.
  - f: Does not collect MD5 hashes.
Output fields
| Field | Type | Description |
|---|---|---|
| file_path | string | Absolute path of the file |
| file_name | string | File name |
| file_type | string | File type. file: regular file, directory: directory |
| permissions | string | POSIX file permission string (e.g., rwxr-xr-x). Returns null if unreadable. |
| file_size | long | File size (bytes) |
| file_ctime | timestamp | File creation time |
| file_mtime | timestamp | Last modification time |
| file_atime | timestamp | Last access time |
| md5 | string | MD5 hash of the file. Only assigned when the md5=t option is specified. Assigns null if hash calculation fails. |
| owner_read | boolean | Whether the owner has read permission |
| owner_write | boolean | Whether the owner has write permission |
| owner_execute | boolean | Whether the owner has execute permission |
| group_read | boolean | Whether the group has read permission |
| group_write | boolean | Whether the group has write permission |
| group_execute | boolean | Whether the group has execute permission |
| others_read | boolean | Whether others have read permission |
| others_write | boolean | Whether others have write permission |
| others_execute | boolean | Whether others have execute permission |
Error codes
Parse errors
| Error code | Message | Description |
|---|---|---|
| 95040 | no-read-permission | Occurs when run without administrator privilege |
Runtime errors
N/A
Description
The linux-system-files command recursively traverses the /usr/bin/ directory to collect metadata and POSIX file permission information for each file. It reads the attributes of the links themselves without following symbolic links (NOFOLLOW_LINKS).
When the md5=t option is specified, it calculates the MD5 hash of each file and assigns it to the md5 field. If hash calculation fails because the file cannot be read, null is assigned to the md5 field. MD5 hash calculation requires reading the entire file, so execution time may be longer when there are many or large files.
If visiting a file fails (e.g., due to insufficient permissions), that file is skipped and the traversal continues.
This command requires administrator privilege. Without it, an error occurs at the parse stage.
Examples
- Retrieve a list of system files
  `linux-system-files`
  Retrieves all files and their permission information in the /usr/bin/ directory.
- Retrieve system files including MD5 hash
  `linux-system-files md5=t`
  Retrieves metadata including the MD5 hash for all files in the /usr/bin/ directory.
- Detect files with write permission for others
  `linux-system-files | search others_write == true`
  Filters system files that have write permission granted to others. Excessive permissions on system binaries can be a security risk.
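The following is an added illustration, not part of the command's own implementation: a Python walk that produces rows shaped like the output fields above (lstat so symlinks are not followed, unreadable entries skipped, md5 set to null when the file cannot be read), plus a filter equivalent to the third example. The field layout and `others_writable` helper are assumptions made for this example.

```python
import hashlib
import os
import stat
from datetime import datetime, timezone
def _md5_or_none(path):
    """MD5 of the file contents, or None when the file cannot be read."""
    try:
        h = hashlib.md5()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
        return h.hexdigest()
    except OSError:
        return None

def _record(path, st, md5):
    """One row shaped like the command's output fields (assumed layout)."""
    mode = st.st_mode
    rec = {
        "file_path": path,
        "file_name": os.path.basename(path),
        "file_type": "directory" if stat.S_ISDIR(mode) else "file",
        "permissions": stat.filemode(mode)[1:],  # e.g. rwxr-xr-x
        "file_size": st.st_size,
        # on Linux st_ctime is the inode change time, not a creation time
        "file_ctime": datetime.fromtimestamp(st.st_ctime, timezone.utc),
        "file_mtime": datetime.fromtimestamp(st.st_mtime, timezone.utc),
        "file_atime": datetime.fromtimestamp(st.st_atime, timezone.utc),
        "md5": _md5_or_none(path) if md5 and not stat.S_ISDIR(mode) else None,
    }
    for who, shift in (("owner", 6), ("group", 3), ("others", 0)):
        for name, bit in (("read", 4), ("write", 2), ("execute", 1)):
            rec[f"{who}_{name}"] = bool((mode >> shift) & bit)
    return rec

def linux_system_files(root="/usr/bin", md5=False):
    """Recursive walk with lstat (symlinks not followed); unreadable entries skipped."""
    rows = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # visit failed: skip this entry and keep traversing
            rows.append(_record(path, st, md5))
    return rows

def others_writable(rows):
    """Same selection as `| search others_write == true`."""
    return [r["file_path"] for r in rows if r["others_write"]]
```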