http://www.perlmonks.org?node_id=32246


in reply to Formulaic Security Isn't Secure Anyway
in thread Emergency Sentry Robot

Ozymandias, what are you doing? Saying, "another way to do it is..." is one thing, but your continuing claims that I am using "dangerous" and wrong techniques are totally ridiculous, and should be kept to yourself or at least researched before trying to discredit me.

I was going to just drop it, since you're clearly not willing to listen. But, well, someone else might read your rant and think you have a point. So, what I'm doing is explaining where you are going wrong in hopes of preventing someone else from making a bad mistake. I'm not trying to attack you; I'm exposing a bad method. So, I'm going to address your points here, and ignore the personal attacks. If you want to attack me, Aigh, go ahead. My email's at the bottom of the node, you can /msg, you can find me in #perlmonks on irc.slashnet.org. Otherwise, let's stick to facts.

Saying that I should search for an existing product when all that is needed is a few lines of code is silly. That is like saying, if somebody breaks into your house, and you are worried they will come back in 5 minutes, order a security system. No, looking out the window is a better plan. Obviously I cannot prevent the person from accessing the files. They have root. What I can do, is be notified when those files are accessed, and scare them into staying out in the future.

If it's REALLY the way you want to go, then roll your own. I simply said that using an existing product is going to be more secure, more stable, and less likely to contain problems. As for your analogy, it's seriously flawed. If someone's broken into your house and you're afraid they'll be back in five minutes, don't look out the window. Call 911. If they come back before the police arrive, then yes, it's nice to know they're there. However, screaming "boo" at them is not likely to do any good if you're unarmed. If they've broken in, they have full control over the situation, and they're fully armed - they "have root" on your house - screaming "boo" is more likely to result in death by high-velocity lead poisoning - a rather final "rm -rf *", you might say.

There is no "intruder," there is a person who was copying files. Being the owner of the box, this person is going to continue to have access to the server, and is going to continue to have root access, regardless of myself being the administrator. There are times in life where all that is needed is an effective deterrent, a barking dog.

There is an "intruder" in the general sense that someone is going somewhere they should not be, doing something they should not be doing. You did not originally state that it was the owner of the box; you said "someone". The implication is that it's someone from outside. If it's another user (non-root) on the box, the solution is to go through the admin; if you're the admin, so much the easier. If it's another admin, then sort it out by other means. In this specific case, use the contract. In general, use whatever's available in the situation.

In computer security, you do not want a barking watchdog, you want a tight fence. Why? Because a barking dog has a brain, and it has teeth. A barking dog can think, at least well enough to recognize who belongs there and who doesn't. And it can do more than alert you; it can scare off the intruder. But it's not the bark that the intruder is afraid of. You can't do that in computer security; false positives are a fact of life (such as your cron job problem) and since we all know computers are too literal, you wind up shooting yourself in the foot more than anything else. So you wind up with not a guard dog, but a guard poodle; all bark and no bite. Your script can't even do that; all it can do is bark. And again; generally speaking, when the intruder finishes chuckling at your message, they'll simply take what they want, do their best to cover their tracks - i.e., rm -rf * - and go on their way.

In the end, in this specific situation - a box you have root on, but do not own, with another root-enabled user (the owner) performing the unauthorized activity - this method is at least valid. I don't think it's the best way to go, but it's not the security risk it would be in any other situation.

So if you've been reading this thread and you're not Aigh, number one - Why?? and number two, unless your situation exactly matches this one, don't use this. It's a bad security method. And if you don't believe me, ask any other competent security admin.

- email Ozymandias

PS - TIMTOWTDI is a valid statement for programming, for drive partitioning, for network layouts, and, yes, for security. There is indeed more than one correct way to approach security problems. This is not one of them. There are plenty of methods, and plenty of people smarter than you or I spend their time thinking up new and better ones. The ones that pass muster and survive "live fire" testing are published, usually with products and utilities to make it easier to implement. That may be formulaic; but then, so's "use strict;".
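An added illustration, not code from either poster or from the "Emergency Sentry Robot" script itself: the smallest possible "barking dog" is a loop that snapshots stat() timestamps on the watched files and complains when they change. The script below is that watcher, reduced to two functions, followed by the two things the reply above says defeat it: any reader at all (a cron job, a backup, the admin) trips it, and the file's owner can put the timestamps back with utime(). The temp file and its contents are constructed for the demonstration; the file list and the fields watched are assumptions, not the thread's.

```perl
#!/usr/bin/perl
# Added example for the thread above, not the original sentry script.
use strict;
use warnings;
use File::Temp qw(tempfile);

# Record atime and mtime for each watched path (a naive sentry watches these).
sub snapshot {
    my @files = @_;
    my %snap;
    for my $f (@files) {
        my @st = stat($f) or next;     # skip paths that vanished
        $snap{$f} = { atime => $st[8], mtime => $st[9] };
    }
    return \%snap;
}

# Compare two snapshots; return one alert string per changed field.
sub check {
    my ($old, $new) = @_;
    my @alerts;
    for my $f (sort keys %$old) {
        next unless exists $new->{$f};
        for my $field (qw(atime mtime)) {
            push @alerts, "$f: $field changed"
                if $old->{$f}{$field} != $new->{$f}{$field};
        }
    }
    return @alerts;
}

# --- demonstration on a constructed temporary file ---
my ($fh, $path) = tempfile();
print $fh "constructed secret\n";
close $fh;
# Backdate both timestamps so the first read is visible even on relatime mounts,
# which only bump atime when it is not newer than mtime or is over a day old.
utime 1000, 1000, $path;

my $before = snapshot($path);

# 1. Any reader trips the wire: the watcher cannot tell cron from an intruder.
open my $r, '<', $path or die "open: $!";
my $line = <$r>;
close $r;
print "after read:  ", (join(', ', check($before, snapshot($path))) || 'quiet'), "\n";

# 2. The file's owner (or root) puts the timestamps back; the next poll sees
#    nothing. utime() leaves a fresh ctime behind, but a root intruder also
#    owns the system clock, so even that is not a reliable tell.
utime 1000, 1000, $path;
print "after utime: ", (join(', ', check($before, snapshot($path))) || 'quiet'), "\n";

unlink $path;
```

Run it as the file's owner and the first line reports "atime changed" while the second reports "quiet". Two further caveats a practitioner should know before relying on atime at all: filesystems mounted noatime never update it, and relatime (the Linux default) suppresses most updates, so the "quiet" case can occur with no evasion whatsoever. That is the false-positive and false-negative problem the reply calls "all bark and no bite" in concrete form.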