Gary,
Thanks. Although quite comprehensive about raising an alert when a large
variety of actions occur to a file, it still doesn't give me the core
requirement of reporting what content has changed. At best, one could
use the 'execute a command' option to, say, do a diff on certain actions,
but you would also need to set up capability to replicate the file in
the first place, and, hope no one deletes the replicated file which
would defeat the purpose of the watch. Too many moving parts that can be
attacked.
To me, something like iwatch is a useful capability that can fire off an
alert as soon as the action occurs. At this point a Security Operations
Centre could take action. Although, I would expect them to wait for the
auditd events that not only record the action, but also the high level
command involved (PROCTITLE) and the user (auid) and what privileges
(*uid, *gid) they had.
Again, I am looking for a lightweight, self-contained tool.
Regards
On Mon, 2015-07-20 at 17:53 +0000, Smith, Gary R wrote:
Hello Burn,
Have you considered iwatch (no, not the Apple wrist gadget). It monitors
files and can alert on a large set of file conditions. Check out this man
page at:
http://manpages.ubuntu.com/manpages/utopic/man1/iwatch.1.html
Best regards,
Gary Smith
On 7/20/15 4:56 AM, Burn Alting wrote:
> All,
>
> I am interested in any Linux based capability that will monitor
> identified files and report on actual changes to the monitored file. I
> know there are methods of recording that the file has been changed (e.g.
> aide and/or monitor writes via auditd), but I want to know what has
> changed ... basically something that would provide a 'diff' like output.
>
> Now there are tools like Samhain that will record the content changes of
> a file that is <= 92000 bytes in size, but I am interested in a more
> lightweight solution ... perhaps a simple inotify(7) based utility that
> perhaps maintains a copy of the file(s) in core (in compressed format)
> and based on inotify() returns checks for changes and reports (somehow
> yet to be defined) the before/after changes.
>
> Is there anything 'out there' that list members are aware of?
>
> If not, would the following utility be of interest? On startup, load the
> monitored file(s) (saving a compressed copy in memory). Then, using
> inotify, monitor for changes and if so, emit some kind of record
> defining the change and change the compressed in-memory copy. If so, is
> our mailing list and the contributed portion of auditd an appropriate
> repository for such a tool?
>
> Naturally, such a tool would be supported by appropriate auditd
> monitoring that will take care of changing file attributes etc and file
> writes. That is, auditd tells me who and the utility tells me what.
>
>
> Regards
> Burn
>
> --
> Linux-audit mailing list
> Linux-audit(a)redhat.com
>
> https://www.redhat.com/mailman/listinfo/linux-audit
>
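The utility Burn sketches above, as an added example that is not code from this thread or from the audit project: each watched file gets a zlib-compressed in-memory before-image, an inotify event triggers a unified diff of before versus after, and the snapshot is rolled forward so the next report shows only the next change. The inotify calls go through ctypes and assume Linux with glibc; a watch follows the inode, so an editor that writes a temp file and renames it over the target yields one final diff and then the watch ends, which is the kind of gap the auditd rules Burn mentions would have to cover.

```python
import ctypes, difflib, os, struct, sys, zlib
# inotify(7) event bits; each event starts with wd, mask, cookie, len (name[len] follows)
IN_MODIFY, IN_CLOSE_WRITE, IN_DELETE_SELF, IN_MOVE_SELF = 0x2, 0x8, 0x400, 0x800
EVENT_HDR = struct.Struct("iIII")

class FileWatch:
    """Compressed in-memory before-image of one file plus a diff-on-change check."""
    def __init__(self, path):
        self.path = path
        self.snapshot = zlib.compress(self._read())

    def _read(self):
        try:
            with open(self.path, "rb") as f:
                return f.read()
        except FileNotFoundError:
            return b""  # deleted or moved away: the diff shows every line removed

    def check(self):
        """Return a unified diff against the snapshot ("" if unchanged), then roll it forward."""
        old, new = zlib.decompress(self.snapshot), self._read()
        if old == new:
            return ""
        lines = lambda b: b.decode("utf-8", "replace").splitlines(keepends=True)
        diff = difflib.unified_diff(lines(old), lines(new),
                                    fromfile=self.path + " (before)",
                                    tofile=self.path + " (after)")
        self.snapshot = zlib.compress(new)
        return "".join(diff)

def watch(paths):
    """Linux only: block on inotify and print a diff for each write, close, delete or move."""
    libc = ctypes.CDLL(None, use_errno=True)
    fd = libc.inotify_init1(0)
    watches = {}
    for p in paths:
        wd = libc.inotify_add_watch(fd, p.encode(), IN_MODIFY | IN_CLOSE_WRITE | IN_DELETE_SELF | IN_MOVE_SELF)
        if wd < 0:
            raise OSError(ctypes.get_errno(), os.strerror(ctypes.get_errno()), p)
        watches[wd] = FileWatch(p)
    while True:
        buf, off = os.read(fd, 65536), 0
        while off < len(buf):
            wd, _mask, _cookie, name_len = EVENT_HDR.unpack_from(buf, off)
            off += EVENT_HDR.size + name_len
            report = watches[wd].check()  # the watch follows the inode: a rename-over ends it
            if report:
                print(report, end="", flush=True)

if __name__ == "__main__":
    watch(sys.argv[1:])
```

Run as `python3 filewatch.py /path/to/file ...` and each change is printed as a `diff -u` style hunk; IN_MODIFY fires per write(2), so a large write may be reported in several pieces before the IN_CLOSE_WRITE report.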