Looking for some (*nix) software which will build an index of "interesting" files on a server and notify when certain of those files contents are modified, or new files appear.

Similar to rkhunter et al, but less focussed on system binaries and more on executables served via web.

Any recommendations?

8 Answers

You may want to look at Tripwire or AIDE.

Both will track config file changes on your machines.

See also:

Zoredache
  • +1 for AIDE which I couldn't remember since Tripwire seems to have gone proprietary – Martin M. Jun 09 '09 at 21:47
  • @Server Horror Yes, the original Tripwire has gone commercial, but when that happened, the project forked into "Open Source Tripwire" which is located at http://sourceforge.net/projects/tripwire/ . – sunny256 Jun 09 '09 at 22:15
  • Tripwire/AIDE are not active anymore... Last AIDE version was from 2006 and Tripwire way before... OSSEC, Samhain and Osiris are the active ones. – sucuri Jun 10 '09 at 13:56
Look at OSSEC. I use it to do file integrity checks on our servers; it's very complete and easy to configure. It can send mail notifications, and you can check alerts via the command line or a web interface.

http://www.ossec.net/

Taken from the website:

"OSSEC is an Open Source Host-based Intrusion Detection System. It performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response."

Guillaume
  • +1 for ossec. It is by far the most active/developed of them. It also includes system auditing capabilities that alert on incorrect/insecure configuration options. – sucuri Jun 10 '09 at 13:55
You might try the inotify framework. You could use it to get a list of files that are reported to you by a write_close event. You might want to investigate incron or the inotify-tools (both linked from the Wikipedia page).

On the other hand, it sounds like tripwire is exactly what you are searching for; to my knowledge you can simply define which files to look at. I don't see a reason why tripwire (which, granted, is actually for system binaries in its basic use case) isn't suited for your use case.

Martin M.
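The "define which files to look at, then alert on changes" workflow from the answers above, as an added example that is not part of any answer or of Tripwire/AIDE/inotify-tools: a small baseline-and-compare checker for executables under a web root. The extension list, the `demo()` scenario and the sample files are constructed assumptions for illustration.

```python
"""Baseline-and-compare integrity index for executables served from a web root."""
import hashlib
import os
import tempfile
from pathlib import Path

# Extensions treated as "interesting" (assumed list for this example; adjust per site).
INTERESTING = {".php", ".cgi", ".pl", ".py", ".sh", ".js"}


def sha256_of(path: Path) -> str:
    """Hash file contents in chunks so large files never load fully into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_index(root: Path, interesting=INTERESTING) -> dict:
    """Map each interesting regular file (path relative to root) to hash + permission bits."""
    index = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() in interesting and p.is_file() and not p.is_symlink():
                index[str(p.relative_to(root))] = {
                    "sha256": sha256_of(p),
                    "mode": oct(p.stat().st_mode & 0o777),
                }
    return index


def compare(baseline: dict, current: dict) -> dict:
    """Report new, deleted and changed files (content or permissions) since the baseline."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Constructed scenario: baseline a web root, then alter one file and drop in a new one."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.php").write_text("<?php echo 'hello'; ?>")
        (root / "img").mkdir()
        (root / "img" / "logo.png").write_bytes(b"\x89PNG")  # not an interesting type
        baseline = build_index(root)  # in practice, store this off-host and read-only
        (root / "index.php").write_text("<?php echo 'changed'; ?>")  # content modified
        (root / "img" / "new.php").write_text("<?php ?>")  # unexpected new executable
        return compare(baseline, build_index(root))
```

Run the baseline from cron and mail the non-empty parts of `compare()`; a baseline kept on the monitored host is only as trustworthy as that host.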
The best package for this is definitely tripwire.

There's a quick-start guide here: penguinapple.blogspot.com

The guide is for Debian but the "Configuration and Use" section should be very similar for all *nix.

belacqua
In addition to AIDE and Tripwire (already mentioned), you might want to check out Samhain.

While all three probably default to monitoring /etc and various binary directories, they can be configured to monitor pretty much anything.

freiheit
Take a look at systraq.

http://directory.fsf.org/project/systraq/

Kevin Kuphal
Also look at radmind. It can do filesystem-wide diffs and then unapply or reapply them. You can use the client utilities by themselves, or use the server to create a repository for all of your diffs.

http://rsug.itd.umich.edu/software/radmind/

lukecyca
CFEngine has the ability to track checksums for arbitrary files as well as managing the rest of your configuration. I'd assume that some of the derivative configuration management tools (like Puppet or Chef) with agents can probably also do something similar.

http://cfengine.com/

dannysauer