0

My question is similar to Find out which process is changing a file, but I need something more. inotify only tells about a few events on a file, and auditd also just gives us the PID which did something to the file. But I need to know more details about the changes, like what the process actually did to the file, for example the contents of the file added or removed; if a new file was added, then who added that file; if permissions were changed, then by whom, and what the before/after permissions were, etc.

In short, is there any alternative to inotify and auditd? I am using OSSEC for this purpose as well, but need to know if something better is available.

Farhan

2 Answers

2

You could rig something together using Monit's service tests, either file content or checksum testing.

Otherwise, are you looking for something more comprehensive like Tripwire? While there's a free variant, it sounds like you're interested in a full auditing solution. The File Integrity Monitor from Tripwire does what you're asking for.

Maybe SAMHAIN, too...

Is there a particular issue with the OSSEC solution you have in place now?

ewwhite
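As an added illustration of the Monit suggestion above (this is an example written for this page, not configuration from the answer's author), a file test that covers the checksum, permission and content cases the question asks about. The path, owner and mode are assumptions; change them to the file you actually watch.

```monit
# Added example: Monit file test for an assumed path /etc/ssh/sshd_config.
check file sshd_config with path /etc/ssh/sshd_config
    # integrity: raise an alert when content or mtime changes
    if changed checksum then alert
    if changed timestamp then alert
    # ownership and mode: alert when they drift from the expected values
    if failed permission 0600 then alert
    if failed uid root then alert
    if failed gid root then alert
    # content test: alert when a weak setting appears in the file
    if match "^PermitRootLogin yes" then alert
    if does not exist then alert
```

Monit only reports that the file changed (and what the checksum, mode or matching line now is); it does not record which process or user made the change, so it answers the "what" part of the question but not the "who".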
0

Would it work for you to combine incron and git? incron would notice file/dir changes and then immediately commit the file to a git repository. That way you could at least see the changes.

ausearch provides you detailed information about who changed the file, which command was used, what the file permissions are/were and so on.

Janne Pikkarainen
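The incron plus git idea above, as an added example that is not part of the answer: a small handler script that incron runs on each event. It mirrors the changed file into a git repository, records the event, owner and mode in the commit message, and prints the commit hash, so that `git log -p` later shows exactly which lines were added or removed. The watched directory (/etc/ssh), the repository location (/var/lib/filehist) and the script path are assumptions; `stat -c` is GNU coreutils syntax.

```shell
#!/bin/sh
# Added example: incron handler that commits every file change to git.
#
# Assumed incrontab entry (run `incrontab -e`; paths are assumptions):
#   /etc/ssh  IN_CLOSE_WRITE,IN_CREATE,IN_DELETE,IN_ATTRIB  /usr/local/sbin/record_change.sh $@/$# $%
#
# incron expands $@ to the watched directory, $# to the file name inside it
# and $% to the event name(s), so the script receives <path> <event>.

set -eu

# init_repo REPO: create the mirror repository if it does not exist yet.
init_repo() {
    [ -d "$1/.git" ] || git init -q "$1"
}

# record_change REPO FILE EVENT
#   REPO  : git repository that mirrors the watched tree
#   FILE  : absolute path of the changed file
#   EVENT : incron event string, e.g. IN_CLOSE_WRITE or IN_DELETE
# Copies the file into the repo (removes the copy on delete), commits with
# the event, path, owner and mode in the message, and prints the commit hash.
record_change() {
    repo=$1; file=$2; event=$3
    rel=${file#/}                 # /etc/ssh/sshd_config -> etc/ssh/sshd_config
    dest="$repo/$rel"

    if [ -e "$file" ]; then
        mkdir -p "$(dirname "$dest")"
        cp -p "$file" "$dest"
        # GNU stat: capture owner and mode so IN_ATTRIB changes are recorded
        meta=$(stat -c 'uid=%u gid=%g mode=%a' "$file")
    else
        rm -f "$dest"
        meta="(removed)"
    fi

    git -C "$repo" add -A
    # --allow-empty keeps a record even when the content is identical
    # (a chmod only changes the mode in the message, not the bytes)
    git -C "$repo" -c user.name=incron -c user.email=incron@localhost \
        commit -q --allow-empty -m "$event $file $meta"
    git -C "$repo" rev-parse HEAD
}

# Entry point when invoked by incron: record_change.sh <path> <event>
if [ "${1:-}" ] && [ "${2:-}" ]; then
    init_repo /var/lib/filehist
    record_change /var/lib/filehist "$1" "$2"
fi
```

This gives before/after content and a timeline, but like inotify it cannot say which process or user wrote the file; for that part you still need the audit log (`ausearch -f <path>`), which records the PID, auid and syscall for each access.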