
We've been searching for a simple file integrity monitoring solution on CentOS/Linux that will work on the application level. We are not looking for OS/network level IDS as OSSEC and the others do a pretty good job at that.

We have looked at centralized (OSSEC) and non-centralized (Tripwire Open Source) solutions; however, they each have their limitations in regard to file restrictions and recursively monitoring thousands of files/directories.

Essentially we have thousands of php/cgi/pl files which we would like to monitor for changes/injections. The problem is they are all in directories that might contain other file types and other things that change. Directory integrity checking is not an option, as the directory might change but not the files we are interested in monitoring.

Is there software out there that can take a 'find' command to get a file list, place this file list in a database with an MD5 checksum for each file, and then on the next run match the file list file by file and alert on any changes to the MD5 checksums and on new files?

Dev
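As an added example (not from the question or any of the answers), a small Python script doing what the question describes: it builds the file list the way `find` would, records a digest per watched file in a JSON "database", and on the next run reports new, deleted and modified files while ignoring changes to unwatched files in the same directories. It uses SHA-256 rather than MD5 (the algorithm is a parameter); every path and file name below is constructed for the demo.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path

# Only these suffixes are tracked; other files in the same directories may change silently.
WATCHED_SUFFIXES = (".php", ".cgi", ".pl")

def file_digest(path, algo="sha256"):
    h = hashlib.new(algo)  # hashed in chunks so large files need not fit in memory
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def build_snapshot(root, suffixes=WATCHED_SUFFIXES, algo="sha256"):
    """Like `find root -type f -name '*.php' ...`: map relative path -> digest."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(suffixes):
                full = os.path.join(dirpath, name)
                snap[os.path.relpath(full, root)] = file_digest(full, algo)
    return snap

def compare(baseline, current):
    """Report new, deleted and modified files; unchanged files stay silent."""
    old, new = set(baseline), set(current)
    return {"added": sorted(new - old), "removed": sorted(old - new),
            "modified": sorted(p for p in old & new if baseline[p] != current[p])}

def demo():
    """Constructed sample tree: take a baseline, then rescan after simulated changes."""
    with tempfile.TemporaryDirectory() as root:
        app = Path(root, "app")
        app.mkdir()
        for name in ("index.php", "lib.pl", "run.cgi", "notes.txt"):
            (app / name).write_text("original " + name)
        db = Path(root, "baseline.json")  # the checksum "database", kept outside the tree
        db.write_text(json.dumps(build_snapshot(app), sort_keys=True))
        # Simulated events: index.php edited, notes.txt edited (unwatched, so no
        # alert), run.cgi deleted, hook.pl newly dropped in; lib.pl untouched.
        (app / "index.php").write_text("edited")
        (app / "notes.txt").write_text("edited")
        (app / "run.cgi").unlink()
        (app / "hook.pl").write_text("new")
        return compare(json.loads(db.read_text()), build_snapshot(app))
```

Keep the baseline file somewhere the web application cannot write (a separate host or a read-only mount), since anyone able to modify the monitored scripts could otherwise rewrite a baseline stored beside them.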

4 Answers


Perhaps you can try AIDE (http://aide.sourceforge.net/), and create a rule that will only monitor *.php/*.cgi/*.pl files.

Supremo
  • AIDE is also recommended in the RHEL security guide. https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-using-aide – hargut May 28 '19 at 05:43

You can use auditd (userspace): create rules, centralize messages and filter event logs according to your needs. It won't check integrity, but it will monitor for changes. If you are running custom services, then it wouldn't be hard to write an integrity check utility.

BTW, regexp rules for filenames are not supported by OSSEC for file integrity checks? O_o

GioMac
  • Yup, years later OSSEC 2.8 only supports what they very-very generously call a simple regular expression (sregex). It's so simple and so close to strcmp it doesn't even support `.*` or even `.` (a dot)! – kubanczyk Feb 07 '17 at 22:51

Check out Mugsy. You can monitor specific directories, but exclude certain patterns. It logs locally as well as to Elasticsearch.

Banjer

Most file integrity monitoring systems should be able to do this, creating a 'known-good' baseline snapshot against which files are later checked.

You've already mentioned the open source systems OSSEC and Tripwire, but there are a few commercial options too, which will typically have a better user interface, be much easier to configure, and come with a central management console. One such option is Verisys, which will let you specify patterns for the files to include and exclude. Some info from the user guide here.

Cocowalla