Feel free with Open Source Software
Andries Filmer - Internet professional sinds 1996.
Monitoring file system events with inotify, incron and auditctl
There are a lot of tools to monitor a filesystem. This time we take a quick look at inotify, incron and auditctl.
The inotify API provides a mechanism for monitoring file system events. Inotify can be used to monitor individual files, or to monitor directories. When a directory is monitored, inotify will return events for the directory itself, and for files inside the directory.
You can combine commands with a pipe, so this can be very powerful (as usual with GNU/Linux).
apt-get install inotify-tools
inotifywait -mrq --format '%w%f' -e close_write /home/andries/myProject | while read -r file; do echo "$file" >> /var/log/inotify; done &
An example to back up all files under /etc:
inotifywait -mrq --format '%w%f' -e close_write /etc | while read -r file; do \
  cp --parents "$file" /var/backups/inotify; \
  mv "/var/backups/inotify$file" "/var/backups/inotify$file-`date +'%Y-%m-%d_%H:%M'`"; \
done &
The inotify cron daemon (incrond) is a daemon which monitors filesystem events and executes commands defined in system and user tables. Its use is generally similar to cron(8).
apt-get install incron
Create /root/inotify.sh with the following content (incron passes the changed path as $1):
#!/bin/sh
# Create an inotify backup dir (if it does not exist yet)
mkdir -p /var/backups/inotify
# Make a copy of the file, including its full path
cp -p --parents "$1" /var/backups/inotify
# Rename the copy to a file with a datetime stamp
mv "/var/backups/inotify$1" "/var/backups/inotify$1_`date +'%Y-%m-%d_%H:%M'`"
Make the file executable for root:
chmod 755 /root/inotify.sh
Then add the watches to the incron table (incrontab -e); $@ is the watched directory and $# the file name:
/etc IN_CLOSE_WRITE,IN_MODIFY /root/inotify.sh $@/$#
/home/andries/myProject IN_CLOSE_WRITE /root/inotify.sh $@/$#
As you can see, you can do much more ;)
Auditctl is a utility to assist controlling the kernel's audit system. It is another approach to monitoring the filesystem. This can be useful if more people have root access or if there are problems with the system.
apt-get install auditd
Now the audit daemon is running.
You can add rules for logging.
We'd like to audit the /etc/passwd file for writes, attribute changes and reads (-p war). The -k key tags the events so they can be found again with ausearch. Type the command as follows:
auditctl -w /etc/passwd -p war -k password-file
Syscall audit rule
The next rule suppresses auditing of mount syscall exits:
auditctl -a exit,never -S mount
Syscall audit rule using a pid
See all syscalls made by a program, e.g. sshd (in this example pid 702):
auditctl -a entry,always -S all -F pid=702
Search the audit log for events on /etc/passwd:
ausearch -f /etc/passwd
Other useful examples
Search for events with date and time stamps. If the date is omitted, today is assumed. If the time is omitted, now is assumed. Use 24-hour clock time rather than AM or PM to specify the time. An example date is 10/24/05. An example of a time is 18:00:00.
ausearch -ts today -k password-file
ausearch -ts 3/12/07 -k password-file
Search for an event matching the given executable name using the -x option. For example, find out who has accessed /etc/passwd using the rm command:
ausearch -ts today -k password-file -x rm
ausearch -ts 3/12/07 -k password-file -x rm
Search for an event with the given user ID (UID) using the -ui option. For example, find out whether user vivek (uid 506) tried to open /etc/passwd:
ausearch -ts today -k password-file -x rm -ui 506
ausearch -k password-file -ui 506
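If you want to look at the raw records in /var/log/audit/audit.log instead of going through ausearch, the following small sh/awk filter is an added example (not from the original page) that picks out the SYSCALL records tagged with the password-file key and counts the denied ones. The sample records and the function names are constructed for this illustration; the field names (type, syscall, success, uid, exe, key) are the ones auditd writes.

```shell
#!/bin/sh
# Added example: summarise raw auditd SYSCALL records carrying a given key.
# Prints "uid exe syscall success" per matching record.

# Constructed sample records in audit.log format (not real log data).
SAMPLE_AUDIT_LOG='type=SYSCALL msg=audit(1300000000.123:45): arch=c000003e syscall=2 success=yes exit=3 a0=7fff a1=0 uid=506 auid=506 exe="/bin/cat" key="password-file"
type=SYSCALL msg=audit(1300000010.456:46): arch=c000003e syscall=2 success=no exit=-13 a0=7fff a1=241 uid=506 auid=506 exe="/usr/bin/vim" key="password-file"
type=SYSCALL msg=audit(1300000020.789:47): arch=c000003e syscall=2 success=yes exit=4 a0=7fff a1=0 uid=0 auid=1000 exe="/bin/cat" key="other-key"
type=PATH msg=audit(1300000000.123:45): item=0 name="/etc/passwd" inode=1234 mode=0100644 ouid=0 ogid=0'

# summarize_key KEY: read audit records on stdin, print one line per
# SYSCALL record whose key matches KEY: "uid exe syscall success".
summarize_key() {
    awk -v want="$1" '
        $1 == "type=SYSCALL" {
            split("", f)                     # clear the field map (portable awk)
            for (i = 2; i <= NF; i++) {      # parse name=value pairs
                n = index($i, "=")
                if (n > 0) {
                    k = substr($i, 1, n - 1)
                    v = substr($i, n + 1)
                    gsub(/"/, "", v)         # strip quotes around exe/key
                    f[k] = v
                }
            }
            if (f["key"] == want)
                print f["uid"], f["exe"], f["syscall"], f["success"]
        }'
}

# count_denied KEY: number of matching records where the syscall failed
# (success=no), e.g. a user who could not open /etc/passwd for writing.
count_denied() {
    summarize_key "$1" | awk '$4 == "no" { c++ } END { print c + 0 }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_AUDIT_LOG" | summarize_key password-file
```

On a real system feed it the log file: summarize_key password-file < /var/log/audit/audit.log (root required).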
I would appreciate any comments about this page. Please go ahead.
Andries Filmer | http://andries.filmer.nl | firstname.lastname@example.org | © 2011