I have a server with two handfuls of sites that are “frozen” and will not change during the coming years. I am looking for a solution to monitor all directories under /home/$username/public_html/ for changes. Changes are not expected to happen, so each change could be a sign of a possible intrusion.
I can imagine several solutions for this. One would be a daily cronjob that creates a hash of the files or folders and compares it to yesterday’s hash. If there is a change, it sends an email to report that.
Or would inotifywait be able to do the task?
The thing is: I could try to create something like that. But I am far from being a bash monster. And I could imagine that there is already something like that in existence, so that I do not have to reinvent the wheel.
Are you aware of anything that could achieve the targeted goal?
It’s for a Debian server, so any solution that might work for a Windows server will probably not work for me…
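The cronjob idea from the question, written out as an added example (not from the thread): a baseline of sha256 hashes is recorded once, and a daily check re-hashes the tree and reports every added, removed or modified file, mailing only when something differs. The layout /home/<user>/public_html, the baseline location and the recipient address are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): hash-based integrity baseline for a "frozen" web root.
# Assumed layout: sites under /home/<user>/public_html; baseline path and mail recipient are assumed.
#   init  <dir> <baseline>             record the sha256 of every file
#   check <dir> <baseline>             print ADDED / REMOVED / MODIFIED lines, exit 1 on any change
#   daily <dir> <baseline> <address>   cron entry point; mails only when check finds something
set -u
export LC_ALL=C   # sort(1) and comm(1) must agree on collation, whoever wrote the baseline

# One "hash  path" line per regular file, sorted so two snapshots are comparable with comm(1).
snapshot() {
    find "$1" -type f -exec sha256sum {} + | sort
}

# Keep the baseline OUTSIDE the watched tree (e.g. /var/lib/integrity/) and not writable
# by the web user; otherwise whoever modifies the site can simply re-baseline it.
init_baseline() {
    snapshot "$1" > "$2"
}

# Compare the live tree with the baseline. Prints one line per difference,
# returns 1 if anything differs and 0 if the tree is unchanged.
check_integrity() {
    dir="$1"; baseline="$2"
    tmp=$(mktemp -d)
    snapshot "$dir" > "$tmp/current"
    # Hash lines present only in the baseline / only in the live tree, reduced to their paths
    # (sha256sum separates hash and path with two spaces, so the path starts at field 3).
    comm -23 "$baseline" "$tmp/current" | cut -d' ' -f3- | sort > "$tmp/gone"
    comm -13 "$baseline" "$tmp/current" | cut -d' ' -f3- | sort > "$tmp/new"
    # A path in both lists changed content; only in "gone" was deleted; only in "new" was added.
    {
        comm -12 "$tmp/gone" "$tmp/new" | sed 's/^/MODIFIED /'
        comm -23 "$tmp/gone" "$tmp/new" | sed 's/^/REMOVED  /'
        comm -13 "$tmp/gone" "$tmp/new" | sed 's/^/ADDED    /'
    } > "$tmp/report"
    status=0
    if [ -s "$tmp/report" ]; then
        cat "$tmp/report"
        status=1
    fi
    rm -rf "$tmp"
    return "$status"
}

# Cron entry point: silent when nothing changed, one mail with the full report otherwise.
# Assumed crontab line:
#   0 6 * * * /usr/local/sbin/integrity.sh daily /home/alice/public_html /var/lib/integrity/alice.sha256 admin@example.com
daily_report() {
    if report=$(check_integrity "$1" "$2"); then
        return 0
    fi
    printf '%s\n' "$report" | mail -s "Integrity alert: $1 changed on $(hostname)" "$3"
    return 1
}

case "${1:-}" in
    init)  init_baseline "$2" "$3" ;;
    check) check_integrity "$2" "$3" ;;
    daily) daily_report "$2" "$3" "$4" ;;
    *)     ;;   # no subcommand: only define the functions (e.g. when sourced)
esac
```

Content hashes catch a change even when the file's size and mtime are restored afterwards, which is the main thing this buys you over a mtime-based find. The report lists the path of every change, so a single legitimate deployment just means running init again afterwards.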
I believe watchman by Facebook is very good for this purpose; if I remember correctly it uses inotify on Linux. It is production grade and comes with prebuilt features such as running a script when files change, logging the changes, etc.
Examples:
# Add a new folder to watchman
watchman watch ./
# Remove a watched folder from watchman
watchman watch-del ./
# List all watched folders
watchman watch-list
# Add a trigger to watched folder
watchman -- trigger ./ triggername -- ./trigger.sh
# Remove a trigger from watched folder
watchman trigger-del ./ triggername
# List all triggers
watchman trigger-list ./
The commands assume you are watching the current working directory, which contains a script named trigger.sh. The first argument passed to your script will contain the changed file name, which can be accessed using $1 in a bash script.
The documentation for watchman is quite bad; I will update this post if I have made a mistake. For advanced usage please take a look here: Installation | Watchman
This is a very basic approach: it sends you a daily mail that is empty unless there are files that changed, in which case they will be listed in it…
It is probably easy to extend it a bit to only invoke mail if there are results, but I was too lazy.
PS: if it’s not a million files, you could probably run find twice.
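The find-based daily report with the "only mail if there are results" extension the post leaves out, as an added example (this is not the poster's script). The layout /home/<user>/public_html and the default recipient are assumptions.

```shell
#!/bin/sh
# Added example, not the poster's script: list files modified in the last N days and
# mail the list only when it is non-empty. Assumed layout: /home/<user>/public_html.
set -u

# Regular files whose modification time is less than N*24 hours old.
# find(1) counts -mtime in whole 24-hour periods, so "-mtime -1" means "within the last day".
recently_changed() {
    dir="$1"; days="$2"
    find "$dir" -type f -mtime "-$days" | sort
}

# Cron entry point: silent when nothing changed. Returns 1 when files were found so a
# monitoring wrapper can also act on the exit code.
daily_change_mail() {
    changed=$(recently_changed "$1" "$2")
    if [ -z "$changed" ]; then
        return 0
    fi
    printf '%s\n' "$changed" | mail -s "Changed files under $1 on $(hostname)" "$3"
    return 1
}

# Assumed crontab line:  0 6 * * * /usr/local/sbin/changed.sh daily /home/alice/public_html 1 admin@example.com
case "${1:-}" in
    list)  recently_changed "$2" "${3:-1}" ;;
    daily) daily_change_mail "$2" "${3:-1}" "${4:-root}" ;;
    *)     ;;   # no subcommand: only define the functions (e.g. when sourced)
esac
```

The caveat with this approach is that it keys on the modification time, which anyone who can write the file can also reset with touch, and a file that was changed and changed back inside one day still shows up as "changed" while a change with a backdated mtime does not. It is a cheap first alert; comparing content hashes against a stored baseline is the more robust check for a tree that should never change.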