Looking for a script to monitor (and report) several folders for changes

Amitz · September 25, 2019, 9:40pm

Cheerio, guys!

I have a server with two handful of sites that are “frozen” and will not change during the next years. I am looking for a solution to monitor all directories under /home/$username/public_html/ for changes. Changes are not expected to happen, so each change could be a sign of a possible intrusion.

I can imagine several solutions for this. One would be a daily cronjob that creates a hash of the files or folders and compares it to yesterday’s hash. If there is a change, it sends an eMail to report that.

Or would inotifywait be able to do the task?

The thing is: I could try to create something like that. But I am far from being a bash monster. And I could imagine that there is already something like that in existence, so that I do not have to invent the wheel a second time.

Are you aware of anything that could achieve the targeted goal?
It’s for a Debian server, so any solution that might work for a Windows server will probably not work for me…

Thanks a lot in advance!

Kind regards
Amitz

FAT32 · September 26, 2019, 12:49am

I believe watchman by Facebook is very good for this purpose, if I remember correctly it used inotify for Linux. It is production grade and comes with prebuilt features such as running a script when file change and logging the changes etc.

Examples:

# Add a new folder to watchman
watchman watch ./

# Remove a watched folder from watchman
watchman watch-del ./

# List all watched folders
watchman watch-list

# Add a trigger to watched folder
watchman -- trigger ./ triggername -- ./trigger.sh

# Remove a trigger from watched folder
watchman trigger-del ./ triggername

# List all triggers
watchman trigger-list ./

The command assume you are watching current working directory and contains a script named as trigger.sh. The first parameter / argument passed in to your script will contains the changed file name, which can be accessed using $1 in bash script.

The documentation for watchman is quite bad, will update this post if I make a mistake. For advanced usages please take a look here: Installation | Watchman

Falzo · September 26, 2019, 6:41am

I used to use a simple cron one liner for something like that:

1 1 * * * root find /home/$username/public_html/ -mtime 0 | mail -s yoursubjecthere [email protected]

this is a very basic approach and sends you a daily mail that’s empty, unless there are files that changed, which then will be in it as a list…
probably easy to extend it a bit to only invoke mail if there are results, but I was too lazy

PS: if it’s not a million files you probably could run find twice

1 1 * * * root [[ -z `find /home/$username/public_html/ -mtime 0 -print -quit` ]] || find /home/$username/public_html/ -mtime 0 | mail -s yoursubjecthere [email protected]

haven’t tested that proeperly though…

jetchirag · September 26, 2019, 7:13am

Not really neat but something I can think of is like

dirc=$(find Desktop -name *litespeed*); echo $dirc | if [ $(wc -c) -ne 0 ]; then mail -s yoursubjecthere << $dirc; fi

Though would prefer using slack webhook or something to make sure it actually reaches.

Amitz · September 26, 2019, 8:24am

Excellent! Thank you so much, guys! Those are great starting points for me and will help a lot!