Chapter 1. User Guide

Table of Contents
1.1. Introduction
1.1.1. System requirements
1.1.2. Principles of operation
1.2. Configuration File
1.2.1. Comments
1.2.2. File selection rules
1.3. Operation

1.1. Introduction

File Attribute Monitor is a tool for detecting changes to files. It has been developed primarily as a tool for system administrators to detect unauthorized changes to critical system files, but it may be useful for other purposes.

1.1.1. System requirements

File Attribute Monitor has been developed on Red Hat Linux, and may work on other *nix-like systems.

1.1.2. Principles of operation

Detection of changes to files is a three-step process:

  1. Identify the files and attributes of interest

  2. Produce a reference database of file attributes

  3. Compare file attributes with those recorded in the reference database

1.1.2.1. Identify the files and attributes of interest

The first step is to identify the files and attributes of interest. These are specified in the File Attribute Monitor configuration file: fattmon.conf. This configuration file is described completely in Section 1.2.

One's interest may be as narrow as ensuring that a small set of data files remains unchanged, or as broad as ensuring that a complete system configuration, including its applications, remains unchanged. For some files, one may be interested in all attributes of the file, but for others one may only be interested in changes to the ownership and permissions of the file. With time and experience one may evolve the set to meet one's needs.

As systems and interests change, the set of files and attributes to be monitored will change. A plan should be developed for reviewing the set of files and attributes. The reviews may be at regularly scheduled times, or they may be triggered by relevant events. For example, one might review the set of files and attributes being monitored quarterly and every time a change is applied to a system.

Example 1-1. A sample configuration


# include all files in directory /foo, monitoring the pre-defined set of
# attributes R, including permissions, inode, number of links, user
# group, size, mtime, ctime and md5 checksum.

+/foo		R


# exclude the subdirectory /foo/bar and its contents.

-/foo/bar


# include all files in directory /foo/bar having names ending with ".baz",
# monitoring the set of attributes R and sha1 checksum.

+/foo/bar/.*\.baz	R+sha1

1.1.2.2. Produce a reference database of file attributes

After writing a configuration file specifying the files and attributes to be monitored, the next step is to create a reference database.

Even if the set of files and attributes to be monitored does not change, it may be necessary to re-generate the reference database from time to time as authorized changes are applied to the system. This might be done as part of the change implementation procedure, or it might be done after changes are detected if investigation determines that all the changes are acceptable.

In the following example, fattmon is run using configuration file fattmon.conf in the current directory to create a reference database. The database is created in the current directory with the default name fattmon.db.new. This is renamed to fattmon.db, which is the default input database name used when checking in the next step.

Example 1-2. Generating a reference database


# fattmon --config=./fattmon.conf --init
# mv fattmon.db.new fattmon.db
#

1.1.2.3. Compare file attributes with those recorded in the reference database

After generating a reference database, File Attribute Monitor can be run periodically to check for changes.

Depending on one's objectives, one might check for changes frequently or only occasionally. For example, on a busy server exposed to the Internet, one might set up a cron job to check for changes every hour, while on a development system one might check for changes only when starting final testing of a new system configuration.

In the following examples, fattmon is run using configuration file fattmon.conf in the current directory to compare current file attributes with those recorded in the default reference database fattmon.db in the current directory.

Example 1-3. Checking for changes


# fattmon --config=./fattmon.conf --check
#

Example 1-4. Finding changes

# fattmon --config=./fattmon.conf --check
fattmon found differences between database and filesystem!!
Start timestamp: 2002-12-05 05:47:16
Summary:
Total number of files=34,added files=0,removed files=2,changed files=0

Removed files:
removed:/foo/bar/foobar.baz
removed:/foo/bar/barfoo.baz
#
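The following is an added illustration of the three-step process of Section 1.1.2, not fattmon's own code: it records the attribute set R of Example 1-1 for a list of files (step 2), compares a later snapshot against that reference (step 3), and produces a summary line in the style of Example 1-4. The file names, the temporary directory and the same-size tampering scenario in demo() are constructed for the example.

```python
import hashlib
import os
import stat
import tempfile
# Attribute set R from Example 1-1: permissions, inode, number of links, user,
# group, size, mtime, ctime and md5 checksum.

def md5sum(path):
    with open(path, "rb") as f:
        return hashlib.md5(f.read()).hexdigest()  # whole-file read; fine for a demo

def attributes(path):
    """Record the R attributes of one path; lstat so symlinks are not followed."""
    st = os.lstat(path)
    return {
        "perm": stat.S_IMODE(st.st_mode), "inode": st.st_ino, "nlink": st.st_nlink,
        "user": st.st_uid, "group": st.st_gid, "size": st.st_size,
        "mtime": st.st_mtime_ns, "ctime": st.st_ctime_ns,
        "md5": md5sum(path) if stat.S_ISREG(st.st_mode) else None,
    }

def snapshot(paths):
    """Step 2: the reference database, here a dict keyed by path."""
    return {p: attributes(p) for p in paths if os.path.lexists(p)}

def compare(reference, current):
    """Step 3: name the added, removed and changed files, as in Example 1-4."""
    ref, cur = set(reference), set(current)
    changed = {p: [a for a in reference[p] if reference[p][a] != current[p][a]]
               for p in ref & cur if reference[p] != current[p]}
    return {"added": sorted(cur - ref), "removed": sorted(ref - cur), "changed": changed}

def summary(reference, result):
    """One-line summary in the style of Example 1-4."""
    return "Total number of files=%d,added files=%d,removed files=%d,changed files=%d" % (
        len(reference), len(result["added"]), len(result["removed"]), len(result["changed"]))

def demo():
    """Constructed scenario: one file removed, one overwritten with same-size data."""
    d = tempfile.mkdtemp()
    a, b = os.path.join(d, "foobar.baz"), os.path.join(d, "barfoo.baz")
    for p in (a, b):
        with open(p, "w") as f:
            f.write("original\n")
    reference = snapshot([a, b])
    os.remove(a)
    with open(b, "w") as f:
        f.write("tampered\n")  # same size as before: only the checksum and times reveal it
    result = compare(reference, snapshot([a, b]))
    return result, a, b, summary(reference, result)
```

The same-size overwrite in demo() is why a checksum belongs in the attribute set: size alone would report the file as unchanged.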