1

I want to implement sort of trip-wire security mechanism, that tracks in real time events when user writes a file with a specific content on hard drive of his workstation (which will be managed by me).

Otherwise brilliant loggedfs doesn't let me monitor file's contents, only file names.

What other option do I have? I guess I need something similar to the stuff that real-time antivirus software uses.

P.S. I can use btrfs and rely on its leaf block checksums. But I prefer a more general solution.

Rui F Ribeiro
  • 55,929
  • 26
  • 146
  • 227
Adam Ryczkowski
  • 5,493
  • 7
  • 39
  • 60
  • inotify might be a way, but is this XY? – coteyr Jun 17 '15 at 06:48
  • @coteyr what is XY? – Adam Ryczkowski Jun 17 '15 at 07:42
  • 1
    http://meta.stackexchange.com/questions/66377/what-is-the-xy-problem – coteyr Jun 17 '15 at 14:08
  • @coteyr I'm going to hire some people to help me with my programming project. The people will need to have access to some sensitive binaries, and I'd like to make sure they don't take them away. And the only way out is through their Linux workstations. – Adam Ryczkowski Jun 18 '15 at 06:03
  • *The people will need to have access to some sensitive binaries, and I'd like to make sure they don't take them away.* Trivial to defeat: `openssl enc -des -a -in /path/to/sensitive/binary -out mytextfile.txt` – Andrew Henle Mar 28 '19 at 10:26

1 Answers1

6

When on Linux you can use the inotify mechanism in combination with incron. Setup incron by installing the package and edit the config:

/etc/incron.conf
system_table_dir=/etc/incron.d
user_table_dir=/var/spool/incron
allowed_users=/etc/incron.allow
denied_users=/etc/incron.deny
lockfile_dir=/var/run
logfile_name=incrond
editor=vi

Then configure a watch in /etc/incron.d/myscriptwatch:

/path/to/dir IN_CLOSE_WRITE,IN_MOVED_TO /path/to/check_content_script.sh $@ $#

Next step is to setup your /path/to/check_content_script.sh to check what is done with the file:

CURRSUM=$(md5sum $@)
PREVSUM=$(cat /path/to/old_saved_sum)

if [ "$CURRSUM" = "$PREVSUM" ]
then
   echo "file $@ is not altered" >> /tmp/watch_log
else
   echo "file $@ is altered" >> /tmp/watch_log
fi

You can also monitor for the other events to see if the file is changed like IN_CLOSE_WRITE,IN_ATTRIB,IN_MODIFY

See man 5 incrontab for more details.

Lambert
  • 12,495
  • 2
  • 26
  • 35