
We've been searching for a simple file integrity monitoring solution on CentOS/Linux that will work on the application level. We are not looking for OS/network level IDS as OSSEC and the others do a pretty good job at that.

We have looked at centralized (OSSEC) and non-centralized (Tripwire Open Source) options; however, they each have their limitations with regard to file restrictions and recursively monitoring thousands of files/directories.

Essentially we have thousands of php/cgi/pl files which we would like to monitor for changes/injections. The problem is they are all in directories that might contain other file types and other things that change. Directory integrity checking is not an option as the directory might change but not the files we are interested in monitoring.

Is there software out there that can take a 'find' command to get a file list, place this file list in a database with an MD5 checksum for each file, and then on the next run match the file list file by file and alert on any changes to the MD5 checksums and on new files?

  • Consider using version control (for example, GitHub) to monitor your web files. Commented Jul 1, 2016 at 14:31
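The workflow the question asks for (a `find`-selected file list, an MD5 per file stored as a baseline, and a later run that reports changed, new and deleted files) is small enough to script directly. The following is an added example, not from the question or any of the answers; it assumes GNU coreutils (`find`, `xargs`, `md5sum`, `sort`, `mktemp`) and `awk` as shipped on CentOS, and the function names `fim_snapshot`, `fim_compare`, `fim_check` and `fim_demo` are made up for this illustration. The `fim_demo` function builds a constructed directory tree in a temporary location so the whole thing can be run without touching a real web root.

```shell
#!/bin/sh
# Added example (not from the question or any answer on this page): a minimal
# find + md5sum baseline/check script of the kind the question describes.
# Assumes GNU coreutils (find, xargs, md5sum, sort, mktemp) and awk, as on CentOS.
# Function names fim_snapshot, fim_compare, fim_check and fim_demo are made up here.

# Print "md5  path" for every monitored file under $1, sorted by path.
# The find expression is the only place that decides which files count, so
# unrelated files in the same directories are simply never listed.
fim_snapshot() {
    find "$1" -type f \( -name '*.php' -o -name '*.cgi' -o -name '*.pl' \) -print0 \
        | xargs -0 -r md5sum | sort -k 2
}

# Compare baseline ($1) with a current snapshot ($2), both in md5sum format.
# Prints one line per difference: NEW, MODIFIED or DELETED followed by the path.
# Fields are cut by column (md5 is 32 hex chars, path starts at column 35) so
# paths containing spaces are handled correctly. Output is sorted for stable reports.
fim_compare() {
    awk '
        { h = substr($0, 1, 32); p = substr($0, 35) }
        FILENAME == ARGV[1] { base[p] = h; next }       # load the baseline
        {
            cur[p] = 1
            if (!(p in base))        print "NEW      " p
            else if (base[p] != h)   print "MODIFIED " p
        }
        END { for (p in base) if (!(p in cur)) print "DELETED  " p }
    ' "$1" "$2" | sort
}

# Take a fresh snapshot of $2 and report differences against the baseline file $1.
# Returns 0 when nothing changed, 1 when something did (so it fits cron/alerting).
fim_check() {
    db=$1; root=$2
    snap=$(mktemp) || return 2
    fim_snapshot "$root" > "$snap"
    report=$(fim_compare "$db" "$snap")
    rm -f "$snap"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Self-contained demonstration on constructed files in a temporary directory:
# take a baseline, then modify a .php, add a .cgi, delete a .pl and edit an
# unmonitored .txt file; print the report and return fim_check's status.
fim_demo() {
    work=$(mktemp -d) || return 2
    mkdir -p "$work/site/inc"
    printf '<?php echo "hello";\n' > "$work/site/index.php"
    printf '<?php // helper\n'      > "$work/site/inc/lib.php"
    printf '#!/usr/bin/perl\n'      > "$work/site/old.pl"
    printf 'static text\n'          > "$work/site/readme.txt"   # not monitored

    fim_snapshot "$work/site" > "$work/baseline.db"            # first run

    printf '// appended line\n' >> "$work/site/index.php"      # MODIFIED
    printf '#!/bin/sh\n'        >  "$work/site/new.cgi"        # NEW
    rm -f "$work/site/old.pl"                                  # DELETED
    printf 'edited\n'           >> "$work/site/readme.txt"     # ignored

    fim_check "$work/baseline.db" "$work/site"                 # second run
    rc=$?
    rm -rf "$work"
    return "$rc"
}
```

In real use the first run is `fim_snapshot` redirected into a baseline file and every later run is `fim_check` with that file and the web root, driven from cron and alerting on a non-zero exit. Two caveats matter for the threat the question describes: the baseline must live somewhere the web server's user cannot write (read-only mount, another host, or at least a different owner), otherwise whoever can inject into the PHP files can also rewrite the hashes; and `md5sum` is adequate only for change detection against an attacker who cannot influence both versions, so `sha256sum` is a drop-in replacement (adjust the two column offsets in `fim_compare` to 64 and 67) if that assumption does not hold.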

4 Answers


Perhaps you can try AIDE (http://aide.sourceforge.net/), and create a rule that will only monitor *.php/*.cgi/*.pl files.


You can use auditd (userspace): create rules, centralize messages and filter event logs according to your needs. It won't check integrity, but will monitor for changes. If you are running custom services, then it wouldn't be hard to write an integrity check utility.

BTW, regexp rules for filenames are not supported by OSSEC for file integrity checks? O_o

  • Yup, years later, OSSEC 2.8 only supports what they very, very generously call a simple regular expression (sregex). It's so simple and so close to strcmp that it doesn't even support .* or even . (a dot)!
    – kubanczyk
    Commented Feb 7, 2017 at 22:51

Most file integrity monitoring systems should be able to do this, creating a 'known-good' baseline snapshot against which files are later checked.

You've already mentioned the open source systems OSSEC and Tripwire, but there are a few commercial options too - which will typically have a better user interface, be much easier to configure, and come with a central management console. One such option is Verisys, which will let you specify patterns for the files to include and exclude. Some info from the user guide here.


Check out Mugsy. You can monitor specific directories, but exclude certain patterns. It logs locally as well as to elasticsearch.
