Configuration file monitoring - reporting content changes

Burn Alting burn at swtf.dyndns.org
Mon Jul 20 13:03:43 UTC 2015


Mon, 2015-07-20 at 21:09 +0900, Tetsuo Handa wrote:
> Burn Alting wrote:
> > All,
> > 
> > I am interested in any Linux based capability that will monitor
> > identified files and report on actual changes to the monitored file. I
> > know there are methods of recording that the file has been changed (e.g.
> > aide and/or monitor writes via auditd), but I want to know what has
> > changed ... basically something that would provide a 'diff' like output.
> > 
> > Now there are tools like Samhain that will record the content changes of
> > a file that is <= 92000 bytes in size, but I am interested in a more
> > lightweight solution ... perhaps a simple inotify(7) based utility that
> > perhaps maintains a copy of the file(s) in core (in compressed format)
> > and based on inotify() returns checks for changes and reports (somehow
> > yet to be defined) the before/after changes.
> > 
> > Is there anything 'out there' that list members are aware of?
> 
> If you don't need to protect "copy of the file(s)" from malicious attacks,
> I think cvs / svn / git etc. would be sufficient.
> 
> If you need to protect "copy of the file(s)" from malicious attacks,
> you would need to use access control mechanisms (e.g. SELinux).
Tetsuo,

I appreciate what you say, but I am looking at this problem from the
point of view of
a. There is no central management of configuration files, which means
git/puppet is not a viable solution.
b. The entity that will change the file is authorized to make the
change. That is, I just want to know what has changed. I am assuming
there are sufficient access control mechanisms to 'protect the file'.

Regards

