Configuration file monitoring - reporting content changes

Smith, Gary R Gary.Smith at pnnl.gov
Mon Jul 20 17:53:37 UTC 2015


Hello Burn,

Have you considered iwatch (no, not the Apple wrist gadget)? It monitors
files and can alert on a large set of file conditions. Check out this man
page at: http://manpages.ubuntu.com/manpages/utopic/man1/iwatch.1.html

Best regards,

Gary Smith

On 7/20/15 4:56 AM, Burn Alting wrote:
> All,
>
> I am interested in any Linux-based capability that will monitor
> identified files and report on actual changes to the monitored file. I
> know there are methods of recording that the file has been changed (e.g.
> aide and/or monitor writes via auditd), but I want to know what has
> changed ... basically something that would provide a 'diff' like output.
>
> Now there are tools like Samhain that will record the content changes of
> a file that is <= 92000 bytes in size, but I am interested in a more
> lightweight solution ... perhaps a simple inotify(7) based utility that
> perhaps maintains a copy of the file(s) in core (in compressed format)
> and based on inotify() returns checks for changes and reports (somehow
> yet to be defined) the before/after changes.
>
> Is there anything 'out there' that list members are aware of?
>
> If not, would the following utility be of interest? On startup, load the
> monitored file(s) (saving a compressed copy in memory). Then, using
> inotify, monitor for changes and if so, emit some kind of record
> defining the change and change the compressed in-memory copy. If so, is
> our mailing list and the contributed portion of auditd an appropriate
> repository for such a tool?
>
> Naturally, such a tool would be supported by appropriate auditd
> monitoring that will take care of changing file attributes etc and file
> writes. That is, auditd tells me who and the utility tells me what.
>
>
> Regards
> Burn
>
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
>
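
The utility outlined in the quoted message (a compressed in-memory copy per file, a diff emitted on an inotify event, then the copy refreshed), as an added example that is not part of the original thread or of auditd. The names `Baseline` and `watch` are hypothetical, and inotify is called through ctypes because the Python standard library has no binding for it.

```python
import ctypes, difflib, os, struct, zlib

IN_CLOSE_WRITE = 0x00000008  # value from <sys/inotify.h>

class Baseline:
    """Compressed in-memory copies of the monitored files (hypothetical helper)."""
    def __init__(self, paths):
        self.copies = {p: zlib.compress(self._read(p)) for p in paths}

    @staticmethod
    def _read(path):
        with open(path, "rb") as f:
            return f.read()

    def check(self, path):
        """Return unified-diff lines against the stored copy, then refresh it."""
        old = zlib.decompress(self.copies[path])
        new = self._read(path)
        if old == new:
            return []
        self.copies[path] = zlib.compress(new)
        return list(difflib.unified_diff(
            old.decode(errors="replace").splitlines(),
            new.decode(errors="replace").splitlines(),
            path + " (before)", path + " (after)", lineterm=""))

def watch(paths, report=print):
    """Block on inotify and report a diff after each completed write (Linux only)."""
    libc = ctypes.CDLL(None, use_errno=True)
    fd = libc.inotify_init()
    if fd < 0:
        raise OSError(ctypes.get_errno(), "inotify_init failed")
    base = Baseline(paths)
    wds = {libc.inotify_add_watch(fd, os.fsencode(p), IN_CLOSE_WRITE): p
           for p in paths}
    while True:
        buf = os.read(fd, 4096)
        off = 0
        while off < len(buf):
            # struct inotify_event: int wd; uint32 mask, cookie, len; char name[len]
            wd, mask, _cookie, name_len = struct.unpack_from("iIII", buf, off)
            off += 16 + name_len
            if mask & IN_CLOSE_WRITE and wd in wds:
                for line in base.check(wds[wd]):
                    report(line)
```

A watch placed on the file itself follows the inode, so an editor that saves by writing a new file and renaming it over the old one will not trigger it; watching the parent directory covers that case.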




