Linux File System Monitoring & Actions, (Tue, Dec 20th)

There can be multiple reasons to keep an eye on a critical or suspicious file or directory. For example, you could track an attacker and wait for an access to the credentials captured by a phishing kit installed on a compromised server. You could deploy an EDR solution or an OSSEC agent that implements FIM (“File Integrity Monitoring”)[1]. Upon a file change, an action can be triggered. Nice, but what if you would like a quick but agentless solution (in the scope of an incident, for example)?


There is a well-known set of API calls on Linux to track filesystem changes: inotify[2]. Around this API, a set of tools is available, like “inotifywatch”, which collects statistics about the events on a file, for example when it is “accessed”:

remnux@remnux:~$ inotifywatch /etc/hosts
Establishing watches...
Finished establishing watches, now collecting statistics.
^Ctotal access close_nowrite open filename
5 1 2 2 /etc/hosts

Another helpful command in scripts is “inotifywait”:

remnux@remnux:~$ inotifywait /etc/hosts
Setting up watches.
Watches established.
/etc/hosts OPEN

This one waits for some activity and exits when it happens. In a shell script, it helps to wait for an event and then continue the script. That’s interesting, but what if you can’t keep a shell running? What if the shell script exits? How do you handle multiple events?
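As an added example (not code from the diary), here is the same kind of watch implemented directly on the inotify API through Python's ctypes, so that it keeps collecting events instead of exiting after the first one; the temporary file it creates and reads is constructed for the demonstration.

```python
import ctypes, os, select, struct, tempfile

# Event mask bits from <sys/inotify.h>
IN_ACCESS, IN_MODIFY, IN_CLOSE_WRITE = 0x001, 0x002, 0x008
IN_CLOSE_NOWRITE, IN_OPEN = 0x010, 0x020
IN_NONBLOCK = os.O_NONBLOCK                      # flag for inotify_init1()
_NAMES = {IN_OPEN: "OPEN", IN_ACCESS: "ACCESS", IN_MODIFY: "MODIFY",
          IN_CLOSE_WRITE: "CLOSE_WRITE", IN_CLOSE_NOWRITE: "CLOSE_NOWRITE"}
_HDR = struct.Struct("iIII")                     # wd, mask, cookie, name length
_libc = ctypes.CDLL(None, use_errno=True)        # libc symbols of the running process

def watch(path, mask=sum(_NAMES)):
    """Return a non-blocking inotify fd watching `path` for the events in `mask`."""
    fd = _libc.inotify_init1(IN_NONBLOCK)
    if fd < 0:
        raise OSError(ctypes.get_errno(), "inotify_init1 failed")
    if _libc.inotify_add_watch(fd, os.fsencode(path), mask) < 0:
        err = ctypes.get_errno()
        os.close(fd)
        raise OSError(err, "inotify_add_watch failed")
    return fd

def drain_events(fd, timeout=1.0):
    """Return the names of all queued events in order (waiting up to `timeout`
    seconds for the first). One read() may carry several records, so walk them."""
    names = []
    if not select.select([fd], [], [], timeout)[0]:
        return names
    buf, off = os.read(fd, 65536), 0
    while off + _HDR.size <= len(buf):
        _wd, mask, _cookie, name_len = _HDR.unpack_from(buf, off)
        off += _HDR.size + name_len              # skip header plus optional name
        names += [n for bit, n in _NAMES.items() if mask & bit]
    return names

def demo():
    """Constructed self-test: watch a temp file, read it once, report the events."""
    tmp_fd, path = tempfile.mkstemp()
    os.write(tmp_fd, b"secret")                  # non-empty so a read() fires ACCESS
    os.close(tmp_fd)
    fd = watch(path)
    try:
        with open(path, "rb") as f:              # OPEN, ACCESS, CLOSE_NOWRITE
            f.read()
        return drain_events(fd)                  # returns ['OPEN', 'ACCESS', 'CLOSE_NOWRITE']
    finally:
        os.close(fd)
        os.unlink(path)
```

Replacing the body of the `while` loop with a call to your own handler gives a persistent watcher that can react to each event in turn.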


I recently discovered an interesting tool to implement better file system monitoring: incron[3]. The idea is to have an “inotify cron” system. It consists of a daemon and a table manipulator. Like the regular cron, you can schedule scripts that will be executed upon a filesystem change. Here ..
