Writing a File Integrity Monitor from scratch

Anish Sujanani
Aug 23 · 6 min read

The Technical Idea:

The implementation:

Features:

Config File:

config.ini — write manually or using configparser

Entry-point and Scheduling:

Computing Baselines, and Hashing after the Initial Baseline

Computing Metadata and Additional Details

Storing Baselines and Detecting Changes

DB Storage — Insertion and Updates to the baselines

Alerting

The Database Table Schema

Results and Working

./testfiles/a.txt
./testfiles/testdir/
We start with an empty table on the DB server.
The monitor-list is watching testfiles/a.txt and testfiles/testdir recursively — we start with these files non-existent and these directories empty.
We create a.txt within testfiles/.
Our code picks up on the new file addition when it scans during the next interval.
These details are pushed to the DB — we have now baselined a.txt.
We get an email alert on the same.
We then change permissions on testfiles/a.txt, change its content, and delete testfiles/testdir/b.txt — both of these files have already been baselined.
The code has picked up on all 3 changes — the content change, the permission change and the deletion.
A consolidated email alert is sent out for the same.
After all of the above, here is what our DB table looks like.
And here is what our filesystem looks like. You can see that the presence of the b.txt record in the table, together with the absence of that file here, triggers the deletion alert.
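The walkthrough above (baseline on first sight, then alert on content change, permission change and deletion at the next scheduled scan) can be replayed end to end in one small script. This is an added example, not the article's own code: it assumes a `[monitor]` section with a comma-separated `paths` key in config.ini (the article's exact keys are not on this page), swaps the author's DB server for an in-memory SQLite table of the same shape (path, hash, mode, size, mtime), and returns the consolidated alert text instead of sending the email. The `demo()` function recreates the article's scenario in a temporary directory.

```python
import configparser
import hashlib
import os
import sqlite3
import stat
import tempfile

# Constructed config text (assumption: the article's config.ini keys are not on this page).
CONFIG_TEXT = """
[monitor]
paths = testfiles/a.txt, testfiles/testdir
"""


def load_monitor_list(config_text):
    """Read the monitor-list from config.ini-style text with configparser."""
    cp = configparser.ConfigParser()
    cp.read_string(config_text)
    return [p.strip() for p in cp["monitor"]["paths"].split(",") if p.strip()]


def hash_file(path, chunk=65536):
    """SHA-256 of the file content, read in chunks so large files do not sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def file_record(path):
    """Baseline record: content hash plus the metadata we alert on or store for context."""
    st = os.stat(path)
    return {"sha256": hash_file(path), "mode": stat.filemode(st.st_mode),
            "size": st.st_size, "mtime": int(st.st_mtime)}


def scan(root, monitor_list):
    """Walk each monitored entry (directories recursively); keys are paths relative to root."""
    found = {}
    for entry in monitor_list:
        full = os.path.join(root, entry)
        if os.path.isfile(full):
            found[os.path.relpath(full, root)] = file_record(full)
        elif os.path.isdir(full):
            for dirpath, _, files in os.walk(full):
                for name in files:
                    p = os.path.join(dirpath, name)
                    found[os.path.relpath(p, root)] = file_record(p)
    return found


def open_db():
    """In-memory stand-in for the article's DB table (assumption: same columns, no server)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE baseline (path TEXT PRIMARY KEY, sha256 TEXT, "
                 "mode TEXT, size INTEGER, mtime INTEGER)")
    return conn


def load_baseline(conn):
    rows = conn.execute("SELECT path, sha256, mode, size, mtime FROM baseline")
    return {r[0]: {"sha256": r[1], "mode": r[2], "size": r[3], "mtime": r[4]} for r in rows}


def save_baseline(conn, records):
    """Replace the stored baseline with the current scan (insert new, update changed, drop deleted)."""
    conn.execute("DELETE FROM baseline")
    conn.executemany("INSERT INTO baseline VALUES (?, ?, ?, ?, ?)",
                     [(p, r["sha256"], r["mode"], r["size"], r["mtime"]) for p, r in records.items()])
    conn.commit()


def detect_changes(baseline, current):
    """Diff stored baseline against the fresh scan; one (path, event) tuple per finding."""
    alerts = []
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old is None:
            alerts.append((path, "added"))          # first sight: gets baselined below
        elif new is None:
            alerts.append((path, "deleted"))        # record in DB, file gone from disk
        else:
            if old["sha256"] != new["sha256"]:
                alerts.append((path, "content changed"))
            if old["mode"] != new["mode"]:
                alerts.append((path, "permissions changed"))
    return alerts


def run_interval(conn, root, monitor_list):
    """One scheduled tick: scan, diff, update the baseline, return the consolidated alerts."""
    current = scan(root, monitor_list)
    alerts = detect_changes(load_baseline(conn), current)
    save_baseline(conn, current)
    return alerts


def consolidate(alerts):
    """Body of the single consolidated alert (the article emails this; here it is returned)."""
    return "\n".join(f"{event}: {path}" for path, event in alerts)


def demo():
    """Replay the article's scenario in a temp dir; returns the alerts from three intervals."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "testfiles", "testdir"))
        monitor, conn = load_monitor_list(CONFIG_TEXT), open_db()
        first = run_interval(conn, root, monitor)            # nothing exists yet
        a = os.path.join(root, "testfiles", "a.txt")
        b = os.path.join(root, "testfiles", "testdir", "b.txt")
        for p, text in ((a, "hello\n"), (b, "world\n")):
            with open(p, "w") as f:
                f.write(text)
        os.chmod(a, 0o644)
        second = run_interval(conn, root, monitor)           # both files baselined as "added"
        os.chmod(a, 0o600)                                   # permission change
        with open(a, "w") as f:
            f.write("tampered\n")                            # content change
        os.remove(b)                                         # deletion
        third = run_interval(conn, root, monitor)
        return first, second, third


if __name__ == "__main__":
    print(consolidate(demo()[2]))
```

Because `run_interval` re-baselines after every diff, each change is reported exactly once; a file that keeps changing produces a fresh alert every interval, which is the behaviour the walkthrough shows. Hashing only triggers an alert when the digest differs, so a `touch` that bumps mtime without altering content stays quiet, while a rewrite that preserves size and mtime is still caught.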