There are a number of excellent tools to check filesystem integrity; they are an essential part of your system security. These tools allow us to detect unwanted manipulation on our system and report it to the system administrator. However, the administrator will not know about the unauthorized change or the intrusion in to the system until this tool scan the filesystem again, maybe in next few hours or in the next day, it depends on the schedule when and how often we run this filesystem integrity checker.
It is very important to know about the intrusion as soon as possible. It can avoid big damage if you can react right after the break, not hours later. Unfortunately the current filesystem integrity checkers don’t have the functionality to alert the system administrator immediately after filesystem’s integrity is broken. This is the reason why iWatch was developed, it tries to fill this gap. iWatch monitor the filesystem’s integrity in realtime and will send alarm immediately to the system administrator when there is any changes in the monitored filesystem.
Written in Perl and based on inotify, a file change notification system, a kernel feature that allows applications to request the monitoring of a set of files against a list of events. Inotify was introduced the first time in the Linux kernel version 2.6.13.
Usage and important commands for iwatch:
Suppose, you want to watch the change in /etc filesystem, you just need to run it in the console:
$ iwatch /etc
if something changes in this directory. And if you want to be notified per email:
$ iwatch -m admin [at] smsgateway [d0t] local /etc
You can try many other permutation and combination:
We find it much similar to watchdog utility but advanced version with email notification and background activity. Useful for security administrator it can also be used to create a small buget honeypot for your analysis , install all kind of vulnerable services and keep on checking mal sfor changes and you can caught some one read handed .
Features of iWatch:
-run in command line mode as well as in daemon mode
-using an easy xml configuration file
-can watch directory recursively and watch new created directory
-can have a list of exceptions
-can use regex to compare the file/directory name
-can execute command if an event occures
-send email
-syslog
-print time stamp
Operating System Supported:
Linux systems.
Downlaod iWatch here
Searches leading to this post:iwatch forensic, there are a number of excellent tools to check filesystem
You must log in to post a comment.