FileWatch v0.09
Copyright (C) 2000 Lasse Kaislaniemi

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA.

- - - - - - - - - - - - -

New in version 0.09:
- FileWatch now packs the database file to save space on disk.

!! fix1 of version 0.08 fixes a bug in the calling function.

New in version 0.08:
- New installing script. The 'chat' program can be found even if it's not included in the path. A man page created. Part of the configuration is held in the 'filew.conf' file.

New in version 0.07:
- A few little fixes, e.g. in documentation. The program can now show the defined scripts.

New in version 0.06:
- Possibility to define your own actions (shell scripts).

New in version 0.05:
- More informative reporting. A few little fixes.

New in version 0.04:
- Better calling functionality. Calls only once, even though more than one alarm is generated at a time. Uses pppd's 'chat' program for calling.

- - - - INDEX: - - - - - -

1. About FileWatch
   1.1 What is it?
   1.2 License
2. Program
   2.1 Requirements
   2.2 Installation
   2.3 Setting options
   2.4 Making it to your crontab
   2.5 Adding and deleting files to/from your 'hot list'
   2.6 Defining own actions
   2.7 Notes (READ this!)
   2.8 Troubleshooting
   2.9 Security
3. Other
   3.1 ToDo
   3.2 Contact
   3.3 Thanks

- - - - - - - - - - - - - -

1. About FileWatch

1.1 What is it?

FileWatch is a perl script (program) which looks after your important files (e.g. /etc/passwd and others like that). It notices every little change (change of uid/gid, permissions, data and so on) in the file(s) you want to keep an eye on. This is quite handy when, for example, you want to know whether there is an Evil Cracker visiting your computer.

The noticing of changes is based on the 'ctime' value of the file (returned by the stat() system call).

It can inform you about changes by a text notification on screen (STDERR), e-mail, a line in a log file or by calling with a modem to any number you want. It's also possible to define your own actions. See section 2.6 for more info on how to do it.

1.2 License

FileWatch is distributed under the GNU General Public License. See LICENSE for more.

2. Program

2.1 Requirements

FileWatch needs a version of Perl which has support for object-oriented programming (as far as I know, version 5) and the Data::Dumper module. The Data::Dumper module comes with Perl 5. Perl is available for download at http://www.perl.com.

FileWatch also needs pppd (which includes the 'chat' program) when using the 'call to phone' option.

FileWatch has been tested under Linux (SuSE Linux 6.4 with kernel version 2.2.14). It should also work with other OSes (which have a perl interpreter anyway) with a few changes (no, I am not going to do it - at least not yet - but if you feel like it, YOU can do the changes), but if you haven't ever programmed perl before, I think you shouldn't try ;-).

2.2 Installation

Please read section 2.9 before installation.

Unpack the .tar.gz packet:

  # tar -zxvf filewatch-0.08.tar.gz

And go to the directory 'filew':

  # cd filew

Edit the file filew.pl with your favourite editor, and change the first line of the file to point to your perl interpreter. (You can find it out with the command

  # which perl

This prints the path. Add the path to the first line of the filew.pl file. But don't forget the leading chars '#!'.)

A few lines below, you can find the line

  $prefix = '/filew';

Change '/filew' to point to the path where you have extracted the packet.
(If you haven't made any extra directory changes during this installation process, you can find it out with the command

  # pwd

)

Now save the file and exit the editor.

Next, run the command

  # perl install.pl

or (if the last one didn't work)

  # `which perl` install.pl

This 'installs' a package (library) needed by the program.

Test the installation with the command

  # perl filew.pl

If this doesn't print anything, everything seems to be ok. You are ready to move to the next section.

2.3 Setting options

Stay in the directory and edit the file 'filew.conf'.

2.4 Making it to your crontab

This one is needed to run the check regularly. Run

  # EDITOR=/path/to_your/favourite_editor; export EDITOR

(not really necessary...) and then

  # crontab -e

Now you can see your crontab. Add the line

  0,30 * * * * perl /prefix/filew.pl check

to the file. 'prefix' is the same as you defined above ($prefix = ...). This runs the check every 30th minute. See 'man crontab' for more info about scheduling tasks.

2.5 Adding and deleting files to/from your 'hot list'

Now it's time to add a file to be looked after. Run the command

  # ./filew.pl add /etc/passwd

Now you are informed any time the file /etc/passwd has been changed (in any way). You can add any regular file (no directories) to the list. (Update: it seems to be working also with directories, so you can try. This feature, anyway, hasn't been tested very well, so it may work or then not.)

To remove a file from the list, run the command

  # perl filew.pl del /your/file/name

2.6 Defining own actions

You may define your own actions, which are run when an alarm is being generated. Own actions are defined as shell scripts. Define shell scripts this way:

  # perl filew.pl addscript num 'script'

Like this one:

  # perl filew.pl addscript 1 'echo Hello world!; echo yep.'

Delete with

  # perl filew.pl delscript num

You may also use four of the program's internal variables in the shell scripts. Those are VALUE_CHANGED, FILE_CHANGED, VALUE_WAS and VALUE_IS.
This way:

  # perl filew.pl addscript 1 'echo Value $VALUE_CHANGED of file \
    $FILE_CHANGED was $VALUE_WAS, but is now $VALUE_IS.'

When you have defined the script(s), make the script run by editing the 'filew.conf' file ('options' setting).

Use

  # perl filew.pl showscript [num]

to see what you have defined to be script number [num].

I hope you got the idea, even though my english is quite poor :-). If not, please mail me and ask.

2.7 Notes

- Updating file info

Let's have an example: You have /etc/passwd in the 'hot list'. Now _you_ (not the Evil Cracker) make a new user, whereby /etc/passwd is modified. The next time FileWatch checks the files, it will generate an alarm. If you don't want this, you may update the file info by adding the file to the list again with

  # /prefix/filew.pl add /etc/passwd

This doesn't make another copy of the file in the list, but rather updates the info of the existing entry.

- Write the full path when adding or deleting files to/from the list

When you add or delete a file to/from the list, use the full path. Do NOT write the path as 'mydir/myfile'. Instead write it as '/home/mydir/myfile'.

2.8 Troubleshooting

Sorry, this section of the README is not ready. But if you have any questions, please mail me and describe the problem as well as possible. I'll be glad to help you.

2.9 Security

It is a good idea to run FileWatch as a normal user (not as root). This means that you should also _install_ FileWatch as a normal user. It's possible that the superuser doesn't allow normal users to have their own crontabs. Then you must ask him/her to allow you to have your own crontab. If _you_ are the system administrator, read 'man crontab' to see how to allow normal users to have their own crontabs if it's not currently possible.

If you notice a security hole in the program, please report it.

3. Other

3.1 ToDo

- 'Cleaner' documentation. A simple README for quick startup and larger documentation in another file.
- Some kind of (Tk?) interface would be very nice...
- Sending SMS when an alarm has been generated.
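The following is an added illustration of the mechanism described in sections 1.1, 2.6 and 2.7 (stat()-based change detection, user-defined actions with the four variables, and refreshing an entry by adding it again). It is example code written for this README, not FileWatch's own Perl code; the function names, the JSON database file, the sample file contents and the 'demo' walk-through are assumptions of the example.

```python
"""Added example: a minimal ctime-based file monitor in the spirit of FileWatch.

This is not FileWatch's own code (FileWatch is a Perl script that stores its
database with Data::Dumper); it only demonstrates the idea from sections
1.1, 2.6 and 2.7: record stat() data for each file on the hot list, compare
it on every check, and run a user-defined shell action with FILE_CHANGED,
VALUE_CHANGED, VALUE_WAS and VALUE_IS set. All names below are this
example's own assumptions.
"""
import json
import os
import subprocess
import tempfile
import time

# Fields compared on each check. 'ctime' is bumped by the kernel on any inode
# change (data write, chmod, chown, ...), which is what FileWatch relies on.
WATCHED_FIELDS = ("ctime", "mtime", "uid", "gid", "mode", "size")


def snapshot(path):
    """Return the tracked stat() values of `path`, keyed by field name."""
    st = os.stat(path)
    return {"ctime": st.st_ctime_ns, "mtime": st.st_mtime_ns,
            "uid": st.st_uid, "gid": st.st_gid,
            "mode": st.st_mode, "size": st.st_size}


def diff_records(old, new):
    """List (field, was, is) for every tracked field whose value differs."""
    return [(f, old[f], new[f]) for f in WATCHED_FIELDS if old[f] != new[f]]


def load_db(db_path):
    """Read the hot-list database (a JSON file here, not FileWatch's format)."""
    if not os.path.exists(db_path):
        return {}
    with open(db_path) as fh:
        return json.load(fh)


def save_db(db_path, db):
    with open(db_path, "w") as fh:
        json.dump(db, fh)


def add(db_path, path):
    """Like 'filew.pl add': record the file, or refresh it if already listed
    (section 2.7). The full path is stored, as section 2.7 asks for."""
    full = os.path.abspath(path)
    db = load_db(db_path)
    db[full] = snapshot(full)
    save_db(db_path, db)


def delete(db_path, path):
    """Like 'filew.pl del': drop the file from the hot list."""
    db = load_db(db_path)
    db.pop(os.path.abspath(path), None)
    save_db(db_path, db)


def run_action(script, path, change):
    """Run one user-defined action with FileWatch's four variables exported."""
    field, was, now = change
    env = dict(os.environ, FILE_CHANGED=path, VALUE_CHANGED=field,
               VALUE_WAS=str(was), VALUE_IS=str(now))
    done = subprocess.run(script, shell=True, env=env,
                          capture_output=True, text=True)
    return done.stdout.strip()


def check(db_path, script=None):
    """Like 'filew.pl check': compare every listed file with the disk.

    Returns a list of (path, field, was, is, action_output) alarms. The
    database is NOT updated: as section 2.7 explains, an expected change is
    silenced by running 'add' on the file again.
    """
    alarms = []
    for path, old in load_db(db_path).items():
        try:
            new = snapshot(path)
        except FileNotFoundError:          # a deleted file is a change too
            changes = [("exists", True, False)]
        else:
            changes = diff_records(old, new)
        for change in changes:
            output = run_action(script, path, change) if script else ""
            alarms.append((path, *change, output))
    return alarms


def demo():
    """Walk through add -> check -> tamper -> check -> refresh -> check."""
    with tempfile.TemporaryDirectory() as tmp:
        db = os.path.join(tmp, "filew.db")
        target = os.path.join(tmp, "passwd")          # constructed stand-in
        with open(target, "w") as fh:
            fh.write("root:x:0:0:root:/root:/bin/sh\n")   # 30 bytes
        add(db, target)
        quiet = check(db)                            # fresh entry: no alarm
        time.sleep(0.1)                              # let the clock tick past the creation ctime
        with open(target, "a") as fh:                # an unexpected edit ...
            fh.write("evil:x:0:0::/:/bin/sh\n")      # +22 bytes
        os.chmod(target, 0o444)                      # ... and a permission change
        noisy = check(db, script='echo "$VALUE_CHANGED: $VALUE_WAS -> $VALUE_IS"')
        add(db, target)                              # section 2.7: accept the new state
        quiet_again = check(db)
        return {"before": len(quiet),
                "changed": sorted({a[1] for a in noisy}),
                "outputs": [a[4] for a in noisy],
                "after_refresh": len(quiet_again)}


if __name__ == "__main__":
    print(demo())
```

Running the file prints one alarm per changed field (ctime, mtime, mode and size for the demo) together with what the action echoed, then zero alarms after the entry has been refreshed. ctime is a better signal than mtime because, unlike mtime and atime, it cannot be set from user space with utime(); the kernel updates it whenever the inode changes. It does not by itself say what changed, which is why this sketch also stores uid, gid, mode and size, and a check that runs from cron every 30 minutes (section 2.4) only reports changes that are still visible at the next run.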
3.2 Contact

Please send _anything_ (comments, fixes and stuff like that, but also pizzas and coffee packets ;-) to:

----
Lasse Kaislaniemi (klasse@mbnet.fi)
Koivumaentie 23-25 N66
01230 Vantaa
Finland
----

And visit http://filewatch.sourceforge.net

3.3 Thanks

Thanks go to... hmm... who has invented the coffee maker? :-) Well, I got the idea of making this program when reading news://sfnet.atk.linux...