Skip to main content Logo (IEC resistor symbol)logo

Quis custodiet ipsos custodes?
Home | About | All pages | RSS Feed | Gopher

Python script to monitor a file for changes and then mail the report with the file attached.

Published: 21-12-2012 | Author: Remy van Elst | Text only version of this article

Table of Contents

This is a script which checks a file's md5 hash, compares it to a previous (orgiven) hash and mails a report with the option of attaching the file with theemail. I wrote it because I use AIDE on some systems, and I let it auto updatethe database. This script runs via cron before and after the AIDE run, so I havean archive of databases. But it can be used for all kind of files, not just forthe AIDE database.

If you like this article, consider sponsoring me by trying out a Digital OceanVPS. With this link you'll get $100 credit for 60 days). (referral link)



Clone this git repo:

git clone

Or download it from



Usage of the script is fairly simple. I'll explain the command line optionsbelow:


  1. Monitor the file /var/lib/aide/aide.db.gz, mail to, overwrite checksum on change and attach the file:

./ -e "" -a -o /var/lib/aide/aide.db.gz

  1. Monitor the file /var/lib/aide/aide.db.gz against known checksum and mail to

./ -e "" -a -c "41ce523dd72a67039df2db9b4542411c"/var/lib/aide/aide.db.gz

  1. Monitor file /etc/passwd, send even if md5sum matches, from using smtp server, do not attach it to the email and do not overwrite the checksum file:

./ -e "" -f "" -s"" -m /etc/passwd

  1. Cron job to monitor the AIDE database and mail changes every night at 10 PM:

1 22 * * * /usr/bin/python /root/scripts/ -e "" -a-o /var/lib/aide/aide.db.gz

Sample report email

File checksum report (v 0.1).Date: Sat, 15 Dec 2012 21:18:26 +0000. Hostname: does NOT match.Old: 54b0a4497e2b1d9b8e9dc704838e9047. New: 38293053ec07539050f3efd9d33b310b. Filename: /usr/share/doc/munin-node/README.Debian. I checksummed the file itself.Overwriting old checksum with new checksum as requested. Written checksum 38293053ec07539050f3efd9d33b310b to file /tmp/usr-share-doc-munin-node-README.Debian.md5

More info:

See .


# Copyright (C) 2012  Remy van Elst# This program is free software: you can redistribute it and/or modify# it under the terms of the GNU General Public License as published by# the Free Software Foundation, either version 3 of the License, or# (at your option) any later version.# This program is distributed in the hope that it will be useful,# but WITHOUT ANY WARRANTY; without even the implied warranty of# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the# GNU General Public License for more details.# You should have received a copy of the GNU General Public License# along with this program.  If not, see <>.
Tags: aide, file, ids, intrusion-detection, md5sum, monitoring, python, software