Python script to monitor a file for changes and then mail the report with the file attached.

Published: 21-12-2012 | Author: Remy van Elst



This is a script which checks a file's md5 hash, compares it to a previous (or given) hash and mails a report, with the option of attaching the file to the email. I wrote it because I use AIDE on some systems, and I let it auto update the database. This script runs via cron before and after the AIDE run, so I have an archive of databases. But it can be used for all kinds of files, not just for the AIDE database.

Requirements

Download

Clone this git repo:

git clone https://github.com/RaymiiOrg/hash-check-mail.git

Or download it from Raymii.org:

wget http://raymii.org/s/inc/downloads/check-file.py

Usage

Usage of the script is fairly simple. I'll explain the command line options below:

Examples

  1. Monitor the file /var/lib/aide/aide.db.gz, mail to admin@domain.com, overwrite checksum on change and attach the file:

./check-file.py -e "admin@domain.com" -a -o /var/lib/aide/aide.db.gz

  2. Monitor the file /var/lib/aide/aide.db.gz against known checksum and mail to admin@domain.com:

./check-file.py -e "admin@domain.com" -a -c "41ce523dd72a67039df2db9b4542411c" /var/lib/aide/aide.db.gz

  3. Monitor file /etc/passwd, send even if md5sum matches, from customer@kpn.nl using smtp server smtp.kpnmail.com, do not attach it to the email and do not overwrite the checksum file:

./check-file.py -e "admin@domain.com" -f "customer@kpn.nl" -s "smtp.kpnmail.com" -m /etc/passwd

  4. Cron job to monitor the AIDE database and mail changes every night at 10 PM:

1 22 * * * /usr/bin/python /root/scripts/check-file.py -e "admin@domain.com" -a -o /var/lib/aide/aide.db.gz

Sample report email

File checksum report (v 0.1).
Date: Sat, 15 Dec 2012 21:18:26 +0000. Hostname: aide.raymii.org.
Checksum does NOT match.
Old: 54b0a4497e2b1d9b8e9dc704838e9047. New: 38293053ec07539050f3efd9d33b310b. Filename: /usr/share/doc/munin-node/README.Debian. I checksummed the file itself.
Overwriting old checksum with new checksum as requested. Written checksum 38293053ec07539050f3efd9d33b310b to file /tmp/usr-share-doc-munin-node-README.Debian.md5
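
The compare-and-store step behind a report like the one above, as an added Python example (not the code of check-file.py itself). The function names, the baseline-on-first-run behaviour and the state-file naming, which is modelled on the path in the sample report, are assumptions.

```python
import hashlib
import os
import tempfile

def file_md5(path, chunk_size=65536):
    """Stream the file so a large database is never read into memory at once."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def state_path(path, state_dir):
    # Assumed naming, modelled on the sample report: /usr/share/x -> usr-share-x.md5
    return os.path.join(state_dir, path.strip("/").replace("/", "-") + ".md5")

def check_file(path, state_dir, known=None, overwrite=False):
    """Compare the file's MD5 with a given checksum, or else the stored one.

    Returns (matches, old, new); old is None when no baseline exists yet.
    """
    new = file_md5(path)
    store = state_path(path, state_dir)
    old = known
    if old is None and os.path.exists(store):
        with open(store) as fh:
            old = fh.read().strip()
    matches = old is not None and old.lower() == new
    # Assumption: write a baseline on the first run, otherwise only on request.
    if known is None and (overwrite or old is None):
        with open(store, "w") as fh:
            fh.write(new + "\n")
    return matches, old, new

if __name__ == "__main__":
    # Constructed demo: a temporary file stands in for the AIDE database.
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "aide.db.gz")
        with open(target, "wb") as fh:
            fh.write(b"constructed sample contents\n")
        print(check_file(target, d))                  # first run, no baseline yet
        with open(target, "ab") as fh:
            fh.write(b"changed\n")
        print(check_file(target, d, overwrite=True))  # mismatch, baseline updated
        print(check_file(target, d))                  # matches the new baseline
```

The stored checksum is only as trustworthy as the directory it lives in, so a state directory writable only by the account running the check is a safer choice than a world-writable one. MD5 detects accidental and routine changes but is not collision-resistant; hashlib.sha256 drops into file_md5 unchanged if that matters for the file being watched.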

More info:

See .

License

# Copyright (C) 2012  Remy van Elst
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.
Tags: aide, file, ids, intrusion-detection, md5sum, monitoring, python, software