Skip to main content

Raymii.org Raymii.org Logo

Quis custodiet ipsos custodes?
Home | About | All pages | Cluster Status | RSS Feed | Gopher

Python script to monitor a file for changes and then mail the report with the file attached.

Published: 21-12-2012 | Author: Remy van Elst | Text only version of this article


❗ This post is over ten years old. It may no longer be up to date. Opinions may have changed.

Table of Contents


This is a script which checks a file's md5 hash, compares it to a previous (or given) hash and mails a report with the option of attaching the file with the email. I wrote it because I use AIDE on some systems, and I let it auto update the database. This script runs via cron before and after the AIDE run, so I have an archive of databases. But it can be used for all kind of files, not just for the AIDE database.

Recently I removed all Google Ads from this site due to their invasive tracking, as well as Google Analytics. Please, if you found this content useful, consider a small donation using any of the options below:

I'm developing an open source monitoring app called Leaf Node Monitoring, for windows, linux & android. Go check it out!

Consider sponsoring me on Github. It means the world to me if you show your appreciation and you'll help pay the server costs.

You can also sponsor me by getting a Digital Ocean VPS. With this referral link you'll get $100 credit for 60 days.

Requirements

Download

Clone this git repo:

git clone https://github.com/RaymiiOrg/hash-check-mail.git

Or download it from Raymii.org:

wget http://raymii.org/s/inc/downloads/check-file.py

Usage

Usage of the script is fairly simple. I'll explain the command line options below:

Examples

  1. Monitor the file /var/lib/aide/aide.db.gz, mail to admin@domain.com, overwrite checksum on change and attach the file:

./check-file.py -e "admin@domain.com" -a -o /var/lib/aide/aide.db.gz

  1. Monitor the file /var/lib/aide/aide.db.gz against known checksum and mail to admin@domain.com:

./check-file.py -e "admin@domain.com" -a -c "41ce523dd72a67039df2db9b4542411c" /var/lib/aide/aide.db.gz

  1. Monitor file /etc/passwd, send even if md5sum matches, from customer@kpn.nl using smtp server smtp.kpnmail.com, do not attach it to the email and do not overwrite the checksum file:

./check-file.py -e "admin@domain.com" -f "customer@kpn.nl" -s "smtp.kpnmail.com" -m /etc/passwd

  1. Cron job to monitor the AIDE database and mail changes every night at 10 PM:

1 22 * * * /usr/bin/python /root/scripts/check-file.py -e "admin@domain.com" -a -o /var/lib/aide/aide.db.gz

Sample report email

File checksum report (v 0.1).

Date: Sat, 15 Dec 2012 21:18:26 +0000. 
Hostname: aide.raymii.org.

Checksum does NOT match.



Old: 54b0a4497e2b1d9b8e9dc704838e9047. 
New: 38293053ec07539050f3efd9d33b310b. 
Filename: /usr/share/doc/munin-node/README.Debian. 
I checksummed the file itself.
Overwriting old checksum with new checksum as requested. 
Written checksum 38293053ec07539050f3efd9d33b310b to file /tmp/usr-share-doc-munin-node-README.Debian.md5

More info:

See .

License

# Copyright (C) 2012  Remy van Elst

# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.

# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.

# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.
Tags: aide , file , ids , intrusion-detection , md5sum , monitoring , python , software