Script to monitor(audit) and log changes of directories

stev.h · 02-12-2012, 09:42 AM

Hi, everyone
I would like to write ksh script in ksh (HP-UX), to audit any changes inside target directories.
My enviroment has many constrains, so I can only use ksh and cannot install
any 3rd party soft or command (include perl or other languages)

The script functions like below
1) take a snapshot of the target directory (recursive with the directory inside, like ls -ailR target_dir)
2) log any changes(compare with snapshot) that been added, deleted or modified(include chmod) and seperatly store into log.add, log.del, log.mod
3) this script will excute in crontab once a day

note: maybe could use the cmd "dircmp" to compare two directories, but it's hard to make the snapshot if the directory size is huge

I've already search the related articles both in forum and google.
I do find something ... but due to the constrains of my enviroment,
it's far from complete the goal to finish the script (new to ksh, used to coding in perl)

There are some programs exactly the function I need, like open source EICS - Easy Integrity Check System
or L5 => infossies.org/unix/misc/old/L5.tgz, and commercial soft tripwire

Unfortunately, I cannot find the same functaion wrote in script (still researching

Hope someone can help to complete this script
I'll be very appreciate the effert you've done.

Thanks in advanced.

Stev.H

Thanks to the original author Steven Koh(id : izy100)
I've modified the code as follow

Code:

#!/usr/local/bin/ksh93
#
# UNIX Monitor Script
# Purpose: Monitors the changes in a directory
# Outputs: Log file
# Author : Steven Koh
# Modified by Stev.H
#*********************************************************
#

if test $# -lt 1; then
echo "Usage: $0 <DIR TO MONITOR FOR NEW FILES>"
echo "Example: $0 /var/tmp"
echo
exit 0;
fi

MONITOR_DIR=$1
LOG_DIR="log"
NEW_LOG="${LOG_DIR}/mon_file.log"
OLD_LOG="${LOG_DIR}/mon_file.old"
ADD_FILE="${LOG_DIR}/mon_file.add"
DEL_FILE="${LOG_DIR}/mon_file.del"


if test ${MONITOR_DIR}="./"; then
MONITOR_DIR=`pwd`
fi

if [[ -d $LOG_DIR ]]; then
#if directory log exist then print nothing
print
else
mkdir ${LOG_DIR}
fi

touch ${NEW_LOG}
mv ${NEW_LOG} ${OLD_LOG}

print "============= `date` =============\n${MONITOR_DIR}:" | tee $NEW_LOG
unalias ls
ls -ailR ${MONITOR_DIR} | tee -a ${NEW_LOG}
#egrep -vf ${OLD_LOG} ${NEW_LOG} | grep -v "=============" > ${DIFF_FILE} 2>&1
comm -23 ${OLD_LOG} ${NEW_LOG} | grep -v "=============" > ${DEL_FILE} 2>&1
comm -13 ${OLD_LOG} ${NEW_LOG} | grep -v "=============" > ${ADD_FILE} 2>&1

if test `wc -l < ${DEL_FILE}` -gt 0; then
echo "Monitor files been deleted in ${MONITOR_DIR}"
echo "=================================="
echo
cat ${DEL_FILE}
elif test `wc -l < ${ADD_FILE}` -gt 0; then
echo "Monitor files been added in ${MONITOR_DIR}"
echo "=================================="
echo
cat ${ADD_FILE}
fi

cbtshare · 02-12-2012, 05:27 PM

I wrote the code below,you can see how it works and use parts you like for your code , or use the entire thing

Code:

#!/bin/bash

#For this script to work properly you need to take a snapshot of the directory you want to monitor and pipe
#the result to "bench.txt".

#You can also enter the directory you would like to monitor by typing it after the command to run the script
#and hit enter example : ./script_name Directory_to_Monitor

#If you dont want to enter a directory to monitor at the command-line you can also enter the directory to
#monitor in the script at the "DIR" line.

touch result.txt
touch resultN.txt

DIR=${1:-/var/www/}

#if [ "$#" = "0"  ]
#then
#DIR=/var/www/
#elif [ "$#" = "1" ]
#then
#DIR=$1
#else
#echo you need to enter a proper directory
#fi

ls -A > $DIR/bench2.txt

DIFF=$(diff $DIR/bench2.txt $DIR/bench.txt > $DIR/whatChanged.txt)

if [ $? -eq 0 ]
then

echo Nothing in the directory has changed

else

echo Something has changed in the directory:

EXIST=$(cat $DIR/whatChanged.txt | cut -d ' ' -f 2)

for i in $EXIST
do

        if [ -f  $i  ]
        then
        echo These files have been added : $i >> result.txt

        elif [ ! -f $i ]
        then

                for o in $i
                do

                NUMTEST=$(echo $o | grep [0-9])

                        if [ $? -eq 0 ]
                        then
                        echo unimportant >/dev/null

                        else

                        echo Values have been deleted : $o >> resultN.txt

                        fi
                done
        cat resultN.txt
        echo resultN.txt | mail -s "Files have been deleted in the directory" root@127.0.0.1

cat $DIR/bench2.txt > $DIR/bench.txt

fi

stev.h · 02-13-2012, 08:30 AM

Thank you cbtshare,

I'll check this script later and report the result

lithos · 02-13-2012, 02:56 PM

Hi,

I don't know if it will help you, but if you can use, then try
- inotify
it's just what you need (I think)

stev.h · 02-15-2012, 10:45 AM

Hi, lithos

Thank for your reply, but the target system cannot install any software ...

So, I can only use the ksh to achieve the goal lol

stev.h · 02-15-2012, 10:59 AM

Quote:

Originally Posted by cbtshare

I wrote the code below,you can see how it works and use parts you like for your code , or use the entire thing

Hi, cbtshare

I've modified the code you wrote to fit my requirement, now it can only check current or target dir, but cannot handle the recursive directories inside.

There's two way can solve it, one is use another script to craw all the subdir then execute this script inside and append the target path to log.

Another way is use "ls -AiR" command but need to handle the path inside the result file, it may be too complicated for me to do this now :< I'm not very familiar with coding in script.

It costed me the whole weekend study HOWTO shell script to make the following modification.

Code:

#!/usr/local/bin/ksh93

#For this script to work properly you need to take a snapshot of the directory
#you want to monitor and pipe the result to "bench.txt".

#You can also enter the directory you would like to monitor by typing it after
#the command to run the script and hit enter example : ./script_name Directory_to_Monitor

#If you dont want to enter a directory to monitor at the command-line you can
#also enter the directory to monitor in the script at the "DIR" line.

PWD=`pwd`
DIR=${1:-$PWD}

if [ -f bench.txt ]; then
    echo Reading Basefile to compare directory changes ...
    ls -Ai > $DIR/bench2.txt  #create the current directory status

    awk '{print $2}' bench2.txt > bench2i.txt #create another bench file that remove inode for
    awk '{print $2}' bench.txt > benchi.txt   #easier compare

    diff bench2.txt bench.txt | tee tmp_changes | awk '{print $3}' | sort | uniq -d | grep -v '^$' > changed_files.txt

    if [ -s tmp_changes ]; then
        echo ---------------------------------------
        echo Something had changed in the directory:
        echo ---------------------------------------
        if [ -s changed_files.txt ]; then
            echo These files had been modified
            cat changed_files.txt
            echo ---------------------------------------
        else
            echo No files been modified!
            echo ---------------------------------------
        fi
    #   diff bench2i.txt benchi.txt | sort | uniq -u | awk '/^</ {print $2}'|tee addfile
        comm -23 bench2i.txt benchi.txt |grep -v '^$' > addfile
        if [ -s addfile ]; then
            echo These files had been added
            cat addfile
            echo ---------------------------------------
        else
            echo No files been added!
            echo ---------------------------------------
        fi
    #    diff bench2i.txt benchi.txt | sort | uniq -u | awk '/^>/ {print $2}'|tee deletefile
        comm -13 bench2i.txt benchi.txt |grep -v '^$' > tee deletefile
        if [ -s deletefile ]; then
            echo These files had been deleted
            cat deletefile
            echo ---------------------------------------
        else
            echo No files been deleted!
            echo ---------------------------------------
        fi
    else
        echo ---------------------------------------
        echo There were no files had been changed
        exit 0
    fi
else
    echo Basefile not exist, please execute the command '"ls -Ai target_dir > bench.txt"' to create !
fi