LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   Monitor creation of hidden system files (https://www.linuxquestions.org/questions/linux-security-4/monitor-creation-of-hidden-system-files-4175485257/)

mollyf 11-20-2013 08:37 AM

Monitor creation of hidden system files
 
I have a RHEL/Apache webserver with approx 500 users actively publishing into a large website (about 60 GB of content) and I would like to be able to monitor the creation or uploading of any hidden files (e.g. .htaccess) to immediately trigger a cron job to review their contents and edit inline if those files contain specific configuration directives which are prohibited.

Any of the monitoring tools I've looked at work on the basis of detecting all new files created and/or watching existing files for change. I haven't found anything to monitor for specific filenames or dot files as they are created.

Does anyone know if this is possible or how to go about it?

Thanks!

smallpond 11-20-2013 08:47 AM

For .htaccess you are better off using the AllowOverride rules provided by the Apache config. Not sure what other types of files would be interesting to look at.

linosaurusroot 11-20-2013 08:49 AM

I'd suggest you deny use of .htaccess in your apache config.

Or rig your kernel to log the creation or renaming of files - and have a program following the logfile to read what files it should examine.

mollyf 11-20-2013 08:59 AM

Thanks for the suggestions but unfortunately denying or even limiting the creation of .htaccess files is not an option. I had considered logging the new files created and periodically checking that list but given that the directives I'm interested in pose a security risk I was hoping to eliminate the period between checking, even if it's only a few minutes, by checking on the fly at file creation time if that was possible.

zhjim 11-20-2013 09:22 AM

Checkout fam: http://en.wikipedia.org/wiki/File_Alteration_Monitor

unSpawn 11-21-2013 12:41 AM

Dnotify was a kernel 2.4 era mechanism, since kernel 2.6 we have Inotify. If you search LQ then you're bound to find scripts using Inotify, or else try software that incorporates it like Samhain (or IIRC Linux Malware Detect or ClamAV, since you're running a web server?).

mollyf 11-21-2013 08:34 AM

Thanks again for the suggestions. I'd already looked at both inotify and fam but reading the documentation I saw inotify isn't recursive and so not practical where I have literally thousands of sub-folders with new ones being added daily and FAM appears to be only good for monitoring existing files for change. Unless I'm missing something anyone who's actually used either tool can fill me in on?

zhjim 11-21-2013 10:00 AM

Never worked with any of them.

Just for the recursive listing of a directory tree you can either go with
Code:

find /var/www -type d
or

Code:

ls -Rd
Both totally untested and shots in the dark.

Guttorm 11-21-2013 10:58 AM

Hi

The inotify kernel calls are not recursive, but userspace tools can be:

Code:

inotifywait -q -e moved_to,close_write -m -r /var/www/ | grep -F .htaccess
But it needs to set up watches for all subdirectories, so if it's many thousands, it might be a problem. From "man inotifywait":

Quote:

-r, --recursive
Watch all subdirectories of any directories passed as arguments. Watches will be set up recursively to an unlimited depth. Symbolic links are not traversed. Newly created subdirectories will also be watched.

Warning: If you use this option while watching the root directory of a large tree, it may take quite a while until all inotify watches are established, and events will not be
received in this time. Also, since one inotify watch will be established per subdirectory, it is possible that the maximum amount of inotify watches per user will be reached.
The default maximum is 8192; it can be increased by writing to /proc/sys/fs/inotify/max_user_watches.
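Putting the pieces from this thread together, here is an added example (not code from any poster) of what the "check on the fly" job could look like: a bash script that uses the recursive inotifywait pipeline above, scans every .htaccess that is written or moved into the tree for a list of prohibited directives, and comments offending lines out in place so Apache stops honouring them. It also counts how many watches the tree needs against fs.inotify.max_user_watches, since that limit is the practical problem with -r on thousands of subdirectories. The web root (/var/www), the list of prohibited directives, and the availability of inotify-tools plus GNU grep/sed (as on RHEL) are all assumptions made for the illustration.

```bash
#!/bin/bash
# Added example for the thread above; not code from the original posts.
# Assumptions: GNU grep/sed (Linux), inotify-tools installed, web root below.
WEBROOT="${WEBROOT:-/var/www}"

# Directives this site does not allow in .htaccess (assumed example list).
# Anchored at the start of a line, followed by whitespace or end of line,
# written so the same ERE works for both grep -E and sed -E.
PROHIBITED_RE='^[[:space:]]*(Options|AddHandler|AddType|SetHandler|Action|php_value|php_flag|php_admin_value|php_admin_flag)([[:space:]]|$)'

# One inotify watch is needed per directory; compare this with
# /proc/sys/fs/inotify/max_user_watches before starting a recursive watch.
watches_needed() {
    find "$1" -type d | wc -l | tr -d ' '
}

check_watch_limit() {
    local need have
    need=$(watches_needed "$WEBROOT")
    have=$(cat /proc/sys/fs/inotify/max_user_watches)
    if [ "$need" -ge "$have" ]; then
        printf 'need %s watches but fs.inotify.max_user_watches is %s\n' "$need" "$have" >&2
        return 1
    fi
}

# Report prohibited directives in FILE on stderr.
# Returns 0 if clean, 1 if something prohibited was found, 2 if unreadable.
check_htaccess() {
    local file="$1" hits
    [ -r "$file" ] || return 2
    if hits=$(grep -nEi -e "$PROHIBITED_RE" -- "$file"); then
        printf '%s: prohibited directive(s):\n%s\n' "$file" "$hits" >&2
        return 1
    fi
    return 0
}

# Edit FILE inline: comment out only the offending lines (case-insensitive),
# leaving the rest of the user's configuration untouched and the evidence
# visible in the file.  GNU sed -i and the /re/I address flag are assumed.
neutralize_htaccess() {
    local file="$1"
    sed -E -i -e "/$PROHIBITED_RE/I s/^/# BLOCKED: /" -- "$file"
}

# Handle one path reported by inotifywait.
handle_file() {
    local f="$1"
    [ "$(basename -- "$f")" = ".htaccess" ] || return 0
    [ -f "$f" ] || return 0
    if ! check_htaccess "$f"; then
        neutralize_htaccess "$f" && printf 'neutralized %s\n' "$f" >&2
    fi
}

# Stay resident (-m), recurse (-r), and print the full path of each file that
# was closed after writing or moved into the tree.  A directory renamed into
# place as a unit only yields one moved_to for the directory itself, so its
# contents are scanned once with find.
watch_loop() {
    check_watch_limit || return 1
    inotifywait -m -r -q -e close_write,moved_to --format '%w%f' -- "$WEBROOT" |
    while IFS= read -r path; do
        if [ -d "$path" ]; then
            find "$path" -type f -name .htaccess -print0 |
                while IFS= read -r -d '' f; do handle_file "$f"; done
        else
            handle_file "$path"
        fi
    done
}

# Run as:  ./htaccess-watch.sh --watch   (e.g. from a systemd unit or init script)
if [ "${1:-}" = "--watch" ]; then
    watch_loop
fi
```

Two caveats worth keeping in mind: there is still a small window between a file being closed and the script reading it, during which Apache may serve a request against it, and a process that dies takes the monitoring with it, so the loop should run under a supervisor (or, as suggested later in the thread, be complemented by making the dangerous directives ineffective in the main Apache config).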

unSpawn 11-21-2013 01:08 PM

FWIW there's also recursive Inotify daemons in Perl and Python.

stoggy 12-02-2013 09:56 PM

In order to watch uploads, you would either need to have something in the app the files are being uploaded with (scpd, ftpd; tar files make this very difficult), or you would need something in the FS to watch, which would be SELinux. It has a log target, so the files could be allowed but there would be a log of it. Then watch your log files for these logs.

Like unSpawn said you could use Perl, but then you have another process doing it; if the process dies ...

