Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I have a RHEL/Apache webserver with approx 500 users actively publishing into a large website (about 60GB of content) and I would like to be able to monitor the creation or uploading of any hidden files (e.g. .htaccess) to immediately trigger a cron job to review their contents and edit inline if those files contain specific configuration directives which are prohibited.
All of the monitoring tools I've looked at work on the basis of detecting all new files created and/or watching existing files for change. I haven't found anything to monitor for specific filenames or dot files as they are created.
Does anyone know if this is possible or how to go about it?
For .htaccess you are better off using the AllowOverride rules provided by the Apache config. Not sure what other types of files would be interesting to look at.
Thanks for the suggestions, but unfortunately denying or even limiting the creation of .htaccess files is not an option. I had considered logging the new files created and periodically checking that list, but given that the directives I'm interested in pose a security risk I was hoping to eliminate the period between checks, even if it's only a few minutes, by checking on the fly at file creation time if that was possible.
Dnotify was a kernel 2.4 era mechanism; since kernel 2.6 we have inotify. If you search LQ then you're bound to find scripts using inotify, or else try software that incorporates it like Samhain (or IIRC Linux Malware Detect or ClamAV, since you're running a web server?).
Thanks again for the suggestions. I'd already looked at both inotify and FAM, but reading the documentation I saw that inotify isn't recursive and so isn't practical where I have literally thousands of sub-folders with new ones being added daily, and FAM appears to be good only for monitoring existing files for change. Unless I'm missing something, can anyone who's actually used either tool fill me in?
But it needs to set up watches for all subdirectories, so if it's many thousands, it might be a problem. From "man inotifywait":
Quote:
    -r, --recursive
        Watch all subdirectories of any directories passed as arguments. Watches will be set up recursively to an unlimited depth. Symbolic links are not traversed. Newly created subdirectories will also be watched.
        Warning: If you use this option while watching the root directory of a large tree, it may take quite a while until all inotify watches are established, and events will not be received in this time. Also, since one inotify watch will be established per subdirectory, it is possible that the maximum amount of inotify watches per user will be reached. The default maximum is 8192; it can be increased by writing to /proc/sys/fs/inotify/max_user_watches.
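The following is an added example, not code from the thread or from any poster, of the approach the post above describes: a bash script that watches the docroot recursively with inotifywait and, whenever a hidden file is finished being written or renamed into place, comments out prohibited directives in it. The docroot /var/www/html, the PROHIBITED directive list, the "htaccess-watch" syslog tag and the 524288 watch limit are assumptions to adjust; it also assumes GNU grep and sed (as on RHEL) and inotify-tools.

```bash
#!/bin/bash
# Added example, not code from the thread. Watches a docroot recursively with
# inotifywait (inotify-tools) and scrubs prohibited directives from any hidden
# file that is written or renamed into place. Assumptions (hypothetical, adjust
# to taste): the docroot /var/www/html, the PROHIBITED list, GNU sed and grep.
set -u

# Directives users may not set from .htaccess (constructed list). Matched
# case-insensitively as the first word on a line.
PROHIBITED='Options|AddHandler|SetHandler|AddType|Action|php_value|php_flag|php_admin_value|php_admin_flag|Include|IncludeOptional'

# True when the basename of $1 starts with a dot.
is_hidden_file() {
    case "${1##*/}" in
        .*) return 0 ;;
        *)  return 1 ;;
    esac
}

# Print (with line numbers) the prohibited directive lines in file $1.
# Exit status 0 if any were found, 1 otherwise (grep's own status).
find_prohibited() {
    grep -Ein "^[[:space:]]*(${PROHIBITED})([[:space:]]|$)" -- "$1"
}

# Comment out prohibited lines in $1 in place, keeping the original text so
# the user can see what was disabled. Prints how many lines were changed.
sanitize_file() {
    local file=$1 before after
    before=$(find_prohibited "$file" | wc -l)
    if [ "$before" -gt 0 ]; then
        sed -E -i "s/^([[:space:]]*)((${PROHIBITED})([[:space:]]|$))/\1# disabled by policy: \2/I" -- "$file"
    fi
    after=$(find_prohibited "$file" | wc -l)
    echo $((before - after))
}

# Handle one path reported by the watcher: only hidden regular files matter.
handle_path() {
    local path=$1 changed
    is_hidden_file "$path" || return 0
    [ -f "$path" ] || return 0
    changed=$(sanitize_file "$path")
    if [ "$changed" -gt 0 ]; then
        logger -t htaccess-watch "disabled $changed prohibited directive(s) in $path"
    fi
}

# Raise the per-user inotify watch limit to $1 if the current value is lower
# (one watch is consumed per directory in the tree).
raise_watch_limit() {
    local want=$1
    if [ "$(cat /proc/sys/fs/inotify/max_user_watches)" -lt "$want" ]; then
        sysctl -w fs.inotify.max_user_watches="$want"
    fi
}

# Watch the tree under $1. -r sets up watches recursively and on newly created
# subdirectories. Only close_write and moved_to are used, not create: sed -i
# replaces the file by rename, so rewriting a file the uploader still has open
# would leave its remaining data in an unlinked inode. Existing dot-files are
# scanned first so the watcher starts from a clean state (assumes no newlines
# in file names).
watch_tree() {
    local root=$1
    find "$root" -type f -name '.*' | while IFS= read -r f; do handle_path "$f"; done
    inotifywait -m -r -q --format '%w%f' -e close_write -e moved_to "$root" |
        while IFS= read -r path; do handle_path "$path"; done
}

# Usage: ./htaccess-watch.sh watch [/path/to/docroot]
# Run it as a user that can rewrite the files, under systemd (Restart=always)
# so a crash does not silently stop the checks.
case "${1-}" in
    watch) raise_watch_limit 524288; watch_tree "${2:-/var/www/html}" ;;
esac
```

Note the warning quoted above still applies: with thousands of directories the initial watch setup takes a while and events during that window are missed, which is why the script scans the existing dot-files before the watch loop starts rather than trusting the watcher alone.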
In order to watch uploads, you would either need to have something in the app the files are being uploaded with (scpd, ftpd; tar files make this very difficult), or you would need something in the FS to watch, which would be SELinux: it has a log target, so the files could be allowed but there would be a log of it. Then watch your log files for these logs.
Like unspawn said, you could use Perl, but then you have another process doing it; if the process dies ...
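An added example, not code from the thread or from any poster, of the log-watching route suggested above, assuming the Linux audit subsystem (auditd) rather than an SELinux policy change: a watch rule on the docroot and a small awk filter that pulls newly created dot-file paths out of audit PATH records so they can be handed to whatever checker you use. The docroot /var/www/html, the key name "webroot" and the sample audit lines are constructed for illustration.

```bash
#!/bin/bash
# Added example, not code from the thread. Pull newly created dot-file paths
# out of Linux audit PATH records. Assumes auditd with a watch rule on the
# docroot (hypothetical path /var/www/html and key name webroot):
#   auditctl -w /var/www/html -p w -k webroot
# and that records are read with something like:
#   ausearch -k webroot --raw | audit_new_hidden_files
set -u

# Read audit records on stdin; print the path of each PATH record whose
# nametype=CREATE (the name was created by the syscall, rename targets
# included) and whose basename starts with a dot. Names containing unusual
# bytes are logged hex-encoded without quotes by audit and are skipped here.
audit_new_hidden_files() {
    awk '
    /^type=PATH / && / nametype=CREATE/ {
        # The match covers the leading space, name=, the opening quote
        # (7 characters in total) and the closing quote.
        if (match($0, / name="[^"]*"/)) {
            path = substr($0, RSTART + 7, RLENGTH - 8)
            n = split(path, parts, "/")
            if (parts[n] ~ /^\./) print path
        }
    }'
}

# Constructed sample records (not real log data) for a stand-alone run:
# a directory creation PARENT record, the .htaccess creation, an ordinary
# file creation, and a later plain open of the same .htaccess.
SAMPLE_AUDIT='type=PATH msg=audit(1700000000.101:2001): item=0 name="/var/www/html/site/" inode=2 dev=fd:01 mode=040755 ouid=1001 ogid=48 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1700000000.101:2001): item=1 name="/var/www/html/site/.htaccess" inode=7 dev=fd:01 mode=0100644 ouid=1001 ogid=48 rdev=00:00 nametype=CREATE
type=PATH msg=audit(1700000000.205:2002): item=1 name="/var/www/html/site/index.html" inode=8 dev=fd:01 mode=0100644 ouid=1001 ogid=48 rdev=00:00 nametype=CREATE
type=PATH msg=audit(1700000000.310:2003): item=0 name="/var/www/html/site/.htaccess" inode=7 dev=fd:01 mode=0100644 ouid=1001 ogid=48 rdev=00:00 nametype=NORMAL'

# Runs the filter over the constructed sample; prints only the .htaccess path.
sample_hidden_files() {
    printf '%s\n' "$SAMPLE_AUDIT" | audit_new_hidden_files
}

# Usage: ./audit-hidden.sh demo
case "${1-}" in
    demo) sample_hidden_files ;;
esac
```

This only tells you a hidden file appeared; the audit record is written after the syscall, so there is still a short window between creation and your check, and the audit log grows with every write under the watched tree on a busy 60GB site, so rotate it accordingly.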