LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 11-20-2013, 08:37 AM   #1
mollyf
LQ Newbie
 
Registered: Mar 2007
Posts: 3

Rep: Reputation: 0
Monitor creation of hidden system files


I have a RHEL/Apache webserver with approx 500 users actively publishing into a large website (about 60Gb of content) and I would like to be able to monitor the creation or uploading of any hidden files (e.g. .htaccess) to immediately trigger a cron job to review their contents and edit inline if those files contain specific configuration directives which are prohibited.

Any of the monitoring tools I've looked at work on the basis of detecting all new files created and/or watching existing files for change. I haven't found anything to monitor for specific filenames or dot files as they are created.

Does anyone know if this is possible or how to go about it?

Thanks!
 
Old 11-20-2013, 08:47 AM   #2
smallpond
Senior Member
 
Registered: Feb 2011
Location: Massachusetts, USA
Distribution: Fedora
Posts: 4,138

Rep: Reputation: 1263
For .htaccess you are better off using the AllowOverride rules provided by the Apache config. Not sure what other types of files would be interesting to look at.
 
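What the AllowOverride approach from the post above looks like in an httpd configuration. This is an added illustration, not configuration from the thread or from the poster's server; the /var/www/users path and the directive groups chosen are assumptions. The point is that AllowOverride does not have to be all-or-nothing: it names the directive classes Apache will honour from a .htaccess, and anything outside those classes is rejected by the server (500 and a "not allowed here" entry in the error log) rather than applied.

```apache
# Added example, not from the thread. Paths and groups are assumptions.

# Weak: every directive class is honoured, so a user's .htaccess can turn on
# CGI execution or change the handler for an entire subtree.
<Directory "/var/www/users">
    AllowOverride All
</Directory>

# Tightened: only authentication and access-control directives are honoured.
# An Options, AddHandler or SetHandler line in a .htaccess is refused by the
# server itself, so the policy no longer depends on a post-upload scan.
<Directory "/var/www/users">
    AllowOverride AuthConfig Limit
    Options -ExecCGI -Includes
</Directory>
```

On httpd 2.4 (RHEL 7 and later) AllowOverrideList additionally lets you name individual directives to permit, which is finer-grained than the class-level AllowOverride available on the 2.2 builds shipped with RHEL 6.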
Old 11-20-2013, 08:49 AM   #3
linosaurusroot
Member
 
Registered: Oct 2012
Distribution: OpenSuSE,RHEL,Fedora,OpenBSD
Posts: 982
Blog Entries: 2

Rep: Reputation: 244
I'd suggest you deny use of .htaccess in your apache config.

Or rig your kernel to log the creation or renaming of files - and have a program following the logfile to read what files it should examine.
 
Old 11-20-2013, 08:59 AM   #4
mollyf
LQ Newbie
 
Registered: Mar 2007
Posts: 3

Original Poster
Rep: Reputation: 0
Thanks for the suggestions but unfortunately denying or even limiting the creation of .htaccess files is not an option. I had considered logging the new files created and periodically checking that list but given that the directives I'm interested in pose a security risk I was hoping to eliminate the period between checking, even if it's only a few minutes, by checking on the fly at file creation time if that was possible.
 
Old 11-20-2013, 09:22 AM   #5
zhjim
Senior Member
 
Registered: Oct 2004
Distribution: Debian Squeeze x86_64
Posts: 1,748
Blog Entries: 11

Rep: Reputation: 233
Checkout fam: http://en.wikipedia.org/wiki/File_Alteration_Monitor
 
Old 11-21-2013, 12:41 AM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Dnotify was a kernel 2.4 era mechanism, since kernel 2.6 we have Inotify. If you search LQ then you're bound to find scripts using Inotify, or else try software that incorporates it like Samhain (or IIRC Linux Malware Detect or ClamAV, since you're running a web server?).
 
Old 11-21-2013, 08:34 AM   #7
mollyf
LQ Newbie
 
Registered: Mar 2007
Posts: 3

Original Poster
Rep: Reputation: 0
Thanks again for the suggestions. I'd already looked at both inotify and fam but reading the documentation I saw inotify isn't recursive and so not practical where I have literally thousands of sub-folders with new ones being added daily and FAM appears to be only good for monitoring existing files for change. Unless I'm missing something anyone who's actually used either tool can fill me in on?
 
Old 11-21-2013, 10:00 AM   #8
zhjim
Senior Member
 
Registered: Oct 2004
Distribution: Debian Squeeze x86_64
Posts: 1,748
Blog Entries: 11

Rep: Reputation: 233
Never worked with any of them.

Just for the recursive listing of a directory tree you can either go with
Code:
find /var/www -type d
or

Code:
ls -R /var/www | grep ':$' | sed 's/:$//'
Both totally untested and shots in the dark.
 
Old 11-21-2013, 10:58 AM   #9
Guttorm
Senior Member
 
Registered: Dec 2003
Location: Trondheim, Norway
Distribution: Debian and Ubuntu
Posts: 1,453

Rep: Reputation: 446
Hi

The inotify kernel calls are not recursive, but userspace tools can be:

Code:
inotifywait -q -e moved_to,close_write -m -r /var/www/ | grep --line-buffered '\.htaccess$'
But it needs to set up watches for all subdirectories, so if it's many thousands, it might be a problem. From "man inotifywait":

Quote:
-r, --recursive
Watch all subdirectories of any directories passed as arguments. Watches will be set up recursively to an unlimited depth. Symbolic links are not traversed. Newly created subdirectories will also be watched.

Warning: If you use this option while watching the root directory of a large tree, it may take quite a while until all inotify watches are established, and events will not be received in this time. Also, since one inotify watch will be established per subdirectory, it is possible that the maximum amount of inotify watches per user will be reached. The default maximum is 8192; it can be increased by writing to /proc/sys/fs/inotify/max_user_watches.
 
1 members found this post helpful.
Old 11-21-2013, 01:08 PM   #10
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
FWIW there's also recursive Inotify daemons in Perl and Python.
 
1 members found this post helpful.
Old 12-02-2013, 09:56 PM   #11
stoggy
Member
 
Registered: Jun 2008
Location: Dallas, TX
Distribution: Slackware and FC
Posts: 113

Rep: Reputation: 22
In order to watch uploads, you would either need to have something in the app the files are being uploaded with (scpd, ftpd, tar files make this very difficult), or you would need something in the FS to watch, which would be SELinux; it has a log target, so the files could be allowed but there would be a log of it. Then watch your log files for these logs.

Like unSpawn said, you could use Perl, but then you have another process doing it; if the process dies ...
 