Tracking file changes with systraq / filetraq

low-cost host-based IDS

tested on ubuntu/hirsute and slack150

Introduction

filetraq is good for tracking config file changes (not that much binary sums, as stated in the README).

note systraq is a proposed enhancement to run the diffs as user, but we are sticking with just filetraq for now.

Install

debian/ubuntu

apt install systraq
grep systr /etc/passwd

cd /etc/systraq/
mv -i filetraq.default /etc/default/filetraq

some samples

ls -lF /usr/share/doc/systraq/examples/snapshot_*

slackware

see systraq-source

Setup

how many levels of sub-folders do you have?

ls -lF /etc/*/*/*/*/* # is there
ls -lF /etc/*/*/*/*/*/* # nope on slackware
ls -lF /etc/*/*/*/*/*/*/* # nope on debian

define your folders to supervise

# ubuntu
vi /etc/systraq/filetraq.conf # empty

# slackware
    mv -i /etc/filetraq.conf /etc/filetraq.conf.dist
    vi /etc/filetraq.conf # new file

    /boot/*
    /boot/*/*
    /etc/*
    /etc/*/*
    /etc/*/*/*
    /etc/*/*/*/*
    /etc/*/*/*/*/*

debian / ubuntu

tune the output

    vi /etc/default/filetraq

    diffopts="-bu"
difforder="oldnew"

Ready to go

assuming system is able to send emails

generate the initial backup

#rm -rf /var/lib/filetraq/*
filetraq /etc/systraq/filetraq.conf
ls -lF /var/lib/filetraq/

now enable daily subsequent runs as cron job

debian / ubuntu

not sure what this one does

mv -i /etc/cron.d/systraq /etc/cron.d/systraq.disabled

this one is good enough (every 5 minutes)

cat /etc/cron.d/filetraq

slackware

    crontab -e

    20 4 * * * /usr/local/sbin/filetraq /etc/filetraq.conf /var/lib/filetraq 2>&1

Resources

the originating tool

http://filetraq.xidus.net/

http://filetraq.xidus.net/README

https://manpages.ubuntu.com/manpages/kinetic/man8/filetraq.8.html

some improvements

http://mdcc.cx/systraq/

http://mdcc.cx/pub/systraq/systraq-latest/doc/manual.html