Tracking file changes with systraq / filetraq

low-cost host-based IDS: it takes a listing of the paths you name and reports what changed since the previous run. detection only, after the fact, from a baseline stored on the same host

tested on ubuntu hirsute (21.04) and slackware 15.0

Install

debian/ubuntu

apt install systraq
grep systr /etc/passwd # the package should have added a dedicated user

cd /etc/systraq/
mv -i filetraq.default /etc/default/filetraq

sample snapshots shipped with the package

ls -lF /usr/share/doc/systraq/examples/snapshot_*

slackware

install from the systraq source tarball (see Resources); the cron line below assumes it landed in /usr/local/sbin

Setup

filetraq.conf takes one shell glob per line, and a glob only matches the depth it spells out, so first find out how deep your tree goes

ls -lF /etc/*/*/*/*/* # is there
ls -lF /etc/*/*/*/*/*/* # nope

define the paths to supervise, one line per depth

# ubuntu
vi /etc/systraq/filetraq.conf # was empty

# slackware
    mv -i /etc/filetraq.conf /etc/filetraq.conf.dist
    vi /etc/filetraq.conf # new file

    /boot/*
    /boot/*/*
    /etc/*
    /etc/*/*
    /etc/*/*/*
    /etc/*/*/*/*
    /etc/*/*/*/*/*

ubuntu only

tune the output

    vi /etc/default/filetraq

    diffopts="-bu" # unified diff, ignore changes in the amount of whitespace

Ready to go

ubuntu

filetraq /etc/systraq/filetraq.conf # first run by hand, this creates the initial snapshot

systraq ships its own cron job too; we only want the filetraq one, so disable it

mv -i /etc/cron.d/systraq /etc/cron.d/systraq.disabled

we only need this one

cat /etc/cron.d/filetraq

slackware

ls -alF /var/lib/filetraq/
rm -rf /var/lib/filetraq/* # start from an empty state dir: this throws away every previous snapshot, so only do it before the first run

filetraq --help
filetraq /etc/filetraq.conf /var/lib/filetraq

and run it nightly from cron. cron mails the output (stderr merged in by the 2>&1), so make sure mail for root actually reaches you

    crontab -e

    20 4 * * * /usr/local/sbin/filetraq /etc/filetraq.conf /var/lib/filetraq 2>&1
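To see what the glob list above does and does not cover, here is an added illustration of the snapshot-and-diff idea, written for this guide and not taken from the systraq project or from this page's author. It is plain sh plus GNU coreutils (stat, sha256sum, diff): it expands the globs of a conf file, records mode, owner, size, mtime and a checksum per path, and on the next run prints the unified diff, which is what cron would mail. The function names, the conf file, the sample tree under mktemp and the "one depth per line" limitation are assumptions of the demo: ft_demo watches the tree with globs to depth 2 only, edits a tracked file (reported) and then plants a file two levels deeper (not reported).

```shell
#!/bin/sh
# Added example, not filetraq's own code: a minimal snapshot-and-diff checker
# in POSIX sh + GNU coreutils (stat, sha256sum, diff). Function names, the conf
# format details and the sample tree are assumptions made up for this demo.

# ft_snapshot CONF
# expand every glob in CONF (one per line, blank lines and # comments skipped),
# print one line per match: mode uid gid size mtime sha256(16 hex) path
# (paths with spaces are not handled, same as a plain glob list)
ft_snapshot() {
    conf=$1
    while IFS= read -r pattern || [ -n "$pattern" ]; do
        case $pattern in ''|'#'*) continue ;; esac
        # unquoted on purpose: the shell expands the glob, one depth per line
        for path in $pattern; do
            [ -e "$path" ] || [ -L "$path" ] || continue  # unmatched glob stays literal
            if [ -f "$path" ] && [ ! -L "$path" ]; then
                sum=$(sha256sum -- "$path" | cut -c1-16)
            else
                sum=-   # directories, links, devices: metadata only
            fi
            stat -c "%A %u %g %s %Y $sum %n" -- "$path"
        done
    done < "$conf" | LC_ALL=C sort -u -k7,7
}

# ft_check CONF STATEDIR
# take a snapshot and diff it against the previous one; the diff goes to stdout
# (under cron, that is the mail you get). the new snapshot then becomes the
# baseline, so a change is reported once: read the mail, do not just delete it.
# returns 0 unchanged, 1 changes found, 2 first run (baseline only)
ft_check() {
    conf=$1 state=$2
    mkdir -p "$state"
    ft_snapshot "$conf" > "$state/snapshot.new"
    if [ ! -f "$state/snapshot" ]; then
        mv "$state/snapshot.new" "$state/snapshot"
        echo "baseline: $(wc -l < "$state/snapshot") entries"
        return 2
    fi
    if diff -u "$state/snapshot" "$state/snapshot.new"; then rc=0; else rc=1; fi
    mv "$state/snapshot.new" "$state/snapshot"
    return $rc
}

# ft_demo: constructed tree under mktemp, watched with globs to depth 2 only
# (like the /etc/* list above cut short). prints "<rc1> <rc2> <rc3> <hits> <misses>":
# first run 2 (baseline), edit of ssh/sshd_config 1 (reported, 2 diff lines name it),
# new file at depth 4 0 (no glob lists that depth, so nothing is reported)
ft_demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/etc/ssh" "$tmp/etc/pam.d/deep/deeper"
    printf 'root:x:0:0\n' > "$tmp/etc/passwd"
    printf 'PermitRootLogin no\n' > "$tmp/etc/ssh/sshd_config"
    printf '%s\n' "$tmp/etc/*" "$tmp/etc/*/*" > "$tmp/filetraq.conf"

    if ft_check "$tmp/filetraq.conf" "$tmp/state" > /dev/null; then rc1=0; else rc1=$?; fi
    printf 'PermitRootLogin yes\n' > "$tmp/etc/ssh/sshd_config"
    if ft_check "$tmp/filetraq.conf" "$tmp/state" > "$tmp/report1"; then rc2=0; else rc2=$?; fi
    : > "$tmp/etc/pam.d/deep/deeper/backdoor"
    if ft_check "$tmp/filetraq.conf" "$tmp/state" > "$tmp/report2"; then rc3=0; else rc3=$?; fi

    hits=$(grep -c sshd_config "$tmp/report1" || true)
    misses=$(grep -c backdoor "$tmp/report2" || true)
    rm -rf "$tmp"
    echo "$rc1 $rc2 $rc3 $hits $misses"
}

ft_demo
```

The point carries over to the real tool: whatever depth your glob list stops at, a file planted one level deeper never shows up in the diff, so count the levels as above and recount when a package drops a deeper tree into /etc.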

Resources

http://mdcc.cx/pub/systraq/systraq-latest/doc/manual.html

http://manpages.ubuntu.com/manpages/bionic/man8/systraq.8.html


Copyright © 2022 Pierre-Philipp Braun