low-cost host-based IDS
tested on ubuntu/hirsute and slack150
filetraq is good for tracking config file changes (not so much binary checksums, as stated in the README).
note systraq is a proposed enhancement to run the diffs as user, but we are sticking with just filetraq for now.
apt install systraq
grep systr /etc/passwd
cd /etc/systraq/
mv -i filetraq.default /etc/default/filetraq
some samples
ls -lF /usr/share/doc/systraq/examples/snapshot_*
see systraq-source
how many levels of sub-folders do you have?
ls -lF /etc/*/*/*/*/*   # is there
ls -lF /etc/*/*/*/*/*/*   # nope on slackware
ls -lF /etc/*/*/*/*/*/*/*   # nope on debian
define your folders to supervise
# ubuntu
vi /etc/systraq/filetraq.conf   # empty

# slackware
mv -i /etc/filetraq.conf /etc/filetraq.conf.dist
vi /etc/filetraq.conf   # new file

/boot/*
/boot/*/*
/etc/*
/etc/*/*
/etc/*/*/*
/etc/*/*/*/*
/etc/*/*/*/*/*
tune the output
vi /etc/default/filetraq

# doesn't work
#diffopts="-bu --exclude=/etc/adjtime"
diffopts="-bu"
difforder="oldnew"
assuming system is able to send emails
generate the initial backup
#rm -rf /var/lib/filetraq/*
filetraq /etc/systraq/filetraq.conf
ls -lF /var/lib/filetraq/
now enable daily subsequent runs as cron job
not sure what this one does
mv -i /etc/cron.d/systraq /etc/cron.d/systraq.disabled
this one is good enough (every 5 minutes)
cat /etc/cron.d/filetraq
the diff --exclude=/etc/adjtime pattern does not work, hence we're removing it
crontab -e

# guest systems
#20 4 * * * /usr/local/sbin/filetraq /etc/filetraq.conf /var/lib/filetraq 2>&1

# bare-metal - deal with adjtime
20 4 * * * /root/bin/filetraq-wrapper.bash 2>&1

cd /root/bin/
wget https://pub.nethence.com/bin/filetraq-wrapper.bash
chmod +x filetraq-wrapper.bash
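The snapshot-and-diff loop the steps above configure, as an added example in POSIX sh: this is neither filetraq's own code nor the nethence wrapper (whose contents are not shown here), but a minimal reimplementation of the same idea, with the adjtime noise handled by exact-path exclusion instead of diff's --exclude; the function names in_excludes and track_files and the store layout are assumptions.

```shell
#!/bin/sh
# Minimal filetraq-style change tracker (added example, not filetraq's
# own code nor the nethence wrapper). Keeps a reference copy of every
# supervised file under STORE, reports a unified diff against that copy,
# then refreshes the copy. Noisy files such as /etc/adjtime are skipped
# by exact path, because diff's --exclude only applies when comparing
# directories and is silently ignored for single-file diffs.
# Helper names (in_excludes, track_files) are hypothetical.

# in_excludes PATH EXCLUDE... : succeed if PATH is one of the EXCLUDEs
in_excludes() {
    p=$1; shift
    for x in "$@"; do
        [ "$p" = "$x" ] && return 0
    done
    return 1
}

# track_files STORE EXCLUDES FILE...
#   STORE    directory holding the reference copies (like /var/lib/filetraq)
#   EXCLUDES space-separated paths never reported, e.g. "/etc/adjtime"
#   FILE...  files to supervise; pass the globs from filetraq.conf
#            unquoted so the shell expands them (e.g. /etc/* /etc/*/*)
# Prints "new file:" lines and diffs; returns 1 if anything changed.
track_files() {
    store=$1; excludes=$2; shift 2
    changed=0
    for f in "$@"; do
        [ -f "$f" ] || continue                # skip directories, sockets, etc.
        in_excludes "$f" $excludes && continue
        copy="$store$f"                        # mirror absolute path in STORE
        if [ -e "$copy" ]; then
            # -b ignores whitespace changes, -u gives unified output, as in
            # diffopts="-bu"; old copy first matches difforder="oldnew"
            if ! diff -bu "$copy" "$f"; then
                changed=1
            fi
        else
            echo "new file: $f"
            changed=1
        fi
        mkdir -p "$(dirname "$copy")" && cp -p "$f" "$copy"   # refresh copy
    done
    return $changed
}

# Example invocation on a real host (writes only under the store dir):
#   track_files /var/lib/filetraq-demo /etc/adjtime /etc/* /etc/*/*
```

Running it from cron and mailing the output gives the same daily report filetraq produces, minus the adjtime hunk.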
http://filetraq.xidus.net/README
https://manpages.ubuntu.com/manpages/kinetic/man8/filetraq.8.html
http://mdcc.cx/pub/systraq/systraq-latest/doc/manual.html