low-cost host-based IDS
tested on ubuntu/hirsute and slack150
filetraq is good for tracking config file changes (not that much binary sums, as stated in the README).
note systraq is a proposed enhancement to run the diffs as user, but we are sticking with just filetraq for now.
apt install systraq grep systr /etc/passwd cd /etc/systraq/ mv -i filetraq.default /etc/default/filetraq
some samples
ls -lF /usr/share/doc/systraq/examples/snapshot_*
see systraq-source
how many levels of sub-folders do you have?
ls -lF /etc/*/*/*/*/* # is there ls -lF /etc/*/*/*/*/*/* # nope on slackware ls -lF /etc/*/*/*/*/*/*/* # nope on debian
define your folders to supervise
# ubuntu vi /etc/systraq/filetraq.conf # empty # slackware mv -i /etc/filetraq.conf /etc/filetraq.conf.dist vi /etc/filetraq.conf # new file /boot/* /boot/*/* /etc/* /etc/*/* /etc/*/*/* /etc/*/*/*/* /etc/*/*/*/*/*
tune the output
vi /etc/default/filetraq diffopts="-bu" difforder="oldnew"
assuming system is able to send emails
generate the initial backup
#rm -rf /var/lib/filetraq/* filetraq /etc/systraq/filetraq.conf ls -lF /var/lib/filetraq/
now enable daily subsequent runs as cron job
not sure what this one does
mv -i /etc/cron.d/systraq /etc/cron.d/systraq.disabled
this one is good enough (every 5 minutes)
cat /etc/cron.d/filetraq
crontab -e 20 4 * * * /usr/local/sbin/filetraq /etc/filetraq.conf /var/lib/filetraq 2>&1
http://filetraq.xidus.net/README
https://manpages.ubuntu.com/manpages/kinetic/man8/filetraq.8.html
http://mdcc.cx/pub/systraq/systraq-latest/doc/manual.html