low-cost host-based IDS
tested on ubuntu/hirsute and slack150
apt install systraq grep systr /etc/passwd cd /etc/systraq/ mv -i filetraq.default /etc/default/filetraq
some samples
ls -lF /usr/share/doc/systraq/examples/snapshot_*
see systraq-source
how many levels of sub-folders do you have?
ls -lF /etc/*/*/*/*/* # is there ls -lF /etc/*/*/*/*/*/* # nope on slackware ls -lF /etc/*/*/*/*/*/*/* # nope on debian
define your folders to supervise
# ubuntu
vi /etc/systraq/filetraq.conf # empty
# slackware
mv -i /etc/filetraq.conf /etc/filetraq.conf.dist
vi /etc/filetraq.conf # new file
/boot/*
/boot/*/*
/etc/*
/etc/*/*
/etc/*/*/*
/etc/*/*/*/*
/etc/*/*/*/*/*
tune the output
vi /etc/default/filetraq
diffopts="-bu"
difforder="oldnew"
assuming system is able to send emails
generate the initial backup
#rm -rf /var/lib/filetraq/* filetraq /etc/systraq/filetraq.conf ls -lF /var/lib/filetraq/
now enable daily subsequent runs as cron job
not sure what this one does
mv -i /etc/cron.d/systraq /etc/cron.d/systraq.disabled
this one is good enough (every 5 minutes)
cat /etc/cron.d/filetraq
crontab -e
20 4 * * * /usr/local/sbin/filetraq /etc/filetraq.conf /var/lib/filetraq 2>&1
http://mdcc.cx/pub/systraq/systraq-latest/doc/manual.html
http://manpages.ubuntu.com/manpages/bionic/man8/systraq.8.html