
Implementation of Checking Changes in Sensitive Files

This will demonstrate how to use Scheck to check sensitive files using a Lua script.

  • Version: 1.0.7-5-gb83de2d
  • Release Date: 2022-08-30 03:31:26
  • Supported Operating Systems: linux/arm, linux/arm64, linux/386, linux/amd64

Prerequisites

Development Steps

  1. Enter the installation directory and, in the configuration file scheck.conf, set enable = true for the output you want under [scoutput]. The snippet below enables the HTTP output; to write events to the local file /var/log/scheck/event.log (the sink that step 4 reads), set enable = true under [scoutput.log] instead:

...
[scoutput]
  # ##Messages generated during Security Check can be sent to local, http, or Alibaba Cloud sls.
  # ##Remote server, example: http(s)://your.url
  [scoutput.http]
    enable = true
    output = "http://127.0.0.1:9529/v1/write/security"
  [scoutput.log]
    # ##Local storage can be configured
    enable = false
    output = "/var/log/scheck/event.log"
...

  2. Create a manifest file files.manifest under the directory /usr/local/scheck/custom.rules.d (this directory is for user-defined scripts) with the following content:

id       = 'check-file'
category = 'system'
level    = 'warn'
title    = 'Monitor File Changes'
desc     = 'File {{.File}} has changed'   # {{.File}} is filled from the table passed to trigger()
cron     = '*/10 * * * *'                 # run the Lua script every 10 seconds
os_arch  = ["Linux"]

  3. In the same directory as the manifest file, create a script file files.lua with the following content:

-- Sensitive files to watch; add paths as needed.
local files = {
    '/etc/passwd',
    '/etc/group'
}

-- Compare the current hash of `file` with the hash cached on the previous run.
local function check(file)
    local cache_key = file
    local hashval = file_hash(file)

    local old = get_cache(cache_key)
    if not old then
        -- First run: record a baseline hash, do not alert.
        set_cache(cache_key, hashval)
        return
    end

    if old ~= hashval then
        -- Hash differs from the last run: raise the event and update the baseline.
        trigger({File = file})
        set_cache(cache_key, hashval)
    end
end

for _, v in ipairs(files) do
    check(v)
end

  4. When a sensitive file is modified, the change is detected within the next 10 seconds and the trigger function is invoked, appending an event line to /var/log/scheck/event.log, for example:

check-file-01,category=security,level=warn,title=Monitor File Changes message="File /etc/passwd has changed" 1617262230001916515
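The hash-then-compare flow that the manifest and Lua script implement, as a stand-alone Python example added here (not Scheck's own code): an in-memory dict stands in for get_cache/set_cache, SHA-256 for file_hash, and the event is rendered in the layout of the sample event.log line above. It walks the three states worth verifying before deploying such a rule: the first run records a baseline without alerting, an unchanged rerun stays quiet, and a modification produces exactly one event.

```python
import hashlib
import os
import tempfile
import time


def file_hash(path):
    """SHA-256 of the file contents; stand-in for Scheck's file_hash()."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def format_event(rule_id, category, level, title, message, ts_ns):
    """Render one event line: measurement,tags field timestamp (as in event.log)."""
    return (f"{rule_id},category={category},level={level},title={title} "
            f'message="{message}" {ts_ns}')


def check(path, cache):
    """Return an event line if `path` changed since the cached hash, else None.

    `cache` is a dict standing in for get_cache/set_cache. As in the Lua
    script, the first sighting only records a baseline and never alerts.
    """
    hashval = file_hash(path)
    old = cache.get(path)
    cache[path] = hashval  # refresh the baseline on every run
    if old is None or old == hashval:
        return None
    return format_event("check-file", "system", "warn", "Monitor File Changes",
                        f"File {path} has changed", time.time_ns())


def demo():
    """Constructed scenario on a temp file: baseline, unchanged rerun, modification."""
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "passwd")
        with open(p, "w") as f:
            f.write("root:x:0:0:root:/root:/bin/bash\n")
        cache = {}
        first = check(p, cache)    # None: baseline recorded
        second = check(p, cache)   # None: content unchanged
        with open(p, "a") as f:    # simulate an edit to the watched file
            f.write("backup:x:1001:1001::/home/backup:/bin/sh\n")
        third = check(p, cache)    # event line
        fourth = check(p, cache)   # None: new baseline already stored
        return first, second, third, fourth
```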
