Implementation of Checking Changes in Sensitive Files
This page demonstrates how to use Scheck with a Lua script to detect changes to sensitive files.
- Version: 1.0.7-5-gb83de2d
- Release Date: 2022-08-30 03:31:26
- Supported Operating Systems: linux/arm, linux/arm64, linux/386, linux/amd64
Prerequisites
- Scheck is installed
Development Steps
- Enter the installation directory and set the `enable` field in the configuration file `scheck.conf` to `true`. The events in this example are written to the local log file, so it is the `[scoutput.log]` output that is enabled here:

```toml
...
[scoutput]
# ##Messages generated during Security Check can be sent to local, http, or Alibaba Cloud sls.
# ##Remote server, example: http(s)://your.url
[scoutput.http]
enable = true
output = "http://127.0.0.1:9529/v1/write/security"
[scoutput.log]
# ##Local storage can be configured
enable = true
output = "/var/log/scheck/event.log"
...
```
- Create a manifest file `files.manifest` under the directory `/usr/local/scheck/custom.rules.d` (this directory is for user-defined scripts), and edit it as follows:

```toml
id = 'check-file'
category = 'system'
level = 'warn'
title = 'Monitor File Changes'
desc = 'File {{.File}} has changed'
cron = '*/10 * * * *'   # the Lua script runs every 10 seconds
os_arch = ["Linux"]
```
- In the same directory as the manifest file, create a script file `files.lua`, and edit it as follows:

```lua
-- Files to monitor
local files = {
  '/etc/passwd',
  '/etc/group'
}

-- Compare the current hash of a file with the value cached by the
-- previous run, and raise an event when they differ.
local function check(file)
  local cache_key = file
  local hashval = file_hash(file)     -- Scheck built-in: hash of the file contents
  local old = get_cache(cache_key)    -- Scheck built-in: value stored by an earlier run

  -- First run for this file: record the baseline and return without alerting
  if not old then
    set_cache(cache_key, hashval)
    return
  end

  -- The file changed since the last run: emit the event and update the baseline
  if old ~= hashval then
    trigger({File=file})              -- fills {{.File}} in the manifest desc
    set_cache(cache_key, hashval)
  end
end

for i, v in ipairs(files) do
  check(v)
end
```
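An extended version of the script above, added here as an example and not taken from the Scheck project: it uses only the built-ins shown on this page (`file_hash`, `get_cache`, `set_cache`, `trigger`), wraps the hash call in `pcall` so a file that is removed or becomes unreadable produces an event instead of aborting the run, and passes the old and new hashes into the event. It assumes extra fields are available to the manifest `desc` template the same way `{{.File}}` is (e.g. `{{.Status}}`, `{{.OldHash}}`, `{{.NewHash}}`) and that `file_hash` raises an error or returns nothing for a path it cannot read.

```lua
-- Added example (not from the Scheck project). Uses only the built-ins the
-- page shows: file_hash, get_cache, set_cache, trigger.
local files = {
  '/etc/passwd',
  '/etc/group',
  '/etc/shadow',
  '/etc/sudoers',
}

-- Sentinel cached when the file cannot be hashed (missing or unreadable),
-- so that a file which disappears, or reappears, is also reported.
local MISSING = '<missing>'

-- Returns the current hash, or MISSING if file_hash raised an error or
-- returned nothing. Assumption: file_hash errors/returns nil on an
-- unreadable path.
local function current_hash(file)
  local ok, hashval = pcall(file_hash, file)
  if not ok or hashval == nil or hashval == '' then
    return MISSING
  end
  return hashval
end

local function check(file)
  local cache_key = 'sensitive:' .. file
  local new = current_hash(file)
  local old = get_cache(cache_key)

  -- First run: only record the baseline, never alert.
  if not old then
    set_cache(cache_key, new)
    return
  end

  if old ~= new then
    -- Assumption: extra fields are exposed to the desc template like File.
    trigger({
      File = file,
      OldHash = old,
      NewHash = new,
      Status = (new == MISSING) and 'missing' or 'modified',
    })
    -- Re-baseline so one change is reported once, not on every 10-second run.
    set_cache(cache_key, new)
  end
end

for _, f in ipairs(files) do
  check(f)
end
```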
- When a sensitive file is modified, the change is detected within the next 10 seconds and the `trigger` function is invoked, sending the event to the file `/var/log/scheck/event.log` as one added line of data, for example: