Hello Burn,

Have you considered iwatch (no, not the Apple wrist gadget)? It monitors files and can alert on a large set of file conditions. Check out the man page at: http://manpages.ubuntu.com/manpages/utopic/man1/iwatch.1.html

Best regards,
Gary Smith

On 7/20/15 4:56 AM, Burn Alting wrote:
> All,
>
> I am interested in any Linux-based capability that will monitor
> identified files and report on actual changes to the monitored file. I
> know there are methods of recording that the file has been changed (e.g.
> aide and/or monitor writes via auditd), but I want to know what has
> changed ... basically something that would provide a 'diff' like output.
>
> Now there are tools like Samhain that will record the content changes of
> a file that is <= 92000 bytes in size, but I am interested in a more
> lightweight solution ... perhaps a simple inotify(7) based utility that
> perhaps maintains a copy of the file(s) in core (in compressed format)
> and based on inotify() returns checks for changes and reports (somehow
> yet to be defined) the before/after changes.
>
> Is there anything 'out there' that list members are aware of?
>
> If not, would the following utility be of interest? On startup, load the
> monitored file(s) (saving a compressed copy in memory). Then, using
> inotify, monitor for changes and if so, emit some kind of record
> defining the change and change the compressed in-memory copy. If so, is
> our mailing list and the contributed portion of auditd an appropriate
> repository for such a tool?
>
> Naturally, such a tool would be supported by appropriate auditd
> monitoring that will take care of changing file attributes etc and file
> writes. That is, auditd tells me who and the utility tells me what.
>
>
> Regards
> Burn
>
> --
> Linux-audit mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/linux-audit
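
The utility proposed in the quoted message (compressed in-memory copy, inotify wake-up, diff-style record, refresh of the copy), as an added Python example that is not code from this thread or from auditd. The names `Snapshots` and `watch`, the use of zlib and difflib, and the choice of the `IN_CLOSE_WRITE` event are assumptions; pairing the output with auditd write rules for the "who" is left as the message describes.

```python
import ctypes, difflib, os, struct, zlib

IN_CLOSE_WRITE = 0x008  # event mask value from <sys/inotify.h>

class Snapshots:
    """In-memory, zlib-compressed copies of the monitored files."""
    def __init__(self, paths):
        self.store = {p: zlib.compress(self._read(p)) for p in paths}

    @staticmethod
    def _read(path):
        with open(path, "rb") as fh:
            return fh.read()

    def diff(self, path):
        """Unified diff of the stored copy vs. the file on disk; refreshes the copy."""
        old = zlib.decompress(self.store[path])
        new = self._read(path)
        self.store[path] = zlib.compress(new)
        as_lines = lambda b: b.decode(errors="replace").splitlines(keepends=True)
        return "".join(difflib.unified_diff(
            as_lines(old), as_lines(new), path + " (before)", path + " (after)"))

def watch(paths, report=print):
    """Block on inotify and report a diff each time a watched file is written."""
    libc = ctypes.CDLL(None, use_errno=True)  # Linux libc via the running process
    fd = libc.inotify_init()
    if fd < 0:
        raise OSError(ctypes.get_errno(), "inotify_init failed")
    snaps, by_wd = Snapshots(paths), {}
    for p in paths:
        # A file watch follows the inode: a rename-over replacement of the
        # file would need a watch on the parent directory instead.
        wd = libc.inotify_add_watch(fd, os.fsencode(p), IN_CLOSE_WRITE)
        if wd < 0:
            raise OSError(ctypes.get_errno(), "inotify_add_watch failed: " + p)
        by_wd[wd] = p
    while True:
        buf, off = os.read(fd, 4096), 0
        while off < len(buf):
            # struct inotify_event: int wd; uint32 mask, cookie, len; char name[len]
            wd, _mask, _cookie, name_len = struct.unpack_from("iIII", buf, off)
            off += 16 + name_len
            text = snaps.diff(by_wd[wd]) if wd in by_wd else ""
            if text:
                report(text)

if __name__ == "__main__":
    import sys
    watch(sys.argv[1:])  # usage: python3 this_file.py FILE [FILE ...]
```
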
