GithubHelp home page GithubHelp logo

alhazred / illumos-fim Goto Github PK

View Code? Open in Web Editor NEW
1.0 1.0 0.0 28 KB

IFIM is an illumos fork of Achiefs File Integrity Monitoring tool that performs file system analysis, file integrity checking on illumos-based distributions.

License: GNU General Public License v3.0

Rust 100.00%
file-integrity rust events file file-integrity-monitoring file-monitoring illumos security-monitoring solaris

illumos-fim's Introduction

illumos FIM

illumos FIM is a fork of File Integrity Monitoring tool (https://github.com/Achiefs/fim), which tracks any event over files on illumos-based distributions.

It is capable of keeping historical data of your files. It checks the filesystem changes in the background. It could integrate with other security tools like Ossec or Wazuh. The produced data can be ingested and analyzed with tools like ElasticSearch/OpenSearch.

Features

  • Filesystem monitor (File change monitor).
  • Identification of changes in content, attributes, ownership or permissions.
  • Store logs of detected events.
  • Compatible with illumos.

Get started

  1. Install with:
  • CARGO: cargo install --git https://github.com/alhazred/ifim.git

  1. You can start to work typing sudo nohup ifim in your terminal

  2. IFIM monitor will start monitoring any activity on the default folders configured in /etc/ifim/config.yml file.

  3. If you want to test it you could launch touch /tmp/file.txt in your terminal then, take a look at /var/lib/ifim/events.json file. It will store each produced event in JSON format. Event contains id, file path, file mode, uid, gid, file size, mtime, atime, ctime, operation (MODIFY, CREATE, REMOVE, ACCESS), event timestamp, file checksum, monitor path label.

Configuration

Edit /etc/ifim/config.yaml, add paths or ignore files.

How to compile

Use the Cargo tool to get dependencies automatically downloaded. Steps:

cargo build --release

Then take a look at the target/release folder.

Set up environment

illumos

  • Install git
  • Install gcc
  • Run curl https://sh.rustup.rs -sSf | sh to install rust (install at default location).
  • Reload PATH variable in your terminal.
  • Run git clone https://github.com/alhazred/ifim.git
  • Run cd ifim to go inside cloned folder.
  • Edit config.yml to adjust your needs, add paths or ignore files.
  • Run cargo run to download crates, build and run IFIM monitor.

Sample output

tail -f /var/log/ifim/ifim.log

Jun 27 10:10:32 [INFO] Events file: /var/lib/ifim/events.json
Jun 27 10:10:32 [INFO] illumos File Integrity Monitor started
Jun 27 10:10:32 [INFO] Monitoring path: /bin
Jun 27 10:10:32 [INFO] Ignoring files with: .swp inside /bin
Jun 27 10:10:32 [INFO] Monitoring path: /usr/bin
Jun 27 10:10:32 [INFO] Ignore for '/usr/bin' not set
Jun 27 10:10:32 [INFO] Monitoring path: /etc
Jun 27 10:10:32 [INFO] Ignore for '/etc' not set
Jun 27 10:11:02 [INFO] Changes found: /etc/wtmpx MODIFY
Jun 27 10:11:02 [INFO] Changes found: /etc/utmpx MODIFY
^C

tail -f /var/lib/ifim/events.json

{"id":"faad0126-49e8-4a03-a5ce-b6b6b355ccf3","path":"/etc/dev/.devfsadm_dev.lock","mode":"100644","uid":"0","gid":"0","filesize":"4","mtime":"1671211277","atime":"1671211277","ctime":"1671211277","operation":"MODIFY","timestamp":"1671211286106","checksum":"UNKNOWN","label":"etc"}
{"id":"516102df-70f2-4086-ad41-cd93dae49a47","path":"/etc/dev/.devlink_db","mode":"100644","uid":"0","gid":"0","filesize":"139264","mtime":"1671211277","atime":"1671211277","ctime":"1671211277","operation":"MODIFY","timestamp":"1671211286108","checksum":"UNKNOWN","label":"etc"}
{"id":"fb6c42f0-855f-40be-bdb6-fb6cf1831aff","path":"/etc/svc/volatile/init.state","mode":"100600","uid":"0","gid":"0","filesize":"412","mtime":"1671211277","atime":"1671211277","ctime":"1671211277","operation":"MODIFY","timestamp":"1671211286111","checksum":"553a0074d394b6eb0f6dbd4e9a952ebedf19580ea87880caa7ba066b2efeb3d11ca6aa9037384c0516012aab04e638b362f2f6ebc04eae5ea970319c70ed516b","label":"etc"}
{"id":"02647516-c1c4-4154-ac5f-bfe9fcbcd7cc","path":"/etc/wtmpx","mode":"100644","uid":"4","gid":"4","filesize":"219108","mtime":"1671211273","atime":"1671211273","ctime":"1671211273","operation":"MODIFY","timestamp":"1671211286113","checksum":"UNKNOWN","label":"etc"}
{"id":"57d7f306-4d2f-4609-b007-8eecff060df5","path":"/etc/devices/snapshot_cache","mode":"100444","uid":"0","gid":"0","filesize":"539028","mtime":"1671211277","atime":"1671211277","ctime":"1671211277","operation":"MODIFY","timestamp":"1671211286116","checksum":"UNKNOWN","label":"etc"}
{"id":"80485ccc-de87-4430-9e3b-dcad6e04a795","path":"/etc/utmpx","mode":"100644","uid":"0","gid":"2","filesize":"4836","mtime":"1671211273","atime":"1671211273","ctime":"1671211273","operation":"MODIFY","timestamp":"1671211286118","checksum":"UNKNOWN","label":"etc"}
{"id":"f9730be9-91be-4111-a8c3-eeeaa1be3aed","path":"/etc/wtmpx","mode":"100644","uid":"4","gid":"4","filesize":"398412","mtime":"1687860647","atime":"1687860647","ctime":"1687860647","operation":"MODIFY","timestamp":"1687860662035","checksum":"UNKNOWN","label":""}
{"id":"e0342ee0-ab71-4025-bf8a-522deb4a5e78","path":"/etc/utmpx","mode":"100644","uid":"0","gid":"2","filesize":"4092","mtime":"1687860647","atime":"1687860652","ctime":"1687860647","operation":"MODIFY","timestamp":"1687860662049","checksum":"UNKNOWN","label":""}

illumos-fim's People

Contributors

alhazred avatar

Stargazers

avatar

Watchers

avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.