File Integrity Monitoring (FIM) systems are great for notifying users when important files are being changed, and can even prevent the changes from sticking. In this post, I’ll show you how to build your own basic FIM using Python, alerting on changes by sending messages to the console.

Note: I’ve created a new directory for this project, and added a few junk files in addition to my BasicFIM.py script. You can add any files you want.

Getting the files to monitor

The first step we’ll take is to gather up all the files in our script’s directory. After all, we need something to monitor, right?

Calculating the hash

There are many different types of hashes to choose from, all with varying speeds and levels of security. In a production-level FIM, you’ll want to take things like calculation speed and collisions into account (MD5 is fast but no longer collision-resistant, so SHA-256 is the safer choice there), but for the purposes of this post, we’ll use MD5.

Storing Hashes

So now that you’ve got your files hashed, it’s time to put them somewhere you can access them later.

Send a useful alert

Here’s where you get to be creative! When it comes to alerting, you have a number of options to choose from: customize the format, come up with a creative message, write to the console, or send an email or text message. The possibilities are endless!

Detecting the change

Because we trust the baseline hashes and only want to be alerted when they change, we need to add some sort of check to prevent our alert from always going off.

Output:

After this step, you shouldn’t see anything! But that will change shortly…

Continuously Monitor

So far, you’ve scanned your directory, picked out the files, collected their hashes, and added alerts. For this final step, we’ll throw it all in a loop to keep the code running and start the monitoring.
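
The six steps above combined into one script, as an added example rather than the post's own code: it polls the directory, compares each scan to a trusted baseline, and also reports added and deleted files, which goes slightly beyond the change detection described here. It uses SHA-256 instead of MD5; the function names, the 5-second interval and the `max_cycles` parameter are assumptions made for this example.

```python
import hashlib
import os
import time

def get_files(directory):
    """Return sorted paths of regular files directly inside `directory`."""
    return sorted(e.path for e in os.scandir(directory)
                  if e.is_file(follow_symlinks=False))

def hash_file(path, algorithm="sha256", chunk_size=65536):
    """Hash a file in chunks so large files do not have to fit in memory."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def snapshot(directory):
    """Map each file path to its current hash; skip files that vanish mid-scan."""
    hashes = {}
    for path in get_files(directory):
        try:
            hashes[path] = hash_file(path)
        except OSError:
            continue  # deleted or unreadable between listing and hashing
    return hashes

def compare(baseline, current):
    """Return sorted (event, path) alerts for every difference from the baseline."""
    alerts = [("ADDED", p) for p in current if p not in baseline]
    alerts += [("DELETED", p) for p in baseline if p not in current]
    alerts += [("MODIFIED", p) for p in current
               if p in baseline and baseline[p] != current[p]]
    return sorted(alerts)

def monitor(directory, interval=5.0, max_cycles=None):
    """Poll `directory` and print an alert each time a file's state changes."""
    baseline = snapshot(directory)  # trusted state, taken once at start-up
    reported = set()  # so one change does not re-alert on every cycle
    cycle = 0
    while max_cycles is None or cycle < max_cycles:
        time.sleep(interval)
        found = set(compare(baseline, snapshot(directory)))
        for event, path in sorted(found - reported):
            print(f"[{time.strftime('%H:%M:%S')}] ALERT {event}: {path}")
        reported = found
        cycle += 1

if __name__ == "__main__":
    monitor(os.path.dirname(os.path.abspath(__file__)))
```

The baseline lives only in memory, so it is rebuilt (and implicitly trusted) on every restart; a change made while the script is stopped will not be flagged.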

Conclusion

Congratulations! You’ve built your very own File Integrity Monitor. Even though it’s very basic, all the core fundamentals are there for you to build on. If you are interested in learning more, check back for future posts on building a more advanced FIM (along with other security-related goodies).