Last month, we posted a guide on how to make your very own Basic File Integrity Monitor. In this six-part series, you’ll be taking what you learned and replacing simple components with more advanced, realistic counterparts. This first post is all about gathering the files you’ll need for monitoring.
Note: If you don’t already have you basic FIM set up, follow the link above before continuing.
##Declaring Paths and Scan types In our previous post, the FIM was only able to monitor files within its own directory. This greatly reduces the effectiveness of the script’s monitoring abilities and is not a very good approach to take. The first change we’ll make is to declare a list of files and directories we wish to watch over.
monitor is a simple Python list populated with a number of dictionaries. The
path value contains the location of the file/directory, while the
recursive value contains a boolean for the type of scan to be used. We’ll put this list to use in our next step.
##Declaring the getFiles() Function Now that we have a list of files and directories to monitor, we’ll need to script up a way to read through it.
- Line 9: Declares the local variable
filesListas an empty list. Each iteration of the Monitor will start fresh in order to detect new or deleted files.
- Line 11: Utilizes the
os.path, determining whether or not our path is a directory.
- Line 13: To scan a directory recursively, the FIM must not only locate files within the directory, but also in sub directories until it cannot continue further. To accomplish this, we use the
osmodules walk() function. This line uses a List Comprehension in order to take a series of commands and combine them into one. As each file is located, it is added to a list and then eventually added to
filesList. An normal version of this line is written as follows:
- Line 15: In a non-recursive version of line 13, each file located within the single directory is then added to
- Line 17: If the value of
x['path']is a file, no additional work is required. It is added to
##Updating the Basic FIM:
Taking what we’ve written so far, we can add
getFiles() to the top of our existing script.
- Line 21: Replacing the original script’s code with
for file in getFiles():will allow it to iterate through the returned list from the new
getFiles()function, instead of calculating the files in-line.
##Conclusion You can now add and remove as many files and directories as you wish. Maybe even try experimenting with different combinations of recursive and non recursive scans to see what you come up with. This wraps up the first post in the Advanced File Integrity Monitor series, but check back soon for the next post where we calculate hashes and file bytes.