Last month, we posted a guide on how to make your very own Basic File Integrity Monitor. In this six-part series, you’ll be taking what you learned and replacing simple components with more advanced, realistic counterparts. This first post is all about gathering the files you’ll need for monitoring.

Note: If you don’t already have your basic FIM set up, follow the link above before continuing.

Declaring Paths and Scan types

In our previous post, the FIM could only monitor files within its own directory. That leaves almost everything worth watching (configuration files, binaries, scripts) outside the monitor’s view, so it is not a very good approach to take. The first change we’ll make is to declare a list of files and directories we wish to watch over.

Walk-through:

monitor is a simple Python list populated with a number of dictionaries, one per location to watch. Each dictionary’s path value holds the location of the file or directory, and its recursive value is a boolean selecting the type of scan: True descends into every subdirectory beneath the path, False looks only at the directory’s immediate contents. We’ll put this list to use in our next step.

Declaring the getFiles() Function

Now that we have a list of files and directories to monitor, we’ll need a function that reads through it and turns each entry into the concrete file paths the rest of the script will check.

Walk-through:

Output: [screenshot: Get Files]
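The two pieces described above, the monitor list and a getFiles() function that expands it, written out as an added example. This is not the post’s own code: the entry paths are placeholders, and getFiles() takes the list as a parameter rather than reading a global. demo() builds a small constructed directory tree in a temporary directory so the recursive and non-recursive behaviour can be compared offline.

```python
"""Added example (not the original post's code): a monitor list plus a
getFiles() function that expands it into the regular files to check."""
import os
import shutil
import tempfile

# One dictionary per location to watch. The paths here are illustrative
# placeholders; point them at whatever your basic FIM should protect.
monitor = [
    {"path": "/etc", "recursive": False},
    {"path": "/usr/local/bin", "recursive": True},
]


def getFiles(monitor_list):
    """Expand every entry of monitor_list into a sorted list of file paths.

    - recursive False: files directly inside the directory only.
    - recursive True : the directory and every subdirectory (os.walk).
    - a path that is itself a file is returned as-is, so single files work.
    - a path that does not exist is skipped; a later stage should report the
      disappearance of a monitored file rather than crash here.
    Only regular files are returned (os.path.isfile), so device nodes, FIFOs
    and sockets never reach the hashing step, where reading them could block
    forever. os.walk is left at its default of not following symlinked
    directories, so a planted symlink cannot drag the scan out of the tree.
    """
    files = []
    for entry in monitor_list:
        path = entry["path"]
        if os.path.isfile(path):
            files.append(path)
        elif os.path.isdir(path):
            if entry.get("recursive", False):
                for root, _dirs, names in os.walk(path):
                    for name in names:
                        full = os.path.join(root, name)
                        if os.path.isfile(full):
                            files.append(full)
            else:
                for name in os.listdir(path):
                    full = os.path.join(path, name)
                    if os.path.isfile(full):
                        files.append(full)
    # A file listed twice (overlapping entries) should be checked once.
    return sorted(set(files))


def demo():
    """Build a constructed tree and return the three scan results as
    paths relative to the temporary base directory."""
    base = tempfile.mkdtemp()
    try:
        os.makedirs(os.path.join(base, "sub"))
        for rel in ("a.conf", "b.conf", os.path.join("sub", "c.conf")):
            with open(os.path.join(base, rel), "w") as fh:
                fh.write("constructed sample content\n")
        flat = getFiles([{"path": base, "recursive": False}])
        deep = getFiles([{"path": base, "recursive": True}])
        single = getFiles([
            {"path": os.path.join(base, "a.conf"), "recursive": True},
            {"path": os.path.join(base, "does-not-exist"), "recursive": True},
        ])
        rel = lambda paths: [os.path.relpath(p, base) for p in paths]
        return {"flat": rel(flat), "deep": rel(deep), "single": rel(single)}
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for name, paths in demo().items():
        print(name, paths)
    # With the placeholder entries above, on a real host:
    for path in getFiles(monitor):
        print(path)
```

The non-recursive scan of the temporary tree returns only a.conf and b.conf, the recursive scan adds sub/c.conf, and the single-file entry returns a.conf while the missing path is silently skipped. The result is sorted and de-duplicated so that the hash comparison in the next part sees a stable ordering from one run to the next.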

Updating the Basic FIM:

Taking what we’ve written so far, we can add monitor and getFiles() to the top of our existing script, so the rest of the FIM works from the list returned by getFiles() instead of the contents of its own directory.

Walk-through:

Conclusion

You can now add and remove as many files and directories as you wish. Try experimenting with different combinations of recursive and non-recursive scans to see what you come up with. This wraps up the first post in the Advanced File Integrity Monitor series, but check back soon for the next post, where we calculate hashes and file bytes.