Skip to content

Find permission/file changes using a SQLite database with python.

Notifications You must be signed in to change notification settings

skyler-ferrante/FileScanner

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

73 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

File Scanner

Creates an sqlite database correlating filepaths to file hashes and permissions

The current state of the system can be checked against this database to find changes

To generate the database use:

./mark.py /etc/              #Mark all files in /etc/ recursively (including subdirectories)
                             #Or
./mark.py /etc/*.conf        #Mark all files matching /etc/*.conf

After the database is generated you can use:

./check.py -c                #Find all changes (Only works if mark is called with directory)
./check.py -h hash           #Find files with given hash
./check.py -p permission     #Find files with given permission
./check.py -h <file          #Find all files with hashes in file
./check.py file              #File to check if hash has changed
./mark.py  -u                #Update database
./info.py                    #Get basic information on database

Example (finding new crontabs)

$ sudo ./mark.py /var/ # Keep track of var
$ sudo ./check.py -c # Look for changes (none)
$ (crontab -l; echo "* * * * * /home/user/some_script3.sh") | crontab - # Add crontab entry
$ sudo ./check.py -c # Look for changes (should find crontab modification)
/var/spool/cron/crontabs/sky modified 144422a6890f794dc69900d94ec92f0d603e85dbd382754399938d967e96bff7

Create binaries with pyinstaller:

make

Note: Default ignores the directories /mnt, /proc, /var, and /run

This can be changed in filelist/walker.py

About

Find permission/file changes using a SQLite database with python.

Topics

Resources

Stars

Watchers

Forks