Untitled

#!/usr/bin/perl

#
#       - Track files in /etc
#       - Create audit log message with diff for every changed file
#

use MIME::Base64;
use strict;

sub ensure_file_is_in_git {

        my ($path,$file) = @_;
        my ($diff);
        unless ( system("cd $path ; git ls-files --error-unmatch \"$file\" &>/dev/null") == 0 )  {
                # use git add --force since path may bin in .gitignore
                system("cd $path ; git add -f $file ; git commit -m 'added new file $path/$file' \"$file\" &>/dev/null ");
                $diff = `diff -Nru /dev/null "$path/$file"`;
        }

        return $diff;
}

sub exclude_matched {

        my ($file) = @_;

        # exclude irrelevant files
        #       - .git directory (track-loop!)
        #       - .etckeeper file/directory (track-loop!)
        #       - Editor Swap-files .swp/.swx/.swy/.swz/*~

        if(
                        $file =~ /(\/etc\/\.git|\.etckeeper)/
                or      $file =~ /\.[^\/]+\.sw[p-z]$/
                or      $file =~ /\~$/
        ) {
                return 1;
        }
        return 0;
}

sub process_delete {

        my ($path,$file) = @_;
        my ($diff);

        # if file is contained in git repo
        #
        #       -> create diff
        #       -> delete file from
        #
        # if file is not contained in git repo
        #
        #       -> ignore
        #

        if ( system("cd $path ; git ls-files --error-unmatch \"$file\" &>/dev/null") == 0 )  {

                $diff = `cd $path && git diff -- $file 2>/dev/null`;
                system("cd $path && git rm -- $file; git commit -m 'deleted-file-$file' $file");
                return $diff;

        }
}

sub process_modify {

        my ($path,$file) = @_;
        my ($diff);

        # if file is not in git repo
        #
        #       -> create diff
        #       -> add file to git
        #
        # ---
        # for all:
        #
        #

        $diff = ensure_file_is_in_git($path,$file);

        # if the prior diff is empty, we get the diff from the git command
        $diff = `cd $path && git diff -- $file 2>/dev/null` unless($diff);

        if ($diff ne '') {
                # commit non-empty changes after detection
                system("cd $path && git commit -m 'auto-commit-".time()."' $file 2>/dev/null >&2");
        }

        return $diff;

}

sub diff_audit_write {

        my ($time,$fullpath,$diff) = @_;

        # ignore events with empty diffs
        if($diff ne '') {

                # encode it to base64 to avoid problems with special characters
                $diff = encode_base64($diff);

                #no linebreaks in audit message!
                $diff =~ s/\R//g ;

                # create audit message with encoded diff
                system("auditctl -m 'file_content_tracker $fullpath " .$diff."'");

                print("file change detected: file=$fullpath,time=$time,diff_length=".length($diff)."\n");
        }
}

sub main {

        my ($inotifywait,$line,$path,$file,$fullpath,$event,$diff,$time);

        # watch for file changes
        open($inotifywait,"inotifywait --recursive --monitor --event modify,delete /etc /var/log/yum.log --format '%T %w%f %e' --timefmt '%s' 2>/dev/null|");

        while($line=<$inotifywait>) {

                ($time,$fullpath,$event) = split(/[\s]+/,$line);
                next if(exclude_matched($fullpath));
                ($path,$file)            = $fullpath =~ /(.*)\/([^\/]+)$/;

                $diff = process_delete($path,$file) if($event eq "DELETE");
                $diff = process_modify($path,$file) if($event eq "MODIFY");

                diff_audit_write($time,$fullpath,$diff);

        }
}

main();