- #!/usr/bin/perl
- #
- # - Track files in /etc
- # - Create audit log message with diff for every changed file
- #
use strict;
use warnings;
use MIME::Base64;
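# ---------------------------------------------------------------------------
# Process helpers.
#
# Every external command is started with the list form of exec(), so the
# directory and file name taken from inotifywait reach git/diff/auditctl as
# single arguments and are never re-parsed by /bin/sh.  Interpolating them
# into a shell string (as this script originally did, e.g.
# "cd $path ; git add -f $file") lets a name containing a quote, "$(...)" or
# ";" run arbitrary commands with this script's privileges - and auditctl
# only works with root's.  Output is silenced by redirecting the child's own
# descriptors instead of "&>/dev/null": that operator is a bashism, and with a
# POSIX /bin/sh such as dash it backgrounds the command, so the exit status
# the script tested was that of an empty redirection, never git's.
# ---------------------------------------------------------------------------

# Fork a child that chdir()s to $dir (when defined), sends its STDERR to
# /dev/null and exec()s @cmd.  Returns a read handle on the child's STDOUT,
# or nothing when the fork fails.  close() on the handle reaps the child and
# leaves its wait status in $?.
sub _open_in {
    my ($dir, @cmd) = @_;
    my $pid = open(my $fh, '-|');    # implicit fork: the "safe pipe open" of perlipc
    return unless defined $pid;
    if ($pid == 0) {                 # child
        if (defined $dir) {
            chdir($dir) or exit 127;
        }
        open(STDERR, '>', '/dev/null') or exit 127;
        # block form: never goes through a shell, even for a one-element @cmd
        exec { $cmd[0] } @cmd or exit 127;
    }
    return $fh;
}

# Run @cmd in $dir and return everything it wrote to STDOUT as one string;
# '' when it could not be started or printed nothing.
sub _capture_in {
    my ($dir, @cmd) = @_;
    my $fh = _open_in($dir, @cmd) or return '';
    my $out = do { local $/; <$fh> };
    close($fh);
    return defined $out ? $out : '';
}

# Run @cmd in $dir, discard its output and return true on exit status 0.
sub _run_in {
    my ($dir, @cmd) = @_;
    my $fh = _open_in($dir, @cmd) or return 0;
    my $discard = do { local $/; <$fh> };    # drain, or the child may block on a full pipe
    close($fh);                              # sets $? from the child's wait status
    return $? == 0;
}

# True when $file is tracked by the git repository rooted at $path.
sub _git_tracked {
    my ($path, $file) = @_;
    return _run_in($path, 'git', 'ls-files', '--error-unmatch', '--', $file);
}

# Unstaged changes of $file (working tree vs. index) in the repository at $path.
sub _git_diff {
    my ($path, $file) = @_;
    return _capture_in($path, 'git', 'diff', '--', $file);
}

# ---------------------------------------------------------------------------
# Tracking logic.
# ---------------------------------------------------------------------------

# Make sure $path/$file is committed to git.  When the file was not tracked
# yet it is added and committed, and a unified diff of the whole file against
# /dev/null is returned; for an already tracked file '' is returned.
sub ensure_file_is_in_git {
    my ($path, $file) = @_;
    my $diff = '';
    unless (_git_tracked($path, $file)) {
        # --force: the path may be excluded by /etc's .gitignore and we want
        # it recorded regardless.  "--" keeps a name starting with "-" from
        # being read as an option.
        _run_in($path, 'git', 'add', '-f', '--', $file);
        _run_in($path, 'git', 'commit', '-m', "added new file $path/$file", '--', $file);
        $diff = _capture_in(undef, 'diff', '-Nru', '/dev/null', "$path/$file");
    }
    return $diff;
}

# Decide whether a change to $file should be ignored.  Returns 1 for
#   - anything below /etc/.git or named .etckeeper (tracking our own
#     bookkeeping would loop),
#   - editor swap files (.name.swp .. .swz),
#   - backup files ending in "~",
# and 0 otherwise.
sub exclude_matched {
    my ($file) = @_;
    return 1 if $file =~ /(\/etc\/\.git|\.etckeeper)/;
    return 1 if $file =~ /\.[^\/]+\.sw[p-z]$/;
    return 1 if $file =~ /\~$/;
    return 0;
}

# Handle a DELETE event for $path/$file.  A tracked file is removed from the
# repository and the removal committed; the diff that shows the deleted
# content is returned.  An untracked file is ignored and '' returned.
sub process_delete {
    my ($path, $file) = @_;
    return '' unless _git_tracked($path, $file);
    # the file is already gone from the working tree, so this diff is the
    # complete removal
    my $diff = _git_diff($path, $file);
    _run_in($path, 'git', 'rm', '--', $file);
    _run_in($path, 'git', 'commit', '-m', "deleted-file-$file", '--', $file);
    return $diff;
}

# Handle a MODIFY event for $path/$file.  A file that is not tracked yet is
# added (its diff is then the whole file); otherwise the diff against the
# last commit is taken and, when non-empty, committed.  Returns the diff.
sub process_modify {
    my ($path, $file) = @_;
    my $diff = ensure_file_is_in_git($path, $file);
    # an already tracked file yields '' above; use git's diff instead
    $diff = _git_diff($path, $file) unless $diff;
    if ($diff ne '') {
        _run_in($path, 'git', 'commit', '-m', 'auto-commit-' . time(), '--', $file);
    }
    return $diff;
}

# Emit one audit user message for a non-empty $diff of $fullpath and print a
# one-line summary.  The diff is base64-encoded without line breaks, because
# special characters and newlines are not acceptable in the message.
# NOTE(review): audit user messages have a fixed maximum length, so a large
# diff may be rejected or truncated - the auditctl exit status is reported
# below but the message is not split; confirm the limit for the target
# kernel/audit version.
sub diff_audit_write {
    my ($time, $fullpath, $diff) = @_;
    return if !defined $diff || $diff eq '';    # nothing to report
    my $encoded = encode_base64($diff, '');     # '' as EOL: no line breaks at all
    my $message = "file_content_tracker $fullpath $encoded";
    if (system('auditctl', '-m', $message) != 0) {
        warn "auditctl failed for $fullpath (status $?)\n";
    }
    print("file change detected: file=$fullpath,time=$time,diff_length=" . length($encoded) . "\n");
    return;
}

# Watch /etc (recursively) and /var/log/yum.log for modifications and
# deletions and record every change as a commit plus an audit message.  Runs
# until inotifywait exits.
# NOTE(review): yum.log lives outside /etc; unless /var/log is itself a git
# repository, _git_tracked() is presumably always false for it and every
# change is reported as a full-file diff by ensure_file_is_in_git().
sub main {
    my @watch = (
        'inotifywait', '--recursive', '--monitor',
        '--event', 'modify,delete',
        '/etc', '/var/log/yum.log',
        '--format', '%T %w%f %e', '--timefmt', '%s',
    );
    my $inotifywait = _open_in(undef, @watch)
        or die "cannot start inotifywait: $!\n";
    while (my $line = <$inotifywait>) {
        chomp $line;
        # "<epoch> <path> <events>": the path may contain blanks, the other
        # two fields cannot, so anchor on both ends instead of splitting on
        # whitespace (which assigned a truncated path and a wrong event).
        my ($time, $fullpath, $event) = $line =~ /^(\d+)\s+(.*?)\s+(\S+)$/;
        next unless defined $event;
        next if exclude_matched($fullpath);
        my ($path, $file) = $fullpath =~ /(.*)\/([^\/]+)$/;
        next unless defined $file;
        # $diff is scoped to this event: with a loop-wide variable an event
        # that matches neither branch (e.g. "DELETE,ISDIR") re-reported the
        # previous event's diff.
        my $diff = '';
        if ($event eq 'DELETE') {
            $diff = process_delete($path, $file);
        }
        elsif ($event eq 'MODIFY') {
            $diff = process_modify($path, $file);
        }
        diff_audit_write($time, $fullpath, $diff);
    }
    close($inotifywait);
    return;
}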
# Entry point: main() returns only when the inotifywait pipe is closed.
main();