With the introduction of IWatch things start to really get interesting in the world of live security monitoring. Unfortunately the documentation is VERY poor in one area.
Generally you can watch a directory and be notified as soon as anything happens in it, monitor processes and be notified as soon as a process dies, or monitor a log file and be notified when something happens to the file. For example, let's monitor the /etc directory recursively for any changes:
/etc/iwatch/iwatch.xml:
<?xml version="1.0" ?>
<!DOCTYPE config SYSTEM "/etc/iwatch/iwatch.dtd" >
<config>
  <guard email="IWatch@server.domain.tld" name="IWatch"/>
  <watchlist>
    <title>Operating System</title>
    <contactpoint email="user@domain.tld" name="Administrator"/>
    <path type="single" syslog="on">/bin</path>
    <path type="single" syslog="on">/sbin</path>
    <path type="single" syslog="on">/usr/bin</path>
    <path type="single" syslog="on">/usr/sbin</path>
    <path type="recursive">/etc</path>
  </watchlist>
</config>
I have kept the above config very simple, and as you can see I set up a recursive watch on /etc. The problem now lies in not getting bombarded with mails that you don't need. For example, I use the denyhost package to help keep idiots off my server. The problem is that once denyhost is running and somebody attempts to access my server, denyhost updates the /etc/hosts.deny file and in the process generates a LOT of IWatch warnings. Below is the general IWatch config that excludes those files from triggering an event:
<?xml version="1.0" ?>
<!DOCTYPE config SYSTEM "/etc/iwatch/iwatch.dtd" >
<config>
  <guard email="IWatch@www.itadmins.net" name="IWatch"/>
  <watchlist>
    <title>Operating System</title>
    <contactpoint email="chuck@itadmins.net" name="Administrator"/>
    <path type="single" syslog="on">/bin</path>
    <path type="single" syslog="on">/sbin</path>
    <path type="single" syslog="on">/usr/bin</path>
    <path type="single" syslog="on">/usr/sbin</path>
    <path type="recursive">/etc</path>
    <path type="exception">/etc/hosts.deny</path>
    <path type="exception">/etc/hosts.deny.old</path>
    <path type="exception">/etc/hosts.deny.purge.tmp</path>
    <path type="exception">/etc/hosts.deny.purge.bak</path>
  </watchlist>
</config>
Now the above helps a LOT; however, there is still the problem of the temp files that get created. This is where the documentation for IWatch just sucks. There is a handy little path type called “regexception” in IWatch, but a lot of people have trouble with it because the documentation is really crap.
<?xml version="1.0" ?>
<!DOCTYPE config SYSTEM "/etc/iwatch/iwatch.dtd" >
<config>
  <guard email="IWatch@www.itadmins.net" name="IWatch"/>
  <watchlist>
    <title>Operating System</title>
    <contactpoint email="chuck@itadmins.net" name="Administrator"/>
    <path type="single" syslog="on">/bin</path>
    <path type="single" syslog="on">/sbin</path>
    <path type="single" syslog="on">/usr/bin</path>
    <path type="single" syslog="on">/usr/sbin</path>
    <path type="recursive">/etc</path>
    <path type="regexception">sed.*</path>
    <path type="exception">/etc/hosts.deny</path>
    <path type="exception">/etc/hosts.deny.old</path>
    <path type="exception">/etc/hosts.deny.purge.tmp</path>
    <path type="exception">/etc/hosts.deny.purge.bak</path>
  </watchlist>
</config>
As you can see, first comes the path to watch. Directly after it comes the regexception, which applies to the preceding path and contains only the regex of the files to be ignored. It's as simple as that.
Now let's clean this up a bit, get rid of all the /etc/hosts.deny based exceptions, and merge them into one line with the sed.* regexception.
<?xml version="1.0" ?>
<!DOCTYPE config SYSTEM "/etc/iwatch/iwatch.dtd" >
<config>
  <guard email="IWatch@www.itadmins.net" name="IWatch"/>
  <watchlist>
    <title>Operating System</title>
    <contactpoint email="chuck@itadmins.net" name="Administrator"/>
    <path type="single" syslog="on">/bin</path>
    <path type="single" syslog="on">/sbin</path>
    <path type="single" syslog="on">/usr/bin</path>
    <path type="single" syslog="on">/usr/sbin</path>
    <path type="recursive">/etc</path>
    <path type="regexception">sed.*|hosts.deny.*</path>
  </watchlist>
</config>
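To check which events a watchlist would still report before rolling it out, here is a small added Python evaluator (example code, not from the post and not iwatch's own code) that reads an iwatch-style config and applies the exception and regexception rules to a given event path. It assumes, as described above, that an exception or regexception belongs to the preceding path entry, and additionally assumes the regex is searched unanchored against the full event path (iwatch's own matching code is not verified here); the sample config is constructed from the final one above with placeholder addresses.

```python
# Added example (not from the post or from iwatch itself): decide whether an
# event on a path would be reported under an iwatch-style watchlist.
# ASSUMPTION: regexceptions are tested with an unanchored search against the
# full event path; iwatch's own matching code is not verified here.
import re
import xml.etree.ElementTree as ET

# Constructed sample: the post's final config, with placeholder addresses.
CONFIG_XML = """<?xml version="1.0" ?>
<!DOCTYPE config SYSTEM "/etc/iwatch/iwatch.dtd">
<config>
  <guard email="IWatch@example.invalid" name="IWatch"/>
  <watchlist>
    <title>Operating System</title>
    <contactpoint email="admin@example.invalid" name="Administrator"/>
    <path type="single" syslog="on">/bin</path>
    <path type="recursive">/etc</path>
    <path type="regexception">sed.*|hosts.deny.*</path>
  </watchlist>
</config>"""

def parse_watchlist(xml_text):
    """Return [[root, kind, exact_exceptions, compiled_regexes], ...]."""
    watches = []
    for p in ET.fromstring(xml_text).iter("path"):
        kind, value = p.get("type"), (p.text or "").strip()
        if kind in ("single", "recursive"):
            watches.append([value, kind, [], []])
        elif kind == "exception":        # applies to the preceding <path>
            watches[-1][2].append(value)
        elif kind == "regexception":     # likewise, but as a regex
            watches[-1][3].append(re.compile(value))
    return watches

def _covered(root, kind, event_path):
    # single = direct children of the directory only; recursive = any descendant
    root = root.rstrip("/")
    if not event_path.startswith(root + "/"):
        return False
    return kind == "recursive" or "/" not in event_path[len(root) + 1:]

def is_reported(watches, event_path):
    """True if an event on event_path would trigger a notification."""
    for root, kind, excepts, regexes in watches:
        if not _covered(root, kind, event_path):
            continue
        if event_path in excepts or any(r.search(event_path) for r in regexes):
            return False
        return True
    return False  # not under any watched path at all
```

Running the evaluator also shows why an unanchored pattern such as sed.* deserves a second look: it matches any path containing "sed", so a change to a file like /etc/cron.d/unused_job would go unreported as well. Anchoring the pattern to the filename (for instance /sed[^/]*$) keeps the exclusion limited to sed's temporary files.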
Enjoy.