Linux HOWTOs

HOWTO: syscheck
Description: Checks your files to see what has changed
NOTE: I use GNU tar >= 1.13.25, so -j is used for .tar.bz2 files.
It is safe to assume that make, gcc, binutils, fileutils/coreutils, gawk, sed, and grep are prerequisites for almost everything.


# syscheck 0.3
# ============
cd
test -f installed/syscheck-0.3.tar.gz && mv installed/syscheck-0.3.tar.gz .
test ! -f syscheck-0.3.tar.gz &&
 wget http://www.ossec.net/syscheck/files/syscheck-0.3.tar.gz

# Verify tarball w/ md5sum:
echo "0ca011e829b493c1e58091736b8d1df3  syscheck-0.3.tar.gz" | md5sum -c

mkdir -p -m 0700 src
cd src
find -maxdepth 1 -type d -name "syscheck-*" -exec rm -r {} \;
tar xzvf ~/syscheck-0.3.tar.gz
cd syscheck-0.3
test $UID = 0 && chown -R root:root .
chmod -R u+w .

# "Builded" -> "Built", "Scannig" -> "Scanning":
wget -nc http://englanders.cc/pub/linux/patches/syscheck-0.3.patch &&
 patch -p1 < syscheck-0.3.patch

make -f Makefile.example

# Create an initial sample configuration (required by 'make ... install'
# below).  This one is probably most appropriate to be run locally and from
# cron periodically.  For more info about what to put in here, see the two
# samples in ./conf/ and look at the ./README
cat > conf/syscheck.config <<EOF
term = n
syslog = y
daemon = n
chkdir = /sbin/,/bin/,/etc/,/usr/local/sbin/,/usr/local/bin/
EOF

# Become root to install and configure it
su

make -f Makefile.example install

# Create the database:
/usr/local/syscheck/syscheck start

# Check files on your system against the database:
/usr/local/syscheck/syscheck

# If you want to keep the database on a remote (secure) server, modify the
# config file (/usr/local/syscheck/syscheck.config) to look like
# conf/syscheck-remote.config in the source.  scp the config file to the
# remote server, then syscheck will read it remotely.  See the source's
# README for more info.

# You can run it by hand, run it from cron, or have it run as a daemon
# (see the config file).

# To set up an hourly cron job (if you have the
# /etc/cron.(hourly|daily|weekly|monthly) directories set up):
echo '#!/bin/sh' > /etc/cron.hourly/syscheck.sh
echo '/usr/local/syscheck/syscheck' >> /etc/cron.hourly/syscheck.sh
chmod 700 /etc/cron.hourly/syscheck.sh

# Become yourself again
exit

cd
mkdir -p -m 0700 installed
rm -f installed/syscheck-*.tar.*
mv syscheck-0.3.tar.gz installed/
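
# The steps above build the database ("syscheck start") and then compare the
# files under the chkdir directories against it.  The script below is an added
# example, not part of syscheck, that does the same two things in plain sh for
# a syscheck.config-style file, so you can see what a run from cron reports.
# The directory layout and file contents in demo() are constructed for the demo.

```sh
#!/bin/sh
# Added example, not part of syscheck: a minimal file-integrity check in the
# spirit of "syscheck start" (build the database) and a plain "syscheck" run
# (compare the filesystem against it), driven by the 'chkdir = dir1,dir2,...'
# line of a syscheck.config-style file.  Needs find, md5sum, sort, awk, sed.
# Caveat: paths containing whitespace are not handled.

# Print the directories named on the chkdir line, one per line.
chkdirs() {                   # $1 = config file
  sed -n 's/^[[:space:]]*chkdir[[:space:]]*=[[:space:]]*//p' "$1" |
    tr ',' '\n' | sed '/^[[:space:]]*$/d'
}

# Build the database: one "hash  path" line per regular file, sorted by path.
build_db() {                  # $1 = config file, $2 = database file to write
  chkdirs "$1" | while IFS= read -r d; do
    d=${d%/}                                # /sbin/ -> /sbin (keep "/" for root)
    find "${d:-/}" -type f -exec md5sum {} +
  done | sort -k 2 > "$2"
}

# Compare the current state against the database.  Prints one ADDED, CHANGED
# or REMOVED line per difference; exit status 0 means clean, 1 means changes.
check_db() {                  # $1 = config file, $2 = database file
  cur=$(mktemp) && build_db "$1" "$cur"
  awk 'FILENAME == ARGV[1] { old[$2] = $1; next }   # first file: baseline
       !($2 in old)        { print "ADDED   " $2; next }
       old[$2] != $1       { print "CHANGED " $2 }
                           { delete old[$2] }
       END { for (p in old) print "REMOVED " p }' "$2" "$cur" | sort > "$cur.diff"
  if [ -s "$cur.diff" ]; then rc=1; else rc=0; fi
  cat "$cur.diff"; rm -f "$cur" "$cur.diff"
  return $rc
}

# Constructed demo: baseline two files, then change one, add one, remove one.
demo() {
  w=$(mktemp -d)
  mkdir -p "$w/bin" "$w/etc"
  printf 'original\n' > "$w/bin/tool"
  printf 'v1\n' > "$w/etc/app.conf"
  printf 'chkdir = %s/bin/,%s/etc/\n' "$w" "$w" > "$w/syscheck.config"
  build_db "$w/syscheck.config" "$w/db"       # like "syscheck start"
  printf 'tampered\n' > "$w/bin/tool"          # CHANGED
  printf 'x\n' > "$w/bin/new"                   # ADDED
  rm "$w/etc/app.conf"                         # REMOVED
  check_db "$w/syscheck.config" "$w/db" || echo "changes detected"
  rm -rf "$w"
}
demo
```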


Last updated: Wed, 29 Apr 2020 22:04:50 -0400
Jason Englander <jason at englanders dot us>