2 releases
0.1.3 | Jun 17, 2022 |
---|---|
0.1.2 | Jun 17, 2022 |
0.1.1 |
|
#21 in #file-integrity
26KB
620 lines
Snitch - Intrusion Notification
Snitch is a file integrity and authentication monitoring system.
-
Snitch calculates and stores hashes of files found by recursing user defined directory trees. If a file hash changes Snitch will send a warning to the user (via email or telegram) to notify about the modified file.
-
Snitch also watches authentication logs and sends a notification when user logs in.
Requirements
This is work in progress that requires rust nightly
features:
rustup default nightly
On a plain Ubuntu/Debian you also need to:
apt install gcc build-essential pkg-config libssl-dev
Installation
cargo install snitch
Note that access to root level folders and monitoring authentication logs usually requires an installation as root
.
Usage
Run the initial scan
snitch --init
and trigger a scan to verify file integrity with
snitch --scan
To start watching authentication logs use:
snitch --watch
Configuration
Snitch can be configured in etc/snitch/config.yaml
. If that file does not exist you can run
snitch --demo-config > /etc/snitch/config.yaml
to create a template that should be fine on Ubuntu
and Debian
.
All files found under directories
in that file will be integrity checked.
Notification Channels
Telegram
Requires environment variables: TELEGRAM_BOT_TOKEN
and TELEGRAM_CHAT_ID
.
Slack
Requires environment variables: SLACK_WEBHOOK_URL
and SLACK_CHANNEL
.
Requires environment variables: SMTP_SERVER
, SMTP_USER
and SMTP_PASSWORD
. Note, that storing email credentials on your system in clear text is a rather high risk once someone gained access. Thus, this should rather be used for development for now.
Performance
Ubuntu20.04
(~150.000 files) takes about one minute to hash on one virtual CPU using SHA265
hashing.
Dependencies
~33–67MB
~1.5M SLoC