google / fswalker

Simple file system integrity checking tooling.
https://google.github.io/fswalker/
Apache License 2.0
102 stars 12 forks source link

fswalker

A simple and fast file system integrity checking tool in Go.

Build Status

Overview

fswalker consists of two parts:

Note: The walker and the reporter have two separate definitions of directories to include and exclude. This is done on purpose so more information can be collected than what is later reviewed. If something suspicious comes up, it is always possible to see more changes than the ones deemed "interesting" in the first place.

Why using fswalker instead of using existing solutions such as Tripwire, AIDE, Samhain, etc?

Installation

go get github.com/google/fswalker/cmd/walker
go get github.com/google/fswalker/cmd/reporter

Configuration

Walker Policy

The Walker policy specifies how a file system is walked and what to write to the output file. Most notably, it contains a list of includes and excludes.

Refer to the proto buffer description to see a complete reference of all options and their use.

The following constitutes a functional example for Ubuntu:

policy.textpb

version: 1
max_hash_file_size: 1048576
walk_cross_device: true
ignore_irregular_files: false
include: "/"
exclude_pfx: "/usr/local/"
exclude_pfx: "/usr/src/"
exclude_pfx: "/usr/share/"
exclude_pfx: "/var/backups/"
exclude_pfx: "/var/cache/"
exclude_pfx: "/var/log/"
exclude_pfx: "/var/mail/"
exclude_pfx: "/var/spool/"
exclude_pfx: "/var/tmp/"

Reporter Config

The reporter allows to specify fewer things in its config, notably excludes. The reason to have additional excludes in the reporter is simple: It allows recording more details in the walks and fewer to be reported. If something suspicious is ever found, it allows going back to previous walks however and check what the status was back then.

The following constitutes a functional example for Ubuntu:

config.textpb

version: 1
exclude_pfx: "/root/"
exclude_pfx: "/home/"
exclude_pfx: "/tmp/"

Refer to the proto buffer description to see a complete reference of all options.

Review File

The following constitutes a functional example:

reviews.textpb

review: {
  key: "some-host.google.com"
  value: {
    walk_id: "457ab084-2426-4ca8-b54c-cefdce543042"
    walk_reference: "/tmp/some-host.google.com-20181205-060000-fswalker-state.pb"
    fingerprint: {
      method: SHA256
      value: "0bfb7506e44dbca14914c3250b2d4d5be005d0de4460c9f298f227bac096f642"
    }
  }
}

Refer to the proto buffer description to see a complete reference of all options.

Examples

The following examples show how to run both the walker and the reporter.

Note that there are libraries for each which can be used independently if so desired. See the implementations of walker and reporter main for a reference on how to use the libraries.

Walker

Once you have a policy as described above, you can run the walker:

walker \
  -policy-file=policy.textpb \
  -output-file-pfx="/tmp"

Add -verbose to see more details about what's going on.

Reporter

Once you have a config as described above and more than one Walk file, you can run the reporter.

Add -verbose to see more details about what's going on.

To allow for easier reviews, -paginate allows to invoke $PAGER (or less if $PAGER is not set) to page through the results.

Direct Comparison

The simplest way to run it is to directly specify two Walk files to compare against each other:

reporter \
  -config-file=config.textpb \
  -before-file=/tmp/some-host.google.com-20181205-060000-fswalker-state.pb \
  -after-file=/tmp/some-host.google.com-20181206-060000-fswalker-state.pb \
  -paginate

Note that you can also run with just -after-file specified which will basically list all files as newly added. This is only really useful with a new machine.

Review File Based

Contrary to the above example, reporter would normally be run with a review file:

reporter \
  -config-file=config.textpb \
  -review-file=reviews.textpb \ # this needs to be writeable!
  -walk-path=/tmp \
  -hostname=some-host.google.com \
  -paginate

The reporter runs, displays all diffs and when deemed ok, updates the review file with the latest "known good" information.

The idea is that the review file contains a set of "known good" states and is under version control and four-eye principle / reviews.

Development

Protocol Buffer

If you change the protocol buffer, ensure you generate a new Go library based on it:

go generate

(The rules for go generate are in fswalker.go.)

License

Apache 2.0

This is not an officially supported Google product