IWATCH TECHNOLOGY
INTRODUCTION
There are a number of excellent tools to check filesystem integrity; they are an
essential part of your system security.
These tools allow us to detect unwanted manipulation of our system and report it
to the system administrator.
However, the administrator will not learn about an unauthorized change or an
intrusion into the system until the tool scans the filesystem again, which may be
hours later or the next day, depending on when and how often the filesystem
integrity checker is scheduled to run.
It is very important to know about an intrusion as soon as possible. Reacting right
after the break-in, rather than hours later, can avoid serious damage.
Unfortunately, the current filesystem integrity checkers do not have the
functionality to alert the system administrator immediately after the filesystem's
integrity is broken.
This is the reason why iWatch was developed: it tries to fill this gap.
iWatch monitors the filesystem's integrity in real time and sends an alarm to the
system administrator immediately when there is any change in the monitored
filesystem.
IWATCH TECHNOLOGY
iWatch is a realtime filesystem monitoring program.
Its purpose is to monitor any changes in a specific directory or file and send an
email notification immediately after the change.
This can be very useful to watch a sensitive file or directory for any changes,
like the files /etc/passwd and /etc/shadow or the directory /bin, or to monitor the
root directory of a website for unwanted changes.
The application is written in Perl and needs inotify support in Linux kernel >=
2.6.13. It also needs the following third-party Perl modules: Linux::Inotify2,
Event, Mail::Sendmail and XML::Simple. You can get all of these modules from
CPAN as usual.
iWatch can be executed in two modes. The first is daemon mode, where you use
an XML configuration file containing the list of directories and files (targets) to
monitor.
The second is command line mode, where you run it without a configuration
file and pass the necessary information (target to watch, email, exception,
recursivity, events to monitor and command to execute) on the command line.
The options of the two modes cannot be mixed.
In the XML configuration file, each target can have its own email contact point.
This contact point gets an email notification for any change in the monitored
targets. You can monitor a directory recursively, and you can also set up a list of
exceptions: directories or files inside a monitored directory that you do not want
to monitor. It is also possible to disable email notification and instead set up a
command to be executed when an event occurs. By default iWatch monitors only
the following events: close_write, create, delete, move, delete_self and move_self.
But you can specify any possible event, like access, attrib, modify, all_events and
default.
DESIGN OF IWATCH
The iWatch is as fanciful a design as you could wish for. The concept timepiece is
a wrist-sized iPhony, a tiny iPod Touch on a strap. It’s also gorgeous.
The design is from the Italian ADR Studio, and exists only in the world of
Photoshop. The main screen, seen above, shows the time, date and weather
(Rome’s looking very inviting this month). The gallery goes on to show the
Bluetooth syncing options (to iPad and iPhone but not a computer, oddly) and a
picture of the iWatch throwing a projected movie onto a wall (hell, it's a concept
design: why not dream a little?). Read the specs and you learn that there will also
be an RSS reader, Wi-Fi and 16GB memory.
ADR Studio has "tried to imagine a new Apple style product," called the iWatch.
It has an aluminum casing, with 16GB of internal storage and connects to iPhones
or iPads by Wi-Fi or Bluetooth. It could answer calls that come through on the
iPhone in your pocket, or display RSS feeds, weather or photos. An inbuilt pico
projector for beaming photos and video sounds awesome but my wrist feels sore
already just thinking of being held up in order to project a full movie.
USING IWATCH
In daemon mode iWatch has the following options:
Usage: iwatch [-d] [-f <config file>] [-p <pid file>] [-v]
-d Execute the application as a daemon. Without this option iWatch runs in the
foreground.
-f Specify an alternate XML configuration file. By default iWatch reads
/etc/iwatch.xml as its configuration file.
-p Specify an alternate pid file (default: /var/run/iwatch.pid)
-v Verbose mode.
In command line mode iWatch has the following options:
Usage: iwatch [-c command] [-e event[,event[,..]]] [-h|--help] [-m <email address>]
[-r] [-s <on|off>] [-t filter] [-v] [--version] [-x exception] [-X regex] <target>
The target is the directory or file you want to monitor.
-c command
Specify a command to be executed if an event occurs. The following special
strings can be used in the command:
%f Full path of the file that got the event
%p Program name (iWatch)
%v Version number
-e event[,event[,..]]
Specify a list of events you want to watch. The following events are possible:
access : file was accessed (read)
modify : file was modified
attrib : file attributes changed
close_write : file closed, after being opened in writeable mode
close_nowrite : file closed, after being opened in read-only mode
close : file closed, regardless of read/write mode
open : file was opened
moved_from : file was moved out of the watched directory
moved_to : file was moved into the watched directory
move : a file/dir within the watched directory was moved
create : a file was created within the watched directory
delete : a file was deleted within the watched directory
delete_self : the watched file was deleted
unmount : the filesystem on which the watched file exists was unmounted
q_overflow : the event queue overflowed
ignored : file was ignored
isdir : event occurred against a directory
oneshot : only send the event once
all_events : all events
default : close_write, create, delete, move, delete_self and move_self
-h, --help
Print this help.
-m <email address>
Specify the contact point's email address. Without this option, iwatch will not
send any email notification.
-r
Watch the directory recursively.
-s <on|off>
Enable or disable reports to syslog (default is off/disabled).
-t <filter string>
Specify a filter string (regex) to compare with the file or directory name. Events
are reported only if the file/directory name matches the filter string.
-v
Verbose mode.
--version
Print the version number.
-x exception
Specify a file or directory which should not be watched.
-X <regex string as exception>
Specify a regex string as an exception.
EXAMPLE OF CONFIGURATION FILE
<config>
  <guard email="myadmin@localhost" name="IWatch"></guard>
  <watchlist>
    <title>Public Website</title>
    <contactpoint email="webmaster@localhost" name="Web Master"/>
    <path type="single">/var/www/localhost/htdocs</path>
    <path type="single" syslog="on">/var/www/localhost/htdocs/About</path>
    <path type="recursive">/var/www/localhost/htdocs/Photos</path>
  </watchlist>
  <watchlist>
    <title>Operating System</title>
    <contactpoint email="admin@localhost" name="Administrator"/>
    <path type="recursive">/etc/apache2</path>
    <path type="single">/etc/passwd</path>
    <path type="recursive">/etc/mail</path>
    <path type="exception">/etc/mail/statistics</path>
    <path type="single" filter="shadow|passwd">/etc</path>
  </watchlist>
  <watchlist>
    <title>Only Test</title>
    <contactpoint email="root@localhost" name="Administrator"/>
    <path type="single" alert="off" exec="(w;ps -ef)|mail -s %f root@localhost">/tmp/dir1</path>
    <path type="single" events="access,close" alert="off" exec="(w;ps -ef)|mail -s %f root@localhost">/tmp/dir2</path>
    <path type="single" events="default,access" alert="off" exec="(w;ps -ef)|mail -s '%f is accessed' root@localhost">/tmp/dir3</path>
    <path type="single" events="all_events" alert="off">/tmp/dir4</path>
  </watchlist>
</config>
With this configuration, iwatch monitors the single directory /var/www/localhost/htdocs
without its subdirectories, and any notification is sent to the contact point
webmaster@localhost. It monitors the whole directory tree of /etc/apache2, however,
including any subdirectories created after iWatch is started. You can also use an
exception here if you do not want notifications for a file or subdirectory inside the
monitored directory.
EXAMPLE OF THE COMMAND LINE MODE
iwatch /tmp
monitor changes in the /tmp directory with the default events
iwatch -r -e access,create -m cahya@localhost -x /etc/mail /etc
monitor only access and create events in the /etc directory recursively, with /etc/mail as
an exception, and send email notifications to cahya@localhost.
iwatch -r -c "(w;ps -ef)|mail -s '%f was changed' cahya@localhost" /bin
monitor the /bin directory recursively and execute the command on each event.
iwatch -r -X '.svn' ~/projects
monitor the ~/projects directory recursively, but exclude any .svn directories inside it. This
cannot be done with the normal '-x' option, since '-x' can only exclude the given path.
iWatch is very simple to use. Suppose you want to watch for changes in the /etc filesystem;
you just need to run it in the console:
$ iwatch /etc
and iwatch will tell you if something changes in this directory. If you want to be
notified by email:
$ iwatch -m admin@smsgw.local /etc
In this case the admin gets an email notification (you could use your SMS gateway
account here, so that you are alerted immediately, anytime and anywhere). If you want to
monitor many different directories, you can use a configuration file. This configuration
file is an XML file with an easily understandable structure.
<config>
  <guard email="iwatch@localhost" name="iWatch"/>
  <watchlist>
    <title>Operating System</title>
    <contactpoint email="admin@localhost" name="admin"/>
    <path type="single">/etc</path>
    <path type="single">/sbin</path>
    <path type="recursive">/dev</path>
    <path type="exception">/dev/pts</path>
  </watchlist>
  <watchlist>
    <title>Website</title>
    <contactpoint email="webmaster@localhost" name="webmaster"/>
    <path type="recursive">/var/www/localhost/htdocs</path>
  </watchlist>
</config>
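As an added illustration (not iWatch's own code), the following Python script models how a configuration in the format shown above and in the command-line examples routes a filesystem event: single versus recursive scope, exception paths, the filter regex, expansion of the default event keyword, and %f substitution in an exec command. The configuration string, path names and events are constructed for the example.

```python
import re
import shlex
import xml.etree.ElementTree as ET
from pathlib import PurePosixPath

# Default event set as documented, then a constructed config modelled on the documented examples.
DEFAULT_EVENTS = {"close_write", "create", "delete", "move", "delete_self", "move_self"}
CONFIG_XML = """<config>
 <watchlist>
  <contactpoint email="admin@localhost" name="Administrator"/>
  <path type="recursive">/etc/mail</path>
  <path type="exception">/etc/mail/statistics</path>
  <path type="single" filter="shadow|passwd">/etc</path>
  <path type="single" events="default,access" alert="off" exec="mail -s %f root@localhost">/tmp/dir1</path>
 </watchlist>
</config>"""

def expand_events(spec):
    """'default,access' -> the documented default set plus 'access'."""
    names = set(spec.split(","))
    return (names - {"default"}) | (DEFAULT_EVENTS if "default" in names else set())

def load_rules(xml_text):  # -> (watch rules, one per path; exception paths)
    watches, exceptions = [], []
    for wl in ET.fromstring(xml_text).iter("watchlist"):
        contact = wl.find("contactpoint").get("email")
        for p in wl.iter("path"):
            if p.get("type") == "exception":
                exceptions.append(PurePosixPath(p.text))
            else:
                watches.append({"root": PurePosixPath(p.text), "contact": contact,
                                "recursive": p.get("type") == "recursive",
                                "events": expand_events(p.get("events", "default")),
                                "filter": re.compile(p.get("filter", "")),
                                "alert": p.get("alert", "on") != "off", "exec": p.get("exec")})
    return watches, exceptions

def route(path, event, watches, exceptions):  # -> [(kind, detail), ...]
    path, actions = PurePosixPath(path), []
    excluded = any(exc == path or exc in path.parents for exc in exceptions)
    for w in watches:
        direct = path == w["root"] or path.parent == w["root"]        # "single" scope
        if excluded or not (direct or w["recursive"] and w["root"] in path.parents) \
                or event not in w["events"] or not w["filter"].search(path.name):
            continue
        if w["exec"]:  # %f comes from the filesystem event, so quote it before a shell sees it
            actions.append(("exec", w["exec"].replace("%f", shlex.quote(str(path)))))
        if w["alert"]:
            actions.append(("mail", w["contact"]))
    return actions
```

A change to /etc/shadow is mailed to the contact point because the filter matches, a change under /etc/mail/statistics is dropped by the exception, and an access in /tmp/dir1 runs the command with the path quoted instead of sending mail.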
IWATCH CONCEPT IS LIKE AN IPHONE ON YOUR WRIST
This iWatch concept is designed to pair up with your iPhone, sharing information and
allowing you to see all sorts of information without pulling your phone out of your
pocket. And it's pretty damned slick.
The watch, which would connect to your phone via Bluetooth, would have 16GB of
internal storage and would allow you to do things like answer calls via it, display RSS
feeds, show you the weather or let you flip through photos. There's also a built-in pico
projector for letting you show videos on a nearby wall.
FEATURES
runs in command line mode as well as in daemon mode
uses an easy XML configuration file
can watch a directory recursively, including newly created subdirectories
can have a list of exceptions
can use a regex to match the file/directory name
can execute a command if an event occurs
sends email
reports to syslog
prints time stamps
CONCLUSION
Thus iWatch is a real time monitoring system that sends an alarm to the system
administrator immediately when there is any change in the monitored filesystem.
It is mainly useful for administrators to protect their systems.