iWatch News
11/14/09 iWatch version 0.2.2 is released
  • Fix the bug that occurred when the name of the file being watched contained one of the formats available for substitution
  • Watch a renamed/moved directory properly
  • Fix unnecessary watching of the create event
  • Add the ability to reload the configuration file with the SIGHUP signal
  • Add the ability to specify the charset

2/14/07 iWatch version 0.2.1 is released
  • Option -X was added: an exception specified as a regular expression.
  • New string formats in the command option
  • It now sends email for all defined events.

1/28/07 iWatch version 0.2.0 is released
  • Validation of xml configuration using DTD file
  • Replacing XML::Simple with XML::SimpleObject::LibXML

1/20/07 New Website is launched
  • This website has been redesigned by Karina

1/14/07 iWatch version 0.1.0 is released
  • Move from alpha status to beta.
  • Minor fixes and documentation updates.

11/05/06 iWatch version 0.0.12 is released
  • Options --help and --version are now supported
  • Support a pid file; the default is /var/run/iwatch.pid

9/27/06 iWatch version 0.0.10 is released
  • Add option -q (quiet mode): no output to the console or syslog for each monitored directory.
  • Now you can do "iwatch /"

9/17/06 iWatch version 0.0.9 is released
  • Add option -t or filter="regex string". Events are reported only if the file/directory name matches the filter string.

8/21/06 iWatch version 0.0.8 is released
  • Now using taint mode ("-T") to improve security
  • Syslog messages are disabled by default, but they can be enabled or disabled for each watched directory/file. Use syslog="on" in the configuration file or option -s to enable the syslog report.
  • In command line mode, the option -w is deprecated. Instead, the directory/file name can be given as an argument without option -w (e.g. ./iwatch /bin)
  • Add a time stamp to the output.

Introduction

There are a number of excellent tools to check filesystem integrity; they are an essential part of your system security. These tools allow us to detect unwanted manipulation of our system and report it to the system administrator. However, the administrator will not know about the unauthorized change or the intrusion into the system until the tool scans the filesystem again, maybe in the next few hours or on the next day, depending on the schedule that determines when and how often the filesystem integrity checker runs.

It is very important to know about an intrusion as soon as possible. Big damage can be avoided if you can react right after the break-in, not hours later. Unfortunately the current filesystem integrity checkers do not have the functionality to alert the system administrator immediately after the filesystem's integrity is broken. This is the reason why iWatch was developed: it tries to fill this gap. iWatch monitors the filesystem's integrity in real time and sends an alarm immediately to the system administrator when there is any change in the monitored filesystem.

iWatch is written in Perl and based on inotify, a file change notification system: a kernel feature that allows applications to request the monitoring of a set of files against a list of events. Inotify was first introduced in Linux kernel version 2.6.13.

Using iWatch

iWatch is very simple to use. Suppose you want to watch for changes in the /etc directory; you just need to run it in the console:

$ iwatch /etc

and iwatch will tell you if something changes in this directory. If you want to be notified by email:

$ iwatch -m admin@smsgw.local /etc

In this case, the admin will get an email notification (you could use your SMS gateway account, so you are alerted immediately, anytime and anywhere). If you want to monitor many different directories, you can use a configuration file. This configuration file is an XML file with an easily understandable structure.

<config>
  <guard email="iwatch@localhost" name="iWatch"/>
  <watchlist>
    <title>Operating System</title>
    <contactpoint email="admin@localhost" name="admin"/>
    <path type="single">/etc</path>
    <path type="single">/sbin</path>
    <path type="recursive">/dev</path>
    <path type="exception">/dev/pts</path>
  </watchlist>
  <watchlist>
    <title>Website</title>
    <contactpoint email="webmaster@localhost" name="webmaster"/>
    <path type="recursive">/var/www/localhost/htdocs</path>
  </watchlist>
</config>
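As an added illustration of the kernel interface iWatch builds on (this is not iWatch's own code, which is Perl), the following Python script calls inotify through libc with ctypes, watches a directory the way a "single" or "recursive" path in the configuration above would, and decodes the raw events into the event names an alert would carry. It assumes Linux; the event bits are the values from the Linux header <sys/inotify.h>, and the class and function names are my own.

```python
import ctypes
import os
import select
import struct

# Event bits from <sys/inotify.h> (Linux); only the ones a change monitor needs.
IN_MODIFY, IN_ATTRIB, IN_MOVED_FROM, IN_MOVED_TO = 0x002, 0x004, 0x040, 0x080
IN_CREATE, IN_DELETE, IN_DELETE_SELF, IN_ISDIR, IN_NONBLOCK = 0x100, 0x200, 0x400, 0x40000000, 0o4000
_NAMES = "IN_MODIFY IN_ATTRIB IN_MOVED_FROM IN_MOVED_TO IN_CREATE IN_DELETE IN_DELETE_SELF".split()
EVENT_NAMES = {globals()[n]: n for n in _NAMES}  # bit -> name, for readable alerts
DEFAULT_MASK = sum(EVENT_NAMES)  # the bits are distinct, so the sum equals the bitwise OR

_libc = ctypes.CDLL(None, use_errno=True)  # the interpreter is already linked against libc
_libc.inotify_init1.argtypes = [ctypes.c_int]
_libc.inotify_add_watch.argtypes = [ctypes.c_int, ctypes.c_char_p, ctypes.c_uint32]
_HDR = struct.Struct("iIII")  # struct inotify_event: int wd; uint32_t mask, cookie, len; then name[len]

def event_names(mask):
    return [name for bit, name in EVENT_NAMES.items() if mask & bit]

class Watcher:
    def __init__(self):
        self.fd = _libc.inotify_init1(IN_NONBLOCK)
        if self.fd < 0:
            raise OSError(ctypes.get_errno(), "inotify_init1 failed")
        self.wd_to_path = {}  # watch descriptor -> directory it covers

    def add(self, path, recursive=False, mask=DEFAULT_MASK):
        """Watch one directory ('single') or every directory below it ('recursive').
        Directories created later are not covered; a full monitor adds a watch when it
        sees IN_CREATE with IN_ISDIR under a recursive path."""
        dirs = [root for root, _, _ in os.walk(path)] if recursive else [path]
        for d in dirs:
            wd = _libc.inotify_add_watch(self.fd, d.encode(), mask)
            if wd < 0:
                raise OSError(ctypes.get_errno(), "inotify_add_watch failed: " + d)
            self.wd_to_path[wd] = d
        return len(dirs)

    def poll(self, timeout=1.0):
        """Drain the queue: one (full path, is_directory, [event names]) per event."""
        if not select.select([self.fd], [], [], timeout)[0]:
            return []
        buf, off, events = os.read(self.fd, 64 * 1024), 0, []
        while off < len(buf):
            wd, mask, _cookie, length = _HDR.unpack_from(buf, off)
            off += _HDR.size
            name = buf[off:off + length].split(b"\0", 1)[0].decode(errors="replace")
            off += length
            base = self.wd_to_path.get(wd, "?")
            events.append((os.path.join(base, name) if name else base, bool(mask & IN_ISDIR), event_names(mask)))
        return events
```

To monitor a tree the way "iwatch /etc" does, create a Watcher, call add("/etc", recursive=True), and loop forever printing or mailing whatever poll() returns; every change is reported as the kernel delivers it, not at the next scheduled scan.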