An automated python tool that scans the sensitive files /etc/passwd and /etc/shadow containing user information in the unix system to monitor the file integrity
When an enterprise Linux server is compromised, one of the immediate actions taken by the attacker is to create a backdoor user to achieve persistence. Once a new user is created, /etc/passwd and /etc/shadow (which contain all user information in the system) will be modified.
This lightweight Python tool is designed to check the integrity of these sensitive files by comparing them with their initial SHA-256 hash values every hour. Alerts will be sent to a SOC Webhook server if discrepancies are detected, allowing incident responders to take immediate remediation action.
- certifi (v2.7.0)
- charset-normalizer (v3.4.7)
- idna (v3.15)
- requests (v2.34.2)
- urllib3 (v2.7.0)
1. System Update and Installation of Python
sudo apt update && sudo apt install -y python3.12-venv
2. Configure a Discord Webhook Server
2-1. Navigate to Discord and Login

2-2. Scroll down the navbar on the left and press "Add a Server"

2-3. Create Your Server
choose "Create My Own"

2-4. Tell Us About Your Server
choose "For me and my friends"

2-5. Customize Your Server
Give a name to your server; I named mine "File Integrity Monitor"
2-6. A server is installed
Click the Gear icon next to # general

2-7. Click "Integrations"

2-8. Click "Create Webhook" button


2-9. Click the "Copy Webhook URL" button, which copies the URL to your clipboard

2-10. Great! The Webhook server is created!
1. Clone the Repo
git clone https://github.com/abc1230940/file-integrity-monitor.git
2. Navigate into the folder
cd file-integrity-monitor
3. Set up the virtual environment
python3 -m venv env
4. Activate the virtual environment
source env/bin/activate
5. Install the required dependencies
pip install -r requirements.txt
6. Deactivate the virtual environment when finished
deactivate
1. Edit the python script and then save
nano file_integrity_monitor.py
❗The monitor is designed to scan the sensitive files (/etc/passwd and /etc/shadow), but you can edit it to scan other target file paths
❗Paste the Webhook URL you copied to the clipboard earlier
2. Launch the file integrity monitor script to begin monitoring
sudo python3 file_integrity_monitor.py
3. If the attacker created a backdoor user on the system upon compromise
useradd hacker
passwd hacker
A backdoor user "hacker" was added into /etc/passwd and /etc/shadow
4. After an hour the script ran again, detected that the files had been edited, and showed the following alert
5. The alert was also sent to your webhook server, so you are alerted immediately on your workstation
6. The monitor runs automatically every hour (3600 seconds) to keep checking file integrity
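As an added example (not the repository's own file_integrity_monitor.py), here is the hourly baseline-hash check described above in a form you can exercise without the webhook: the baseline, the comparison and the alert payload are separate functions, and it uses only the standard library, so it also runs under the system interpreter that `sudo python3` invokes outside the virtual environment. The webhook URL is a placeholder you replace with your own.

```python
import hashlib
import json
import socket
import time
import urllib.request
from pathlib import Path
WATCHED_FILES = ["/etc/passwd", "/etc/shadow"]  # the files the README monitors
INTERVAL_SECONDS = 3600                         # hourly check, as in the README
WEBHOOK_URL = "https://discord.com/api/webhooks/PLACEHOLDER"  # paste your own URL

def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:                          # hash in 64 KiB chunks so a
        for chunk in iter(lambda: fh.read(65536), b""):   # large file is never read whole
            digest.update(chunk)
    return digest.hexdigest()

def take_baseline(paths):
    return {p: sha256_of(p) for p in paths}  # initial hashes, taken once at startup

def check_integrity(baseline):
    """Return {path: (baseline_hash, current_hash)} for every changed file; deleted -> None."""
    changed = {}
    for path, old in baseline.items():
        new = sha256_of(path) if Path(path).exists() else None
        if new != old:
            changed[path] = (old, new)
    return changed

def build_alert(changed, hostname):
    """Discord webhooks accept a JSON body whose 'content' field is the message text."""
    lines = [f"[FIM] integrity violation on {hostname}"]
    for path, (old, new) in changed.items():
        lines.append(f"{path}: {old[:12]}... -> {(new or 'MISSING')[:12]}...")
    return {"content": "\n".join(lines)}

def send_alert(payload, url=WEBHOOK_URL):
    req = urllib.request.Request(url, data=json.dumps(payload).encode(), method="POST",
                                 headers={"Content-Type": "application/json", "User-Agent": "fim/1.0"})
    with urllib.request.urlopen(req, timeout=10) as resp:  # plain stdlib POST, no requests needed
        return resp.status

if __name__ == "__main__":
    baseline = take_baseline(WATCHED_FILES)  # taken once; an alert repeats hourly until re-baselined
    while True:
        time.sleep(INTERVAL_SECONDS)
        changed = check_integrity(baseline)
        if changed:
            send_alert(build_alert(changed, socket.gethostname()))
```

Because the baseline is the initial hash, as in the README, a modified file keeps alerting every interval until the monitor is restarted after the change has been reviewed.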
LetsDefend - Python for Blue Team
Discord
