Linux File Watcher

A ready-to-install, second-opinion, on-access scanner for Linux systems.
Summary

Designed to be installed onto Linux systems, this Plugin Type monitors and scans file system activity in locations that you specify.

With the code up on GitHub, the Plugin Type is readily extensible, but it can also be used out of the box with a default configuration suitable for common scenarios.

About

What is the Linux File Watcher?

The Linux File Watcher is an inotify-based daemon that starts at system startup and keeps running as a system service, via systemd on most distributions.

What are the features?

  • Lazy On Access Scanning - Monitor file access and automatically submit files for analysis
  • Out of Box Defaults - Comes with default API keys and configuration so it works out of the box
  • Configurable Watch Directories - Configure which directories to watch for activity
  • Infected File Deletion - Delete infected files
  • Secplugs Portal - With a registered API key you can access all the core Secplugs features via the portal.

How does it work?

At startup, the daemon reads the configuration file and initialises the process with all the directories listed in the configuration.
The daemon monitors for files created in or moved into the configured directories. When it detects a file, the file is sent to Secplugs for a score-based scan.
If the scan finds the file to be malicious, the file is removed from the filesystem. The configuration is deliberately minimal: the list of directories to monitor is the only mandatory setting. Optional settings include the vendor to use for scanning the files and the API key.
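The watch loop described above, as an added illustration rather than the project's own code: raw inotify via ctypes, a hypothetical scan(path) callable standing in for the Secplugs API call, and the assumption that a score at or above a threshold means malicious. demo() builds a temporary directory and fake scores so it runs offline.

```python
import ctypes, os, select, shutil, struct, tempfile
libc = ctypes.CDLL(None, use_errno=True)  # inotify via libc, constants from <sys/inotify.h>
IN_CLOSE_WRITE, IN_MOVED_TO, IN_ISDIR = 0x08, 0x80, 0x40000000
EVENT_HDR = struct.Struct("iIII")  # wd, mask, cookie, length of the name field

def parse_events(buf):
    """Split one raw inotify read() buffer into (wd, mask, name) tuples."""
    events, off = [], 0
    while off + EVENT_HDR.size <= len(buf):
        wd, mask, _cookie, length = EVENT_HDR.unpack_from(buf, off)
        off += EVENT_HDR.size
        name = buf[off:off + length].split(b"\0", 1)[0].decode()
        off += length
        events.append((wd, mask, name))
    return events

class Watcher:
    def __init__(self, dirs, scan, threshold=70):
        # scan(path) -> score is hypothetical (stands in for the Secplugs call);
        # treating score >= threshold as malicious is an assumption.
        self.scan, self.threshold = scan, threshold
        self.fd = libc.inotify_init()
        self.wds = {libc.inotify_add_watch(self.fd, d.encode(), IN_CLOSE_WRITE | IN_MOVED_TO): d
                    for d in dirs}

    def poll(self, timeout=None):
        """Handle queued events (waiting up to `timeout` s); returns actions taken."""
        actions = []
        if not select.select([self.fd], [], [], timeout)[0]:
            return actions
        for wd, mask, name in parse_events(os.read(self.fd, 65536)):
            if mask & IN_ISDIR or wd not in self.wds:
                continue  # only regular files in watched directories are scored
            path = os.path.join(self.wds[wd], name)
            infected = self.scan(path) >= self.threshold
            if infected:
                os.unlink(path)  # infected file deletion
            actions.append((name, "deleted" if infected else "clean"))
        return actions

def demo():
    # Constructed offline run: temp dir, two dropped files, fake scores.
    tmp = tempfile.mkdtemp()
    fake_scan = lambda p: 95 if p.endswith("suspect.bin") else 5
    w = Watcher([tmp], fake_scan)
    for name in ("notes.txt", "suspect.bin"):
        with open(os.path.join(tmp, name), "w") as f:
            f.write("sample")  # IN_CLOSE_WRITE fires when the handle closes
    actions, left = sorted(w.poll(timeout=2)), sorted(os.listdir(tmp))
    os.close(w.fd); shutil.rmtree(tmp)
    return actions, left
```

A real daemon would call poll() with no timeout in a loop and replace fake_scan with the vendor request; the demo returns the actions and the files that survived.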

How do I get started?

Simply download and install the package. Details vary, so check the instructions for your target Linux distro.

To use additional features and the privacy of your own account, register at Secplugs.com, log in with your username and create an API key to use with the tool. Replace the key in the configuration file. You can then use the Secplugs portal to configure the Plugin Type as well as view activity, run reports and do deeper retrospective threat analysis.