
shell監控linux系統文件變動

日期:2017/2/7 14:33:18      編輯:Linux教程
 

利用 shell 腳本來監控系統被入侵時,Linux 系統常用的文件是否被改動,比如常見的 /etc/passwd 以及 top、ps 等命令

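#!/bin/bash
# Minimal file-integrity monitor: record a checksum baseline for a list of
# commands (resolved through PATH) and a list of system files, re-check them
# every INTERVAL seconds, and e-mail an alert whenever a checksum changes.
#
# Usage: fill in the configuration block below, then run it in the
#        background (e.g. nohup ./monitor.sh &).
# Limitations: one entry per line in the list files; the baseline format
#        ("<path> <hash>") does not support paths containing whitespace.
#        Commands are hashed as resolved by the PATH of this process.

# -u: an unset variable is a bug.  -e is deliberately NOT used: a transient
# failure (a monitored file vanishing, mail being down) must not kill the
# monitor loop, so critical steps are checked explicitly instead.
set -u

EMAIL_TO="[email protected]"    # sender address (handed to sendmail as -f)
EMAIL_TO_B="[email protected]"  # recipient address for alerts
statfile=""      # baseline file, one "<path> <hash>" line per monitored file; pick a location others cannot write
file_command=""  # list file: one command name per line, e.g. top, ps
file_system=""   # list file: one absolute file path per line, e.g. /etc/passwd
INTERVAL=20      # seconds between polls
IP_EXCLUDE="10.4"       # addresses containing this string are skipped when picking the IP to report (empty: skip none)
REBASELINE_ON_START=1   # 1: discard the old baseline at startup (original behaviour);
                        # 0: keep it, so a change made while the monitor was down is still reported

#######################################
# Write a message to stderr and, when available, to syslog.
# Arguments: the message words
#######################################
log() {
  printf '%s\n' "$*" >&2
  if command -v logger >/dev/null 2>&1; then
    logger -t file-monitor "$*"
  fi
}

#######################################
# Log a fatal message and exit.
#######################################
die() {
  log "$*"
  exit 1
}

#######################################
# Print the SHA-256 digest of a file.
# SHA-256 instead of MD5: MD5 collisions are practical, so a replaced file
# could be crafted to keep the MD5 recorded in the baseline.
# Arguments: $1 - file path
# Outputs:   hex digest on stdout
# Returns:   1 if the file cannot be read
#######################################
checksum() {
  local digest
  digest=$(sha256sum -- "$1" 2>/dev/null) || return 1
  printf '%s\n' "${digest%% *}"
}

#######################################
# Print the hash recorded in the baseline for a path.
# The path field is compared exactly, so /bin/ps does not match /bin/psql
# and regex characters in the path are not interpreted.
# Globals:   statfile (read)
# Arguments: $1 - file path
# Outputs:   recorded hash, or nothing if the path is not in the baseline
#######################################
baseline_hash() {
  awk -v p="$1" '$1 == p { print $NF; exit }' "$statfile"
}

#######################################
# Record or replace the baseline entry for a path.
# The file is rewritten through a temp file in the same directory so an
# interrupted write can never leave a truncated baseline.
# Globals:   statfile (rewritten)
# Arguments: $1 - file path, $2 - hash
# Returns:   0 on success, 1 on failure
#######################################
set_baseline() {
  local path=$1 hash=$2 tmp
  tmp=$(mktemp "${statfile}.XXXXXX") || return 1
  if awk -v p="$path" -v h="$hash" '
        $1 == p { $2 = h; found = 1 }
        { print }
        END { if (!found) print p, h }
      ' "$statfile" > "$tmp" && mv -f -- "$tmp" "$statfile"; then
    return 0
  fi
  rm -f -- "$tmp"
  return 1
}

#######################################
# Pick an address of this host to name in the alert.
# Keeps the original net-tools parsing, with a hostname -I fallback for
# systems where ifconfig is absent or prints the newer format.
# Globals:   IP_EXCLUDE (read)
# Outputs:   one address, or "unknown"
#######################################
local_ip() {
  local ip=""
  if [[ -x /sbin/ifconfig ]]; then
    ip=$(/sbin/ifconfig 2>/dev/null \
      | sed -n '/inet addr/s/^[^:]*:\([0-9.]\{7,15\}\) .*/\1/p')
    if [[ -n $IP_EXCLUDE ]]; then
      ip=$(grep -v -F -- "$IP_EXCLUDE" <<<"$ip")
    fi
    ip=${ip%%$'\n'*}   # first remaining address only
  fi
  if [[ -z $ip ]] && command -v hostname >/dev/null 2>&1; then
    ip=$(hostname -I 2>/dev/null)
    ip=${ip%% *}
  fi
  printf '%s\n' "${ip:-unknown}"
}

#######################################
# Report a changed file by mail and to the log.
# Globals:   EMAIL_TO, EMAIL_TO_B (read)
# Arguments: $1 - file path, $2 - old hash, $3 - new hash
#######################################
alert() {
  local path=$1 old=$2 new=$3 ip body title
  ip=$(local_ip)
  body="服務器IP: ${ip} ${path} 文件發生變化,請檢查,原文件為:${old} 新文件為:${new}"
  title="Alarm, the server ${ip} File ${path} was modified"
  log "$title"
  if command -v mail >/dev/null 2>&1; then
    # "-- -f" hands the envelope sender to sendmail, as in the original.
    printf '%s\n' "$body" | mail -s "$title" "$EMAIL_TO_B" -- -f "$EMAIL_TO" \
      || log "warning: could not send alert mail for ${path}"
  else
    log "warning: 'mail' is not installed, alert for ${path} was only logged"
  fi
}

#######################################
# Compare one path against the baseline: add it if unknown, alert if changed.
# Arguments: $1 - file path
#######################################
check_path() {
  local path=$1 new old
  if ! new=$(checksum "$path"); then
    log "warning: cannot read ${path}, skipping"
    return
  fi
  old=$(baseline_hash "$path")
  if [[ -z $old ]]; then
    set_baseline "$path" "$new" || log "warning: could not record baseline for ${path}"
  elif [[ $old != "$new" ]]; then
    # Update first so each change is reported once, not on every poll.
    set_baseline "$path" "$new" || log "warning: could not update baseline for ${path}"
    alert "$path" "$old" "$new"
  fi
}

#######################################
# Print the entries of a list file one per line, trimmed of surrounding
# whitespace (including a CR from CRLF files), skipping blanks and '#' lines.
# Arguments: $1 - list file path
#######################################
read_list() {
  local line
  if [[ ! -r $1 ]]; then
    log "warning: list file ${1} is not readable"
    return
  fi
  while IFS= read -r line || [[ -n $line ]]; do
    line=${line#"${line%%[![:space:]]*}"}   # strip leading whitespace
    line=${line%"${line##*[![:space:]]}"}   # strip trailing whitespace
    [[ -z $line || $line == \#* ]] && continue
    printf '%s\n' "$line"
  done < "$1"
}

#######################################
# Resolve a command name to the executable PATH would run.
# type -P ignores aliases, functions and builtins, which have no file to hash.
# Arguments: $1 - command name
# Outputs:   absolute path, or nothing if not found
#######################################
resolve_command() {
  type -P "$1"
}

#######################################
# One polling pass over the command list and the file list.
# Globals:   file_command, file_system (read)
#######################################
check_all() {
  local name path
  while IFS= read -r name; do
    path=$(resolve_command "$name")
    if [[ -z $path ]]; then
      log "warning: command ${name} not found in PATH, skipping"
      continue
    fi
    check_path "$path"
  done < <(read_list "$file_command")
  while IFS= read -r path; do
    check_path "$path"
  done < <(read_list "$file_system")
}

#######################################
# Validate the configuration, prepare the baseline file and poll forever.
#######################################
main() {
  local tool
  [[ -n $statfile && -n $file_command && -n $file_system ]] \
    || die "statfile, file_command and file_system must be set"
  for tool in sha256sum awk mktemp; do
    command -v "$tool" >/dev/null 2>&1 || die "required tool ${tool} not found"
  done
  # The check is only as trustworthy as the baseline file: create it
  # readable by this user only.
  umask 077
  if (( REBASELINE_ON_START )); then
    rm -f -- "$statfile"
  fi
  if [[ ! -f $statfile ]]; then
    : > "$statfile" || die "cannot create ${statfile}"
  fi
  log "file monitor started, polling every ${INTERVAL}s"
  while :; do
    check_all
    sleep "$INTERVAL"
  done
}

main "$@"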
