IWATCH TECHNOLOGY

INTRODUCTION

There are a number of excellent tools to check filesystem integrity; they are an essential part of your system security. These tools allow us to detect unwanted manipulation of our system and report it to the system administrator. However, the administrator will not know about the unauthorized change or the intrusion into the system until the tool scans the filesystem again, maybe in the next few hours or the next day, depending on how often the filesystem integrity checker is scheduled to run. It is very important to know about an intrusion as soon as possible: big damage can be avoided if you react right after the break-in, not hours later. Unfortunately the current filesystem integrity checkers don't have the functionality to alert the system administrator immediately after filesystem integrity is broken. This is the reason why iWatch was developed; it tries to fill this gap. iWatch monitors filesystem integrity in real time and will send an alarm immediately to the system administrator when there is any change in the monitored filesystem.

IWATCH TECHNOLOGY

iWatch is a real-time filesystem monitoring program. Its purpose is to monitor any changes in a specific directory or file and send an email notification immediately after the change. This can be very useful to watch a sensitive file or directory against any changes, like the files /etc/passwd and /etc/shadow or the directory /bin, or to monitor the root directory of a website against any unwanted changes. This application is written in Perl and needs inotify support in Linux kernel >= 2.6.13. It also needs the following third-party Perl modules: Linux::Inotify2, Event, Mail::Sendmail and XML::Simple. You can get all these modules from CPAN as usual.

iWatch can be executed in two modes. The first mode is daemon mode, where you use an XML configuration file containing a list of directories and files (targets) to monitor. The second mode is command line mode, where you run it without a configuration file; you just put the necessary information (target to watch, email, exception, recursivity, events to monitor and command to execute) on the command line. The options for the two modes can't be mixed together.

In the XML configuration file, each target can have its own email contact point. This contact point will get an email notification for any changes in the monitored targets. You can monitor a directory recursively, and you can also set up a list of exceptions where you don't want to monitor a directory/file inside a monitored directory. It is also possible to disable email notification and instead set up a command to be executed if an event occurs. By default iWatch only monitors the following events: close_write, create, delete, move, delete_self and move_self. But you can specify any possible events, like access, attrib, modify, all_events and default.

DESIGN OF IWATCH

The iWatch is as fanciful a design as you could wish for. The concept timepiece is a wrist-sized iPhony, a tiny iPod Touch on a strap. It's also gorgeous. The design is from the Italian ADR Studio, and exists only in the world of Photoshop. The main screen, seen above, shows the time, date and weather (Rome's looking very inviting this month). The gallery goes on to show the Bluetooth syncing options (to iPad and iPhone but not a computer, oddly) and a picture of the iWatch throwing a projected movie onto a wall (hell, it's a concept design: why not dream a little?). Read the specs and you learn that there will also be an RSS reader, Wi-Fi and 16GB memory. ADR Studio has "tried to imagine a new Apple style product," called the iWatch. It has an aluminum casing, with 16GB of internal storage, and connects to iPhones or iPads by Wi-Fi or Bluetooth. It could answer calls that come through on the iPhone in your pocket, or display RSS feeds, weather or photos.
An inbuilt pico projector for beaming photos and video sounds awesome, but my wrist feels sore already just thinking of being held up in order to project a full movie.

USING IWATCH

In daemon mode iWatch has the following options:

    Usage: iwatch [-d] [-f <config file>] [-p <pid file>] [-v]

    -d  Execute the application as a daemon. Without this option iWatch will run in the foreground.
    -f  Specify an alternate XML configuration file. By default, iWatch will read /etc/iwatch.xml as its configuration file.
    -p  Specify an alternate pid file (default: /var/run/iwatch.pid).
    -v  Verbose mode.

In command line mode iWatch has the following options:

    Usage: iwatch [-c command] [-e event[,event[,..]]] [-h|--help] [-m <emailaddress>] [-r] [-s <on|off>] [-t filter] [-v] [--version] [-x exception] [-X regex exception] <target>

    Target is the directory or file you want to monitor.

    -c command
        You can specify a command to be executed if an event occurs. You can use the following special strings in the command:
            %f  Full path of the filename that gets an event
            %p  Program name (iWatch)
            %v  Version number
    -e event[,event[,..]]
        Specify a list of events you want to watch. The following events are possible:
            access       : file was accessed
            modify       : file was modified
            attrib       : file attributes changed
            close_write  : file closed, after being opened in writeable mode
            close_nowrite: file closed, after being opened in read-only mode
            close        : file closed, regardless of read/write mode
            open         : file was opened
            moved_from   : file was moved away from
            moved_to     : file was moved to
            move         : a file/dir within the watched directory was moved
            create       : a file was created within the watched directory
            delete       : a file was deleted within the watched directory
            delete_self  : the watched file was deleted
            unmount      : the filesystem on which the watched file exists was unmounted
            q_overflow   : event queue overflowed
            ignored      : file was ignored
            isdir        : event occurred against a directory
            oneshot      : only send the event once
            all_events   : all events
            default      : close_write, create, delete, move, delete_self and move_self
    -h, --help
        Print this help.
    -m <email address>
        Specify the contact point's email address. Without this option, iwatch will not send any email notification.
    -r  Watch the directory recursively.
    -s <on|off>
        Enable or disable reports to syslog (default is off/disabled).
    -t <filter string>
        Specify a filter string (regex) to compare with the file or directory name. Events are reported only if the file/directory name matches the filter string.
    -v  Verbose mode.
    --version
        Print the version number.
    -x exception
        Specify a file or directory which should not be watched.
    -X <regex string as exception>
        Specify a regex string as an exception.

EXAMPLE OF CONFIGURATION FILE

    <config>
      <guard email="myadmin@localhost" name="IWatch"></guard>
      <watchlist>
        <title>Public Website</title>
        <contactpoint email="webmaster@localhost" name="Web Master"/>
        <path type="single">/var/www/localhost/htdocs</path>
        <path type="single" syslog="on">/var/www/localhost/htdocs/About</path>
        <path type="recursive">/var/www/localhost/htdocs/Photos</path>
      </watchlist>
      <watchlist>
        <title>Operating System</title>
        <contactpoint email="admin@localhost" name="Administrator"/>
        <path type="recursive">/etc/apache2</path>
        <path type="single">/etc/passwd</path>
        <path type="recursive">/etc/mail</path>
        <path type="exception">/etc/mail/statistics</path>
        <path type="single" filter="shadow|passwd">/etc</path>
      </watchlist>
      <watchlist>
        <title>Only Test</title>
        <contactpoint email="root@localhost" name="Administrator"/>
        <path type="single" alert="off" exec="(w;ps -ef)|mail -s %f root@localhost">/tmp/dir1</path>
        <path type="single" events="access,close" alert="off" exec="(w;ps -ef)|mail -s %f root@localhost">/tmp/dir2</path>
        <path type="single" events="default,access" alert="off" exec="(w;ps -ef)|mail -s %f is accessed root@localhost">/tmp/dir3</path>
        <path type="single" events="all_events" alert="off">/tmp/dir4</path>
      </watchlist>
    </config>

With this configuration, iwatch will monitor the single directory /var/www/localhost/htdocs without its subdirectories, and any notification will be sent to the contact point webmaster@localhost. But it will monitor the whole directory tree of /etc/apache2, including any subdirectories created after iWatch is started. You can also use an exception here if you don't want to get notifications for a file or subdirectory inside the monitored directory.

EXAMPLE OF THE COMMAND LINE MODE

    iwatch /tmp
        Monitor changes in the /tmp directory with the default events.

    iwatch -r -e access,create -m cahya@localhost -x /etc/mail /etc
        Monitor only access and create events in the /etc directory recursively, with /etc/mail as an exception, and send email notification to cahya@localhost.

    iwatch -r -c "(w;ps -ef)|mail -s %f was changed cahya@localhost" /bin
        Monitor the /bin directory recursively and execute the command.

    iwatch -r -X .svn ~/projects
        Monitor the ~/projects directory recursively, but exclude any .svn directories inside. This can't be done with the normal -x option, since -x can only exclude one defined path.

iWatch is very simple to use. Suppose you want to watch for changes in the /etc filesystem; you just need to run it in the console:

    $ iwatch /etc

and iwatch will tell you if something changes in this directory. If you want to be notified by email:

    $ iwatch -m firstname.lastname@example.org /etc

In this case the admin will get an email notification (maybe you can use your SMS gateway account, so you will be alarmed immediately, anytime and anywhere). If you want to monitor many different directories, you can use a configuration file. This configuration file is an XML file with an easily understandable structure:

    <config>
      <guard email="iwatch@localhost" name="iWatch"/>
      <watchlist>
        <title>Operating System</title>
        <contactpoint email="admin@localhost" name="admin"/>
        <path type="single">/etc</path>
        <path type="single">/sbin</path>
        <path type="recursive">/dev</path>
        <path type="exception">/dev/pts</path>
      </watchlist>
      <watchlist>
        <title>Website</title>
        <contactpoint email="webmaster@localhost" name="webmaster"/>
        <path type="recursive">/var/www/localhost/htdocs</path>
      </watchlist>
    </config>
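As an added example (not part of this page and not code from the iWatch project), the following Python routine models the routing rules described in the event list and the configuration examples above: single versus recursive paths, type="exception" entries, the filter regex, the events attribute with its default and all_events aliases, alert="off", and %f/%p/%v substitution in exec. The sample config is constructed; the rule that exec runs whenever it is set while mail is sent unless alert="off" is my assumption about iWatch's behaviour, and the version string is a placeholder.

```python
import os, re
import xml.etree.ElementTree as ET

# Events iWatch watches when a <path> carries no events="" attribute (from the page).
DEFAULT_EVENTS = {"close_write", "create", "delete", "move", "delete_self", "move_self"}
ALL_EVENTS = DEFAULT_EVENTS | {"access", "modify", "attrib", "close_nowrite", "close", "open",
                               "moved_from", "moved_to", "unmount", "q_overflow", "ignored", "isdir"}

def expand_events(spec):
    """Expand events="a,b,.." (with the default/all_events aliases) into a concrete set."""
    wanted = set()
    for name in (spec or "default").split(","):
        name = name.strip()
        wanted |= DEFAULT_EVENTS if name == "default" else ALL_EVENTS if name == "all_events" else {name}
    return wanted

def covers(watch_type, watched, target):
    """single: the path itself and its direct entries; recursive: the whole subtree."""
    watched = watched.rstrip("/")
    if watch_type == "recursive":
        return target == watched or target.startswith(watched + "/")
    return target == watched or os.path.dirname(target) == watched

def route_event(config_xml, event, target, version="0.2"):  # version: placeholder value
    """Actions for one inotify `event` on `target`: ("mail", address) and/or ("exec", command). Assumed: exec runs whenever set; mail goes out unless alert="off"."""
    actions = []
    for wl in ET.fromstring(config_xml).iter("watchlist"):
        contact = wl.find("contactpoint").get("email")
        paths = [(p.get("type"), p.text.strip(), p) for p in wl.findall("path")]
        # A type="exception" entry silences everything beneath it within this watchlist.
        if any(covers("recursive", w, target) for t, w, _ in paths if t == "exception"):
            continue
        for t, w, p in paths:
            if t == "exception" or not covers(t, w, target) or event not in expand_events(p.get("events")):
                continue
            if p.get("filter") and not re.search(p.get("filter"), os.path.basename(target)):
                continue  # the filter regex is compared with the file/directory name only
            if p.get("exec"):  # %f = full path, %p = program name, %v = version number
                actions.append(("exec", p.get("exec").replace("%f", target).replace("%p", "iWatch").replace("%v", version)))
            if p.get("alert", "on") != "off":
                actions.append(("mail", contact))
    return actions

# Constructed sample config modelled on the page's examples (not taken from a real host).
SAMPLE_CONFIG = """<config><guard email="iwatch@localhost" name="iWatch"/>
<watchlist><title>Operating System</title><contactpoint email="admin@localhost" name="Administrator"/>
<path type="recursive">/etc/mail</path><path type="exception">/etc/mail/statistics</path>
<path type="single" filter="shadow|passwd">/etc</path></watchlist>
<watchlist><title>Only Test</title><contactpoint email="root@localhost" name="Administrator"/>
<path type="single" events="default,access" alert="off" exec="(w;ps -ef)|mail -s %f root@localhost">/tmp/dir3</path></watchlist></config>"""
```

Running route_event over a handful of hypothetical paths is a quick way to check a new iwatch.xml before deploying it: an exception that is too broad, or a filter that never matches, shows up as an event that produces no action at all.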
IWATCH CONCEPT IS LIKE AN IPHONE ON YOUR WRIST

This iWatch concept is designed to pair up with your iPhone, sharing information and allowing you to see all sorts of information without pulling your phone out of your pocket. And it's pretty damned slick. The watch, which would connect to your phone via Bluetooth, would have 16GB of internal storage and would allow you to do things like answer calls via it, display RSS feeds, show you the weather or let you flip through photos. There's also a built-in pico projector for letting you show videos on a nearby wall.
FEATURES

- runs in command line mode as well as in daemon mode, using an easy XML configuration file
- can watch a directory recursively, including newly created subdirectories
- can have a list of exceptions
- can use a regex to compare the file/directory name
- can execute a command if an event occurs
- sends email
- reports to syslog
- prints a time stamp

CONCLUSION

Thus iWatch is a real-time monitoring system that will send an alarm immediately to the system administrator when there is any change in the monitored filesystem. It is mainly useful for administrators to protect their systems.