A real-time filesystem monitoring program
It is very important to learn about an intrusion as soon as possible: reacting right after the break-in, not hours later, can prevent much of the damage. Unfortunately, current filesystem integrity checkers such as tripwire, AIDE or samhain lack the functionality to alert the system administrator immediately after the filesystem's integrity is broken. This is the reason iWatch was developed; it tries to fill this gap. iWatch monitors the filesystem's integrity in real time and sends an alarm to the system administrator immediately when there is any change in the monitored filesystem.
iWatch is written in Perl and based on inotify, a file change notification system: a kernel feature that allows applications to request the monitoring of a set of files against a list of events. Inotify was first introduced in Linux kernel version 2.6.13.
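To show what the kernel interface described above actually delivers, here is a small added example (not iWatch's own Perl code): it opens an inotify instance through ctypes, decodes the raw struct inotify_event records the kernel writes, and also surfaces IN_Q_OVERFLOW, the case where the event queue filled up and changes were lost. It assumes Linux and a libc reachable through ctypes; parse_events and pack_event work offline on constructed records, while watch needs a real inotify.

```python
import ctypes, os, select, struct

# inotify bits from <sys/inotify.h>; Linux-only, the interface iWatch builds on
IN_MODIFY, IN_ATTRIB, IN_MOVED_FROM, IN_MOVED_TO = 0x002, 0x004, 0x040, 0x080
IN_CREATE, IN_DELETE, IN_Q_OVERFLOW, IN_ISDIR = 0x100, 0x200, 0x4000, 0x40000000
IN_CLOEXEC = 0x80000
MASK_NAMES = {IN_MODIFY: "IN_MODIFY", IN_ATTRIB: "IN_ATTRIB", IN_CREATE: "IN_CREATE",
              IN_DELETE: "IN_DELETE", IN_MOVED_FROM: "IN_MOVED_FROM",
              IN_MOVED_TO: "IN_MOVED_TO", IN_ISDIR: "IN_ISDIR"}
DEFAULT_MASK = IN_MODIFY | IN_ATTRIB | IN_CREATE | IN_DELETE | IN_MOVED_FROM | IN_MOVED_TO
EVENT_HDR = struct.Struct("iIII")  # struct inotify_event: wd, mask, cookie, len

def parse_events(buf):
    """Decode a raw read() buffer into a list of (wd, mask, name) tuples."""
    events, off = [], 0
    while off + EVENT_HDR.size <= len(buf):
        wd, mask, _cookie, length = EVENT_HDR.unpack_from(buf, off)
        off += EVENT_HDR.size
        # the name is NUL-terminated and padded so the next record stays aligned
        name = buf[off:off + length].split(b"\0", 1)[0].decode(errors="replace")
        off += length
        events.append((wd, mask, name))
    return events

def pack_event(wd, mask, name, cookie=0):
    """Build one raw record the way the kernel lays it out (constructed samples)."""
    raw = name.encode() + b"\0" * (16 - len(name) % 16)
    return EVENT_HDR.pack(wd, mask, cookie, len(raw)) + raw

def describe(mask):
    """Render a mask as 'IN_CREATE|IN_ISDIR'-style text."""
    return "|".join(n for bit, n in MASK_NAMES.items() if mask & bit) or hex(mask)

def watch(paths, mask=DEFAULT_MASK, timeout=None):
    """Yield (watched_path, event_names, filename) per change until timeout."""
    libc = ctypes.CDLL(None, use_errno=True)
    fd = libc.inotify_init1(IN_CLOEXEC)
    if fd < 0: raise OSError(ctypes.get_errno(), "inotify_init1 failed")
    wds = {}
    for path in paths:  # one watch per directory; inotify is not recursive
        wd = libc.inotify_add_watch(fd, path.encode(), mask)
        if wd < 0: raise OSError(ctypes.get_errno(), "inotify_add_watch: " + path)
        wds[wd] = path
    while select.select([fd], [], [], timeout)[0]:
        for wd, m, name in parse_events(os.read(fd, 65536)):
            if m & IN_Q_OVERFLOW:  # kernel queue overflowed: events were dropped,
                yield ("", "IN_Q_OVERFLOW", "")  # so a full integrity check is due
            else:
                yield (wds.get(wd, "?"), describe(m), name)
```

Running `for p, what, n in watch(["/etc"]): print(p, n, what)` as root reports each change as it happens; an IN_Q_OVERFLOW row means the real-time view has a hole and a full checker run is needed to close it.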
iWatch is very simple to use. Suppose you want to watch for changes in the /etc directory; you just need to run iwatch /etc in the console,
and iwatch will tell you if something changes in this directory. If you want to be notified by email:
iwatch -m firstname.lastname@example.org /etc
In this case the admin will get an email notification (you could also use an SMS gateway account, so you are alerted immediately, anytime and anywhere).
If you want to monitor many different directories, you can use a configuration file. This configuration file is an XML file with an easily understandable structure.