A lightweight, efficient file integrity monitoring tool written in Go. This tool helps system administrators and website owners monitor web files for unauthorized changes, which could indicate a security breach or malware infection.
Repository: magneticat/catscanner
- File Integrity Monitoring: Generates and verifies SHA-256 hashes of files
- Change Detection: Identifies new, modified, and deleted files
- Notifications: Email alerts when changes are detected
- Detailed Logging: All activities are logged with timestamps
- Flexible Configuration: JSON-based configuration file
- Multiple File Types: Support for monitoring various file extensions
- Email Options: Supports both SMTP and local mail command
- Go 1.16 or higher
- For mail command notifications: `mailutils` (Debian/Ubuntu) or `mailx` (CentOS/RHEL)

- Clone the repository:

  ```bash
  git clone https://github.com/magneticat/catscanner.git
  cd catscanner
  ```

- Build the binary:

  ```bash
  go build -o catscanner
  ```

- Create your configuration:

  ```bash
  cp config.example.json config.json
  ```

- Edit `config.json` to match your environment:

  ```json
  {
    "target_dir": "/path/to/your/web/files",
    "integrity_file": "/path/to/logs/integrity.txt",
    "log_file": "/path/to/logs/integrity.log",
    "email": "[email protected]",
    "from_email": "[email protected]",
    "email_method": "mailcmd",
    "smtp_server": "smtp.example.com",
    "smtp_port": "587",
    "smtp_user": "smtp_username",
    "smtp_pass": "smtp_password",
    "whitelist": [
      "*.tmp",
      "cache/*",
      "/path/to/your/web/files/temp/*",
      "test.php"
    ]
  }
  ```

Before scanning for changes, generate an initial integrity file:

```bash
./catscanner -r -ext ".php,.html,.js"
```

To check for file modifications:

```bash
./catscanner -s -ext ".php,.html,.js"
```

- `-r`: Regenerate the integrity file
- `-s`: Scan for changes
- `-ext`: Comma-separated list of file extensions to scan (default: ".php")
- `-config`: Path to configuration file (default: "config.json")

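
An added example, not catscanner's own code, of what the `-r` and `-s` runs amount to: hash every matching file with SHA-256, then compare the stored map against a fresh one to classify files as new, modified or deleted. The names `hashTree` and `diff` are hypothetical, and a single extension stands in for the `-ext` list.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// hashTree maps each regular file under root with extension ext to its SHA-256 hex digest.
func hashTree(root, ext string) (map[string]string, error) {
	sums := map[string]string{}
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil || !d.Type().IsRegular() || filepath.Ext(p) != ext {
			return err // walk error, or nil to skip directories, symlinks and other extensions
		}
		data, err := os.ReadFile(p)
		if err != nil {
			return err
		}
		sums[p] = fmt.Sprintf("%x", sha256.Sum256(data))
		return nil
	})
	return sums, err
}

// diff compares a stored baseline with a fresh scan (result order is not sorted).
func diff(baseline, current map[string]string) (added, modified, deleted []string) {
	for p, sum := range current {
		if old, ok := baseline[p]; !ok {
			added = append(added, p)
		} else if old != sum {
			modified = append(modified, p)
		}
	}
	for p := range baseline {
		if _, ok := current[p]; !ok {
			deleted = append(deleted, p)
		}
	}
	return
}

func main() {
	// Constructed demo: with an empty baseline, every .php file counts as new.
	cur, err := hashTree(".", ".php")
	added, _, _ := diff(map[string]string{}, cur)
	fmt.Println("untracked .php files:", len(added), "error:", err)
}
```
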
The simplest option for Linux/Unix systems. Requires a local mail transport agent.
```json
{
  "email_method": "mailcmd",
  "email": "[email protected]"
}
```

Install required packages:

```bash
# Debian/Ubuntu
sudo apt-get install mailutils
# CentOS/RHEL
sudo yum install mailx
```

For using an external SMTP server:
```json
{
  "email_method": "smtp",
  "email": "[email protected]",
  "smtp_server": "smtp.example.com",
  "smtp_port": "587",
  "smtp_user": "username",
  "smtp_pass": "password"
}
```

For regular monitoring, add to crontab:
```
# Check every hour
0 * * * * /path/to/catscanner -s -ext ".php,.html,.js" -config /path/to/config.json
```

- Ensure your SMTP port matches the server capability:
  - 587: STARTTLS (what this tool uses with `smtp.SendMail` if supported)
  - 465: Implicit TLS (not supported by `smtp.SendMail`; use 587 instead)
- Many providers require a valid From header that matches the authenticated user. Set `from_email` to your mailbox, or leave it empty to default to `smtp_user`.
- Some providers (e.g., Gmail) require an App Password or OAuth; normal password may fail.
- Make sure DNS for the From domain has proper SPF/DMARC to avoid spam/bounces.
- If using `mailcmd`, verify the local MTA is configured to relay mail externally; otherwise messages may remain local or be rejected.
- Check the application log file for detailed SMTP or mail command error messages.

- Store the integrity and log files outside the web root
- Disable write permissions on the integrity file after its generation
- Use a dedicated email account for notifications
- Keep the config file secure (contains SMTP credentials)
- Regular updates of the integrity file after legitimate changes
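
An added example (not part of catscanner) that checks a deployment against the recommendations above: integrity and log files outside `target_dir`, integrity file not writable, and `config.json` not readable by group or others. `audit` and `inside` are hypothetical names; only the `target_dir`, `integrity_file` and `log_file` keys from the configuration are read.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Config holds the config.json keys this audit needs.
type Config struct {
	TargetDir     string `json:"target_dir"`
	IntegrityFile string `json:"integrity_file"`
	LogFile       string `json:"log_file"`
}

// inside reports whether path lies under dir (both absolute or both relative).
func inside(dir, path string) bool {
	rel, err := filepath.Rel(dir, path)
	return err == nil && rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// audit returns one finding per recommendation the deployment violates.
func audit(cfgPath string) ([]string, error) {
	var c Config
	raw, err := os.ReadFile(cfgPath)
	if err == nil {
		err = json.Unmarshal(raw, &c)
	}
	if err != nil {
		return nil, err
	}
	var out []string
	for _, p := range []string{c.IntegrityFile, c.LogFile} {
		if inside(c.TargetDir, p) {
			out = append(out, p+" is inside the web root")
		}
	}
	if st, err := os.Stat(c.IntegrityFile); err == nil && st.Mode().Perm()&0o222 != 0 {
		out = append(out, c.IntegrityFile+" is still writable")
	}
	if st, err := os.Stat(cfgPath); err == nil && st.Mode().Perm()&0o077 != 0 {
		out = append(out, cfgPath+" is readable by group or others")
	}
	return out, nil
}

func main() {
	fmt.Println(audit("config.json")) // prints the findings and any read or parse error
}
```
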
Contributions are welcome! Please feel free to submit a Pull Request.
This project is licensed under the MIT License - see the LICENSE file for details.
- Inspired by the need for a simple, efficient file integrity monitoring solution
- Built with Go's standard library for minimal dependencies
Edit the config.json file to match your environment:

| Option | Description |
|---|---|
| `target_dir` | Directory to monitor for changes |
| `integrity_file` | File to store file hashes |
| `log_file` | File to store scan logs |
| `email` | Email address for notifications (To) |
| `from_email` | Optional explicit From address for notifications |
| `email_method` | Email method ("smtp" or "mailcmd") |
| `smtp_*` | SMTP server configuration |
| `whitelist` | Array of patterns to exclude from notifications |

The whitelist feature allows you to specify files or patterns that should not trigger email notifications when changed. Changes to whitelisted files are still logged but won't generate alerts. Patterns support standard glob syntax:

- `*`: Matches any sequence of characters except path separators
- `?`: Matches any single character except path separator
- `[abc]`: Matches one character given in the bracket
- `**`: Matches zero or more directories

Examples:

```json
"whitelist": [
  "*.tmp",          // Ignore all .tmp files
  "cache/*",        // Ignore everything in the cache directory
  "**/temp/**",     // Ignore files in any temp directory
  "test.php",       // Ignore a specific file
  "/full/path/*"    // Ignore files in a specific directory (full path)
]
```