The latest articles on Forem by pkdev23 (@pkdev23). https://forem.com/pkdev23 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3560113%2Fd2ebc875-f486-424f-8776-b497ed872982.png https://forem.com/pkdev23 en pkdev23 Sun, 12 Oct 2025 09:17:30 +0000 https://forem.com/pkdev23/detecting-file-changes-in-2-seconds-python-file-integrity-monitoring-3mo0 https://forem.com/pkdev23/detecting-file-changes-in-2-seconds-python-file-integrity-monitoring-3mo0 <h2> Detecting File Changes in 2-3 Seconds: Python File Integrity Monitoring </h2> <p>I built <strong>CoNum</strong> - an open-source file integrity monitor that detects unauthorized changes in 2 - 3 seconds and generates forensic-grade reports.</p> <p><strong>GitHub:</strong> <a href="https://github.com/pkdev23/conum" rel="noopener noreferrer">https://github.com/pkdev23/conum</a></p> <h2> The Problem </h2> <p>Traditional file monitoring solutions are either:</p> <ul> <li> <strong>Too expensive</strong> (Tripwire: $5,000+/year)</li> <li> <strong>Too slow</strong> (polling-based tools take minutes)</li> <li> <strong>Too complex</strong> (OSSEC takes days to configure)</li> <li> <strong>Too limited</strong> (Git hooks only work on commits)</li> </ul> <p>I needed something that detects critical file changes <strong>instantly</strong> - for production configs, SSH keys, deployment scripts, and <code>.env</code> files.</p> <h2> CoNum in 30 Seconds </h2> <h3> What It Does </h3> <ul> <li>⚡ <strong>2-3 seconds detection</strong> using filesystem events (not polling)</li> <li>🔔 <strong>Email alerts</strong> with PDF reports showing line-by-line changes</li> <li>🛡️ <strong>Risk scoring</strong> (0-10) based on keywords and patterns</li> <li>💾 <strong>Local SQLite database</strong> for complete audit trail</li> <li>📤 <strong>SIEM-ready export</strong> (JSONL, CEF, CSV formats)</li> </ul> <h3> How It Works </h3> <ol> <li>Monitor critical files with Watchdog (filesystem events)</li> <li>Calculate SHA-256 hashes for tamper detection</li> <li>Store changes in SQLite with forensic details</li> <li>Alert immediately via email with detailed reports</li> </ol> <h3> Why It’s Different </h3> <ul> <li> <strong>Code-focused</strong> (not OS files like Tripwire/OSSEC)</li> <li> <strong>2-second detection</strong> (not minutes)</li> <li> <strong>5-minute setup</strong> (not days)</li> <li> <strong>Free/$249</strong> (not $5,000+/year)</li> </ul> <h2> Real-World Use Cases </h2> <p>✅ <strong>Detect SSH backdoors</strong> - Monitor <code>authorized_keys</code> for unauthorized access<br><br> ✅ <strong>Track config changes</strong> - Alert on <code>.env</code>, <code>nginx.conf</code>, database configs<br><br> ✅ <strong>Compliance auditing</strong> - Generate reports for SOC 2, ISO 27001, PCI-DSS<br><br> ✅ <strong>Incident response</strong> - Know exactly what files changed during a breach and how they were changed<br> ✅ <strong>Deployment verification</strong> - Ensure scripts weren’t tampered with</p> <h2> Quick Comparison </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Feature</th> <th>CoNum</th> <th>Tripwire</th> <th>OSSEC</th> <th>Git Hooks</th> </tr> </thead> <tbody> <tr> <td><strong>Price</strong></td> <td>Free/$249</td> <td>$5,000+/year</td> <td>Free</td> <td>Free</td> </tr> <tr> <td><strong>Setup</strong></td> <td>5 min</td> <td>Days</td> <td>Hours</td> <td>Minutes</td> </tr> <tr> <td><strong>Detection</strong></td> <td>2 sec</td> <td>Minutes</td> <td>Minutes</td> <td>Commit-only</td> </tr> <tr> <td><strong>SIEM</strong></td> <td>✅</td> <td>✅</td> <td>✅</td> <td>❌</td> </tr> <tr> <td><strong>Dashboard</strong></td> <td>✅</td> <td>❌</td> <td>❌</td> <td>❌</td> </tr> </tbody> </table></div> <h2> Installation </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git clone https://github.com/pkdev23/conum.git <span class="nb">cd </span>conum pip <span class="nb">install</span> <span class="nt">-r</span> requirements.txt python conum_rack.py </code></pre> </div> <p>That’s it. No Docker, no complex configs, no external databases.</p> <h2> Tech Stack </h2> <ul> <li> <strong>Python 3.11+</strong> with Watchdog for filesystem events</li> <li> <strong>SHA-256 hashing</strong> for integrity verification</li> <li> <strong>SQLite with WAL</strong> for crash-safe storage</li> <li> <strong>Tkinter GUI</strong> for native macOS/Windows interface</li> <li> <strong>SMTP</strong> for email alerts with PDF reports</li> </ul> <p><strong>Platforms:</strong> macOS, Windows </p> <h2> Get Started </h2> <p><strong>Free Version:</strong> Monitor up to 4 files<br><br> <strong>Pro Version:</strong> 16 files, SIEM export, risk scoring ($249)</p> <p>👉 <strong>Full details, screenshots, and source code:</strong><br><br> <a href="https://github.com/pkdev23/conum" rel="noopener noreferrer">https://github.com/pkdev23/conum</a></p> <p><strong>GitHub Issues:</strong> <a href="https://github.com/pkdev23/conum/issues" rel="noopener noreferrer">https://github.com/pkdev23/conum/issues</a><br><br> <strong>Email:</strong> <a href="mailto:pk_dev@gmx.at">pk_dev@gmx.at</a></p> <p><em>If this sounds useful, please ⭐ star the repo on GitHub!</em></p> <h3> Tags </h3> <h1> python #security #devops #opensource </h1> python security git devops