This project is a File Modification Tracker implemented in Go, designed to run as a background service on macOS. It tracks and records modifications to files in a specified directory, integrates system monitoring via osquery, and provides a simple UI for interaction.
## Table of Contents

- Prerequisites
- Installation using source code
- Troubleshooting
- Installation using .pkg for macOS
- Configuration
- Usage
- Uninstallation
- Troubleshooting osquery
- Contributing
- Contact
## Prerequisites

- macOS (tested on macOS Mojave and later)
- Go (version 1.20 or later)
- osquery
- Homebrew (for easy installation of dependencies)
## Installation using source code

1. Clone the repository:

   ```bash
   git clone git@github.com:tejiriaustin/filemodtracker.git
   ```

2. Install osquery using Homebrew:

   ```bash
   brew install osquery
   ```

3. Verify the osquery installation:

   ```bash
   osqueryi --version
   ```

4. Install GCC (MinGW-w64) for Windows or Linux devices:
   - Download from mingw-w64.org or use MSYS2
   - Add the MinGW-w64 `bin` directory to `PATH`

5. Verify GCC:

   ```bash
   gcc --version
   ```

6. Graphics library for Linux devices. Install either:
   - OpenGL drivers (usually pre-installed on Windows)
   - Mesa3D software renderer for systems without a GPU

7. Install the daemon:

   ```bash
   make install
   ```

8. Start the UI:

   ```bash
   make ui
   ```

9. Configure your osquery:

   ```bash
   make configure
   ```

10. Visit the URL below to verify the service is running:

    http://localhost:8081/health
## Troubleshooting

Note: please ensure osquery is properly installed and running.

- Run the following command to verify your osquery configuration:

  ```bash
  sudo osqueryi --database_path=/var/tmp/osquery_data/osquery.db --disable_events=false --enable_file_events=true --config_path=/usr/local/etc/osquery/osquery.conf --verbose --json
  ```

- Then, in the console that opens, run:

  ```sql
  select * from file_events;
  ```

- osquery should return a list of events. If not, run the following command to properly configure the `file_events` table:

  ```bash
  make configure
  ```
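The verification command above only returns rows once osquery's config lists the paths to watch under `file_paths`; the `--disable_events`/`--enable_file_events` flags alone are not enough. The script below is an added example, not the output of the project's `make configure`: it writes such a config for the `monitored_directory` used in the Configuration section and runs the same one-shot query; the category name `filemodtest` and the snapshot interval are illustrative choices.

```bash
#!/usr/bin/env bash
# Added example (not part of the filemodtracker project): generate an
# osquery config whose file_paths entry matches the tracker's
# monitored_directory, then query file_events with the flags from the
# Troubleshooting section. The category name "filemodtest" and the
# 60-second snapshot interval are assumptions, not project values.
set -eu

# write_osquery_conf MONITORED_DIR OUT_FILE
# osquery only records file_events for paths listed under "file_paths";
# the trailing "%%" makes the watch recursive.
write_osquery_conf() {
  dir="$1"
  out="$2"
  cat > "$out" <<EOF
{
  "options": {
    "disable_events": "false",
    "enable_file_events": "true"
  },
  "file_paths": {
    "filemodtest": ["${dir}/%%"]
  },
  "schedule": {
    "file_events_snapshot": {
      "query": "SELECT target_path, action, time FROM file_events;",
      "interval": 60
    }
  }
}
EOF
}

# Usage: ./osquery_check.sh run
# Writes the config for the directory from config.yaml and runs a one-shot
# query; an empty result means no watched path has changed yet.
if [ "${1:-}" = "run" ]; then
  write_osquery_conf "/Users/username/Documents/filemodtest" /tmp/osquery.conf
  sudo osqueryi --config_path=/tmp/osquery.conf \
       --database_path=/var/tmp/osquery_data/osquery.db \
       --disable_events=false --enable_file_events=true \
       --json 'select * from file_events;'
fi
```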
## Installation using .pkg for macOS

1. Install osquery using Homebrew:

   ```bash
   brew install osquery
   ```

2. Verify the osquery installation:

   ```bash
   osqueryi --version
   ```

3. Install the File Modification Tracker:

   ```bash
   sudo installer -pkg FileModTracker.pkg -target /
   ```

4. Verify the installation:

   ```bash
   ls /usr/local/bin/filemodtracker
   ```
## Configuration

1. Open the configuration file:

   ```bash
   sudo nano /usr/local/etc/filemodtracker/config.yaml
   ```

2. Update the following settings:

   ```yaml
   monitored_directory: "/Users/username/Documents/filemodtest"
   check_frequency: 60 # in seconds
   ```

3. Save and exit (Ctrl+X, Y, Enter).

4. Load the service:

   ```bash
   sudo launchctl load /Library/LaunchDaemons/com.example.filemodtracker.plist
   ```

5. Verify it is running:

   ```bash
   launchctl list | grep filemodtracker
   ```
## Usage

1. Create, modify, or delete files in the monitored directory:

   ```bash
   echo "Hello, world!" > ~/Documents/filemodtest/testfile.txt
   echo "New content" >> ~/Documents/filemodtest/testfile.txt
   rm ~/Documents/filemodtest/testfile.txt
   ```

2. View the logs:

   ```bash
   cat /var/log/filemodtracker.log
   ```

The service also exposes a small HTTP API on port 8081:

- Health check:

  ```bash
  curl http://localhost:8081/health
  ```

- Send commands to the worker thread:

  ```bash
  curl -X POST -H "Content-Type: application/json" -d '{"command":"echo Hello"}' http://localhost:8081/command
  ```

- Retrieve logged events:

  ```bash
  curl http://localhost:8081/events
  ```
## Uninstallation

To uninstall the service:

```bash
sudo /usr/local/bin/uninstall_filemodtracker.sh
```
## Troubleshooting osquery

If you encounter issues with osquery:

1. Check Homebrew's information about osquery:

   ```bash
   brew info osquery
   ```

2. Try relinking osquery:

   ```bash
   brew link osquery
   ```

3. If issues persist, reinstall osquery:

   ```bash
   brew uninstall osquery
   brew install osquery
   ```
## Contributing

1. Fork the repository
2. Create your feature branch (`git checkout -b feature/AmazingFeature`)
3. Commit your changes (`git commit -m 'Add some AmazingFeature'`)
4. Push to the branch (`git push origin feature/AmazingFeature`)
5. Open a Pull Request
## Contact

Tejiri Austin - [email protected]

Project Link: https://github.com/tejiriaustin/filemodtracker