So I came into work today and my inbox had a wonderful little gift; a co-worker had made changes to some of my code that was considered production without providing me a log of what changes he made, just a general not of what sub-folder might contain changes that were naturally NOT included in the git repository. Naturally I was so pissed about this that I considered doing bodily harm to inanimate objects while screaming profanity, then I got busy actually finding all the things he changed. All I had to work from was the bash history showing me every file he touched, so I manually diff’ed them against files from the repo that I knew he hadn’t touched only to find out he did more looking than touching, but that was probably a godsend really once I realized he was changing commented out code (hope he didn’t expect to see anything actually change).
After I got all the non-changes found and replicated in the repo by hand (obviously hes not up to speed with such things as version control) I decided I was done fucking around with undocumented changes to live production code which could have all kinds of nasty consequences, thus the following quick and dirty script was created.
# author: dword
# purpose: generate daily md5 sums of files and email them off for tracking of changes
# Lets generate the msg file, not used currently but will be later
echo "*** Daily Integrity Report ***" > int.msg
echo " " >> int.msg
echo "Generated: " >> int.msg; date >> int.msg
# Now to tag the log with today's date
date > int.log
# Generate MD5 sums for every file we want to track
for f in $(find /var/www/html/); do md5sum $f >> int.log; done
# Mail it off!
mail -s "Daily Integrity.sh Report" firstname.lastname@example.org < int.log
# Clean up files
Just change the path that find uses to whatever location you would like to keep track of and make the email actually something that works, slap it in a @daily crontab and you should be golden. Its not anything fancy like tripwire or the like but at least hopefully it will save someone else from having to do a bunch of manual work diffing files wondering which were edited and which were just looked at. I would have liked to simply lock the reject out who managed to cause this whole mess in the first place but I don’t think the boss would appreciate me circumventing the chain of command to start decreeing who works on what, even if they are total morons who probably shouldn’t be allowed to touch production systems in the first place.