A robust Linux File Integrity Monitor (FIM) featuring real-time SHA-256 baseline verification, VirusTotal threat intelligence integration, immutable vault protection, and continuous background monitoring.
Calculates and monitors:
- SHA-256 hashes
- POSIX file permissions
- File sizes
- Last modified timestamps
This enables detection of unauthorized file additions, modifications, and deletions with high accuracy.
Seamlessly integrates with the VirusTotal v3 API.
When an unknown or modified file is detected, its SHA-256 hash can be automatically checked against multiple security vendors to identify potentially malicious files.
Includes system-level hardening capabilities.
Using the GUI, administrators can apply the Linux immutable attribute (chattr +i) to monitored directories, preventing files from being:
- Modified
- Deleted
- Renamed
even by privileged users until the attribute is removed.
Utilizes a multithreaded monitoring engine to perform integrity checks at configurable intervals without interrupting the graphical interface.
Enforces root privilege validation at application startup to ensure access to protected system resources and immutable file operations.
The trusted baseline is stored locally within the project root:
```
.baseline.json
```

Records integrity violations, baseline generations, monitoring activity, and security alerts to:

```
/var/log/file_integrity_secure_vault.log
```

```
Linux-Secure-FIM/
│
├── folder_integrity_tool/
│   │
│   ├── .baseline.json        # Generated integrity baseline
│   ├── main.py               # Main entry point and privilege enforcement
│   │
│   ├── core/
│   │   ├── engine.py         # SHA-256 hashing and integrity verification logic
│   │   ├── utils.py          # Configuration, privilege checks, logging
│   │   └── virustotal.py     # VirusTotal API integration
│   │
│   └── gui/
│       └── app.py            # CustomTkinter graphical interface
│
├── LICENSE
└── README.md
```

- Linux
- POSIX-compliant filesystem
- `chattr` utility installed

The application must be executed with root privileges (UID 0) to:
- Read protected directories
- Apply immutable attributes
- Access restricted system resources
Python 3.x

```bash
pip install customtkinter requests
```

```bash
git clone https://github.com/thieveshkar/Linux-Secure-FIM.git
cd Linux-Secure-FIM/folder_integrity_tool
```

By default, the tool contains a placeholder API key inside:

```
core/utils.py
```

Replace it with your own VirusTotal API key:

```python
VT_API_KEY = "your_personal_virustotal_api_key_here"
```

Alternatively, the API key can be entered directly through the GUI during runtime.

Run the application from the project directory with root privileges:

```bash
sudo python3 main.py
```

- Enter one or more target paths in the Target Paths field.
Example:
/opt/scan_folder, /var/www/html
- Click Generate Baseline.
The tool will:
- Traverse the selected directories
- Calculate cryptographic hashes
- Capture file metadata
- Store the trusted state in `.baseline.json`

Performs a one-time comparison against the stored baseline.
Starts the background monitoring thread.
Detected file states include:
| Status | Description |
|---|---|
| MATCHED | No changes detected |
| ADDED | New file detected |
| MODIFIED | Existing file changed |
| DELETED | File removed |
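
How the four states fall out of comparing a stored baseline with a fresh scan, as an added example that is not the project's `core/engine.py`. The names `snapshot`, `compare` and `demo` are hypothetical, and the sample files are constructed in a temporary directory.

```python
import hashlib
import os
import stat
import tempfile

def snapshot(root):
    """Map each regular file under root to its hash and metadata."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets, devices
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            state[os.path.relpath(path, root)] = {
                "sha256": digest.hexdigest(), "size": st.st_size,
                "mode": stat.S_IMODE(st.st_mode), "mtime_ns": st.st_mtime_ns}
    return state

def compare(baseline, current):
    """Classify each path with the four statuses from the table above."""
    report = {}
    for path in baseline.keys() | current.keys():
        if path not in baseline:
            report[path] = "ADDED"
        elif path not in current:
            report[path] = "DELETED"
        elif baseline[path] != current[path]:
            report[path] = "MODIFIED"  # hash, mode, size or mtime differs
        else:
            report[path] = "MATCHED"
    return report

def demo():
    """Constructed sample tree that ends with one file per status."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("keep.txt", "perm.sh", "edit.conf", "gone.log"):
            with open(os.path.join(root, name), "w") as fh:
                fh.write("original\n")
        baseline = snapshot(root)
        os.chmod(os.path.join(root, "perm.sh"), 0o777)  # metadata-only change
        with open(os.path.join(root, "edit.conf"), "a") as fh:
            fh.write("tampered\n")
        os.remove(os.path.join(root, "gone.log"))
        open(os.path.join(root, "new.bin"), "wb").close()
        return compare(baseline, snapshot(root))
```

`demo()` returns a path-to-status mapping; `perm.sh` is reported as MODIFIED even though its SHA-256 is unchanged, which is why the baseline records permissions alongside the hash.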
Applies:

```bash
chattr -R +i
```

to the selected directories.
This makes files and folders immutable.

Removes the immutable attribute:

```bash
chattr -R -i
```

allowing normal filesystem operations to resume.

The monitoring engine operates using periodic polling (default: 60 seconds).
An attacker who modifies a file and restores its original contents and metadata before the next scan cycle may evade detection. This is a known limitation of interval-based monitoring systems.
The effectiveness of any File Integrity Monitoring system depends entirely on the trustworthiness of the initial baseline.
If a compromised file exists during baseline creation, it will be considered trusted by the system.
This project is licensed under the MIT License.
See the LICENSE file for details.