mrceha/securehash
🔒 SecureHash

File Integrity Monitoring via SHA-256 Baseline Comparison

Python 3.10+ | License: MIT | No Dependencies


SecureHash creates cryptographic snapshots of directory trees and detects unauthorized modifications, additions, or deletions. Zero external dependencies — runs on any system with Python 3.10+.

Why?

File integrity monitoring is a fundamental security control (NIST SP 800-53 SI-7). Commercial solutions exist, but most are bloated. SecureHash does one thing well: it tells you exactly what changed, when you need to know.

Quick Start

# Create a baseline snapshot
python securehash.py baseline ./my_project

# Verify integrity against baseline
python securehash.py verify ./my_project

# Continuous monitoring (every 60 seconds)
python securehash.py watch ./my_project --interval 60

Usage

Create Baseline

Scans every file recursively, computes SHA-256 hashes, and saves the manifest:

python securehash.py baseline ./target --exclude __pycache__ .git node_modules

This creates .securehash.json in the target directory.

Verify Integrity

Compares the current state against the stored baseline:

python securehash.py verify ./target

Output:

⚠ Integrity check failed — 3 change(s) detected.

  Modified (1):
    ~ config/settings.yaml

  Added (1):
    + scripts/backdoor.sh

  Removed (1):
    - docs/api_reference.md

  47 file(s) unchanged.

Exit codes: 0 = clean, 1 = error, 2 = changes detected.

Watch Mode

Runs verification in a loop, useful for monitoring sensitive directories:

python securehash.py watch ./etc --interval 30
[14:23:01] ✓ Clean — 312 files verified.
[14:23:31] ✓ Clean — 312 files verified.
[14:24:01] ⚠ 1 change(s) detected!

Design Decisions

  • SHA-256 only — One algorithm, no configuration surface for downgrade attacks.
  • No timestamps for comparison — File modification times are trivially spoofable. Only hash comparison determines integrity.
  • Chunked reads — 8 KB chunks handle multi-gigabyte files without memory pressure.
  • Symlink exclusion — Prevents symlink-based traversal attacks during scanning.
  • Zero dependencies — Nothing to supply-chain attack. Standard library only.

Baseline Format

The .securehash.json manifest is human-readable:

{
  "version": "1.2.0",
  "algorithm": "sha256",
  "created_at": "2025-03-15T12:00:00+00:00",
  "root_directory": "/home/user/project",
  "file_count": 48,
  "records": {
    "src/main.py": {
      "path": "src/main.py",
      "sha256": "a1b2c3d4...",
      "size": 2048,
      "modified": 1710504000.0
    }
  }
}
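
As an added example (not the project's own code), the following compact version of the logic described under Design Decisions and Baseline Format: SHA-256 over 8 KB chunks, excluded directory names pruned during the walk, symlinks skipped, records in the manifest layout shown above, and a hash-only three-way diff that yields the tool's 0/2 exit codes. It assumes the scanner ignores its own .securehash.json; demo() builds a constructed temporary tree, baselines it, then edits one file, adds one and deletes one.

```python
# Added example (not the project's code): SecureHash-style baseline and verify logic.
import hashlib
import os
import tempfile
from pathlib import Path

CHUNK = 8192  # 8 KB reads keep memory flat on multi-gigabyte files
EXCLUDE = {"__pycache__", ".git", "node_modules"}  # directory names pruned while walking

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def build_records(root: Path) -> dict:  # manifest 'records': relative POSIX path -> entry
    records = {}
    for dirpath, dirnames, filenames in os.walk(root):  # followlinks=False by default
        dirnames[:] = [d for d in dirnames if d not in EXCLUDE]  # prune in place
        for name in filenames:
            full = Path(dirpath, name)
            if full.is_symlink() or name == ".securehash.json":
                continue  # never follow links; the manifest is not part of its own baseline
            rel = full.relative_to(root).as_posix()
            st = full.stat()
            records[rel] = {"path": rel, "sha256": sha256_file(full),
                            "size": st.st_size, "modified": st.st_mtime}
    return records

def compare(baseline: dict, current: dict) -> dict:
    both = baseline.keys() & current.keys()  # hash-only: size and mtime are never trusted
    return {"modified": sorted(p for p in both if baseline[p]["sha256"] != current[p]["sha256"]),
            "added": sorted(current.keys() - baseline.keys()),
            "removed": sorted(baseline.keys() - current.keys())}

def demo() -> dict:  # constructed scenario: edit one file, add one, delete one, keep one
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, text in [("config/settings.yaml", "debug: false\n"),
                          ("docs/api.md", "# API\n"), ("main.py", "print('hi')\n")]:
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(text)
        baseline = build_records(root)
        (root / "config/settings.yaml").write_text("debug: true\n")  # modified
        (root / "new.sh").write_text("echo new\n")  # added
        (root / "docs/api.md").unlink()  # removed
        diff = compare(baseline, build_records(root))
        return {**diff, "exit": 2 if any(diff.values()) else 0}  # 0 = clean, 2 = changes
```

Because the manifest is written inside the monitored tree, anyone who can alter the files can usually rewrite the baseline too; keeping a copy of .securehash.json (or at least its hash) outside the tree preserves the value of the comparison.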

License

MIT — see LICENSE.

About

File integrity monitoring tool — SHA-256 baseline comparison with watch mode. Zero dependencies.
