The Night Everything Broke
My former employer got hacked.
At 3:07 AM, an attacker modified /etc/sudoers.
No alerts.
No logs reviewed.
No alarms.
We noticed it 3 days later.
That night, I opened a blank Python file:
file_monitoring.py
That file became Vigilo.
Why Existing Tools Failed Us
We didn't ignore security tools.
We tried them.
OSSEC
- 200+ MB RAM on idle
- 50+ lines of XML config for a single file
- False positives drowning real alerts
Wazuh
- 30+ minutes installation
- YAML + agents + dashboards
- Massive overkill for < 50 servers
What we needed was simple:
"Tell me immediately when a critical file changes.
Nothing more. Nothing less."
What I Built Instead
Vigilo is a lightweight File Integrity Monitor built for real-world ops teams.
- < 15 MB RAM
- < 1 second alert latency
- Zero configuration hell
- 100% Python, easy to hack & extend
Core Design Principles
Install in under 60 seconds
Minimal memory footprint
Readable, auditable code
Production-ready from day one
Technical Architecture
```
vigilo/
├── file_monitoring.py   # SHA-256 + metadata tracking
├── FileWatcher.py       # inotify wrapper with smart filtering
├── logger.py            # thread-safe persistent storage
├── alert_manager.py     # system / future email / webhook alerts
└── main.py              # CLI entrypoint
```
Performance Optimizations That Matter
1. In-Memory Baseline Cache
Before (slow, disk-bound):
```python
def handle_event(path):
    # every inotify event re-reads the baseline from disk
    baseline = read_from_disk(path)
```
After (fast, O(1)):
```python
def handle_event(self, path):
    # the baseline dict is loaded once at startup and kept in memory
    baseline = self.cache[path]
```
Result: 10× faster event processing.
2. Atomic Writes (No Corrupted State)
```python
import json, os

def save_state(state, path="file_info.json"):
    temp = path + ".tmp"
    with open(temp, "w") as f:
        json.dump(state, f)   # write the complete new state to a temp file first
    os.replace(temp, path)    # POSIX atomic rename: readers see old or new, never half
```
Even a crash won't break your baseline.
3. Thread Safety (Because Events Are Brutal)
```python
import threading

_db_lock = threading.Lock()

def save_state_locked(state):
    with _db_lock:        # one writer at a time, even under an event storm
        save_state(state)
```
No race conditions. No silent corruption.
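The three optimizations above fit together in one small class: a SHA-256 plus metadata fingerprint, a dict cache consulted on every event, and a lock-protected temp-file-then-rename save with 0o600 permissions. This is an added example, not Vigilo's own code; the `fingerprint` function, the `BaselineStore` class and the `file_info.json` state-file name are assumptions for illustration.

```python
import hashlib
import json
import os
import stat
import threading


def fingerprint(path):
    """SHA-256 of the content plus the metadata a tampering edit usually disturbs."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = os.stat(path)
    return {
        "sha256": h.hexdigest(),
        "size": st.st_size,
        "mode": stat.S_IMODE(st.st_mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "mtime": st.st_mtime,
    }


class BaselineStore:
    """Baseline kept in memory (O(1) per event), persisted atomically under a lock.

    Hypothetical class, not part of Vigilo; state_file is e.g. file_info.json.
    """

    def __init__(self, state_file):
        self.state_file = state_file
        self.cache = {}                    # path -> fingerprint dict
        self._db_lock = threading.Lock()   # one writer at a time
        if os.path.exists(state_file):
            with open(state_file) as f:
                self.cache = json.load(f)

    def add(self, path):
        """Record the current state of `path` as its trusted baseline."""
        with self._db_lock:
            self.cache[path] = fingerprint(path)
        self.save()

    def check(self, path):
        """Compare the live file with the cached baseline; return the changed keys."""
        baseline = self.cache.get(path)    # dict lookup, no disk read per event
        if baseline is None:
            return ["untracked"]
        if not os.path.exists(path):
            return ["deleted"]
        current = fingerprint(path)
        return [key for key in baseline if baseline[key] != current[key]]

    def save(self):
        """Write the whole baseline to a temp file, then rename it into place."""
        temp = self.state_file + ".tmp"
        with self._db_lock:
            # 0o600 so other local users cannot read the baseline.
            fd = os.open(temp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
            with os.fdopen(fd, "w") as f:
                json.dump(self.cache, f)
                f.flush()
                os.fsync(f.fileno())       # data on disk before the rename
            os.replace(temp, self.state_file)  # POSIX atomic: old or new, never half
```

`check` returns the list of fingerprint fields that differ, so an alert can say "sha256, size, mode changed" rather than just "changed"; a mode or uid change with an unchanged hash is exactly the kind of permission tampering a content-only check misses.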
Benchmarks
Test: Monitoring /etc/nginx/nginx.conf
Load: 10 modifications / second

| Tool   | CPU  | RAM    | False Positives |
|--------|------|--------|-----------------|
| Vigilo | 0.8% | 11 MB  | 0               |
| OSSEC  | 3.2% | 187 MB | 14              |
| Wazuh  | 5.1% | 243 MB | 23              |
Usage
Install
```shell
pip install -r requirements.txt
```
Add a file to monitoring
```shell
vigilo add /etc/nginx/nginx.conf --preset full --alert system
```
Start monitoring
```shell
vigilo start
```
Modify the file → desktop alert in < 1 second.
Security First (Yes, Even the Tool)
- Path whitelisting (no /etc/shadow)
- Command injection protection (shlex.quote)
- Strict file permissions (0o600)
- Input validation on all CLI arguments
Lessons Learned (The Hard Way)
Night 1: The Watchdog Spam
One file triggered 1000+ events/min.
Fixed by filtering events before processing.
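What "filtering events before processing" looks like in practice: drop editor scratch files and unwatched paths, then collapse a burst of events on one file into a single alert. This is an added example, not Vigilo's FileWatcher code; the `coalesce` function, the noise-suffix list and the event stream are constructed for illustration, and the `(timestamp, path, kind)` tuple shape is an assumption about what an inotify wrapper hands over.

```python
import os

# Editor and package-manager scratch files that fire events but are never the
# file an operator asked to watch (constructed list, not Vigilo's real filter).
NOISE_SUFFIXES = (".swp", ".swx", ".tmp", "~")


def is_noise(path):
    name = os.path.basename(path)
    return name.endswith(NOISE_SUFFIXES) or name.startswith(".#")


def coalesce(events, watched, window=1.0):
    """Turn a raw event stream into one alert per burst.

    events:  iterable of (timestamp, path, kind) tuples
    watched: set of paths the operator registered
    window:  seconds of silence that ends a burst
    Returns bursts sorted by first timestamp, each a dict with
    "path", "first", "last", "events" and "kinds".
    """
    finished = []
    open_bursts = {}   # path -> burst currently being extended
    for ts, path, kind in sorted(events, key=lambda e: e[0]):
        if path not in watched or is_noise(path):
            continue       # dropped before any hashing or alerting happens
        burst = open_bursts.get(path)
        if burst is not None and ts - burst["last"] <= window:
            burst["last"] = ts
            burst["events"] += 1
            burst["kinds"].add(kind)
            continue
        if burst is not None:
            finished.append(burst)
        open_bursts[path] = {"path": path, "first": ts, "last": ts,
                             "events": 1, "kinds": {kind}}
    finished.extend(open_bursts.values())
    return sorted(finished, key=lambda b: b["first"])


def constructed_events():
    """Constructed sample: a 1000-event burst, editor swap-file noise, an
    unwatched file, and one later, separate change."""
    ev = [(100.0 + i * 0.001, "/etc/nginx/nginx.conf", "MODIFY") for i in range(1000)]
    ev += [(100.0 + i * 0.01, "/etc/nginx/.nginx.conf.swp", "MODIFY") for i in range(50)]
    ev.append((100.5, "/etc/hosts", "MODIFY"))
    ev.append((200.0, "/etc/nginx/nginx.conf", "ATTRIB"))
    return ev


if __name__ == "__main__":
    for b in coalesce(constructed_events(), {"/etc/nginx/nginx.conf"}):
        span = b["last"] - b["first"]
        print(f"{b['path']}: {b['events']} events in {span:.3f}s -> 1 alert ({sorted(b['kinds'])})")
```

The burst record keeps the event count and the set of event kinds, so the single alert can still say "1000 modifications in one second" instead of hiding the storm; a pure rate limiter would throw that information away.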
Night 2: The Performance Breakthrough
Added in-memory cache.
Everything became 10× faster.
Night 3: The Security Obsession
Found a command injection flaw in alert execution.
6 hours replacing everything with shlex.quote().
Worth it.
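The two defensive points from "Security First" and Night 3 side by side: a whitelist check on the resolved path, and an alert command built so that a file name can never change the command's structure. Added example, not Vigilo's alert_manager code; the allowed roots, the denied files, the `notify-send` wording and all function names are assumptions for illustration. The unsafe variant is only parsed, never executed.

```python
import os
import shlex
import subprocess

# Assumed policy (not Vigilo's real configuration): only files under these
# directories may be registered, and these files are refused outright.
ALLOWED_ROOTS = ("/etc/nginx", "/etc/ssh", "/etc/systemd")
DENIED_FILES = frozenset({"/etc/shadow", "/etc/gshadow"})


def is_allowed_path(path):
    """Whitelist check on the resolved path, so '..' and symlinks cannot escape."""
    real = os.path.realpath(path)
    if real in DENIED_FILES:
        return False
    return any(real == root or real.startswith(root + os.sep) for root in ALLOWED_ROOTS)


def unsafe_alert_command(path):
    """The shape of the Night-3 flaw: a path spliced into a string meant for a shell."""
    return f"notify-send Vigilo 'Changed: {path}'"


def safe_alert_command(path):
    """Same command with shlex.quote: the path is always exactly one argument."""
    return f"notify-send Vigilo {shlex.quote('Changed: ' + path)}"


def alert_argv(path):
    """Preferred form: an argument list handed to subprocess without any shell."""
    return ["notify-send", "Vigilo", "Changed: " + path]


def tokens_seen_by_shell(command):
    """How a POSIX shell would split the string; None if it is not even parseable."""
    try:
        return shlex.split(command)
    except ValueError:
        return None


def send_alert(path, dry_run=True):
    """Validate the path, then run (or, when dry_run, just return) the argv form."""
    if not is_allowed_path(path):
        raise ValueError(f"refusing to alert on non-whitelisted path: {path!r}")
    argv = alert_argv(path)
    if not dry_run:
        subprocess.run(argv, check=False)   # list form: shell=False, nothing to inject into
    return argv


if __name__ == "__main__":
    # Constructed path with a quote and a semicolon, as an untrusted file name might carry.
    sample = "/etc/nginx/it's a; test"
    print("unsafe ->", tokens_seen_by_shell(unsafe_alert_command(sample)))
    print("safe   ->", tokens_seen_by_shell(safe_alert_command(sample)))
    print("argv   ->", send_alert(sample))
```

`tokens_seen_by_shell` makes the difference visible without running anything: the quoted command splits back into exactly the three arguments `alert_argv` intends, while the unquoted one does not. The argv form is the one to reach for when the alert backend allows it, since then there is no shell parsing step to protect at all; `shlex.quote` is the fix when a shell string is unavoidable.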
When NOT to Use Vigilo
- You manage 1000+ servers
- You need advanced event correlation
- You require enterprise SLAs
- You must meet strict compliance (use Tripwire / Wazuh instead)
When Vigilo Is Perfect:
- < 100 servers
- You want something that just works
- You hate false positives
- You like tools you can actually read and modify
Open Source
GitHub: https://github.com/FreemenTech/Vigilo
License: MIT
Contributions are welcome.
Questions or feedback? Drop them below.