Kekkai
A lightweight Go tool for detecting file tampering by comparing content-based hashes stored securely in S3.
Install / Use
/learn @catatsuy/KekkaiREADME
Kekkai
A simple and fast Go tool for file integrity monitoring. Detects unauthorized file modifications caused by OS command injection and other attacks by recording file hashes during deployment and verifying them periodically.
The name "Kekkai" comes from the Japanese word 結界 (kekkai), meaning "barrier" - a protective boundary that keeps unwanted things out, perfectly representing this tool's purpose of protecting your files from tampering.
Takumi, the AI offensive security engineer
<a href="https://flatt.tech/oss/gmo/trampoline" target="_blank"><img src="https://flatt.tech/assets/images/badges/gmo-oss.svg" height="24px"/></a>
Design Philosophy
Kekkai was designed to solve specific challenges in production server environments:
Why Kekkai?
Traditional tools like tar or file sync utilities (e.g., rsync) include metadata like timestamps in their comparisons, causing false positives when only timestamps change. In environments with heavy NFS usage or dynamic log directories, existing tools become difficult to configure and maintain.
Core Principles
-
Content-Only Hashing
- Hashes only file contents, ignoring timestamps and metadata
- Detects actual content changes, not superficial modifications
-
Immutable Exclude Rules
- Exclude patterns are set during manifest generation only
- Cannot be modified during verification, preventing attackers from hiding changes
- Only exclude server-generated files (logs, cache, uploads, NFS mounts)
- Application dependencies (vendor, node_modules) are monitored as they're part of the deployment
-
Symlink Security
- Uses
os.Lstatto properly detect symlinks without following them - Tracks symbolic links with their target paths (via
os.Readlink) - Hashes the symlink target path itself, not the target's content
- Detects when symlinks are modified to point to different targets
- Detects when regular files are replaced with symlinks (and vice versa)
- Prevents attackers from hiding malicious changes through symlink manipulation
- Uses
-
Secure Hash Storage with S3
- Deploy servers have write-only access
- Application servers have read-only access
- Even if compromised, attackers cannot modify stored hashes
- Local file output available for testing
-
Tamper-Resistant Distribution
- Single Go binary with minimal dependencies
- Recommended to run with restricted permissions
- Configuration should be read from S3 or managed paths, not local files
Features
- 🚀 Fast: Efficient hash calculation with parallel processing
- 🔒 Secure: Tamper-proof storage with S3 integration
- 📊 Monitoring Ready: Multiple output formats for various monitoring systems
- 🎯 Deterministic: Same file structure always produces the same hash
- ☁️ EC2 Ready: Authentication via IAM roles
Installation
# Build from source
git clone https://github.com/catatsuy/kekkai.git
cd kekkai
make
# Or directly with go build
go build -o ./bin/kekkai ./cmd/kekkai
# Run tests
make test
Usage
Basic Usage
# Generate manifest
kekkai generate --target /var/www/app --output manifest.json
# Verify files
kekkai verify --manifest manifest.json --target /var/www/app
Advanced Usage
Target Specific Files
kekkai generate \
--target /var/www/app \
--exclude "*.log" \
--exclude "cache/**" \
--output manifest.json
Using S3 Storage
Kekkai stores manifests in S3 for secure, centralized management. Each deployment updates the same manifest.json file.
# For production deployment (must explicitly specify --base-path)
kekkai generate \
--target /var/www/app \
--s3-bucket my-manifests \
--app-name myapp \
--base-path production # Explicitly required for production
# For staging/development (uses default "development" if not specified)
kekkai generate \
--target /var/www/app \
--s3-bucket my-manifests \
--app-name myapp \
--base-path staging
# During verification (must match the base-path used during generation)
kekkai verify \
--s3-bucket my-manifests \
--app-name myapp \
--base-path production \
--target /var/www/app
Benefits:
- Lower S3 costs - Minimal S3 operations
- Clean structure - One manifest file per application
Monitoring Integration
# Add to crontab for periodic checks
*/5 * * * * kekkai verify \
--s3-bucket my-manifests \
--app-name myapp \
--base-path production \
--target /var/www/app
# Use cache for faster verification (cache in temp directory)
*/5 * * * * kekkai verify \
--s3-bucket my-manifests \
--app-name myapp \
--base-path production \
--target /var/www/app \
--use-cache \
--verify-probability 0.1
# Use persistent cache in custom directory
*/5 * * * * kekkai verify \
--s3-bucket my-manifests \
--app-name myapp \
--base-path production \
--target /var/www/app \
--use-cache \
--cache-dir /var/cache/kekkai \
--verify-probability 0.1
Configure your monitoring system to alert based on your requirements (e.g., alert after consecutive failures).
Preset Examples
These examples show common exclude patterns for various frameworks. Important: Only exclude files generated on the server (logs, cache, uploads). Application dependencies like vendor or node_modules MUST be monitored as they are part of the deployed application.
For production use, replace --output manifest.json with S3 storage options (--s3-bucket, --app-name, --base-path).
Laravel
kekkai generate \
--target /var/www/app \
--exclude "storage/**" \
--exclude "bootstrap/cache/**" \
--exclude "*.log" \
--output manifest.json
Node.js
kekkai generate \
--target /var/www/app \
--exclude "*.log" \
--exclude ".npm/**" \
--exclude "tmp/**" \
--output manifest.json
Rails
kekkai generate \
--target /var/www/app \
--exclude "log/**" \
--exclude "tmp/**" \
--exclude "public/assets/**" \
--output manifest.json
Python/Django
kekkai generate \
--target /var/www/app \
--exclude "**/__pycache__/**" \
--exclude "media/**" \
--exclude "staticfiles/**" \
--exclude "*.pyc" \
--output manifest.json
S3 Configuration
IAM Policies
For deployment server (write access):
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:PutObject"
],
"Resource": "arn:aws:s3:::my-manifests/*"
}
]
}
For production server (read-only):
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": "arn:aws:s3:::my-manifests/*"
}
]
}
S3 Bucket Setup
Recommended: Enable S3 versioning to maintain history of manifest changes.
# Optional: Enable versioning for history tracking
aws s3api put-bucket-versioning \
--bucket my-manifests \
--versioning-configuration Status=Enabled
# Enable encryption
aws s3api put-bucket-encryption \
--bucket my-manifests \
--server-side-encryption-configuration '{
"Rules": [{
"ApplyServerSideEncryptionByDefault": {
"SSEAlgorithm": "AES256"
}
}]
}'
# Optional: Set lifecycle policy to delete old versions after N days
aws s3api put-bucket-lifecycle-configuration \
--bucket my-manifests \
--lifecycle-configuration '{
"Rules": [{
"Id": "DeleteOldVersions",
"Status": "Enabled",
"NoncurrentVersionExpiration": {
"NoncurrentDays": 30
}
}]
}'
Deployment Flow Example
#!/bin/bash
# deploy.sh
set -e
APP_NAME="myapp"
DEPLOY_DIR="/var/www/app"
S3_BUCKET="my-manifests"
# 1. Install dependencies locally
cd ./src
composer install --no-dev
# 2. Deploy application to server
rsync -av ./src/ ${DEPLOY_DIR}/
# 3. Generate manifest and save to S3
# Note: For production, explicitly specify --base-path production
kekkai generate \
--target ${DEPLOY_DIR} \
--exclude "storage/**" \
--exclude "bootstrap/cache/**" \
--s3-bucket ${S3_BUCKET} \
--app-name ${APP_NAME} \
--base-path production # MUST be explicit for production
echo "Deploy completed with integrity manifest"
echo "Manifest saved to: ${S3_BUCKET}/production/${APP_NAME}/manifest.json"
Command Reference
generate
Generate a manifest file.
Options:
-target string Target directory (default ".")
-output string Output file, "-" for stdout (default "-")
-exclude string Exclude pattern (can be specified multiple times)
-s3-bucket string S3 bucket name
-s3-region string AWS region
-base-path string S3 base path (default "development")
-app-name string Application name (creates path: {base-path}/{app-name}/manifest.json)
-format string Output format: text, json (default "text")
-workers int Number of worker threads (0 = auto detect, capped at CPU count)
-rate-limit int Rate limit in bytes per second (0 = no limit)
-timeout int Timeout in seconds (default: 300)
verify
Verify file integrity.
Options:
-manifest string Manifest file path
-s3-bucket string S3 bucket name
-s3-region string AWS region
-base-path string S3 base path (default "development")
-app-name string Application name (reads from: {base-path}/{app-name}/manifest.json)
-target string Target directory to verify (default ".")
-format string Output format: text, json (default "text")
-workers int Number of worker threads (0 = auto detect, capped at CPU count)
-rate-limit int Rate limit in bytes per second (0 = no limit)
-timeout int Timeout in seconds (default: 300)
-use-cache Enable local cache for verification (checks size, mtime, ctime)
-cache-dir string Directory for cache file (default: system temp directory)
-verify-probabil
Related Skills
qqbot-channel
344.1kQQ 频道管理技能。查询频道列表、子频道、成员、发帖、公告、日程等操作。使用 qqbot_channel_api 工具代理 QQ 开放平台 HTTP 接口,自动处理 Token 鉴权。当用户需要查看频道、管理子频道、查询成员、发布帖子/公告/日程时使用。
docs-writer
99.8k`docs-writer` skill instructions As an expert technical writer and editor for the Gemini CLI project, you produce accurate, clear, and consistent documentation. When asked to write, edit, or revie
model-usage
344.1kUse CodexBar CLI local cost usage to summarize per-model usage for Codex or Claude, including the current (most recent) model or a full model breakdown. Trigger when asked for model-level usage/cost data from codexbar, or when you need a scriptable per-model summary from codexbar cost JSON.
Design
Campus Second-Hand Trading Platform \- General Design Document (v5.0 \- React Architecture \- Complete Final Version)1\. System Overall Design 1.1. Project Overview This project aims t
