Designing a File Tampering Detection Tool for a Legacy PHP Application

I work on a legacy PHP application that runs on AWS EC2. The application is deployed from a deploy server with rsync . In this environment, I needed a practical way to detect file tampering on application servers. Existing tools did not fit this deployment model well, so I built a small Go tool called kekkai and open-sourced it. In this post, I want to explain not only the design choices, but also the implementation and operational details that mattered in practice. https://github.com/catatsuy/kekkai The environment This application has these characteristics: it runs on AWS EC2 it is a legacy PHP application dependencies are installed on a deploy server the application is deployed with rsync This is a common setup for older PHP applications. I wanted a solution that fits this environment instead of assuming container images or immutable deployments. The basic model The model is simple. First, the deploy server calculates hashes for files and creates a manifest. The manifest can be stor