Config Monitoring

Know when configs change.
Instantly.

HostAtlas monitors configuration files across your infrastructure using SHA-256 hash-based change detection. Every 5 minutes, the agent checks 18 default paths plus any custom paths you add. When a config file changes, you know about it within minutes — with a full diff showing exactly what changed.

Start free — no credit card See how it works

5 min

Check interval

18

Default paths

SHA-256

Hash detection

Diff

Side-by-side

Detection Engine

SHA-256 hashes every 5 minutes. No file content leaves your server.

The HostAtlas agent computes a SHA-256 hash of each monitored config file every 5 minutes. When the hash changes, the agent reads the file content, generates a diff against the previous version, and sends the change event to the platform. Only the diff is transmitted — not the full file — minimizing bandwidth and exposure.

fingerprint

Step 1

Hash

Agent computes SHA-256 hash of each monitored file every 5 minutes.

compare

Step 2

Compare

New hash is compared against the stored hash. If they differ, a change is detected.

difference

Step 3

Diff

Agent generates a unified diff between the previous and current file content.

campaign

Step 4

Alert

Change event sent to platform. Alert rules fire. Critical files create auto-incidents.

Why SHA-256 hashing?

speed

Extremely fast

Hashing a config file takes microseconds. Even monitoring 50+ files adds negligible CPU overhead. The agent can check all paths in under 1ms total.

security

Cryptographically reliable

SHA-256 guarantees that any change, no matter how small — a single whitespace character, a comment, a newline — produces a completely different hash.

data_usage

Minimal network usage

Only 32 bytes per file per check. Full file content is only read and diffed when a change is detected. Normal operation transmits almost no data.

# Agent config check cycle
[INFO] Config check cycle starting (18 paths)
[INFO] /etc/nginx/nginx.conf — unchanged
[INFO] /etc/mysql/my.cnf — unchanged
[WARN] /etc/ssh/sshd_config — CHANGED
old: a1b2c3d4e5f6... new: f6e5d4c3b2a1...
[INFO] Generating diff for sshd_config
[ALERT] Critical file changed: sshd_config
[ALERT] Creating incident INC-4012
[INFO] /etc/redis/redis.conf — unchanged
... 14 more paths checked
[INFO] Config check complete: 1 change detected (0.4ms)

Default Paths

18 paths monitored out of the box.

HostAtlas monitors the most critical configuration files on Linux servers automatically. No setup required — the agent starts tracking these files the moment it is installed. Every path is checked every 5 minutes.

language Web Servers
/etc/nginx/nginx.conf
/etc/nginx/sites-enabled/*
/etc/apache2/apache2.conf
storage Databases
/etc/mysql/my.cnf
/etc/mysql/mysql.conf.d/*
/etc/postgresql/*/main/postgresql.conf
/etc/postgresql/*/main/pg_hba.conf
bolt Caching & Queues
/etc/redis/redis.conf
/etc/memcached.conf
code PHP
/etc/php/*/fpm/php.ini
/etc/php/*/fpm/pool.d/www.conf
shield Security Critical
/etc/ssh/sshd_config
/etc/sudoers
/etc/passwd
/etc/shadow

Auto-incident on any change

settings System
/etc/sysctl.conf
/etc/fstab
/etc/hosts

Custom Paths

Monitor any file. Glob patterns supported.

Add custom watch paths to monitor application configs, environment files, firewall rules, or any other file your infrastructure depends on. Glob patterns let you watch entire directories or file patterns with a single rule.

folder_open

Exact Paths

Monitor a specific file by its absolute path. Useful for application configs, .env files, or custom service configurations.

pattern

Glob Patterns

Use wildcards to watch multiple files: /etc/nginx/conf.d/*.conf monitors all nginx config files. Supports *, **, and ? wildcards.

label

Critical Flag

Mark any custom path as "critical" to enable auto-incident creation on change. Use this for files where any unauthorized modification should trigger an immediate investigation.

Custom Watch Paths
/var/www/app/.env

Application environment

Critical
/etc/nginx/conf.d/*.conf

Nginx virtual hosts (glob)

Normal
/etc/ufw/user.rules

Firewall rules

Critical
/etc/letsencrypt/renewal/*.conf

Let's Encrypt renewal configs (glob)

Normal
/etc/crontab

System crontab

Critical

Diff Viewer

See exactly what changed. Side by side.

When a config file changes, HostAtlas captures the diff and presents it in a side-by-side viewer. Removed lines are highlighted in red, added lines in green. You can see the before and after state of every change without SSHing into the server.

Config Change /etc/ssh/sshd_config
Critical File Apr 3, 2026 at 14:22:07 UTC
Removed
Added
3 lines changed
22 # Authentication settings
23 - PermitRootLogin no
23 + PermitRootLogin yes
24 PubkeyAuthentication yes
25 - PasswordAuthentication no
25 + PasswordAuthentication yes
26 ChallengeResponseAuthentication no
27 UsePAM yes
warning

Security Impact: Critical

PermitRootLogin changed from "no" to "yes" and PasswordAuthentication enabled. This significantly weakens SSH security. Incident INC-4012 created automatically.

INC-4012 Critical Open

Critical config changed: sshd_config on prod-web-01

Detected Apr 3, 2026 at 14:22:07 UTC · Auto-detected · Config Monitoring

File

/etc/ssh/sshd_config

Lines Changed

3 lines (2 modified, 0 added)

Key Changes

warning PermitRootLogin: no → yes
warning PasswordAuthentication: no → yes
View Full Diff

Auto-Incidents

Critical file changes create incidents automatically.

Changes to security-critical files like sshd_config, sudoers, passwd, and shadow automatically create incidents. These files should rarely change in production, and when they do, it often indicates either a security breach or an unauthorized configuration change that needs immediate review.

crisis_alert

Immediate Alert Delivery

All configured notification channels fire simultaneously. Slack, email, PagerDuty, and webhooks are all supported with the full change details included in the notification body.

difference

Diff Included in Alert

The notification includes the specific lines that changed, not just the file name. You can assess severity from the alert itself without opening the dashboard.

history

Full Change History

Every change to every monitored file is stored with its timestamp, SHA-256 hashes (before and after), and the full diff. You can review the complete history of any config file from the dashboard.

Alert Rules

Two alert types. Flexible routing.

HostAtlas provides two dedicated alert rule types for config monitoring. "Any Config Change" fires for all monitored files. "Critical File Change" fires only for files marked as critical. Both can be routed to different notification channels with different urgency levels.

edit_notifications

Any Config Change

Warning severity

Fires whenever any monitored config file changes. Use this for general awareness — route it to a low-urgency Slack channel or email digest so your team stays informed about infrastructure changes without being interrupted.

Triggers for all monitored paths
Includes file path and change summary
Configurable cooldown period
Low urgency — informational
gpp_bad

Critical File Change

Critical severity

Fires only for security-critical files: sshd_config, sudoers, passwd, shadow, and any custom path you mark as critical. Route this to high-urgency channels — PagerDuty, immediate Slack notifications — because these changes demand immediate attention.

Triggers for critical paths only
Includes full diff in notification
Auto-creates incident
High urgency — immediate response

Get started

Stop finding out about config changes the hard way.

Config monitoring is included on every HostAtlas plan. Install the agent and 18 critical paths are monitored immediately. Add custom watch paths for your application configs. Get alerts within 5 minutes of any change — with the full diff showing exactly what was modified.

Start free — no credit card View pricing plans

Quick install

$ curl -sSL https://install.hostatlas.app/install.sh | sudo bash -s -- --key=SERVER_KEY_