afick - Another File Integrity Checker
The goal of this program is to monitor what changes on your host: new, deleted or modified files. It can therefore be used as an intrusion detection system (by integrity checking). It is designed to be a portable clone of aide (Advanced Intrusion Detection Environment) or Tripwire.
You should launch it regularly (by cron for example) and after any software change.
This is a command-line program; you can use afick-tk.pl if you prefer a graphical interface.
afick uses POSIX option syntax, which allows many possibilities:

Mandatory action (you have to use one, and only one, of these):

  -i|--init                   initialize the hash.dbm database
  -C|--check_config           only check the config file and exit
  -G|--clean_config           check and clean the configuration, then exit
  -U|--check_update           check if a software update is available
  -k|--compare                compare against the hash.dbm database
  -l|--list fic1 .. fic2      check the files given as arguments
  -u|--update                 compare and update the hash.dbm database
  -p|--print                  print the content of the database
  --search filter             print the content of the database, filtered
                              (see the man or html doc for examples)
  --print_config              display all internal variables after arguments and
                              config file parsing; it is the same as the 4
                              following options concatenated (for debugging purposes)
  --print_directive           display directives (after config file and command line parsing)
  --print_macro               display macros (after config file parsing)
  --print_alias               display aliases (after config file parsing)
  --print_rule                display rules (after config file parsing)
  --stat_secu                 display from databases some dangerous files
                              (suid, sgid, group writable, world writable)
  --stat_size                 display from databases statistics on file size;
                              can help to configure the max_checksum_size option

Filters for --search are to be written with column keywords and Perl operators, and should be quoted.
Keywords are: filetype, name, md5, sha1, checksum, device, inode, filemode, links, uid, acl, gid, filesize, blocs, atime, mtime, ctime
For example:
  "filetype =~ m/symbolic/"                   : filter on file type
  "filesize < 5000000"                        : filter on file size
  "filemode & 04000"                          : extract suid files
  "(filesize > 5000) and (name =~ m/urpmi/)"  : you can combine filters

Other options (you can use any number of them):

  -a|--ignore_case            helpful on Windows platforms, dangerous on Unix ones;
                              reverse: --noignore_case
  -c|--config_file file       name of the config file to use
  -D|--database file          force the database name
  -d|--debug level            set a level of debugging messages, from 0 (none) to 4 (full)
  -f|--full_newdel            report full information for new or deleted directories;
                              reverse: --nofull_newdel
  -m|--missing_files          warn about files declared in config files which do not exist;
                              reverse: --nomissing_files
  -o|--allow_overload         allow rule overload: the last rule wins;
                              reverse: --noallow_overload
  -r|--running_files          warn about "running" files: modified since the program began;
                              reverse: --norunning_files
  -s|--dead_symlinks          warn about dead symlinks; reverse: --nodead_symlinks
  -Y|--follow_symlinks        checksum on the link's target file (yes) or checksum on the
                              target name (no); reverse: --nofollow_symlinks
  -S|--max_checksum_size size maximum checksum size (bytes): for bigger files, the checksum
                              is computed only on the beginning of the file; 0 means no limit
  -t|--timing                 print timing statistics; reverse: --notiming
  -v|--verbose                toggle verbose mode (identical to full debug); reverse: --noverbose
  -P|--progress               display the name of scanned files, to be used only by afick-tk
  -h|--help                   show this help page
  --man                       full help
  -V|--version                show afick version
  -x|--exclude_suffix ext1 ext2       list of file/dir suffixes to ignore
  -X|--exclude_prefix pre1 pre2       list of file/dir prefixes to ignore
  -R|--exclude_re pattern1 pattern2   list of file/dir patterns (regular expressions) to ignore
  -y|--history file           history file of all runs with summary
  -A|--archive directory      directory where archive files are stored
  --report_url output         where to send the afick report; default is stdout
  --report_syslog             send the afick report to syslog; reverse: --noreport_syslog
If no config file is given on the command line, afick tries to open /etc/afick.conf (Unix) or windows.conf (Windows) as the default config.
For the config file syntax see afick.conf(5).
afick uses a "control file" too. It has the name of the database, with a '.ctr' suffix.
Until release 2.9, the database backend was SDBM, because it was the only one available on every operating system.
Starting with the 2.10 release, afick can use other database backends: the "best" available one is detected on init. There is no way to migrate an existing SDBM database to a new format; the only way is to re-run afick in init mode (caution: changes since the last update will be "lost").
To use this program, you must:
  first adjust the config file to your needs (see afick.conf(5) for the syntax),
  then initialize the database with:
    afick -c afick.conf --init
  then you can compare with:
    afick -c afick.conf -k
  or compare and update with:
    afick -c afick.conf --update
The default config file can be set with AFICK_CONFIG environment variable.
An exit status of 0 means no differences were found and no dangling links (if the warn_dead_symlinks option is set); non-zero means some differences or some dangling links were found. The non-zero value is a bitmap representing the type of difference found:
For better security, afick not only checks the rules from the configuration file, but also tries to check itself: Perl scripts, configuration file and database, and warns if something changed.
This program uses only Perl and its standard modules.
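The init / compare / update procedure above, together with the exit-status convention, is what a cron job has to drive. The following wrapper is an added example, not part of the afick man page or the afick project: it builds the documented command lines, runs a compare, and turns the exit status into a logged, cron-friendly result. The AFICK_BIN variable, the log path and the function names are assumptions of this example; only 0 versus non-zero is interpreted, since the individual bitmap values are not given here.

```shell
#!/bin/sh
# Added example (not afick's own code): cron wrapper around the documented
# init / compare / update procedure. AFICK_BIN, the log path and the
# function names are assumptions.
set -u

AFICK_BIN="${AFICK_BIN:-afick}"

# Build the afick command line for one of the three documented modes.
# Arguments: mode (init|compare|update), config file path.
afick_cmd() {
    mode="$1"
    conf="$2"
    case "$mode" in
        init)    echo "$AFICK_BIN -c $conf --init" ;;
        compare) echo "$AFICK_BIN -c $conf -k" ;;
        update)  echo "$AFICK_BIN -c $conf --update" ;;
        *)       echo "unknown mode: $mode" >&2; return 1 ;;
    esac
}

# Interpret an afick exit status: 0 means no differences (and no dangling
# links when warn_dead_symlinks is set); any non-zero value means differences
# or dangling links were reported, so a cron job should treat it as an alert.
classify_status() {
    if [ "$1" -eq 0 ]; then
        echo "clean"
    else
        echo "changed"
    fi
}

# Run a compare, append one summary line to a log, and return afick's own
# status so cron mail or monitoring sees the non-zero result.
run_compare() {
    conf="$1"
    log="${2:-/var/log/afick-cron.log}"   # assumed log location
    cmd=$(afick_cmd compare "$conf") || return 1
    $cmd
    status=$?
    printf '%s afick compare: %s (exit %d)\n' "$(date '+%F %T')" \
        "$(classify_status "$status")" "$status" >> "$log"
    return "$status"
}

# Typical use: "init" once after the config file is adjusted, then "compare"
# from cron; run afick --update only after an intended software change.
if [ "${1:-}" = "init" ]; then
    $(afick_cmd init "${2:-/etc/afick.conf}")
elif [ "${1:-}" = "compare" ]; then
    run_compare "${2:-/etc/afick.conf}"
fi
```

Because the script returns afick's own exit status, a cron entry such as running it in compare mode every night will produce mail (or a monitoring alert) only when something changed, which matches the "launch it regularly" advice above.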
afick.conf(5) for configuration file
afick-tk(1) for graphical interface
afickonfig(1) for a tool to change afick's configuration file
afick_archive(1) for a tool to manage archive's reports
Copyright (c) 2002 Eric Gerbier All rights reserved.
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
Eric Gerbier
You can report any bug or suggestion to gerbier@users.sourceforge.net