manpage of afick

NAME

afick - Another File Integrity Checker

DESCRIPTION

The goal of this program is to monitor what changes on your host: new, deleted or modified files. It can therefore be used as an intrusion detection system (by integrity checking). It is designed to be a portable clone of aide (Advanced Intrusion Detection Environment) or Tripwire.

For better security, you should run it regularly (for example as a batch task).

This is a command-line program; use afick-tk.pl if you prefer a graphical interface.

A web interface is also provided by a webmin module.

SYNOPSIS

afick [action] [options]

afick uses POSIX syntax, which allows many possibilities:

Mandatory action (one and only one must be used):

-i|--init                    initialize the hash.dbm database
-C|--check_config            only check the config file and exit
-G|--clean_config            check and clean the configuration, then exit
-U|--check_update            check if a software update is available
-k|--compare                 compare against the hash.dbm database
-l|--list "fic1,fic2,.."     check the files given in arg (separated by comma)
-u|--update                  compare and update the hash.dbm database
-p|--print                   print content of database
--search filter              print content of database, filtered (see man or html doc for examples)
--csv                        export the database in csv format
--export                     export database in portable text format
--import                     import a database from an exported file
--print_config               display all internal variables after arguments and config file parsing
                             (for debugging purposes); it is the same as the 4 following options, concatenated
--print_directive            display directives (after config file and command line parsing)
--print_macro                display macros (after config file parsing)
--print_alias                display aliases (after config file parsing)
--print_rule                 display rules (after config file parsing)
--stat_ext                   display list of file extensions, sorted by count (useful on Windows)
--stat_secu                  display some dangerous files (suid, sgid, group writable, world writable)
--stat_size                  display statistics on file size
--stat_date                  display chronological list of changed files
--duplicates                 display duplicate files

Other options

-a|--ignore_case             helpful on Windows platforms, dangerous on Unix ones
                             reverse: --noignore_case
-c|--config_file file        name of config file to use
-D|--database file           force the database name
-d|--debug level             set a level of debugging messages, from 0 (none) to 4 (full)
-f|--report_full_newdel      report full information for new or deleted directories
                             reverse: --noreport_full_newdel
-m|--warn_missing_file       warn about files declared in config files which do not exist
                             reverse: --nowarn_missing_file
-o|--allow_overload          allow rule overload: the last rule wins
                             reverse: --noallow_overload
--allow_relativepath         control files are stored with a relative path
                             reverse: --noallow_relativepath
-r|--running_files           warn about "running" files: modified since program begin
                             reverse: --norunning_files
-s|--warn_dead_symlinks      warn about dead symlinks
                             reverse: --nowarn_dead_symlinks
-Y|--follow_symlinks         checksum on the link's target file (yes) or on the target name (no)
                             reverse: --nofollow_symlinks
-S|--max_checksum_size size  maximum checksum size (bytes): for bigger files, only compute the checksum on the beginning of the file
                             0 means no limit
-t|--timing                  print timing statistics
                             reverse: --notiming
--utc_time                   display report dates in UTC time, else in local time
                             reverse: --noutc_time
-v|--verbose                 toggle verbose mode (identical to full debug)
                             reverse: --noverbose
-q|--quiet                   toggle quiet mode (print only if there is a change to report)
                             reverse: --noquiet
-P|--progress                display the name of scanned files, to be used only by afick-tk
-h|--help                    show this help page
--man                        full help
-V|--version                 show afick version
-x|--exclude_suffix "ext1 ext2"        list of file/dir suffixes to ignore
-X|--exclude_prefix "pre1 pre2"        list of file/dir prefixes to ignore
-R|--exclude_re "pattern1 pattern2"    list of file/dir patterns (regular expressions) to ignore
--only_suffix "ext1 ext2"              list of suffixes to scan (just these ones)
-y|--history file            history file of all runs with summary
-A|--archive directory       directory where archive files are stored
--report_url output          where to send the afick report; default is stdout
--report_syslog              send the afick report to syslog; reverse: --noreport_syslog
--report_summary             report changes in the summary section
--report_context             report all attribute changes (not only those from rules)
--mask_sysupdate             mask package updates

REQUIRED ARGUMENTS

You have to give afick an action to do. See below:

ACTIONS

You have to use one of these mandatory actions:

--init|-i

initialize the database.

--check_config|-C

only check the config file syntax and exit with the number of errors

--check_update|-U

check if a new software version is available on the web server

--clean_config|-G

check the config file syntax, clean (comment out) bad lines, and exit with the number of errors

--compare|-k

compare the file system with the database.

--list|-l "file1,file2,...,filen"

compare the specified files with the database. The files have to be separated by a comma. You can also use: -lfile1 -lfile2 (if a file name contains a space character, it must be quoted)

--csv

export the database in csv format; the first line gives the column titles

--print|-p

print the content of the database.

--export

export the database in portable text format to stdout, to be used with the --import option (see below)

--import

import a database from stdin. The source file must be the result of an --export command. The database is emptied before import.

--search your_filter

print the content of the database, filtered by your_filter.

filters are written with column keywords and perl operators, and should be quoted

keywords are: filetype, name, md5, sha1, sha256, sha512, checksum, device, inode, filemode, links, uid, acl, gid, filesize, blocs, atime, mtime, ctime

for example:

"filetype =~ m/symbolic/" : filter on file type

"filesize < 5000000" : filter on file size

"filemode & 04000" : extract suid files

"(filesize > 5000) and (name =~ m/urpmi/)" : you can combine filters

--print_config

display all internal variables after command line and config file parsing (for debugging purposes). It is the same as the 4 following options: --print_directive --print_macro --print_alias --print_rule

--print_directive

display directives (after config file and command line parsing)

--print_macro

display macros (after config file parsing)

--print_alias

display aliases (after config file parsing)

--print_rule

display rules (after config file parsing)

--update|-u

compare and update the database.

--stat_ext

display the list of file extensions, sorted by count (useful on Windows)

--stat_secu

display, from the database, some dangerous files (suid, sgid, group writable, world writable)

--stat_size

display, from the database, statistics on file size

can help to configure the max_checksum_size option

--stat_date

display a chronological list of changed files

be careful: the system only keeps the last change date

--duplicates

display a list of duplicate files: files with the same contents. It uses the checksum to compare files.

OPTIONS

You can use any number of the following options:

--archive|-A directory

write reports to "directory".

--config_file|-c configfile

read the configuration in config file named "configfile".

--database|-D name

name of database to use.

--debug|-d level

set a level of debugging messages, from 0 (none) to 4 (full)

--report_full_newdel|-f,(--noreport_full_newdel)

(do not) report full information on new and deleted directories.

--help|-h

Output summary help information and exit.

--man

Output full help information and exit.

--history|-y historyfile

write session status to the history file

--ignore_case|-a

ignore case for file names. Can be helpful on Windows operating systems, but is dangerous on Unix ones.

--max_checksum_size|-S size

set a maximum size (bytes) for checksums: on bigger files, compute the checksum only on the first 'size' bytes (0 means no limit)

--warn_missing_file|-m,(--nowarn_missing_file)

(do not) warn about files declared in config files which do not exist.

--warn_dead_symlinks|-s,(--nowarn_dead_symlinks)

(do not) warn about dead symlinks.

--follow_symlinks|-Y,(--nofollow_symlinks)

if set, compute the checksum on the target file, else compute the checksum on the target file name.

--allow_overload,(--noallow_overload)

if set, allow rule overload (the last rule wins); otherwise issue a warning and keep the first rule.

--allow_relativepath,(--noallow_relativepath)

if set, the auto-control files (afick scripts, config and database) are stored with a relative path.

--progress|-P

display the name of scanned files, to be used only by afick-tk

--running_files|-r,(--norunning_files)

(do not) warn about "running" files: modified since program begin.

--timing|-t,(--notiming)

(do not) print timing statistics.

--version|-V

Output version information and exit.

--quiet|-q,(--noquiet)

(not in) quiet mode: print only if there is a change to report. Do not use it with the stat_* options or your output will be empty. This mode is not recommended, as it does not allow you to check whether an afick log was removed to mask a system change (with afick_archive.pl --check).

--verbose|-v,(--noverbose)

(not in) verbose mode (obsolete).

--only_suffix "ext1 ext2 ... extn"

list of suffixes to scan (just these ones)

--exclude_suffix|-x "ext1 ext2 ... extn"

list of suffixes (files/directories ending in .ext1 or .ext2 ...) to ignore

--exclude_prefix|-X "pre1 pre2 ... pren"

list of prefixes (files/directories beginning with pre1 or pre2 ...) to ignore

--exclude_re|-R "pattern1 pattern2 ... patternn"

list of patterns (regular expressions) to ignore files or directories

--report_url output

output can be stdout, stderr or null (which means no output)

--report_syslog (--noreport_syslog)

send (or not) afick's report to syslog. The priority is 'notice' for info messages and 'warning' for warning messages. The facility is 'user'.

--report_summary,(--noreport_summary)

If true, report one line per file change in the summary section

--report_context,(--noreport_context)

If true, display all attribute changes, not only those selected by rules. To tell them apart, attributes from rules have a "w_" prefix (warning), and other attributes have an "i_" prefix (info).

--mask_sysupdate,(--nomask_sysupdate)

Each package update produces changes, which can be seen as false positives, and the package manager can be used to check those changes. This experimental option is set to false by default. If set to true, files which are not modified according to the package manager are masked. Only the Linux rpm and deb package managers are supported for now.

--utc_time,(--noutc_time)

if set, display report dates in UTC time, else in local time

CONFIGURATION

The configuration file can be given by the -c option. Otherwise it can be given by the AFICK_CONFIG environment variable. Otherwise, on Windows, afick searches for a file named windows.conf in the install directory. Otherwise (on Unix/Linux), it first searches for /etc/afick.conf, then for afick.conf in the install directory.

for the config file syntax see afick.conf(5)

FILES

afick can write several kinds of files

database file

the database is used to store data between afick runs. Name and path are set by the database directive

control file

it is used to check afick integrity. It has the name of the database, with '.ctr' suffix.

history file

(optional but recommended): used to keep a history of all report summaries. Name and path are set by the history directive

archive files

(optional but recommended): used to keep afick's reports. The path is set by the archive directive. The file name contains the afick run date in AAAAMMJJhhmmss format (year, month, day, hour, minute, second)

log file

unix log files (in /var/log) are created when using the afick_cron script

DATABASE

Until release 2.9, the database backend was SDBM, because it was the only one available on every operating system.

Starting with release 2.10, afick can use other database backends: the 'best' available one is detected on init. There is no way to migrate an existing SDBM base to a new format; the only way is to re-run afick in init mode (caution: changes since the last update will be "lost").

USAGE

To use this program, you must

first adjust the config file to your needs (see afick.conf(5) for the syntax)

then initialize the database with: afick -c afick.conf --init

then you can compare with: afick -c afick.conf -k

or compare and update with: afick -c afick.conf --update

then the best way is to set up a batch task to get regular checks; you can use the afick_cron script on Unix/Linux systems or afick_planning.pl on Windows

ENVIRONMENT

AFICK_CONFIG

The config file can be set with AFICK_CONFIG environment variable.

AFICK_CHROOT

this defines the chroot directory for files declared with a '@' (see afick.conf(5)).

example :

AFICK_CHROOT=/usr/local

@software all

will scan for files in /usr/local/software

in the configuration file

if the config file contains references to environment variables (syntax: ${name}), they are expanded at the beginning of config analysis.
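As an added illustration of the two expansions described in this section (not afick's own code, and not a substitute for the afick.conf(5) syntax), the following POSIX shell functions rewrite configuration lines the same way: ${NAME} references are replaced from the environment, and a leading '@' is replaced by the AFICK_CHROOT directory. The sample lines and variable names (MYPREFIX) are constructed for the demonstration; the behaviour when AFICK_CHROOT is unset (the line is left unchanged) is an assumption of this example, not something the manual states.

```shell
#!/bin/sh
# Added example, not part of afick: expand ${NAME} references and the '@' chroot
# prefix in afick.conf-style lines, as the ENVIRONMENT section describes.

# Replace every ${NAME} in "$1" with the value of the environment variable NAME.
# Only plain identifier names are looked up; anything else expands to "" rather
# than being passed to eval, so a hostile config line cannot run code here.
expand_env_refs() {
    line=$1
    while :; do
        case "$line" in
            *\$\{*\}*) ;;          # still contains a ${...} reference
            *) break ;;
        esac
        before=${line%%\$\{*}      # text before the first "${"
        rest=${line#*\$\{}         # text after the first "${"
        name=${rest%%\}*}          # variable name up to the first "}"
        after=${rest#*\}}          # text after that "}"
        if printf '%s' "$name" | grep -Eq '^[A-Za-z_][A-Za-z0-9_]*$'; then
            eval "value=\${$name:-}"
        else
            value=""
        fi
        line="$before$value$after"
    done
    printf '%s\n' "$line"
}

# Resolve a leading '@': "@software all" with AFICK_CHROOT=/usr/local becomes
# "/usr/local/software all". Assumption: with AFICK_CHROOT unset, the line is
# returned unchanged.
expand_chroot_prefix() {
    line=$1
    case "$line" in
        @*) if [ -n "${AFICK_CHROOT:-}" ]; then
                printf '%s\n' "${AFICK_CHROOT}/${line#@}"
            else
                printf '%s\n' "$line"
            fi ;;
        *)  printf '%s\n' "$line" ;;
    esac
}

# Full expansion of one config line: environment references first, then '@'.
expand_afick_line() {
    expand_chroot_prefix "$(expand_env_refs "$1")"
}

# Constructed sample run (only when this file is executed directly with "demo").
if [ "${1:-}" = "demo" ]; then
    AFICK_CHROOT=/usr/local; export AFICK_CHROOT
    MYPREFIX=/opt; export MYPREFIX
    expand_afick_line '@software all'           # /usr/local/software all
    expand_afick_line '${MYPREFIX}/bin all'     # /opt/bin all
    expand_afick_line '${not a name}/x all'     # /x all
fi
```

Running the file with the argument demo prints the three expanded lines; sourcing it gives you expand_afick_line for checking what a line in your own afick.conf will resolve to before you run --init.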

EXIT STATUS

An exit status of 0 means no differences were found and no dangling links (if the warn_dead_symlinks option is set); non-zero means some differences or dangling links were found. The non-zero value is a bitmap representing the type of difference found:

Bit 0 (value: 1)

Dangling

Bit 1 (value: 2)

Changed

Bit 2 (value: 4)

Deleted

Bit 3 (value: 8)

New
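The following POSIX shell wrapper is an added example (not afick's own afick_cron script) that ties the USAGE steps above to this EXIT STATUS bitmap: it runs afick in init, compare or update mode with a given config file, then decodes the returned status into the categories listed above so a scheduled job or monitoring hook can act on "deleted" differently from "new". It assumes afick is on the PATH as afick and that the config file is /etc/afick.conf; both can be overridden through the AFICK_BIN and AFICK_CONF environment variables, which are names chosen for this example.

```shell
#!/bin/sh
# Added example, not part of afick: run an afick action and decode its exit status.
# AFICK_BIN and AFICK_CONF are this example's own variables (assumptions).
AFICK_BIN="${AFICK_BIN:-afick}"
AFICK_CONF="${AFICK_CONF:-/etc/afick.conf}"

# Decode the EXIT STATUS bitmap: bit 0 = dangling (1), bit 1 = changed (2),
# bit 2 = deleted (4), bit 3 = new (8). Prints the set categories separated by
# spaces, or "clean" when the status is 0.
decode_afick_status() {
    status=$1
    out=""
    [ $((status & 1)) -ne 0 ] && out="$out dangling"
    [ $((status & 2)) -ne 0 ] && out="$out changed"
    [ $((status & 4)) -ne 0 ] && out="$out deleted"
    [ $((status & 8)) -ne 0 ] && out="$out new"
    if [ -z "$out" ]; then
        echo clean
    else
        echo "${out# }"
    fi
}

# Return 0 when bit "$2" (1, 2, 4 or 8) is set in status "$1", 1 otherwise.
afick_status_has() {
    [ $(($1 & $2)) -ne 0 ]
}

# Run one of the USAGE actions and report the decoded status; afick's own exit
# status is passed through so a cron job still sees it.
afick_run() {
    case "$1" in
        init)   "$AFICK_BIN" -c "$AFICK_CONF" --init ;;
        check)  "$AFICK_BIN" -c "$AFICK_CONF" -k ;;
        update) "$AFICK_BIN" -c "$AFICK_CONF" --update ;;
        *)      echo "usage: $0 init|check|update" >&2; return 2 ;;
    esac
    rc=$?
    echo "afick exit status $rc: $(decode_afick_status "$rc")"
    # Deleted files from the database are the kind of change a defender wants
    # to notice first; flag them explicitly for the calling job.
    if afick_status_has "$rc" 4; then
        echo "ATTENTION: files present in the database were deleted" >&2
    fi
    return "$rc"
}

# Only invoke afick when this file is executed with an action argument.
case "${1:-}" in
    init|check|update) afick_run "$1" ;;
esac
```

Scheduling afick_run check from cron keeps afick's non-zero status visible to the scheduler while the decoded line tells you at a glance which bits were set (for example status 10 means "changed new").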

SECURITY

For better security, afick not only checks the rules from the configuration file, but also tries to check itself (perl scripts, configuration file, database) and warns if something changes.

SEE ALSO

afick.conf(5) for the configuration file syntax

afick-tk(1) for the graphical interface

afick(1) for the command-line interface

afickonfig(1) for a tool to change afick's configuration file

afick_archive(1) for a tool to manage archived reports

afick_learn(1) for a learning tool

DIAGNOSTICS

for diagnostics, you can run afick in debug mode with the --debug 4 command line option

DEPENDENCIES

this program only uses perl and its standard modules.

INCOMPATIBILITIES

none known

BUGS AND LIMITATIONS

afick works on files; it is not a Version Control System, and it does not show registry changes for Windows users

LICENSE AND COPYRIGHT

Copyright (c) 2002 Eric Gerbier All rights reserved.

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

AUTHOR

Eric Gerbier

you can report any bug or suggestion to eric.gerbier@tutanota.com