manpage of afick.conf

NAME

afick.conf - Configuration file for afick program

DESCRIPTION

This is the configuration file for afick software (Another File Integrity Checker). It contains the list of files/directories to scan and which attribute to monitor, the name of database to use ...

FILE

Afick use /etc/afick.conf (Unix) or windows.conf (Windows) as default configuration file (but you may change it with with -c afick's command-line option)

FILE FORMAT

afick configuration is similar in to aide's or tripwire's configuration file. With little effort aide.conf can be converted to afick format (see below portage section).

general rules :

There are four types of lines in afick configuration file :

directives

general afick parameters

aliases

customized user's rules

files

the list of files to monitor.

macros

batch parameters (Unix cron)

DIRECTIVES LINES

These lines have the format : keyword := value

for now, the available keywords are :

allow_overload := boolean value

if set to true, allow rule overload (the last rule wins), else put a warning and keep the first rule. Default is true.

allow_relativepath := boolean value

if set to true, auto-control files (afick scripts, config and database) are stored as relative path. This is usefull if this files may be moved (use afick from a cd for example). Default is false.

archive := path_to_archive_directory

directory with full path : the archive directory keep all logs, and can be used by webmin module. Default is empty (none).

database := path_to_database

name with full path : the database to use. This parameter is necessary.

debug := level

set a level of debugging messages, from 0 (none) to 4 (full). Default is 0.

only_suffix := ext1 ext2 ...

the default behavior is to scan all requested directories, and add some exception by rules or with the exclude_* directives. But in some cases it is easier to only define which suffixes you want. In this way exclude_* are not used, and the database will contain all directories, and only files with the given suffix. This directive is empty by default (disabled), and will be interesting on operating systems such windows : this will speed the scan, but decrease the security.

exclude_suffix := ext1 ext2 ...

a list of suffixes (files or directories ending in .ext1 or .ext2 ...) to ignore (for example : old bak tmp ). This directive can appear several times on a config file to group suffixes. Default is empty.

exclude_prefix := pre1 pre2 ...

a list of prefix (files or directories beginning with pre1 or pre2 ...) to ignore (for example : tmp toto ). This directive can appear several times on a config file to group prefixes. Default is empty.

exclude_re := pattern1

a file pattern (one by line), using the regex syntax. this apply on full file path. examples can be found on examples section. this directive can appear several times on a config file to group patterns. Default is empty.

Note : regex is very powerful, but as a complex syntax. In most cases, an easier way is to use globing on rules line.

if set to true, do checksum on target file, else do checksum on target file name. Default is no.

history := path_to_history

history file keep all dates and summary results. Default is empty (none).

ignore_case := boolean value

ignore case for file names (useful on Windows). Default is no.

mask_sysupdate := boolean value

each package update produces changes, which can be seen as false positives and the package manager can be used to check changes. this experimental option is set to false by default. If set to true, files which are not modified according the package manager, are masked linux rpm and deb package manager are available to use for now Default is no (experimental).

max_checksum_size := numeric value

checksum is cpu expensive, this value (a file size in bytes) indicates to have the checksum on first max_checksum_size first bytes, to have afick faster on big files. WARNING : this option will make afick faster but less secure ... default is 0 (no limit).

report_context := boolean value

afick is designed to report changed attributes, selected by rule. In some cases, it may be interesting to display all the attributes changes, when a rule match. For example, with a rule such md5, if the checksum changes, it will also display mtime, size and others interesting attributes. To make a difference, attributes from rules will have a "w_" prefix (warning), and other attributes will have a 'i_' prefix (info) Default is no.

report_full_newdel := boolean value

if true report all new files, else only first directory level (avoid too long outputs). Default is no.

report_url := stdout|stderr|null

where to send the report, default is stdout. null means no report.

report_summary := boolean value

If true, report in the summary section, one ligne by file change. Default is true.

report_syslog := boolean value

If true, send also the report to syslog. Default is no.

running_files := boolean value

warn about "running" files : modified since program begin, default is no.

timing := boolean value

Print timing statistics (user and system time), default is no.

utc_time := boolean

if set, display dates in utc time, else in local time. Default value is no

verbose := boolean value

for debugging purpose, default is no.

warn about dead symbolic links, default is no.

warn_missing_file := boolean value

if true, print a warning message if file selection does not exist, default is no.

The advice it to set it to true during the work on the config file (devel), to be able to detect errors, and set it to false after.

ATTRIBUTES

attributes define which parameters to monitor.

base attributes are :

a: atime

last access time in seconds since the epoch

b: blocks

actual number of blocks allocated

c: ctime

inode change time

d: device

device number of filesystem, major and minor number

g: group

gid of the file

i: inode

inode number

m: mtime

last modify time since epoch

md5 : md5 checksum

the default checksum, quick but not very secure. look at sha* for a better security

see ln command

p: permissions

owner, group, other (Unix)

u: user

uid of the file

s: file size

in bytes

sha1 : sha-1 checksum

is more secure than md5, but needs more time to compute. you can only set one sha checksum

sha256 : sha-256 checksum

is more secure than md5 and sha-1, but needs more time to compute. you can only set one sha checksum

sha512 : sha-512 checksum

is more secure than md5, sha-1, sha-512, but needs more time to compute. you can only set one sha checksum

ALIAS LINES

An alias define a customized set of attributes. It is used to write rules for some kind of files ( see examples)

the syntax is : alias_name = alias | attribute [ +attribute ] [ - attribute]

Afick comes with some pre-defined aliases :

all

for b+c+d+g+i+m+md5+n+p+u+s (all parameter except atime)

R

for p+d+i+n+u+g+s+m+c+md5 (for aide compatibility)

L

for p+d+i+n+u+g (for aide compatibility)

P

for u+g+p+s+n+5 (permission and checksum)

E

for (empty) (for aide compatibility)

FILES LINES

this lines define the list of files to monitor, and what to monitor.

the syntax is : selection_type selection_file attribute_flag

selection_type

There are three types of selection lines :

negative

Lines beginning with "!" : the file or directory specified is ignored. attributes flag are not necessary :)

example :

! /tmp
equals

Lines beginning with "=" : can be used to avoid sub-directory scan.

if the directory ends with a / : scan directory it-self and it's files, but not it's sub-directories

else only scan directory it-self (no files, no sub-directories)

example :

= /dev/scsi all
regular

others lines are regular selective lines : files are added, directories are added with their contents (files and sub-directories)

example :

/home all

selection_file

selection_file design a file or directory with it's full path

file names with space characters must be delimited with ""

you can use globing characters, but not regex.

if the file name begin by '@', the '@' will be expanded using AFICK_CHROOT environment variable

attribute_flag

it is the list of attribute used to detect a change

it can be :

an alias name

example : all

an expression as an alias definition

example : L - u + md5

CHROOT

The chroot feature means checking a variable path. For example, you build an afick_database for files on /devel, then want to use it on same files moved on /oper. To use it, you have to configure the AFICK_CHROOT environnement variable to the variable path to check, and use @ as prefix for the selection files under this this path. Configuration lines are expanded on run (see example below).

MACROS LINES

macros lines begin with @@define keyword, they are not used by afick it-self, but by batch job : afick_cron on unix/linux, afick_planning.pl on windows

@@define LINES a_number

is used to truncate too long mails from cron job

@@define MAILTO a_mail_address[,another_mail]

is used to send cron job output by mail. any number of email can be set, delimited by comma, without any space. If you want to use a local address, use local_address@localhost, not local_address, as afick check if the text chain contains a @.

@@define MAILHOST an_smtp_server

define the mail server to send the mail, on windows only

@@define MAILAUTH username,password

if the mail server needs authentification, set the name and password for it

@@define VERBOSE bool

with bool=1 to have a mail each day, and bool=0 to have only mail if find changes

@@define REPORT bool

with bool=1 to enable a mail report and bool=0 to disable mail report

@@define NICE val

(unix/linux only) val is the nice value (see man nice) : 10 is for a normal job, 14 for a normal cron job, 19 is for very low level job

@@define BATCH bool

is used to control afick cron job (for remote users with afick webmin module for example) : bool=1 allow cron job, bool=0 stop cron job

@@define MOUNT directory

(optionnal, unix/linux only) : specify a directory to mount before the scan and to unmount after the directory has to be defined in /etc/fstab file

@@define NAGIOS bool

(unix/linux only) with bool=1 to enable send status to nagios using ncsa and bool=0 to disable nagios report report

@@define NAGIOS_SERVER nagios_server

(unix/linux only) dns name or ip address of the nagios server to send messages to

@@define NAGIOS_CONFIG

(unix/linux only) path to NSCA configuration file (something like /etc/send_nsca.cfg)

@@define NAGIOS_CHECK_NAME

(unix/linux only) name used for nagios passive check on the nagios server side

@@define NAGIOS_CRITICAL_CHANGES val

(unix/linux only) number of the changes that are considered critical if changes greater than val , then nagios state CRITICAL,

if 0< val < changes then nagios state WARNING

if 0 changes, then nagios state OK

@@define NAGIOS_NCSA path_to_send_nsca

(unix/linux only) path to nsca binary (something like /usr/sbin/send_nsca)

@@define ARCHIVE_RETENTION nS

set archive retention period : 0 to keep all. else use the nS format, with n as a number S as a scale : d for days, w for week, m for month, y for year example : 3m to keep only the last 3 months

EXAMPLES

database := /var/lib/afick/afick

define the path to database

All= a+b+c+d+g+i+m+md5+n+p+u+s

defines the alias "All", from base attributes (could be done with "All=all+a" too)

ETC=All - i -c -a

define the ETC alias from another one

!/dev

ignores the /dev directory structure.

!/tmp/*.tmp

use globing to exclude files

=/proc/ p+u+g

scan /proc directory for files, not sub-directories

=/tmp R

scan just /tmp, not inside

/boot/vmlinux* all

add files with a joker definition

/etc ETC

use base attributes, on ETC alias

/var All - i -c -a

use modified alias All

exclude_re := sav$

exclude files ending with sav (for example toto.rpmsav, which is not excluded by exclude_suffix := sav)

exclude_re := /tmp$

exclude all files or directories named tmp (but not files such tmpa or atmp as exclude_prefix := tmp does)

exclude_re := \s

exclude all files or directories containing a space char

exclude_re := ^/var/log/.*\d

exclude all files under /var/log directory which contain a numeral (example : /var/log/mail/info.1.gz)

@software All

if you have set AFICK_CHROOT=/opt, the line will be expanded to : /opt/software All

GLOBING

"globing" can be used in rules lines.

globing character are * and ? they are not used as perl regular expressions, but as the shell can use them :

'?'

replace any (one) character

'*'

replace any chain of characters

PORTAGE

here are some changes from aide :

directives

use ":= instead "="

database syntax

use pathname syntax instead url syntax

database number

no database_out directive : work on only one database

compression

no gzip_dbout directive : database is already in binary format

checksum

only md5 and sha* hash : no rmd160, tiger, haval, gost, crc32

growing size

no "S" (check for growing size) attribute : I do not know how to use and code it

SEE ALSO

afick.conf(5) for the configuration file syntax


afick-tk(1) for the graphical interface


afick(1) for the command-line interface


afickonfig(1) for a tool to change afick's configuration file


afick_archive(1) for a tool to manage archive's reports


afick_learn(1) for a learning tool

COPYRIGHT

Copyright (c) 2002,2003,2004 Eric Gerbier All rights reserved.

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

AUTHOR

Eric Gerbier

you can report any bug or suggest to eric.gerbier@tutanota.com

 manpage of afick.conf