| manpage of afick |
afick - Another File Integrity Checker
The goal of this program is to monitor what change on your host : new/deleted/modified files. So it can be used as an intrusion detection system ( by integrity checking ). It is designed to be a portable clone of aide (Advanced Intrusion Detection Environment), or Tripwire software.
For the better security, you should launch it regularly (for exemple by a batch task)
This is a command-line program, you can use
afick-tk.pl if you prefer a graphical interface.
A web interface is also privided by a webmin module.
afick use posix syntax, which allow many possibilities :
long (--) options
short (-) options
negative (--no) options
Mandatory action (one and only one must be used) :
-i|--init initialize the hash.dbm database
-C|--check_config only check config file and exit
-G|--clean_config check and clean configuration, then exit
-U|--check_update check if a software update is available
-k|--compare compare the hash.dbm database
-l|--list "fic1,fic2,.." check the files given in arg (separeted by comma)
-u|--update compare and update the hash.dbm database
-p|--print print content of database
--search filter print content of database, filtered (see man of html doc for exemples)
--csv export the database in csv format
--export export database in portable text format
--import import a database from an exported file
--print_config display all internals variables after arguments and config file parsing.
it is the same as the 4 followings options, concatenated
(for debugging purposes)
--print_directive display directives (after config file and command line parsing)
--print_macro display macros (after config file parsing)
--print_alias display aliases (after config file parsing)
--print_rule display rules (after config file parsing)
--stat_ext display list of file extension, sorted by number (usefull for windows)
--stat_secu display some dangerous files (suid, sgid, group writable, world writable )
--stat_size display statistics on file size
--stat_date display chronological list of changed files
--duplicates display duplicates filesOther options
-a|--ignore_case helpful on Windows platforms, dangerous on Unix ones
reverse : --noignore_case
-c|--config_file file name of config file to use
-D| --database file force the database name
-d|--debug level set a level of debugging messages, from 0 (none) to 4 (full)
-f|--report_full_newdel report full information for new or deleted directories
reverse : --noreport_full_newdel
-m|--warn_missing_file warn about files declared in config files
which do not exist,
reverse : --nowarn_missing_file
-o|--allow_overload allow config overload : the last line wins
reverse: --noallow_overload
--allow_relativepath control files are stored with a relative path
reverse: --noallow_relativepath
-r|--running_files warn about "running" files : modified since program begin
reverse: --norunning_files
-s|--warn_dead_symlinks warn about dead symlinks
reverse: --nowarn_dead_symlinks
-Y|--follow_symlinks checksum on links target file (yes) or checksum on target name (no)
reverse: --nofollow_symlinks
-S|--max_checksum_size size maximum cheksum size (bytes) : for bigger file, just compute checksum on begin of file
0 means no limit
-t|--timing Print timing statistics
reverse : --notiming
--utc_time display report's dates in utc time, else in local time
reverse : --noutc_time
-v|--verbose toggle verbose mode (identical to full debug);
reverse : --noverbose
-q|--quiet toggle quiet mode (print only if there's a change to report)
reverse : --noquiet
-P|--progress display the name of scanned files, to be used only by afick-tk
-h|--help show this help page
--man full help
-V|--version show afick version
-x|--exclude_suffix "ext1 ext2" list of file/dir suffixes to ignore
-X|--exclude_prefix "pre1 pre2" list of files/dir prefixes to ignore
-R|--exclude_re "patern1 patern2" list of files/dir patterns (regular expressions) to ignore
--only_suffix "ext1 ext2" list of suffix to scan (just this ones)
-y|--history file history file of all runs with summary
-A|--archive directory directory where archive files are stored
--report_url output where to send afick report.default is stdout
--report_syslog send afick report to sylog. reverser : --noreport_syslog
--report_summary report changes in summary section
--report_context report all attributes changes (not only those from rules)
--mask_sysupdate mask package updatesyou have to give afick an action to do. See below :
You have to use one this mandatory action :
initiate the database.
only check config file syntax and exit with the number of errors
check if a new software version is available on web server
check config file syntax, clean (comments) bad line, and exit with the number of errors
compare the file system with the database.
compare the specified files with the database. The files have to separeted by a comma. You can also use : -lfile1 -lfile2 (if a file name contains space character, it must be quoted)
export the database in csv format the first line give the column title
print the content of the database.
export database in portable text format to stdout. to be used with --import option (see below)
import a database from stdin. The source file must be a result from --export command. The database is empty before import.
print the content of the database, filtered by your_filter filter.
filters are to be written with column keywords and perl operators, and should be quoted
keywords are : filetype, name, md5, sha1, sha256, sha512, checksum, device, inode, filemode, links, uid, acl, gid, filesize, blocs, atime, mtime, ctime
for examples :
"filetype =~ m/symbolic/" : filter on file type
"filesize < 5000000" : filter on file size
"filemode & 04000" : extract suid files
"(filesize > 5000) and (name =~ m/urpmi/)" : you can combine filters
display all internals variables after command line and config file parsing (for debugging purposes). It is the same as the 4 following options : --print_directive --print_macro --print_alias --print_rule
display directives (after config file and command line parsing)
display macros (after config file parsing)
display aliases (after config file parsing)
display rules (after config file parsing)
compare and update the database.
display list of file extension, sorted by number (usefull for windows)
display from databases some dangerous files (suid, sgid, group writable, world writable )
display from databases statistics on file size
can help to configure the max_checksum_size option
display chronological list of changed files
be carefull, the system only keeps the last change date
display a list of duplicates files : files with same contents. It uses the checksum to compare files.
You can use any number of the following options :
write reports to "directory".
read the configuration in config file named "configfile".
name of database to use.
set a level of debugging messages, from 0 (none) to 4 (full)
(do not) report full information on new and deleted directories.
Output summary help information and exit.
Output full help information and exit.
write session status to history file
ignore case for file names. Can be helpful on Windows operating systems, but is dangerous on Unix ones.
fix a maximum size (bytes) for checksum. on bigger files, compute checksum only on first 'size' bytes. ( 0 means no limit)
(do not) warn about files declared in config files which does not exist.
(do not) warn about dead symlinks.
if set, do checksum on target file, else do checksum on target file name.
if set, allow config overload (the last line wins), else put a warning and keep the first config.
if set, auto-control files (afick scripts, config and database) are stored as relative path.
display the name of scanned files, to be used only by afick-tk
(do not) warn about "running" files : modified since program begin.
(do not) Print timing statistics.
Output version information and exit.
(not in) quiet mode : print only if there's a change to report. Do not use it with stat_* options or your output will be empty !. This mode is not recommanded, as it does not allow to check if an afick log was removed to mask a system change (with afick_archive.pl --check).
(not in) verbose mode (obsolete).
list of suffix to scan (just this ones)
list of suffixes (files/directories ending in .ext1 or .ext2 ...) to ignore
list of prefix (files/directories beginning with pre1 or pre2 ...) to ignore
list of patterns (regular expressions) to ignore files or directories
output can stdout, stderr or null (which mean no output)
send (or not) afick's report to syslog. the priority is 'notice' for info messages, 'warning' for warning messages. The facility is 'user'
If true, report in the summary section, one ligne by file change
If true, display all attributes changes, not only those selected by rule. To make a difference, attributes from rules will have a "w_" prefix (warning), and other attributes will have a 'i_' prefix (info).
each package update produces changes, which can be seen as false positives and the package manager can be used to check changes. this experimental option is set to false by default. If set to true, files which are not modified according the package manager, are masked linux rpm and deb package manager are available to use for now
if set, display report's dates in utc time, else in local time
The configuration file can be given by the -c option. Else it can be given by the AFICK_CONFIG environment variable. Else on windows, it search for a file named windows.conf in the install directory. Else (on Unix/linux), it first search for /etc/afick.conf, then for afick.conf in install directory.
for config file syntax see afick.conf(5)
afick can write several kinds of file
the database is used to store data between afick's run. name and path are set by the database directive
it is used to check afick integrity. It has the name of the database, with '.ctr' suffix.
(optionnal but recommended) : it is used to keep an history of all report's summary. name and path are set by the history directive
(optionnal but recommended) : it is used to keep afick's reports. the path is set by the archive directive. the file name contains the afick run date in AAAAMMJJhhmmss format
unix log file (on /var/log) are created when using the afick_cron script
until release 2.9, the database backend was SDBM, because it was the only one available on every operating system.
Coming with 2.10 release, afick can use other database backend : the 'best' available one will be detected on init. There is no way to migrate an existing SDBM base to a new format. The only way is to re-run afick in init mode (caution : changes since last update will be "lost")
To use this program, you must
first adjust the config file to your needs : see afick.conf(5) for the syntax)
then initiate the database with : afick -c afick.conf
--init
then you can compare with afick -c afick.conf
-k
or compare and update with afick -c afick.conf
--update
then the best way is to set a batch task to have regular check, you can use afick_cron script on unix/linux systems or afick_planning.pl on windows
The config file can be set with AFICK_CONFIG environment variable.
this define the chroot directory for files declared with a '@' ( afick.conf(5) ).
example :
AFICK_CHROOT=/usr/local
@software all
will scan for files in /usr/local/software
if the config file contain references to environment variables ( syntaxe : ${name} ), they are expanded at the begin of config analysis.
An exit status of 0 means no differences were found, and no dangling links (if the warn_dead_symlinks option is set) , non-zero means some differences were found or some dangling links. The non-zero value is a bitmap representing the type of difference found:
Dangling
Changed
Deleted
New
For a better security, afick not only check the rules from configuration file, but try to check it-self : perl scripts, configuration file, database, and warn if something change.
afick.conf(5) for the configuration file syntax
afick-tk(1) for the graphical interface
afick(1) for the command-line interface
afickonfig(1) for a tool to change afick's configuration file
afick_archive(1) for a tool to manage archive's reports
afick_learn(1) for a learning tool
for diagnostics, you can run afick in debug mode, with the --debug 4 command line option
this program only use perl and its standard modules.
none known
afick works on files, it is not a Version Control System, and it does not show changes in registry for windows users
Copyright (c) 2002 Eric Gerbier All rights reserved.
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
Eric Gerbier
you can report any bug or suggest to eric.gerbier@tutanota.com
| manpage of afick |