manpage of afick.conf
afick.conf - Configuration file for afick program
This is the configuration file for the afick software (Another File Integrity Checker). It contains the list of files/directories to scan and which attributes to monitor, the name of the database to use, and so on.
Afick uses /etc/afick.conf (Unix) or windows.conf (Windows) as its default configuration file (you may change it with afick's -c command-line option).
The afick configuration is similar to aide's or tripwire's configuration file. With little effort an aide.conf can be converted to the afick format (see the portage section below).
general rules :
Afick config is case-sensitive.
Leading and trailing white spaces are ignored.
Blank lines or lines beginning with # are ignored as comments.
One config element per line.
There are four types of lines in afick configuration file :
general afick parameters
customized user's rules
the list of files to monitor.
batch parameters (Unix cron)
These lines have the format : keyword := value
For now, the available keywords are :
if set to true, allow a keyword to be redefined (the last line wins), else issue a warning and keep the first line. Default is true.
if set to true, the auto-control files (afick scripts, config and database) are stored as relative paths. This is useful if these files may be moved (running afick from a CD, for example). Default is false.
directory with full path : the archive directory keeps all reports, and can be used by the webmin module. Default is empty (none).
name with full path : the database to use. This parameter is mandatory.
set a level of debugging messages, from 0 (none) to 4 (full). Default is 0.
the default behavior is to scan all requested directories, and add exceptions by rules or with the exclude_* directives. In some cases it is easier to define only which suffixes you want. In this mode the exclude_* directives are not used, the database contains all directories, and only the files with one of the given suffixes. This directive is empty by default (disabled), and is mainly of interest on operating systems such as Windows : it speeds up the scan, but decreases security, since a new or modified file whose suffix is not in the list is never checked at all.
a list of suffixes (files or directories ending in .ext1 or .ext2 ...) to ignore (for example : old bak tmp). This directive can appear several times in a config file to group suffixes. Default is empty.
a list of prefixes (files or directories beginning with pre1 or pre2 ...) to ignore (for example : tmp toto). This directive can appear several times in a config file to group prefixes. Default is empty.
a file pattern (one per line), using regex syntax, applied to the full file path. Examples can be found in the examples section. This directive can appear several times in a config file to group patterns. Default is empty.
Note : regex is very powerful, but has a complex syntax. In most cases, an easier way is to use globbing on rule lines.
if set to true, the checksum of a symbolic link is computed on the target file (the file the link points to), else on the target file name only. Default is no.
the history file keeps all run dates and summary results. Default is empty (none).
ignore case for file names (useful on Windows). Default is no.
each package update produces changes which show up as false positives, and the package manager can be used to verify them. If this option is set to true, files which are unmodified according to the package manager are masked from the report. Only the Linux rpm and deb package managers are supported for now. Note that this trusts the package manager's own database : a change that also updates that database is masked too. Default is no (experimental).
checksums are CPU expensive. This value (a file size in bytes) limits the checksum to the first max_checksum_size bytes of each file, to make afick faster on big files. WARNING : this makes afick faster but less secure, since a modification beyond that offset is not seen by the checksum (only by size or mtime, if those attributes are monitored). Default is 0 (no limit).
afick is designed to report the changed attributes selected by the rule. In some cases it is interesting to display all changed attributes when a rule matches. For example, with a rule such as md5, if the checksum changes it will also display mtime, size and other interesting attributes. To tell them apart, attributes from the rule get a "w_" prefix (warning), and the other attributes an "i_" prefix (info). Default is no.
if true, report all new files, else only the first directory level (avoids very long outputs). Default is no.
where to send the report, default is stdout. null means no report.
If true, report one line per file change in the summary section. Default is true.
If true, send also the report to syslog. Default is no.
warn about "running" files : files modified since the program began. Default is no.
Print timing statistics (user and system time), default is no.
if set, display dates in UTC, else in local time. Default is no.
for debugging purpose, default is no.
warn about dead symbolic links, default is no.
if true, print a warning message if a file selection does not exist. Default is no.
The advice is to set it to true while working on the config file (development), to be able to detect errors, and to set it back to false afterwards.
attributes define which parameters to monitor.
base attributes are :
last access time in seconds since the epoch
actual number of blocks allocated
inode change time
device number of filesystem, major and minor number
gid of the file
inode number
last modification time in seconds since the epoch
the default checksum, quick but not very secure (practical collision attacks against MD5 exist) ; look at sha* for better security
number of links (see the ln command)
permissions : owner, group, other (Unix)
uid of the file
file size in bytes
is more secure than md5, but needs more time to compute. You can only set one sha checksum.
is more secure than md5 and sha-1, but needs more time to compute. You can only set one sha checksum.
is more secure than md5, sha-1 and sha-256, but needs more time to compute. You can only set one sha checksum.
currently only works on Windows
An alias defines a customized set of attributes. It is used to write rules for some kinds of files (see examples).
the syntax is : alias_name = alias | attribute [ +attribute ] [ -attribute ]
Afick comes with some pre-defined aliases :
for b+c+d+g+i+m+md5+n+p+u+s+acl (all parameters except atime)
for p+d+i+n+u+g+s+m+c+md5 (for aide compatibility)
for p+d+i+n+u+g (for aide compatibility)
for u+g+p+s+n+5 (permission and checksum)
for (empty) (for aide compatibility)
These lines define the list of files to monitor, and what to monitor in them.
the syntax is : selection_type selection_file attribute_flag
There are three types of selection lines :
Lines beginning with "!" : the file or directory specified is ignored. No attribute flag is needed :)
example :
! /tmp
Lines beginning with "=" : can be used to avoid the sub-directory scan.
if the directory ends with a / : scan the directory itself and its files, but not its sub-directories
else scan only the directory itself (no files, no sub-directories)
example :
= /dev/scsi all
Other lines are regular selection lines : files are added, directories are added with their contents (files and sub-directories)
example :
/home all
selection_file designates a file or directory by its full path
file names containing space characters must be delimited with double quotes ("")
you can use globbing characters, but not regex.
if the file name begins with '@', the '@' is expanded using the AFICK_CHROOT environment variable
attribute_flag is the list of attributes used to detect a change
it uses the same syntax as the right-hand side of an alias definition : an alias or an attribute, optionally followed by +attribute and -attribute terms
example : all
example : L - u + md5
The chroot feature means checking a variable path. For example, you build an afick database for files under /devel, then want to use it on the same files moved to /oper. To use it, set the AFICK_CHROOT environment variable to the variable path to check, and use @ as the prefix of the selection files under this path. Configuration lines are expanded at run time (see example below).
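The alias arithmetic (alias section above), the three kinds of selection lines, quoted paths and the '@' chroot expansion are easiest to see in a small parser. The following is an added example written for this page, not afick's own code (afick is a Perl program); it implements only the syntax documented here. The `database` keyword name in the sample config and the "R" and "E" alias names (aide's names for the two "aide compatibility" expansions) are assumptions, and the sample config is constructed, not a shipped afick.conf.

```python
"""Alias resolution and selection-line parsing for an afick.conf-style file.
Added example for this page, not afick's own code (afick is a Perl program).
Covers only the syntax documented above: `keyword := value` parameters,
`name = expr` aliases, `!` / `=` / regular selection lines, "quoted paths"
and `@` expansion from AFICK_CHROOT."""
import re
import shlex

# Base attribute codes named on this page.
BASE_ATTRIBUTES = set("abcdgimnpus") | {"md5", "sha1", "sha256", "sha512", "acl"}
SHA_ATTRIBUTES = {"sha1", "sha256", "sha512"}
# Pre-defined aliases listed above. "all" and "L" are named on the page; "R" and
# "E" are assumed to carry aide's names for the "aide compatibility" expansions.
PREDEFINED_ALIASES = {"all": "b+c+d+g+i+m+md5+n+p+u+s+acl",
                      "R": "p+d+i+n+u+g+s+m+c+md5", "L": "p+d+i+n+u+g", "E": ""}
TERM_RE = re.compile(r"\s*([+-]?)\s*([A-Za-z0-9_]+)")


def resolve_flag(expr, aliases):
    """Expand `alias | attribute [+attribute] [-attribute]` into a set of base
    attributes, applying terms left to right (the first may omit its sign)."""
    result, expr, pos = set(), expr.strip(), 0
    while pos < len(expr):
        m = TERM_RE.match(expr, pos)
        if not m:
            raise ValueError(f"bad attribute expression: {expr!r}")
        sign, name = m.group(1) or "+", m.group(2)
        if name in aliases:
            attrs = resolve_flag(aliases[name], aliases)
        elif name in BASE_ATTRIBUTES:
            attrs = {name}
        else:
            raise ValueError(f"unknown attribute or alias: {name!r}")
        result = result | attrs if sign == "+" else result - attrs
        pos = m.end()
    if len(result & SHA_ATTRIBUTES) > 1:  # "you can only set one sha checksum"
        raise ValueError("only one sha checksum may be set")
    return result


def parse_selection(line, aliases, chroot=None):
    """One selection line -> dict(kind, path, attrs), or None for blank/comment.
    shlex applies POSIX quoting, so Windows backslashes would need escaping."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    kind = "scan"                            # regular line: path and its contents
    if line[0] == "!":
        kind, line = "ignore", line[1:]       # ignored file or directory
    elif line[0] == "=":
        kind, line = "no_recurse", line[1:]   # no sub-directory scan
    tokens = shlex.split(line)
    if not tokens:
        raise ValueError("selection line without a path")
    path, flag_expr = tokens[0], " ".join(tokens[1:])
    if path.startswith("@"):                  # chroot feature
        if chroot is None:
            raise ValueError("path uses '@' but AFICK_CHROOT is not set")
        path = chroot.rstrip("/") + path[1:]
    entry = {"kind": kind, "path": path, "attrs": None}
    if kind == "no_recurse":                  # trailing '/': scan its files too
        entry["with_files"] = path.endswith("/")
    if kind != "ignore":
        if not flag_expr:
            raise ValueError(f"missing attribute flag for {path!r}")
        entry["attrs"] = resolve_flag(flag_expr, aliases)
    return entry


def parse_config(text, chroot=None):
    """Whole config -> (parameters, aliases, selections). Repeated `keyword :=`
    lines overload (last wins, allow_overload's default); `@@define` macros are
    skipped, as afick itself does."""
    params, aliases, selections = {}, dict(PREDEFINED_ALIASES), []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("@@define"):
            continue
        if ":=" in line:
            key, _, value = line.partition(":=")
            params[key.strip()] = value.strip()
        elif re.match(r"^\w+\s*=", line):
            name, _, expr = line.partition("=")
            aliases[name.strip()] = expr.strip()
        else:
            selections.append(parse_selection(line, aliases, chroot))
    return params, aliases, selections


# Constructed sample; the `database` keyword name is assumed, not from the page.
SAMPLE_CONFIG = """\
database := /var/lib/afick/afick
All = all + a
ETC = L - u + md5
! /tmp
= /dev/scsi all
= /proc/ L
/home all
/etc ETC
"/var/my data" R
@/software All
@@define MAILTO root@localhost
"""
```

Running `parse_config(SAMPLE_CONFIG, chroot="/opt")` turns `ETC` into {p, d, i, n, g, md5} (L minus u plus md5), `= /proc/ L` into a no-recurse entry that still scans the files of /proc, and `@/software All` into /opt/software, exactly the expansion described in the examples section. A path starting with '@' without AFICK_CHROOT set, or a flag naming two sha checksums, is rejected with a ValueError.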
Macro lines begin with the @@define keyword. They are not used by afick itself, but by the batch job : afick_cron on Unix/Linux, afick_planning.pl on Windows.
is used to truncate too long mails from cron job
is used to send the cron job output by mail. Any number of email addresses can be set, delimited by commas, without any space. If you want to use a local address, use local_address@localhost, not local_address, as afick checks whether the string contains a @.
defines the mail server used to send the mail, on Windows only
if the mail server needs authentication, set the user name and password for it
with bool=1 to have a mail each day, and bool=0 to have only mail if find changes
with bool=1 to enable a mail report and bool=0 to disable mail report
(unix/linux only) val is the nice value (see man nice) : 10 is for a normal job, 14 for a normal cron job, 19 is for very low level job
is used to control afick cron job (for remote users with afick webmin module for example) : bool=1 allow cron job, bool=0 stop cron job
(optional, unix/linux only) : specify a directory to mount before the scan and to unmount after it. The directory has to be defined in the /etc/fstab file.
(unix/linux only) with bool=1 to enable sending the status to nagios using NSCA, and bool=0 to disable the nagios report
(unix/linux only) dns name or ip address of the nagios server to send messages to
(unix/linux only) path to NSCA configuration file (something like /etc/send_nsca.cfg)
(unix/linux only) name used for nagios passive check on the nagios server side
(unix/linux only) number of changes considered critical : if changes > val, the nagios state is CRITICAL ;
if 0 < changes <= val, the nagios state is WARNING ;
if there are 0 changes, the nagios state is OK
(unix/linux only) path to nsca binary (something like /usr/sbin/send_nsca)
set the archive retention period : 0 to keep all, else use the nS format, with n a number and S a scale : d for days, w for weeks, m for months, y for years. Example : 3m to keep only the last 3 months
define the path to database
defines the alias "All", from base attributes (could be done with "All=all+a" too)
define the ETC alias from another one
ignores the /dev directory structure.
use globbing to exclude files
scan /proc directory for files, not sub-directories
scan just /tmp, not inside
add files with a wildcard definition
use base attributes, on ETC alias
use modified alias All
exclude files ending with sav (for example toto.rpmsav, which is not excluded by exclude_suffix := sav)
exclude all files or directories named tmp (but not files such as tmpa or atmp, as exclude_prefix := tmp does)
exclude all files or directories containing a space char
exclude all files under /var/log directory which contain a numeral (example : /var/log/mail/info.1.gz)
if you have set AFICK_CHROOT=/opt, the line will be expanded to : /opt/software All
"globbing" can be used in rule lines.
The globbing characters are * and ? ; they are not used as perl regular expressions, but as the shell uses them :
? : replaces any (one) character
* : replaces any string of characters
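The examples section above contrasts exclude_suffix, exclude_prefix and exclude_re, and this section adds globbing on rule lines. The following added example (written for this page, not afick's own code) applies all four to constructed paths so the differences are visible : toto.rpmsav escapes exclude_suffix sav but not the regex sav$, tmpa is caught by exclude_prefix tmp while the regex /tmp$ leaves it alone, and ? in a glob consumes exactly one character. How afick anchors its own patterns is assumed here (globs against the whole path, exclude_re searched anywhere in the full path), and only_suffix_keeps models the only_suffix directive described earlier to show the file it silently skips.

```python
"""Exclusion matching for afick-style exclude_suffix / exclude_prefix /
exclude_re directives and for '*' / '?' globbing on selection lines.
Added example for this page, not afick's own code. Directive semantics
follow the descriptions above; how afick anchors its patterns is assumed
(globs match the whole path, exclude_re is searched in the full path)."""
import os
import re


def glob_to_regex(pattern):
    """Translate shell-style globbing into an anchored regex: '?' stands for
    exactly one character and '*' for any run of characters; everything else
    is literal, so '.' and '+' are not regex metacharacters here."""
    parts = [".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
             for ch in pattern]
    return re.compile("^" + "".join(parts) + "$")


class Excluder:
    """Decide whether a full path is excluded, and by which directive."""

    def __init__(self, suffixes=(), prefixes=(), regexes=(), globs=()):
        self.suffixes = tuple(suffixes)                   # exclude_suffix
        self.prefixes = tuple(prefixes)                   # exclude_prefix
        self.regexes = [re.compile(r) for r in regexes]   # exclude_re, full path
        self.globs = [glob_to_regex(g) for g in globs]    # "!" lines using globs

    def why_excluded(self, path):
        """Return (directive, pattern) for the first matching rule, else None."""
        name = os.path.basename(path.rstrip("/"))
        for suf in self.suffixes:
            if name.endswith("." + suf):      # toto.rpmsav does NOT end in .sav
                return ("exclude_suffix", suf)
        for pre in self.prefixes:
            if name.startswith(pre):          # tmpa matches, atmp does not
                return ("exclude_prefix", pre)
        for rx in self.regexes:
            if rx.search(path):
                return ("exclude_re", rx.pattern)
        for gl in self.globs:
            if gl.match(path):
                return ("glob", gl.pattern)
        return None


def only_suffix_keeps(path, is_dir, only_suffix):
    """only_suffix mode: every directory is kept, a file only when it ends in
    one of the listed suffixes; exclude_* are not consulted. Anything else
    (a dropped driver, a new script) is never checksummed at all."""
    if is_dir:
        return True
    return any(os.path.basename(path).endswith("." + s) for s in only_suffix)


# Constructed rule set mirroring the examples section above.
RULES = Excluder(
    suffixes=["old", "bak", "tmp"],
    prefixes=["tmp"],
    regexes=[r"sav$", r"/tmp$", r" ", r"^/var/log/.*[0-9]"],
    globs=["/home/*/.cache/*", "/var/lib/rpm/__db.00?"],
)

# Constructed paths; none need to exist for the matching to run.
SAMPLE_PATHS = [
    "/etc/passwd.bak", "/etc/toto.rpmsav", "/var/tmpa", "/var/atmp",
    "/var/log/mail/info.1.gz", "/home/me/My Documents", "/home/me/.cache/x",
    "/var/lib/rpm/__db.001", "/var/lib/rpm/__db.0010", "/etc/passwd",
]


def classify(paths=SAMPLE_PATHS, rules=RULES):
    """Map each path to the directive that excludes it (None = scanned)."""
    return {p: rules.why_excluded(p) for p in paths}
```

Note the order of evaluation in why_excluded matters only for the reported reason, not for the decision : a path is dropped as soon as any directive matches. The only_suffix check is the one to be careful with, since in that mode a file such as a new driver without a listed suffix is not excluded but simply never enters the database.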
here are some changes from aide :
use ":=" instead of "="
use pathname syntax instead of URL syntax
no database_out directive : work on only one database
no gzip_dbout directive : database is already in binary format
only md5 and sha* hash : no rmd160, tiger, haval, gost, crc32
no "S" (check for growing size) attribute : I do not know how to use it or how to code it
afick.conf(5) for the configuration file syntax
afick-tk(1) for the graphical interface
afick(1) for the command-line interface
afickonfig(1) for a tool to change afick's configuration file
afick_archive(1) for a tool to manage archive's reports
afick_learn(1) for a learning tool
Copyright (c) 2002,2003,2004 Eric Gerbier All rights reserved.
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
Eric Gerbier
You can report any bug or suggestion to eric.gerbier@tutanota.com