
FCheck: The filesystem baseline integrity checker.
Copyright (C) 1996 Michael A. Gumienny


Please send your comments, updates, improvements, wishes and
bug reports for fcheck to:

    Michael A. Gumienny
    gumienny@hotmail.com

###################################################################
This program is free software; you can redistribute it and/or modify it
under the terms of the GNU General Public License as published by the
Free Software Foundation; either version 2 of the License, or (at your
option) any later version.

This program is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
Public License for more details.

You should have received a copy of the GNU General Public License along
with this program; if not, write to:

    Free Software Foundation, Inc.
    59 Temple Place - Suite 330
    Boston, MA 02111-1307, USA.

Or you can find the full GNU GPL online at: http://www.gnu.org
###################################################################



Files:
Your distribution should contain the following five (5) files:

    README          You're reading this file.
    fcheck          PERL script fcheck.
    fcheck.cfg      Required configuration file.
    license         GNU GPL License agreement.
    install         Installation guide for all platforms.

This documentation contains the following sections.

    Files:                  The section you are reading now. Contains a
                            listing of the files you should have included
                            in your distribution.
    History behind FCheck:  A brief introduction as to why FCheck was
                            written.
    FCheck Features:        What FCheck can do for you.
    Changelog:              Small, because FCheck was really written a
                            few years ago but is now being added to.
    Operation:              A brief intro to normal flag usage when you
                            run FCheck.
    Closing Hints:          A few tips from the author from real-world
                            usage experience.
    Mini FAQ:               Questions that have filtered back to the
                            author concerning operational problems.

Complete detailed configuration and setup procedures can be found in the
install.unix and install.win documents also included.



###################################################################



History behind FCheck:
FCheck was developed out of necessity from a situation when my company
outsourced its UNIX administrators. Originally intended for monitoring the
administrators' whimsical changes to the systems, it grew into a full-blown
security tool.

Being the person that went to the meetings and was responsible for the
systems (i.e. the guy with his head on the block), not knowing that a
complete filesystem had been removed happened only once. My "staff" had
forgotten to notify me of the change, along with several other changes. I
needed a way to monitor the system for any modifications that would report
back to me immediately, so I could stay abreast of whimsical changes. Thus,
FCheck was born.

FCheck grew into an overnight success, even though I did not see its complete
potential at first. When a surprise Security Audit Team arrived, the full
potential was recognized.

Having several tools already in place to satisfy the auditors' demands, they
thought they had us when a baseline snapshot of the system was requested.
Expecting to hear that we had no such tool in place, they were instead eager
to learn more about FCheck and its capabilities.



###################################################################



FCheck Features:
Essentially, FCheck has the ability to monitor directories, files or complete
filesystems for any additions, deletions, and modifications. It is configurable
to exclude active log files, and can be run as often as needed from the command
line or cron, making it hard for a change to slip past unnoticed. It is written
in standard PERL and requires no special outside library modules.

Currently there are a few 'Tripwire' style baseline system security tools and
most are purchasable with licensing agreements, etc. Personally I hate software
that you must purchase, so this is distributed under the GNU license. (I.e., it's
yours to play with, but keep my name in it, and let me know what you modified
so that others can share the benefits.) FCheck was further developed with the
junior administrator in mind who does not yet understand the complex
configuration files and operation required to run many security products.

All code is written from scratch, and is owned solely by the author, but rights
are granted for its usage under the GNU license agreement to any site that
desires free baseline security measures.



###################################################################



Changelog:
See the script, it's getting big!


Major Updates Provided in this release:
    o Added ability to determine the version of MD5 being used.

    o Modified the routines that call MD5 and "file" to use pipes: a slight
      speed increase, and less exposure to shell exploits through crafted
      file names.


Update in last release:
    o Databases merged into one database; the DATABASE= configuration keyword
      now points to the full path and filename to use for that database.

    o Added the "-h" option to look for the configuration file with the
      $HOSTNAME environment variable appended to the end of it. (This is
      useful in distributed system environments.)

      (Example)
          $HOSTNAME=myhost
          fcheck -ahf A_Config.dbf
      Result: fcheck would use a configuration file of "A_Config.dbf.myhost"

    o Added the "-r" option to create a report suitable for email. The
      generated report will show good and bad integrity checks.

    o Added the "-x" option to allow monitoring the "number of links", "UID",
      "GID", and the "Major/Minor" numbers of device files.

    o Added the "FILE=" keyword in the configuration file. This will allow you
      to monitor single files, rather than entire directory contents.

    o Added the "FILETYPER=" keyword in the configuration file. This needs to
      be set if you use the "-x" option, and is what will allow you to
      determine file types, and major/minor numbers of device files.



###################################################################



Operation, and Getting Started:
Flag passing is a fairly simple process. Primarily you will be using two
commands. One builds (or rebuilds) your baseline database files (system
snapshots). The second runs in a scanning comparison mode.

    "fcheck -ac"    Builds the baseline database.
    "fcheck -a"     Comparison scans the system against the baseline database.

For normal operation: Initially you will run fcheck by issuing the command
"fcheck -ac" to create the initial baseline file used for comparison. Any
runs after the creation of the baseline will normally be with the flags
"fcheck -a" to scan for any system modifications.

After a scan is completed, and once you have reviewed and accepted the changes
it reported, you will probably want to have fcheck re-create its baseline
database for the next comparison cycle. Otherwise you will be seeing every
system modification since the last baseline re-build. In other words, run the
"fcheck -ac" command again. (Do not re-baseline before reviewing the report:
an unauthorised change that gets baselined is never reported again.)

(Advanced Note:)
A more intensive system check would be accomplished by building your database
to include GID/UID checks, directories, and CRC/hash signatures by using the
following sample syntax:

    "fcheck -cadsxlhf /usr/local/admtools/etc/fcheck.dbf.yourhost"

And provide periodic integrity scans from cron by using the following sample
syntax:

    "fcheck -adsxlhf /usr/local/admtools/etc/fcheck.dbf.yourhost"



###################################################################



Closing Hints:
I would also suggest using the "-l" flag to send messages to syslog unless you
really want to watch the output from this all the time. You could also make
use of some log monitoring packages like CA-Unicenter, HP-Openview, or
several other shareware alternatives including 'xlog' or even the 'pmem' Tcl/Tk
interface that I also wrote.

FCheck was run from cron in a production environment at 10 minute intervals
with no impact to system performance. Message logging was handled by syslog
with the "-l" flag and imported to a commercial event monitoring package that
monitored and displayed system logfiles, highlighting only the important
events. A shorter interval can be used on smaller systems, but you must
allow FCheck to complete its baseline comparison before re-building the
baseline, or the overlapping runs will produce false readings. Actual
interval times will vary depending on how active a system you are running
FCheck on.

Those of you that have scanned the early code may have noticed the remote shell
feature has been removed. I felt this offered too much temptation to open a
security hole, so it was removed. FCheck does NOT have to run as root, but it
does need read permission on each of the directories and files that you want
to monitor. Whatever account it runs as, keep in mind that the fcheck script,
its configuration file and the baseline database are what the whole check
trusts: anyone who can alter them can hide changes from it, so protect them at
least as carefully as the files they monitor.

Other flags for you to play with are as follows:

    -a  Automatic mode, do all directories in configuration file.
    -c  Create a new baseline database for the given directory.
    -d  Directory names are to be monitored for changes also.
    -f  Use alternate 'filename' as the configuration file.
    -i  Ignore creation times; check permissions, adds, deletes only.
    -h  Append the $HOSTNAME to the configuration filename.
    -l  Log information to logger rather than stdout messages.
    -r  Report mode, great for emailed status reports.
    -s  Sign each file with a CRC/hash signature.
    -v  Verbose mode, not used for report generation.
    -x  eXtended unix checks: # of links, UID, GID, Major/Minor checks.


Final Notes:
As stated elsewhere in this README, if you have suggestions please forward
them to me and I'll try to accommodate them. If they make sense and others have
requested the same changes, then they may make it into the next release.

* THREATS ARE IGNORED WHEN YOUR SUGGESTION DOES NOT GET WRITTEN INTO A RELEASE *

This is free software and I don't make a living from it. It is also distributed
under the terms of the GNU General Public License WITHOUT WARRANTY!



###################################################################



Mini FAQ:

Q: When I try to initialize with the command "FCheck -ac" I get the following
   error message back. Why?

       FCheck: Can't find C:/Work/temp/perl/fcheck/FCheck.cfg
       terminating...

A: FCheck can't locate the configuration file that you have instructed it to
   use. Edit the executable (FCheck) and ensure that the variable "$config="
   is set properly to reflect your configuration file's location, or pass the
   location explicitly with the "-f" flag.



Q: When I try to initialize with the command "FCheck -ac" I get the following
   error message back. Why?

       FCheck: no base file directory exist! [C:/Work/temp/perl/fcheck/data]
       terminating...

A: The directory that you have instructed FCheck to utilize to store its
   database does not exist. Either modify the configuration file (FCheck.cfg)
   to use an existing directory, or create the one it needs.



Q: I have removed a directory "/usr/local/etc" and told FCheck to exclude it
   from future scans with the line "Exclusion = /usr/local/etc/", but now it
   is being reported as deleted.

A: Because the removed directory still exists in FCheck's baseline database.
   After a modification to any scanned area of a system, you must tell FCheck
   to re-initialize its database ("FCheck -ac") to stop this behaviour.
   Otherwise FCheck will continue to report every change it has detected,
   including the directory you told it to exclude from future scans. Only
   once you have re-initialized the database will FCheck ignore the
   directories or files that you instructed it to exclude.



Q: FCheck says "debug: (GetDir) No can do (/some_file)..." when I try to monitor
   a file. Does "Directory =" have to be a directory rather than a file name?

A: Okay, you caught me! FCheck never had any real documentation until recently,
   which means there is bound to be an error or two. Some more noticeable than
   others.

   You must use the name of the directory that you wish to monitor. As an
   option, you can monitor that directory recursively by placing a "/" at the
   end of the path ("/etc" for the immediate directory, or "/etc/" for
   recursive).

   For you to monitor only your "/etc/passwd" you would have an entry of
   "Directory = /etc" and then you would use several excludes such as
   "Exclude = /etc/group", "Exclude = /etc/motd", and so on. (Newer releases
   add the "FILE=" keyword for exactly this case; see the Changelog.) But I
   think that you will probably want to monitor the entire "/etc" directory
   for changes.
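As an added example, and not FCheck's own code, the following Python sketch walks through the cycle described under "Operation, and Getting Started" (build a baseline, scan against it, re-baseline only after reviewing the report) using the configuration semantics this answer and the Changelog describe: "Directory = /etc" for the immediate contents, "Directory = /etc/" for a recursive scan, "Exclusion =" to skip a path or subtree, and the newer "FILE =" keyword for a single file. The keyword spelling and case handling, the per-file record (an MD5 digest plus the "-x" style UID/GID/link count), and the scratch tree it builds under a temporary directory are all assumptions constructed for the demo, not FCheck's real database format; MD5 is used only to mirror the README, a tool written today would use SHA-256.

```python
"""Toy FCheck-style baseline checker (added example, not the FCheck source).
Config grammar as this README describes it (keyword case and record layout are
assumptions): "Directory = /p" scans /p's immediate contents, "Directory = /p/"
scans recursively, "Exclusion = /p" skips a path, "FILE = /p" adds one file."""
import hashlib, os, shutil, stat, tempfile


def parse_config(text):
    """Return (directories, excludes, files) from FCheck-style config lines."""
    dirs, excludes, files = [], set(), []
    for raw in text.splitlines():
        key, _, value = raw.split("#", 1)[0].partition("=")
        key, value = key.strip().lower(), value.strip()
        if key == "directory":
            dirs.append(value)
        elif key in ("exclusion", "exclude"):
            excludes.add(os.path.normpath(value))
        elif key == "file":
            files.append(value)
    return dirs, excludes, files


def _excluded(path, excludes):
    path = os.path.normpath(path)
    return any(path == ex or path.startswith(ex + os.sep) for ex in excludes)


def _record(path):
    """Baseline entry: -s style MD5 (use sha256 today) plus -x style uid/gid/nlink."""
    st = os.lstat(path)
    rec = {"mode": stat.S_IMODE(st.st_mode), "size": st.st_size,
           "uid": st.st_uid, "gid": st.st_gid, "nlink": st.st_nlink}
    if stat.S_ISREG(st.st_mode):
        with open(path, "rb") as fh:
            rec["md5"] = hashlib.md5(fh.read()).hexdigest()
    return rec


def build_baseline(config_text):
    """The "fcheck -ac" step: snapshot every path the config selects."""
    dirs, excludes, files = parse_config(config_text)
    baseline = {}
    for d in dirs:
        recursive, top = d.endswith("/"), os.path.normpath(d)
        for cur, subdirs, names in os.walk(top):
            # Prune excluded subtrees so they are never even stat()ed.
            subdirs[:] = [s for s in subdirs
                          if not _excluded(os.path.join(cur, s), excludes)]
            for p in (os.path.join(cur, n) for n in names):
                if not _excluded(p, excludes):
                    baseline[p] = _record(p)
            if not recursive:  # "Directory = /etc": top level only
                break
    for f in files:
        if not _excluded(f, excludes) and os.path.lexists(f):
            baseline[f] = _record(f)
    return baseline


def compare(baseline, current):
    """The "fcheck -a" step: adds, deletes, and which attributes changed."""
    changed = {p: sorted(k for k in set(baseline[p]) | set(current[p])
                         if baseline[p].get(k) != current[p].get(k))
               for p in set(baseline) & set(current)}
    return {"added": sorted(set(current) - set(baseline)),
            "deleted": sorted(set(baseline) - set(current)),
            "modified": {p: v for p, v in changed.items() if v}}


def demo():
    """The README's cycle (build, scan, re-baseline) on a constructed scratch tree."""
    base = tempfile.mkdtemp(prefix="fcheck-demo-")
    def write(path, body, mode="w"):
        full = os.path.join(base, path)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, mode) as fh:
            fh.write(body)
    try:
        write("etc/passwd", "root:x:0:0::/root:/bin/sh\n")
        write("etc/hosts", "127.0.0.1 localhost\n")
        write("var/log/messages", "boot\n")
        config = (f"Directory = {base}/etc/\n"      # recursive
                  f"Directory = {base}/var\n"       # immediate contents only
                  f"Exclusion = {base}/etc/skel\n"  # like excluding active logs
                  f"FILE = {base}/var/log/messages\n")
        baseline = build_baseline(config)
        write("etc/passwd", "eve:x:0:0::/root:/bin/sh\n", "a")  # 2nd uid-0 user
        write("etc/shadow", "")
        os.remove(os.path.join(base, "etc", "hosts"))
        write("var/log/messages", "login\n", "a")
        write("etc/skel/evil", "")   # excluded: must not be reported
        write("var/log/other", "")   # not selected: must not be reported
        report = compare(baseline, build_baseline(config))
        # "fcheck -ac" again (after reviewing the report); the next scan is clean.
        report["clean_after_rebuild"] = (
            compare(build_baseline(config), build_baseline(config)) == compare({}, {}))
        return report
    finally:
        shutil.rmtree(base)
```

Calling demo() returns the report for the constructed tree: the appended passwd line and the log file show up as modified (md5 and size), shadow as added, hosts as deleted, while etc/skel/evil and var/log/other stay silent because one is excluded and the other lies below a non-recursive Directory entry; after re-baselining, a fresh comparison comes back clean.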



Q: Gzip says "decompression OK, trailing garbage ignored." When I uncompress
   FCheck, is my tar file damaged?

A: The Netscape WEB site appears to be padding GZipped files with NULLs,
   although it does not happen to the identical PKZipped file. As expressed in
   the warning message, GZip ignores the trailing NULL characters with no
   impact to the extracted tar file. If the displayed warning bothers you too
   much, then try the PKZipped version of FCheck as it is an identical version.


