FCheck: The filesystem baseline integrity checker.
Copyright (C) 1996 Michael A. Gumienny


Please send your comments, updates, improvements, wishes and
bug reports for fcheck to:

        Michael A. Gumienny
        gumienny@hotmail.com

###################################################################
This program is free software; you can redistribute it and/or modify it
under the terms of the GNU General Public License as published by the
Free Software Foundation; either version 2 of the License, or (at your
option) any later version.

This program is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
Public License for more details.

You should have received a copy of the GNU General Public License along
with this program; if not, write to:

        Free Software Foundation, Inc.
        59 Temple Place - Suite 330
        Boston, MA 02111-1307, USA.

Or you can find the full GNU GPL online at: http://www.gnu.org
###################################################################


Files:
Your distribution should contain the following five (5) files:

        README          You're reading this file.
        fcheck          PERL script fcheck.
        fcheck.cfg      Required configuration file.
        license         GNU GPL License agreement.
        install         Installation guide for all platforms.

This documentation contains the following sections.

        Files:                  The section you are reading now. Contains a
                                listing of the files you should have included
                                in your distribution.
        History behind FCheck:  A brief introduction as to why FCheck was
                                written.
        FCheck Features:        What FCheck can do for you.
        Changelog:              Small, because FCheck was really written a
                                few years ago but is now being added to.
        Operation:              A brief intro to normal flag usage when you
                                run FCheck.
        Closing Hints:          A few tips from the author from real time
                                usage experience.
        Mini FAQ:               Questions that have filtered back to the
                                author concerning operational problems.

Complete detailed configuration and setup procedures can be found in the
install.unix and install.win documents also included.



###################################################################



History behind FCheck:
Fcheck was developed out of necessity from a situation when my company
outsourced its UNIX administrators. Originally intended for monitoring the
administrators' whimsical changes to the systems, it grew into a full-blown
security tool.

Being the person that went to the meetings and responsible for the systems
(I.E. the guy with his head on the block), not knowing that a complete
filesystem had been removed happened only once. My "staff" had forgotten to
notify me of the change, along with several other changes. I needed a way to
monitor the system for any modifications that would report back to me
immediately, to stay abreast of whimsical changes. Thus, FCheck was born.

FCheck grew into an overnight success, even though I did not see its complete
potential at first. When a surprise Security Audit Team arrived, the full
potential was recognized.

Having several tools already in place to satisfy the auditors' demands, they
thought they had us when a baseline snapshot of the system was requested.
Expecting to hear that we had no such tool in place, they were eager to learn
more about FCheck and its capabilities.



###################################################################



FCheck Features:
Essentially, FCheck has the ability to monitor directories, files or complete
filesystems for any additions, deletions, and modifications.
It is configurable to exclude active log files, and can be run as often as
needed from the command line or cron, making it extremely difficult to
circumvent. It is written in standard PERL and requires no special outside
library modules.

Currently there are a few 'Tripwire' style baseline system security tools and
most are purchasable with licensing agreements, etc. Personally I hate software
that you must purchase, so this is distributed under the GNU license. (I.E. It's
yours to play with, but keep my name in it, and let me know what you modified
so that others can share the benefits). FCheck was further developed with the
junior administrators in mind who do not yet understand the complex
configuration files and operation required to run many security products.

All code is written from scratch, and is owned solely by the author, but rights
are granted for its usage under the GNU license agreement to any site that
desires free baseline security measures.



###################################################################



Changelog:
See the script, it's getting big!


Major Updates Provided in this release:
  o Added ability to determine version of MD5 being used.

  o Modified the routines that call MD5 and "file" to pipes, slight speed
    increase and less vulnerable to shell exploits.


Update in last release:
  o Databases merged into one database, DATABASE= configuration keyword now
    points to the full path and filename to use for that database.

  o Added the "-h" option to look for the configuration file with the $HOSTNAME
    environment variable appended to the end of it. (This is useful in
    distributed system environments.)

    (Example)
        $HOSTNAME=myhost
        fcheck -ahf A_Config.dbf
    Result: fcheck would use a configuration file of "A_Config.dbf.myhost"

  o Added the "-r" option to create a report suitable for email.
    The generated report will show good and bad integrity checks.

  o Added the "-x" option to allow monitoring the "number of links", "UID",
    "GID", and the "Major/Minor" numbers of device files.

  o Added the "FILE=" keyword in the configuration file. This will allow you to
    monitor single files, rather than entire directory contents.

  o Added the "FILETYPER=" keyword in the configuration file. This needs to be
    set if you use the "-x" option, and is what will allow you to determine
    file types, and major/minor numbers of device files.


###################################################################



Operation, and Getting Started:
Flag passing is a fairly simple process. Primarily you will be using two
commands. One builds (or rebuilds) your baseline database files (system
snapshots). The second runs in a scanning comparison mode.

        "fcheck -ac"    Builds the baseline database.
        "fcheck -a"     Comparison scans the system against the baseline database.

For normal operation: Initially you will run fcheck by issuing the command
"fcheck -ac" to create the initial baseline file used for comparison. Any
runs after the creation of the baseline will normally be with the flags
"fcheck -a" to scan for any system modifications.

After a scan is completed, you will probably want to have fcheck re-create its
baseline database for the next comparison cycle. Otherwise you will be seeing
every system modification since the last baseline re-build. In other words, run
the "fcheck -ac" command again.
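The build-then-compare cycle above, as an added illustration that is not part of FCheck itself (which is a Perl script): a small Python model that snapshots a tree the way "Directory =" entries are described in the Mini FAQ below (a trailing "/" means recursive), honours "Exclusion =" entries, records the "-x" style link/UID/GID fields, and reports additions, deletions and modifications since the baseline. The function names (build_baseline, compare, demo) and the demo's temporary files are this example's own constructions.

```python
import hashlib, os, stat, tempfile
from pathlib import Path

def _sig(path, extended):
    """Signature per entry: '-s' style hash plus mode/size/mtime; '-x' adds links, UID, GID."""
    st = os.lstat(path)
    sig = {"mode": stat.S_IMODE(st.st_mode), "size": st.st_size, "mtime": int(st.st_mtime)}
    if stat.S_ISREG(st.st_mode):
        sig["md5"] = hashlib.md5(Path(path).read_bytes()).hexdigest()
    if extended:
        sig.update(nlink=st.st_nlink, uid=st.st_uid, gid=st.st_gid)
    return sig

def _excluded(p, excludes):
    """'Exclusion = /x' drops /x itself and everything beneath it."""
    return any(p == e or e in p.parents for e in (Path(x.rstrip("/") or "/") for x in excludes))

def build_baseline(directories, excludes=(), files=(), extended=False, dirs=False):
    """Snapshot like 'fcheck -ac': 'Directory = /etc' lists one level, '/etc/' recurses."""
    db = {}
    for d in directories:
        root = Path(d.rstrip("/") or "/")
        for p in (root.rglob("*") if d.endswith("/") else root.iterdir()):
            if not _excluded(p, excludes) and (dirs or not p.is_dir()):  # -d records directories
                db[str(p)] = _sig(p, extended)
    for f in files:  # 'FILE =' entries: single files rather than directory contents
        db[str(f)] = _sig(f, extended)
    return db

def compare(baseline, current):
    """Scan like 'fcheck -a': additions, deletions and modifications since the baseline."""
    return {"added": sorted(set(current) - set(baseline)),
            "deleted": sorted(set(baseline) - set(current)),
            "changed": sorted(p for p in baseline if p in current and baseline[p] != current[p])}

def demo():
    """Constructed scenario: build a baseline, tamper, then scan without rebuilding."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "passwd").write_text("root:x:0:0\n")
        (root / "motd").write_text("welcome\n")
        (root / "sub").mkdir()
        (root / "sub" / "cfg").write_text("a=1\n")
        cfg = dict(directories=[tmp + "/"], excludes=[tmp + "/motd"], extended=True)
        baseline = build_baseline(**cfg)
        (root / "passwd").write_text("root:x:0:0\nintruder:x:0:0\n")  # modified: extra UID 0 line
        (root / "sub" / "cfg").unlink()                                 # deleted
        (root / "shadow").write_text("x\n")                             # added
        report = compare(baseline, build_baseline(**cfg))
        return {k: [Path(p).relative_to(root).as_posix() for p in v] for k, v in report.items()}
```

Running demo() shows why the README tells you to rebuild with "-ac" after each scan: every difference since the last baseline keeps being reported until the snapshot is refreshed.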

(Advanced Note:)
A more intensive system check would be accomplished by building your database
to include GID/UID checks, directories, and CRC checks by using the following
sample syntax:

        "fcheck -cadsxlhf /usr/local/admtools/etc/fcheck.dbf.yourhost"

And provide periodic integrity scans from cron by using the following sample
syntax:

        "fcheck -adsxlhf /usr/local/admtools/etc/fcheck.dbf.yourhost"



###################################################################



Closing Hints:
I would also suggest using the "-l" flag to send messages to syslog unless you
really want to watch the output from this all the time. You could also make
use of some log monitoring packages like CA-Unicenter, HP-Openview, or
several other shareware alternatives including 'xlog' or even the 'pmem' Tcl/Tk
interface that I also wrote.

FCheck was run from cron in a production environment at 10 minute intervals
with no impact to system performance. Message logging was handled by syslog
with the "-l" flag and imported to a commercial event monitoring package that
monitored and displayed system logfiles, highlighting only the important
events. A shorter duration can be obtained on smaller systems, but you must
allow FCheck to complete its baseline comparison before re-building the
baseline to alleviate false readings. Actual interval times will vary
depending on how active a system you are running FCheck on.

Those of you that have scanned the early code may have noticed the remote shell
feature has been removed. I felt this offered too much temptation to open a
security hole, so it was removed. Fcheck does NOT have to run as root, but it
does need to have read permissions to each of the directories and files that
you want to monitor.

Other flags for you to play with are as follows:

        -a      Automatic mode, do all directories in configuration file.
        -c      Create a new base line database for the given directory.
        -d      Directory names are to be monitored for changes also.
        -f      Use alternate 'filename' as the configuration file.
        -i      Ignore creation times, check permissions, adds, deletes only.
        -h      Append the $HOSTNAME to the configuration filename.
        -l      Log information to logger rather than stdout messages.
        -r      Report mode, great for emailed status reports.
        -s      Sign each file with a CRC/hash signature.
        -v      Verbose mode, not used for report generation.
        -x      eXtended unix checks, # of links, UID, GID, Major/Minor checks.


Final Notes:
As stated elsewhere in this README, if you have suggestions please forward
them to me and I'll try to accommodate them. If they make sense and others have
requested the same changes, then they may make it into the next release.

* THREATS ARE IGNORED WHEN YOUR SUGGESTION DOES NOT GET WRITTEN INTO A RELEASE *

This is free software and I don't make a living from it. It is also distributed
under the terms of the GNU General Public License WITHOUT WARRANTY!



###################################################################



Mini FAQ:

Q: When I try to initialize with the command "FCheck -ac" I get the following
   error message back. Why?

        FCheck: Can't find C:/Work/temp/perl/fcheck/FCheck.cfg
        terminating...

A: FCheck can't locate the configuration file that you have instructed it to
   use. Edit the executable (FCheck) and ensure that the variable "$config="
   is set properly to reflect your configuration file's location.



Q: When I try to initialize with the command "FCheck -ac" I get the following
   error message back. Why?

        FCheck: no base file directory exist! [C:/Work/temp/perl/fcheck/data]
        terminating...

A: The directory that you have instructed FCheck to utilize to store its
   database does not exist.
   Either modify the configuration file (FCheck.cfg) to use an existing
   directory, or create the one it needs.



Q: I have removed a directory "/usr/local/etc" and told FCheck to exclude it
   from future scans with the line "Exclusion = /usr/local/etc/", yet it is
   still being reported as deleted.

A: But the scanned directory does still exist in FCheck's databases. After a
   modification to any scanned area of a system, you must tell FCheck to
   re-initialize its database (FCheck -ac) to stop this behaviour. Otherwise
   FCheck will continue to report any changes that it has detected, including
   the directory you told it to exclude from future scans. Only once you have
   re-initialized the databases will FCheck ignore any directories or files
   that you instructed it to exclude.



Q: FCheck says "debug: (GetDir) No can do (/some_file)..." when I try to monitor
   a file. Does "Directory =" have to be a directory rather than a file name?

A: Okay, you caught me! FCheck never had any real documentation until recently,
   which means there is bound to be an error or two, some more noticeable than
   others.

   You must use the name of the directory that you wish to monitor. As an
   option, you can monitor that directory recursively by placing a "/" at the
   end of the path ("/etc" for the immediate directory, or "/etc/" for
   recursive).

   For you to monitor only your "/etc/passwd" you would have an entry of
   "Directory = /etc" and then you would use several excludes such as
   "Exclude = /etc/group", "Exclude = /etc/motd", and so on. But I think that
   you will probably want to monitor the entire "/etc" directory for
   changes.



Q: Gzip says "decompression OK, trailing garbage ignored." When I uncompress
   FCheck, is my tar file damaged?

A: The Netscape WEB site appears to be padding GZipped files with NULLS,
   although it does not happen to the identical Pkzipped file.
   As expressed in the warning message, GZip ignores the trailing NULL
   characters with no impact to the extracted tar file. If the displayed
   warning bothers you too much, then try the Pkzipped version of FCheck as it
   is an identical version.