NetAdminTools.com
Customizing the AFICK File Integrity Checker
Topic: Security   Posted:2005-08-30

This article builds on our AFICK setup: we adapt AFICK to a particular directory tree and a separate database, so that one job fingerprints the OS while a different job fingerprints more dynamic content. Here is our configuration file:

[root@ids afick]# cat /etc/afickweb.conf
database:=/var/lib/afickweb/afick
history := /var/lib/afickweb/history
archive := /var/lib/afickweb/archive
report_url := stdout
verbose := no
debug := 0
warn_dead_symlinks := no
follow_symlinks := no
allow_overload := no
report_full_newdel := yes
warn_missing_file := yes
running_files := yes
timing := yes
ignore_case := no
max_checksum_size := 10000000
checkrule = p+d+i+n+u+g+s+b+md5+m
/directorytocheck checkrule
[root@ids afick]#

To initialize the database at the new location, use -c to point AFICK at the alternate configuration file and -i to initialize:

[root@ids afick]# afick -c /etc/afickweb.conf -i
# Afick (2.8-2) init at 2005/08/30 07:21:45 with options (/etc/afickweb.conf):
# database:=/var/lib/afickweb/afick
# history:=/var/lib/afickweb/history
# archive:=/var/lib/afickweb/archive
# report_url:=stdout
# report_full_newdel:=1
# warn_missing_file:=1
# running_files:=1
# timing:=1
# max_checksum_size:=10000000
# Hash database created successfully. 12032 files entered.
# #################################################################
# MD5 hash of /var/lib/afickweb/afick => somemd5hash
# user time : 19.05; system time : 5.43; real time : 60
[root@ids afick]#

Update the database:

[root@ids afick]# afick -c /etc/afickweb.conf -u
# Afick (2.8-2) update at 2005/08/30 07:24:43 with options (/etc/afickweb.conf):
# database:=/var/lib/afickweb/afick
# history:=/var/lib/afickweb/history
# archive:=/var/lib/afickweb/archive
# report_url:=stdout
# report_full_newdel:=1
# warn_missing_file:=1
# running_files:=1
# timing:=1
# max_checksum_size:=10000000
# last run on 2005/08/30 07:21:45 with afick version 2.8-2
new file : /var/lib/afickweb/afick.ctr
new file : /var/lib/afickweb/afick.dir
new file : /var/lib/afickweb/afick.pag
changed file : /directorytocheck/picture.jpg
changed file : /directorytocheck/picture9.jpg
# detailed changes
new file : /var/lib/afickweb/afick.ctr
inode_date   : Tue Aug 30 07:22:45 2005
new file : /var/lib/afickweb/afick.dir
inode_date   : Tue Aug 30 07:24:43 2005
new file : /var/lib/afickweb/afick.pag
inode_date   : Tue Aug 30 07:25:39 2005
changed file : /directorytocheck/picture.jpg
md5          : somemd5hash somemd5hash
filesize     : 2772 2756
mtime        : Tue Aug 30 07:18:37 2005     Tue Aug 30 07:23:41 2005
changed file : /directorytocheck/picture9.jpg
md5          : somemd5hash somemd5hash
filesize     : 2753 2756
mtime        : Tue Aug 30 06:33:06 2005     Tue Aug 30 07:23:42 2005
# Hash database updated successfully : 12035 files scanned, 5 changed 
(new : 3; delete : 0; changed : 2; dangling : 0; exclude_suffix : 0; 
exclude_prefix : 0; exclude_re : 0; degraded : 2)
# #################################################################
# MD5 hash of /var/lib/afickweb/afick => somemd5hash 
# user time : 21.03; system time : 4.91; real time : 56
[root@ids afick]# 

Let's run a compare (-k) against the database in the new location:

[root@ids afick]# afick -c /etc/afickweb.conf -k
# Afick (2.8-2) compare at 2005/08/30 07:26:15 with options (/etc/afickweb.conf):
# database:=/var/lib/afickweb/afick
# history:=/var/lib/afickweb/history
# archive:=/var/lib/afickweb/archive
# report_url:=stdout
# report_full_newdel:=1
# warn_missing_file:=1
# running_files:=1
# timing:=1
# max_checksum_size:=10000000
# last run on 2005/08/30 07:24:43 with afick version 2.8-2
# Hash database : 12035 files scanned, 0 changed (new : 0; delete : 0; 
changed : 0; dangling : 0; exclude_suffix : 0; exclude_prefix : 0; 
exclude_re : 0; degraded : 2)
# #################################################################
# MD5 hash of /var/lib/afickweb/afick => somemd5hash 
# user time : 21.28; system time : 4.65; real time : 58
[root@ids afick]#

Now we want to move the AFICK database into a non-root user's home directory, so that individual users can run integrity checks on their own files. We need to move it from /var/lib to /home/limited:

[root@ids lib]# mv afickweb /home/limited
[root@ids lib]# cd /home/limited
[root@ids limited]# ls -l
drwxr-xr-x    3 root     root         4096 Aug 30 07:22 afickweb

Change the ownership and permissions so that only the limited user can read or write the database:

[root@ids limited]# chown limited afickweb -R
[root@ids limited]# chmod 700 afickweb -R
[root@ids limited]# ls -l afickweb
total 3048
-rwx------    1 limited   root          471 Aug 30 07:32 afick.ctr
-rwx------    1 limited   root         4096 Aug 30 07:22 afick.dir
-rwx------    1 limited   root      8370176 Aug 30 07:32 afick.pag
drwx------    2 limited   root         4096 Aug 30 07:34 archive
-rwx------    1 limited   root         1138 Aug 30 07:35 history

The configuration file needs to be changed for the new location and moved:

[root@ids limited]# vi /etc/afickweb.conf
[root@ids limited]# mv /etc/afickweb.conf /home/limited/
[root@ids limited]# chmod 700 /home/limited/afickweb.conf
[root@ids limited]# chown limited /home/limited/afickweb.conf
[root@ids limited]# ls -l /home/limited/afickweb.conf
-rwx------    1 limited   root    425 Aug 30 07:37 /home/limited/afickweb.conf
[root@ids limited]#

Update the database, this time running as the limited user. AFICK warns that the control directives now differ from those recorded in the database:

ids limited $ afick -c ~/afickweb.conf -u
WARNING: (control) directives change : database:=/var/lib/afickweb/afick 
/ database:=/home/limited/afickweb/afick
WARNING: (control) directives change : history:=/var/lib/afickweb/history 
/ history:=/home/limited/afickweb/history
WARNING: (control) directives change : archive:=/var/lib/afickweb/archive 
/ archive:=/home/limited/afickweb/archive
WARNING: (control) directives change : report_url:=STDOUT / report_url:=stdout
# Afick (2.8-2) update at 2005/08/30 07:41:02 with options 
(/home/limited/afickweb.conf):
# database:=/home/limited/afickweb/afick
# history:=/home/limited/afickweb/history
# archive:=/home/limited/afickweb/archive
# report_url:=stdout
# report_full_newdel:=1
# warn_missing_file:=1
# running_files:=1
# timing:=1
# max_checksum_size:=10000000
# last run on 2005/08/30 07:31:48 with afick version 2.8-2
new file : /home/limited/afickweb.conf
new file : /home/limited/afickweb/afick.ctr
new file : /home/limited/afickweb/afick.dir
new file : /home/limited/afickweb/afick.pag
deleted file : /etc/afickweb.conf
deleted file : /var/lib/afickweb/afick.ctr
deleted file : /var/lib/afickweb/afick.dir
deleted file : /var/lib/afickweb/afick.pag
changed file : /directorytocheck/picture.jpg
changed file : /directorytocheck/picture1.jpg
changed file : /directorytocheck/picture2.jpg
# detailed changes
new file : /home/limited/afickweb.conf
inode_date   : Tue Aug 30 07:38:38 2005
new file : /home/limited/afickweb/afick.ctr
inode_date   : Tue Aug 30 07:36:51 2005
new file : /home/limited/afickweb/afick.dir
inode_date   : Tue Aug 30 07:41:02 2005
new file : /home/limited/afickweb/afick.pag
inode_date   : Tue Aug 30 07:41:58 2005
deleted file : /etc/afickweb.conf
parent_date  : Tue Aug 30 07:38:09 2005
deleted file : /var/lib/afickweb/afick.ctr
parent_date  : Wed Dec 31 18:00:00 1969
deleted file : /var/lib/afickweb/afick.dir
parent_date  : Wed Dec 31 18:00:00 1969
deleted file : /var/lib/afickweb/afick.pag
parent_date  : Wed Dec 31 18:00:00 1969
changed file : /directorytocheck/picture.jpg
md5          : somemd5hash somemd5hash 
filesize     : 2747 2754
mtime        : Tue Aug 30 07:28:44 2005     Tue Aug 30 07:38:52 2005
changed file : /directorytocheck/picture1.jpg
md5          : somemd5hash somemd5hash
filesize     : 2761 2758
mtime        : Tue Aug 30 06:43:14 2005     Tue Aug 30 07:33:50 2005
changed file : /directorytocheck/picture2.jpg
md5          : somemd5hash somemd5hash
filesize     : 2773 2754
mtime        : Tue Aug 30 06:48:17 2005     Tue Aug 30 07:38:54 2005
# Hash database updated successfully : 12035 files scanned, 11 changed (new : 
4; delete : 4; changed : 3; dangling : 0; exclude_suffix : 0; exclude_prefix : 
0; exclude_re : 0; degraded : 2)
# #################################################################
# MD5 hash of /home/limited/afickweb/afick => somemd5hash 
# user time : 21.15; system time : 4.98; real time : 57
ids limited $

Note that if you rsync the filesystem offsite, you can use the above configuration to check the copied root filesystem on the remote host; an intruder on the original machine then has no way to tamper with your check database.
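The configuration and permission steps above, collected into a script (an added example, not from the original article or the AFICK project; the function names make_afick_conf, check_afick_perms and afick_init_and_check are my own, and afick itself is only invoked when it is installed):

```shell
#!/bin/sh
# Added example (not from the article or AFICK): write a per-user AFICK config
# like /home/limited/afickweb.conf with database, history and archive under the
# user's home, and refuse to run unless config and database dir are mode 0700
# and owned by the caller.  Arguments: $1 = user's home, $2 = tree to check.

make_afick_conf() {
    home="$1"; tree="$2"; conf="$home/afickweb.conf"
    mkdir -p "$home/afickweb/archive"
    cat > "$conf" <<EOF
database := $home/afickweb/afick
history := $home/afickweb/history
archive := $home/afickweb/archive
report_url := stdout
verbose := no
report_full_newdel := yes
warn_missing_file := yes
running_files := yes
timing := yes
max_checksum_size := 10000000
checkrule = p+d+i+n+u+g+s+b+md5+m
$tree checkrule
EOF
    chmod 700 "$conf"; chmod -R 700 "$home/afickweb"
    printf '%s\n' "$conf"
}

# Returns 0 only if the config file and database directory are mode 700 and
# owned by the current uid; GNU stat is tried first, then the BSD form.
check_afick_perms() {
    home="$1"; me=$(id -u)
    for p in "$home/afickweb.conf" "$home/afickweb"; do
        mode=$(stat -c '%a' "$p" 2>/dev/null || stat -f '%Lp' "$p" 2>/dev/null)
        owner=$(stat -c '%u' "$p" 2>/dev/null || stat -f '%u' "$p" 2>/dev/null)
        [ "$mode" = "700" ] || { echo "refusing: $p has mode $mode, want 700" >&2; return 1; }
        [ "$owner" = "$me" ] || { echo "refusing: $p owned by uid $owner, not $me" >&2; return 1; }
    done
    return 0
}

# The article's sequence: initialize (-i), then compare (-k).  afick is not
# bundled here, so this step only runs when the binary is installed.
afick_init_and_check() {
    conf="$1"; home=$(dirname "$conf")
    check_afick_perms "$home" || return 1
    command -v afick >/dev/null 2>&1 || { echo "afick not installed" >&2; return 2; }
    afick -c "$conf" -i && afick -c "$conf" -k
}
```

Run it as the limited user, not root, so the generated files are owned by the account that will run the checks.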
