In this article, we adapt AFICK to watch a particular directory tree and to keep its results in a separate database. This way, one job can fingerprint the OS while a different job fingerprints more dynamic content. Here is the configuration file:
[root@ids afick]# cat /etc/afickweb.conf
database:=/var/lib/afickweb/afick
history := /var/lib/afickweb/history
archive := /var/lib/afickweb/archive
report_url := stdout
verbose := no
debug := 0
warn_dead_symlinks := no
follow_symlinks := no
allow_overload := no
report_full_newdel := yes
warn_missing_file := yes
running_files := yes
timing := yes
ignore_case := no
max_checksum_size := 10000000
checkrule = p+d+i+n+u+g+s+b+md5+m
/directorytocheck checkrule
[root@ids afick]#
The checkrule alias lists the attributes recorded for every file under /directorytocheck: permissions (p), device (d), inode (i), link count (n), owner (u), group (g), size (s), block count (b), an MD5 checksum and modification time (m). To initialize the database at the new location, use -c to point AFICK at the alternate configuration file and -i to create the database:
[root@ids afick]# afick -c /etc/afickweb.conf -i
# Afick (2.8-2) init at 2005/08/30 07:21:45 with options (/etc/afickweb.conf):
# database:=/var/lib/afickweb/afick
# history:=/var/lib/afickweb/history
# archive:=/var/lib/afickweb/archive
# report_url:=stdout
# report_full_newdel:=1
# warn_missing_file:=1
# running_files:=1
# timing:=1
# max_checksum_size:=10000000
# Hash database created successfully. 12032 files entered.
# #################################################################
# MD5 hash of /var/lib/afickweb/afick => somemd5hash
# user time : 19.05; system time : 5.43; real time : 60
[root@ids afick]#
Update the database with -u, which rescans and records the current state. Note that AFICK reports its own database files (afick.ctr, afick.dir, afick.pag) as new, because the directory holding them is covered by the scan; expect the same on every update. The two JPEGs were edited between the two runs:
[root@ids afick]# afick -c /etc/afickweb.conf -u
# Afick (2.8-2) update at 2005/08/30 07:24:43 with options (/etc/afickweb.conf):
# database:=/var/lib/afickweb/afick
# history:=/var/lib/afickweb/history
# archive:=/var/lib/afickweb/archive
# report_url:=stdout
# report_full_newdel:=1
# warn_missing_file:=1
# running_files:=1
# timing:=1
# max_checksum_size:=10000000
# last run on 2005/08/30 07:21:45 with afick version 2.8-2
new file : /var/lib/afickweb/afick.ctr
new file : /var/lib/afickweb/afick.dir
new file : /var/lib/afickweb/afick.pag
changed file : /directorytocheck/picture.jpg
changed file : /directorytocheck/picture9.jpg
# detailed changes
new file : /var/lib/afickweb/afick.ctr
    inode_date : Tue Aug 30 07:22:45 2005
new file : /var/lib/afickweb/afick.dir
    inode_date : Tue Aug 30 07:24:43 2005
new file : /var/lib/afickweb/afick.pag
    inode_date : Tue Aug 30 07:25:39 2005
changed file : /directorytocheck/picture.jpg
    md5 : somemd5hash somemd5hash
    filesize : 2772 2756
    mtime : Tue Aug 30 07:18:37 2005 Tue Aug 30 07:23:41 2005
changed file : /directorytocheck/picture9.jpg
    md5 : somemd5hash somemd5hash
    filesize : 2753 2756
    mtime : Tue Aug 30 06:33:06 2005 Tue Aug 30 07:23:42 2005
# Hash database updated successfully : 12035 files scanned, 5 changed (new : 3; delete : 0; changed : 2; dangling : 0; exclude_suffix : 0; exclude_prefix : 0; exclude_re : 0; degraded : 2)
# #################################################################
# MD5 hash of /var/lib/afickweb/afick => somemd5hash
# user time : 21.03; system time : 4.91; real time : 56
[root@ids afick]#
Now run a compare (-k, which reports differences without rewriting the database) against the database at its new location; nothing has changed since the update:
[root@ids afick]# afick -c /etc/afickweb.conf -k
# Afick (2.8-2) compare at 2005/08/30 07:26:15 with options (/etc/afickweb.conf):
# database:=/var/lib/afickweb/afick
# history:=/var/lib/afickweb/history
# archive:=/var/lib/afickweb/archive
# report_url:=stdout
# report_full_newdel:=1
# warn_missing_file:=1
# running_files:=1
# timing:=1
# max_checksum_size:=10000000
# last run on 2005/08/30 07:24:43 with afick version 2.8-2
# Hash database : 12035 files scanned, 0 changed (new : 0; delete : 0; changed : 0; dangling : 0; exclude_suffix : 0; exclude_prefix : 0; exclude_re : 0; degraded : 2)
# #################################################################
# MD5 hash of /var/lib/afickweb/afick => somemd5hash
# user time : 21.28; system time : 4.65; real time : 58
[root@ids afick]#
Next, move the AFICK database into a non-root home directory, so that an unprivileged user can run integrity checks on their own files. Move it from /var/lib to /home/limited:
[root@ids lib]# mv afickweb /home/limited
[root@ids lib]# cd /home/limited
[root@ids limited]# ls -l
drwxr-xr-x 3 root root 4096 Aug 30 07:22 afickweb
Change the ownership and permissions so that only the limited user can read or write the database:
[root@ids limited]# chown limited afickweb -R
[root@ids limited]# chmod 700 afickweb -R
[root@ids limited]# ls -l afickweb
total 3048
-rwx------ 1 limited root     471 Aug 30 07:32 afick.ctr
-rwx------ 1 limited root    4096 Aug 30 07:22 afick.dir
-rwx------ 1 limited root 8370176 Aug 30 07:32 afick.pag
drwx------ 2 limited root    4096 Aug 30 07:34 archive
-rwx------ 1 limited root    1138 Aug 30 07:35 history
(chmod 700 -R also sets the execute bit on the regular files, which nothing needs; chmod -R u=rwX,go= would leave them at 600. Either way, group and others have no access.) The configuration file must be edited to point at the new database, history and archive locations, then moved into the user's home directory and locked down the same way:
[root@ids limited]# vi /etc/afickweb.conf
[root@ids limited]# mv /etc/afickweb.conf /home/limited/
[root@ids limited]# chmod 700 /home/limited/afickweb.conf
[root@ids limited]# chown limited /home/limited/afickweb.conf
[root@ids limited]# ls -l /home/limited/afickweb.conf
-rwx------ 1 limited root 425 Aug 30 07:37 /home/limited/afickweb.conf
[root@ids limited]#
Update the database, this time as the limited user and with the relocated configuration file. AFICK warns that the database, history and archive directives differ from those recorded at the last run, then reports the old locations as deleted and the new ones as new. The parent_date of Wed Dec 31 18:00:00 1969 on the deleted entries is the Unix epoch (time zero) in the host's local time zone, shown because the old parent directory /var/lib/afickweb no longer exists:
ids limited $ afick -c ~/afickweb.conf -u
WARNING: (control) directives change : database:=/var/lib/afickweb/afick / database:=/home/limited/afickweb/afick
WARNING: (control) directives change : history:=/var/lib/afickweb/history / history:=/home/limited/afickweb/history
WARNING: (control) directives change : archive:=/var/lib/afickweb/archive / archive:=/home/limited/afickweb/archive
WARNING: (control) directives change : report_url:=STDOUT / report_url:=stdout
# Afick (2.8-2) update at 2005/08/30 07:41:02 with options (/home/limited/afickweb.conf):
# database:=/home/limited/afickweb/afick
# history:=/home/limited/afickweb/history
# archive:=/home/limited/afickweb/archive
# report_url:=stdout
# report_full_newdel:=1
# warn_missing_file:=1
# running_files:=1
# timing:=1
# max_checksum_size:=10000000
# last run on 2005/08/30 07:31:48 with afick version 2.8-2
new file : /home/limited/afickweb.conf
new file : /home/limited/afickweb/afick.ctr
new file : /home/limited/afickweb/afick.dir
new file : /home/limited/afickweb/afick.pag
deleted file : /etc/afickweb.conf
deleted file : /var/lib/afickweb/afick.ctr
deleted file : /var/lib/afickweb/afick.dir
deleted file : /var/lib/afickweb/afick.pag
changed file : /directorytocheck/picture.jpg
changed file : /directorytocheck/picture1.jpg
changed file : /directorytocheck/picture2.jpg
# detailed changes
new file : /home/limited/afickweb.conf
    inode_date : Tue Aug 30 07:38:38 2005
new file : /home/limited/afickweb/afick.ctr
    inode_date : Tue Aug 30 07:36:51 2005
new file : /home/limited/afickweb/afick.dir
    inode_date : Tue Aug 30 07:41:02 2005
new file : /home/limited/afickweb/afick.pag
    inode_date : Tue Aug 30 07:41:58 2005
deleted file : /etc/afickweb.conf
    parent_date : Tue Aug 30 07:38:09 2005
deleted file : /var/lib/afickweb/afick.ctr
    parent_date : Wed Dec 31 18:00:00 1969
deleted file : /var/lib/afickweb/afick.dir
    parent_date : Wed Dec 31 18:00:00 1969
deleted file : /var/lib/afickweb/afick.pag
    parent_date : Wed Dec 31 18:00:00 1969
changed file : /directorytocheck/picture.jpg
    md5 : somemd5hash somemd5hash
    filesize : 2747 2754
    mtime : Tue Aug 30 07:28:44 2005 Tue Aug 30 07:38:52 2005
changed file : /directorytocheck/picture1.jpg
    md5 : somemd5hash somemd5hash
    filesize : 2761 2758
    mtime : Tue Aug 30 06:43:14 2005 Tue Aug 30 07:33:50 2005
changed file : /directorytocheck/picture2.jpg
    md5 : somemd5hash somemd5hash
    filesize : 2773 2754
    mtime : Tue Aug 30 06:48:17 2005 Tue Aug 30 07:38:54 2005
# Hash database updated successfully : 12035 files scanned, 11 changed (new : 4; delete : 4; changed : 3; dangling : 0; exclude_suffix : 0; exclude_prefix : 0; exclude_re : 0; degraded : 2)
# #################################################################
# MD5 hash of /home/limited/afickweb/afick => somemd5hash
# user time : 21.15; system time : 4.98; real time : 57
ids limited $
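The whole procedure above (write a per-user configuration, relocate the database, lock it down) as a single script. This is an added example, not part of the article or of AFICK itself: it writes a configuration mirroring the one shown, using 600 for files and 700 for directories instead of the article's chmod 700 -R, and then audits the configuration file and database directory for ownership and group/world access before afick is pointed at them. The script name afick-user.sh and its base-directory argument are assumptions; the script does not invoke afick, which is run with the -i/-u/-k commands shown above once the audit passes.

```shell
#!/bin/sh
# afick-user.sh (hypothetical name): per-user AFICK setup and permission audit.
# Added example for this article, not AFICK's own code. The directives, the
# alias name "checkrule" and the attribute list p+d+i+n+u+g+s+b+md5+m are
# copied from the configuration shown in the article.
set -eu
umask 077   # everything this script creates is private by default

# write_afick_conf BASE TREE
#   Writes BASE/afickweb.conf with the database, history and archive under
#   BASE/afickweb, monitoring TREE. Directories end up 700, regular files 600.
write_afick_conf() {
    base=$1
    tree=$2
    mkdir -p "$base/afickweb/archive"
    cat > "$base/afickweb.conf" <<EOF
database:=$base/afickweb/afick
history := $base/afickweb/history
archive := $base/afickweb/archive
report_url := stdout
verbose := no
debug := 0
warn_dead_symlinks := no
follow_symlinks := no
allow_overload := no
report_full_newdel := yes
warn_missing_file := yes
running_files := yes
timing := yes
ignore_case := no
max_checksum_size := 10000000
checkrule = p+d+i+n+u+g+s+b+md5+m
$tree checkrule
EOF
    # 700 for directories, 600 for files: no execute bit on data files, unlike
    # the article's 'chmod 700 -R'
    find "$base/afickweb" -type d -exec chmod 700 {} +
    find "$base/afickweb" -type f -exec chmod 600 {} +
    chmod 600 "$base/afickweb.conf"
}

# is_private PATH
#   True when PATH is owned by the invoking user and its group and other
#   permission bits are all clear. Reads the mode column of 'ls -ld', which
#   has the same layout on GNU and BSD systems (columns 5-10 are group/other).
is_private() {
    [ -O "$1" ] || return 1
    mode=$(ls -ld "$1" | cut -c5-10)
    [ "$mode" = "------" ]
}

# check_afick_perms BASE
#   Returns 0 when the configuration file, the database directory and
#   everything inside it are private; lists each offending path on stderr
#   and returns 1 otherwise. Paths are assumed not to contain whitespace.
check_afick_perms() {
    base=$1
    bad=0
    for p in "$base/afickweb.conf" "$base/afickweb" $(find "$base/afickweb" -mindepth 1); do
        is_private "$p" || { echo "not private: $p" >&2; bad=$((bad + 1)); }
    done
    [ "$bad" -eq 0 ]
}

# Usage:
#   sh afick-user.sh setup /home/limited /directorytocheck
#   sh afick-user.sh audit /home/limited && afick -c /home/limited/afickweb.conf -i
case "${1:-}" in
    setup) write_afick_conf "$2" "$3" ;;
    audit) check_afick_perms "$2" ;;
esac
```

The audit is worth running before every scheduled afick run, not just once: a database or configuration file that becomes readable or writable by other users silently undermines the comparison, since whoever can rewrite the database can make any modified file look unchanged.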
Note that if you rsync the filesystem to an offsite host, the same configuration lets you check the root filesystem on that copy in a secure way: the check database never lives on the monitored machine, so nobody who compromises it can tamper with the baseline. Copy with rsync -a (or equivalent) so that ownership, permissions and modification times are preserved, otherwise the p, u, g and m attributes in the checkrule are compared against the copy's values rather than the originals.