One important component of securing a system is a file integrity checker. There are several tools that do this, including AIDE and Tripwire. One project that does what we need, has few installation requirements, is fairly easy to install, and is multi-platform is AFICK. In this article we will install a basic system, which is a good starting point for fingerprinting the OS files. We also have an article on customizing for a particular directory here. We will use the RPM version:
[root@ids intrusion]# ls af*
afick-2.8-2.noarch.rpm
[root@ids intrusion]#
[root@ids intrusion]# rpm -i afick-2.8-2.noarch.rpm
warning: afick-2.8-2.noarch.rpm: V3 DSA signature: NOKEY, key ID cb6fa42a
error: Failed dependencies:
    perl is needed by afick-2.8-2
    /usr/bin/perl is needed by afick-2.8-2
    Suggested resolutions:
    /perl-5.8.0-89.10.i386.rpm
We really do have perl, but on this test machine it was not installed from an RPM, so the RPM database does not know about it:
[root@ids intrusion]# perl -v
This is perl, v5.8.7 built for i686-linux
. . .
[root@ids intrusion]#
We need to install with --nodeps. Be warned that the install also runs an initial scan of your system to build the baseline database, so be sure to do this on a test box first:
[root@ids intrusion]# rpm -i afick-2.8-2.noarch.rpm --nodeps
warning: afick-2.8-2.noarch.rpm: V3 DSA signature: NOKEY, key ID cb6fa42a
WARNING: rule DIR (pinug) for /usr/X11R6/bin is not enough
WARNING: rule DIR (pinug) for /usr/kerberos/lib is not enough
WARNING: rule DIR (pinug) for /usr/X11R6/lib is not enough
WARNING: rule DIR (pinug) for /usr/local/mysql/lib/mysql is not enough
add rule line /usr/X11R6/lib all
add rule line /usr/kerberos/lib all
add rule line /usr/local/mysql/lib/mysql all
add rule line /usr/X11R6/bin all
rewrite changed /etc/afick.conf (4) directives (0) macros(0) alias (0) rules (4)
WARNING: skip config file =/dev/scsi p+n (line 127), /dev/scsi directory does not exists
WARNING: find 1 errors in config file /etc/afick.conf
first install : we will initiate the database
WARNING: skip config file =/dev/scsi p+n (line 127), /dev/scsi directory does not exists
# Afick (2.8-2) init at 2005/08/30 06:32:19 with options (/etc/afick.conf):
# database:=/var/lib/afick/afick
# history:=/var/lib/afick/history
# archive:=/var/lib/afick/archive
# report_url:=stdout
# running_files:=1
# timing:=1
# exclude_suffix:= log LOG html htm HTM txt TXT xml
# max_checksum_size:=10000000
WARNING: /root/logs/rl.t as been modified during the program run
WARNING: /root/logs/stl.t as been modified during the program run
# Hash database created successfully. 40530 files entered.
# #################################################################
# MD5 hash of /var/lib/afick/afick => somemd5hash
# user time : 39.22; system time : 9.88; real time : 189
[root@ids intrusion]#
The install output shows something wrong in our config file. We can check the config file on its own with -C:
[root@ids etc]# afick -C
WARNING: skip config file =/dev/scsi p+n (line 127), /dev/scsi directory does not exists
WARNING: find 1 errors in config file /etc/afick.conf
[root@ids etc]#
Let’s fix that up:
[root@ids etc]# vi /etc/afick.conf
The /dev/scsi rule on line 127 needs to change, since that directory does not exist on this box. Commenting it out is enough:
#=/dev/scsi p+n
Check again:
[root@ids etc]# afick -C
# config file /etc/afick.conf ok
[root@ids etc]#
The -k option compares the current system against the database without updating it:
[root@ids idshome]# afick -k
# Afick (2.8-2) compare at 2005/08/30 06:49:31 with options (/etc/afick.conf):
# database:=/var/lib/afick/afick
# history:=/var/lib/afick/history
# archive:=/var/lib/afick/archive
# report_url:=stdout
# running_files:=1
# timing:=1
# exclude_suffix:= log LOG html htm HTM txt TXT xml
# max_checksum_size:=10000000
# last run on 2005/08/30 06:32:19 with afick version 2.8-2
WARNING: /root/logs/rl.t as been modified during the program run
WARNING: /root/logs/stl.t as been modified during the program run
new character_device : /dev/pts/2
new character_device : /dev/pts/3
new file : /var/lib/afick/afick.ctr
new file : /var/lib/afick/afick.dir
new file : /var/lib/afick/afick.pag
changed file : /etc/afick.conf
changed directory : /root
changed file : /root/getvarlogmess
changed file : /root/logs/rl.t
changed file : /root/logs/stl.t
changed file : /root/topstats
# detailed changes
new character_device : /dev/pts/2
    inode_date : Tue Aug 30 06:32:55 2005
new character_device : /dev/pts/3
    inode_date : Tue Aug 30 06:43:55 2005
new file : /var/lib/afick/afick.ctr
    inode_date : Tue Aug 30 06:35:27 2005
new file : /var/lib/afick/afick.dir
    inode_date : Tue Aug 30 06:49:31 2005
new file : /var/lib/afick/afick.pag
    inode_date : Tue Aug 30 06:49:31 2005
changed file : /etc/afick.conf
    md5 : somestuff diffstuff
    filesize : 4417 4418
    mtime : Tue Aug 30 06:32:17 2005 Tue Aug 30 06:43:22 2005
    ctime : Tue Aug 30 06:32:17 2005 Tue Aug 30 06:43:22 2005
changed directory : /root
    mtime : Mon Aug 8 17:24:49 2005 Tue Aug 30 06:38:58 2005
changed file : /root/getvarlogmess
    mtime : Tue Aug 30 06:28:50 2005 Tue Aug 30 06:48:50 2005
changed file : /root/logs/rl.t
    mtime : Tue Aug 30 06:33:18 2005 Tue Aug 30 06:50:08 2005
changed file : /root/logs/stl.t
    mtime : Tue Aug 30 06:33:18 2005 Tue Aug 30 06:50:08 2005
changed file : /root/topstats
    md5 : somestuff diffstuff
    filesize : 4649 5432
    mtime : Tue Aug 30 06:28:54 2005 Tue Aug 30 06:48:54 2005
# Hash database : 40535 files scanned, 11 changed (new : 5; delete : 0; changed : 6; dangling : 8; exclude_suffix : 196; exclude_prefix : 0; exclude_re : 0; degraded : 9)
# #################################################################
# MD5 hash of /var/lib/afick/afick => somemd5hash
# user time : 47.54; system time : 7.96; real time : 116
[root@ids idshome]#
When you are happy that the reported changes are all expected, update the database with -u:
[root@ids idshome]# afick -u
# Afick (2.8-2) update at 2005/08/30 06:55:20 with options (/etc/afick.conf):
# database:=/var/lib/afick/afick
# history:=/var/lib/afick/history
# archive:=/var/lib/afick/archive
# report_url:=stdout
# running_files:=1
# timing:=1
# exclude_suffix:= log LOG html htm HTM txt TXT xml
# max_checksum_size:=10000000
# last run on 2005/08/30 06:32:19 with afick version 2.8-2
. . .
# Hash database updated successfully : 40535 files scanned, 11 changed (new : 5; delete : 0; changed : 6; dangling : 8; exclude_suffix : 196; exclude_prefix : 0; exclude_re : 0; degraded : 9)
# #################################################################
# MD5 hash of /var/lib/afick/afick => somemd5hash
# user time : 46.69; system time : 7.89; real time : 119
[root@ids idshome]#
The next time you run afick with -k, you will only see the changes since the last update. Here the only hits are the two log files that are being written while the scan runs:
[root@ids idshome]# afick -k
# Afick (2.8-2) compare at 2005/08/30 06:58:05 with options (/etc/afick.conf):
# database:=/var/lib/afick/afick
# history:=/var/lib/afick/history
# archive:=/var/lib/afick/archive
# report_url:=stdout
# running_files:=1
# timing:=1
# exclude_suffix:= log LOG html htm HTM txt TXT xml
# max_checksum_size:=10000000
# last run on 2005/08/30 06:55:20 with afick version 2.8-2
WARNING: /root/logs/rl.t as been modified during the program run
WARNING: /root/logs/stl.t as been modified during the program run
changed file : /root/logs/rl.t
changed file : /root/logs/stl.t
# detailed changes
changed file : /root/logs/rl.t
    mtime : Tue Aug 30 06:55:57 2005 Tue Aug 30 06:58:40 2005
changed file : /root/logs/stl.t
    mtime : Tue Aug 30 06:55:57 2005 Tue Aug 30 06:58:40 2005
# Hash database : 40535 files scanned, 2 changed (new : 0; delete : 0; changed : 2; dangling : 8; exclude_suffix : 196; exclude_prefix : 0; exclude_re : 0; degraded : 9)
# #################################################################
# MD5 hash of /var/lib/afick/afick => somemd5hash
# user time : 47.52; system time : 8.05; real time : 119
[root@ids idshome]#
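As an added example (not from the original article, and not part of AFICK itself): a small POSIX shell helper that reads an afick -k report in the format shown above, drops the entries this box is known to churn (the allowlist, the sample report and the made-up paths in it are constructed assumptions), and fails when anything else changed, so a cron job can alert on it instead of a person reading the whole report.

```shell
# Constructed sample of an "afick -k" report in the format shown above; it is not
# real output from this host, and the changed paths are made up for the demo.
SAMPLE_REPORT='# Afick (2.8-2) compare at 2005/08/30 06:58:05 with options (/etc/afick.conf):
# database:=/var/lib/afick/afick
WARNING: /root/logs/rl.t as been modified during the program run
new character_device : /dev/pts/2
new file : /usr/local/bin/unexpected
changed file : /root/logs/rl.t
changed file : /etc/passwd
# detailed changes
changed file : /etc/passwd
    md5 : somestuff diffstuff
# Hash database : 40535 files scanned, 4 changed (new : 2; delete : 0; changed : 2; dangling : 8; exclude_suffix : 196; exclude_prefix : 0; exclude_re : 0; degraded : 9)'

# Hypothetical allowlist (POSIX ERE) for changes that are expected noise on this box:
# pseudo-terminals and the log files the scan itself reports as modified while it runs.
ALLOW_RE='^(/dev/pts/|/root/logs/[^/]*[.]t$)'

# Read a report on stdin and print the summary-section change lines (everything
# before "# detailed changes") whose path does not match ALLOW_RE.
afick_triage() {
  awk -v allow="$ALLOW_RE" '
    /^# detailed changes/ { exit }            # stop before the per-attribute details
    /^[a-z]+ [a-z_]+ : \// {                  # e.g. "changed file : /etc/passwd"
      path = $0; sub(/^[^:]*: /, "", path)    # keep only the path after ": "
      if (path !~ allow) print
    }'
}

# Read a report on stdin and print the changed-entry count from the final summary line.
afick_changed_count() {
  sed -n 's/^# Hash database : [0-9]* files scanned, \([0-9]*\) changed.*/\1/p'
}

# Read a report on stdin; succeed only if nothing outside the allowlist changed,
# so a cron wrapper such as "afick -k | afick_check || mail root" can alert.
afick_check() {
  unexpected=$(afick_triage | wc -l | tr -d ' ')
  [ "$unexpected" -eq 0 ]
}

# Demo run on the constructed report: prints the two entries that need a look.
printf '%s\n' "$SAMPLE_REPORT" | afick_triage
```

Keep the allowlist short and review it with the same care as the database itself: every pattern in it is a path an attacker could change without an alert.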