NetAdminTools.com
Using the AFICK File Integrity Checker
Topic: Security   Posted:2005-08-30
One important component of securing a system is a file integrity checker. There are multiple tools that can do this, including AIDE and Tripwire. One project that does what we need, has few installation requirements, is fairly easy to install, and is multi-platform is AFICK. In this article we will install a basic system, which is a good place to start for fingerprinting the OS files. We also have an article on customizing for a particular directory here. We will use the RPM version:

[root@ids intrusion]# ls af*
afick-2.8-2.noarch.rpm
[root@ids intrusion]#
[root@ids intrusion]# rpm -i afick-2.8-2.noarch.rpm
warning: afick-2.8-2.noarch.rpm: V3 DSA signature: NOKEY, key ID cb6fa42a
error: Failed dependencies:
perl is needed by afick-2.8-2
/usr/bin/perl is needed by afick-2.8-2
Suggested resolutions:
/perl-5.8.0-89.10.i386.rpm

We really do have Perl, but it was not installed from an RPM on this test machine, so the RPM database does not know about it:

[root@ids intrusion]# perl -v
This is perl, v5.8.7 built for i686-linux
.
.
.
[root@ids intrusion]#

We need to install with --nodeps. Be warned that the install will also run an initial scan of your system and create the database, so be sure to do this on a test box first:

[root@ids intrusion]# rpm -i afick-2.8-2.noarch.rpm --nodeps
warning: afick-2.8-2.noarch.rpm: V3 DSA signature: NOKEY, key ID cb6fa42a
WARNING: rule DIR (pinug) for /usr/X11R6/bin is not enough
WARNING: rule DIR (pinug) for /usr/kerberos/lib is not enough
WARNING: rule DIR (pinug) for /usr/X11R6/lib is not enough
WARNING: rule DIR (pinug) for /usr/local/mysql/lib/mysql is not enough
add rule line /usr/X11R6/lib all
add rule line /usr/kerberos/lib all
add rule line /usr/local/mysql/lib/mysql all
add rule line /usr/X11R6/bin all
rewrite changed /etc/afick.conf (4)
directives (0) macros(0) alias (0) rules (4)
WARNING: skip config file =/dev/scsi p+n (line 127), 
/dev/scsi directory does not exists
WARNING: find 1 errors in config file /etc/afick.conf
first install : we will initiate the database
WARNING: skip config file =/dev/scsi p+n (line 127), 
/dev/scsi directory does not exists
# Afick (2.8-2) init at 2005/08/30 06:32:19 with options (/etc/afick.conf):
# database:=/var/lib/afick/afick
# history:=/var/lib/afick/history
# archive:=/var/lib/afick/archive
# report_url:=stdout
# running_files:=1
# timing:=1
# exclude_suffix:= log LOG html htm HTM txt TXT xml
# max_checksum_size:=10000000
WARNING: /root/logs/rl.t as been modified during the program run
WARNING: /root/logs/stl.t as been modified during the program run
# Hash database created successfully. 40530 files entered.
# #################################################################
# MD5 hash of /var/lib/afick/afick => somemd5hash 
# user time : 39.22; system time : 9.88; real time : 189
[root@ids intrusion]#

We have something wrong in our config file: the rule on line 127 points at /dev/scsi, which does not exist on this box. We can check the config again with:

[root@ids etc]# afick -C
WARNING: skip config file =/dev/scsi p+n (line 127), 
/dev/scsi directory does not exists
WARNING: find 1 errors in config file /etc/afick.conf
[root@ids etc]#

Let's fix that up:

[root@ids etc]# vi /etc/afick.conf

This line needs to change; since /dev/scsi does not exist here, comment the rule out:

#=/dev/scsi p+n

Check again:

[root@ids etc]# afick -C
# config file /etc/afick.conf ok
[root@ids etc]#

The -k option compares the current file system against the database and reports the differences without updating the database:

[root@ids idshome]# afick -k
# Afick (2.8-2) compare at 2005/08/30 06:49:31 with options (/etc/afick.conf):
# database:=/var/lib/afick/afick
# history:=/var/lib/afick/history
# archive:=/var/lib/afick/archive
# report_url:=stdout
# running_files:=1
# timing:=1
# exclude_suffix:= log LOG html htm HTM txt TXT xml
# max_checksum_size:=10000000
# last run on 2005/08/30 06:32:19 with afick version 2.8-2
WARNING: /root/logs/rl.t as been modified during the program run
WARNING: /root/logs/stl.t as been modified during the program run
new character_device : /dev/pts/2
new character_device : /dev/pts/3
new file : /var/lib/afick/afick.ctr
new file : /var/lib/afick/afick.dir
new file : /var/lib/afick/afick.pag
changed file : /etc/afick.conf
changed directory : /root
changed file : /root/getvarlogmess
changed file : /root/logs/rl.t
changed file : /root/logs/stl.t
changed file : /root/topstats
# detailed changes
new character_device : /dev/pts/2
inode_date               : Tue Aug 30 06:32:55 2005
new character_device : /dev/pts/3
inode_date               : Tue Aug 30 06:43:55 2005
new file : /var/lib/afick/afick.ctr
inode_date       : Tue Aug 30 06:35:27 2005
new file : /var/lib/afick/afick.dir
inode_date       : Tue Aug 30 06:49:31 2005
new file : /var/lib/afick/afick.pag
inode_date       : Tue Aug 30 06:49:31 2005
changed file : /etc/afick.conf
md5              : somestuff diffstuff	
filesize         : 4417 4418
mtime            : Tue Aug 30 06:32:17 2005     Tue Aug 30 06:43:22 2005
ctime            : Tue Aug 30 06:32:17 2005     Tue Aug 30 06:43:22 2005
changed directory : /root
mtime            : Mon Aug  8 17:24:49 2005     Tue Aug 30 06:38:58 2005
changed file : /root/getvarlogmess
mtime            : Tue Aug 30 06:28:50 2005     Tue Aug 30 06:48:50 2005
changed file : /root/logs/rl.t
mtime            : Tue Aug 30 06:33:18 2005     Tue Aug 30 06:50:08 2005
changed file : /root/logs/stl.t
mtime            : Tue Aug 30 06:33:18 2005     Tue Aug 30 06:50:08 2005
changed file : /root/topstats
md5              : somestuff  diffstuff	
filesize         : 4649 5432
mtime            : Tue Aug 30 06:28:54 2005     Tue Aug 30 06:48:54 2005
# Hash database : 40535 files scanned, 11 changed (new : 5; delete : 0; changed : 6; dangling : 8; exclude_suffix : 196; exclude_prefix : 0; exclude_re : 0; degraded : 9)
# #################################################################
# MD5 hash of /var/lib/afick/afick => somemd5hash 
# user time : 47.54; system time : 7.96; real time : 116
[root@ids idshome]#

When you are happy that every reported change is one you expected, update the database with -u:

[root@ids idshome]# afick -u
# Afick (2.8-2) update at 2005/08/30 06:55:20 with options (/etc/afick.conf):
# database:=/var/lib/afick/afick
# history:=/var/lib/afick/history
# archive:=/var/lib/afick/archive
# report_url:=stdout
# running_files:=1
# timing:=1
# exclude_suffix:= log LOG html htm HTM txt TXT xml
# max_checksum_size:=10000000
# last run on 2005/08/30 06:32:19 with afick version 2.8-2
.
.
.
# Hash database updated successfully : 40535 files scanned, 11 changed (new : 5; delete : 0; changed : 6; dangling : 8; exclude_suffix : 196; exclude_prefix : 0; exclude_re : 0; degraded : 9)
# #################################################################
# MD5 hash of /var/lib/afick/afick => somemd5hash 
# user time : 46.69; system time : 7.89; real time : 119
[root@ids idshome]# 

The next time you run afick with -k, you will only see the changes since the last update:

[root@ids idshome]# afick -k
# Afick (2.8-2) compare at 2005/08/30 06:58:05 with options (/etc/afick.conf):
# database:=/var/lib/afick/afick
# history:=/var/lib/afick/history
# archive:=/var/lib/afick/archive
# report_url:=stdout
# running_files:=1
# timing:=1
# exclude_suffix:= log LOG html htm HTM txt TXT xml
# max_checksum_size:=10000000
# last run on 2005/08/30 06:55:20 with afick version 2.8-2
WARNING: /root/logs/rl.t as been modified during the program run
WARNING: /root/logs/stl.t as been modified during the program run
changed file : /root/logs/rl.t
changed file : /root/logs/stl.t
# detailed changes
changed file : /root/logs/rl.t
mtime            : Tue Aug 30 06:55:57 2005     Tue Aug 30 06:58:40 2005
changed file : /root/logs/stl.t
mtime            : Tue Aug 30 06:55:57 2005     Tue Aug 30 06:58:40 2005
# Hash database : 40535 files scanned, 2 changed (new : 0; delete : 0; changed : 2; dangling : 8; exclude_suffix : 196; exclude_prefix : 0; exclude_re : 0; degraded : 9)
# #################################################################
# MD5 hash of /var/lib/afick/afick => somemd5hash 
# user time : 47.52; system time : 8.05; real time : 119
[root@ids idshome]#
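
The init, compare and update cycle above is easier to reason about with a small model of what the tool is doing under the hood. The Python script below is an added example written for this page, not code from the article or from the AFICK project. It records size, timestamps, mode, owner, inode and MD5 per file, honours the exclude_suffix list from the afick.conf output shown above, and prints a report in the shape of afick's. The JSON database format, the function names and the constructed sample tree in run_demo() are all assumptions of the example; real afick also tracks directories and device nodes, which this toy does not.

```python
"""Toy file-integrity checker mirroring afick's init (-i) / compare (-k) / update (-u)
cycle. Added example for this page, not code from the article or from the AFICK project."""
import hashlib, json, os, stat, tempfile

# Suffixes skipped during the scan, copied from the exclude_suffix line in the article.
EXCLUDE_SUFFIX = {"log", "LOG", "html", "htm", "HTM", "txt", "TXT", "xml"}


def md5_of(path):
    """MD5 of a file, the digest afick reports in the article (whole-file read: toy)."""
    with open(path, "rb") as f:
        return hashlib.md5(f.read()).hexdigest()


def file_record(path):
    """Attributes kept per file: size, timestamps, mode, owner, inode and md5."""
    st = os.lstat(path)
    rec = {"filesize": st.st_size, "mtime": st.st_mtime_ns, "ctime": st.st_ctime_ns,
           "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid, "inode": st.st_ino}
    if stat.S_ISREG(st.st_mode):  # no content hash for symlinks or device nodes
        rec["md5"] = md5_of(path)
    return rec


def scan(root):
    """Walk root; return ({relative path: record}, count of suffix-excluded files)."""
    db, excluded = {}, 0
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            if "." in name and name.rsplit(".", 1)[1] in EXCLUDE_SUFFIX:
                excluded += 1
                continue
            full = os.path.join(dirpath, name)
            db[os.path.relpath(full, root)] = file_record(full)
    return db, excluded


def init_db(root, db_path):
    """Like afick -i: write the baseline; refuse to clobber an existing one."""
    if os.path.exists(db_path):
        raise FileExistsError(f"{db_path} exists; use compare(update_baseline=True)")
    db, excluded = scan(root)
    with open(db_path, "w") as f:
        json.dump(db, f, sort_keys=True)
    return len(db), excluded


def compare(root, db_path, update_baseline=False):
    """Like afick -k: report new/deleted/changed paths and the differing attributes."""
    with open(db_path) as f:
        old = json.load(f)
    new, excluded = scan(root)
    report = {"new": sorted(set(new) - set(old)), "deleted": sorted(set(old) - set(new)),
              "changed": {}, "scanned": len(new), "excluded": excluded}
    for path in sorted(set(old) & set(new)):
        fields = {k: (old[path].get(k), v) for k, v in new[path].items()
                  if old[path].get(k) != v}
        if fields:
            report["changed"][path] = fields
    if update_baseline:  # afick -u: accept the current state as the new baseline
        with open(db_path, "w") as f:
            json.dump(new, f, sort_keys=True)
    return report


def format_report(report):
    """Render in the shape of the afick stdout report shown in the article."""
    lines = [f"{kind} file : {p}" for kind in ("new", "deleted", "changed")
             for p in report[kind]] + ["# detailed changes"]
    for path, fields in report["changed"].items():
        lines.append(f"changed file : {path}")
        lines += [f"{k:<16} : {a}  {b}" for k, (a, b) in fields.items()]
    n, d, c = (len(report[k]) for k in ("new", "deleted", "changed"))
    lines.append(f"# Hash database : {report['scanned']} files scanned, {n + d + c} changed "
                 f"(new : {n}; delete : {d}; changed : {c}; exclude_suffix : {report['excluded']})")
    return "\n".join(lines)


def run_demo():
    """init -> compare -> tamper -> compare -> update -> compare on a constructed tree."""
    def write(root, name, text):
        with open(os.path.join(root, name), "w") as f:
            f.write(text)
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        root, db_path = os.path.join(tmp, "etc"), os.path.join(tmp, "afick.db")
        os.mkdir(root)
        write(root, "hosts", "127.0.0.1 localhost\n")         # hypothetical contents
        write(root, "README.txt", "skipped by exclude_suffix\n")
        out["init"] = init_db(root, db_path)                   # (1 entered, 1 excluded)
        out["db_md5_before"] = md5_of(db_path)                 # value to record off-host
        out["clean"] = compare(root, db_path)
        write(root, "hosts", "10.0.0.99 localhost\n")          # same size, different bytes
        write(root, "profile", "export PATH=/usr/local/bin:$PATH\n")
        out["tampered"] = compare(root, db_path)
        out["updated"] = compare(root, db_path, update_baseline=True)
        out["db_md5_after"] = md5_of(db_path)                  # changes after every -u
        out["after_update"] = compare(root, db_path)
    return out
```

Running `print(format_report(run_demo()["tampered"]))` shows the same shape as the afick -k output above: a summary list, a "detailed changes" section, and a closing count line. Two points the demo makes explicit: the edit to hosts keeps the file size identical, so only the md5 (and possibly the timestamps) reveal it, which is why a rule that hashes content matters for files like /etc/passwd; and the database digest differs before and after the update, which is why the "MD5 hash of /var/lib/afick/afick" line printed at the end of each afick run should be recorded somewhere the monitored host cannot reach and re-recorded after every accepted -u, since a database that can be silently rewritten cannot be trusted to detect anything.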

We also have an article on customizing for a particular directory here.

Microsoft, Windows, Windows XP, Windows 2003, Windows 2000, and NT are either trademarks or registered trademarks of Microsoft Corporation. NetAdminTools.com is not affiliated with Microsoft Corporation. Linux is a registered trademark of Linus Torvalds, and refers to the Linux kernel. The operating system of most distributions that contain the Linux kernel is GNU/Linux. All logos and trademarks in this site are property of their respective owner. Copyright 1997-2008 NetAdminTools.com