afick - Another File Integrity Checker
The goal of this program is to monitor what changes on your host: new, deleted and modified files.
It can therefore be used as an intrusion detection system (by integrity checking).
It is designed to be a portable clone of aide (Advanced Intrusion Detection Environment) or of Tripwire.
You should launch it regularly (by cron, for example) and after any software change.
This is a command-line program; use afick-tk.pl if you prefer a graphical interface.
afick [action] [options]
afick uses POSIX option syntax, which allows:
- long (--) options
- short (-) options
- negative (--no) options
You must use exactly one of these mandatory actions:
- --init|-i
initiate the database.
- --check_config|-C
only check config file syntax and exit with the number of errors
- --check_update|-U
check if a new software version is available on web server
- --clean_config|-G
check config file syntax, clean (comment out) bad lines, and exit with the number of errors
- --compare|-k
compare the file system with the database.
- --list|-l ``file1 file2 ... filen''
compare the specified files with the database.
- --print|-p
print the content of the database.
- --search your_filter
print the content of the database, filtered by your_filter.
Filters are written with column keywords and Perl operators, and should be quoted.
Keywords are: filetype, name, md5, sha1, checksum, device, inode, filemode, links, uid, acl, gid, filesize, blocs, atime, mtime, ctime
For example:
``filetype =~ m/symbolic/'' : filter on file type
``filesize < 5000000'' : filter on file size
``filemode & 04000'' : extract setuid files
``(filesize > 5000) and (name =~ m/urpmi/)'' : you can combine filters
- --print_config
display all internal variables after command line and config file parsing (for debugging purposes).
It is the same as the 4 following options : --print_directive --print_macro --print_alias --print_rule
- --print_directive
display directives (after config file and command line parsing)
- --print_macro
display macros (after config file parsing)
- --print_alias
display aliases (after config file parsing)
- --print_rule
display rules (after config file parsing)
- --update|-u
compare and update the database.
- --stat_secu
display, from the database, some dangerous files (suid, sgid, group writable, world writable)
- --stat_size
display, from the database, statistics on file size;
can help to configure the max_checksum_size option
You can use any number of the following options :
- --archive|-A directory
write reports to ``directory''.
- --config_file|-c configfile
read the configuration in config file named ``configfile''.
- --database|-D name
name of database to use.
- --debug|-d level
set a level of debugging messages, from 0 (none) to 4 (full)
- --full_newdel|-f,(--nofull_newdel)
(do not) report full information on new and deleted directories.
- --help|-h
Output summary help information and exit.
- --man
Output full help information and exit.
- --history|-y historyfile
write session status to history file
- --ignore_case|-a
ignore case for file names. Can be helpful on Windows operating systems, but is dangerous on Unix ones.
- --max_checksum_size|-S size
set a maximum size (bytes) for checksums: on bigger files, compute the checksum only on the first 'size' bytes
(0 means no limit).
Note that a modification located beyond the first 'size' bytes of such a file is not detected by the checksum; it can only be caught through the other recorded attributes (file size, mtime, ctime, inode) if those change.
- --missing_files|-m,(--nomissing_files)
(do not) warn about files declared in config files which do not exist.
- --dead_symlinks|-s,(--nodead_symlinks)
(do not) warn about dead symlinks.
- --follow_symlinks,(--nofollow_symlinks)
if set, compute the checksum on the symlink's target file; otherwise compute it on the target path name (the link contents).
- --allow_overload,(--noallow_overload)
if set, allow rule overload (the last rule wins), else put a warning and keep the first rule.
- --progress|-P
display the name of scanned files, to be used only by afick-tk
- --running_files|-r,(--norunning_files)
(do not) warn about ``running'' files: files modified since the program started.
- --timing|-t,(--notiming)
(do not) Print timing statistics.
- --version|-V
Output version information and exit.
- --verbose|-v,(--noverbose)
(not in) verbose mode (obsolete).
- --exclude_suffix|-x ``ext1 ext2 ... extn''
list of suffixes (files/directories ending in .ext1 or .ext2 ...) to ignore
- --exclude_prefix|-X ``pre1 pre2 ... pren''
list of prefixes (files/directories beginning with pre1 or pre2 ...) to ignore
- --exclude_re|-R ``pre1 pre2 ... pren''
list of patterns (regular expressions) to ignore files or directories
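The following shell script is an added example, not afick's own code; it models the documented --max_checksum_size behaviour (digest only the first 'size' bytes, 0 meaning the whole file) to show its blind spot. It uses cksum in place of afick's md5/sha1 and two constructed files of identical length that differ only after byte 16, so neither the truncated digest nor the file size reveals the change.

```shell
#!/bin/sh
# Model of the documented max_checksum_size behaviour: digest only the first
# SIZE bytes of a file (SIZE=0 means the whole file).  cksum stands in for
# afick's md5/sha1 here; the truncation effect is the same.  Added example,
# not afick's own code.
truncated_digest() {
    file=$1
    size=$2
    if [ "$size" -eq 0 ]; then
        cksum <"$file" | cut -d' ' -f1
    else
        head -c "$size" "$file" | cksum | cut -d' ' -f1
    fi
}

# Two constructed files (same length) share their first 16 bytes and differ
# afterwards; the second carries a planted tail.  Return 0 when a digest
# limited to LIMIT bytes cannot tell them apart, i.e. the limit hides the change.
truncation_hides_change() {
    limit=$1
    dir=$(mktemp -d)
    printf 'AAAAAAAAAAAAAAAA-legitimate-tail\n' >"$dir/a"
    printf 'AAAAAAAAAAAAAAAA-planted-tail---\n' >"$dir/b"
    da=$(truncated_digest "$dir/a" "$limit")
    db=$(truncated_digest "$dir/b" "$limit")
    rm -rf "$dir"
    [ "$da" = "$db" ]
}

# Usage:  sh checksum-limit.sh 16
if [ -n "${1:-}" ]; then
    if truncation_hides_change "$1"; then
        echo "limit $1: both files get the same digest, change NOT detected"
    else
        echo "limit $1: digests differ, change detected"
    fi
fi
```

With a limit of 16 (or anything up to the shared prefix) the two files are indistinguishable by checksum; with 0 (no limit) or any limit past the prefix they differ. Pick max_checksum_size only after looking at --stat_size, and keep it at 0 for files an attacker could append to or patch in place.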
If no config file is given on the command line, afick tries to open /etc/afick.conf (Unix) or windows.conf (Windows) as the default config.
For the config file syntax see afick.conf(5).
Each database is composed of 3 binary files:
- one with .dir suffix: a file index
- one with .pag suffix: the database core
- one with .ctr suffix: a control file, used by afick
To use this program, you must first adjust the config file to your needs (see afick.conf(5) for the syntax), then initiate the database with:
afick -c afick.conf --init
You can then compare the file system with the database:
afick -c afick.conf -k
or compare and update the database:
afick -c afick.conf --update
The default config file can be set with the AFICK_CONFIG environment variable.
An exit status of 0 means no differences were found; non-zero means some differences were found. The non-zero value is a bitmap representing the type of difference found:
- Bit 0 (value: 1): Dangling
- Bit 1 (value: 2): Changed
- Bit 2 (value: 4): Deleted
- Bit 3 (value: 8): New
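The following POSIX shell wrapper is an added example rather than afick's own code. It runs the compare step from cron and decodes the exit status bitmap above into difference classes, so that a job can distinguish a changed, deleted or new file from a mere dangling symlink. The config and report paths, the logger tags, the treatment of values above 15 as a tool error, and the alert policy are all assumptions.

```shell
#!/bin/sh
# Helpers around afick's exit status (bit 0 = dangling, bit 1 = changed,
# bit 2 = deleted, bit 3 = new).  Added example, not part of afick itself.

# Translate a status value into the difference classes it encodes.
afick_decode_status() {
    rc=$1
    # Assumption: anything above the 4-bit bitmap is not a difference
    # report but a failure of afick itself (e.g. a Perl die).
    if [ "$rc" -gt 15 ]; then
        printf 'error\n'
        return 0
    fi
    kinds=""
    if [ $((rc & 1)) -ne 0 ]; then kinds="${kinds:+$kinds }dangling"; fi
    if [ $((rc & 2)) -ne 0 ]; then kinds="${kinds:+$kinds }changed"; fi
    if [ $((rc & 4)) -ne 0 ]; then kinds="${kinds:+$kinds }deleted"; fi
    if [ $((rc & 8)) -ne 0 ]; then kinds="${kinds:+$kinds }new"; fi
    printf '%s\n' "$kinds"
}

# True when the status carries a class worth alerting on (changed, deleted
# or new).  A dangling symlink on its own is logged but does not page anyone.
afick_status_is_alert() {
    [ $(($1 & 14)) -ne 0 ]
}

# Cron wrapper: compare the filesystem against the database, keep the report
# and log the difference classes.  Config and report paths are assumptions.
afick_cron_check() {
    config=${1:-/etc/afick.conf}
    report=${2:-/var/log/afick/report.$(date +%Y%m%d-%H%M%S)}
    rc=0
    afick -c "$config" -k >"$report" 2>&1 || rc=$?
    kinds=$(afick_decode_status "$rc")
    if [ "$rc" -eq 0 ]; then
        logger -t afick "integrity check: no differences"
    elif afick_status_is_alert "$rc"; then
        logger -p auth.warning -t afick "integrity check: $kinds (report: $report)"
    else
        logger -t afick "integrity check: $kinds only (report: $report)"
    fi
    return "$rc"
}

# Command-line entry points (nothing runs when sourced without arguments):
#   sh afick-check.sh decode 10
#   sh afick-check.sh check /etc/afick.conf
case "${1:-}" in
    decode) afick_decode_status "${2:-0}" ;;
    check)  afick_cron_check "${2:-/etc/afick.conf}" ;;
esac
```

The wrapper propagates afick's own status, so a cron job that runs it still sees the bitmap; the report file is kept so that the actual list of files can be reviewed before the database is updated with --update.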
For better security, afick not only checks the rules from the configuration file,
but also tries to check itself: the Perl scripts, the configuration file and the database, and warns
if something changed.
This program uses only Perl and its standard modules.
afick.conf(5) for configuration file
afick-tk(1) for graphical interface
afickonfig(1) for a tool to change afick's configuration file
afick_archive(1) for a tool to manage archive's reports
Copyright (c) 2002,2003,2004 Eric Gerbier
All rights reserved.
This program is free software; you can redistribute it and/or modify it
under the terms of the GNU General Public License as published by the Free
Software Foundation; either version 2 of the License, or (at your option)
any later version.
Eric Gerbier
You can report any bug or suggestion to gerbier@users.sourceforge.net