FCheck - FAQ
Intrusion Detection - Policy Enforcement

FCheck: The filesystem baseline integrity checker.
Copyright (C) 1996 Michael A. Gumienny

Please send your comments, updates, improvements, wishes and bug reports for FCheck to:
Michael A. Gumienny gumienny@hotmail.com
Files:

Your FCheck distribution should contain the following seven (7) files:

README              You are reading this file.
fcheck              The fcheck PERL script.
fcheck.cfg          Required configuration file.
fcheck_2.07.45.lsm  Linux Software Map file.
license             GNU GPL License agreement.
install.unix        UNIX install guide.
install.win         Win32 install guide.

This documentation contains the following sections.

Files:                 The section you are reading now. Contains a listing of the files you should have with your distribution.
History behind FCheck: A brief introduction as to why FCheck was written.
FCheck Features:       What FCheck can do for you.
Changelog:             Small, because FCheck was really written a few years ago and stabilized, but is now being added to again.
Operation:             A brief intro to normal flag usage when you run FCheck.
Closing Hints:         A few tips from the author from real time usage experience.
Mini FAQ:              Questions that have filtered back to the author concerning operational problems.

Complete detailed configuration and setup procedures can be found in the install.unix and install.win documents also included.

Changelog:

Todo: Requests have been made that, when run as a user other than root and unable to recurse a directory tree, FCheck should register the permission problem rather than terminate with an error as it does now.

Version 2.7.51
 * Final checkin for revision control of the stable version.

Version 2.7.50
 * Modified the parsing routine of the "logger" variable to allow user defined option flags.
 * Finally got around to fixing the trailing space bug in the configuration file. The parser is now less strict about the varying editors being used to create configuration files.

Version 2.7.49
 * Fixed the option that ignores creation dates so that it still checks file size.
 * Fixed the option that ignores directory names (-d), for when you are not checking recursively and don't want to see directory Inode changes.
Version 2.7.47
 * Removed the pre-defined "-t" (tag) option used by logger, to allow for user defined output devices: scripts, programs, or device files.
 * This also fixed a reported glitch with European and some US spellings for filenames that contain a single quote (D'Abo). (This was a bonus of the removal of the forced flags above.)
 * Fixed a typo found under the permission calculations: local ($ftype) = $ftype[($mode & 0170000)>>12];

Version 2.7.46
 * Minor improvements and documentation efforts made.
 * Replaced unneeded date coding that compensated for the epoch of January 1, 1970 GMT, $year += ($year < 70) ? 2000 : 1900; with the simpler $year += 1900; No (Y2K) harm was detected, it just wasted space.

Version 2.07.45
 * Added (per request) optional file hash and CRC calculation signature abilities. This was included as an all or nothing switch '-s' so that operation could still remain an easy 'set and forget'.

Version 2.07.40
 * Changed the array lookups to associative array lookups to gain performance.
 * Removed un-needed lines of code left in from previous edits.
 * Updated documentation.

Version 2.07.38
 * RedHat Linux users needed the message string enclosed in quotes for logger to function properly.
 * Fixed spelling and documentation errors that initially slipped by.

Version 2.07.34
 * FCheck now runs on DOS based platforms by use of an internally coded "ls" replacement.
 * By making FCheck available to run on DOS based platforms, the remote operations needed to be removed. This feature offered too much temptation to open another security hole by use of the "remsh" command.

Version 2.06.27
 * Initial version released for public usage; after receiving feedback it was decided to continue support with additional features.

Mini FAQ:

Q: When I try to initialize with the command "FCheck -ac" I get the following error message back. Why?
   FCheck: Can't find C:/Work/temp/perl/fcheck/FCheck.cfg terminating...
A: FCheck can't locate the configuration file that you have instructed it to use. Edit the executable (FCheck) and ensure that the variable "$config=" is set properly to reflect your configuration file's location. When FCheck was upgraded to version 2.07.37 the separate directory/config_file setting was replaced by the single "$config=C:/Work/temp/perl/fcheck/FCheck.cfg" setting, but the documentation provided did not reflect this change.

Q: When I try to initialize with the command "FCheck -ac" I get the following error message back. Why?
   FCheck: no base file directory exist! [C:/Work/temp/perl/fcheck/data] terminating...
A: The directory that you have instructed FCheck to use to store its database does not exist. Either modify the configuration file (FCheck.cfg) to use an existing directory, or create the one it needs.

Q: I have removed a directory "/usr/local/etc" and told FCheck to exclude it from future scans with the line "Exclusion = /usr/local/etc/", but now it is being reported as deleted.
A: The removed directory still exists in FCheck's databases. After a modification to any scanned area of a system you must tell FCheck to re-initialize its database (FCheck -ac) to stop this behavior. Otherwise FCheck will continue to report any changes that it has detected, including the directory you told it to exclude from future scans. Only once you have re-initialized the databases will FCheck ignore any directories or files that you instructed it to exclude.

Q: FCheck says debug: '(GetDir) No can do (/some_file)...' when I try to monitor a file. Does 'Directory =' have to be a Directory or File name?
A: Okay, you caught me! FCheck never had any documentation until recently, which means there's bound to be an error or two, some more noticeable than others. You must use the name of the directory that you wish to monitor.
   As an option, you can monitor that directory recursively by placing a "/" at the end of the path (/etc for the immediate directory, or /etc/ for recursive). To monitor only your "/etc/passwd" you would have an entry of "Directory = /etc" and then use several excludes such as "Exclude = /etc/group", "Exclude = /etc/motd", and so on. But I think that you will probably want to monitor the entire "/etc" directory for changes.

Q: Gzip says "decompression OK, trailing garbage ignored." when I uncompress FCheck. Is my tar file damaged?
A: The Netscape website appears to be padding GZipped files with NULLs, although it does not happen to the identical Pkzipped files. As expressed in the warning message, Gzip ignores the trailing NULL characters with no impact to the extracted tar file. If the displayed warning bothers you too much, then try the Pkzipped version of FCheck as it is an identical version.
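The Directory/Exclude semantics described in the FAQ above (a trailing "/" recurses, a bare path covers only the immediate directory, excluded paths are skipped, and a re-scan is compared against a stored baseline) worked through as an added Python example; this is not FCheck's own Perl code. The SHA-256 file signature, the config parser accepting both the "Exclusion =" and "Exclude =" spellings used on this page, and the temporary sample tree are assumptions constructed for the example.

```python
import hashlib, os, tempfile

def parse_config(text):
    """Pull 'Directory =' and 'Exclusion =' / 'Exclude =' entries out of fcheck.cfg-style text."""
    pairs = [tuple(s.strip() for s in ln.partition("=")[::2]) for ln in text.splitlines() if "=" in ln]
    dirs = [v for k, v in pairs if k.lower() == "directory"]
    return dirs, [v.rstrip("/") for k, v in pairs if k.lower() in ("exclusion", "exclude")]

def excluded(path, excl):
    return any(path == e or path.startswith(e + "/") for e in excl)

def snapshot(dirs, excl):
    """Baseline: path -> (size, sha256). A trailing '/' on a Directory entry means recurse."""
    base = {}
    for d in dirs:
        for cur, subdirs, files in os.walk(d.rstrip("/") or "/"):
            if excluded(cur, excl):
                subdirs[:] = []              # never descend into an excluded tree
                continue
            for p in (os.path.join(cur, n) for n in files):
                if not excluded(p, excl) and os.path.isfile(p):
                    base[p] = (os.path.getsize(p), hashlib.sha256(open(p, "rb").read()).hexdigest())
            if not d.endswith("/"):
                break                        # '/etc' style entry: immediate directory only
    return base

def compare(baseline, current):
    """Additions, deletions and changes relative to the stored baseline, like FCheck's report."""
    added, deleted = sorted(set(current) - set(baseline)), sorted(set(baseline) - set(current))
    changed = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return added, deleted, changed

def write(path, body):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    open(path, "wb").write(body)

def demo():
    """Constructed sample tree (not FCheck's own data): baseline, tamper, re-scan."""
    etc = os.path.join(tempfile.mkdtemp(), "etc")
    for name, body in (("passwd", b"root:x:0:0\n"), ("motd", b"hi\n"), ("sub/deep", b"x\n")):
        write(f"{etc}/{name}", body)
    dirs, excl = parse_config(f"Directory = {etc}/\nExclusion = {etc}/motd\n")
    baseline = snapshot(dirs, excl)
    write(f"{etc}/passwd", b"root:x:0:0\nevil:x:0:0\n")   # modified watched file
    write(f"{etc}/motd", b"changed\n")                    # excluded file: must not be reported
    write(f"{etc}/hosts.new", b"")                        # addition
    os.remove(f"{etc}/sub/deep")                          # deletion inside the recursed tree
    added, deleted, changed = compare(baseline, snapshot(dirs, excl))
    rel = lambda paths: [os.path.relpath(p, etc) for p in paths]
    return rel(added), rel(deleted), rel(changed)
```

As with FCheck's "-ac", the stored baseline must be rebuilt after an intentional change, or every later scan keeps reporting it.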
Page last updated: 2000/11/07