FCheck - FAQ

Intrusion Detection - Policy Enforcement



FCheck: The filesystem baseline integrity checker.

Copyright (C) 1996 Michael A. Gumienny

Please send your comments, updates, improvements, wishes and
bug reports for FCheck to:

    Michael A. Gumienny
    gumienny@hotmail.com

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to: Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. Or you can find the full GNU GPL online at: http://www.gnu.org

Files:

Your FCheck distribution should contain the following seven (7) files:

    README              You are reading this file.
    fcheck              The Perl script fcheck.
    fcheck.cfg          Required configuration file.
    fcheck_2.07.45.lsm  Linux Software Map file.
    license             GNU GPL license agreement.
    install.unix        UNIX install guide.
    install.win         Win32 install guide.

This documentation contains the following sections:

    Files:                  The section you are reading now. Contains a listing of the files you should have with your distribution.
    History behind FCheck:  A brief introduction as to why FCheck was written.
    FCheck Features:        What FCheck can do for you.
    Changelog:              Small, because FCheck was really written a few years ago and stabilized, but is now being added to again.
    Operation:              A brief intro to normal flag usage when you run FCheck.
    Closing Hints:          A few tips from the author from real-time usage experience.
    Mini FAQ:               Questions that have filtered back to the author concerning operational problems.

Complete, detailed configuration and setup procedures can be found in the install.unix and install.win documents also included.

Changelog:

Todo: Requests have been made to register a permission problem when FCheck is run as a user other than root and cannot recurse directory trees, rather than terminating with an error as it does now.

Version 2.7.51
* Final check-in for revision control of the stable version.

Version 2.7.50
* Modified the parsing routine of the "logger" variable to allow user-defined option flags.
* Finally got around to fixing the trailing-space bug in the configuration file. The parser is now less strict about the varying editors used to create configuration files.

Version 2.7.49
* Fixed the "ignore creation dates" option so that it still checks file size.
* Fixed the "ignore directory names" option (-d) for the case where you are not checking recursively and do not want to see directory inode changes.

Version 2.7.47
* Removed the pre-defined "-t" (tag) option used by logger to allow for user-defined output devices: scripts, programs, or device files.
* This also fixed a reported glitch with European and some US spellings for filenames that contain a single quote (D'Abo). (This was a bonus of the removal of the forced flags above.)
* Fixed a typo found under the permission calculations:
      local ($ftype) = $ftype[($mode & 0170000)>>12];

Version 2.7.46
* Minor improvements and documentation efforts made.
* Replaced unneeded date coding that compensated for the epoch of January 1, 1970 GMT,
      $year += ($year < 70) ? 2000 : 1900;
  with the simpler
      $year += 1900;
  No (Y2K) harm was detected; it just wasted space.

Version 2.07.45
* Added (per request) optional file hash and CRC signature calculation abilities. This was included as an all-or-nothing switch '-s' so that operation could still remain an easy 'set and forget'.

Version 2.07.40
* Changed the array lookups to associative array lookups to gain performance.
* Removed unneeded lines of code left in from previous edits.
* Updated documentation.

Version 2.07.38
* RedHat Linux users needed the message string enclosed in quotes for logger to function properly.
* Fixed spelling and documentation errors that initially slipped by.

Version 2.07.34
* FCheck now runs on DOS-based platforms by use of an internally coded "ls" replacement.
* Making FCheck available on DOS-based platforms required the removal of the remote operations. That feature offered too much temptation to open another security hole by use of the "remsh" command.

Version 2.06.27
* Initial version released for public usage; after receiving feedback it was decided to continue support with additional features.

Mini FAQ:

Q: When I try to initialize with the command "FCheck -ac" I get the following error message back. Why?

    FCheck: Can't find C:/Work/temp/perl/fcheck/FCheck.cfg terminating...

A: FCheck cannot locate the configuration file that you have instructed it to use. Edit the executable (FCheck) and ensure that the variable "$config=" is set properly to reflect the location of your configuration file. When FCheck was upgraded to version 2.07.37 the separate directory/config_file setting was replaced by the single "$config=C:/Work/temp/perl/fcheck/FCheck.cfg" setting, but the documentation provided did not reflect this change.

Q: When I try to initialize with the command "FCheck -ac" I get the following error message back. Why?

    FCheck: no base file directory exist! [C:/Work/temp/perl/fcheck/data] terminating...

A: The directory that you have instructed FCheck to use to store its database does not exist. Either modify the configuration file (FCheck.cfg) to use an existing directory, or create the one it needs.

Q: I have removed the directory "/usr/local/etc" and told FCheck to exclude it from future scans with the line "Exclusion = /usr/local/etc/", but now it is being reported as deleted.

A: The removed directory still exists in FCheck's databases. After a modification to any scanned area of a system, you must tell FCheck to re-initialize its database (FCheck -ac) to stop this behavior. Otherwise FCheck will continue to report any changes it has detected, including the directory you told it to exclude from future scans. Only once you have re-initialized the databases will FCheck ignore the directories or files that you instructed it to exclude.

Q: FCheck says debug: '(GetDir) No can do (/some_file)...' when I try to monitor a file. Does 'Directory =' have to be a directory name or a file name?

A: Okay, you caught me! FCheck never had any documentation until recently, which means there is bound to be an error or two, some more noticeable than others.
You must use the name of the directory that you wish to monitor. As an option, you can monitor that directory recursively by placing a "/" at the end of the path (/etc for the immediate directory, or /etc/ for recursive). To monitor only "/etc/passwd" you would use an entry of "Directory = /etc" and then several excludes such as "Exclude = /etc/group", "Exclude = /etc/motd", and so on. But I think you will probably want to monitor the entire "/etc" directory for changes.

Q: Gzip says "decompression OK, trailing garbage ignored." when I uncompress FCheck. Is my tar file damaged?

A: The Netscape website appears to be padding gzipped files with NUL characters, although it does not happen to the identical PKZipped files. As the warning message says, gzip ignores the trailing NUL characters with no impact on the extracted tar file. If the displayed warning bothers you too much, try the PKZipped version of FCheck, as it is identical.
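The three behaviours the FAQ and changelog describe (a trailing "/" on a "Directory =" entry selecting recursion, an exclusion only taking effect after the database is re-initialized, and the optional -s hash signature catching what size and timestamp alone miss) can be seen in a small model of a baseline integrity checker. The following Python is an added example, not FCheck's own Perl code: it assumes a configuration format with only "Directory =" and "Exclusion =" / "Exclude =" keys, records the file type from the format bits that the changelog's $ftype lookup masks out, uses SHA-256 in place of FCheck's hash/CRC, and builds its sample tree under a constructed temporary directory.

```python
import hashlib
import os
import shutil
import stat
import tempfile

# Constructed fcheck.cfg-style text (assumption: only the Directory and
# Exclusion/Exclude keys from the FAQ are modelled).  A trailing "/" on a
# Directory entry means "scan recursively", as the FAQ describes.
SAMPLE_CONFIG = """
Directory = {root}/etc/
Directory = {root}/bin
Exclusion = {root}/etc/motd
"""

def parse_config(text):
    """Return ([(directory, recursive), ...], {excluded paths})."""
    dirs, excl = [], set()
    for raw in text.splitlines():
        line = raw.strip()  # tolerate trailing whitespace (the 2.7.50 fix)
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key == "directory":
            dirs.append((value.rstrip("/"), value.endswith("/")))
        elif key in ("exclusion", "exclude"):
            excl.add(value.rstrip("/"))
    return dirs, excl

FILE_TYPES = {stat.S_IFDIR: "d", stat.S_IFREG: "-", stat.S_IFLNK: "l"}

def signature(path, st, with_hash):
    # Type from the format bits, permissions, size, mtime and, when with_hash
    # is set, a SHA-256 digest (the role of FCheck's optional -s switch).
    sig = {"type": FILE_TYPES.get(stat.S_IFMT(st.st_mode), "?"), "perm": stat.S_IMODE(st.st_mode),
           "size": st.st_size, "mtime": int(st.st_mtime)}
    if with_hash and stat.S_ISREG(st.st_mode):
        with open(path, "rb") as f:
            sig["sha256"] = hashlib.sha256(f.read()).hexdigest()
    return sig

def excluded(path, excl):
    return any(path == e or path.startswith(e + os.sep) for e in excl)

def build_baseline(dirs, excl, with_hash=False):
    """Record one signature per configured directory and per entry in it."""
    base = {}
    for top, recursive in dirs:
        for dirpath, subdirs, files in os.walk(top):
            if excluded(dirpath, excl):
                subdirs[:] = []  # prune an excluded subtree entirely
                continue
            base[dirpath] = signature(dirpath, os.lstat(dirpath), with_hash)
            for name in subdirs + files:
                p = os.path.join(dirpath, name)
                if not excluded(p, excl):
                    base[p] = signature(p, os.lstat(p), with_hash)
            if not recursive:
                subdirs[:] = []  # "/etc" form: immediate directory only
    return base

def compare(baseline, current):
    """Return sorted (added, deleted, changed) path lists."""
    added = sorted(current.keys() - baseline.keys())
    deleted = sorted(baseline.keys() - current.keys())
    changed = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    return added, deleted, changed

def demo():
    """Constructed scenario; returns paths relative to a throwaway root."""
    with tempfile.TemporaryDirectory() as root:
        rel = lambda paths: [os.path.relpath(p, root).replace(os.sep, "/") for p in paths]
        for r, data in [("etc/passwd", b"root:x:0:0\n"), ("etc/motd", b"hi\n"),
                        ("etc/local/app.conf", b"a=1\n"), ("bin/sh", b"#!\n"),
                        ("bin/sub/tool", b"x\n")]:
            os.makedirs(os.path.dirname(os.path.join(root, r)), exist_ok=True)
            with open(os.path.join(root, r), "wb") as f:
                f.write(data)
        dirs, excl = parse_config(SAMPLE_CONFIG.format(root=root))
        base_plain = build_baseline(dirs, excl, with_hash=False)
        base_hash = build_baseline(dirs, excl, with_hash=True)

        # 1. Same-size edit with the mtime put back: only the hashed baseline notices.
        passwd = os.path.join(root, "etc", "passwd")
        st = os.stat(passwd)
        with open(passwd, "wb") as f:
            f.write(b"root:x:1:0\n")
        os.utime(passwd, ns=(st.st_atime_ns, st.st_mtime_ns))
        plain_changed = compare(base_plain, build_baseline(dirs, excl))[2]
        hash_changed = compare(base_hash, build_baseline(dirs, excl, True))[2]

        # 2. Remove a directory and exclude it WITHOUT re-initialising: the old
        #    baseline still reports it as deleted, exactly as the FAQ describes.
        shutil.rmtree(os.path.join(root, "etc", "local"))
        dirs2, excl2 = parse_config(SAMPLE_CONFIG.format(root=root) + f"Exclusion = {root}/etc/local/\n")
        stale_deleted = compare(base_hash, build_baseline(dirs2, excl2, True))[1]
        # Re-initialise (the FAQ's "FCheck -ac"); now the exclusion takes effect.
        base2 = build_baseline(dirs2, excl2, True)
        after_reinit = compare(base2, build_baseline(dirs2, excl2, True))
        return {"entries": sorted(rel(base_hash)), "plain_changed": rel(plain_changed),
                "hash_changed": rel(hash_changed), "stale_deleted": rel(stale_deleted),
                "after_reinit": after_reinit}
```

Running demo() shows bin/sub recorded as a directory entry but bin/sub/tool absent (the non-recursive "/bin" form), etc/motd never recorded, the same-size passwd edit invisible to the plain size/mtime baseline but flagged by the hashed one, and etc/local reported as deleted until the baseline is rebuilt with the new exclusion in place.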




All Material Copyright ©1996-2000 Michael A. Gumienny
Page last updated: 2000/11/07
