manpagez: man pages & more
man afick(1)
Home | html | info | man
afick(1)              User Contributed Perl Documentation             afick(1)




NAME

       afick - Another File Integrity Checker


DESCRIPTION

       The goal of this program is to monitor what change on your host :
       new/deleted/modified files.  So it can be used as an intrusion
       detection system ( by integrity checking ).  It is designed to be a
       portable clone of aide (Advanced Intrusion Detection Environment), or
       Tripwire software.

       For the better security, you should launch it regularly (for exemple by
       a batch task)

       This is a command-line program, you can use "afick-tk.pl" if you prefer
       a graphical interface.

       A web interface is also privided by a webmin module.


SYNOPSIS

       afick [action] [options]

       afick use posix syntax, which allow many possibilities :

       o   long (--) options

       o   short (-) options

       o   negative (--no) options

       Mandatory action (one and only one must be used) :

        -i|--init                    initialize the hash.dbm database
        -C|--check_config            only check config file and exit
        -G|--clean_config            check and clean configuration, then exit
        -U|--check_update            check if a software update is available
        -k|--compare                 compare the hash.dbm database
        -l|--list fic1 .. fic2       check the files given in arg
        -u|--update                  compare and update the hash.dbm database
        -p|--print                   print content of database
        --search filter              print content of database, filtered (see man of html doc for exemples)
        --print_config               display all internals variables after arguments and config file parsing.
                                     it is the same as the 4 followings options, concatenated
                                       (for debugging purposes)
        --print_directive            display directives (after config file and command line parsing)
        --print_macro                display macros (after config file parsing)
        --print_alias                display aliases (after config file parsing)
        --print_rule                 display rules (after config file parsing)
        --stat_ext                   display list of file extension, sorted by number (usefull for windows)
        --stat_secu                  display from databases some dangerous files (suid, sgid, group writable, world writable )
        --stat_size                  display from databases statistics on file size

       Other options

        -a|--ignore_case             helpful on Windows platforms, dangerous on Unix ones
                                       reverse : --noignore_case
        -c|--config_file file        name of config file to use
        -D| --database file          force the database name
        -d|--debug level             set a level of debugging messages, from 0 (none) to 4 (full)
        -f|--full_newdel             report full information for new or deleted directories
                                      reverse : --nofull_newdel
        -m|--missing_files           warn about files declared in config files
                                      which do not exists,
                                      reverse : --nomissing_files
        -o|--allow_overload          allow rule overload : the last rule wins
                                      reverse: --noallow_overload
        -r|--running_files           warn about "running" files : modified since program begin
                                      reverse: --norunning_files
        -s|--dead_symlinks           warn about dead symlinks
                                      reverse: --nodead_symlinks
        -Y|--follow_symlinks         checksum on links target file (yes) or checksum on target name (no)
                                      reverse: --nofollow_symlinks
        -S|--max_checksum_size size  maximum cheksum size (bytes) : for bigger file, just compute checksum on begin of file
                                       0 means no limit
        -t|--timing                  Print timing statistics
                                       reverse : --notiming
        -v|--verbose                 toggle verbose mode (identical to full debug);
                                      reverse : --noverbose
        -q|--quiet                   toggle quiet mode (print only if there's a change to report)
                                       reverse : --noquiet
        -P|--progress                display the name of scanned files, to be used only by afick-tk
        -h|--help                    show this help page
        --man                        full help
        -V|--version                 show afick version
        -x|--exclude_suffix "ext1 ext2"        list of file/dir suffixes to ignore
        -X|--exclude_prefix "pre1 pre2"        list of files/dir prefixes to ignore
        -R|--exclude_re "patern1 patern2"      list of files/dir patterns (regular expressions) to ignore
        --only_suffix "ext1 ext2"              list of suffix to scan (just this ones)
        -y|--history file            history file of all runs with summary
        -A|--archive directory       directory where archive files are stored
        --report_url output          where to send afick report.default is stdout
        --report_syslog              send afick report to sylog. reverser : --noreport_syslog


REQUIRED ARGUMENTS

       you have to give afick an action to do. See below :


ACTIONS

       You have to use one this mandatory action :

       --init|-i
           initiate the database.

       --check_config|-C
           only check config file syntax and exit with the number of errors

       --check_update|-U
           check if a new software version is available on web server

       --clean_config|-G
           check config file syntax, clean (comments) bad line, and exit with
           the number of errors

       --compare|-k
           compare the file system with the database.

       --list|-l "file1 file2 ... filen"
           compare the specified files with the database.

       --print|-p
           print the content of the database.

       --search your_filter
           print the content of the database, filtered by your_filter filter.

           filters are to be written with column keywords and perl operators,
           and should be quoted

           keywords are :  filetype, name, md5, sha1, checksum, device, inode,
           filemode, links, uid, acl, gid, filesize, blocs, atime, mtime,
           ctime

           for examples :

           "filetype =~ m/symbolic/"  : filter on file type

           "filesize <  5000000" : filter on file size

           "filemode & 04000" : extract suid files

           "(filesize >  5000) and (name =~ m/urpmi/)" : you can combine
           filters

       --print_config
           display all internals variables after command line and config file
           parsing (for debugging purposes).  It is the same as the 4
           following options : --print_directive --print_macro --print_alias
           --print_rule

       --print_directive
           display directives (after config file and command line parsing)

       --print_macro
           display macros (after config file parsing)

       --print_alias
           display aliases (after config file parsing)

       --print_rule
           display rules (after config file parsing)

       --update|-u
           compare and update the database.

       --stat_ext
           display list of file extension, sorted by number (usefull for
           windows)

       --stat_secu
           display from databases some dangerous files (suid, sgid, group
           writable, world writable )

       --stat_size
           display from databases statistics on file size

           can help to configure the max_checksum_size option


OPTIONS

       You can use any number of the following options :

       --archive|-A directory
           write reports to "directory".

       --config_file|-c configfile
           read the configuration in config file named "configfile".

       --database|-D name
           name of database to use.

       --debug|-d level
           set a level of debugging messages, from 0 (none) to 4 (full)

       --full_newdel|-f,(--nofull_newdel)
           (do not) report full information on new and deleted directories.

       --help|-h
           Output summary help information and exit.

       --man
           Output full help information and exit.

       --history|-y historyfile
           write session status to history file

       --ignore_case|-a
           ignore case for file names. Can be helpful on Windows operating
           systems, but is dangerous on Unix ones.

       --max_checksum_size|-S size
           fix a maximum size (bytes) for checksum. on bigger files, compute
           checksum only on first 'size' bytes.  ( 0 means no limit)

       --missing_files|-m,(--nomissing_files)
           (do not) warn about files declared in config files which does not
           exists.

       --dead_symlinks|-s,(--nodead_symlinks)
           (do not) warn about dead symlinks.

       --follow_symlinks,(--nofollow_symlinks)
           if set, do checksum on target file, else do checksum on target file
           name.

       --allow_overload,(--noallow_overload)
           if set, allow rule overload (the last rule wins), else put a
           warning and keep the first rule.

       --progress|-P
           display the name of scanned files, to be used only by afick-tk

       --running_files|-r,(--norunning_files)
           (do not) warn about "running" files : modified since program begin.

       --timing|-t,(--notiming)
           (do not) Print timing statistics.

       --version|-V
           Output version information and exit.

       --quiet|-q,(--noquiet)
           (not in) quiet mode : print only if there's a change to report. Do
           not use it with stat_* options or your output will be empty !. This
           mode is not recommanded, as it does not allow to check if an afick
           log was removed to mask a system change (with afick_archive.pl
           --check).

       --verbose|-v,(--noverbose)
           (not in) verbose mode (obsolete).

       --only_suffix|-x "ext1 ext2 ... extn"
           list of suffix to scan (just this ones)

       --exclude_suffix|-x "ext1 ext2 ... extn"
           list of suffixes (files/directories ending in .ext1 or .ext2 ...)
           to ignore

       --exclude_prefix|-X "pre1 pre2 ... pren"
           list of prefix (files/directories beginning with pre1 or pre2 ...)
           to ignore

       --exclude_re|-R "pre1 pre2 ... pren"
           list of patterns (regular expressions) to ignore files or
           directories

       --report_url output
           output can stdout, stderr or null (which mean no output)

       --report_syslog (--noreport_syslog)
           send (or not) afick's report to syslog. the priority is 'notice'
           for info messages, 'warning' for warning messages. The facility is
           'user'


CONFIGURATION

       if no config file is given on command line, afick try to open
       /etc/afick.conf (Unix) or windows.conf (Windows) as default config

       for config file syntax see afick.conf(5)


FILES

       afick can write several kinds of file

       database file
           the database is used to store data between afick's run. name and
           path are set by the database directive

       control file
           it is used to check afick integrity.  It has the name of the
           database, with '.ctr' suffix.

       history file
           (optionnal but recommended) : it is used to keep an history of all
           report's summary. name and path are set by the history directive

       archive's files
           (optionnal but recommended) : it is used to keep afick's reports.
           the path is set by the archive directive. the file name contains
           the afick run date in AAAAMMJJhhmmss format

       log file
           unix log file (on /var/log) are created when using the afick_cron
           script


DATABASE

       until release 2.9, the database backend was SDBM, because it was the
       only one available on every operating system.

       Coming with 2.10 release, afick can use other database backend : the
       'best' available one will be detected on init.  There is no way to
       migrate an existing SDBM base to a new format. The only way is to re-
       run afick in init mode (caution : changes since last update will be
       "lost")


USAGE

       To use this program, you must

       first adjust the config file to your needs : see afick.conf(5) for the
       syntax)

       then initiate the database with : "afick -c afick.conf --init"

       then you can compare with "afick -c afick.conf -k"

       or compare and update with "afick -c afick.conf --update"

       then the best way is to set a batch task to have regular check, you can
       use afick_cron script on unix/linux systems or afick_planning.pl on
       windows


ENVIRONMENT

       The default config file can be set with AFICK_CONFIG environment
       variable.


EXIT STATUS

       An exit status of 0 means no differences were found, and no dangling
       links (if the warn_dead_symlinks option is set) , non-zero means some
       differences were found or some dangling links.  The non-zero value is a
       bitmap representing the type of difference found:

       Bit 0 ( value : 1)
           Dangling

       Bit 1 (value : 2)
           Changed

       Bit 2 (value : 4)
           Deleted

       Bit 3 (value : 8)
           New


SECURITY

       For a better security, afick not only check the rules from
       configuration file, but try to check it-self : perl scripts,
       configuration file, database, and warn if something change.


SEE ALSO

       afick.conf(5) for configuration file

       afick-tk(1) for graphical interface

       afickonfig(1) for a tool to change afick's configuration file

       afick_archive(1) for a tool to manage archive's reports


DIAGNOSTICS

       for diagnostics, you can run afick in debug mode, with the --debug 4
       command line option


DEPENDENCIES

       this program only use perl and its standard modules.


INCOMPATIBILITIES

       none known


BUGS AND LIMITATIONS

       afick works on files, it is not a Version Control System, and it does
       not show changes in registry for windows users


LICENSE AND COPYRIGHT

       Copyright (c) 2002 Eric Gerbier All rights reserved.

       This program is free software; you can redistribute it and/or modify it
       under the terms of the GNU General Public License as published by the
       Free Software Foundation; either version 2 of the License, or (at your
       option) any later version.


AUTHOR

       Eric Gerbier

       you can report any bug or suggest to gerbier@users.sourceforge.net



perl v5.10.0                      2009-07-24                          afick(1)

afick 2.14-1 - Generated Sun Aug 9 09:13:47 CDT 2009
© manpagez.com 2000-2021
Individual documents may contain additional copyright information.