Hack 67. Verify Filesystem Integrity with Afick

Monitor filesystem integrity with this easy-to-use tool.

Online security concerns grow every day as new viruses and worms are released. Because of this, it is now more important than ever to monitor your server's filesystem for signs of compromise. "Tame Tripwire" [Hack #66] introduced intrusion detection systems and discussed using the filesystem integrity checker Tripwire to monitor the multitude of changes that occur within your filesystem. Tripwire is an excellent tool, but for many people its steep learning curve is a big turnoff to deploying it. If for whatever reason Tripwire isn't for you, other integrity checkers are available. This is Linux, after all! Afick (Another File Integrity Checker) is one such tool; it provides numerous configuration methods, including a Perl/Tk GUI and a Webmin module. This hack will get you up and running with Afick while your other sysadmin friends are still reading the Tripwire manual.

7.6.1. Installing Afick

There are few dependencies involved in deploying Afick. Since Afick is written in Perl, you'll obviously need to have Perl and its libraries installed. Beyond that, simply download the source code from http://afick.sourceforge.net, unpack it to your favorite build location, and run the installation as follows:

    # perl Makefile

If you don't want to install the Perl/Tk GUI, you can ignore any warnings you may see regarding missing Perl/Tk modules.

Once Perl has finished processing the Makefile, run the following command to actually install the software:

    # make install

Now that we've built and installed Afick, let's configure it and put it through its paces.

7.6.2. Configuring Afick to Match Your System

The first step in configuring Afick to suit your filesystem is editing the Afick configuration file, which determines what attributes of your filesystem Afick pays attention to when scanning, and thus how it knows when to alert you to specific changes. Afick provides a default configuration file, but as every system is different, you should not depend on it to keep your server safe. Ultimately, fine-tuning Afick to match your filesystem will be a process of trial and error.

To start this process, first take a look at the Afick configuration file, which is called linux.conf and is located in the directory where you unpacked Afick. The configuration file contains several sections, two of which are of particular interest to us. The file is presented and laid out in a very user-friendly manner, making the sections of the file very easy to differentiate.

The first section we're interested in is the alias section. In this section, we'll set up the different combinations of file checks that Afick can perform. We will later apply the aliases defined here to specific types of files and directories. Here are some common aliases:

    # alias : #########
    DIR = p+i+n+u+g
    ETC = p+d+i+u+g+s+md5
    Logs = p+n+u+g
    MyRule = p+d+i+n+u+g+s+b+md5+m

The first part of each directive is simply the name of the alias being defined. You'll use this later to assign these aliases to specific files and directories. The second part of each alias is a list of the filesystem checks to be performed, separated by plus signs. A list of these options is presented in Table 7-1 for your reference.

Table 7-1. Afick filesystem check options

    Option   Associated filesystem check
    ------   ---------------------------
    md5      Verify md5 checksum of file contents
    sha1     Verify sha1 checksum of file contents
    d        Verify major and minor number of device
    i        Verify inode number
    p        Verify file permissions
    n        Verify number of links
    u        Verify file ownership (user)
    g        Verify file ownership (group)
    s        Verify file size
    b        Verify number of blocks allocated to file
    m        Verify last modification time (mtime)
    c        Verify last change time (ctime)
    a        Verify last access time (atime)


The second part of the configuration file we're interested in is the Files to Scan section. In this section, you define which individual Afick checks, or which of the combinations you defined as aliases, will be performed against specific files and directories on your filesystem. Here are some examples to start the process of tuning your configuration:

    /etc/adjtime ETC
    /etc/aliases.db ETC -md5
    /etc/mail/statistics ETC -md5
    /etc/dhcpd.conf c+sha1+s+p
    !/etc/cups/certs/0

This excerpt highlights much of the syntax of the config file. Each of the first three files uses the predefined ETC alias to specify what attributes should be checked; the second and third, however, add the -md5 directive, which tells Afick to use the ETC alias minus the md5 checking option. This approach is useful if you'd like to work from a generic alias with small modifications for particular files. The fourth entry checks only the last change time (ctime), sha1 checksum, file size, and permissions of the file /etc/dhcpd.conf. The final entry uses the ! option (or bang, for you old school *nixers out there), which tells Afick not to check the specified file or directory at all. This option should be used sparingly, and only where truly necessary.

7.6.3. Running Afick

Once you've taken a few minutes to adjust the configuration file to suit your filesystem, you're ready to run Afick for the first time. Afick operates by creating a snapshot of your filesystem in the form of a database. When you run Afick for the first time, this database will be initialized, stored, and used as the basis for comparison in later integrity checks. To create the database, run the following command:

    # afick -c /path_to_linux.conf/linux.conf -i

The -c directive tells Afick where to find the configuration file it should use, while -i tells Afick to create an initial database. This operation may take a few minutes, but when it completes you'll find the database in the location specified by the first directive within your linux.conf file (the database := entry). Once the initial database is created, wait a few moments and rerun Afick, this time with the -k option:

    # afick -c /path_to_linux.conf/linux.conf -k

The -k option tells Afick to compare the existing filesystem against the snapshot in the database and report any differences. It is at this point that you'll begin the trial-and-error phase of your Afick configuration. As differences are reported, sort through them and modify your configuration file accordingly. As long as you aren't changing anything and your system is in a quiet state, what shows up will be the things on your system that are constantly changing anyway. In some cases it will be appropriate to continue monitoring attributes such as ownership and inodes, but not mtime or atime values. Experiment and adjust your config file accordingly. Once you can run Afick without returning a flood of alerts, you're ready to add it to root's crontab so that it runs on a schedule. To add Afick to root's crontab, run the following command as root:

    # crontab -e

This will open root's crontab in your default text editor. Add the following line, substituting the appropriate path (a per-user crontab edited with crontab -e has no user field, unlike /etc/crontab):

    0 */8 * * * /path_to_afick.cron/afick.cron

This will schedule Afick to run every eight hours, emailing root with any changes that occur.
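As an added example, not Afick's own code, the following Python script expands rule specs in the linux.conf syntax shown above (aliases and -md5 style removals) into check sets, then runs the same baseline-and-compare cycle as afick -i and afick -k on a constructed temporary file. It is set up to show the trade-off behind dropping md5: a same-size rewrite of a file passes an ETC -md5 rule unnoticed but is caught by the full ETC alias.

```python
import hashlib, os, tempfile

# Aliases copied from the linux.conf excerpt above; single letters map onto
# fields of os.lstat(), while md5/sha1 hash the file contents.
ALIASES = {"ETC": "p+d+i+u+g+s+md5", "MyRule": "p+d+i+n+u+g+s+b+md5+m"}
STAT_FIELDS = {"p": "st_mode", "d": "st_rdev", "i": "st_ino", "n": "st_nlink",
               "u": "st_uid", "g": "st_gid", "s": "st_size", "b": "st_blocks",
               "m": "st_mtime", "c": "st_ctime", "a": "st_atime"}

def resolve(spec, aliases=ALIASES):
    """Expand a rule spec such as 'ETC -md5' or 'c+sha1+s+p' into a set of checks."""
    checks = set()
    for tok in spec.split():
        if tok.startswith("-"):    # "-md5" removes one option from the alias
            checks.discard(tok[1:])
        else:                      # alias name, or an explicit p+i+n style list
            checks |= set(aliases.get(tok, tok).split("+"))
    return checks

def snapshot(path, checks):
    """Record the requested attributes of one file, as afick -i does for the baseline."""
    st = os.lstat(path)
    snap = {k: getattr(st, f, 0) for k, f in STAT_FIELDS.items() if k in checks}
    for algo in ("md5", "sha1"):
        if algo in checks and os.path.isfile(path):
            with open(path, "rb") as f:
                snap[algo] = hashlib.new(algo, f.read()).hexdigest()
    return snap

def compare(baseline, current):
    """Attributes that differ from the baseline: what afick -k would report."""
    return sorted(k for k in baseline if baseline[k] != current.get(k))

def detect_edit(spec, before, after):
    """Constructed scenario: baseline a file, rewrite its contents, re-check it."""
    checks = resolve(spec)
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sample.conf")
        with open(path, "w") as f: f.write(before)
        base = snapshot(path, checks)
        with open(path, "w") as f: f.write(after)   # same inode, new contents
        return compare(base, snapshot(path, checks))
```

With detect_edit("ETC -md5", "option = 1\n", "option = 2\n") nothing is reported, because size, inode, ownership and permissions are unchanged; the same edit under "ETC" reports md5.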

7.6.4. Securing Afick

Once you've reached this point in your configuration, you should consider moving your database to a read-only storage medium. In my experience, an old zip disk is an excellent choice (although you can also use a CD-R or DVD). To move your database to a zip disk, first mount the zip drive and then run the following command:

    # mv /var/lib/afick/afick.pag /mnt/zip/afick.pag

Once you've done this, make sure you modify your configuration file to point to your newly moved database using a database := /path/to/database entry. You can then move your configuration file over to the zip disk as well, and flip the switch on the back of the zip disk to mark the disk as being read-only. By doing this, you're protecting your database and configuration file from being modified by anyone without physical access to the server.

7.6.5. Updating Your Database

When you make changes to your filesystem, you'll need to update your database. You can do this by issuing the following command:

    # afick -c /path_to_linux.conf/linux.conf -u

Once the command finishes executing, your database is updated. You should perform an update any time you upgrade an application, apply new software or kernel patches, or perform any other activity that will alter your filesystem.

7.6.6. Conclusion

As you can probably tell, Afick is a less complicated version of Tripwire. The two applications share many similarities, but I find Afick to be the more useful and user-friendly of the two. In my experience with Afick, I've found a few other uses for it beyond ensuring my system isn't compromised. Among these uses are ensuring that applications properly uninstall themselves as well as tracking the exact changes made by running applications. There are many other uses to be found for this and other integrity checkers, and just a little bit of experimentation is guaranteed to reveal one or two that are relevant to you.

7.6.7. See Also

  • "Tame Tripwire" [Hack #66]

  • http://afick.sourceforge.net

Brian Warshawsky



Linux Server Hacks (Vol. 2)