Softpanorama

May the source be with you, but remember the KISS principle ;-)
(slightly skeptical) Educational society promoting "Back to basics" movement against IT overcomplexity and  bastardization of classic Unix

Fcheck - Simple Perl Integrity checker


fcheck is a GPL-licensed Perl script written by Michael A. Gumienny. It is a medium-size (80K source) monolithic Perl script. Its source can be downloaded from various sites (Debian). The current version is 2.7.59. Development stopped in 2001.

The script works on both Windows and Unix, but on Windows it is preferable to run it under Cygwin.

Directories and files to check are specified in the fcheck.cfg file. Both non-recursive and recursive directory specifications are supported. For recursive comparison the directory should have a trailing slash, as in /usr/

It is configurable to exclude files or directories. The latter can be excluded recursively (same syntax as for inclusion).  The keywords are:

It can be run as often as needed from the command line or cron, making it extremely difficult to circumvent.

Usage:

    fcheck [-acdfihlrsvx] [configuration file ] [directory ]

Options:

Example of config file

# FCheck.cfg (Sol)
#
# Directories to be monitored are shown below. Multiple entries may be used
# by using the following 'keyword=variable' format:
#
# [Directory=(path/name)]
# [Directory=(path/name)]
# ...
#
# If you want recursive directory monitoring, place a / at the end of
# the directory name, otherwise the script will interpret the entry as a
# single file or single directory to monitor.
#
# For example the entry "Directory=/usr"
#     will watch everything in the /usr directory
#
# and the entry "Directory=/etc/passwd"
#     will monitor only the password file.
#
# while the entry "Directory=/usr/"
#     will watch everything in the /usr directory, and everything
#     recursively under it, (I.E. /usr/bin..., /usr/local/..., etc.)
# 

Directory	= /usr/local/admtools/
Directory	= /tmp/
#Directory	= C:/WINNT/



# WARNING
# Use the following exclusions with care,
# only include log files that are constantly updating and are known to
# be written to frequently otherwise you can defeat the purpose of fcheck
# by excluding too much...
#
# Specific files, and/or directories can be excluded.
#
# If used, configure them as full paths and their filenames. Directory
# names must have a "/" appended to the end of its filename in the exclude
# section.
#

#Exclusion      = /tmp/dir/afile
Exclusion       = /usr/local/admtools/data/
#Exclusion       = /usr/local/admtools/logs/
#Exclusion       = C:/WINNT/TEMP/




# Miscellaneous settings are passed to fcheck from here.
#
# The baseline database files are to be kept under the "DataBase" directory
# that is defined next.
#
DataBase        = /usr/local/admtools/logs/sol.dbf
#DataBase       = C:/FCHECK/LOCALHOST.DBF


# If you are using a read-only location. You can write the database files to
# one location, and read from an alternate read-only (CD-ROM?) location.
#ReadDB          = /usr/local/data
#WriteDB         = /usr/local/data



# Your system's interface for passing messages to its log files, UNIX systems
# are typically found as "/usr/bin/logger".
#
# You could also send messages directly to a line printer if desired.
#
# Win32 platforms are forced to use line printers for now until an error
# logging module is created for NT platforms.
#
#Logger          = /usr/bin/lpr
#
# As of version 2.7.50, you pass logger taglines (-t) options through here.
# Any other options can now be passed to third party loggers, scripts, etc.
Logger          = /usr/bin/logger -tfcheck

#AuthLogger      = /usr/bin/logger -tfcheck -pauth.info
#AuthLogger      = /usr/bin/logger -tfcheck -pauth.notice



# This is the system command to determine a file's type. Used to determine
# pipes, major/minor numbers.
#
# Only useful on Unix platforms, not portable to Windows (yet).
FileTyper        = /bin/file



# You may optionally set your hostname from the configuration file if FCheck
# is unable to determine it on its own.
#
#HostName        = "Mikes"


# You may optionally set the system type from the configuration file if
# FCheck is unable to determine it on its own.
# Currently the only accepted option here is "System = DOS", otherwise FCheck
# will default to a UNIX system.
#
#System          = Dos



# This must be set only for readability by you. It in no way affects the scan
# function of FCheck. It only changes what is presented to the end user, so
# the times that are presented to you may not be accurate if not set.
TimeZone        = EST5EDT



# This is used only if you require/desire a hash signature to also be generated
# for each file by use of the '-s' flag. If you do not use the (s)ignature
# flag, then the following variable setting will not impact fcheck in any way.
#$Signature      = /usr/bin/sum
#$Signature      = /usr/bin/cksum
#$Signature      = /usr/bin/md5sum
$Signature      = /bin/cksum



# Include an optional configuration file.
# [CFInclude = (path/config_file_name)]
#CFInclude

# Used for individual file checking (I.E. FCheck databases!)
#
File	= /usr/local/admtools/logs/sol.dbf

#
# End of FCheck.cfg file
#
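How the Directory and Exclusion entries above combine into a monitoring scope, and which files an exclusion hides from the scan, as an added Python sketch (not fcheck's own code). It assumes a non-recursive entry covers only the files directly inside the directory and that an exclusion without a trailing slash matches one exact path; the tree and its file names are constructed.

```python
import os
import tempfile

def parse_cfg(text):
    """Collect Directory and Exclusion values from 'keyword = value' lines."""
    cfg = {"Directory": [], "Exclusion": []}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in cfg:
            cfg[key].append(value)
    return cfg

def is_excluded(path, exclusions):
    """Trailing '/' excludes the whole subtree; otherwise exact path only (assumed)."""
    return any(path.startswith(ex) if ex.endswith("/") else path == ex
               for ex in exclusions)

def coverage(cfg):
    """Return (monitored, hidden): files in scope and files the exclusions remove."""
    found = set()
    for entry in cfg["Directory"]:
        if entry.endswith("/"):                       # recursive entry
            for root, _dirs, names in os.walk(entry):
                found.update(os.path.join(root, n) for n in names)
        elif os.path.isdir(entry):                    # this directory only
            found.update(e.path for e in os.scandir(entry) if e.is_file())
        else:                                         # single file
            found.add(entry)
    hidden = sorted(p for p in found if is_excluded(p, cfg["Exclusion"]))
    return sorted(found - set(hidden)), hidden

def demo():
    """Constructed tree shaped like the sample config's admtools directory."""
    with tempfile.TemporaryDirectory() as top:
        base = os.path.join(top, "admtools")
        for rel in ("bin/tool", "data/cache.db", "logs/sol.dbf"):
            os.makedirs(os.path.dirname(os.path.join(base, rel)), exist_ok=True)
            open(os.path.join(base, rel), "w").close()
        cfg = parse_cfg(f"# constructed sample\nDirectory\t= {base}/\n"
                        f"Exclusion = {base}/data/\n#Exclusion = {base}/logs/\n")
        monitored, hidden = coverage(cfg)
        return ([os.path.relpath(p, base) for p in monitored],
                [os.path.relpath(p, base) for p in hidden])

if __name__ == "__main__":
    print(demo())
```

Reviewing the hidden list before deploying a configuration shows exactly what an Exclusion line removes from integrity monitoring.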


Old News ;-)

Building a Linux-Based Appliance

Configuration Backup and Restore

To create the backup and restore utilities, it was critical to determine which files needed to be backed up. For this purpose we used the utility FCheck, a popular and useful Perl script by Michael A. Gumienny. FCheck makes it possible to take a snapshot of the files before changes are made, and then view the differences after the changes are completed. FCheck is available at www.geocities.com/fcheck2000/fcheck.html. (It is also extremely useful for performing intrusion detection.)

Setup and configuration is performed by modifying the fcheck.cfg file, in which you can specify both paths and individual files to be monitored for changes. You can exclude individual files or directories and specify whether a monitored directory should be recursively scanned.

Before making changes to the configuration files, we ran FCheck as follows:

./fcheck -acd

This created a baseline file, which stores all of the original states of the files, including file size and time of last modification. After modifying the configuration files and loading a new policy from the Windows-based Policy Editor, we ran FCheck as follows:

./fcheck -ad | grep WARNING

This displayed the files changed during the policy modification process.

Using fcheck (or installing-using some other integrity checker) MEPIS

The fcheck utility is an IDS (Intrusion Detection System) which can be used to monitor changes to any given filesystem.

Essentially, fcheck has the ability to monitor directories, files or complete filesystems for any additions, deletions, and modifications. It is configurable to exclude active log files, and can be run as often as needed from the command line or cron making it extremely difficult to circumvent.

Operation and Getting Started

Flag passing is a fairly simple process. Primarily you will be using two commands. One builds (or rebuilds) your baseline database files (system
snapshots). The second runs in a scanning comparison mode.

"fcheck -ac"

Builds the baseline database.

"fcheck -a"

Comparison scans the system against the baseline database.

For normal operation: Initially you will run fcheck by issuing the command "fcheck -ac" to create the initial baseline file used for comparison.
Any runs after the creation of the baseline will normally be with the following flags "fcheck -a" to scan for any system modifications.

After a scan is completed, you will probably want to have fcheck re-create its baseline database for the next comparison cycle. Otherwise you
will be seeing every system modification since the last baseline re-build. In other words, run the "fcheck -ac" command again.

(Advanced Note:) A more intensive system check would be accomplished by building your database to include GID/UID checks, directories, and CRC
checks by using the following sample syntax:

"fcheck -cadsxlf /etc/fcheck/fcheck.cfg"

And provide periodic integrity scans from cron by using the following sample syntax:

"fcheck -adsxlf /etc/fcheck/fcheck.cfg"
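The baseline-then-compare cycle described above, as an added Python illustration rather than fcheck's own code. It shows why the signature pass (-s) matters: an edit that keeps a file's size and modification time is invisible to an attribute-only baseline. SHA-256 is used here in place of the cksum named in the sample configuration, and the files are constructed.

```python
import hashlib
import os
import tempfile

def snapshot(root, with_signature=False):
    """Baseline: map each file under root to its size, mtime and optional SHA-256."""
    snap = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            record = {"size": st.st_size, "mtime_ns": st.st_mtime_ns}
            if with_signature:
                with open(path, "rb") as fh:
                    record["sha256"] = hashlib.sha256(fh.read()).hexdigest()
            snap[os.path.relpath(path, root)] = record
    return snap

def compare(baseline, current):
    """Return (added, deleted, modified) relative paths, each sorted."""
    added = sorted(set(current) - set(baseline))
    deleted = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current)
                      if baseline[p] != current[p])
    return added, deleted, modified

def demo():
    """Constructed tree: one add, one delete, one same-size edit with mtime kept."""
    with tempfile.TemporaryDirectory() as root:
        for name, text in (("policy.conf", "allow=no\n"), ("old.conf", "x\n")):
            with open(os.path.join(root, name), "w") as fh:
                fh.write(text)
        plain = snapshot(root)                         # attributes only
        signed = snapshot(root, with_signature=True)   # attributes plus hash
        target = os.path.join(root, "policy.conf")
        st = os.stat(target)
        with open(target, "w") as fh:
            fh.write("allow=ok\n")                     # same length as before
        os.utime(target, ns=(st.st_atime_ns, st.st_mtime_ns))
        os.remove(os.path.join(root, "old.conf"))
        with open(os.path.join(root, "new.conf"), "w") as fh:
            fh.write("y\n")
        return (compare(plain, snapshot(root)),
                compare(signed, snapshot(root, with_signature=True)))

if __name__ == "__main__":
    for label, result in zip(("size+mtime", "with sha256"), demo()):
        print(label, result)
```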





Copyright © 1996-2021 by Softpanorama Society. www.softpanorama.org was initially created as a service to the (now defunct) UN Sustainable Development Networking Programme (SDNP) without any remuneration. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.


Last modified: March, 12, 2019