Lead Image © Christos Georghiou, 123RF.com

Lead Image © Christos Georghiou, 123RF.com

Manipulation detection with AFICK

Checker

Article from ADMIN 54/2019
By
AFICK is a small, free tool that helps administrators detect attempts to manipulate documents and system files.

AFICK (another file integrity checker) detects changes to the system and sounds an alert. The tool first creates a unique fingerprint of selected files in the form of a checksum. If a different checksum is computed during a later check, a malicious program, an attacker, or a defect is likely to have modified the files under investigation. In this way, AFICK not only detects manipulation attempts, but also acts as a small intrusion detection system.

The tool is licensed under the liberal GNU GPLv3 license, which also allows free use in the enterprise. AFICK only requires Perl v5.10 or newer. Developer Eric Gerbier has tested his tool under all Windows versions from XP upward, various Unix systems (e.g., HPUX and AIX), and numerous Linux distributions (e.g., SUSE, Red Hat, Debian, and Ubuntu). Windows users can easily install Perl with the ActivePerl [1] package.

Most Unix and Linux systems come with Perl by default or support simple installation from the package manager. In addition to the Perl package, you will also want the Digest::MD5, Digest::SHA1, and Perl/Tk modules. The latter two are optional; Perl/Tk is only required for the graphical user interface.

Installation

To install AFICK, first download the latest version from SourceForge [2]. Windows users need the EXE file – at the editorial deadline this was afick-setup-3.6.1.exe. All you have to do is start this program and leave the installation to the wizard, which downloads a few additional Perl modules, so you must have Internet access.

Linux users, on the other hand, have the choice between several packages. Only the packages that start with afick and are immediately followed by the version number (e.g., afick_3.6.1-1_all.deb) are of importance. If you have an Ubuntu-based distribution, you should grab the package with the ubuntu_all.deb extension, and Debian users will want to go for the package with the shorter _all.deb file extension. In both cases, you import the package by typing:

dpkg -i <package name>

On SUSE, openSUSE, Red Hat, and CentOS, you should use the file with the .noarch.rpm extension and install it with:

rpm -Uvh <package name>

On all other distributions and Unix systems, make sure you have the make tool on your computer before downloading and unpacking the .tgz archive. From the newly created directory, call the commands:

perl Makefile.pl
sudo make all

The first of these commands prepares the installation process and provides an overview of all the required Perl modules. The second command installs AFICK in the /opt/afick directory. Because of the manual installation, you will always have to update the tool manually in the future by simply installing the new version over the old one.

Creating Checksums

A configuration file informs the tool which files and directories you want AFICK to monitor. Windows users can find it in the C:\Programs (x86)\afick folder. On Linux, you will usually find the afick.conf file under /etc/ or /opt/afick/etc/. If you used the tar.gz archive, you can also use the included linux.conf file as a starting point. For an initial test run, leave the settings in the configuration file as they are.

Before AFICK can report changes, the tool needs to create checksums and store them in its database with the

afick.pl -c <configfile> -i

command. On Linux you have to introduce the command with sudo for root privileges (Figure 1). To run it under Windows, open a command prompt with administrator rights, switch to the AFICK folder, and call the above-mentioned command preceded with perl -w (which will be necessary for the rest of the AFICK commands in Windows):

cd C:\Program Files (x86)\afick
perl -w afick.pl -c <configfile> -i
Figure 1: AFICK gives a short summary during the initialization phase stating where it stores its database and which files it excludes from monitoring.

Throughout, replace <configfile> with the name of your configuration file (e.g., /etc/afick.conf or, on Windows, windows.conf). Administrator rights are needed because the configuration file always applies globally for the entire system. With corresponding settings in the configuration file, normal users can also run AFICK against their home or user directories.

Depending on your system, creating checksums can take several minutes. On Ubuntu 18.10, AFICK took about three minutes with the sample configuration on a test system that was no longer up to date. If you use the supplied configuration file, AFICK uses the MD5 checksums, which are no longer considered totally secure but can be generated more quickly. In the configuration file, however, you can switch to SHA1 or SHA256 (more on this later). In the end, AFICK outputs the message MD5 hash of and the storage location of the database. The code after the => is your MD5 checksum, which you can use at any time to check whether the file with the database has been manipulated.

Detecting Tampering

After the database is filled with checksums, use the following command to test your system for changes:

afick.pl -c <configfile> -k

Here, too, Linux users have to use sudo. The result is a list with all changed files and some statistics (Figure 2). Among other things, the statistics provide information about how many files AFICK has examined and how many new files have been added. Some system files and their checksums change, especially after system updates have been imported. In such situations, the command

afick.pl -c <configfile> -u
Figure 2: Although no files were changed, this can change quickly, especially on Linux systems.

updates the AFICK database.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy ADMIN Magazine

SINGLE ISSUES
 
SUBSCRIPTIONS
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

comments powered by Disqus