Manipulation detection with AFICK


File Attributes

A file has metadata other than its size (e.g., the date of the last modification). In the configuration file, you specify which metadata you want AFICK to monitor for changes. However, it would be quite tedious to specify for each file which information is of interest. AFICK therefore saves you some work with the help of aliases. The tool assigns a letter to each file attribute. An explanation of the letter codes appears at the start of the alias section in the configuration file (Listing 1).

Listing 1

AFICK Aliases

# alias section
# action : a list of items to check
# md5 : md5 checksum
# sha1 : sha-1 checksum
# sha256 : sha-256 checksum
# sha512 : sha-512 checksum
# d : device
# i : inode
# p : permissions
# n : number of links
# u : user
# g : group
# s : size
# b : number of blocks
# m : mtime
# c : ctime
# a : atime
#all : p+d+i+n+u+g+s+b+m+c+md5
#R : p+d+i+n+u+g+s+m+c+md5
#L : p+d+i+n+u+g
#P : p+n+u+g+s+md5
#E : '' (empty)
# action alias may be configured with
# your_alias = another_alias|item[+item][-item]
# all is a pre-defined alias for all items except "a"
DIR = p+i+n+u+g
ETC = p+d+u+g+s+md5
Logs = p+n+u+g
MyRule = p+d+n+u+g+s+b+md5

For example, if a letters directory contains several files for which you want AFICK to monitor the file size and owner, you first list the attribute abbreviations separated by plus signs and then tell AFICK which method to use to generate the checksums, again using the abbreviations from the beginning of the alias section: md5 selects the MD5 procedure, sha1 selects SHA-1. Finally, assign a name to this complete structure:

simple = s+u+md5

You don't have to specify a checksum; likewise, you don't have to make AFICK watch other file attributes such as the file size. However, the more attributes you include, the more likely the program is to detect tampering. From now on, you can simply tag all files from the letters directory with simple in the configuration file. AFICK then knows that for these files it has to compute an MD5 checksum and keep an eye on the file size and the owner. You tell the application which files these are in the file section that follows the alias section.

Directory-Wide Inspection

In principle, you can use the file section to specify in each line the path to a file that you want AFICK to check. After the file, note the appropriate alias. In this example, it might be:

/documents/letters/taxoffice.txt simple

In this case, AFICK would inspect the taxoffice.txt file under the conditions set by the simple alias. If you want this to happen for all letters in the letters directory, you would simply enter:

/documents/letters simple

On Windows, use the standard Windows notation with backslashes. If you want AFICK to ignore a file in the letters folder, write its file name on a new line and prefix it with an exclamation mark. In the following example, the tool would consider all files from the folder letters, but not the files draft.txt and ideas.txt:

/documents/letters simple
! /documents/letters/draft.txt
! /documents/letters/ideas.txt

If you specify a directory, AFICK automatically digs down into its subdirectories. If you want to prevent this, prefix the corresponding line with an equals sign followed by a space:

= /documents/letters simple
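To make the alias and file-section rules above concrete, here is a small parser that resolves aliases (including the `another_alias|item[+item][-item]` form and the predefined all, R, L, P and E aliases from Listing 1) and then decides which attributes a given path would be checked with. This is example code written for this article, not AFICK's own implementation; the configuration text, the rule that the most specific (longest) matching entry wins, and the treatment of an exclusion as covering everything below it are assumptions of the example.

```python
"""Parser for the alias and file sections of an AFICK-style configuration.
Example code, not AFICK's own implementation."""
import posixpath
import re

# Attribute letters and checksum names from the alias section of afick.conf.
ITEMS = {"md5", "sha1", "sha256", "sha512",
         "d", "i", "p", "n", "u", "g", "s", "b", "m", "c", "a"}

# Pre-defined aliases exactly as listed in the comments of Listing 1.
PREDEFINED = {
    "all": set("pdinugsbmc") | {"md5"},
    "R": set("pdinugsmc") | {"md5"},
    "L": set("pdinug"),
    "P": set("pnugs") | {"md5"},
    "E": set(),
}

# Constructed configuration fragment (an assumption of this example).
SAMPLE_CONFIG = """\
# alias section
simple = s+u+md5
Logs = p+n+u+g
Strict = R+sha256-md5        # start from R, add SHA-256, drop MD5

# file section
/documents/letters simple
! /documents/letters/draft.txt
! /documents/letters/ideas.txt
= /var/log Logs              # no recursion into /var/log/*/
/etc Strict
"""

ALIAS_LINE = re.compile(r"^(\w+)\s*=\s*(.*)$")


def resolve(expr, aliases):
    """Expand 'alias|item[+item][-item]' into the set of attributes to check."""
    attrs = set()
    for sign, token in re.findall(r"([+-]?)\s*(\w+)", expr):
        if token in aliases:
            members = aliases[token]
        elif token in ITEMS:
            members = {token}
        else:
            raise ValueError(f"unknown item or alias: {token!r}")
        attrs = attrs - members if sign == "-" else attrs | members
    return attrs


def normalize(path):
    # Windows entries use backslashes; fold them so the prefix tests work.
    return posixpath.normpath(path.replace("\\", "/"))


def parse_config(text):
    """Return (aliases, rules); each rule is a (kind, path, attrs) tuple."""
    aliases = {name: set(members) for name, members in PREDEFINED.items()}
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        alias_match = ALIAS_LINE.match(line)
        if alias_match:                        # 'name = expr'
            name, expr = alias_match.groups()
            aliases[name] = resolve(expr, aliases)
        elif line.startswith("!"):             # '! path': ignore this entry
            rules.append(("exclude", normalize(line[1:].strip()), None))
        elif line.startswith("="):             # '= dir alias': no recursion
            path, alias = line[1:].split()
            rules.append(("flat", normalize(path), aliases[alias]))
        else:                                  # 'path alias': recurse
            path, alias = line.split()
            rules.append(("recursive", normalize(path), aliases[alias]))
    return aliases, rules


def _matches(rule, path):
    kind, base, _ = rule
    if path == base:
        return True
    if kind == "flat":                         # only direct children
        return posixpath.dirname(path) == base
    return path.startswith(base.rstrip("/") + "/")


def attributes_for(path, rules):
    """Attributes checked for `path`, or None if it is not covered.
    Assumption: the longest matching entry wins, so an exclusion below a
    monitored directory overrides that directory's rule."""
    path = normalize(path)
    best = None
    for rule in rules:
        if _matches(rule, path) and (best is None or len(rule[1]) > len(best[1])):
            best = rule
    if best is None or best[0] == "exclude":
        return None
    return set(best[2])


if __name__ == "__main__":
    aliases, rules = parse_config(SAMPLE_CONFIG)
    for candidate in ("/documents/letters/taxoffice.txt", "/documents/letters/draft.txt",
                      "/var/log/syslog", "/var/log/apt/history.log", "/etc/passwd"):
        print(candidate, "->", attributes_for(candidate, rules))
```

Running the script shows that taxoffice.txt is checked with size, owner and MD5, draft.txt is skipped, files directly in /var/log get the Logs attributes while those in /var/log/apt/ are not covered because of the leading equals sign, and /etc entries use the Strict set derived from R.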

Further examples can be found in the configuration file that comes with the AFICK bundle. Choosing the right settings requires some experience, so you will want to start with the settings in the sample configuration file and then adjust them to suit your needs. After every change, check the configuration file for errors with the command: -c <configfile> --check_config

The complete documentation of the configuration file is available online [3]. The meaning of the individual lines is also explained by the many comments within the file.

User Interface

AFICK includes a graphical user interface for Linux that uses the Tk toolkit. If you installed AFICK from the RPM or DEB package, you need to install the front end separately: from the AFICK download page, get the DEB or RPM package whose name starts with afick-gui, and install it as you did the AFICK package. The script starts the front end. On Windows, try the corresponding entry in the Start menu. Depending on the configuration, you might also have to open the user interface with administrator rights.

If necessary, first load your configuration file with Configuration | Select. The file name then appears in the input field on the right. Action | Init recreates the database with the checksums. If you see an error message telling you that the database is already locked, it is very likely that the required access rights are missing; in this case, run the program as administrator.

Action | Update updates the database, and Action | Compare triggers a check. The changes section pane at the top always groups the output from AFICK, and the warnings section at the bottom collects all the error messages. You can follow the progress and the time AFICK needs to complete the action at the bottom of the window.
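The Init, Update and Compare actions boil down to taking a snapshot of the selected attributes for every monitored file and diffing it against the stored one. The following stand-alone example, written for this article rather than taken from AFICK, does exactly that for the attribute letters of Listing 1 on a constructed temporary directory, using the simple alias (s+u+md5) from earlier. It also illustrates the earlier point about choosing enough attributes: the tampered file keeps its size and owner, so only the checksum gives it away. The file names and contents are constructed for the demonstration.

```python
"""Snapshot-and-compare integrity check in the style of AFICK's Init/Compare.
Example code for this article, not AFICK's implementation."""
import hashlib
import json
import pathlib
import stat
import tempfile

# How each attribute letter from Listing 1 is collected (st = os.stat_result).
COLLECTORS = {
    "d": lambda st, p: st.st_dev,
    "i": lambda st, p: st.st_ino,
    "p": lambda st, p: stat.S_IMODE(st.st_mode),
    "n": lambda st, p: st.st_nlink,
    "u": lambda st, p: st.st_uid,
    "g": lambda st, p: st.st_gid,
    "s": lambda st, p: st.st_size,
    "b": lambda st, p: getattr(st, "st_blocks", None),
    "m": lambda st, p: st.st_mtime_ns,
    "c": lambda st, p: st.st_ctime_ns,
    "a": lambda st, p: st.st_atime_ns,
    "md5": lambda st, p: hashlib.md5(p.read_bytes()).hexdigest(),
    "sha1": lambda st, p: hashlib.sha1(p.read_bytes()).hexdigest(),
    "sha256": lambda st, p: hashlib.sha256(p.read_bytes()).hexdigest(),
    "sha512": lambda st, p: hashlib.sha512(p.read_bytes()).hexdigest(),
}


def snapshot(root, attrs):
    """'Init'/'Update': record the chosen attributes of every file under root."""
    root = pathlib.Path(root)
    database = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            st = path.stat()
            database[str(path.relative_to(root))] = {
                attr: COLLECTORS[attr](st, path) for attr in sorted(attrs)
            }
    return database


def compare(old, new):
    """'Compare': report new, deleted and changed files, and which attributes differ."""
    report = {
        "new": sorted(new.keys() - old.keys()),
        "deleted": sorted(old.keys() - new.keys()),
        "changed": {},
    }
    for name in sorted(old.keys() & new.keys()):
        differing = sorted(a for a in old[name] if old[name][a] != new[name][a])
        if differing:
            report["changed"][name] = differing
    return report


def demo(attrs=("s", "u", "md5")):
    """Build a baseline, tamper with the constructed files, and compare."""
    with tempfile.TemporaryDirectory() as tmp:
        root = pathlib.Path(tmp)
        (root / "taxoffice.txt").write_text("dear tax office\n")   # constructed
        (root / "rent.txt").write_text("rent 2024\n")              # constructed
        baseline = snapshot(root, attrs)                           # Action | Init

        # Same length, different content: size and owner stay unchanged, so
        # only the md5 attribute can reveal the modification.
        (root / "taxoffice.txt").write_text("dear tax offixe\n")
        (root / "rent.txt").unlink()
        (root / "new.txt").write_text("x")
        return compare(baseline, snapshot(root, attrs))            # Action | Compare


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Re-running snapshot() after the changes have been reviewed and accepted is the equivalent of Action | Update: the new snapshot becomes the baseline for the next comparison. Dropping md5 from the attribute tuple passed to demo() makes the tampered file disappear from the report, which is the practical reason to include a checksum in every alias that covers content you care about.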

If AFICK finds a large number of changed files, the output becomes quite confusing. Calling up a tree view under the Analysis menu displays all the files in question in a more comprehensible way. Clicking on a file in the tree unfolds further information on the right. From the Analysis menu you can also call up various statistics and information; for example, Analysis | Duplicates returns all files stored multiple times on the hard disk. To view the history, select File | History. Clicking on an entry restores all of its messages in the main window.
