afick - Another File Integrity Checker

The goal of this program is to monitor what change on your host : new/deleted/modified files. So it can be used as an intrusion detection system ( by integrity checking ).

It is designed to be a portable clone of aide (Advanced Intrusion Detection Environment), or Tripwire software.

you should launch it regulary (by cron for example) and after any software change.

this is a command-line program, you can use afick-tk.pl if you prefer a graphical interface.

afick [mandatory action] [others options]

afick use posix syntaxe, with long (--), short (-), and negative (--no) options

You have to use one this mandatory action :

--init|-i

initiate the database.

--compare|-k

compare the file system with the database.

--list|-l <"file1 file2 ... filen">

compare the specified files with the database.

--print|-p

print content of the database.

--update|-u

compare and update the database.

others options :

--archive| <directory>

write reports to <directory>.

--config_file|-c <configfile>

read the configuration in <configfile>.

--debug|-d <level>

set a level of debugging messages, from 0 (none) to 3 (full)

--full_newdel|-f,(--nofull_newdel)

(do not) report full information on new and deleted directories, default is no

--help|-h

Output help information and exit.

--history|-y <historyfile>

write session status to historyfile

--ignore_case|-a

ignore case for file names. can be helpfull on windows plateforms, but is dangerous on unix ones.

--missing_files|-m,(--nomissing_files)

(do not) warn about files declared in config files which does not exists, default is no

--dead_symlinks|-s,(--nodead_symlinks)

(do not) warn about dead symlinks, default is no

--print_config,

display internals variables after arguments and config file parsing (for debugging purposes)

--progress|-P,

display the name of scanned files, to be used only by afick-tk

--running_files|-r,(--norunning_files)

(do not) warn about "running" files : modified since program begin, default is no

--timing|-t,(--notiming)

(do not) Print timing statistics , default is no

--version|-V

Output version information and exit.

--verbose|-v,(--noverbose)

(not in) verbose mode, default is no

--exclude_suffix|-x <"ext1 ext2 ... extn">

list of suffixes to ignore

if no config file on command line, afick try to open /etc/afick.conf as default config

for config file syntax see afick.conf(5)

each database is composed of 3 binary files :

one with .dir suffixe

(a file index)

one with .pag suffixe

(the database core)

one with .ctr suffixe

(a control file)

To use this program, you must

first adjust the config file to your needs :

(see afick.conf(5) for the syntaxe)

then initiate the database with :

afick -c linux.conf --init

then you can compare with

afick -c linux.conf -k

or compare and update with

afick -c linux.conf --update

An exit status of 0 means no differences were found, non-zero means some differences were found. The non-zero value is a bitmap representing the type of difference found:

Bit 0 :

Dangling

Bit 1 :

Changed

Bit 2 :

Deleted

Bit 3 :

New

afick.conf(5) for configuration file

afick-tk(1) for graphical interface

http://www.cs.tut.fi /~rammer/aide for aide software

Copyright (c) 2002,2003,2004 Eric Gerbier All rights reserved.

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

Eric Gerbier

you can report any bug or suggest to <gerbier@users.sourceforge.net>