fcheck is a program that emails an alert when important files or directories change. This is useful for change control or detecting unauthorized modifications that may indicate an intrusion.
Most sysadmins will agree that having a file integrity checker is a good idea, the problem with them is that they are usually a giant pain to get working and keep up-to-date. Thus they are perpetually on the “to do” list and then you don’t have it when you need it. (Hint, after the intrusion is too late.)
Enter fcheck, which Just Works out-of-the-box with the exception of the “major gotcha” detailed below, and with only a little care and feeding.
When installed it creates the file database (DB) then runs from cron every two hours. When it sees a change it sends email (via cron) then rebuilds the DB by itself, so you won’t get the same error next time. That’s a potential security issue, since if you lose that email you’ve missed your one and only alert. Also, if some files change all the time (like /etc/mtab
, /etc/printcap
, and /etc/samba/smbpasswd
) you will get alerted on them every run, until you go exclude them. The configuration file supports file includes, so keeping a custom fcheck.local
file is a breeze.
You will get a large alert message after an aptitude *-upgrade
command, which is a great way to validate your change control policy (yup, stuff was changed when it was supposed to; or Who the heck is messing with my server?!?
).
The existing package does not include logcheck ignore files, so if you’re using the logcheck package (and you should be on a server) you’ll get a alerts about DB rebuilds unless you add an ignore line (see samples).
The default config file is not bad, and adding new files and directories for fcheck to monitor is really easy, though including directories is a bit subtle in that they are only checked recursively if listed with a trailing ‘/’. See the examples below for things I usually add.
There is also a major gotcha reported in this bug report. It turns out there is a missing exclude needed for /lib/udev/devices/
so the install will hang at “Building fcheck database (may be some time)…” or during a check at “PROGRESS: validating integrity of /lib/” and leave a ton of fcheck processes clogging up your system. See the bug and the samples below for the fix.
Because of the easy failure mode of a single email before the DB update, and the lack of cryptographic protection of its component files, it’s not the most secure program in the book. But it is drop-dead easier than anything else I looked at. In my book, “easy and used” beats “such a pain I never got around to it” any day :-)
. And it’s not that hard to make it more secure by keeping off-line copies of the DB, configuration and Perl script and adjusting the cronjob to NOT rebuild after changes, if you want to.
If you run a server you should be using fcheck and logcheck. And probably tmpreaper, etckeeper and maybe monit too. To summarise:
Pros:
- Just Works out-of-the box, unlike its competitors
- Simple to set up and use
- Very stable code (hasn’t changed since 2001 or so)
- Written in Perl, for easy hacking
- Runs on Windows too
Cons:
Other alternatives:
debsums
- Verify installed package files against MD5 checksums.
integrit
- A file integrity verification program.
osiris
- network-wide system integrity monitor control interface.
samhain
- Data integrity and host intrusion alert system.
stealth
- A stealthy File Integrity Checker.
tripwire
- file and directory integrity checker.
Availability:
Debian: Since at least Etch: 2.7.59-8
Ubuntu: Since at least Dapper: 2.7.59-8
Samples:
Edit /etc/fcheck/fcheck.cfg
and add at the bottom:
# Tweak the main file if needed, then add this near the bottom.
# In addition to the defaults in this main file, also:
CFInclude = /etc/fcheck/fcheck.cfg.local
Create /etc/fcheck/fcheck.cfg.local
# In addition to the defaults in '/etc/fcheck/fcheck.cfg':
# Track changes to crontabs (may want to limit to some users on busy systems)
# Note trailing '/' for recursive check of this directory
Directory = /var/spool/cron/
# This stuff changes too often
Exclusion = /etc/package.list
Exclusion = /etc/printcap
Exclusion = /etc/motd
Exclusion = /etc/mtab
#Exclusion = /etc/samba/smbpasswd
# for DHCP: Exclusion = /etc/resolv.conf
# BUGFIX, per https://bugs.launchpad.net/ubuntu/+source/fcheck/+bug/47408
# Can't hurt to have this just in case
Exclusion = /lib/udev/devices/
Only if you are also using the logcheck package, create /etc/logcheck/ignore.d.server/fcheck.local
:
# Ignore fcheck rebuild notices
# Note that this should be one single line:
^\w{3} [ :0-9]{11} \w+ fcheck: “INFO: Rebuild of the fcheck database /var/lib/fcheck/fcheck\.dbf begun \
for \w+ using config file /etc/fcheck/fcheck\.cfg”