
              FCheck: The filesystem baseline integrity checker.
                    Copyright (C) 1996 Michael A. Gumienny


      Please send your comments, updates, improvements, wishes and
                        bug reports for fcheck to:

                           Michael A. Gumienny
                           gumienny@hotmail.com

     ###################################################################
   This program is free software; you can redistribute it and/or modify it
   under the terms of the GNU General Public License as published by the
   Free Software Foundation; either version 2 of the License, or (at your
   option) any later version.

   This program is distributed in the hope that it will be useful, but
   WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General
   Public License for more details.

   You should have received a copy of the GNU General Public License along
   with this program; if not, write to:

             Free Software Foundation, Inc.
             59 Temple Place - Suite 330
             Boston, MA 02111-1307, USA.

        Or you can find the full GNU GPL online at: http://www.gnu.org
     ###################################################################



Files:
Your distribution should contain the following seven (7) files:

    README                      You're reading this file.
    fcheck                      PERL script fcheck.
    fcheck.cfg                  Required configuration file.
    fcheck_2.07.37.lsm          LSM file, Linux folks know this one.
    license                     GNU GPL License agreement.
    install.unix                Installation guide for UNIX platforms.
    install.win                 Installation guide for Win32 platforms.

This documentation contains the following sections.

    Files:                      The section you are reading now. Contains a
                                listing of the files you should have included
                                in your distribution.
    History behind FCheck:      A brief introduction as to why FCheck was
                                written.
    FCheck Features:            What FCheck can do for you.
    Changelog:                  Small, because FCheck was really written a
                                few years ago but is now being added to.
    Operation:                  A brief intro to normal flag usage when you
                                run FCheck.
    Closing Hints:              A few tips from the author, drawn from real
                                usage experience.
    Mini FAQ:                   Questions that have filtered back to the
                                author concerning operational problems.

Complete detailed configuration and setup procedures can be found in the
install.unix and install.win documents also included.



     ###################################################################



History behind FCheck:
FCheck was developed out of necessity from a situation when my company
outsourced its UNIX administrators. Originally intended for monitoring the
administrators' whimsical changes to the systems, it grew into a full-blown
security tool.

As the person who went to the meetings and was responsible for the systems
(i.e. the guy with his head on the block), not knowing that a complete
filesystem had been removed happened to me only once. My "staff" had forgotten
to notify me of the change, along with several other changes. I needed a way to
monitor the system for any modifications that would report back to me
immediately, so I could stay abreast of whimsical changes. Thus, FCheck was born.

FCheck grew into an overnight success, even though I did not see its complete
potential at first. When a surprise Security Audit Team arrived, the full
potential was recognized.

We already had several tools in place to satisfy the auditors' demands, but
they thought they had us when a baseline snapshot of the system was requested.
Expecting to hear that we had no such tool in place, they were eager to learn
more about FCheck and its capabilities.



     ###################################################################



FCheck Features:
Essentially, FCheck has the ability to monitor directories, files or complete
filesystems for any additions, deletions, and modifications. It is
configurable to exclude active log files, and can be run as often as needed
from the command line or cron, making it extremely difficult to circumvent. It
is written in standard PERL and requires no special library modules.

There is no encryption processing of the baseline database, but if there are
sufficient requests I will include it in a future release. Also, the "ls"
function that is now being used is being re-written as a PERL function within
FCheck to remove various system-dependent "ls" flags (i.e. so future releases
can run on NT too).

Currently only one other baseline system security tool exists (Tripwire), and
it is purchasable with licensing agreements, etc. Personally I hate software
that you must purchase, so this is distributed under the GNU license. (i.e. It's
yours to play with, but keep my name in it, and let me know what you modified.)
All code is written from scratch, and is owned solely by the author, but
rights are granted for its usage under the GNU license agreement to any site
that desires free baseline security measures. 



     ###################################################################



Changelog:

Version 2.06.30
 * FCheck now runs on DOS based platforms by use of an internally coded "ls"
   replacement.

 * By making FCheck available to run on DOS based platforms, the remote
   operations needed to be removed. This feature offered too much temptation
   to open another security hole by use of the "remsh" command.

Version 2.06.27
 * Initial version released for public usage; after receiving feedback it was
   decided to continue support with additional features.



   ###################################################################



Operation:
Flag passing is a fairly simple process. Primarily you will be using two
commands. One builds (or rebuilds) your baseline database files (system
snapshots). The second runs in a scanning comparison mode.

  "fcheck -ac"   Builds the baseline database.
  "fcheck -a"    Comparison scans the system against the baseline database.

For normal operation you will initially run fcheck with the flags "fcheck -ac"
to build the initial baseline file for comparison. Any subsequent runs can use
the flags "fcheck -a" to scan for any system modifications.

After a scan is completed, you will have to have fcheck re-build its baseline
database for the next comparison cycle. Otherwise you will keep seeing every
system modification since the last baseline re-build. In other words, run the
"fcheck -ac" command again.



     ###################################################################



Closing Hints:
I would also suggest using the "-l" flag to send messages to syslog unless you
really want to watch the output from this all the time. You could also make
use of some log monitoring packages like CA-Unicenter, HP-Openview, or
several other shareware alternatives, including the 'pmem' Tcl/Tk interface
that I also wrote.

FCheck was run from cron in a production environment at 10 minute intervals
with no impact on system performance. Message logging was handled by syslog
with the "-l" flag and imported to a commercial event monitoring package that
monitored and displayed system logfiles, highlighting only the important
events. A shorter interval can be used on smaller systems, but you must
allow FCheck to complete its baseline comparison before re-building the
baseline, to avoid false readings. Actual interval times will vary
depending on how active a system you are running FCheck on.

Those of you that have scanned the code may have noticed the remote shell
feature has been removed in this version. I felt this offered too much
temptation to open a security hole, so it was removed. FCheck does NOT have to
run as root; it only needs read permission on each of the directories and
files that you want to monitor.

Other flags for you to play with are as follows:

   -a    Automatic mode, do all directories in configuration file.
   -c    Create a new base line database for the given directory.
   -i    Ignore creation times, check permissions, adds, deletes.
   -l    Log information to logger rather than stdout messages.
   -v    Verbose mode, not used for report generation.



     ###################################################################



Mini FAQ:

Q: When I try to initialize with the command "FCheck -ac" I get the following
   error message back. Why?

      FCheck: Can't find C:/Work/temp/perl/fcheck/FCheck.cfg
      terminating...

A: FCheck can't locate the configuration file that you have instructed it to
   use. Edit the executable (FCheck) and ensure that the variable "$config="
   is set properly to reflect your configuration file's location.
  


Q: When I try to initialize with the command "FCheck -ac" I get the following
   error message back. Why?

      FCheck: no base file directory exist! [C:/Work/temp/perl/fcheck/data]
      terminating...

A: The directory that you have instructed FCheck to utilize to store its
   database does not exist. Either modify the configuration file (FCheck.cfg)
   to use an existing directory, or create the one it needs.



Q: I have removed a directory "/usr/local/etc" and told FCheck to exclude it
   from future scans with the line "Exclusion = /usr/local/etc/", now it is
   being reported as deleted.

A: The scanned directory still exists in FCheck's databases. After a
   modification to any scanned area of a system, you must tell FCheck to
   re-initialize its database (FCheck -ac) to stop this behaviour. Otherwise
   FCheck will continue to report any changes that it has detected, including
   the directory you told it to exclude from future scans. Only once you have
   re-initialized the databases will FCheck ignore any directories or files
   that you instructed it to exclude.
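As an added example (not FCheck's own code) of the build/compare cycle described under Operation and of the stale-baseline behaviour in the question above, the following Perl script snapshots a constructed temporary tree, removes a directory, and shows that the deletion is still reported until the baseline is rebuilt with the exclusion in place. The names snapshot, compare and the temp-directory layout are hypothetical, not FCheck's.

```perl
# Added example, not FCheck's code: the tree below is constructed in a temp dir.
use strict;
use warnings;
use File::Find;
use File::Temp qw(tempdir);
use File::Path qw(make_path remove_tree);

# Walk $root and record mode:size:mtime for every entry, pruning anything
# under an exclusion (a trailing slash is allowed, as in "Exclusion = /x/").
sub snapshot {
    my ($root, $exclusions) = @_;
    my @ex = map { (my $e = $_) =~ s{/+$}{}; $e } @$exclusions;
    my %db;
    find({ no_chdir => 1, wanted => sub {
        my $path = $File::Find::name;
        for my $e (@ex) {
            if ($path eq $e || index($path, "$e/") == 0) {
                $File::Find::prune = 1;   # do not descend into excluded dirs
                return;
            }
        }
        my @st = lstat $path or return;
        $db{$path} = sprintf("%o:%d:%d", $st[2] & 07777, $st[7], $st[9]);
    }}, $root);
    return \%db;
}

# Deletions are derived from the baseline's keys, so an entry the baseline
# still holds is reported even when the current scan excludes its path.
sub compare {
    my ($base, $now) = @_;
    my @added   = sort grep { !exists $base->{$_} } keys %$now;
    my @deleted = sort grep { !exists $now->{$_}  } keys %$base;
    my @changed = sort grep { exists $now->{$_} && $now->{$_} ne $base->{$_} } keys %$base;
    return (\@added, \@deleted, \@changed);
}

# Constructed tree: a temp root holding etc/hosts and bin/ls.
my $root = tempdir(CLEANUP => 1);
make_path("$root/etc", "$root/bin");
for my $f ("$root/etc/hosts", "$root/bin/ls") {
    open my $fh, '>', $f or die "$f: $!"; print $fh "x\n"; close $fh;
}
my $baseline = snapshot($root, []);                # "fcheck -ac"
remove_tree("$root/etc");                          # the directory is removed
my @ex = ("$root/etc/");                           # then excluded from scans
my (undef, $del) = compare($baseline, snapshot($root, \@ex));   # "fcheck -a"
print "stale baseline reports deleted: @$del\n";   # etc and etc/hosts listed
$baseline = snapshot($root, \@ex);                 # "fcheck -ac" again
(undef, $del) = compare($baseline, snapshot($root, \@ex));
print "after rebuild reports deleted: @$del\n";    # nothing is listed
```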


