FCheck is an excellent open source host-based intrusion detection system (HIDS), similar in functionality to Tripwire. An excellent SysAdmin magazine article on FCheck is available here.
Here are the steps I use to install and run FCheck on my Linux system:
1. Download FCheck
2. Install FCheck
mv FCheck_2.07.59.zip fcheck
mkdir -m 700 -p /usr/local/admtools/conf /usr/local/admtools/logs
cp fcheck /usr/local/admtools
cp fcheck.cfg /usr/local/admtools/conf
3. Configure FCheck.
We will use md5sum instead of cksum to create file signatures.
Uncomment the following line:
#$Signature = /usr/bin/md5sum
Comment out the following line:
$Signature = /bin/cksum
The default directories to monitor are /tmp and /usr/local/admtools. You may monitor as many files and directories as you would like. I recommend at least monitoring the /etc, /bin, and /sbin directories.
Add the following lines:
Directory = /etc/
Directory = /bin/
Directory = /sbin/
Description of FCheck flags (taken verbatim from SysAdmin magazine article):
-a -- Automatic scan of all the directory configuration.
-c -- Create the initial (baseline) database to which subsequent scan comparisons will be made.
-s -- Create signatures (fingerprints). The documentation that comes with FCheck does not emphasize the use of -s, but I highly recommend its use since permissions, dates, and file sizes can be manipulated by skilled hackers and hacking tools. FCheck will use the program defined with the $Signature parameter in the fcheck.cfg configuration file.
6. Add a root crontab entry to execute FCheck daily and mail the results. Ideally, you should store the FCheck database on non-writable media (CD-R) so that crackers cannot manipulate the FCheck database.
5 4 * * * /usr/local/admtools/fcheck -a | /bin/mail -s "`/bin/hostname` FCheck output for `/bin/date +\%m`-`/bin/date +\%d`-`/bin/date +\%y`" root
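To make the baseline/audit cycle concrete, here is an added shell example (not FCheck's own code) that mirrors what `fcheck -c` and `fcheck -a` do with `$Signature` set to md5sum: record mode, size, mtime and an md5 digest for every file, then report what was added, deleted or changed. The `SIGNATURE` variable and the `fc_*` function names are my own; paths containing whitespace are not handled.

```shell
#!/bin/sh
# Added example, not part of FCheck: a minimal create/audit cycle in the spirit
# of "fcheck -c" (baseline) and "fcheck -a" (audit) with $Signature = md5sum.
# Limitation: file paths containing whitespace are not handled.

SIGNATURE=${SIGNATURE:-md5sum}   # stands in for the $Signature setting in fcheck.cfg

# Print one record per regular file: path, mode, size, mtime, content digest.
fc_snapshot() {
    find "$@" -type f 2>/dev/null | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s %s %s\n' "$f" "$(stat -c '%a %s %Y' "$f")" \
            "$("$SIGNATURE" < "$f" | cut -d' ' -f1)"
    done
}

# fc_create DBFILE DIR... : write the baseline database (like -c).
# Keep DBFILE on media the host cannot write to, as the page recommends.
fc_create() {
    db=$1; shift
    fc_snapshot "$@" > "$db"
}

# fc_audit DBFILE DIR... : compare the current state against the baseline (like -a).
# Prints ADDED/DELETED/CHANGED lines; returns 1 if anything differs, 0 if clean.
fc_audit() {
    db=$1; shift
    now=$(mktemp)
    fc_snapshot "$@" > "$now"
    report=$(awk '
        FILENAME == ARGV[1] { base[$1] = $0; next }      # baseline records
        {
            if (!($1 in base))        printf "%-7s %s\n", "ADDED", $1
            else if (base[$1] != $0)  printf "%-7s %s\n", "CHANGED", $1
            delete base[$1]
        }
        END { for (p in base) printf "%-7s %s\n", "DELETED", p }
    ' "$db" "$now")
    rm -f "$now"
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    return 0
}
```

Run `fc_create` once against /etc, /bin and /sbin, then schedule `fc_audit` from cron the way the entry above does; the non-zero exit status is handy for alerting in addition to the mailed report.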
Last modified: 01/21/2003