FCheck

FCheck is an excellent open source host-based intrusion detection system (HIDS), similar in functionality to Tripwire. An excellent SysAdmin magazine article on FCheck is available here.

Here are the steps I use to install and run FCheck on my Linux system:

1. Download FCheck
wget http://www.geocities.com/fcheck2000/FCheck_2.07.59.zip

2. Install FCheck
mkdir fcheck
mv FCheck_2.07.59.zip fcheck

cd fcheck
unzip FCheck_2.07.59.zip
/bin/su
mkdir -m 700 -p /usr/local/admtools/conf /usr/local/admtools/logs
cp fcheck /usr/local/admtools
cp fcheck.cfg /usr/local/admtools/conf


3. Configure FCheck.
vi /usr/local/admtools/conf/fcheck.cfg

We will use md5sum instead of cksum to create file signatures.

Uncomment the following line:
#$Signature = /usr/bin/md5sum

Comment the following line:
$Signature = /bin/cksum

The default directories to monitor are /tmp and /usr/local/admtools. You may monitor as many files and directories as you would like. I recommend at least monitoring the /etc, /bin, and /sbin directories.

Add the following lines:
Directory = /etc/
Directory = /bin/
Directory = /sbin/

Comment the following lines:
Directory = /usr/local/admtools/
Directory = /tmp/

4. Make the FCheck Perl script executable
chmod u+x /usr/local/admtools/fcheck

5. Create the initial FCheck database.
/usr/local/admtools/fcheck -acs

Description of FCheck flags (taken verbatim from SysAdmin magazine article):
-a -- Automatic scan of all the directory configuration.
-c -- Create the initial (baseline) database to which subsequent scan comparisons will be made.
-s -- Create signatures (fingerprints). The documentation that comes with FCheck does not emphasize the use of -s, but I highly recommend its use since permissions, dates, and file sizes can be manipulated by skilled hackers and hacking tools. FCheck will use the program defined with the $Signature parameter in the fcheck.cfg configuration file.

6. Add a root crontab entry to execute FCheck daily and mail the results. Ideally, you should store the FCheck database on non-writable media (CD-R) so that crackers cannot manipulate the FCheck database.
5 4 * * * /usr/local/admtools/fcheck -a | /bin/mail -s "`/bin/hostname` FCheck output for `/bin/date +\%m`-`/bin/date +\%d`-`/bin/date +\%y`" root
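As an added illustration (not part of the original page and not FCheck's own code), the following Python script mimics what FCheck does with -c (baseline) and -a (compare) and shows why -s matters: a same-length edit whose timestamps are restored is invisible to a mode/size/mtime check but is caught by the md5 signature. The file name and contents are constructed in a temporary directory.

```python
import hashlib
import os
import shutil
import stat
import tempfile


def snapshot(root):
    """Baseline of a tree: relative path -> mode, size, mtime and md5 (like FCheck -c -s)."""
    db = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, devices etc. are skipped in this simplified version
            with open(path, "rb") as fh:
                digest = hashlib.md5(fh.read()).hexdigest()
            db[os.path.relpath(path, root)] = {
                "mode": st.st_mode, "size": st.st_size,
                "mtime": int(st.st_mtime), "md5": digest,
            }
    return db


def compare(baseline, current, use_signature=True):
    """Report additions, deletions and attribute changes (like FCheck -a)."""
    report = []
    fields = ["mode", "size", "mtime"] + (["md5"] if use_signature else [])
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            report.append(("DELETION", path))
        elif path not in baseline:
            report.append(("ADDITION", path))
        else:
            changed = [f for f in fields if baseline[path][f] != current[path][f]]
            if changed:
                report.append(("WARNING", path, changed))
    return report


def demo():
    """Constructed scenario: edit a file without changing its size, then restore its timestamps."""
    root = tempfile.mkdtemp()
    target = os.path.join(root, "passwd")  # constructed sample file, not the real /etc/passwd
    with open(target, "w") as fh:
        fh.write("root:x:0:0::/root:/bin/sh\n")
    baseline = snapshot(root)
    st = os.stat(target)
    with open(target, "w") as fh:
        fh.write("root:x:0:0::/root:/bin/zz\n")  # same length as the original line
    os.utime(target, (st.st_atime, st.st_mtime))  # put the old timestamps back
    current = snapshot(root)
    shutil.rmtree(root)
    return compare(baseline, current, use_signature=False), compare(baseline, current)
```

Without the signature the comparison reports nothing; with it the edited file is flagged with only "md5" changed, which is exactly the case the -s flag exists for.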


Last modified: 01/21/2003