Fcheck File System Security on Linux, Unix

Wednesday, April 15, 2009

Fcheck File System Security on Linux, Unix :-
Download fcheck (see resources) and unpack it. fcheck is a cross-platform Perl script which runs on UNIX and Windows systems (as long as they have Perl installed).

$ mkdir /usr/local/fcheck
$ cp fcheck /usr/local/fcheck
$ cp fcheck.cfg /usr/local/fcheck

Edit /usr/local/fcheck/fcheck.cfg with your favorite editor and change the following values:
Directory, FileTyper, Database, Logger, TimeZone, and Signature.

# Directories that will be monitored
# if there is a trailing / it will be recursive

Directory = /etc/
Directory = /bin/
Directory = /sbin/
Directory = /lib/
Directory = /usr/bin/
Directory = /usr/sbin/
Directory = /usr/lib/

TimeZone = PST8PDT # For Pacific Standard

# What to use to create signatures

Signature = /usr/bin/md5sum

# Database of file signatures

DataBase = /usr/local/fcheck/sol.dbf

Logger = /usr/bin/logger -t fcheck

# Utility to determine file type

FileTyper = /bin/file

Also edit the fcheck script and change the path of the configuration file to /usr/local/fcheck/fcheck.cfg

Then run fcheck for the first time to create the baseline database.

# Options explained:
# c create the database
# a is for all
# d is to monitor directory creation
# s is to create signatures for all files
# x is for extended permissions monitoring

$ ./fcheck -cadsx

To test that everything has been set up correctly, run the following commands; fcheck should alert you to the difference.

$ touch /etc/FOO
$ ./fcheck -adsx

fcheck should display some information about /etc/FOO. Removing the file again ($ rm /etc/FOO) puts the file system back in its baseline state and prevents future messages about it.
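To make concrete what the baseline database and the -adsx comparison are doing, here is an added example (not fcheck's own code and not from the original post) that implements the same create/check cycle in POSIX shell on top of md5sum: a signature database of "hash  path" lines, and a comparison that reports added, modified and deleted files. The script name baseline.sh, the function names and the ADDED/MODIFIED/DELETED labels are assumptions of this example; fcheck's real output format differs.

```shell
#!/bin/sh
# Added example, not fcheck's code: a minimal create/check cycle with a
# signature database, mirroring "fcheck -cadsx" (create) and "fcheck -adsx"
# (check). File names containing newlines are not handled.

# The post's Signature setting; sha256sum is a drop-in replacement
SIGNATURE="${SIGNATURE:-md5sum}"

# build_baseline DIR DB: write "<hash>  <path>" for every regular file
# under DIR into DB (the role sol.dbf plays in the post's config).
build_baseline() {
    dir=$1; db=$2
    find "$dir" -type f -exec "$SIGNATURE" {} + > "$db"
}

# compare_baseline DIR DB: re-hash DIR and diff it against DB.
# Prints one ADDED/MODIFIED/DELETED line per change and returns 1 if there
# were any, 0 if the tree still matches the baseline, 2 on internal error.
compare_baseline() {
    dir=$1; db=$2
    current=$(mktemp "${TMPDIR:-/tmp}/baseline.XXXXXX") || return 2
    find "$dir" -type f -exec "$SIGNATURE" {} + > "$current"
    # First pass loads the baseline into old[path]=hash; second pass walks the
    # fresh listing. FILENAME (not NR==FNR) is used so an empty baseline
    # cannot make the current listing be mistaken for the old one.
    changes=$(awk -v db="$db" '
        function path_of(line) { return substr(line, index(line, "  ") + 2) }
        FILENAME == db { old[path_of($0)] = $1; next }
        {
            p = path_of($0)
            if (!(p in old))       print "ADDED    " p
            else if (old[p] != $1) print "MODIFIED " p
            seen[p] = 1
        }
        END { for (p in old) if (!(p in seen)) print "DELETED  " p }
    ' "$db" "$current" | sort)
    rm -f "$current"
    [ -n "$changes" ] || return 0
    printf '%s\n' "$changes"
    return 1
}

# Command-line entry point; does nothing when run without arguments.
#   sh baseline.sh create /etc /usr/local/fcheck/sol.dbf
#   sh baseline.sh check  /etc /usr/local/fcheck/sol.dbf
case "${1:-}" in
    create) build_baseline "$2" "$3" ;;
    check)  compare_baseline "$2" "$3" ;;
esac
```

The exit status is what a cron job or the wrapper script below would key on: 0 means the tree still matches the database, 1 means at least one change was printed. As with fcheck, the database itself must live somewhere the monitored tree cannot reach, otherwise an attacker who can edit files can also edit the record of their hashes.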
Next, create a short shell script that will be run periodically by cron and check for changes. Open your favorite editor and create /usr/local/bin/fcheck_script.

When using the `cron` utility look out for _symlink attacks_ :-

#!/bin/bash
# Use mktemp instead of $$ to prevent sym-link attacks
FCHECK_LOG=$(mktemp) || exit 1

# Drop the PROGRESS:/STATUS: chatter and blank lines; keep only reported changes
/usr/local/fcheck/fcheck -adsx \
| grep -Ev '^PROGRESS:|^STATUS:|^$' > "$FCHECK_LOG"

# If there were any changes email the sys-admin
# (subject quoted so the hostname is not taken as a second recipient)
if [ -s "$FCHECK_LOG" ]; then
/usr/bin/mail -s "fcheck $(hostname)" youremail@yourprovider.com < \
"$FCHECK_LOG"
fi

# Always remove the temp file, changes or not
/bin/rm -f "$FCHECK_LOG"

The cron utility will be used to run periodic checks of the file-system and will compare it to the baseline database. The following command will edit root’s crontab:

$ crontab -e

# Add this line to run the script every 15 minutes under nice,
# so it runs at lower priority and yields to other work when
# the system is busy. Cron does not support \ line continuation,
# so the entry must stay on a single line.
*/15 * * * * nice /usr/local/bin/fcheck_script > /dev/null

Symlink Attacks :-

Side Note: Running an IDS package usually involves running a script at a pre-configured time using the cron utility. This opens systems up to symlink attacks. Symlink attacks rely on the attacker knowing that a certain file is going to be created at a certain time with a certain name. A common shell scripting technique that generates some randomness is the use of $$, which is the PID of the running script. However, this is vulnerable to symlink attacks because most PIDs are below 35K and most file systems can hold 35K files, so every name the script could pick fits in advance. The correct technique is to use mktemp, which generates a truly random file name.
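As an added example (not the post's script and not part of fcheck), here is a hardened version of the cron wrapper that follows the side note: the report goes to an owner-only file created by mktemp with an explicit template, the temp file is cleaned up on every exit path, and the filtering and notification steps are split into functions so they can be exercised on constructed output without fcheck or mail installed. The file name fcheck_wrapper.sh, the function names and the sample WARNING lines are assumptions; only the PROGRESS:/STATUS: prefixes and the -adsx invocation come from the post.

```shell
#!/bin/sh
# Added example, not the post's script: a hardened cron wrapper for fcheck.
# The checker and the notifier are passed in as commands so the logic can be
# run against constructed output without fcheck or mail installed.

umask 077   # anything this script creates is readable by the owner only

# secure_tmpfile: unpredictable, owner-only temp file under $TMPDIR (default
# /tmp). mktemp creates it with O_EXCL and a random suffix, so a symlink
# planted at a guessed name (the $$ problem) cannot redirect the write.
secure_tmpfile() {
    mktemp "${TMPDIR:-/tmp}/fcheck.XXXXXXXX"
}

# filter_fcheck_output: read fcheck output on stdin and keep only the lines
# that describe a change (drop PROGRESS:, STATUS: and blank lines).
filter_fcheck_output() {
    grep -Ev '^PROGRESS:|^STATUS:|^$'
}

# count_changes: number of change lines in fcheck output read from stdin.
count_changes() {
    filter_fcheck_output | wc -l | tr -d ' '
}

# fcheck_adsx: the real checker, exactly as the post runs it from cron.
fcheck_adsx() {
    /usr/local/fcheck/fcheck -adsx
}

# notify_by_mail: send the report on stdin to $RECIPIENT (subject quoted so
# the hostname stays part of it instead of becoming a second recipient).
notify_by_mail() {
    /usr/bin/mail -s "fcheck $(hostname)" "$RECIPIENT"
}

# run_check CHECKER NOTIFIER: run the checker, filter its output into a temp
# file, and hand the file to the notifier only when it is non-empty.
# Returns 1 when changes were reported, 0 when the file system matched.
run_check() {
    checker=$1; notifier=$2
    log=$(secure_tmpfile) || return 2
    trap 'rm -f "$log"' EXIT      # cleanup even if the script is killed mid-run
    "$checker" | filter_fcheck_output > "$log"
    status=0
    if [ -s "$log" ]; then
        "$notifier" < "$log"
        status=1
    fi
    rm -f "$log"
    return $status
}

# Entry point for cron; does nothing when run without arguments:
#   */15 * * * * nice /usr/local/bin/fcheck_wrapper.sh run youremail@yourprovider.com
case "${1:-}" in
    run) RECIPIENT=$2; run_check fcheck_adsx notify_by_mail ;;
esac
```

Two details carry the security value: the template passed to mktemp keeps the file in a directory the caller controls via TMPDIR, and umask 077 plus mktemp's O_EXCL create mean the report is never world-readable and never written through a pre-existing path, which is exactly what a $$-based name cannot guarantee.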

  © Copyright 2009 Linux-HelpLine.Blogspot.com