afick(1) - Linux man page
Name
afick - Another File Integrity Checker
Description
The goal of this program is to monitor what changes on your host: new, deleted and modified files. It can therefore be used as an intrusion detection system (by integrity checking).
It is designed to be a portable clone of aide (Advanced Intrusion Detection Environment) or Tripwire.
You should run it regularly (by cron, for example) and after any software change, so that the database reflects every change you made yourself and anything else that shows up is suspect.
This is a command-line program; use afick-tk.pl if you prefer a graphical interface.
Synopsis
afick [mandatory action] [others options]
Options
afick uses POSIX syntax, with long (--), short (-) and negative (--no) options.
You have to use one of these mandatory actions:
- --init|-i
- initialise the database.
- --compare|-k
- compare the file system with the database.
- --list|-l <"file1 file2 ... filen">
- compare the specified files with the database.
- --print|-p
- print content of the database.
- --update|-u
- compare and update the database.
Other options:
- --archive <directory>
- write reports to <directory>.
- --config_file|-c <configfile>
- read the configuration in <configfile>.
- --debug|-d <level>
- set the level of debugging messages, from 0 (none) to 3 (full).
- --full_newdel|-f,(--nofull_newdel)
- (do not) report full information on new and deleted directories; default is no.
- --help|-h
- Output help information and exit.
- --history|-y <historyfile>
- write session status to historyfile
- --ignore_case|-a
- ignore case in file names. Can be helpful on Windows platforms, but is dangerous on Unix ones, where two distinct files whose names differ only in case would be treated as one and a change to one of them could go unreported.
- --missing_files|-m,(--nomissing_files)
- (do not) warn about files declared in the config file which do not exist; default is no.
- --dead_symlinks|-s,(--nodead_symlinks)
- (do not) warn about dead symlinks; default is no.
- --print_config
- display internal variables after argument and config file parsing (for debugging purposes).
- --progress|-P
- display the name of each scanned file; to be used only by afick-tk.
- --running_files|-r,(--norunning_files)
- (do not) warn about "running" files, that is, files modified since the program began; default is no.
- --timing|-t,(--notiming)
- (do not) print timing statistics; default is no.
- --version|-V
- Output version information and exit.
- --verbose|-v,(--noverbose)
- (do not) run in verbose mode; default is no.
- --exclude_suffix|-x <"ext1 ext2 ... extn">
- list of file suffixes to ignore.
Files
If no config file is given on the command line, afick tries to open /etc/afick.conf as the default config.
For the config file syntax see afick.conf(5).
Each database is composed of 3 binary files:
- one with the .dir suffix
- (a file index)
- one with the .pag suffix
- (the database core)
- one with the .ctr suffix
- (a control file)
Use
To use this program, you must:
- first adjust the config file to your needs
- (see afick.conf(5) for the syntax)
- then initialise the database with
- afick -c linux.conf --init
- then you can compare the file system against the database with
- afick -c linux.conf -k
- or compare and update the database with
- afick -c linux.conf --update
Return Values
An exit status of 0 means no differences were found; non-zero means some differences were found. The non-zero value is a bitmap representing the types of difference found, so several bits may be set at once (for example, 6 = changed + deleted):
- Bit 0 :
- Dangling (dead symlinks)
- Bit 1 :
- Changed
- Bit 2 :
- Deleted
- Bit 3 :
- New
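The Use section above says to run afick regularly from cron, and the exit status bitmap is what a cron wrapper has to interpret. The script below is an added example and is not part of afick itself: it runs a compare, keeps the report in a dated file, and decodes the status bits into the change types listed above. The config path /etc/afick.conf (afick's own default) and the report directory /var/log/afick are assumptions for the example.

```shell
#!/bin/sh
# Added example (not afick's own code): cron wrapper around "afick --compare".
# Assumed paths: /etc/afick.conf for the config, /var/log/afick for reports.

# Map afick's exit status bitmap to the change types it encodes:
# bit 0 = dangling, bit 1 = changed, bit 2 = deleted, bit 3 = new.
# Prints the names of the set bits, space separated, or "clean" for 0.
decode_afick_status() {
    status=$1
    names=""
    [ $((status & 1)) -ne 0 ] && names="$names dangling"
    [ $((status & 2)) -ne 0 ] && names="$names changed"
    [ $((status & 4)) -ne 0 ] && names="$names deleted"
    [ $((status & 8)) -ne 0 ] && names="$names new"
    if [ -z "$names" ]; then
        echo clean
    else
        echo "${names# }"
    fi
}

# Run the compare, store afick's report in a dated file, append the decoded
# status, and return afick's own exit status unchanged so cron still sees it.
# Note: --compare never touches the database; run --update by hand only after
# you have reviewed the report and accepted the changes.
run_afick_check() {
    conf=${1:-/etc/afick.conf}
    logdir=${2:-/var/log/afick}
    mkdir -p "$logdir"
    report="$logdir/report-$(date +%Y%m%d-%H%M%S).txt"
    if afick -c "$conf" --compare > "$report" 2>&1; then
        rc=0
    else
        rc=$?
    fi
    echo "afick exit status $rc: $(decode_afick_status "$rc")" >> "$report"
    return $rc
}
```

A crontab line such as `0 3 * * * /usr/local/sbin/afick-check.sh` (path assumed) runs the wrapper nightly; cron mails the report only if you make the script print it, so grep the last line of the report for anything other than "clean" in your alerting.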
Notes
This program uses only perl and its standard modules.
See Also
afick.conf(5) for the configuration file
afick-tk(1) for the graphical interface
http://www.cs.tut.fi/~rammer/aide for the aide software
Copyright
Copyright (c) 2002,2003,2004 Eric Gerbier All rights reserved.
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
Authors
Eric Gerbier
You can report any bug or suggestion to <gerbier@users.sourceforge.net>
