2025-02-05 Update From: SLTechnology News&Howtos (Network Security)
Shulou(Shulou.com)06/01 Report--
Afick is a security tool very similar to the well-known file integrity checker Tripwire: it monitors changes to your file system and can therefore detect unauthorized modifications. (The above is the online introduction; this article does not cover its internals and only briefly describes installation and use.)
Environment: CentOS 6.3, 64-bit
The last time I uploaded this software I did not pay attention to the download-bean (download credit) setting; from now on I will not ask for beans for open source software.
http://down.51cto.com/data/1099898 (source code package)
http://down.51cto.com/data/1099899 (rpm package)
Install the required package (Perl) first, then build and install afick:
[root@localhost ~]# yum -y install perl
[root@localhost ~]# tar xf afick-3.4.tgz
[root@localhost ~]# cd afick-3.4
[root@localhost afick-3.4]# perl Makefile.pl
[root@localhost afick-3.4]# make install
[root@localhost ~]# vi /etc/afick.conf    # edit the configuration file and add the directories to be checked
Here are some parts of the configuration file and my understanding of them.
These are the attributes ("actions") that can be monitored for each file:
# action: a list of items to check:
# md5: md5 checksum
# sha1: sha-1 checksum
# sha256: sha-256 checksum
# sha512: sha-512 checksum
# d: device
# i: inode
# p: permissions
# n: number of links
# u: user
# g: group
# s: size
# b: number of blocks
# m: mtime
# c: ctime
# a: atime
These are aliases that combine several of the monitored attributes into one named rule:
# all: p+d+i+n+u+g+s+b+m+c+md5
# R: p+d+i+n+u+g+s+m+c+md5
# L: p+d+i+n+u+g
# P: p+n+u+g+s+md5
# E: ''
DIR = p+i+n+u+g
ETC = p+d+i+u+g+s+md5
Logs = p+n+u+g
MyRule = p+d+i+n+u+g+s+b+md5+m
The following lines are the monitored directories and the rule applied to each (a leading = means the directory itself is checked without descending into it):
=/ DIR
/etc ETC
/usr/bin MyRule
/usr/sbin MyRule
/usr/lib MyRule
Here are a few basic commands:
[root@localhost ~]# afick -c /etc/afick.conf -i    # create the initial database
# Hash database created successfully. 13326 files entered.
# #
# MD5 hash of /var/lib/afick/afick => y1GbVg0B+pVBaUp9l8sizQ
# user time: 4.63; system time: 1.11; real time: 6
[root@localhost ~]# touch jdm.test              # make a change
[root@localhost ~]# chmod 644 /etc/profile      # make a change
[root@localhost ~]# chmod 777 aaaaa             # make a change
[root@localhost ~]# useradd -g root zhangxi     # make a change
[root@localhost ~]# afick -c /etc/afick.conf -k    # check for changes against the database
# detailed changes
New file: /root/jdm.test
Inode_date: Wed Mar 12 14:00:29 2014
Changed file: /etc/passwd
Md5: 8b047ab7fa8e663c0a4601731ec27137 22c53b608c0f8da5cb5b0a341c75b761
Inode: 188601 188609
Filesize: 1211 1252
Changed file: /etc/passwd-
Md5: 95f354f48ca9a62372727d5cf220ab13 8b047ab7fa8e663c0a4601731ec27137
Filesize: 1178 1211
Changed file: /etc/profile
Filemode: 100644 100777
Changed file: /etc/shadow
Md5: 90b5aba8688fa713ab3787a598569187 da4e3c7b3ac80f52bf8a545902d2cbdc
Inode: 188602 188601
Filesize: 810 840
Changed file: /etc/shadow-
Md5: 297162f0cee8ba0fb70e4b8b17256946 90b5aba8688fa713ab3787a598569187
Filesize: 781 810
Changed directory: /root
Mtime: Wed Mar 12 13:13:05 2014 Wed Mar 12 14:00:29 2014
Changed file: /root/aaaaa
Filemode: 100644 100777
# Hash database: 13327 files scanned, 8 changed (new: 1; delete: 0; changed: 7; dangling: 5; exclude_suffix: 161; exclude_prefix: 0; exclude_re: 0; degraded: 1)
# #
# MD5 hash of /var/lib/afick/afick => y1GbVg0B+pVBaUp9l8sizQ
# user time: 5.4; system time: 0.79; real time: 6
[root@localhost ~]# afick -c /etc/afick.conf -u    # update the database once the changes have been reviewed
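To make the rule syntax and the change report above concrete, here is an added example (not afick's own code and not from the original post) that expands the aliases from the afick.conf excerpt into attribute sets, snapshots those attributes for a file with afick's letter codes, and diffs two snapshots the way afick's "changed file" lines do. The alias table and the constructed scenario (chmod 777 plus an appended passwd-style line) are assumptions taken from this page; hashes are computed with hashlib.

```python
import hashlib
import os
import stat
import tempfile
# Aliases copied from the afick.conf excerpt above (the only rule names assumed here).
ALIASES = {
    "all": "p+d+i+n+u+g+s+b+m+c+md5", "R": "p+d+i+n+u+g+s+m+c+md5",
    "L": "p+d+i+n+u+g", "P": "p+n+u+g+s+md5", "E": "",
    "DIR": "p+i+n+u+g", "ETC": "p+d+i+u+g+s+md5",
    "Logs": "p+n+u+g", "MyRule": "p+d+i+n+u+g+s+b+md5+m",
}

def expand(rule):
    """Expand a rule such as 'MyRule' or 'p+md5' into the set of attribute codes it checks."""
    attrs = set()
    for tok in filter(None, (t.strip() for t in rule.split("+"))):
        attrs |= expand(ALIASES[tok]) if tok in ALIASES else {tok}
    return attrs

def snapshot(path, attrs):
    """Record the requested attributes of one path, using afick's codes and formats."""
    st = os.lstat(path)
    fields = {"p": f"{st.st_mode:o}", "d": st.st_dev, "i": st.st_ino, "n": st.st_nlink,
              "u": st.st_uid, "g": st.st_gid, "s": st.st_size,
              "b": getattr(st, "st_blocks", 0), "m": int(st.st_mtime),
              "c": int(st.st_ctime), "a": int(st.st_atime)}
    rec = {a: fields[a] for a in attrs if a in fields}
    if stat.S_ISREG(st.st_mode):               # checksums only make sense for regular files
        for h in attrs & {"md5", "sha1", "sha256", "sha512"}:
            with open(path, "rb") as f:
                rec[h] = hashlib.new(h, f.read()).hexdigest()
    return rec

def diff(old, new):
    """Attributes whose value differs between two snapshots: {code: (old, new)}."""
    return {k: (old.get(k), new.get(k)) for k in old.keys() | new.keys()
            if old.get(k) != new.get(k)}

def demo():
    """Constructed scenario mirroring the page: chmod 777 plus an appended line on one file."""
    path = os.path.join(tempfile.mkdtemp(), "profile")
    with open(path, "wb") as f:
        f.write(b"export PATH\n")
    os.chmod(path, 0o644)
    baseline = snapshot(path, expand("MyRule"))
    os.chmod(path, 0o777)                       # the page's 'chmod 777' change
    with open(path, "ab") as f:                 # content change, like useradd editing /etc/passwd
        f.write(b"zhangxi:x:501:0::/home/zhangxi:/bin/bash\n")
    return diff(baseline, snapshot(path, expand("MyRule")))
```

demo() returns the permission change as ('100644', '100777') and the size and md5 changes, while inode, device, owner and group stay out of the report because they did not change.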