Manipulation detection with AFICK
Checker
AFICK (another file integrity checker) detects changes to the system and sounds an alert. The tool first creates a unique fingerprint of selected files in the form of a checksum. If a different checksum is computed during a later check, the file has been modified, whether by a malicious program, an attacker, or a defect; the checksum tells you that something changed, not who changed it. In this way, AFICK not only detects manipulation attempts, but also acts as a small host-based intrusion detection system.
The tool is licensed under the liberal GNU GPLv3 license, which also allows free use in the enterprise. AFICK only requires Perl v5.10 or newer. Developer Eric Gerbier has tested his tool under all Windows versions from XP upward, various Unix systems (e.g., HPUX and AIX), and numerous Linux distributions (e.g., SUSE, Red Hat, Debian, and Ubuntu). Windows users can easily install Perl with the ActivePerl [1] package.
Most Unix and Linux systems come with Perl by default or support simple installation from the package manager. In addition to the Perl package, you will also want the Digest::MD5, Digest::SHA1, and Perl/Tk modules. The latter two are optional; Perl/Tk is only required for the graphical user interface.
Installation
To install AFICK, first download the latest version from SourceForge [2]. Windows users need the EXE file; at the editorial deadline this was afick-setup-3.6.1.exe. All you have to do is start this program and leave the installation to the wizard, which downloads a few additional Perl modules, so you must have Internet access.
Linux users, on the other hand, have the choice between several packages. Only the packages that start with afick and are immediately followed by the version number (e.g., afick_3.6.1-1_all.deb) are of importance. If you have an Ubuntu-based distribution, you should grab the package with the ubuntu_all.deb extension, and Debian users will want to go for the package with the shorter _all.deb file extension. In both cases, you import the package by typing:
dpkg -i <package name>
On SUSE, openSUSE, Red Hat, and CentOS, you should use the file with the .noarch.rpm extension and install it with:
rpm -Uvh <package name>
On all other distributions and Unix systems, make sure you have the make tool on your computer before downloading and unpacking the .tgz archive. From the newly created directory, call the commands:
perl Makefile.pl
sudo make all
The first of these commands prepares the installation process and provides an overview of all the required Perl modules. The second command installs AFICK in the /opt/afick directory. Because of the manual installation, you will always have to update the tool manually in the future by simply installing the new version over the old one.
Creating Checksums
A configuration file informs the tool which files and directories you want AFICK to monitor. Windows users can find it in the C:\Program Files (x86)\afick folder. On Linux, you will usually find the afick.conf file under /etc/ or /opt/afick/etc/. If you used the tar.gz archive, you can also use the included linux.conf file as a starting point. For an initial test run, leave the settings in the configuration file as they are.
Before AFICK can report changes, the tool needs to create checksums and store them in its database with the
afick.pl -c <configfile> -i
command. On Linux you have to introduce the command with sudo for root privileges (Figure 1). To run it under Windows, open a command prompt with administrator rights, switch to the AFICK folder, and call the above-mentioned command preceded with perl -w (which will be necessary for the rest of the AFICK commands in Windows):
cd "C:\Program Files (x86)\afick"
perl -w afick.pl -c <configfile> -i
Throughout, replace <configfile> with the name of your configuration file (e.g., /etc/afick.conf or, on Windows, windows.conf). Administrator rights are needed because the default configuration covers the entire system, including files that only root or an administrator can read. With corresponding settings in the configuration file, normal users can also run AFICK against their home or user directories.
Depending on your system, creating checksums can take several minutes. On Ubuntu 18.10, AFICK took about three minutes with the sample configuration on a test system that was no longer up to date. If you use the supplied configuration file, AFICK uses MD5 checksums, which are fast to compute but no longer considered collision resistant. In the configuration file, however, you can switch to SHA1 or SHA256 (more on this later); SHA256 is the sensible choice for a new deployment. In the end, AFICK outputs the message MD5 hash of followed by the storage location of the database. The code after the => is the MD5 checksum of the database file itself, which you can use at any time to check whether the database has been manipulated. This only helps if you keep that checksum where an attacker with root access to the host cannot reach it (another machine, read-only media, a printout): anyone who can rewrite the database can also recompute its hash in place.
Detecting Tampering
After the database is filled with checksums, use the following command to test your system for changes:
afick.pl -c <configfile> -k
Here, too, Linux users have to use sudo. The result is a list with all changed files and some statistics (Figure 2). Among other things, the statistics provide information about how many files AFICK has examined and how many new files have been added. Some system files and their checksums change, especially after system updates have been imported. In such situations, the command
afick.pl -c <configfile> -u
updates the AFICK database.
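To make the -i / -k / -u cycle above concrete, here is an added example, written for this article and not taken from AFICK itself, that implements the same baseline, check and update steps in POSIX shell using SHA-256 hashes of regular files. It also includes a verify_db step for the idea from the previous section: compare the database against a hash you recorded elsewhere before trusting a check run. AFICK records more per-file attributes than the single hash used here; the names hash_file, snapshot, baseline, check, update and verify_db are this example's own, and it assumes sha256sum (coreutils) or shasum, find, sort and awk are available.

```shell
#!/bin/sh
# Added example (not AFICK's own code): the baseline / check / update cycle
# that afick.pl -i, -k and -u implement, reduced to SHA-256 hashes of regular
# files. AFICK also records size, mode, owner, mtime, inode and more; only the
# hash is shown here. Assumes sha256sum (coreutils) or shasum, find, sort, awk.
set -u

# hash_file FILE: print "<64 hex chars>  <path>" (two spaces, as sha256sum does).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi
}

# snapshot DIR: one hash line per regular file under DIR, in a stable order.
# Paths containing a newline are not handled by this one-line-per-file format.
snapshot() {
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        hash_file "$f"
    done
}

# baseline DIR DB: write the snapshot to DB (afick.pl -i).
baseline() { snapshot "$1" > "$2"; }

# update DIR DB: accept the current state as the new baseline (afick.pl -u).
# Only do this after you have reviewed the report from check.
update() { baseline "$1" "$2"; }

# check DIR DB: compare the live state with DB (afick.pl -k). Prints one line
# per changed, new or deleted file; returns 1 if anything differs, 0 if clean.
check() {
    dir=$1; db=$2
    now=$(mktemp)
    snapshot "$dir" > "$now"
    # Split each line at the fixed offset rather than on whitespace so that
    # paths with spaces survive; FILENAME tells the two inputs apart even when
    # the baseline file is empty (the classic NR==FNR pitfall).
    report=$(awk '
        { h = substr($0, 1, 64); p = substr($0, 67) }
        FILENAME == ARGV[1] { old[p] = h; next }
        { new[p] = h }
        END {
            n = 0
            for (p in old) {
                if (!(p in new))           { print "deleted: " p; n++ }
                else if (old[p] != new[p]) { print "changed: " p; n++ }
            }
            for (p in new) if (!(p in old)) { print "new: " p; n++ }
            exit (n > 0)
        }' "$db" "$now")
    rc=$?
    rm -f "$now"
    [ -n "$report" ] && printf '%s\n' "$report" | sort
    return $rc
}

# verify_db DB EXPECTED: AFICK prints the hash of its database after -i; keep
# that value off the host and compare before trusting a check run, because an
# attacker who can rewrite the database can also recompute its hash in place.
verify_db() {
    [ "$(hash_file "$1" | cut -c1-64)" = "$2" ]
}

# demo: constructed sandbox showing a clean run, a tampered run and an update.
demo() {
    d=$(mktemp -d); db=$(mktemp)
    printf 'root:x:0:0:root:/root:/bin/sh\n' > "$d/passwd"   # constructed sample
    baseline "$d" "$db"
    expected=$(hash_file "$db" | cut -c1-64)
    check "$d" "$db" && echo "clean"
    printf 'eve:x:0:0::/:/bin/sh\n' >> "$d/passwd"          # simulated tampering
    check "$d" "$db" || echo "changes detected (exit $?)"
    update "$d" "$db"
    verify_db "$db" "$expected" || echo "database no longer matches recorded hash"
    rm -rf "$d" "$db"
}
```

Source the file and call demo, or point baseline and check at a directory of your own. The non-zero exit status from check is what you would key a cron job or monitoring alert on; in AFICK the equivalent signal is the change list and statistics that afick.pl -k prints.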