May 2, 2005

The Second Commandment of system administration

Author: Brian Warshawsky

Trust is a hard thing to come by in any workplace. Luckily for you, trust in your servers isn't. With the help of file integrity checkers, you can be absolutely sure of every change made within the filesystems of your servers.

II. Thou shalt establish absolute trust in thy servers

As their name suggests, file integrity checkers monitor the state of your filesystem, and report any changes that are made to files or directories back to you. They can monitor user and group ownership, last modification date, inode, file size, and a host of others items. This makes integrity checkers ideal for security applications, which is what most are designed for. If an intruder were to compromise one of your machines and modify a log file to hide his tracks, regular checks of your filesystem would immediately clue you in to a security breach. This type of early detection can make the difference between a quickly defeated intrusion and a serious sustained root-level compromise.

Besides the obvious benefits you gain on the security front, integrity checkers can also provide help with such tasks as ensuring that an application is completely removed when uninstalled, keeping tabs on what settings and files users are changing, and troubleshooting problematic applications.

Each integrity checker is a little different, so do some research before deciding on one. There are many excellent integrity checking applications out there, but the one I recommend and prefer is called afick (Another File Integrity ChecKer). Afick offers several advantages over integrity checkers such as Tripwire and AIDE. The first and foremost difference is that afick is written in Perl, which gives it the advantage of speed. Afick finishes the initialization of the database that stores filesystem attributes almost a minute faster than AIDE. Being written in Perl also means that afick is highly portable between operating systems. I currently have afick running on Linux, Windows, and Macintosh systems, and the afick Web page lists HP Tru64 Unix and AIX as well. I intend to deploy afick on a few Solaris servers in the near future, and I do not anticipate any issues with that. Having a consistent application on all of my servers it minimizes both installation time and the learning curve. Whether you are dealing with tens or hundreds of servers, this consistency is a blessing.

Installation of afick is as simple as any other Perl application. Simply download and untar the source code, and type:

perl Makefile.pl

If you're installing the command-line version, which is what I do, you can ignore any warnings about missing tk libraries, as they're not needed. After that, just tweak the configuration file to focus on the important areas of your filesystem and ignore the areas that will generate constant false alarms. Afick supports a wide range of configuration possibilities, and tuning it to perfectly monitor your system is likely to take a little trial and error. It won't take much time to get a grasp on the command syntax though, and before long you'll be comfortable with it.

While a full tutorial on configuring afick is outside the scope of this article, you can find an article that does just that here.

The commandments so far:
I. Thou shalt make regular and complete backups
II. Thou shalt establish absolute trust in thy servers

Click Here!