New Tool: ficheck.py, (Thu, Jul 24th) SANS Internet Storm Center, InfoCON: green

July 23, 2025

As I mention every time I teach FOR577, I have been a big fan of file integrity monitoring tools (FIM) since Gene Kim first released Tripwire well over 30 years ago. I’ve used quite a few of them over the years including tripwire, OSSEC, samhain, and aide, just to name a few. For many years, I used the fcheck Perl script (by Michael A. Gumienny) that was available as an apt package on Ubuntu because it was lightning fast. Unfortunately, sometime between Ubuntu 16.04 and Ubuntu 20.04 (my memory fails me as to exactly when), it slowed down on many of the systems I managed to the point where instead of being able to run it 4-6 times a day, it would now sometimes take more than 24 hours to run. And that was just running it on select directories, not the entire system, the way I run tools like aide. Though I started writing Perl scripts in 1989, I didn’t spend any time trying to figure out why fcheck was suddenly having so many issues. I let it go for quite a while, but a few months ago, I started thinking about it again and decided I’d write a look-alike in Python. What I’m releasing today is not quite complete, hence the 0.9.0 version number, but I’ve been using it on about a dozen systems (Debian and Ubuntu, though it should run just fine on any Linux with Python 3.9 or newer, probably older, too, but I again haven’t tried it on anything older) for about 6 months. I still want to add a couple of things including the ability to include additional config files like the .local.cfg that fcheck had, rather than having to put all the additions into the primary config.

I’ve named my tool ficheck.py[1] (File Integrity CHECK) since I didn’t want to step on Mr. Gumienny’s tool name, but I freely admit this is an homage to his tool that I really liked and used for years. I stole his config file and report formats. The script runs in under 90 seconds on all the systems I’ve been testing on including some large systems in public cloud and some very small memory VMs. I am also releasing a quick and dirty install script that will install a basic config, install a cron job to run it every 2 hours, and another of my scripts, mail_stuff.py[2] which will use mailx to send e-mail if it gets any ASCII (or UTF-8) bytes on stdin. Everything needed to install is in my scripts github repo[3]. The tool monitors for file creation and deletion, and inode number change (meaning a new file with same name), plus changes to file size, number of links, ownership, group, permissions, SHA2-256 hash (on files less than 500M, configurable with a command-line switch), file modification time (MTime), file metadata (inode) change time (CTime), and, if the pystatx module is installed (as described in my mac_robber.py update diary last year), file creation time (BTime).
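The attribute set described above, as an added Python example that is not ficheck.py's own code: a minimal baseline-and-compare check over the same fields (inode, size, link count, uid, gid, mode, SHA-256 below the 500M cap, mtime, ctime). BTime is left out because it needs the pystatx module mentioned in the diary; the function names, field names and the scratch-directory scenario in demo() are my own.

```python
"""Added example for this diary, not ficheck.py itself: snapshot the attributes
the diary lists (inode, size, links, uid, gid, mode, SHA-256 under a size cap,
mtime, ctime) and diff two snapshots. Function and field names are my own."""
import hashlib, os, stat, tempfile
from pathlib import Path

HASH_CAP = 500 * 1024 * 1024  # ficheck hashes files below 500M by default

def sha256_file(path, cap=HASH_CAP):
    """SHA-256 of a regular file no larger than `cap`; None otherwise."""
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode) or st.st_size > cap:
        return None
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root, cap=HASH_CAP):
    """Record the monitored attributes of every file under `root`."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            st = os.lstat(p)  # lstat: record a symlink itself, do not follow it
            db[p] = {"inode": st.st_ino, "size": st.st_size, "links": st.st_nlink,
                     "uid": st.st_uid, "gid": st.st_gid, "mode": stat.S_IMODE(st.st_mode),
                     "sha256": sha256_file(p, cap), "mtime": st.st_mtime_ns,
                     "ctime": st.st_ctime_ns}
    return db

def compare(baseline, current):
    """Paths added, paths deleted, and which attributes changed for the rest."""
    added = sorted(set(current) - set(baseline))
    deleted = sorted(set(baseline) - set(current))
    changed = {p: [k for k in baseline[p] if baseline[p][k] != current[p][k]]
               for p in set(baseline) & set(current)}
    return added, deleted, {p: d for p, d in changed.items() if d}

def demo():
    """Constructed scenario: baseline a scratch directory, then change it."""
    with tempfile.TemporaryDirectory(prefix="ficheck-demo-") as root:
        for name in ("edited.conf", "chmod.conf", "gone.conf", "touched.conf"):
            Path(root, name).write_text(f"original {name}\n")
        baseline = snapshot(root)
        Path(root, "edited.conf").write_text("original edited.conf\nplus a line\n")
        os.chmod(Path(root, "chmod.conf"), 0o400)          # permission change
        os.remove(Path(root, "gone.conf"))                 # deletion
        Path(root, "new.conf").write_text("dropped in\n")  # creation
        os.utime(Path(root, "touched.conf"), ns=(0, 0))    # mtime change only
        return compare(baseline, snapshot(root))
```

A rewritten file keeps its inode, so only the size, hash and timestamps move; a file replaced by a new one with the same name shows up as an inode change, which is why the diary lists that field separately.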

The directories I generally watch are ones where I don’t expect a lot of changes unless I’m applying patches. I do tune it to remove some files that get modified regularly during normal operations. I also have added some places (like /dev/shm) where attackers sometimes try to hide their malware. Here is a screenshot of the e-mail received when there are changes found. 

Check it out. If you run into any problems or have suggestions for improvements, e-mail me at the address below or on the handlers list or open an issue on github.

References:

  1. https://github.com/clausing/scripts/blob/master/ficheck.py
  2. https://github.com/clausing/scripts/blob/master/mail_stuff.py
  3. https://github.com/clausing/scripts/tree/master

—————
Jim Clausing, GIAC GSE #26
jclausing –at– isc [dot] sans (dot) edu

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License. 
