FCheck

By: James Reynolds - Revised: 2006-05-17 devin

Introduction

Learn how to install and set up FCheck.


Why this document?

I wrote this document in 2002 for Mac OS X 10.1. I never posted it because I decided to use Radmind instead of FCheck. Well, I had this finished document that was still good (written for FCheck 2.07.59, which is still the current version as of May 2003), so I decided to throw it up here. I updated part of the exclusion list below for Mac OS X 10.2, but I haven't tested it.

What is FCheck?

FCheck notices changes to files on the hard disk and notifies you of them, so that unauthorized changes stand out. FCheck does this by taking a "baseline" snapshot of the file system and comparing later snapshots against it. A tool that works this way is also called a tripwire. For more information, see the FCheck homepage.

Installing FCheck

FCheck is written in Perl, is free, and is easy to install. To install, first download the scripts from the FCheck download page, or just click here to download the tar.gz file. You will get 5 files:
  • fcheck - the Perl script that takes the snapshots and compares them.
  • install - instructions on how to install fcheck.
  • fcheck.cfg - the fcheck configuration file.
  • README - more instructions.
  • license - what you are agreeing to by using the software.
1) Decide where you want to put fcheck. The install file suggests "/usr/local/fcheck". However, you can put it wherever you like. You will need to enter the location of fcheck, its configuration file, and more into the script and the configuration file, so its location does matter.

2) Copy "fcheck" and "fcheck.cfg" to the location you have chosen.

Configure FCheck

3) Edit "fcheck". Find the section titled "User modifiable variable definitions".
Change: $config="location of fcheck.cfg"
Example: $config="/usr/local/fcheck/fcheck.cfg"

4) Edit "fcheck.cfg".

Here are the sections that will require modification:
  • Database - the location of the "snapshot" (the baseline database).
    • Change: Database = location of fcheck database
    • Example: Database = /usr/local/fcheck/fcheck.dbf
  • System - the platform.
    • Change: System = UNIX
  • TimeZone - the timezone.
    • Change: TimeZone = your timezone environment variable
    • The format is xxxyyyzzz, where:
      xxx is the standard time zone abbreviation
      yyy is the number of hours west of GMT
      zzz is the daylight saving time zone abbreviation
    • Examples: Atlantic, AST4ADT; Eastern, EST5EDT; Central, CST6CDT; Mountain, MST7MDT; Pacific, PST8PDT.
  • Directory - tells fcheck what folders to check. Open your terminal and type "ls -al /" to get a list of the directories you need to check.
    • The following lines tell FCheck to check the entire hard disk:

    Directory = /
    Directory = /Applications/
    Directory = /Library/
    Directory = /Network/
    Directory = /System/
    Directory = /Users/
    Directory = /bin/
    Directory = /private/
    Directory = /sbin/
    Directory = /usr/
    • There are other directories at the root level, but they generate errors. Here are some of them:

    /File Transfer Folder/
    /TheVolumeSettingsFolder/
    /.Trashes/
    /Trash/
    /Desktop Folder/
    /Volumes/
    /automount/
    /dev/
    • Note: specifying a directory causes FCheck to search it recursively. The main exception is the root directory "/", which is not searched recursively. See the README for more information.
  • Exclusion - tells fcheck to ignore files/folders (like logs).
    • Here is a list of files and folders that change often. Some of them are critical files that you should not ignore; they are listed here so that you know what changes often.

    Exclusion = /Library/Caches/
    Exclusion = /Network/Servers/
    Exclusion = /Library/ColorSync/Profiles/Displays/
    Exclusion = /Library/Preferences/
    Exclusion = /System/Library/Caches/
    Exclusion = /System/Library/Extensions.mkext
    Exclusion = /System/Library/Filesystems/hfs.fs/hfs.label
    Exclusion = /System/Library/Filesystems/hfs.fs/hfs.name
    Exclusion = /Users/your user/
    Exclusion = /Volumes/
    Exclusion = /dev
    Exclusion = /mach.sym
    Exclusion = /mach
    Exclusion = /private/etc/appletalk.nvram.en0
    Exclusion = /private/etc/appletalk.cfg
    Exclusion = /private/etc/hostconfig
    Exclusion = /private/etc/resolv.conf
    Exclusion = /private/var/backups/local.nidump
    Exclusion = /private/var/db/NetworkInterfaces.xml
    Exclusion = /private/var/db/SystemEntropyCache
    Exclusion = /private/var/db/dhcpclient/leases/
    Exclusion = /private/var/db/netinfo/local.nidb/
    Exclusion = /private/var/log/
    Exclusion = /private/var/msgs/bounds
    Exclusion = /private/var/root/Library/Preferences/
    Exclusion = /private/var/run/
    Exclusion = /private/var/sleep.out
    Exclusion = /private/var/tmp/
    Exclusion = /private/var/vm/

    • Note: entries that end with "/" are folders. Entries that do not end with "/" are files.
  • Logger - how to alert you of changes.
    • Logger = /usr/bin/logger
Read the README for information on the configuration file.
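As an added example (not FCheck's own code, and not a description of what FCheck itself checks), here is a small Python script that sanity-checks an fcheck.cfg before the first baseline run. It parses the "Key = value" lines used above (Database, System, TimeZone, Directory, Exclusion, Logger), validates the xxxyyyzzz TimeZone format from the TimeZone bullet, applies the trailing-slash rule from the Exclusion note, and warns about entries that can have no effect because they lie outside every Directory entry. The sample configuration is constructed for the demonstration, and which warnings are worth raising is my own choice.

```python
#!/usr/bin/env python3
"""Sanity-check an fcheck.cfg before running "fcheck -ac" (added example, not FCheck code)."""
import re

# xxxyyyzzz: standard zone, hours west of GMT, daylight saving zone (format from the page)
TZ_RE = re.compile(r"^[A-Z]{3}\d{1,2}[A-Z]{3}$")

# Constructed sample configuration, modelled on the settings in the text.
# Assumption: "#" starts a comment and blank lines are ignored.
SAMPLE_CFG = """\
# fcheck.cfg (constructed sample)
Database = /usr/local/fcheck/fcheck.dbf
System = UNIX
TimeZone = MST7MDT
Directory = /
Directory = /System/
Directory = /private/
Exclusion = /private/var/log/
Exclusion = /System/Library/Extensions.mkext
Exclusion = /Users/macmgr/
Logger = /usr/bin/logger
"""


def parse_cfg(text):
    """Return {key: value}; Directory and Exclusion may repeat, so they become lists."""
    cfg = {"Directory": [], "Exclusion": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in ("Directory", "Exclusion"):
            cfg[key].append(value)
        else:
            cfg[key] = value
    return cfg


def under_monitored(path, directories):
    """True if ``path`` is inside some Directory entry.

    Directory = / is the exception noted on the page: it is not recursive,
    so it only covers direct children of "/" (e.g. /mach), not /Library/Caches/.
    """
    for d in directories:
        if d == "/":
            if path != "/" and path.strip("/").count("/") == 0:
                return True
        elif path.startswith(d) or path == d.rstrip("/"):
            return True
    return False


def check_cfg(cfg):
    """Return a list of human-readable warnings (empty list means the config looks sane)."""
    warnings = []
    for key in ("Database", "System", "TimeZone", "Logger"):
        if key not in cfg:
            warnings.append(f"missing {key}")
    if not cfg["Directory"]:
        warnings.append("no Directory entries: nothing would be checked")
    tz = cfg.get("TimeZone", "")
    if tz and not TZ_RE.match(tz):
        warnings.append(f"TimeZone {tz!r} is not in xxxyyyzzz form (e.g. PST8PDT)")
    for ex in cfg["Exclusion"]:
        kind = "folder" if ex.endswith("/") else "file"   # trailing-slash rule
        if not under_monitored(ex, cfg["Directory"]):
            warnings.append(f"Exclusion {ex} ({kind}) is not under any Directory entry")
    # My own check: a database kept inside a monitored tree but not excluded
    # is itself a file that changes, so it will be reported as a change.
    db = cfg.get("Database")
    if db and under_monitored(db, cfg["Directory"]) and not any(
        db == ex or (ex.endswith("/") and db.startswith(ex)) for ex in cfg["Exclusion"]
    ):
        warnings.append(f"Database {db} is inside a monitored tree and not excluded")
    return warnings


if __name__ == "__main__":
    for warning in check_cfg(parse_cfg(SAMPLE_CFG)) or ["config looks sane"]:
        print(warning)
```

Run it against your own fcheck.cfg by replacing SAMPLE_CFG with the file's contents; the sample above deliberately excludes /Users/macmgr/ without listing /Users/ as a Directory, so the script reports that exclusion as having no effect.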

Running FCheck for the first time

It is extremely helpful to use a script that performs several tasks when testing fcheck. Because FCheck can take a while, the most useful thing is to be informed when FCheck has finished. The following command line runs FCheck and then has the Mac say "F check is finished." out loud when it completes:

sudo fcheck -ac ; osascript -e 'say "F check is finished"'

You could also hard code this into a script like this:

#!/bin/sh

# run me as root!

sudo fcheck -ac
osascript -e 'say "F check is finished"'

After running FCheck, make some "unauthorized changes". See if FCheck catches them by running the same command as above without the "c" option, like this:

sudo fcheck -a ; osascript -e 'say "F check is finished"'

Or this script:

#!/bin/sh

# run me as root!

fcheck -a
osascript -e 'say "F check is finished"'
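The baseline-then-compare cycle that "fcheck -ac" followed by "fcheck -a" performs, written out as an added Python example (not FCheck's code) so you can see what a tripwire actually records and how the Directory and Exclusion rules from the configuration section shape the result. It runs in a scratch directory that stands in for "/", records mode, size and a SHA-256 hash per file, and every file it creates is constructed for the demonstration; the "unauthorized changes" are one modified file, one new file, one deleted file, and two edits inside excluded entries that must not be reported.

```python
#!/usr/bin/env python3
"""Minimal tripwire in the style of FCheck (added example, not FCheck's own code).

Exclusion semantics follow the page: an entry ending in "/" excludes a whole
folder, an entry without "/" excludes one file.  Directory = / is scanned
without recursion, as the page notes; other Directory entries are walked fully.
"""
import hashlib
import json
import os
import tempfile


def is_excluded(path, exclusions):
    """Apply the trailing-slash rule from fcheck.cfg to one absolute path."""
    for ex in exclusions:
        if ex.endswith("/"):
            if path.startswith(ex) or path == ex.rstrip("/"):
                return True
        elif path == ex:
            return True
    return False


def snapshot(root, directories, exclusions):
    """Return {path: [mode, size, sha256]} for every monitored file.

    ``root`` is prefixed to each configured path so the demo can run in a
    scratch directory instead of the real "/" (assumption; a real run uses "/").
    """
    seen = {}
    for d in directories:
        top = os.path.join(root, d.lstrip("/"))
        for dirpath, dirnames, filenames in os.walk(top):
            rel_dir = "/" + os.path.relpath(dirpath, root).replace(os.sep, "/")
            rel_dir = "/" if rel_dir == "/." else rel_dir
            if d == "/":
                dirnames[:] = []   # root itself is not scanned recursively
            else:                  # prune excluded folders before descending into them
                dirnames[:] = [n for n in dirnames
                               if not is_excluded(rel_dir.rstrip("/") + "/" + n + "/", exclusions)]
            for name in filenames:
                rel = rel_dir.rstrip("/") + "/" + name
                if is_excluded(rel, exclusions):
                    continue
                full = os.path.join(dirpath, name)
                st = os.lstat(full)
                if os.path.islink(full):   # record the link target, do not follow it
                    digest = hashlib.sha256(os.readlink(full).encode()).hexdigest()
                else:
                    with open(full, "rb") as fh:
                        digest = hashlib.sha256(fh.read()).hexdigest()
                seen[rel] = [st.st_mode, st.st_size, digest]
    return seen


def save_baseline(db_path, baseline):
    """Write the snapshot to the Database file (JSON here; FCheck uses its own format)."""
    with open(db_path, "w") as fh:
        json.dump(baseline, fh)


def load_baseline(db_path):
    with open(db_path) as fh:
        return json.load(fh)


def compare(baseline, current):
    """Report the three kinds of change a tripwire looks for."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "changed": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def demo():
    """Constructed end-to-end run: baseline ("fcheck -ac"), tamper, re-check ("fcheck -a")."""
    root = tempfile.mkdtemp()

    def put(rel, data):
        full = os.path.join(root, rel.lstrip("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(data)

    put("/mach", "kernel")                                  # top-level file, seen via Directory = /
    put("/bin/ls", "ls 1.0")
    put("/private/etc/passwd", "root:*:0:0")
    put("/private/etc/hostconfig", "HOSTNAME=-AUTOMATIC-")  # excluded file
    put("/private/var/log/system.log", "boot")              # inside an excluded folder
    directories = ["/", "/bin/", "/private/"]
    # the database lives under "/" here, so it must be excluded or it shows up as a change
    exclusions = ["/private/etc/hostconfig", "/private/var/log/", "/fcheck.dbf"]
    db = os.path.join(root, "fcheck.dbf")
    save_baseline(db, snapshot(root, directories, exclusions))

    # "unauthorized changes": modified, added, removed, plus two edits that are excluded
    put("/bin/ls", "ls 1.0 with extra bytes")
    put("/bin/nc", "new binary")
    os.remove(os.path.join(root, "private/etc/passwd"))
    put("/private/etc/hostconfig", "HOSTNAME=changed")
    put("/private/var/log/system.log", "boot\nmore lines")
    return compare(load_baseline(db), snapshot(root, directories, exclusions))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

The report from demo() lists /bin/nc as added, /private/etc/passwd as removed and /bin/ls as changed, while the edits to the excluded hostconfig file and the excluded log folder are silent. Note the comment about the database file: keeping the baseline inside a monitored tree without excluding it is the most common way to get a spurious change report on every run.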

To automate the process, add a line to the system crontab file (/etc/crontab), like this:

0 2 * * * root /Users/macmgr/Admin/fcheck/fcheck -a

Or you can run a script instead, like this:

0 2 * * * root /Users/macmgr/Admin/fcheck/periodic_check.sh

#!/bin/sh

# periodic_check.sh # run me as root!

sudo fcheck -a