FCheck
By: James Reynolds - Revised: 2006-05-17
Introduction
Learn how to install and set up FCheck.
Why this document?
I wrote this document in 2002 for Mac OS X 10.1. I never posted it because I decided to use Radmind instead of FCheck. Well, I had this finished document that was still good (written for FCheck 2.07.59, which is still the current version as of May 2003), so I decided to throw it up here. I updated part of the exclusion list below for Mac OS X 10.2, but I haven't tested it.
What is FCheck?
FCheck notices changes on the hard disk and notifies you of unauthorized changes. FCheck does this by taking periodic "baseline" snapshots and comparing them. This is also called a tripwire. For more information, see the FCheck homepage.
Installing FCheck
FCheck is written in Perl, free, and easy to install. To install, first download the scripts from the FCheck download page, or download the tar.gz file directly. You will get 5 files:
- fcheck - the perl script that takes the snapshots and compares them.
- install - instructions on how to install fcheck.
- fcheck.cfg - the fcheck configuration file.
- README - more instructions.
- license - what you are agreeing to by using the software.
1) Decide where you want to put fcheck. The install file suggests "/usr/local/fcheck". However, you can put it wherever you like. You will need to specify the location of fcheck, its configuration file, and more, so its location does matter.
2) Copy "fcheck" and "fcheck.cfg" to the location you have chosen.
Configure FCheck
3) Edit "fcheck". Find the section titled "User modifiable variable definitions".
Change: $config="location of fcheck.cfg"
Example: $config="/usr/local/fcheck/fcheck.cfg"
4) Edit "fcheck.cfg".
Here are the sections that will require modification:
- DataBase - the location of the "snapshot".
- Change: Database = location of fcheck database
- Example: Database = /usr/local/fcheck/fcheck.dbf
- System - the platform.
- TimeZone - the timezone.
- Change: TimeZone = your timezone environment variable
- Format is xxxyyyzzz where:
xxx is the Standard Time Zone
yyy is the hours west of GMT
zzz is the Daylight Savings Time Zone
- Atlantic, AST4ADT; Eastern, EST5EDT; Central, CST6CDT; Mountain, MST7MDT; Pacific, PST8PDT.
- Directory - tells fcheck what folders to check. Open your terminal and type "ls -al /" to get a list of the directories you need to check.
- The following lines tell FCheck to check the entire hard disk:
Directory = /
Directory = /Applications/
Directory = /Library/
Directory = /Network/
Directory = /System/
Directory = /Users/
Directory = /bin/
Directory = /private/
Directory = /sbin/
Directory = /usr/
- There are other directories at the root level, but they generate errors. Here are some of them:
/File Transfer Folder/
/TheVolumeSettingsFolder/
/.Trashes/
/Trash/
/Desktop Folder/
/Volumes/
/automount/
/dev/
- Note: specifying a directory causes FCheck to perform a recursive search. The main exception is the root directory "/". See the README for more information.
- Exclusion - tells fcheck to ignore files/folders (like logs).
- Here is a list of files that change often. Some of the files below are critical and you should not ignore them; they are listed here only so that you know what changes often.
Exclusion = /Library/Caches/
Exclusion = /Network/Servers/
Exclusion = /Library/ColorSync/Profiles/Displays/
Exclusion = /Library/Preferences/
Exclusion = /System/Library/Caches/
Exclusion = /System/Library/Extensions.mkext
Exclusion = /System/Library/Filesystems/hfs.fs/hfs.label
Exclusion = /System/Library/Filesystems/hfs.fs/hfs.name
Exclusion = /Users/your user/
Exclusion = /Volumes/
Exclusion = /dev
Exclusion = /mach.sym
Exclusion = /mach
Exclusion = /private/etc/appletalk.nvram.en0
Exclusion = /private/etc/appletalk.cfg
Exclusion = /private/etc/hostconfig
Exclusion = /private/etc/resolv.conf
Exclusion = /private/var/backups/local.nidump
Exclusion = /private/var/db/NetworkInterfaces.xml
Exclusion = /private/var/db/SystemEntropyCache
Exclusion = /private/var/db/dhcpclient/leases/
Exclusion = /private/var/db/netinfo/local.nidb/
Exclusion = /private/var/log/
Exclusion = /private/var/msgs/bounds
Exclusion = /private/var/root/Library/Preferences/
Exclusion = /private/var/run/
Exclusion = /private/var/sleep.out
Exclusion = /private/var/tmp/
Exclusion = /private/var/vm/
- Note: entries that end with "/" are folders. Entries that do not end with "/" are files.
- Logger - how to alert you of changes.
Read the README for information on the configuration file.
Running FCheck for the first time
It is extremely helpful to use a script that performs several tasks when testing fcheck. Because FCheck can take a while, the most useful thing is to be told when FCheck has finished. The following line will have the Mac speak "F Check is finished." when the run completes.
sudo fcheck -ac ; osascript -e 'say "F check is finished"'
You could also hard code this into a script like this:
#!/bin/sh
# run me as root!
sudo fcheck -ac
osascript -e 'say "F check is finished"'
After running FCheck, make some "unauthorized changes". See if FCheck catches them by running the same command as above without the "c" option, like this:
sudo fcheck -a ; osascript -e 'say "F check is finished"'
Or this script:
#!/bin/sh
# run me as root!
fcheck -a
osascript -e 'say "F check is finished"'
To automate the process, add a line to the system crontab file (/etc/crontab), like this:
0 2 * * * root /Users/macmgr/Admin/fcheck/fcheck -a
Or you can run a script instead, like this:
0 2 * * * root /Users/macmgr/Admin/fcheck/periodic_check.sh
#!/bin/sh
# periodic_check.sh - run me as root (the crontab entry above already runs it as root)
# cron's default PATH will not find fcheck, so use the full path from the crontab line
/Users/macmgr/Admin/fcheck/fcheck -a
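To make the Directory/Exclusion semantics of the configuration section and the baseline-then-compare cycle of the testing section concrete, here is a small Python mini-tripwire, added as an example; it is not FCheck's own code. It reads Directory and Exclusion lines in the fcheck.cfg style (an entry ending in "/" excludes a folder by prefix, anything else names one file), takes a baseline snapshot, then reports what a later snapshot shows as added, removed or changed, all over a constructed temporary directory tree. The special non-recursive handling of "/" described in the README is not modelled.

```python
import hashlib, os, tempfile

def parse_cfg(text):
    # Collect the Directory and Exclusion entries of an fcheck.cfg-style text.
    entries = {"directory": [], "exclusion": []}
    for line in text.splitlines():
        key, sep, val = line.split("#", 1)[0].partition("=")
        if sep and key.strip().lower() in entries:
            entries[key.strip().lower()].append(val.strip())
    return entries["directory"], entries["exclusion"]

def excluded(path, excl):
    # An entry ending in "/" is a folder (prefix match); otherwise it names one file.
    return any(path.startswith(e) if e.endswith("/") else path == e for e in excl)

def snapshot(root, dirs, excl):
    # Baseline: map every non-excluded file to (size, sha256), the "database".
    db = {}
    for d in dirs:
        for cur, _, files in os.walk(os.path.join(root, d.strip("/"))):
            for name in files:
                full = os.path.join(cur, name)
                rel = "/" + os.path.relpath(full, root).replace(os.sep, "/")
                if not excluded(rel, excl):
                    with open(full, "rb") as fh:
                        db[rel] = (os.path.getsize(full), hashlib.sha256(fh.read()).hexdigest())
    return db

def compare(baseline, current):
    # What a later snapshot shows as added, removed or changed versus the baseline.
    return {"added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current)),
            "changed": sorted(p for p in baseline if p in current and baseline[p] != current[p])}

def demo():
    # Constructed mini filesystem in a temp dir, then simulated "unauthorized changes".
    root = tempfile.mkdtemp()
    def put(rel, data):
        full = os.path.join(root, rel.strip("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(data)
    put("/bin/ls", "ls v1"); put("/etc/hostconfig", "AFPSERVER=-NO-"); put("/var/log/system.log", "boot")
    dirs, excl = parse_cfg("Directory = /bin/\nDirectory = /etc/\nDirectory = /var/\nExclusion = /var/log/\n")
    baseline = snapshot(root, dirs, excl)            # like "fcheck -ac"
    put("/bin/ls", "ls v2 (unauthorized)")           # modified file
    put("/bin/newtool", "dropped")                   # added file
    os.remove(os.path.join(root, "etc/hostconfig"))  # removed file
    put("/var/log/system.log", "boot\nmore")         # excluded: must not be reported
    return compare(baseline, snapshot(root, dirs, excl))  # like "fcheck -a"
```

Calling demo() returns the three lists; the excluded log change is absent, which is exactly what an over-broad Exclusion list would hide on a real system.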