Fascan is a perl script I use to check security on my computer.
Fascan is a script that checks files and directories to see if they've changed since the last time it ran. It is useful to detect hacks and viruses. It's very simple, which is both good and bad.
% /usr/bin/perl fascan.pl [options]
-d: reinitialize the database, ignoring all stored data to date.
-n: print the report to stdout rather than sending email.
-c file: use file as the config file.
Fascan writes files in every directory it studies, so make sure you have write permission in those directories. If you don't, you'll have to run it as
The downloadable source contains three files:
fascan.pl: is the perl script itself.
fascan.conf: is the configuration file.
README: documentation and other info (basically the same as this page).
fascan.conf. The format is as follows.
email someone@somewhere defines who will receive the reports by email.
ignore file-or-directory will prevent file-or-directory from being studied.
check file-or-directory will make the program study file-or-directory. If it's a directory, all files in it will be checked, but it will not recurse into directories.
recurse directory will make the program recursively study the contents of
Getopt modules available. They're usually all installed already. If they're missing, you can get them from CPAN.
$lockfile = '/Users/fil/fascan.lock';
Output is only generated if changes are found. This means you'll only get email if something has changed, so your inbox won't fill with vacuous messages from fascan.
For new files you'll get something like:
New file /Users/fil/.cshrc 0644 1 fil fil 899b 2007/08/15-07:18:54 5B014EDCF77E8AC921A4CD365D4BF01F
For files that have changed, you'll get something like:
Changed
OLD: /private/etc/daily 0755 1 root wheel 24b 2005/04/02-23:41:04 7B5C15F3D613B148CB883D8795DCEF4A
NEW: /private/etc/daily 0755 1 root wheel 24b 2005/04/02-23:41:04 B1A9AFFD0BDA0588BD4A432C560D468B
Changes in: md5
You get info about the old version (as of the last run of fascan), then new version, and a list (in the last line) of the items changed. In the example, only the MD5 checksum changed.
Deleted files are also reported, if they were ever registered in the fascan database.
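One way to triage the OLD/NEW pairs in a report like the one above, as an added example that is not part of fascan: it parses both records, lists the columns that differ, and flags the case shown in the sample, where the checksum changed while size and modification time stayed the same. Column names other than md5 are assumed labels for the fields in the sample lines, and the notes it prints are this example's own.

```python
# Added example, not part of fascan. Field names other than "md5" are assumed
# labels for the columns shown in the sample report lines.
FIELDS = ("mode", "links", "owner", "group", "size", "mtime", "md5")

def parse_record(text):
    """Parse 'path mode links owner group size mtime md5' into a dict.

    The seven trailing columns never contain spaces, so splitting from the
    right keeps a path with embedded spaces in one piece.
    """
    parts = text.strip().rsplit(None, len(FIELDS))
    if len(parts) != len(FIELDS) + 1:
        raise ValueError(f"unrecognised record: {text!r}")
    record = dict(zip(FIELDS, parts[1:]))
    record["path"] = parts[0]
    return record

def triage(old_text, new_text):
    """Return (path, changed_fields, note) for one OLD/NEW pair."""
    old, new = parse_record(old_text), parse_record(new_text)
    if old["path"] != new["path"]:
        raise ValueError("OLD and NEW describe different files")
    changed = [f for f in FIELDS if old[f] != new[f]]
    if changed == ["md5"]:
        # A normal edit updates mtime, so this pattern deserves a closer look.
        note = "content differs but size and mtime match: timestamp kept or reset"
    elif {"mode", "owner", "group"} & set(changed):
        note = "permissions or ownership changed"
    elif changed:
        note = "ordinary modification"
    else:
        note = "no difference"
    return old["path"], changed, note

# OLD/NEW pair copied from the sample report on this page.
SAMPLE_OLD = ("/private/etc/daily 0755 1 root wheel 24b "
              "2005/04/02-23:41:04 7B5C15F3D613B148CB883D8795DCEF4A")
SAMPLE_NEW = ("/private/etc/daily 0755 1 root wheel 24b "
              "2005/04/02-23:41:04 B1A9AFFD0BDA0588BD4A432C560D468B")

if __name__ == "__main__":
    print(triage(SAMPLE_OLD, SAMPLE_NEW))
```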
% sudo /usr/bin/perl fascan.pl -n
This runs as root (good for checking a whole disk on a multiuser computer) and produces output on the standard output rather than sending email.
% /usr/bin/perl fascan.pl -d -c /usr/local/fascan.conf
This reinitializes the database – ignoring all previous data – and uses a different configuration file.