DesignWIKI

Fil Salustri's Design Site


Fascan

Fascan is a Perl script I use to check security on my computer.

Fascan is a script that checks files and directories to see whether they've changed since the last time it ran. It is useful for detecting hacks and viruses. It's very simple, which is both good and bad.

Usage

% /usr/bin/perl fascan.pl [options]

where options are:

  • -d: reinitialize the database, ignoring all stored data to date.
  • -n: print the report to stdout rather than sending email.
  • -c file: use file as the config file.

Fascan writes files in every directory it studies, so make sure you have write permission in those directories. If you don't, you'll have to run it as root.

Installation

The downloadable source contains three files:

  • fascan.pl: the Perl script itself.
  • fascan.conf: the configuration file.
  • README: documentation and other info (basically the same as this page).

To install it:

  1. Make a directory to contain both fascan.pl and fascan.conf.
  2. Edit fascan.conf. The format is as follows.
    • Lines starting with # are comments and will be ignored.
    • Blank lines are allowed and ignored.
    • email someone@somewhere defines who will receive the reports by email.
    • ignore file-or-directory will prevent file-or-directory from being studied.
    • check file-or-directory will make the program study file-or-directory. If it's a directory, all files in it will be checked, but it will not recurse into subdirectories.
    • recurse directory will make the program recursively study the contents of directory.
  3. Make sure your installation of Perl has the MD5, Fcntl, and Getopt modules available. They're usually installed already; if they're missing, you can get them from CPAN.
  4. Change the line in fascan.pl that looks like: $lockfile = '/Users/fil/fascan.lock';
    • Change the path given so that it points to a file that you can read and write. This file is used to prevent multiple instances of fascan from running simultaneously or overlappingly.

Reporting

Output is only generated if changes are found. This means you'll only get email if something has changed, so your inbox won't fill with vacuous messages from fascan.

For new files you'll get something like:

New file /Users/fil/.cshrc
0644  1      fil      fil  899b  2007/08/15-07:18:54
5B014EDCF77E8AC921A4CD365D4BF01F

  • The 2nd line gives the mode, number of links, owner, group, size, and the 'modification time' as reported by 'stat'.
  • The 3rd line gives the MD5 checksum for the item.

For files that have changed, you'll get something like:

Changed 
OLD: /private/etc/daily
0755  1     root    wheel   24b  2005/04/02-23:41:04
7B5C15F3D613B148CB883D8795DCEF4A
NEW: /private/etc/daily
0755  1     root    wheel   24b  2005/04/02-23:41:04
B1A9AFFD0BDA0588BD4A432C560D468B
Changes in: md5

You get info about the old version (as of the last run of fascan), then the new version, and a list (in the last line) of the items that changed. In the example, only the MD5 checksum changed.

Deleted files are also reported, if they were ever registered in the fascan database.
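To make the comparison step concrete, here is an added Python example (not Fascan's own Perl code) that diffs two snapshots of the records described above and renders the same New / Changed / Deleted report. The snapshots, paths and hashes in it are constructed for the example; the record fields follow the report layout on this page.

```python
# Added example (Python, not Fascan's own Perl code): the comparison and report
# step of a Fascan-style integrity check, using the record fields shown above.
FIELDS = ("mode", "nlink", "owner", "group", "size", "mtime", "md5")

def fmt_record(path, r):
    """Render a record in the three-line layout of the reports above."""
    return "%s\n%s  %d  %s  %s  %db  %s\n%s" % (
        path, r["mode"], r["nlink"], r["owner"], r["group"],
        r["size"], r["mtime"], r["md5"])

def compare(old, new):
    """Diff two snapshots (path -> record) as stored between runs.
    Returns (report_text, {path: [changed fields]}); the report is empty
    when nothing changed, so no mail would be sent."""
    lines, changed = [], {}
    for path in sorted(set(old) | set(new)):
        if path not in old:
            lines.append("New file " + fmt_record(path, new[path]))
        elif path not in new:
            lines.append("Deleted " + fmt_record(path, old[path]))
        else:
            diff = [f for f in FIELDS if old[path][f] != new[path][f]]
            if diff:
                changed[path] = diff
                lines.append("Changed\nOLD: " + fmt_record(path, old[path])
                             + "\nNEW: " + fmt_record(path, new[path])
                             + "\nChanges in: " + ", ".join(diff))
    return "\n\n".join(lines), changed

def rec(mode, nlink, owner, group, size, mtime, md5):
    return dict(zip(FIELDS, (mode, nlink, owner, group, size, mtime, md5)))

# Constructed snapshots (values invented for the example, not real hashes).
OLD = {
    "/private/etc/daily": rec("0755", 1, "root", "wheel", 24,
                              "2005/04/02-23:41:04", "7B5C" + "0" * 28),
    "/etc/hosts": rec("0644", 1, "root", "wheel", 300,
                      "2007/01/10-09:00:00", "AAAA" + "0" * 28),
    "/Users/fil/old.txt": rec("0644", 1, "fil", "fil", 10,
                              "2007/01/01-00:00:00", "BBBB" + "0" * 28),
}
NEW = dict(OLD)
del NEW["/Users/fil/old.txt"]  # removed since the last run
# Same size and mtime as before: only the checksum reveals the edit.
NEW["/private/etc/daily"] = dict(OLD["/private/etc/daily"], md5="B1A9" + "0" * 28)
NEW["/etc/hosts"] = dict(OLD["/etc/hosts"], size=320,
                         mtime="2007/08/15-07:18:54", md5="CCCC" + "0" * 28)
NEW["/Users/fil/.cshrc"] = rec("0644", 1, "fil", "fil", 899,
                               "2007/08/15-07:18:54", "5B01" + "0" * 28)

if __name__ == "__main__":
    print(compare(OLD, NEW)[0])
```

The /private/etc/daily case mirrors the report above: a file rewritten with its size and timestamp preserved is flagged only because the MD5 line differs, which is why the checksum matters more than the stat fields.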

Examples

% sudo /usr/bin/perl fascan.pl -n

This runs as root (good for checking a whole disk on a multiuser computer) and produces output on the standard output rather than sending email.

% /usr/bin/perl fascan.pl -d -c /usr/local/fascan.conf

This reinitializes the database – ignoring all previous data – and uses a different configuration file.

research/fascan.txt · Last modified: 2020.03.12 13:30 (external edit)