FCheck: A Solution to Host-Based Intrusion Detection
Ron McCarty
Sidebar 1
In September 1999, my Sys Admin article "Intrusion Detection Strategies
and Design Considerations" gave an overview of intrusion detection. In
February 2000, I followed up with an introduction to Snort, a network intrusion
detection system (IDS), so it is about time I got around to a host-based IDS.
A host-based IDS of the kind discussed here notifies administrators when key
system files have changed on a particular system. Detecting intrusions is its
primary function, but many administrators also come to rely on their host-based
IDS to provide an audit trail for changes made by their peers and themselves
in the regular course of systems administration.
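The following is an added example, not code from FCheck or from this article, showing the core of what such a host-based IDS does: take a baseline of the files it monitors, store it, and later report anything added, removed, or changed. It assumes a tab-separated baseline file format and SHA-256 checksums (via the core Digest::SHA module); FCheck's own storage format and checksum choice are not described on this page.

```perl
#!/usr/bin/perl
# Minimal file-integrity checker (added example, not FCheck's code).
#   fic.pl baseline <db-file> <dir>...   record the current state
#   fic.pl check    <db-file> <dir>...   report ADDED/REMOVED/CHANGED files
use strict;
use warnings;
use File::Find;
use Digest::SHA;

# Assumed baseline format, one tab-separated line per regular file:
#   path  sha256  size  mode(octal)  uid  gid  mtime
# (paths containing a tab would break this simple format)
my @FIELDS = qw(sha256 size mode uid gid mtime);

# Walk the given directories and collect hash plus metadata for each file.
sub snapshot {
    my @roots = @_;
    my %state;
    find({ no_chdir => 1, wanted => sub {
        my $path = $File::Find::name;
        return if -l $path;            # ignore symlinks themselves
        return unless -f $path;        # regular files only (no dirs, devices)
        my @st = stat($path) or return;
        my $hash = 'UNREADABLE';       # e.g. permission denied; still tracked
        if (open my $fh, '<:raw', $path) {
            $hash = Digest::SHA->new(256)->addfile($fh)->hexdigest;
            close $fh;
        }
        $state{$path} = {
            sha256 => $hash,
            size   => $st[7],
            mode   => sprintf('%04o', $st[2] & 07777),  # includes setuid/setgid/sticky
            uid    => $st[4],
            gid    => $st[5],
            mtime  => $st[9],
        };
    }}, @roots);
    return \%state;
}

sub save_baseline {
    my ($file, $state) = @_;
    open my $out, '>', $file or die "cannot write $file: $!\n";
    for my $path (sort keys %$state) {
        print {$out} join("\t", $path, @{ $state->{$path} }{@FIELDS}), "\n";
    }
    close $out;
}

sub load_baseline {
    my ($file) = @_;
    open my $in, '<', $file or die "cannot read $file: $!\n";
    my %state;
    while (my $line = <$in>) {
        chomp $line;
        my ($path, @f) = split /\t/, $line, -1;
        @{ $state{$path} }{@FIELDS} = @f;
    }
    close $in;
    return \%state;
}

# Compare two snapshots; return one report line per difference.
sub compare_state {
    my ($old, $new) = @_;
    my @report;
    for my $path (sort keys %$old) {
        if (!exists $new->{$path}) { push @report, "REMOVED  $path"; next; }
        my @diff = grep { $old->{$path}{$_} ne $new->{$path}{$_} } @FIELDS;
        push @report, "CHANGED  $path (" . join(', ', @diff) . ")" if @diff;
    }
    for my $path (sort keys %$new) {
        push @report, "ADDED    $path" unless exists $old->{$path};
    }
    return @report;
}

my ($cmd, $db, @roots) = @ARGV;
die "usage: $0 baseline|check <db-file> <dir>...\n" unless $cmd && $db && @roots;
if ($cmd eq 'baseline') {
    save_baseline($db, snapshot(@roots));
} elsif ($cmd eq 'check') {
    my @report = compare_state(load_baseline($db), snapshot(@roots));
    print "$_\n" for @report;
    exit(@report ? 1 : 0);   # non-zero exit lets a cron wrapper decide to mail
} else {
    die "unknown command '$cmd'\n";
}
```

Two practical points carry over to any tool of this type, FCheck included: the content hash is what makes the check trustworthy, since an attacker who can write a file can also reset its mtime; and the baseline file must be protected (read-only media, or a copy kept off the host) because an intruder who can edit the baseline can silently re-baseline their own changes.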
This value-added auditing feature has encouraged the use of free software
(especially Tripwire [http://www.tripwire.com],
which was freely available in the past) for this purpose even in shops that
would not normally allow "free" software installation. Since there is no capital
expenditure for the product, the system auditing functionality can be deployed
on as many systems as desired. This is definitely win-win: it provides broader
host-based IDS coverage and allows administrators to manage systems more
effectively through better auditing.
FCheck (http://sites.netscape.net/fcheck/download.html)
is a freely available, open source host-based IDS that runs on both UNIX and Windows
systems. FCheck is written in Perl, which many admins will consider an advantage.
Perl 5 or later is required.
FCheck Architecture
FCheck definitely supports the UNIX philosophy of using small, specific task-oriented
tools to create larger, general purpose tools.