Sidebar 1: fcheck_file_support
Although the documentation states that FCheck supports the monitoring of individual
files, that statement is a leftover from earlier documentation, as the author's
FAQ in the README file clarifies. The author, Michael Gumienny, notes in the FAQ
that you can simulate single-file support by defining the directory and excluding
everything else in it. That is what the few lines of code below in the
fcheck_file_support script do. After placing the file in an appropriate location,
such as /usr/local/bin/, and setting the execute bit, run the script with two
parameters: the directory and the file you wish to monitor. The script then prints
a list of Exclusion statements that you can either redirect in append mode (>>)
to the config file or paste into it. Be sure that the matching Directory =
entry precedes the Exclusion entries.
Although this script does the trick, it is not as granular as a complete integration
could be. Additionally, any new file created in the directory will also set
off the IDS...not a bad thing, but not the complete control that many of us would
like to have. However, as I mentioned in the column, FCheck is still a very
good thing to have in your toolbox.
#!/bin/bash
# fcheck_file_support
# Usage: fcheck_file_support <directory> <file-to-monitor>
# Prints an "Exclusion =" line for every entry in <directory> except the
# file you want FCheck to watch; append the output to the config file
# below the matching "Directory =" entry.
if echo "$1" | grep -v '/$' >/dev/null
then
    dir="$1/"
else
    dir="$1"
fi
for path in "$dir"*
do
    i=$(basename "$path")
    # Keep the monitored file out of the exclusion list (exact match only,
    # so monitoring "passwd" does not also drop "passwd-").
    [ "$i" = "$2" ] && continue
    echo "Exclusion = $dir$i"
done
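The same idea carried a little further, as an added example that is neither the article's script nor part of FCheck: a function that emits the Directory = entry together with the Exclusion = entries, lets you keep more than one file under watch, and also excludes dot-files, which the simple glob above skips but FCheck would still scan. The function name fcheck_watch_only is an assumption; the config keys follow the article's Directory = / Exclusion = lines.

```shell
#!/bin/sh
# Added example (not from the article or from FCheck): generate the
# "Directory =" plus "Exclusion =" block that makes FCheck report changes
# only for the named files inside one directory.

# fcheck_watch_only DIR FILE [FILE...]
# Prints one Directory entry for DIR, then one Exclusion entry for every
# entry of DIR (dot-files included) that is not one of the FILE names.
fcheck_watch_only() {
    dir=$1
    shift
    # Normalise to a trailing slash so "$dir$name" is a full path.
    case $dir in
        */) ;;
        *) dir="$dir/" ;;
    esac
    echo "Directory = $dir"
    # Three patterns cover plain names, ".name" and "..name"; the -e test
    # drops a pattern that matched nothing and stayed literal.
    for path in "$dir"* "$dir".[!.]* "$dir"..?*; do
        [ -e "$path" ] || continue
        name=${path##*/}
        keep=0
        for want in "$@"; do
            [ "$name" = "$want" ] && keep=1
        done
        [ "$keep" -eq 1 ] && continue
        echo "Exclusion = $dir$name"
    done
}
```

The output is a snapshot of the directory at the time you ran it: a file created later is not in the exclusion list, so FCheck will still flag it, exactly the behaviour the sidebar describes. Re-run the function and replace the block whenever the directory's contents legitimately change.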