October 2000                    CyberSoft, Inc.                    VFind Security Toolkit Professional

NAME
    avatar - File System Baselining Tool
DESCRIPTION
avatar maintains the state of a file system in a baseline and uses that baseline to check and correct the contents of file systems. It can be applied to individual files, directory hierarchies, or whole file systems.

avatar protects files by recording one or more of the following attributes: existence, permissions, ownership, cryptographic signature, and file contents. When it determines that one or more of these attributes is incorrect, it reports the discrepancy and, on request, restores the file to its recorded state (see the check and correct commands below).
Avatar requires a LICENSE file to run. This LICENSE file is host specific, therefore avatar will only run on the licensed machine. Additional licenses may be purchased by contacting:

    CyberSoft, Inc.
    1508 Butler Pike
    Conshohocken, PA 19428
    Phone: +1.610.825.4748
    Fax: +1.610.825.6785

At startup, avatar searches for the LICENSE file in a set of known locations.
avatar has eight modes of operation: create, update, iupdate, add, delete, configuration, check, and correct. The first six commands create, examine and modify the baseline. The last two use the baseline to check and/or correct individual files, directory hierarchies, or whole file systems. Each command is invoked by running the avatar program with the command name as its first argument. For example:

    avatar create foo bar n.cfg

Most commands take other arguments as well, which come after the command name (i.e., foo, bar and n.cfg above). They are explained in the entry for each command. In general, though, most commands have root and baseline as their first two arguments: the root of the file system to be used and the name of the baseline directory to be used (or created), respectively.
The Configuration
Everything in a baseline maintained by avatar is controlled by the baseline's configuration. The configuration describes which files and directories to check and which attributes to check for each of them. The configuration is initialized by the create command from a configuration file. An example of a realistic configuration is to protect the entire file system with the exception of /home and /logs. The configuration file used to initialize this configuration via the create command could look like:

    E /
    | /home
    | /logs

The configuration can also record different sets of attributes for different files and directories. It also allows a directory to be recursively baselined with certain files and subdirectories excluded or recorded with different attributes.
Configuration File Format
The configuration file is used by create to control the initial configuration of the baseline. Once created, the configuration is part of the baseline and can be modified by add or delete. It can be queried by the configuration command. Each line of the configuration file contains a pathname to be baselined, which can be either a file, special file, or a directory. Each pathname is prefixed by a list of the attributes to baseline, followed by a space. The attributes are represented by single letters as follows:

    e = existence
    p = permissions
    o = ownership
    s = cryptographic signature
    c = file contents
    | = do not baseline the pathname
    R = baseline the recursive contents of directories
    E = everything (eposcR)

Thus, a configuration file that consisted of the single line:

    E /

baselines the entire file system. Individual files or directories listed can form exceptions to the attributes listed for a recursively baselined directory. So, if the above configuration file also had the line

    |R /var
then /var and its contents would not be baselined.

The Commands
The description of each command begins with its invocation. The parameters for all commands are order dependent and are referred to by name. Optional parameters are enclosed in square brackets.

    avatar create root baseline configfile [altbaseline]

The create command baselines all the pathnames listed in configfile, with root prefixed, placing the baseline database in the baseline directory. If provided, the altbaseline parameter specifies the location of an alternate baseline, which is a secondary source of information used by the check and correct commands (see the extended discussion below). There can be one alternate baseline for each baseline. It can be set via the create, update or iupdate commands. Note that a baseline may consist of a pointer to an alternate baseline, such as on a CD-ROM or an NFS mounted drive. If create has no problems, it exits with a status of 0; otherwise, it exits with a non-zero status.
    avatar update root baseline [altbaseline]

The update command updates the baseline in the baseline directory with information about the pathnames in the configuration (with root prefixed). If altbaseline is provided, avatar uses it as a second source of information. Exit status is 0 if there are no problems. One use of the update command is to modify the baseline after installing a product upgrade whose files reside in a directory that is already configured (in the configuration). Another use is to change the alternate baseline without updating any other baseline contents via the invocation:

    avatar update / , , altbaseline

The commas indicate that file information is not to be updated.
    avatar iupdate root baseline [altbaseline]

The iupdate command performs the same function as update except that the baseline administrator is interactively prompted for a yes/no response on each file that needs updating. Only files for which a `yes' response is given have their baseline information updated.
    avatar configuration root baseline

The configuration command writes a report to standard output describing the current configuration of baseline. The report is in a form suitable for use as the configfile argument to the create command. An example of using this command to output the entire configuration of a baseline residing in the directory /baseline is:

    avatar configuration / /baseline

The root argument has no effect here and is only present for consistency with the other commands.
    avatar check root baseline [file]

The check command checks the directory structure based at root (or the individual file, with root prefixed, if specified) against the information in the baseline database in the baseline directory. Exit status is 0 if there are no problems. Exit status is 1 if there is a discrepancy between the baseline and the file system; in that case, a report of the discrepancies is written to standard output. The exit status is greater than 1 in the case of other problems.
    avatar correct root baseline [file]

The correct command attempts to restore the directory structure based at root (or the individual file, with root prefixed, if specified) to the state described in the baseline database in the baseline directory. correct automatically invokes check to determine which corrections are needed. Exit status is 0 if the restoration is completely successful, and a report of the corrections made is written to standard output. Otherwise, the exit status is non-zero and a report of the problems encountered is written to standard error.
    avatar add root baseline attributes path

The add command allows the addition of files to the baseline. It also updates the corresponding file information in the baseline. attributes is an attribute list as described for the configuration file above. An example of its use is adding protection to a disk drive that was recently added to the system.
    avatar delete root baseline path

is equivalent to:

    avatar add root baseline | path

which uses the | flag to indicate that path is not to be baselined. (When typed at a shell prompt, the | must be quoted so that the shell does not treat it as a pipe.) Information about path is removed from baseline, and the configuration is modified so that subsequent updates to the baseline will not include information about path.
Explanation of Alternate Database
Since avatar will only maintain files specified in the configuration, it may be desirable to locate some or all of the baseline on a central system for access via NFS, or on a CD-ROM. The alternate baseline function provides a baseline that is used only by the check and correct commands.

The alternate baseline may be used if the primary baseline fails during the operation of the check or correct commands. If the program was able to obtain the reference to the alternate database before the failure of the primary one, the alternate can be used instead. This is useful in the case of a network failure where the primary baseline is held remotely: a smaller, secondary baseline of very critical files may be kept on the unit itself.

If, during a correct operation, a file is found to have an incorrect cryptographic signature and the file contents are not contained in the primary baseline, then the alternate baseline is consulted.

The alternate baseline may also be used if there is an explicit file argument to the check or correct commands. If the file is not in the configuration of the primary baseline, these commands check for it in the alternate baseline.

Lastly, alternate baselines may be used explicitly in scripts that invoke avatar. avatar always exits with status 23 if, upon initialization, it cannot access the specified baseline. This exit status can be checked in a script to automatically reinvoke avatar, explicitly pointing it at an alternate baseline.
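The script-level fallback described above, written out as an added example; this is not CyberSoft's code, and it relies only on the exit-status contract the page states (0 clean, 1 discrepancy, greater than 1 other problems, 23 baseline not accessible at initialization). The baseline path /baseline, the alternate /mnt/altbaseline and the report line returned by the stand-in are constructed values, and `fake_avatar` replaces the real avatar binary so the wrapper can be exercised without it installed:

```python
# Added example (not CyberSoft code): a wrapper around 'avatar check' that retries against the
# alternate baseline only when avatar reports, via exit status 23, that the primary was unreachable.
import subprocess

BASELINE_UNREACHABLE = 23  # documented: avatar exits 23 if it cannot access the baseline at start-up


def verdict(status):
    """Map a check/correct exit status onto the outcomes the man page defines."""
    if status == 0:
        return "clean"
    if status == 1:
        return "discrepancy"
    if status == BASELINE_UNREACHABLE:
        return "baseline unreachable"
    return "error"  # any other status greater than 1


def run_avatar(argv, runner=None):
    """Run 'avatar <argv>' and return (exit status, stdout); runner is injectable for offline use."""
    if runner is None:
        def runner(cmd):
            proc = subprocess.run(cmd, capture_output=True, text=True)
            return proc.returncode, proc.stdout
    return runner(["avatar", *argv])


def check_with_fallback(root, baseline, altbaseline, path=None, runner=None):
    """avatar check against the primary baseline, retried once against the alternate on exit 23.

    Status 1 (a real discrepancy) is never retried: the primary baseline answered, and a retry
    against a possibly older alternate would only hide the finding.
    """
    tail = [path] if path else []
    status, out = run_avatar(["check", root, baseline, *tail], runner)
    used = baseline
    if status == BASELINE_UNREACHABLE and altbaseline:
        status, out = run_avatar(["check", root, altbaseline, *tail], runner)
        used = altbaseline
    return {"status": status, "verdict": verdict(status), "baseline": used, "report": out}


def fake_avatar(primary, primary_status, alt_status):
    """Constructed stand-in for the avatar binary: answers for the primary path as told, else as alt."""
    def runner(cmd):
        baseline = cmd[3]  # argv layout: avatar check <root> <baseline> [file]
        status = primary_status if baseline == primary else alt_status
        return status, "/data/etc/hosts: signature mismatch\n" if status == 1 else ""
    return runner


if __name__ == "__main__":
    # Constructed scenario: the primary baseline is on an NFS share that is down; the local alternate answers.
    print(check_with_fallback("/", "/baseline", "/mnt/altbaseline", runner=fake_avatar("/baseline", 23, 0)))
```

Passing `runner=None` makes `run_avatar` invoke the real program through `subprocess.run`; the stand-in exists only so the status handling can be checked on a machine without a licensed avatar.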
Simple Introductory Use
Create a directory of data you wish to baseline; call it /data. Create a config file called avatar.cfg with the single line:

    E /data

That says to baseline every attribute of everything under /data. Enter the following command:

    avatar create / baseline avatar.cfg

Examine the output; it should reflect baselining everything in /data. Then:

Run `avatar configuration / baseline'; that should just regurgitate the contents of avatar.cfg.

Run `avatar spew / baseline'; this undocumented function lists the entire baseline contents.

Run `avatar check / baseline'; this should produce no output, as nothing has been changed.

Run `avatar update / baseline'; again, there should be no output because nothing has changed.

Modify a file somewhere in /data. Perform a check, followed by an update, followed by another check. The first check should report the change; the update should report incorporating the change; the second check should report nothing, since nothing has been changed since the last update.

Modify another file in /data. Perform a check, followed by `avatar correct / baseline', followed by another check.
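To make the attribute letters, the exception rule for recursively baselined directories, and the check/update/correct sequence above concrete, here is an added example (not CyberSoft code) of a miniature baseliner in Python. It builds a small /data tree in a temporary directory, baselines it from a constructed configuration equivalent to `E /data` followed by `|R /data/cache`, and then walks through the introductory steps. Where the page is silent it makes assumptions: a `|` entry without R excludes only the named path, the most specific listed path wins, the cryptographic signature is SHA-256, and correct can only rewrite files whose contents were recorded with `c`:

```python
# Added example (not CyberSoft code): a miniature baseliner that follows avatar's configuration language.
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def parse_config(text):
    """One rule per non-empty line, '<flags> <path>', as in avatar's configfile."""
    rules = []
    for line in text.splitlines():
        if line.split():
            flags, path = line.split(None, 1)
            flags = flags.replace("E", "eposcR")  # E = everything (eposcR)
            rules.append({"attrs": {c for c in flags if c in "eposc"}, "recursive": "R" in flags,
                          "exclude": "|" in flags, "path": path.strip().rstrip("/") or "/"})
    return rules


def attrs_for(rules, rel):
    """The most specific matching rule decides, so '|R /x/y' listed under 'E /x' excludes /x/y."""
    best = None
    for r in rules:
        p = r["path"]
        below = r["recursive"] and (p == "/" or rel.startswith(p + "/"))
        if (rel == p or below) and (best is None or len(p) > len(best["path"])):
            best = r
    return set() if best is None or best["exclude"] else best["attrs"]


def record(root, rel, attrs):
    """Snapshot the requested attributes of one pathname; existence is always recorded."""
    full = Path(root, rel.lstrip("/"))
    if not full.exists():
        return {"e": False}
    st = os.lstat(full)
    data = full.read_bytes() if stat.S_ISREG(st.st_mode) else None
    probes = {"p": stat.S_IMODE(st.st_mode), "o": (st.st_uid, st.st_gid),
              "s": hashlib.sha256(data).hexdigest() if data is not None else None, "c": data}
    entry = {"e": True}
    entry.update({a: v for a, v in probes.items() if a in attrs and v is not None})
    return entry


def create(root, config_text):
    """Baseline every path under root (plus listed-but-missing ones) that some rule covers."""
    rules = parse_config(config_text)
    paths = {r["path"] for r in rules if not r["exclude"]}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            paths.add("/" + os.path.relpath(os.path.join(dirpath, name), root))
    files = {rel: record(root, rel, attrs_for(rules, rel)) for rel in sorted(paths) if attrs_for(rules, rel)}
    return {"config": config_text, "files": files}


def rescan(root, baseline):
    """Yield (path, recorded entry, current entry) for every baselined pathname."""
    rules = parse_config(baseline["config"])
    for rel, old in list(baseline["files"].items()):
        yield rel, old, record(root, rel, attrs_for(rules, rel))


def check(root, baseline):
    """Discrepancies as (path, attribute, recorded, actual); an empty list is avatar's exit status 0."""
    report = []
    for rel, old, new in rescan(root, baseline):
        keys = ["e"] if old["e"] != new["e"] else sorted(set(old) | set(new))
        report += [(rel, k, old.get(k), new.get(k)) for k in keys if old.get(k) != new.get(k)]
    return report


def update(root, baseline):
    """Accept the current state into the baseline; returns the paths whose record changed."""
    changed = {rel: new for rel, old, new in rescan(root, baseline) if old != new}
    baseline["files"].update(changed)
    return sorted(changed)


def correct(root, baseline):
    """Restore contents and permissions from the baseline; anything else is reported, not fixed."""
    fixed, problems = [], []
    for rel, key, recorded, _actual in check(root, baseline):
        full, entry = Path(root, rel.lstrip("/")), baseline["files"][rel]
        if key in ("e", "s", "c") and "c" in entry:  # contents were recorded: rewrite the file
            full.parent.mkdir(parents=True, exist_ok=True)
            full.write_bytes(entry["c"])
        elif key == "p" and full.exists():
            os.chmod(full, recorded)
        else:
            problems.append((rel, key))  # ownership, or a file whose contents were never stored
            continue
        fixed.append((rel, key))
    return fixed, problems


def demo():
    """The man page's introductory sequence, run on a constructed /data tree in a temp dir."""
    with tempfile.TemporaryDirectory() as root:
        for rel, data in (("data/etc/hosts", b"127.0.0.1 localhost\n"), ("data/cache/scratch", b"temporary")):
            Path(root, rel).parent.mkdir(parents=True)
            Path(root, rel).write_bytes(data)
        hosts = Path(root, "data/etc/hosts")
        baseline = create(root, "E /data\n|R /data/cache\n")  # constructed stand-in for avatar.cfg
        steps = {"excluded": "/data/cache/scratch" not in baseline["files"], "check0": check(root, baseline)}
        hosts.write_bytes(b"127.0.0.1 localhost\n10.0.0.5 fileserver\n")  # a legitimate edit
        steps["check1"] = check(root, baseline)
        steps["update"] = update(root, baseline)  # accept the edit into the baseline
        steps["check2"] = check(root, baseline)
        hosts.write_bytes(b"replaced\n")  # an unwanted change, undone by correct()
        steps["correct"] = correct(root, baseline)
        steps["check3"] = check(root, baseline)
        return steps
```

`demo()` returns the result of each step: the first check is empty, the check after the edit names /data/etc/hosts under both `s` and `c`, update accepts it, the next check is empty again, correct rewrites the file from the recorded contents, and the final check is empty. Note that because `c` stores file contents, a baseline with `E` everywhere is as large as the data it protects, which is the page's motivation for keeping a smaller alternate baseline of only critical files on the local unit.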
FILES
    LICENSE

SEE ALSO
    vfind(1), cit(1), thd(1)

BUGS
Please report all bugs to support@cyber.com. Make sure to include the version of avatar, the platform and OS, the script or command used, the complete output showing the bug, a short description of the problem, and contact information.

COPYRIGHT
Copyright 1999-2000 CyberSoft, Inc. All rights reserved.