Monitoring filesystem Using Integrit
What is integrit?
integrit is a simpler alternative to file integrity verification programs such as tripwire and aide. It helps you determine whether an intruder has modified a computer system.
Download Integrit
http://sourceforge.net/project/showfiles.php?group_id=15369
Integrit FAQ
http://integrit.sourceforge.net/texinfo/integrit.html#FAQ
Installing Integrit in Debian
#apt-get install integrit
Reading Package Lists... Done
Building Dependency Tree... Done
The following NEW packages will be installed:
integrit
0 upgraded, 1 newly installed, 0 to remove and 1 not upgraded.
Need to get 105kB of archives.
After unpacking 340kB of additional disk space will be used.
Get:1 http://mirror.ox.ac.uk stable/main integrit 3.02.00-11 [105kB]
Fetched 105kB in 0s (274kB/s)
Selecting previously deselected package integrit.
(Reading database ... 12745 files and directories currently installed.)
Unpacking integrit (from .../integrit_3.02.00-11_i386.deb) ...
Setting up integrit (3.02.00-11) ...
This completes the installation of integrit.
Once installed you'll find a configuration file at /etc/integrit/integrit.conf; check the default integrit.conf file.
This configuration file contains a list of directories, or paths, which are checked.
Every file beneath a named directory will be checksummed using the SHA-1 hash, and its details will be stored in the integrit database located at /var/lib/integrit.
The configuration file contains a list of example directories along with a brief explanation of how to add new entries.
Minimal Integrit working configuration file
#
# Global settings
#
root=/
known=/var/lib/integrit/known.cdb
current=/var/lib/integrit/current.cdb
#
# Ignore '!' the following directories because we don't care if their contents are modified.
#
!/mnt
!/dev
!/etc
!/home
!/lost+found
!/proc
!/tmp
!/usr/local
!/usr/src
Once this is setup you can create the initial database:
#integrit -C /etc/integrit/integrit.conf -u
This saves the current state of the system into the file /var/lib/integrit/current.cdb. We need to move this into the known state, and also take a copy offsite.
#mv /var/lib/integrit/current.cdb /var/lib/integrit/known.cdb
Mailing a copy of this file offsite to a safe location is useful as it allows you to test again later - even if you think your database might have been modified by a local user.
To check the filesystem for changes we can now run:
#integrit -C /etc/integrit/integrit.conf -c
As you've just created a pristine database you should see no errors.
More Integrit Options
usage:
integrit -C conffile [-x] [-u] [-c]
integrit -V
integrit -h
options:
-C Specify conffile as the configuration file for integrit.
-V Show integrit version information and exit.
-h Show brief help.
-x Produce XML output.
-u Do update - create a new database that reflects the current state of the system.
-c Do check - compare the current state of the system to a database containing a snapshot of the system when it was in a known state.
-N Manually override specification of the current ("New") database. Normally it is set in the configuration file.
-O Manually override specification of the known ("Old") database. Normally it is set in the configuration file.
-q Lower integrit's level of verbosity.
-v Increase integrit's level of verbosity.
To test that the system is working run:
#touch /bin/ls # Modify a file
#integrit -C /etc/integrit/integrit.conf -c
This time you should see an error message:
changed: /bin/ls m(20020318-151001:20041130-142618) c(20031107-102841:20041130-142618)
(m in this case is the modification date of the file, c being the creation date).
The Debian package will mail you every day if files have changed, and even if they haven't. There is a cron job set up by the file /etc/cron.daily/integrit. You can edit that file if you only wish to see an email when there are differences; the comments explain how to do so:
# * UNCOMMENT the two following lines marked with `# !' if you don't
# * want to receive reports if no mismatches were found
# ! if [ "$(echo "$output" | egrep -v '^integrit: ')" ]; then
message=$(echo "$message" && echo "$output")
# ! fi
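The report format described above (the changed: line with its m()/c() stamps) and the cron job's `egrep -v '^integrit: '` filter, as an added POSIX sh example that is not part of the page, of integrit, or of the Debian cron script. The report text is a constructed sample, loosely modelled on integrit's human-readable output; the function names are the example's own.

```shell
#!/bin/sh
# Added example: post-process an "integrit -c" report the way the Debian
# cron job does, then decode the stamps in "changed:" lines.

# Constructed sample report (not real integrit output). The changed: line is
# the one shown in the article; new:/missing: are integrit's other mismatch kinds.
SAMPLE_REPORT='integrit: ---- integrit, version 3.02.00 (constructed sample)
integrit: do check : yes
changed: /bin/ls m(20020318-151001:20041130-142618) c(20031107-102841:20041130-142618)
new: /usr/local/bin/dropped
missing: /sbin/old-helper
integrit: checking checksums'

# Constructed report from a run with no mismatches.
CLEAN_REPORT='integrit: ---- integrit, version 3.02.00 (constructed sample)
integrit: do check : yes
integrit: checking checksums'

# Keep only mismatch lines, dropping integrit's own status lines,
# exactly as the cron job's egrep -v '^integrit: ' does.
integrit_mismatches() {
    printf '%s\n' "$1" | grep -v '^integrit: '
}

# Succeed (exit 0) when the report carries no mismatches; this is the
# decision ALWAYS_EMAIL=false hangs on: mail only when this fails.
integrit_report_clean() {
    [ -z "$(integrit_mismatches "$1")" ]
}

# Decode "changed: PATH m(OLD:NEW) c(OLD:NEW) ..." into one line per stamp:
#   PATH mtime OLD -> NEW
# m is the file's mtime, c its ctime (inode change time). Assumes paths
# without spaces, which is what the cron-mailed report normally contains.
integrit_decode_changed() {
    printf '%s\n' "$1" | awk '
        /^changed: / {
            path = $2
            for (i = 3; i <= NF; i++) {
                kind = substr($i, 1, 1)                 # m, c, s, ...
                stamps = substr($i, 3, length($i) - 3)  # strip "x(" and ")"
                split(stamps, pair, ":")
                label = (kind == "m") ? "mtime" : (kind == "c") ? "ctime" : kind
                printf "%s %s %s -> %s\n", path, label, pair[1], pair[2]
            }
        }'
}

# Demonstration on the constructed sample.
integrit_decode_changed "$SAMPLE_REPORT"
```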
If you want to run this every day, configure the /etc/integrit/integrit.debian.conf file.
A sample file is shown below; adjust the settings to fit your needs.
# Configuration of the example daily cron job /etc/cron.daily/integrit
# Set the configuration file(s) for integrit. /etc/cron.daily/integrit
# will run ``integrit -uc -C <file>'' for each file specified in CONFIGS.
# An empty CONFIGS variable disables /etc/cron.daily/integrit. Multiple
# file names are separated with spaces, e.g.:
# CONFIGS="/etc/integrit/usr.conf /etc/integrit/lib.conf"
# CONFIGS="/etc/integrit/integrit.conf"
CONFIGS=""
# Set the mail address reports are sent to
EMAIL_RCPT="root"
# Set the subject line for the report mails
EMAIL_SUBJ="[integrit] `hostname -f`: report on changes in the filesystems"
# If ALWAYS_EMAIL is set to ``true'', a report is mailed on every run.
# Normally a report is only generated when integrit(1) exits non-zero.
ALWAYS_EMAIL=false
For more information and other options, check the integrit manual.