Monitoring the filesystem using Integrit
What is integrit?
integrit is a simpler alternative to file integrity verification
programs such as tripwire and aide. It helps you determine whether
an intruder has modified a computer system.
Download Integrit
http://sourceforge.net/project/showfiles.php?group_id=15369
Integrit FAQ
http://integrit.sourceforge.net/texinfo/integrit.html#FAQ
Installing Integrit in Debian
# apt-get install integrit
Reading Package Lists... Done
Building Dependency Tree... Done
The following NEW packages will be installed:
integrit
0 upgraded, 1 newly installed, 0 to remove and 1 not upgraded.
Need to get 105kB of archives.
After unpacking 340kB of additional disk space will be used.
Get:1 http://mirror.ox.ac.uk stable/main integrit 3.02.00-11 [105kB]
Fetched 105kB in 0s (274kB/s)
Selecting previously deselected package integrit.
(Reading database ... 12745 files and directories currently installed.)
Unpacking integrit (from .../integrit_3.02.00-11_i386.deb) ...
Setting up integrit (3.02.00-11) ...
This completes the installation of integrit.
Once installed you'll find a configuration file at /etc/integrit/integrit.conf.
Check the default integrit.conf file
This configuration file contains a list of directories, or
paths, which are checked.
Every file beneath the named directory will be checksummed using
the SHA-1 hash, and its details will be stored in the integrit
database located at /var/lib/integrit.
The configuration file contains a list of example directories
along with a brief explanation of how to add new entries.
Minimal Integrit working configuration file
#
# Global settings
#
root=/
known=/var/lib/integrit/known.cdb
current=/var/lib/integrit/current.cdb
#
# Ignore ('!') the following directories because we don't care if
# their contents are modified.
#
!/mnt
!/dev
!/etc
!/home
!/lost+found
!/proc
!/tmp
!/usr/local
!/usr/src
Once this is set up you can create the initial database:
# integrit -C /etc/integrit/integrit.conf -u
This saves the current state of the system into the file
/var/lib/integrit/current.cdb; we need to move this into the known
state, and also take a copy offsite.
# mv /var/lib/integrit/current.cdb /var/lib/integrit/known.cdb
Mailing a copy of this file offsite to a safe location is useful
as it allows you to test again later - even if you think your
database might have been modified by a local user.
To check the filesystem for changes we can now run:
# integrit -C /etc/integrit/integrit.conf -c
As you've just created a pristine database you should see no
errors.
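To make the configuration format and the update/move/check cycle above concrete, here is an added example in POSIX shell. It is not integrit's own code and not from the original page; it re-implements the same idea in miniature. It parses a configuration in the format shown above (root=, known=, current= and "!" ignore lines; treating ignore entries as relative to root is an assumption of this example), snapshots every regular file beneath root with its SHA-1 and modification time, promotes the snapshot to the known database, and then reports changed, new and missing files in an integrit-like format. It assumes GNU coreutils (sha1sum and date -r) and builds its own constructed sample tree under a temporary directory.

```shell
#!/bin/sh
# Added example, not integrit's code: a miniature integrit in POSIX sh.
# Assumes GNU coreutils (sha1sum, date -r); ignore entries are relative to root.

# parse_conf FILE: read the page's config format into CONF_* variables.
parse_conf() {
    CONF_ROOT=/ CONF_KNOWN= CONF_CURRENT= CONF_IGNORE=
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*)   ;;                                         # blank or comment
            root=*)    CONF_ROOT=${line#root=} ;;
            known=*)   CONF_KNOWN=${line#known=} ;;
            current=*) CONF_CURRENT=${line#current=} ;;
            '!'*)      CONF_IGNORE="$CONF_IGNORE ${line#"!"}" ;;  # prefix to skip
        esac
    done < "$1"
}

# snapshot OUTFILE: record "sha1 <TAB> mtime <TAB> path" for every regular file
# under CONF_ROOT (paths relative to root), skipping ignored prefixes.
snapshot() {
    out=$1; r=${CONF_ROOT%/}
    : > "$out"
    find "${r:-/}" -type f | LC_ALL=C sort | while IFS= read -r f; do
        rel=${f#"$r"}
        skip=0
        for ig in $CONF_IGNORE; do
            case "$rel" in "$ig"|"$ig"/*) skip=1 ;; esac
        done
        [ "$skip" -eq 0 ] || continue
        printf '%s\t%s\t%s\n' "$(sha1sum < "$f" | cut -d' ' -f1)" \
            "$(date -r "$f" +%Y%m%d-%H%M%S)" "$rel" >> "$out"
    done
}

# check: compare CONF_CURRENT against CONF_KNOWN.  Prints integrit-style lines
# ("changed:", "new:", "missing:") and returns 1 if anything differs, else 0.
# s(old:new) shows the first 8 hex digits of each SHA-1, m(old:new) the mtimes.
check() {
    report=$(awk '
        BEGIN { FS = "\t" }
        FILENAME == ARGV[1] { hash[$3] = $1; mtime[$3] = $2; next }
        {
            if (!($3 in hash)) { print "new: " $3; next }
            why = ""
            if (hash[$3] != $1)  why = why " s(" substr(hash[$3], 1, 8) ":" substr($1, 1, 8) ")"
            if (mtime[$3] != $2) why = why " m(" mtime[$3] ":" $2 ")"
            if (why != "") print "changed: " $3 why
            delete hash[$3]
        }
        END { for (p in hash) print "missing: " p }' "$CONF_KNOWN" "$CONF_CURRENT" | LC_ALL=C sort)
    [ -n "$report" ] || return 0
    printf '%s\n' "$report"
    return 1
}

# demo: constructed sample tree (not a real system); prints the second check's report.
demo() {
    tmp=$(mktemp -d); root=$tmp/root
    mkdir -p "$root/bin" "$root/tmp" "$tmp/db"
    for name in ls cat rm; do
        printf '%s\n' "$name" > "$root/bin/$name"
        touch -t 200203181510.01 "$root/bin/$name"       # fixed mtime, as on the page
    done
    printf 'junk\n' > "$root/tmp/junk"                    # under an ignored prefix
    printf 'root=%s\nknown=%s/db/known.cdb\ncurrent=%s/db/current.cdb\n!/tmp\n' \
        "$root" "$tmp" "$tmp" > "$tmp/integrit.conf"
    parse_conf "$tmp/integrit.conf"

    snapshot "$CONF_CURRENT"                  # like: integrit -C conf -u
    mv "$CONF_CURRENT" "$CONF_KNOWN"          # promote to the known state
    snapshot "$CONF_CURRENT"
    check || { echo "pristine check reported changes" >&2; rm -rf "$tmp"; return 2; }

    # Drift the checker must report: touched, rewritten, removed and added files.
    touch -t 200411301426.18 "$root/bin/ls"
    printf 'cat v2\n' > "$root/bin/cat"; touch -t 200411301426.18 "$root/bin/cat"
    rm "$root/bin/rm"
    printf 'new\n' > "$root/bin/new-tool"
    snapshot "$CONF_CURRENT"
    check || true                             # like: integrit -C conf -c
    rm -rf "$tmp"
}

demo
```

Run it with sh; the check on the pristine tree prints nothing and returns 0, while the second check lists the four deliberate changes and returns 1, the non-zero exit status that the daily cron job described further down uses to decide whether a report is worth sending. Keeping the known database outside the tree being checked (here under a separate db directory) avoids the checker reporting its own database as a changed file.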
More Integrit Options
usage:
integrit -C conffile [-x] [-u] [-c]
integrit -V
integrit -h
options:
-C Specify conffile as the configuration file for
integrit.
-V Show integrit version information and exit.
-h Show brief help.
-x Produce XML output.
-u Do update - create a new database that reflects
the current state of the system.
-c Do check - compare the current state of the system
to a database containing a snapshot of the system
when it was in a known state.
-N Manually override specification of the current
("New") database. Normally it is set in the
configuration file.
-O Manually override specification of the known
("Old") database. Normally it is set in the
configuration file.
-q Lower integrit's level of verbosity.
-v Increase integrit's level of verbosity.
To test that the system is working run:
# touch /bin/ls # Modify a file
# integrit -C /etc/integrit/integrit.conf -c
This time you should see an error message:
changed: /bin/ls m(20020318-151001:20041130-142618) c(20031107-102841:20041130-142618)
(m in this case is the modification date of the file, c being
the creation date).
The Debian package will mail you every day if files have changed,
and even if they haven't. There is a cron job set up by the
file /etc/cron.daily/integrit. You can edit that file if you
only wish to see an email in the case of differences; the
comments explain how to do so:
# * UNCOMMENT the two following lines marked with `# !' if you don't
# * want to receive reports if no mismatches were found
# ! if [ "$(echo "$output" | egrep -v '^integrit: ')" ]; then
message=$(echo "$message" && echo "$output")
# ! fi
If you want to run this every day you can configure the
integrit.debian.conf file. A sample file is shown below; note that
an empty CONFIGS variable disables the daily run, so adjust the
settings to fit your needs.
# Configuration of the example daily cron job /etc/cron.daily/integrit
# Set the configuration file(s) for integrit. /etc/cron.daily/integrit
# will run ``integrit -uc -C <file>'' for each file specified in CONFIGS.
# An empty CONFIGS variable disables /etc/cron.daily/integrit. Multiple
# file names are separated with spaces, e.g.:
# CONFIGS="/etc/integrit/usr.conf /etc/integrit/lib.conf"
# CONFIGS="/etc/integrit/integrit.conf"
CONFIGS=""
# Set the mail address reports are sent to
EMAIL_RCPT="root"
# Set the subject line for the report mails
EMAIL_SUBJ="[integrit] `hostname -f`: report on changes in the filesystems"
# If ALWAYS_EMAIL is set to ``true'', a report is mailed on every run.
# Normally a report is only generated when integrit(1) exits non-zero.
ALWAYS_EMAIL=false
For more information and other options check the integrit manual.