Integrit: Add an integrity control tool on your Debian
Software version | 4.1
Operating System | Debian 7
Website | Integrit Website
Last Update | 07/05/2013
Introduction
Integrit is a simple yet secure alternative to products like Tripwire. It has a small memory footprint, uses up-to-date cryptographic algorithms, and has features that make sense (like including the MD5 checksum of newly generated databases in the report).
Installation
To install Integrit:
aptitude install integrit
Configuration
# /etc/integrit/integrit.debian.conf
# Configuration of the example daily cron job /etc/cron.daily/integrit
# Set the configuration file(s) for integrit. /etc/cron.daily/integrit
# will run ``integrit -uc -C <file>'' for each file specified in CONFIGS.
# An empty CONFIGS variable disables /etc/cron.daily/integrit. Multiple
# file names are separated with spaces, e.g.:
# CONFIGS="/etc/integrit/usr.conf /etc/integrit/lib.conf"
# CONFIGS="/etc/integrit/integrit.conf"
CONFIGS="/etc/integrit/integrit.conf"
# Set the mail address reports are sent to
EMAIL_RCPT="xxx@mycompany.com"
# Set the subject line for the report mails
EMAIL_SUBJ="[integrit] `hostname -f`: report on changes in the filesystems"
# If ALWAYS_EMAIL is set to ``true'', a report is mailed on every run.
# Normally a report is only generated when integrit(1) exits non-zero.
ALWAYS_EMAIL=false
You need to adapt the variables listed below:
- CONFIGS: your main configuration file, or several files if you have more than one
- EMAIL_RCPT: your email address (the recipient of the reports)
- EMAIL_SUBJ: the email subject, if the default one does not suit you
- ALWAYS_EMAIL: leave it set to false if you want to receive emails only when a change occurs
Now we’re going to edit the main configuration of Integrit:
# /etc/integrit/integrit.conf
# /etc/integrit.conf : configuration file for integrit
#
# See integrit(1) and /usr/share/doc/integrit/examples/
# for more information.
#
# *** WARNING ***
#
# This is a simple default configuration file for Debian systems.
# It contains only comments, therefore integrit will not run with
# it. To make integrit functional, you must edit this file according
# to your needs.
#
# Please read README.Debian before running integrit.
#
# *** WARNING ***
#
root=/
known=/var/lib/integrit/known.cdb
current=/var/lib/integrit/current.cdb
#
# # Here's a table of letters and the corresponding checks / options:
# # Uppercase turns the check off, lowercase turns it on.
# #
# # s checksum
# # i inode
# # p permissions
# # l number of links
# # u uid
# # g gid
# # z file size (redundant if checksums are on)
# # a access time
# # m modification time
# # c ctime (time UN*X file info last changed)
# # r reset access time (use with care)
#
# # ignore directories that are expected to change
#
# !/cdrom
!/dev
!/lost+found
!/proc
!/sys
# !/etc
# !/floppy
# !/home
# !/mnt
# !/root
# !/tmp
# !/var
#
# # ignore inode, change time and modification time
# # for ephemeral module files.
#
# /lib/modules/2.4.3/modules.dep IMC
# /lib/modules/2.4.3/modules.generic_string IMC
# /lib/modules/2.4.3/modules.isapnpmap IMC
# /lib/modules/2.4.3/modules.parportmap IMC
# /lib/modules/2.4.3/modules.pcimap IMC
# /lib/modules/2.4.3/modules.usbmap IMC
#
# # to cut down on runtime and db size:
#
# =/usr/include
# =/usr/X11R6/include
#
# =/usr/doc
# =/usr/info
# =/usr/share
#
# =/usr/X11R6/man
# =/usr/X11R6/lib/X11/fonts
#
# # ignore user-dependant directories
#
# !/usr/local
# !/usr/src
A quick overview of the syntax of this configuration file:
- !: do not scan this folder/file at all
- =: do not descend recursively if it is a folder (the folder itself is still checked)
- $: do not inherit the checking options of the parent folder
- /etc MC: this example turns off the mtime and ctime checks on /etc (uppercase letters turn a check off, lowercase letters turn it on)
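To see how these prefixes and check letters combine on a concrete path, here is a small evaluator of that rule syntax. It is an added example, not code from the page or from the integrit project; the default check set (everything except "r") and the way options are inherited from parent folders are assumptions of this example, and the sample configuration is constructed from the rules shown above.

```python
import posixpath
CHECK_LETTERS = "sipluzgamcr"        # letters from the table in integrit.conf
# Assumed default (not stated on the page): every check on except "r" (reset atime)
DEFAULT_CHECKS = frozenset(CHECK_LETTERS) - {"r"}

# Constructed sample: rules taken from this page plus one "$" rule
SAMPLE_CONF = """
root=/
!/dev            # ignored entirely
=/usr/include    # checked itself, but not descended into
/etc MC          # uppercase: mtime and ctime checks off for /etc and below
$/etc/ssl A      # "$": drop the inherited MC, restart from defaults, then atime off
"""

def parse_rules(text):
    """Return {normalized path: (prefix chars, flag letters)} for each rule line."""
    rules = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(("root=", "known=", "current=")):
            continue
        prefix = ""
        while line[0] in "!=$":
            prefix, line = prefix + line[0], line[1:]
        path, *flags = line.split()
        rules[posixpath.normpath(path)] = (prefix, "".join(flags))
    return rules

def effective_checks(rules, path):
    """None if path is not scanned at all, else the frozenset of active check letters."""
    path = posixpath.normpath(path)
    parts = path.strip("/").split("/") if path != "/" else []
    chain = ["/"] + ["/" + "/".join(parts[:i + 1]) for i in range(len(parts))]
    checks = set(DEFAULT_CHECKS)
    for anc in chain:                 # walk from "/" down to the path itself
        if anc not in rules:
            continue
        prefix, flags = rules[anc]
        if "!" in prefix or ("=" in prefix and anc != path):
            return None               # ignored, or inside a non-recursive directory
        if "$" in prefix:
            checks = set(DEFAULT_CHECKS)   # do not inherit the parent's options
        for ch in flags:              # lowercase turns a check on, uppercase off
            (checks.add if ch.islower() else checks.discard)(ch.lower())
    return frozenset(checks)

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_CONF)
    for p in ("/dev/null", "/usr/include/stdio.h", "/etc/passwd", "/etc/ssl/certs"):
        print(p, "->", effective_checks(rules, p))
```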
Now we’re going to initialize the known database:
integrit -C /etc/integrit/integrit.conf -u
integrit: ---- integrit, version 4.1 -----------------
integrit: output : human-readable
integrit: conf file : /etc/integrit/integrit.conf
integrit: known db : /var/lib/integrit/known.cdb
integrit: current db : /var/lib/integrit/current.cdb
integrit: root : /
integrit: do check : no
integrit: do update : yes
Move the freshly generated current database into place as the known database:
mv /var/lib/integrit/current.cdb /var/lib/integrit/known.cdb
Finally, you can run the check manually (or let the cron job do it):
integrit -C /etc/integrit/integrit.conf -c
It is strongly recommended that you put the known database on a read-only share.
Last updated 07 May 2013, 14:44 CEST.