Introduction link
Integrit is a simple yet secure alternative to products like tripwire. It has a small memory footprint, uses up-to-date cryptographic algorithms, and has features that make sense (like including the MD5 checksum of newly generated databases in the report
Installation link
To install Integrit:
1
| aptitude install integrit
|
Configuration link
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
| # /etc/integrit/integrit.debian.conf
# Configuration of the example daily cron job /etc/cron.daily/integrit
# Set the configuration file(s) for integrit. /etc/cron.daily/integrit
# will run ``integrit -uc -C <file>'' for each file specified in CONFIGS.
# An empty CONFIGS variable disables /etc/cron.daily/integrit. Multiple
# file names are separated with spaces, e.g.:
# CONFIGS="/etc/integrit/usr.conf /etc/integrit/lib.conf"
# CONFIGS="/etc/integrit/integrit.conf"
CONFIGS="/etc/integrit/integrit.conf"
# Set the mail address reports are sent to
EMAIL_RCPT="xxx@mycompany.com"
# Set the subject line for the report mails
EMAIL_SUBJ="[integrit] `hostname -f`: report on changes in the filesystems"
# If ALWAYS_EMAIL is set to ``true'', a report is mailed on every run.
# Normally a report is only generated when integrit(1) exits non-zero.
ALWAYS_EMAIL=false
|
You need to adapt the vars vars listed bellow:
- CONFIGS: set your main configuration or multiples if you have so
- EMAIL_RCPT: your email address (the recipient)
- EMAIL_SUBJ: the email subject if this one doesn’t suit you
- ALWAYS_EMAIL: set it to false if you want to receive emails only when a change occur
Now we’re going to edit the main configuration of Integrit:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
| # /etc/integrit/integrit.conf
# /etc/integrit.conf : configuration file for integrit
#
# See integrit(1) and /usr/share/doc/integrit/examples/
# for more information.
#
# *** WARNING ***
#
# This is a simple default configuration file for Debian systems.
# It contains only comments, therefore integrit will not run with
# it. To make integrit functional, you must edit this file according
# to your needs.
#
# Please read README.Debian before running integrit.
#
# *** WARNING ***
#
root=/
known=/var/lib/integrit/known.cdb
current=/var/lib/integrit/current.cdb
#
# # Here's a table of letters and the corresponding checks / options:
# # Uppercase turns the check off, lowercase turns it on.
# #
# # s checksum
# # i inode
# # p permissions
# # l number of links
# # u uid
# # g gid
# # z file size (redundant if checksums are on)
# # a access time
# # m modification time
# # c ctime (time UN*X file info last changed)
# # r reset access time (use with care)
#
# # ignore directories that are expected to change
#
# !/cdrom
!/dev
!/lost+found
!/proc
!sys
# !/etc
# !/floppy
# !/home
# !/mnt
# !/root
# !/tmp
# !/var
#
# # ignore inode, change time and modification time
# # for ephemeral module files.
#
# /lib/modules/2.4.3/modules.dep IMC
# /lib/modules/2.4.3/modules.generic_string IMC
# /lib/modules/2.4.3/modules.isapnpmap IMC
# /lib/modules/2.4.3/modules.parportmap IMC
# /lib/modules/2.4.3/modules.pcimap IMC
# /lib/modules/2.4.3/modules.usbmap IMC
#
# # to cut down on runtime and db size:
#
# =/usr/include
# =/usr/X11R6/include
#
# =/usr/doc
# =/usr/info
# =/usr/share
#
# =/usr/X11R6/man
# =/usr/X11R6/lib/X11/fonts
#
# # ignore user-dependant directories
#
# !/usr/local
# !/usr/src
|
To give you a quick understand of this configuration file:
- !: do not scan this folder/file
- =: do not search recursively if it’s a folder
- $: tells not not inherit from the parent folder regarding the checking method
- /etc MC: this example ask to not check mtime + ctime verification on /etc
Now we’re going to initialize the known database:
1
2
3
4
5
6
7
8
9
| integrit -C /etc/integrit/integrit.conf -u
integrit: ---- integrit, version 4.1 -----------------
integrit: output : human-readable
integrit: conf file : /etc/integrit/integrit.conf
integrit: known db : /var/lib/integrit/known.cdb
integrit: current db : /var/lib/integrit/current.cdb
integrit: root : /
integrit: do check : no
integrit: do update : yes
|
Move the current known database to known:
1
| mv /var/lib/integrit/current.cdb /var/lib/integrit/known.cdb
|
Next and to finish, you can update manually (or let cron do) the database:
1
| integrit -C /etc/integrit/integrit.conf -c
|
report
This is strongly recommanded that you put the known database on a read only share
References link
Last updated
07 May 2013, 14:44 CEST. history