You are not logged in.

#1 2004-04-28 09:55:31

From: Italy
Registered: 2004-04-24
Posts: 19

[system: utilities] integrit

For who needs a simplier fs integrity checker than aide here is integrit...

# Contributor: blue_ant <>
pkgdesc="A more simple alternative to file integrity verification programs like tripwire and aide."

build() {
  cd $startdir/src/$pkgname-3.02
  ./configure --prefix=/usr
  make || return 1
  make utils || return 1
  make prefix=$startdir/pkg/usr install

Please ignore the following lines during compialtion:

Warning: install-info did not run successfully.
           to complete the installation of the documenation,
           Make sure info is installed and install-info is in
           the path when doing 'make install'
  (pausing 3 seconds)

But this one should be followed:

It is recommended that the binary be copied to a secure location and
  re-copied to /var/abs/local/integrit/pkg/usr/sbin at runtime or run directly
  from the secure medium.

in fact in the INSTALL you can read:

SECURE INSTALLATION --------------------------------------------------

Please note that if you are doing this for real, you'll need to
compile on a trusted machine (e.g., one with a fresh install of the OS
that hasn't yet been plugged into the network) and copy the compiled
binary to a secure location.

At runtime the binary should be copied back to the localhost or run
directly from the secure location.

Doing otherwise is fine for testing, but it won't be secure, since
there's less security in compiling integrit on an untrusted host, and
no security in leaving the integrit binary on the host your checking.

Ok I did not follow this recomandation, so don't trust my binary package I've uploaded in incoming, build one from you self...




      integrit -C conffile [-x] [-u] [-c]
      integrit -V
      integrit -h

      -C        specify configuration file
      -x        use XML output instead of human-readable output
      -u        do update: create current state database
      -c        do check: verify current state against known db
      -V        show integrit version and exit
      -h        show this help     

Briefly, the idea is to do this periodically:

generate a new current-state database while checking against an old known-state database that has been protected from modification (e.g. by putting it on read-only media or on a secure server), mailing the output to a remote machine (or more)

read the report, perhaps using UN*X or XML tools to massage it into a form to your liking

if the report looks fine, copy the new database to a secure server for export via read-only NFS, or a secure medium that can be made read-only. (saving the old one in case something goes wrong.)

IMPORTANT: verify that the current md5sum of the database you just copied over matches the MD5 checksum in the report. (This shows that no one has tampered with the database since the report and the new database were generated.)

everything's OK, so the new database will be the known-state database the next time you repeat this process.

as always I'm open to comments and suggestons...

and if you need a sample configuration file or a post_install that puts it in your crontab let me know...
I saw also some useful examples on the integrit cvs.



Board footer

Powered by FluxBB