integrit file verification system

Please visit the URL below to access the most current versions of integrit. The sourceforge site is not being updated actively.

https://github.com/integrit/integrit

integrit.sourceforge.net

home of the integrit file verification system

the integrit project

What is integrit?

integrit is a more simple alternative to file integrity verification programs like tripwire and aide. It helps you determine whether an intruder has modified a computer system.

Without a system like integrit, a sysadmin can't know whether the tools he/she uses to investigate a potential break in are trojan horses or not. e.g., If the machine has a "/tmp/. " directory containing a shell that's setuid root, and you want to investigate to determine how badly the cracker has compromised the machine, how do you know that the attacker hasn't replaced your "find" and "ls" commands with tampered versions that fail to report the cracker's files?

A system like integrit works by creating a database that is a snapshot of the most essential parts of your computer system. You put the database somewhere safe, and then later you can use it to make sure that no one has made any illicit modifications to the computer system. In the case of a break in, you know exactly which files have been modified, added, or removed.

integrit is a robust, stable piece of software designed for professional use.

Its features include:

small memory footprint during runtime

This is a big deal because a machine that is important enough to protect is probably doing important things. Since the other processes are important, integrit doesn't step on anyone's toes: its conservative with memory.
simple, modular design and implementation means a smaller learning curve and better potential for open-source development
uses up-to-date cryptographic algorithms from gnupg.
designed with unattended use in mind

e.g., integrit includes the MD5 checksum of newly generated databases in its report
intuitive cascading rulesets for the paths listed in the configuration file
an option to reset the access times of selected files or directory trees after doing checksums
output format can be XML or an easy-to-scan human-readable format
simultaneous check and update: integrit can generate a new database while running a check against an old database
distribution contains standalone auxiliary programs for convenience that you can safely ignore or else use when needed.
builds quickly and easily

source

distribution-specific packages

Please note: unless you carefully configure integrit for your site, you cannot use integrit effectively as a security tool.

Packages often use a default configuration for convenience, but package maintainers expect that a sysadmin will only use integrit on production systems after reading integrit's documentation and configuring integrit to work at each specific site.

debian package
FreeBSD port
RPM: coming soon.

project page

Note: do not run integrit on virtual filesystems like Linux's /proc filesystem. Use a configuration rule like like the one below to ignore virtual filesystems:

!/proc

Note that there is no trailing slash.

Documentation:

The Manual (including the FAQ)
The Integrit File Verification System Manual (one HTML page)

The Integrit File Verification System Manual (postscript)
More Docs
introduction

brief howto

synopsis of the configuration file syntax

Donations:

One way to support integrit is to donate money.

Links:

discussion
If you are interested in discussing integrit, please join the appropriate mailing list.
project page
You can download sources or participate by visiting the project page.
libraries
integrit no longer uses the openssl library for cryptographic checksums. Instead, code adapted from the free gnupg is being used.

The Boehm garbage collection library (not required) is used for memory leak detection (not for garbage collection).

integrit's databases use the cdb database format, developed by D. J. Bernstein, but integrit does not require cdb to be installed.

A general hash table library, hashtbl, is included in integrit.

integrit is a simple tool in the spirit of the UN*X idea that each tool should do one thing and do it well. There are some realistic examples of how to use integrit in conjunction with other tools like awk, cron, and sendmail in the integrit distribution's "examples" directory.

It is my hope that users who have not yet used a file integrity verification system will use integrit because it is relatively easy to understand.

praise for integrit on Freshmeat.net:

by Karellen - Jan 6th 2001 17:15:58

This tool is pretty nice and it has most of the things I wanted from a file integrity verification system: constant datbases, file attributes like inode, pemissions, number of links, uid, gid, file size, access and modification times, and of course SHA checksums. It's statically linked with OpenSSL and CDB, so things don't get messed up if someone poisons your libs. Very simple config file syntax (syslog.conf like) and checksum generation for the current/known state database so you know if it's been tampered with. See the homepage for more info. Keep up the good work, I'd like to see this included in Debian ;*)

[note: integrit was added to debian soon after these comments were made.]

Read the SysAdmin Magazine web exclusive article on integrit.

the integrit file verification system is an independent project hosted by Sourceforge.