This manual corresponds to integrit version 3.02.
Copyright (C) 2000, 2001, 2002 Ed L. Cashin
Current copies should be available at the integrit homepage.
the integrit file verification system is an independent project hosted by Sourceforge.
The integrit system detects intrusion by detecting when trusted files have been altered.
By creating an integrit database (update mode) that is a snapshot of a host system in a known state, the host's files can later be verified as unaltered by running integrit in check mode to compare current state to the recorded known state. integrit can do a check and an update simultaneously.
Using a product like integrit for intrusion detection is a repeating process, involving something like the following activities:
This step can be done unattended, since the report that integrit generates at runtime includes the MD5 checksum of the newly-generated current-state database. The output should be directed to a remote host, e.g., via a trusted sendmail binary.
You may use a script to renice the integrit process and possibly do a sequence of runs, each with a different configuration file.
There is an example GUI viewer for integrit's XML output in the
examples directory of the distribution.
Below please find a description of the syntax of integrit's human-readable output format.
Here is a list of command-line arguments that may be used when invoking integrit:
-C {conffile}
-V
-h
-x
-u
-c
-N
-O
-q
-v
The configuration file determines what integrit does when it runs. For that reason, it should be kept on a secure medium, like a CD-ROM or a directory that's exported via read-only NFS from a tightly-secured machine.1
Please note that a trailing slash is never part of a filename, including directory names. A slash is a path separator, and any other use is not supported.
The following kinds of lines in the configuration file are ignored by
integrit: blank lines; lines consisting of whitespace only; lines
having the # character as the first non-whitespace character.
The location of the known database (which contains information about
the previous state of the host's files) is specified with a line like
this:
known=/root/databases/usr_known.cdb
The location of the current database (the one to be generated if
integrit is doing an update) is specified in a similar manner.
current=/root/databases/usr_current.cdb
The root of the filetree that integrit will cover is specified on a
line like this:
root=/usr
Integrit's file tree walk starts at the root. Everything integrit checks must be under the root. In the above example, the "/boot" directory will never be checked because it is not under /usr. You can specify slash as the root and then ignore lots of directories like /tmp, /proc, and /home, or you can use multiple configuration files.
To search multiple roots, use multiple configure files and launch multiple instances of integrit, either in sequence or in parallel, depending on your needs.
Rules in the configuration file tell integrit how to treat various parts
of the filesystem. You can tell integrit to ignore /proc, not to
do checksums on logfiles, not to descend into /home, to ignore
the modification time on /etc/issue, etc.
Whether or not integrit descends parts of the filetree, and whether or
not it does checksums, comparison of access times, etc., are specified
in a compact syntax (described below) on lines like these:
!/usr/local/useless
!/usr/mnt/nfs
=/usr/share/teTeX
/usr/local/var/log SIAM
We'll get into the nitty gritty in the following sections.
When integrit is running it can do several things. By specifying rules for integrit to follow, you can control its behavior. Each rule has an optional prefix or prefixes, a filename (or directory name), and a set of checks that integrit should or should not do.
A prefix comes before the filename and tells integrit something
!
It will cause integrit to pretend a file or directory isn't there.
# ignore the useless directory and its subdirectories
!/usr/local/useless
=
This is useful for telling integrit not to bother with certain parts
of a file tree.
# don't bother with old_project's subdirectories,
# but do perform normal checks on the directory itself
=/usr/local/share/old_project
You can cut down drastically on database size and integrit's runtime by ignoring parts of the filesystem that are not essential to the system, e.g., home directories.
In general, integrit is much easier to use on a daily basis if it's just
checking the most essential parts of a system. Some sysadmins, however,
have told me that they enjoy getting more in touch with their systems by
having integrit monitor almost everything!
$
# this redhat system updates /etc/issue on boot
# so we ignore modification and change time on /etc,
# but we still want to monitor mtime and ctime on
# some files and directories under this /etc.
$ /etc MC
A filename followed by a set of one-letter switches turns checks on
and off, for example:
# do check the access time, but don't do a checksum:
/usr/local/secret/text.txt aS
There are no spaces between the switches.
Upper case turns off a given check. Lower case turns it on.
When you turn off a check, e.g. by using S for "no checksums",
then all subdirectories inherit that option: no checksums are done.
You can always override switches that are inherited from parent directories. There is also a special dollar-sign prefix (described above) you can use to override the normal cascading behavior.
e.g., In the example below, all the stuff under /var/log won't have
checksums done, except all the files under /var/log/archives:
/var/log S
/var/log/archive s
Again, the upper case turns the check off, and the lower case turns it back on.
The default checks are these: checksum; inode; permissions; number of links; uid; gid; mtime; and ctime. You can overrule the defaults by specifying all switches for the root directory in the configuration file.
Here's a table of letters and the corresponding checks/options:
s
i
p
l
u
g
z
a
m
c
r
The human-readable format is intended for quick scanning on a viewer with a large number of columns (like an xterm with maximized width).
Other popular file integrity verification systems split the information between a list of files that have changed at the top of the report and a more detailed section showing the nature of the changes at the bottom of the report. Instead, integrit provides all the information for each file as it learns it.
Besides saving on runtime memory usage, the big advantage of this approach is that the person reading the output never has to skip to the end of the report to learn the exact nature of a change.
In this output format, messages from integrit have a specific prefix showing what kind of message it is:
The one-letter characters for options and checks (see table of checkset codes) is used in the human-readable output format for reporting corresponding changes.
For example, the switch for checking permissions is p. If
integrit notes that the file permissions have changed, in the output you
will see this kind of line:
changed: /etc/secret p(640:666)
That means that the permissions ("p") have changed from 640 to 666.
In general, the syntax is as follows:
changed: filename x(known:current)... where
x is the one-letter symbol showing what's changed
(see list of switches), "known" is
the value from the known database, and "current" is the state of the
file that integrit observed at runtime.
exceptions:
sym where the octal permissions (which would always
be "777") would be.
You can skip the preamble in the human-readable report by lowering the verbosity level with the "-q" command-line option.
Since version three, integrit's exit status indicates whether or not it found changes.
0
1
2
The integrit source distribution comes with two standalone tools. You do not need to be familiar with these tools in order to use integrit, but I personally find them to be very convenient once in a while.
The tools are i-viewdb and i-ls.
To detect file deletions, modifications, and creations, integrit saves information about your files in databases. i-viewdb is a standalone tool that allows you to view the information stored in integrit databases. It only has one option:
-s
i-viewdb [-s] {dbname}
... where "dbname" is the name of the integrit database for
i-viewdb to examine.
The output syntax is the same as that of integrit.
Examples:
i-viewdb integrit-foo.cdb | less... uses the "less" pager to view contents of the integrit database.
i-viewdb integrit-foo.cdb | awk '{ print $1 " " $8 }'
... look at the files and access times in the integrit database.
The integrit system detects intrusion by detecting when trusted files have been altered.
Integrit records information about files in a database when it does an update and compares that information to live files when it does a check.
The i-ls standalone tool allows the user to see that same
information for live files.
The output syntax is similar to that of integrit.
Options:
-s
It is invoked like this:
i-ls [-s] {filename|dirname} [filename|dirname] ...
You specify a filename for i-ls to examine, or you specify a directory to have i-ls examine all the files in the directory.
Examples:
i-ls /tmp/foo.txt /tmp/bar.txt... shows file stat attributes for the file,
/tmp/foo.txt
and also for /tmp/bar.txt.
i-ls /tmp... shows file stat attributes for all files in the directory,
/tmp.
i-ls -s /tmp... shows file stat attributes for all files in the directory,
/tmp, omitting SHA-1 checksum information.
Q: What about Win32 support?
A few people have asked about Win32 support. In short, go for it.
I'm not interested in using Win32, but by using Cygwin, djgpp, and or some other POSIX/UNIX emulation platform, you could probably have some success.
A helpful soul pointed out that it is still (Windows 2000) not possible to create a directory named "aux" in Windows (a DOS-ism like "prn" and "nul"), and so integrit's aux directory has been renamed to "utils" since version three to accomodate the limitation.
Please let us know how it goes. (integrit-users at lists.sf.net)
Q: What about regular expressions in the conf file?
It usually occurs to an integrit user at some point, "Wouldn't it be nice to use regular expressions in the integrit configuration file instead of literal paths?" The answer is that, yes, that would be convenient, but it isn't likely to happen.
The added runtime cost of compiling regular expression objects and evaluating all the pathnames would be substantial, and it would make integrit more complex. Better to leave integrit stable and simple and then list files explicitly in the configuration file.
After all, you have all kinds of unix tools (find, grep, etc.), that can help you create the configuration file by using regular expressions!
Q: Why does integrit scan /proc when I put "! /proc/" in the configuration file?
Trailing slashes aren't really part of a directory's name. Leave them out in the configuration file.
For example, to ignore /var/tmp, this will work:
! /tmp
... but this will not:
# WRONG: trailing slash
! /tmp/
Q: When I do a check only, -c and no -u, I get an error:
integrit: not doing update, so no check for missing files
Just use both "-c" and "-u". This is the fastest, simplest way to be able to check for missing files. If integrit is creating a new current-state database, then at the end of the run it has all the information it needs to tell you what files are missing.
The good news is that it takes almost the same amount of time to do check and update simultaneously as it would to do one or the other. wouldn't be gaining anything by running check by itself.
Q: Why does integrit crash on encountering files of greater than five gigabytes in size?
It's a platform-dependent thing.
Many Operating Systems are in the process of developing support for large files. If you see integrit fail when it encounters large files, then large file support is what you need.
Since version 3.02, integrit has large file support turned on by default (via the autoconf-generated configure script), but you still need to make sure your system can handle large files.
For Linux-based systems, there is a good document here:
http://www.suse.de/~aj/linux_lfs.html
In a nutshell, if you are using gcc and Linux, then if your using a 2.4.x and an ext2 filesystem that was created under a 2.4.x kernel, then you should be OK with integrit versions 3.02 and later.
For general information, here is a resource:
http://www.sas.com/standards/large.file/x_open.20Mar96.html
Your system should have documentation explaining how to get large file support.
Q: Wouldn't it be nicer if we could put multiple roots in one integrit config file?
A: Perhaps, but not much nicer, and it would complicate integrit internally.
Say you want to ignore all of /usr/local in your integrit-root.conf configuration file, but you want to check /usr/local/etc. You can create another configuration file, integrit-usr_local_etc.conf, with "root=/usr/local/etc" in it.
Then simply run integrit twice. You can even run two integrits in parallel if /usr/local/etc is on a different device than the other areas and you have the CPU and memory to spare.
It is very easy to generate multiple configuration files from a master configuration file using UN*X tools. It's also easy to create a statically-linked program that does fork and execl to run multiple integrits. So if you really want one command and one configuration file, you can do it. In fact, if you ask nicely on the integrit-users mailing list, someone might add examples to the integrit distribution! ;)
To get the latest integrit, check the integrit homepage:
http://integrit.sourceforge.net/
There are many resources at integrit's project page on sourceforge,
including mailing lists and a web-interface for the source in CVS.
http://sourceforge.net/projects/integrit
Copyright © 1989, 1991 Free Software Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111, USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.
The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by the GNU Library General Public License instead.) You can apply it to your programs, too.
When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things.
To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it.
For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights.
We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software.
Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations.
Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all.
The precise terms and conditions for copying, distribution and modification follow.
Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does.
You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee.
These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it.
Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program.
In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License.
The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable.
If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code.
If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances.
It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice.
This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License.
Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation.
If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms.
To do so, attach the following notices to the program. It is safest
to attach them to the start of each source file to most effectively
convey the exclusion of warranty; and each file should have at least
the "copyright" line and a pointer to where the full notice is found.
one line to give the program's name and an idea of what it does. Copyright (C) 19yy name of author This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
Also add information on how to contact you by electronic and paper mail.
If the program is interactive, make it output a short notice like this
when it starts in an interactive mode:
Gnomovision version 69, Copyright (C) 19yy name of author Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. This is free software, and you are welcome to redistribute it under certain conditions; type `show c' for details.
The hypothetical commands show w and show c should show
the appropriate parts of the General Public License. Of course, the
commands you use may be called something other than show w and
show c; they could even be mouse-clicks or menu items--whatever
suits your program.
You should also get your employer (if you work as a programmer) or your
school, if any, to sign a "copyright disclaimer" for the program, if
necessary. Here is a sample; alter the names:
Yoyodyne, Inc., hereby disclaims all copyright interest in the program `Gnomovision' (which makes passes at compilers) written by James Hacker. signature of Ty Coon, 1 April 1989 Ty Coon, President of Vice
This General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library. If this is what you want to do, use the GNU Library General Public License instead of this License.
Your kernel may also support read-only files on the localhost. The FreeBSD kernel, for example, when running in higher security levels, honors the "immutable" file attribute. On such a system you could keep integrit's known database locally, but you'd have to install it in single-user mode.
You will only see missing files reported if you're running update and check at the same time. Otherwise integrit won't know both necessary facts: the file existed in the past and isn't there now.