INLS 183 - September 30, 2002
Updated for INLS 187 March 26, 2003
Greg Newby

Integrit: File Integrity Checking
---------------------------------

Overview: Integrit is similar to Tripwire. It builds a database of file
checksums, and can check a current file's status against that database.

1. General Integrit information at Integrit's home:
   http://sourceforge.net/projects/integrit/

2. Follow the links to download; I got my copy via
   http://unc.dl.sourceforge.net/sourceforge/integrit/integrit-3.02.00.tar.gz

3. tar xzf integrit-3.02.00.tar.gz ; cd integrit-3.02

4. Take a look at the INSTALL file for instructions.

5. It looks like a default install is about right:
   ./configure
   make
   make install    (as root)

6. To work, I need a configuration file. There are some examples in the
   "examples" subdirectory of the integrit installation directory. I
   arbitrarily chose to put my configuration file in
   /usr/local/etc/integrit.conf:
   cd examples
   cp root.conf /usr/local/etc/integrit.conf    (as root)

7. I needed to edit /usr/local/etc/integrit.conf and make a few changes.
   Basically, I put the known (secure) database on /mnt/cdrom, and the
   current (snapshot) database in /usr/local/etc

8. Let's try it:
   /usr/local/sbin/integrit -u -C /usr/local/etc/integrit.conf    (as root)
   This takes a while... I could trim /usr/local/etc/integrit.conf to check
   fewer things, perhaps.

   *** FOR THESE NEXT FEW STEPS, YOU COULD SKIP USING A CD AND JUST USE
   *** A FILE ON A HARD DRIVE, FOR DEMONSTRATION PURPOSES.
   *** Why is this not good security practice in real life, though?

9. I copied the output file to a writable CD on another system:
   /usr/local/etc/integrit-peabody.cdb.new

10. I put the CD in peabody, and mounted it ("mount /mnt/cdrom" as root)

11. Let's actually compare with an integrit check (as root):
    /usr/local/sbin/integrit -c -C /usr/local/etc/integrit.conf
    This listed all the changes since I had run the initial command above,
    and included some device files and things that really shouldn't be
    tracked.

12. At this point, things work. I tuned /usr/local/etc/integrit.conf and
    reran steps 8-11 until I got reasonable output.

13. In root's crontab I scheduled a daily run at midnight:
    0 0 * * * /usr/local/sbin/integrit -c -C /usr/local/etc/integrit.conf
    Output will go to me EVERY DAY, and I must read it to see what's going
    on. Periodically, I'll update integrit.conf and/or re-run the -u option
    above to re-create the database, otherwise I'll be overwhelmed by output
    detailing legitimate changes.
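The update/check workflow of steps 8-12, as an added Python example that is not part of these notes and not integrit's own code: it builds a checksum database of the regular files under a directory (skipping device nodes and the directories you choose to exclude, which is what the integrit.conf tuning in step 12 accomplishes) and then diffs a trusted database against a fresh snapshot. The function names, the in-memory database layout and the SHA-256 choice are my own assumptions.

```python
import hashlib
import os
import stat


def hash_file(path):
    """SHA-256 of the file contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(root, exclude=()):
    """Snapshot regular files under root: relative path -> {sha256, mode, size}.
    Devices, sockets, FIFOs and symlinks are skipped (they only add noise, as
    step 11 showed); `exclude` holds relative directory paths to prune."""
    db = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        # Prune excluded directories in place so os.walk never descends into them.
        dirnames[:] = [d for d in dirnames
                       if os.path.normpath(os.path.join(rel_dir, d)) not in exclude]
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            db[os.path.normpath(os.path.join(rel_dir, name))] = {
                "sha256": hash_file(path),
                "mode": oct(stat.S_IMODE(st.st_mode)),
                "size": st.st_size,
            }
    return db


def compare(known, current):
    """Diff the trusted database (the copy kept on read-only media) against a
    fresh snapshot, listing what was added, removed, or changed and how."""
    report = {"added": [], "removed": [], "changed": {}}
    for rel in sorted(set(known) | set(current)):
        if rel not in known:
            report["added"].append(rel)
        elif rel not in current:
            report["removed"].append(rel)
        elif known[rel] != current[rel]:
            report["changed"][rel] = [
                k for k in known[rel] if known[rel][k] != current[rel][k]]
    return report
```

Like integrit, this is only trustworthy if the "known" database cannot be rewritten by whoever changed the files, which is why the notes put it on a CD.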