{"id":3960,"date":"2015-12-19T01:33:48","date_gmt":"2015-12-18T17:33:48","guid":{"rendered":"https:\/\/www.darknet.org.uk\/?p=3960"},"modified":"2015-12-19T01:33:58","modified_gmt":"2015-12-18T17:33:58","slug":"integrit-file-verification-system","status":"publish","type":"post","link":"https:\/\/www.darknet.org.uk\/2015\/12\/integrit-file-verification-system\/","title":{"rendered":"Integrit – File Verification System"},"content":{"rendered":"
Integrit is a file verification system, a simple yet secure alternative to products like tripwire. It has a small memory footprint, uses up-to-date cryptographic algorithms, and has features that make sense (like including the MD5 checksum of newly generated databases in the report).<\/p>\n
<\/p>\n
The Integrit system detects intrusion by detecting when trusted files have been altered.<\/p>\n
By creating an Integrit database (update mode) that is a snapshot of a host system in a known state, the host’s files can later be verified as unaltered by running integrit in check mode to compare current state to the recorded known state. Integrit can do a check and an update simultaneously.<\/p>\n
Other options are:<\/p>\n
– AIDE \u2013 Advanced Intrusion Detection Environment<\/a> Using a product like Integrit for intrusion detection is a continuous process, involving a sequence something like the following:<\/p>\n *<\/strong> You may use a script to renice the Integrit process and possibly do a sequence of runs, each with a different configuration file.<\/em><\/p>\n The human-readable format is intended for quick scanning on a viewer with a large number of columns (like an xterm with maximized width).<\/p>\n Other popular file integrity verification systems split the information between a list of files that have changed at the top of the report and a more detailed section showing the nature of the changes at the bottom of the report. Instead, integrit provides all the information for each file as it learns it.<\/p>\n Besides saving on runtime memory usage, the big advantage of this approach is that the person reading the output never has to skip to the end of the report to learn the exact nature of a change.<\/p>\n You can download integrit here:<\/p>\n
\n– Tiger \u2013 Unix Security Audit & Intrusion Detection Tool<\/a>
\n– Samhain v.2.5.9c \u2013 Open Source Host-Based Intrusion Detection System (HIDS)<\/a>
\n– OSSEC HIDS \u2013 Open Source Host-based Intrusion System<\/a><\/p>\nUsage<\/h3>\n
\n
Output<\/h3>\n