integrit-users Mailing List for integrit file verification system (Page 3)
From: Antoine <abo...@ya...> - 2005-04-22 12:56:54

Hello all,

I just did a classic chown -R root:root .* and now my whole filesystem is owned by root. Some apps like the mailer daemon or MySQL don't seem to like that very much. (Users wouldn't like that very much either, but luckily I'm the only user on that system.. :)

Now I have a good integrit database from last night, and I'm thinking that it could help me undo the changes at least on /usr, /bin etc. So I'm looking for a script that can parse the changes output by integrit and revert the affected files to the last known good state. Maybe someone here had to write such a thing in the past or can point me in the right direction? A quick web search didn't yield anything.

All that interests me really is the changes in ownership, and optionally mtime/atime.

thanks,
antoine
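A script of the sort Antoine is asking for, added here as an example rather than anything from integrit or this thread: it reads an integrit check report and turns the ownership changes back into chown commands that can be reviewed before they are run. It assumes the human-readable report writes ownership changes as u(OLDUID:NEWUID) and g(OLDGID:NEWGID), the same old:new form the m() and c() fields take in reports quoted elsewhere on this list.

```shell
#!/bin/sh
# restore-owners.sh: rebuild chown commands from an integrit check report.
# Example added for this thread; not part of integrit's own distribution.
#
# Assumed report format (same old:new layout as the m() and c() fields in
# reports posted on this list):
#   changed: /usr/bin/ls u(1001:0) g(100:0) m(...)
# Run integrit with -c only (no -u), so the known database from before the
# accident is not overwritten by the broken current state.
# Limitation: paths containing whitespace are split by awk and are skipped.

# Print "OLDUID:OLDGID PATH" for each changed: line carrying a u() or g()
# field. A field that did not change stays empty, so a group-only change
# prints ":OLDGID PATH", which chown accepts as "group only".
ownership_changes() {
    awk '
    $1 == "changed:" && NF >= 3 {
        path = $2; uid = ""; gid = ""
        for (i = 3; i <= NF; i++) {
            f = $i
            if (f ~ /^u\([0-9]+:[0-9]+\)$/) {
                split(substr(f, 3, length(f) - 3), p, ":"); uid = p[1]
            } else if (f ~ /^g\([0-9]+:[0-9]+\)$/) {
                split(substr(f, 3, length(f) - 3), p, ":"); gid = p[1]
            }
        }
        if (uid != "" || gid != "") printf "%s:%s %s\n", uid, gid, path
    }'
}

# Turn the list into chown commands restricted to one tree (e.g. /usr), so
# the known database is only applied where it is trusted, and print them
# rather than running them: the plan should be read before it is applied.
plan_restore() {
    prefix=$1
    ownership_changes | while read -r owner path; do
        case $path in
            "$prefix"/*|"$prefix") printf 'chown -h %s %s\n' "$owner" "$path" ;;
        esac
    done
}

# Usage: integrit -C conf -c > report.txt
#        sh restore-owners.sh /usr < report.txt         # show the plan
#        sh restore-owners.sh /usr apply < report.txt   # run it as root
if [ $# -ge 1 ]; then
    if [ "${2-}" = apply ]; then
        plan_restore "$1" | sh -e
    else
        plan_restore "$1"
    fi
fi
```

Because the report only lists files whose owner or group differs from the known database, files that already had the right owner produce no command.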
From: Marcin O. <mar...@bg...> - 2005-04-09 21:09:51

Hi,

I've been using integrit successfully for 2 years now but recently I tried to set it up to monitor my /srv directory as follows:

file /etc/integrit/srv.list:
---------------------------------------
root=/srv
known=/var/lib/integrit/srv.cdb
current=/var/lib/integrit/srv-current.cdb

/srv SIPLUGzAMC
---------------------------------------

I've set it that way cos /srv directory contains some huge files and I'd like to cut down the runtime by avoiding unnecessary checks. I just want to know if the file is still there or is removed and its size. Plain as that, nothing more.

And the problem is that when invoked by:

integrit -C /etc/integrit/srv.list -u

integrit merely ignores all of my settings that should omit unwanted checks and produces output similar to the one here:

/srv/filename i(5187) p(660) l(1) u(0) g(25) z(2342320) a(20040121-021359) m(20020314-225656) c(20040311-050315)

in each line. Why? I only wanted the filesize. Is there anything I'm doing wrong?

--
Best regards,
Martin Orda
http://www.securityshells.com
From: Raik L. <Rai...@GM...> - 2005-01-10 13:00:33

I have made a check with integrit after I deleted many files (about 30.000) on my Windows "E" partition. By this check, integrit crashes. Up to now integrit always ran fine on my system and never crashed.

This is the conf file:

known=./dat/mnt-e.odb
current=./dat/mnt-e.ndb
root=/mnt/e

/mnt/e sIMC
!/mnt/e/pagefile.sys
!/mnt/e/temp

The old database file is about 7MB, the new database file is about 300kB (because of the many deleted files). I thought that this could be the reason, but Ed L. Cashin doesn't think so.

Integrit crashes at the end of its task, comparing the new database with the old one:

open("./dat/mnt-e.ndb", O_RDONLY|O_NONBLOCK|O_LARGEFILE) = 9
munmap(0x45ff0000, 1979645953) = 0
fstat64(9, {st_mode=S_IFREG|0640, st_size=344566, ...}) = 0
mmap2(NULL, 344566, PROT_READ, MAP_SHARED, 9, 0) = 0xb7fab000
--- SIGSEGV (Segmentation fault) ---
+++ killed by SIGSEGV +++

I have noticed that /proc/meminfo shows an increasing "Dirty" value a few seconds before integrit crashes.

normal state:                    Dirty: 4 kB
14 seconds before integrit crashes: Dirty: 40 kB
13 seconds until crash:          Dirty: 112 kB
6 seconds:                       Dirty: 108 kB
5:                               Dirty: 964 kB
4:                               Dirty: 2328 kB
3:                               Dirty: 2584 kB
2:                               Dirty: 5528 kB
crash:                           Dirty: 8600 kB

I could reproduce the crash 2 times. The strace and the meminfo are from these runs. Now integrit runs fine, I can't reproduce the crash anymore.

My system: RedHat 8.0, Kernel 2.6.9 (kernel.org), gcc version 3.2.2; glibc-2.2.93-5.

My question is: Has anybody seen this bug before and has an idea what the reason is?!

Bye!
Raik
From: Ed L C. <ec...@ug...> - 2004-04-27 16:37:19

"Wahid Sharif" <wah...@pl...> writes:

> Hi,
>
> I have installed integrit-3.02 on Solaris 8. How do I get integrit to email
> me if there is a file modification. I know on Linux/Debian you can modify
> the conf files with your email address but don't know how you do it on
> Solaris. Thanks for your help.

Integrit doesn't do email, so you can use any method you want. There are examples in the "examples" directory of integrit's source distribution. See especially examples/crontab and examples/integrit_check.

Also, you can find out what the debian package does.

--
--Ed L Cashin | PGP public key: ec...@ug... | http://noserose.net/e/pgp/
From: Wahid S. <wah...@pl...> - 2004-04-27 16:09:00

Hi,

I have installed integrit-3.02 on Solaris 8. How do I get integrit to email me if there is a file modification. I know on Linux/Debian you can modify the conf files with your email address but don't know how you do it on Solaris. Thanks for your help.

Thanks,
Wahid Sharif
Systems Administrator
Placemark Investments
Phone: 972-404-8100 X32
From: Ed L C. <ec...@ug...> - 2004-04-21 18:27:11

"Wahid Sharif" <wah...@pl...> writes:

> Hi,
>
> I am trying to install integrit 3.02 on Solaris 8. When I run "make
> install", I get
>
> >>> installing documentation: cd doc && make install
> installing manpage i-ls.1 in /usr/local/man/man1
> installing manpage i-viewdb.1 in /usr/local/man/man1
> installing manpage integrit.1 in /usr/local/man/man1
> installing integrit.info in /usr/local/info
> sh: !: not found
> sh: install-info: not found
...
> Any help on this will be greatly appreciated.

Huh. That part of the build is hard to make portable because I'm trying to be GNU-compliant by using install-info. Unfortunately there are a couple of different install-info's out there...

Anyway, there are a couple of things you can do. One quick fix is to simply change the doc/Makefile line:

install : install-man install-info

... so that it doesn't do the install-info target:

install : install-man # install-info

Then you can install the texinfo documentation yourself as you like.

--
--Ed L Cashin | PGP public key: ec...@ug... | http://noserose.net/e/pgp/
From: Wahid S. <wah...@pl...> - 2004-04-21 15:56:48

Hi,

I am trying to install integrit 3.02 on Solaris 8. When I run "make install", I get

>>> installing documentation: cd doc && make install
installing manpage i-ls.1 in /usr/local/man/man1
installing manpage i-viewdb.1 in /usr/local/man/man1
installing manpage integrit.1 in /usr/local/man/man1
installing integrit.info in /usr/local/info
sh: !: not found
sh: install-info: not found
*** Error code 1
make: Fatal error: Command failed for target `install-info'
Current working directory /usr/share/src/integrit-3.02/doc
*** Error code 1
make: Fatal error: Command failed for target `install'

Any help on this will be greatly appreciated.

Thanks,
Wahid Sharif
Systems Administrator
Placemark Investments
Phone: 972-404-8100 X32
From: Ed L C. <ec...@ug...> - 2004-03-17 16:54:09

[copied to integrit-users mailing list]

Brian Wotring <br...@sh...> writes:

> I'm writing an article on host integrity monitoring practices and
> would like to know what platforms are officially supported by
> Integrit.

In general, it shouldn't be meaningful to "officially" support platforms unless there's some kind of contractual support agreement. The ISO has defined C semantics clearly and POSIX has defined system behavior somewhat clearly, so integrit should build and run fine on any conforming platform.

In practice, integrit runs on many platforms because it is written portably. The current (CVS) version surely runs on more platforms than I probably know. I've heard of more than I can remember, but here are a few:

Linux (no arch restrictions I know of)
Windows XP with Cygwin
HPUX
Solaris
FreeBSD

I think it runs on Tru64 UNIX, but there are some ongoing issues, so don't quote me on that.

Folks who are using integrit on other platforms or have heard of it being used successfully elsewhere, could you respond to the list and Cc Mr. Wotring?

--
--Ed L Cashin | PGP public key: ec...@ug... | http://noserose.net/e/pgp/
From: Ed L C. <ec...@ug...> - 2004-02-27 02:06:24

Hi, Matt.

The only thing that comes to mind is that you might not be using the configuration file(s) that you think you are.

A good way to handle this kind of confusing problem is to try to find the most simple way to reproduce it. Often, along the way you find out the true nature of the problem.

--
--Ed L Cashin
PGP public key: http://noserose.net/e/pgp/
From: <int...@ma...> - 2004-02-26 16:51:11

Hello,

for some reason, integrit seems to have started ignoring my prefixes on my config files. For example:

=/var/spool/cron MC
=/var/spool/postfix MC
!/mrlewvar
!/mrlewdatabase

I would expect these directories to be checked for everything except mod time:

/var/spool/cron
/var/spool/postfix

And to completely ignore these directories:

/mrlewvar
/mrlewdatabase

Which has been the case since I set the rules up. Then 2 days ago I started getting loads of 'new:' lines in my output:

new: /mrlewvar/spool/postfix/defer/8/896EDDAB75 p(600) u(1001) g(100) z(84) m(20040226-062818)
changed: /mrlewvar/spool/postfix/defer/9 m(20040225-145428:20040226-061138) c(20040225-145428:20040226-061138)
new: /mrlewvar/spool/postfix/defer/9/94698DAB76 p(600) u(1001) g(100) z(85) m(20040226-061138)
changed: /mrlewvar/spool/postfix/defer/9/9E927DAB72 s(79b59cbcba5b11f227fe29403f5ed8cc0a605ef2:d05577dd1ff958a2887df791d21d0332d1e5e8a7)
changed: /mrlewvar/spool/postfix/defer/9/9E927DAB72 m(20040225-145458:20040226-055458) c(20040225-145458:20040226-055458)

The reason that there are some changed ones in there is because I thought maybe I'd messed up a config update or something so I made some new databases (same ruleset), but as integrit seems to be ignoring the ignore lines, these are now part of the db.

I've racked my brains to think if ANYTHING has changed, but this is happening on 2 machines with independent config files. I use integrit on 4 machines and the other 2 haven't reported anything like this.

So I looked at the conf files to find other ! preceded lines, for example /mnt on my firewall. I did touch /mnt/cdrom/test and reran the check. It didn't pick up any new files...

I can't understand it at all - any clues gratefully received!

Matt

--
We do not see things as they are, we see things as we are. - old talmudic saying
From: Ed L C. <ec...@ug...> - 2004-02-23 00:31:16

Barry Rountree <rou...@ug...> writes:

> Mandrake 9.2 (w/ updates)
> integrit 3.02
>
> ./configure && make gives:
>
> gcc -L. -Lhashtbl -static -o integrit main.o options.o xml.o eachfile.o
> rules.o checkset.o missing.o xstrdup.o cdb_put.o cdb_get.o elcwft.o cdb.o
> cdb_make.o cdb_hash.o md5.o -lhashtbl -lintegrit
> /usr/bin/ld: cannot find -lc
> collect2: ld returned 1 exit status
> make: *** [integrit] Error 1
>
> Ed mentioned in a private email that this was most likely caused by not having
> a static libc. I've verified that, but would have expected autoconf to
> notice that and die loudly.

Hi, Barry. It's probably my fault, not autoconf's. Does the configure in the CVS version of integrit work correctly (complaining about the lack of static libc) on your system? Here's a page that has directions for getting the CVS version:

http://sourceforge.net/cvs/?group_id=15369

--
--Ed L Cashin | PGP public key: ec...@ug... | http://noserose.net/e/pgp/
From: Barry R. <rou...@ug...> - 2004-02-21 17:15:04

Mandrake 9.2 (w/ updates)
integrit 3.02

./configure && make gives:

gcc -L. -Lhashtbl -static -o integrit main.o options.o xml.o eachfile.o rules.o checkset.o missing.o xstrdup.o cdb_put.o cdb_get.o elcwft.o cdb.o cdb_make.o cdb_hash.o md5.o -lhashtbl -lintegrit
/usr/bin/ld: cannot find -lc
collect2: ld returned 1 exit status
make: *** [integrit] Error 1

Ed mentioned in a private email that this was most likely caused by not having a static libc. I've verified that, but would have expected autoconf to notice that and die loudly.

Thanks,
Barry
From: Ed L C. <ec...@ug...> - 2003-09-02 15:03:09

int...@tt... writes:

> Hi List,
>
> First off, to the developers who read this - thanks. I've been using
> integrit for 2 years and I think it does the job great. It's saved my
> skin more than once.

Great!

> Now I'm starting to use it to detect file system corruption instead of
> for security. At the moment I just want to check one directory on this
> huge drive. The directory contains 4000 files, and are about 12MB
> each, for a total of 46GB of data.
>
> I'm only interested in looking at the md5sum at the moment, and
> things were taking a long time. Anyway - I've tried to edit the
> config file so that it in effect does nothing (by turning off all
> flags). It still takes a long time to run[2] - why?
>
> Here's my config for integrit 2.01:

That version is a bit old. I had to check the Changes file to remind myself of what it was like.

>
> ----
> root=/mighty/files
> current=/nutter/data/perl/localintegrit/mighty.current.db
> known=/nutter/data/perl/localintegrit/mighty.known.db
>
> /mighty/files SIPLUGZAMCR #shouldn't this turn off all checking?

It turns off all the operations. The prefixes control which files integrit visits, like ! and =.

> ----
>
> Another question. I want to use the latest integrit - but I've got a
> load of scripts in place to do the work and I'm wondering if the
> interface or behaviour has changed at all. I've read the changelog and
> can't find anything - but it can't hurt to ask!

Did you read the "Changes" file? It should have everything significant, including points where the version number changed.

I think the main thing is that the exit status behavior changed. It used to use zero if no errors occurred and 1 if an error occurred, where an error means integrit was unable to do its job. Now the exit status is (from texinfo docs):

`0'
     When integrit returns zero to the process that started integrit, it means that no changes were detected. (Unless you are doing a check, no changes will be detected.)

`1'
     An exit status of one means that changes were detected but no errors were encountered. (An error is a failure condition that prevents integrit from doing its job.)

`2'
     Two signifies that an error occurred, and integrit was not able to do its job.

--
--Ed L Cashin | PGP public key: ec...@ug... | http://noserose.net/e/pgp/
From: <int...@tt...> - 2003-08-28 19:18:47

Hi List,

First off, to the developers who read this - thanks. I've been using integrit for 2 years and I think it does the job great. It's saved my skin more than once.

Now I'm starting to use it to detect file system corruption instead of for security. At the moment I just want to check one directory on this huge drive. The directory contains 4000 files, and are about 12MB each, for a total of 46GB of data.

I'm only interested in looking at the md5sum at the moment, and things were taking a long time. Anyway - I've tried to edit the config file so that it in effect does nothing (by turning off all flags). It still takes a long time to run[2] - why?

Here's my config for integrit 2.01:

----
root=/mighty/files
current=/nutter/data/perl/localintegrit/mighty.current.db
known=/nutter/data/perl/localintegrit/mighty.known.db

/mighty/files SIPLUGZAMCR #shouldn't this turn off all checking?
----

Another question. I want to use the latest integrit - but I've got a load of scripts in place to do the work and I'm wondering if the interface or behaviour has changed at all. I've read the changelog and can't find anything - but it can't hurt to ask!

Thanks for any enlightenment, and please CC replies to me.

Matt

--
Never argue with an idiot. They drag you down to their level, then beat you with experience - anon
From: Scott A. <sco...@ma...> - 2003-08-24 05:26:46

You need to already have a known database on the machine. So the first time you run integrit, only run it in update mode. Then rename the current.db to the filename for the known.db, ie:

mv -f /my/dir/[current].cdb /my/dir/[known].cdb

replacing the words in brackets with the actual file names. Then after that you can run it in update check mode...

On Sat, 2003-08-23 at 23:17, int...@li... wrote:

> Message: 1
> From: svi...@ya...
> To: int...@li...
> Date: Sun, 24 Aug 2003 03:19:04 +0200
> Subject: [Integrit-users] how to make known db ?
>
> hi, I have a problem to make the known db, look:
> --------------------------------------------------------------
> downhill:~# integrit -cu -C /etc/integrit/integrit.conf
> integrit: ---- integrit, version 3.02 -----------------
> integrit: output     : human-readable
> integrit: conf file  : /etc/integrit/integrit.conf
> integrit: known db   : /var/lib/integrit/known.cdb
> integrit: current db : /var/lib/integrit/current.cdb
> integrit: root       : /
> integrit: do check   : yes
> integrit: do update  : yes
> integrit (open_known_cdb): Error: opening known-state database
> (/var/lib/integrit/known.cdb): No such file or directory
> downhill:~# ls -l /var/lib/integrit/
> total 10080
> -rw-r----- 1 root root 10279535 Aug 24 02:48 current.cdb
> downhill:~# grep -v ^# /etc/integrit/integrit.conf
> root=/
> known=/var/lib/integrit/known.cdb
> current=/var/lib/integrit/current.cdb
> !/proc
> --------------------------------------------------------------------
>
> what's my mistake ?
>
> Thx Luca.
From: <svi...@ya...> - 2003-08-24 01:24:16

hi, I have a problem to make the known db, look:
--------------------------------------------------------------
downhill:~# integrit -cu -C /etc/integrit/integrit.conf
integrit: ---- integrit, version 3.02 -----------------
integrit: output     : human-readable
integrit: conf file  : /etc/integrit/integrit.conf
integrit: known db   : /var/lib/integrit/known.cdb
integrit: current db : /var/lib/integrit/current.cdb
integrit: root       : /
integrit: do check   : yes
integrit: do update  : yes
integrit (open_known_cdb): Error: opening known-state database
(/var/lib/integrit/known.cdb): No such file or directory
downhill:~# ls -l /var/lib/integrit/
total 10080
-rw-r----- 1 root root 10279535 Aug 24 02:48 current.cdb
downhill:~# grep -v ^# /etc/integrit/integrit.conf
root=/
known=/var/lib/integrit/known.cdb
current=/var/lib/integrit/current.cdb
!/proc
--------------------------------------------------------------------

what's my mistake ?

Thx Luca.
From: Ed L C. <ec...@ug...> - 2003-08-02 03:49:00

Scott Anderson <sco...@ma...> writes:

> I am still having problems with my script for integrit. I am trying to
> pipe the output from integrit into a text file. Then if the exit code
> for grep is 1 I want grep to send me an email that tells me what's
> up... here's how I am trying to do it...
>
> /usr/local/sbin/integrit -C $config -c | /root/integrit1.txt

This is really a shell scripting question. There's a usenet newsgroup specifically dedicated to this kind of thing:

comp.unix.shell

Right off the bat, though, it looks like you are trying to pipe the output of integrit to a text file. Pipes, though, are for connecting processes. Since the text file isn't a process, you can't use a pipe. You can simply redirect the output into the text file, though. With a bourne-shell flavor of shell (like bash, for instance), you could change the above line to this:

/usr/local/sbin/integrit -C $config -c > /root/integrit1.txt 2>&1

> if [ $? = "1" ]; then
> (printf "To: $recipient\nSubject: Integrit found a change\n\n");
> /bin/grep changed integrit1.txt | /usr/lib/sendmail -t ||
> exit 1
elif test $? != "0"; then
    # send mail about the error
> fi

--
--Ed L Cashin
PGP public key: http://noserose.net/e/pgp/
From: Scott A. <sco...@ma...> - 2003-08-01 21:45:21

I am still having problems with my script for integrit. I am trying to pipe the output from integrit into a text file. Then if the exit code for grep is 1 I want grep to send me an email that tells me what's up... here's how I am trying to do it...

/usr/local/sbin/integrit -C $config -c | /root/integrit1.txt
if [ $? = "1" ]; then
    (printf "To: $recipient\nSubject: Integrit found a change\n\n");
    /bin/grep changed integrit1.txt | /usr/lib/sendmail -t ||
    exit 1
fi

can someone help me with that??

Thanks a lot
From: Ed L C. <ec...@ug...> - 2003-07-30 14:46:32

RD...@al... (Ross Druker) writes:

> I'm not sure what you mean when you say integrit sends mail -- integrit doesn't
> send mail, it only reports the results of its file checks and sets its return
> code. 0 = no changes found, no errors.
>
> I run integrit from a script and check the return code. If it is non-zero, the
> script sends mail.

This works for recent versions of integrit. If your integrit supports the exit code feature the docs will say so.

If you know C, you can read the "Exit Status" section of the documentation and then modify examples/integrit-run.c to fit your needs. If you don't know C, or if you prefer, you could use a script to do the same thing.

One disadvantage of only getting mail when differences are found is that you won't know if your integrit job stops running for some reason, or if the mail fails to send, or whatever.

--
--Ed L Cashin | PGP public key: ec...@ug... | http://noserose.net/e/pgp/
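A cron wrapper that applies the exit-status rules Ed quotes from the texinfo docs above (0 no changes, 1 changes, 2 error), captures the report with a redirect rather than a pipe as in his earlier reply, and mails on every run so a job that has stopped running is noticed, the disadvantage he points out here. This is an added example, not integrit's own examples/integrit_check or integrit-run.c; the integrit and sendmail paths are assumed defaults to adjust.

```shell
#!/bin/sh
# integrit-report.sh: run an integrit check from cron and mail the outcome.
# Example added for this thread; not integrit's examples/integrit_check.
# Assumed paths (adjust): the integrit binary and a sendmail accepting -t.
INTEGRIT=${INTEGRIT:-/usr/local/sbin/integrit}
SENDMAIL=${SENDMAIL:-/usr/lib/sendmail}

# Map integrit's exit status to a verdict, using the documented meaning:
# 0 = no changes, 1 = changes but no error, 2 = error. Any other value
# (killed by a signal, binary missing, shell error 126/127) is an error
# too, so a broken job can never be mistaken for "no changes".
verdict() {
    case $1 in
        0) echo unchanged ;;
        1) echo changed ;;
        *) echo error ;;
    esac
}

# Subject line: $1 verdict, $2 host name, $3 raw exit status.
subject() {
    case $1 in
        unchanged) echo "integrit on $2: OK, no changes" ;;
        changed)   echo "integrit on $2: CHANGES DETECTED" ;;
        *)         echo "integrit on $2: ERROR (exit status $3)" ;;
    esac
}

# Run the check and keep stdout and stderr in $2. This is a redirection,
# not a pipe: a file is not a process, so "| file" cannot work. The
# function's return value is integrit's own exit status.
run_check() {
    "$INTEGRIT" -C "$1" -c > "$2" 2>&1
}

# Mail every run, including the quiet ones. An "OK" mail that stops
# arriving is the only signal that cron, the mailer or integrit itself
# has broken; mailing only on changes hides that silently.
main() {
    conf=$1
    recipient=${2:-root}
    host=$(uname -n)
    out=$(mktemp "${TMPDIR:-/tmp}/integrit.XXXXXX") || exit 2
    run_check "$conf" "$out"
    status=$?
    v=$(verdict "$status")
    {
        printf 'To: %s\nSubject: %s\n\n' "$recipient" "$(subject "$v" "$host" "$status")"
        if [ "$v" = unchanged ]; then
            echo "integrit -C $conf -c finished at $(date) with no changes."
        else
            cat "$out"
        fi
    } | "$SENDMAIL" -t
    rm -f "$out"
    return "$status"
}

# Usage (from crontab): integrit-report.sh /etc/integrit/integrit.conf admin@example.com
if [ $# -ge 1 ]; then
    main "$@"
fi
```

The script exits with integrit's own status, so cron or a calling script can still branch on it after the mail has gone out.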
From: <RD...@al...> - 2003-07-30 14:09:06

I'm not sure what you mean when you say integrit sends mail -- integrit doesn't send mail, it only reports the results of its file checks and sets its return code. 0 = no changes found, no errors.

I run integrit from a script and check the return code. If it is non-zero, the script sends mail.

Ross

On Jul 30, 8:58am, int...@li... wrote:
> Subject: [Integrit-users] only getting e-mails when it is important
> Right now integrit sends an e-mail every time it is run... is there a way to make it so that integrit only sends an e-mail when there are file changes?
>
> Th
>-- End of excerpt from int...@li...

--
Ross Druker
Rohm and Haas Co.
RD...@Ro...
Philadelphia, PA
(215) 592-3281
The opinions expressed are mine and not those of Rohm and Haas Company.
From: <sco...@ma...> - 2003-07-30 12:58:19

Right now integrit sends an e-mail every time it is run... is there a way to make it so that integrit only sends an e-mail when there are file changes?

Th
From: Ed L C. <ec...@ug...> - 2003-07-26 15:24:40

sco...@ma... writes:

> Can somebody help me with another problem I am having. I am trying to
> narrow the list of files that integrit is checking down a
> lot. Integrit is going to be used on a server for a small business
> that hosts its own e-mail and webserver. Plus all that other stuff
> like DHCP and DNS and whatnot. So my question I guess is, what files
> are absolutely critical to protect? I need to check as many files as I
> can without having it take up too large an amount of system resources,
> but also without making integrit ineffective in what it was made to
> do.
>
> My goal is to have integrit run every 10 minutes or so, then e-mail me
> of any changes that happened to the files I was checking, or e-mail me
> to say that everything is fine.

This is probably something that every sysadmin has to fine tune. Some general guidelines for a minimal check might be --

* check essential system configuration files like those in /etc
* check init scripts and core system binaries like in /sbin
* check core system shared libraries that the above binaries rely on
* check kernel-related stuff
* maybe less-essential binaries like /usr/local/foo-1.2.3/bin.

Others may have some more tips. It is best to experiment a lot so that you're good at tuning integrit to your systems.

--
--Ed L Cashin | PGP public key: ec...@ug... | http://noserose.net/e/pgp/
From: <sco...@ma...> - 2003-07-25 18:24:04

Can somebody help me with another problem I am having. I am trying to narrow the list of files that integrit is checking down a lot. Integrit is going to be used on a server for a small business that hosts its own e-mail and webserver. Plus all that other stuff like DHCP and DNS and whatnot. So my question I guess is, what files are absolutely critical to protect? I need to check as many files as I can without having it take up too large an amount of system resources, but also without making integrit ineffective in what it was made to do.

My goal is to have integrit run every 10 minutes or so, then e-mail me of any changes that happened to the files I was checking, or e-mail me to say that everything is fine.

Once Again Thanks In Advance
-Scott Anderson
From: Keith L. <kei...@le...> - 2003-07-22 01:16:59

In the examples directory of the source tree there is a script named integrit_check. You can run that script from cron to receive a report via email of the output. In the same directory there is a crontab file that has an example of running integrit_check from cron. Just edit it to your environment and everything should work really nicely for you.

* Scott Anderson <nir...@ma...> [20030721 21:05]:
> I'm kind of new to this, I was wondering what kind of script should be
> written to make integrit run automatically. Like say every 10 minutes or
> so.
>
> Thanks in advance.

--
Keith Ledford
From: Scott A. <nir...@ma...> - 2003-07-21 19:30:08

I'm kind of new to this, I was wondering what kind of script should be written to make integrit run automatically. Like say every 10 minutes or so.

Thanks in advance.