[Integrit-users] Re: integrit suggestions

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

(copied to integrit-users, see sourceforge.net/projects/integrit for
subscription information)

Andras BALI <dr...@bi...> writes:

> Hi,
> 
> during the packaging of integrit into Debian I discovered a few
> imperfections in the application and I'd suggest you to put these
> on the todo list:

Hi, I appreciate your suggestions, but I decided against doing those
things at integrit's inception.  integrit is an alternative to
software that tries to do everything.

> * specificiation of the path using regular expressions is really
>   missing, since it's now nearly impossible to make configuration
>   files that are both secure and usable on all systems;

With integrit you don't use regular expressions.  In aide, I found
that the regular expressions didn't work, and in real life, I find
that I don't need regular expressions at all.  It might mean using a
couple of lines instead of one, but it's not really something I would
wish for.

> * perhaps the database could be compressed so it wouldn't take up
>   that big disk space;

I looked into that.  The solution was a compromise: to use cdb, which
makes databases that are much smaller than Berkley databases.  

> * the human-readable output should be a bit more human readable (and
>   the lines do not need to be prepended with "integrit").

The current form is the most easy to scan that I've seen.  I worked
with other folks in finding this form.  If you look at the output,
only some of the lines have the prefix "integrit:" others have
different prefixes like, "changed: ", as documented in the man page.

I did consider switching from showing numerical user and group ids to
showing the textual name, e.g., "ecashin", instead of "500", but it
wasn't as readable.

Thank you for your input.  A couple of things that *are* on the todo
list: 

  * make a configuration file syntax for checksets that are not
    inherited.  This will help with rules for ignoring directory
    modification and change times without affecting the subdirectories
    and files under that directory.

  * provide command line options for specifying the databases,
    overriding the configuration file

  * implement MD5 and SHA-1 to get rid of openssl dependency.

-- 
--Ed Cashin                   PGP public key:
  ec...@te...       http://www.terry.uga.edu/~ecashin/pgp/