[Integrit-users] Possible issue with integrit
From: James.FitzGibbon <Jam...@ta...> - 2001-07-25 14:12:58
I've discovered a way that an attacker might get around integrit. When integrit is walking a file tree, it will stop dead if it encounters a directory that it cannot traverse:

    > mkdir home/prod/.A
    > chmod 000 home/prod/.A
    > integrit -C integrit.conf -c
    integrit: ---- integrit, version 2.01 -----------------
    integrit: output : human-readable
    integrit: conf file : integrit.conf
    integrit: known db : integrit.cdb
    integrit: current db : integrit.cdb.new
    integrit: root : home/prod
    integrit: do check : yes
    integrit: do update : no
    changed: home/prod l(2:3) m(20010725-085631:20010725-085801) c(20010725-085631:20010725-085801)
    Error: cannot open directory (home/prod/.A): Permission denied
    integrit (main): Error: walk_file_tree: Permission denied

So if someone is running integrit in some fashion like this:

    integrit -C config.file -c -x > foo.xml && parse_xml && mail_output

Then an attacker can prevent integrit reports from being mailed by just creating a directory in the hierarchy that cannot be traversed.

Granted, any on-the-ball sysadmin would notice that they weren't getting an integrit report for a given host and check things out, but in a large environment it's easy to lose one mail, and that could give an attacker an entire day to play around, make the machine a staging platform for further attacks, then remove the offending directory.

This should be simple just by having integrit continue walking the tree when opendir() fails instead of quitting. It might also be advisable to log this as a change event, but I'm not sure if that truly entails extending integrit's view of a directory to include its attributes as well as the ability to cd into it.

--
j.

James FitzGibbon          voice/fax 612-761-6121/3148
Consultant, TTS-3D@TPN7Z  jam...@ta...
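The post asks for two things: keep walking the tree when opendir() fails, and surface the unreadable directory as a reportable event so the downstream report pipeline still runs. The C program below is an added example of such a tolerant walker; it is not integrit's code and not the poster's. It builds a constructed tree shaped like the post's home/prod example (including a mode-000 ".A" directory), walks it, and lists every directory it could not open in the report instead of aborting. The names walk_tree, walk_report, build_demo_tree and remove_demo_tree are assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <dirent.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define MAX_EVENTS 32
#define PATH_LEN   1024

/* Summary of one walk: counts plus the directories that could not be opened.
 * Recording the failures turns "walk aborted" into a reportable change event. */
typedef struct {
    int files_seen;                       /* regular files visited */
    int dirs_entered;                     /* directories successfully opened */
    int unreadable_count;                 /* directories where opendir() failed */
    char unreadable[MAX_EVENTS][PATH_LEN];
} walk_report;

static void note_unreadable(walk_report *rep, const char *path, int err)
{
    if (rep->unreadable_count < MAX_EVENTS)
        snprintf(rep->unreadable[rep->unreadable_count], PATH_LEN, "%s", path);
    rep->unreadable_count++;
    fprintf(stderr, "Error: cannot open directory (%s): %s\n", path, strerror(err));
}

/* Depth-first walk. An opendir() failure is logged and that subtree skipped;
 * the rest of the tree is still visited, so the caller always gets a report. */
void walk_tree(const char *path, walk_report *rep)
{
    DIR *d = opendir(path);
    if (d == NULL) {
        note_unreadable(rep, path, errno);
        return;                           /* continue with siblings, do not quit */
    }
    rep->dirs_entered++;
    struct dirent *ent;
    while ((ent = readdir(d)) != NULL) {
        if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
            continue;
        char child[PATH_LEN];
        snprintf(child, sizeof child, "%s/%s", path, ent->d_name);
        struct stat st;
        if (lstat(child, &st) != 0)
            continue;                     /* entry vanished mid-walk: skip it */
        if (S_ISDIR(st.st_mode))
            walk_tree(child, rep);
        else if (S_ISREG(st.st_mode))
            rep->files_seen++;
    }
    closedir(d);
}

static const char *demo_files[] = { "prod/a.txt", "prod/b.txt", "prod/sub/c.txt" };

/* Build a constructed demo tree under /tmp: prod/ with two files, prod/sub/
 * with one file, and a mode-000 directory prod/.A. Returns 0 on success. */
int build_demo_tree(char *root, size_t len)
{
    char p[PATH_LEN];
    snprintf(root, len, "/tmp/integrit-demo-%ld", (long)getpid());
    if (mkdir(root, 0700) != 0) return -1;
    snprintf(p, sizeof p, "%s/prod", root);     if (mkdir(p, 0700) != 0) return -1;
    snprintf(p, sizeof p, "%s/prod/sub", root); if (mkdir(p, 0700) != 0) return -1;
    snprintf(p, sizeof p, "%s/prod/.A", root);  if (mkdir(p, 0000) != 0) return -1;
    for (size_t i = 0; i < 3; i++) {
        snprintf(p, sizeof p, "%s/%s", root, demo_files[i]);
        FILE *f = fopen(p, "w");
        if (f == NULL) return -1;
        fputs("constructed content\n", f);
        fclose(f);
    }
    return 0;
}

/* Remove the demo tree (restore .A's mode first so rmdir can succeed). */
void remove_demo_tree(const char *root)
{
    char p[PATH_LEN];
    for (size_t i = 0; i < 3; i++) {
        snprintf(p, sizeof p, "%s/%s", root, demo_files[i]);
        unlink(p);
    }
    snprintf(p, sizeof p, "%s/prod/.A", root);  chmod(p, 0700); rmdir(p);
    snprintf(p, sizeof p, "%s/prod/sub", root); rmdir(p);
    snprintf(p, sizeof p, "%s/prod", root);     rmdir(p);
    rmdir(root);
}

int main(void)
{
    char root[PATH_LEN];
    if (build_demo_tree(root, sizeof root) != 0) { perror("build_demo_tree"); return 1; }
    walk_report rep = {0};
    walk_tree(root, &rep);
    printf("files: %d  dirs entered: %d  unreadable: %d\n",
           rep.files_seen, rep.dirs_entered, rep.unreadable_count);
    for (int i = 0; i < rep.unreadable_count && i < MAX_EVENTS; i++)
        printf("changed: %s (directory could not be opened)\n", rep.unreadable[i]);
    remove_demo_tree(root);
    return 0;   /* a report was produced, so a following "&& mail_output" still runs */
}
```

Run as an unprivileged user the walk reports three files and one unreadable directory (prod/.A); run as root the 000 directory is still readable, so nothing is flagged. That difference is the point of emitting the event in the report rather than relying on the exit status: the operator sees the unreadable directory listed as a change, and the report is still mailed.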