Integrit File Verification System

Current copies should be available at the integrit homepage.

the integrit file verification system is an independent project hosted by Sourceforge.

Top

• Introduction:		General information and orientation.
• Invoking Integrit:		Commandline options.
• Configuration File:		The runtime configuration file.
• Human Readable Output:		The easy-to-scan format explained.
• Exit Status:		Understanding integrit’s exit status.
• Auxiliary Tools:		Tools you can ignore or delight in.
• FAQ:		Frequently Asked Questions and some answers.
• Resources:		How to find more.
• Copying:		Conditions for copying and changing integrit.
• Concept Index:		Look up ideas.

1 Introduction

1.1 Description

The integrit system detects intrusion by detecting when trusted files have been altered.

By creating an integrit database (update mode) that is a snapshot of a host system in a known state, the host’s files can later be verified as unaltered by running integrit in check mode to compare current state to the recorded known state. integrit can do a check and an update simultaneously.

1.2 Normal Use

Using a product like integrit for intrusion detection is a repeating process, involving something like the following activities:

generate a new current-state database while checking against an old known-state database that has been protected from modification (e.g. by putting it on read-only media or on a secure server), mailing the output to a remote machine (or more)
This step can be done unattended, since the report that integrit generates at runtime includes the checksum of the newly-generated current-state database. The output should be directed to a remote host, e.g., via a trusted sendmail binary.

You may use a script to renice the integrit process and possibly do a sequence of runs, each with a different configuration file.
read the report, possibly using UN*X or XML tools to massage it into a form to your liking
There is an example GUI viewer for integrit’s XML output in the examples directory of the distribution.

Below please find a description of the syntax of integrit’s human-readable output format.
if the report looks fine, copy the new database to a secure server for export via read-only NFS, or a secure medium that can be made read-only. (saving the old one in case something goes wrong.)
IMPORTANT: verify that the current checksum of the database you just copied over matches the one in the report. (This shows that no one has tampered with the database since the report and the new database were generated.)
everything’s OK, so the new database will be the known-state database the next time you repeat this process.

2 Invoking Integrit

Here is a list of command-line arguments that may be used when invoking integrit:

-C {conffile}: Specify a runtime configuration file for integrit.
-V: Show integrit version information and exit.
-h: Show brief help.
-x: Produce XML output.
-u: Do update - create a new database that reflects the current state of the system.
-c: Do check - compare the current state of the system to a database containing a snapshot of the system when it was in a known state.
-N: Manually override specification of the current (“New”) database. Normally it is set in the configuration file.
-O: Manually override specification of the known (“Old”) database. Normally it is set in the configuration file.
-q: Lower integrit’s level of verbosity.
-v: Increase integrit’s level of verbosity.

3 Configuration File

The configuration file determines what integrit does when it runs. For that reason, it should be kept on a secure medium, like a CD-ROM or a directory that’s exported via read-only NFS from a tightly-secured machine.¹

Please note that a trailing slash is never part of a filename, including directory names. A slash is a path separator, and any other use is not supported.

3.1 Config File Elements

comments
The following kinds of lines in the configuration file are ignored by integrit: blank lines; lines consisting of whitespace only; lines having the # character as the first non-whitespace character.
known database
The location of the known database (which contains information about the previous state of the host’s files) is specified with a line like this:
```
     known=/root/databases/usr_known.cdb
```
current database
The location of the current database (the one to be generated if integrit is doing an update) is specified in a similar manner.
```
    current=/root/databases/usr_current.cdb
```
the root of integrit’s check
The root of the filetree that integrit will cover is specified on a line like this:
```
    root=/usr
```
Integrit’s file tree walk starts at the root. Everything integrit checks must be under the root. In the above example, the "/boot" directory will never be checked because it is not under /usr. You can specify slash as the root and then ignore lots of directories like /tmp, /proc, and /home, or you can use multiple configuration files.

To search multiple roots, use multiple configure files and launch multiple instances of integrit, either in sequence or in parallel, depending on your needs.
behavior on errors
By default integrit stops scanning at the first error. When running as root, errors usually mean severely broken permissions or media errors that the administrator should take note of immediately. When stop_on_err is set to “0” instead, integrit will try to continue as much as possible, ignoring all non-fatal errors in the process.
rules
Rules in the configuration file tell integrit how to treat various parts of the filesystem. You can tell integrit to ignore /proc, not to do checksums on logfiles, not to descend into /home, to ignore the modification time on /etc/issue, etc.

Whether or not integrit descends parts of the filetree, and whether or not it does checksums, comparison of access times, etc., are specified in a compact syntax (described below) on lines like these:
```
    !/usr/local/useless
    !/usr/mnt/nfs
    =/usr/share/teTeX
    /usr/local/var/log SIAM
```
We’ll get into the nitty gritty in the following sections.

3.2 Config Rule Prefixes

When integrit is running it can do several things. By specifying rules for integrit to follow, you can control its behavior. Each rule has an optional prefix or prefixes, a filename (or directory name), and a set of checks that integrit should or should not do.

A prefix comes before the filename and tells integrit something

!

An exclamation point means “ignore”.

It will cause integrit to pretend a file or directory isn’t there.

    # ignore the useless directory and its subdirectories
    !/usr/local/useless

=

An equal sign means “don’t descend”. It will cause integrit to do checks on the file itself, but if it’s a directory, integrit won’t visit its subdirectories.

This is useful for telling integrit not to bother with certain parts of a file tree.

    # don't bother with old_project's subdirectories,
    # but do perform normal checks on the directory itself
    =/usr/local/share/old_project

You can cut down drastically on database size and integrit’s runtime by ignoring parts of the filesystem that are not essential to the system, e.g., home directories.

In general, integrit is much easier to use on a daily basis if it’s just checking the most essential parts of a system. Some sysadmins, however, have told me that they enjoy getting more in touch with their systems by having integrit monitor almost everything!

$

A dollar sign prefix indicates a non-cascading rule that doesn’t get inherited by subdirectories and files as regular rules do.

    # this redhat system updates /etc/issue on boot
    # so we ignore modification and change time on /etc,
    # but we still want to monitor mtime and ctime on
    # some files and directories under this /etc.

    $ /etc     MC

3.3 Config Rule Checksets

a set of switches
A filename followed by a set of one-letter switches turns checks on and off, for example:
```
    # do check the access time, but don't do a checksum:
    /usr/local/secret/text.txt aS
```
There are no spaces between the switches.
switch syntax
Upper case turns off a given check. Lower case turns it on.

When you turn off a check, e.g. by using S for “no checksums”, then all subdirectories inherit that option: no checksums are done.

You can always override switches that are inherited from parent directories. There is also a special dollar-sign prefix (described above) you can use to override the normal cascading behavior.

e.g., In the example below, all the stuff under /var/log won’t have checksums done, except all the files under /var/log/archives:
```
    /var/log            S
    /var/log/archive    s
```
Again, the upper case turns the check off, and the lower case turns it back on.
list of switches
The default checks are these: checksum; inode; permissions; number of links; uid; gid; mtime; and ctime. You can overrule the defaults by specifying all switches for the root directory in the configuration file.

Here’s a table of letters and the corresponding checks/options:

s

checksum

i

inode

p

permissions

t

file type

d

device type (if file is blk or chr special)

l

number of links

u

uid

g

gid

z

file size (redundant if checksums are on)

a

access time

m

modification time

c

time UN*X file information was changed

r

reset access time (option)

4 Human Readable Output

The human-readable format is intended for quick scanning on a viewer with a large number of columns (like an xterm with maximized width).

Other popular file integrity verification systems split the information between a list of files that have changed at the top of the report and a more detailed section showing the nature of the changes at the bottom of the report. Instead, integrit provides all the information for each file as it learns it.

Besides saving on runtime memory usage, the big advantage of this approach is that the person reading the output never has to skip to the end of the report to learn the exact nature of a change.

In this output format, messages from integrit have a specific prefix showing what kind of message it is:

“integrit: ” integrit is telling you something
“changed: ” a file has changed somehow
“missing: ” a file in the known database is no longer around ²
“new: ” a file not in the known database has appeared

The one-letter characters for options and checks (see table of checkset codes) is used in the human-readable output format for reporting corresponding changes.

For example, the switch for checking permissions is p. If integrit notes that the file permissions have changed, in the output you will see this kind of line:

    changed: /etc/secret   p(640:666)

That means that the permissions (“p”) have changed from 640 to 666. In general, the syntax is as follows:

    changed: filename   x(known:current)

… where x is the one-letter symbol showing what’s changed (see list of switches), "known" is the value from the known database, and "current" is the state of the file that integrit observed at runtime.

exception:

Symlinks have sym where the octal permissions (which would always be “777”) would be.

You can skip the preamble in the human-readable report by lowering the verbosity level with the “-q” command-line option.

5 Exit Status

Since version three, integrit’s exit status indicates whether or not it found changes.

0: When integrit returns zero to the process that started integrit, it means that no changes were detected. (Unless you are doing a check, no changes will be detected.)
1: An exit status of one means that changes were detected but no errors were encountered. (An error is a failure condition that prevents integrit from doing its job.)
2: Two signifies that an error occured, and integrit was not able to do its job. When stop_on_err is “0” and a check is performed, an exit status of two means that some errors were encountered during the scan, but no changes could be found.
3: Both errors and changes were found.

6 Auxiliary Tools

The integrit source distribution comes with two standalone tools. You do not need to be familiar with these tools in order to use integrit, but I personally find them to be very convenient once in a while.

The tools are i-viewdb and i-ls.

6.1 i-viewdb

To detect file deletions, modifications, and creations, integrit saves information about your files in databases. i-viewdb is a standalone tool that allows you to view the information stored in integrit databases. It only has one option:

-s: Do not show the checksums stored in the database.

… and you invoke it like this:

    i-viewdb [-s] {dbname}

… where “dbname” is the name of the integrit database for i-viewdb to examine.

The output syntax is the same as that of integrit.

Examples:

   i-viewdb integrit-foo.cdb | less

… uses the "less" pager to view contents of the integrit database.

   i-viewdb integrit-foo.cdb | awk '{ print $1 " " $8 }'

… look at the files and access times in the integrit database.

6.2 i-ls

The integrit system detects intrusion by detecting when trusted files have been altered.

Integrit records information about files in a database when it does an update and compares that information to live files when it does a check.

The i-ls standalone tool allows the user to see that same information for live files.

The output syntax is similar to that of integrit.

Options:

-s: Do not show/calculate a checksums for all regular files. In case i-ls cannot do a checksum (e.g. permission denied), a warning is issued.

It is invoked like this:

    i-ls [-s] {filename|dirname} [filename|dirname] ...

You specify a filename for i-ls to examine, or you specify a directory to have i-ls examine all the files in the directory.

Examples:

     i-ls /tmp/foo.txt /tmp/bar.txt

… shows file stat attributes for the file, /tmp/foo.txt and also for /tmp/bar.txt.

     i-ls /tmp

… shows file stat attributes for all files in the directory, /tmp.

     i-ls -s /tmp

… shows file stat attributes for all files in the directory, /tmp, omitting SHA-1 checksum information.

7 FAQ

7.1 Win32

Q: What about Win32 support?

A few people have asked about Win32 support. In short, go for it. I get the impression that it’s not something that a lot of people have done, and I’m not much of a Windows user, but I did it just to see what would happen.

A helpful soul pointed out that it is still (Windows 2000) not possible to create a directory named "aux" in Windows (a DOS-ism like "prn" and "nul"), and so integrit’s aux directory has been renamed to "utils" since version three to accomodate the limitation. Since then it’s been theoretically possible to build integrit on Windows.

Version 3.03 integrit on Windows XP using Cygwin 1.3.12-2 builds cleanly and passes the “make test”. Your mileage may vary.

7.2 Regular Expressions

Q: What about regular expressions in the conf file?

It usually occurs to an integrit user at some point, "Wouldn’t it be nice to use regular expressions in the integrit configuration file instead of literal paths?" The answer is that, yes, that would be convenient, but it isn’t likely to happen.

The added runtime cost of compiling regular expression objects and evaluating all the pathnames would be substantial, and it would make integrit more complex. Better to leave integrit stable and simple and then list files explicitly in the configuration file.

After all, you have all kinds of unix tools (find, grep, etc.), that can help you create the configuration file by using regular expressions!

7.3 Trailing Slash

Q: Why does integrit scan /proc when I put "! /proc/" in the configuration file?

Trailing slashes aren’t really part of a directory’s name. Leave them out in the configuration file.

For example, to ignore /var/tmp, this will work:

    ! /tmp

... but this will not:

    # WRONG: trailing slash
    ! /tmp/

7.4 Missing Files

Q: When I do a check only, -c and no -u, I get an error:

   integrit: not doing update, so no check for missing files

Just use both "-c" and "-u". This is the fastest, simplest way to be able to check for missing files. If integrit is creating a new current-state database, then at the end of the run it has all the information it needs to tell you what files are missing.

The good news is that it takes almost the same amount of time to do check and update simultaneously as it would to do one or the other. wouldn’t be gaining anything by running check by itself.

7.5 Large Files

Q: Why does integrit crash on encountering files of greater than five gigabytes in size?

It’s a platform-dependent thing.

Many Operating Systems are in the process of developing support for large files. If you see integrit fail when it encounters large files, then large file support is what you need.

Since version 3.02, integrit has large file support turned on by default (via the autoconf-generated configure script), but you still need to make sure your system can handle large files.

For Linux-based systems, there is a good document here:

http://www.suse.de/~aj/linux_lfs.html

In a nutshell, if you are using gcc and Linux, then if your using a 2.4.x and an ext2 filesystem that was created under a 2.4.x kernel, then you should be OK with integrit versions 3.02 and later.

For general information, here is a resource:

http://www.sas.com/standards/large.file/x_open.20Mar96.html

Your system should have documentation explaining how to get large file support.

7.6 Multiple Roots

Q: Wouldn’t it be nicer if we could put multiple roots in one integrit config file?

A: Perhaps, but not much nicer, and it would complicate integrit internally.

Say you want to ignore all of /usr/local in your integrit-root.conf configuration file, but you want to check /usr/local/etc. You can create another configuration file, integrit-usr_local_etc.conf, with “root=/usr/local/etc” in it.

Then simply run integrit twice. You can even run two integrits in parallel if /usr/local/etc is on a different device than the other areas and you have the CPU and memory to spare.

It is very easy to generate multiple configuration files from a master configuration file using UN*X tools. It’s also easy to create a statically-linked program that does fork and execl to run multiple integrits. There’s an example in the examples directory of the integrit distribution: integrit-run.c.

Appendix A Resources

To get the latest integrit, check the integrit homepage:

    http://integrit.sourceforge.net/

There are many resources at integrit’s project page on sourceforge, including mailing lists and a web-interface for the source in CVS.

    http://sourceforge.net/projects/integrit

Appendix B GNU GENERAL PUBLIC LICENSE

Version 2, June 1991

Copyright © 1989, 1991 Free Software Foundation, Inc.
59 Temple Place, Suite 330, Boston, MA 02111, USA

Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.

Preamble

The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software—to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation’s software and to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by the GNU Library General Public License instead.) You can apply it to your programs, too.

When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things.

To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it.

For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights.

We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software.

Also, for each author’s protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors’ reputations.

Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone’s free use or not licensed at all.

The precise terms and conditions for copying, distribution and modification follow.

This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The “Program”, below, refers to any such program or work, and a “work based on the Program” means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term “modification”.) Each licensee is addressed as “you”.
Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does.
You may copy and distribute verbatim copies of the Program’s source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program.
You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee.
You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions:
1. You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change.
2. You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License.
3. If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.)
These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it.

Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program.

In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License.
You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following:
1. Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,
2. Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,
3. Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.)
The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable.

If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code.
You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.
You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it.
Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients’ exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License.
If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program.
If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances.

It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice.

This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License.
If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License.
The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns.
Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and “any later version”, you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation.
If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally.
BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

How to Apply These Terms to Your New Programs

If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms.

To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty; and each file should have at least the “copyright” line and a pointer to where the full notice is found.

one line to give the program's name and an idea of what it does.
Copyright (C) 19yy  name of author

This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License
as published by the Free Software Foundation; either version 2
of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.

Also add information on how to contact you by electronic and paper mail.

If the program is interactive, make it output a short notice like this when it starts in an interactive mode:

Gnomovision version 69, Copyright (C) 19yy name of author
Gnomovision comes with ABSOLUTELY NO WARRANTY; for details
type `show w'.  This is free software, and you are welcome
to redistribute it under certain conditions; type `show c' 
for details.

The hypothetical commands ‘show w’ and ‘show c’ should show the appropriate parts of the General Public License. Of course, the commands you use may be called something other than ‘show w’ and ‘show c’; they could even be mouse-clicks or menu items—whatever suits your program.

You should also get your employer (if you work as a programmer) or your school, if any, to sign a “copyright disclaimer” for the program, if necessary. Here is a sample; alter the names:

Yoyodyne, Inc., hereby disclaims all copyright
interest in the program `Gnomovision'
(which makes passes at compilers) written 
by James Hacker.

signature of Ty Coon, 1 April 1989
Ty Coon, President of Vice

This General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library. If this is what you want to do, use the GNU Library General Public License instead of this License.

Concept Index

Jump to:	! $ = C D E F H I K L M N O P R S T U V W X

	Index Entry	Section

!
	!:	Config Rule Prefixes

$
	$:	Config Rule Prefixes

=
	=:	Config Rule Prefixes

C
	changed:	Human Readable Output
	check:	Invoking Integrit
	checksets:	Config File Elements
	checksets:	Config Rule Checksets
	checksum:	i-viewdb
	checksum:	i-ls
	comments:	Config File Elements
	configuration file:	Configuration File
	current database:	Invoking Integrit
	current database:	Config File Elements

D
	database:	Description
	database:	Normal Use
	database:	Config File Elements
	dollar sign:	Config Rule Prefixes
	don’t descend:	Config Rule Prefixes

E
	equal sign:	Config Rule Prefixes
	exclamation point:	Config Rule Prefixes
	exit status:	Exit Status

F
	FAQ:	FAQ

H
	human-readable output:	Human Readable Output

I
	i-ls:	i-ls
	i-viewdb:	i-viewdb
	ignore:	Config Rule Prefixes

K
	known database:	Invoking Integrit
	known database:	Config File Elements

L
	Large File Support:	Large Files
	license:	Copying

M
	mailing list:	Multiple Roots
	missing:	Human Readable Output
	Missing Files:	Missing Files
	Multiple Roots:	Multiple Roots

N
	new:	Human Readable Output
	new database:	Invoking Integrit
	NFS:	Normal Use
	NFS:	Configuration File
	non-cascading rules:	Config Rule Prefixes
	non-inheriting rules:	Config Rule Prefixes

O
	old database:	Invoking Integrit
	options:	Invoking Integrit

P
	prefixes, output:	Human Readable Output
	prefixes, rule:	Config File Elements

R
	Regular Expressions:	Regular Expressions
	root:	Config File Elements
	routine:	Normal Use
	rules:	Config File Elements

S
	stop_on_err:	Config File Elements
	switch table:	Config Rule Checksets
	switches:	Config Rule Checksets

T
	Trailing Slash:	Trailing Slash

U
	update:	Invoking Integrit

V
	verbosity:	Invoking Integrit

W
	web site:	Multiple Roots
	Windows:	Win32

X
	XML:	Normal Use
	XML:	Invoking Integrit

Jump to:	! $ = C D E F H I K L M N O P R S T U V W X

Footnotes

(1)

Your kernel may also support read-only files on the localhost. The FreeBSD kernel, for example, when running in higher security levels, honors the “immutable” file attribute. On such a system you could keep integrit’s known database locally, but you’d have to install it in single-user mode.

(2)

You will only see missing files reported if you’re running update and check at the same time. Otherwise integrit won’t know both necessary facts: the file existed in the past and isn’t there now.

• Description:		What is integrit?
• Normal Use:		Using integrit.

• Config File Elements:		Parts of the config file.
• Config Rule Prefixes:		Relating a rule to the filesystem.
• Config Rule Checksets:		Specifying what checks to do.

• i-viewdb:		Looking inside of integrit databases.
• i-ls:		Viewing characteristics of live files.

• Win32:		What about Win32 support?
• Regular Expressions:		What about regular expressions in the conf file?
• Trailing Slash:		Why doesn’t "! /proc/" work?
• Missing Files:		I don’t see missing files when doing a check!
• Large Files:		It crashes on encountering large (> 5 Gig) files!
• Multiple Roots:		I want to put multiple roots in one config file!