Integrit for File Verification
Ed L. Cashin
Integrit is a free software tool that helps sys admins stay in touch with
and trust the files on their systems. When I was first learning systems administration,
our shop had an old Sun machine ("Butch") that functioned as our email
server. At the first staff meeting I attended, it was announced that a rogue
process had been spotted running on Butch.
It turned out that Butch had been compromised. Our sys admin found the rootkit
and the backdoor that the attacker had left, but as I gained more responsibility
for the care of Butch, I started to wonder how many times it had happened before.
What parts of the system could I trust? What parts of Butch had been replaced
with Trojan horses?
Trojan horses are a very real part of many system break-ins. When an attacker
gains unauthorized root access to a system, that access can be solidified and
enhanced by replacing parts of the compromised system with custom-made files.
The replacements may cover the tracks of the attacker or provide a backdoor
that allows the attacker to gain re-entry to the system.
A trojaned syslog daemon might fail to log the attacker's actions.
A trojaned find command might silently ignore a rootkit, and a bogus
crond might listen on port 666 for an attacker's telnet session
while carrying out cron's normal duties.
This article describes my experiences with several tools designed to help
sys admins tell which files are to be trusted and which files have unexpectedly
changed. I then describe a new tool, integrit, that I wrote to overcome some
of the problems I encountered.
The Problem -- How Do You Know Your System Can Be Trusted?
Not knowing what parts of a system you can trust severely limits your
ability to determine the stability or security of the system.
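The approach integrit and its predecessors take to this problem is to record a baseline of each file's attributes and content hash while the system is still trusted, then compare the live system against that baseline later. The following Python script is an added illustration of that idea and is not integrit's own code; it makes no assumptions about integrit's database format, file names or command-line options. It records mode, owner, size, mtime and a SHA-256 digest for every file under a root, then reports files that are missing, added, or changed, and which attribute betrayed the change. The demo builds a small constructed directory tree in a temporary directory, takes a baseline, then swaps one file's content for different bytes of the same length, deletes another and adds a third.

```python
import hashlib
import os
import shutil
import stat
import tempfile
from pathlib import Path


def file_record(path):
    """Attributes worth comparing for one filesystem entry (lstat, so symlinks are not followed)."""
    st = os.lstat(path)
    rec = {
        "mode": stat.S_IMODE(st.st_mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "size": st.st_size,
        "mtime": int(st.st_mtime),
    }
    if stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        rec["sha256"] = h.hexdigest()
    elif stat.S_ISLNK(st.st_mode):
        rec["target"] = os.readlink(path)
    return rec


def build_baseline(root):
    """Map of path-relative-to-root -> attribute record for every file under root."""
    root = Path(root)
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            baseline[str(p.relative_to(root))] = file_record(p)
    return baseline


def check(baseline, root):
    """Compare the live tree under root against a stored baseline."""
    current = build_baseline(root)
    report = {"missing": [], "added": [], "changed": {}}
    for rel, old in baseline.items():
        new = current.get(rel)
        if new is None:
            report["missing"].append(rel)
            continue
        # Every attribute that differs is listed, so the admin can see whether
        # it was the content (sha256), the permissions (mode), ownership, etc.
        diffs = sorted(k for k in set(old) | set(new) if old.get(k) != new.get(k))
        if diffs:
            report["changed"][rel] = diffs
    report["missing"].sort()
    report["added"] = sorted(set(current) - set(baseline))
    return report


def demo():
    """Constructed scenario: baseline a toy tree, then tamper with it and re-check."""
    tmp = tempfile.mkdtemp()
    try:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "find").write_bytes(b"original binary\n")   # constructed content
        (root / "bin" / "crond").write_bytes(b"real crond\n")
        (root / "etc" / "syslog.conf").write_text("*.* /var/log/messages\n")

        baseline = build_baseline(root)

        # Simulated tampering: same-length replacement (size alone would not
        # notice it), one file removed, one file added.
        (root / "bin" / "find").write_bytes(b"replaced binary\n")
        (root / "bin" / "crond").unlink()
        (root / "etc" / "extra.conf").write_text("new file\n")

        return check(baseline, root)
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    for kind, items in demo().items():
        print(kind, items)
```

The same-length replacement is the instructive case: size and mode are unchanged, so only the content digest (and possibly the mtime, which an attacker with root can reset) reveals the swap. A real deployment would also have to keep the baseline somewhere the attacker cannot rewrite it, such as read-only media, which is exactly the class of problem the rest of the article discusses.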