Easy Integrity Check System
- Setting up
You need the following extra software to use eics
You configure the compilation by typing ./configure. This will install
the program with prefix /usr, which means that:

    Binary goes to: /usr/bin/eics
You can configure where the files go mainly with the following parameters:

    --prefix=DIR             Defines where you want to put the files.
    --sbindir=DIR            Where 'eics' goes. Defaults to $prefix/sbin.
    --sysconfdir=DIR         Configuration and key files are placed in this directory. Defaults to $prefix/etc.
    --with-database-dir=DIR  Database files are placed here. Defaults to $prefix/lib/eics.
    --with-root-prefix=DIR   For package builders: when the files are copied, this is added to the paths. It does not affect the program itself.
    --mandir=DIR             Where man pages go. Defaults to $prefix/man.
To compile the program, type 'make' (or 'gmake' if your make is not GNU make). The program should compile without much fiddling. If it does not compile properly, contact me.
'make install' will install the program into the appropriate places.
- Configuration
All configuration at this point lies within the eics.conf file. The format of the file is very simple and follows these rules:
- A line that starts with # is a comment
- A line that is empty is ignored
- A line that begins with ~/ or / is a policy line
- ~/ introduces a regular expression
- / introduces a pattern expression
- The first expression must be an absolute directory. This is the start point; usually it is '/'
- After the expression come the flags
The flags you can use are (for a few entries the flag letter did not survive in this copy of the page; only the description remains):

- (letter missing): Check when the file was last accessed (read, for example). You cannot use the 'h' flag together with this one, because hashing reads the file and so modifies this value. Do not use it for directories either. In short, use it only for those FILES you really need to know about.
- (letter missing): Checks the entry creation time. This is updated for every directory when a file is created in it.
- (letter missing): Checks the modification time; this gets updated whenever someone modifies a file or directory.
- (letter missing): Checks the numeric gid.
- h: Check file contents. Calculates SHA1 and RIPEMD160 hashes of regular files. Note! Do not use this in /dev or /proc unless you are asking for trouble: /dev/null is not a regular file, but /proc/kcore is. In other words, it is not safe there.
- i: Check file inode. Checks the inode of the file, which reveals whether the file has been deleted and recreated.
- l: Allow file to grow. This is good for monitoring log files. Use it together with the 's' flag: if the file size only grows, no warning is given.
- m: Check file permissions and type. Checks the file permissions (user, group, world) and the entry type. No, this does not mean whether it is a text file or not; it checks whether a file has changed into a symlink, a directory into a file, etc.
- n: Number of links. Checks how many links there are to a file. For example, if someone creates a subdirectory, the parent is linked from the subdirectory's '..' entry, which increases the link count by 1. Likewise, if a directory disappears, the count decreases.
- (letter missing): Checks the file owner's uid.
- s: Size of file. Checks the size of the file. See flag 'l' for log files and the like.
- X: Exclude this entry from all checks (other flags are not meaningful here). The entry so defined will not be considered. You can use this to exclude, for example, all *.tmp files:
    /home/cmouse/*.tmp X
- D: Do not descend into the directory. Since there is no flag inheritance yet, specifying just 'D' will not do the trick: you need to specify all the other flags you want applied to this entry as well. If you want to check some directory's SUBDIRS without going into them, do not write '/home Dgmui'; write '/home/* Dgmui'. Otherwise it will not go into /home at all.
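As an added example (not code from the eics distribution), the following Python script parses a policy file using the line rules above and lints it for the pitfalls this page describes: 'l' without 's', a bare 'D', 'X' combined with other flags, a trailing '/' that never matches, hashing under /dev or /proc, a first expression that is not an absolute directory, and flag letters that are not documented here. The matching semantics (shell globs for '/' lines, regular expressions anchored at the start of the absolute path for '~/' lines) and the sample eics.conf are my assumptions; 'g' and 'u' are accepted as known letters because they appear in the page's own example '/home/* Dgmui'.

```python
"""Linter for the eics.conf policy format as documented on this page.

Added example, not part of eics. Matching semantics are an assumption:
'/' lines are treated as shell globs, '~/' lines as regexes anchored at
the start of the absolute path. eics itself may differ.
"""
import fnmatch
import re
from dataclasses import dataclass

# Letters with their own row above, plus 'g' and 'u', which appear in the
# page's example "/home/* Dgmui" but whose table rows did not survive.
KNOWN_FLAGS = set("hilmnsXDgu")
GLOB_CHARS = "*?["


@dataclass
class PolicyLine:
    lineno: int
    kind: str    # "regex" (line began with ~/) or "pattern" (line began with /)
    expr: str
    flags: str

    def matches(self, path: str) -> bool:
        if self.kind == "regex":
            return re.match(self.expr, path) is not None
        return fnmatch.fnmatchcase(path, self.expr)


def parse_policy(text: str):
    """Apply the line rules: '#' comment, empty line, '~/' regex, '/' pattern."""
    entries, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("~/"):
            kind, body = "regex", line[1:]   # assumption: regex keeps the leading '/'
        elif line.startswith("/"):
            kind, body = "pattern", line
        else:
            problems.append((lineno, "not a comment, empty line or policy line"))
            continue
        parts = body.split()
        flags = parts[1] if len(parts) > 1 else ""
        entries.append(PolicyLine(lineno, kind, parts[0], flags))
    return entries, problems


def lint_policy(text: str):
    """Return (lineno, message) pairs for the pitfalls described on this page."""
    entries, problems = parse_policy(text)
    if not entries:
        return [(0, "no policy lines")]
    first = entries[0]
    if first.kind != "pattern" or any(c in first.expr for c in GLOB_CHARS):
        problems.append((first.lineno, "first expression must be an absolute directory"))
    for e in entries:
        unknown = set(e.flags) - KNOWN_FLAGS
        if unknown:
            problems.append((e.lineno, f"unknown flag letters {sorted(unknown)}"))
        if "l" in e.flags and "s" not in e.flags:
            problems.append((e.lineno, "'l' only has effect together with 's'"))
        if e.flags == "D":
            problems.append((e.lineno, "'D' alone checks nothing; no flag inheritance"))
        if "X" in e.flags and len(e.flags) > 1:
            problems.append((e.lineno, "'X' excludes the entry; other flags are ignored"))
        if e.kind == "pattern" and e.expr != "/" and e.expr.endswith("/"):
            problems.append((e.lineno, "a trailing '/' never matches; use /dir or /dir/*"))
        if "h" in e.flags and e.expr.startswith(("/dev", "/proc")):
            problems.append((e.lineno, "hashing under /dev or /proc is unsafe"))
    return problems


def matching_entries(text: str, path: str):
    """Line numbers of policy lines whose expression matches `path`."""
    entries, _ = parse_policy(text)
    return [e.lineno for e in entries if e.matches(path)]


# Constructed sample policy for this example; not a file shipped with eics.
SAMPLE_CONF = r"""# constructed eics.conf
/                  mi
/etc/*             himns
/var/log/*         msl
/var/log/wtmp      ml
/usr               D
/home/*            Dgmui
/home/cmouse/*.tmp X
~/home/.*\.bak$    Xs
/tmp/              m
/proc/*            hm
/dev               X
"""

if __name__ == "__main__":
    for lineno, msg in lint_policy(SAMPLE_CONF):
        print(f"line {lineno}: {msg}")
    # '/tmp/' matches nothing, so this path is covered by no entry
    print(matching_entries(SAMPLE_CONF, "/tmp/myfile"))
```

Running it reports lines 5, 6, 9, 10 and 11 of the sample, and shows that '/tmp/myfile' is matched by no entry while '/home/cmouse/work.tmp' is matched by both '/home/*' and '/home/cmouse/*.tmp'.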
- Troubleshooting
Q: After giving the password when confirming policy changes, I get the error message 'error checking policy file'.
A: The program cannot write to the policy signature file (eics.conf.sig), or you have given the wrong password three times.

Q: I get a complaint about a database problem. Can I just fix the database?
A: Sorry, this is not possible. You need to reinitialize the database to fix this.

Q: For some reason a file/directory did not get checked.
A: Make sure your policy file has been written correctly. There is a grave difference between /tmp and /tmp/*. Note that /tmp/ will never match anything, and /tmp/* will match everything, even if you have a policy for /tmp/myfile.

Q: The program claims that an entry has gone missing, and it's still there!
A: This is usually because you have edited the policy file. If you add new exclusions and limits to it, the program will think that the affected entries have gone missing because it no longer checks them. No need to be alarmed.

Q: I have a problem and it's not listed here!
A: Read the documentation once more and, if it is still unresolved, email me at cmouse at users dot sourceforge dot net.