1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
|
(Solaris users please also see README.Solaris if you have trouble.)
The following commands should build integrit:
./configure && make
Then after su'ing to root:
make install
SECURE INSTALLATION --------------------------------------------------
Please note that if you are doing this for real, you'll need to
compile on a trusted machine (e.g., one with a fresh install of the OS
that hasn't yet been plugged into the network) and copy the compiled
binary to a secure location.
At runtime the binary should be copied back to the localhost or run
directly from the secure location.
Doing otherwise is fine for testing, but it won't be secure, since
there's less security in compiling integrit on an untrusted host, and
no security in leaving the integrit binary on the host your checking.
MISC ----------------------------------------------------------------
Using virtual memory means that less virtual memory is available in
the system. mmap-ping a file uses no physical memory, but it does use
virtual memory. If you don't have lots of swap space, then your
system may *think* it's low on memory even if it's just virtual memory
that's being used.
For this reason, it's now possible to limit the amount of virtual
memory integrit uses for mmap. Use the --with-max-mmap configure
option to specify in bytes the biggest file size you want mmap'ed.
(mmap is used only for reading databases, not for writing.)
The default max is 10485760 bytes (ten megabytes) -- you might even
want to raise it. Use a max of zero to disable mmap-ing.
TROUBLESHOOTING ------------------------------------------------------
1)
If you have trouble during "make", try using GNU make. Systems
sometimes have GNU make installed as "gmake".
2)
Solaris users please read "README.Solaris" if you have trouble
building integrit.
3)
Integrit's documentation is in the GNU texinfo format, which has many
advantages. That means, however, that people who don't have
install-info in their path when they do a "make install" will see this
message go by:
+ install-info --dir-file=/tmp/integrit-install/info/dir --info-file=/tmp/integrit-install/info/integrit
/bin/sh: install-info: command not found
Warning: install-info did not run successfully.
to complete the installation of the documenation,
Make sure info is installed and install-info is in
the path when doing 'make install'
(pausing 3 seconds)
That means that integrit won't be added to your system's info
directory. install-info adds lines like this to the "dir" file
(e.g., in /usr/share/info/dir):
Security Tools
* Integrit: (integrit). Integrit File Verification System.
You can copy these lines literally into the file or preferably make
sure that you have a proper installation of info such that
install-info is in the path of any user likely to install
documentation.
Alternatively, if you have an install-info with a funny-name or in a
funny place, you can just tell make when you do "make install". In
this example, the binary is in the "/opt/cocteau-twins" directory and
is named "liz" instead of "install-info"
make install INSTALL_INFO=/opt/cocteau-twins/liz
4)
This shouldn't be necessary since integrit stopped using openssl, but
if you have a required library in a place your compiler wouldn't
normally look, e.g. "/tmp/foo", you can provide that information to
configure like so:
LDFLAGS="-L /tmp/foo/lib" ./configure
... and to say where the headers are too ...
LDFLAGS="-L /tmp/foo/lib" CPPFLAGS="-I /tmp/foo/include" ./configure
... for a shell with Bourne-shell syntax.
|
