Even if you have followed all the appropriate precautions to make your firewall secure, you may still want an extra level of assurance that no person or process has modified your system. To provide this assurance, the Gauntlet Firewall includes facilities to assist you in verifying the integrity of your system.
The following sections describe the concepts behind system integrity and some common administrative tasks:
The Gauntlet integrity database is a collection of cryptographic checksums or message digests for most files on your filesystem. The database contains a checksum for each file, and includes information about the user ID, group ID, and mode.
To verify the integrity of the system, you can create a new database of checksums, and compare the values with the existing database. Changes in the checksums for a file indicate that someone or something has modified the file in some manner.
The database does not contain information about files that can change often, such as the mail spool, the log files, and system aliases. You expect these files to change, so the checksums would always be different. You can modify the list of files that the integrity checker ignores. Unless you specifically tell the Gauntlet Firewall to ignore a particular item, it provides information on that item.
The Gauntlet Firewall allows you to create integrity databases. When you create an integrity database, the firewall runs a scan program (scan) that walks the directory tree and creates MD5 message digest checksums for each file. It ignores the files listed in a scan configuration file. The scan program writes the checksums to the integrity database.
Updating the database reinitializes the integrity database to reflect the current state of your firewall.
Configuring integrity checks consists of accessing the Integrity Check window and selecting files to ignore.
To access integrity checking:
You can modify the list of files and directories that the scan program ignores when creating and checking databases. This allows you to ignore directories and files that you know are volatile.
To configure the files to ignore:
Log in to the firewall and become root.
Use your favorite text editor to edit /usr/local/etc/checksums/scan.conf.
Modify the list of directories and files the integrity checker ignores.
The next time you create or update an integrity database, the firewall does not create database entries for the files you added.
You can create an integrity database anytime you wish. You should create one after you first configure your firewall. Generally, you create a new database when you have made major modifications to your firewall. Of course, you can do this more or less often as your security policy dictates.
You can create an integrity database on the firewall. An online database is easy to access, and does not require someone to physically place media into the firewall. However, an online database can be accessed by others who have access to the firewall.
Note: Creating an integrity database scans your entire directory tree. On systems with large disks, this may take as long as 10 or 20 minutes.
To create an integrity database:
On the Integrity Check window, click Online Database.
Click Create New.
The firewall creates the integrity database.
You use the integrity database to verify that nothing has modified your system. Therefore you must protect the database itself from tampering. Consider the following options to protect your integrity database (/usr/local/etc/checksums/gauntlet.sum):
Copy the integrity database to removable media that you keep off line for safekeeping. Store this copy of the database according to your security policies.
If you leave the database online, protect the database file by removing write permission for groups and others.
Store the copy of the initial integrity database that you created during your installation with your original distribution media.
Updating the integrity database creates a small database file that contains only the updates.
When you wish to check the integrity of the files on your system, you can verify the current filesystem checksums against the known, good filesystem checksum information stored in the integrity database. This process runs the scan program (scan), which walks the directory tree and creates MD5 checksums for each file. It ignores the files listed in a scan configuration file. The scan program compares the checksums for each file with the information in the integrity database, and writes any differences to a temporary file (/tmp/scan.processID). The scan program leaves the changes list in the /tmp directory, so you can view them later.
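The create-and-compare cycle described above (L6 and here), as an added illustration that is not the Gauntlet scan program: it walks a tree recording the MD5 digest, user ID, group ID and mode of each regular file, skips files matching an ignore list (the role of scan.conf), and reports which files changed, appeared or disappeared between two scans. The on-disk format of gauntlet.sum and the syntax of scan.conf are not shown on this page, so the database is kept in memory and the ignore list uses shell-style glob patterns; the sample tree is constructed inside `demo()`.

```python
import hashlib, os, stat, tempfile
from fnmatch import fnmatch

def ignored(rel_path, patterns):
    """True if rel_path matches an ignore pattern (the job of scan.conf on the firewall)."""
    return any(fnmatch(rel_path, p) for p in patterns)

def build_db(root, ignore=()):
    """Walk root and record (md5, uid, gid, mode) for every regular file not ignored."""
    db = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            st = os.lstat(path)
            if ignored(rel, ignore) or not stat.S_ISREG(st.st_mode):
                continue  # volatile file, or a symlink/device: not recorded
            h = hashlib.md5()  # MD5, the digest the Gauntlet scan program uses
            with open(path, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            db[rel] = (h.hexdigest(), st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode))
    return db

def compare(baseline, current):
    """Return (changed, added, removed) paths: the content of the changes list."""
    changed = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    added = sorted(current.keys() - baseline.keys())
    removed = sorted(baseline.keys() - current.keys())
    return changed, added, removed

def demo():
    """Constructed sample tree (not real firewall data): baseline scan, tamper, re-scan."""
    root = tempfile.mkdtemp()
    def put(rel, data, mode="wb"):
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), mode) as f:
            f.write(data)
    for rel, data in {"etc/passwd": b"root:x:0:0\n", "etc/hosts": b"127.0.0.1 localhost\n",
                      "bin/proxy": b"\x7fELF", "log/messages": b"boot\n"}.items():
        put(rel, data)
    ignore = ("log/*",)                                    # volatile files, as in scan.conf
    baseline = build_db(root, ignore)
    put("bin/proxy", b"\x90", "ab")                        # content changed
    os.chmod(os.path.join(root, "etc/passwd"), 0o755)      # mode changed, content same
    put("bin/newtool", b"#!/bin/sh\n")                     # new file
    os.remove(os.path.join(root, "etc/hosts"))             # removed file
    put("log/messages", b"login\n", "ab")                  # ignored, must not appear
    return compare(baseline, build_db(root, ignore))
```

As the page notes, the comparison only says that a file differs, not how; the mode-only change to etc/passwd shows why the database records ownership and permissions alongside the digest.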
The firewall can compare checksums with information in a database stored online. It can also compare with a database on a floppy diskette.
You can verify your system integrity anytime you wish. Administrators often perform these types of tasks monthly. You may also wish to check system integrity any time you notice unusual behavior on your firewall. You can, of course, define what you consider unusual according to your security policies.
To check integrity against an online database:
On the Integrity Check window, click Online Database.
Click Check Integrity.
The firewall creates a new integrity database and compares it with the old database.
Review the changes noted in the changes file and make sure they are acceptable changes. For example, you may have added users to your authentication database since you last created your integrity database. The authentication database information is different, and the integrity check notes this. This is an acceptable difference.
The scan program does not tell you what has changed about the file. It only tells you that the file has changed.
To view the results of an integrity check:
Log in to the firewall and become root.
Use your favorite text editor to view the file (/tmp/scan.processID) that contains the list of changes.