Labrador

.: Features :.

Besides doing what other integrity checkers do, Labrador also offers:

  • Easy installation, without "./configure" or "make"

  • Ease of use

  • Stable tool under constant development

  • Entirely FREE and OPEN-SOURCE, released under the GPL license

  • Good documentation (I hope ;-)

  • Intuitive rules file format based on cascading tags

  • Ability to run in different platforms (virtually *no* learning curve from one system to the other)

  • Sample rules files for *NIX and Windows

  • Ability to check system databases even if they are now mounted as directories/drives in another system (like /mnt/suspicious_hard_drive/) through the "--rootdir" parameter (ideal for doing forensics on LKM-tampered systems).

  • Option to back up original files and safely restore compromised ones via the <backup> tag in the rules file. The restoration can even be done automatically through the "--restore" parameter. You can even put the modified files in quarantine for further analysis!

  • Database compression and encryption with several algorithms (Blowfish, Twofish, IDEA, DES, CAST5, Rijndael and many others)

  • Ability to send email to you whenever a test fails

  • Ability to run an arbitrary command, program or script whenever something goes wrong


Labrador can currently perform 13 (!) different checksum tests:

tag                         description
<md5> </md5>                creates MD5 (128 bits) checksum of files
<sha1> </sha1>              creates SHA-1 (160 bits) checksum of files
<sha224> </sha224>          creates SHA-224 (224 bits) checksum of files
<sha256> </sha256>          creates SHA-256 (256 bits) checksum of files
<sha384> </sha384>          creates SHA-384 (384 bits) checksum of files
<sha512> </sha512>          creates SHA-512 (512 bits) checksum of files
<haval> </haval>            creates Haval (256 bits) checksum of files
<whirlpool> </whirlpool>    creates Whirlpool (512 bits) checksum of files
<ripemd160> </ripemd160>    creates RIPEMD-160 (160 bits) checksum of files
<crc32> </crc32>            creates CRC-32 (32 bits) checksum of files
<crc16> </crc16>            creates CRC-16 (16 bits) checksum of files
<crc8> </crc8>              creates CRC-8 (8 bits) checksum of files
<crcccitt> </crcccitt>      creates CRC-CCITT (16 bits) checksum of files


And several integrity checks:

tag                         description
<mode> </mode>              registers file type and permissions
<uid> </uid>                registers user id of file's owner
<gid> </gid>                registers group id of file's owner
<nlink> </nlink>            registers number of (hard) links of file
<inode> </inode>            registers the file's inode number
<mtime> </mtime>            registers the file's last modification time
<atime> </atime>            registers the file's last access time
<ctime> </ctime>            registers the file inode's last modification time (or the file's creation time in Windows)
<size> </size>              registers the total file size, in bytes
<nblocks> </nblocks>        registers the number of blocks allocated to file
<dev> </dev>                registers the device number of filesystem for file
<grow> </grow>              registers that the file size can only increase


It also has other integrity checks not currently available in most of the "competition":

tag                         description
<nonew> </nonew>            registers that the directory must not contain new files (created after the database was made)
<nodel> </nodel>            registers that no file can be deleted in the given directory
<nosuid> </nosuid>          registers that the directory must not contain suid files
<nosgid> </nosgid>          registers that the directory must not contain sgid files
<noexec> </noexec>          registers that the directory must not contain executable files
<nobinary> </nobinary>      registers that the directory must not contain binary files
<notext> </notext>          registers that the directory must not contain text files
<nohidden> </nohidden>      registers that the directory must not contain hidden files
<nosymlink> </nosymlink>    registers that the directory must not contain symbolic links

Not to mention the <reset> tag, that resets all tags at once, making it even easier to configure.
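As an added illustration (not Labrador's own code), the sketch below shows how a baseline database of per-file attributes (<sha256>, <mode>, <uid>, <size>) can be re-checked against a live tree under the directory-level rules <nonew>, <nodel> and <nosuid>, plus the per-file <grow> rule, and how each broken rule surfaces as a finding. The sample tree, the tampering steps and the rule set are constructed for the demo.

```python
import hashlib, os, stat, tempfile
from pathlib import Path

def snapshot(root):
    """Baseline database: relative path -> attributes (mirrors <sha256>, <mode>, <uid>, <size>)."""
    db = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            rec = {"mode": st.st_mode, "uid": st.st_uid, "size": st.st_size}
            if stat.S_ISREG(st.st_mode):          # symlinks get no content hash
                with open(path, "rb") as fh:
                    rec["sha256"] = hashlib.sha256(fh.read()).hexdigest()
            db[os.path.relpath(path, root)] = rec
    return db

def check(root, baseline, dir_rules, grow=()):
    """Re-scan root; return sorted (tag, path) findings. grow lists append-only files (<grow>)."""
    current = snapshot(root)
    findings = set()
    if "nonew" in dir_rules:
        findings |= {("nonew", p) for p in set(current) - set(baseline)}
    if "nodel" in dir_rules:
        findings |= {("nodel", p) for p in set(baseline) - set(current)}
    if "nosuid" in dir_rules:
        findings |= {("nosuid", p) for p, r in current.items() if r["mode"] & stat.S_ISUID}
    for p in set(current) & set(baseline):
        old, new = baseline[p], current[p]
        if p in grow and new["size"] < old["size"]:       # append-only: shrinking is the violation
            findings.add(("grow", p))
        elif p not in grow and new.get("sha256") != old.get("sha256"):
            findings.add(("sha256", p))
        findings |= {(t, p) for t in ("mode", "uid") if new[t] != old[t]}
    return sorted(findings)

def demo():
    """Constructed scenario: take a baseline, tamper with the tree, re-check."""
    with tempfile.TemporaryDirectory() as root:
        Path(root, "bin").mkdir()
        for name, body in (("bin/ls", b"ELF"), ("passwd", b"root:x:0:0"), ("audit.log", b"ok\n")):
            Path(root, name).write_bytes(body)
        baseline = snapshot(root)
        Path(root, "bin", "ls").write_bytes(b"ELF-trojan")   # trojaned binary ...
        Path(root, "bin", "ls").chmod(0o4755)               # ... made setuid
        Path(root, "audit.log").write_bytes(b"")            # truncated log
        Path(root, "bin", "rootkit").touch()                # new file
        Path(root, "passwd").unlink()                       # deleted file
        return check(root, baseline, {"nonew", "nodel", "nosuid"}, grow={"audit.log"})
```

Each finding names the tag that was broken and the offending path, which is the information a <execute> hook or a mail notification would carry.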


How about mitigation after a compromise has been detected?

tag                         description
<backup> </backup>          lets you restore your system to its original (trusted) state
<execute="">                run any command, program or script that you wish whenever a rule is broken


Still not impressed? Then please let me know what features or tests you would like to see in Labrador in the future!
