File Integrity (sec-integrity)

Checks the integrity of system files, detects unknown binaries, SUID/SGID files, and executable files in temporary directories.

Configuration

| Parameter | Type | Default | Description |
|---|---|---|---|
| enabled | bool | true | Enable/disable module |
| check_interval_multiplier | int | 6 | Check interval multiplier (6 x check_interval = 30 min at default) |
| system_paths | list | ["/usr/bin", "/usr/sbin", "/usr/local/bin", "/usr/local/sbin"] | System paths for binary checking |
| ignore_paths | list | [] | Paths to exclude |
| tmp_paths | list | ["/tmp", "/var/tmp"] | Temporary directories to check |
| sensitive_dirs | list | ["/etc", "/usr/bin", "/usr/sbin", "/usr/lib"] | Directories for permission checking |
| max_find_depth | int | 3 | Maximum search depth in tmp directories |

YAML Example

sec_integrity:
  enabled: true
  check_interval_multiplier: 6
  system_paths:
    - "/usr/bin"
    - "/usr/sbin"
  ignore_paths:
    - "/usr/local/bin/custom-tool"
  tmp_paths:
    - "/tmp"
    - "/var/tmp"

Diagnostic Codes

Linux

| Code | Severity | Meaning | Recommendation |
|---|---|---|---|
| 7300 | 0 | No integrity issues detected | - |
| 7301 | 1 | Binary does not belong to any package | Verify origin |
| 7302 | 1 | New SUID/SGID file found | Review SUID bit, remove if unnecessary |
| 7303 | 1 | World-writable file in sensitive directory | Restrict permissions |
| 7304 | 1 | File without valid owner (orphaned UID/GID) | Set owner or remove file |
| 7305 | 2 | Executable file in temporary directory | Investigate and remove file |
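The following is an added example, not the module's own code, showing how the configuration parameters above (system_paths, sensitive_dirs, tmp_paths, ignore_paths, max_find_depth, check_interval_multiplier) translate into the Linux findings 7302 to 7305. The class and function names are invented for illustration, the directory tree it scans is constructed in a tempdir, and every SUID/SGID file is listed rather than only new ones, so a caller would diff the result against a stored baseline to get the "new" semantics of code 7302. Code 7301 needs dpkg/rpm and is handled separately under Platform Support.

```python
"""Added example (not the sec-integrity module's own code): a minimal Linux scan
that applies the sec_integrity parameters and emits codes 7302-7305."""
import grp
import os
import pwd
import stat
import tempfile
from dataclasses import dataclass, field

# The last digit of each code in the table is its severity.
SEVERITY = {7300: 0, 7301: 1, 7302: 1, 7303: 1, 7304: 1, 7305: 2}


@dataclass
class IntegrityConfig:  # invented name; fields mirror the documented parameters
    enabled: bool = True
    check_interval_multiplier: int = 6
    system_paths: list = field(default_factory=lambda: ["/usr/bin", "/usr/sbin", "/usr/local/bin", "/usr/local/sbin"])
    ignore_paths: list = field(default_factory=list)
    tmp_paths: list = field(default_factory=lambda: ["/tmp", "/var/tmp"])
    sensitive_dirs: list = field(default_factory=lambda: ["/etc", "/usr/bin", "/usr/sbin", "/usr/lib"])
    max_find_depth: int = 3


def effective_interval(cfg, check_interval_s):
    """Seconds between scans: multiplier x the agent's base check_interval (300 s gives the documented 30 min)."""
    return cfg.check_interval_multiplier * check_interval_s


def _under(path, roots):
    return any(path == r or path.startswith(r.rstrip("/") + "/") for r in roots)


def _files(root, max_depth=None):
    """Yield file paths under root; max_depth mirrors `find -maxdepth` (root's direct children are depth 1)."""
    for dirpath, dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        depth = 0 if rel == "." else rel.count(os.sep) + 1  # files in dirpath sit at depth + 1
        if max_depth is not None and depth + 1 >= max_depth:
            dirnames[:] = []  # prune: anything deeper would exceed max_depth
        for name in filenames:
            yield os.path.join(dirpath, name)


def _in_passwd(uid):
    try:
        pwd.getpwuid(uid)
        return True
    except KeyError:
        return False


def _in_group(gid):
    try:
        grp.getgrgid(gid)
        return True
    except KeyError:
        return False


def scan(cfg, known_uid=_in_passwd, known_gid=_in_group):
    """Return (code, severity, path) findings; ignore_paths suppresses any finding under them."""
    findings = []
    if not cfg.enabled:
        return findings

    def report(code, path):
        if not _under(path, cfg.ignore_paths):
            findings.append((code, SEVERITY[code], path))

    for root in dict.fromkeys(cfg.system_paths + cfg.sensitive_dirs):  # dedupe, keep order
        if not os.path.isdir(root):
            continue
        for path in _files(root):
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks and special files are not reported here
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                report(7302, path)
            if st.st_mode & stat.S_IWOTH and _under(path, cfg.sensitive_dirs):
                report(7303, path)
            if not (known_uid(st.st_uid) and known_gid(st.st_gid)):
                report(7304, path)
    for root in cfg.tmp_paths:
        if not os.path.isdir(root):
            continue
        for path in _files(root, cfg.max_find_depth):
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode) and st.st_mode & 0o111:
                report(7305, path)
    return findings


def _mkfile(path, mode, body=b"#!/bin/sh\necho demo\n"):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(body)
    os.chmod(path, mode)  # chmod after writing so the SUID bit is not cleared by the write


def demo_codes():
    """Build a constructed tree in a tempdir and return the sorted codes the scan emits."""
    root = tempfile.mkdtemp(prefix="sec_integrity_demo_")
    _mkfile(f"{root}/usr/bin/tool", 0o755)               # clean binary: no finding
    _mkfile(f"{root}/usr/bin/helper", 0o4755)            # SUID -> 7302
    _mkfile(f"{root}/usr/bin/vendor-suid", 0o4755)       # SUID but listed in ignore_paths -> suppressed
    _mkfile(f"{root}/etc/app.conf", 0o666, b"k=v\n")     # world-writable in sensitive dir -> 7303
    _mkfile(f"{root}/tmp/dropper", 0o755)                # executable in tmp, depth 1 -> 7305
    _mkfile(f"{root}/tmp/a/b/mid.sh", 0o755)             # depth 3 == max_find_depth -> 7305
    _mkfile(f"{root}/tmp/a/b/c/deep.sh", 0o755)          # depth 4 > max_find_depth -> not scanned
    _mkfile(f"{root}/tmp/notes.txt", 0o644, b"hi\n")     # not executable -> no finding
    cfg = IntegrityConfig(
        system_paths=[f"{root}/usr/bin"],
        sensitive_dirs=[f"{root}/etc", f"{root}/usr/bin"],
        tmp_paths=[f"{root}/tmp"],
        ignore_paths=[f"{root}/usr/bin/vendor-suid"],
        max_find_depth=3,
    )
    # Demo files are all owned by the current user; orphaned ids cannot be staged without
    # root, so treat only that uid as known and leave the group check out of the demo.
    found = scan(cfg, known_uid=lambda u: u == os.getuid(), known_gid=lambda g: True)
    return sorted(code for code, _sev, _path in found)


if __name__ == "__main__":
    print(demo_codes())
```

Run it as a script to see the codes for the constructed tree; with the defaults in IntegrityConfig and the real passwd/group lookups, scan() walks the documented system paths, sensitive directories and tmp directories on the host instead.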

Windows

| Code | Severity | Meaning | Recommendation |
|---|---|---|---|
| 8300 | 0 | No integrity issues detected | - |
| 8301 | 2 | SFC/CBS reports system file corruption | Run sfc /scannow |
| 8302 | 1 | System file modified (hash mismatch) | Verify file |
| 8303 | 1 | Unsigned file in System32 | Verify origin |
| 8304 | 1 | Alternate Data Stream (ADS) on file | Review and remove ADS if necessary |
| 8305 | 2 | Executable file in temporary directory | Investigate and remove file |

Platform Support

  • Linux: Uses dpkg -S / rpm -qf for package verification and find for SUID/tmp scanning.
  • Windows: Uses SFC logs, Authenticode signature verification, and NTFS ADS detection.
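As an added example (not the module's own code), this shows the package-verification step behind Linux code 7301: how the exit status and output of dpkg -S or rpm -qf are interpreted to decide whether a binary belongs to a package, and how ignore_paths suppresses a known local tool such as the /usr/local/bin/custom-tool from the YAML example. Function names are invented, and the command outputs in FAKE_DPKG are constructed to stand in for the real tools so the example runs without either package manager installed.

```python
"""Added example (not the sec-integrity module's own code): decide whether a binary is
owned by a package from `dpkg -S` / `rpm -qf` results, the check behind code 7301."""
import shutil
import subprocess
from dataclasses import dataclass


@dataclass
class CmdResult:  # invented: the three things we need from a finished query
    returncode: int
    stdout: str
    stderr: str = ""


def owning_package(tool, result):
    """Return the package that owns the queried file, or None if no package claims it."""
    if result.returncode != 0:
        return None  # both dpkg -S and rpm -qf exit non-zero when nothing owns the path
    for line in result.stdout.splitlines():
        line = line.strip()
        if not line or (tool == "dpkg" and line.startswith("diversion by")):
            continue  # dpkg prints diversion notes before the real "pkg: /path" line
        if tool == "dpkg":
            pkg, sep, _path = line.partition(": ")
            if sep:
                return pkg.split(":")[0]  # drop an architecture qualifier such as "libc6:amd64"
        else:
            return line  # rpm -qf prints the owning package name-version-release.arch
    return None


def detect_tool():
    """Pick the package manager query available on this host (dpkg first, then rpm)."""
    if shutil.which("dpkg"):
        return "dpkg"
    if shutil.which("rpm"):
        return "rpm"
    return None


def query_argv(tool, path):
    return ["dpkg", "-S", path] if tool == "dpkg" else ["rpm", "-qf", path]


def run_query(argv):
    """Real runner: capture output and never raise on a non-zero exit."""
    p = subprocess.run(argv, capture_output=True, text=True)
    return CmdResult(p.returncode, p.stdout, p.stderr)


def unpackaged_binaries(paths, tool, runner, ignore_paths=()):
    """Emit (code, severity, path, recommendation) for each path no package claims."""
    findings = []
    for path in paths:
        if path in ignore_paths:
            continue
        if owning_package(tool, runner(query_argv(tool, path))) is None:
            findings.append((7301, 1, path, "Verify origin"))
    return findings


# Constructed dpkg -S responses, keyed by the queried path (not captured from a real host).
FAKE_DPKG = {
    "/usr/bin/ls": CmdResult(0, "coreutils: /usr/bin/ls\n"),
    "/bin/sh": CmdResult(0, "diversion by dash from: /bin/sh\n"
                            "diversion by dash to: /bin/sh.distrib\n"
                            "dash: /bin/sh\n"),
    "/usr/local/bin/custom-tool": CmdResult(
        1, "", "dpkg-query: no path found matching pattern /usr/local/bin/custom-tool\n"),
    "/usr/local/bin/unknown-bin": CmdResult(
        1, "", "dpkg-query: no path found matching pattern /usr/local/bin/unknown-bin\n"),
}


def fake_dpkg_runner(argv):
    return FAKE_DPKG[argv[-1]]


def demo():
    """custom-tool sits in ignore_paths as in the YAML example, so only unknown-bin is reported."""
    return unpackaged_binaries(list(FAKE_DPKG), "dpkg", fake_dpkg_runner,
                               ignore_paths={"/usr/local/bin/custom-tool"})


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a real host, replace fake_dpkg_runner with run_query and tool with detect_tool(); paths reached through symlinks should be resolved with os.path.realpath first, since dpkg -S matches the literal path string it is given.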