Osiris User Handbook

Contents:

• Installing Osiris
  This part explains how to perform the initial setup and general deployment of Osiris.
  1. About Osiris
     General overview of Osiris functionality and system components.
  2. Getting Osiris
     Download locations, CVS repository, and web based options for viewing source and development activities.
  3. Configuration
     Discussion of things to consider before configuring the Osiris source.
  4. Compilation and Installation
     Building, Installation, and steps needed to deploy Osiris management and agent software.
  5. Configure the Management Console
     The management console should be configured prior to use.
  6. Adding a Host
     Follow these steps whenever you want to add a host to be monitored.
  7. Where to go from here
     Other sources of information or help with Osiris.
• Using Osiris
  Learn how to use Osiris, specifically: how the system functions, customizing what is being monitored, and responding to detected changes.
  1. How Scheduling Works
     Learn how the scheduler behaves, and how to configure scheduling of host scans.
  2. Scan Databases
     Information about how scan data is stored, and how to deal with scan databases, archiving, purging, etc.
  3. Dealing With Detected Changes
     Options available to administrators for dealing with scan reports that indicate a host's environment has changed.
  4. Notifications
     Outlets for being notified of detected change, and their configuration.
  5. Comparison Filters
     Sometimes recurring changes are best dealt with by adding filters to remove noise from the logs.
  6. Custom Scan Configurations
     Osiris comes with default scan configuration files for many platforms, but often it is necessary to alter, tweak, or devise new scan configuration files.
  7. Logging
     Osiris can log to system logs, or files. These outlets as well as the log format is presented in this section.
• Appendix A - Scan Configuration Syntax
  Learn the details of the scan configuration syntax, and what exactly the scan filters do.
• Appendix B - Platform Specific Issues
  Misc. issues regarding platform specific issues with Osiris.

A. Installing Osiris

1. About Osiris

1.a. Introduction

Osiris is a host integrity monitoring system that can be used to monitor changes to a network of hosts over time and report those changes back to the administrator(s). Currently, this includes monitoring any changes to the filesystems. Osiris takes periodic snapshots of the filesystem and stores them in a database. These databases, as well as the configurations and logs, are all stored on a central management host. When changes are detected, Osiris will log these events to the system log and optionally send email to an administrator.

In addition to files, Osiris has the ability to monitor of other system information including user lists, group lists, and kernel modules or extensions.

Some integrity monitoring systems are signature-based, that is, they look for specific file attributes as a means of detecting malicious activity. This type of approach to host integrity can be very cumbersome to manage and can lead to unauthorized change going undetected. Osiris is intentionally not like this. Osiris will detect and report changes to a filesystem and let the administrator determine what (if any) action needs to take place. There are no complicated assumptions or dumbing-down of information. If a change occurs, it can be detected and reported.

All Osiris components compile and run on both Windows and common UNIX systems, including BSD, Linux, Mac OS X and Darwin, AIX, IRIX, and Windows NT/2K/XP. This allows for the flexibility to manage all types of platforms from either a UNIX or Windows environment.

Osiris has a modular interface that allows developers to easily extend what the scan agents are capable of monitoring. See the modules page for details.

1.b. Overview of Components

Osiris consists of three major components: the management console (osirsimd), a scan agent (osirisd), and a CLI management application (osiris). At the present time, the management application uses only a command-line interface.

The management console should be deployed on a trusted host. This is where all of the information about managed hosts are kept, including configs, logs, and databases. This process runs as an unprivileged user.

The scan agent is a lightweight process that runs on each monitored host. The scan agent is responsible for scanning the local filesystem and sending the data back to the management host. On UNIX systems, as well as Linux, the scan agent runs with privilege separation. The root process exists only to open privileged files during a scan. (files are never opened for write access, never).

The management application is used by the administrator to manage the details of the scanned hosts. It communicates directly only with the management console.

The management console has a very simple, portable, directory structure and can be tar'd or zipped and moved to any other supported system (if needed). It is organized as follows:

    osiris/
      |
      |
      `--certs/               - root cert (osirismd.crt)
      |
      `--configs/             - default and shared scan config files
      |
      `--filter.db            - comparison filter database
      |
      `--hosts/               - host directories (see below)
      |
      `--osirismd.conf        - management console config
      |
      `--private              - user database, SSL key file

Each host directory under the “hosts” directory has the following structure:

    example-host/
      |
      |
      `--configs/             - scan config files
      |
      `--databases/           - scan database files
      |
      `--logs/                - comparison log files
      |
      `--host.conf            - config for this host

1.c. General Considerations

Before installing and using Osiris, it makes sense to consider certain issues such as the number of hosts you will be monitoring, the various platforms of monitored hosts, the location and security of your management console, and the environment you will be using to build Osiris.

If you have installed Osiris from a ports tree of some kind, these issues have already been considered for you, feel free to skip to the next chapter (Using Osiris).

If you will be monitoring more than a handful of hosts, a means of distributing the scan agent software to these hosts will be necessary unless you want to do that by hand. The osiris system currently does not have any way of remotely installing or updating scan agents.

Osiris requires a single host to be used as a management console. Ideally, this host is a host dedicated to being an Osiris management console, running only necessary services and applications, and only available to the necessary administrator(s). The security of the management console is key to the integrity of the Osiris system as a whole. If the management console is compromised, all of the data associated with monitored hosts becomes useless (at least).

It may be the case that your management host, or monitored hosts do not have a compiler on them. In that case, the management console and the agent software can be built offline, in a trusted environment. Obviously, you need to build the management console on the same platform, and build scan agent packages on the same platform(s) that you will be deploying them to.

2. Getting Osiris

The main distribution point for the osiris source code is here:

Compilation on Windows is not fun, so PGP signed binary distributions for windows are also available at this download location.

To get access to the latest unreleased top of tree source code, there is an anonymous Subversion mirror:

$ svn checkout http://pinkfloyd.colorado.edu:8080/svn/osiris/osiris/trunk osiris 

3. Configuration

If you have specific requirements for Osiris such as where the management console stores monitoring data, or the privilege separation user, then these things can be specified as arguments to configure. Most users will not need to customize the configuration and can simply use the defaults:

$ ./configure

If not customizing, then proceed to the next section on compilation and installation.

optional configuration parameters

 --with-root-dir=/var/adm/osiris
 --with-osiris-user=myuser
 --with-osiris-md-user=myconsoleuser
 --with-md-conf-dir=/etc
 --with-ssl-dir=/my/ssl/dir/location
 --enable-fancy-cli

By default, the management console stores all logs, config files, databases, and other files under the /usr/local/osiris/ directory. Over time, the databases directory may grow rather large and some administrators may wish to keep the osiris root directory somewhere else in the file system. To specify an alternate location, use the --with-root-dir=DIR as an option to configure, for example, to place the osiris root at /var/adm/osiris, do the following:

During installation, an unprivileged osiris user and group is created. The management console runs as this unprivileged user. In addition, the scan agent has two processes, one run as root, the other as the unprivileged osiris user as a form of privilege separation. To change the name of this unprivileged user, use the --with-osiris-user option to configure.

If you wish the management console to run as a different user than the scan agent, use the --with-md-user option.

To specify an alternate directory where the management console can find its configuration file (osirismd.conf) use the --with-md-conf-dir option.

By default, configure attempts to find the location of OpenSSL on your system. If not found, you may have to explicitly tell configure where OpenSSL is. Use the --with-ssl-dir=DIR option.

There are some experimental features of the Osiris command line that provide a command history list using the up-arrow key as well as command completion. To enable this, use the --enable-fancy-cli option. By default, Osiris will use libreadline (if installed) unless this option is specified.

4. Compilation and Installation

If you your plans are to simply install the management console on a single host, and monitor only that host, then compilation and installation is as simple as doing:

$ ./configure
$ make
# make install

However, if you are planning on monitoring multiple hosts, or your management host does not have a compiler, then you will need to build the installer packages.

4.a. Management Console

To build an installer package for the management console, use the 'console' make target:

$ make console

This will produce a tar.gz file containing the binaries and an installation script located in the src/install/ directory. The name of the file will include the Osiris version, Operating System, and system architecture (e.g. x86). Transfer this tar.gz file to the management host, unpack it and run the installer script as root (or equivalent):

# ./install.sh

This script will create the user and group needed and prompt you for which components to install. When installing the management console, it is recommended that you also install a local scan agent as well as the command line interface.

The install script will also install startup items for the management daemon and the scan agent if installed. When prompted for starting the daemons now, choose yes.

4.a. Scan Agent

To build an installer package for the scan agent, use the 'agent' make target:

$ make agent

This will produce a tar.gz file containing the binaries and an installation script located in the src/install/ directory. The name of the file will include the Osiris version, Operating System, and system architecture (e.g. x86). Transfer this tar.gz file to each like platform to be monitored. Unpack the installer package and run the installer script as root (or equivalent):

# ./install.sh

Repeat this for each host to be monitored. For example, if you plan on monitoring 20 linux boxes, and 3 FreeBSD, you would need to build one Linux agent package, and one FreeBSD agent package. Currently, the Osiris system does not include a means of distribution and this is the responsibility of the administrator.

There are some suggestions for agent distribution and automated integration into the management console that can be found on the contribution section of the Osiris site.

5. Configure the Management Console

After the management console has been installed, some initialization is necessary. The steps presented here are simply suggestions. Configure your management console according to your needs/requirements/security policy as necessary.

To configure settings for the management console, use the 'edit-mhost' command. This will invoke a series of questions. If you are unsure of a setting, just accept the defaults. Login as the user admin with no password.

$  osiris
Osiris Shell Interface - version 4.0.5-release
unable to load root certificate for management host:
(/Users/brian/.osiris/osiris_root.pem)
 >>> fetching root certificate from management host (localhost).

The authenticity of host 'localhost' can't be established.

  [ server certificate ]

 subject = /C=US/CN=Osiris Management Console/OU=Osiris Host Integrity System
 issuer  = /C=US/CN=Osiris Management Console/OU=Osiris Host Integrity System

            key size: 2048 bit
      MD5 fingerprint: 84:28:18:89:0F:7E:0C:5B:AE:B6:57:8B:38:B7:44:EF

Verify the fingerprint specified above.
Are you sure you want to continue connecting (yes/no)? yes
 >>> authenticating to (localhost)

User: admin
Password: 

connected to management console, code version (4.0.5-release).
hello.

WARNING: your password is empty, use the 'passwd' command
to set your password.

osiris-4.0.5-release: edit-mhost

[ edit management host (localhost) ]

  > syslog facility [DAEMON]: 
  > control port [2266]: 
  > http host name (uses system name by default) []: 
  > http control port [2267]: 
  > notify email (default for hosts) []: 
  > notification smtp host [127.0.0.1]: 
  > notification smtp port [25]: 

  > authorized hosts:

   127.0.0.1

  Modify authorization list (y/n)? [n] n

[ management config (localhost) ]

syslog_facility = DAEMON
control_port = 2266
http_port = 2267
http_host = 
notify_email = 
notify_smtp_host = 127.0.0.1
notify_smtp_port = 25
hosts_directory = 
allow = 127.0.0.1

Is this correct (y/n)? y
 >>> management host configuration has been saved.
osiris-4.0.5-release: 

The following list is a description of each setting:

syslog facility: this is the facility that the management console will use for all logs. Logs include everything from the status of the management daemon, to communication with agents, and scan comparison logs.

control port: this is the port that the management console listens on for communication with the CLI. If you will be connecting to the management console from other hosts, make sure the firewall has this port open.

http control port: this is the port that the management console listens on for web based confirmation of changes. When changes are detected, if this port is enabled, any email notifications will contain an URL that allows the administrator to confirm the changes and reset the trusted database. By default, this feature is turned off. It is here merely as a convenience for administrators that wish to manually acknowledge changes. Do not enable this feature unless you know you require it.

notify email: this is default email address that all changes will be sent to for hosts that have email notification turned on. The default value is not set.

notification smtp host: this is the host running an smtp server that the console will use to send mail. The management console does not have a built-in MTA. The default assumes the local host is running an smtp server.

notification smtp port: this is the port that the notification smtp host accepts smtp requests on. The default is 25.

authorized hosts: The management console has an access control list that specifies exactly which hosts are allowed to connect to the control port on. By default, this list includes only 127.0.0.1. You can add hosts specifically to this list, or you can use regular expressions to add a group of hosts. Adding "*" is not recommended since this will allow any host to connect.

6. Adding a Host

For each scan agent deployed, you will need to establish a host profile under the management console. A host is added with the 'new-host' command. Assuming the management console was recently configured, it makes sense to add and configure the agent running on the management host:

osiris-4.0.5-release: new-host

[ new host ]

  > name this host []:  mgmt
  > hostname/IP address []: 127.0.0.1
  > description []: management console agent
  > agent port [2265]: 
  > enable log files for this host? (yes/no) [no]: 

Scan Databases:

    => keep archives of scan databases?  Enabling this option means that the
       database generated with each scan is saved, even if there are no changes
       detected.  Because of disk space, this option is not recommended
       unless your security policy requires it. (yes/no) [no]: 

    => auto-accept changes?  Enabling this option means that detected
       changes are reported only once, and the baseline database is
       automatically set when changes are detected. (yes/no) [yes]: 

    => purge database store?  Enabling this option means that none
       of the scan databases are saved.  That is, whenever the baseline database
       is set, the previous one is deleted. (yes/no): [yes]: 

Notifications:

    => enable admin email notification for this host? (yes/no) [no]: 
    => send notification on scheduled scans failures? (yes/no) [no]: 
    => send scan notification, even when no changes detected  (yes/no) [no]: 
    => send notification when agent has lost session key  (yes/no) [no]: 
    => notification email (default uses mhost address) []: 

Scheduling:

  > configure scan scheduling information? (yes/no) [no]: yes

    [ scheduling information for mgmt ]

    Scheduling information consists of a start time and a frequency value.
    The frequency is a specified number of minutes between each scan, starting
    from the start time.  The default is the current time.  Specify the start
    time in the following format: mm/dd/yyyy HH:MM

    enter the start date and time 
    using 'mm/dd/yyyy HH:MM' format: [Tue Sep 28 08:14:12 2004] 
    enter scan frequency in minutes: [1440] 

  > activate this host? (yes/no) [yes]: 

host                  => mgmt
hostname/IP address   => 127.0.0.1
description           => management console agent
agent port            => 2265
host type             => generic
log enabled           => no
archive scans         => no
auto accept           => yes
purge databases       => yes
notifications enabled => no
notifications always  => no
notify on rekey       => no
notify on scan fail   => no
notify email          => (management config)
scans starting on     => Tue Sep 28 08:14:12 2004
scan frequency        => daily (every 1440 minutes).
enabled               => yes

Is this correct (y/n)? y
 >>> new host (mgmt) has been created.

After the host has been created, the management console will ask to initialize it. What this means is that the management console will determine what Operating System is running on the host, suggest a default scan configuration to use, and start an initial scan to create a baseline for this host. It is not necessary to initialize right away, you can always come back and initialize this host with the 'init' command. In this case, we will initialize the agent running on the management console:

Initialize this host? (yes/no): yes 

Initializing a host will push over a configuration, start
a scan, and set the created database to be the
trusted database.

Are you sure you want to initialize this host (yes/no): yes

OS Name: Darwin
OS Version: 8.0.0b1

use the default configuration for this OS? (yes/no): y
 >>> configuration (default.darwin) has been pushed.
 >>> scanning process was started on host: mgmt

We can see the status of the host at any time by using the 'status' command:

osiris-4.0.5-release: status mgmt

[ current status of host: mgmt ]

     current time: Tue Sep 28 08:19:22 2004
         up since: Thu Sep 23 09:49:04 2004

 last config push: Tue Sep 28 08:18:38 2004
 configuration id: 043faff0

     agent status: idle.
    config status: current config is valid.
   osiris version: 4.0.5-release
               OS: Darwin 8.0.0b1

osiris-4.0.5-release: list-db mgmt
This may take a while...

  [ name ]                        [ created ]                   

  * 1                               Tue Sep 28 08:18:38 

total: 1
(*) denotes the base database for this host.

For reference, the following list is a description of each host setting:

name: the short name associated with this host, keep this small but descriptive as this is the name that is used whenever you reference the host in the CLI, and is what is sent out in notification mails and logs.

hostname: the IP address or hostname where this host can be contacted at.

description: a small description of the host (e.g. "dev-test solaris 9") that is printed out when you list the hosts.

agent port: this is the port that the agent is listening on. By default this is 2265. Do not change this unless you have a reason to. If you do, be sure that the agent is started and told to listen on the same port (-p option) or else communication will be lost.

enable log files: When enabled, each scan report will produce a new log file under the /logs directory for this host. This is useful if you wish to keep separate log files for each scan, for records, or forensic purposes. Keep in mind that ALL of these log entries are sent to syslog on the management console and that is the recommended means of collecting and dealing with logs. It is not recommended that this feature be enabled. The default is 'no', disabled.

archive scan databases: After each scan, a database is created. Turning this feature on saves each scan database, even if it is identical to the previous scan. Again, it is not recommended that this feature be enabled unless you need it. The default is 'no', do not archive databases.

auto accept changes: Each host has a baseline database that is compared with the database created after each scan. Enabling this feature automatically sets the baseline database to be the newly created database if changes are detected. By default, this is turned on and it is recommended that this be enabled unless you have reason to disable it. If you wish to manually reset the baseline database, turn this feature off.

purge database store: in order to prevent scan database files from accumulating on the management console, this feature automatically deletes databases older than the baseline. It is recommended that this feature stay enabled. If you need access to previous databases, turn this feature off.

email notification: turning this feature on will send email to the notify email address set for this host, or to the default address set under the management settings. If disabled, no email notifications for this host will be issued.

notify on scan failures: enabling this feature will send mail to the administrator in the event that a scheduled scan was not able to be started. The failure reason is included in this email notification.

notify on no changes: enabling this feature will send mail to the administrator after each scan, even if there are no changes. If disabled, notifications are only sent when changes are detected for this host.

notify on session rekey: enabling this feature will send mail to the administrator each time the agent loses it's memory resident session key. This is the key that is established between the management console and the agent. If the agent is restarted, or the box is rebooted, the key is lost. This enables the administrator to be informed of someone has restarted the daemon, or the box has rebooted.

notification email: the email address for the administrator of this host. If left blank, the default address in the management console settings is used.

scheduling date/period: scheduling works by setting a start date and time, and a period in minutes. The default is the current date and time. This is usually fine unless you have specific requirements for when this host is scanned. For example, to scan a host every day at 2 a.m., you would enter some date and 2 a.m. Then, a period of 1440 minutes (daily).

activate: The scheduler only schedules scans for activated hosts. If you disable a host, the scheduler ignores it. However, you can still communicate and manually kick off scans on disabled hosts. Notifications and logs all work the same.

6. Where to go from here

At this point, the management console has been installed and configured. In addition, a scan agent is running on the management console and a baseline database has been configured. To add more hosts, follow the example above.

For more details about using osiris, go on to the next section Using Osiris. The most current documentation is always online. In addition, there are mailing lists available for developers, and users.

If you still need help, or have questions or suggestions, feel free to send mail to me at brian at shmoo.com.

B. Using Osiris

1. How Scheduling Works

The built-in scheduler is responsible for telling the managed hosts when to start a scan. When it is time for a host to be scanned, the scheduler does the following:

1. Sends the scan config used to create the currently trusted database to the managed host.
2. Starts a scan on the remote host.
3. When the scan is complete, the newly created database is then compared to the trusted database. Depending upon the host's configuration and the results of the database comparison, the comparison results might or might not be sent to the administrator.

The scheduler pushes the scan config each time to ensure that the managed host has the correct scan config loaded. The current scheduler is limited to scheduling scans based off of a single config.

2. Scan Databases

When a host is scanned, all scan data is sent back to the management host. None of the information collected is ever kept on the filesystem of the managed host. This is done in an attempt to preserve the integrity and confidentiality of the scan data.

The management host stores scan data in Berkeley DB files. Each scan database contains some meta data, the scan entries, and any errors that may have occurred during the scan. The databases are formatted in such a way that they can be moved across platforms or machines with different byte ordering. This makes it easy to migrate a management host to a different platform with little hassle. This is also handy in a forensic situation by allowing a timeline of scans to be analyzed on any of the supported platforms.

The scan database files are considered read-only and are even created so as to not allow write privileges to any user. Thus, database files are NEVER altered in any way by any of the Osiris executables.

Each host has one database that is considered the base, or trusted, database. When a subsequent database is created, it is compared against the base database in order to determine if any changes have occurred. Since databases are never altered, change management is handled by changing which database is the trusted database. More information on this in the section below, Dealing with Detected Changes.

Hosts can be configured to have database archiving enabled or disabled. In most cases, it is sufficient to disable archiving, but your security policy might require that each database be kept and stored for some period of time. If archiving is enabled, keep in mind the scan frequency and size of each database when determining disk space requirements.

The following table lists the file attributes scanned with each scan record type:

path
cryptographic checksum
owner name
owner SID
group name
group SID
modification time
access time
change time
file size (bytes)
device
attributes (archive,compressed,dir,encrypted,hidden,normal,indexed,
offline,readonly,reparse,sparse,system,temporary)

path
cryptographic checksum
permissions string
user name
group name
device
inode
file mode
number of hard links
uid
gid
modification time
access time
change time
device type
file size (bytes)
blocks
block size

Viewing Database Contents At times, it may be necessary to view the contents of a scan database. The command line interface allows for this with the print-db command. Use the list-db command to view a listing of databases. The print-db command will then enter a subcommand mode for that database that allows for the printing of the database header, file record listing, specific file details, system record listing, and any errors that were encountered while scanning. For example:

osiris-4.0.5-release[local]: list-db
This may take a while...
  [ name ]                        [ created ]
  * 1                               Mon Jan  5 07:28:55
    2                               Tue Jan  6 07:21:17
total: 2
(*) denotes the base database for this host.
osiris-4.0.5-release[local]: print-db 2
This may take a while...
100% [========================================>] 233472 bytes
    h) show database header.
    r) list file records.
    d) list file record details.
    s) list system records.
    x) list errors.
    q) quit
[local:database: 2]: h
  DATABASE: 2
         status: complete
           host: unknown
           user: unknown
         config: test (35c8e80b)
         errors: 0
   file records: 34
 system records: 55
  SCAN RESULTS:
            record type: UNIX1
      files encountered: 34
          files scanned: 34
   symlinks encountered: 0
      symlinks followed: 0
       files unreadable: 0
 directories unreadable: 0
    symlinks unreadable: 0
           scan started: Tue Jan  6 07:21:17 2004
          scan finished: Tue Jan  6 07:21:18 2004
    h) show database header.
    r) list file records.
    d) list file record details.
    s) list system records.
    x) list errors.
    q) quit
[local:database: 2]:

3. Dealing with Detected Changes

The use of Osiris can vary in purpose, but the bottom line is that the administrator desires to be notified of certain changes and not others. Whatever the case, there are always unanticipated changes. Software is upgraded. Security alerts trigger patches to critical parts of a system.

When the latest scan produces information that differs from the trusted state, log entries are created and email might be sent to the administrator listing the detected changes. Unless action is taken, the subsequent scans will report the same changes and, depending upon the host's configuration, continue to notify the administrator. Since databases are not altered, the way to "acknowledge" changes is to change what is considered the trusted database for that host. There are two ways to do this:

1. Log in to the management host and use the set-base-db command to set the base database. Usually this will be the most recently created database. When managing a lot of hosts, this can be cumbersome.
2. Enable email notifications and the http server port. When a change occurs for a host, email is sent to the administrator listing the changes. Included in each email is a URL that will allow the administrator to use a web browser to quickly command the management host to change the trusted database accordingly. The same authentication logic applies. The user must login from a host that is in the management host's allowed access list.

4. Notifications

Currently, the only supported notification is email. Although monitoring of the logs is strongly recommended, it can be very convenient to be notified of changes by email. Hosts can be configured to notify the administrator after each scan, or only when changes are detected. A warning notification is issued in the event that a scheduled scan fails for any reason.

A notification consists of statistics related to the scan as well as all of the log entries associated with any detected changes. If the http server is enabled, a URL is also specified to provide the recipient the opportunity to update the trusted database via an SSL enabled web browser.

The following is an example of a notification after updating some executables:

If these changes are approved, visit the URL below to set the
latest scan database to be the trusted database. Or, login to the
management console and set the trusted database to 4.If these
notifications persist, you may need to modify the scan config for
this host.

    <https://example.com:2267/?host=mac-ibook&base_db=4>

Change Statistics:
----------------------------------
        checksums: 1
       SUID files: 0
 root-owned files: 3
 file permissions: 0
        new files: 0
    missing files: 0
total differences: 10
     compare time: Fri Sep 19 23:27:37 2003
             host: mac-ibook
         log file: no log file generated, see system log.
          base db: 3
       compare db: 4

[mac-ibook][cmp][/usr/sbin/osiris][mtime][Fri Sep 19 14:32:00 2003,Fri Sep 19 23:22:51 2003]
[mac-ibook][cmp][/usr/sbin/osiris][ctime][Fri Sep 19 14:32:00 2003,Fri Sep 19 23:22:51 2003]
[mac-ibook][cmp][/System/Library/StartupItems/Osiris][mtime][Fri Sep 19 14:32:01 2003,Fri Sep 19 23:22:51 2003]
[mac-ibook][cmp][/System/Library/StartupItems/Osiris][ctime][Fri Sep 19 14:32:01 2003,Fri Sep 19 23:22:51 2003]
[mac-ibook][cmp][/usr/sbin/osirisd][mtime][Fri Sep 19 14:32:00 2003,Fri Sep 19 23:22:51 2003]
[mac-ibook][cmp][/usr/sbin/osirisd][ctime][Fri Sep 19 14:32:00 2003,Fri Sep 19 23:22:51 2003]
[mac-ibook][cmp][/usr/sbin/osirismd][checksum][1df0207690badc70f5503a7293514a77b877101,cfcd60e2cea349b8223703b3d16fd06b6523b17]
[mac-ibook][cmp][/usr/sbin/osirismd][mtime][Fri Sep 19 14:32:00 2003,Fri Sep 19 23:22:51 2003]
[mac-ibook][cmp][/usr/sbin/osirismd][ctime][Fri Sep 19 14:32:00 2003,Fri Sep 19 23:22:51 2003]
[mac-ibook][cmp][/usr/sbin/osirismd][bytes][1575356,1575460]

5. Comparison Filters

Sometimes it may be necessary to monitor only certain attributes of files. For example, it is common for log files to change in size and content but the permissions should probably never change.

Comparison filters allow certain changes to exist without triggering a log entry. One of the biggest problems with IDS systems is that they often become noisy, or issue bothersome alerts that eventually numb the administrator to the point where events are ignored or not given proper attention.

Comparison filters allow an administrator to specifically single out changes that should be ignored, or changes that should given attention so that notifications become more meaningful. Filters are basically a list of regular expressions. Use the filters command to list your currently installed filters. Use the edit-filters to spawn an editor and edit the filter list.

6. Custom Scan Configurations

Osiris ships with default scan configs, but you will likely want to modify those or create your own.

The "configs" directory in the osiris root on the management host contains all of the default configs, e.g. default.linux These are the configs used during the init process and when a host is created. Feel free to modify these files so that the addition of new hosts can take advantage of the custom configs.

The config files in this directory are known as shared because any number of hosts can take advantage of them. This makes it easy to monitor many similar hosts and be able to make changes to their scan by editing a single config file.

At any point in time, you can view the config used to create the trusted database for a host, use the config command:

osiris-4.0.5-release: config mac-ibook
the trusted database for host: mac-ibook created with config: (default.darwin)

For hosts that require very customized configs, you may choose to store it under that host’s configs directory. The only real advantage of this is that the main ‘configs’ directory will not get cluttered with customized configs.

To create a new config, use the new-config command. To create a config in the shared configs directory, just provide a name:

osiris-4.0.5-release: new-config myconfig

Or, to add a config to be used only for a specific host:

osiris-4.0.5-release: new-config myhost myconfig

Once a config has been created, it can be edited with the 'edit-config' command. This command will download the config and open it in an editor on the local machine. If saved, the modified config will be sent back (saved) to the management host. Note that editing the config will most likely generate a different database signature and generate log entries.

To list all of the configs, use the configs command. To verify that a config is syntactically valid, use the verify-config command. The verify command will also print any errors and their line numbers.

For details on the syntax of scan configurations, see Appendix 1.

7. Logging

7.a. System Logs

The management console logs to the system log (syslog on UNIX platforms and the Event Viewer on Windows). Syslog parameters (facility and level) are specified in the management console’s configuration file. There are three levels of logging: low, medium, high. The low setting has only critical events sent to the log. The high setting is the most verbose.

7.b. Log Files

If a the log_to_file attribute is enabled for a host, a log file is created after each scan. The log details the results of the comparison. Comparison logs are always sent to the system log regardless of the log level. This cannot be turned off.

Scan agents do not log anything related to scans to the system log, only events related to the status or state of the daemon itself. This is by design. The goal is to keep sensitive information in a central location for reasons of security and usability.

7.c. Log Formats

The log formats sent to syslog and the EventViewer are as follows:

[id][host][type][message...]

If the host field is not applicable, it is "*". The type field is one of:

• error
• warning
• info
• cmp

For logs of type cmp, the message field has one of the following formats for new, missing, and altered items:

• [new][value]
• [missing][value]
• [attribute][before,after]

For example, here is an informational log entry:

11:57:54 localhost osirismd[284]:[16][*][info] authorized connection from: 127.0.0.1.

The path is a full path of the file in question. The attribute is the attribute that has changed (e.g. inode, mtime, or checksum).

The third field contains two values: the trusted or initial value for the attribute and the current value separated by a comma.

For example, here is a comparison log entry that shows that the mtime value for “/bin/ln” has changed:

Apr  6 12:12:37 localhost osirismd[861]: [211][local][cmp][/bin/ls][mtime][Mon Mar 15 21:40:11 2004,Tue Apr  6 12:11:07 2004]

8. Further Information and Support

The most current documentation is always online. In addition, there are mailing lists available for developers, and users.

If you still need help, or have questions or suggestions, feel free to send mail to me at brian at shmoo.com.

Appendix 1: Scan Configuration Reference

Scan configs are used to dictate exactly what is scanned on a host. Osiris ships with default configs for many platforms, so you have a decent starting point.

The config syntax for Osiris is very similar to the config sytnax used by Apache. A scan config consists of a global section, and a list of blocks. Each block represents a directory and contains options for that block, as well as rules used to include or exclude certain files.

Blocks are specified within directory tags:

<Directory></Directory>

If an option is not specified, the global value is assumed. If no rules are listed then the default rules are assumed. If a block is a subdirectory of another block, the subdirectory block takes precedence.

Options

Options dictate the nature of the scanning that takes place in the directory. Usually options appear first in the block, but their placement within the block has no signifigance or precedence.

Options not found within a specific block are said to be global. If no global value is specified, there is a default value for each option.

Currently supported options are as follows:

Recursive <bool>

if set, this osiris will recursively scan this directory, otherwise, only a top level scan will be done.

FollowLinks <bool>

if set, osiris will follow any symbolic links it encounters. If symbolic link is a link to a directory, it will only follow that link if the the recursive option is set.

Hash <hash>

specifies the hash algorithm to be used for all files in the directory. Algorithm may be one of: md5, sha, or ripemd boolean values must be one of: yes, y, 1, true, yup, no, n, 0, false, nope and the hash value must be one of: md5, sha, ripemd (for MD5,SHA-1,and RIPEMD-160).

Rules

a rule serves to include or exclude files, either specifically, or by property. The order of the rules is important. When a file is encountered during a scan, the rules for that block are analyzed in the order they are listed. If a rule catches a file, the information about the file is stored in the resultant database. Otherwise, it is ignored. The list of rules and their formats are as follows:

IncludeAll

Include all files, all files will be caught under this rule. If a block contains no rules, this is the default rule assumed.

ExcludeAll

Exclude all files.

Include <filter>

Include any files that pass the specified filter.

Exclude <filter>

Exclude any files that pass the specified filter.

NoEntry <directory>

The specified directory is not entered and the directory file itself is also ignored. The directory specified should be relative to the block. For example, to exclude the contents of /usr/local/src as well as the /usr/local/src directory file itself, use the following rule:

<Directory /usr/local>
    NoEntry src
</Directory>

The NoEntry directive does not support regular expressions and is case sensitive except on Mac OS X and Windows, where case is ignored. No quotes are required.

Filters

In every block of the scan config, including the global block, there will at be at least one filter. If no filters are specified in a block, the global filter will be used.

Filters are found as part of a rule. Specifically, you include filters after an 'Include' or 'Exclude' rule. For example, the following two statements include filters that will catch, or include, the files that are perl scripts or any file owned by user bob:

Include perl
Include user("bob")

Filters are designed to catch files of a particular type, or files that share a specific attribute. The information used to create many of the filters found in osiris are derived from the unix file(1) utility. The following is a list of the currently implemented filters, and their official definitions:

sticky

suid

sgid

executable

        (4 bytes) & 0377777777 = 041400407
        (4 bytes) & 0377777777 = 041400410
        (4 bytes) & 0377777777 = 041400413
        (4 bytes) & 0377777777 = 041400314

        0xCC, 0x107, 0x108, 0x10b

        0x00640107
        0x00640108
        0x0064010b
        0x006400cc
        or
        \01\03\020\04
        \01\03\040\04

        (4 bytes) & 077777777 = 0600413
        (4 bytes) & 077777777 = 0600410
        (4 bytes) & 077777777 = 0600407
        (4 bytes) & 077777777 = 0400413
        (4 bytes) & 077777777 = 0400410
        (4 bytes) & 077777777 = 0400407
        (4 bytes) & 077777777 = 0200413
        (4 bytes) & 077777777 = 0200410
        (4 bytes) & 077777777 = 0200407

        (4 byte header: feadface)

perl

python

    - first three bytes: \032\032\032
    - first four bytes:  \010\013\078\153 ( little endian ) 

script

        /bin/sh
        /bin/csh
        /usr/local/bin/bash
        /bin/bash
        /bin/ksh
        /bin/tcsh
        /usr/local/tcsh
        /usr/local/bin/tcsh
        /usr/local/bin/zsh
        /usr/local/bin/ash
        /usr/local/bin/ae
        /bin/nawk
        /usr/bin/nawk
        /usr/local/bin/nawk
        /bin/gawk
        /usr/bin/gawk
        /usr/local/bin/gawk
        /bin/awk
        /usr/bin/awk
        /bin/rc
        /usr/bin/env

gzip

zip

tar

pgp

        0\153
        1\153
        1\149
        0\149
        0\166

rpm

uid(x)

gid(x)

sid(x)

user(x)

group(x)

header(x)

file(regex)

any file that has the name matching the regular expression specified.

Note that the regex is case insensitive, meaning that "regex" will match against "regex", "REGEX", "ReGex", and so on.
The regular expression is a so called extended regular expression (ERE). For more information, please refer to: re.html.

Here are some examples:

    Include file( ^/etc/motd$ )

    Exclude file (^\. )

    Exclude file( ^/var/log/.*\.log$ )

    Exclude file( ignore )

suffix(x)

md5(x)

sha1(x)

ripemd(x)

permissions(x)

Global Blocks

The global block does not apply to any specific directory and is not within any tags. All options are valid in the global block. The only valid rules in the global block are IncludeAll and ExcludeAll rules.

Modules Block

The modules block allows for any compiled-in modules to be included in a system scan. There is only one modules block. Use the following tags to designate the modules block:

<Modules></Modules>

The following built-in modules are included with the scan agent:

Use the Include keywords to use these attributes, for example:

<Modules>
    Include mod_users
    Include mod_groups
    Include mod_kmods
    Include mod_ports
</Modules>

See http://osiris.shmoo.com/modules for information on how to obtain or develop modules for the Osiris scan agent.

Default Configuration

Global options are assumed if not specified. However, if no global option is specified, the default values for options are as follows:

Recursive      yes
FollowLinks    no
Hash           md5

Example Scan Configuration

The following is the included default config for Mac OS X. It scans most of the executable directories as well as root's home and the NetInfo database files.

Recursive   no
FollowLinks no
IncludeAll
Hash sha

<Modules>
  Include mod_users
  Include mod_groups
</Modules>

<Directory /private/var/root>
  Recursive yes
  Include executable
</Directory>

<Directory /bin>
</Directory>

<Directory /usr/bin>
</Directory>

<Directory /usr/local/bin>
</Directory>

<Directory /sbin>
</Directory>

<Directory /usr/sbin>
</Directory>

<Directory /var/db/netinfo>
</Directory>

Appendix B: Platform Specific Issues

Mention of platform or OS specific issues surrounding Osiris are listed below. Although Osiris has been designed to work in a similar fashion on all platforms there are sometimes small functional differences with each of the disparate platforms it runs on.

Resource Forks - With HFS+ filesystems on Mac OS X, some files may still have resource forks; some applications still make use of this characteristic of the filesystem. The Osiris scan agent automatically checks for resource forks on each file that is scanned. If the resource fork exists, it is scanned and monitored. At this time, this behavior is not configurable.