Update: do not use the images here with version 2.2 of the WRT54G; that version has a different hardware configuration. Updated images and source will be made available soon.

Monitoring the Linksys WRT54G and WRT54GS with Osiris

The Linksys WRT54G and WRT54GS devices run Linux, so it is very easy to deploy an Osiris scan agent on them and monitor the integrity of their environment. A module was developed to monitor the configuration values stored in nvram (the output of 'nvram show') for change.
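What monitoring 'nvram show' output for change involves, as an added example (this is not the Osiris module's code): two snapshots are parsed into name-to-digest maps and compared. The trailing "size:" summary line is an assumption about the tool's output, the snapshots are constructed, and example_var is a hypothetical variable name.

```python
import hashlib

def parse_nvram(text):
    """Map each name in 'nvram show' output (name=value lines) to a value digest."""
    entries = {}
    for line in text.splitlines():
        # Assumption: the tool ends with a "size: N bytes (M left)" summary line.
        if not line.strip() or line.startswith("size: "):
            continue
        name, sep, value = line.partition("=")  # values may contain '='
        if not sep:
            continue  # not a name=value record
        # Keep a digest so the baseline does not hold settings in the clear.
        entries[name] = hashlib.sha256(value.encode("utf-8")).hexdigest()
    return entries

def diff_nvram(baseline, current):
    """Return (kind, name) pairs, ordered by name, for every difference."""
    changes = []
    for name in sorted(baseline.keys() | current.keys()):
        if name not in current:
            changes.append(("removed", name))
        elif name not in baseline:
            changes.append(("added", name))
        elif baseline[name] != current[name]:
            changes.append(("changed", name))
    return changes

# Constructed sample snapshots; example_var is a hypothetical variable name.
BASELINE = """boot_wait=off
lan_ipaddr=192.168.1.1
http_passwd=constructed-old
wan_dns=
size: 20000 bytes (12768 left)
"""
CURRENT = """boot_wait=on
lan_ipaddr=192.168.1.1
http_passwd=constructed-new
example_var=a=b
size: 20010 bytes (12758 left)
"""

if __name__ == "__main__":
    for kind, name in diff_nvram(parse_nvram(BASELINE), parse_nvram(CURRENT)):
        print(f"nvram {kind}: {name}")
```

The report names the variable that changed without echoing its value, so a changed http_passwd shows up in the log without the password itself.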

All source code is available from this site, and is PGP signed with this key (0x9674763D).

Here is a recommended scan config to use when scanning your Linksys device.

Helpful Hints:

- Make sure the date is set correctly on the Linksys, or else certificate validation will fail.

- You might want to set the boot_wait nvram parameter to "on" whenever you are uploading images so that you can recover in case an image doesn't load.

- The squashfs that comes with the Sveasoft images triggers false positives for blocks/block_size changes. To ignore these, simply add a filter for your Linksys host(s) to exclude all log entries related to blocks and blocksize.

- Always use the web interface when uploading new firmware to these devices. This is especially important when the image file is larger than 3 MB, as the tftp server throws a fit.


Using a Pre-built image

If you just want to add Osiris to your device, and do not wish to be bothered with building an image from source, then feel free to use the modified Sveasoft Satori 4.0 image below.

Keep in mind that, since the filesystem in this image is read-only, the root certificate that the Osiris scan agent stores will be kept in /tmp and will be refreshed upon reboot. The advantage here is that using a new certificate will not require the image on the Linksys to be updated. The disadvantage is that the root cert file could be modified, since /tmp is writable.

satori-4.0-osiris.bin (3.1 MB) | MD5 | PGP Signature

Building from Source

If you wish to build from source:

  1. Download the latest Linksys source code and follow the instructions for setting up your build environment.
  2. From the WRT54G directory, type 'make'.
  3. The compiled image is: image/code.bin

satori-4.0-osiris.tar.gz (47.1 MB) | MD5 | PGP Signature

Building the root cert into the image

If you are ultra-paranoid, and wish to place your own root cert onto the read-only filesystem in your image, then do the following:

  1. Download the above source code.
  2. Copy your osiris_root.pem file into the src/router/osiris directory.
  3. From the WRT54G directory, type 'make'.
  4. The compiled image is: image/code.bin

Remember: this root is not mutable and a new image will need to be uploaded if this changes.


Other Resources


Direct all questions, comments, suggestions to brian@hostintegrity.com



© 2005 Brian Wotring