tags. All options are valid in the global block. The only
actions valid in the global block are IncludeAll and ExcludeAll. If a block
does not specify an option, the global value is assumed. If a block does
not contain any actions ( IncludeAll or ExcludeAll ), the default action is used.
The Default Configuration
The default configuration is used for all directories specified on the command
line, and for any global option not set in a config file. The default configuration
parameters are as follows:
Recursive yes
Prompt yes
Verbose yes
ShowErrors yes
FollowLinks no
Hash md5
Database stdout
Example Configuration File
# ----------------------------------------------------
#
# GLOBAL SECTION
#
# this sets up the global values for the directory blocks
# specified below. The following keywords are supported:
#
# runtime configuration, can be overridden by any
# command line arguments specified.
Database /tmp/scan.osi
Verbose no
Prompt yes
ShowErrors yes
Recursive no
FollowLinks no
# default action for blocks. The default is to
# monitor every attribute about all files.
IncludeAll all
# default hash algorithm to use is md5.
Hash md5
# RULE SECTION - specify all the files or directories to
# be scanned including any custom scan options.
# /tmp directory scan. enter all subdirectories, monitor
# default attributes for all actions, ignore all files
# named "core" and only log files with the specified permissions.
<Directory /tmp>
Recursive yes
Exclude file( "core" )
Include permissions( "drwxr*xr*x" )
</Directory>
# this scans only the resolv.conf file and assumes globals for
# attributes to monitor.
<Directory /etc>
Recursive no
FollowLinks no
Include file( "resolv.conf" )
</Directory>
# non recursive scan, use sha1 for checksums, only log
# suid files.
<Directory /usr/local/sbin>
Recursive no
FollowLinks no
Hash sha
Include suid
</Directory>
# end config
# ----------------------------------------------------
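The following is an added example, not code from osiris: a small parser for the config format above that applies the resolution rules just described (built-in defaults, then the global block, then the block's own statements; a block with no action statements inherits the global IncludeAll/ExcludeAll, and Include/Exclude are rejected in the global block). The sample config is constructed for the example and modelled on the one above.

```python
"""Added example; not part of osiris. Parses an osiris-style config file and
resolves the effective options of every <Directory> block using the rules in
the text above. The keyword set is the one documented above."""
import re

DEFAULTS = {"Recursive": "yes", "Prompt": "yes", "Verbose": "yes",
            "ShowErrors": "yes", "FollowLinks": "no", "Hash": "md5",
            "Database": "stdout"}
GLOBAL_ACTIONS = ("IncludeAll", "ExcludeAll")
BLOCK_ACTIONS = GLOBAL_ACTIONS + ("Include", "Exclude")
BLOCK_OPEN = re.compile(r"^<Directory\s+(\S+)>$")


def parse_config(text):
    """Return (global_opts, global_actions, blocks); blocks is a list of
    (path, opts, actions) holding only what was written inside that block.
    Raises ValueError on syntax errors, much like 'osiris -t' would."""
    glob_opts, glob_actions, blocks = {}, [], []
    current = None                            # (path, opts, actions) being read
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        m = BLOCK_OPEN.match(line)
        if m:
            if current is not None:
                raise ValueError("nested <Directory> block")
            current = (m.group(1), {}, [])
            continue
        if line == "</Directory>":
            if current is None:
                raise ValueError("</Directory> without <Directory>")
            blocks.append(current)
            current = None
            continue
        key, _, value = line.partition(" ")
        value = value.strip()
        in_global = current is None
        opts, actions = (glob_opts, glob_actions) if in_global else current[1:]
        if key in DEFAULTS:                   # an option keyword
            opts[key] = value
        elif key in (GLOBAL_ACTIONS if in_global else BLOCK_ACTIONS):
            actions.append((key, value))
        else:
            raise ValueError("bad statement%s: %s" %
                             (" in global block" if in_global else "", line))
    if current is not None:
        raise ValueError("unterminated <Directory> block")
    return glob_opts, glob_actions, blocks


def effective_blocks(text):
    """Resolve each block: defaults <- global <- block. Returns
    {path: (options, actions)} with every option filled in."""
    glob_opts, glob_actions, blocks = parse_config(text)
    resolved = {}
    for path, opts, actions in blocks:
        eff = dict(DEFAULTS)
        eff.update(glob_opts)
        eff.update(opts)
        resolved[path] = (eff, actions or list(glob_actions))
    return resolved


def config_is_valid(text):
    """True if the config parses; the equivalent of a clean 'osiris -t' run."""
    try:
        parse_config(text)
        return True
    except ValueError:
        return False


SAMPLE = """\
# constructed sample, modelled on the example config above
Database /tmp/scan.osi
Verbose no
Recursive no
IncludeAll all
Hash md5
<Directory /tmp>
Recursive yes
Exclude file( "core" )
Include permissions( "drwxr*xr*x" )
</Directory>
<Directory /usr/local/sbin>
Hash sha
Include suid
</Directory>
<Directory /usr/sbin>
</Directory>
"""

if __name__ == "__main__":
    for path, (opts, actions) in effective_blocks(SAMPLE).items():
        print(path, opts["Recursive"], opts["Hash"], actions)
```

The empty /usr/sbin block in the sample ends up with the global IncludeAll and the global Hash, while /usr/local/sbin keeps its own Hash sha; a global Include, an unknown keyword or an unterminated block is rejected the way a config test should reject it.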
Database Modules
Database modules allow osiris to use different database systems to store the
data it collects. A simple module system is in place to allow other databases
to be integrated. Currently the only database modules are GNU gdbm and MySQL.
gdbm is the default database module and is included with the source. The
database module is chosen at compile time, so to use another module osiris
must be recompiled.
GDBM
The gdbm module is the default database used by osiris. gdbm is based on the
standard UNIX dbm routines. This module is very fast, but the databases it
creates can only be stored on the local file system. Its major advantages are
speed, small database files, and no database administration.
Databases for gdbm are simply a file path. osiris will create a single file
containing the database with the permissions 00600, for example:
Database /var/log/osiris/scan.osi
MySQL
The MySQL module has the major advantage of being able to store databases on a
separate host. Although it is not as fast as the gdbm module, depending on your
needs it may make osiris easier to administer, and it is easier to use other
tools to analyze the contents of the databases.
To specify a database with the MySQL module, use the format:
database:user:password@host:port
The database name is the only required field; the rest are optional. If no host is
specified, localhost is assumed. If no port is specified, the default MySQL
port is assumed, usually 3306. Example:
Database osiris-7-2001:bob:mypassword@somehost
Note that the MySQL password is then stored in clear text in the config file, so
restrict the config file's permissions accordingly.
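An added example (not osiris code) that parses the specifier format above, handling the optional fields and the defaults the text gives. The default port is taken to be 3306, which the text only says is "usually" the MySQL port; a password containing '@' is split on the last '@', which is unambiguous only when a host is given.

```python
"""Added example; not osiris code. Parses the MySQL database specifier
database:user:password@host:port as described above. Only the database
name is required; a missing host means localhost and a missing port means
the default MySQL port, assumed here to be 3306."""


def parse_mysql_spec(spec, default_port=3306):
    """Return a dict with database, user, password, host and port."""
    # Split on the last '@' so that a password containing '@' still parses;
    # this is unambiguous only when a host is present.
    creds, at, endpoint = spec.rpartition("@")
    if not at:
        creds, endpoint = spec, ""
    parts = creds.split(":", 2)        # maxsplit=2 keeps ':' inside the password
    database = parts[0]
    if not database:
        raise ValueError("database name is required")
    user = parts[1] if len(parts) > 1 and parts[1] else None
    password = parts[2] if len(parts) > 2 else None
    host, _, port = endpoint.partition(":")
    if port and not port.isdigit():
        raise ValueError("port must be numeric: %r" % port)
    return {"database": database, "user": user, "password": password,
            "host": host or "localhost",
            "port": int(port) if port else default_port}


if __name__ == "__main__":
    print(parse_mysql_spec("osiris-7-2001:bob:mypassword@somehost"))
```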
Filters
Filters are a major part of how osiris scans and logs entries into the database. Every
block, including the global block, must end up with at least one filter. If no
filters are specified in a block, the global filter is used. If no global filter
is specified either, nothing in that block is logged and the block serves no purpose.
Filters follow an action directive, that is, an 'Include' or 'Exclude' statement.
For example, the following two statements include any file that is a perl script
or that is owned by user bob:
Include perl
Include user( "bob" )
Filters are designed to catch files of a particular type, or files that share a specific
attribute. The information used to build many of the filters in osiris is derived
from the unix file(1) utility; the same information can usually be found in the magic
file, often located in /etc or under /usr/share. The following is a list of the
filters supported in this release and their definitions. Byte escapes such as \177
and \037 are octal; the python, pgp and rpm entries give decimal byte values.
sticky
    any directory or file that has the sticky bit set. For operating systems
    that do not support the sticky bit, this filter does not apply and has no effect.
suid
    any file that has the setuid bit set.
guid
    any file that has the setgid bit set (the filter keyword is spelled guid).
executable
    All ELF binaries, i.e., files that begin with the following four bytes:
        \177ELF
    All common binary file formats specific to the operating system:
    FreeBSD/OpenBSD - all files that begin with any of the following 4 byte
    long expressions:
        (4 bytes) & 0377777777 = 041400407
        (4 bytes) & 0377777777 = 041400410
        (4 bytes) & 0377777777 = 041400413
        (4 bytes) & 0377777777 = 041400314
    BSDi - all files that begin with any of the following short values:
        0xCC, 0x107, 0x108, 0x10b
    Linux - all files that begin with any of the following 4 byte
    long values:
        0x00640107
        0x00640108
        0x0064010b
        0x006400cc
    or with the bytes:
        \01\03\020\04
        \01\03\040\04
    Solaris/SunOS - all files that begin with any of the following 4 byte
    long expressions:
        (4 bytes) & 077777777 = 0600413
        (4 bytes) & 077777777 = 0600410
        (4 bytes) & 077777777 = 0600407
        (4 bytes) & 077777777 = 0400413
        (4 bytes) & 077777777 = 0400410
        (4 bytes) & 077777777 = 0400407
        (4 bytes) & 077777777 = 0200413
        (4 bytes) & 077777777 = 0200410
        (4 bytes) & 077777777 = 0200407
    Darwin
perl
    any file that contains, within the first thirty bytes, any of the
    following strings: "/bin/perl", "/usr/bin/perl", "/usr/local/bin/perl".
python
    any file that is a python script, a python text executable, or
    a python compiled file. Specifically any file with any of the following
    attributes:
        - first three bytes: \032\032\032
        - first four bytes: \010\013\078\153 (decimal values, listed low byte
          first; the value 0x994e0d0a, so the file begins 0x99 0x4E 0x0D 0x0A)
script
    any shell or interpreter script, including sh, csh, bash, ksh, tcsh, zsh, ash, ae,
    nawk, gawk, awk, rc and env. The file must begin with the string "#!" or "BEGIN"
    and must contain one of the following within the first 25 bytes:
        /bin/sh
        /bin/csh
        /usr/local/bin/bash
        /bin/bash
        /bin/ksh
        /bin/tcsh
        /usr/local/tcsh
        /usr/local/bin/tcsh
        /usr/local/bin/zsh
        /usr/local/bin/ash
        /usr/local/bin/ae
        /bin/nawk
        /usr/bin/nawk
        /usr/local/bin/nawk
        /bin/gawk
        /usr/bin/gawk
        /usr/local/bin/gawk
        /bin/awk
        /usr/bin/awk
        /bin/rc
        /usr/bin/env
gzip
    any gzip-compressed file, specifically, any file that begins with the
    following two bytes:
        \037\213
    (jar files are zip archives, not gzip files; they are caught by the zip filter.)
zip
    any file created with winzip or zip, including jar files, specifically, any
    file that begins with the following four bytes:
        PK\003\004
tar
    any file created with tar or GNU tar, specifically, any file that contains
    the string "ustar" at byte positions 257-261.
pgp
    any PGP public keyring, security ring, encrypted data, ascii armored
    data, public key block, message, signed message, or signature. Specifically
    any file whose first two bytes (decimal values, listed low byte first, i.e.
    little endian) are one of:
        0\153
        1\153
        1\149
        0\149
        0\166
    that is, a first byte of 153 (0x99), 149 (0x95) or 166 (0xA6) followed by
    a byte of 0 or 1; or any file that begins with the following string:
        -----BEGIN\040PGP
rpm
    any rpm package file, specifically, any file that begins with the
    following four bytes (decimal values, i.e. 0xED 0xAB 0xEE 0xDB):
        \237\171\238\219
uid(x)
    any file that is owned by the uid: x
gid(x)
    any file that is a member of the group id: x
user(x)
    any file that is owned by user: x
group(x)
    any file that is a member of the group: x
header(x)
    any file that begins with the literal hex value: x
file(x)
    any file that has the complete name: x (not including path).
suffix(x)
    any file that has a name with the format: *.x
md5(x)
    any file that has an MD5 checksum value of: x
sha(x)
    any file that has a SHA-1 checksum value of: x
haval(x)
    any file that has a HAVAL checksum value of: x
ripemd(x)
    any file that has a RIPEMD-160 checksum value of: x
permissions(x)
    any file whose permissions string (as shown by ls -l, e.g. "-rwsr-xr-x")
    matches x. The character '*' is a wildcard matching any single character at
    that position. The pattern may be shorter than the full string: "*r" selects
    all files with the owner read bit set, and "***s" all files with the setuid
    bit set, which is essentially the same as using the suid filter.
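The following is an added example, not osiris code: a reimplementation of a subset of the filters above, evaluated the way a block's Include/Exclude statements would be, against constructed in-memory sample files. Only the ELF form of the executable filter is implemented (the a.out variants are omitted), the magic values are the ones listed above with the decimal escapes written as hex, and the permissions wildcard is read as matching from the start of the string, an assumption that reproduces the "*r" and "***s" examples in the text.

```python
"""Added example; not osiris code. Implements the executable (ELF only), gzip,
zip, tar, rpm, pgp, perl, script, suid, guid, sticky, file, suffix and
permissions filters over constructed sample files."""
import stat

ELF_MAGIC = b"\x7fELF"                     # \177ELF
GZIP_MAGIC = b"\x1f\x8b"                   # \037\213
ZIP_MAGIC = b"PK\x03\x04"
RPM_MAGIC = b"\xed\xab\xee\xdb"            # decimal 237 171 238 219
PGP_FIRST = {0x99, 0x95, 0xa6}             # decimal 153, 149, 166; then 0 or 1
PGP_ARMOR = b"-----BEGIN PGP"
PERL_PATHS = (b"/bin/perl", b"/usr/bin/perl", b"/usr/local/bin/perl")
SCRIPT_PATHS = (b"/bin/sh", b"/bin/csh", b"/bin/bash", b"/usr/local/bin/bash",
                b"/bin/ksh", b"/bin/tcsh", b"/usr/local/bin/tcsh",
                b"/usr/local/bin/zsh", b"/usr/local/bin/ash", b"/bin/awk",
                b"/usr/bin/awk", b"/bin/gawk", b"/usr/bin/gawk", b"/bin/rc",
                b"/usr/bin/env")

CONTENT_FILTERS = {  # filter name -> predicate over the leading bytes of a file
    "executable": lambda h: h.startswith(ELF_MAGIC),
    "gzip": lambda h: h.startswith(GZIP_MAGIC),
    "zip": lambda h: h.startswith(ZIP_MAGIC),
    "rpm": lambda h: h.startswith(RPM_MAGIC),
    "tar": lambda h: h[257:262] == b"ustar",
    "pgp": lambda h: (h.startswith(PGP_ARMOR)
                      or (len(h) >= 2 and h[0] in PGP_FIRST and h[1] in (0, 1))),
    "perl": lambda h: any(p in h[:30] for p in PERL_PATHS),
    "script": lambda h: ((h.startswith(b"#!") or h.startswith(b"BEGIN"))
                         and any(p in h[:25] for p in SCRIPT_PATHS)),
}
MODE_FILTERS = {"suid": stat.S_ISUID, "guid": stat.S_ISGID, "sticky": stat.S_ISVTX}


def perm_match(pattern, pstring):
    """'*' matches any single character; a shorter pattern matches as a prefix
    (assumption, see the lead-in)."""
    if len(pattern) > len(pstring):
        return False
    return all(p == "*" or p == c for p, c in zip(pattern, pstring))


def matches(spec, path, mode, head):
    """Evaluate one filter spec, e.g. 'suid', 'file( "core" )' or
    'permissions( "***s" )', against a file's path, st_mode and leading bytes."""
    kind, _, arg = spec.partition("(")
    kind = kind.strip()
    arg = arg.rstrip(")").strip().strip('"')
    if kind in CONTENT_FILTERS:
        return CONTENT_FILTERS[kind](head)
    if kind in MODE_FILTERS:
        return bool(mode & MODE_FILTERS[kind])
    if kind == "file":
        return path.rsplit("/", 1)[-1] == arg
    if kind == "suffix":
        return path.endswith("." + arg)
    if kind == "permissions":
        return perm_match(arg, stat.filemode(mode))
    raise ValueError("unsupported filter: " + spec)


def select(files, includes, excludes=()):
    """Emulate a block: a file is logged when it matches an Include filter and
    no Exclude filter. files maps path -> (st_mode, leading bytes)."""
    return sorted(p for p, (m, h) in files.items()
                  if any(matches(f, p, m, h) for f in includes)
                  and not any(matches(f, p, m, h) for f in excludes))


FILES = {  # constructed samples: path -> (st_mode, first bytes of content)
    "/usr/local/sbin/setuid-tool": (0o104755, b"\x7fELF\x02\x01\x01" + b"\x00" * 9),
    "/tmp/core": (0o100600, b"\x7fELF\x02\x01\x01" + b"\x00" * 9),
    "/tmp/work": (0o040755, b""),
    "/tmp/backup.tar": (0o100644, b"\x00" * 257 + b"ustar\x00" + b"\x00" * 6),
    "/tmp/report.pl": (0o100644, b"#!/usr/bin/perl -w\n"),
    "/tmp/deploy.sh": (0o100755, b"#!/bin/sh\nset -e\n"),
    "/tmp/key.asc": (0o100644, b"-----BEGIN PGP PUBLIC KEY BLOCK-----\n"),
    "/tmp/pkg.rpm": (0o100644, b"\xed\xab\xee\xdb\x03\x00\x00\x00"),
}

if __name__ == "__main__":
    # the <Directory /tmp> block from the example config above
    print(select(FILES, ['permissions( "drwxr*xr*x" )'], ['file( "core" )']))
    # the <Directory /usr/local/sbin> block
    print(select(FILES, ["suid"]))
```

With these samples the /tmp block logs only the directory /tmp/work, the suid block logs only the setuid ELF binary, and 'permissions( "***s" )' selects the same file as 'suid', as the text says it should.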
Reports
The default output produced by scale is a human readable report that displays
the database headers of the two databases compared, file differences, new files,
missing files, and (optionally) lists of files that have the same checksums.
An example of such a report:
osiris database comparison
Thu Jul 26 01:15:25 2001
[ database: /tmp/l.osi ]
records: 7
source: command line
created on: Thu Jul 26 01:11:34 2001
created by: administrator
created with: osiris 1.5.0
[ database: /tmp/r.osi ]
records: 8
source: command line
created on: Thu Jul 26 01:15:22 2001
created by: administrator
created with: osiris 1.5.0
[ file differences ]
/projects/osiris/bin/scale.exe
mtime Jul 26, 2001 01:14 ==> Jul 26, 2001 01:14
/projects/osiris/bin/CVS
mtime Jul 26, 2001 01:14 ==> Jul 26, 2001 01:14
/projects/osiris/bin/osiris.exe
mtime Jul 26, 2001 01:14 ==> Jul 26, 2001 01:14
[ new files (2) ]
/projects/osiris/bin/new-file
/projects/osiris/bin/osiris-copy.exe
[ missing files (1) ]
/projects/osiris/bin/sample.conf
[ duplicate checksums for /tmp/l.osi ]
[ duplicate checksums for /tmp/r.osi ]
md5(af16cde7c4b3fc6386f82abb0af0fed4) 2 files
/projects/osiris/bin/osiris-copy.exe
/projects/osiris/bin/osiris.exe
records compared: 6
records that differ: 3
new records: 2
missing records: 1
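An added example, not part of osiris or scale: a parser that turns the report format above into a structure suitable for further processing, and a check that the summary counts agree with the parsed sections, which catches a truncated or tampered report. The section layout is taken from the report above; the embedded sample is that report, re-indented.

```python
"""Added example; not scale's own code. Parses the human readable scale report
into a dict and cross-checks the summary counts against the sections."""
import re

SECTION = re.compile(r"^\[ (.+?) \]$")
SUMMARY = re.compile(r"^(records compared|records that differ|new records|"
                     r"missing records): (\d+)$")


def parse_report(text):
    """Return {header, databases, differences, new, missing, duplicates, summary}."""
    rep = {"header": [], "databases": {}, "differences": {}, "new": [],
           "missing": [], "duplicates": {}, "summary": {}}
    section, target, current = None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY.match(line)
        if m:
            rep["summary"][m.group(1)] = int(m.group(2))
            continue
        m = SECTION.match(line)
        if m:
            title = m.group(1)
            if title.startswith("database: "):
                section = "database"
                target = rep["databases"].setdefault(title[len("database: "):], {})
            elif title.startswith("duplicate checksums for "):
                section = "dup"
                target = rep["duplicates"].setdefault(
                    title[len("duplicate checksums for "):], {})
            else:               # "file differences", "new files (n)", "missing files (n)"
                section = title.split(" ")[0]
            continue
        if section is None:     # title and timestamp before the first section
            rep["header"].append(line)
        elif section == "database":
            key, _, value = line.partition(":")
            target[key.strip()] = value.strip()
        elif section == "file":
            if line.startswith("/"):
                current = rep["differences"].setdefault(line, [])
            else:               # "<attribute> <old value> ==> <new value>"
                attr, _, rest = line.partition(" ")
                old, _, new = rest.partition(" ==> ")
                current.append((attr, old.strip(), new.strip()))
        elif section in ("new", "missing"):
            rep[section].append(line)
        elif section == "dup":
            if line.startswith("/"):
                current.append(line)
            else:               # "md5(<hash>) N files"
                current = target.setdefault(line.split(")")[0] + ")", [])
    return rep


def counts_consistent(rep):
    """True when the summary agrees with the sections actually parsed."""
    s = rep["summary"]
    return (s.get("records that differ") == len(rep["differences"])
            and s.get("new records") == len(rep["new"])
            and s.get("missing records") == len(rep["missing"]))


SAMPLE_REPORT = """\
osiris database comparison
Thu Jul 26 01:15:25 2001
[ database: /tmp/l.osi ]
records: 7
source: command line
created on: Thu Jul 26 01:11:34 2001
created by: administrator
created with: osiris 1.5.0
[ database: /tmp/r.osi ]
records: 8
source: command line
created on: Thu Jul 26 01:15:22 2001
created by: administrator
created with: osiris 1.5.0
[ file differences ]
/projects/osiris/bin/scale.exe
    mtime Jul 26, 2001 01:14 ==> Jul 26, 2001 01:14
/projects/osiris/bin/CVS
    mtime Jul 26, 2001 01:14 ==> Jul 26, 2001 01:14
/projects/osiris/bin/osiris.exe
    mtime Jul 26, 2001 01:14 ==> Jul 26, 2001 01:14
[ new files (2) ]
/projects/osiris/bin/new-file
/projects/osiris/bin/osiris-copy.exe
[ missing files (1) ]
/projects/osiris/bin/sample.conf
[ duplicate checksums for /tmp/l.osi ]
[ duplicate checksums for /tmp/r.osi ]
md5(af16cde7c4b3fc6386f82abb0af0fed4) 2 files
    /projects/osiris/bin/osiris-copy.exe
    /projects/osiris/bin/osiris.exe
records compared: 6
records that differ: 3
new records: 2
missing records: 1
"""

if __name__ == "__main__":
    report = parse_report(SAMPLE_REPORT)
    print(sorted(report["differences"]), report["new"], report["missing"])
    print("summary consistent:", counts_consistent(report))
```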
Osiris
osiris is the application used to create databases and to test config
files. Most of the command line arguments override the behaviour of the
global block. This lets a user make quick use of the application without
having to create a config file; without a config file, however, the
functionality of the application is quite limited.
The usage for osiris is as follows:
usage: osiris [options ...] | -t <path>
Description of options:
-f <path> use the configuration file located at the specified path.
-a <algorithm> use the specified algorithm for the global block, this
can be one of: md5, sha, haval, or ripemd. this overrides any
Hash statement found in the global block of the config file.
-q quiet Mode. sets the global block to not be verbose. by default,
the global block is verbose, meaning it prints the file name of
every file that is logged to the database. this overrides
any Verbose statement found in the global block of the
config file.
-c continue. sets the global block to ignore all warnings, such as
when a database cannot be opened. this overrides any Prompt
statement found in the global block of the config file.
-n no errors. sets the global block to not print error messages.
by default error messages are printed to standard output for
example, when a directory cannot be read, or there was a problem
storing a record to the database. This overrides any ShowErrors
statement found in the global block of the config file.
-s shallow mode. sets the global block to not be recursive. this
overrides any Recursive statement found in the global block
of the config file.
-l follow links. sets the global block to follow symbolic links.
this overrides any FollowLinks statement found in the global
block of the config file.
-o <db> use the following database for the global block. the syntax
for this will vary depending upon the database module being used. this
can be useful, for example, when you want to use a config, but want
to place the data in a different database without modifying the config
file. this overrides any Database statement found in the global
block of the config file.
-i <path> scan the following list of directories. each directory specified
here will be scanned according to the global block.
-t <path> test the syntax of the specified config file.
-v print the osiris version and module information.
-h prints the osiris usage statement.
Notes:
Scale
The scale application is used to compare two databases or obtain information
about a single database.
With scale you can print the header of a database:
scale <db>
or, you can print the entire contents of the database. This will print the files in
a format similar to 'ls -la':
scale -p <db>
The most common use of scale, however, is to compare two databases. The left database
is the older of the two, the right database the newer. By default scale compares the
databases according to the config file that was used to create them. The same config
file should be used to create both databases, or the report may contain many
false positives.
The scale application can also use a config file, specified with -c, to compare the
databases in different ways. Start from the same config file used to create the
databases and modify it by removing blocks you do not want to compare or by changing
the attribute lists. This makes it possible to compare the databases in different
ways and to filter out changes that are not relevant to the comparison. The attribute
lists in the original config are only there for reference, since all attributes of a
file are always logged to the database.
Example:
This sample config will scan /usr/bin, /usr/local/bin, and /usr/sbin and include all of
the files in those directories:
Database /tmp/scan.osi
Recursive yes
FollowLinks no
IncludeAll all
<Directory /usr/bin>
</Directory>
<Directory /usr/local/bin>
</Directory>
<Directory /usr/sbin>
</Directory>
When comparing two databases created with this config, suppose it is necessary to see
whether any ownership changes have occurred in /usr/sbin. Acquire the config (or extract
it from the database with scale -e) and modify it as follows:
Database /tmp/scan.osi
Recursive yes
FollowLinks no
IncludeAll uid
<Directory /usr/sbin>
</Directory>
then run scale:
scale -l db1 -r db2 -c config_file -o log -n -m
will show only the ownership changes on files in /usr/sbin, excluding any files
considered new or missing.
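An added example, not scale's own code, of the comparison just described: every attribute is present in both databases, but only paths covered by a block in the comparison config are compared, and only on that block's attribute list; the show_new and show_missing switches correspond to leaving off -n and -m. Both databases and the attribute names are constructed for the example.

```python
"""Added example; not scale's own code. Compares a left (older) and a right
(newer) database restricted to the blocks and attribute lists of a
comparison config."""

ALL_ATTRS = ("uid", "gid", "permissions", "mtime", "md5")   # constructed attribute set


def block_for(path, blocks):
    """Most specific block directory covering path, or None if no block does."""
    best = None
    for d in blocks:
        if path == d or path.startswith(d.rstrip("/") + "/"):
            if best is None or len(d) > len(best):
                best = d
    return best


def compare(left, right, blocks, show_new=True, show_missing=True):
    """blocks maps a directory to "all" or to a list of attribute names.
    Returns (differences, new, missing); differences maps a path to a list
    of (attribute, left value, right value)."""
    diffs, new, missing = {}, [], []
    for path in sorted(set(left) | set(right)):
        d = block_for(path, blocks)
        if d is None:
            continue                          # outside every block: not compared
        attrs = ALL_ATTRS if blocks[d] == "all" else blocks[d]
        if path not in left:
            if show_new:
                new.append(path)
        elif path not in right:
            if show_missing:
                missing.append(path)
        else:
            changed = [(a, left[path].get(a), right[path].get(a))
                       for a in attrs if left[path].get(a) != right[path].get(a)]
            if changed:
                diffs[path] = changed
    return diffs, new, missing


def rec(uid, gid, perms, mtime, md5):
    return {"uid": uid, "gid": gid, "permissions": perms, "mtime": mtime, "md5": md5}


LEFT = {  # older database (constructed)
    "/usr/bin/ls": rec(0, 0, "-rwxr-xr-x", "Jul 20, 2001 10:00", "1111"),
    "/usr/local/bin/backup": rec(0, 0, "-rwxr-xr-x", "Jul 20, 2001 10:00", "2222"),
    "/usr/sbin/sshd": rec(0, 0, "-rwxr-xr-x", "Jul 20, 2001 10:00", "3333"),
    "/usr/sbin/cron": rec(0, 0, "-rwxr-xr-x", "Jul 20, 2001 10:00", "4444"),
    "/usr/sbin/old": rec(0, 0, "-rwxr-xr-x", "Jul 20, 2001 10:00", "5555"),
}
RIGHT = {  # newer database (constructed)
    "/usr/bin/ls": rec(0, 0, "-rwxr-xr-x", "Jul 26, 2001 01:14", "1111"),        # mtime only
    "/usr/local/bin/backup": rec(0, 0, "-rwxr-xr-x", "Jul 20, 2001 10:00", "abcd"),  # content
    "/usr/sbin/sshd": rec(1001, 0, "-rwxr-xr-x", "Jul 20, 2001 10:00", "3333"),     # ownership
    "/usr/sbin/cron": rec(0, 0, "-rwxr-xr-x", "Jul 20, 2001 10:00", "4444"),        # unchanged
    "/usr/sbin/newtool": rec(0, 0, "-rwsr-xr-x", "Jul 26, 2001 01:14", "6666"),     # new
}

# the two configs from the example above, reduced to block -> attribute list
FULL = {"/usr/bin": "all", "/usr/local/bin": "all", "/usr/sbin": "all"}
OWNERSHIP_ONLY = {"/usr/sbin": ["uid"]}

if __name__ == "__main__":
    print(compare(LEFT, RIGHT, FULL))
    print(compare(LEFT, RIGHT, OWNERSHIP_ONLY, show_new=False, show_missing=False))
```

The full comparison reports three differing records plus one new and one missing file; the ownership-only comparison with new and missing suppressed reports just the uid change on /usr/sbin/sshd, which is what the scale -n -m command above is meant to show.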
The usage for scale is as follows:
usage: scale -l <db> -r <db> [-o <path>] [-d] [-q] [-n] [-m] [-c <config>] |
-p <db> | -e <db> | -d <db> | <db>
Description of options:
-l <db> specifies the left database for comparison. the syntax
for this will vary depending upon the database module being used.
-r <db> specifies the right database for comparison. the syntax
for this will vary depending upon the database module being used.
-o <path> specifies the output file to store the comparison results.
if not specified, the result will be printed to standard output.
-c <config> use the specified config file to compare the two databases specified.
Only the blocks specified in the config file will be compared, and the attribute
lists may be changed to run different comparisons.
-d check for duplicate checksums. if two databases are being compared
a duplicate report for each database is included in the results. If
only a single database is specified, a duplicate report is printed
to standard output.
-n do not include a list of new files: files found in the right database,
but not the left.
-m do not include a list of missing files: files found in the left database,
but not the right.
-e <db> extract the config file used to create the specified database
to standard output.
-p <db> print the entire contents of the database to standard output.
-q quiet mode. the results summary or progress meter is not printed
to standard output.
-v print the scale version and module information.
-h prints the scale usage statement.
Usage
Osiris can be used for various things; the intent, however, is to enable system
administrators, or anyone, to monitor changes that may occur to critical files
or directories over time. It is therefore necessary to maintain a level of
security in the way this application is installed and used.
The following are recommendations for installation and use to maintain a minimal
level of security in using osiris. These are only suggestions and are not
required. Your needs or your security policy may necessitate a different course
of action.
First, before unpacking and compiling the source, use the MD5 and SHA
checksums posted at http://www.shmoo.com/osiris to verify the integrity of
the download. Checksums served from the same site as the tarball only detect a
corrupted or altered download; they cannot detect a compromised distribution site.
The Makefile included with the source comes with a 'make install' target. When
a make install is performed, man pages, the applications, and a sample config
file are installed according to the configuration ( default is /usr/local/osiris ).
It is not recommended that these installed instances of osiris and scale be used
for anything other than initial testing or familiarising yourself with the
applications. There is more than one reason for this, the biggest being that
these applications may themselves be compromised. The entire purpose of this
system is to verify the integrity of files on the local filesystem; when the
tools used to verify the data are themselves subject to the same risks or
malicious behaviour, they become unreliable. The solution is to keep them on
read-only media:
- build your new UNIX box offline.
- install any and all apps you will foreseeably need on the box.
- obtain and verify the osiris source:
md5 osiris-1.5.0.tar.gz AND/OR
sha osiris-1.5.0.tar.gz
- configure and compile osiris according to your needs.
- create any number of config files you will use to monitor your system.
- move the applications: osiris and scale, and your config to a CD-R disk.
- run osiris to create your database(s) and immediately move those to a CD-R disk.
- store your CDs in a safe place.
- On a regularly scheduled basis, and any time you install software on
said box, repeat the process, adding the new database files to the
CD-R.
- Every time, after the initial time you run osiris to catalog files,
run scale with the original (or last known good) database as the
left hand database, and the newest one as the right hand database.
- modify the config file, if desired, removing blocks or changing the
attribute strings to run various types of comparisons against the
database.
- Always, always keep the databases in a secure place, so they are not
accidentally or malevolently erased or tampered with.
Limitations
Osiris is currently under development, see http://www.shmoo.com/osiris for details
regarding the ongoing work for version 2.0.
The following limitations will be addressed in future releases:
* currently, databases need to be compared on the system for which they were created.
* when using a config file with scale, blocks may only be removed, not added
or the directory path changed.
Last updated October 1, 2001