[Osiris-devel]version 1.5 base requirements
Brian Wotring
brian at shmoo.com
Mon Mar 12 00:53:51 EST 2001
Here is the first draft that I feel is worthy of consideration. I've been working on this all weekend with a lot of help from bruce. It's still very rough but certainly something to start from.
Of course I encourage feedback and discussion. Now is the time to make requests and voice opinions.
--
Brian Wotring ( brian at shmoo.com )
PGP KeyID: 0x9674763D
-------------- next part --------------
osiris version 1.5 requirements
March 9, 2001
Overview:
This will be the last major overhaul to osiris before v2.0, therefore, it must be very cool.
One of the biggest limitations currently is that the runtime arguments apply to every root directory specified. It's impossible to log all files in /usr/bin and only specific types of files in /usr/local. A config file will allow for this and a more detailed runtime configuration specification.
Also, I think there is a strong advantage to shipping master databases for common systems. Often there is a need for comparing the state of a system to its initial installation. For any number of reasons osiris was not run initially. This is not something that you can do with tools like tripwire and I believe it to be valuable.
- the same model will be used, two applications:
osiris: scanning application, creates databases.
scale: audit application, compares two databases, or analyzes a single db.
Applications:
[ o s i r i s ]
- gdbm will continue to be used to create the original databases.
- will have a fully functional command line interface.
- will be able to acquire any of the following file information:
* file_path
* permissions string
* mtime ( creat, mknod, pipe, utime, and write )
* atime
* ctime
* inode number
* number of hard links
* uid
* gid
* size in bytes.
* block count
* checksum ( md5, sha1, haval, ripemd )
- each database will contain a header including:
* creator username
* osiris version
* date created
* entry count
* runtime configuration ( configuration file )
- will require the use of a configuration file.
- each entry in db will contain a "reason" for being logged.
- will compare and verify known file types against their names and suffixes.
[ configuration file ]
- comments begin with: # and can start at any point on a line.
- global section contains runtime configuration and all defaults.
- directory blocks are exclusive in configuration.
attributes - perm,mtime,atime,ctime,inode,links,uid,gid,bytes,blocks
options - all,recursive,shallow,follow_links,noenter,ignore
hashes - md5,sha,haval,ripemd
actions - ignore,noentry
file_types
------------
ur - user read bit set.
uw - user write bit set.
ux - user executable bit set.
gr - group read bit set.
gw - group write bit set.
gx - group executable bit set.
or - others read bit set.
ow - others write bit set.
ox - others executable bit set.
executable - any executable or suid bit set.
sticky - all directories with sticky bit set.
suid - all suid files
guid - all guid files
uid(x) - uid with value: x
gid(x) - gid with value: x
user(x) - file owned by user: x
group(x) - file member of group: x
header(x) - header with value: x
file(x) - file with name: x
suffix(x) - file with suffix value: x
archive - archive library
library - dynamic libraries
perl - perl script
python - python script
script - shell script
elf - common elf format
gzip - gzipped file
tar - tar file
# ----------------------------------------------------------
#
# example osiris configuration file
#
# GLOBAL SECTION
#
# this sets up the global values for any directory blocks
# specified below. The following keywords are supported:
#
# database - database
# verbose - display logging to stdout.
# prompt - prompt for db overwrite.
# errors - show errors to stdout.
# attributes - default attribute mask.
# hash - default hash algorithm to use.
# options - default options mask.
# runtime configuration, can be overridden by any
# command line arguments specified.
database /var/log/osiris.osi # path to output db file.
verbose 0 # don't display logging output to stdout.
prompt 1 # prompt for db overwrite.
errors 1 # show errors to stdout.
# default attributes to get for files. The default is to
# get every attribute about files.
attributes all
# default hash algorithm to use is md5.
hash md5
# default options for all directories specified
# in the configuration file. Scan all files in a directory
# recursively, but do not traverse symbolic links to
# directories.
options all,recursive
# RULE SECTION - specify all the files or directories to
# be scanned including any custom attribute
# or option lists.
# root directory scan. scan all files, do not enter any
# directories. use default attributes. ignore any file
# named "core".
directory /
{
options all, shallow
ignore file( core )
}
# this scans the resolv.conf file and assumes globals for
# attributes to get.
file /etc/resolv.conf
# this scans /bin with default options and
# attributes, which is basically a recursive
# scan of all the files in /bin getting all of
# the attributes.
directory /bin
{
}
# recursive scan of directory, use sha1 for checksums,
# all attributes of files with 0xfeedface header, all
# attributes of files owned by "brian", all attributes
# of sticky directories, ignore any files owned by
# user "bob", and do not enter directory src.
directory /usr/local
{
options recursive,follow_links
hash sha
header( 0xfeedface ) all
user( brian ) all
sticky all
ignore user( bob )
noentry file( /usr/local/src )
}
# non-recursive scan, use sha1 for checksums, get all attributes
# of python and perl files, get three attributes of any files
# with header: 0xcafe, and get default attributes for
# any suid files. This takes precedence over all rules set
# in the /usr/local block above.
directory /usr/local/bin
{
options shallow # non-recursive scan.
hash sha # use sha instead of md5
python all # log python scripts, all attributes.
perl all # log perl scripts, all attributes.
header( 0xcafe ) perm,mtime,inode
suid # all suid files, default attributes.
}
# scan recursively all files in directory
# with default attributes and ignore the
# images directory and do not enter it either.
# do not scan any pixmap files.
directory /usr/share
{
options all,recursive
ignore file( images )
noenter file( images )
ignore suffix( xpm )
}
# recursive scan of a mounted windows disk. put
# scan into separate database. scan files with
# the specified suffixes.
directory /mnt/windows-c
{
database /var/log/windows-c.osi
errors 0
prompt 1
options all,recursive
suffix( dll )
suffix( com )
suffix( sys )
}
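As an added example (not osiris code, and not part of the original draft), the following parser reads the configuration syntax sketched above: '#' comments anywhere on a line, global settings, directory and file entries, brace-delimited blocks, and rules of the form "action type( arg ) attributes". It also resolves which settings apply to a given path, with the most specific directory block taking precedence over the blocks above it. The dict layout, function names and the trimmed sample configuration are my own assumptions.

```python
import re
# Added example, not osiris code: parser for the draft osiris 1.5 config syntax above; dict layout and names are my own.
SETTINGS = {"database", "verbose", "prompt", "errors", "attributes", "hash", "options"}
RULE_RE = re.compile(r"^(?:(ignore|noentry|noenter)\s+)?(\w+)(?:\s*\(\s*([^)]*?)\s*\))?(?:\s+([\w\s,]+))?$")
split_list = lambda v: [s.strip() for s in v.split(",") if s.strip()]

def parse_config(text):  # returns (globals, blocks): path -> its settings and rules
    globals_, blocks, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' comments may start anywhere
        if not line or line in ("{", "}"):
            current = None if line == "}" else current  # '}' closes the block
            continue
        key, _, rest = line.partition(" ")
        if current is None and key in ("directory", "file"):
            blocks[rest.strip()] = {"kind": key, "settings": {}, "rules": []}
            current = rest.strip() if key == "directory" else None  # 'file' has no block
        elif key in SETTINGS:
            target = globals_ if current is None else blocks[current]["settings"]
            target[key] = split_list(rest) if key in ("options", "attributes") else rest.strip()
        elif current is not None:
            action, ftype, arg, attrs = RULE_RE.match(line).groups()
            blocks[current]["rules"].append({"action": action, "type": ftype, "arg": arg,
                                             "attrs": split_list(attrs) if attrs else None})
        else:
            raise ValueError("rule outside a directory block: " + line)
    return globals_, blocks

def effective_settings(globals_, blocks, path):
    # Globals overridden by the most specific directory block covering path (/usr/local/bin wins over /usr/local).
    covering = [p for p, b in blocks.items() if b["kind"] == "directory"
                and (p == "/" or path == p or path.startswith(p.rstrip("/") + "/"))]
    merged = dict(globals_)
    if covering:
        merged.update(blocks[max(covering, key=len)]["settings"])
    return merged

SAMPLE = """# constructed sample, trimmed from the draft's example configuration file
database /var/log/osiris.osi # path to output db file.
options all,recursive
directory /usr/local
{
    hash sha
    header( 0xfeedface ) all
}
directory /usr/local/bin
{
    options shallow  # takes precedence over the /usr/local block
    suid             # all suid files, default attributes
}
"""
```

Only the most specific block's own settings are merged over the globals; whether a nested block should also inherit settings from an enclosing block is left open by the draft.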
[ s c a l e ]
- gdbm will continue to be supported.
- will have a fully functional command line interface.
- will be able to print results to stdout.
- will be able to read a db and print it to stdout or files.
- produce human readable and machine readable outputs.
- can filter comparison results ( e.g. don't show missing files ).