[Osiris-devel]version 1.5 base requirements
brian at shmoo.com
Mon Mar 12 00:53:51 EST 2001
Here is the first draft that I feel is worthy of consideration. I've been working on this all weekend with a lot of help from bruce. It's still very
rough but certainly something to start from.
Of course I encourage feedback and discussion. Now is the time to make requests and voice opinions.
Brian Wotring ( brian at shmoo.com )
PGP KeyID: 0x9674763D
-------------- next part --------------
osiris version 1.5 requirements
March 9, 2001
This will be the last major overhaul to osiris before v2.0, therefore, it must be very cool.
One of the biggest limitations currently is that the runtime arguments apply to every root
directory specified. It's impossible to log all files in /usr/bin and only specific types of files in /usr/local. A config file will allow for this and a more detailed runtime configuration
Also, I think there is a strong advantage to shipping master databases for common systems.
Often there is a need for comparing the state of a system to it's initial installation. For
any number of reasons osiris was not run initially. This is not something that you can do
with tools like tripwire and I believe it to be valuable.
- the same model will be used, two applications:
osiris: scanning application, creates databases.
scale: audit application, compares two databases, or analyzes a single db.
[ o s i r i s ]
- gdbm will continue to be used to create the original databases.
- will have a fully functional command line interface.
- will be able to acquire any of the following file information:
* permissions string
* mtime ( creat, mknod, pipe, utime, and write )
* inode number
* number of hard links
* size in bytes.
* block count
* checksum ( md5, sha1, haval, ripemd )
- each database will contain a header including:
* creator username
* osiris version
* date created
* entry count
* runtime configuration ( configuration file )
- will require the use of a configuration file.
- each entry in db will contain a "reason" for being logged.
- will compare and verify known file types with names, suffix.
[ configuration file ]
- comments begin with: # and can start at any point on a line.
- global section contains runtime configuration and all defaults.
- directory blocks are exclusive in configuration.
attributes - perm,mtime,atime,ctime,inode,links,uid,gid,bytes,blocks
options - all,recursive,shallow,follow_links,noenter,ignore
hashes - md5,sha,haval,ripemd
actions - ignore,noentry
ur - user read bit set.
uw - user write bit set.
ux - user executable bit set.
gr - group read bit set.
gw - group write bit set.
gx - group executable bit set.
or - others read bit set.
ow - others write bit set.
ox - others executable bit set.
executable - any executable or suid bit set.
sticky - all directories with sticky bit set.
suid - all suid files
guid - all guid files
uid(x) - uid with value: x
gid(x) - gid with value: x
user(x) - file owned by user: x
group(x) - file member of group: x
header(x) - header with value: x
file(x) - file with name: x
suffix(x) - file with suffix value: x
archive - archive library
library - dynamic libraries
perl - perl script
python - python script
script - shell script
elf - common elf format
gzip - gzipped file
tar - tar file
# example osiris configuration file
# GLOBAL SECTION
# this sets up the global values for any directory blocks
# specified below. The following keywords are supported:
# database - database # verbose - display logging to stdout.
# prompt - prompt for db overwrite.
# errors - show errors to stdout.
# attributes - default attribute mask.
# hash - default hash algorithm to use.
# options - default options mask.
# runtime configuration, can be overriden by any
# command line arguments specified.
database /var/log/osiris.osi # path to output db file.
verbose 0 # don't display logging output to stdout.
prompt 1 # prompt for db overwrite.
errors 1 # show errors to stdout.
# default attributes to get for files. The default is to
# get every attribute about files.
# default hash algorithm to use is md5.
# default options for all directories specified # in the configuration file. Scan all files in a directory
# recursively, but do not traverse symbolic links to # directories.
# RULE SECTION - specify all the files or directories to
# be scanned including any custom attribute
# or option lists.
# root directory scan. scan all files, do not enter any
# directories. use default attributes. ignore any file
# named "core".
options all, shallow
ignore file( core )
# this scans the resolve.conf file and assumes globals for
# attributes to get.
# this scans /bin with default options and
# attributes, which is basically a recursive
# scan of all the files in /bin getting all of
# the attributes.
# recursive scan of directory, use sha1 for checksums,
# all attributes of files with 0xfeedface header, all
# attributes of files owned by "brian", all attributes
# of sticky directories, ignore any files owned by
# user "bob", and do not enter directory src.
header( 0xfeedface ) all
user( brian ) all
ignore user( bob )
noentry file( /usr/local/src )
# non recursive scan, use sha1 for checksums, get all attributes
# of python and perl files, get three attributes of any files
# with header: 0xcafe, and get default attributes for
# any suid files. -this takes precedence for all rules set
# in the /usr/local block above.
options shallow # non-recursive scan.
hash sha # use sha instead of md5
python all # log python scripts, all attributes.
perl all # log perl scripts, all attributes.
header( 0xcafe ) perm,mtime,inode
suid # all suid files, default attributes.
# scan recursively all files in directory
# with default attributes and ignore the # images directory and do not enter it either.
# do not scan any pixmap files.
ignore file( images )
noenter file( images )
ignore suffix( xpm )
# recursive scan of a mounted windows disk. put
# scan into seperate database. scan files with
# the specified suffixes.
suffix( dll )
suffix( com )
suffix( sys )
[ s c a l e ]
- gdbm will continue to be supported.
- will have fully functional command line interface.
- will be able to print results to stdout.
- will be able to read a db and print it to stdout or files.
- produce human readable and machine readable outputs.
- can filter comparison results ( e.g. don't show missing files ).
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 231 bytes
Desc: not available
Url : http://lists.shmoo.com/pipermail/osiris-devel/attachments/20010311/6105f10a/attachment.pgp
More information about the osiris-devel