[Osiris-devel]osiris database analysis

Brian Wotring brian at shmoo.com
Sat Aug 24 10:31:31 EDT 2002


This is a brief overview of what I propose for the first release of 
osiris (and some of the implementation details) with respect to 
database comparison. Anything beyond this I think will be considered 
features to implement later.  This is a list of the bare essentials for 
an alpha release.

[overview]

Each host will have a single database that will be considered the 
"trusted database".  This is the database that will be used with each 
comparison, as a control.  After every scan, the trusted database is 
compared against the newly created database. A config file called an 
"analysis config" will be used in the comparison of the databases.  An 
analysis config serves to specify which files the daemon should report 
deltas on.  At first, this analysis config will contain all the files 
in the trusted database.  Over time, the administrator will be able to 
modify the config so as to reduce the syslog events it generates.  In 
addition to files and directory names, the analysis config can specify 
on a per file basis, which attributes for each file should be included 
in the comparison.  Scheduling will be simple and allow for the 
administrator to schedule a single scan for each host.  A schedule 
entry consists of a date/time and a scanning config to use.  When the 
timer fires, the specified config is pushed to the host, a scan is 
started, and when complete, the analysis occurs.

[details]

The trusted database for each host will be specified in its host.conf 
file.  The analysis config file will be stored in the root directory 
for each host.  The analysis config will specify a list of file 
entries, for example:

     file: /etc/hosts
     mtime,ctime,uid,gid,perm,bytes

     file: /bin/bash
     mtime,ctime,uid,gid,perm,bytes,checksum

     file: /bin/ps
     mtime,ctime,uid,gid,perm,bytes,checksum,inode

     file: /var
     mtime,uid,gid,inode

The analysis config will be presented to the user as a listview tree of 
directories and files.  The administrator can enable/disable any file 
to add it to the list of files to be compared.  To change the attribute 
list, a detailed view of the file can be shown to enable/disable each 
attribute.

The first implementation of scheduling will be a simple cron like 
entry.  For this release, only one schedule per host will be allowed.

scan = config_name yyyy/MM/dd EEE HH:mm

where:
     yyyy is a year
     MM is a month
     dd is a day
     EEE is a day of the week ( MON, TUE, WED, THU, FRI, SAT, SUN )
     HH is an hour in a 24-hour day
     mm is a minute in the hour

Use the "*" character for fields to match any value.

The scheduler thread will wake up periodically and check the scheduled 
scans, kicking off the ones it needs to.  A separate thread will be 
created which will start the scan, process the comparison, and log the 
deltas.

This design is meant to allow a host to periodically scan using a 
single scanning config, and compare against the trusted database.

--
     Brian Wotring  ( brian at shmoo.com )
     PGP KeyID: 0x9674763D
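An added worked example, not Osiris code and not part of the message above, that implements the two formats the proposal sketches: the analysis config with a per-file attribute list, and the single cron-like schedule entry with "*" wildcards. It parses the config, compares a trusted database against a fresh scan reporting deltas only for the attributes enabled for each file, and tests a schedule entry against a given date and time. The database dictionaries, attribute values, config text and function names are constructed assumptions for illustration.

```python
"""Added example (not Osiris code): analysis-config parsing, attribute-level
database comparison, and schedule matching as proposed in the design mail.
All databases, config text and timestamps are constructed sample data."""
from datetime import datetime

# Constructed analysis config in the proposed 'file:' / attribute-line format.
# Note that /var only compares four attributes, so a changed size there
# should produce no delta.
ANALYSIS_CONFIG = """\
file: /etc/hosts
mtime,ctime,uid,gid,perm,bytes

file: /bin/bash
mtime,ctime,uid,gid,perm,bytes,checksum

file: /bin/ps
mtime,ctime,uid,gid,perm,bytes,checksum,inode

file: /var
mtime,uid,gid,inode
"""

# Constructed "trusted" and "newly scanned" databases (path -> attributes).
TRUSTED_DB = {
    "/etc/hosts": {"mtime": 1000, "ctime": 1000, "uid": 0, "gid": 0, "perm": "0644", "bytes": 158},
    "/bin/bash": {"mtime": 2000, "ctime": 2000, "uid": 0, "gid": 0, "perm": "0755",
                  "bytes": 512000, "checksum": "bb", "inode": 10},
    "/bin/ps": {"mtime": 2500, "ctime": 2500, "uid": 0, "gid": 0, "perm": "0755",
                "bytes": 64000, "checksum": "dd", "inode": 11},
    "/var": {"mtime": 3000, "uid": 0, "gid": 0, "inode": 12, "bytes": 4096},
}
SCANNED_DB = {
    "/etc/hosts": dict(TRUSTED_DB["/etc/hosts"]),                      # unchanged
    "/bin/bash": dict(TRUSTED_DB["/bin/bash"], mtime=2100, checksum="cc"),  # replaced binary
    "/bin/ps": dict(TRUSTED_DB["/bin/ps"], inode=99),                  # same content, new inode
    "/var": dict(TRUSTED_DB["/var"], bytes=8192),                      # 'bytes' not compared for /var
}


def parse_analysis_config(text):
    """Return {path: [attributes to compare]} from 'file:' lines followed by
    a comma-separated attribute line, as in the proposed config format."""
    wanted, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("file:"):
            current = line[len("file:"):].strip()
            wanted[current] = []
        elif current is not None:
            wanted[current] = [a.strip() for a in line.split(",") if a.strip()]
    return wanted


def compare_databases(trusted, scanned, wanted):
    """Return (path, attribute, old, new) deltas for config-listed files only,
    checking just the attributes enabled for each file.  A file present in
    only one database is reported as 'missing' or 'new'."""
    deltas = []
    for path, attrs in wanted.items():
        old, new = trusted.get(path), scanned.get(path)
        if old is None and new is None:
            continue
        if old is None:
            deltas.append((path, "new", None, None))
            continue
        if new is None:
            deltas.append((path, "missing", None, None))
            continue
        for attr in attrs:
            if old.get(attr) != new.get(attr):
                deltas.append((path, attr, old.get(attr), new.get(attr)))
    return deltas


DAYS = ["MON", "TUE", "WED", "THU", "FRI", "SAT", "SUN"]  # datetime.weekday() order


def parse_schedule(line):
    """Parse 'scan = config_name yyyy/MM/dd EEE HH:mm' into (config, fields)."""
    lhs, rhs = line.split("=", 1)
    if lhs.strip() != "scan":
        raise ValueError("expected a 'scan =' entry")
    config, date, dow, clock = rhs.split()
    yyyy, mm, dd = date.split("/")
    hh, mi = clock.split(":")
    return config, {"yyyy": yyyy, "MM": mm, "dd": dd, "EEE": dow.upper(), "HH": hh, "mm": mi}


def schedule_matches(fields, when):
    """True when every schedule field is '*' or equals the given datetime."""
    actual = {"yyyy": when.year, "MM": when.month, "dd": when.day,
              "EEE": DAYS[when.weekday()], "HH": when.hour, "mm": when.minute}
    for key, pattern in fields.items():
        if pattern == "*":
            continue
        if key == "EEE":
            if pattern != actual[key]:
                return False
        elif int(pattern) != actual[key]:
            return False
    return True


def run_example():
    """Compare the constructed databases and evaluate a weekly schedule."""
    wanted = parse_analysis_config(ANALYSIS_CONFIG)
    deltas = compare_databases(TRUSTED_DB, SCANNED_DB, wanted)
    config, fields = parse_schedule("scan = nightly */*/* SAT 02:30")
    fired = schedule_matches(fields, datetime(2002, 8, 24, 2, 30))  # a Saturday
    return deltas, config, fired


if __name__ == "__main__":
    for delta in run_example()[0]:
        print("delta:", delta)
```

Running it reports the checksum and mtime change on /bin/bash and the inode change on /bin/ps, while the size change on /var is silent because bytes is not an enabled attribute for that entry; the schedule entry fires on a Saturday at 02:30 and is quiet on any other day.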
