[Osiris-devel]osiris database analysis
brian at shmoo.com
Sat Aug 24 10:31:31 EDT 2002
This is a brief overview of what I purpose for the first release of
osiris (and some of the implementation details) with respect to
database comparison. Anything beyond this I think will be considered
features to implement later. This is a list of the bare essentials for
an alpha release.
Each host will have a single database that will be considered the
"trusted database". This is the database that will be used with each
comparison, as a control. After every scan, the trusted database is
compared against the newly created database. A config file called an
"analysis config" will be used in the comparison of the databases. An
anlysis config serves to specify which files the daemon should report
deltas on. At first, this analysis config will contain all the files
in the trusted database. Over time, the administrator will be able to
modify the config so as to reduce the syslog events it generates. In
addition to files and directory names, the analysis config can specify
on a per file basis, which attributes for each file should be included
in the comparison. Scheduling will be simple and allow for the
administrator to schedule a single scan for each host. A schedule
entry consists of a date/time and a scanning config to use. When the
timer fires, the specified config is pushed to the host, a scan is
started, and when complete, the analysis occurs.
the trusted database for each host will be specified in its host.conf
file. The analysis config file will be stored in the root directory
for each host. The analysis config will specify a list of file
entries, for example:
The analysis config will be presented to the user as a listview tree of
directories and files. The administrator can enable/disable any file
to add it to the list of files to be compared. To change the attribute
list, a detailed view of the file can be shown to enable/disable each
The first implementation of scheduling will be a simple cron like
entry. For this release, only one schedule per host will be allowed.
scan = config_name yyy/MM/dd EEE HH:mm
yyyy is a year
MM is a month.
dd is a day
EEE is a day of the week ( MON, TUE, WED, THU, FRI, SAT, SUN ).
HH is an hour in 24 hour day.
mm is a minute in hour.
Use the "*" character for fields to match any value.
The scheduler thread will wake up periodically and check the scheduled
scans, kicking off the ones it needs to. A separate thread will be
created which will start the scan, process the comparison, and log the
This design is meant to allow a host to periodically scan using a
single scanning config, and compare against the trusted database.
Brian Wotring ( brian at shmoo.com )
PGP KeyID: 0x9674763D
More information about the osiris-devel