[osiris-devel] monitoring host state
Alexei Roudnev
Alexei_Roudnev at exigengroup.com
Tue Jan 6 19:52:27 EST 2004
I mean - you should keep a syntax allowing you to do it. My idea was, yes, to
allow filters to work (you can always alias the 'file' and 'name' filters).
But it works ONLY if these (users, services, groups) are in separate scan
sections.
This makes things easy - you have a few _different_ scans, but every scan
applies all names to the filters inside its section, allowing the use of
unified filters.
----- Original Message -----
From: "Brian Wotring" <brian at shmoo.com>
To: "Osiris Developers" <osiris-devel at lists.shmoo.com>
Sent: Tuesday, January 06, 2004 4:44 PM
Subject: Re: [osiris-devel] monitoring host state
>
> I'm not opposed to adding more control later.
>
> Keep in mind, the real target for these features is servers. These
> are systems that are not generally going to be dynamically loading and
> unloading kernel modules or services, altering user and group entries,
> etc.
>
> One way to solve problems like you described would be to allow the
> filters to work on these scans.
>
> On Jan 6, 2004, at 5:14 PM, Alexei Roudnev wrote:
>
> > Status is suspicious. We have many services which can be in both UP
> > and DOWN states; so if I add Services, I'd like to be able to Exclude
> > something...
> >
> > Btw - can we have some kind of Include and Exclude applicable to these
> > objects (users, groups, services)?
> >
> > Maybe
> >
> > <Users>
> > Exclude user("guest")
> > IncludeAll
> > </Users>
> > <Services>
> > Include ...
> > Exclude ...
> > IncludeAll
> > </Services>
> >
> > At least, if you add new objects which are complex, you should allow
> > future extensions for better control. For the services, it may be
> > important.
> >
> > Additionally, I do not want to control service status, but I'd like to
> > control command names and arguments for the services.
> > Service status is an operational object, which reflects the current
> > system state, not the stateful system state.
> >
> > PS. There is a big set of operational parameters which can be used
> > inside an IDS. Service status is one example; listening ports is
> > another; etc etc...
> > But it is important to understand that these are operational
> > parameters, so they should have different control rules and control
> > methods.
> >
> > ----- Original Message -----
> > From: "Brian Wotring" <brian at shmoo.com>
> > To: "Osiris Developers" <osiris-devel at lists.shmoo.com>
> > Sent: Tuesday, January 06, 2004 3:39 PM
> > Subject: Re: [osiris-devel] monitoring host state
> >
> >
> >>
> >> On Windows, it displays:
> >>
> >>>> windows kmods (services): name, display_name, status (types
> >>>> SERVICE_WIN32)
> >>
> >> On Jan 6, 2004, at 4:18 PM, Alexei Roudnev wrote:
> >>
> >>> What is 'services'? I mean - what is scanned?
> >>>
> >>> ----- Original Message -----
> >>> From: "Brian Wotring" <brian at shmoo.com>
> >>> To: "Osiris Developers" <osiris-devel at lists.shmoo.com>
> >>> Sent: Tuesday, January 06, 2004 2:02 PM
> >>> Subject: Re: [osiris-devel] monitoring host state
> >>>
> >>>
> >>>>
> >>>> You can test these features by adding this to your config:
> >>>>
> >>>> <System>
> >>>> Include users
> >>>> Include groups
> >>>> Include services
> >>>> </System>
> >>>>
> >>>> And, debug configurations have been added to all of the Visual
> >>>> Studio project files.
> >>>>
> >>>> On Jan 6, 2004, at 2:52 PM, Alexei Roudnev wrote:
> >>>>
> >>>>> Hmm, NT.. I think I have (yet) 1 NT. I'll try to verify (btw,
> >>>>> virtual machines can be a good choice for testing).
> >>>>>
> >>>>> Which version - 3.0?
> >>>>>
> >>>>> ----- Original Message -----
> >>>>> From: "Brian Wotring" <brian at shmoo.com>
> >>>>> To: "Osiris Developers" <osiris-devel at lists.shmoo.com>
> >>>>> Sent: Tuesday, January 06, 2004 12:46 PM
> >>>>> Subject: Re: [osiris-devel] monitoring host state
> >>>>>
> >>>>>
> >>>>>>
> >>>>>> I've only tested this on Windows 2000. If you could verify this
> >>>>>> on NT and XP, that would be really helpful.
> >>>>>>
> >>>>>> On Jan 6, 2004, at 1:39 PM, Alexei Roudnev wrote:
> >>>>>>
> >>>>>>> Excellent - if it works -:).
> >>>>>>>
> >>>>>>> Where (which OS) did you test it already?
> >>>>>>>
> >>>>>>> ----- Original Message -----
> >>>>>>> From: "Brian Wotring" <brian at shmoo.com>
> >>>>>>> To: "Osiris Developers" <osiris-devel at lists.shmoo.com>
> >>>>>>> Sent: Tuesday, January 06, 2004 6:02 AM
> >>>>>>> Subject: Re: [osiris-devel] monitoring host state
> >>>>>>>
> >>>>>>>
> >>>>>>>>
> >>>>>>>> The user entry for Windows now contains a list of groups that
> >>>>>>>> user is a member of.
> >>>>>>>>
> >>>>>>>> On Jan 5, 2004, at 1:05 PM, Alexei_Roudnev wrote:
> >>>>>>>>
> >>>>>>>>> For Windows, you need to monitor, at least,
> >>>>>>>>>
> >>>>>>>>> Users, 'Member Of', with names instead of group SIDs. I can
> >>>>>>>>> find the code which allowed extracting such information (I
> >>>>>>>>> wrote it in the past - user, list of groups).
> >>>>>>>>>
> >>>>>>>>> It is not excellent, but works.
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> ----- Original Message -----
> >>>>>>>>> From: "Brian Wotring" <brian at shmoo.com>
> >>>>>>>>> To: "Osiris Developers" <osiris-devel at lists.shmoo.com>
> >>>>>>>>> Sent: Monday, January 05, 2004 11:38 AM
> >>>>>>>>> Subject: [osiris-devel] monitoring host state
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>> Here is what we have so far. I'm mostly concerned with the
> >>>>>>>>>> lack of any significant attributes on the Windows side. If
> >>>>>>>>>> anyone knows of any way to expand this, now is the time.
> >>>>>>>>>>
> >>>>>>>>>> unix users: name,uid,gid,gecos,home,shell
> >>>>>>>>>> windows users: name, privs, home, flags, auth_flags
> >>>>>>>>>>
> >>>>>>>>>> unix groups: group,gid
> >>>>>>>>>>
> >>>>>>>>>> For Windows, only the name. The LOCAL_GROUP_INFO structure
> >>>>>>>>>> contains only the name and the comment field. Getting the gid
> >>>>>>>>>> and other attributes requires using NetGroupEnum(), which I
> >>>>>>>>>> have found to be unreliable for listing local group information.
> >>>>>>>>>>
> >>>>>>>>>> linux kmods: same as output from lsmod
> >>>>>>>>>> darwin kexts: same as output from kextstat
> >>>>>>>>>> windows kmods (services): name, display_name, status (types
> >>>>>>>>>> SERVICE_WIN32)
> >>>>>>>>>>
> >>>>>>>>>> --
> >>>>>>>>>> Brian Wotring ( brian at shmoo.com )
> >>>>>>>>>> PGP KeyID: 0x9674763D
> >>>>>>>>>>
> >>>>>>>>>> _______________________________________________
> >>>>>>>>>> osiris-devel mailing list
> >>>>>>>>>> osiris-devel at lists.shmoo.com
> >>>>>>>>>> https://lists.shmoo.com/mailman/listinfo/osiris-devel
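As an added example (not code from Osiris or from anyone in this thread), here is a toy Python model of the filter semantics Alexei sketches above: per-section Exclude rules plus IncludeAll, applied while diffing two host-state scans so that an excluded user and an operational attribute such as service status never raise an alert, while a changed shell or a newly appeared service does. The rule grammar, the attr("...") form, the "command" attribute and every record are assumptions.

```python
"""Toy model of the Include/Exclude filter semantics proposed in this thread. Added
example, not Osiris code: the rule grammar and every record below are constructed."""
import re
# Constructed scans keyed by (section, object name); "command" is a hypothetical attribute.
BASELINE = {
    ("Users", "root"): {"uid": "0", "gid": "0", "home": "/root", "shell": "/bin/sh"},
    ("Users", "guest"): {"uid": "1001", "gid": "100", "home": "/home/guest", "shell": "/bin/sh"},
    ("Services", "Spooler"): {"display_name": "Print Spooler", "status": "RUNNING", "command": "spoolsv.exe"},
}
CURRENT = {
    ("Users", "root"): {"uid": "0", "gid": "0", "home": "/root", "shell": "/bin/bash"},  # real change
    ("Users", "guest"): {"uid": "1001", "gid": "100", "home": "/tmp", "shell": "/bin/sh"},  # excluded object
    ("Services", "Spooler"): {"display_name": "Print Spooler", "status": "STOPPED", "command": "spoolsv.exe"},  # status only
    ("Services", "Telnet"): {"display_name": "Telnet", "status": "RUNNING", "command": "tlntsvr.exe"},  # new object
}
CONFIG = """<Users>
Exclude user("guest")
IncludeAll
</Users>
<Services>
Exclude attr("status")
IncludeAll
</Services>"""

def parse_config(text):
    """Map section -> {"keys": excluded names, "attrs": excluded attributes, "include_all": bool}."""
    rules, section = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if m := re.fullmatch(r"<(\w+)>", line):
            section = m.group(1)
            rules[section] = {"keys": set(), "attrs": set(), "include_all": False}
        elif line.startswith("</"):
            section = None
        elif section and (m := re.fullmatch(r'Exclude (user|attr)\("([^"]*)"\)', line)):
            rules[section]["attrs" if m.group(1) == "attr" else "keys"].add(m.group(2))
        elif section and line == "IncludeAll":
            rules[section]["include_all"] = True
    return rules

def diff_scans(baseline, current, rules):
    """List (section, name, attr, old, new) changes the rules do not filter out; an added or removed object shows as None -> value."""
    changes = []
    for section, name in sorted(set(baseline) | set(current)):
        r = rules.get(section)
        if r is None or not r["include_all"] or name in r["keys"]:
            continue  # section not scanned, or object explicitly excluded
        old, new = baseline.get((section, name), {}), current.get((section, name), {})
        changes += [(section, name, a, old.get(a), new.get(a)) for a in sorted(set(old) | set(new))
                    if a not in r["attrs"] and old.get(a) != new.get(a)]
    return changes
```

Without an IncludeAll line a section is not scanned at all, which is the distinction Alexei draws between the stateful attributes worth alerting on and the operational ones that merely flap.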