[osiris-devel] Agent Architecture question
Brian Wotring
bwotring at cisco.com
Tue Nov 30 11:06:20 EST 2004
No, it is not currently possible to have the agents initiate scans. The
current implementation is very simple. Having agents initiate scans
increases the complexity, probably more than most would consider worth it.
I admit that the actual implementation changes to the console and the
agent to support this are minor. The real problem here is how to deal
with authenticating the agents. The only way that I know of to do this
would be to begin issuing client certificates to the agents. This
would be a nightmare to manage, at least.
As far as addressing your concerns about monitoring dynamic hosts, a
simple way to do this is with dynamic DNS.
I hope this helps.
-brian
mailing lists wrote:
>>Second, it made more sense (to me) in the beginning to initiate the
>>connections from the more trusted system, as opposed to receiving them.
>>The management console is critical in that it is to be a secure store
>>for all of the monitoring data. If this is compromised, the whole
>>system is almost useless.
>>
>>Third, if the agents initiated connections, it could be argued that the
>>management console would have a harder time detecting that an agent
>>didn't scan when it was supposed to. That is, it may be easier for a
>>broken agent to go unnoticed.
>
>
> However, this makes Osiris plausible only in static environments. I'm
> not arguing that this is a bad thing -- change management and
> intrusion detection of servers is a serious issue that requires more
> attention than I think most are willing to give. What this doesn't
> lend well to is the idea of monitoring dynamic environments (at least
> not that I can see). Being able to slap an agent on every desktop in
> a corporate environment to detect modification of critical system
> files or insertion of prohibited applications would be immensely
> useful. Of course, this is generally all possible without the
> introduction of the Osiris agent, but I think it lends itself well to
> the framework of the application.
>
> Is it, through some hack or unnamed configuration setting, possible to
> monitor hosts with dynamically assigned IPs? Are there plans to
> introduce this feature in the future? With PKI, this functionality
> shouldn't necessitate any less integrity than the present.
>
>
>>There may be other reasons, but these are the main ones that were
>>considered during design and development. This isn't to say that doing
>>it the other way is wrong, it's just not the way Osiris was built.
>>
>>
>>>Could the communication not have been done with a client push / pull
>>>to the management console instead? Is it possible to turn off the
>>>listening feature of the agent component and force a push within the
>>>current framework?
>>
>>No, not really. You could just run a management console on each
>>monitored host, tripwire style, but that doesn't scale very well.
>>
>
>
> I'm not disagreeing with the centralized management console. That
> feature is a requirement in a mature intrusion detection system
> intended for any mid-to-large scale deployment. In fact, I prefer a
> console that can be accessed through a secure terminal environment as
> opposed to a platform-dependent GUI (though I could settle for a
> webpage, which, as a feature of Osiris, I haven't yet checked out).
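As an added illustration, not Osiris code, of the two problems Brian raises for agent-initiated scans: the console has to authenticate who is pushing a report and has to notice when an expected report never arrives. The agent names, fingerprints and timings below are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Console-side bookkeeping for an agent-initiated ("push") deployment.
# The console no longer drives the scan, so it has to (1) check who is
# pushing, here via an enrolled client-cert fingerprint, and (2) notice
# when an expected report never shows up (the "broken agent" concern).
SCAN_INTERVAL = timedelta(hours=1)
GRACE = timedelta(minutes=10)

@dataclass
class Agent:
    name: str
    cert_fingerprint: str            # hypothetical enrolled value
    last_report: Optional[datetime] = None

class Console:
    def __init__(self, agents: List[Agent]):
        self.agents: Dict[str, Agent] = {a.name: a for a in agents}
        self.rejected: List[str] = []

    def accept(self, name: str, fingerprint: str, received: datetime) -> bool:
        """Record a pushed report only if the agent is enrolled and its
        fingerprint matches; anything else is logged and dropped."""
        agent = self.agents.get(name)
        if agent is None or agent.cert_fingerprint != fingerprint:
            self.rejected.append(name)
            return False
        agent.last_report = received
        return True

    def overdue(self, now: datetime) -> List[str]:
        """Agents that never reported, or whose last report is older than
        one scan interval plus the grace period."""
        return sorted(a.name for a in self.agents.values()
                      if a.last_report is None
                      or now - a.last_report > SCAN_INTERVAL + GRACE)

def demo():
    # Constructed scenario: three enrolled agents; one pushes with a
    # fingerprint that is not the enrolled one, one never pushes at all.
    t0 = datetime(2004, 11, 30, 11, 0)
    c = Console([Agent("desktop-01", "fp-aaa"),
                 Agent("desktop-02", "fp-bbb"),
                 Agent("desktop-03", "fp-ccc")])
    ok1 = c.accept("desktop-01", "fp-aaa", t0)
    ok2 = c.accept("desktop-02", "fp-zzz", t0 + timedelta(minutes=5))
    ok3 = c.accept("desktop-03", "fp-ccc", t0 + timedelta(minutes=30))
    late = c.overdue(t0 + timedelta(hours=1, minutes=20))
    return ok1, ok2, ok3, late, c.rejected
```

Running `demo()` shows the mismatched push rejected and both the stale and the silent agent reported as overdue, while the agent that pushed 50 minutes ago is still within its window.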