From phillip at fiu.edu Mon Sep 13 10:05:04 2004
From: phillip at fiu.edu (phillip at fiu.edu)
Date: Mon, 13 Sep 2004 10:05:04 -0400
Subject: [osiris-devel] osiris + NOC

Hello,

As we are evaluating Osiris to replace our Tripwire implementation, the question of using it in a NOC has come up. Are there any types of GUI interfaces or plugins to Nagios available or in the works? If not, does anyone have ideas on ways to review changes on all systems from a central location, other than the email alerts that Osiris sends out?

Thanks!

Your friendly neighborhood SA,
phiLLip


From Alexei_Roudnev at exigengroup.com Mon Sep 13 13:20:52 2004
From: Alexei_Roudnev at exigengroup.com (Alexei_Roudnev)
Date: Mon, 13 Sep 2004 10:20:52 -0700
Subject: [osiris-devel] osiris + NOC
Message-ID: <065601c499b6$05741dd0$2c7f300a@sjc.exigengroup.com>

I did a simple thing:

- I have a Unix (FreeBSD) management server and web server with ops authentication;
- I installed mhonarc and created folders for alerts, warnings and changes;
- all osiris reports are duplicated into this 'change' archive.

As a result, I have a web image of all changes, looking like this (below), and use it for daily change reviews. (Of course, osiris requires good web reporting, but Brian hates this idea, so it was never developed. As a result, help yourself.)

    back   A U D I T   alerts  warnings  reports  audits  staging  bounced
    --------------------------------------------------------------------------------
    September 13, 04
      09:10  Re: scan log - [host: EQXpFE03][+0 -0 !=1 total 3 changes]   Ian_Hopper
      02:30  scan log - [host: EQXpFE03][+0 -0 !=1 total 3 changes]       Osiris IDS
      02:05  scan log - [host: secmon1][+0 -0 !=0 total 0 changes]        Osiris IDS
      00:00  *** STG2 virus                                               secmon
    September 12, 04
      23:43  scan log - [host: imxwf01][+0 -0 !=2 total 7 changes]        Osiris IDS
      22:15  scan log - [host: clxwf02][+74 -1 !=2 total 82 changes]      Osiris IDS
      21:52  failed to start scheduled scan [host: clxstgwf02]            Osiris IDS
      21:27  failed to start scheduled scan [host: sjcswf04]              Osiris IDS
      15:51  *** STG2 virus                                               secmon
      02:30  scan log - [host: EQXpFE03][+0 -0 !=1 total 3 changes]       Osiris IDS
      02:05  scan log - [host: secmon1][+0 -0 !=0 total 0 changes]        Osiris IDS
      00:00  *** STG2 virus                                               secmon
    September 11, 04
      23:40  failed to start scheduled scan [host: imxwf01]               Osiris IDS
      22:15  scan log - [host: clxwf02][+74 -1 !=2 total 82 changes]      Osiris IDS
      15:51  *** STG2 virus                                               secmon
      02:30  scan log - [host: EQXpFE03][+0 -0 !=1 total 3 changes]       Osiris IDS
      02:06  scan log - [host: secmon1][+0 -0 !=0 total 0 changes]        Osiris IDS
      01:03  *** STG2 virus                                               secmon
      00:00  *** STG2 virus                                               secmon

----- Original Message -----
From: phillip at fiu.edu
To: osiris-devel at lists.shmoo.com
Sent: Monday, September 13, 2004 7:05 AM
Subject: [osiris-devel] osiris + NOC

Hello,

As we are evaluating Osiris to replace our Tripwire implementation, the question of using it in a NOC has come up. Are there any types of GUI interfaces or plugins to Nagios available or in the works? If not, does anyone have ideas on ways to review changes on all systems from a central location, other than the email alerts that Osiris sends out?

Thanks!

Your friendly neighborhood SA,
phiLLip

------------------------------------------------------------------------------
_______________________________________________
osiris-devel mailing list
osiris-devel at lists.shmoo.com
https://lists.shmoo.com/mailman/listinfo/osiris-devel


From brian at shmoo.com Fri Sep 24 10:58:05 2004
From: brian at shmoo.com (Brian Wotring)
Date: Fri, 24 Sep 2004 08:58:05 -0600
Subject: [osiris-devel] bind on windows
Message-ID: <415435FD.8050603@shmoo.com>

While developing a port monitoring module for Osiris I discovered something troubling; hopefully someone knows more about this than I do.

On Windows (including XP SP2), if one does something like:

    sin_addr.s_addr = inet_addr( "127.0.0.1" );
    bind(...);

It binds to the local address correctly, but winsock always reports the local address for this as 0.0.0.0, as if INADDR_ANY was specified, as if it was accepting connections on any interface. This seems really broken.

Anyone know of any ways to determine programmatically which TCP listens are actually locally bound, and which are not?
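Alexei's archive above is reviewed by eye. The following added example (not part of the thread and not Osiris code) parses Osiris notification subjects, in exactly the form they appear in that listing, into a per-host summary that a NOC console or a Nagios check could consume; the sample subjects are copied from the listing, while the function names and the aggregation logic are my own.

```python
import re
from collections import defaultdict

# Subject formats exactly as they appear in the archive listing
SCAN_RE = re.compile(r"scan log - \[host: (?P<host>[^\]]+)\]"
                     r"\[\+(?P<added>\d+) -(?P<removed>\d+) !=(?P<changed>\d+) total (?P<total>\d+) changes\]")
FAIL_RE = re.compile(r"failed to start scheduled scan \[host: (?P<host>[^\]]+)\]")

def parse_subject(subject):
    """Return a record for one Osiris report subject, or None for anything else."""
    if subject.lstrip().lower().startswith("re:"):   # a human reply, not a new report
        return None
    m = SCAN_RE.search(subject)
    if m:
        rec = {k: (v if k == "host" else int(v)) for k, v in m.groupdict().items()}
        return dict(rec, kind="scan")
    m = FAIL_RE.search(subject)
    return {"kind": "failed", "host": m.group("host")} if m else None

def summarize(subjects):
    """Aggregate per host: completed scans, failed scans and summed +/-/!= counts."""
    per_host = defaultdict(lambda: {"scans": 0, "failed": 0, "added": 0, "removed": 0, "changed": 0})
    for subject in subjects:
        rec = parse_subject(subject)
        if rec is None:
            continue
        host = per_host[rec["host"]]
        if rec["kind"] == "failed":
            host["failed"] += 1          # a missed scan is a finding in its own right
        else:
            host["scans"] += 1
            for key in ("added", "removed", "changed"):
                host[key] += rec[key]
    return dict(per_host)

def needs_attention(summary):
    """Hosts with a failed scan or any change, largest change volume first."""
    volume = lambda s: s["added"] + s["removed"] + s["changed"]
    hot = [(h, s) for h, s in summary.items() if s["failed"] or volume(s)]
    return sorted(hot, key=lambda hs: -volume(hs[1]))

# Constructed sample input: subject lines taken from the listing above
SAMPLE_SUBJECTS = [
    "scan log - [host: EQXpFE03][+0 -0 !=1 total 3 changes]",
    "Re: scan log - [host: EQXpFE03][+0 -0 !=1 total 3 changes]",
    "scan log - [host: imxwf01][+0 -0 !=2 total 7 changes]",
    "scan log - [host: clxwf02][+74 -1 !=2 total 82 changes]",
    "failed to start scheduled scan [host: clxstgwf02]",
    "failed to start scheduled scan [host: sjcswf04]",
    "*** STG2 virus",
]
```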
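Brian's question above is how a monitor can tell whether a TCP listener is bound to loopback only or to all interfaces. The added example below (not Brian's module, and written against the POSIX socket stack rather than Winsock) binds a listening socket and compares the scope it asked for with the scope the stack reports back through getsockname(); a port monitor should trust the reported scope only when the two agree, which on the Windows versions Brian describes they would not.

```python
import ipaddress
import socket

def scope_of(host):
    """'any' for the wildcard address, 'loopback' for 127.0.0.0/8 or ::1, else 'specific'."""
    addr = ipaddress.ip_address(host)
    if addr.is_unspecified:
        return "any"
    if addr.is_loopback:
        return "loopback"
    return "specific"

def audit_listener(host, port=0, family=socket.AF_INET):
    """Bind a listening socket to host:port (port 0 = any free port) and report
    both the requested scope and the scope the stack claims via getsockname()."""
    sock = socket.socket(family, socket.SOCK_STREAM)
    try:
        sock.bind((host, port))
        sock.listen(1)
        reported_host, reported_port = sock.getsockname()[:2]
    finally:
        sock.close()
    requested, reported = scope_of(host), scope_of(reported_host)
    return {
        "requested": requested,
        "reported": reported,
        "port": reported_port,
        # Only a reported scope that agrees with the request is usable as evidence
        # that the listener is not reachable from other interfaces.
        "trustworthy": requested == reported,
    }
```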
From Alexei_Roudnev at exigengroup.com Sat Sep 25 00:14:36 2004
From: Alexei_Roudnev at exigengroup.com (Alexei_Roudnev)
Date: Fri, 24 Sep 2004 21:14:36 -0700
Subject: [osiris-devel] Certificate.... who did it! It expired in 1 year, making system fully disabled
Message-ID: <0caf01c4a2b6$2b8831b0$2c7f300a@sjc.exigengroup.com>

Today it happened: osirismd was installed 1 year ago sharp, so its certificate (which was generated with 1 year expiration) expired. The result is easy to predict: the system halted totally.

(If generating such certificates, set up 100 years expiration time by default or make some way to auto-distribute them. Else there is no chance to make it all work normally. The worst thing is that it happens when everything is in production mode, and when there is a chance that none of the people who installed it are here. The risk of having unlimited expiration time is (in an enterprise environment) miserable, and it is always possible to configure certificate generation manually. Anyway, defaults should not cause the system to halt 1 year after installation.)


From Alexei_Roudnev at exigengroup.com Sat Sep 25 03:17:16 2004
From: Alexei_Roudnev at exigengroup.com (Alexei_Roudnev)
Date: Sat, 25 Sep 2004 00:17:16 -0700
Subject: [osiris-devel] key regeneration (expiration time = 1 year , so be ready for headache after 1 year of succesfull running)
Message-ID: <0cd901c4a2cf$afb4acc0$2c7f300a@sjc.exigengroup.com>

Hmm; I hacked the daemon (so that it generates keys valid for 10 years) and it took only 3 hours to clean old keys and restart agents on 100 servers (so if you have 1000 servers, you can complete everything in a week -:) even without automation). Btw, X509 does not allow generating keys valid for 100 years -:).

Anyway, it should have some bypass and a long term solution; long term can be (allow 2 different certificates to coexist, and push the new certificate if the agent has the old one); short term - some script.

I found a pretty simple GUI for Windows, allowing to install a service remotely (having a simple exe file), which can be used for remote agent installation; maybe something like this can be done in this case as well (change of certificate, change of central server, etc).


From Alexei_Roudnev at exigengroup.com Mon Sep 27 13:34:56 2004
From: Alexei_Roudnev at exigengroup.com (Alexei_Roudnev)
Date: Mon, 27 Sep 2004 10:34:56 -0700
Subject: [osiris-devel] key regeneration (expiration time = 1 year , so be ready for headache after 1 year of succesfull running)
References: <0cd901c4a2cf$afb4acc0$2c7f300a@sjc.exigengroup.com>
Message-ID: <00f201c4a4b8$4e5668c0$2c7f300a@sjc.exigengroup.com>

(Looks as if the original message was lost.)

Problem found: during installation, osirismd generates keys valid for 1 year only, and has no way to regenerate and distribute new keys. When the keys expire, everything halts.

Manual key replacement (remove old keys and restart) is a very time consuming process when you have a few hundred servers (I spent 4 hours using scripts; it could take 1 week without scripts).

This can compromise the system, because it is the worst scenario I can imagine: the system is installed, works for 1 year without problems (btw, use my script to remove old databases - it allows having everything balanced), then (when no one can be on site, and everyone has forgotten the details) halts.

I changed osirismd to generate keys valid for 10 years, but it is not a long term solution anyway (if the system still exists in 10 years and suddenly stops, it will be a deadly stop, because in 10 years no one will know how to reinstall keys).

Two real solutions are possible (better both):

- allow the system to work with expired keys (sending warnings);
- add automated key regeneration and distribution, so the system can replace keys when they are about to expire (or when they are already expired, with the operator's confirmation).

Problem found at 2.4, but I believe it exists in all versions. (? - Q. to Brian)

----- Original Message -----
From: Alexei_Roudnev
To: osiris-devel at shmoo.com
Sent: Saturday, September 25, 2004 12:17 AM
Subject: [osiris-devel] key regeneration (expiration time = 1 year ,so be ready for headache after 1 year of succesfull running)

Hmm; I hacked the daemon (so that it generates keys valid for 10 years) and it took only 3 hours to clean old keys and restart agents on 100 servers (so if you have 1000 servers, you can complete everything in a week -:) even without automation). Btw, X509 does not allow generating keys valid for 100 years -:).

Anyway, it should have some bypass and a long term solution; long term can be (allow 2 different certificates to coexist, and push the new certificate if the agent has the old one); short term - some script.

I found a pretty simple GUI for Windows, allowing to install a service remotely (having a simple exe file), which can be used for remote agent installation; maybe something like this can be done in this case as well (change of certificate, change of central server, etc).
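The outage described in these messages is a missing check as much as a short certificate lifetime. As an added example (not Osiris code and not part of the thread), the following extracts the validity period from a DER-encoded X.509 certificate with a minimal ASN.1 walk and reports "expiring" ahead of the deadline, which is the warning behaviour the first proposed solution asks for. The `sample_cert` builder and its dates are constructed here for offline testing and are not an Osiris certificate; real certificates carry more fields after the validity, which the walk simply does not need.

```python
from datetime import datetime, timedelta, timezone

UTCTIME, GENERALIZEDTIME, SEQUENCE, CONTEXT0 = 0x17, 0x18, 0x30, 0xA0

def _tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    pos, out = 0, []
    while pos < len(value):
        tag, inner, pos = _tlv(value, pos)
        out.append((tag, inner))
    return out

def _asn1_time(tag, value):
    fmt = "%y%m%d%H%M%SZ" if tag == UTCTIME else "%Y%m%d%H%M%SZ"   # else GeneralizedTime
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def cert_validity(der):
    """Return (notBefore, notAfter) as aware datetimes from a DER X.509 certificate."""
    _, cert, _ = _tlv(der, 0)               # Certificate ::= SEQUENCE
    tbs = _children(cert)[0][1]             # tbsCertificate is its first child
    fields = _children(tbs)
    if fields[0][0] == CONTEXT0:            # optional [0] EXPLICIT version
        fields = fields[1:]
    not_before, not_after = _children(fields[3][1])   # serial, sigalg, issuer, validity
    return _asn1_time(*not_before), _asn1_time(*not_after)

def expiry_status(der, now, warn_days=30):
    """'expired', 'expiring' (within warn_days of notAfter) or 'ok'."""
    _, not_after = cert_validity(der)
    if now >= not_after:
        return "expired"
    if now >= not_after - timedelta(days=warn_days):
        return "expiring"
    return "ok"

def _der(tag, content):
    return bytes([tag, len(content)]) + content      # short-form length is enough here

def sample_cert(not_before="040925000000Z", not_after="050925000000Z"):
    """Constructed certificate-shaped DER with a one-year validity (test input only)."""
    validity = _der(SEQUENCE, _der(UTCTIME, not_before.encode()) + _der(UTCTIME, not_after.encode()))
    tbs = _der(SEQUENCE, _der(CONTEXT0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
               + _der(SEQUENCE, b"") + _der(SEQUENCE, b"") + validity)
    return _der(SEQUENCE, tbs + _der(SEQUENCE, b"") + _der(0x03, b"\x00"))
```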