[osiris] Re: Why doesn't it detect anything?
David Vasil
dmvasil at ornl.gov
Thu Feb 8 11:31:46 EST 2007
Gregor Mosheh wrote:
> Hi, all. I'm new to Osiris, from the world of AIDE and Tripwire. I am
> having some odd results, in that Osiris isn't detecting changes. For
> example, I can initialize the host, then run this very dangerous script:
> cd /var/run
> touch foof
> chmod 666 foof
> chmod u+s foof
> ...then run start-scan and find no changes!
>
> Given my configuration file (see below) it should have been picked up,
> being setuid. Meanwhile, other changes are going unnoticed as well, such
> as changes to /etc/fstab
>
> Any ideas?
What is the name of this config? Also, what does 'config
<hostname>' return from the osiris command line?
> # /var, minus the log directories
> <Directory /var>
> Exclude file(^/var/lib/slocate/slocate.db$)
> </Directory>
Try removing the block for <Directory /var>. I'm not certain that
Osiris handles multiple redefinitions for a directory correctly.
> <Directory /var/log>
> Include executable
> Include script
> Include perl
> Include python
> ExcludeAll
> </Directory>
> <Directory /var/run>
> Include executable
> Include script
> Include perl
> Include python
> ExcludeAll
> </Directory>
This may be part of the problem as well. Your config is only including
executables and scripts. That file you created was only 4666.
> # /etc should be relatively static, except for the mtab file
> # changes will happen, but are important enough to be noteworthy
> <Directory /etc>
> Exclude file(^/etc/mtab$)
> </Directory>
It should pick up fstab changing in this block. Is your osiris host
showing any changed files anywhere on the system?
--
-dave
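Added illustration of the point made above about the /var/run block, not code from the thread or from Osiris itself: it replays the poster's touch/chmod steps and evaluates the result against a small model of the <Directory> rules. The rule semantics are assumed (executable = any execute bit set; ExcludeAll drops everything no Include rule matched; Exclude file(REGEX) drops matching paths), and only the "executable" Include is modelled since script/perl/python need file content.

```python
import os
import re
import stat
import tempfile


# Assumed semantics, not taken from the Osiris documentation.
def is_executable(mode: int) -> bool:
    return bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))


def is_setuid(mode: int) -> bool:
    return bool(mode & stat.S_ISUID)


def block_keeps(path: str, mode: int, includes=(), excludes=(), exclude_all=False) -> bool:
    """Does a modelled <Directory> block keep this file in the scan?"""
    if any(re.search(rx, path) for rx in excludes):
        return False
    if exclude_all:
        # Only files matched by an Include rule survive ExcludeAll;
        # "script"/"perl"/"python" are content-based and not modelled here.
        return "executable" in includes and is_executable(mode)
    return True


VAR_RUN = dict(includes=("executable", "script", "perl", "python"), exclude_all=True)
ETC = dict(excludes=(r"^/etc/mtab$",))


def reproduce_foof(tmpdir: str) -> dict:
    """Replay the poster's script in a scratch directory and apply the /var/run block."""
    path = os.path.join(tmpdir, "foof")
    open(path, "a").close()          # touch foof
    os.chmod(path, 0o666)            # chmod 666 foof
    os.chmod(path, 0o4666)           # chmod u+s foof  -> mode 4666, no execute bit
    mode = os.stat(path).st_mode
    return {
        "mode": oct(stat.S_IMODE(mode)),
        "setuid": is_setuid(mode),
        # A 4666 file is setuid but not executable, so an Include executable +
        # ExcludeAll block never sees it, which is why the scan reported nothing.
        "kept_by_var_run_block": block_keeps("/var/run/foof", mode, **VAR_RUN),
    }


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        print(reproduce_foof(d))
    # The /etc block only excludes mtab, so fstab stays in scope.
    print("fstab kept by /etc block:", block_keeps("/etc/fstab", 0o644, **ETC))
```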