[osiris] Re: Changing host config file

dave at terriblelies.net dave at terriblelies.net
Mon Sep 10 10:46:44 EDT 2007


Hari Sekhon wrote:
>
> Dave wrote:
>> This is a bug in md_scan.c:scan_host().  Regardless of whether or not
>> you push-config a new config out to a host, osirismd will always use the
>> config associated with that host's baseline database.  One way to fix
>> this would be to have scan_host() first check to see if the remote
>> daemon has a scan config in memory already, if so, use that config; if
>> not, load the baseline database's config.
>>
> This would have a slight problem. If the running daemon had been
> compromised, would it not scan the wrong thing, perhaps intentionally
> missing some area of evil stuff...

An attacker could modify the resident memory of the agent to tell it to no
longer scan certain areas of the system, however, these would show up as
'new' or 'missing' entries in the scan log.  I have a feeling if an
attacker has compromised your osirisd process it is already "game over"
for that system.

> The management console should be authoritative for a reason I think...
>
> Problem is, if this is a bug, has it been fixed yet? I didn't see it in
> the changelog.

At the moment, I do not believe it has been fixed.  Here is a draft patch
I put together to implement what I suggested as a fix.  It needs some
testing to make sure the return codes for osi_host_config_status() can't be
munged, but in the preliminary testing I've done it works as advertised.

> What should I do then, scan and then immediately re-initialize the host?
> This could be a serious problem if I want to reconfigure more hosts...
> I will try to get the latest version and see if that helps...

If you scan, and then re-init the host, the host will have the baseline
database from the re-init and no changes will be shown to you between the
first scan and the re-init.

-dave
-------------- next part --------------
A non-text attachment was scrubbed...
Name: osiris-4.2.3_osirismd_push-config.patch
Type: application/octet-stream
Size: 4491 bytes
Desc: not available
Url : http://lists.shmoo.com/pipermail/osiris/attachments/20070910/3be921a8/attachment.obj 
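The detection point made above (an agent whose in-memory scan config has been narrowed stops covering files the baseline knows about, so those files surface as 'missing' in the comparison) modelled as an added Python example. This is not Osiris code; the paths, hashes and function names are constructed for illustration.

```python
"""Constructed model of the baseline-vs-scan comparison argued above.
The console holds a baseline of what it expects on the host; the agent
reports only what its (possibly altered) in-memory config told it to scan;
the comparison flags anything no longer covered as 'missing'."""

# Constructed baseline database: path -> content hash recorded at init time.
BASELINE = {
    "/bin/ls": "aa11",
    "/bin/ps": "bb22",
    "/etc/passwd": "cc33",
    "/etc/shadow": "dd44",
}

# Constructed view of the host filesystem at scan time.
HOST_FILES = {
    "/bin/ls": "aa11",
    "/bin/ps": "ee55",            # replaced since the baseline was taken
    "/etc/passwd": "cc33",
    "/etc/shadow": "dd44",
    "/etc/cron.d/newjob": "ff66",  # added since the baseline was taken
}


def run_scan(files, scan_config):
    """Return only the entries under the directory roots in the agent's
    in-memory scan config (the part a compromised agent could narrow)."""
    roots = [root.rstrip("/") + "/" for root in scan_config]
    return {p: h for p, h in files.items() if any(p.startswith(r) for r in roots)}


def compare(baseline, scan):
    """Classify scan results against the baseline as the console would."""
    missing = sorted(p for p in baseline if p not in scan)
    new = sorted(p for p in scan if p not in baseline)
    changed = sorted(p for p in baseline if p in scan and scan[p] != baseline[p])
    return {"missing": missing, "new": new, "changed": changed}


if __name__ == "__main__":
    # Honest config covering both trees vs. a config narrowed to /bin only.
    print("full   :", compare(BASELINE, run_scan(HOST_FILES, ["/bin", "/etc"])))
    print("narrow :", compare(BASELINE, run_scan(HOST_FILES, ["/bin"])))
```

The narrowed scan cannot hide its reduced scope: every baseline entry under /etc is reported as missing, which is exactly the signal the console would act on.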