Mass deploying Osiris

Posted by Duane Dunston
Osiris is a centralized file-integrity program that uses a client/server architecture to check for changes on a system. A central server maintains the file-integrity database and the scan configuration for each client. At a scheduled time the server sends the configuration file to the client, the client runs a scan and returns the results, and the server compares them against the database to find any changes. Those changes are then sent by email, if configured, to a system admin or a group of people. All communication takes place over an encrypted channel.

Osiris can be deployed locally or on another continent. One of the major features that makes this possible and secure is the encrypted channel used to communicate with the client: Osiris uses SSL between the client and the server. Another feature of Osiris is that it is portable across many platforms, including Linux, the BSDs, Windows, AIX, Solaris and MacOS. Osiris has many other features, such as:

  • logging to syslog
  • emailing alerts
  • filtering out recurring alerts
  • detecting new accounts being created or deleted
  • monitoring kernel modules
  • configuring what attributes of a file to scan
  • manually starting scans
  • scheduling a scan
and many other features.

It should be noted that the central server (the host running the management console) must be kept secure, with access limited to the people administering the Osiris management console and the clients that need to communicate with it. By default, the management console only accepts incoming login connections from the localhost (127.0.0.1); any other host has to be added explicitly. Those allowed access to the management console can log onto the server directly or log in remotely with the osiris command-line client, provided their IP is allowed to connect. If the central server is kept secure and a client is compromised and the attacker deletes or kills the osiris client, that is no problem: the central server still holds the configuration file and the database. All that needs to be done is to reinstall the client on the compromised system, preferably as a static binary as this article describes. The admin then logs into the management console, pushes a scan config file over and initiates a scan; the results come back and are compared against the database on the central server, so you can still see what the attacker did on the computer.

This article discusses how to mass deploy Osiris in a Linux environment. This is useful for environments with a large number of computer systems on which Osiris is to be deployed, whether Osiris is going to be installed and managed locally or 2,000 miles from where the management console is located. The mass deployment is done with the program "remote_update.pl". It uses SSH to execute commands on multiple machines and logs the output to a file for each system it logs into. It can also re-run commands only on the servers that failed during a previous run, and it can log into multiple machines at once. Since remote_update.pl requires a password that is stored in a text file, the program "ccrypt" will be used to encrypt that text file, and the file is decrypted on the fly when remote_update.pl is executed. Other programs such as GnuPG can be used instead, but ccrypt was chosen because it is also portable across many operating systems (Linux, Solaris, AIX, the BSDs, Windows, etc.) and can be deployed quickly.

Osiris - http://osiris.shmoo.com/
remote_update.pl - http://store.z-kat.com/~valankar/
ccrypt - http://ccrypt.sourceforge.net/ (or some other commandline file encryption program like GnuPG. This tutorial will discuss ccrypt.)

If you know how to install Osiris as a static binary on other OS's, please email me with the instructions and I'll add it to this article.

Osiris

Untar the distributions to "/tmp/".

/bin/tar -xzvf osiris-x.x.x.tar.gz
cd osiris-x.x.x-release

First edit the file: "src/install/install.sh" and change the line:

INTERACTIVE=1

to

INTERACTIVE=0

This will prevent the "remote_update.pl" program from prompting you for input when Osiris is installed on the remote systems. Change any other options you need in that file.

If you will be running Osiris on multiple Linux versions, you can compile it as a static binary on one Linux system and then push that binary out to the other Linux systems. To do this, add the following line before running ./configure: export CFLAGS="-static $CFLAGS"

Now to compile Osiris:

./configure

or as a static binary:

export CFLAGS="-static $CFLAGS"
./configure
/bin/make
/bin/make agent
/bin/make console (optional)

(Note: run "/bin/make console" only if you also want static binaries of the management console.)

The build creates a tarball of the agent that was just compiled. It is located under the Osiris source directory in "src/install" and is named in the format osiris-agent-version-release-kernel-version-architecture.tar.gz:

/bin/ls src/install/

You should see something like:

osiris-agent-x.x.x-release-Linux.2.4.26.tar.gz

(if you ran:

/bin/make console

you will also see osiris-console-x.x.x-release-Linux.2.4.26.tar.gz)

remote_update.pl

Untar the "remote_update.pl" tarball:

/bin/tar xzvf remote_update-x.x.tar.gz
/bin/cp remote_update-x.x/remote_update.pl /usr/sbin

create a directory called "osiris/" under "/tmp/":

/bin/mkdir /tmp/osiris
cd /tmp/osiris

Create the directories: "files/" and "scripts/" and a text file named "hosts" and "password" in the root of "/tmp/osiris/":

/bin/mkdir /tmp/osiris/{files,scripts}
/usr/bin/touch /tmp/osiris/{hosts,password}

Copy the files that you want to transfer to the directory "files/"

/bin/cp /tmp/osiris-x.x.x/src/install/osiris-agent-x.x.x-release-Linux-2.4.26-1-686.tar.gz /tmp/osiris/files

(Optionally you can copy over the management console to some hosts but it is recommended to copy it to only a few computers. In particular, just those that will be managing the Osiris file-integrity program.)

Then, create a script that will untar the Osiris distribution and run the install program on the remote systems and put that script in "scripts/".

Here is a sample script called "Osiris-deploy.sh":

##################### /tmp/osiris/scripts/Osiris-deploy.sh ##########################
#!/bin/sh
# Runs on each remote host from the temporary directory remote_update.pl
# creates there, so the paths below are relative to that directory.
# Stop at the first failure so a broken extract does not run install.sh.
set -e

/bin/tar -xzvf ./files/osiris-agent-x.x.x-release-Linux-2.4.26-1-686.tar.gz
# I like to be sure the temporary remote directory is owned by the user that is logging
# in so all temporary files and directories are removed.
# Replace "user" with the account remote_update.pl logs in as.
/bin/chown -R user:user /home/user/.remote_update/
cd ./osiris-agent-x.x.x-release
# install.sh was edited earlier to set INTERACTIVE=0, so this does not prompt.
./install.sh
##################### /tmp/osiris/scripts/Osiris-deploy.sh ##########################

Make the file executable and copy it to the "scripts/" directory:

/bin/chmod +x Osiris-deploy.sh
/bin/cp Osiris-deploy.sh /tmp/osiris/scripts/

Next, specify in the "hosts" file a list of hosts, one per line, to deploy Osiris on. For example,

##################### /tmp/osiris/hosts ##########################
host1
127.0.0.1
myhost.domain.net
##################### /tmp/osiris/hosts ##########################

ccrypt

How ccrypt is installed depends on your distribution, OS, and the package format you choose: it is available as a static binary, an RPM, or source. For Debian I ran:

/usr/sbin/apt-get install ccrypt

Now comes the really important part, the "password" file. The remote_update program comes with a sample password file, so peruse that for more information.

Below is an example of how to set up the password file, with a list of passwords for each user, including root. The remote_update program tries each password for a user in turn until one succeeds or all of them fail. Here is a sample password file called "password":

##################### /tmp/osiris/password ##########################
# 1. Be sure no one is looking over your shoulder during this part!
# 2. Be sure you type the passwords correctly.
# 3. The username must be at the beginning of the line and each password
#    has to be one tab over, on its own line underneath the username for that user.
# 4. There are some exceptions to this, so read the "example_password.txt" file
#    in the source directory of remote_update.
# 5. remote_update will keep trying until there are no more user/password combinations
#    or until it succeeds.

duane
	password1
	password2
	password3
	password4
ryan
	password1
	password2
root
	password1
	password2

##################### /tmp/osiris/password ##########################

Immediately encrypt the file with "ccrypt" (or GnuPG):

/usr/bin/ccrypt -e password

After you type a passphrase to encrypt the file, ccrypt replaces "password" with the encrypted file "password.cpt", so the plaintext is no longer on disk.

All Together now

Be sure that the "hosts" file is located in the root of "/tmp/osiris/". Now you are ready to deploy Osiris with the command:

/usr/bin/ccat password.cpt | /usr/sbin/remote_update.pl -v -p - -d /tmp/osiris

Here is what is going on. First you decrypt the contents of the "password.cpt" file to standard output (/usr/bin/ccat password.cpt) and pipe it into the remote_update program, telling it to read the password file from standard input (| /usr/sbin/remote_update.pl -p -). Then you specify the directory where the scripts and the files to copy over are located (-d /tmp/osiris). I have a sick and personal thing about seeing stuff moving on my terminals, so I specified the verbose switch (-v). For each host listed in the hosts file, remote_update creates a ".log" file under "/tmp/osiris/" containing the verbose output from that remote system; this is the same output the (-v) switch shows on the command line. If installing osiris fails on some hosts, add the (-f) switch and remote_update will retry only the hosts that failed:

/usr/bin/ccat password.cpt | /usr/sbin/remote_update.pl -v -f -p - -d /tmp/osiris

Under the directory "/tmp/osiris" there will be a ".log" file for each host specified in the "hosts" file.
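The password file format above and the per-host ".log" files are the two places where a mass deployment quietly goes wrong: a password typed on the wrong line, a plaintext "password" left beside "password.cpt", a script in "scripts/" that is not executable, or a host that never produced a log. The following preflight script is an added example written for this article; it is not part of Osiris or remote_update.pl. It assumes that each host's log is written to "DIR/<host>.log" and that the password file contains only comments, blank lines, usernames at column 0 and tab-indented passwords (the "exceptions" mentioned in example_password.txt are not handled).

```shell
#!/bin/sh
# osiris-preflight.sh: added example, not part of the article, Osiris or
# remote_update.pl. Checks the /tmp/osiris staging directory and the plaintext
# "password" file before it is encrypted, and lists hosts with no log after a
# run. Assumptions not stated by the article: every host's log is written to
# DIR/<host>.log, and the password file holds only comment lines, blank lines,
# usernames at column 0 and passwords indented by exactly one tab.

# check_password_format FILE
# Exit 0 when every username line is followed by at least one tab-indented
# password line; otherwise print what is wrong and exit 1. Run this BEFORE
# "ccrypt -e password", since the plaintext is gone afterwards.
check_password_format() {
    awk '
        BEGIN { bad = 0; user = ""; npw = 0 }
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # comment or blank line
        /^\t/ {                                     # one tab in: a password
            if (user == "") { print "line " NR ": password before any username"; bad = 1 }
            npw++; next
        }
        /^ / { print "line " NR ": indented with spaces, expected a tab"; bad = 1; next }
        {                                           # column 0: a username
            if (user != "" && npw == 0) { print "line " NR ": " user " has no passwords"; bad = 1 }
            user = $0; npw = 0
        }
        END {
            if (user == "") { print "no usernames found"; bad = 1 }
            else if (npw == 0) { print "last user " user " has no passwords"; bad = 1 }
            exit bad
        }' "$1"
}

# check_layout DIR
# Verify the layout the article builds under /tmp/osiris: files/, scripts/,
# a non-empty hosts file, an encrypted password.cpt, no leftover plaintext
# "password", and executable scripts (remote_update runs whatever is in scripts/).
check_layout() {
    dir=$1
    for f in files scripts hosts; do
        [ -e "$dir/$f" ] || { echo "missing $dir/$f"; return 1; }
    done
    [ -s "$dir/hosts" ] || { echo "$dir/hosts is empty"; return 1; }
    [ -f "$dir/password.cpt" ] || { echo "$dir/password.cpt missing: run ccrypt -e first"; return 1; }
    [ ! -e "$dir/password" ] || { echo "plaintext $dir/password still present"; return 1; }
    for s in "$dir"/scripts/*; do
        [ -e "$s" ] || continue                  # empty scripts/ directory
        [ -x "$s" ] || { echo "$s is not executable (chmod +x)"; return 1; }
    done
    return 0
}

# missing_logs DIR
# After a run, print each host from DIR/hosts that has no DIR/<host>.log;
# those are the hosts to retry with the -f switch.
missing_logs() {
    grep -v '^[[:space:]]*$' "$1/hosts" | while IFS= read -r host; do
        [ -f "$1/$host.log" ] || echo "$host"
    done
}

# deploy DIR [retry]
# The article's pipeline: decrypt password.cpt to stdout and hand it to
# remote_update.pl on stdin (-p -). Pass any second argument to add -f and
# retry only the hosts that failed last time.
deploy() {
    check_layout "$1" || return 1
    /usr/bin/ccat "$1/password.cpt" | /usr/sbin/remote_update.pl -v ${2:+-f} -p - -d "$1"
}

# Stand-alone demo on a constructed staging directory; no real host is touched.
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/files" "$d/scripts"
    printf 'host1\nmyhost.domain.net\n' > "$d/hosts"
    printf '# constructed sample\nduane\n\tpassword1\n\tpassword2\nroot\n\tpassword1\n' > "$d/password"
    check_password_format "$d/password" && echo "password file format OK"
    : > "$d/password.cpt"; rm "$d/password"        # stand-in for "ccrypt -e password"
    printf '#!/bin/sh\n' > "$d/scripts/Osiris-deploy.sh"
    chmod +x "$d/scripts/Osiris-deploy.sh"
    check_layout "$d" && echo "layout OK"
    : > "$d/host1.log"                             # pretend only host1 ran
    echo "hosts without a log: $(missing_logs "$d")"
    rm -rf "$d"
}

if [ "${1:-}" = --demo ]; then demo; fi
# Real use: . ./osiris-preflight.sh; check_password_format /tmp/osiris/password \
#   && /usr/bin/ccrypt -e /tmp/osiris/password && deploy /tmp/osiris
```

Run it with "--demo" to see the checks against a constructed directory, or source it and call check_password_format before ccrypt and missing_logs after the deployment; anything missing_logs prints is a candidate for the "-f" retry run.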

Now you have three great programs to work with, Osiris, remote_update.pl, and ccrypt. Remote_update.pl can be used for a wide variety of purposes when you are administering a lot of computer systems at once.


Duane Dunston received his B.A. and M.S. degrees from Pfeiffer University and he has his GSEC certification from SANS. Hey, Ann Curry!

Comments
adding new host to Osiris management con
Written by Mohammad Rahin on 2007-08-09 11:14:58
I am very interested in mass deploying Osiris and this article certainly helps. I'd like to know if you have any idea on how to automate the process of adding new hosts to the Osiris Management Console without using the Osiris CLI interactively.

- Mohammad
Sr. Systems Engineer
Written by J Kirk on 2008-10-01 10:45:58
I have been able to automate the Osiris CLI using an Expect script.

http://oreilly.com/catalog/expect/chapter/ch03.html
