Brian Wotring is currently the lead developer for the Osiris project and president of Host Integrity, Inc. He is also the founder of knowngoods.org, an online database of known good file signatures. Brian is the co-author of Mac OS X Security and a long-standing member of the Shmoo Group, an organization of security and cryptography professionals.

LinuxSecurity.com: Brian, what are you up to these days? Any new projects on the horizon?

Brian Wotring: Right now my time is divided between Osiris and my own company that provides host integrity services and consulting. I'm at the point where I have dreams about host integrity assurance.

Currently, the Osiris project is very active. We are actively polishing the main/ stable branch of the code, pushing new features into the bleeding edge branch, and establishing official support for additional platforms. This being the case, I'm not taking on any new projects right now.


LinuxSecurity.com: What do you do when you are away from computers?

Brian Wotring: I enjoy all types of music. I am currently playing guitar for a rock band. Basically, I like to make noise.

LinuxSecurity.com: How did you come up with the name Osiris?

Brian Wotring: Preston Norvell, the founder of the Osiris project, was the one who gave Osiris its name. Osiris is an Egyptian god that was the lord of the underworld, and the judge of souls. It was believed that when a person died, their heart was put on a scale opposite a feather. If the heart and the feather balanced, the recently deceased was allowed to enter the afterlife. Otherwise, they were cast into nothingness.

The first version of Osiris actually contained two applications, "osiris" and "scale". The "osiris" application scanned the file-system while "scale" compared the data against the known goods and generated a report.

LinuxSecurity.com: How is Osiris different from other file-integrity programs?

Brian Wotring: There are many. The biggest difference is that Osiris does more than just monitor the integrity of files. It is very important to monitor files but if your goal is to ensure that your host environment is sane, then there are other areas that you need to keep tabs on. At least, it makes sense to also monitor kernel modules, the details of changes to user and group databases, open network ports, kernel state, etc.

The Osiris scan agent runs with privilege separation. It has a built-in scheduler and notification system. You can use regular-expression-based filters to minimize noise.

The scanned hosts never store their scan information on disk. Instead, all of the data is stored on a single management console.

Osiris is also designed to be friendly for forensics, or damage assessment. It is possible to have each scan (and log) archived to make it easy to construct a timeline in the event of a compromise. Database files are platform independent so they can be analyzed on other platforms without much headache.

Osiris runs on the NT-based versions of Windows. Many of the existing file integrity applications are mainly designed for UNIX.

Finally, Osiris has a basic anti-tampering mechanism as part of the communication protocol that is used between a scan agent and the management console.

LinuxSecurity.com: There are file-integrity programs out there like Aide, Samhain, integrit, etc. How come you didn't modify one of the existing programs? Why a new program?

Brian Wotring: There were no existing projects to modify. Osiris arose from the desire to build something better than Tripwire. At the time, the only other application out there that we knew of was AIDE, a Tripwire clone. The idea behind the academic version of Tripwire was very cool, but almost everyone I knew who used it eventually shelved it. Dealing with legitimate changes to a monitored host was somewhat cumbersome.

The goal of the Osiris project is to build a host integrity application that is easy to configure and wouldn't pollute your mailbox. Preston Norvell, Bruce Potter, and myself developed the first versions of Osiris. We wanted to take things a step further by providing a centrally managed system that scanned more than just files. That is, move beyond file integrity checking and into host integrity monitoring.

That being said, I think that some of the other file integrity applications you mention are very useful. Samhain, for example, is a very well-built application. There are some things that Osiris does better, and some things that Samhain does better.

LinuxSecurity.com: How critical is file-integrity?

Brian Wotring: Very. This is something that I have become very passionate about, and either I'm starting to turn into one of those crazy people, or it's just catching on too slowly.

So much attention is directed towards perimeter security, and for good reason. However, it makes no sense to me to spend so much energy building up a defensive perimeter and, in comparison, almost ignore the internal terrain. If an undetected breach occurs, the potential for loss can be great.

Most countries have militaries to defend their borders; they have various levels of law enforcement for inside their borders. Banks put alarms on their doors, but they also place cameras and armed guards inside the bank. There are so many analogies for this that it hurts my brain.

Look back on the last year and think about some of the big compromises we heard about. There was the GNU ftp site, the Gentoo rsync server, some of the Debian development boxes, and even the Linux CVS repository was breached. What critical files were modified, what private information was compromised? How far did the attackers get into the network? How did they obtain root? These are all questions that will need to be answered.

Host integrity monitoring is not even close to being a perfect solution but the software that exists today can really go a long way towards maintaining visibility at the host level.

LinuxSecurity.com: Anything you want to say to managers to help encourage them to allow their administrators or require their admins to install file-integrity software?

Brian Wotring: Don't rely on perimeter security alone. Attacks do not always originate from the outside. Software like Samhain and Osiris has come a long way since the academic release of Tripwire. These types of systems serve a real purpose and are an essential part of any security policy. We are far beyond file integrity checkers at this point.

Monitoring files is useful, but not complete. To be able to construct a more detailed audit trail, additional elements in the host's environment need to be monitored. For example, suppose I received an alert that claims the MD5 of an /etc/passwd file has changed. That's lovely, but how can you tell the difference between a legitimate change to a current user entry and the addition of a user with uid 0? Modern Host Integrity tools can. They can monitor log files, look for rogue suid files, and monitor kernel modules and extensions. By monitoring more than just files, it is a lot harder for an attacker to alter the environment of a host without being detected.
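The /etc/passwd distinction Brian draws above, as an added example that is not part of the interview or of the Osiris code base: two constructed passwd snapshots are parsed field by field so that a cosmetic edit to an existing entry can be told apart from a new uid 0 account, which a bare MD5 comparison cannot do. The snapshot contents, field names and severity labels are all assumptions made for the illustration.

```python
import hashlib

# Constructed sample snapshots for the example; not taken from any real host.
BEFORE = """root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""
AFTER = """root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice A.:/home/alice:/bin/zsh
backup:x:0:0:backup:/var/tmp:/bin/sh
"""

# Field names after the username, in /etc/passwd column order.
FIELDS = ("passwd", "uid", "gid", "gecos", "home", "shell")

def parse_passwd(text):
    """Return {username: {field: value}} for passwd-format text."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, *rest = line.split(":")
        if len(rest) != len(FIELDS):
            raise ValueError(f"malformed passwd entry: {line!r}")
        entries[name] = dict(zip(FIELDS, rest))
    return entries

def is_root_id(value):
    """True for any numeric id that resolves to 0 (catches '0', '00', ' 0')."""
    return value.strip().isdigit() and int(value) == 0

def classify_changes(before_text, after_text):
    """Return (severity, message) tuples; only uid/gid 0 changes are CRITICAL."""
    before, after = parse_passwd(before_text), parse_passwd(after_text)
    findings = []
    for name in sorted(after.keys() - before.keys()):
        uid = after[name]["uid"]
        sev = "CRITICAL" if is_root_id(uid) else "INFO"
        findings.append((sev, f"user added: {name} (uid {uid})"))
    for name in sorted(before.keys() - after.keys()):
        findings.append(("WARNING", f"user removed: {name}"))
    for name in sorted(before.keys() & after.keys()):
        for field in FIELDS:
            old, new = before[name][field], after[name][field]
            if old == new:
                continue
            # A uid/gid flipped to 0 is an escalation; gecos or shell edits are routine.
            sev = "CRITICAL" if field in ("uid", "gid") and is_root_id(new) else "INFO"
            findings.append((sev, f"{name}.{field} changed: {old!r} -> {new!r}"))
    return findings

def md5_changed(before_text, after_text):
    """All a plain file-hash check reports: that something in the file changed."""
    return hashlib.md5(before_text.encode()).hexdigest() != hashlib.md5(after_text.encode()).hexdigest()
```

Running `classify_changes(BEFORE, AFTER)` yields one CRITICAL finding for the new uid 0 account and two INFO findings for alice's gecos and shell edits, while `md5_changed` only says the file differs.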

LinuxSecurity.com: Shmoo.com? How did you guys come up with that one?

Brian Wotring: It was the nickname of one of the members. He had the domain name already, and we were poor... so we used it.


LinuxSecurity.com: Brian, thank you for the interview and we wish you and your projects the best of luck!


The interviewer is an Information Technology Specialist (Security) for the National Climatic Data Center. He was previously a contractor for STG Inc. for the same organization. He received his B.A. and M.S. degrees from Pfeiffer University and he has his GSEC certification from SANS. Hey, Ann Curry!