Brian Wotring is currently the lead developer for the Osiris project and president
of Host Integrity, Inc. He is also the founder of knowngoods.org,
an online database of known good file signatures. Brian is the co-author of
Mac OS X Security and a long-standing member of the Shmoo
Group, an organization of security and cryptography professionals.
LinuxSecurity.com: Brian, what are you up to these days? Any
new projects on the horizon?
Brian Wotring: Right now my time is divided
between Osiris and my own company that provides host integrity services and
consulting. I'm at the point where I have dreams about host integrity assurance.
Currently, the Osiris project is very active. We are actively
polishing the main/stable branch of the code, pushing new features into the
bleeding-edge branch, and establishing official support for additional platforms. This
being the case, I'm not taking on any new projects right now.
LinuxSecurity.com: What do you do when you are away from computers?
Brian Wotring: I enjoy all types of music. I
am currently playing guitar for a rock band. Basically, I like to make noise.
LinuxSecurity.com: How did you come up with the name Osiris?
Brian Wotring: Preston Norvell, the founder
of the Osiris project, was the one who gave Osiris its name. Osiris is an
Egyptian god who was the lord of the underworld and the judge of souls. It
was believed that when a person died, their heart was put on a scale opposite
a feather. If the heart and the feather balanced, the recently deceased was
allowed to enter the afterlife. Otherwise, they were cast into nothingness.
The first version of Osiris actually contained two applications,
"osiris" and "scale". The "osiris" application scanned the file-system
while "scale" compared the data against the known goods and generated a
report.
LinuxSecurity.com: How is Osiris different from other file-integrity
programs?
Brian Wotring: There are many. The biggest difference
is that Osiris does more than just monitor the integrity of files. It is very
important to monitor files, but if your goal is to ensure that your host environment
is sane, then there are other areas that you need to keep tabs on. At least,
it makes sense to also monitor kernel modules, the details of changes to user
and group databases, open network ports, kernel state, etc.
The Osiris scan agent runs with privilege separation. It has a built-in
scheduler and notification system. You can use regular-expression-based
filters to minimize noise.
The scanned hosts never store their scan information on disk. Instead,
all of the data is stored on a single management console.
Osiris is also designed to be friendly for forensics, or damage
assessment. It is possible to have each scan (and log) archived to make it
easy to construct a timeline in the event of a compromise. Database files
are platform independent so they can be analyzed on other platforms without
much headache.
Osiris runs on the NT-based versions of Windows. Many of the
existing file integrity applications are mainly designed for UNIX.
Finally, Osiris has a basic anti-tampering mechanism as part
of the communication protocol that is used between a scan agent and the management
console.
LinuxSecurity.com: There are file-integrity programs out there
like AIDE, Samhain, integrit, etc. How come you didn't modify one of the existing
programs? Why a new program?
Brian Wotring: There were no existing projects
to modify. Osiris arose from the desire to build something better than Tripwire. At
the time, the only other application out there that we knew of was AIDE, a
Tripwire clone. The idea behind the academic version of Tripwire was very
cool, but almost everyone I knew who used it eventually shelved it. Dealing
with legitimate changes to a monitored host was somewhat cumbersome.
The goal of the Osiris project is to build a host integrity
application that is easy to configure and wouldn't pollute your mailbox. Preston
Norvell, Bruce Potter, and I developed the first versions of Osiris. We
wanted to take things a step further by providing a centrally managed system
that scanned more than just files. That is, move beyond file integrity checking
and into host integrity monitoring.
That being said, I think that some of the other file integrity
applications you mention are very useful. Samhain, for example, is a very
well-built application. There are some things that Osiris does better, and
some things that Samhain does better.
LinuxSecurity.com: How critical is file-integrity?
Brian Wotring: Very. This is something that
I have become very passionate about and either I'm starting to turn into one
of those crazy people, or it's just catching on too slowly.
So much attention is directed towards perimeter security,
and for good reason. However, it makes no sense to me to spend so much energy
building up a defensive perimeter and, in comparison, almost ignore the internal
terrain. If an undetected breach occurs, the potential for loss can be great.
Most countries have militaries to defend their borders; they
have various levels of law enforcement for inside their borders. Banks put
alarms on their doors, but they also place cameras and armed guards inside
the bank. There are so many analogies for this that it hurts my brain.
Look back on the last year and think about some of the big
compromises we heard about. There was the GNU FTP site, the Gentoo rsync server,
some of the Debian development boxes, and even the Linux CVS repository
was breached. What critical files were modified, what private information
was compromised? How far did the attackers get into the network? How did they
obtain root? These are all questions that will need to be answered.
Host integrity monitoring is not even close to being a perfect
solution but the software that exists today can really go a long way towards
maintaining visibility at the host level.
LinuxSecurity.com: Anything you want to say to managers to help
encourage them to allow their administrators or require their admins to install
file-integrity software?
Brian Wotring: Don't rely on perimeter security
alone. Attacks do not always originate from the outside. Software like Samhain
and Osiris has come a long way since the academic release of Tripwire. These
types of systems serve a real purpose and are an essential part of any security
policy. We are far beyond file integrity checkers at this point.
Monitoring files is useful, but not complete. To be able to
construct a more detailed audit trail, additional elements in the host's environment
need to be monitored. For example, suppose I received an alert that claims
the MD5 of the /etc/passwd file has changed. That's lovely, but how
can you tell the difference between a legitimate change to a current user
entry and the addition of a user with uid 0? Modern Host Integrity tools can.
They can monitor log files, look for rogue suid files, and monitor kernel
modules and extensions. By monitoring more than just files, it is a lot harder
for an attacker to alter the environment of a host without being detected.
LinuxSecurity.com: Shmoo.com? How did you guys come up with that
one?
Brian Wotring: It was the nickname of one of
the members. He had the domain name already, and we were poor... so we used
it.
LinuxSecurity.com: Brian, thank you for the interview and we
wish you and your projects the best of luck!
Duane Dunston
is an Information Technology Specialist (Security) for the
National Climatic Data Center. He was previously a contractor for STG Inc.
for the same organization. He received his B.A. and M.S. degrees from
Pfeiffer University and he has his GSEC certification from SANS. Hey, Ann Curry!