Share your story
The central voice for Linux and Open Source security news
Home News Topics Advisories HOWTOs Features Newsletters About Register

Sign up!
EnGarde Community
What is the most important Linux security technology?
Linux Events
Linux User Groups
Link to Us
Security Center
Book Reviews
Security Dictionary
Security Tips
White Papers
Featured Blogs
All About Linux
DanWalsh LiveJournal
Latest Newsletters
Linux Advisory Watch: March 27th, 2015
Linux Security Week: March 23rd, 2015
LinuxSecurity Newsletters
Choose Lists:
About our Newsletters
RSS Feeds
Get the LinuxSecurity news you want faster with RSS
Powered By

Interview with Brian Wotring, Lead Developer for the Osiris Project Print E-mail
User Rating:      How can I rate this item?
Features Brian Wotring is currently the lead developer for the Osiris project and president of Host Integrity, Inc. He is also the founder of, an online database of known good file signatures. Brian is the co-author of Mac OS X Security and a long-standing member of the Shmoo Group, an organization of security and cryptography professionals. Brian, what are you up to these days? Any new projects on the horizon?

Brian Wotring: Right now my time is divided between Osiris and my own company that provides host integrity services and consulting. I'm at the point where I have dreams about host integrity assurance.

Currently, the Osiris project is very active. We are actively polishing the main/ stable branch of the code, pushing new features into the bleeding edge branch, and establishing official support for additional platforms. This being the case, I'm not taking on any new projects right now. What do you do when you are away from computers?

Brian Wotring: I enjoy all types of music. I am currently playing guitar for a rock band. Basically, I like to make noise. How did you come up with the name Osiris?

Brian Wotring: Preston Norvell, the founder of the Osiris project, was the one who gave Osiris its name. Osiris is an Egyptian god that was the lord of the underworld, and the judge of souls. It was believed that when a person died, their heart was put on a scale opposite a feather. If the heart and the feather balanced, the recently deceased was allowed to enter the afterlife. Otherwise, they were cast into nothingness.

The first version of Osiris actually contained two applications, "osiris" and "scale". The "osiris" application scanned the file-system while "scale" compared the data against the known goods and generated a report. How is Osiris different from other file-integrity programs?

Brian Wotring: There are many. The biggest difference is that Osiris does more than just monitor the integrity of files. It is very important to monitor files but if your goal is to ensure that your host environment is sane, then there are other areas that you need to keep tabs on. At least, it makes sense to also monitor kernel modules, the details of changes to user and group databases, open network ports, kernel state, etc.

The Osiris scan agent runs with privilege separation. It has a built in scheduler and notification system. You can use regular expression based filters to minimize noise.

The scanned hosts never store their scan information on disk. Instead, all of the data is stored on a single management console.

Osiris is also designed to be friendly for forensics, or damage assessment. It is possible to have each scan (and log) archived to make it easy to construct a timeline in the event of a compromise. Database files are platform independent so they can be analyzed on other platforms without much headache.

Osiris runs on the NT based versions of Windows. Many of the existing file integrity applications are mainly designed for UNIX.

Finally, Osiris has a basic anti-tampering mechanism as part of the communication protocol that is used between a scan agent and the management console. There are file-integrity programs out there like Aide, Samhain, integrit, etc.. How come you didn't modify one of the existing programs? Why a new program?

Brian Wotring: There were no existing projects to modify. Osiris arose from the desire to build something better than Tripwire. At the time, the only other application out there that we knew of was AIDE, a Tripwire clone. The idea behind the academic version of Tripwire was very cool, but almost everyone I knew who used it, eventually shelved it. Dealing with legitimate changes to a monitored host was somewhat cumbersome.

The goal of the Osiris project is to build a host integrity application that is easy to configure and wouldn't pollute your mailbox. Preston Norvell, Bruce Potter, and myself developed the first versions of Osiris. We wanted to take things a step further by providing a centrally managed system that scanned more than just files. That is, move beyond file integrity checking and into host integrity monitoring.

That being said, I think that some of the other file integrity applications you mention are very useful. Samhain, for example, is a very well-built application. There are some things that Osiris does better, and some things that Samhain does better. How critical is file-integrity?

Brian Wotring: Very. This is something that I have become very passionate about and either I'm starting to turn into one of those crazy people, or it's just catching on too slow.

So much attention is directed towards perimeter security, and for good reason. However, it makes no sense to me to spend so much energy building up a defensive perimeter and, in comparison, almost ignore the internal terrain. If an undetected breach occurs, the potential for loss can be great.

Most countries have militaries to defend their borders; they have various levels of law enforcement for inside their borders. Banks put alarms on their doors, but they also place cameras and armed guards inside the bank. There are so many analogies for this that it hurts my brain.

Look back on the last year and think about some of the big compromises we heard about. There was the GNU ftp site, the Gentoo rsync server , some of the Debian development boxes, and even the Linux CVS repository was breached. What critical files were modified, what private information was compromised? How far did the attackers get into the network? How did they obtain root? These are all questions that will need to be answered.

Host integrity monitoring is not even close to being a perfect solution but the software that exists today can really go a long way towards maintaining visibility at the host level. Anything you want to say to managers to help encourage them to allow their administrators or require their admins to install file-integrity software?

Brian Wotring: Don't rely on perimeter security alone. Attacks do not always originate from the outside. Software like Samhain and Osiris has come a long way since the academic release of Tripwire. These types of systems serve a real purpose and are an essential part of any security policy. We are far beyond file integrity checkers at this point.

Monitoring files is useful, but not complete. To be able to construct a more detailed audit trail, additional elements in the host's environment need to be monitored. For example, suppose I received an alert that claims the MD5 of an /etc/passwd file has changed. That's lovely, but how can you tell the difference between a legitimate change to a current user entry and the addition of a user with uid 0? Modern Host Integrity tools can. They can monitor log files, look for rogue suid files, and monitor kernel modules and extensions. By monitoring more than just files, it is a lot harder for an attacker to alter the environment of a host without being detected. How did you guys come up with that one?

Brian Wotring: It was the nickname of one of the members. He had the domain name already, and we were poor... so we used it. Brian, thank you for the interview and we wish you and your projects the best of luck!

Duane Dunston is an Information Technology Specialist (Security) for the National Climatic Data Center. He was previously a contractor for STG Inc. for the same organization. He received his B.A. and M.S. degrees from Pfeiffer University and he has his GSEC certification from SANS. Hey, Ann Curry!

Only registered users can write comments.
Please login or register.

Powered by AkoComment!

< Prev   Next >


Latest Features
Peter Smith Releases Linux Network Security Online
Securing a Linux Web Server
Password guessing with Medusa 2.0
Password guessing as an attack vector
Squid and Digest Authentication
Squid and Basic Authentication
Demystifying the Chinese Hacking Industry: Earning 6 Million a Night
Free Online security course (LearnSIA) - A Call for Help
What You Need to Know About Linux Rootkits
Review: A Practical Guide to Fedora and Red Hat Enterprise Linux - Fifth Edition
Yesterday's Edition
Tech Companies, Privacy Advocates Call for NSA Reform
Google warns of unauthorized TLS certificates trusted by almost all OSes
How Kevin Mitnick hacked the audience at CeBIT 2015
Partner Sponsor

Community | HOWTOs | Blogs | Features | Book Reviews | Networking
 Security Projects |  Latest News |  Newsletters |  SELinux |  Privacy |  Home
 Hardening |   About Us |   Advertise |   Legal Notice |   RSS |   Guardian Digital
(c)Copyright 2015 Guardian Digital, Inc. All rights reserved.