Mass deploying Osiris
Posted by Duane Dunston   
Features Osiris is a centralized file-integrity program that uses a client/server architecture to check for changes on a system. A central server maintains the file-integrity database and configuration for a client and at a specified time, sends the configuration file over to the client, runs a scan and sends the results back to the server to compare any changes. Those changes are then sent via email, if configured, to a system admin or group of people. The communication is all done over an encrypted communication channel.

Osiris can be deployed locally or it can be deployed on another continent. One of the major features that makes that possible and secure is the secure communication channel that is used to communicate with the client. Osiris uses SSL for communication between the client and server. Another feature of Osiris is that it is portable across a few platforms including Linux, BSD's, Windows, AIX, Solaris, MacOS, etc.. Osiris has many other features like:

  • logging to syslog
  • emailing alerts
  • filtering out recurring alerts
  • detecting new accounts being created or deleted
  • monitoring kernel modules
  • configuring what attributes of a file to scan
  • manually starting scans
  • scheduling a scan
and many other features.

It should be noted that the central server or the server maintaining the management console should be kept secure and limited access allowed to the server except for those administering the osiris management console and the clients that will need to communicate with it. By default, the management console will only allow incoming login connections from the localhost (127.0.0.1) and any other hosts will need to be added. Those allowed access to the management console can log onto the server directly or log in remotely with the osiris commandline client, provided their IP is allowed to connect. If the central server is kept secure and a client is compromised and the attacker deletes or kills the osiris client, no problem. The central server maintains the configuration file and the database. All that needs to be done is for the client reinstalled on the compromised system, preferrably with a static binary as this article describes, then the admin logins into the management console, pushes a scan config file over, initiates a scan and it will send the results back and compare it against the database on the central server, so you can still see what the attacker did on the computer.

This article discusses how to mass deploy Osiris in a Linux environment. This is useful for environments with a large number of computer systems they want to deploy Osiris too. This applies if Osiris is going to be installed and managed locally or 2,000 miles from where the managment console is located. The mass deployment is done using the program "remote_update.pl". It uses SSH to execute commands on multiple machines and logs the output to a file for each system it logs into. It has the ability to only run commands on servers that failed during a previous run. Also, multiple machines can be logged into at once. Since remote_update.pl requires a password that is located in a text file, the program "ccrypt" will be used to encrypt the text file and decrypted on the fly when remote_update.pl is executed. There are other programs that can be used such as GnuPG but ccrypt was chosen because it too is portable across many Operating systms Linux, Solaris, AIX, BSD's, Windows, etc. and can be quickly deployed.

Osiris - http://osiris.shmoo.com/
remote_update.pl - http://store.z-kat.com/~valankar/
ccrypt - http://ccrypt.sourceforge.net/ (or some other commandline file encryption program like GnuPG. This tutorial will discuss ccrypt.)

If you know how to install Osiris as a static binary on other OS's, please email me with the instructions and I'll add it to this article.

Osiris

Untar the distributions to "/tmp/".

/bin/tar -xzvf osiris-x.x.x.tar.gz
cd osiris-x.x.x-release

First edit the file: "src/install/install.sh" and change the line:

INTERACTIVE=1

to

INTERACTIVE=0

This will prevent the "remote_update.pl" program from prompting you for input when Osiris is installed on the remote systems. Change any other options you need in that file.

If you will be running Osiris on multiple Linux versions, you can compile it as a static binary on one Linux system and then push that binary out to the other Linux systems. If you want to do this, then add this before running ./configure: export CFLAGS="-static $CFLAGS"

Now to compile Osiris:

./configure

or as a static binary:

export CFLAGS="-static $CFLAGS"
./configure
/bin/make
/bin/make agent
/bin/make console1 (optional)

1(Note: Run this command to create static binaries of the management console.)

In the source directory there will be a tarball created of the agent that was just compiled. It is located under the Osiris source directory in: "src/install" It will have the name format of: osiris-version-release-kernel-version-architecture.tar.gz

/bin/ls src/install/

You should see something like:

osiris-agent-x.x.x-release-Linux.2.4.26.tar.gz

(if you ran:

/bin/make console

you will also see osiris-console-x.x.x-release-Linux.2.4.26.tar.gz)

remote_update.pl

Untar the "remote_update.pl" tarball:

/bin/tar xzvf remote_update-x.x.tar.gz
/bin/cp remote_update-x.x/remote_update.pl /usr/sbin

create a directory called "osiris/" under "/tmp/":

/bin/mkdir /tmp/osiris
cd /tmp/osiris

Create the directories: "files/" and "scripts/" and a text file named "hosts" and "password" in the root of "/tmp/osiris/":

/bin/mkdir /tmp/osiris/{files,scripts}
/usr/bin/touch /tmp/osiris/{hosts,password}

Copy the files that you want to transfer to the directory "files/"

/bin/cp /tmp/osiris-x.x.x/src/install/osiris-agent-x.x.x-release-Linux-2.4.26-1-686.tar.gz /tmp/osiris/files

(Optionally you can copy over the management console to some hosts but it is recommended to copy it to only a few computers. In particular, just those that will be managing the Osiris file-integrity program.)

Then, create a script that will untar the Osiris distribution and run the install program on the remote systems and put that script in "scripts/".

Here is a sample script called "Osiris-deploy.sh":

##################### /tmp/osiris/scripts/Osiris-deploy.sh ##########################
#!/bin/sh

/bin/tar -xzvf ./files/osiris-agent-x.x.x-release-Linux-2.4.26-1-686.tar.gz
# I like to be sure the temporary remote directory is owned by the user that is logging
# in so all temporary files and directories are removed
/bin/chown -R user:user /home/user/.remote_update/
cd ./osiris-agent-x.x.x-release
./install.sh
##################### /tmp/osiris/scripts/Osiris-deploy.sh ##########################

Make the file executable and copy it to the "scripts/" directory:

/bin/chmod +x Osiris-deploy.sh
/bin/cp Osiris-deploy.sh /tmp/osiris/scripts/

Next, specify in the "hosts" file a list of hosts, one per line, to deploy Osiris on. For example,

##################### /tmp/osiris/hosts ##########################
host1
127.0.0.1
myhost.domain.net
##################### /tmp/osiris/hosts ##########################

ccrypt

The program ccrypt will be installed based on the distribution you are using, OS, and the format you choose to use. It comes as a static binary, RPM, or source. For debian I ran:

/usr/sbin/apt-get install ccrypt

Now comes the really imporant part, the "password" file. The remote_update program comes with a sample password file so you can peruse that for more information.

Below is an example of how to setup the password file: and a list of passwords for root. The remote_update program will try each password until it succeeds or fails. Here is a sample password file called "password":

##################### /tmp/osiris/password ##########################
# 1. Be sure no one is looking over you shoulder during this part!
# 2. Be sure you type the passwords correctly.
# 3. The username must be at the beginning of the line and the password
# has to be one tab over and underneath the username for that particular user.
# 4. There are some exceptions to this so read the "example_password.txt" file
# in the source directory of remote_update
# 5. remote_update will keep trying until there are no more user/password combinations or until it suceeds

duane
password1
password2
password3
password4
ryan
password1
password2
root
password1
password2

##################### /tmp/osiris/password ##########################

Immediately encrypt the file with "ccrypt" (or GnuPG):

/usr/bin/ccrypt -e password

After you type a password to encrypt the file it will give the file a ".cpt" extension.

All Together now

Be sure that that the "hosts" file is located in the root of "/tmp/osiris/". Now you are ready to deploy Osiris with the command:

/usr/bin/ccat password.cpt | /usr/sbin/remote_update.pl -v -p - -d /tmp/osiris

Here is what is going on. First you decrypt the contents of the "password.cpt" file (/usr/bin/ccat password.cpt) and pipe it into the remote_update program and tell it to get the password from standard input: (| /usr/sbin/remote_update.pl -p - ) then specify the directory where the scripts and files to copy over is located (-d /tmp/osiris). I have a sick and personal thing about seeing stuff moving on my terminals so I specified the verbose switch (-v). For each host specified in the hosts file under "/tmp/osiris" there will be a ".log" file created with the verbose output from the remote system under the "/tmp/osiris/" directory. This is the same output as the (-v) switch on the commandline. If there are any errors with installing osiris on some hosts you can specify the (-f) switch and remote_update will only retry the hosts that failed.

/usr/bin/ccat password.cpt | /usr/sbin/remote_update.pl -v -f -p - -d /tmp/osiris

Under the directory "/tmp/osiris" there will be a ".log" file for each hosts specified in the "hosts" file.

Now you have three great programs to work with, Osiris, remote_update.pl, and ccrypt. Remote_update.pl can be used for a wide variety of purposes when you are administering a lot of computer systems at once.


Duane Dunston received his B.A. and M.S. degrees from Pfeiffer University and he has his GSEC certification from SANS. Hey,Ann Curry!

Comments
adding new host to Ositis management conWritten by Mohammad Rahin on 2007-08-09 11:14:58
I am very interested in mass deploying Osisris and this article certainly helps. I'd like to know if you any idea on how to automate the process of adding new hosts to Osiris Management Console without using the Osiris CLI interactively. 
 
- Mohammad
Sr. Systems EngineerWritten by J Kirk on 2008-10-01 10:45:58
I have been able to automate the Osiris CLI using an Expect Script 
 
http://oreilly.com/catalog/expect/chapter/ch03.html

Only registered users can write comments.
Please login or register.

Powered by AkoComment!