Osiris monitora periodicamente um ou mais hosts em busca de alguma modificação. Armazena registros detalhados de mudanças no sistema de arquivos, de usuários e grupos, e módulos do kernel, e muito mais. Osiris pode ser configurado para enviar e-mail para o administrador com todos esses logs. As máquinas são periodicamentes verificadas e, se desejar, os registros podem ser mantidos para uma análise posterior (forense). Osiris mantém o administrador informado sobre possíveis ataques e/ou trojans. O objetivo é isolar as mudanças que indicam um sistema comprometido (invadido). O osiris utiliza criptografia e autentição (OpenSSL) em todos os componentes. Pode ser utilizado para monitorar Host Linux/Unix, OSX, e Windows.
O osiris é dividido em 3 componentes:
- osirismd – O daemon do servidor osiris.
- osirisd – O agente instalado no cliente.
- osiris – Utilitário de linha de comando utilizado para administração do servidor osiris.
No servidor osiris
# apt-get install osiris osirismd osirisd
# osiris
1 2 3 4 5 6 7 8 9 10 11 12 13 |
Osiris Shell Interface - version 4.2.3-release unable to load root certificate for management host: (/root/.osiris/osiris_root.pem) >>> fetching root certificate from management host (localhost). The authenticity of host '127.0.0.1' can't be established. [ server certificate ] subject = /C=US/CN=Osiris Management Console/OU=Osiris Host Integrity System issuer = /C=US/CN=Osiris Management Console/OU=Osiris Host Integrity System key size: 2048 bit MD5 fingerprint: 84:28:18:89:0F:7E:0C:5B:AE:B6:57:8B:38:B7:44:EF Verify the fingerprint specified above. Are you sure you want to continue connecting (yes/no)? yes >>> authenticating to (127.0.0.1) |
Faça login com usuário admin, pressione ENTER na senha
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 |
User: admin Password: connected to management console, code version (4.2.3-release). hello. WARNING: your password is empty, use the 'passwd' command to set your password. osiris-4.2.3-release: passwd User: admin Password: >>> user: (admin) updated. osiris-4.2.3-release: edit-mhost [ edit management host (127.0.0.1) ] > syslog facility [DAEMON]: > control port [2266]: > http host name (uses system name by default) []: > http control port [0]: 2267 > notify email (default for hosts) []: > notification smtp host [127.0.0.1]: > notification smtp port [25]: > authorized hosts: 127.0.0.1 Modify authorization list (y/n)? [n] y s) show current listing. a) add a new authorized host. r) remove authorized host. q) quit > a > authorized hostname/IP (*=wildcard): 10.1.1.* s) show current listing. a) add a new authorized host. r) remove authorized host. q) quit > q [ management config (127.0.0.1) ] syslog_facility = DAEMON control_port = 2266 http_port = 2267 http_host = notify_email = notify_smtp_host = 127.0.0.1 notify_smtp_port = 25 hosts_directory = allow = 127.0.0.1 allow = 10.1.1.* Is this correct (y/n)? y >>> management host configuration has been saved. osiris-4.2.3-release: quit |
Vamos iniciar o daemon do osiris no cliente:
cliente:~# apt-get install osirisd
Vamos retornar ao servidor osiris e cadastrar a máquina cliente (hostname – cliente / IP – 10.1.1.100)
# osiris
1 2 3 4 5 6 7 |
osiris-4.0.1-release: new-host [ new host ] > name this host []: cliente > hostname/IP address []: 10.1.1.100 > description []: Agente da Maquina Cliente > agent port [2265]: > enable log files for this host? (yes/no) [no]: |
É recomendável que você aceite os padrões nas próximas configurações, as opções são auto explicativas
1 2 3 4 5 6 7 8 9 10 11 |
Scan Databases: => keep archives of scan databases? Enabling this option means that the database generated with each scan is saved, even if there are no changes detected. Because of disk space, this option is not recommended unless your security policy requires it. (yes/no) [no]: => auto-accept changes? Enabling this option means that detected changes are reported only once, and the baseline database is automatically set when changes are detected. (yes/no) [yes]: => purge database store? Enabling this option means that none of the scan databases are saved. That is, whenever the baseline database is set, the previous one is deleted. (yes/no): [yes]: |
Vamos acertar as configurações de notificações:
1 2 3 4 5 6 |
Notifications: => enable admin <a title="Dicas-de-Linux-Email" href="http://www.dicasdelinux.com.br/categoria/3/correio-eletranico.html">email</a> notification for this host? (yes/no) [no]: yes => send notification on scheduled scans failures? (yes/no) [no]: yes => send scan notification, even when no changes detected (yes/no) [no]: => send notification when agent has lost session key (yes/no) [no] : yes => notification <a title="Dicas-de-Linux-Email" href="http://www.dicasdelinux.com.br/categoria/3/correio-eletranico.html">email</a> (default uses mhost address) []: |
Vamos tratar agora da frequência do agendamento:
1 2 3 4 5 6 7 8 9 10 |
> configure scan scheduling information? (yes/no) [no]: yes [ scheduling information for cliente ] Scheduling information consists of a start time and a frequency value. The frequency is a specified number of minutes between each scan, starting from the start time. The default is the current time. Specify the start time in the following format: mm/dd/yyyy HH:MM enter the start date and time using 'mm/dd/yyyy HH:MM' format: [Mon Aug 2 08:00:00 2011] enter scan frequency in minutes: [1440] > activate this host? (yes/no) [yes]: |
Nesta configuração a primeira verificação acontece imediatamente a cada 24horas uma nova verificação.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 |
host => cliente hostname/IP address => 10.1.1.100 description => Agente da Maquina Cliente agent port => 2265 host type => generic log enabled => no archive scans => no auto accept => yes purge databases => yes notifications enabled => yes notifications always => no notify on rekey => yes notify on scan fail => yes notify <a title="Dicas-de-Linux-Email" href="http://www.dicasdelinux.com.br/categoria/3/correio-eletranico.html">email</a> => (management config) scans starting on => Mon Aug 1 08:00:00 2011 scan frequency => daily (every 1440 minutes). enabled => yes Is this correct (y/n)? y >>> new host (cliente) has been created. Initializing a host will push over a configuration, start a scan, and set the created database to be the trusted database. Are you sure you want to initialize this host (yes/no): yes OS Name: Linux OS Version: 2.6.32-5-686 use the default configuration for this OS? (yes/no): yes >>> configuration (default.linux) has been pushed. >>> scanning process was started on host: cliente osiris-4.2.3-release: |
A listagem de arquivos a serem verificados no cliente está definido no arquivo default.linux.
Vamos verificar se a base de dados do cliente foi criada corretamente:
1 2 3 4 5 6 7 |
osiris-4.2.3-release: databases cliente This may take a while... [ name ] [ created ] * 1 Mon Aug 1 08:35:27 total: 1 (*) denotes the base database for this host. osiris-4.2.3-release: |
Se aparecer incomplete, significa que algo não funcionou.
Vamos analisar o host cliente no prompt do osiris
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 |
osiris-4.2.3-release: host cliente osiris-4.2.3-release[cliente]: list-db This may take a while... [ name ] [ created ] * 1 Mon Aug 1 08:35:27 total: 1 (*) denotes the base database for this host. osiris-4.2.3-release[cliente]: status [ current status of host: cliente ] current time: Mon Aug 1 22:37:12 2011 up since: Mon Aug 1 22:31:47 2011 last config push: Mon Aug 1 22:35:13 2011 configuration id: 44ef5472 agent status: idle. config status: current config is valid. osiris version: 4.2.3-release OS: Linux 2.6.32-5-686 |
Vamos analisar o log no cliente
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 |
osiris-4.2.3-release[cliente]: list-logs This may take a while... [ name ] [ date ] log.temp Mon Aug 1 22:43:37 total: 1 osiris-4.2.3-release[cliente]: print-log log.temp -------- begin log file -------- compare time: Mon Aug 1 22:43:37 2011 host: cliente scan config: default.linux (44ef5472) log file: no log file generated, see system log. base database: 1 compare database: 2 Change Statistics: ---------------------------------- checksums: 0 SUID files: 0 root-owned files: 0 file permissions: 0 new: 0 missing: 0 total differences: 0 -------- end log file -------- osiris-4.2.3-release[cliente]: q osiris-4.2.3-release[cliente]: quit |
O prompt do osiris é rico em opções e caso desejem maiores informações vale uma visita ao site do desenvolvedor (http://osiris.shmoo.com/handbook.html)
Espero que tenham gostado post e não se esqueçam de votar em nosso portal no TOP30, e também não deixem de assinar.
[twitter-follow screen_name=’rpinheiro2k’]