portinstall security/osiris
I decided to install Osiris (OSIRIS - Host Integrity Monitoring) on yesterday's FreeBSD 5.3R box (well, after freebsd-update it is FreeBSD 5.3-SECURITY).
Now, running the command in the title as-is does not seem to install osirismd (the management console). I spent a while puzzling over "there's no /usr/local/sbin/osirismd... why... orz".
/usr/ports/security/osiris/Makefile contains
.if defined(WITH_OSIRISMD)
so I added
WITH_OSIRISMD= yes
to /etc/make.conf, and then it installed without trouble. Phew. Incidentally, the current latest version, 4.0.6, is what gets installed.
Still, though. Searching google:freebsd with_osirismd gets only 2 hits. Hmm.
So Osiris isn't used much, I guess. I think it's pretty good, though.
Though I say that as someone who has never used any other host-based IDS.
Anyway, below is a long install memo. The prompt is $ because the shell is /usr/local/bin/bash.
$ sudo vi /etc/make.conf
WITH_OSIRISMD= yes
$ cd /usr/ports
$ sudo portinstall security/osiris
$ ls -l /usr/local/sbin/osiris*
-r-xr-xr-x  1 root  wheel  895780 Dec  8 03:36 /usr/local/sbin/osiris
-r-xr-xr-x  1 root  wheel  124608 Dec  8 03:36 /usr/local/sbin/osirisd
-r-xr-xr-x  1 root  wheel  922540 Dec  8 03:36 /usr/local/sbin/osirismd
$ ls -l /usr/local/etc/rc.d/osiris*
-r-xr-xr-x  1 root  wheel  330 Dec  8 03:36 /usr/local/etc/rc.d/osirisd.sh.sample
-r-xr-xr-x  1 root  wheel  497 Dec  8 03:36 /usr/local/etc/rc.d/osirismd.sh.sample
$ cd /usr/local/etc/rc.d/
$ sudo cp -p osirisd.sh.sample osirisd.sh
$ sudo cp -p osirismd.sh.sample osirismd.sh
$ sudo ./osirismd.sh start
$ sudo ./osirisd.sh start
$ ps aux | grep osiris
root    50348  0.0  0.4  3720  2928  p1  S     4:20AM   0:00.00 /usr/local/sbin/osirismd -r /usr/local/osiris
root    50349  0.0  0.4  3784  2964  p1  S     4:20AM   0:00.00 /usr/local/sbin/osirismd -r /usr/local/osiris
root    50352  0.0  0.2  2912  1592  p1  S     4:20AM   0:00.00 /usr/local/sbin/osirisd -r /usr/local/osiris
osiris  50353  0.0  0.3  2940  2072  p1  S     4:20AM   0:00.01 /usr/local/sbin/osirisd -r /usr/local/osiris
hoge    50355  0.0  0.1  1516   664  p1  RL+   4:20AM   0:00.00 grep osiris
$ osiris
warning: unable to locate an editor.
Osiris Shell Interface - version 4.0.6-release
unable to load root certificate for management host: (/home/ishi_vm/.osiris/osiris_root.pem)
>>> fetching root certificate from management host (localhost).
The authenticity of host 'localhost' can't be established.
[ server certificate ]
subject = /C=US/CN=Osiris Management Console/OU=Osiris Host Integrity System
issuer = /C=US/CN=Osiris Management Console/OU=Osiris Host Integrity System
key size: 2048 bit
MD5 fingerprint: 0D:BF:F3:3C:47:14:D6:8F:20:3F:75:1A:94:03:E9:33
Verify the fingerprint specified above.
Are you sure you want to continue connecting (yes/no)? yes
>>> authenticating to (localhost)
User: admin
Password:
connected to management console, code version (4.0.6-release).
hello.
WARNING: your password is empty, use the 'passwd' command to set your password.
osiris-4.0.6-release: passwd
User: admin
Password:
>>> user: (admin) updated.
osiris-4.0.6-release: exit
$ osiris
warning: unable to locate an editor.
Osiris Shell Interface - version 4.0.6-release
>>> authenticating to (localhost)
User: admin
Password:
connected to management console, code version (4.0.6-release).
hello.
osiris-4.0.6-release: ?
[ Management Commands ]
  mhost               host                new-user
  edit-filters        edit-mhost          edit-host
  edit-user           print-filters       print-mhost-config
  list-hosts          list-users          test-notify
  new-host            delete-user
[ Host commands ]
  status              list-configs        start-scan
  list-db             watch-host          new-config
  stop-scan           base-db             disable-host
  push-config         print-log           set-base-db
  host-details        edit-config         list-logs
  print-db            print-host-config   print-config
  print-db-errors     rm-host             rm-config
  print-db-header     init                drop-config
  rm-db               config              verify-config
[ Misc commands ]
  help                version             quit
  ssl
For help with a specific command, try: help
osiris-4.0.6-release: edit-mhost
[ edit management host (localhost) ]
> syslog facility [DAEMON]:
> control port [2266]:
> http host name (uses system name by default) :
> http control port [2267]:
> notify email (default for hosts) : foo@bar.com
> admin email (gets all mail): foo@bar.com
> notification smtp host [127.0.0.1]:
> notification smtp port [25]:
> authorized hosts:
  127.0.0.1
Modify authorization list (y/n)? [n]
[ management config (localhost) ]
  syslog_facility = DAEMON
  control_port = 2266
  http_port = 2267
  http_host =
  notify_email = foo@bar.com
  admin_email = foo@bar.com
  notify_smtp_host = 127.0.0.1
  notify_smtp_port = 25
  hosts_directory =
  allow = 127.0.0.1
Is this correct (y/n)? y
>>> management host configuration has been saved.
osiris-4.0.6-release: new-host
[ new host ]
> name this host : hoge
> hostname/IP address : 127.0.0.1
> description :
> agent port [2265]:
> enable log files for this host? (yes/no) [no]: yes
Scan Databases:
=> keep archives of scan databases?
   Enabling this option means that the database generated with each scan is saved, even if there are no changes detected. Because of disk space, this option is not recommended unless your security policy requires it.
   (yes/no) [no]:
=> auto-accept changes?
   Enabling this option means that detected changes are reported only once, and the baseline database is automatically set when changes are detected.
   (yes/no) [yes]: no
=> purge database store?
   Enabling this option means that none of the scan databases are saved. That is, whenever the baseline database is set, the previous one is deleted.
   (yes/no): [yes]:
Notifications:
=> enable email notification for this host? (yes/no) [no]: yes
=> send notification on scheduled scans failures? (yes/no) [no]: yes
=> send scan notification, even when no changes detected (yes/no) [no]: yes
=> send notification when agent has lost session key (yes/no) [no]: yes
=> notification email (default uses mhost address) []:
Scheduling:
> configure scan scheduling information? (yes/no) [no]: yes
[ scheduling information for hoge ]
Scheduling information consists of a start time and a frequency value. The frequency is a specified number of minutes between each scan, starting from the start time. The default is the current time.
Specify the start time in the following format: mm/dd/yyyy HH:MM
enter the start date and time using 'mm/dd/yyyy HH:MM' format: [Wed Dec  8 04:34:29 2004]
enter scan frequency in minutes: [1440]
> activate this host? (yes/no) [yes]:
  host => hoge
  hostname/IP address => 127.0.0.1
  description =>
  agent port => 2265
  host type => generic
  log enabled => yes
  archive scans => no
  auto accept => no
  purge databases => yes
  notifications enabled => yes
  notifications always => yes
  notify on rekey => yes
  notify on scan fail => yes
  notify email => (management config)
  scans starting on => Wed Dec  8 04:34:29 2004
  scan frequency => daily (every 1440 minutes).
  enabled => yes
Is this correct (y/n)? y
>>> new host (hoge) has been created.
Initialize this host? (yes/no): yes
Initializing a host will push over a configuration, start a scan, and set the created database to be the trusted database.
Are you sure you want to initialize this host (yes/no): yes
OS Name: FreeBSD
OS Version: 5.3-STABLE
use the default configuration for this OS? (yes/no): yes
>>> configuration (default.freebsd) has been pushed.
>>> scanning process was started on host: hoge
osiris-4.0.6-release: exit
$ sudo vi /usr/local/osiris/configs/default.freebsd
$ osiris
warning: unable to locate an editor.
Osiris Shell Interface - version 4.0.6-release
>>> authenticating to (localhost)
User: admin
Password:
connected to management console, code version (4.0.6-release).
hello.
osiris-4.0.6-release: host hoge
hoge is alive.
osiris-4.0.6-release[hoge]: list-configs
[shared configs]
[ name ]                [ id ]
default.aix             9063034d
default.bsdos           d39b2f4c
default.darwin          043faff0
default.freebsd         2d68ab1b
default.irix            8d116316
default.linux           9e115472
default.openbsd         ade8f87c
default.sunos           653acb07
default.unix-generic    86e8b8aa
default.windows2000     7176f20a
default.windowsnt       7176f20a
default.windowsserve    7176f20a
default.windowsxp       4fde5170
total: 13
-no local configurations-
osiris-4.0.6-release[hoge]: print-config default.freebsd
config name: default.freebsd
ID: 2d68ab1b
status: valid
errors: 0
warnings: 0
lines: 46
begin config file --------
Recursive yes
FollowLinks no
IncludeAll
Hash sha
Include mod_users
Include mod_groups
Include mod_kmods
IncludeAll
IncludeAll
IncludeAll
IncludeAll
IncludeAll
IncludeAll
IncludeAll
IncludeAll
IncludeAll
IncludeAll
IncludeAll
IncludeAll
# EOF
end config file --------
osiris-4.0.6-release[hoge]: status
[ current status of host: hoge ]
  current time: Wed Dec  8 05:07:47 2004
  up since: Wed Dec  8 04:20:42 2004
  last config push: Wed Dec  8 04:37:43 2004
  configuration id: 5d97c904
  agent status: idle.
  config status: current config is valid.
  osiris version: 4.0.6-release
  OS: FreeBSD 5.3-STABLE
osiris-4.0.6-release[hoge]: host-details
[ host details for: (hoge) ]
  enabled : yes
  hostname/IP : 127.0.0.1
  configs : 0
  databases : 1
  host type : generic
  log files : yes
  archive scans : no
  auto accept : no
  purge databases : yes
  notify enabled : yes
  notify always : yes
  notify on rekey : yes
  notify scan fail : yes
  notify email : (management config)
  scans start : Wed Dec  8 04:34:29 2004
  scan period : every 1440 minutes
  base DB : 1
  agent port : 2265
  description :
osiris-4.0.6-release[hoge]: exit
osiris-4.0.6-release: print-filters
-no filters-
osiris-4.0.6-release: edit-filters
  s) show current filters.
  a) add a new filter.
  e) edit a filter.
  r) remove filter.
  q) quit
> a
> host (*=all hosts): [*]
> path (*=any path): [*]
  1) Include Only (monitor changes only to certain attributes)
  2) Exclude (ignore changes to certain attributes)
> filter type: 2
  csum - checksum
  device - device number
  inode - inode number
  perm - permissions (mode)
  links - number of hard links
  uid - user ID
  gid - group ID
  mtime - last modification time
  atime - last access time
  ctime - last change time
  dtype - device type
  bytes - number of bytes
  blocks - number of blocks
  bsize - block size
  osid - owner SID
  gsid - group SID
  fileattr - windows file attributes
  new - not in trusted database
  missing - not present in latest scan
> attributes (comma separated): device
does this look correct:
  ==> host=*;path=*;exclude: device ;
(y/n)? y
>>> filter added.
  s) show current filters.
  a) add a new filter.
  e) edit a filter.
  r) remove filter.
  q) quit
> s
  host=*;path=*;exclude: device ;
1 comparison filters.
  s) show current filters.
  a) add a new filter.
  e) edit a filter.
  r) remove filter.
  q) quit
> q
>>> comparison filters have been saved.
osiris-4.0.6-release: start-scan hoge
>>> scanning process was started on host: hoge
osiris-4.0.6-release: test-notify
>>> connecting...
>>> notification test message(s) sent.
osiris-4.0.6-release: exit
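The comparison filter saved in the session above (host=*;path=*;exclude: device ;) decides which differences between the baseline database and the latest scan reach the report. The following Python is an added example, not Osiris code: it models that filtering on constructed baseline and scan records, using attribute names from the edit-filters menu, so the device-number exclude swallows the noise of a remount while a changed checksum, a missing file and a new file are still reported. The "include:" keyword for Include Only filters and the sample records are assumptions.

```python
from fnmatch import fnmatch

ATTRS = ("csum", "device", "inode", "perm", "links", "uid", "gid",
         "mtime", "ctime", "bytes")  # subset of the edit-filters attribute names

def parse_filter(line):
    """Parse 'host=*;path=*;exclude: device ;' ('include:' is an assumed spelling)."""
    host, path, rule = (p.strip() for p in line.split(";", 2))
    kind, attrs = rule.rstrip("; ").split(":", 1)
    return {"host": host.split("=", 1)[1], "path": path.split("=", 1)[1],
            "kind": kind.strip(),
            "attrs": {a.strip() for a in attrs.split(",") if a.strip()}}

def diff_records(base, scan):
    """Yield (path, changed attributes); 'new' and 'missing' are attributes too."""
    for path in sorted(set(base) | set(scan)):
        if path not in base:
            yield path, {"new"}
        elif path not in scan:
            yield path, {"missing"}
        else:
            changed = {a for a in ATTRS if base[path].get(a) != scan[path].get(a)}
            if changed:
                yield path, changed

def apply_filters(host, changes, filters):
    """Exclude drops the listed attributes, Include Only keeps nothing but them."""
    reported = {}
    for path, changed in changes:
        keep = set(changed)
        for f in filters:
            if fnmatch(host, f["host"]) and fnmatch(path, f["path"]):
                keep = keep - f["attrs"] if f["kind"] == "exclude" else keep & f["attrs"]
        if keep:  # a path with no attributes left is not reported at all
            reported[path] = keep
    return reported

# constructed sample: a remount changed every device number, /bin/sh was really
# modified, /sbin/old vanished and an unexpected binary appeared
BASELINE = {"/bin/ls": {"csum": "a1", "device": 1, "perm": "r-xr-xr-x"},
            "/bin/sh": {"csum": "b2", "device": 1, "perm": "r-xr-xr-x"},
            "/sbin/old": {"csum": "c3", "device": 1, "perm": "r-xr-xr-x"}}
SCAN = {"/bin/ls": {"csum": "a1", "device": 2, "perm": "r-xr-xr-x"},
        "/bin/sh": {"csum": "ff", "device": 2, "perm": "r-xr-xr-x"},
        "/usr/local/sbin/extra": {"csum": "d4", "device": 2, "perm": "r-xr-xr-x"}}
FILTERS = [parse_filter("host=*;path=*;exclude: device ;")]

def report(host="hoge"):
    """Changes that would be reported for host 'hoge' after filtering."""
    return apply_filters(host, diff_records(BASELINE, SCAN), FILTERS)
```

Without the filter, /bin/ls would be reported too, only because its device number changed; with it, the report is reduced to the three differences worth a look.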
Er, this is the setup for my own server, so the other one is a bit different (said to no one in particular).