Slashdot Mirror
Host Integrity Monitoring Using Osiris and Samhain
nazarijo (Jose Nazario) writes "When you arrive to work one morning, you find that your coworker's workstation
is acting funny. A quick forensic examination reveals it's been compromised
and used to scan the network for more vulnerabilities. When did this
happen, and where else is this going on in you domain? With a host
integrity monitoring solution, you'll be a lot further along at answering
those questions than piecing it all together after the fact. And you
can accomplish this with two freeware tools, as described in Host
Integrity Monitoring Using Osiris and Samhain, a new book from
Syngress Publishing." Read on for the rest of Nazario's review.
Host Integrity Monitoring Using Osiris and Samhain
author
Brian Wotring, with Bruce Potter and Rainer Wichmann
pages
450
publisher
Syngress
rating
8
reviewer
Jose Nazario
ISBN
1597490180
summary
Use freeware tools to ensure your site's security is intact
Host integrity monitoring is the process by which system and network administrators validate and enforce the security of their systems. This can be a complex suite of approaches, tools, and methodologies, and it can be as simple as looking at loggin output. In the past, tools like Tripwire were used to check the configurations on hosts. The freeware version of this tool was limited in its manageability, which was available mainly in the commercial version.
Tools like Osiris and Samhain came along to fill the gap and have since evolved into mature projects themselves. Like any existing software tool out there, any new book should be evaluated not only on its own but also in he context of the existing documentation. Both Osiris and Samhain have decent amounts of documentation available already (Samhain seems to have a larger user documentation repository online than the Osiris tool does), and the book contributes to these docs quite well.
Host Integrity Monitoring shows you how to set up these tools and put them into production on Windows, UNIX, and OS X. Wotring's writing is fairly good, and his examples are usually pretty clear. The pace of the material is good, and there's not a whole lot of domain-specific expertise beyond system administration skills required to make use of the book. At times some of the formatting of the text gets in the way, but that's trivial compared to the quality of writing (which is pretty good).
Overall the material in the book is decent. The book opens with an overview of what host integrity monitoring is, why you should use it, and some of the basic premises. Then it goes on to discuss Samhain and Osiris, starting with their basic installation and then on to their advanced usage. They differ enough that each project merits its own pieces of documentation, even though they're similar in spirit. You'll learn how to schedule scans, integrate with other tools like Swatch, and in general administer a site installation.
The author of the book, Brian Wotring, is more familiar with Osiris than he is with Samhain, and it shows. More material (100 pages) is devoted to using Osiris than is given to Samhain (60 pages), which is to be expected. The coverage of both is sufficient, though, and fills the major parts of the book.
There are three major strengths to this book over the existing docs. The first is seeing not just the tools themselves covered but also the threats they cover in place. The second is having the two tools covered side by side, allowing you to see how to accomplish the same task with each. And thirdly, there are two appendices that are true gems of this book. The first covers how to get your Linksys Linux based AP device monitored using the Osiris tool, which isn't a small feat. The second is how to write your own modules for Osiris and Samhain, for which this appears to be the only documentation for Osiris (Samhain's website has a How To on writing modules). Again, these add value to the book over the freely available documentation.
I would have liked to have seen the chapters devoted specifically to Osiris and Samhain, chapters 6 (Osiris) and 7 (Samhain) broken up into two or three chapters covering their installation and use. The length of these chapters can make finding some material difficult at times. I would have also have liked to see the use of the "bold is input, normal text is output" technical book convention. In many examples finding the user input text can be challenging.
Host Integrity Monitoring Using Osiris and Samhain is not only about these tools but about how to accomplish host integrity monitoring on the cheap (since the code is freely available). While you can find docs on each project, this book complements those docs nicely and provides a nicely wrapped package about how to get the most out of each tool. If you've been thinking about how to ensure that no one is tampering with your system, these tools, and this book, should definitely make your solutions list.
You can purchase Host Integrity Monitoring Using Osiris and Samhain from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
Host integrity monitoring is the process by which system and network administrators validate and enforce the security of their systems. This can be a complex suite of approaches, tools, and methodologies, and it can be as simple as looking at loggin output. In the past, tools like Tripwire were used to check the configurations on hosts. The freeware version of this tool was limited in its manageability, which was available mainly in the commercial version.
Tools like Osiris and Samhain came along to fill the gap and have since evolved into mature projects themselves. Like any existing software tool out there, any new book should be evaluated not only on its own but also in he context of the existing documentation. Both Osiris and Samhain have decent amounts of documentation available already (Samhain seems to have a larger user documentation repository online than the Osiris tool does), and the book contributes to these docs quite well.
Host Integrity Monitoring shows you how to set up these tools and put them into production on Windows, UNIX, and OS X. Wotring's writing is fairly good, and his examples are usually pretty clear. The pace of the material is good, and there's not a whole lot of domain-specific expertise beyond system administration skills required to make use of the book. At times some of the formatting of the text gets in the way, but that's trivial compared to the quality of writing (which is pretty good).
Overall the material in the book is decent. The book opens with an overview of what host integrity monitoring is, why you should use it, and some of the basic premises. Then it goes on to discuss Samhain and Osiris, starting with their basic installation and then on to their advanced usage. They differ enough that each project merits its own pieces of documentation, even though they're similar in spirit. You'll learn how to schedule scans, integrate with other tools like Swatch, and in general administer a site installation.
The author of the book, Brian Wotring, is more familiar with Osiris than he is with Samhain, and it shows. More material (100 pages) is devoted to using Osiris than is given to Samhain (60 pages), which is to be expected. The coverage of both is sufficient, though, and fills the major parts of the book.
There are three major strengths to this book over the existing docs. The first is seeing not just the tools themselves covered but also the threats they cover in place. The second is having the two tools covered side by side, allowing you to see how to accomplish the same task with each. And thirdly, there are two appendices that are true gems of this book. The first covers how to get your Linksys Linux based AP device monitored using the Osiris tool, which isn't a small feat. The second is how to write your own modules for Osiris and Samhain, for which this appears to be the only documentation for Osiris (Samhain's website has a How To on writing modules). Again, these add value to the book over the freely available documentation.
I would have liked to have seen the chapters devoted specifically to Osiris and Samhain, chapters 6 (Osiris) and 7 (Samhain) broken up into two or three chapters covering their installation and use. The length of these chapters can make finding some material difficult at times. I would have also have liked to see the use of the "bold is input, normal text is output" technical book convention. In many examples finding the user input text can be challenging.
Host Integrity Monitoring Using Osiris and Samhain is not only about these tools but about how to accomplish host integrity monitoring on the cheap (since the code is freely available). While you can find docs on each project, this book complements those docs nicely and provides a nicely wrapped package about how to get the most out of each tool. If you've been thinking about how to ensure that no one is tampering with your system, these tools, and this book, should definitely make your solutions list.
You can purchase Host Integrity Monitoring Using Osiris and Samhain from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
Host integrity monitoring is the process by which system and network administrators validate and enforce the security of their systems. This can be a complex suite of approaches, tools, and methodologies, and it can be as simple as looking at loggin output. In the past, tools like Tripwire were used to check the configurations on hosts. The freeware version of this tool was limited in its manageability, which was available mainly in the commercial version.
Tools like Osiris and Samhain came along to fill the gap and have since evolved into mature projects themselves. Like any existing software tool out there, any new book should be evaluated not only on its own but also in he context of the existing documentation. Both Osiris and Samhain have decent amounts of documentation available already (Samhain seems to have a larger user documentation repository online than the Osiris tool does), and the book contributes to these docs quite well.
Host Integrity Monitoring shows you how to set up these tools and put them into production on Windows, UNIX, and OS X. Wotring's writing is fairly good, and his examples are usually pretty clear. The pace of the material is good, and there's not a whole lot of domain-specific expertise beyond system administration skills required to make use of the book. At times some of the formatting of the text gets in the way, but that's trivial compared to the quality of writing (which is pretty good).
Overall the material in the book is decent. The book opens with an overview of what host integrity monitoring is, why you should use it, and some of the basic premises. Then it goes on to discuss Samhain and Osiris, starting with their basic installation and then on to their advanced usage. They differ enough that each project merits its own pieces of documentation, even though they're similar in spirit. You'll learn how to schedule scans, integrate with other tools like Swatch, and in general administer a site installation.
The author of the book, Brian Wotring, is more familiar with Osiris than he is with Samhain, and it shows. More material (100 pages) is devoted to using Osiris than is given to Samhain (60 pages), which is to be expected. The coverage of both is sufficient, though, and fills the major parts of the book.
There are three major strengths to this book over the existing docs. The first is seeing not just the tools themselves covered but also the threats they cover in place. The second is having the two tools covered side by side, allowing you to see how to accomplish the same task with each. And thirdly, there are two appendices that are true gems of this book. The first covers how to get your Linksys Linux based AP device monitored using the Osiris tool, which isn't a small feat. The second is how to write your own modules for Osiris and Samhain, for which this appears to be the only documentation for Osiris (Samhain's website has a How To on writing modules). Again, these add value to the book over the freely available documentation.
I would have liked to have seen the chapters devoted specifically to Osiris and Samhain, chapters 6 (Osiris) and 7 (Samhain) broken up into two or three chapters covering their installation and use. The length of these chapters can make finding some material difficult at times. I would have also have liked to see the use of the "bold is input, normal text is output" technical book convention. In many examples finding the user input text can be challenging.
Host Integrity Monitoring Using Osiris and Samhain is not only about these tools but about how to accomplish host integrity monitoring on the cheap (since the code is freely available). While you can find docs on each project, this book complements those docs nicely and provides a nicely wrapped package about how to get the most out of each tool. If you've been thinking about how to ensure that no one is tampering with your system, these tools, and this book, should definitely make your solutions list.
"Samhain" (pronounced "SAOW-an") is "November" in Irish.
Drill baby drill - on Mars
Host Integrity Monitoring Using Osiris and Samhain is not only about these tools but about how to accomplish host integrity monitoring on the cheap (since the code is freely available)
I had to look them up:
Osiris
Samhain
Samhuinn/ Samhain - Celtic Quarter Day: "The Samhuinn Festival serves the seasonally opposite role to Beltane. It was the Celtic New Year, although its practice far precedes the Celtic culture. It marked the end of summer and the time to bring herds in from summer pastures to lowland fields and enclosures for protection. With the signs of approaching winter, it is understandable that the festival should have a strong association with death. The trees are bare and the land barren of the earlier vegetation - nature itself seems to be dying.
Thus it was believed that this was the night of the dead - a time for the spirits of the departed from the previous year to pay one last visit to their relatives before departing for the other-world forever. Also taking advantage of this closeness between the land of the living and the dead were the mischievous and malevolent spirits of the underworld, and measures had to be taken to protect against their pranks. Thus evolved the tradition of modern Hallowe'en to wear masks - originally to disguise oneself against the unwanted attentions of spirits and faeries.
Another Samhuinn tradition was a market fair held in the nearest trading centre. This was a chance to settle business, to trade livestock and produce of the autumn and to revel with friends for one last time before the winter conditions made travel too difficult. Amongst the entertainments were the Goloshan Plays. The main theme of these ancient narratives was the battle between light and dark, summer and winter. The two characters fight to the death, winter overcoming summer as inevitably as the seasons, but the medicine-man steps in to revive the summer figure, thus ensuring the return of spring and light."
> When you arrive to work one morning, you find that your coworker's workstation is acting funny.
Scan results:
Workstation infected with Circus_Clown_Virus
You can't talk about Wikipedia's flaws on Wikipedia
but don't like the Slashdot whore link: Clickey
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
I wonder how long it will take worm/virus/trojan writers to write payloads that attack, disable, or hide from monitoring applications such as these? I suspect that monitoring apps will need to use the same randomized signature tricks that viruses use to avoid easy detection. Perhaps, the ultimate solution is to go back to non-flash ROMs with unbypassable, built-in integrity checking features.
Two wrongs don't make a right, but three lefts do.
When you arrive to work one morning, you find that your coworker's workstation is acting funny.
It won't take my coke. The cup holder keeps spitting it out. And I am expecting to be arrested any moment, as it keeps telling me I'm doing something illegal.
It should be noted that Brian Wotring, the book author, is the lead developer and release manager for Osiris. That probably explains why he knows it better than he knows Samhain...
First thing tomorrow morning, get on co-workers workstation. Obviously his is more fun than mine.
...Danzig or the Misfits???
Don't they deserve equal time?
Microsoft - Integrity - won't fit in the same sentence. More like, "Marginally works - ship it! Patch Later!! Capture Market Share!!!".
try { do() || do_not(); } catch (JediException err) { yoda(err); }
...but back then it was named aide(1). It is a sequel to tripwire(1) - also an excellent choice - and makes a nice adjunct to security(7) and periodic(8). Highly recommended; a real page-turner.
Dewey, what part of this looks like authorities should be involved?
Save yourself $15.28 by buying the book here: Host Integrity Monitoring Using Osiris and Samhain
Here's some useful links for those not in the know:
Osiris
Samhain
I'll turn into a supernova and burn up everything. Well I'll turn into a black little hole and you'll turn into string.
I've been using tripwire + custom scripts for centralized management for years.
I'm wondering, why hasn't tripwire been improved or forked? It's GPL right?
On a FreeBSD system, you can set the "immutable flag" on a file. Given a high enough system securelevel, that file will be completely resistant to change (including unsetting that flag). This is extremely handy for locking down file signature databases, kernel files, and other likely targets for stealth modification. So long as that portion of the kernel stands intact, the system can never be completely clandestinely owned
Very interesting. This FAQ suggest that OS X retains BSD's immutable flag. In theory, the only way to change this flag in OS X is to reboot in single-user mode. I wonder if a rootkit could force a reboot into single user mode, change these flags, and reboot back to remotely own an OS X machine? I would assume that unless the rootkit can insert something into the single-user mode start-up sequence, the system immutable flag should be fairly safe. The big downside would be that System Update would cease to work (and probably create a corrupt partial update) if the wrong file were locked in this way (security vs. ease-of-use again!).
Two wrongs don't make a right, but three lefts do.
Some useful features that it has which Tripwire doesn't is the ability to monitor kernel system call tables for changes (a common attack vector), and to run as a daemon to alert on changes immediately.
Its definitely worth a look.
MOD PARENT UP!
"Funny" names slow the acceptance of many OSS packages.
Marketing is connecting the mind of the prospective customer with the facts of the project. There is as much need for marketing of OSS as for commercial software. However, marketing is an intellectual challenge as big as programming, and most people don't know how to do both.
You forgot Lying to customers
Looking at logging output in an enterprise environment can be very difficult. To make this really useful you need to aggregate information in a central repository, from all different servers/apps running on many machines. For true heavy duty log analysis you need to resort to tools such as SenSage's log storage/analysis tool.
Any other tool will choke on the volume of information you'll be chugging through in an enterprise environment, unless you pay for a multi-million-dollar Oracle deployment.
A Linux-based product used by Blue Cross/Blue Shield, Yahoo, Lehman Brothers, etc. For true enterprise security you need something like this.
The point is that if you want people to use your software, give it a name that is easy for people.