Tip of the Trade: Osiris Network Integrity Monitor

One of the more vexing tasks for the network or system administrator is setting up host integrity monitoring. In theory, an integrity monitor watches for suspicious changes and sends an alert when it detects a problem. In practice, most are difficult to set up and need a lot of tuning before you strike a balance between too many false alarms and rules so loose that real changes go unreported. One of the better, easier-to-manage integrity monitors is Osiris.

In the market for a network-capable integrity monitor? Osiris offers easy manageability through its three primary components: a management console, a scan agent and a CLI management application.

Osiris is perfect for admins who need a network-capable integrity monitor. It has three primary components: a management console (osirismd), a scan agent (osirisd) and a CLI management application (osiris) that runs on the Osiris server. The server collects scan results from the remote agents, then sends reports to the network administrator and can be configured to log everything as well. Osiris supports only e-mail alerts; you don't get fancy paging or SMS options, so most admins enable both e-mail alerting and logging. It supports both manual and scheduled scans, and all traffic between the agents and the server is encrypted with SSL.

Osiris cannot determine whether changes are malicious or not; it simply reports changes. That also means the first snapshot must be taken on a host you trust, since a baseline captured after a compromise only enshrines the intruder's changes. Osiris takes periodic filesystem snapshots and stores them in a database on the Osiris server (also called the central management host). You, the ace administrator, configure what you want monitored and what sort of changes should trigger alerts, which are then e-mailed to the administrator. Osiris monitors files and file attributes (such as checksum, permissions, owner, uid and gid) and all kinds of system information, like kernel modules and user and group lists. It's very configurable, and the administration manual is exceptionally clear and thorough.
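The snapshot-and-compare model described above, reduced to its core as an added example (this is not Osiris code and does not come from the article): it records the same per-file attributes the article lists (checksum, permissions, uid, gid) plus size, stores the baseline as a JSON file that stands in for the server-side database, and reports per-path, per-attribute differences on the next scan. Kernel-module and user-list monitoring are omitted. The directory tree and the tampering in demo() are constructed for the example.

```python
import hashlib
import json
import os
import stat
import tempfile

# Attributes recorded for every file; a change in any of them is reported.
TRACKED = ("sha256", "mode", "uid", "gid", "size")


def _file_record(path):
    """Collect the tracked attributes of one entry (lstat: symlinks are not followed)."""
    st = os.lstat(path)
    rec = {
        "mode": stat.S_IMODE(st.st_mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "size": st.st_size,
        "sha256": None,  # only regular files get a content hash
    }
    if stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        rec["sha256"] = h.hexdigest()
    return rec


def snapshot(root):
    """Walk `root` and return {relative path: record} for every file below it."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            snap[os.path.relpath(full, root)] = _file_record(full)
    return snap


def save_snapshot(snap, db_path):
    """Persist a snapshot as JSON; this plays the role of the server-side database."""
    with open(db_path, "w") as f:
        json.dump(snap, f, indent=1, sort_keys=True)


def load_snapshot(db_path):
    with open(db_path) as f:
        return json.load(f)


def compare(baseline, current):
    """Diff two snapshots: added/removed paths plus per-attribute (old, new) changes."""
    report = {"added": [], "removed": [], "changed": {}}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            report["added"].append(rel)
        elif rel not in current:
            report["removed"].append(rel)
        else:
            old, new = baseline[rel], current[rel]
            diffs = {k: (old[k], new[k]) for k in TRACKED if old[k] != new[k]}
            if diffs:
                report["changed"][rel] = diffs
    return report


def demo():
    """Constructed scenario: baseline a small tree, then swap a binary for a
    same-size payload, loosen a file's mode and drop a hidden file."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as dbdir:
        login = os.path.join(root, "bin", "login")
        passwd = os.path.join(root, "passwd")
        os.makedirs(os.path.dirname(login))
        with open(login, "wb") as f:
            f.write(b"original binary\n")
        with open(passwd, "wb") as f:
            f.write(b"root:x:0:0\n")
        os.chmod(passwd, 0o644)

        # The baseline lives outside the monitored tree, as Osiris keeps it on
        # the management host rather than on the scanned machine.
        db = os.path.join(dbdir, "baseline.json")
        save_snapshot(snapshot(root), db)

        # Simulated tampering after the baseline was taken.
        with open(login, "wb") as f:
            f.write(b"trojaned binary\n")  # same length: only the checksum catches this
        os.chmod(passwd, 0o666)
        with open(os.path.join(root, "bin", ".hidden"), "wb") as f:
            f.write(b"dropped\n")

        return compare(load_snapshot(db), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Two points the example makes concrete. The baseline is stored outside the monitored tree, because an attacker with root on the scanned host could otherwise rewrite it to match the tampered files; that is the reason Osiris keeps the database on the management host. And the replaced binary is caught only by its checksum, since its size, mode and ownership are unchanged, which is why a monitor that compares stat() fields alone is not enough.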

The Osiris server should be locked down as tightly as possible, with access restricted to Osiris admins. By default, the server accepts logins only from localhost, although you can also enable remote logins. If you do, lock them down tightly! The management host is capable of supervising all kinds of network hosts across the Internet and other networks, but it is safer not to extend it through firewalls. If the management host is compromised, the entire installation is worthless: whoever controls it can rewrite the stored baselines and silence alerts for every monitored host.

Find downloads and all kinds of helpful information at Osiris.Shmoo.com.

This article was originally published on May 22, 2007