Having installed Tiger, I'm going to check out a certain rumor with the latest osiris. Download the latest version, 4.1.8, from the osiris home page (http://osiris.shmoo.com/). Hmm, it has been extended quite a bit, with an S/MIME module and so on. For now I'll only download the main package. On Tiger you need to have Xcode installed beforehand.
The latest version adds support for Windows 2003 Server and others, and the way filters are edited has changed (see below), so be aware of that.
Note) As of April 30, a few problems remain even with the settings below, so beware:
Filter settings do not appear to be applied correctly
Restarting osiris disables some of the managed host settings
Having no choice, I installed 3.0.4 instead, and that one seems to work properly. Oh well. For verification purposes I'd recommend 3.0.4 for now. (To whom?)
■ [osiris]configure
Extract the downloaded file.
- $ tar zxvf ./osiris-4.1.8.tar.gz
- $ ls ./osiris-4.1.8
- AUTHORS INSTALL Makefile.in TODO bootstrap config.sub depcomp mkinstalldirs
- COPYING LICENSE NEWS acinclude.m4 config.guess configure install-sh src
- ChangeLog Makefile.am README aclocal.m4 config.h.in configure.ac missing
First, a look at the configure options: the latest version of course supports OS X out of the box, so no options are needed.
- $ ./configure
- (snip)
- Osiris (c) 2000-2005 The Shmoo Group (TSG)
- -----------------------------------------------------
- ==> Configuration Complete.
- ==> Osiris has been configured with the following options:
- Host: powerpc-apple-darwin8.0.0
- Compiler: gcc
- Compiler flags: -Wall -g -O2
- Preprocessor flags:
- Linker flags:
- Libraries: -lpthread -lssl -lcrypto -lresolv
- Privlege Separation: yes
- SSL Location: (system)
- Osiris Root Directory: /usr/local/osiris
- Osiris user: osiris
- Osiris MD Directory: /usr/local/osiris
- Osiris MD user: osiris
- Osiris MD config dir: /usr/local/osiris
- ======================================
- Found Scan Agent Modules:
- ==> mod_groups
- ==> mod_kmods
- ==> mod_ports
- ==> mod_users
- ======================================
- ==> use one of the following targets:
- all: make everything, agent, CLI and management console.
- agent: create scan agent installer package.
- console: create management console installer package.
- install: run installation script.
- clean: remove object files.
That completes configure.
■ [osiris]Building the osiris client/console separately
osiris is designed so that a management console and scan clients work together: the management console goes on the management machine and the scan client on each managed host, and the two can be installed separately. When there are many managed hosts, you can build the console and client separately in advance and prepare an install package for each.
- $ make console
- (snip)
- -------------------------------------------------------------------------
- building release tarball: src/install/osiris-console-4.1.8-release-powerpc-Darwin-8.0.0.tar
- installer package contents:
- total 3744
- -rw-r--r-- 1 username username 5130 Apr 30 12:11 LICENSE
- drwxr-xr-x 17 username username 578 Apr 30 12:11 configs
- drwxr-xr-x 5 username username 170 Apr 30 12:11 darwin
- -rwxr-xr-- 1 username username 31187 Apr 30 12:11 install.sh
- -rwxr-xr-x 1 username username 863568 Apr 30 12:11 osiris
- -rwxr-xr-x 1 username username 125152 Apr 30 12:11 osirisd
- -rwxr-xr-x 1 username username 877192 Apr 30 12:11 osirismd
- -rw-r--r-- 1 username username 80 Apr 30 12:11 version.h
- -------------------------------------------------------------------------
- installer package created.
This creates the console package osiris-console-4.1.8-release-powerpc-Darwin-8.0.0.tar.gz under src/install/. Run make clean, then go on to create the client package.
- $ make agent
- (snip)
- -------------------------------------------------------------------------
- building release tarball: src/install/osiris-agent-4.1.8-release-powerpc-Darwin-8.0.0.tar
- installer package contents:
- total 336
- -rw-r--r-- 1 username username 5130 Apr 30 12:13 LICENSE
- drwxr-xr-x 5 username username 170 Apr 30 12:13 darwin
- -rwxr-xr-- 1 username username 31187 Apr 30 12:13 install.sh
- -rwxr-xr-x 1 username username 125152 Apr 30 12:13 osirisd
- -rw-r--r-- 1 username username 80 Apr 30 12:13 version.h
- -------------------------------------------------------------------------
- installer package created.
This creates the client package osiris-agent-4.1.8-release-powerpc-Darwin-8.0.0.tar.gz under src/install/. Each package can be installed with the following commands.
- $ tar zxvf ./osiris*
- $ cd osiris*
- $ sudo ./install.sh
■ [osiris]Building the osiris client/console together
In most cases this is the way to go for a first install. It builds and installs the client and console in one go.
- $ make all
- (snip)
- Build Successful!
- To create management console install package: 'make console'
- To create scan agent install package: 'make agent'
- Documentation is also online at: http://osiris.shmoo.com
When this message appears, you're ready to install. Install with the following command.
- $ sudo make install
■ [osiris]Installing osiris
From here on I'll comment on the output.
- $ sudo make install
- We trust you have received the usual lecture from the local System
- Administrator. It usually boils down to these three things:
- #1) Respect the privacy of others.
- #2) Think before you type.
- #3) With great power comes great responsibility.
- Password: ← administrator password
- (snip)
- Continue with installation? (y/n) [y] ← confirm continuing the installation
- Osiris Scanning Daemon Version
- 4.1.8-release
- "4.1.8-release" for Darwin 8.0.0
- Copyright (c) 2005 Brian Wotring. All Rights Reserved.
- This installation was configured and built to run as osiris
- agent user name: osiris
- management user name: osiris
- This installation was configured and built to use osiris
- agent root directory: /usr/local/osiris
- management root directory: /usr/local/osiris
- The username and directory will be created during the
- installation process if they do not already exist.
- By installing this product you agree that you have read the
- LICENSE file and will comply with its terms.
- ---------------------------------------------------------------------
- ==> creating user and group (osiris, osiris).
- ==> creating Osiris user and group with uid/gid 502.
- ==> group 'osiris' added.
- ==> user 'osiris' added.
- ==> using existing Osiris management console user.
- Install osiris agent? (y/n) [y] ← confirm installing the client
- Install management console? (y/n) [y] ← confirm installing the console
- Install CLI? (y/n) [y] ← confirm installing the command line tool
- Installation directory for binaries: [/usr/local/sbin] ← confirm the install directory
- Installation directory doesn't exist, creating.
- ==> installed osiris CLI: /usr/local/sbin/osiris
- Osiris scan agent root directory doesn't exist, creating.
- ==> installed scan agent: /usr/local/sbin/osirisd
- ==> installed management console /usr/local/sbin/osirismd
- ==> installed default scan configs.
- ==> updated: /etc/hostconfig --> OSIRISSERVER=-YES-
- ==> installing StartupItem for the Osiris Scan Agent.
- ==> installed /System/Library/StartupItems/Osiris/Osiris
- ==> change owner and permissions on /usr/local/sbin/osiris
- -rwxr-xr-x 1 root wheel 1412536 Apr 30 12:26 /usr/local/sbin/osiris
- ==> change owner and permissions on /usr/local/sbin/osirisd
- -rwxr-xr-x 1 root wheel 483060 Apr 30 12:26 /usr/local/sbin/osirisd
- ==> change owner permissions on /usr/local/sbin/osirismd
- -rwsr-xr-x 1 osiris osiris 1721788 Apr 30 12:26 /usr/local/sbin/osirismd
- ==================================================================
- Osiris has been installed, but is not currently running. Startup
- scripts have been installed so that the necessary services will
- be started on boot.
- Start management console now? (y/n) [y] ← confirm starting the console
- osirismd: missing configuration file,
- ==> created default in: /usr/local/osiris/osirismd.conf.
- unable to load server certificate (/usr/local/osiris/certs/osirismd.crt)
- ==> creating one.
- Generating RSA key, 2048 bit long modulus.
- ..................................................+++
- ..............................................................................+++
- Start scan agent now? (y/n) [y] ← confirm starting the client
- Documentation is included with this source and available online at:
- http://osiris.shmoo.com/docs
- (c) 2005 - Brian Wotring
This completes installation and startup. One thing worth noticing in the listing above: osirismd was installed set-user-ID to the osiris account (-rwsr-xr-x, owner osiris), so the console runs with that unprivileged user's effective uid regardless of who launches it, whereas osiris and osirisd are plain root-owned binaries. Next comes configuration.
■ [osiris]Configuration via the CLI
First, log in as the administrator from the CLI and do the setup. On the first connection the CLI has no copy of the console certificate yet, so it fetches one and asks you to verify its MD5 fingerprint: compare it against the certificate the installer created on the console (/usr/local/osiris/certs/osirismd.crt) before answering yes, because that fingerprint is the only thing tying the session to the right console. Here the console is 127.0.0.1, so the risk is small, but it matters once the console is on another machine.
- $ /usr/local/sbin/osiris
- Osiris Shell Interface - version 4.1.8-release
- unable to load root certificate for management host:
- (/Users/username/.osiris/osiris_root.pem)
- >>> fetching root certificate from management host (127.0.0.1).
- The authenticity of host '127.0.0.1' can't be established.
- [ server certificate ]
- subject = /C=US/CN=Osiris Management Console/OU=Osiris Host Integrity System
- issuer = /C=US/CN=Osiris Management Console/OU=Osiris Host Integrity System
- key size: 2048 bit
- MD5 fingerprint: 30:87:07:74:08:7B:5D:83:52:FD:63:6F:6B:32:5F:7D
- Verify the fingerprint specified above.
- Are you sure you want to continue connecting (yes/no)? yes ← confirm whether to continue
- >>> authenticating to (127.0.0.1)
- User: admin ← the administrator logs in as "admin"
- Password: ← nothing is set yet, so just press Return
- connected to management console, code version (4.1.8-release).
- hello.
- WARNING: your password is empty, use the 'passwd' command
- to set your password.
- osiris-4.1.8-release: passwd ← first, set admin's password
- User: admin
- Password: ← enter the management password; note there is no confirmation prompt, so type carefully
- >>> user: (admin) updated.
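One way to do the fingerprint check mentioned above, as an added example (my code, not part of Osiris or of this page): run it on the management console host against the certificate the installer generated, /usr/local/osiris/certs/osirismd.crt, and compare the result with the "MD5 fingerprint:" line the CLI printed. It assumes the file is an ordinary PEM certificate and that the fingerprint is the MD5 of the DER bytes in the CLI's XX:XX:... format, which is the usual definition. SAMPLE_PEM is a constructed stand-in used only to exercise the code, not a real certificate.

```python
"""Verify the console certificate fingerprint shown by the osiris CLI.

Added example, not part of Osiris or of this page. Run it on the management
console host against the certificate the installer generated
(/usr/local/osiris/certs/osirismd.crt); the printed value is what the
'MD5 fingerprint:' line of the CLI must show before you answer yes.
Assumptions: the file is a standard PEM certificate (BEGIN/END CERTIFICATE
framing) and the fingerprint is the MD5 of the DER bytes, which is the
usual definition and matches the CLI's XX:XX:... format. SAMPLE_PEM is a
constructed stand-in for exercising the code, not a real certificate.
"""
import hashlib
import hmac
import ssl
import sys

CONSOLE_CERT = "/usr/local/osiris/certs/osirismd.crt"

# Constructed: PEM framing around base64("abc"); only used to exercise the code.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"


def fingerprint(pem: str) -> str:
    """MD5 of the DER-encoded certificate as colon-separated upper-case hex,
    e.g. 30:87:07:74:08:7B:5D:83:52:FD:63:6F:6B:32:5F:7D."""
    der = ssl.PEM_cert_to_DER_cert(pem)  # checks the framing, then base64-decodes
    return ":".join("%02X" % b for b in hashlib.md5(der).digest())


def fingerprint_matches(shown: str, pem: str) -> bool:
    """Compare the value the CLI displayed with the console's certificate.
    Whitespace and case are normalised; the comparison itself is constant-time."""
    expected = fingerprint(pem)
    shown = shown.strip().upper()
    return hmac.compare_digest(shown.encode("ascii", "replace"), expected.encode("ascii"))


if __name__ == "__main__":
    # Usage on the console host: python3 osiris_fp.py [/path/to/osirismd.crt]
    path = sys.argv[1] if len(sys.argv) > 1 else CONSOLE_CERT
    with open(path) as fh:
        print("MD5 fingerprint:", fingerprint(fh.read()))
```

The same value comes from `openssl x509 -noout -fingerprint -md5 -in /usr/local/osiris/certs/osirismd.crt` on the console host; the point is that you obtain it there, not over the connection you are about to trust. Once accepted, the CLI keeps the certificate as ~/.osiris/osiris_root.pem and looks for it on later connections.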
That completes the administrator login. The following command displays the help.
- osiris-4.1.8-release: ?
- [ Management Commands ]
- mhost host new-user edit-filters
- edit-mhost edit-host edit-user print-filters
- print-mhost-config list-hosts list-users
- test-notify new-host delete-user test-filter
- [ Host commands ]
- status list-configs start-scan list-db
- watch-host new-config stop-scan baseline
- disable-host push-config print-log set-baseline
- host-details edit-config list-logs print-db
- print-host-config print-config print-db-errors
- rm-host rm-config print-db-header
- init drop-config rm-db
- config verify-config unset-baseline
- [ Misc commands ]
- help version quit ssl
- For help with a specific command, try: help <command>
■ [osiris]Configuring the management host
- osiris-4.1.8-release: edit-mhost
- [ edit management host (127.0.0.1) ]
- > syslog facility [DAEMON]:
- > control port [2266]:
- > http control port [0]: 10080
- > notify email (default for hosts) []: username@yourdomain.com
- > notification smtp host [127.0.0.1]: smtp.yourdomain.com
- > notification smtp port [25]:
- > authorized hosts:
- 127.0.0.1
- Modify authorization list (y/n)? [n]
- [ management config (127.0.0.1) ]
- syslog_facility = DAEMON
- control_port = 2266
- http_port = 10080
- http_host =
- notify_email = username@yourdomain.com
- notify_app =
- notify_smtp_host = smtp.yourdomain.com
- notify_smtp_port = 25
- hosts_directory =
- allow = 127.0.0.1
- Is this correct (y/n)? y
- >>> management host configuration has been saved.
■ [osiris]Adding a managed host
First, add the local host itself as a managed host.
- osiris-4.1.8-release: new-host
- [ new host ]
- > name this host []: myhost
- > hostname/IP address []: 127.0.0.1
- > description []: iMacG4
- > agent port [2265]:
- > enable log files for this host? (yes/no) [no]:
- Scan Databases:
- => keep archives of scan databases? Enabling this option means that the
- database generated with each scan is saved, even if there are no changes
- detected. Because of disk space, this option is not recommended
- unless your security policy requires it. (yes/no) [no]:
- ↑ option to keep archives of scan databases
- => auto-accept changes? Enabling this option means that detected
- changes are reported only once, and the baseline database is
- automatically set when changes are detected. (yes/no) [yes]:
- ↑ setting to auto-accept changes; set this to no and the change notification mail keeps coming until you accept. With yes, a change is reported once and then silently becomes the new baseline, so an unwanted modification gets exactly one chance to be noticed.
- => purge database store? Enabling this option means that none
- of the scan databases are saved. That is, whenever the baseline
- database is set, the previous one is deleted. (yes/no): [yes]:
- ↑ setting to operate with only the latest scan DB at all times
- Notifications:
- => enable email notification for this host? (yes/no) [no]: yes
- => send notification on scheduled scans failures? (yes/no) [no]: yes
- => send scan notification, even when no changes detected (yes/no) [no]:
- => send notification when agent has lost session key (yes/no) [no]: yes
- => notification email (default uses mhost address) []:
- Scheduling:
- > configure scan scheduling information? (yes/no) [no]: yes
- [ scheduling information for myhost ]
- Scheduling information consists of a start time and a frequency value.
- The frequency is a specified number of minutes between each scan, starting
- from the start time. The default is the current time. Specify the start
- time in the following format: mm/dd/yyyy HH:MM
- enter the start date and time
- using 'mm/dd/yyyy HH:MM' format: [Sat Apr 30 13:07:15 2005]
- enter scan frequency in minutes: [1440] 720
- > enable this host? (yes/no) [yes]:
- host => myhost
- hostname/IP address => 127.0.0.1
- description => iMacG4
- agent port => 2265
- host type => generic
- log enabled => no
- archive scans => no
- auto accept => yes
- purge databases => yes
- notifications enabled => yes
- notifications always => no
- notify on rekey => yes
- notify on scan fail => yes
- notify email => (management config)
- scans starting on => Sat Apr 30 13:07:15 2005
- scan frequency => every 720 minutes
- enabled => yes
- Is this correct (y/n)? y
- >>> new host (myhost) has been created.
- Initialize this host? (yes/no): yes
- Initializing a host will push over a configuration, start
- a scan, and set the created database to be the
- trusted database.
- Are you sure you want to initialize this host (yes/no): yes
- OS Name: Darwin
- OS Version: 8.0.0
- use the default configuration for this OS? (yes/no): yes
- >>> configuration (default.darwin) has been pushed.
- >>> scanning process was started on host: myhost
■ [osiris]Changing a managed host's configuration
- osiris-4.1.8-release: host myhost
- myhost is alive.
- osiris-4.1.8-release[myhost]: edit-config ← this drops you into vi to edit the configuration
- >>> configuration file has changed, updating...
- >>> configuration: (default.darwin) has been updated.
- osiris-4.1.8-release[myhost]: push-config ← this pushes the changed configuration to the host
- >>> the configuration: (default.darwin) has been pushed to host: myhost
- osiris-4.1.8-release[myhost]: print-config ← display the configuration
- config name: default.darwin
- ID: 946090b8
- status: valid
- errors: 0
- warnings: 0
- lines: 57
- -------- begin config file --------
- # Default Configuration for Mac OS X.
- Recursive no
- FollowLinks no
- IncludeAll
- Hash md5
- <System>
- Include mod_users
- Include mod_groups
- Include mod_kmods
- </System>
- <Directory />
- Recursive no
- Include file( "mach_kernel" )
- </Directory>
- <Directory /private/var/root>
- Recursive yes
- Include executable
- </Directory>
- <Directory /bin>
- IncludeAll
- </Directory>
- <Directory /usr/bin>
- IncludeAll
- </Directory>
- <Directory /usr/local/bin>
- IncludeAll
- </Directory>
- <Directory /usr/local/sbin>
- IncludeAll
- </Directory>
- <Directory /sbin>
- IncludeAll
- </Directory>
- <Directory /usr/sbin>
- IncludeAll
- </Directory>
- <Directory /etc> ← additions start here
- Recursive yes
- IncludeAll
- </Directory>
- <Directory /Applications>
- Recursive yes
- IncludeAll
- </Directory>
- <Directory /Users/username>
- Recursive yes
- IncludeAll
- </Directory> ← additions end here
- # EOF
- -------- end config file --------
■ [osiris]Adding filter settings
- osiris-4.1.8-release: edit-filters ← from here you edit the settings in vi (the wizard has been dropped)
- >>> comparison filters have been saved.
- osiris-4.1.8-release: print-filters ← display the settings
- Exclude anything matching the following regular expressions:
- host=*;path=*;exclude: device ctime ; ← the filter syntax is unchanged from 3.x
- host=*;path=/etc;include only: perm uid gid new missing ;
- host=*;path=/Applications;include only: perm uid gid new missing ;
- host=*;path=/Users/username;include only: perm uid gid new missing ;
- 4 comparison filters.
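As an added example of how I read the four filters above (my code, not Osiris's and not from this page): a small evaluator that decides whether a given change would survive them. The matching rules are assumptions drawn from the printed output, not from the Osiris source: host= and path= are regular expressions matched at the start of the string, a path such as /etc covers the directory and everything under it, "exclude" drops the listed change attributes, "include only" drops every attribute except the listed ones, and a change is reported only when no matching filter suppresses it. Attribute names the page does not show ("checksum", "mtime") and the sample changes are constructed too.

```python
"""Evaluate Osiris-style comparison filters against candidate changes.

Added example; this is my code, not Osiris's and not from this page. The
FILTERS_TEXT lines are the four filters printed above. Everything about how
they combine is my reading of that output (assumptions, not the Osiris
source): host= and path= are regular expressions matched at the start of the
string, a path such as /etc covers the directory and everything under it,
"exclude" drops the listed change attributes, "include only" drops every
attribute except the listed ones, and a change is reported only when no
matching filter suppresses it. Attribute names the page does not show
("checksum", "mtime") and the sample changes are constructed as well.
"""
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

FILTERS_TEXT = """\
host=*;path=*;exclude: device ctime ;
host=*;path=/etc;include only: perm uid gid new missing ;
host=*;path=/Applications;include only: perm uid gid new missing ;
host=*;path=/Users/username;include only: perm uid gid new missing ;
"""


@dataclass(frozen=True)
class Filter:
    host: re.Pattern
    path: re.Pattern
    mode: str                 # "exclude" or "include only"
    attrs: FrozenSet[str]


def _pattern(field: str, is_path: bool) -> re.Pattern:
    """'*' matches anything; anything else is anchored at the start. A path
    pattern must also end at a '/' or at the end, so /etc does not cover /etcX."""
    if field == "*":
        return re.compile(r".*")
    return re.compile("^" + field + (r"(?:/|$)" if is_path else "$"))


def parse_filters(text: str) -> List[Filter]:
    """Parse print-filters output lines into Filter objects."""
    filters = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        host = path = mode = attrs = None
        fields = [f.strip() for f in raw.split(";") if f.strip()]
        for field in fields:
            if field.startswith("host="):
                host = _pattern(field[len("host="):], is_path=False)
            elif field.startswith("path="):
                path = _pattern(field[len("path="):], is_path=True)
            else:
                mode, _, attr_list = field.partition(":")
                mode, attrs = mode.strip(), frozenset(attr_list.split())
        if host is None or path is None or mode not in ("exclude", "include only"):
            raise ValueError("cannot parse filter line: %r" % raw)
        filters.append(Filter(host, path, mode, attrs))
    return filters


def reported(host: str, path: str, attr: str, filters: List[Filter]) -> bool:
    """True if a change of `attr` on host:path survives every filter that
    matches it; a single matching filter is enough to silence it."""
    for f in filters:
        if not (f.host.match(host) and f.path.match(path)):
            continue
        if f.mode == "exclude" and attr in f.attrs:
            return False
        if f.mode == "include only" and attr not in f.attrs:
            return False
    return True


# Constructed changes, shaped like what a scan comparison would flag.
SAMPLE_CHANGES: List[Tuple[str, str, str]] = [
    ("myhost", "/etc/passwd", "ctime"),              # silenced by the global exclude
    ("myhost", "/etc/passwd", "checksum"),           # silenced: content change, not in the /etc list
    ("myhost", "/etc/sudoers", "perm"),              # reported
    ("myhost", "/etc/cron.d/backdoor", "new"),       # reported
    ("myhost", "/bin/ls", "checksum"),               # reported: /bin has no include-only rule
    ("myhost", "/bin/ls", "device"),                 # silenced by the global exclude
    ("myhost", "/Users/username/.bashrc", "mtime"),  # silenced: not in the /Users/username list
]


def audit(changes: List[Tuple[str, str, str]], filters: List[Filter]) -> List[Tuple[str, str, str]]:
    """Return only the changes that would reach a notification."""
    return [c for c in changes if reported(*c, filters)]


if __name__ == "__main__":
    flt = parse_filters(FILTERS_TEXT)
    for change in SAMPLE_CHANGES:
        print("REPORT " if reported(*change, flt) else "silent ", *change)
```

What this makes visible: under "include only: perm uid gid new missing", a change to the contents of an existing file in /etc, /Applications or the home directory (its hash) is never reported; only permission and ownership changes and new or missing files are. That may be the intended trade-off against noise from those directories, but it is worth knowing before counting on /etc coverage, and the directories with no include-only rule (/bin, /sbin, /usr/bin and so on) are the ones where content changes still get through.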