■ [osiris] Installing the latest osiris-4.1.8 on Tiger
Now that Tiger is installed, I'll use the latest osiris to check out a certain rumor. Download the latest version, 4.1.8, from the osiris homepage (http://osiris.shmoo.com/). It has been extended quite a bit, with an S/MIME module and so on. For now I only downloaded the core package. Xcode must be installed on Tiger beforehand.
Note that the latest version adds support for Windows 2003 Server and other platforms, and the way filters are edited has changed (see below).
Note) As of April 30, several problems are still seen even with the settings below, so be careful.
The filter settings do not appear to be applied correctly
Restarting osiris disables part of the configuration of the managed hosts
With no other choice I installed 3.0.4 instead, and that one seems to work properly. Oh well. For verification purposes I recommend 3.0.4 for now. (To whom?)
■ [osiris] configure
Extract the downloaded file.
[code]$ tar zxvf ./osiris-4.1.8.tar.gz
$ ls ./osiris-4.1.8
AUTHORS INSTALL Makefile.in TODO bootstrap config.sub depcomp mkinstalldirs
COPYING LICENSE NEWS acinclude.m4 config.guess configure install-sh src
ChangeLog Makefile.am README aclocal.m4 config.h.in configure.ac missing[/code]
First, check the configure options. The latest version naturally supports OS X out of the box, so no options are needed.
[code]
$ ./configure
(omitted)
Osiris (c) 2000-2005 The Shmoo Group (TSG)
-----------------------------------------------------
==> Configuration Complete.
==> Osiris has been configured with the following options:
Host: powerpc-apple-darwin8.0.0
Compiler: gcc
Compiler flags: -Wall -g -O2
Preprocessor flags:
Linker flags:
Libraries: -lpthread -lssl -lcrypto -lresolv
Privlege Separation: yes
SSL Location: (system)
Osiris Root Directory: /usr/local/osiris
Osiris user: osiris
Osiris MD Directory: /usr/local/osiris
Osiris MD user: osiris
Osiris MD config dir: /usr/local/osiris
======================================
Found Scan Agent Modules:
==> mod_groups
==> mod_kmods
==> mod_ports
==> mod_users
======================================
==> use one of the following targets:
all: make everything, agent, CLI and management console.
agent: create scan agent installer package.
console: create management console installer package.
install: run installation script.
clean: remove object files.[/code]
configure is now complete.
■ [osiris] Building the osiris client and console separately
osiris is designed so that the management console and the scan client (agent) work together: the management console goes on the management machine and the scan client on each managed host, and the two can be installed separately. When there are many managed hosts, you can build the console and the client separately and keep the installer packages ready.
[code]$ make console
(omitted)
-------------------------------------------------------------------------
building release tarball: src/install/osiris-console-4.1.8-release-powerpc-Darwin-8.0.0.tar
installer package contents:
total 3744
-rw-r--r-- 1 username username 5130 Apr 30 12:11 LICENSE
drwxr-xr-x 17 username username 578 Apr 30 12:11 configs
drwxr-xr-x 5 username username 170 Apr 30 12:11 darwin
-rwxr-xr-- 1 username username 31187 Apr 30 12:11 install.sh
-rwxr-xr-x 1 username username 863568 Apr 30 12:11 osiris
-rwxr-xr-x 1 username username 125152 Apr 30 12:11 osirisd
-rwxr-xr-x 1 username username 877192 Apr 30 12:11 osirismd
-rw-r--r-- 1 username username 80 Apr 30 12:11 version.h
-------------------------------------------------------------------------
installer package created.[/code]
This creates the console package osiris-console-4.1.8-release-powerpc-Darwin-8.0.0.tar.gz under src/install/. After running make clean, build the client package next.
[code]$ make agent
(omitted)
-------------------------------------------------------------------------
building release tarball: src/install/osiris-agent-4.1.8-release-powerpc-Darwin-8.0.0.tar
installer package contents:
total 336
-rw-r--r-- 1 username username 5130 Apr 30 12:13 LICENSE
drwxr-xr-x 5 username username 170 Apr 30 12:13 darwin
-rwxr-xr-- 1 username username 31187 Apr 30 12:13 install.sh
-rwxr-xr-x 1 username username 125152 Apr 30 12:13 osirisd
-rw-r--r-- 1 username username 80 Apr 30 12:13 version.h
-------------------------------------------------------------------------
installer package created.[/code]
This creates the client package osiris-agent-4.1.8-release-powerpc-Darwin-8.0.0.tar.gz under src/install/. Each package can be installed with the following commands.
[code]$ tar zxvf ./osiris*
$ cd osiris*
$ sudo ./install.sh[/code]
■ [osiris] Building the osiris client and console together
In most cases this is the right choice for a first install. It builds and installs the client and the console in one go.
[code]$ make all
(omitted)
Build Successful!
To create management console install package: 'make console'
To create scan agent install package: 'make agent'
Documentation is also online at: http://osiris.shmoo.com[/code]
When this message appears, the install preparation is complete. Install with the following command.
[code]$ sudo make install[/code]
■ [osiris] Installing osiris
From here I'll comment on the output.
[code]$ sudo make install
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
Password: ←administrator password
(omitted)
Continue with installation? (y/n) [y] ←confirm continuing the installation
Osiris Scanning Daemon Version
4.1.8-release
"4.1.8-release" for Darwin 8.0.0
Copyright (c) 2005 Brian Wotring. All Rights Reserved.
This installation was configured and built to run as osiris
agent user name: osiris
management user name: osiris
This installation was configured and built to use osiris
agent root directory: /usr/local/osiris
management root directory: /usr/local/osiris
The username and directory will be created during the
installation process if they do not already exist.
By installing this product you agree that you have read the
LICENSE file and will comply with its terms.
---------------------------------------------------------------------
==> creating user and group (osiris, osiris).
==> creating Osiris user and group with uid/gid 502.
==> group 'osiris' added.
==> user 'osiris' added.
==> using existing Osiris management console user.
Install osiris agent? (y/n) [y] ←confirm installing the client
Install management console? (y/n) [y] ←confirm installing the console
Install CLI? (y/n) [y] ←confirm installing the command-line interface
Installation directory for binaries: [/usr/local/sbin] ←confirm the install location
Installation directory doesn't exist, creating.
==> installed osiris CLI: /usr/local/sbin/osiris
Osiris scan agent root directory doesn't exist, creating.
==> installed scan agent: /usr/local/sbin/osirisd
==> installed management console /usr/local/sbin/osirismd
==> installed default scan configs.
==> updated: /etc/hostconfig --> OSIRISSERVER=-YES-
==> installing StartupItem for the Osiris Scan Agent.
==> installed /System/Library/StartupItems/Osiris/Osiris
==> change owner and permissions on /usr/local/sbin/osiris
-rwxr-xr-x 1 root wheel 1412536 Apr 30 12:26 /usr/local/sbin/osiris
==> change owner and permissions on /usr/local/sbin/osirisd
-rwxr-xr-x 1 root wheel 483060 Apr 30 12:26 /usr/local/sbin/osirisd
==> change owner permissions on /usr/local/sbin/osirismd
-rwsr-xr-x 1 osiris osiris 1721788 Apr 30 12:26 /usr/local/sbin/osirismd
==================================================================
Osiris has been installed, but is not currently running. Startup
scripts have been installed so that the necessary services will
be started on boot.
Start management console now? (y/n) [y] ←confirm starting the console
osirismd: missing configuration file,
==> created default in: /usr/local/osiris/osirismd.conf.
unable to load server certificate (/usr/local/osiris/certs/osirismd.crt)
==> creating one.
Generating RSA key, 2048 bit long modulus.
...............................................+++
..............................................................................+++
Start scan agent now? (y/n) [y] ←confirm starting the client
Documentation is included with this source and available online at:
http://osiris.shmoo.com/docs
(c) 2005 - Brian Wotring[/code]
Installation and startup are now complete. Next comes the configuration.
■ [osiris] Configuration via the CLI
First log in as the administrator with the CLI and do the configuration.
[code]$ /usr/local/sbin/osiris
Osiris Shell Interface - version 4.1.8-release
unable to load root certificate for management host:
(/Users/username/.osiris/osiris_root.pem)
>>> fetching root certificate from management host (127.0.0.1).
The authenticity of host '127.0.0.1' can't be established.
[ server certificate ]
subject = /C=US/CN=Osiris Management Console/OU=Osiris Host Integrity System
issuer = /C=US/CN=Osiris Management Console/OU=Osiris Host Integrity System
key size: 2048 bit
MD5 fingerprint: 30:87:07:74:08:7B:5D:83:52:FD:63:6F:6B:32:5F:7D
Verify the fingerprint specified above.
Are you sure you want to continue connecting (yes/no)? yes ←confirm whether to continue
>>> authenticating to (127.0.0.1)
User: admin ←the administrator logs in as "admin"
Password: ←none is set at first, so just press Return
connected to management console, code version (4.1.8-release).
hello.
WARNING: your password is empty, use the 'passwd' command
to set your password.
osiris-4.1.8-release: passwd ←first set the admin password
User: admin
Password: ←enter the management password; note there is no confirmation prompt
>>> user: (admin) updated.[/code]
Administrator login is now done. The following command shows the help.
[code]osiris-4.1.8-release: ?
[ Management Commands ]
mhost host new-user edit-filters
edit-mhost edit-host edit-user print-filters
print-mhost-config list-hosts list-users
test-notify new-host delete-user test-filter
[ Host commands ]
status list-configs start-scan list-db
watch-host new-config stop-scan baseline
disable-host push-config print-log set-baseline
host-details edit-config list-logs print-db
print-host-config print-config print-db-errors
rm-host rm-config print-db-header
init drop-config rm-db
config verify-config unset-baseline
[ Misc commands ]
help version quit ssl
For help with a specific command, try: help [/code]
■ [osiris] Configuring the management host
[code]osiris-4.1.8-release: edit-mhost
[ edit management host (127.0.0.1) ]
> syslog facility [DAEMON]:
> control port [2266]:
> http control port [0]: 10080
> notify email (default for hosts) []: [email protected]
> notification smtp host [127.0.0.1]: smtp.yourdomain.com
> notification smtp port [25]:
> authorized hosts:
127.0.0.1
Modify authorization list (y/n)? [n]
[ management config (127.0.0.1) ]
syslog_facility = DAEMON
control_port = 2266
http_port = 10080
http_host =
notify_email = [email protected]
notify_app =
notify_smtp_host = smtp.yourdomain.com
notify_smtp_port = 25
hosts_directory =
allow = 127.0.0.1
Is this correct (y/n)? y
>>> management host configuration has been saved.[/code]
■ [osiris] Adding a managed host
First add the local host itself as a managed host.
[code]osiris-4.1.8-release: new-host
[ new host ]
> name this host []: myhost
> hostname/IP address []: 127.0.0.1
> description []: iMacG4
> agent port [2265]:
> enable log files for this host? (yes/no) [no]:
Scan Databases:
=> keep archives of scan databases? Enabling this option means that the
database generated with each scan is saved, even if there are no changes
detected. Because of disk space, this option is not recommended
unless your security policy requires it. (yes/no) [no]:
↑option to keep archives of the scan databases
=> auto-accept changes? Enabling this option means that detected
changes are reported only once, and the baseline database is
automatically set when changes are detected. (yes/no) [yes]:
↑setting to auto-accept changes; if set to no, change-notification mails keep coming until the changes are accepted
=> purge database store? Enabling this option means that none
of the scan databases are saved. That is, whenever the baseline
database is set, the previous one is deleted. (yes/no): [yes]:
↑setting to always operate with only the latest scan DB
Notifications:
=> enable email notification for this host? (yes/no) [no]: yes
=> send notification on scheduled scans failures? (yes/no) [no]: yes
=> send scan notification, even when no changes detected (yes/no) [no]:
=> send notification when agent has lost session key (yes/no) [no]: yes
=> notification email (default uses mhost address) []:
Scheduling:
> configure scan scheduling information? (yes/no) [no]: yes
[ scheduling information for myhost ]
Scheduling information consists of a start time and a frequency value.
The frequency is a specified number of minutes between each scan, starting
from the start time. The default is the current time. Specify the start
time in the following format: mm/dd/yyyy HH:MM
enter the start date and time
using 'mm/dd/yyyy HH:MM' format: [Sat Apr 30 13:07:15 2005]
enter scan frequency in minutes: [1440] 720
> enable this host? (yes/no) [yes]:
host => myhost
hostname/IP address => 127.0.0.1
description => iMacG4
agent port => 2265
host type => generic
log enabled => no
archive scans => no
auto accept => yes
purge databases => yes
notifications enabled => yes
notifications always => no
notify on rekey => yes
notify on scan fail => yes
notify email => (management config)
scans starting on => Sat Apr 30 13:07:15 2005
scan frequency => every 720 minutes
enabled => yes
Is this correct (y/n)? y
>>> new host (myhost) has been created.
Initialize this host? (yes/no): yes
Initializing a host will push over a configuration, start
a scan, and set the created database to be the
trusted database.
Are you sure you want to initialize this host (yes/no): yes
OS Name: Darwin
OS Version: 8.0.0
use the default configuration for this OS? (yes/no): yes
>>> configuration (default.darwin) has been pushed.
>>> scanning process was started on host: myhost[/code]
■ [osiris] Changing a managed host's configuration
[code]osiris-4.1.8-release: host myhost
myhost is alive.
osiris-4.1.8-release[myhost]: edit-config ←this enters the vi editing mode for the configuration
>>> configuration file has changed, updating...
>>> configuration: (default.darwin) has been updated.
osiris-4.1.8-release[myhost]: push-config ←this pushes the configuration change to the host
>>> the configuration: (default.darwin) has been pushed to host: myhost
osiris-4.1.8-release[myhost]: print-config ←show the configuration
config name: default.darwin
ID: 946090b8
status: valid
errors: 0
warnings: 0
lines: 57
-------- begin config file --------
# Default Configuration for Mac OS X.
Recursive no
FollowLinks no
IncludeAll
Hash md5
Include mod_users
Include mod_groups
Include mod_kmods
Recursive no
Include file( "mach_kernel" )
Recursive yes
Include executable
IncludeAll
IncludeAll
IncludeAll
IncludeAll
IncludeAll
IncludeAll
←from here on is what I added
Recursive yes
IncludeAll
Recursive yes
IncludeAll
Recursive yes
IncludeAll
←up to here
# EOF
-------- end config file --------[/code]
■ [osiris] Adding filter settings
[code]osiris-4.1.8-release: edit-filters ←from here the settings are edited in vi (the wizard has been removed)
>>> comparison filters have been saved.
osiris-4.1.8-release: print-filters ←show the settings
Exclude anything matching the following regular expressions:
host=*;path=*;exclude: device ctime ; ←the filter syntax is unchanged from 3.x
host=*;path=/etc;include only: perm uid gid new missing ;
host=*;path=/Applications;include only: perm uid gid new missing ;
host=*;path=/Users/username;include only: perm uid gid new missing ;
4 comparison filters.[/code]
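To make the effect of these four filter lines concrete, here is a small model of the filter syntax and of how a detected change is reported or suppressed. This is an added example, not osiris's own code; it assumes that the host and path fields are regular expressions matched at the start of the value (a bare `*` meaning "match anything"), that `exclude` drops the listed attributes, and that `include only` drops every attribute not listed.

```python
"""Model of the osiris comparison-filter lines shown above (added example, not
osiris's own code). Assumption: host and path patterns are regular expressions
matched at the start of the value, with a bare '*' meaning 'match anything'."""
import re
from dataclasses import dataclass

# Constructed from the four filters printed by print-filters above.
FILTER_TEXT = """\
host=*;path=*;exclude: device ctime ;
host=*;path=/etc;include only: perm uid gid new missing ;
host=*;path=/Applications;include only: perm uid gid new missing ;
host=*;path=/Users/username;include only: perm uid gid new missing ;
"""
# host=<pattern>;path=<pattern>;<exclude|include only>: <attr> <attr> ... ;
LINE_RE = re.compile(r"host=([^;]+);path=([^;]+);(exclude|include only):\s*(.*?)\s*;")

def _match(pattern, value):
    return pattern == "*" or re.match(pattern, value) is not None

@dataclass(frozen=True)
class Filter:
    host: str
    path: str
    mode: str         # "exclude" or "include only"
    attrs: frozenset  # attribute names listed in the filter

    def matches(self, host, path):
        return _match(self.host, host) and _match(self.path, path)

def parse_filters(text):
    """Parse filter lines; raise ValueError on a malformed line."""
    filters = []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        m = LINE_RE.fullmatch(line)
        if not m:
            raise ValueError(f"malformed filter line: {line!r}")
        host, path, mode, attrs = m.groups()
        filters.append(Filter(host, path, mode, frozenset(attrs.split())))
    return filters

def should_report(filters, host, path, attr):
    """Assumed semantics: a matching 'exclude' filter suppresses the attributes
    it lists; a matching 'include only' filter suppresses every attribute it
    does not list. Any matching filter that suppresses the change wins."""
    for f in filters:
        if f.matches(host, path):
            if f.mode == "exclude" and attr in f.attrs:
                return False
            if f.mode == "include only" and attr not in f.attrs:
                return False
    return True
```

With these filters, an mtime change under /etc is never reported, while the same change under /bin still is; that is the difference to keep in mind when the notification mails seem quieter than expected.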
ids, oldhatena, osiris