Host Integrity Monitoring Using Osiris and Samhain
By Brian Wotring, Bruce Potter, Marcus J. Ranum
HIGHLIGHT
Host Integrity Monitoring is the only effective means to determine if a malicious hacker has successfully penetrated the perimeter of a network to compromise the target host. Osiris and Samhain are the two most popular tools used for host integrity monitoring, and the creator of Osiris, Brian Wotring, shares his insider expertise in this first ever book on the topic. |
Accurately determine if a malicious attacker has compromised the security measures of your network.
Date: Jun 2005
Pages: 450 (est.)
User level: All |
| SAMPLE CHAPTER : |
Planning |
DESCRIPTION
This book will walk the reader through the process of preparing and deploying open source host integrity monitoring software, specifically, Osiris and Samhain. From the configuration and installation to maintenance, testing, and fine-tuning, this book will cover everything needed to correctly deploy a centralized host integrity monitoring solution. The domain includes home networks on up to large-scale enterprise environments.
Throughout the book, realistic and practical configurations will be provided for common server and desktop platforms. By the end of the book, the reader will not only understand the strengths and limitations of host integrity tools, but also understand how to effectively make use of them in order to integrate them into a security policy.
KEY
SELLING POINTS
- Brian Wotring is the creator of Osiris. He speaks and writes frequently on Osiris for major magazines, Web sites, and trade shows. And, the book can be prominently marketed from the Osiris Web site.
- This is the first book published on host integrity monitoring, despite the widespread deployment of Osiris and Samhain.
- Host Integrity Monitoring is the only way to accurately determine if a malicious attacker has successfully compromised the security measures of your network.
MARKET
INFORMATION
Osiris and Samhain are the two most popular open source tools used by system administrators and security professionals for host integrity monitoring. Approximately 200,000 copies combined have been downloaded in the past two years. Brian Wotring is the creator of Osiris and maintains the Osiris Web site which can be used to market the book.
ABOUT
THE AUTHOR
Brian Wotring is the CTO of Host Integrity, Inc. a company that specializes in providing software to help monitor the integrity of desktop and server environments. Brian studied computer science and mathematics at the University of Alaska and the University of Louisiana. Brian founded and maintains knowngoods.org, an online database of known good file signatures for a number of operating systems. He also is the developer of ctool, an application that provides limited integrity verification for prebound Mac OS X executables. Brian is currently responsible for the continued development of Osiris, an open source host integrity monitoring system. As a long-standing member of The Shmoo Group of security and privacy professionals, Brian has an interest in secure programming practices, data integrity solutions, and software usability. Along with Bruce Potter and Preston Norvell, Brian co-authored the book, Mac OS X Security. Brian has presented at CodeCon and at the Black Hat Briefings security conferences.
Bruce Potter (Technical Editor) is a Senior Associate at Booz Allen Hamilton. Prior to working at Booz Allen Hamilton, Bruce served as a software security consultant for Cigital in Dulles, VA. Bruce is the founder of the Shmoo Group of security professionals. His areas of expertise include wireless security, large-scale network architectures, smartcards, and promotion of secure software engineering practices. Bruce coauthored the books 802.11 Security and Mac OS X Security. He was trained in computer science at the University of Alaska, Fairbanks.
Rainer Wichmann (Techncial Reviewer) is system administrator and research scientist at the University of Hamburg. He has studied physics and astronomy at the University of Heidelberg and received his Ph.D. in astronomy from there. He is responsible for the development of the Samhain host integrity monitoring system, and he has authored various other small applications in the fields of astronomy and computer security. He has written several computer security articles published by Samhain Labs.
Marcus Ranum (Foreword) has been building computer security systems since the late 1980s, when he was an early innovator in designing Internet firewall systems and products. Since that time he has been involved in every aspect of the computer security field: writing, teaching, designing and developing products, consulting, and managing and founding successful product companies. He lives in Morrisdale, PA, with his wife, Katrina, and a small herd of horses, dogs, and cats.
TECHNOLOGY
BACKGROUND
Network-based monitoring tools garner a lot of attention because they provide packet-level visibility into events that affect multiple machines. However seeing the packet sent by an attacker to a vulnerable host only warns you that something has happened, usually when it's too late. In order to identify how the host has responded and whether or not the attack was successful, you usually have to look at the target system. Host-based monitoring tools give granularity that makes attacks visible on the host on which they are installed.
The basic idea behind host integrity monitoring applications is that they detect and report on change to the system. Much of the monitoring is focused on the file system. However, other environmental vectors can be monitored as well. For example, Samhain has the ability to search for rootkits and monitor login and logout activities. Osiris has the ability to monitor the state of loaded kernel extensions and the details of changes to the local user and group databases. Detected change is reported in the form of log files, syslog, the Windows Event Viewer, and possibly emailed to an administrator.
|
