Host Integrity Monitoring Using Osiris and Samhain

Scan Agents

Scan agents must be deployed onto every host that you want to monitor. The agent is a lightweight daemon that periodically collects information from the host environment and securely transmits that data back to the console. This section covers everything you need to know about Osiris scan agents, including an overview of the agent itself and its installation, configuration, and administration.

Scan Agent Overview

On UNIX systems, the scan agent is a daemon called osirisd and is installed in /usr/local/sbin by default. This daemon implements a form of privilege separation. Upon start-up, there are two osirisd processes: one running with root privileges and one running with non-root privileges (usually the Osiris user). The non-root process handles all of the work; the root process is mostly idle. When the agent needs to access a file or element of the environment that requires root privileges, it asks the root process to do the work and return a file handle or the requested data. The root-run process never opens any network ports and is only capable of performing a limited number of tasks. When the agent is asked to perform a scan, it forks another process to handle collecting and sending the information.

On Windows, the scan agent is a service that is run as Administrator. This service is always installed in %SystemRoot%\osirisd.exe and, by default, is started automatically upon boot. The scan agent on Windows is multithreaded so that each scan spawns a new thread.

The...
