osiris user documentation


This document serves to give the user/administrator of osiris an understanding of its behaviour and uses. At the time of this writing, osiris development was at version 1.3.

Introduction


What osiris does.

The Osiris application compares one catalog of executable files with another catalog of executable files. Osiris catalogs specified directories of files (recording hashes (currently MD5 or SHA), modification dates, file attributes, uid, gid, and suid) into a specified database (and/or to standard output, as directed).

The second program, scale, compares two such databases against each other. It will output, to a file, any differences it finds between the two catalogs (including missing or additional files, differing or identical hashes, modification dates, and file attributes). Together, the two programs give an administrator the tools to follow changes in files on a server or workstation. This keeps an administrator apprised of possible attacks and/or nasty little trojans, and is the main reason for the existence of Osiris.

Requirements

- root privileges.
- ANSI C compiler (gdbm is included).
- tested platforms: Solaris 2.6, FreeBSD 3.1, Linux (RH6.1), OSX.
- curses library recommended, not required.

Using osiris and scale

The current usage statement for osiris is as follows:

usage: osiris -i path... -o path [-a hash] [-v] [-x] [-l] [-q] [-h] [-O] [-psychonazi]

-i list of directories to scan (recursive). Relative or absolute paths can be used.
-a hash algorithm to use when creating checksums of files. Currently, the only supported hash algorithms are MD5 and SHA. For example, to run osiris on the current directory using MD5, do: osiris -i . -o left.osi -a MD5 (the default algorithm is MD5).
-o path to store the database file created. For example: /tmp/left.osi. This field is required.
-v dump output to console, default if -o is not used. This will display what is written to the database. If you wish to see only what is written to the database, use the -q -v options together. This forces all output to the console, but only the material written to the database is shown; errors and results are not.
-h display the usage and syntax message.
-q quiet mode, no output to console, except in the case of database overwrite prompts.
-x log -only- those files with the executable bit set. This logs only those files that are executable, suid, or sgid.
-l traverse symlinks to other directories. This can be dangerous if you have a chain of symlinks that forms a cycle. It is possible for osiris to continue until the database becomes too large for the disk, or memory resources are exhausted.
-O no prompt for database overwrite (used with -q, this guarantees no console output). This will overwrite any existing databases without prompting.
-psychonazi this mode will log every single file that can be opened. Use with caution.
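The following is an added example, not code from the osiris project, that shows in Python the two steps the introduction and the option list describe: cataloging a directory tree (hash, modification date, mode bits, uid, gid and suid, with the MD5/SHA choice of -a and the executable-only filter of -x) and then comparing two catalogs the way scale does, reporting missing, added and changed files. The directory layout, file names and contents in demo() are constructed for the walkthrough; the dictionary format stands in for the gdbm database osiris writes.

```python
"""Catalog-and-compare walkthrough in the spirit of osiris/scale (added example)."""
import hashlib
import os
import stat
import tempfile
from pathlib import Path

# Maps the -a option's names to hashlib algorithms (assumption: "SHA" means SHA-1).
HASHES = {"MD5": "md5", "SHA": "sha1"}


def catalog(root, algorithm="MD5", exec_only=False, follow_symlinks=False):
    """Walk `root` and return {relative_path: record}.

    Each record holds the fields osiris stores: hash, mtime, mode bits,
    uid, gid and the suid flag. exec_only mirrors -x (executable, suid or
    sgid files only); follow_symlinks mirrors -l and is off by default.
    """
    algo = HASHES[algorithm]
    root = Path(root)
    entries = {}
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=follow_symlinks):
        for name in filenames:
            path = Path(dirpath) / name
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks to files, devices, sockets, etc.
            executable = bool(st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
            suid = bool(st.st_mode & stat.S_ISUID)
            sgid = bool(st.st_mode & stat.S_ISGID)
            if exec_only and not (executable or suid or sgid):
                continue
            h = hashlib.new(algo)
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            entries[str(path.relative_to(root))] = {
                "hash": h.hexdigest(),
                "mtime": int(st.st_mtime),
                "mode": stat.S_IMODE(st.st_mode),
                "uid": st.st_uid,
                "gid": st.st_gid,
                "suid": suid,
            }
    return entries


def compare(left, right):
    """Report the differences between two catalogs, as scale does.

    Returns {"missing": [...], "added": [...], "changed": {path: {field: (old, new)}}}.
    """
    report = {"missing": [], "added": [], "changed": {}}
    for path in sorted(set(left) | set(right)):
        if path not in right:
            report["missing"].append(path)
        elif path not in left:
            report["added"].append(path)
        else:
            diffs = {k: (left[path][k], right[path][k])
                     for k in left[path] if left[path][k] != right[path][k]}
            if diffs:
                report["changed"][path] = diffs
    return report


def demo():
    """Constructed walkthrough: build a small tree, catalog it, alter it, re-catalog."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        tool = root / "bin" / "tool"
        tool.write_bytes(b"#!/bin/sh\necho ok\n")
        tool.chmod(0o755)                      # executable: kept by the -x filter
        conf = root / "app.conf"
        conf.write_text("debug=0\n")
        conf.chmod(0o644)                      # plain data file: dropped by -x
        os.utime(tool, (1_000_000, 1_000_000))  # fixed mtimes for a deterministic run
        os.utime(conf, (1_000_000, 1_000_000))
        left = catalog(root)                     # the "left.osi" baseline
        left_exec = catalog(root, exec_only=True)

        # Changes between the two runs: the binary's content is replaced but its
        # mtime is restored, a file is dropped into bin/, and the config is removed.
        tool.write_bytes(b"#!/bin/sh\necho changed\n")
        os.utime(tool, (1_000_000, 1_000_000))
        (root / "bin" / "extra").write_bytes(b"x")
        conf.unlink()
        right = catalog(root)                    # the "right.osi" catalog
        return compare(left, right), sorted(left_exec)


if __name__ == "__main__":
    report, executables = demo()
    print("executable-only catalog:", executables)
    print("differences:", report)
```

The point the walkthrough makes is the one the introduction relies on: because the binary's modification date was restored, only the stored hash reveals that bin/tool changed, while the removed config and the new file show up as missing and added entries.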