.TH "stealth" "1" "2005\-2014" "stealth_3\&.00\&.00\&.tar\&.gz" "Security Enhancement"
.PP
.SH "NAME"
stealth \- Stealthy File Integrity Scanner
.PP
.SH "SYNOPSIS"
\fBstealth\fP \-\-daemon pidfile \-\-dry\-run \-\-log \-\-logmail
.br
\-\-max\-size [BKMG] \-\-no\-mail \-\-parse\-policy\-file
.br
\-\-random\-interval \-\-repeat
.br
\-\-run\-command \-\-skip\-files \-\-stdout \-\-syslog
.br
\-\-syslog\-facility \-\-syslog\-priority \-\-syslog\-tag
.br
\-\-verbosity policy
.PP
\fBstealth\fP {\-\-reload,\-\-rerun,\-\-resume,\-\-suspend,\-\-terminate} pidfile
.PP
\fBstealth\fP \-\-help \-\-version
.PP
.SH "DESCRIPTION"
.PP
The name of the \fBstealth\fP program is an acronym of:
.RS
\fBSSH\-based Trust Enforcement Acquired through a Locally Trusted Host\&.\fP
.RE
\fBstealth\fP is based on an idea by \fIHans Gankema\fP and \fIKees Visser\fP, both at the Center for Information Technology of the University of Groningen\&. \fIHopko Meijering\fP provided valuable suggestions for improvement\&.
.PP
\fBstealth\fP\(cq\&s main task is to perform file integrity tests\&. However, the testing itself leaves no traces on the tested computer\&. Therefore, \fBstealth\fP has \fIstealthy\fP characteristics\&. This is considered an important feature, improving the security (integrity) of the software of computers monitored by \fBstealth\fP\&.
.PP
On the other hand, one should realize that \fBstealth\fP intends to be just another security tool: other security measures like firewalls, portscanners, intrusion detection systems, dropping unencrypted protocols, etc\&. are usually required to improve or promote the security of a group of computers that are connected to the Internet\&.
.PP
\fBstealth\fP uses a policy file to determine the actions to perform\&. Each policy file is uniquely associated with a host to be tested\&. This host (called the \fIclient\fP below) trusts the computer on which \fBstealth\fP runs, called the \fIcontroller\fP (hence: a \fILocally Trusted Host\fP)\&.
The controller performs tasks (normally file integrity tests) that \fIEnforce\fP the \fITrust\fP we have in the client computer\&. Since almost all integrity tests can be run on the client, one controller can control many clients, even if the controller itself uses aged hard\- and software components\&.
.PP
As the controller and the client normally are different computers, the controller must communicate with the client in a secure fashion\&. This is realized using SSH\&. So, there\(cq\&s another element of `local trust\(cq\& involved here: the client should permit the controller to set up a secure SSH connection allowing the controller to access sensitive files and private parts of the client\(cq\&s file system\&.
.PP
\fBIt is important to ensure that there is no public access to the controller\&. All inbound services should be denied\&. The only access to the controller should be via its console and the controller should be placed in a physically secure location\&. Sensitive information about clients is stored on the controller, and passwordless access to clients can be obtained from the controller by anyone who gains (root) access to it\fP\&.
.PP
The controller itself normally only uses two kinds of outgoing services: \fBSSH\fP to reach its clients, and some mail transport agent (e\&.g\&., \fBsendmail\fP(1)) to forward its outgoing mail to some mail\-hub\&.
.PP
Here is what happens when \fBstealth\fP is run using the first synopsis:
.IP o
First, the \fIpolicy\fP file is read\&. This determines the actions to be performed, and the values of several variables that are used by \fBstealth\fP\&.
.IP
.IP o
If the command\-line option \f(CW\-\-daemon pidfile\fP is specified, \fBstealth\fP runs as a background process, writing its process id in the file \f(CWpidfile\fP\&.
.IP
With \f(CW\-\-repeat \fP the scan is rerun every \f(CW\fP seconds\&. The number of seconds until the next rerun is restricted by \fBstealth\fP to a value of at least 60\&.
However, using the \f(CW\-\-rerun pidfile\fP option another integrity scan can be requested from a \fBstealth\fP daemon after a shorter interval\&.
.IP
When \f(CW\-\-daemon\fP is specified the scan is performed just once, after which \fBstealth\fP waits until another integrity scan is requested using the \fBstealth\fP \f(CW\-\-rerun pidfile\fP invocation\&.
.IP
.IP o
Next, the controller opens a command shell on the client using \fBssh\fP(1), and a command shell on itself using \fBsh\fP(1)\&.
.IP
.IP o
Once the command shells are available, commands defined in the policy file are executed in their order of appearance\&. Examples are given below\&. Normally, return values of the programs are tested\&. When return values are tested \fBstealth\fP terminates when a non\-zero return value is received\&. If this happens, a message stating the reason why \fBstealth\fP terminated is written to the report file (and into the mail message sent by \fBstealth\fP)\&. In some cases (e\&.g\&., when the report file could not be written), the message is written to the standard error stream\&.
.IP
.IP o
In most cases, integrity tests can be controlled using the \fBfind\fP(1) program, calling programs like \fBls\fP(1), \fBsha1sum\fP(1) or its own \f(CW\-printf\fP method to produce file\-integrity related statistics\&. Most of these programs write file names at the end of generated lines\&. This characteristic is used by an internal routine of \fBstealth\fP to detect changes in the generated output, which could indicate some harmful intent, like an installed \fIroot\-kit\fP\&.
.IP
.IP o
When changes are detected, they are logged in a \fIreport file\fP, to which information is always appended\&. \fBStealth\fP never reduces the report file\(cq\&s size or rewrites its contents\&. Whenever information is added to the report file (exceeding a plain time stamp) the appended information is e\-mailed to a configurable e\-mail address for further (human) processing\&.
Usually the e\-mail is sent to the systems manager of the tested client\&. \fBStealth\fP follows the `dark cockpit\(cq\& approach in the sense that no mail is sent when no changes were detected\&.
.IP
.IP o
When the \f(CW\-\-repeat\fP or \f(CW\-\-rerun\fP options are issued, the report file should not be rotated by, e\&.g\&., a log\-rotating process, but the report file may safely be rotated between a pair of \f(CW\-\-suspend\fP and \f(CW\-\-resume\fP commands\&.
.PP
.SH "REPORT FILE ROTATION"
Since \fBstealth\fP only appends information to the report file, the report file\(cq\&s size may eventually become prohibitively large, and log\-rotation may be desirable\&. It is of course possible to issue a \f(CW\-\-terminate\fP command, rotate the logfiles, and restart \fBstealth\fP, but \fBstealth\fP also offers a facility to temporarily suspend integrity scans performed by a \fBstealth\fP daemon process:
.IP o
Calling \fBstealth\fP with the option \f(CW\-\-suspend pidfile\fP suspends the daemon\(cq\&s integrity scans\&. If \fBstealth\fP is actually performing a series of integrity scans when \f(CW\-\-suspend\fP is issued, the currently executing command is first completed, after which the \f(CW\-\-suspend\fP command completes\&. Once the \fBstealth\fP daemon has been suspended, automatic or explicit integrity scan requests are denied, and the daemon can only be instructed to resume its scanning tasks (\fBstealth\fP \-\-resume pidfile) or to terminate (\fBstealth\fP \-\-terminate pidfile)\&.
.IP
.IP o
Once `\fBstealth\fP \f(CW\-\-suspend pidfile\fP\(cq\& has returned, the report file may safely be rotated (using, e\&.g\&., \fBlogrotate\fP(1)), and a new (empty) report file may optionally be created by the logrotation process\&.
.IP
.IP o
Once the log\-rotation has been completed, the log\-rotation process should issue the command `\fBstealth\fP \f(CW\-\-resume pidfile\fP\(cq\&\&. This resumes the activities of a suspended \fBstealth\fP daemon process, immediately performing the next integrity scan\&.
Following this the \fBstealth\fP daemon is back to its original integrity scanning mode\&. Here is an example of a \fBlogrotate\fP(1) specification rotating \fBstealth\fP log\-files:
.nf
/root/stealth/host/report {
    weekly
    rotate 12
    compress
    missingok
    prerotate
        /usr/bin/stealth \-\-suspend /run/stealth\&.host
    endscript
    postrotate
        /usr/bin/stealth \-\-resume /run/stealth\&.host
    endscript
}
.fi
.PP
.SH "RELOAD, RERUN AND TERMINATE"
.PP
Here is what happens when \fBstealth\fP is run using the second synopsis:
.IP o
When started as \fBstealth\fP \f(CW\-\-reload pidfile\fP, the \fBstealth\fP daemon process reloads its policy file and (if specified) its \f(CW\-\-skip\-files\fP specification file\&. Next the \fBstealth\fP daemon process performs a file integrity scan using the information in the re\-read policy and skip\-files files\&. \fBStealth\fP can reload the (modified) contents of the originally specified policy\- and skip\-files names\&. If another policy and/or skip\-files file must be used, another \fBstealth\fP process must be started, for which these new filenames are specified\&.
.IP
.IP o
When started as \fBstealth\fP \f(CW\-\-rerun pidfile\fP, the \fBstealth\fP daemon performs another scan (unless it has been suspended using \fBstealth\fP \f(CW\-\-suspend pidfile\fP)\&.
.IP
.IP o
When started as \fBstealth\fP \f(CW\-\-terminate pidfile\fP, the \fBstealth\fP daemon is terminated\&.
.PP
.SH "OPEN SSH LINK TO CLIENTS"
.PP
Once \fBstealth\fP is started as a foreground or daemon process performing file integrity scans, only one \fBssh\fP(1) connection is opened to the client\&. This connection remains active during \fBstealth\fP\(cq\&s lifetime to minimize the number of \fBsshd\fP entries caused by \fBstealth\fP in the client\(cq\&s log files\&.
.PP
.SH "THE POLICY FILE"
.PP
The policy file consists of two sections; the second section is optional, and starts at a line merely containing \f(CW%%\fP\&.
.PP
The policy file\(cq\&s first section consists of two sets of data: \fIuse directives\fP (starting with the keyword \fBUSE\fP) and \fIcommands\fP\&. Blank lines and information beyond hash\-marks (#) are ignored, while lines following lines terminating in backslashes (\e) are concatenated (\fIen passant\fP removing these trailing backslashes)\&. Initial white space on lines of the policy file is ignored\&.
.PP
The (optional) second section starts at a line merely containing \f(CW%%\fP\&. Following this separating line long option specifications can be entered (see below at section \fBOPTIONS\fP)\&.
.PP
.SH "DEFINE DIRECTIVES"
.PP
\fBDEFINE\fP directives are used to associate longer strings of text with certain symbols\&. E\&.g\&., after \f(CWDEFINE FINDARGS \-xdev \-type f \-exec /usr/bin/sha1sum {} \e;\fP the specification \f(CW${FINDARGS}\fP may be used in \fBUSE DIRECTIVES\fP and \fBcommands\fP (see below) to use the text associated with the \fBFINDARGS\fP symbol\&.
.PP
Note that \fBDEFINE\fP symbols may also be used in the definition of other \fBDEFINE\fP symbols\&. Direct or indirect circular definitions should be avoided, as they are either not or incompletely expanded\&.
.PP
.SH "USE DIRECTIVES"
.PP
The following \fBUSE\fP directives may be specified (directives are written in capitals, and should appear exactly as written below: letter casing is preserved)\&. Specifications in angular brackets (like \f(CW\fP) represent specifications to be provided by \fBstealth\fP\(cq\&s users:
.IP o
\fBUSE BASE\fP \f(CW\fP
.br
\fBBASE\fP defines the directory from where \fBstealth\fP operates\&. All subsequent relative path specifications are interpreted relative to \fBBASE\fP\&. \fIBy default\fP this is the directory where \fBstealth\fP was started\&.
.br
\fBBASE\fP and other non\-existing paths are created automatically by \fBstealth\fP if not yet existing\&.
.br
Example:
.br
\f(CWUSE BASE /root/client\fP
.IP
.IP o
\fBUSE DD\fP \f(CW\fP
.br
The \fBDD\fP specification uses \f(CW/bin/dd\fP as default, and defines the location of the \fBdd\fP(1) program, both on the server and on the client\&. The \fBDD\fP program is used to copy files between the client and the controller over the existing ssh\-connection\&. The program specified here is only used by \fBstealth\fP when executing \f(CWPUT\fP and \f(CWGET\fP commands (described below)\&.
.br
Example showing the default:
.br
\f(CWUSE DD /bin/dd\fP
.IP
.IP o
\fBUSE DIFF\fP \f(CW\fP
.br
The default \fBDIFF\fP specification uses \f(CW/usr/bin/diff\fP, and defines the location of the \fBdiff\fP(1) program on the controller\&. The \fBdiff\fP(1) program is used to compare a formerly created logfile of an integrity check with a newly created logfile\&.
.br
Example showing the default:
.br
\f(CWUSE DIFF /usr/bin/diff\fP
.IP
.IP o
\fBUSE DIFFPREFIX\fP \f(CW\fP
.br
The \fBDIFFPREFIX\fP specification defines the size of the prefix added by the \f(CWDIFF\fP command to lines produced by commands executed through \fBstealth\fP\&.
.IP
The default \f(CW/usr/bin/diff\fP program prefixes lines by either `\f(CW> \fP\(cq\& or `\f(CW< \fP\(cq\&\&. The default value for \f(CW\fP is therefore equal to 2\&.
.br
Example showing the default:
.br
\f(CWUSE DIFFPREFIX 2\fP
.IP
.IP o
\fBUSE EMAIL\fP \f(CW\fP
.br
The \fBEMAIL\fP specification defines the email\-address to receive the report of the integrity scan of the client\&. The `dark cockpit\(cq\& philosophy is followed here: mail is only sent when a modification is detected\&.
.br
Example showing the default (apparently an email address on the controller):
.br
\f(CWUSE EMAIL root\fP
.IP
.IP o
\fBUSE MAILER\fP \f(CW\fP
.br
The \fBMAILER\fP specification defines the program used to send e\-mail to the \fBEMAIL\fP\-address\&. Contrary to \fBDIFF\fP and \fBDD\fP and (see below) \fBSH\fP and \fBSSH\fP, \fBMAILER\fP is run as a \f(CW/bin/sh\fP command, to allow shell\-scripts to process the mail too\&. By default \fBMAILER\fP is defined as \fB/usr/bin/mail\fP\&. \fBMAILER\fP is called with the following arguments:
.br
\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-
.br
\fBMAILARGS\fP, see below;
.br
\fBEMAIL\fP, the addressee of the mail\&.
.br
\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-
.br
Example showing the default:
.br
\f(CWUSE MAILER /usr/bin/mail\fP
.IP
As an alternative, the script \f(CWstealthmail\fP is provided\&. It offers a convenient filter sorting \fBstealth\fP\(cq\&s output and keeping only lines containing the text \f(CWADDED\fP, \f(CWMODIFIED\fP, \f(CWREMOVED\fP or \f(CWSTEALTH\fP\&. Usually these lines are the ones system managers are interested in\&. The report and log files can always be consulted to determine the actual nature of the changes\&.
.IP
.IP o
\fBUSE MAILARGS\fP \f(CW\fP
.br
The \fBMAILARGS\fP specification defines the arguments that are passed to \f(CWMAILER\fP, followed by the \f(CWEMAIL\fP specification\&.
.br
Example showing the default:
.br
\f(CWUSE MAILARGS \-s \(dq\&STEALTH scan report\(dq\&\fP
.br
Note that blanks may be used in the subject specification: use double or single quotes to define elements containing blanks\&.
Use \f(CW\e\(dq\&\fP to use a double quote in a string that itself is delimited by double quotes; use \f(CW\e\(cq\&\fP to use a single quote in a string that itself is delimited by single quotes\&.
.IP
.IP o
\fBUSE REPORT\fP \f(CW\fP
.br
\fBREPORT\fP defines the name of the reportfile\&. Information is always appended to this file\&. At each \fBstealth\fP integrity scan a \fItime marker line\fP is written to the report file\&. Only when (in addition to the marker line) additional information is appended to the report file are the added contents of the report file mailed to the mail address specified in the \fBUSE EMAIL\fP specification\&.
.br
Example showing the default:
.br
\f(CWUSE REPORT report\fP
.IP
.IP o
\fBUSE SH\fP \f(CW\fP
.br
The \fBSH\fP specification uses \f(CW/bin/sh\fP as default, and defines the command shell used by the controller to execute commands on itself\&.
.br
Example showing the default:
.br
\f(CWUSE SH /bin/sh\fP
.IP
.IP o
\fBUSE SSH\fP \f(CW\fP
.br
\fBThe SSH specification has no default\fP, and \fImust\fP be specified\&. Assuming the client \fItrusts\fP the controller (which is, after all, what this program is all about; so this should not be a very strong assumption), preferably the public ssh\-identity key of the controller should be placed in the client\(cq\&s root \f(CW\&.ssh/authorized_keys\fP file, granting the controller root access to the client\&. Root access is normally needed to gain access to all directories and files of the client\(cq\&s file system\&.
.IP
In practice, connecting to an account using the \fBsh\fP(1) shell is preferred\&. When another shell is already used by that account, one should make sure that that shell doesn\(cq\&t define its own redirections for standard input and standard output\&. One way to accomplish that is to force the execution of \f(CW/bin/sh\fP in the \fBUSE SSH\fP specification\&.
Examples:
.nf
# root\(cq\&s shell is /bin/sh:
USE SSH root@client \-T \-q

# root uses another shell
USE SSH root@client \-T \-q exec /bin/bash

# an alternative:
USE SSH root@client \-T \-q exec /bin/bash \-\-noprofile
.fi
.PP
In some installations \fBstealth\fP is used to inspect the computer itself, even though this is \fInot\fP recommended, as it breaks one of the main reasons for \fBstealth\fP\(cq\&s existence\&. In situations where \fBstealth\fP is used to monitor the integrity of the \f(CWlocalhost\fP, \f(CW/bin/bash\fP could be specified with the \f(CWUSE SSH\fP directive\&. For example:
.nf
# For stealth inspecting localhost:
USE SSH /bin/bash \-\-noprofile
.fi
.PP
.SH "COMMANDS"
.PP
Following the \fBUSE\fP specifications, \fIcommands\fP can be specified\&. The commands are executed in their order of appearance in the policy file\&. Processing continues until the last command has been processed or until a tested command (see below) returns a non\-zero return value\&.
.PP
.SH "LABEL COMMANDS"
.PP
The following \fBLABEL\fP commands are available:
.IP o
\fBLABEL\fP \f(CWtext\fP
.br
This defines a text\-label which is written to the \fBREPORT\fP file, in front of the output generated by the next \fBCHECK\fP\-command\&. If the next \fBCHECK\fP\-command generates no output, the text\-label is not written to the \fBREPORT\fP\-file\&. Once a \fBLABEL\fP has been defined, it is used until it is redefined by the next \fBLABEL\fP\&. Use an empty \fBLABEL\fP specification to suppress the printing of labels\&.
.IP
The text may contain \f(CW\en\fP characters (two characters) which are transformed to a newline character\&.
.IP
Example:
.br
\f(CWLABEL Inspecting files in /etc\enIncluding subdirectories\fP
.br
\f(CWLABEL\fP
.br
(In this example the latter \fBLABEL\fP specification erases the former label text)\&.
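.PP
The policy\-file syntax described in the sections \fBTHE POLICY FILE\fP and \fBDEFINE DIRECTIVES\fP (hash\-mark comments, ignored initial white space, backslash continuation lines, \fBDEFINE\fP symbols usable inside other \fBDEFINE\fP symbols, and the \f(CW%%\fP separator) can be exercised with the following parser\&. It is an added example written for this page in POSIX shell and awk, not code from the \fBstealth\fP distribution\&. It assumes the \f(CWDEFINE NAME text\fP form shown in the manual\(cq\&s example, and it rejects undefined or circular \fBDEFINE\fP references with a message rather than expanding them incompletely; the function names and the sample policy are the example\(cq\&s own constructions\&.

```shell
#!/bin/sh
# Added example, not part of stealth: a small parser for the policy-file
# syntax: '#' comments and initial blanks are dropped, lines ending in a
# backslash are joined with the next line, DEFINE symbols are recorded and
# ${NAME} references expanded, and the logical lines of one section are
# printed (1: USE directives and commands, 2: long options after '%%').

# parse_policy POLICYFILE SECTION  -> prints the logical lines of SECTION
parse_policy() {
    awk -v want="$2" '
        # Replace every ${NAME} in s by its DEFINE text. Definitions are
        # stored fully expanded, so an undefined name here also covers the
        # direct and indirect circular cases the manual warns about.
        function expand(s,    pos, n, name) {
            while ((pos = index(s, "${")) > 0) {
                n = index(substr(s, pos), "}")      # length of "${NAME}"
                if (n == 0) break                     # unterminated: leave as is
                name = substr(s, pos + 2, n - 3)
                if (!(name in def)) {
                    printf "STEALTH: undefined or circular DEFINE symbol %s\n", name > "/dev/stderr"
                    exit 1
                }
                s = substr(s, 1, pos - 1) def[name] substr(s, pos + n)
            }
            return s
        }
        BEGIN { section = 1; acc = "" }
        {
            line = $0
            sub(/#.*/, "", line)                # text beyond a hash mark is ignored
            sub(/^[ \t]+/, "", line)            # initial white space is ignored
            sub(/[ \t]+$/, "", line)
            if (line ~ /\\$/) {                 # trailing backslash: continue on next line
                acc = acc substr(line, 1, length(line) - 1)
                next
            }
            line = acc line; acc = ""
            if (line == "") next                # blank or comment-only lines are ignored
            if (line == "%%") { section = 2; next }
            if (section == 1 && line ~ /^DEFINE[ \t]/) {
                match(line, /^DEFINE[ \t]+[^ \t]+[ \t]*/)
                split(line, f, /[ \t]+/)
                def[f[2]] = expand(substr(line, RLENGTH + 1))
                next
            }
            if (section == want) {
                if (section == 1) line = expand(line)
                print line
            }
        }
    ' "$1"
}

# write_sample_policy PATH: writes a constructed policy file (not a real
# deployment) exercising comments, continuation lines, DEFINE and '%%'.
write_sample_policy() {
    cat > "$1" <<'EOF'
# constructed sample policy for the parser above
DEFINE FINDARGS -xdev -type f -exec /usr/bin/sha1sum {} \;
DEFINE SUID -perm /6111 ${FINDARGS}     # a DEFINE used inside a DEFINE
USE BASE /root/client
USE SSH root@client -T -q exec /bin/bash --noprofile
LABEL Checking suid/sgid executables
CHECK LOG = remote/sha1.root \
    /usr/bin/find / \
    ${SUID}
%%
--repeat 3600
--syslog
EOF
}

# Prints section 1 of the constructed sample policy, fully expanded.
demo_parse() {
    pol=$(mktemp)
    write_sample_policy "$pol"
    parse_policy "$pol" 1
    rm -f "$pol"
}
demo_parse
```
.PP
Running the block prints four logical lines for section 1; the \fBCHECK\fP command comes out on one line with both \fBDEFINE\fP symbols expanded, and the two \fBDEFINE\fP lines themselves are consumed rather than printed, which matches what \fBstealth\fP \f(CW\-\-parse\-policy\-file\fP is described as showing: the numbered commands\&.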
.PP
.SH "LOCAL COMMANDS"
.PP
\fBLOCAL\fP commands are executed on the controller itself:
.IP o
\fBLOCAL\fP \f(CWcommand\fP
.br
Execute \f(CWcommand\fP on the controller, using the \fBSH\fP command shell\&. The command must succeed (i\&.e\&., must return a zero exit value)\&.
.br
Example:
.br
\f(CWLOCAL scp rootsh@client:/usr/bin/sha1sum /tmp\fP
.br
This command copies the client\(cq\&s \fBsha1sum\fP(1) program to the controller\&.
.IP
.IP o
\fBLOCAL NOTEST\fP \f(CWcommand\fP
.br
Execute \f(CWcommand\fP on the controller, using the \fBSH\fP command shell\&. The command may or may not succeed\&.
.br
Example:
.br
\f(CWLOCAL NOTEST mkdir /tmp/subdir\fP
.br
This command creates \f(CW/tmp/subdir\fP on the controller\&. The command fails if the directory cannot be created, but this does not terminate \fBstealth\fP\&.
.IP
.IP o
\fBLOCAL CHECK\fP [\fBLOG =\fP] \f(CWlogfile [pathOffset] command\fP
.br
Execute \f(CWcommand\fP on the controller, using the \fBSH\fP command shell\&. The command must succeed\&. The output of this command is compared to the output of this command generated during the previous integrity check run by \fBstealth\fP\&.
.IP
The phrase \fBLOG =\fP is optional\&. \f(CWpathOffset\fP is also optional\&. If specified it defines the (0\-based) offset where path\-names of inspected files start in lines produced by \f(CWcommand\fP\&. By default \fBstealth\fP assumes that the first occurrence of a forward slash defines the first character of the path\-names of inspected files\&.
.IP
For example, if diff\-output looks like this:
.nf
01234567890123456789012345678901234567890  (column offsets)
33c33
< 90d8b506d249634c4ff80b9018644567  filename\-specification
\-\-\-
> b88d0b77db74cc4a742d7bc26cdd2a1e  filename\-specification
.fi
then the specification
.nf
LOCAL CHECK logfile 36 command\-to\-be\-executed
.fi
informs \fBstealth\fP where to find the filename specifications in the diff\-output\&.
Using the standard \f(CW/usr/bin/diff\fP command, this offset equals 2 + the offset of the \f(CWfilename\-specification\fP in the lines produced by \f(CWcommand\-to\-be\-executed\fP\&.
.IP
Any differences between the previous and current output are written to \fBREPORT\fP\&. If differences were found, the existing \f(CWlogfile\fP is renamed to \f(CWlogfile\&.YYMMDD\-HHMMSS\fP, with \f(CWYYMMDD\-HHMMSS\fP the (UTC) datetime\-stamp at the time \fBstealth\fP was run\&.
.IP
Note that eventually many \f(CWlogfile\&.YYMMDD\-HHMMSS\fP files could be created: it is up to the controller\(cq\&s systems manager to decide what to do with old datetime\-stamped logfiles\&.
.IP
The \f(CWlogfile\fP specifications may use relative and absolute paths\&. When relative paths are used, these paths are relative to \fBBASE\fP\&. When the directories implied by the \f(CWlogfile\fP specifications do not yet exist, they are created first\&.
.IP
Example:
.br
\f(CWLOCAL CHECK LOG = local/sha1sum sha1sum /tmp/sha1sum\fP
.br
This command checks the SHA1 sum of the \f(CW/tmp/sha1sum\fP program\&. The resulting output is saved at \fBBASE\fP\f(CW/local/sha1sum\fP\&. The program must succeed (i\&.e\&., \f(CWsha1sum\fP must return a zero exit\-value)\&.
.IP
.IP o
\fBLOCAL NOTEST CHECK\fP [\fBLOG =\fP] \f(CWlogfile [pathOffset] command\fP
.br
Execute \f(CWcommand\fP on the controller, using the \fBSH\fP command shell\&. The command may or may not succeed\&. Otherwise, the command performs exactly like the \fBLOCAL CHECK \&.\&.\&.\fP command, discussed above\&.
.IP
Example:
.br
\f(CWLOCAL NOTEST CHECK LOG=local/sha1sum sha1sum /tmp/sha1sum\fP
.br
This command checks the SHA1 sum of the \f(CW/tmp/sha1sum\fP program\&. The resulting output is saved at \fBBASE\fP\f(CW/local/sha1sum\fP\&. The program need not succeed (i\&.e\&., a non\-zero exit\-value of \f(CWsha1sum\fP does not terminate \fBstealth\fP)\&.
.PP
Note that the \fBscp\fP(1) command can be used to copy files between the client and the controller, using a local command\&.
This, however, is discouraged, as a separate \fBssh\fP(1)\-connection is required for each separate \fBscp\fP(1) command\&. This subtlety was brought to the author\(cq\&s attention by Hopko Meijering (\f(CWh\&.meijering@rug\&.nl\fP)\&.
.PP
New \fBssh\fP(1) connections may be difficult to establish if the used ssh\-key is passphrase\-protected (but it is not impossible to do so, see e\&.g\&., \fBssh\-cron\fP(1)), and using an ssh\-key without a passphrase is discouraged as client computers are immediately compromised too, once the controller is compromised\&. Furthermore, using \fBscp\fP(1) results in several additional entries showing \fBsshd\fP(1) connections in the client\(cq\&s logfiles, which in turn may disclose information that the client is intensively monitored\&.
.PP
To copy files between the client and the controller, the \f(CWGET\fP and \f(CWPUT\fP commands (described below) should be used instead, as these commands use the existing \fBssh\fP(1) connection\&. In general, \f(CWLOCAL\fP commands should not be used to establish additional \fBssh\fP(1) connections to a client\&.
.PP
.SH "REMOTE COMMANDS"
.PP
Remote commands are commands executed on the client using the \fBSSH\fP shell\&. These commands are executed using the standard \f(CWPATH\fP set for the \fBSSH\fP shell\&. However, it is advised to specify the full pathname to the programs to be executed, to prevent ``trojan approaches\(cq\&\(cq\& where a trojan horse is installed in an `earlier\(cq\& directory of the \f(CWPATH\fP\-specification than the intended program\&.
.PP
Two special remote commands are \f(CWGET\fP and \f(CWPUT\fP, which can be used to copy files between the client and the controller\&. Internally, \f(CWGET\fP and \f(CWPUT\fP use the \f(CWDD\fP specification\&. If a non\-default specification is used, one should ensure that the alternate program accepts \fBdd\fP(1)\(cq\&s \f(CWif=, of=, bs=\fP and \f(CWcount=\fP options\&.
With \f(CWGET\fP the options \f(CWbs=, count=\fP and \f(CWof=\fP are used, with \f(CWPUT\fP the options \f(CWbs=, count=\fP and \f(CWif=\fP are used\&. Normally there should be no need to alter the default \f(CWDD\fP specification\&.
.PP
The \f(CWGET\fP command may be used as follows:
.IP o
\fBGET\fP \f(CWclient\-path local\-path\fP
.br
Copy the file indicated by \f(CWclient\-path\fP at the client to \f(CWlocal\-path\fP at the controller\&. \f(CWclient\-path\fP must be the full path of an existing file on the client; \f(CWlocal\-path\fP may either be a local directory, in which case the client\(cq\&s file name is used, or another file name may be specified, in which case the client\(cq\&s file is copied to the specified local filename\&. If the local file already exists, it is overwritten by the copy\-procedure\&.
.IP
Example:
.br
\f(CWGET /usr/bin/sha1sum /tmp\fP
.br
The program \f(CW/usr/bin/sha1sum\fP, available at the client, is copied to the controller\(cq\&s \f(CW/tmp\fP directory\&. If, for whatever reason, copying fails, then \fBstealth\fP terminates\&.
.IP
.IP o
\fBGET NOTEST\fP \f(CWclient\-path local\-path\fP
.br
Copy the file indicated by \f(CWclient\-path\fP at the client to \f(CWlocal\-path\fP at the controller\&. \f(CWclient\-path\fP must be the full path of an existing file on the client; \f(CWlocal\-path\fP may either be a local directory, in which case the client\(cq\&s file name is used, or another file name may be specified, in which case the client\(cq\&s file is copied to the specified local filename\&. If the local file already exists, it is overwritten by the copy\-procedure\&.
.IP
Example:
.br
\f(CWGET NOTEST /usr/bin/sha1sum /tmp\fP
.br
The program \f(CW/usr/bin/sha1sum\fP, available at the client, is copied to the controller\(cq\&s \f(CW/tmp\fP directory\&. Remaining commands in the policy file are executed, even if the copying process wasn\(cq\&t successful\&.
.PP
The \f(CWPUT\fP command may be used as follows:
.IP o
\fBPUT\fP \f(CWlocal\-path remote\-path\fP
.br
Copy the file indicated by \f(CWlocal\-path\fP at the controller to \f(CWremote\-path\fP at the client\&. The argument \f(CWlocal\-path\fP must be the full path of an existing file on the controller\&. The argument \f(CWremote\-path\fP must be the full path to a file on the client\&. If the remote file already exists, it is overwritten by \f(CWPUT\fP\&.
.IP
Example:
.br
\f(CWPUT /tmp/sha1sum /usr/bin/sha1sum\fP
.br
The program \f(CW/tmp/sha1sum\fP, available at the controller, is copied to the client as \f(CW/usr/bin/sha1sum\fP\&. If the copying fails, \fBstealth\fP terminates\&.
.IP
.IP o
\fBPUT NOTEST\fP \f(CWlocal\-path remote\-path\fP
.br
Copy the file indicated by \f(CWlocal\-path\fP at the controller to \f(CWremote\-path\fP at the client\&. The argument \f(CWlocal\-path\fP must be the full path of an existing file on the controller\&. The argument \f(CWremote\-path\fP must be the full path to a file on the client\&. If the remote file already exists, it is overwritten by \f(CWPUT\fP\&.
.IP
Example:
.br
\f(CWPUT NOTEST /tmp/sha1sum /usr/bin/sha1sum\fP
.br
The program \f(CW/tmp/sha1sum\fP, available at the controller, is copied to the client as \f(CW/usr/bin/sha1sum\fP\&. Remaining commands in the policy file are executed, even if the copying process wasn\(cq\&t successful\&.
.PP
Plain commands can be executed on the client computer by merely specifying them\&. Of course, this implies that programs on the client which are named, e\&.g\&., \f(CWLABEL\fP, \f(CWLOCAL\fP or \f(CWUSE\fP, cannot be executed, since these names are interpreted otherwise by \fBstealth\fP\&. It\(cq\&s unlikely that this restriction presents much of a problem\&.
.PP
The following commands are available for execution on the client:
.IP o
\f(CWcommand\fP
.br
Execute \f(CWcommand\fP on the client, using the \fBSSH\fP command shell\&. The command must succeed (i\&.e\&., must return a zero exit value)\&. However, any output generated by the command is ignored\&.
.br
Example:
.br
\f(CW/usr/bin/find /tmp \-type f \-exec /bin/rm {} \e;\fP
.br
This command will remove all ordinary files in and below the client\(cq\&s \f(CW/tmp\fP directory\&.
.IP
.IP o
\fBNOTEST\fP \f(CWcommand\fP
.br
Execute \f(CWcommand\fP on the client, using the \fBSSH\fP command shell\&. The command may or may not succeed\&.
.br
Example:
.br
\f(CWNOTEST /usr/bin/find /tmp \-type f \-exec /bin/rm {} \e;\fP
.br
Same as the previous command, but this time the exit value of \f(CW/usr/bin/find\fP is not interpreted\&.
.IP
.IP o
\fBCHECK\fP [\fBLOG =\fP] \f(CWlogfile [pathOffset] command\fP
.br
Execute \f(CWcommand\fP on the client, using the \fBSSH\fP command shell\&. The phrase \fBLOG =\fP is optional\&. The \f(CW[pathOffset]\fP specification is also optional, and has the same meaning as for the \f(CWLOCAL CHECK\fP command, described above\&. The command must succeed\&. The output of this command is compared to the output of this command generated during the previous run of \fBstealth\fP\&. Any differences are written to \fBREPORT\fP\&. If differences were found, the existing \f(CWlogfile\fP is renamed to \f(CWlogfile\&.YYMMDD\-HHMMSS\fP, with \f(CWYYMMDD\-HHMMSS\fP the datetime\-stamp at the time \fBstealth\fP was run\&.
.IP
Note that the command is executed on the client, but the logfile is kept on the controller\&. This command represents the core of the method implemented by \fBstealth\fP: there will be no residues of the actions performed by \fBstealth\fP on the client computers\&.
.IP
Several examples (note the use of the backslash as line continuation character):
.IP
\f(CWCHECK LOG = remote/ls\&.root \e\fP
.br
\f(CW    /usr/bin/find / \e\fP
.br
\f(CW        \-xdev \-perm /6111 \-type f \-exec /bin/ls \-l {} \e;\fP
.IP
All suid/gid/executable files on the same device as the root\-directory (/) on the client computer are listed with their permissions, owner and size information\&. The resulting listing is written to the file \fBBASE\fP\f(CW/remote/ls\&.root\fP\&.
.IP
\f(CWCHECK remote/sha1\&.root \e\fP
.br
\f(CW    /usr/bin/find / \e\fP
.br
\f(CW        \-xdev \-perm /6111 \-type f \-exec /usr/bin/sha1sum {} \e;\fP
.IP
The SHA1 checksums of all suid/gid/executable files on the same device as the root\-directory (/) on the client computer are determined\&. The resulting listing is written to the file \fBBASE\fP\f(CW/remote/sha1\&.root\fP\&.
.IP
.IP o
\fBNOTEST CHECK\fP [\fBLOG =\fP] \f(CWlogfile [pathOffset] command\fP
.br
Execute \f(CWcommand\fP on the client, using the \fBSSH\fP command shell\&. The phrase \fBLOG =\fP is optional\&. The \f(CW[pathOffset]\fP is also optional, and has the same meaning as for the \f(CWLOCAL CHECK\fP command, described above\&. The command may or may not succeed\&. Otherwise, the program acts identically to the \fBCHECK \&.\&.\&.\fP command, described above\&.
.IP
Example:
.br
\f(CWNOTEST CHECK LOG = remote/sha1\&.root \e\fP
.br
\f(CW    /usr/bin/find / \e\fP
.br
\f(CW        \-xdev \-perm /6111 \-type f \-exec /usr/bin/sha1sum {} \e;\fP
.IP
The SHA1 checksums of all suid/gid/executable files on the same device as the root\-directory (/) on the client computer are determined\&. The resulting listing is written to the file \fBBASE\fP\f(CW/remote/sha1\&.root\fP\&. \fBstealth\fP does not terminate if the \f(CW/usr/bin/find\fP program returns a non\-zero exit value\&.
.PP
The maximum download size (using GET or CHECK) can be specified using the \f(CW\-\-max\-size\fP option, see below\&. By default this size is set at 10M\&.
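.PP
The bookkeeping behind \fBCHECK\fP and \fBLOCAL CHECK\fP (comparing a command\(cq\&s output with the previous logfile, locating path names with \f(CWpathOffset\fP or at the first forward slash, appending the differences to the report, and renaming the old logfile to \f(CWlogfile\&.YYMMDD\-HHMMSS\fP) can be followed on sample data with the shell script below\&. It is an added example written for this page, not code from the \fBstealth\fP distribution: the functions \f(CWcheck\fP, \f(CWclassify_diff\fP and \f(CWextract_paths\fP, the report file named by \f(CW$REPORT\fP, and the \f(CWfake_sha\fP/\f(CWfake_scan\fP stand\-ins that replace a real \fBfind\fP(1)/\fBsha1sum\fP(1) run with a constructed listing are all the example\(cq\&s own assumptions\&. It assumes the default \fBdiff\fP(1) with its two\-character `\f(CW< \fP\(cq\&/`\f(CW> \fP\(cq\& prefix (\fBUSE DIFFPREFIX 2\fP), and its ADDED/MODIFIED/REMOVED report lines use the words \f(CWstealthmail\fP filters on\&.

```shell
#!/bin/sh
# Added example, not part of stealth: a shell re-implementation of the
# CHECK / LOCAL CHECK bookkeeping on constructed data. Assumes the default
# diff(1) prefix of 2 characters and a report file named by $REPORT.

# extract_paths PREFIX DIFFFILE [PATHOFFSET]
# Prints the path names found on the diff lines starting with PREFIX.
# With PATHOFFSET the path starts at that 0-based column of the diff line;
# without it, the first forward slash starts the path (stealth's default).
extract_paths() {
    prefix=$1; difffile=$2; offset=$3
    if [ -n "$offset" ]; then
        grep "^$prefix" "$difffile" | cut -c"$((offset + 1))-" | sort -u
    else
        grep "^$prefix" "$difffile" | sed 's|^[^/]*||' | sort -u
    fi
    return 0    # no matching lines is not an error
}

# classify_diff DIFFFILE [PATHOFFSET]
# One REMOVED:/ADDED:/MODIFIED: line per affected path: a path only in the
# old output was removed, only in the new output was added, in both it changed.
classify_diff() {
    difffile=$1; offset=$2
    extract_paths '< ' "$difffile" "$offset" > "$difffile.old"
    extract_paths '> ' "$difffile" "$offset" > "$difffile.new"
    comm -23 "$difffile.old" "$difffile.new" | sed 's/^/REMOVED: /'
    comm -13 "$difffile.old" "$difffile.new" | sed 's/^/ADDED: /'
    comm -12 "$difffile.old" "$difffile.new" | sed 's/^/MODIFIED: /'
    rm -f "$difffile.old" "$difffile.new"
}

# check LOGFILE PATHOFFSET COMMAND...
# Runs COMMAND, compares its output with LOGFILE (the previous run's output),
# appends differences to $REPORT, keeps the old log as LOGFILE.YYMMDD-HHMMSS
# (UTC) and installs the new output as LOGFILE.
# Returns 0 when unchanged, 1 when changes were reported, 2 when COMMAND failed.
check() {
    logfile=$1; offset=$2; shift 2
    mkdir -p "$(dirname "$logfile")"
    if ! "$@" > "$logfile.new"; then
        echo "STEALTH: command failed: $*" >> "$REPORT"
        rm -f "$logfile.new"
        return 2
    fi
    if [ ! -f "$logfile" ]; then             # first run: nothing to compare with
        mv "$logfile.new" "$logfile"
        return 0
    fi
    if diff "$logfile" "$logfile.new" > "$logfile.diff"; then
        rm -f "$logfile.new" "$logfile.diff"
        return 0
    fi
    classify_diff "$logfile.diff" "$offset" >> "$REPORT"
    rm -f "$logfile.diff"
    mv "$logfile" "$logfile.$(date -u +%y%m%d-%H%M%S)"
    mv "$logfile.new" "$logfile"
    return 1
}

# Constructed stand-ins for "find / ... -exec sha1sum {} \;": fake_sha prints
# one sha1sum-style line (40 hex digits, two blanks, path) with a made-up
# hash, fake_scan prints whatever listing $SCAN_OUTPUT currently holds.
fake_sha()  { printf '%040x  %s\n' "$1" "$2"; }
fake_scan() { printf '%s\n' "$SCAN_OUTPUT"; }

# Two simulated runs: /usr/bin/su changes, /usr/bin/sudo disappears and
# /usr/bin/ping appears. sha1sum puts the path at column 42; adding the
# 2-character diff prefix gives pathOffset 44.
demo() {
    work=$(mktemp -d); REPORT="$work/report"; : > "$REPORT"
    SCAN_OUTPUT=$(fake_sha 1 /usr/bin/passwd; fake_sha 2 /usr/bin/su; fake_sha 3 /usr/bin/sudo)
    check "$work/remote/sha1.root" 44 fake_scan            # baseline run
    SCAN_OUTPUT=$(fake_sha 1 /usr/bin/passwd; fake_sha 255 /usr/bin/su; fake_sha 4 /usr/bin/ping)
    check "$work/remote/sha1.root" 44 fake_scan || true    # differences expected
    cat "$REPORT"; ls "$work/remote"
    rm -rf "$work"
}
demo
```
.PP
The second \f(CWcheck\fP call leaves three report lines (one REMOVED, one ADDED, one MODIFIED) and two files in \f(CWremote/\fP: the fresh \f(CWsha1\&.root\fP and the datetime\-stamped copy of the previous one\&. A run whose output is unchanged adds nothing to the report, which is the `dark cockpit\(cq\& behaviour the manual describes\&.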
.PP
.SH "OPTIONS"
.PP
Short options are provided between parentheses, immediately following their long option equivalents\&. Option descriptions starting with (C) can only be used on the command\-line, and are ignored when specified in the second section of the policy file\&.
.PP
.IP o
\f(CW\-\-daemon (\-d) pidfile\fP: (C) run as background (daemon) process\&. \f(CWpidfile\fP specifies the absolute filename of the pid\-file used for communication with the daemon process;
.IP o
\f(CW\-\-dry\-run\fP: (C) no integrity scans or reloads are performed, but they are assumed OK\&. Remaining tasks are performed normally;
.IP o
\f(CW\-\-help (\-h)\fP: (C) Display help information and exit;
.IP o
\f(CW\-\-log (\-L) path\fP: log messages are appended to `path\(cq\&\&. If path does not exist, it is first created;
.IP o
\f(CW\-\-logmail\fP: mail sent by \fBstealth\fP is logged (requires \f(CW\-\-log\fP or \f(CW\-\-syslog\fP);
.IP o
\f(CW\-\-max\-size [BKMG]\fP: files retrieved by \f(CWGET\fP commands may at most have \f(CW\fP bytes (B), KBytes (K), MBytes (M), GBytes (G)\&. The default size is 10M, the default unit is B;
.IP o
\f(CW\-\-no\-mail\fP: mail is not sent\&. By default mail is sent as configured in the policy\-file (\f(CW\-\-logmail\fP can be specified independently from \f(CW\-\-no\-mail\fP);
.IP o
\f(CW\-\-parse\-policy\-file (\-p)\fP: (C) parse the policy file, after which \fBstealth\fP ends\&.
.br
Specify once to see the numbered commands;
.br
twice to see the policy file parsing steps as well\&.
.br
Results are written to the std\&. output;
.IP o
\f(CW\-\-random\-interval (\-i) [m]\fP: start the scan a random interval of \f(CW\fP seconds (or minutes if an `m\(cq\& is appended (no blanks) to the number) following the delay specified at \f(CW\-\-repeat\fP (see below)\&. This option requires specification of the \f(CW\-\-repeat\fP option;
.IP o
\f(CW\-\-reload pidfile\fP: (C) reloads the configuration and skip\-files and restarts the scan of the \fBstealth\fP daemon process;
.IP o
\f(CW\-\-repeat \fP: wake up and perform an integrity scan at interrupts or after \f(CW\fP seconds (or minutes if an `m\(cq\& is appended (no blanks) to the number) after completing the previous integrity scan\&. The option \f(CW\-\-random\-interval\fP can be used to add a random delay to \f(CW\fP until the next integrity scan is performed;
.IP o
\f(CW\-\-rerun pidfile\fP: start executing the integrity scan commands that are specified in the \fBstealth\fP daemon process\(cq\&s policy file;
.IP o
\f(CW\-\-resume pidfile\fP: (C) resume a suspended \fBstealth\fP process, implies \f(CW\-\-rerun\fP;
.IP o
\f(CW\-\-run\-command (\-r) \fP: (C) Only execute command number (natural number)\&. Command numbers are shown by \fBstealth\fP \f(CW\-\-parse\-policy\-file\fP;
.IP o
\f(CW\-\-skip\-files (\-s) skippath\fP: all entries in \f(CWskippath\fP (specified using an \fIabsolute path\fP) are skipped\&. Their integrity is not monitored\&. If an entry is already present in a log file then \fBstealth\fP once generates an \f(CWIGNORING\fP message in the mail sent to the address specified at \f(CWEMAIL\fP in the policy file\&. Each entry mentioned in \f(CWskippath\fP must be on a line of its own and must be specified using absolute paths\&. Entries ending in a slash are assumed to be directories whose full contents must be skipped\&. Other entries are interpreted as the path names of files to skip\&. Initial and trailing blanks, empty lines and lines having a \f(CW#\fP as their first non\-blank character are ignored;
.IP o
\f(CW\-\-stdout (\-o)\fP: messages are (also) written to the std\&. output stream (not available in combination with option \f(CW\-\-daemon\fP);
.IP o
\f(CW\-\-suspend pidfile\fP: (C) suspends a currently active \fBstealth\fP process\&. Use \f(CW\-\-resume\fP to re\-activate a \fBstealth\fP daemon or \f(CW\-\-terminate\fP to end a \fBstealth\fP daemon;
.IP o
\f(CW\-\-syslog\fP: write syslog messages;
.IP o
\f(CW\-\-syslog\-facility \fP: syslog facility to use\&.
By default facility DAEMON is used;
.IP o
\f(CW\-\-syslog\-priority \fP: syslog priority to use\&. By default priority NOTICE is used;
.IP o
\f(CW\-\-syslog\-tag \fP: \f(CW\fP specifies the identifier that is prefixed to syslog messages\&. By default the tag `STEALTH\(cq\& is used, see also the next section;
.IP o
\f(CW\-\-terminate pidfile\fP: (C) terminate a currently active \fBstealth\fP process;
.IP o
\f(CW\-\-time\-stamp (\-t) \fP: the time\-stamps to use\&. By default UTC\&. To use the local time specify \f(CW\-\-time\-stamp LT\fP\&. The \f(CW\-\-time\-stamp\fP option does not apply to time\-stamps generated by syslog (see also the next section);
.IP o
\f(CW\-\-usage\fP: (C) Display help information and exit;
.IP o
\f(CW\-\-verbosity \fP: determines the amount of logged information\&. Requires option \f(CW\-\-log\fP or \f(CW\-\-syslog\fP\&. Possible values are:
.br
0: nothing is logged
.br
1: mode reports and policy commands
.br
2: also: ipc commands and actions
.br
3: also: integrity scan informative messages
.IP o
\f(CW\-\-version (\-v)\fP: (C) Display \fBstealth\fP\(cq\&s version information and terminate;
.PP
.IP o
\f(CWpidfile\fP: absolute filename of a file that is used for communication with a \fBstealth\fP daemon process;
.IP o
\f(CWpolicy\fP: path to the policy file;
.PP
Only one of the options \f(CW\-\-daemon, \-\-reload, \-\-rerun, \-\-resume, \-\-suspend,\fP and \f(CW\-\-terminate\fP can be specified\&. The options \f(CW\-\-reload, \-\-rerun, \-\-resume, \-\-suspend,\fP and \f(CW\-\-terminate\fP ignore any other options\&.
.PP
The following options are still recognized for backward compatibility with \fBstealth\fP pre\-3\&.00 versions and will be removed in future versions\&. They generate error messages suggesting alternatives:
.PP
.IP o
\f(CW\-\-echo\-commands (\-e)\fP: echo commands to std error when they are processed; use \f(CW\-\-log\fP instead\&.
.IP o
\f(CW\-\-keep\-alive\fP: run as a daemon; use \f(CW\-\-daemon\fP instead\&.
.IP o
\f(CW\-\-only\-stdout\fP: scan report is written to stdout; use \f(CW\-\-stdout\fP instead\&.
.IP o
\f(CW\-\-quiet (\-q)\fP: suppresses progress messages written to stderr; use \f(CW\-\-verbosity 0\fP instead\&.
.IP o
\f(CW\-\-suppress \fP: suppresses a currently active \fBstealth\fP process; use \f(CW\-\-suspend\fP instead\&.
.PP
The following options were discontinued starting with \fBstealth\fP version 3\&.00\&.00:
.IP o
\f(CW\-\-debug\fP (option \f(CW\-\-verbosity\fP or \f(CW\-\-dry\-run\fP could be used instead);
.IP o
\f(CW\-\-no\-child\-processes\fP;
.IP o
\f(CW\-\-parse\-config\-file\fP\&.
.PP
When specifying long options in policy files the initial hyphens should be omitted\&. Here are some examples:
.nf
%%
log /tmp/stealth\&.log
verbosity 3
.fi
.PP
.SH "RSYSLOG FILTERING"
.PP
When using \fBrsyslogd\fP(1), property based filters may be used to filter syslog messages and write them to a file of your choice\&. E\&.g\&., to filter messages starting with the syslog message tag (e\&.g\&., \f(CWSTEALTH\fP) use
.nf
:syslogtag, isequal, \(dq\&STEALTH:\(dq\& /var/log/stealth\&.log
:syslogtag, isequal, \(dq\&STEALTH:\(dq\& ~
.fi
Note that the colon is part of the tag, but is not specified with the \f(CWsyslog\-tag\fP option\&.
.PP
This causes all messages having the \f(CWSTEALTH:\fP tag to be written to \f(CW/var/log/stealth\&.log\fP, after which they are discarded\&. More extensive filtering is also supported, see, e\&.g\&., \f(CWhttp://www\&.rsyslog\&.com/doc/rsyslog_conf_filter\&.html\fP and \f(CWhttp://www\&.rsyslog\&.com/doc/property_replacer\&.html\fP
.PP
Time stamps written by \f(CWrsyslogd\fP are not controlled by \fBstealth\fP\(cq\&s \f(CW\-\-time\-stamp\fP option, but, e\&.g\&., by a \f(CWTZ\fP specification in \f(CW/etc/default/rsyslog\fP\&. Simply adding the line
.nf
export TZ=UTC
.fi
to \f(CW/etc/default/rsyslog\fP, followed by restarting \f(CWrsyslogd\fP, configures \f(CWrsyslogd\fP to generate time stamps using UTC\&.
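.PP
A reader for the \f(CW\-\-skip\-files\fP format described under \fBOPTIONS\fP above, as an added example that is not stealth\(cq\&s own code: it trims blanks, drops empty and \f(CW#\fP lines, treats entries ending in a slash as directory subtrees and other entries as exact file paths, and applies the result to a \fBsha1sum\fP(1) style listing such as \fBBASE\fP\f(CW/remote/sha1\&.root\fP, reporting skipped entries still present in the listing as \f(CWIGNORING\fP (the mail message is simplified to a line on stderr)\&.

```shell
#!/bin/sh
# Added example, not part of stealth: a reader for the --skip-files format
# (one absolute path per line, trailing slash = directory subtree, blanks
# trimmed, empty lines and lines starting with '#' ignored), applied to a
# sha1sum(1) text-mode listing as written by CHECK to BASE/remote/sha1.root.

# is_skipped PATH SKIPFILE: succeed (0) when PATH is covered by SKIPFILE
is_skipped() {
    sed 's/^[[:blank:]]*//; s/[[:blank:]]*$//; /^$/d; /^#/d' "$2" |
    (
        while IFS= read -r entry; do
            case $entry in
                */) case $1 in "$entry"*) exit 0 ;; esac ;;  # directory: all of its contents
                *)  [ "$1" = "$entry" ] && exit 0 ;;         # file: exact path match only
            esac
        done
        exit 1                                               # no entry matched
    )
}

# skip_filter SKIPFILE < listing: copy the listing to stdout without the
# skipped entries; each skipped entry still present is reported on stderr
# as IGNORING, a simplified stand-in for the message stealth mails once.
skip_filter() {
    while IFS= read -r line || [ -n "$line" ]; do
        path=${line#*  }            # sha1sum text mode: "<checksum>  <path>" (two blanks)
        if is_skipped "$path" "$1"; then
            printf 'IGNORING %s\n' "$path" >&2
        else
            printf '%s\n' "$line"
        fi
    done
}
```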
.PP
.SH "DEPLOYMENT SUMMARY"
The following summarizes the advised steps to perform when installing \fBstealth\fP\&. All these steps are elaborated upon in \fBstealth\fP\(cq\&s \fIUser Guide\fP (chapter \fIRunning `stealth\(cq\&\fP):
.IP o
Install \fBstealth\fP (e\&.g\&., use \fBdpkg\fP(1) to install the \fB\&.deb\fP file);
.IP o
Construct one or more policy files;
.IP o
Automate running \fBstealth\fP using \fBcron\fP(1) (possibly calling \fBstealthcron\fP);
.IP o
Set up automated log\-file rotation, using, e\&.g\&., \fBstealthcleanup\fP and \fBlogrotate\fP(1), defining one or more \f(CW/etc/logrotate\&.d/stealth\&.\&.\&.\fP configuration files\&.
.PP
.SH "FILES"
.PP
\f(CW/usr/share/doc/stealth/\fP;
.br
the \f(CWpolicy\fP file;
.br
files under the \fBBASE\fP directory as defined in the \f(CWpolicy\fP file;
.br
the report file as defined by the policy\(cq\&s \fBUSE REPORT\fP directive\&.
.PP
.SH "SEE ALSO"
\fBcron\fP(1), \fBdd\fP(1), \fBdiff\fP(1), \fBdpkg\fP(1), \fBfind\fP(1), \fBlogrotate\fP(1), \fBls\fP(1), \fBmail\fP(1), \fBsha1sum\fP(1), \fBpasswd\fP(5), \fBrsyslog\fP(1), \fBsendmail\fP(1), \fBsh\fP(1), \fBssh\fP(1), \fBssh\-cron\fP(1)
.PP
.SH "DIAGNOSTICS"
By default, executed commands are echoed to stderr\&. Use \fB\-q\fP to suppress this echoing\&.
.PP
.SH "BUGS"
.PP
None reported
.PP
.SH "COPYRIGHT"
This is free software, distributed under the terms of the `GNU General Public License\(cq\&\&. Copyright remains with the author\&. \fBStealth\fP is found at \f(CWhttp://stealth\&.sourceforge\&.net/\fP\&.
.PP
.SH "ORGANIZATION"
Center for Information Technology, University of Groningen\&.
.PP
.SH "AUTHOR"
Frank B\&. Brokken (\fBf\&.b\&.brokken@rug\&.nl\fP)\&.