stealth(1)                    Security Enhancement                    stealth(1)
NAME
stealth - Stealthy File Integrity Scanner

SYNOPSIS
stealth --daemon pidfile --dry-run --log <path> --logmail

DESCRIPTION
The name of the stealth program is an acronym of: SSH-based Trust Enforcement Acquired through a Locally
Trusted Host.
stealth is based on an idea by Hans Gankema and Kees
Visser, both at the Center for Information Technology of the University of
Groningen. Hopko Meijering provided valuable suggestions for
improvement.
stealth’s main task is to perform file integrity tests. However,
the testing itself leaves no traces on the tested computer. Therefore,
stealth has stealthy characteristics. This is considered an
important feature, improving the security (integrity) of the software of
computers monitored by stealth.
On the other hand, one should realize that stealth intends to be just
another security tool: other security measures like firewalls, portscanners,
intrusion detection systems, dropping unencrypted protocols, etc. are usually
required to improve or promote the security of a group of computers that are
connected to the Internet.
stealth uses a policy file to determine the actions to perform. Each
policy file is uniquely associated with a host to be tested. This host (called
the client below) trusts the computer on which stealth runs,
called the controller (hence: a Locally Trusted Host). The
controller performs tasks (normally file integrity tests) that Enforce
the Trust we have in the client computer. Since almost all integrity
tests can be run on the client, one controller can control many clients, even
if the controller itself uses aged hard- and software components.
As the controller and the client normally are different computers, the
controller must communicate with the client in a secure fashion. This is
realized using SSH. So, there’s another element of `local trust’
involved here: the client should permit the controller to set up a secure SSH
connection allowing the controller to access sensitive files and private parts
of the client’s file system.
It is important to ensure that there is no public access to the
controller. All inbound services should be denied. The only access to
the controller should be via its console and the controller should be
placed in a physically secure location. Sensitive information about
clients is stored on the controller, and passwordless access to
clients can be obtained from the controller by anyone who gains
(root) access to it.
The controller itself normally only uses two kinds of outgoing services:
SSH to reach its clients, and some mail transport agent (e.g.,
sendmail(1)) to forward its outgoing mail to some mail-hub.
Here is what happens when stealth is run using the first synopsis:
- First, the policy file is read. This determines the actions to be performed, and the values of several variables that are used by stealth.
- If the command-line option --daemon pidfile is specified, stealth runs as a background process, writing its process id in the file pidfile.
  With --repeat <seconds> the scan is rerun every <seconds> seconds. The number of seconds until the next rerun is restricted by stealth to a value of at least 60. However, using the --rerun pidfile option another integrity scan can be requested from a stealth daemon after a shorter interval.
  When --daemon is specified the scan is performed just once, after which stealth waits until another integrity scan is requested using the stealth --rerun pidfile invocation.
- Next, the controller opens a command shell on the client using ssh(1), and a command shell on itself using sh(1).
- Once the command shells are available, commands defined in the policy file are executed in their order of appearance. Examples are given below. Normally, the return values of the programs are tested; stealth then terminates when a non-zero return value is received. If this happens, a message stating the reason why stealth terminated is written to the report file (and into the mail message sent by stealth). In some cases (e.g., when the report file could not be written), the message is written to the standard error stream.
- In most cases, integrity tests can be controlled using the find(1) program, calling programs like ls(1) or sha1sum(1), or using its own -printf method, to produce file-integrity related statistics. Most of these programs write file names at the end of the generated lines. This characteristic is used by an internal routine of stealth to detect changes in the generated output, which could indicate some harmful intent, like an installed root-kit.
- When changes are detected, they are logged in a report file, to which information is always appended. Stealth never reduces the report file’s size or rewrites its contents. Whenever information is added to the report file (exceeding a plain time stamp) the appended information is e-mailed to a configurable e-mail address for further (human) processing. Usually the e-mail is sent to the systems manager of the tested client. Stealth follows the `dark cockpit’ approach in the sense that no mail is sent when no changes were detected.
- When the --repeat or --rerun options are used, the report file should not be rotated by, e.g., a log-rotating process, but the report file may safely be rotated between a pair of --suppress and --resume commands.
REPORT FILE ROTATION
Since stealth only appends information to the report file, the report file’s size may eventually become prohibitively large, and log-rotation may be desirable. It is of course possible to issue a --terminate command, rotate the logfiles, and restart stealth, but stealth also offers a facility to temporarily suspend integrity scans performed by a stealth daemon process:
- Calling stealth with the option --suspend <pidfile> suspends the daemon’s integrity scans. If stealth is actually performing a series of integrity scans when --suspend is issued, the currently executing command is first completed, after which the --suspend command completes. Once the stealth daemon has been suspended, automatic or explicit integrity scan requests are denied, and the daemon can only be instructed to resume its scanning tasks (stealth --resume <pidfile>) or to terminate (stealth --terminate <pidfile>).
- Once `stealth --suspend <pidfile>’ has returned, the report file may safely be rotated (using, e.g., logrotate(1)), and a new (empty) report file may optionally be created by the logrotation process.
- Once the log-rotation has been completed, the log-rotation process should issue the command `stealth --resume <pidfile>’. This resumes the activities of a suspended stealth daemon process, immediately performing the next integrity scan. Following this the stealth daemon is back to its original integrity scanning mode.
Here is an example of a logrotate(1) specification rotating stealth log-files:

    /root/stealth/host/report {
        weekly
        rotate 12
        compress
        missingok
        prerotate
            /usr/bin/stealth --suppress /run/stealth.host
        endscript
        postrotate
            /usr/bin/stealth --resume /run/stealth.host
        endscript
    }
RELOAD, RERUN AND TERMINATE
Here is what happens when stealth is run using the second synopsis:
- When started as stealth --reload <pidfile>, the stealth daemon process reloads its policy file and (if specified) its --skip-files specification file. Next the stealth daemon process performs a file integrity scan using the information in the re-read policy and skip-files files. Stealth reloads the (modified) contents of the originally specified policy and skip-files files. If another policy and/or skip-files file must be used, another stealth process must be started, for which these new filenames are specified.
- When started as stealth --rerun <pidfile>, the stealth daemon performs another scan (unless it has been suspended using stealth --suspend <pidfile>).
- When started as stealth --terminate <pidfile>, the stealth daemon is terminated.
OPEN SSH LINK TO CLIENTS
Once stealth is started as a foreground or daemon process performing file integrity scans, one ssh(1) connection is opened to the client. This connection remains active during stealth’s lifetime to minimize the number of sshd entries caused by stealth in the client’s log files.

THE POLICY FILE
The policy file consists of two sections; the second section is optional and starts at a line merely containing %%. The policy file’s first section consists of two sets of data: use directives (starting with the keyword USE) and commands. Blank lines and information beyond hash-marks (#) are ignored, while lines following lines terminating in backslashes (\) are concatenated (en passant removing these trailing backslashes). Initial white space on lines of the policy file is ignored. Following the %% line that starts the (optional) second section, long option specifications can be entered (see below at section OPTIONS).

DEFINE DIRECTIVES
DEFINE directives are used to associate longer strings of text with certain symbols. E.g., after

    DEFINE FINDARGS -xdev -type f -exec /usr/bin/sha1sum {} \;

the specification ${FINDARGS} may be used in USE directives and commands (see below) to use the text associated with the FINDARGS symbol. Note that DEFINE symbols may also be used in the definition of other DEFINE symbols. Direct or indirect circular definitions should be avoided, as they are either not or incompletely expanded.
USE DIRECTIVES
The following USE directives may be specified (directives are written in capitals, and should appear exactly as written below: letter casing is preserved). Specifications in angular brackets (like <this>) represent specifications to be provided by stealth’s users:
- USE BASE <base-directory>
- USE DD <dd>
- USE DIFF <diff>
- USE DIFFPREFIX <prefix>
  The default /usr/bin/diff program prefixes lines by either `> ’ or `< ’. The default value for <prefix> is therefore equal to 2.
- USE EMAIL <address>
- USE MAILER <mailer>
  As an alternative, the script stealthmail is provided. It offers a convenient filter sorting stealth’s output and keeping only lines containing the text ADDED, MODIFIED, REMOVED or STEALTH. Usually these lines are the ones system managers are interested in. The report and log files can always be consulted to determine the actual nature of the changes.
- USE MAILARGS <args>
- USE REPORT <reportfile>
- USE SH <sh>
- USE SSH <user>
  In practice, connecting to an account using the sh(1) shell is preferred. When another shell is already used by that account, one should make sure that that shell doesn’t define its own redirections for standard input and standard output. One way to accomplish that is to force the execution of /bin/sh in the USE SSH specification. Examples:

      # root’s shell is /bin/sh:
      USE SSH root@client -T -q
      # root uses another shell
      USE SSH root@client -T -q exec /bin/bash
      # an alternative:
      USE SSH root@client -T -q exec /bin/bash --noprofile
      # For stealth inspecting localhost:
      USE SSH /bin/bash --noprofile
COMMANDS
Following the USE specifications, commands can be specified. The commands are executed in their order of appearance in the policy file. Processing continues until the last command has been processed or until a tested command (see below) returns a non-zero return value.

LABEL COMMANDS
The following LABEL commands are available:
- LABEL <text>
  The text may contain \n characters (two characters) which are transformed to a newline character.
  Example:
LOCAL COMMANDS
LOCAL commands are executed on the controller itself:
- LOCAL <command>
- LOCAL NOTEST <command>
- LOCAL CHECK [LOG =] <logfile> [pathOffset] <command>
  The phrase LOG = is optional. PathOffset is also optional. If specified it defines the (0-based) offset where path-names of inspected files start in lines produced by <command>. By default stealth assumes that the first occurrence of a forward slash defines the first character of the path-names of inspected files.
  For example, if diff-output looks like this:

      01234567890123456789012345678901234567890 (column offsets)
      33c33
      < 90d8b506d249634c4ff80b9018644567  filename-specification
      ---
      > b88d0b77db74cc4a742d7bc26cdd2a1e  filename-specification

  then the specification

      LOCAL CHECK logfile 36 command-to-be-executed

  informs stealth where to find the filename specifications in the diff-output. Using the standard /usr/bin/diff command, this offset equals 2 + the offset of the filename-specification found in the output of command-to-be-executed.
  Any differences between the previous and current output are written to REPORT. If differences were found, the existing logfile is renamed to logfile.YYMMDD-HHMMSS, with YYMMDD-HHMMSS the (UTC) datetime-stamp at the time stealth was run.
  Note that eventually many logfile.YYMMDD-HHMMSS files could be created: it is up to the controller’s systems manager to decide what to do with old datetime-stamped logfiles.
  The logfile specifications may use relative and absolute paths. When relative paths are used, these paths are relative to BASE. When the directories implied by the logfile specifications do not yet exist, they are created first.
  Example:
- LOCAL NOTEST CHECK <logfile> [pathOffset] <command>
  Example:
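The comparison that the overview (the internal change-detection routine) and the CHECK description above refer to, re-implemented here as an added illustration for reading; it is not stealth's own code. The previous and current output of an integrity command are diffed in diff(1)'s normal format, the path of each affected file is taken from pathOffset (or from the first slash by default), and each path is classified as ADDED, MODIFIED or REMOVED, or reported as IGNORING when it matches a --skip-files style specification. The sha1sum-style listings, the skip-files text and the offset 44 (2 for diff's prefix plus 40 hex digits and two blanks) are constructed assumptions.

```python
"""Added illustration of the comparison a stealth CHECK command performs (a
re-implementation for reading, not stealth's own code). The previous and the
current output of an integrity command are diffed in diff(1)'s normal format,
the path of each affected file is read from column pathOffset (0-based, counted
from the start of the diff line) or, by default, from the first '/', and every
path is classified as ADDED, MODIFIED or REMOVED. Paths matching a --skip-files
style specification are reported as IGNORING instead. All data is constructed."""


def listing(entries):
    """Constructed sha1sum-style output: 40 hex digits, two blanks, a path."""
    return "".join(f"{digest * 20}  {path}\n" for digest, path in entries)


PREVIOUS = listing([("a1", "/usr/bin/passwd"), ("b2", "/usr/bin/sudo"),
                    ("c3", "/usr/bin/su"), ("d4", "/var/tmp/cache/helper")])
CURRENT = listing([("e5", "/usr/bin/passwd"), ("b2", "/usr/bin/sudo"),
                   ("c3", "/usr/bin/su"), ("f6", "/usr/local/bin/newtool")])
SKIP_FILES = "# constructed skip-files specification\n\n  /var/tmp/cache/\n"
SHA1_DIFF_OFFSET = 2 + 42   # "< " or "> ", then 40 hex digits and two blanks


def diff_lines(previous, current):
    """Differing lines in diff(1)'s normal format: '< ' marks a line present
    only in the previous output, '> ' one present only in the current output."""
    old, new = previous.splitlines(), current.splitlines()
    return ([f"< {line}" for line in old if line not in new]
            + [f"> {line}" for line in new if line not in old])


def path_of(line, path_offset=None):
    """Path name in a diff line: from path_offset, else from the first '/'."""
    start = path_offset if path_offset is not None else line.find("/")
    return line[start:].strip() if start >= 0 else ""


def load_skip_files(text):
    """Parse a --skip-files file: blank lines and '#' lines are ignored,
    surrounding blanks are stripped, entries ending in '/' are directories."""
    entries = (raw.strip() for raw in text.splitlines())
    return [e for e in entries if e and not e.startswith("#")]


def is_skipped(path, skip):
    """True when path is a skipped file or lies below a skipped directory."""
    return any(path == e or (e.endswith("/") and path.startswith(e)) for e in skip)


def check(previous, current, path_offset=None, skip=()):
    """Classify the changes between two runs of the same integrity command."""
    old_paths, new_paths = set(), set()
    for line in diff_lines(previous, current):
        (old_paths if line.startswith("<") else new_paths).add(path_of(line, path_offset))
    report = {"ADDED": [], "MODIFIED": [], "REMOVED": [], "IGNORING": []}
    for path in sorted(old_paths | new_paths):
        if is_skipped(path, skip):
            report["IGNORING"].append(path)
        elif path in old_paths and path in new_paths:
            report["MODIFIED"].append(path)
        elif path in new_paths:
            report["ADDED"].append(path)
        else:
            report["REMOVED"].append(path)
    return report


def has_changes(report):
    """Dark-cockpit rule: only ADDED/MODIFIED/REMOVED entries warrant mail."""
    return any(report[k] for k in ("ADDED", "MODIFIED", "REMOVED"))


if __name__ == "__main__":
    result = check(PREVIOUS, CURRENT, SHA1_DIFF_OFFSET, load_skip_files(SKIP_FILES))
    for kind, paths in result.items():
        for path in paths:
            print(f"{kind}: {path}")
    print("mail required" if has_changes(result) else "no changes, no mail")
```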
REMOTE COMMANDS
Remote commands are commands executed on the client using the SSH shell. These commands are executed using the standard PATH set for the SSH shell. However, it is advised to specify the full pathname to the programs to be executed, to prevent ``trojan approaches’’ where a trojan horse is installed in an `earlier’ directory of the PATH-specification than the intended program. Two special remote commands are GET and PUT, which can be used to copy files between the client and the controller. Internally, GET and PUT use the DD specification. If a non-default specification is used, one should ensure that the alternate program accepts dd(1)’s if=, of=, bs= and count= options. With GET the options bs=, count= and of= are used, with PUT the options bs=, count= and if= are used. Normally there should be no need to alter the default DD specification. The GET command may be used as follows:
- GET <client-path> <local-path>
  Example:
- GET NOTEST <client-path> <local-path>
  Example:
- PUT <local-path> <remote-path>
  Example:
- PUT NOTEST <local-path> <remote-path>
  Example:
- <command>
- NOTEST <command>
- CHECK [LOG =] <logfile> [pathOffset] <command>
  Note that the command is executed on the client, but the logfile is kept on the controller. This command represents the core of the method implemented by stealth: there will be no residues of the actions performed by stealth on the client computers.
  Several examples (note the use of the backslash as line continuation character):

      CHECK LOG = remote/ls.root \

  All suid/gid/executable files on the same device as the root-directory (/) on the client computer are listed with their permissions, owner and size information. The resulting listing is written on the file BASE/remote/ls.root.

      CHECK remote/sha1.root \

  The SHA1 checksums of all suid/gid/executable files on the same device as the root-directory (/) on the client computer are determined. The resulting listing is written on the file BASE/remote/sha1.root.
- NOTEST CHECK [LOG =] <logfile] [pathOffset] <command>
  Example:
  The SHA1 checksums of all suid/gid/executable files on the same device as the root-directory (/) on the client computer are determined. The resulting listing is written on the file BASE/remote/sha1.root. stealth does not terminate if the /usr/bin/find program returns a non-zero exit value.
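A complete policy file for one client, combining the DEFINE and USE directives and the LABEL, CHECK, GET and LOCAL CHECK commands described above, as an added example that is not a file from the stealth distribution. The find(1) arguments, host names, mail address, paths and option values are assumptions to be adapted to the client being monitored.

```text
# Added example policy file for one client (not from the stealth
# distribution); the find(1) arguments, names and paths are assumptions.
DEFINE EXECFIND /usr/bin/find / -xdev -type f \
                \( -perm /u+s -o -perm /g+s -o -perm /a+x \)

USE BASE   /root/stealth/client
USE SSH    root@client -T -q exec /bin/bash --noprofile
USE EMAIL  root@controller.example
USE REPORT report

LABEL \nchecking permissions and sizes of suid/gid/executable files
CHECK LOG = remote/ls.root \
    ${EXECFIND} -printf "%p %m %u %g %s\n"

LABEL \nchecking SHA1 checksums of suid/gid/executable files
CHECK remote/sha1.root \
    ${EXECFIND} -exec /usr/bin/sha1sum {} \;

LABEL \nchecking the account database, using a copy kept on the controller
GET /etc/passwd /root/stealth/client/remote/passwd
LOCAL CHECK local/passwd.sha1 \
    /usr/bin/sha1sum /root/stealth/client/remote/passwd

# Second section: long options, one per line, without the leading dashes.
%%
log             /root/stealth/client/stealth.log
logmail
syslog
repeat          3600
random-interval 10m
max-size        1M
```

The path in each listing is found by the default first-slash rule, so no pathOffset is needed for these CHECK commands.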
OPTIONS
Short options are provided between parentheses, immediately following their long option equivalents. Option descriptions starting with (C) can only be used on the command-line, and are ignored when specified in the second section of the policy file.
- --daemon (-d) <path>: (C) run as background (daemon) process. <path> specifies the absolute filename of the pid-file used for communication with the daemon process;
- --dry-run: (C) no integrity scans or reloads are performed, but are assumed OK. Remaining tasks are normally performed;
- --help (-h): (C) display help information and exit;
- --log (-L) <path>: log messages are appended to `path’. If path does not exist, it is first created;
- --logmail: mail sent by stealth is logged (requires --log or --syslog);
- --max-size <size>[BKMG]: files retrieved by GET commands may at most have <size> bytes (B), KBytes (K), MBytes (M), GBytes (G). The default size is 10M, the default unit is B;
- --no-mail: mail is not sent. By default mail is sent as configured in the policy-file (--logmail can be specified independently from --no-mail);
- --parse-policy-file (-p): (C) parse the policy file, after which stealth ends;
- --random-interval (-i) <interval>[m]: start the scan a random interval of <interval> seconds (or minutes if an `m’ is appended (no blanks) to <interval>) following the delay specified at --repeat (see below). This option requires specification of the --repeat option;
- --reload <pid-file>: (C) reloads the configuration and skip-files and restarts the scan of the stealth daemon process;
- --repeat <seconds>: wake up and perform an integrity scan at interrupts or after <seconds> seconds (or minutes if an `m’ is appended (no blanks) to <seconds>) after completing the previous integrity scan. The option --random-interval can be used to add a random delay to <seconds> until the next integrity scan is performed;
- --rerun <pid-file>: start executing the integrity scan commands that are specified in the stealth daemon process’s policy file;
- --resume <pid-file>: (C) resume a suspended stealth process, implies --rerun;
- --run-command (-r) <nr>: (C) only execute command number <nr> (natural number). Command numbers are shown by stealth --parse-policy-file;
- --skip-files (-s) <skippath>: all entries in skippath (specified using an absolute path) are skipped. Their integrity is not monitored. If an entry is already present in a log file then stealth once generates an IGNORING message in the mail sent to the address specified at EMAIL in the policy file. Each entry mentioned in skippath must be on a line of its own and must be specified using absolute paths. Entries ending in a slash are assumed to be directories whose full contents must be skipped. Other entries are interpreted as the path names of files to skip. Initial and trailing blanks, empty lines and lines having a # as their first non-blank character are ignored;
- --stdout (-o): messages are (also) written to the standard output stream (not available with --daemon);
- --suspend <pid-file>: (C) suspends a currently active stealth process. Use --resume to re-activate a stealth daemon or --terminate to end a stealth daemon;
- --syslog: write syslog messages;
- --syslog-facility <facility>: syslog facility to use. By default facility DAEMON is used;
- --syslog-priority <priority>: syslog priority to use. By default priority NOTICE is used;
- --syslog-tag <tag>: <tag> specifies the identifier that is prefixed to syslog messages. By default the tag `STEALTH’ is used, see also the next section;
- --terminate <pid-file>: (C) terminate a currently active stealth process;
- --time-stamp (-t) <type>: the time-stamps to use. By default UTC. To use the local time specify --time-stamp LT. The --time-stamp option does not apply to time-stamps generated by syslog (see also the next section);
- --usage: (C) display help information and exit;
- --verbosity <value>: determines the amount of logged information. Requires options --log or --syslog. Possible values are:
- --version (-v): (C) display stealth’s version information and terminate;
- <pid-file>: absolute filename of a file that is used for communication with a stealth daemon process;
- policy: path to the policy file;
- --echo-commands (-e): echo commands to std error when they are processed; use --log instead;
- --keep-alive: run as a daemon; use --daemon instead;
- --only-stdout: scan report is written to stdout; use --stdout instead;
- --quiet (-q): suppresses progress messages written to stderr; use --verbosity 0 instead;
- --suppress <pid-file>: suppresses a currently active stealth process; use --suspend instead;
- --debug (option --verbosity or --dry-run could be used instead);
- --no-child-processes;
- --parse-config-file.

    %%
    log /tmp/stealth.log
    verbosity 3
RSYSLOG FILTERING
When using rsyslogd(1), property based filters may be used to filter syslog messages and write them to a file of your choice. E.g., to filter messages starting with the syslog message tag (e.g., STEALTH) use:

    :syslogtag, isequal, "STEALTH:" /var/log/stealth.log
    :syslogtag, isequal, "STEALTH:" ~

Note that the colon is part of the tag, but is not specified with the --syslog-tag option. This causes all messages having the STEALTH: tag to be written to /var/log/stealth.log, after which they are discarded. More extensive filtering is also supported; see, e.g., http://www.rsyslog.com/doc/rsyslog_conf_filter.html and http://www.rsyslog.com/doc/property_replacer.html
Time stamps written by rsyslogd are not controlled by stealth’s --time-stamp option, but, e.g., by a TZ specification in /etc/default/rsyslog. Adding the line

    export TZ=UTC

to /etc/default/rsyslog, followed by restarting rsyslogd, configures rsyslogd to generate time stamps using UTC.
DEPLOYMENT SUMMARY
The following summarizes the advised steps to perform when installing stealth. All these steps are elaborated upon in stealth’s User Guide (chapter Running `stealth’):
- Install stealth (e.g., use dpkg(1) to install the .deb file);
- Construct one or more policy files;
- Automate running stealth using cron(1) (possibly calling stealthcron);
- Set up automated log-file rotation, using, e.g., stealthcleanup and logrotate(1), defining one or more /etc/logrotate.d/stealth... configuration files.
FILES
/usr/share/doc/stealth/

SEE ALSO
cron(1), dd(1), diff(1), dpkg(1), find(1), logrotate(1), ls(1), mail(1), sha1sum(1), passwd(5), rsyslog(1), sendmail(1), sh(1), ssh(1), ssh-cron(1)

DIAGNOSTICS
By default, executed commands are echoed to stderr. Use -q to suppress this echoing.

BUGS
None reported

COPYRIGHT
This is free software, distributed under the terms of the `GNU General Public License’. Copyright remains with the author. Stealth is found at http://stealth.sourceforge.net/.

ORGANIZATION
Center for Information Technology, University of Groningen.

AUTHOR
Frank B. Brokken (f.b.brokken@rug.nl).

2005-2014                                                 stealth_3.00.00.tar.gz