Host Integrity Monitoring Using Osiris and Samhain
After spending months developing a killer e-commerce site with the latest cutting edge .NET security techniques, placing your hard work on an insecure, unmonitored server practically negates all the effort that went into securing the codified business logic in the first place. While firewalls, DMZs, and Intrustion Detection Systems (IDS) help to retard infiltration by unscrupulous individuals, little can be done if said entity exploits a system weakness and rootkits (takes over administrative capacity) the server.
Host Integrity Monitoring (HIM) is a security management technique that continuously checks the integrity of critical system and application files for any modification, and immediately logs and alerts the designated monitoring administrator of such activities. Thus, although an infiltration may have been successful and unauthorized changes to files may have been made, HIM systems can be used to set a baseline of known files and then identify what files were altered so they can be easily tagged and fixed to prevent worms and rootkits from taking control.
Host Integrity Monitoring Using Osiris and Samhain by Osiris author Brian Wotring is presented in two parts. The first half of the book explains why HIM is critical for any server connected to today s harsh Internet environment, as well as how HIM works. The second half of the book talks about two open source HIM systems, Osiris and Samhain. For .NET developers and system administrators, Osiris is the only choice because it is the only one of the two that sports a native Windows server agent. In addition to providing centralized host integrity monitoring for both Unix and Windows environments, Osiris relies on SSL to communicate between the agent, console, and command-line interface components. Chapter 5 provides an excellent comparison between the two featured HIM systems.
The question readers may ask is do they need to spend nearly $50 to use a free utility that has most of the operating documentation found in the distributed product? The answer is yes, for a couple of reasons. First, Wotring does an excellent job in the first part of the book explaining why HIM systems are critical, as well as how to architect such systems into an already well managed networked server environment. The book also contains detailed walkthroughs of both Osiris and Samhain configuration files (Samhain configurations being particularly convoluted because of its Linux/Unix config file orientation) and, most valuably, the interpretation of the logs each application generates. Understanding and acting upon these outputs are why HIM systems exist in the first place.
Even for that enterprise-level .NET developer who defers server security to the infrastructure group, this and other Syngress titles provide a great education for the complacent coder who thinks it s not my problem. Without a HIM system in place, it will immediately become that coder s problem as they ll be the ones determining if their code was modified by the perpetrator. Those with a HIM system in place will be able to know exactly what was affected, replace the malicious code, and sleep easier at night.
Title: Host Integrity Monitoring Using Osiris and Samhain
Author: Brian Wotring
Publisher: Syngress Publishing, Inc.
Page Count: 450