Source-Changes archive


CVS import: othersrc/external/bsd/sid



Module Name:    othersrc
Committed By:   agc
Date:           Thu Sep 24 01:05:20 UTC 2015

Update of /cvsroot/othersrc/external/bsd/sid
In directory ivanova.netbsd.org:/tmp/cvs-serv19893

Log Message:
sid is a Static Intrusion Detection and integrity checking system,
designed to be efficient (by using mmap(2) to open any regular files
it needs to check) and as unintrusive as possible.  It uses
in-memory diff(1) functionality by default through libnetdiff(3),
falling back to temporary files if there is not enough memory to
complete the full set of checks.  To that end, on a heavily (output)
network-bound machine, it takes 15 seconds elapsed, and 1 second
system time, to check the root file system, running at the maximum
nice value.  When running, no output drops were observed at the
interface.

It uses a configuration file to govern the checks it makes.  The
syntax is borrowed from the old aide program, without any of the
disadvantages of aide (GPL, default verbosity, static database usage,
no fs flags checking, GNU regexps, unusual digest types).  See the
included sid.conf file.

The following checks can be specified:

        a:             atime
        b:             block count
        c:             ctime
        crc32c:        crc32c checksum
        f:             flags
        ftype:         file type
        g:             group
        i:             inode
        l:             link target
        m:             mtime
        n:             number of links
        p:             permissions
        s:             size
        sha256:        sha256 checksum
        sha512:        sha512 checksum
        u:             user

Checking rules are specified with an embedded '=' sign after the rule:

        RegFile = crc32c+f+ftype+g+l+p+s+sha256+u
        LogFile = ftype+g+l+n+p+u

Comments are introduced with '#' and continue to the end of line.
Directory entries are specified in the configuration file using regular
expressions (much more expressive than fnmatch(3)).

Directory entries may be specified in 3 ways:

1. checks - give directory entries and rules for recursive checking

        /bin RegFile    # apply the custom rule to the files in /bin
        /boot RegFile   # apply the custom rule to the files in /boot
        /cfg RegFile    # apply the custom rule to the files in /cfg
        /etc RegFile    # same for /etc

2. ignores - specify which directory entries not to check

        # don't check scratch dir in /usr/local/ccsc/data
        !/usr/local/ccsc/data
        
and

        # ignore various per-host config files
        !/etc/resolv.conf

3. exact matches

        # more specific tests
        =/var/tmp$      p+i+n+u+g+s+b+f

The default configuration file is /etc/sid.conf, and the output
file for now lives in /root/db.sid

New files will show up as follows:

        # touch /root/newfile
        # nice time sid /root/db.sid
        896a897
        > {"name":"/root/newfile","crc32c":0,"flags":0,"ftype":100000,"gid":0,"linkname":"/root/newfile","perms":0644,"size":0,"sha256":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855","uid":0}
        13.888u 1.428s 0:23.82 64.2%    86+173k 1107+0io 8879pf+0w
        #

but will not show up when unlinked:

        # rm /root/newfile
        # nice time sid /root/db.sid
        13.844u 0.965s 0:15.05 98.3%    86+173k 0+0io 0pf+0w
        #

To generate a database which can be used for later verification, the
-g option is used.  It can also be used with the -p prefix option to
specify a leading prefix.  So, for example, if a directory
"/build/amd64/fs" contains a representation of the file system as it
will later be installed, and using the configuration file in the
target file system to configure the database, the command to generate
a database would be:

        sid -g -p /build/amd64/fs -f /build/amd64/fs/etc/sid.conf \
                -o /build/amd64/fs/root/db.sid

Status:

Vendor Tag:     CROOKS
Release Tags:   sid-20150923-base
                
N othersrc/external/bsd/sid/Makefile
N othersrc/external/bsd/sid/bin/1.expected
N othersrc/external/bsd/sid/bin/Makefile
N othersrc/external/bsd/sid/bin/2.expected
N othersrc/external/bsd/sid/bin/4.expected
N othersrc/external/bsd/sid/bin/5.expected
N othersrc/external/bsd/sid/bin/6.expected
N othersrc/external/bsd/sid/bin/conf2
N othersrc/external/bsd/sid/dist/diff_subr.c
N othersrc/external/bsd/sid/dist/libsid.3
N othersrc/external/bsd/sid/dist/Makefile
N othersrc/external/bsd/sid/dist/README
N othersrc/external/bsd/sid/dist/crc32c.c
N othersrc/external/bsd/sid/dist/crc32c.h
N othersrc/external/bsd/sid/dist/diffdir.c
N othersrc/external/bsd/sid/dist/diffreg.c
N othersrc/external/bsd/sid/dist/internal.h
N othersrc/external/bsd/sid/dist/main.c
N othersrc/external/bsd/sid/dist/netdiff.h
N othersrc/external/bsd/sid/dist/pathnames.h
N othersrc/external/bsd/sid/dist/sha2.c
N othersrc/external/bsd/sid/dist/sha256hl.c
N othersrc/external/bsd/sid/dist/sha512hl.c
N othersrc/external/bsd/sid/dist/sid.1
N othersrc/external/bsd/sid/dist/sid.c
N othersrc/external/bsd/sid/dist/sid.conf
N othersrc/external/bsd/sid/dist/sid.h
N othersrc/external/bsd/sid/dist/sidsha2.h

No conflicts created by this import
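The following is an added worked example, not part of the commit or of the sid sources: a small Python model of the sid.conf semantics the log message describes (rule definitions with '=', '+'-joined check letters, '#' comments, recursive check entries, '!' ignores and '=' exact matches as regular expressions), run over a constructed in-memory file system snapshot to produce one JSON record per checked path and a diff(1)-style comparison against a stored database. The precedence between entry kinds (ignore, then exact, then first matching recursive entry), the field names beyond those in the sample output, the make_entry helper and the sample paths and contents are all assumptions made for the example; the CRC-32C routine is a plain bitwise implementation included so an empty file yields the same `"crc32c":0` seen in the sample output.

```python
# Constructed toy model of the sid.conf semantics described in the commit message;
# not the sid source, and the precedence between entry kinds is an assumption.
import hashlib
import json
import re

CHECKS = {"a": "atime", "b": "blocks", "c": "ctime", "crc32c": "crc32c", "f": "flags",
          "ftype": "ftype", "g": "gid", "i": "inode", "l": "linkname", "m": "mtime",
          "n": "nlink", "p": "perms", "s": "size", "sha256": "sha256", "sha512": "sha512",
          "u": "uid"}  # check letter -> JSON field it produces


def crc32c(data: bytes) -> int:
    crc = 0xFFFFFFFF  # CRC-32C (Castagnoli), reflected poly 0x82F63B78; empty input -> 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ (0x82F63B78 if crc & 1 else 0)
    return crc ^ 0xFFFFFFFF


def resolve(spec: str, rules: dict) -> tuple:
    out = []  # expand "a+RuleName+sha256" into concrete check tokens, deduped in order
    for tok in spec.split("+"):
        if tok not in rules and tok not in CHECKS:
            raise ValueError(f"unknown check or rule: {tok!r}")
        out.extend(rules.get(tok, [tok]))
    return tuple(dict.fromkeys(out))


def parse_config(text: str):
    rules, entries = {}, []  # entries: (kind, compiled regex, checks) in file order
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' comments run to end of line
        if not line:
            continue
        if line.startswith("!"):  # 2. ignore: never checked
            entries.append(("ignore", re.compile(line[1:].strip()), ()))
        elif line.startswith("="):  # 3. exact match with its own checks
            pattern, spec = line[1:].split(None, 1)
            entries.append(("exact", re.compile(pattern), resolve(spec, rules)))
        elif line.startswith("/"):  # 1. recursive check entry
            pattern, spec = line.split(None, 1)
            entries.append(("check", re.compile(pattern), resolve(spec, rules)))
        else:  # rule definition: Name = a+b+c
            name, spec = (part.strip() for part in line.split("=", 1))
            rules[name] = resolve(spec, rules)
    return rules, entries


def checks_for(path: str, entries):
    # Assumed precedence: ignore > exact (whole path) > first recursive prefix match.
    if any(k == "ignore" and rx.match(path) for k, rx, _ in entries):
        return None
    for want in ("exact", "check"):
        for kind, rx, checks in entries:
            if kind == want and (rx.fullmatch if want == "exact" else rx.match)(path):
                return checks
    return None


def make_entry(data=b"", ftype=0o100000, perms=0o644, **extra):
    st = {"atime": 0, "blocks": 1, "ctime": 0, "flags": 0, "ftype": ftype, "gid": 0,
          "inode": 1, "linkname": "", "mtime": 0, "nlink": 1, "perms": perms,
          "size": len(data), "uid": 0, "data": data}  # constructed stat-like record
    return {**st, **extra}


def record(path: str, st: dict, checks) -> dict:
    rec = {"name": path}  # one JSON object per entry, carrying only the selected checks
    for tok in checks:
        if tok == "crc32c":
            rec["crc32c"] = crc32c(st["data"])
        elif tok in ("sha256", "sha512"):
            rec[tok] = getattr(hashlib, tok)(st["data"]).hexdigest()
        elif tok == "p":
            rec["perms"] = f"{st['perms']:04o}"  # octal, as in the sample output
        else:
            rec[CHECKS[tok]] = st[CHECKS[tok]]
    return rec


def scan(fs: dict, entries) -> list:
    # The database: one compact JSON line per checked path, sorted so diffs are stable.
    return [json.dumps(record(p, fs[p], c), sort_keys=True, separators=(",", ":"))
            for p in sorted(fs) if (c := checks_for(p, entries))]


def compare(db: list, current: list) -> tuple:
    # diff(1)-style outcome: (lines only in the new scan '>', lines only in the db '<')
    return sorted(set(current) - set(db)), sorted(set(db) - set(current))


CONF = """\
RegFile = crc32c+f+ftype+g+l+p+s+sha256+u
LogFile = ftype+g+l+n+p+u
/bin RegFile            # apply the custom rule to the files in /bin
/etc RegFile
!/etc/resolv.conf       # per-host file: ignored
=/var/tmp$      p+i+n+u+g+s+b+f
"""
FS = {  # constructed file system snapshot
    "/bin/sh": make_entry(b"\x7fELF...", perms=0o555),
    "/etc/passwd": make_entry(b"root:*:0:0::/root:/bin/sh\n"),
    "/etc/resolv.conf": make_entry(b"nameserver 192.0.2.1\n"),
    "/var/tmp": make_entry(ftype=0o040000, perms=0o1777, inode=42, nlink=3, size=512),
}

if __name__ == "__main__":
    _, entries = parse_config(CONF)
    later = dict(FS, **{"/etc/newfile": make_entry()})  # touch /etc/newfile
    print("\n".join("> " + l for l in compare(scan(FS, entries), scan(later, entries))[0]))
```

Running it prints a single `>` line for the new empty file with `"crc32c":0` and the well-known SHA-256 of empty input, mirroring the sample session; comparing the unchanged snapshot against the same database yields nothing, which is also why a file that is created and then unlinked between two runs leaves no trace unless the database was regenerated in between. Note that because entries are regular expressions matched at the start of the path, an ignore such as `!/etc/resolv.conf` also covers `/etc/resolv.conf.bak`; anchor patterns with `$` when that is not intended.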



