head     1.1;
branch   1.1.1;
access   ;
symbols  sid-20150923-base:1.1.1.1 CROOKS:1.1.1;
locks    ; strict;
comment  @# @;


1.1
date     2015.09.24.01.05.17;  author agc;  state Exp;
branches 1.1.1.1;
next     ;
commitid        gUyHqXFKvRffurCy;

1.1.1.1
date     2015.09.24.01.05.17;  author agc;  state Exp;
branches ;
next     ;
commitid        gUyHqXFKvRffurCy;


desc
@@



1.1
log
@Initial revision
@
text
@# $NetBSD: Makefile,v 1.2 2011/09/01 05:07:12 agc Exp $

.include <bsd.own.mk>

# Built with BSD make (.include, .ifndef, ${.CURDIR}); this is not a GNU Makefile.
PROG=		sid
# Sources of the program.  The .PATH line below makes the BSD framework look
# for them in ${DIST} as well as in the current directory; which file lives
# where is not visible from this Makefile -- TODO confirm against ../dist.
SRCS+=		crc32c.c
SRCS+=		diff_subr.c
SRCS+=		diffdir.c
SRCS+=		diffreg.c
SRCS+=		sha2.c
SRCS+=		sha256hl.c
SRCS+=		sha512hl.c
SRCS+=		sid.c
SRCS+=		main.c
# Install directory for ${PROG}, set explicitly rather than left to bsd.own.mk.
BINDIR=		/usr/bin

# Headers are taken from the shared source tree in ../dist.
CPPFLAGS+=	-I${.CURDIR}/../dist

# diffreg.c only: without this the compiler warns that strftime(..., "%c")
# yields a two-digit year in some locales.
CPPFLAGS.diffreg.c+= -Wno-format-y2k

MAN=		sid.1

# A debug build is the DEFAULT: unless PRODUCTION is defined (for example on
# the make command line) the binary is compiled and linked with -g -O0.
# NOTE(review): -O0 is appended to CPPFLAGS rather than CFLAGS, presumably so
# it lands after any -O level coming from CFLAGS on the compiler command line;
# confirm against the framework's COMPILE.c before changing it.
.ifndef PRODUCTION
CPPFLAGS+=-g -O0
LDFLAGS+=-g -O0
.endif

# Warning level consumed by the BSD build framework (bsd.sys.mk); what level 5
# turns on is defined there, not here.
WARNS=		5

# Shared sources and the default sid.conf live here; .PATH makes make search
# it for prerequisites (used by SRCS above and by the 't' target below).
DIST=	${.CURDIR}/../dist
.PATH: ${DIST}

.include <bsd.prog.mk>

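# 't' and 'clean-t' are commands, not files: declare them phony so a stray file
# of that name cannot make the test run silently appear up to date.
.PHONY: t clean-t

# Regression run for ${PROG}.  Each numbered case writes N.out and compares it
# against the checked-in N.expected.  Cases 2-6 build a fixture tree under ./fs
# by copying the host's /bin /etc /lib /sbin with pax, so host configuration
# sits in the working tree until the trailing rm -rf; if a diff fails part-way
# the recipe stops there and 'clean-t' must be run to remove it.  copy.sql is
# removed before case 2; what writes it is not visible from this Makefile.
# Lines prefixed with '-' continue on a non-zero exit:
#   - the pax loop, because entries the invoking user cannot read make pax
#     fail while the rest of the tree is still usable (the diff of 2.out is
#     what decides whether the fixture was good enough);
#   - the diffs of case 3 and case 4, which therefore only print the
#     difference and do not assert anything -- in particular case 3 does
#     not fail when the interloper goes unreported.
t: ${PROG}
	@@echo "1. basics"
	./${PROG} -g -f ${DIST}/sid.conf -o 1.out
	diff 1.expected 1.out
	rm -f 1.out
	@@echo "2. prefix"
	mkdir -p fs/bin fs/etc fs/lib fs/sbin
	-for d in bin etc lib sbin; do					\
		(cd /$$d && pax -rwpp . ${.CURDIR}/fs/$$d)		\
	done
	rm -f copy.sql
	./${PROG} -g -p fs -f conf2 -o 2.out
	diff 2.expected 2.out
	rm -f 2.out
	@@echo "3. touch and verify"
	touch 'fs/bin/ bin interloper '
	./${PROG} -g -p fs -f conf2 -o 3.out
	-diff 2.expected 3.out
	@@echo "4. use netdiff to check got against expected"
	./${PROG} -p fs -f conf2 -t 2.expected > 4.out
	-diff 4.expected 4.out
	rm -f 4.out
	@@echo "5. use netdiff in memory to check got against expected"
	./${PROG} -p fs -f conf2 2.expected > 5.out
	diff 5.expected 5.out
	rm -f 5.out
	@@echo "6. use netdiff in memory to check got against expected, verbose"
	./${PROG} -v -p fs -f conf2 2.expected > 6.out
	diff 6.expected 6.out
	rm -f 6.out
	rm -f 3.out 'fs/bin/ bin interloper '
	rm -rf fs

# Remove everything 't' leaves behind when it stops at a failing step.
clean-t:
	rm -f 1.out 2.out 3.out 4.out 5.out 6.out copy.sql
	rm -rf fs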
@


1.1.1.1
log
@sid is a Static Intrusion Detection and integrity checking system,
designed to be efficient (by using mmap(2) to open any regular files
it needs to check) and to be as unintrusive as possible.  It uses
in-memory diff(1) functionality by default through libnetdiff(3),
falling back to temporary files if there is not enough memory to
complete the full set of checks.  To that end, on a heavily (output)
network-bound machine, it takes 15 seconds elapsed, and 1 second
system time, to check the root file system, running at the maximum
nice value.  When running, no output drops were observed at the
interface.

It uses a configuration file to govern the checks it makes.  The
syntax is borrowed from the old aide program, without any of the
disadvantages of aide (GPL, default verbosity, static database usage,
no fs flags checking, GNU regexps, unusual digest types).  See the
included sid.conf file.

The following checks can be specified:

	a:             atime
	b:             block count
	c:             ctime
	crc32c:	       crc32c checksum
	f:             flags
	ftype:         file type
	g:             group
	i:             inode
	l:             link target
	m:             mtime
	n:             number of links
	p:             permissions
	s:             size
	sha256:        sha256 checksum
	sha512:        sha512 checksum
	u:             user

Checking rules are specified with an embedded '=' sign after the rule:

	RegFile = crc32c+f+ftype+g+l+p+s+sha256+u
	LogFile = ftype+g+l+n+p+u

Comments are introduced with '#' and continue to the end of line.
Directory entries are specified in the configuration file using regular
expressions (much more expressive than fnmatch(3)).

Directory entries may be specified in 3 ways:

1. checks - give directory entries and rules for recursive checking

	/bin RegFile    # apply the custom rule to the files in /bin
	/boot RegFile   # apply the custom rule to the files in /boot
	/cfg RegFile    # apply the custom rule to the files in /cfg
	/etc RegFile    # same for /etc

2. ignores - specify which directory entries not to check

	# don't check scratch dir in /usr/local/ccsc/data
	!/usr/local/ccsc/data
	
and

	# ignore various per-host config files
	!/etc/resolv.conf

3. exact matches

	# more specific tests
	=/var/tmp$      p+i+n+u+g+s+b+f

The default configuration file is /etc/sid.conf, and the output
file for now lives in /root/db.sid

New files will show up as follows:

	# touch /root/newfile
	# nice time sid /root/db.sid
	896a897
	> {"name":"/root/newfile","crc32c":0,"flags":0,"ftype":100000,"gid":0,"linkname":"/root/newfile","perms":0644,"size":0,"sha256":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855","uid":0}
	13.888u 1.428s 0:23.82 64.2%    86+173k 1107+0io 8879pf+0w
	#

but will not show up when unlinked:

	# rm /root/newfile
	# nice time sid /root/db.sid
	13.844u 0.965s 0:15.05 98.3%    86+173k 0+0io 0pf+0w
	#

To generate a database which can be used for later verification, the
-g option is used.  It can also be used with the -p prefix option to
specify a leading prefix.  So, for example, if a directory
"/build/amd64/fs" contains a representation of the file system as it
will later be installed, and using the configuration file in the
target file system to configure the database, the command to generate
a database would be:

	sid -g -p /build/amd64/fs -f /build/amd64/fs/etc/sid.conf \
		-o /build/amd64/fs/root/db.sid
@
text
@@
