Chapter 5 - Host Integrity Monitoring with Open Source Tools

2005 
Osiris and Samhain are the two most popular and widely deployed open source host integrity monitoring products. Each has an agent-based deployment model providing detailed reports about changes to various aspects of a host's environment, including files, network ports, users, groups, kernel modules, kernel state, and user login events. Although they share the same goals, Osiris and Samhain have different feature sets; therefore, some environments are going to favor one over the other.

Osiris consists of three distinct components: a command-line client, a management console, and a scan agent. A scan agent is deployed onto every host that is to be monitored. A single management console stores all of the scan data, the scan agent configurations, and logs; manages scheduling; and handles notifications. It is the brains of the system. The command-line client communicates only with the management console, and only the management console communicates with scan agents.

Samhain consists of three components: a console, a server, and a scan agent (often called the client). The agents are deployed onto every host that is to be monitored. A single server acts as a central location for logs, scan configurations, and scan data. The console is a Web-based control center written in hypertext preprocessor (PHP) that presents a user interface (UI) that can be used to update databases or edit scan configurations. An optional component is a relational database server.