This expansion contains the following key terms:

SSH-based
: The file integrity scan is (usually) performed over an ssh-connection. Usually the computer being scanned (called the client) and the computer initiating the scan (called the controller) are different computers.

Trust Enforcement
: following the scan, 'trust' is enforced in the client, due to the integrity of its files.

Locally Trusted Host
: the client apparently trusts the controller to use an ssh-connection to perform commands on it. The client therefore locally trusts the controller. Hence, locally trusted host.
stealth is based on an idea by Hans Gankema and Kees Visser, both at the Center for Information Technology of the University of Groningen.
stealth's main task is to perform file integrity tests. However, the testing leaves virtually no traces on the tested computer: the client does not need to keep a database of checksums, a scanning program or a report file. Therefore, stealth has stealthy characteristics. I consider this an important security improving feature of stealth.
The controller itself only needs two kinds of outgoing services: ssh(1) to reach its clients, and some mail transport agent (e.g., sendmail(1)) to forward its outgoing mail to some mail-hub.
Here is what happens when stealth is run:
When --daemon is given, stealth runs as a background (daemon) process, writing its process ID in a separate file (the pid-file). Using --repeat <seconds> the scan is rerun every <seconds> seconds after completing the previous integrity scan. When merely --daemon is specified the scan is performed only once, whereafter stealth waits until it is reactivated through the stealth --rerun <pidfile> command.
Programs like find(1) (e.g., using its -printf option) are used to produce file-integrity related statistics. Most of these programs write file names at the end of the generated lines. This characteristic is used by an internal routine of stealth to detect changes in the generated output, which could indicate some malignant software, like an installed root-kit.
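The comparison described above, as an added example (this is not stealth's own code, and it does not reproduce stealth's report format): two sha1sum-style reports in which every line ends with the file name are compared, and each path whose recorded attributes differ, or which only occurs in one of the reports, is listed. The reports below are constructed for the example; the "<checksum>  <path>" layout and the absence of whitespace in path names are assumptions.

```shell
#!/bin/sh
# Added example, not part of stealth: detect changes between two
# file-integrity reports whose lines end with the file name.

# Constructed "previous" report (assumed layout: checksum, two spaces, path).
OLD_REPORT='da39a3ee5e6b4b0d3255bfef95601890afd80709  /bin/ls
3b6e3d7a0c4c2e5f1a9b8c7d6e5f4a3b2c1d0e9f  /bin/ps
9f8e7d6c5b4a39281706f5e4d3c2b1a0f9e8d7c6  /usr/sbin/sshd'

# Constructed "current" report: /bin/ls is unchanged, /bin/ps has a new
# checksum, /usr/sbin/sshd is gone and /usr/bin/ss is new.
NEW_REPORT='da39a3ee5e6b4b0d3255bfef95601890afd80709  /bin/ls
0000000000000000000000000000000000000000  /bin/ps
1111111111111111111111111111111111111111  /usr/bin/ss'

# report_diff OLD_TEXT NEW_TEXT
# Prints "added <path>", "removed <path>" or "changed <path>" per difference,
# sorted by path. The last field of a line is taken as the path; everything
# before it counts as the recorded attributes (checksum, size, mode, ...).
# An empty OLD_TEXT (first run) simply reports every path as added.
report_diff() {
    old=$(mktemp) && new=$(mktemp) || return 1
    printf '%s\n' "$1" > "$old"
    printf '%s\n' "$2" > "$new"
    awk '
        NF == 0 { next }                       # ignore blank lines
        {
            path = $NF                         # file name is the last field
            sub(/[ \t]+[^ \t]+$/, "")          # $0 now holds the attributes
        }
        FILENAME == ARGV[1] { seen[path] = $0; next }   # remember old report
        {
            if (!(path in seen))        print "added " path
            else if (seen[path] != $0)  print "changed " path
            delete seen[path]          # whatever remains was not seen again
        }
        END { for (path in seen) print "removed " path }
    ' "$old" "$new" | LC_ALL=C sort -k2
    rm -f "$old" "$new"
}

# Usage: compare the constructed reports.
report_diff "$OLD_REPORT" "$NEW_REPORT"
```

Because only the trailing file name is treated as the key, any change in the attribute part of a line (a different checksum, but equally a changed size or mode if the report carries those) shows up as "changed", while a path that disappears or appears is reported separately; a root-kit that replaces /bin/ps is thus visible as a changed entry rather than being hidden in an otherwise identical line count.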
Alternatively, the command-line options --reload, --rerun, --suspend, --resume and --terminate may be provided to communicate with an existing stealth daemon. These options require but one argument: the pathname to a pid-file of a running stealth.

When the --reload <pidfile> command-line option is given, the stealth daemon corresponding to pidfile reloads its policy and skip files, immediately followed by another integrity scan; when the --rerun <pidfile> command-line option is given, the stealth daemon corresponding to pidfile performs another integrity scan; when the --terminate <pidfile> command-line option is given, the stealth daemon corresponding to pidfile terminates. The daemon is also terminated if it receives a SIGTERM or SIGINT signal.

The options --suspend and --resume (see section 5.7) were implemented to allow safe rotations of stealth's report file.
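A rotation wrapper built on these two options, as an added example (not stealth's own code and not the procedure of section 5.7, which this page does not reproduce). The pid-file and report paths are passed as arguments; the date suffix of the rotated file is a choice made here. It is assumed that stealth exits non-zero when --suspend cannot reach the daemon, and that once --suspend has returned the daemon no longer writes to the report. The STEALTH variable only exists so the wrapper can be exercised without a running stealth.

```shell
#!/bin/sh
# Added example, not part of stealth: rotate the report file between
# --suspend and --resume so that no scan writes to it while it is moved.

# rotate_report PIDFILE REPORT
# Returns 0 when the report was rotated (or did not exist) and the daemon
# was resumed; non-zero otherwise. The report is never touched unless the
# daemon acknowledged the suspend.
rotate_report() {
    pidfile=$1
    report=$2
    stealth=${STEALTH:-stealth}     # command to invoke (assumption: overridable)

    # 1. Suspend the daemon. If that fails there may be a scan in progress,
    #    so leave the report alone.
    if ! "$stealth" --suspend "$pidfile"; then
        echo "rotate_report: --suspend failed, report left untouched" >&2
        return 1
    fi

    # 2. Rotate. mv within one file system replaces the name atomically;
    #    the timestamp suffix is this example's convention.
    status=0
    if [ -f "$report" ]; then
        mv "$report" "$report.$(date +%Y%m%d%H%M%S)" || status=1
    fi

    # 3. Always resume, even when the rotation failed, so that integrity
    #    scans continue; a daemon left suspended is a silent monitoring gap.
    "$stealth" --resume "$pidfile" || status=1
    return $status
}

# Usage (assumed paths): rotate_report /var/run/stealth.pid /root/stealth/report
```

The order matters: suspending first guarantees the daemon is idle, and resuming unconditionally guarantees monitoring does not stop because of a failed mv. A cron job or logrotate postrotate hook can call the function directly.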
The following options of earlier stealth versions were renamed:
--keep-alive is now --daemon;
--suppress is now --suspend;
--echo-commands was replaced by --log;
--only-stdout was replaced by --stdout;
--quiet was replaced by --verbosity.

The following options are no longer available:
--debug (the options --verbosity or --dry-run can be used instead);
--no-child-processes;
--parse-config-file.
The following options are available:
--daemon: run as background (daemon) process;
--dry-run: no integrity scans or reloads are performed;
--log: log messages are written to a file;
--logmail: mail sent by stealth is also logged;
--no-mail: mail is not sent;
--parse-policy-file: parse the policy file;
--stdout: messages are (also) written to the standard output stream;
--suspend: suspends a currently active stealth process;
--syslog: write syslog messages;
--syslog-facility: sets the syslog facility to use;
--syslog-priority: sets the syslog priority to use;
--syslog-tag: specifies an identifier that is prefixed to syslog messages;
--verbosity <value>: determines the amount of logged information.
The first section of the policy file, ending at a line containing %%, is optional, and may contain (some) long option specifications. See section 5.2 for details.