List: osiris
Subject: Re: [osiris] Scanning fails completely on a Windows2003 server
From: "Alexei Roudnev" <Alexei_Roudnev () exigengroup ! com>
Date: 2003-11-18 23:30:25
Message-ID: 039901c3ae2b$f1a699c0$870ea8c0 () exigengroup ! com
I do not expect a big difference between Win2K, Win3K and WinXP, except some protected files...

In reality, we do not have very good ideas or very good configurations for Windows systems. A few reasons:
- Windows has a real mess in directory usage - every directory can contain variable files.
- System changes .ini files and .dll's on the fly, in some cases;
- services are controlled by registry (registry scan is on TODO list, as I know, but then we will have the same problem _finding unchanged parts of it_).

I have a config, which was adapted to scan only a few file types (but do it in all system directories), and after a few adjustments (such as excluding variable files and adding more suffixes) it works fine - we got reports about old incidents we had with updates (we had no viruses, but we had a few unsuccessful updates and a few intended changes); but this config is still not perfect. A possible approach is to use a list of system files from somewhere in the system, or just to live with my approach and adjust the config when required.

(Btw, I'd like to have an auto-approval mode, for development and staging machines - I always have a list of changes in the mail archive, so I do not have any case when I would wish to _not approve_ a change on these machines...)

Just FYI - the system works on approx. 30 servers (Win2K, Solaris and FreeBSD), no errors were found (except minor bugs in the CLI and numerous inconveniences in the config semantics).
----- Original Message -----
From: Peter.Frey@haufe.de
To: osiris@lists.shmoo.com
Sent: Tuesday, November 18, 2003 1:40 PM
Subject: [osiris] Scanning fails completely on a Windows2003 server without any error
Hi,
I have a problem with osiris 2.1.0 in a networked configuration. Scanning fails completely on a Windows2003 host without any notice of error or any hint that something is wrong with the osiris configuration.
The details. I have an experimental two node configuration with the following hosts:
A) vg180472, a Windows XP Pro computer, where osiris is installed and configured as management host
B) vg100hrst6, a Windows 2003 Server with Terminal Services (App Mode) and Citrix Metaframe
First, I installed Osiris on the client A) and made sure everything is working. Actually I installed osiris 2.0.1 on A) and upgraded it to 2.1 later on.
A few weeks later I installed Osiris 2.1 on server B) but did not configure it as management host, but added it through the management host on A) (using new-host). This server is an experimental terminal server we use to test software and configuration changes, and is part of a small Metaframe Server farm (with two production terminal servers).
From the osiris management console on A), I see the following:
osiris-2.1.0: list-hosts
[ name ] [ description ] [ enabled ]
vg100hrst6 Test-TS Win2003,MF yes
vg180472 Rechner FreyP yes
osiris-2.1.0: host vg100hrst6
vg100hrst6 is alive.
osiris-2.1.0[vg100hrst6]: status
[ current status of host: vg100hrst6 ]
current time: Tue Nov 18 22:26:37 2003
up since: Tue Nov 11 22:31:22 2003
last config push: Tue Nov 18 20:06:16 2003
configuration id: 65cd10d8
daemon status: idle.
config status: current config is valid.
osiris version: 2.1.0
OS: WindowsServer2003
osiris-2.1.0[vg100hrst6]: host-details
[ host details for: (vg100hrst6) ]
enabled : yes
hostname/IP : VG100HRST6
configs : 1
databases : 2
host type : generic
log enabled : yes
archive scans : no
notify enabled : yes
notify always : no
notify email : peter.frey@haufe.de
scans start : Tue Nov 11 20:06:00 2003
scan period : every 1440 minutes
base DB : 1
description : Test-TS Win2003,MF
osiris-2.1.0[vg100hrst6]: list-configs
[ name ] [ id ]
WindowsServer2003 65cd10d8
total: 1
osiris-2.1.0[vg100hrst6]: verify-config
[ name ] [ id ]
WindowsServer2003 65cd10d8
total: 1
name of config file: WindowsServer2003
the config: WindowsServer2003 is valid.
osiris-2.1.0[vg100hrst6]: push-config
[ name ] [ id ]
WindowsServer2003 65cd10d8
total: 1
name of config file: WindowsServer2003
the config: WindowsServer2003 was succesfully pushed to host: vg100hrst6
The problem is that no scanning happens on server B).
And I do not see what is wrong with the configuration.
osiris-2.1.0[vg100hrst6]: list-db
This may take a while...
[ name ] [ created ]
* 1 Tue Nov 11 14:08:40
2 Tue Nov 18 20:06:16
total: 2
(*) denotes the base database for this host.
osiris-2.1.0[vg100hrst6]: list-logs
This may take a while...
error: no logs exist for this host.
When I try to start scanning manually from the admin console, I get no error message, but scanning does not start:
osiris-2.1.0[vg100hrst6]: start-scan
scanning process was started on host: vg100hrst6
osiris-2.1.0[vg100hrst6]: watch-host
[vg100hrst6] is idle... (ctrl-c to abort)
All I get is this "is idle" message.
And the logs remain empty no matter how often I do a start-scan.
On the server B) itself, I see that both services are installed and running:
M:\Documents and Settings\hrsadmin>psservice | grep osiris
SERVICE_NAME: osirisd
SERVICE_NAME: osirismd
M:\Documents and Settings\hrsadmin>psservice query osirisd
PsService v2.11 - local and remote services viewer/controller
Copyright (C) 2001-2003 Mark Russinovich
Sysinternals - www.sysinternals.com
SERVICE_NAME: osirisd
DISPLAY_NAME: Osiris_IDS_Scanner
(null)
TYPE : 10 WIN32_OWN_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
M:\Documents and Settings\hrsadmin>psservice query osirismd
PsService v2.11 - local and remote services viewer/controller
Copyright (C) 2001-2003 Mark Russinovich
Sysinternals - www.sysinternals.com
SERVICE_NAME: osirismd
DISPLAY_NAME: Osiris_IDS_Management
(null)
TYPE : 10 WIN32_OWN_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
So what could be wrong with my configuration?
The user manual describes the setup/configuration of the management host, but it falls short of explaining how to add further hosts.
Do I need to configure osiris on the non-management host vg100hrst6 after installation besides what the installer is doing?
Isn't it sufficient to add further hosts using new-host from the osiris console on the management host?
Peter
------------------------------------------------------------------------------
_______________________________________________
osiris mailing list
osiris@lists.shmoo.com
https://lists.shmoo.com/mailman/listinfo/osiris
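As an added example (not Osiris code, and not Alexei's actual config), here is a minimal suffix-filtered baseline scan in Python that mirrors the Windows approach described in the reply above: hash only a few binary suffixes under the system directories, skip known-variable paths so they do not generate noise, and report what was added, removed or changed between two scans. The suffix set, the exclusion globs and the sample directory tree are constructed for the demo.

```python
import fnmatch
import hashlib
import os
import shutil
import tempfile
# Scan only these suffixes (the "few file types") under every system directory;
# skip known-variable paths. Both lists are constructed here, tune them per host.
SCAN_SUFFIXES = {".exe", ".dll", ".sys", ".ocx", ".drv"}
EXCLUDE_GLOBS = ["*.log", "*/Temp/*", "*/Prefetch/*"]

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def build_baseline(roots):
    """Map normalised path -> SHA-256 for every in-scope file under roots."""
    baseline = {}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                full = os.path.join(dirpath, name)
                norm = full.replace(os.sep, "/")
                if os.path.splitext(name)[1].lower() not in SCAN_SUFFIXES:
                    continue  # out of scope by suffix
                if any(fnmatch.fnmatch(norm, g) for g in EXCLUDE_GLOBS):
                    continue  # known-variable file, would only cause noise
                baseline[norm] = sha256_file(full)
    return baseline

def diff_baselines(old, new):
    """Return sorted (added, removed, changed) path lists between two scans."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(p for p in old.keys() & new.keys() if old[p] != new[p])
    return added, removed, changed

def demo():
    # Constructed sample tree: baseline it, simulate an update, report the diff.
    tmp = tempfile.mkdtemp()
    sysdir = os.path.join(tmp, "System32")
    os.makedirs(os.path.join(sysdir, "Temp"))
    def put(rel, data):
        with open(os.path.join(sysdir, rel), "wb") as f:
            f.write(data)
    put("kernel.dll", b"v1"); put("app.exe", b"v1")
    put("Temp/scratch.dll", b"v1")  # excluded by glob
    put("notes.txt", b"v1")         # excluded by suffix
    before = build_baseline([sysdir])
    put("app.exe", b"v2")           # patched binary: changed
    put("new.sys", b"v1")           # new driver: added
    os.remove(os.path.join(sysdir, "kernel.dll"))  # removed
    put("Temp/scratch.dll", b"v2"); put("notes.txt", b"v2")  # noise, not reported
    after = build_baseline([sysdir])
    shutil.rmtree(tmp)
    rel = lambda paths: [p[len(tmp) + 1:] for p in paths]
    return tuple(rel(x) for x in diff_baselines(before, after))
```

Running `demo()` reports only the three in-scope events; the edits to the Temp file and the .txt file are filtered out, which is the point of the suffix-and-exclusion approach.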