Is anyone here familiar with the Linux-based STEALTH package (for monitoring FS integrity of client systems)? I'm trying to get started with a very simple configuration, but I'm running into trouble (this is running under Ubuntu 14.04):
Config line `USE BASE/root/stealth/10.0.0.79' invalid
STEALTH (2.11.02) started at Fri, 30 May 2014 15:25:00 +0000
Program terminated due to non-zero exit value for
-type f -exec /usr/bin/sha1sum {} \; (EOC Fri May 30 15:25:00 2014 127)
Stealth is creating a binary tmp file in the Stealth server root and generating a "report" file in the start directory, but not much else.
Regarding the "USE BASE...invalid" error, and just to be sure, I manually created the directories in /root, but it didn't help. And, by the way, I am running stealth with sudo.
Everything seems to be configured correctly: I'm able to ssh into root@client from the stealth machine without a password
Here's my "policy" file (I've removed the email directives just for simplicity):
DEFINE SSHCMD /usr/bin/ssh
[email protected] -T -q exec /bin/bash --noprofile
DEFINE EXECSHA1 -xdev -perm +u+s,g+s ( -user root -or -group root ) \
-type f -exec /usr/bin/sha1sum {} \;
USE BASE/root/stealth/10.0.0.79
USE SSH ${SSHCMD}
USE DD /bin/dd
USE DIFF /usr/bin/diff
USE PIDFILE /var/run/stealth-
USE REPORT report
USE SH /bin/sh
GET /usr/bin/sha1sum /root/tmp
LABEL \nchecking the client's /usr/bin/find program
CHECK LOG = remote/binfind /usr/bin/sha1sum /usr/bin/find
LABEL \nsuid/sgid/executable files uid or gid root on the / partition
CHECK LOG = remote/setuidgid /usr/bin/find / ${EXECSHA1}
LABEL \nconfiguration files under /etc
CHECK LOG = remote/etcfiles \
/usr/bin/find /etc -type f -not -perm /6111 \
-not -regex "/etc/(adjtime\|mtab)"\
-exec /usr/bin/sha1sum {} \;
Any ideas?
Thanks,
