Stealth V. 4.01.00

Frank B. Brokken

Center for Information Technology, University of Groningen

2005-2015

Table of Contents

Chapter 1: Introduction

1.1: What's new in Stealth V.4.01.00

Chapter 2: Installation

2.1: Compiling and installing Stealth

Chapter 3: Granting access

3.0.1: The monitor's user: creating an ssh-key
3.0.2: The client's account: accepting ssh from the monitor's user
3.0.3: Logging into the account@client account
3.0.4: Using the proper shell

Chapter 4: The `policy' file

4.1: DEFINE directives

4.2: USE directives

4.3: Commands

4.3.1: LABEL commands
4.3.2: LOCAL commands
4.3.3: REMOTE commands
4.3.4: Preventing Controller Denial of Service (--max-size)

Chapter 5: Running `stealth'

5.1: Installing `stealth'

5.2: Stealth command-line and policy file options

5.2.1: Rsyslog filtering

5.3: Construct one or more policy files

5.3.1: DEFINE directives
5.3.2: USE directives
5.3.3: Commands
5.3.3.1: Obtaining the client's sha1sum program
5.3.3.2: Checking the integrity of the client's sha1sum program
5.3.3.3: Checking the client's /usr/bin/find program
5.3.3.4: Checking the client's setuid/setgid files
5.3.3.5: Checking the configuration files in the client's /etc/ directory
5.3.4: The complete `policy' file

5.4: Running `stealth' for the first time

5.4.1: The mailed report
5.4.2: Files under /root/stealth/client

5.5: Subsequent `stealth' runs

5.5.1: All files unaltered
5.5.2: Modifications occurred
5.5.3: Failing LOCAL commands
5.5.4: Skipping (some) integrity checks

5.6: Automating repeated `stealth' runs

5.7: Report File Rotation

5.7.1: Status file cleanup
5.7.2: Using `logrotate' to control report- and status files

Chapter 6: Kick-starting `stealth'

Chapter 7: Usage info

Chapter 8: Error messages