Chapter 1: Introduction

Welcome to stealth. The program stealth implements a file integrity scanner. The acronym stealth can be expanded to

SSH-based Trust Enforcement Acquired through a Locally Trusted Host.

This expansion contains the following key terms:

stealth is based on an idea by Hans Gankema and Kees Visser, both at the Center for Information Technology of the University of Groningen.

stealth's main task is to perform file integrity tests. However, the testing leaves virtually no traces on the tested computer. Therefore, stealth has stealthy characteristics. I consider this an important security-improving feature of stealth.

The monitor itself only needs two kinds of outgoing services: ssh(1) to reach its clients, and some mail transport agent (e.g., sendmail(1)) to forward its outgoing mail to some mail-hub.

Here is what happens when stealth is run:

Instead of running in daemon mode, stealth may also run in `foreground' mode. In foreground mode the option --daemon is not specified. When running in foreground mode, stealth either performs one integrity scan (and terminates) or, if the --repeat option has been specified, it repeatedly performs integrity scans at intervals determined by the --repeat and --random-interval options. When --repeat is specified with stealth running in foreground mode, a prompt (i.e., `? ') is shown, and stealth terminates once the Enter key is pressed.

Alternatively, stealth may run in `inter process communication' mode (IPC mode). IPC mode is characterized by using one of the command-line options --reload, --rerun, --suspend, --resume or --terminate. In IPC mode stealth communicates with an existing stealth daemon, using the Unix Domain Socket defined by that daemon. Each of these options requires just one argument: the location of the Unix Domain Socket defined by the running stealth daemon.

The options --suspend and --resume (see section 5.7) were implemented to allow safe rotations of stealth's log-files.
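The suspend/rotate/resume sequence described above, as an added shell example (not taken from this manual or from the stealth distribution). The STEALTH variable, the function name, its return codes and the `.1' suffix are assumptions, as is stealth reporting a failed IPC request through a non-zero exit status.

```shell
#!/bin/sh
# Added example: rotate a stealth log file while the daemon is suspended.
# Assumptions (not from the manual): the STEALTH variable, the function name,
# its return codes, and the ".1" suffix for the rotated file.

STEALTH=${STEALTH:-stealth}

# rotate_stealth_log UDS LOGFILE
# Returns: 0 ok, 1 bad arguments or missing socket/log, 2 suspend failed
# (log untouched), 3 rotation failed (daemon resumed), 4 resume failed.
rotate_stealth_log() {
    uds=$1
    log=$2
    if [ -z "$uds" ] || [ -z "$log" ]; then
        echo "usage: rotate_stealth_log UDS LOGFILE" >&2
        return 1
    fi
    # IPC options address a running daemon through its Unix Domain Socket;
    # without that socket there is no daemon to suspend.
    [ -e "$uds" ] || { echo "no socket at $uds" >&2; return 1; }
    [ -f "$log" ] || { echo "no log file at $log" >&2; return 1; }

    # Leave the log alone unless the suspend request succeeded
    # (assumes a non-zero exit status on failure).
    "$STEALTH" --suspend "$uds" || return 2

    rc=0
    # New log is created owner-only: scan reports should not be world-readable.
    mv -- "$log" "$log.1" && ( umask 077; : > "$log" ) || rc=3

    # Resume even when rotation failed, so scanning never stays suspended.
    "$STEALTH" --resume "$uds" || return 4
    return "$rc"
}

# Run directly as: sh rotate.sh UDS LOGFILE
if [ "$#" -eq 2 ]; then
    rotate_stealth_log "$1" "$2"
fi
```

A return code of 4 deserves an alert of its own: it means the daemon may still be suspended and no integrity scans are running.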

1.1: What's new in Stealth V.4.03.03

With 4.00.00: