Argos does not impose any additional requirements than QEMU. This means that you will need SDL for getting graphics. You can use Argos even without graphics, but this means that you will need an OS image and network access to the guest OS, if you want to do something useful with it. For network emulation to work you will need TUN/TAP interface support compiled in the kernel, or as a module.
Additionally, because of the asynchronous I/O patch you will also need pthreads. If you want to remove this requirement, see section 2.2.2 on how to reverse the installed patches.
Argos had been tested only on a Linux host, so if you encounter any problems with another OS please share your experiences with us.
Having obtained the source code for Argos you will first need to un-pack it. On Linux you can do that by running:
tar zxvf argos-[version].tar.gz
On Solaris the above syntax might not work, in which case you will have to do it in two steps:
gunzip argos-[version].tar.gz
tar xvf argos-[version].tar
Before configuring Argos take note that the QEMU patches for UDMA and asynchronous I/O have already been applied. If you wish to use Argos with a windows image that has been previously installed using QEMU without these patches, you will have to reverse them as described on the following section. If you do plan to install a new OS image, then skip to 2.2.2.
The patches are located in the patches/ directory under you Argos source directory. To reverse them issue the following commands:
patch -R -p1 < patches/qemu_build_patch
patch -R -p1 < patches/qemu_concurrent_io.patch
patch -R -p1 < patches/qemu-piix4-udma.patch
Optionally, you can change the amount of memory Argos consumes. By default Argos requires 1/8 th of extra memory than the amount of virtual RAM. If memory is `cheap', you could configure Argos to consume an extra byte for each byte of virtual RAM instead, to gain 30% better performance.
To apply the former edit the file target-i386/argos.h changing the following 2 lines from
//#define ARGOS_MEMMAP ARGOS_BYTEMAP
#define ARGOS_MEMMAP ARGOS_BITMAP
to
#define ARGOS_MEMMAP ARGOS_BYTEMAP
//#define ARGOS_MEMMAP ARGOS_BITMAP
For most people simply running
./configure should do the trick. Consult the
documentation of QEMU, if you encounter any problems.
Simply run make to compile, and make install as root to install Argos. Default installation places binaries under /usr/local/bin/.
To install an operating system to use with Argos, it is highly recommended that you use QEMU with the kernel module accelerator (KQEMU) to speed-up the process. You can download QEMU with the UDMA and asynchronous I/O patches including the kernel accelerator from the downloads section.
Because of the way Argos is keeping track of memory, you will have to disable virtual memory paging in the OS you are installing. If you need more memory at the guest, simply run Argos allocating more virtual RAM.
QEMU uses disk image files as hard disks. To install an operating
system you will have first have to create such an image. You can do
that by using the qemu-img utility included with QEMU. We recommend using a QEMU copy on write image, which can be created like this:
qemu-img create -f qcow [image name] [size]
e.g. qemu-img create -f qcow root.img 2G will create a 2 gigabyte disk image called `root.img'.
For more information on disk images consult QEMU's documentation.
Startup QEMU to boot from CDROM:
qemu -localtime -m [virtual RAM size in MB] -hda [hard disk image e.g. root.img] -cdrom /dev/cdrom -boot d
Proceed to install the OS as you would normally do.
Similarly as above, but replace the CDROM device with the ISO file image like below:
qemu -localtime -m [virtual RAM size in MB] -hda [hard disk image e.g. root.img] -cdrom slackware-10.2-install-d1.iso -boot d
The number of emulated interfaces can be configured using option -nics [number of nics]. For each of the interfaces a tun interface is created at the host.
Script `/etc/qemu-ifup' if present, is called to configure each tun interface at the host.
A minimal script would simply enable the interface as such:
sudo ifconfig $1 172.20.0.1
A more useful configuration would employ an ethernet bridge, to couple a real host interface and the tun interfaces. The guest OSs could then either use DHCP to get an IP address, or be statically configured.
Ethernet bridge creation:
brctl addbr br0
brctl addif br0 eth0
ifconfig eth0 0.0.0.0 promisc up
`/etc/qemu-ifup':
brctl addif br0 $1
ifconfig $1 0.0.0.0 promisc up
If your DHCP server replies to only known MAC addresses, you can explicitly set the guest's MAC address using the -macaddr. You can then install it to your DHCP server configuration.
Configure the guest OS network, as you would normally do.
You can start Argos manually by issuing the following:
argos -localtime -m [virtual RAM size in MB] -hda [hard disk image e.g. root.img] -snapshot -linux
The -snapshot option forces QEMU to store any changes to the filesystem image in temporarily files, instead of actually updating it. This provides additional security, since malware cannot persistently alter the filesystem.
The -linux option has been introduced by Argos and specifies that the OS run on the guest is Linux. Other OS options are: -win2k and -winxp.
hera.pl is a perl script included in the Argos utilities package that manages the execution of Argos. `Hera' makes sure that both tcpdump and Argos are running at any given time.
To configure hera for your system edit the values on top of the `hera.pl' file:
Whenever Argos detects an attack or is restarted by hera, the logs are moved under the `$log_directory'. There, another directory is created using the current timestamp, where the logs are actually placed. Finally, tpcdump and Argos are restarted.
Under Construction