<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html><head>
<title>Frequently Asked Questions for Samhain</title>
<meta name="author" content="Rainer Wichmann">

<style type="text/css">
<!--

html { background: #eee; color: #000; }

body { background: #eee; color: #000; margin: 0; padding: 0;}

div.body {
background: #fff; color: #000;
margin: 0 1em 0 1em; padding: 1em;
font-family: serif;
font-size: 1em; line-height: 1.2em;
border-width: 0 1px 0 1px;
border-style: solid;
border-color: #aaa;
}

div.block {
background: #b6c5f2; color: #000;
margin: 1em; padding: 0 1em 0 1em;
border-width: 1px;
border-style: solid;
border-color: #2d4488;
}

div.warnblock {
background: #b6c5f2; color: #000;
margin: 1em; padding: 0 1em 0 1em;
border-width: 1px;
border-style: solid;
border-color: #FF9900;
}

table {
background: #F8F8F8; color: #000;
margin: 1em;
border-width: 0 0 0 1px;
border-style: solid;
border-color: #C0C0C0;
}

td {
border-width: 0 1px 1px 0;
border-style: solid;
border-color: #C0C0C0;
}

th {
background: #F8F8FF;
border-width: 1px 1px 2px 0;
border-style: solid;
border-color: #C0C0C0;
}


/* body text, headings, and rules */

p { margin: 0; text-indent: 0em; margin: 0 0 0.5em 0 }

h1, h2, h3, h4, h5, h6 {
color: #206020; background: transparent;
font-family: Optima, Arial, Helvetica, sans-serif;
font-weight: normal;
}

h1 { font-size: 1.69em; margin: 1.4em 0 0.4em 0; }
h2 { font-size: 1.44em; margin: 1.4em 0 0.4em 0; }
h3 { font-size: 1.21em; margin: 1.4em 0 0.4em 0; }
h4 { font-size: 1.00em; margin: 1.4em 0 0.4em 0; }
h5 { font-size: 0.81em; margin: 1.4em 0 0.4em 0; }
h6 { font-size: 0.64em; margin: 1.4em 0 0.4em 0; }

hr {
color: transparent; background: transparent;
height: 0px; margin: 0.6em 0;
border-width: 1px ;
border-style: solid;
border-color: #999;
}

/* bulleted lists and definition lists */

ul { margin: 0 1em 0.6em 2em; padding: 0; }
li { margin: 0.4em 0 0 0; }

dl { margin: 0.6em 1em 0.6em 2em; }
dt { color: #285577; }

tt { color: #602020; }

/* links */

a.link {
color: #33c; background: transparent;
text-decoration: none;
}

a:hover {
color: #000; background: transparent;
}

body > a {
font-family: Optima, Arial, Helvetica, sans-serif;
font-size: 0.81em;
}

h1, h2, h3, h4, h5, h6 {
color: #2d5588; background: transparent;
font-family: Optima, Arial, Helvetica, sans-serif;
font-weight: normal;
}

-->
</style></head>
<body>
<div class="body">
<p style="text-align: center; background: #ccc; border: 1px solid #2d5588;"><a
style="text-decoration: none;"
href="http://www.la-samhna.de/samhain/">samhain file integrity
scanner</a> | <a style="text-decoration: none;"
href="http://www.la-samhna.de/samhain/s_documentation.html">online
documentation</a></p>
<br><center><h1><a name="FAQ-top">Frequently Asked Questions for Samhain</a></h1></center>
<br><center><h2>Rainer Wichmann</h2></center>
<hr>
<p><i>FAQ Revised: Tuesday 31 January 2006 21:28:35</i></p>
<hr><h2>Table of Contents</h2>
<dl>
<dt><b>1. Most frequently</b></dt>
<dd><ul>
<li><a href="#Most frequently0">1.1. Owner not trustworthy / Group writeable and member not trustworthy</a></li>
<li><a href="#Most frequently1">1.2. samhain exits with the message "Untrusted path" for config/log/pid/database files</a></li>
<li><a href="#Most frequently2">1.3. It does not log anything / Can't stop logging to console</a></li>
<li><a href="#Most frequently3">1.4. Client cannot self-resolve, but nslookup works fine</a></li>
</ul></dd>
<dt><b>2. Build and install</b></dt>
<dd><ul>
<li><a href="#Build and install0">2.1. [Fedora Core] Cannot compile with --enable-khide</a></li>
<li><a href="#Build and install1">2.2. [Fedora Core] Cannot compile with --with-kcheck</a></li>
<li><a href="#Build and install2">2.3. "make" loops infinitely !</a></li>
<li><a href="#Build and install3">2.4. Why does static compiling (<code>--enable-static</code>) on Solaris fail ?</a></li>
<li><a href="#Build and install4">2.5. Compilation fails with '/usr/bin/ld: cannot find -lnss_files'</a></li>
<li><a href="#Build and install5">2.6. The executable is corrupted after installation</a></li>
<li><a href="#Build and install6">2.7. --enable-xml-log has no effect</a></li>
<li><a href="#Build and install7">2.8. ./install-sh: strip: not found (Solaris)</a></li>
<li><a href="#Build and install8">2.9. What is sh_tiger1.s?</a></li>
</ul></dd>
<dt><b>3. File checking</b></dt>
<dd><ul>
<li><a href="#File checking0">3.1. How can I exclude a (sub-)directory ?</a></li>
<li><a href="#File checking1">3.2. In messages about policy violations, what does the code after POLICY [XYZ]
mean ?</a></li>
<li><a href="#File checking2">3.3. Does samhain support prelink ?</a></li>
<li><a href="#File checking3">3.4. I get error messages about 'subdirectory count != hardlinks'</a></li>
</ul></dd>
<dt><b>4. Client/Server</b></dt>
<dd><ul>
<li><a href="#Client/Server0">4.1. I don't want to poke a hole into my firewall to let the client connect to the server !</a></li>
<li><a href="#Client/Server1">4.2. The client sends 127.0.0.1 (or some other numerical address) as its name to the log server</a></li>
<li><a href="#Client/Server2">4.3. The server wants to send rc.ip-address rather than rc.fqdn to the client</a></li>
<li><a href="#Client/Server3">4.4. Cannot resolve client name host=XXX</a></li>
<li><a href="#Client/Server4">4.5. Cannot resolve socket peer IP for client host=XXX peer=YYY</a></li>
<li><a href="#Client/Server5">4.6. Reverse lookup of socket peer failed host=XXX peer=YYY obj=ZZZ</a></li>
<li><a href="#Client/Server6">4.7. No socket peer alias matches client name host=XXX peer=YYY</a></li>
<li><a href="#Client/Server7">4.8. Session key negotiation failed</a></li>
<li><a href="#Client/Server8">4.9. Invalid connection attempt: Not in client list</a></li>
<li><a href="#Client/Server9">4.10. Invalid connection attempt: Session key mismatch</a></li>
<li><a href="#Client/Server10">4.11. How do I update the file signature database ?</a></li>
<li><a href="#Client/Server11">4.12. Time limit exceeded</a></li>
<li><a href="#Client/Server12">4.13. Invalid connection attempt: Signature mismatch</a></li>
<li><a href="#Client/Server13">4.14. [Server] PANIC .. Address already in use subroutine=bind</a></li>
</ul></dd>
<dt><b>5. Email</b></dt>
<dd><ul>
<li><a href="#Email0">5.1. Reverse lookup failed</a></li>
<li><a href="#Email1">5.2. From daemon@example.com</a></li>
<li><a href="#Email2">5.3. How do I define more than one email address ?</a></li>
</ul></dd>
<dt><b>6. Misc</b></dt>
<dd><ul>
<li><a href="#Misc0">6.1. Error message: "Invalid line XYZ in configuration file"</a></li>
<li><a href="#Misc1">6.2. Why do I get a local logfile if I log to the server ?</a></li>
<li><a href="#Misc2">6.3. Why is there no NIS support with a static samhain executable on Linux ?</a></li>
<li><a href="#Misc3">6.4. Why do I get hundreds of messages about modified CTIME ?</a></li>
<li><a href="#Misc4">6.5. PANIC — File not accessible</a></li>
<li><a href="#Misc5">6.6. How can I avoid error messages for invalid UIDs (no such user) ?</a></li>
<li><a href="#Misc6">6.7. [Redhat] The /etc/init.d/(samhain|yule) init script hangs</a></li>
<li><a href="#Misc7">6.8. The /etc/init.d/(samhain|yule) init script exits with: execvp: No such file or directory</a></li>
<li><a href="#Misc8">6.9. Why am I not receiving the "BEGIN LOGKEY" message by email ?</a></li>
<li><a href="#Misc9">6.10. Why does console logging fail if I compile with
<code>--enable-(micro-)stealth</code> ?</a></li>
<li><a href="#Misc10">6.11. I need a list for my schedule !</a></li>
<li><a href="#Misc11">6.12. The hiding kernel module has no effect !</a></li>
<li><a href="#Misc12">6.13. What does the message "Large lstat/open overhead" mean ?</a></li>
<li><a href="#Misc13">6.14. What does the message "Device not available path=/dev/random" mean ? I have /dev/random !</a></li>
<li><a href="#Misc14">6.15. Logging to an external program fails; the program receives no data
on stdin !</a></li>
<li><a href="#Misc15">6.16. SIGILL on AIX</a></li>
</ul></dd>
<dt><b>7. Database</b></dt>
<dd><ul>
<li><a href="#Database0">7.1. Why are client messages corrupted / incompletely stored in the DB ?</a></li>
<li><a href="#Database1">7.2. I want / don't want the server timestamps (for client messages) in the SQL database</a></li>
<li><a href="#Database2">7.3. I don't want the client TIMESTAMP messages in the SQL database</a></li>
<li><a href="#Database3">7.4. What does the log_ref field mean ?</a></li>
<li><a href="#Database4">7.5. How can I check what is in the database ?</a></li>
</ul></dd>
</dl>
<hr><h2>1. Most frequently</h2>
<dl>
<dt><b><a name="Most frequently0">1.1. Owner not trustworthy / Group writeable and member not trustworthy</a></b></dt>
<dd>An untrusted user (or, for group writeable files/directories, an untrusted
group member) owns or can write to an
element in the path listed in the error message. This concerns
the configuration file, the log file, and the database file.
The offending element in the path is identified as obj=/xxx in the
error message.
To fix the problem, see the next entry.<br><br></dd>
<dt><b><a name="Most frequently1">1.2. samhain exits with the message "Untrusted path" for config/log/pid/database files</a></b></dt>
<dd>Paths to critical
files (e.g. the configuration file) must be writeable by trusted users
only.
If a path element is group writeable, all group members must be trusted.
By default, only <i>root</i> and the (effective) <i>user</i> of
the program are trusted. To add trusted users, use the compile time
option
<div class="block"><pre>
$ ./configure --with-trusted=0,...
</pre></div>
or the configuration file option:
<div class="block"><pre>
[Misc]
TrustedUser=username
</pre></div>
If the path to the configuration file itself is writeable
by users other than <i>root</i> and the
<i>effective user</i>,
these must already be defined as trusted
at compile time.<br><br></dd>
|
---|
| 245 | <dt><b><a name="Most frequently2">1.3. It does not log anything / Can't stop logging to console</a></b></dt>
|
---|
| 246 | <dd>(1) There is a section in the manual dealing with
|
---|
| 247 | logging and filtering.<br />
|
---|
| 248 |
|
---|
| 249 | (2) To log to the console:
|
---|
| 250 | <div class="block"><pre>
|
---|
| 251 | $ samhain -p info ...
|
---|
| 252 | </pre></div>
|
---|
| 253 | or in the configuration file:
|
---|
| 254 | <div class="block"><pre>
|
---|
| 255 | [Log]
|
---|
| 256 | PrintSeverity=info
|
---|
| 257 | </pre></div>
|
---|
| 258 |
|
---|
| 259 | To <i>stop</i> logging to the console:
|
---|
| 260 | <div class="block"><pre>
|
---|
| 261 | $ samhain -p none ...
|
---|
| 262 | </pre></div>
|
---|
| 263 | or in the configuration file:
|
---|
| 264 | <div class="block"><pre>
|
---|
| 265 | [Log]
|
---|
| 266 | PrintSeverity=none
|
---|
| 267 | </pre></div>
|
---|
| 268 | Defining <tt>/dev/null</tt> as console device works as well, but
|
---|
| 269 | is a bad idea, because samhain will open the device and write (i.e. it is
|
---|
| 270 | a very inefficient method).<br><br></dd>
|
---|
| 271 | <dt><b><a name="Most frequently3">1.4. Client cannot self-resolve, but nslookup works fine</a></b></dt>
|
---|
| 272 | <dd><ul>
|
---|
| 273 | <li>Nslookup is a program to query Internet domain name servers.
|
---|
| 274 | </li>
|
---|
| 275 | <li>Applications (like samhain) are not supposed to query DNS servers
|
---|
| 276 | directly. Rather, they are supposed to query the resolver library that:
|
---|
| 277 | <ul>
|
---|
| 278 | <li>is provided by the operating system,</li>
|
---|
| 279 | <li>configured by the system administrator,</li>
|
---|
| 280 | <li>may use several different method to determine host names, as
|
---|
| 281 | configured in <tt>/etc/nsswitch.conf</tt>, and</li>
|
---|
| 282 | <li>usually is configured to give precedence to
|
---|
| 283 | the <tt>/etc/hosts</tt> file.</li>
|
---|
| 284 | </ul>
|
---|
| 285 | </li>
|
---|
| 286 | <li>Therefore, whether nslookup gives correct answers may be completely
|
---|
| 287 | irrelevant. For self-resolving the own hostname, the resolver
|
---|
| 288 | library probably will use <tt>/etc/hosts</tt>, rather than
|
---|
| 289 | querying a DNS server.
|
---|
| 290 | </li>
|
---|
| 291 | </ul>
|
---|
| 292 | <p>
|
---|
| 293 | Below you can find some examples of good and bad <tt>/etc/hosts</tt> files:
|
---|
| 294 | </p>
|
---|
| 295 | <div class="block"><pre>
|
---|
| 296 | # CORRECT
|
---|
| 297 | #
|
---|
| 298 | 127.0.0.1 localhost
|
---|
| 299 | xxx.xxx.xxx.xxx myhost.mydomain.tld myhost
|
---|
| 300 | </pre></div>
|
---|
| 301 |
|
---|
| 302 | <div class="block"><pre>
|
---|
| 303 | # CORRECT
|
---|
| 304 | #
|
---|
| 305 | 127.0.0.1 localhost.localdomain localhost
|
---|
| 306 | xxx.xxx.xxx.xxx myhost.mydomain.tld myhost
|
---|
| 307 | </pre></div>
|
---|
| 308 |
|
---|
| 309 | <div class="block"><pre>
|
---|
| 310 | # BAD
|
---|
| 311 | #
|
---|
| 312 | 127.0.0.1 myhost.mydomain.tld localhost
|
---|
| 313 | xxx.xxx.xxx.xxx myhost.mydomain.tld myhost
|
---|
| 314 | </pre></div>
|
---|
| 315 |
|
---|
| 316 | <div class="block"><pre>
|
---|
| 317 | # BAD
|
---|
| 318 | #
|
---|
| 319 | 127.0.0.1 localhost myhost
|
---|
| 320 | xxx.xxx.xxx.xxx myhost.mydomain.tld myhost
|
---|
| 321 | </pre></div><br><br></dd>
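<dd><p>As an added example (not samhain's own code), this POSIX shell script emulates the resolver's <tt>/etc/hosts</tt> lookup and applies the two criteria the CORRECT/BAD examples above illustrate: the host name must not map to a loopback address, and its canonical name (the first name on the matching line) must be fully qualified. The function names and the <tt>192.0.2.10</tt> sample address are this example's own; it is meant to be run with both the short and the fully qualified host name, since either may be what the system reports as its name.</p>

```sh
#!/bin/sh
# Added example, not samhain's own code: emulate the resolver's "files"
# method on an /etc/hosts file and judge whether a host would self-resolve
# correctly. Pure POSIX sh, no external commands.

# lookup_hosts FILE NAME
# Prints "<address> <canonical name>" from the first line of FILE on which
# NAME appears as canonical name or alias, as the "files" method of the
# resolver does; returns 1 if no line matches.
lookup_hosts() {
    _file=$1
    _name=$2
    while read -r _line || [ -n "$_line" ]; do
        _line=${_line%%#*}            # drop comments
        set -- $_line                 # fields: address canonical [aliases...]
        [ $# -ge 2 ] || continue
        _addr=$1
        _canon=$2
        shift
        for _n in "$@"; do
            if [ "$_n" = "$_name" ]; then
                echo "$_addr $_canon"
                return 0
            fi
        done
    done < "$_file"
    return 1
}

# check_self_resolve FILE NAME
# Prints "ok: ..." and returns 0, or prints "bad: <reason>" and returns 1.
check_self_resolve() {
    _res=$(lookup_hosts "$1" "$2") || { echo "bad: $2 is not listed in $1"; return 1; }
    _a=${_res%% *}
    _c=${_res#* }
    # A name that maps to 127.x.x.x is what the BAD examples have in common.
    case $_a in
        127.*) echo "bad: $2 resolves to loopback $_a (canonical name $_c)"; return 1 ;;
    esac
    # The canonical name is what the client reports to the server; it must
    # be a fully qualified domain name, not a bare alias such as "myhost".
    case $_c in
        *.*) ;;
        *) echo "bad: canonical name $_c for $2 is not fully qualified"; return 1 ;;
    esac
    echo "ok: $2 -> $_a ($_c)"
    return 0
}

# Live check of this machine, when run with the output of hostname(1):
#   sh selfresolve.sh "$(hostname)"
if [ $# -gt 0 ]; then
    check_self_resolve /etc/hosts "$1"
fi
```
</dd>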
|
---|
| 322 | </dl>
|
---|
| 323 | <hr><h2>2. Build and install</h2>
|
---|
| 324 | <dl>
|
---|
| 325 | <dt><b><a name="Build and install0">2.1. [Fedora Core] Cannot compile with --enable-khide</a></b></dt>
|
---|
| 326 | <dd>The Fedora Core kernel is patched to unconditionally deny reading
|
---|
| 327 | from /dev/kmem. Compiling the stealth kernel modules is not possible
|
---|
| 328 | under these circumstances.<br><br></dd>
|
---|
| 329 | <dt><b><a name="Build and install1">2.2. [Fedora Core] Cannot compile with --with-kcheck</a></b></dt>
|
---|
| 330 | <dd>The Fedora Core kernel is patched to unconditionally deny reading
|
---|
| 331 | from /dev/kmem. Checking the kernel for the presence of rootkits is
|
---|
| 332 | not possible under these circumstances.<br><br></dd>
|
---|
| 333 | <dt><b><a name="Build and install2">2.3. "make" loops infinitely !</a></b></dt>
|
---|
| 334 | <dd>This may happen (e.g. when building via NFS for multiple architectures)
|
---|
| 335 | if the relative timestamps in the source directory are
|
---|
| 336 | wrong (time not in sync on different machines) or some intermediate
|
---|
| 337 | target is unusable (up-to-date, but built for a different OS). Use
|
---|
| 338 | "touch * && make distclean" in the source directory
|
---|
| 339 | to recover.<br><br></dd>
|
---|
| 340 | <dt><b><a name="Build and install3">2.4. Why does static compiling (<code>--enable-static</code>) on Solaris fail ?</a></b></dt>
|
---|
| 341 | <dd>Ingo Rogalsky has provided the following information: It isn't possible
|
---|
| 342 | to link Samhain statically with Solaris. This
|
---|
| 343 | is a Solaris issue (see Sun Infodoc ID12624) and not a samhain problem.<br><br></dd>
|
---|
| 344 | <dt><b><a name="Build and install4">2.5. Compilation fails with '/usr/bin/ld: cannot find -lnss_files'</a></b></dt>
|
---|
| 345 | <dd>For Linux, this is a known problem with --enable-static if you compile
|
---|
| 346 | in MySQL support. The problem is that the
|
---|
| 347 | <tt>mysql_config</tt> that comes as part of the MySQL
|
---|
| 348 | distribution script incorrectly lists dependencies on
|
---|
| 349 | the libnss_files and libnss_dns libraries which are only available as
|
---|
| 350 | shared libraries, so the linker cannot find the static libraries.
|
---|
| 351 |
|
---|
| 352 | You can check this by inspecting the output of
|
---|
| 353 | <code>mysql_config --libs</code>. The version of
|
---|
| 354 | <tt>mysql_config</tt> that comes with the RedHat mysql
|
---|
| 355 | RPM (RedHat 9) does not have this bug; the one distributed by the MySQL
|
---|
| 356 | people has. You can fix the problem by editing
|
---|
| 357 | <tt>mysql_config</tt>: search for the
|
---|
| 358 | <i>client_libs</i> variable, and remove all instances
|
---|
| 359 | of <i>-lnss_files</i> and <i>-lnss_dns</i>.<br><br></dd>
|
---|
| 360 | <dt><b><a name="Build and install5">2.6. The executable is corrupted after installation</a></b></dt>
|
---|
| 361 | <dd>The executable will get stripped during the installation. On
|
---|
| 362 | suitable systems (i386 Linux/FreeBSD currently), additionally
|
---|
| 363 | the "sstrip"
|
---|
| 364 | utility (copyright 1999 by Brian Raiter, under the GNU GPL)
|
---|
| 365 | will be used to strip the executable even more, to prevent
|
---|
| 366 | debugging with the GNU "gdb" debugger.
|
---|
| 367 | The "strip" utility cannot handle the resulting
|
---|
| 368 | executable, therefore trying to strip manually after installation
|
---|
| 369 | will corrupt the executable.<br><br></dd>
|
---|
| 370 | <dt><b><a name="Build and install6">2.7. --enable-xml-log has no effect</a></b></dt>
|
---|
| 371 | <dd>If you have compiled for stealth, you won't see much, because if
|
---|
| 372 | obfuscated, then both a 'normal' and an XML logfile look,
|
---|
| 373 | well ... obfuscated. Use <code>samhain -jL /path/to/logfile</code>
|
---|
| 374 | to view the logfile.<br><br></dd>
|
---|
| 375 | <dt><b><a name="Build and install7">2.8. ./install-sh: strip: not found (Solaris)</a></b></dt>
|
---|
| 376 | <dd>Install the SUNWbtool package.<br><br></dd>
|
---|
[19] | 377 | <dt><b><a name="Build and install8">2.9. What is sh_tiger1.s?</a></b></dt>
|
---|
| 378 | <dd>This is a precompiled assembly file for the i386 architecture
|
---|
| 379 | generated from sh_tiger1.c using gcc 3.4.0 with the following options,
|
---|
| 380 | that were found to generate the fastest code:
|
---|
| 381 | <pre>
|
---|
| 382 | -O1 -fno-delayed-branch -fexpensive-optimizations -fstrength-reduce
|
---|
| 383 | -fpeephole2 -fschedule-insns2 -fregmove -frename-registers -fweb
|
---|
| 384 | -momit-leaf-frame-pointer -funroll-loops
|
---|
| 385 | </pre>
|
---|
| 386 | These options were determined using
|
---|
| 387 | <a href="http://www.coyotegulch.com/products/acovea/">acovea</a> 5.1.1
|
---|
| 388 | by Scott Robert Ladd. The file is provided as precompiled assembly
|
---|
| 389 | because different versions of gcc can have very different performance,
|
---|
| 390 | require different options to compile optimal code, and
|
---|
| 391 | it would be impossible to maintain a library of optimal compile options
|
---|
| 392 | for every version of gcc.<br><br></dd>
|
---|
[1] | 393 | </dl>
|
---|
| 394 | <hr><h2>3. File checking</h2>
|
---|
| 395 | <dl>
|
---|
| 396 | <dt><b><a name="File checking0">3.1. How can I exclude a (sub-)directory ?</a></b></dt>
|
---|
| 397 | <dd><div class="block"><pre>
|
---|
| 398 | [IgnoreAll]
|
---|
| 399 | dir=-1/ignore/this/subdirectory
|
---|
| 400 | </pre></div><br><br></dd>
|
---|
| 401 | <dt><b><a name="File checking1">3.2. In messages about policy violations, what does the code after POLICY [XYZ]
|
---|
| 402 | mean ?</a></b></dt>
|
---|
| 403 | <dd>This code indicates which items are modified (e.g. C = checksum). You can
|
---|
| 404 | find a description in section 5.4.9 in the user manual. It is there because
|
---|
| 405 | then you can see in the message list of the Beltane web console what has been
|
---|
| 406 | modified, without the need to look at the message in detail.<br><br></dd>
|
---|
| 407 | <dt><b><a name="File checking2">3.3. Does samhain support prelink ?</a></b></dt>
|
---|
| 408 | <dd>Yes. There is a special checking policy [Prelink]. Directories with
|
---|
| 409 | prelinked executables / shared libraries (see /etc/prelink.conf) should be
|
---|
| 410 | placed under this policy, rather than under the [ReadOnly] policy.<br><br></dd>
|
---|
| 411 | <dt><b><a name="File checking3">3.4. I get error messages about 'subdirectory count != hardlinks'</a></b></dt>
|
---|
| 412 | <dd>Some filesystems do not always follow the rule that the number
|
---|
| 413 | of directory
|
---|
| 414 | hardlinks equals the number of subdirectories. E.g. the root directory of
|
---|
| 415 | reiserfs partitions generally seems to have two additional hardlinks.
|
---|
| 416 | To account for such exceptions, you can either switch off the
|
---|
| 417 | hardlink check globally, or specify exceptions:
|
---|
| 418 | <div class="block"><pre>
|
---|
| 419 | [Misc]
|
---|
| 420 | # Switch off hardlink check
|
---|
| 421 | #
|
---|
| 422 | UseHardlinkCheck=no
|
---|
| 423 | </pre></div>
|
---|
| 424 | <div class="block"><pre>
|
---|
| 425 | [Misc]
|
---|
| 426 | # Specify exceptions for the hardlink check
|
---|
| 427 | #
|
---|
| 428 | HardlinkOffset=N:/path
|
---|
| 429 | </pre></div>
|
---|
| 430 | Here, N is the numerical offset (actual - expected hardlinks) for
|
---|
| 431 | '/path'. For multiple exceptions, use
|
---|
| 432 | this options multiple times (note that '/path N:/path2' would itself be a valid
|
---|
| 433 | path, so using the option only once with multiple exceptions on the same line
|
---|
| 434 | would be ambiguous).<br><br></dd>
|
---|
| 435 | </dl>
|
---|
| 436 | <hr><h2>4. Client/Server</h2>
|
---|
| 437 | <dl>
|
---|
| 438 | <dt><b><a name="Client/Server0">4.1. I don't want to poke a hole into my firewall to let the client connect to the server !</a></b></dt>
|
---|
| 439 | <dd>Pat Smith has posted the following solution. On the client, create
|
---|
| 440 | an iptable rule as follows (<i>note: you probably don't need this if you
|
---|
| 441 | configure / compile in 127.0.0.1 as the server address</i>):
|
---|
| 442 | <div class="block"><pre>
|
---|
| 443 | iptables -t nat -A OUTPUT -p tcp -m tcp --dport 49777 -d <i>server-ip</i> -j REDIRECT
|
---|
| 444 | </pre></div>
|
---|
| 445 |
|
---|
| 446 | On the server, create an ssh tunnel for each client outside the firewall:
|
---|
| 447 |
|
---|
| 448 | <div class="block"><pre>
|
---|
| 449 | ssh -f -C -R 49777:localhost:49777 -N <i>client-ip</i>
|
---|
| 450 | </pre></div>
|
---|
| 451 |
|
---|
| 452 | It is necessary that each client has a distinct name, and that the server
|
---|
| 453 | knows the name of the client. With the setup above, each client will appear
|
---|
| 454 | as "localhost" to the server, thus the server
|
---|
| 455 | needs to trust the client name
|
---|
| 456 | as reported by the client itself, and suppress all eroors on resolving
|
---|
| 457 | this name to the apparent address. In the server configuration:
|
---|
| 458 |
|
---|
| 459 | <div class="block"><pre>
|
---|
| 460 | [Misc]
|
---|
| 461 | SetClientFromAccept = false
|
---|
| 462 | SeverityLookup = debug
|
---|
| 463 | </pre></div>
|
---|
| 464 |
|
---|
| 465 | Obviously, self-resolving must work on the client machine, otherwise
|
---|
| 466 | you are in trouble (see next issue).<br><br></dd>
|
---|
| 467 | <dt><b><a name="Client/Server1">4.2. The client sends 127.0.0.1 (or some other numerical address) as its name to the log server</a></b></dt>
|
---|
| 468 | <dd>See 'Client cannot self-resolve' in the 'Most frequently' section<br><br></dd>
|
---|
| 469 | <dt><b><a name="Client/Server2">4.3. The server wants to send rc.ip-adress rather than rc.fqdn to the client</a></b></dt>
|
---|
| 470 | <dd>The client self-resolves to its ip address.
|
---|
| 471 | See 'Client cannot self-resolve' in the 'Most frequently' section<br><br></dd>
|
---|
| 472 | <dt><b><a name="Client/Server3">4.4. Cannot resolve client name host=XXX</a></b></dt>
|
---|
| 473 | <dd><div class="block"><pre>
|
---|
| 474 | The server must be able to determine the client name.
|
---|
| 475 | This is because only authenticated connections from registered
|
---|
| 476 | clients are allowed, and
|
---|
| 477 | the server must be able to check the client hostname against the list of
|
---|
| 478 | allowed hosts, and look up the password verifier for that
|
---|
| 479 | host.
|
---|
| 480 | </pre></div>
|
---|
| 481 | There are two different ways to accomplish this. Unfortunately, judging
|
---|
| 482 | from customer feedback as well from common sense, both do not work very well
|
---|
| 483 | with a messed up local DNS (including /etc/hosts files) and/or
|
---|
| 484 | überparanoid or misconfigured firewalls (in case of connections
|
---|
| 485 | across one).
|
---|
| 486 | <ul>
|
---|
| 487 | <li>
|
---|
| 488 | <p>
|
---|
| 489 | <i>First method: Determine client name on client, and
|
---|
| 490 | try to cross-check on server</i>
|
---|
| 491 | <p>
|
---|
| 492 | <p>
|
---|
| 493 | This does not work for a number of people because (1) the
|
---|
| 494 | <tt>/etc/hosts</tt> file on the client machine has errors
|
---|
| 495 | (yes, there are plenty machines with a completely
|
---|
| 496 | messed up <tt>/etc/hosts</tt> file), (2) the
|
---|
| 497 | server cannot resolve the client address because the local DNS is
|
---|
| 498 | f***ed up, or (3) the client machine has multiple network interfaces, and
|
---|
| 499 | the interface used is not the one the client name resolves to.
|
---|
| 500 | </p>
|
---|
| 501 | <p>
|
---|
| 502 | If the client uses the wrong interface on a multi-interface machine,
|
---|
| 503 | there is a config file option
|
---|
| 504 | <tt>SetBindAddress=</tt><i>IP address</i>
|
---|
| 505 | that allows to choose the interface the client will use for
|
---|
| 506 | outgoing connections.
|
---|
| 507 | </p>
|
---|
| 508 | <p>
|
---|
| 509 | If you want to download the config file from the server, you
|
---|
| 510 | should instead use the corresponding command line
|
---|
| 511 | <tt>--bind-address=</tt><i>IP address</i>
|
---|
| 512 | to select the interface.
|
---|
| 513 | </p>
|
---|
| 514 |
|
---|
| 515 | <p>
|
---|
| 516 | If you encounter problems, you may (1) fix your
|
---|
| 517 | <tt>/etc/hosts</tt> file(s), (2) fix your local DNS, or
|
---|
| 518 | (3) switch to the second method.
|
---|
| 519 | </p>
|
---|
| 520 | <p>
|
---|
| 521 | Errors in name resolving/cross-checking can be avoided by setting a
|
---|
| 522 | very low severity (lower than the logging threshold), e.g.
|
---|
| 523 | </p>
|
---|
| 524 | <p>
|
---|
| 525 | <tt>SeverityLookup=</tt><i>debug</i>
|
---|
| 526 | </p>
|
---|
| 527 | <p>
|
---|
| 528 | in the <i>Misc</i> section of the server configuration,
|
---|
| 529 | if you prefer running <i>unsafe</i> at any speed
|
---|
| 530 | instead of fixing the problem (you have been warned). Doing so will
|
---|
| 531 | allow an attacker to pose as the client.
|
---|
| 532 | </p>
|
---|
| 533 | </li>
|
---|
| 534 | <li>
|
---|
| 535 | <p><i>Second method: Use address of connecting entity as
|
---|
| 536 | known to the communication layer</i></p>
|
---|
| 537 | <p>
|
---|
| 538 | This has been dropped as default
|
---|
| 539 | long ago because it may not always be the
|
---|
| 540 | address of the client machine.
|
---|
| 541 | To enable this method, use
|
---|
| 542 | </p>
|
---|
| 543 | <p>
|
---|
| 544 | <tt>SetClientFromAccept=</tt><i>true</i>
|
---|
| 545 | </p>
|
---|
| 546 | <p>
|
---|
| 547 | in the <i>Misc</i> section of the server configuration
|
---|
| 548 | file. If the address cannot be resolved, or reverse lookup of the
|
---|
| 549 | resolved name fails, <i>no</i> error message will be issued,
|
---|
| 550 | but the numerical address will be used.
|
---|
| 551 | </p>
|
---|
| 552 | </li>
|
---|
| 553 | </ul><br><br></dd>
|
---|
| 554 | <dt><b><a name="Client/Server4">4.5. Cannot resolve socket peer IP for client host=XXX peer=YYY</a></b></dt>
|
---|
| 555 | <dd>See above<br><br></dd>
|
---|
| 556 | <dt><b><a name="Client/Server5">4.6. Reverse lookup of socket peer failed host=XXX peer=YYY obj=ZZZ</a></b></dt>
|
---|
| 557 | <dd>See above<br><br></dd>
|
---|
| 558 | <dt><b><a name="Client/Server6">4.7. No socket peer alias matches client name host=XXX peer=YYY</a></b></dt>
|
---|
| 559 | <dd>See above<br><br></dd>
|
---|
| 560 | <dt><b><a name="Client/Server7">4.8. Session key negotiation failed</a></b></dt>
|
---|
| 561 | <dd>See the document <a href="HOWTO-client+server-troubleshooting.html">HOWTO client+server troubleshooting</a><br><br></dd>
|
---|
| 562 | <dt><b><a name="Client/Server8">4.9. Invalid connection attempt: Not in client list</a></b></dt>
|
---|
| 563 | <dd>See the document <a href="HOWTO-client+server-troubleshooting.html">HOWTO client+server troubleshooting</a><br><br></dd>
|
---|
| 564 | <dt><b><a name="Client/Server9">4.10. Invalid connection attempt: Session key mismatch</a></b></dt>
|
---|
| 565 | <dd>See the document <a href="HOWTO-client+server-troubleshooting.html">HOWTO client+server troubleshooting</a><br><br></dd>
|
---|
| 566 | <dt><b><a name="Client/Server10">4.11. How do I update the file signature database ?</a></b></dt>
|
---|
| 567 | <dd>If you keep the file signature database on the server,
|
---|
| 568 | the database is supposed to be updated on the server, using the
|
---|
| 569 | <a href="http://www.la-samhna.de/beltane/">beltane</a>
|
---|
| 570 | web-based console (currently in beta) and the
|
---|
| 571 | log messages from the client.
|
---|
| 572 | <p>
|
---|
| 573 | Alternatively, you can <code>scp</code> the database
|
---|
| 574 | to the client, run <code>samhain -t update -l none</code> (logging
|
---|
| 575 | must be switched off because the update run would otherwise conflict with
|
---|
| 576 | the running samhain daemon), and then <code>scp</code> the
|
---|
| 577 | database back to the server. With ssh set up for public-key
|
---|
| 578 | (RSA/DSA) authentication and ssh-agent, this round trip can be
|
---|
| 579 | scripted.<br><br></dd>
|
---|
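The round trip described in 4.11, scripted as an added example for this FAQ (it is not samhain's or yule's own tooling). It assumes ssh public-key authentication with ssh-agent for the invoking user, and the database paths used below are hypothetical defaults to adjust to your installation. The fetched database is first stored next to the server copy and only then swapped into place, so a failed transfer never leaves a truncated baseline. Keep in mind that the server-side copy is the trusted baseline: during this procedure the update is computed on the client, so run it only after you have reviewed the changes the client reported.

```python
"""Scripted version of FAQ 4.11 (added example, not samhain's own tooling).

Assumptions (all hypothetical): ssh public-key authentication and ssh-agent are
set up for the invoking user; the server keeps the client's baseline at
server_db and the client expects it at client_db.
"""
import os
import shlex
import subprocess
from typing import List


def plan_update(client: str, server_db: str, client_db: str,
                ssh_user: str = "root") -> List[List[str]]:
    """The three steps from the FAQ, as argv lists (no shell involved)."""
    target = f"{ssh_user}@{client}"
    batch = ["-o", "BatchMode=yes"]   # fail instead of prompting for a password
    return [
        ["scp", "-q", *batch, server_db, f"{target}:{client_db}"],
        # -l none: no log file, so the update run does not collide with the
        # running samhain daemon on the client (see the FAQ text above).
        ["ssh", *batch, target, "samhain", "-t", "update", "-l", "none"],
        # fetch into a side file; run_update() swaps it into place afterwards
        ["scp", "-q", *batch, f"{target}:{client_db}", server_db + ".new"],
    ]


def run_update(client: str, server_db: str, client_db: str,
               ssh_user: str = "root", dry_run: bool = False) -> List[str]:
    """Execute the plan; returns the command lines that were (or would be) run."""
    executed: List[str] = []
    for argv in plan_update(client, server_db, client_db, ssh_user):
        executed.append(shlex.join(argv))
        if not dry_run:
            subprocess.run(argv, check=True)   # any failure raises and stops here
    if not dry_run:
        os.replace(server_db + ".new", server_db)   # atomic swap on the server
    return executed


if __name__ == "__main__":
    # Hypothetical paths: yule's per-client file and samhain's data file.
    for line in run_update("client1.example.net",
                           "/var/lib/yule/file.client1.example.net",
                           "/var/lib/samhain/samhain_file", dry_run=True):
        print(line)
```

Run it with dry_run=True first to see the exact commands; drop the flag once the key-based login works non-interactively.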
| 580 | <dt><b><a name="Client/Server11">4.12. Time limit exceeded</a></b></dt>
|
---|
| 581 | <dd>The client for which this message is generated has not
|
---|
| 582 | sent anything for a certain interval of time (default 86400 sec = 1 day).
|
---|
| 583 | The interval can be set as follows:
|
---|
| 584 | <div class="block"><pre>
|
---|
| 585 | [Misc]
|
---|
| 586 | # unit is seconds
|
---|
| 587 | SetClientTimeLimit=NNN
|
---|
| 588 | </pre></div>
|
---|
| 589 |
|
---|
| 590 | The purpose of this feature is to detect a dead client. You
|
---|
| 591 | should therefore make sure that timestamps are sent to the server:
|
---|
| 592 | <div class="block"><pre>
|
---|
| 593 | [Log]
|
---|
| 594 | ExportSeverity=mark
|
---|
| 595 | </pre></div>
|
---|
| 596 | If you don't want to use this feature, set the time limit to some
|
---|
| 597 | very large value.<br><br></dd>
|
---|
| 598 | <dt><b><a name="Client/Server12">4.13. Invalid connection attempt: Signature mismatch</a></b></dt>
|
---|
| 599 | <dd>Clients sign their messages using a session key negotiated
|
---|
| 600 | with the server. The message indicates that the server could
|
---|
| 601 | not verify the signature. This may be caused by running two
|
---|
| 602 | instances of samhain on the same client machine, both of them
|
---|
| 603 | accessing the server (and negotiating different session keys
|
---|
| 604 | ...). The system will recover automatically from the problem
|
---|
| 605 | by forcing the failed client to negotiate a fresh session key.<br><br></dd>
|
---|
| 606 | <dt><b><a name="Client/Server13">4.14. [Server] PANIC .. Address already in use subroutine=bind</a></b></dt>
|
---|
| 607 | <dd>The server cannot bind to its port because the port is already in use.
|
---|
| 608 | Most likely an instance of the server is already running; check with
|
---|
| 609 | <code>netstat</code> or <code>ss</code> which process holds the port.<br><br></dd>
|
---|
| 610 | </dl>
|
---|
| 611 | <hr><h2>5. Email</h2>
|
---|
| 612 | <dl>
|
---|
| 613 | <dt><b><a name="Email0">5.1. Reverse lookup failed</a></b></dt>
|
---|
| 614 | <dd>Fix your DNS. Samhain does a reverse lookup (numerical IP address to FQDN)
|
---|
| 615 | and then a forward lookup of the resulting FQDN back to the numerical IP address, to verify it.
|
---|
| 616 | <div class="block"><pre>
|
---|
| 617 | Whether "nslookup" works is not very informative, because "nslookup"
|
---|
| 618 | does not use the resolver library of the operating system. It is
|
---|
| 619 | therefore not the best tool for debugging name resolution problems
|
---|
| 620 | (see the book "DNS and BIND"). A tool that does go through the system
|
---|
| 621 | resolver, such as "getent hosts ADDRESS" on glibc systems, gives a
|
---|
| 622 | result closer to what samhain sees.
|
---|
| 623 | </pre></div><br><br></dd>
|
---|
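The check behind the messages in 4.5 to 4.7 and in 5.1, written out as an added example for this FAQ (it is not samhain's own code): reverse lookup of the socket peer address, forward lookup of the resolved name(s) to confirm they map back to the peer, and a comparison of the client's claimed name against the resolved name and its aliases. By default it goes through the system resolver (socket.gethostbyaddr/getaddrinfo use the C library, as samhain does, unlike nslookup). The resolver functions are injectable, and the fake zone at the bottom is constructed data on TEST-NET-1 addresses so the logic can be exercised offline; the returned reason strings are worded after the yule messages but are this example's own.

```python
"""Peer-address verification as described in FAQ 4.5-4.7 and 5.1.

Added example, not samhain's own code. Default resolvers are the system
resolver (libc via the socket module); fake ones are supplied for offline use.
"""
import socket
from typing import Callable, Dict, List, Optional

ReverseFn = Callable[[str], List[str]]   # address -> [canonical name, aliases...]
ForwardFn = Callable[[str], List[str]]   # name -> addresses


def system_reverse(addr: str) -> List[str]:
    name, aliases, _ = socket.gethostbyaddr(addr)   # goes through libc/NSS
    return [name] + list(aliases)


def system_forward(name: str) -> List[str]:
    return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})


def check_peer(addr: str, client_name: Optional[str] = None,
               reverse: ReverseFn = system_reverse,
               forward: ForwardFn = system_forward) -> str:
    """Return "ok", or a short reason worded after the yule messages above."""
    try:
        names = reverse(addr)
    except OSError:
        return "reverse lookup of socket peer failed"
    # Forward-confirm: keep only names that really map back to the peer address.
    confirmed = []
    for name in names:
        try:
            if addr in forward(name):
                confirmed.append(name.lower())
        except OSError:
            continue
    if not confirmed:
        return "resolved name does not map back to socket peer"
    if client_name is not None and client_name.lower() not in confirmed:
        return "no socket peer alias matches client name"
    return "ok"


# Constructed sample zone (TEST-NET-1 addresses, not real hosts) for offline use.
FAKE_PTR: Dict[str, List[str]] = {
    "192.0.2.10": ["client1.example.net", "c1.example.net"],
    "192.0.2.20": ["stale.example.net"],
}
FAKE_A: Dict[str, List[str]] = {
    "client1.example.net": ["192.0.2.10"],
    "c1.example.net": ["192.0.2.10"],
    "stale.example.net": ["192.0.2.99"],   # PTR points at a name that has moved
}


def fake_reverse(addr: str) -> List[str]:
    if addr not in FAKE_PTR:
        raise OSError("no PTR record")
    return FAKE_PTR[addr]


def fake_forward(name: str) -> List[str]:
    if name not in FAKE_A:
        raise OSError("no A record")
    return FAKE_A[name]


if __name__ == "__main__":
    for addr, claimed in [("192.0.2.10", "c1.example.net"),
                          ("192.0.2.10", "evil.example.org"),
                          ("192.0.2.20", "stale.example.net"),
                          ("192.0.2.30", "nobody.example.net")]:
        print(addr, claimed, "->", check_peer(addr, claimed, fake_reverse, fake_forward))
```

To test a real host, call check_peer(address, name) without the fake resolvers; a failure there, with getent agreeing, points at the DNS data rather than at samhain.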
| 624 | <dt><b><a name="Email1">5.2. From daemon@example.com</a></b></dt>
|
---|
| 625 | <dd>samhain fails to resolve the
|
---|
| 626 | self-address of the host.
|
---|
| 627 | See 'Client cannot self-resolve' in the 'Most frequently' section.<br><br></dd>
|
---|
| 628 | <dt><b><a name="Email2">5.3. How do I define more than one email addresses ?</a></b></dt>
|
---|
| 629 | <dd>Use <tt>SetMailAddress=...</tt> multiple times (up to eight addresses
|
---|
| 630 | are possible, with at most 63 characters per address):
|
---|
| 631 | <div class="block"><pre>
|
---|
| 632 | [Misc]
|
---|
| 633 | SetMailAddress=aaa@foo.com
|
---|
| 634 | SetMailAddress=bbb@foo.com
|
---|
| 635 | </pre></div><br><br></dd>
|
---|
| 636 | </dl>
|
---|
| 637 | <hr><h2>6. Misc</h2>
|
---|
| 638 | <dl>
|
---|
| 639 | <dt><b><a name="Misc0">6.1. Error message: "Invalid line XYZ in configuration file"</a></b></dt>
|
---|
| 640 | <dd>This message indicates that line XYZ in the configuration file contains
|
---|
| 641 | an unrecognized directive. The primary reasons are:<br />
|
---|
| 642 |
|
---|
| 643 | (a) The directive should be placed into a particular section of the
|
---|
| 644 | configuration file, but the section header is not present (or you forgot
|
---|
| 645 | to uncomment it).<br />
|
---|
| 646 |
|
---|
| 647 | (b) Samhain is compiled without support for this directive.<br />
|
---|
| 648 |
|
---|
| 649 | (c) You have a typo in the directive.<br /><br><br></dd>
|
---|
| 650 | <dt><b><a name="Misc1">6.2. Why do I get a local logfile if I log to the server ?</a></b></dt>
|
---|
| 651 | <dd>Because all log facilities can be used in parallel. Switch off
|
---|
| 652 | in the config file whatever you don't want or need:
|
---|
| 653 | <div class="block"><pre>
|
---|
| 654 | [Log]
|
---|
| 655 | # local log file
|
---|
| 656 | LogSeverity=none
|
---|
| 657 | </pre></div><br><br></dd>
|
---|
| 658 | <dt><b><a name="Misc2">6.3. Why is there no NIS support with a static samhain executable on Linux ?</a></b></dt>
|
---|
| 659 | <dd>Some functions (including NIS) require
|
---|
| 660 | libraries that are only available as shared libraries
|
---|
| 661 | with modern GLIBC versions. While you can always compile a static
|
---|
| 662 | executable, normally it would still open the shared library at runtime.
|
---|
| 663 | As of version 1.8.11, samhain avoids this by providing replacement
|
---|
| 664 | functions from uClibc. However, these do not include NIS support.<br><br></dd>
|
---|
| 665 | <dt><b><a name="Misc3">6.4. Why do I get hundreds of messages about modified CTIME ?</a></b></dt>
|
---|
| 666 | <dd>This happens because some backup applications restore the
|
---|
| 667 | atime/mtime timestamps after reading a file. Since ctime cannot be set
|
---|
| 668 | from user space, this itself updates the ctime timestamp (rootkits avoid
|
---|
| 669 | this by temporarily resetting the system clock to the original ctime ...).
|
---|
| 670 | <p>
|
---|
| 671 | To fix this problem, read the manual of your backup application, or
|
---|
| 672 | redefine the ReadOnly policy to <i>not</i> check
|
---|
| 673 | the ctime timestamp:
|
---|
| 674 | <div class="block"><pre>
|
---|
| 675 | [Misc]
|
---|
| 676 | RedefReadOnly=-CTM
|
---|
| 677 | </pre></div>
|
---|
| 678 | <div class="warnblock"><pre>
|
---|
| 679 | Order matters - you must <i>first</i> redefine
|
---|
| 680 | ReadOnly <i>before</i> you use it
|
---|
| 681 | </pre></div><br><br></dd>
|
---|
| 682 | <dt><b><a name="Misc4">6.5. PANIC — File not accessible</a></b></dt>
|
---|
| 683 | <dd>Most likely a "permission denied" error because samhain runs with insufficient privileges (e.g. not as root).<br><br></dd>
|
---|
| 684 | <dt><b><a name="Misc5">6.6. How can I avoid error messages for invalid UIDs (no such user) ?</a></b></dt>
|
---|
| 685 | <dd>Set SeverityNames to a low value:
|
---|
| 686 | <div class="block"><pre>
|
---|
| 687 | [EventSeverity]
|
---|
| 688 | SeverityNames=debug
|
---|
| 689 | </pre></div><br><br></dd>
|
---|
| 690 | <dt><b><a name="Misc6">6.7. [Redhat] The /etc/init.d/(samhain|yule) init script hangs</a></b></dt>
|
---|
| 691 | <dd>Redhat uses "initlog" (see
|
---|
| 692 | <code>man initlog</code>) in initscripts. If it hangs, most probably
|
---|
| 693 | samhain/yule runs in the foreground rather than as daemon. Set
|
---|
| 694 | daemon mode in the configuration file:
|
---|
| 695 | <div class="block"><pre>
|
---|
| 696 | [Misc]
|
---|
| 697 | Daemon=yes
|
---|
| 698 | </pre></div><br><br></dd>
|
---|
| 699 | <dt><b><a name="Misc7">6.8. The /etc/init.d/(samhain|yule) init script exits with: execvp: No such file or directory</a></b></dt>
|
---|
| 700 | <dd>Either the program is not installed, or it is not in the PATH (the one
|
---|
| 701 | used by the init script, which may be different from your PATH).<br><br></dd>
|
---|
| 702 | <dt><b><a name="Misc8">6.9. Why am I not receiving the "BEGIN LOGKEY" message by email ?</a></b></dt>
|
---|
| 703 | <dd>This message (which contains the key to verify the log file) is generated
|
---|
| 704 | when logging to the log file starts. It has the severity "ALRT",
|
---|
| 705 | thus you should make sure that you have set the logging threshold for
|
---|
| 706 | email correctly to receive it.<br><br></dd>
|
---|
| 707 | <dt><b><a name="Misc9">6.10. Why does console logging fail if I compile with
|
---|
| 708 | <code>--enable-(micro-)stealth</code> ?</a></b></dt>
|
---|
| 709 | <dd>The default logging options are more "stealthy". Set the
|
---|
| 710 | threshold explicitly rather than relying on the default.<br><br></dd>
|
---|
| 711 | <dt><b><a name="Misc10">6.11. I need a list for my schedule !</a></b></dt>
|
---|
| 712 | <dd>You can have the same effect with a list of schedules. See the section
|
---|
| 713 | "Timing file checks" in the manual.<br><br></dd>
|
---|
| 714 | <dt><b><a name="Misc11">6.12. The hiding kernel module has no effect !</a></b></dt>
|
---|
| 715 | <dd>Most probably you compiled using the wrong "System.map" file.<br><br></dd>
|
---|
| 716 | <dt><b><a name="Misc12">6.13. What does the message "Large lstat/open overhead" mean ?</a></b></dt>
|
---|
| 717 | <dd>Your system needs several seconds to proceed from an lstat() system call
|
---|
| 718 | to an open() system call. This is a tremendous overhead, and
|
---|
| 719 | indicates that either your system has a really severe performance problem,
|
---|
| 720 | or someone tries to slow down samhain.<br><br></dd>
|
---|
| 721 | <dt><b><a name="Misc13">6.14. What does the message "Device not available path=/dev/random" mean ? I have /dev/random !</a></b></dt>
|
---|
| 722 | <dd>/dev/random blocks unless there is some entropy it can deliver. Samhain
|
---|
| 723 | will time out and fall back on /dev/urandom after some seconds to avoid
|
---|
| 724 | hanging for a potentially long time. It will try /dev/random again next
|
---|
| 725 | time it needs entropy.<br><br></dd>
|
---|
| 726 | <dt><b><a name="Misc14">6.15. Logging to an external program fails; the program receives no data
|
---|
| 727 | on stdin !</a></b></dt>
|
---|
| 728 | <dd>Probably your program is not designed to <i>wait for input</i>, but exits
|
---|
| 729 | if reading fails (because there is no data <i>yet</i>). You may want to
|
---|
| 730 | let your program wait for the terminating "[EOF]" line.<br><br></dd>
|
---|
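A skeleton for the receiving program described in 6.15, added here as an example (not part of samhain). It assumes what the entry states: samhain writes messages to the program's stdin and ends the batch with a line consisting of "[EOF]". A naive program that reads once and exits when nothing has arrived yet sees no data; this one keeps reading, blocking on stdin, until the marker arrives, and reports the edge case where the stream is closed before the marker so an incomplete batch is not mistaken for a complete one.

```python
"""Receiver for samhain's "external program" log facility (FAQ 6.15).

Added example, not part of samhain. Assumes one message per line on stdin,
terminated by a line "[EOF]", as the FAQ entry describes.
"""
import sys
from typing import Iterable, List, Tuple

EOF_MARKER = "[EOF]"


def read_messages(lines: Iterable[str]) -> Tuple[List[str], bool]:
    """Collect message lines until the "[EOF]" marker.

    Returns (messages, terminated). terminated is False when the input ended
    before the marker, so the caller can flag an incomplete batch.
    """
    messages: List[str] = []
    for raw in lines:                 # on sys.stdin this blocks until a line arrives
        line = raw.rstrip("\r\n")
        if line == EOF_MARKER:
            return messages, True
        if line:
            messages.append(line)
    return messages, False


def main() -> int:
    messages, terminated = read_messages(sys.stdin)
    for msg in messages:
        # Replace with the real sink (ticket system, pager, SIEM forwarder ...).
        sys.stdout.write(msg + "\n")
    if not terminated:
        sys.stderr.write("warning: input closed before [EOF]\n")
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main())
```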
| 731 | <dt><b><a name="Misc15">6.16. SIGILL on AIX</a></b></dt>
|
---|
| 732 | <dd>For each scanned file, samhain needs to
|
---|
| 733 | store some information in memory (e.g. to recognize changes that have
|
---|
| 734 | already been reported, and avoid duplicate reports). On AIX, if you are
|
---|
| 735 | checking a <i>really huge</i> number of files,
|
---|
| 736 | memory usage may exceed the default limit of 256 MB, and the process may
|
---|
| 737 | terminate with SIGILL.
|
---|
| 738 | <p>
|
---|
| 739 | The problem can be solved by linking with the flag
|
---|
| 740 | <code>-bmaxdata:0x80000000</code>. This allows the application to
|
---|
| 741 | access up to 8 segments (where each segment is 256MB).
|
---|
| 742 | <p>
|
---|
| 743 | If you are using gcc, you need to use instead
|
---|
| 744 | the flag <code>-Wl,bmaxdata:0x80000000</code>, which tells
|
---|
| 745 | gcc to pass on the
|
---|
| 746 | <i>bmaxdata</i>
|
---|
| 747 | flag to the AIX linker. You can use the LDFLAGS environment variable to
|
---|
| 748 | pass linker flags to the configure script:
|
---|
| 749 | <div class="block"><pre>
|
---|
| 750 | export LDFLAGS="-Wl,bmaxdata:0x80000000"
|
---|
| 751 | </pre></div><br><br></dd>
|
---|
| 752 | </dl>
|
---|
| 753 | <hr><h2>7. Database</h2>
|
---|
| 754 | <dl>
|
---|
| 755 | <dt><b><a name="Database0">7.1. Why are client messages corrupted / incompletely stored in the DB ?</a></b></dt>
|
---|
| 756 | <dd>Because the messages are not in XML format, and therefore incorrectly
|
---|
| 757 | parsed. The most frequent reasons are:
|
---|
| 758 | <div class="block"><pre>
|
---|
| 759 | 1.) Your server is compiled with --enable-xml-log, but your client(s)
|
---|
| 760 | is/are not.
|
---|
| 761 |
|
---|
| 762 | 2.) In your client or server configuration file, you are using
|
---|
| 763 | the option for a custom message header, but without paying attention
|
---|
| 764 | to preserving the XML format.
|
---|
| 765 | </pre></div><br><br></dd>
|
---|
| 766 | <dt><b><a name="Database1">7.2. I want / don't want the server timestamps (for client messages) in the SQL database</a></b></dt>
|
---|
| 767 | <dd><div class="block"><pre>
|
---|
| 768 | [Database]
|
---|
| 769 | SetDBServerTstamp = true/false
|
---|
| 770 | </pre></div>
|
---|
| 771 |
|
---|
| 772 | This will enable/disable logging of the server timestamp for client
|
---|
| 773 | messages. The server timestamp will be written to a separate record,
|
---|
| 774 | with <i>log_ref</i> set to the value of
|
---|
| 775 | <i>log_index</i> of the corresponding client message.<br><br></dd>
|
---|
| 776 | <dt><b><a name="Database2">7.3. I don't want the client TIMESTAMP messages in the SQL database</a></b></dt>
|
---|
| 777 | <dd><div class="block"><pre>
|
---|
| 778 | Sending timestamps from the client allows the server to detect if
|
---|
| 779 | a client is not running anymore (use SetClientTimeLimit=NNN in the
|
---|
| 780 | [Misc] section of the server config file to set the number of seconds
|
---|
| 781 | after which the server will issue an error message if no timestamp has
|
---|
| 782 | been received).
|
---|
| 783 | </pre></div>
|
---|
| 784 |
|
---|
| 785 | However, you might not want to log these timestamps to the database
|
---|
| 786 | (or other log facilities). To filter them, you can use two methods
|
---|
| 787 | (examples are for the SQL database).
|
---|
| 788 | The first
|
---|
| 789 | one has the disadvantage that only messages of
|
---|
| 790 | severity <i>err</i> or higher will be logged:
|
---|
| 791 | <div class="block"><pre>
|
---|
| 792 | [Misc]
|
---|
| 793 | UseClientSeverity=yes
|
---|
| 794 |
|
---|
| 795 | [Log]
|
---|
| 796 | DatabaseSeverity=err
|
---|
| 797 | </pre></div>
|
---|
| 798 |
|
---|
| 799 | The second method is more specific — log everything not
|
---|
| 800 | belonging to the STAMP class of messages:
|
---|
| 801 | <div class="block"><pre>
|
---|
| 802 | [Misc]
|
---|
| 803 | UseClientClass=yes
|
---|
| 804 |
|
---|
| 805 | [Log]
|
---|
| 806 | DatabaseClass=PANIC RUN FIL TCP ERR ENET EINPUT
|
---|
| 807 | </pre></div><br><br></dd>
|
---|
| 808 | <dt><b><a name="Database3">7.4. What does the log_ref field mean ?</a></b></dt>
|
---|
| 809 | <dd>NULL marks a client message. A nonzero integer marks a server timestamp
|
---|
| 810 | for a client message (log_ref then holds the log_index of the
|
---|
| 811 | corresponding client message). Zero marks a message generated
|
---|
| 812 | by the server itself (e.g. the server's start message).<br><br></dd>
|
---|
| 813 | <dt><b><a name="Database4">7.5. How can I check what is in the database ?</a></b></dt>
|
---|
| 814 | <dd>Use a command line client to login to the database and query it:
|
---|
| 815 | <div class="block"><pre>
|
---|
| 816 | sh$ mysql -u <user_name> -p <database_name>
|
---|
| 817 | Enter password: ****
|
---|
| 818 | mysql> SELECT log_index,log_ref,log_host,log_sev,log_msg,path FROM <table_name> WHERE entry_status = 'NEW' ORDER BY log_index;
|
---|
| 819 | ....
|
---|
| 820 | mysql> \q
|
---|
| 821 | </pre></div><br><br></dd>
|
---|
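A worked version of the log_ref convention from 7.2 and 7.4 and of the query in 7.5, added here as an example (not part of samhain). It builds a throw-away SQLite table with only the columns named on this page (the real samhain/yule schema has more; the table name "log" is an assumption), fills it with constructed rows, and runs the two queries a reviewer actually wants: the new client messages with their server timestamp record attached via log_ref, and a count of rows by kind. The SQL is portable to MySQL apart from the in-memory setup.

```python
"""log_ref semantics (FAQ 7.2/7.4) and the lookup query of FAQ 7.5 on sample data.

Added example, not part of samhain. Table name and the column subset are
assumptions; all rows are constructed.
"""
import sqlite3
from typing import List, Optional, Tuple


def classify(log_ref: Optional[int]) -> str:
    """FAQ 7.4: NULL = client message, 0 = server's own message, else timestamp."""
    if log_ref is None:
        return "client message"
    if log_ref == 0:
        return "server message"
    return "server timestamp"


# Constructed rows: (log_index, log_ref, log_host, log_sev, log_msg, path, entry_status)
SAMPLE_ROWS: List[Tuple] = [
    (1, 0,    "yule.example.net",    "MARK", "server start",                None,          "NEW"),
    (2, None, "client1.example.net", "CRIT", "policy violation (ReadOnly)", "/etc/passwd", "NEW"),
    (3, 2,    "yule.example.net",    "INFO", "server timestamp",            None,          "NEW"),
    (4, None, "client1.example.net", "MARK", "timestamp",                   None,          "NEW"),
    (5, 4,    "yule.example.net",    "INFO", "server timestamp",            None,          "NEW"),
    (6, None, "client2.example.net", "ERR",  "file not accessible",         "/root/.ssh",  "ACK"),
    (7, 6,    "yule.example.net",    "INFO", "server timestamp",            None,          "ACK"),
]


def build_sample_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE log (
        log_index INTEGER PRIMARY KEY, log_ref INTEGER, log_host TEXT,
        log_sev TEXT, log_msg TEXT, path TEXT, entry_status TEXT)""")
    conn.executemany("INSERT INTO log VALUES (?,?,?,?,?,?,?)", SAMPLE_ROWS)
    return conn


# FAQ 7.5's query narrowed to client messages, each joined to the server
# timestamp record that points back at it (s.log_ref = c.log_index).
CLIENT_MESSAGES_SQL = """
SELECT c.log_index, c.log_host, c.log_sev, c.log_msg, c.path,
       s.log_index AS stamp_index
FROM log AS c
LEFT JOIN log AS s ON s.log_ref = c.log_index
WHERE c.log_ref IS NULL AND c.entry_status = 'NEW'
ORDER BY c.log_index
"""

COUNTS_SQL = """
SELECT CASE WHEN log_ref IS NULL THEN 'client message'
            WHEN log_ref = 0     THEN 'server message'
            ELSE 'server timestamp' END AS kind,
       COUNT(*)
FROM log
GROUP BY 1 ORDER BY 1
"""


def new_client_messages(conn: sqlite3.Connection) -> List[Tuple]:
    return conn.execute(CLIENT_MESSAGES_SQL).fetchall()


def counts_by_kind(conn: sqlite3.Connection) -> List[Tuple[str, int]]:
    return conn.execute(COUNTS_SQL).fetchall()


if __name__ == "__main__":
    db = build_sample_db()
    for row in new_client_messages(db):
        print(row)
    print(counts_by_kind(db))
```

Against a real yule database, run CLIENT_MESSAGES_SQL from the mysql client shown above with your table name substituted; rows whose stamp_index is NULL are client messages for which no server timestamp was recorded (SetDBServerTstamp=false).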
| 822 | </dl>
|
---|
| 823 | <hr>
|
---|
| 824 |
|
---|
| 825 | <p>Copyright (c) 2004 Rainer Wichmann</p>
|
---|
| 826 |
|
---|
| 827 | <p><i>This list of questions and answers was generated by
|
---|
| 828 | <a href="http://www.makefaq.org/">makefaq</a>.</i>
|
---|
| 829 |
|
---|
| 830 | </div>
|
---|
| 831 | </body>
|
---|
| 832 | </html>
|
---|