source: trunk/docs/FAQ.html

Last change on this file was 553, checked in by katerina, 5 years ago

Fix for ticket #443 (Incompatibility with older gpg versions).

File size: 39.0 KB
Line 
1<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
2<html><head>
3<title>Frequently Asked Questions for Samhain</title>
4<meta name="author" content="Rainer Wichmann">
5
6<style type="text/css">
7<!--
8
9html { background: #eee; color: #000; }
10
11body { background: #eee; color: #000; margin: 0; padding: 0;}
12
13div.body {
14 background: #fff; color: #000;
15 margin: 0 1em 0 1em; padding: 1em;
16 font-family: serif;
17 font-size: 1em; line-height: 1.2em;
18 border-width: 0 1px 0 1px;
19 border-style: solid;
20 border-color: #aaa;
21}
22
23div.block {
24 background: #b6c5f2; color: #000;
25 margin: 1em; padding: 0 1em 0 1em;
26 border-width: 1px;
27 border-style: solid;
28 border-color: #2d4488;
29}
30
31div.warnblock {
32 background: #b6c5f2; color: #000;
33 background: #ffffcc; color: #000;
34 margin: 1em; padding: 0 1em 0 1em;
35 border-width: 1px;
36 border-style: solid;
37 border-color: #FF9900;
38}
39
40table {
41 background: #F8F8F8; color: #000;
42 margin: 1em;
43 border-width: 0 0 0 1px;
44 border-style: solid;
45 border-color: #C0C0C0;
46}
47
48td {
49 border-width: 0 1px 1px 0;
50 border-style: solid;
51 border-color: #C0C0C0;
52}
53
54th {
55 background: #F8F8FF;
56 border-width: 1px 1px 2px 0;
57 border-style: solid;
58 border-color: #C0C0C0;
59}
60
61
62/* body text, headings, and rules */
63
64p { margin: 0; text-indent: 0em; margin: 0 0 0.5em 0 }
65
66h1, h2, h3, h4, h5, h6 {
67 color: #206020; background: transparent;
68 font-family: Optima, Arial, Helvetica, sans-serif;
69 font-weight: normal;
70}
71
72h1 { font-size: 1.69em; margin: 1.4em 0 0.4em 0; }
73h2 { font-size: 1.44em; margin: 1.4em 0 0.4em 0; }
74h3 { font-size: 1.21em; margin: 1.4em 0 0.4em 0; }
75h4 { font-size: 1.00em; margin: 1.4em 0 0.4em 0; }
76h5 { font-size: 0.81em; margin: 1.4em 0 0.4em 0; }
77h6 { font-size: 0.64em; margin: 1.4em 0 0.4em 0; }
78
79hr {
80 color: transparent; background: transparent;
81 height: 0px; margin: 0.6em 0;
82 border-width: 1px ;
83 border-style: solid;
84 border-color: #999;
85}
86
87/* bulleted lists and definition lists */
88
89ul { margin: 0 1em 0.6em 2em; padding: 0; }
90li { margin: 0.4em 0 0 0; }
91
92dl { margin: 0.6em 1em 0.6em 2em; }
93dt { color: #285577; }
94
95tt { color: #602020; }
96
97/* links */
98
99a.link {
100 color: #33c; background: transparent;
101 text-decoration: none;
102}
103
104a:hover {
105 color: #000; background: transparent;
106}
107
108body > a {
109 font-family: Optima, Arial, Helvetica, sans-serif;
110 font-size: 0.81em;
111}
112
113h1, h2, h3, h4, h5, h6 {
114 color: #2d5588; background: transparent;
115 font-family: Optima, Arial, Helvetica, sans-serif;
116 font-weight: normal;
117}
118
119 -->
120</style></head>
121<body>
122<div class="body">
123<p style="text-align: center; background: #ccc; border: 1px solid #2d5588;"><a
124 style="text-decoration: none;"
125 href="http://www.la-samhna.de/samhain/">samhain file integrity
126 scanner</a>&nbsp;|&nbsp;<a style="text-decoration: none;"
127 href="http://www.la-samhna.de/samhain/s_documentation.html">online
128 documentation</a></p>
129<br><center><h1><a name="FAQ-top">Frequently Asked Questions for Samhain</a></h1></center>
130<br><center><h2>Rainer Wichmann</h2></center>
131<hr>
132<div class="warnblock">
133<ul>
134 <li>If you encounter problems after installing samhain, disable daemon
135 mode and run it in the foreground with
136 <tt>samhain --foreground [more options]</tt> for debugging.</li>
137 <li>If you have problems getting client/server mode to work, please check
138 the <a href="http://www.la-samhna.de/samhain/HOWTO-client+server-troubleshooting.html">HOWTO client+server troubleshooting</a> document.</li>
139</ul>
140</div>
141<p><i>FAQ Revised: Monday 17 September 2018 15:13:17</i></p>
142<hr><h2>Table of Contents</h2>
143<dl>
144<dt><b>1. Most frequently</b></dt>
145<dd><ul>
146<li><a href="#Most frequently0">1.1. Owner not trustworthy / Group writeable and member not trustworthy</a></li>
147<li><a href="#Most frequently1">1.2. samhain exits with the message &quot;Untrusted path&quot; for config/log/pid/database files</a></li>
148<li><a href="#Most frequently2">1.3. It does not log anything / Can't stop logging to console</a></li>
149<li><a href="#Most frequently3">1.4. samhain exits with the message &quot;Record with bad version number in file signature database&quot;</a></li>
150<li><a href="#Most frequently4">1.5. Client cannot self-resolve, but nslookup works fine</a></li>
151<li><a href="#Most frequently5">1.6. Server logs hostname instead of FQDN (or vice versa)</a></li>
152</ul></dd>
153<dt><b>2. Build and install</b></dt>
154<dd><ul>
155<li><a href="#Build and install0">2.1. &quot;make&quot; loops infinitely !</a></li>
156<li><a href="#Build and install1">2.2. Why does static compiling (<code>--enable-static</code>) on Solaris fail ?</a></li>
157<li><a href="#Build and install2">2.3. Compilation fails with '/usr/bin/ld: cannot find -lnss_files'</a></li>
158<li><a href="#Build and install3">2.4. The executable is corrupted after installation</a></li>
159<li><a href="#Build and install4">2.5. --enable-xml-log has no effect</a></li>
160<li><a href="#Build and install5">2.6. ./install-sh: strip: not found (Solaris)</a></li>
161<li><a href="#Build and install6">2.7. What is sh_tiger1.s?</a></li>
162<li><a href="#Build and install7">2.8. Why does static compiling (<code>--enable-static</code>) on MaxOS X fail ?</a></li>
163<li><a href="#Build and install8">2.9. Why does compiling with MySQL fail on Solaris ?</a></li>
164</ul></dd>
165<dt><b>3. File checking</b></dt>
166<dd><ul>
167<li><a href="#File checking0">3.1. How can I exclude a (sub-)directory ?</a></li>
168<li><a href="#File checking1">3.2. In messages about policy violations, what does the code after POLICY [XYZ]
169mean ?</a></li>
170<li><a href="#File checking2">3.3. Does samhain support prelink ?</a></li>
171<li><a href="#File checking3">3.4. I get error messages about 'subdirectory count != hardlinks'</a></li>
172</ul></dd>
173<dt><b>4. Client/Server</b></dt>
174<dd><ul>
175<li><a href="#Client/Server0">4.1. I don't want to poke a hole into my firewall to let the client connect to the server !</a></li>
176<li><a href="#Client/Server1">4.2. The client sends 127.0.0.1 (or some other numerical address) as its name to the log server</a></li>
177<li><a href="#Client/Server2">4.3. The server wants to send rc.ip-adress rather than rc.fqdn to the client</a></li>
178<li><a href="#Client/Server3">4.4. Cannot resolve client name host=XXX</a></li>
179<li><a href="#Client/Server4">4.5. Cannot resolve socket peer IP for client host=XXX peer=YYY</a></li>
180<li><a href="#Client/Server5">4.6. Reverse lookup of socket peer failed host=XXX peer=YYY obj=ZZZ</a></li>
181<li><a href="#Client/Server6">4.7. No socket peer alias matches client name host=XXX peer=YYY</a></li>
182<li><a href="#Client/Server7">4.8. Session key negotiation failed</a></li>
183<li><a href="#Client/Server8">4.9. Invalid connection attempt: Not in client list</a></li>
184<li><a href="#Client/Server9">4.10. Invalid connection attempt: Session key mismatch</a></li>
185<li><a href="#Client/Server10">4.11. How do I update the file signature database ?</a></li>
186<li><a href="#Client/Server11">4.12. Time limit exceeded</a></li>
187<li><a href="#Client/Server12">4.13. Invalid connection attempt: Signature mismatch</a></li>
188<li><a href="#Client/Server13">4.14. [Server] PANIC .. Address already in use&nbsp; &nbsp;subroutine=bind</a></li>
189</ul></dd>
190<dt><b>5. Email</b></dt>
191<dd><ul>
192<li><a href="#Email0">5.1. Reverse lookup failed</a></li>
193<li><a href="#Email1">5.2. From daemon@example.com</a></li>
194<li><a href="#Email2">5.3. How do I define more than one email addresses ?</a></li>
195</ul></dd>
196<dt><b>6. Misc</b></dt>
197<dd><ul>
198<li><a href="#Misc0">6.1. Error message: &quot;Invalid line XYZ in configuration file&quot;</a></li>
199<li><a href="#Misc1">6.2. Why do I get a local logfile if I log to the server ?</a></li>
200<li><a href="#Misc2">6.3. Why is there no NIS support with a static samhain executable on Linux ?</a></li>
201<li><a href="#Misc3">6.4. Why do I get hundreds of messages about modified CTIME ?</a></li>
202<li><a href="#Misc4">6.5. PANIC &mdash; File not accessible</a></li>
203<li><a href="#Misc5">6.6. How can I avoid error messages for invalid UIDs (no such user) ?</a></li>
204<li><a href="#Misc6">6.7. [Redhat] The /etc/init.d/(samhain|yule) init script hangs</a></li>
205<li><a href="#Misc7">6.8. The /etc/init.d/(samhain|yule) init script exits with: execvp: No such file or directory</a></li>
206<li><a href="#Misc8">6.9. Why am I not receiving the &quot;BEGIN LOGKEY&quot; message by email ?</a></li>
207<li><a href="#Misc9">6.10. Why does console logging fail if I compile with
208 <code>--enable-(micro-)stealth</code> ?</a></li>
209<li><a href="#Misc10">6.11. I need a list for my schedule !</a></li>
210<li><a href="#Misc11">6.12. The hiding kernel module has no effect !</a></li>
211<li><a href="#Misc12">6.13. What does the message &quot;Large lstat/open overhead&quot; mean ?</a></li>
212<li><a href="#Misc13">6.14. What does the message &quot;Device not available path=/dev/random&quot; mean ? I have /dev/random !</a></li>
213<li><a href="#Misc14">6.15. Logging to an external program fails; the program receives no data
214 on stdin !</a></li>
215<li><a href="#Misc15">6.16. SIGILL on AIX</a></li>
216</ul></dd>
217<dt><b>7. Database</b></dt>
218<dd><ul>
219<li><a href="#Database0">7.1. Why are client messages corrupted / incompletely stored in the DB ?</a></li>
220<li><a href="#Database1">7.2. I want / don't want the server timestamps (for client messages) in the SQL database</a></li>
221<li><a href="#Database2">7.3. I don't want the client TIMESTAMP messages in the SQL database</a></li>
222<li><a href="#Database3">7.4. What does the log_ref field mean ?</a></li>
223<li><a href="#Database4">7.5. How can I check what is in the database ?</a></li>
224</ul></dd>
225</dl>
226<hr><h2>1. Most frequently</h2>
227<dl>
228<dt><b><a name="Most frequently0">1.1. Owner not trustworthy / Group writeable and member not trustworthy</a></b></dt>
229<dd>An untrusted user (might be an untrusted group member
230 for group writeable files/directories) owns or can write to an
231 element in the path listed in the error message. This concerns
232 the configuration file, the log file, and the database file.
233 The offending element in the path is identified as obj=/xxx in the
234 error message.
235 To fix the problem, see next entry.<br><br></dd>
236<dt><b><a name="Most frequently1">1.2. samhain exits with the message &quot;Untrusted path&quot; for config/log/pid/database files</a></b></dt>
237<dd>Paths to critical
238 files (e.g. the configuration file) must be writeable by trusted users
239 only.
240 If a path element is group writeable, all group members must be trusted.
241 By default, only <i>root</i> and the (effective) <i>user</i> of
242 the program are trusted. To add trusted users, use the compile time
243 option
244<div class="block"><pre>
245$ ./configure --with-trusted=0,...
246</pre></div>
247 or the configure file option:
248<div class="block"><pre>
249[Misc]
250TrustedUser=username
251</pre></div>
252If the path to the configuration file itself is writeable
253 by other users than <i>root</i> and the
254 <i>effective user</i>
255 these must be defined as trusted already
256 at compile time.<br><br></dd>
257<dt><b><a name="Most frequently2">1.3. It does not log anything / Can't stop logging to console</a></b></dt>
258<dd>(1) There is a section in the manual dealing with
259logging and filtering.<br />
260
261(2) To log to the console:
262<div class="block"><pre>
263$ samhain -p info ...
264</pre></div>
265or in the configuration file:
266<div class="block"><pre>
267[Log]
268PrintSeverity=info
269</pre></div>
270
271To <i>stop</i> logging to the console:
272<div class="block"><pre>
273$ samhain -p none ...
274</pre></div>
275or in the configuration file:
276<div class="block"><pre>
277[Log]
278PrintSeverity=none
279</pre></div>
280Defining <tt>/dev/null</tt> as console device works as well, but
281is a bad idea, because samhain will open the device and write (i.e. it is
282a very inefficient method).<br><br></dd>
283<dt><b><a name="Most frequently3">1.4. samhain exits with the message &quot;Record with bad version number in file signature database&quot;</a></b></dt>
284<dd>This typically happens when the initialisation of the database has been
285done repeatedly, i.e. by using '-t init' multiple times, without (re)moving
286the previous database first before an initialisation.<br><br></dd>
287<dt><b><a name="Most frequently4">1.5. Client cannot self-resolve, but nslookup works fine</a></b></dt>
288<dd><ul>
289<li>Nslookup is a program to query Internet domain name servers.
290</li>
291<li>Applications (like samhain) are not supposed to query DNS servers
292 directly. Rather, they are supposed to query the resolver library that:
293 <ul>
294 <li>is provided by the operating system,</li>
295 <li>configured by the system administrator,</li>
296 <li>may use several different method to determine host names, as
297 configured in <tt>/etc/nsswitch.conf</tt>, and</li>
298 <li>usually is configured to give precedence to
299 the <tt>/etc/hosts</tt> file.</li>
300 </ul>
301</li>
302<li>Therefore, whether nslookup gives correct answers may be completely
303 irrelevant. For self-resolving the own hostname, the resolver
304 library probably will use <tt>/etc/hosts</tt>, rather than
305 querying a DNS server.
306</li>
307</ul>
308<p>
309Below you can find some examples of good and bad <tt>/etc/hosts</tt> files:
310</p>
311<div class="block"><pre>
312 # CORRECT
313 #
314 127.0.0.1 localhost
315 xxx.xxx.xxx.xxx myhost.mydomain.tld myhost
316</pre></div>
317
318<div class="block"><pre>
319 # CORRECT
320 #
321 127.0.0.1 localhost.localdomain localhost
322 xxx.xxx.xxx.xxx myhost.mydomain.tld myhost
323</pre></div>
324
325<div class="block"><pre>
326 # BAD
327 #
328 127.0.0.1 myhost.mydomain.tld localhost
329 xxx.xxx.xxx.xxx myhost.mydomain.tld myhost
330</pre></div>
331
332<div class="block"><pre>
333 # BAD
334 #
335 127.0.0.1 localhost myhost
336 xxx.xxx.xxx.xxx myhost.mydomain.tld myhost
337</pre></div><br><br></dd>
338<dt><b><a name="Most frequently5">1.6. Server logs hostname instead of FQDN (or vice versa)</a></b></dt>
339<dd>The default is to log the hostname only, if you want the FQDN
340then there is an option for the server configuration:
341<div class="block"><pre>
342 [Misc]
343 SetStripDomain = true / false
344</pre></div><br><br></dd>
345</dl>
346<hr><h2>2. Build and install</h2>
347<dl>
348<dt><b><a name="Build and install0">2.1. &quot;make&quot; loops infinitely !</a></b></dt>
349<dd>This may happen (e.g. when building via NFS for multiple architectures)
350 if the relative timestamps in the source directory are
351 wrong (time not in sync on different machines) or some intermediate
352 target is unusable (up-to-date, but built for a different OS). Use
353 &quot;touch * &amp;&amp; make distclean&quot; in the source directory
354 to recover.<br><br></dd>
355<dt><b><a name="Build and install1">2.2. Why does static compiling (<code>--enable-static</code>) on Solaris fail ?</a></b></dt>
356<dd>Ingo Rogalsky has provided the following information: It isn't possible
357 to link Samhain statically with Solaris. This
358 is a Solaris issue (see Sun Infodoc ID12624) and not a samhain problem.<br><br></dd>
359<dt><b><a name="Build and install2">2.3. Compilation fails with '/usr/bin/ld: cannot find -lnss_files'</a></b></dt>
360<dd>For Linux, this is a known problem with --enable-static if you compile
361 in MySQL support. The problem is that the
362 <tt>mysql_config</tt> that comes as part of the MySQL
363 distribution script incorrectly lists dependencies on
364 the libnss_files and libnss_dns libraries which are only available as
365 shared libraries, so the linker cannot find the static libraries.
366
367 You can check this by inspecting the output of
368 <code>mysql_config --libs</code>. The version of
369 <tt>mysql_config</tt> that comes with the RedHat mysql
370 RPM (RedHat 9) does not have this bug; the one distributed by the MySQL
371 people has. You can fix the problem by editing
372 <tt>mysql_config</tt>: search for the
373 <i>client_libs</i> variable, and remove all instances
374 of <i>-lnss_files</i> and <i>-lnss_dns</i>.<br><br></dd>
375<dt><b><a name="Build and install3">2.4. The executable is corrupted after installation</a></b></dt>
376<dd>The executable will get stripped during the installation. On
377 suitable systems (i386 Linux/FreeBSD currently), additionally
378 the &quot;sstrip&quot;
379 utility (copyright 1999 by Brian Raiter, under the GNU GPL)
380 will be used to strip the executable even more, to prevent
381 debugging with the GNU &quot;gdb&quot; debugger.
382 The &quot;strip&quot; utility cannot handle the resulting
383 executable, therefore trying to strip manually after installation
384 will corrupt the executable.<br><br></dd>
385<dt><b><a name="Build and install4">2.5. --enable-xml-log has no effect</a></b></dt>
386<dd>If you have compiled for stealth, you won't see much, because if
387 obfuscated, then both a 'normal' and an XML logfile look,
388 well ... obfuscated. Use <code>samhain -jL /path/to/logfile</code>
389 to view the logfile.<br><br></dd>
390<dt><b><a name="Build and install5">2.6. ./install-sh: strip: not found (Solaris)</a></b></dt>
391<dd>Install the SUNWbtool package.<br><br></dd>
392<dt><b><a name="Build and install6">2.7. What is sh_tiger1.s?</a></b></dt>
393<dd>This is a precompiled assembly file for the i386 architecture
394generated from sh_tiger1.c using gcc 3.4.0 with the following options,
395that were found to generate the fastest code:
396<pre>
397 -O1 -fno-delayed-branch -fexpensive-optimizations -fstrength-reduce
398 -fpeephole2 -fschedule-insns2 -fregmove -frename-registers -fweb
399 -momit-leaf-frame-pointer -funroll-loops
400</pre>
401These options were determined using
402<a href="http://www.coyotegulch.com/products/acovea/">acovea</a> 5.1.1
403by Scott Robert Ladd. The file is provided as precompiled assembly
404because different versions of gcc can have very different performance,
405require different options to compile optimal code, and
406it would be impossible to maintain a library of optimal compile options
407for every version of gcc.<br><br></dd>
408<dt><b><a name="Build and install7">2.8. Why does static compiling (<code>--enable-static</code>) on MaxOS X fail ?</a></b></dt>
409<dd>Static linking is not supported on MacOS X, see
410<a href="http://developer.apple.com/qa/qa2001/qa1118.html">Technical Q&A QA1118</a>.
411This is a MacOS X issue and not a bug in samhain.<br><br></dd>
412<dt><b><a name="Build and install8">2.9. Why does compiling with MySQL fail on Solaris ?</a></b></dt>
413<dd>The reason is often the shell script 'mysql_config' that comes as part
414of MySQL. This script is intended to print appropriate compiler flags for
415compiling applications that use MySQL. Unfortunately, since Sun compiles
416MySQL with the Solaris compiler, this script outputs options for the Solaris
417compiler (i.e. unsuitable for gcc). To solve this problem, you need to move
418this script (i.e. 'mysql_config') out of your PATH before running
419<tt>./configure</tt> (unless of course you are using the Solaris compiler
420rather than gcc).<br><br></dd>
421</dl>
422<hr><h2>3. File checking</h2>
423<dl>
424<dt><b><a name="File checking0">3.1. How can I exclude a (sub-)directory ?</a></b></dt>
425<dd><div class="block"><pre>
426[IgnoreAll]
427dir=-1/ignore/this/subdirectory
428</pre></div><br><br></dd>
429<dt><b><a name="File checking1">3.2. In messages about policy violations, what does the code after POLICY [XYZ]
430mean ?</a></b></dt>
431<dd>This code indicates which items are modified (e.g. C = checksum). You can
432find a description in section 5.4.9 in the user manual. It is there because
433then you can see in the message list of the Beltane web console what has been
434modified, without the need to look at the message in detail.<br><br></dd>
435<dt><b><a name="File checking2">3.3. Does samhain support prelink ?</a></b></dt>
436<dd>Yes. There is a special checking policy [Prelink]. Directories with
437prelinked executables / shared libraries (see /etc/prelink.conf) should be
438placed under this policy, rather than under the [ReadOnly] policy.<br><br></dd>
439<dt><b><a name="File checking3">3.4. I get error messages about 'subdirectory count != hardlinks'</a></b></dt>
440<dd>Some filesystems do not always follow the rule that the number
441of directory
442hardlinks equals the number of subdirectories. E.g. the root directory of
443reiserfs partitions generally seems to have two additional hardlinks.
444To account for such exceptions, you can either switch off the
445hardlink check globally, or specify exceptions:
446<div class="block"><pre>
447[Misc]
448# Switch off hardlink check
449#
450UseHardlinkCheck=no
451</pre></div>
452<div class="block"><pre>
453[Misc]
454# Specify exceptions for the hardlink check
455#
456HardlinkOffset=N:/path
457</pre></div>
458Here, N is the numerical offset (actual - expected hardlinks) for
459'/path'. For multiple exceptions, use
460this options multiple times (note that '/path N:/path2' would itself be a valid
461path, so using the option only once with multiple exceptions on the same line
462would be ambiguous).<br><br></dd>
463</dl>
464<hr><h2>4. Client/Server</h2>
465<dl>
466<dt><b><a name="Client/Server0">4.1. I don't want to poke a hole into my firewall to let the client connect to the server !</a></b></dt>
467<dd>Pat Smith has posted the following solution. On the client, create
468an iptable rule as follows (<i>note: you probably don't need this if you
469configure / compile in 127.0.0.1 as the server address</i>):
470<div class="block"><pre>
471iptables -t nat -A OUTPUT -p tcp -m tcp --dport 49777 -d <i>server-ip</i> -j REDIRECT
472</pre></div>
473
474On the server, create an ssh tunnel for each client outside the firewall:
475
476<div class="block"><pre>
477ssh -f -C -R 49777:localhost:49777 -N <i>client-ip</i>
478</pre></div>
479
480It is necessary that each client has a distinct name, and that the server
481knows the name of the client. With the setup above, each client will appear
482as &quot;localhost&quot; to the server, thus the server
483needs to trust the client name
484as reported by the client itself, and suppress all errors on resolving
485this name to the apparent address. In the server configuration:
486
487<div class="block"><pre>
488[Misc]
489SetClientFromAccept = false
490SeverityLookup = debug
491</pre></div>
492
493Obviously, self-resolving must work on the client machine, otherwise
494you are in trouble (see next issue).<br><br></dd>
495<dt><b><a name="Client/Server1">4.2. The client sends 127.0.0.1 (or some other numerical address) as its name to the log server</a></b></dt>
496<dd>See 'Client cannot self-resolve' in the 'Most frequently' section<br><br></dd>
497<dt><b><a name="Client/Server2">4.3. The server wants to send rc.ip-adress rather than rc.fqdn to the client</a></b></dt>
498<dd>The client self-resolves to its ip address.
499See 'Client cannot self-resolve' in the 'Most frequently' section<br><br></dd>
500<dt><b><a name="Client/Server3">4.4. Cannot resolve client name host=XXX</a></b></dt>
501<dd><div class="block"><pre>
502The server must be able to determine the client name.
503This is because only authenticated connections from registered
504clients are allowed, and
505the server must be able to check the client hostname against the list of
506allowed hosts, and look up the password verifier for that
507host.
508</pre></div>
509There are two different ways to accomplish this. Unfortunately, judging
510from customer feedback as well from common sense, both do not work very well
511with a messed up local DNS (including /etc/hosts files) and/or
512&uuml;berparanoid or misconfigured firewalls (in case of connections
513across one).
514<ul>
515 <li>
516 <p>
517 <i>First method: Determine client name on client, and
518 try to cross-check on server</i>
519 <p>
520 <p>
521 This does not work for a number of people because (1) the
522 <tt>/etc/hosts</tt> file on the client machine has errors
523 (yes, there are plenty machines with a completely
524 messed up <tt>/etc/hosts</tt> file), (2) the
525 server cannot resolve the client address because the local DNS is
526 f***ed up, or (3) the client machine has multiple network interfaces, and
527 the interface used is not the one the client name resolves to.
528 </p>
529 <p>
530 If the client uses the wrong interface on a multi-interface machine,
531 there is a config file option
532 <tt>SetBindAddress=</tt><i>IP address</i>
533 that allows to choose the interface the client will use for
534 outgoing connections.
535 </p>
536 <p>
537 If you want to download the config file from the server, you
538 should instead use the corresponding command line
539 <tt>--bind-address=</tt><i>IP address</i>
540 to select the interface.
541 </p>
542
543 <p>
544 If you encounter problems, you may (1) fix your
545 <tt>/etc/hosts</tt> file(s), (2) fix your local DNS, or
546 (3) switch to the second method.
547 </p>
548 <p>
549 Errors in name resolving/cross-checking can be avoided by setting a
550 very low severity (lower than the logging threshold), e.g.
551 </p>
552 <p>
553 <tt>SeverityLookup=</tt><i>debug</i>
554 </p>
555 <p>
556 in the <i>Misc</i> section of the server configuration,
557 if you prefer running <i>unsafe</i> at any speed
558 instead of fixing the problem (you have been warned). Doing so will
559 allow an attacker to pose as the client.
560 </p>
561 </li>
562 <li>
563 <p><i>Second method: Use address of connecting entity as
564 known to the communication layer</i></p>
565 <p>
566 This has been dropped as default
567 long ago because it may not always be the
568 address of the client machine.
569 To enable this method, use
570 </p>
571 <p>
572 <tt>SetClientFromAccept=</tt><i>true</i>
573 </p>
574 <p>
575 in the <i>Misc</i> section of the server configuration
576 file. If the address cannot be resolved, or reverse lookup of the
577 resolved name fails, <i>no</i> error message will be issued,
578 but the numerical address will be used.
579 </p>
580 </li>
581</ul><br><br></dd>
582<dt><b><a name="Client/Server4">4.5. Cannot resolve socket peer IP for client host=XXX peer=YYY</a></b></dt>
583<dd>See above<br><br></dd>
584<dt><b><a name="Client/Server5">4.6. Reverse lookup of socket peer failed host=XXX peer=YYY obj=ZZZ</a></b></dt>
585<dd>See above<br><br></dd>
586<dt><b><a name="Client/Server6">4.7. No socket peer alias matches client name host=XXX peer=YYY</a></b></dt>
587<dd>See above<br><br></dd>
588<dt><b><a name="Client/Server7">4.8. Session key negotiation failed</a></b></dt>
589<dd>See the document <a href="HOWTO-client+server-troubleshooting.html">HOWTO client+server troubleshooting</a><br><br></dd>
590<dt><b><a name="Client/Server8">4.9. Invalid connection attempt: Not in client list</a></b></dt>
591<dd>See the document <a href="HOWTO-client+server-troubleshooting.html">HOWTO client+server troubleshooting</a><br><br></dd>
592<dt><b><a name="Client/Server9">4.10. Invalid connection attempt: Session key mismatch</a></b></dt>
593<dd>See the document <a href="HOWTO-client+server-troubleshooting.html">HOWTO client+server troubleshooting</a><br><br></dd>
594<dt><b><a name="Client/Server10">4.11. How do I update the file signature database ?</a></b></dt>
595<dd>If you keep the file signature database on the server,
596 the database is supposed to be updated on the server, using the
597 <a href="http://www.la-samhna.de/beltane/">beltane</a>
598 web-based console (currently in beta) and the
599 log messages from the client.
600 <p>
601 Alternatively, you can <code>scp</code> the database
602 to the client, run <code>samhain -t update -l none --foreground</code>
603 (you
604 need to avoid logging because otherwise you will get in conflict with
605 the running samhain daemon), and then <code>scp</code> the
606 database back to the server. Actually, with a properly set up
607 &quot;ssh&quot;, using RSA/DSA authentication
608 and ssh-agent you could write a script to automate this.<br><br></dd>
609<dt><b><a name="Client/Server11">4.12. Time limit exceeded</a></b></dt>
610<dd>The respective client for that this message is generated has not
611 sent anything for some interval of time (default 84600 sec = 1 day).
612 The interval can be set as follows:
613<div class="block"><pre>
614 [Misc]
615 # unit is seconds
616 SetClientTimeLimit=NNN
617</pre></div>
618
619 This feature has the purpose to detect if a client is dead. You
620 might want to ensure that timestamps are sent to the server:
621<div class="block"><pre>
622 [Log]
623 ExportSeverity=mark
624</pre></div>
625 If you don't want to use this feature, set the time limit to some
626 very large value.<br><br></dd>
627<dt><b><a name="Client/Server12">4.13. Invalid connection attempt: Signature mismatch</a></b></dt>
628<dd>Clients sign their messages using a session key negotiated
629 with the server. The message indicates that the server could
630 not verify the signature. This may be caused by a running two
631 instances of samhain on the same client machine, both of them
632 accessing the server (and negotiating different session keys
633 ...). The system will recover automatically from the problem
634 by forcing the failed client to negotiate a fresh session key.<br><br></dd>
635<dt><b><a name="Client/Server13">4.14. [Server] PANIC .. Address already in use&nbsp; &nbsp;subroutine=bind</a></b></dt>
636<dd>The server cannot bind to its port because the port is already used.
637 Maybe you have accidentially already an instance of the
638 server running.<br><br></dd>
639</dl>
640<hr><h2>5. Email</h2>
641<dl>
642<dt><b><a name="Email0">5.1. Reverse lookup failed</a></b></dt>
643<dd>Fix your DNS (reverse lookup: numerical IP address to FQDN, to verify
644 FQDN to numerical IP address).
645<div class="block"><pre>
646Whether &quot;nslookup&quot; works is not very informative, because
647&quot;nslookup&quot; does not use the resolver library of the operating
648system. Therefore,
649it is not exactly the
650best tool for debugging name resolving problems (see the book
651&quot;DNS and bind&quot;).
652</pre></div><br><br></dd>
653<dt><b><a name="Email1">5.2. From daemon@example.com</a></b></dt>
654<dd>samhain fails to resolve the
655 self-address of the host.
656See 'Client cannot self-resolve' in the 'Most frequently' section.<br><br></dd>
657<dt><b><a name="Email2">5.3. How do I define more than one email addresses ?</a></b></dt>
658<dd>Use <tt>SetMailAddress=...</tt> multiple times (upt to eight addresses
659are possible, with at most 63 characters per address):
660<div class="block"><pre>
661[Misc]
662SetMailAddress=aaa@foo.com
663SetMailAddress=bbb@foo.com
664</pre></div><br><br></dd>
665</dl>
666<hr><h2>6. Misc</h2>
667<dl>
668<dt><b><a name="Misc0">6.1. Error message: &quot;Invalid line XYZ in configuration file&quot;</a></b></dt>
669<dd>This message indicates that line XYZ in the configuration file contains
670an unrecognized directive. The primary reasons are:<br />
671
672(a) The directive should be placed into a particular section of the
673configuration file, but the section header is not present (or you forgot
674to uncomment it).<br />
675
676(b) Samhain is compiled without support for this directive.<br />
677
678(c) You have a typo in the directive.<br /><br><br></dd>
679<dt><b><a name="Misc1">6.2. Why do I get a local logfile if I log to the server ?</a></b></dt>
680<dd>Because you can use all log facilities in parallel. You should
681 switch off in the config file what you don't want/need:
682<div class="block"><pre>
683 [Log]
684 # local log file
685 LogSeverity=none
686</pre></div><br><br></dd>
687<dt><b><a name="Misc2">6.3. Why is there no NIS support with a static samhain executable on Linux ?</a></b></dt>
688<dd>Some functions (including NIS) require
689 libraries that are only available as shared libraries
690 with modern GLIBC versions. While you can always compile a static
691 executable, normally it would still open the shared library at runtime.
692 As of version 1.8.11, samhain avoids this by providing replacement
693 functions from uClibc. However, these do not include NIS support.<br><br></dd>
694<dt><b><a name="Misc3">6.4. Why do I get hundreds of messages about modified CTIME ?</a></b></dt>
695<dd>This happens because some
696 backup applications reset the atime/mtime timestamps, which causes
697 the ctime timestamp to be modified (rootkits avoid this by
698 temporarily resetting the system clock to the original ctime ...).
699 <p>
700 To fix this problem, read the manual of your backup application, or
701 redefine the ReadOnly policy to <i>not</i> check
702 the ctime timestamp:
703<div class="block"><pre>
704 [Misc]
705 RedefReadOnly=-CTM
706</pre></div>
707<div class="warnblock"><pre>
708 Order matters - you must <i>first</i> redefine
709 ReadOnly <i>before</i> you use it
710</pre></div><br><br></dd>
711<dt><b><a name="Misc4">6.5. PANIC &mdash; File not accessible</a></b></dt>
712<dd>Most likely permission denied because of unsufficient privileges.<br><br></dd>
713<dt><b><a name="Misc5">6.6. How can I avoid error messages for invalid UIDs (no such user) ?</a></b></dt>
714<dd>Set SeverityNames to a low value
715<div class="block"><pre>
716[EventSeverity]
717SeverityNames=debug
718</pre></div><br><br></dd>
719<dt><b><a name="Misc6">6.7. [Redhat] The /etc/init.d/(samhain|yule) init script hangs</a></b></dt>
720<dd>Redhat uses &quot;initlog&quot; (see
721 <code>man initlog</code>) in initscripts. If it hangs, most probably
722 samhain/yule runs in the foreground rather than as daemon. Set
723 daemon mode in the configuration file:
724<div class="block"><pre>
725[Misc]
726Daemon=yes
727</pre></div><br><br></dd>
728<dt><b><a name="Misc7">6.8. The /etc/init.d/(samhain|yule) init script exits with: execvp: No such file or directory</a></b></dt>
729<dd>Either the program is not installed, or it is not in the PATH (the one
730 used by the init script, which may be different from your PATH).<br><br></dd>
731<dt><b><a name="Misc8">6.9. Why am I not receiving the &quot;BEGIN LOGKEY&quot; message by email ?</a></b></dt>
732<dd>This message (which contains the key to verify the log file) is generated
733 when logging to the log file starts. It has the severity &quot;ALRT&quot;,
734 thus you should make sure that you have set the logging threshold for
735 email correctly to receive it.<br><br></dd>
736<dt><b><a name="Misc9">6.10. Why does console logging fail if I compile with
737 <code>--enable-(micro-)stealth</code> ?</a></b></dt>
738<dd>The default logging options are more &quot;stealthy&quot;. Set the
739 threshold explicitely rather than relying on the default.<br><br></dd>
740<dt><b><a name="Misc10">6.11. I need a list for my schedule !</a></b></dt>
741<dd>You can have the same effect with a list of schedules. See the section
742&quot;Timing file checks&quot; in the manual.<br><br></dd>
743<dt><b><a name="Misc11">6.12. The hiding kernel module has no effect !</a></b></dt>
744<dd>Most probably you compiled using the wrong &quot;System.map&quot; file.<br><br></dd>
745<dt><b><a name="Misc12">6.13. What does the message &quot;Large lstat/open overhead&quot; mean ?</a></b></dt>
746<dd>Your system needs several seconds to proceed from an lstat() system call
747 to an open() system call. This is a tremenduous overhead, and
748 indicates that either your system has a really severe performance problem,
749 or someone tries to slow down samhain.<br><br></dd>
750<dt><b><a name="Misc13">6.14. What does the message &quot;Device not available path=/dev/random&quot; mean ? I have /dev/random !</a></b></dt>
751<dd>/dev/random blocks unless there is some entropy it can deliver. Samhain
752 will time out and fall back on /dev/urandom after some seconds to avoid
753 hanging for a potentially long time. It will try /dev/random again next
754 time it needs entropy.<br><br></dd>
755<dt><b><a name="Misc14">6.15. Logging to an external program fails; the program receives no data
756 on stdin !</a></b></dt>
757<dd>Probably your program is not designed to <i>wait for input</i>, but exits
758 if reading fails (because there is no data <i>yet</i>). You may want to
759 let your program wait for the terminating &quot;[EOF]&quot; line.<br><br></dd>
760<dt><b><a name="Misc15">6.16. SIGILL on AIX</a></b></dt>
761<dd>For each scanned file, samhain needs to
762 store some information in memory (e.g. to recognize changes that have
763 already been reported, and avoid duplicate reports). On AIX, if you are
764 checking a <i>really huge</i> number of files,
765 memory usage may exceed the default limit of 256 MB, and the process may
766 terminate with SIGILL.
767 <p>
768 The problem can be solved by linking with the flag
769 <code>-bmaxdata:0x80000000</code>. This allows the application to
770 access up to 8 segments (where each segment is 256MB).
771 <p>
772 If you are using gcc, you need to use instead
773 the flag <code>-Wl,bmaxdata:0x80000000</code>, which tells
774 gcc to pass on the
775 <i>bmaxdata</i>
776 flag to the AIX linker. You can use the LDFLAGS environment variable to
777 pass linker flags to the configure script:
778<div class="block"><pre>
779 export LDFLAGS="-Wl,bmaxdata:0x80000000"
780</pre></div><br><br></dd>
781</dl>
782<hr><h2>7. Database</h2>
783<dl>
784<dt><b><a name="Database0">7.1. Why are client messages corrupted / incompletely stored in the DB ?</a></b></dt>
785<dd>Because the messages are not in XML format, and therefore incorrectly
786 parsed. The most frequent reasons are:
787<div class="block"><pre>
788 1.) Your server is compiled with --enable-xml-log, but your client(s)
789 is/are not.
790
791 2.) In your client or server configuration file, you are using
792 the option for a custom message header, but without paying attention
793 to preserving the XML format.
794</pre></div><br><br></dd>
795<dt><b><a name="Database1">7.2. I want / don't want the server timestamps (for client messages) in the SQL database</a></b></dt>
796<dd><div class="block"><pre>
797[Database]
798SetDBServerTstamp = true/false
799</pre></div>
800
801 This will enable/disable logging of the server timestamp for client
802 messages. The server timestamp will be written to a separate record,
803 with <i>log_ref</i> set to the value of
804 <i>log_index</i> of the corresponding client message.<br><br></dd>
805<dt><b><a name="Database2">7.3. I don't want the client TIMESTAMP messages in the SQL database</a></b></dt>
806<dd><div class="block"><pre>
807 Sending timestamps from the client allows the server to detect if
808 a client is not running anymore (use SetClientTimeLimit=NNN in the
809 [Misc] section of the server config file to set the number of seconds
810 after which the server will issue an error message if no timestamp has
811 been received).
812</pre></div>
813
814 However, you might not want to log these timestamps to the database
815 (or other log facilities). To filter them, you can use two methods
816 (examples are for the SQL database).
817 The first
818 one has the disadvantage that only messages of
819 severity <i>err</i> or higher will be logged:
820<div class="block"><pre>
821 [Misc]
822 UseClientSeverity=yes
823
824 [Log]
825 DatabaseSeverity=err
826</pre></div>
827
828 The second method is more specific &mdash; log everything not
829 belonging to the STAMP class of messages:
830<div class="block"><pre>
831 [Misc]
832 UseClientClass=yes
833
834 [Log]
835 DatabaseClass=PANIC RUN FIL TCP ERR ENET EINPUT
836</pre></div><br><br></dd>
837<dt><b><a name="Database3">7.4. What does the log_ref field mean ?</a></b></dt>
838<dd>NULL are client messages. Nonzero integer is a server timestamp
839 for a client message (where log_ref indicates the log_index entry
840 number of the corresponding client message). Zero indicates a message
841 by the server itself (e.g. the server's start message).<br><br></dd>
842<dt><b><a name="Database4">7.5. How can I check what is in the database ?</a></b></dt>
843<dd>Use a command line client to login to the database and query it:
844<div class="block"><pre>
845 sh$ mysql -u &lt;user_name&gt; -p &lt;database_name&gt;
846 Enter password: ****
847 mysql&gt; SELECT log_index,log_ref,log_host,log_sev,log_msg,path FROM &lt;table_name&gt; WHERE entry_status = 'NEW' ORDER BY log_index;
848 ....
849 mysql&gt; \q
850</pre></div><br><br></dd>
851</dl>
852<hr>
853
854<p>Copyright (c) 2004 Rainer Wichmann</p>
855
856<p><i>This list of questions and answers was generated by
857<a href="http://www.makefaq.org/">makefaq</a>.</i>
858
859</div>
860</body>
861</html>
Note: See TracBrowser for help on using the repository browser.