samhain file integrity scanner | online documentation
FAQ Revised: Saturday 17 September 2005 09:10:07
--enable-static) on Solaris fail?
--enable-(micro-)stealth?
$ ./configure --with-trusted=0,...
[Misc]
TrustedUser=username
$ samhain -p info ...
[Log]
PrintSeverity=info
$ samhain -p none ...
[Log]
PrintSeverity=none
Below you can find some examples of good and bad /etc/hosts files:
# CORRECT #
127.0.0.1 localhost
xxx.xxx.xxx.xxx myhost.mydomain.tld myhost

# CORRECT #
127.0.0.1 localhost.localdomain localhost
xxx.xxx.xxx.xxx myhost.mydomain.tld myhost

# BAD #
127.0.0.1 myhost.mydomain.tld localhost
xxx.xxx.xxx.xxx myhost.mydomain.tld myhost

# BAD #
127.0.0.1 localhost myhost
xxx.xxx.xxx.xxx myhost.mydomain.tld myhost
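The BAD examples above share one defect: the machine's own hostname appears on the 127.0.0.1 line, so the name resolves to loopback and the server cannot match it against the connecting address. The following script is an added example, not part of the samhain FAQ or of samhain itself; it flags that pattern in a hosts file and warns when the hostname is missing from every non-loopback line. The sample files it builds (with TEST-NET address 192.0.2.10) are constructed for the demonstration.

```sh
#!/bin/sh
# Added example, not part of the samhain FAQ: sanity-check an /etc/hosts file
# for the mistake shown in the BAD examples, i.e. the machine's own hostname
# listed on a loopback line.
# Usage: check_hosts_file /etc/hosts "$(hostname)"

# check_hosts_file FILE HOSTNAME -> returns 0 if FILE looks sane, 1 otherwise
check_hosts_file() {
    file=$1
    myhost=$2
    short=${2%%.*}          # short form, e.g. myhost for myhost.mydomain.tld
    bad=0
    seen=0
    while read -r line; do
        line=${line%%#*}    # drop trailing comments
        set -- $line        # $1 = address, $2... = names (unquoted on purpose)
        [ $# -ge 2 ] || continue
        addr=$1
        shift
        case "$addr" in
            127.*|::1)      # loopback line: only localhost-style names belong here
                for n in "$@"; do
                    case "$n" in
                        localhost|localhost.localdomain|ip6-localhost|ip6-loopback) ;;
                        *)
                            if [ "$n" = "$myhost" ] || [ "$n" = "$short" ]; then
                                echo "BAD: $n is listed on loopback address $addr"
                                bad=1
                            fi
                            ;;
                    esac
                done
                ;;
            *)              # real interface line: remember whether our name appears
                for n in "$@"; do
                    if [ "$n" = "$myhost" ] || [ "$n" = "$short" ]; then
                        seen=1
                    fi
                done
                ;;
        esac
    done < "$file"
    if [ $seen -eq 0 ]; then
        echo "MISSING: $myhost does not appear on any non-loopback line"
        bad=1
    fi
    return $bad
}

# make_sample_hosts correct|bad -> writes a constructed hosts file, prints its path
make_sample_hosts() {
    f=$(mktemp) || return 1
    case "$1" in
        correct)
            printf '%s\n' '127.0.0.1 localhost' \
                          '192.0.2.10 myhost.mydomain.tld myhost' > "$f" ;;
        bad)
            printf '%s\n' '127.0.0.1 myhost.mydomain.tld localhost' \
                          '192.0.2.10 myhost.mydomain.tld myhost' > "$f" ;;
    esac
    echo "$f"
}

# Demo on the constructed samples
for kind in correct bad; do
    f=$(make_sample_hosts "$kind")
    printf '%s sample: ' "$kind"
    check_hosts_file "$f" myhost.mydomain.tld && echo "OK"
    rm -f "$f"
done
```

The check reads the file directly rather than calling the resolver, so it tells you what the file says regardless of what DNS returns; if the file passes but the server still cannot cross-check the client, the remaining suspects are DNS or a multi-interface client, as the FAQ describes.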
--enable-static) on Solaris fail?
mysql_config --libs. The version of mysql_config that comes with the RedHat mysql RPM (RedHat 9) does not have this bug; the one distributed by the MySQL people has. You can fix the problem by editing mysql_config: search for the client_libs variable, and remove all instances of -lnss_files and -lnss_dns.
samhain -jL /path/to/logfile
to view the logfile.
[IgnoreAll]
dir=-1/ignore/this/subdirectory
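The mysql_config edit described in the answer above can be done by script rather than by hand. This is an added example, not part of the samhain FAQ or of MySQL; it assumes mysql_config is a plain shell script that sets a client_libs variable (the constructed excerpt below mimics that shape), rewrites only that assignment, and keeps the untouched original as mysql_config.orig.

```sh
#!/bin/sh
# Added example, not part of the samhain FAQ: drop -lnss_files and -lnss_dns
# from the client_libs variable of a mysql_config script, keeping a backup.
# Usage: fix_mysql_config /path/to/mysql_config   (path is yours, not assumed)

fix_mysql_config() {
    f=$1
    cp "$f" "$f.orig" || return 1
    # sed -i is not portable, so read the backup and write the new file;
    # the address restricts both substitutions to the client_libs line
    sed -e '/^client_libs=/s/ *-lnss_files//g' \
        -e '/^client_libs=/s/ *-lnss_dns//g' "$f.orig" > "$f"
}

# client_libs_of FILE -> prints the value of the client_libs variable
client_libs_of() {
    sed -n 's/^client_libs="\(.*\)"$/\1/p' "$1"
}

# make_sample_mysql_config -> constructed excerpt of a buggy mysql_config
# (assumption: the real script stores the libraries in a shell variable like this)
make_sample_mysql_config() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
#!/bin/sh
ldflags=''
client_libs="-L/usr/lib/mysql -lmysqlclient -lz -lcrypt -lnsl -lm -lnss_files -lnss_dns"
case "$1" in
    --libs) echo "$ldflags $client_libs" ;;
esac
EOF
    echo "$f"
}

# Demo on the constructed sample
f=$(make_sample_mysql_config)
echo "before: $(client_libs_of "$f")"
fix_mysql_config "$f"
echo "after:  $(client_libs_of "$f")"
rm -f "$f" "$f.orig"
```

After the edit, `mysql_config --libs` should no longer mention the two NSS libraries; if it still does, the variable is spelled differently in your copy and the sed address needs adjusting.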
[Misc]
# Switch off hardlink check
# UseHardlinkCheck=no

[Misc]
# Specify exceptions for the hardlink check
# HardlinkOffset=N:/path
iptables -t nat -A OUTPUT -p tcp -m tcp --dport 49777 -d server-ip -j REDIRECT
ssh -f -C -R 49777:localhost:49777 -N client-ip
[Misc]
SetClientFromAccept = false
SeverityLookup = debug
The server must be able to determine the client name. This is because only authenticated connections from registered clients are allowed, and the server must be able to check the client hostname against the list of allowed hosts, and look up the password verifier for that host.
First method: Determine client name on client, and try to cross-check on server
This does not work for a number of people because (1) the /etc/hosts file on the client machine has errors (yes, there are plenty of machines with a completely messed up /etc/hosts file), (2) the server cannot resolve the client address because the local DNS is f***ed up, or (3) the client machine has multiple network interfaces, and the interface used is not the one the client name resolves to.
If the client uses the wrong interface on a multi-interface machine, there is a config file option SetBindAddress=IP address that allows you to choose the interface the client will use for outgoing connections.
If you want to download the config file from the server, you should instead use the corresponding command line option --bind-address=IP address to select the interface.
If you encounter problems, you may (1) fix your /etc/hosts file(s), (2) fix your local DNS, or (3) switch to the second method.
Errors in name resolving/cross-checking can be avoided by setting a very low severity (lower than the logging threshold), e.g.
SeverityLookup=debug
in the Misc section of the server configuration, if you prefer running unsafe at any speed instead of fixing the problem (you have been warned). Doing so will allow an attacker to pose as the client.
Second method: Use address of connecting entity as known to the communication layer
This was dropped as the default long ago because it may not always be the address of the client machine. To enable this method, use
SetClientFromAccept=true
in the Misc section of the server configuration file. If the address cannot be resolved, or reverse lookup of the resolved name fails, no error message will be issued, but the numerical address will be used.
Alternatively, you can scp the database to the client, run samhain -t update -l none (you need to avoid logging because otherwise you will get in conflict with the running samhain daemon), and then scp the database back to the server. Actually, with a properly set up "ssh", using RSA/DSA authentication and ssh-agent you could write a script to automate this.
[Misc]
# unit is seconds
SetClientTimeLimit=NNN
[Log]
ExportSeverity=mark
Whether "nslookup" works is not very informative, because "nslookup" does not use the resolver library of the operating system. Therefore, it is not exactly the best tool for debugging name resolving problems (see the book "DNS and bind").
[Misc]
SetMailAddress=aaa@foo.com
SetMailAddress=bbb@foo.com
[Log]
# local log file
LogSeverity=none
To fix this problem, read the manual of your backup application, or redefine the ReadOnly policy to not check the ctime timestamp:
[Misc]
RedefReadOnly=-CTM
Order matters: you must first redefine ReadOnly before you use it.
[EventSeverity]
SeverityNames=debug
man initlog) in initscripts. If it hangs, most probably samhain/yule runs in the foreground rather than as a daemon. Set daemon mode in the configuration file:
[Misc]
Daemon=yes
--enable-(micro-)stealth?
The problem can be solved by linking with the flag -bmaxdata:0x80000000. This allows the application to access up to 8 segments (where each segment is 256MB). If you are using gcc, you need to use the flag -Wl,bmaxdata:0x80000000 instead, which tells gcc to pass on the bmaxdata flag to the AIX linker. You can use the LDFLAGS environment variable to pass linker flags to the configure script:
export LDFLAGS="-Wl,bmaxdata:0x80000000"
1.) Your server is compiled with --enable-xml-log, but your client(s) is/are not.
2.) In your client or server configuration file, you are using the option for a custom message header, but without paying attention to preserving the XML format.
[Database]
SetDBServerTstamp = true/false
Sending timestamps from the client allows the server to detect if a client is not running anymore (use SetClientTimeLimit=NNN in the [Misc] section of the server config file to set the number of seconds after which the server will issue an error message if no timestamp has been received).
[Misc]
UseClientSeverity=yes
[Log]
DatabaseSeverity=err

[Misc]
UseClientClass=yes
[Log]
DatabaseClass=PANIC RUN FIL TCP ERR ENET EINPUT
Copyright (c) 2004 Rainer Wichmann
This list of questions and answers was generated by makefaq.