Context Navigation

← Previous Revision
Latest Revision
Next Revision →
Blame
Revision Log

source: trunk/docs/FAQ.html@ 3

Last change on this file since 3 was 1, checked in by katerina, 19 years ago
Initial import
File size: 35.7 KB

Line
1	<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
2	<html><head>
3	<title>Frequently Asked Questions for Samhain</title>
4	<meta name="author" content="Rainer Wichmann">
5
6	<style type="text/css">
7	<!--
8
9	html { background: #eee; color: #000; }
10
11	body { background: #eee; color: #000; margin: 0; padding: 0;}
12
13	div.body {
14	background: #fff; color: #000;
15	margin: 0 1em 0 1em; padding: 1em;
16	font-family: serif;
17	font-size: 1em; line-height: 1.2em;
18	border-width: 0 1px 0 1px;
19	border-style: solid;
20	border-color: #aaa;
21	}
22
23	div.block {
24	background: #b6c5f2; color: #000;
25	margin: 1em; padding: 0 1em 0 1em;
26	border-width: 1px;
27	border-style: solid;
28	border-color: #2d4488;
29	}
30
31	div.warnblock {
32	background: #b6c5f2; color: #000;
33	margin: 1em; padding: 0 1em 0 1em;
34	border-width: 1px;
35	border-style: solid;
36	border-color: #FF9900;
37	}
38
39	table {
40	background: #F8F8F8; color: #000;
41	margin: 1em;
42	border-width: 0 0 0 1px;
43	border-style: solid;
44	border-color: #C0C0C0;
45	}
46
47	td {
48	border-width: 0 1px 1px 0;
49	border-style: solid;
50	border-color: #C0C0C0;
51	}
52
53	th {
54	background: #F8F8FF;
55	border-width: 1px 1px 2px 0;
56	border-style: solid;
57	border-color: #C0C0C0;
58	}
59
60
61	/* body text, headings, and rules */
62
63	p { margin: 0; text-indent: 0em; margin: 0 0 0.5em 0 }
64
65	h1, h2, h3, h4, h5, h6 {
66	color: #206020; background: transparent;
67	font-family: Optima, Arial, Helvetica, sans-serif;
68	font-weight: normal;
69	}
70
71	h1 { font-size: 1.69em; margin: 1.4em 0 0.4em 0; }
72	h2 { font-size: 1.44em; margin: 1.4em 0 0.4em 0; }
73	h3 { font-size: 1.21em; margin: 1.4em 0 0.4em 0; }
74	h4 { font-size: 1.00em; margin: 1.4em 0 0.4em 0; }
75	h5 { font-size: 0.81em; margin: 1.4em 0 0.4em 0; }
76	h6 { font-size: 0.64em; margin: 1.4em 0 0.4em 0; }
77
78	hr {
79	color: transparent; background: transparent;
80	height: 0px; margin: 0.6em 0;
81	border-width: 1px ;
82	border-style: solid;
83	border-color: #999;
84	}
85
86	/* bulleted lists and definition lists */
87
88	ul { margin: 0 1em 0.6em 2em; padding: 0; }
89	li { margin: 0.4em 0 0 0; }
90
91	dl { margin: 0.6em 1em 0.6em 2em; }
92	dt { color: #285577; }
93
94	tt { color: #602020; }
95
96	/* links */
97
98	a.link {
99	color: #33c; background: transparent;
100	text-decoration: none;
101	}
102
103	a:hover {
104	color: #000; background: transparent;
105	}
106
107	body > a {
108	font-family: Optima, Arial, Helvetica, sans-serif;
109	font-size: 0.81em;
110	}
111
112	h1, h2, h3, h4, h5, h6 {
113	color: #2d5588; background: transparent;
114	font-family: Optima, Arial, Helvetica, sans-serif;
115	font-weight: normal;
116	}
117
118	-->
119	</style></head>
120	<body>
121	<div class="body">
122	<p style="text-align: center; background: #ccc; border: 1px solid #2d5588;"><a
123	style="text-decoration: none;"
124	href="http://www.la-samhna.de/samhain/">samhain file integrity
125	scanner</a> \| <a style="text-decoration: none;"
126	href="http://www.la-samhna.de/samhain/s_documentation.html">online
127	documentation</a></p>
128	<br><center><h1><a name="FAQ-top">Frequently Asked Questions for Samhain</a></h1></center>
129	<br><center><h2>Rainer Wichmann</h2></center>
130	<hr>
131	<p><i>FAQ Revised: Saturday 17 September 2005 09:10:07</i></p>
132	<hr><h2>Table of Contents</h2>
133	<dl>
134	<dt><b>1. Most frequently</b></dt>
135	<dd><ul>
136	<li><a href="#Most frequently0">1.1. Owner not trustworthy / Group writeable and member not trustworthy</a></li>
137	<li><a href="#Most frequently1">1.2. samhain exits with the message "Untrusted path" for config/log/pid/database files</a></li>
138	<li><a href="#Most frequently2">1.3. It does not log anything / Can't stop logging to console</a></li>
139	<li><a href="#Most frequently3">1.4. Client cannot self-resolve, but nslookup works fine</a></li>
140	</ul></dd>
141	<dt><b>2. Build and install</b></dt>
142	<dd><ul>
143	<li><a href="#Build and install0">2.1. [Fedora Core] Cannot compile with --enable-khide</a></li>
144	<li><a href="#Build and install1">2.2. [Fedora Core] Cannot compile with --with-kcheck</a></li>
145	<li><a href="#Build and install2">2.3. "make" loops infinitely !</a></li>
146	<li><a href="#Build and install3">2.4. Why does static compiling (<code>--enable-static</code>) on Solaris fail ?</a></li>
147	<li><a href="#Build and install4">2.5. Compilation fails with '/usr/bin/ld: cannot find -lnss_files'</a></li>
148	<li><a href="#Build and install5">2.6. The executable is corrupted after installation</a></li>
149	<li><a href="#Build and install6">2.7. --enable-xml-log has no effect</a></li>
150	<li><a href="#Build and install7">2.8. ./install-sh: strip: not found (Solaris)</a></li>
151	</ul></dd>
152	<dt><b>3. File checking</b></dt>
153	<dd><ul>
154	<li><a href="#File checking0">3.1. How can I exclude a (sub-)directory ?</a></li>
155	<li><a href="#File checking1">3.2. In messages about policy violations, what does the code after POLICY [XYZ]
156	mean ?</a></li>
157	<li><a href="#File checking2">3.3. Does samhain support prelink ?</a></li>
158	<li><a href="#File checking3">3.4. I get error messages about 'subdirectory count != hardlinks'</a></li>
159	</ul></dd>
160	<dt><b>4. Client/Server</b></dt>
161	<dd><ul>
162	<li><a href="#Client/Server0">4.1. I don't want to poke a hole into my firewall to let the client connect to the server !</a></li>
163	<li><a href="#Client/Server1">4.2. The client sends 127.0.0.1 (or some other numerical address) as its name to the log server</a></li>
164	<li><a href="#Client/Server2">4.3. The server wants to send rc.ip-adress rather than rc.fqdn to the client</a></li>
165	<li><a href="#Client/Server3">4.4. Cannot resolve client name host=XXX</a></li>
166	<li><a href="#Client/Server4">4.5. Cannot resolve socket peer IP for client host=XXX peer=YYY</a></li>
167	<li><a href="#Client/Server5">4.6. Reverse lookup of socket peer failed host=XXX peer=YYY obj=ZZZ</a></li>
168	<li><a href="#Client/Server6">4.7. No socket peer alias matches client name host=XXX peer=YYY</a></li>
169	<li><a href="#Client/Server7">4.8. Session key negotiation failed</a></li>
170	<li><a href="#Client/Server8">4.9. Invalid connection attempt: Not in client list</a></li>
171	<li><a href="#Client/Server9">4.10. Invalid connection attempt: Session key mismatch</a></li>
172	<li><a href="#Client/Server10">4.11. How do I update the file signature database ?</a></li>
173	<li><a href="#Client/Server11">4.12. Time limit exceeded</a></li>
174	<li><a href="#Client/Server12">4.13. Invalid connection attempt: Signature mismatch</a></li>
175	<li><a href="#Client/Server13">4.14. [Server] PANIC .. Address already in use   subroutine=bind</a></li>
176	</ul></dd>
177	<dt><b>5. Email</b></dt>
178	<dd><ul>
179	<li><a href="#Email0">5.1. Reverse lookup failed</a></li>
180	<li><a href="#Email1">5.2. From daemon@example.com</a></li>
181	<li><a href="#Email2">5.3. How do I define more than one email addresses ?</a></li>
182	</ul></dd>
183	<dt><b>6. Misc</b></dt>
184	<dd><ul>
185	<li><a href="#Misc0">6.1. Error message: "Invalid line XYZ in configuration file"</a></li>
186	<li><a href="#Misc1">6.2. Why do I get a local logfile if I log to the server ?</a></li>
187	<li><a href="#Misc2">6.3. Why is there no NIS support with a static samhain executable on Linux ?</a></li>
188	<li><a href="#Misc3">6.4. Why do I get hundreds of messages about modified CTIME ?</a></li>
189	<li><a href="#Misc4">6.5. PANIC — File not accessible</a></li>
190	<li><a href="#Misc5">6.6. How can I avoid error messages for invalid UIDs (no such user) ?</a></li>
191	<li><a href="#Misc6">6.7. [Redhat] The /etc/init.d/(samhain\|yule) init script hangs</a></li>
192	<li><a href="#Misc7">6.8. The /etc/init.d/(samhain\|yule) init script exits with: execvp: No such file or directory</a></li>
193	<li><a href="#Misc8">6.9. Why am I not receiving the "BEGIN LOGKEY" message by email ?</a></li>
194	<li><a href="#Misc9">6.10. Why does console logging fail if I compile with
195	<code>--enable-(micro-)stealth</code> ?</a></li>
196	<li><a href="#Misc10">6.11. I need a list for my schedule !</a></li>
197	<li><a href="#Misc11">6.12. The hiding kernel module has no effect !</a></li>
198	<li><a href="#Misc12">6.13. What does the message "Large lstat/open overhead" mean ?</a></li>
199	<li><a href="#Misc13">6.14. What does the message "Device not available path=/dev/random" mean ? I have /dev/random !</a></li>
200	<li><a href="#Misc14">6.15. Logging to an external program fails; the program receives no data
201	on stdin !</a></li>
202	<li><a href="#Misc15">6.16. SIGILL on AIX</a></li>
203	</ul></dd>
204	<dt><b>7. Database</b></dt>
205	<dd><ul>
206	<li><a href="#Database0">7.1. Why are client messages corrupted / incompletely stored in the DB ?</a></li>
207	<li><a href="#Database1">7.2. I want / don't want the server timestamps (for client messages) in the SQL database</a></li>
208	<li><a href="#Database2">7.3. I don't want the client TIMESTAMP messages in the SQL database</a></li>
209	<li><a href="#Database3">7.4. What does the log_ref field mean ?</a></li>
210	</ul></dd>
211	</dl>
212	<hr><h2>1. Most frequently</h2>
213	<dl>
214	<dt><b><a name="Most frequently0">1.1. Owner not trustworthy / Group writeable and member not trustworthy</a></b></dt>
215	<dd>An untrusted user (might be an untrusted group member
216	for group writeable files/directories) owns or can write to an
217	element in the path listed in the error message. This concerns
218	the configuration file, the log file, and the database file.
219	The offending element in the path is identified as obj=/xxx in the
220	error message.
221	To fix the problem, see next entry.<br><br></dd>
222	<dt><b><a name="Most frequently1">1.2. samhain exits with the message "Untrusted path" for config/log/pid/database files</a></b></dt>
223	<dd>Paths to critical
224	files (e.g. the configuration file) must be writeable by trusted users
225	only.
226	If a path element is group writeable, all group members must be trusted.
227	By default, only <i>root</i> and the (effective) <i>user</i> of
228	the program are trusted. To add trusted users, use the compile time
229	option
230	<div class="block"><pre>
231	$ ./configure --with-trusted=0,...
232	</pre></div>
233	or the configure file option:
234	<div class="block"><pre>
235	[Misc]
236	TrustedUser=username
237	</pre></div>
238	If the path to the configuration file itself is writeable
239	by other users than <i>root</i> and the
240	<i>effective user</i>
241	these must be defined as trusted already
242	at compile time.<br><br></dd>
243	<dt><b><a name="Most frequently2">1.3. It does not log anything / Can't stop logging to console</a></b></dt>
244	<dd>(1) There is a section in the manual dealing with
245	logging and filtering.<br />
246
247	(2) To log to the console:
248	<div class="block"><pre>
249	$ samhain -p info ...
250	</pre></div>
251	or in the configuration file:
252	<div class="block"><pre>
253	[Log]
254	PrintSeverity=info
255	</pre></div>
256
257	To <i>stop</i> logging to the console:
258	<div class="block"><pre>
259	$ samhain -p none ...
260	</pre></div>
261	or in the configuration file:
262	<div class="block"><pre>
263	[Log]
264	PrintSeverity=none
265	</pre></div>
266	Defining <tt>/dev/null</tt> as console device works as well, but
267	is a bad idea, because samhain will open the device and write (i.e. it is
268	a very inefficient method).<br><br></dd>
269	<dt><b><a name="Most frequently3">1.4. Client cannot self-resolve, but nslookup works fine</a></b></dt>
270	<dd><ul>
271	<li>Nslookup is a program to query Internet domain name servers.
272	</li>
273	<li>Applications (like samhain) are not supposed to query DNS servers
274	directly. Rather, they are supposed to query the resolver library that:
275	<ul>
276	<li>is provided by the operating system,</li>
277	<li>configured by the system administrator,</li>
278	<li>may use several different method to determine host names, as
279	configured in <tt>/etc/nsswitch.conf</tt>, and</li>
280	<li>usually is configured to give precedence to
281	the <tt>/etc/hosts</tt> file.</li>
282	</ul>
283	</li>
284	<li>Therefore, whether nslookup gives correct answers may be completely
285	irrelevant. For self-resolving the own hostname, the resolver
286	library probably will use <tt>/etc/hosts</tt>, rather than
287	querying a DNS server.
288	</li>
289	</ul>
290	<p>
291	Below you can find some examples of good and bad <tt>/etc/hosts</tt> files:
292	</p>
293	<div class="block"><pre>
294	# CORRECT
295	#
296	127.0.0.1 localhost
297	xxx.xxx.xxx.xxx myhost.mydomain.tld myhost
298	</pre></div>
299
300	<div class="block"><pre>
301	# CORRECT
302	#
303	127.0.0.1 localhost.localdomain localhost
304	xxx.xxx.xxx.xxx myhost.mydomain.tld myhost
305	</pre></div>
306
307	<div class="block"><pre>
308	# BAD
309	#
310	127.0.0.1 myhost.mydomain.tld localhost
311	xxx.xxx.xxx.xxx myhost.mydomain.tld myhost
312	</pre></div>
313
314	<div class="block"><pre>
315	# BAD
316	#
317	127.0.0.1 localhost myhost
318	xxx.xxx.xxx.xxx myhost.mydomain.tld myhost
319	</pre></div><br><br></dd>
320	</dl>
321	<hr><h2>2. Build and install</h2>
322	<dl>
323	<dt><b><a name="Build and install0">2.1. [Fedora Core] Cannot compile with --enable-khide</a></b></dt>
324	<dd>The Fedora Core kernel is patched to unconditionally deny reading
325	from /dev/kmem. Compiling the stealth kernel modules is not possible
326	under these circumstances.<br><br></dd>
327	<dt><b><a name="Build and install1">2.2. [Fedora Core] Cannot compile with --with-kcheck</a></b></dt>
328	<dd>The Fedora Core kernel is patched to unconditionally deny reading
329	from /dev/kmem. Checking the kernel for the presence of rootkits is
330	not possible under these circumstances.<br><br></dd>
331	<dt><b><a name="Build and install2">2.3. "make" loops infinitely !</a></b></dt>
332	<dd>This may happen (e.g. when building via NFS for multiple architectures)
333	if the relative timestamps in the source directory are
334	wrong (time not in sync on different machines) or some intermediate
335	target is unusable (up-to-date, but built for a different OS). Use
336	"touch * && make distclean" in the source directory
337	to recover.<br><br></dd>
338	<dt><b><a name="Build and install3">2.4. Why does static compiling (<code>--enable-static</code>) on Solaris fail ?</a></b></dt>
339	<dd>Ingo Rogalsky has provided the following information: It isn't possible
340	to link Samhain statically with Solaris. This
341	is a Solaris issue (see Sun Infodoc ID12624) and not a samhain problem.<br><br></dd>
342	<dt><b><a name="Build and install4">2.5. Compilation fails with '/usr/bin/ld: cannot find -lnss_files'</a></b></dt>
343	<dd>For Linux, this is a known problem with --enable-static if you compile
344	in MySQL support. The problem is that the
345	<tt>mysql_config</tt> that comes as part of the MySQL
346	distribution script incorrectly lists dependencies on
347	the libnss_files and libnss_dns libraries which are only available as
348	shared libraries, so the linker cannot find the static libraries.
349
350	You can check this by inspecting the output of
351	<code>mysql_config --libs</code>. The version of
352	<tt>mysql_config</tt> that comes with the RedHat mysql
353	RPM (RedHat 9) does not have this bug; the one distributed by the MySQL
354	people has. You can fix the problem by editing
355	<tt>mysql_config</tt>: search for the
356	<i>client_libs</i> variable, and remove all instances
357	of <i>-lnss_files</i> and <i>-lnss_dns</i>.<br><br></dd>
358	<dt><b><a name="Build and install5">2.6. The executable is corrupted after installation</a></b></dt>
359	<dd>The executable will get stripped during the installation. On
360	suitable systems (i386 Linux/FreeBSD currently), additionally
361	the "sstrip"
362	utility (copyright 1999 by Brian Raiter, under the GNU GPL)
363	will be used to strip the executable even more, to prevent
364	debugging with the GNU "gdb" debugger.
365	The "strip" utility cannot handle the resulting
366	executable, therefore trying to strip manually after installation
367	will corrupt the executable.<br><br></dd>
368	<dt><b><a name="Build and install6">2.7. --enable-xml-log has no effect</a></b></dt>
369	<dd>If you have compiled for stealth, you won't see much, because if
370	obfuscated, then both a 'normal' and an XML logfile look,
371	well ... obfuscated. Use <code>samhain -jL /path/to/logfile</code>
372	to view the logfile.<br><br></dd>
373	<dt><b><a name="Build and install7">2.8. ./install-sh: strip: not found (Solaris)</a></b></dt>
374	<dd>Install the SUNWbtool package.<br><br></dd>
375	</dl>
376	<hr><h2>3. File checking</h2>
377	<dl>
378	<dt><b><a name="File checking0">3.1. How can I exclude a (sub-)directory ?</a></b></dt>
379	<dd><div class="block"><pre>
380	[IgnoreAll]
381	dir=-1/ignore/this/subdirectory
382	</pre></div><br><br></dd>
383	<dt><b><a name="File checking1">3.2. In messages about policy violations, what does the code after POLICY [XYZ]
384	mean ?</a></b></dt>
385	<dd>This code indicates which items are modified (e.g. C = checksum). You can
386	find a description in section 5.4.9 in the user manual. It is there because
387	then you can see in the message list of the Beltane web console what has been
388	modified, without the need to look at the message in detail.<br><br></dd>
389	<dt><b><a name="File checking2">3.3. Does samhain support prelink ?</a></b></dt>
390	<dd>Yes. There is a special checking policy [Prelink]. Directories with
391	prelinked executables / shared libraries (see /etc/prelink.conf) should be
392	placed under this policy, rather than under the [ReadOnly] policy.<br><br></dd>
393	<dt><b><a name="File checking3">3.4. I get error messages about 'subdirectory count != hardlinks'</a></b></dt>
394	<dd>Some filesystems do not always follow the rule that the number
395	of directory
396	hardlinks equals the number of subdirectories. E.g. the root directory of
397	reiserfs partitions generally seems to have two additional hardlinks.
398	To account for such exceptions, you can either switch off the
399	hardlink check globally, or specify exceptions:
400	<div class="block"><pre>
401	[Misc]
402	# Switch off hardlink check
403	#
404	UseHardlinkCheck=no
405	</pre></div>
406	<div class="block"><pre>
407	[Misc]
408	# Specify exceptions for the hardlink check
409	#
410	HardlinkOffset=N:/path
411	</pre></div>
412	Here, N is the numerical offset (actual - expected hardlinks) for
413	'/path'. For multiple exceptions, use
414	this options multiple times (note that '/path N:/path2' would itself be a valid
415	path, so using the option only once with multiple exceptions on the same line
416	would be ambiguous).<br><br></dd>
417	</dl>
418	<hr><h2>4. Client/Server</h2>
419	<dl>
420	<dt><b><a name="Client/Server0">4.1. I don't want to poke a hole into my firewall to let the client connect to the server !</a></b></dt>
421	<dd>Pat Smith has posted the following solution. On the client, create
422	an iptable rule as follows (<i>note: you probably don't need this if you
423	configure / compile in 127.0.0.1 as the server address</i>):
424	<div class="block"><pre>
425	iptables -t nat -A OUTPUT -p tcp -m tcp --dport 49777 -d <i>server-ip</i> -j REDIRECT
426	</pre></div>
427
428	On the server, create an ssh tunnel for each client outside the firewall:
429
430	<div class="block"><pre>
431	ssh -f -C -R 49777:localhost:49777 -N <i>client-ip</i>
432	</pre></div>
433
434	It is necessary that each client has a distinct name, and that the server
435	knows the name of the client. With the setup above, each client will appear
436	as "localhost" to the server, thus the server
437	needs to trust the client name
438	as reported by the client itself, and suppress all eroors on resolving
439	this name to the apparent address. In the server configuration:
440
441	<div class="block"><pre>
442	[Misc]
443	SetClientFromAccept = false
444	SeverityLookup = debug
445	</pre></div>
446
447	Obviously, self-resolving must work on the client machine, otherwise
448	you are in trouble (see next issue).<br><br></dd>
449	<dt><b><a name="Client/Server1">4.2. The client sends 127.0.0.1 (or some other numerical address) as its name to the log server</a></b></dt>
450	<dd>See 'Client cannot self-resolve' in the 'Most frequently' section<br><br></dd>
451	<dt><b><a name="Client/Server2">4.3. The server wants to send rc.ip-adress rather than rc.fqdn to the client</a></b></dt>
452	<dd>The client self-resolves to its ip address.
453	See 'Client cannot self-resolve' in the 'Most frequently' section<br><br></dd>
454	<dt><b><a name="Client/Server3">4.4. Cannot resolve client name host=XXX</a></b></dt>
455	<dd><div class="block"><pre>
456	The server must be able to determine the client name.
457	This is because only authenticated connections from registered
458	clients are allowed, and
459	the server must be able to check the client hostname against the list of
460	allowed hosts, and look up the password verifier for that
461	host.
462	</pre></div>
463	There are two different ways to accomplish this. Unfortunately, judging
464	from customer feedback as well from common sense, both do not work very well
465	with a messed up local DNS (including /etc/hosts files) and/or
466	überparanoid or misconfigured firewalls (in case of connections
467	across one).
468	<ul>
469	<li>
470	<p>
471	<i>First method: Determine client name on client, and
472	try to cross-check on server</i>
473	<p>
474	<p>
475	This does not work for a number of people because (1) the
476	<tt>/etc/hosts</tt> file on the client machine has errors
477	(yes, there are plenty machines with a completely
478	messed up <tt>/etc/hosts</tt> file), (2) the
479	server cannot resolve the client address because the local DNS is
480	f***ed up, or (3) the client machine has multiple network interfaces, and
481	the interface used is not the one the client name resolves to.
482	</p>
483	<p>
484	If the client uses the wrong interface on a multi-interface machine,
485	there is a config file option
486	<tt>SetBindAddress=</tt><i>IP address</i>
487	that allows to choose the interface the client will use for
488	outgoing connections.
489	</p>
490	<p>
491	If you want to download the config file from the server, you
492	should instead use the corresponding command line
493	<tt>--bind-address=</tt><i>IP address</i>
494	to select the interface.
495	</p>
496
497	<p>
498	If you encounter problems, you may (1) fix your
499	<tt>/etc/hosts</tt> file(s), (2) fix your local DNS, or
500	(3) switch to the second method.
501	</p>
502	<p>
503	Errors in name resolving/cross-checking can be avoided by setting a
504	very low severity (lower than the logging threshold), e.g.
505	</p>
506	<p>
507	<tt>SeverityLookup=</tt><i>debug</i>
508	</p>
509	<p>
510	in the <i>Misc</i> section of the server configuration,
511	if you prefer running <i>unsafe</i> at any speed
512	instead of fixing the problem (you have been warned). Doing so will
513	allow an attacker to pose as the client.
514	</p>
515	</li>
516	<li>
517	<p><i>Second method: Use address of connecting entity as
518	known to the communication layer</i></p>
519	<p>
520	This has been dropped as default
521	long ago because it may not always be the
522	address of the client machine.
523	To enable this method, use
524	</p>
525	<p>
526	<tt>SetClientFromAccept=</tt><i>true</i>
527	</p>
528	<p>
529	in the <i>Misc</i> section of the server configuration
530	file. If the address cannot be resolved, or reverse lookup of the
531	resolved name fails, <i>no</i> error message will be issued,
532	but the numerical address will be used.
533	</p>
534	</li>
535	</ul><br><br></dd>
536	<dt><b><a name="Client/Server4">4.5. Cannot resolve socket peer IP for client host=XXX peer=YYY</a></b></dt>
537	<dd>See above<br><br></dd>
538	<dt><b><a name="Client/Server5">4.6. Reverse lookup of socket peer failed host=XXX peer=YYY obj=ZZZ</a></b></dt>
539	<dd>See above<br><br></dd>
540	<dt><b><a name="Client/Server6">4.7. No socket peer alias matches client name host=XXX peer=YYY</a></b></dt>
541	<dd>See above<br><br></dd>
542	<dt><b><a name="Client/Server7">4.8. Session key negotiation failed</a></b></dt>
543	<dd>See the document <a href="HOWTO-client+server-troubleshooting.html">HOWTO client+server troubleshooting</a><br><br></dd>
544	<dt><b><a name="Client/Server8">4.9. Invalid connection attempt: Not in client list</a></b></dt>
545	<dd>See the document <a href="HOWTO-client+server-troubleshooting.html">HOWTO client+server troubleshooting</a><br><br></dd>
546	<dt><b><a name="Client/Server9">4.10. Invalid connection attempt: Session key mismatch</a></b></dt>
547	<dd>See the document <a href="HOWTO-client+server-troubleshooting.html">HOWTO client+server troubleshooting</a><br><br></dd>
548	<dt><b><a name="Client/Server10">4.11. How do I update the file signature database ?</a></b></dt>
549	<dd>If you keep the file signature database on the server,
550	the database is supposed to be updated on the server, using the
551	<a href="http://www.la-samhna.de/beltane/">beltane</a>
552	web-based console (currently in beta) and the
553	log messages from the client.
554	<p>
555	Alternatively, you can <code>scp</code> the database
556	to the client, run <code>samhain -t update -l none</code> (you
557	need to avoid logging because otherwise you will get in conflict with
558	the running samhain daemon), and then <code>scp</code> the
559	database back to the server. Actually, with a properly set up
560	"ssh", using RSA/DSA authentication
561	and ssh-agent you could write a script to automate this.<br><br></dd>
562	<dt><b><a name="Client/Server11">4.12. Time limit exceeded</a></b></dt>
563	<dd>The respective client for that this message is generated has not
564	sent anything for some interval of time (default 84600 sec = 1 day).
565	The interval can be set as follows:
566	<div class="block"><pre>
567	[Misc]
568	# unit is seconds
569	SetClientTimeLimit=NNN
570	</pre></div>
571
572	This feature has the purpose to detect if a client is dead. You
573	might want to ensure that timestamps are sent to the server:
574	<div class="block"><pre>
575	[Log]
576	ExportSeverity=mark
577	</pre></div>
578	If you don't want to use this feature, set the time limit to some
579	very large value.<br><br></dd>
580	<dt><b><a name="Client/Server12">4.13. Invalid connection attempt: Signature mismatch</a></b></dt>
581	<dd>Clients sign their messages using a session key negotiated
582	with the server. The message indicates that the server could
583	not verify the signature. This may be caused by a running two
584	instances of samhain on the same client machine, both of them
585	accessing the server (and negotiating different session keys
586	...). The system will recover automatically from the problem
587	by forcing the failed client to negotiate a fresh session key.<br><br></dd>
588	<dt><b><a name="Client/Server13">4.14. [Server] PANIC .. Address already in use   subroutine=bind</a></b></dt>
589	<dd>The server cannot bind to its port because the port is already used.
590	Maybe you have accidentially already an instance of the
591	server running.<br><br></dd>
592	</dl>
593	<hr><h2>5. Email</h2>
594	<dl>
595	<dt><b><a name="Email0">5.1. Reverse lookup failed</a></b></dt>
596	<dd>Fix your DNS (reverse lookup: numerical IP address to FQDN, to verify
597	FQDN to numerical IP address).
598	<div class="block"><pre>
599	Whether "nslookup" works is not very informative, because
600	"nslookup" does not use the resolver library of the operating
601	system. Therefore,
602	it is not exactly the
603	best tool for debugging name resolving problems (see the book
604	"DNS and bind").
605	</pre></div><br><br></dd>
606	<dt><b><a name="Email1">5.2. From daemon@example.com</a></b></dt>
607	<dd>samhain fails to resolve the
608	self-address of the host.
609	See 'Client cannot self-resolve' in the 'Most frequently' section.<br><br></dd>
610	<dt><b><a name="Email2">5.3. How do I define more than one email addresses ?</a></b></dt>
611	<dd>Use <tt>SetMailAddress=...</tt> multiple times (upt to eight addresses
612	are possible, with at most 63 characters per address):
613	<div class="block"><pre>
614	[Misc]
615	SetMailAddress=aaa@foo.com
616	SetMailAddress=bbb@foo.com
617	</pre></div><br><br></dd>
618	</dl>
619	<hr><h2>6. Misc</h2>
620	<dl>
621	<dt><b><a name="Misc0">6.1. Error message: "Invalid line XYZ in configuration file"</a></b></dt>
622	<dd>This message indicates that line XYZ in the configuration file contains
623	an unrecognized directive. The primary reasons are:<br />
624
625	(a) The directive should be placed into a particular section of the
626	configuration file, but the section header is not present (or you forgot
627	to uncomment it).<br />
628
629	(b) Samhain is compiled without support for this directive.<br />
630
631	(c) You have a typo in the directive.<br /><br><br></dd>
632	<dt><b><a name="Misc1">6.2. Why do I get a local logfile if I log to the server ?</a></b></dt>
633	<dd>Because you can use all log facilities in parallel. You should
634	switch off in the config file what you don't want/need:
635	<div class="block"><pre>
636	[Log]
637	# local log file
638	LogSeverity=none
639	</pre></div><br><br></dd>
640	<dt><b><a name="Misc2">6.3. Why is there no NIS support with a static samhain executable on Linux ?</a></b></dt>
641	<dd>Some functions (including NIS) require
642	libraries that are only available as shared libraries
643	with modern GLIBC versions. While you can always compile a static
644	executable, normally it would still open the shared library at runtime.
645	As of version 1.8.11, samhain avoids this by providing replacement
646	functions from uClibc. However, these do not include NIS support.<br><br></dd>
647	<dt><b><a name="Misc3">6.4. Why do I get hundreds of messages about modified CTIME ?</a></b></dt>
648	<dd>This happens because some
649	backup applications reset the atime/mtime timestamps, which causes
650	the ctime timestamp to be modified (rootkits avoid this by
651	temporarily resetting the system clock to the original ctime ...).
652	<p>
653	To fix this problem, read the manual of your backup application, or
654	redefine the ReadOnly policy to <i>not</i> check
655	the ctime timestamp:
656	<div class="block"><pre>
657	[Misc]
658	RedefReadOnly=-CTM
659	</pre></div>
660	<div class="warnblock"><pre>
661	Order matters - you must <i>first</i> redefine
662	ReadOnly <i>before</i> you use it
663	</pre></div><br><br></dd>
664	<dt><b><a name="Misc4">6.5. PANIC — File not accessible</a></b></dt>
665	<dd>Most likely permission denied because of unsufficient privileges.<br><br></dd>
666	<dt><b><a name="Misc5">6.6. How can I avoid error messages for invalid UIDs (no such user) ?</a></b></dt>
667	<dd>Set SeverityNames to a low value
668	<div class="block"><pre>
669	[EventSeverity]
670	SeverityNames=debug
671	</pre></div><br><br></dd>
672	<dt><b><a name="Misc6">6.7. [Redhat] The /etc/init.d/(samhain\|yule) init script hangs</a></b></dt>
673	<dd>Redhat uses "initlog" (see
674	<code>man initlog</code>) in initscripts. If it hangs, most probably
675	samhain/yule runs in the foreground rather than as daemon. Set
676	daemon mode in the configuration file:
677	<div class="block"><pre>
678	[Misc]
679	Daemon=yes
680	</pre></div><br><br></dd>
681	<dt><b><a name="Misc7">6.8. The /etc/init.d/(samhain\|yule) init script exits with: execvp: No such file or directory</a></b></dt>
682	<dd>Either the program is not installed, or it is not in the PATH (the one
683	used by the init script, which may be different from your PATH).<br><br></dd>
684	<dt><b><a name="Misc8">6.9. Why am I not receiving the "BEGIN LOGKEY" message by email ?</a></b></dt>
685	<dd>This message (which contains the key to verify the log file) is generated
686	when logging to the log file starts. It has the severity "ALRT",
687	thus you should make sure that you have set the logging threshold for
688	email correctly to receive it.<br><br></dd>
689	<dt><b><a name="Misc9">6.10. Why does console logging fail if I compile with
690	<code>--enable-(micro-)stealth</code> ?</a></b></dt>
691	<dd>The default logging options are more "stealthy". Set the
692	threshold explicitely rather than relying on the default.<br><br></dd>
693	<dt><b><a name="Misc10">6.11. I need a list for my schedule !</a></b></dt>
694	<dd>You can have the same effect with a list of schedules. See the section
695	"Timing file checks" in the manual.<br><br></dd>
696	<dt><b><a name="Misc11">6.12. The hiding kernel module has no effect !</a></b></dt>
697	<dd>Most probably you compiled using the wrong "System.map" file.<br><br></dd>
698	<dt><b><a name="Misc12">6.13. What does the message "Large lstat/open overhead" mean ?</a></b></dt>
699	<dd>Your system needs several seconds to proceed from an lstat() system call
700	to an open() system call. This is a tremenduous overhead, and
701	indicates that either your system has a really severe performance problem,
702	or someone tries to slow down samhain.<br><br></dd>
703	<dt><b><a name="Misc13">6.14. What does the message "Device not available path=/dev/random" mean ? I have /dev/random !</a></b></dt>
704	<dd>/dev/random blocks unless there is some entropy it can deliver. Samhain
705	will time out and fall back on /dev/urandom after some seconds to avoid
706	hanging for a potentially long time. It will try /dev/random again next
707	time it needs entropy.<br><br></dd>
708	<dt><b><a name="Misc14">6.15. Logging to an external program fails; the program receives no data
709	on stdin !</a></b></dt>
710	<dd>Probably your program is not designed to <i>wait for input</i>, but exits
711	if reading fails (because there is no data <i>yet</i>). You may want to
712	let your program wait for the terminating "[EOF]" line.<br><br></dd>
713	<dt><b><a name="Misc15">6.16. SIGILL on AIX</a></b></dt>
714	<dd>For each scanned file, samhain needs to
715	store some information in memory (e.g. to recognize changes that have
716	already been reported, and avoid duplicate reports). On AIX, if you are
717	checking a <i>really huge</i> number of files,
718	memory usage may exceed the default limit of 256 MB, and the process may
719	terminate with SIGILL.
720	<p>
721	The problem can be solved by linking with the flag
722	<code>-bmaxdata:0x80000000</code>. This allows the application to
723	access up to 8 segments (where each segment is 256MB).
724	<p>
725	If you are using gcc, you need to use instead
726	the flag <code>-Wl,bmaxdata:0x80000000</code>, which tells
727	gcc to pass on the
728	<i>bmaxdata</i>
729	flag to the AIX linker. You can use the LDFLAGS environment variable to
730	pass linker flags to the configure script:
731	<div class="block"><pre>
732	export LDFLAGS="-Wl,bmaxdata:0x80000000"
733	</pre></div><br><br></dd>
734	</dl>
735	<hr><h2>7. Database</h2>
736	<dl>
737	<dt><b><a name="Database0">7.1. Why are client messages corrupted / incompletely stored in the DB ?</a></b></dt>
738	<dd>Because the messages are not in XML format, and therefore incorrectly
739	parsed. The most frequent reasons are:
740	<div class="block"><pre>
741	1.) Your server is compiled with --enable-xml-log, but your client(s)
742	is/are not.
743
744	2.) In your client or server configuration file, you are using
745	the option for a custum message header, but without paying attention
746	to preserving the XML format.
747	</pre></div><br><br></dd>
748	<dt><b><a name="Database1">7.2. I want / don't want the server timestamps (for client messages) in the SQL database</a></b></dt>
749	<dd><div class="block"><pre>
750	[Database]
751	SetDBServerTstamp = true/false
752	</pre></div>
753
754	This will enable/disable logging of the server timestamp for client
755	messages. The server timestamp will be written to a seperate record,
756	with <i>log_ref</i> set to the value of
757	<i>log_index</i> of the corresponding client message.<br><br></dd>
758	<dt><b><a name="Database2">7.3. I don't want the client TIMESTAMP messages in the SQL database</a></b></dt>
759	<dd><div class="block"><pre>
760	Sending timestamps from the client allows the server to detect if
761	a client is not running anymore (use SetClientTimeLimit=NNN in the
762	[Misc] section of the server config file to set the number of seconds
763	after which the server will issue an error message if no timestamp has
764	been received).
765	</pre></div>
766
767	However, you might not want to log these timestamps to the database
768	(or other log facilities). To filter them, you can use two methods
769	(examples are for the SQL database).
770	The first
771	one has the disadvantage that only messages of
772	severity <i>err</i> or higher will be logged:
773	<div class="block"><pre>
774	[Misc]
775	UseClientSeverity=yes
776
777	[Log]
778	DatabaseSeverity=err
779	</pre></div>
780
781	The second method is more specific — log everything not
782	belonging to the STAMP class of messages:
783	<div class="block"><pre>
784	[Misc]
785	UseClientClass=yes
786
787	[Log]
788	DatabaseClass=PANIC RUN FIL TCP ERR ENET EINPUT
789	</pre></div><br><br></dd>
790	<dt><b><a name="Database3">7.4. What does the log_ref field mean ?</a></b></dt>
791	<dd>NULL are client messages. Nonzero integer is a server timestamp
792	for a client message (where log_ref indicates the log_index entry
793	number of the corresponding client message). Zero indicates a message
794	by the server itself (e.g. the server's start message).<br><br></dd>
795	</dl>
796	<hr>
797
798	<p>Copyright (c) 2004 Rainer Wichmann</p>
799
800	<p><i>This list of questions and answers was generated by
801	<a href="http://www.makefaq.org/">makefaq</a>.</i>
802
803	</div>
804	</body>
805	</html>

Note: See TracBrowser for help on using the repository browser.

Download in other formats: