samhain file integrity scanner | online documentation

Using Samhain on Windows

This document aims to explain how to compile and run samhain on Windows with the Cygwin POSIX emulation layer, and how to install it as a service. These instructions have been written by Kris Dom, who has tested this on WinXP Professional.

Interix / Services For UNIX

Samhain can also be used with Interix/SFU 3.5. Note that in Interix, the Windows filesystem is referred as /dev/fs/C, while in Cygwin it is /cygdrive/c (both refers to the C: drive; other drives are analogous).

Older versions of samhain would need to be built with ./configure --disable-mail (i.e. without support for email logging) because Interix does not provide some of the required functionality to build the email module. This issue should be fixed as of samhain version 2.0.7 (not tested).
[Based on information kindly provided by Geries Handal].

Cygwin installation procedure to compile samhain

Cygwin download

Make a temporary directory to store cygwin installer (e.g. c:\temp\cygwin)
Surf to http://www.cygwin.com to download cygwin
Use the "install or update now (using setup.exe)" to download the installer in c:\temp\cygwin
Execute "setup.exe" in c:\temp\cygwin
Choose the "download from the Internet" option
Choose "c:\temp\cygwin" as 'Local Package Directory'
Choose an FTP site
Click on 'Default' just after 'All' to change the installation type from 'Default' to 'Install'. This will most likely install way too much stuff but I am not familiar with Cygwin, so this way I know that all libs and compilers are installed.
Let it download the stuff (there is a lot to download so be patient).

Cygwin installation

When the download is complete you have the Cygwin software in the temporary directory, however, it still needs to be installed.
To install, execute the "setup.exe" in "c:\temp\cygwin"
Choose the "Install from local directory" option.
Choose "C:\Cygwin" as root directory (this will be the Unix '/')
Choose the Local Package Directory: "c:\temp\cygwin"
Click on 'Default' just after 'All' to change the installation type from 'Default' to 'Install'.
Let it install Cygwin (this will take some time so be patient).

Samhain install procedure (used 'samhain 1.8.7a' in this procedure)

(in the following procedure I use my personal preferences)

Start up Cygwin using the "Cygwin" icon on the desktop (a classic Unix environment will be started).
Download the 'samhain' gzip/tar (I always put in my home directory)
Make directories to install samhain (taking into account the configure options):
$ mkdir /usr/local/sbin
$ mkdir /usr/local/var
$ mkdir /usr/local/log
$ mkdir /usr/local/tmp
Go to the home directory:
$ cd $HOME
Un-gzip and untar the samhain package:
$ gunzip samhain-1.8.7a.tar.gz
$ tar xvf samhain-1.8.7a.tar
Go to the samhain directory:
$ cd samhain-1.8.7a
Configure:
$ ./configure --enable-xml-log=yes --with-tmp-dir=/usr/local/tmp --with-config-file=/usr/local/etc/samhainrc --with-log-file=/usr/local/log/samhain.log --with-pid-file=/usr/local/var/samhain.pid --with-state-dir=/usr/local/var
Make the binary:
$ make
Install samhain:
$ make install
Now configure the "/usr/local/etc/samhainrc" file.
Remember: "C:\" -> "/cygdrive/c/"
Initialize the samhain local baseline database:
$ /usr/local/sbin/samhain -t init
Start it up:
$ /usr/local/sbin/samhain -t check

Cygwin minimal installation procedure to run samhain

Files needed to create a service (from NT/W2K Resource Kit):
- instsrv.exe
- srvany.exe
First copy these files to the "%winnt%\system32" directory.
Files needed to run the 'samhain.exe'. Copy the following .dll from the Cygwin setup (c:\Cygwin\bin) to the "%winnt%\system32" directory:
- cygwin1.dll
- cygminires.dll
Create a directory structure for samhain (following the compilation options you used)
- in a DOS box (or via Windows Explorer)
mkdir c:\usr
mkdir c:\usr\local
mkdir c:\usr\local\sbin
mkdir c:\usr\local\var
mkdir c:\usr\local\tmp
mkdir c:\usr\local\log
mkdir c:\usr\local\etc
Use the "instsrv.exe" binary to create a new service:
instsrv.exe samhain c:\windows\system32\srvany.exe
(this will create a service called "Samhain" that will start the "srvany.exe" process).
Now edit the registry to change the startup parameters for the newly created service:
- regedit
- HKEY_LOCAL_MACHINE->SYSTEM->CurrentControlSet->Services->Samhain
- Add a String value (type: REG_SZ called: "Description") under the 'Samhain' key
- Open the newly created "Description" value and fill in a description for the 'Samhain' service
- Add a key to specify what file the "srvany.exe" process must start:
  Edit->New->Key called "Parameters"
- Under the newly created "Parameters" key, add a new String value called "Applications".
  The value for "Applications" should be "c:\usr\local\sbin\samhain.exe".
Make sure that in the "samhainrc" file, you have used "/cygdrive/c" to refer to "c:"
Initialize the samhain baseline database first:
c:\usr\local\sbin\samhain -t init
Reboot (it is Windows so ...)

Note: the first time I tried to install samhain as an NT service, I first installed a default Cygwin on the system. This however made things much more complex. I think when there is no Cygwin installed, it is more easy to install Samhain as a service.