source: trunk/docs/HOWTO-samhain-on-windows.html@ 322

Last change on this file since 322 was 307, checked in by katerina, 14 years ago

Fix for ticket #229 (malfunction on CentOS 4.8 / gcc4), documentation update.

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title>HOWTO Samhain on Windows</title>
<style type="text/css">
<!--

html { background: #eee; color: #000; }

body { background: #eee; color: #000; margin: 0; padding: 0;}

div.body {
 background: #fff; color: #000;
 margin: 0 1em 0 1em; padding: 1em;
 font-family: serif;
 font-size: 1em; line-height: 1.2em;
 border-width: 0 1px 0 1px;
 border-style: solid;
 border-color: #aaa;
}

div.block {
 background: #b6c5f2; color: #000;
 margin: 1em; padding: 0 1em 0 1em;
 border-width: 1px;
 border-style: solid;
 border-color: #2d4488;
}

div.warnblock {
 background: #b6c5f2; color: #000;
 margin: 1em; padding: 0 1em 0 1em;
 border-width: 1px;
 border-style: solid;
 border-color: #FF9900;
}

table {
 background: #F8F8F8; color: #000;
 margin: 1em;
 border-width: 0 0 0 1px;
 border-style: solid;
 border-color: #C0C0C0;
}

td {
 border-width: 0 1px 1px 0;
 border-style: solid;
 border-color: #C0C0C0;
}

th {
 background: #F8F8FF;
 border-width: 1px 1px 2px 0;
 border-style: solid;
 border-color: #C0C0C0;
}


/* body text, headings, and rules */

p { margin: 0; text-indent: 0em; margin: 0 0 0.5em 0 }

h1, h2, h3, h4, h5, h6 {
 color: #206020; background: transparent;
 font-family: Optima, Arial, Helvetica, sans-serif;
 font-weight: normal;
}

h1 { font-size: 1.69em; margin: 1.4em 0 0.4em 0; }
h2 { font-size: 1.44em; margin: 1.4em 0 0.4em 0; }
h3 { font-size: 1.21em; margin: 1.4em 0 0.4em 0; }
h4 { font-size: 1.00em; margin: 1.4em 0 0.4em 0; }
h5 { font-size: 0.81em; margin: 1.4em 0 0.4em 0; }
h6 { font-size: 0.64em; margin: 1.4em 0 0.4em 0; }

hr {
 color: transparent; background: transparent;
 height: 0px; margin: 0.6em 0;
 border-width: 1px ;
 border-style: solid;
 border-color: #999;
}

/* bulleted lists and definition lists */

ul { margin: 0 1em 0.6em 2em; padding: 0; }
li { margin: 0.4em 0 0 0; }

dl { margin: 0.6em 1em 0.6em 2em; }
dt { color: #285577; }

tt { color: #602020; }

/* links */

a.link {
 color: #33c; background: transparent;
 text-decoration: none;
}

a:hover {
 color: #000; background: transparent;
}

body > a {
 font-family: Optima, Arial, Helvetica, sans-serif;
 font-size: 0.81em;
}

h1, h2, h3, h4, h5, h6 {
 color: #2d5588; background: transparent;
 font-family: Optima, Arial, Helvetica, sans-serif;
 font-weight: normal;
}

 -->
</style></head>
<body>
<div class="body">
<p style="text-align: center; background: #ccc; border: 1px solid #2d5588;"><a
 style="text-decoration: none;"
 href="http://www.la-samhna.de/samhain/">samhain file integrity
 scanner</a>&nbsp;|&nbsp;<a style="text-decoration: none;"
 href="http://www.la-samhna.de/samhain/s_documentation.html">online
 documentation</a></p>
<br><center>
<h1>Using Samhain on Windows</h1>
</center>
<br>
<hr>
<p>
This document explains how to compile and run
samhain on Windows with the
<b>Cygwin</b> POSIX emulation layer, and how to install it as a Windows service.
These instructions were written by Kris Dom,
who tested them on WinXP Professional, with additions by Geries Handal
and Jorge Morgado.
</p>
<div class="block">
<h3>Interix / Services For UNIX</h3>
<p>
Samhain can also be used with Interix/SFU 3.5. Note that in Interix,
the Windows
filesystem is referred to as <tt>/dev/fs/C</tt>, while in Cygwin it
is <tt>/cygdrive/c</tt> (both refer to the <tt>C:</tt> drive; other drives
are analogous).
</p><p>
Older versions of samhain had to be built with
<tt>./configure&nbsp;--disable-mail</tt> (i.e. without support for email
logging) because Interix does not provide some of the functionality required
to build the email module. This issue should be fixed as of samhain
version 2.0.7 (not tested).<br />
[Based on information kindly provided by Geries Handal].
</p>
</div>

<h2>Cygwin installation procedure to compile samhain</h2>

<h3>Cygwin download</h3>

<ul>
<li>
Make a temporary directory to store the Cygwin installer (e.g. c:\temp\cygwin)
</li>
<li>
Surf to <a href="http://www.cygwin.com">http://www.cygwin.com</a>
to download Cygwin
</li>
<li>
Use the &quot;install or update now (using setup.exe)&quot; link to
download the installer into c:\temp\cygwin
</li>
<li>
Execute &quot;setup.exe&quot; in c:\temp\cygwin
</li>
<li>
Choose the &quot;download from the Internet&quot; option
</li>
<li>
Choose &quot;c:\temp\cygwin&quot; as 'Local Package Directory'
</li>
<li>
Choose an FTP site
</li>
<li>
Click on 'Default' just after 'All' to change the installation type
from 'Default' to 'Install'. This will most likely install way too much
stuff but I am not familiar with Cygwin, so this way I know that all libs and
compilers are installed.
</li>
<li>
Let it download the stuff (there is a lot to download so be patient).
</li>
</ul>
<div class="block">
<p>
You don't need to download and install All packages. It is enough to keep
the Default and then add the following additional packages:
</p>
<p>
 Category Devel -&gt; gcc: C compiler upgrade helper<br/>
 Category Devel -&gt; make: The GNU version of the 'make' utility<br/>
 Category Libs -&gt; minires: A simple synchronous non caching stub resolver<br/>
</p>
<p>
When selecting these packages, the Cygwin installer will automatically add
other packages based on their dependencies.
The package minires is only necessary for a minimal Cygwin installation
(below). [Kindly pointed out by Jorge Morgado].
</p>
</div>
<h3>Cygwin installation</h3>

<ul>
<li>
When the download is complete you have the Cygwin software in the
temporary directory; however, it still needs to be installed.
</li>
<li>
To install, execute the &quot;setup.exe&quot; in &quot;c:\temp\cygwin&quot;
</li>
<li>
Choose the &quot;Install from local directory&quot; option.
</li>
<li>
Choose &quot;C:\Cygwin&quot; as root directory (this will be the Unix '/')
</li>
<li>
Choose the Local Package Directory: &quot;c:\temp\cygwin&quot;
</li>
<li>
Click on 'Default' just after 'All' to change the installation type
from 'Default' to 'Install'.
</li>
<li>
Let it install Cygwin (this will take some time so be patient).
</li>
</ul>

<h3>Samhain install procedure (used 'samhain 1.8.7a' in this procedure)</h3>
<p>
(in the following procedure I use my personal preferences)
</p>

<ul>
<li>
Start up Cygwin using the &quot;Cygwin&quot; icon on the desktop (a classic
Unix environment will be started).
</li>
<li>
Download the 'samhain' gzip/tar (I always put it in my home directory)
</li>
<li>
Make directories to install samhain (taking into account the configure
options):<br />
&nbsp; &nbsp;<tt>$ mkdir /usr/local/sbin</tt><br />
&nbsp; &nbsp;<tt>$ mkdir /usr/local/var</tt><br />
&nbsp; &nbsp;<tt>$ mkdir /usr/local/log</tt><br />
&nbsp; &nbsp;<tt>$ mkdir /usr/local/tmp</tt><br />
</li>
<li>Go to the home directory:<br />
&nbsp; &nbsp;<tt>$ cd $HOME</tt>
</li>
<li>Un-gzip and untar the samhain package:<br />
&nbsp; &nbsp;<tt>$ gunzip samhain-1.8.7a.tar.gz</tt><br />
&nbsp; &nbsp;<tt>$ tar xvf samhain-1.8.7a.tar</tt><br />
</li>
<li>Go to the samhain directory:<br />
&nbsp; &nbsp;<tt>$ cd samhain-1.8.7a</tt><br />
</li>
<li>Configure:<br />
&nbsp; &nbsp;<tt>$ ./configure --enable-xml-log=yes --with-tmp-dir=/usr/local/tmp --with-config-file=/usr/local/etc/samhainrc --with-log-file=/usr/local/log/samhain.log --with-pid-file=/usr/local/var/samhain.pid --with-state-dir=/usr/local/var</tt><br />
<div class="block">
<p>
In my experience, the paths given in the 'configure' command should refer to
the Cygwin filesystem view, i.e. <tt>/cygdrive/c/...</tt>, otherwise
samhain may not work from a pure DOS shell, and may not run as a Windows
service [Rainer Wichmann].
</p>
</div>
</li>
<li>Make the binary:<br />
&nbsp; &nbsp;<tt>$ make</tt><br />
</li>
<li>Install samhain:<br />
&nbsp; &nbsp;<tt>$ make install</tt><br />
</li>
<li>Now configure the &quot;/usr/local/etc/samhainrc&quot; file.<br />
Remember: &quot;C:\&quot; -&gt; &quot;/cygdrive/c/&quot;
</li>
<li>Initialize the samhain local baseline database:<br />
&nbsp; &nbsp;<tt>$ /usr/local/sbin/samhain -t init</tt><br />
</li>
<li>Start it up:<br />
&nbsp; &nbsp;<tt>$ /usr/local/sbin/samhain -t check</tt><br />
</li>
</ul>
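<p>
The build procedure above, scripted as an added example (it is not part of
this HOWTO and not samhain project code): a POSIX shell script for the Cygwin
shell that converts a Windows install root such as <tt>C:\usr\local</tt> into
its Cygwin form, derives the <tt>./configure</tt> options from it so that every
path is a <tt>/cygdrive/c/...</tt> path as the note on Cygwin-style paths
recommends, and runs unpack, configure, make and make install when invoked as
<tt>sh build-samhain.sh build</tt>. The script name, the default install root
and the tarball location are assumptions; the configure options themselves are
the ones used above.
</p>

```shell
#!/bin/sh
# Added example; not part of the HOWTO and not samhain project code.
# Builds samhain under Cygwin with the configure options used above, but
# derives every path from a Windows install root (default C:\usr\local,
# an assumption) so that all of them are /cygdrive/c/... paths, which is
# what the note on Cygwin-style paths recommends.
# Usage: sh build-samhain.sh build [tarball] [install-root]

# Convert a Windows drive path (C:\usr\local) to its Cygwin form
# (/cygdrive/c/usr/local). Only drive-letter paths are handled; the drive
# letter is lower-cased the way Cygwin spells it.
win2cyg() {
    case "$1" in
        [A-Za-z]:*) ;;
        *) echo "win2cyg: not a drive path: $1" >&2; return 1 ;;
    esac
    drive=$(printf '%s' "$1" | cut -c1 | tr 'A-Z' 'a-z')
    # drop "C:", turn backslashes into slashes, strip a leading slash
    rest=$(printf '%s' "$1" | cut -c3- | tr '\\' '/' | sed 's|^/||')
    printf '/cygdrive/%s/%s\n' "$drive" "$rest"
}

# Print the ./configure options from the HOWTO, one per line, with all
# paths rooted at the Cygwin form of the given Windows install root.
samhain_configure_args() {
    cfgroot=$(win2cyg "$1") || return 1
    cfgroot=${cfgroot%/}
    printf '%s\n' \
        "--enable-xml-log=yes" \
        "--with-tmp-dir=$cfgroot/tmp" \
        "--with-config-file=$cfgroot/etc/samhainrc" \
        "--with-log-file=$cfgroot/log/samhain.log" \
        "--with-pid-file=$cfgroot/var/samhain.pid" \
        "--with-state-dir=$cfgroot/var"
}

# Unpack, configure, build and install. Only runs when the script is
# invoked with "build", so the helpers above can be sourced or tested
# without a samhain tarball present.
build_samhain() {
    tarball=$1
    [ -n "$tarball" ] || tarball="$HOME/samhain-1.8.7a.tar.gz"
    root=$2
    [ -n "$root" ] || root='C:\usr\local'
    cygroot=$(win2cyg "$root"); cygroot=${cygroot%/}
    for d in sbin var log tmp etc; do
        mkdir -p "$cygroot/$d"
    done
    srcdir=$(basename "$tarball" .tar.gz)
    tar xzf "$tarball" -C "$HOME"
    cd "$HOME/$srcdir" || return 1
    # collect the options into the positional parameters so that a path
    # containing spaces survives intact
    set --
    while IFS= read -r opt; do
        set -- "$@" "$opt"
    done <<EOF
$(samhain_configure_args "$root")
EOF
    ./configure "$@"
    make
    make install
}

if [ "${1:-}" = "build" ]; then
    build_samhain "${2:-}" "${3:-}"
fi
```

<p>
Running the script with no argument only defines the helpers, so
<tt>. ./build-samhain.sh</tt> followed by <tt>samhain_configure_args 'C:\usr\local'</tt>
shows the exact option list before anything is compiled.
</p>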


<h2>Cygwin minimal installation procedure to run samhain</h2>

<ul>
<li>
Files needed to create a service (from the NT/W2K Resource Kit):
 <ul>
 <li>
 instsrv.exe
 </li>
 <li>
 srvany.exe
 </li>
 </ul>
</li>
<li>
First copy these files to the &quot;%winnt%\system32&quot; directory.
</li>
<li>
Files needed to run 'samhain.exe'. Copy the following DLLs from the
Cygwin setup (c:\Cygwin\bin) to the &quot;%winnt%\system32&quot; directory:
 <ul>
 <li>
 cygwin1.dll
 </li>
 <li>
 cygminires.dll
 </li>
 </ul>
</li>
<li>
Files needed from c:\Cygwin\bin to create the /etc/passwd and /etc/group files:
 <ul>
 <li>
 mkpasswd.exe
 </li>
 <li>
 mkgroup.exe
 </li>
 </ul>
<p>
To generate these files on a minimal Cygwin installation, execute the following
in a Windows Command Prompt:
</p><p>
&nbsp; &nbsp;<tt>mkdir c:\etc</tt><br />
&nbsp; &nbsp;<tt>path\to\mkpasswd.exe -l &gt; c:\etc\passwd</tt><br />
&nbsp; &nbsp;<tt>path\to\mkgroup.exe -l &gt; c:\etc\group</tt>
</p><p>
IMPORTANT NOTE: You should re-create these two files each time the
Windows user and group account database changes. Failing to do this
might generate critical log messages (depending on your configuration
file).
</p>
</li>
<li>
Create a directory structure for samhain (following the compilation options
you used)<br />
&nbsp; &nbsp;- in a DOS box (or via Windows Explorer)<br />
&nbsp; &nbsp;<tt>mkdir c:\usr</tt><br />
&nbsp; &nbsp;<tt>mkdir c:\usr\local</tt><br />
&nbsp; &nbsp;<tt>mkdir c:\usr\local\sbin</tt><br />
&nbsp; &nbsp;<tt>mkdir c:\usr\local\var</tt><br />
&nbsp; &nbsp;<tt>mkdir c:\usr\local\tmp</tt><br />
&nbsp; &nbsp;<tt>mkdir c:\usr\local\log</tt><br />
&nbsp; &nbsp;<tt>mkdir c:\usr\local\etc</tt><br />
</li>
<li>
Use the &quot;instsrv.exe&quot; binary to create a new service:<br />
&nbsp; &nbsp;<tt>instsrv.exe samhain c:\windows\system32\srvany.exe</tt><br />
&nbsp; &nbsp;(this will create a service called &quot;Samhain&quot; that will
start the &quot;srvany.exe&quot; process).
</li>
<li>Now edit the registry to change the startup parameters for the newly
created service:
 <ul>
 <li>regedit</li>
 <li>HKEY_LOCAL_MACHINE-&gt;SYSTEM-&gt;CurrentControlSet-&gt;Services-&gt;Samhain</li>
 <li>Add a String value (type: REG_SZ, called &quot;Description&quot;) under the 'Samhain' key</li>
 <li>Open the newly created &quot;Description&quot; value and fill in a description for the 'Samhain' service</li>
 <li>Add a key to specify what file the &quot;srvany.exe&quot; process must start:<br />
 &nbsp; &nbsp;Edit-&gt;New-&gt;Key called &quot;Parameters&quot;
 </li>
 <li>Under the newly created &quot;Parameters&quot; key, add a new String
 value called &quot;Application&quot;.<br />
 &nbsp; &nbsp;The value for &quot;Application&quot;
 should be &quot;c:\usr\local\sbin\samhain.exe&quot;.</li>
 </ul>
</li>
<li>
Make sure that in the &quot;samhainrc&quot; file you have used
&quot;/cygdrive/c&quot; to refer to &quot;c:&quot;
</li>
<li>
Initialize the samhain baseline database first:<br />
&nbsp; &nbsp;<tt>c:\usr\local\sbin\samhain -t init</tt><br />
</li>
<li>
Reboot (it is Windows so ...)
</li>
</ul>
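<p>
Because the <tt>passwd</tt> and <tt>group</tt> files must be regenerated
whenever the account database changes, it is worth scripting the step so it
can run from a scheduled task. The following is an added example (not from
this HOWTO and not samhain project code), written for the Cygwin shell: it
rewrites each file only when the <tt>mkpasswd -l</tt> / <tt>mkgroup -l</tt>
output actually differs, refuses to replace a file with empty output (a failed
generator would otherwise leave samhain with no account map at all), and
reports what it did. The <tt>ETCDIR</tt>, <tt>MKPASSWD</tt> and
<tt>MKGROUP</tt> variables, their defaults and the script name are assumptions.
</p>

```shell
#!/bin/sh
# Added example; not part of the HOWTO and not samhain project code.
# Regenerates the /etc/passwd and /etc/group files that samhain.exe needs
# on a minimal Cygwin installation, replacing each file only when the
# account database really changed. ETCDIR, MKPASSWD and MKGROUP are
# assumptions: point them at c:\etc and the copied mkpasswd/mkgroup
# binaries on your system. Usage: sh refresh-accounts.sh refresh

# refresh_if_changed 'GENERATOR COMMAND' TARGET
# Runs the generator, compares its output with TARGET and replaces the
# file only on a difference. Prints created / unchanged / updated.
# Fails without touching TARGET when the generator fails or emits nothing,
# so a broken run cannot leave samhain with an empty account map.
refresh_if_changed() {
    generator=$1
    target=$2
    tmp=$(mktemp "${target}.XXXXXX") || return 1
    if ! sh -c "$generator" > "$tmp"; then
        rm -f "$tmp"
        echo "refresh_if_changed: generator failed: $generator" >&2
        return 1
    fi
    if [ ! -s "$tmp" ]; then
        rm -f "$tmp"
        echo "refresh_if_changed: empty output, keeping $target" >&2
        return 1
    fi
    chmod 644 "$tmp"   # mktemp creates 0600; passwd/group are world-readable
    if [ ! -e "$target" ]; then
        mv "$tmp" "$target"; echo created
    elif cmp -s "$tmp" "$target"; then
        rm -f "$tmp"; echo unchanged
    else
        mv "$tmp" "$target"; echo updated
    fi
}

# Refresh both files the way the HOWTO generates them (mkpasswd -l / mkgroup -l).
refresh_cygwin_accounts() {
    etcdir=${ETCDIR:-/cygdrive/c/etc}
    mkdir -p "$etcdir"
    refresh_if_changed "${MKPASSWD:-mkpasswd} -l" "$etcdir/passwd"
    refresh_if_changed "${MKGROUP:-mkgroup} -l" "$etcdir/group"
}

if [ "${1:-}" = "refresh" ]; then
    refresh_cygwin_accounts
fi
```

<p>
The "updated" line is the one to watch in the task's log: it marks exactly the
runs after which samhain's view of users and groups changed, which is when the
critical messages mentioned above would otherwise start to appear.
</p>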
<div class="block">
<p>
It seems that starting, stopping and restarting the service does not work if samhain
is configured to run as a daemon, because the Windows service manager
cannot track the forked daemon process.
</p>
<p>Therefore, if you run Samhain as a Windows service, it might be better
to configure it as a 'normal' process which does not fork a daemon:
</p>
<ul>
 <li>
 Set 'Daemon = no' in the samhainrc configuration file.
 </li>
 <li>
 Edit the key HKEY_LOCAL_MACHINE-&gt;SYSTEM-&gt;CurrentControlSet-&gt;Services-&gt;Samhain-&gt;Parameters to add a string value named 'AppParameters', with
 the value '--forever'.
 </li>
</ul>
<p>
[Rainer Wichmann].
</p>
</div>
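<p>
To make the registry edits above reproducible, and to catch the daemon/service
mismatch described in the note, the following added example (not from this
HOWTO and not samhain project code) renders the service's registry entries as
a <tt>.reg</tt> file, escaping backslashes as that format requires, and reads
the <tt>Daemon</tt> setting from samhainrc, failing unless it is set to no.
Service name, description, file paths and the script name are assumptions; the
generated file is imported with regedit on the Windows side.
</p>

```shell
#!/bin/sh
# Added example; not part of the HOWTO and not samhain project code.
# Helpers for running samhain.exe under srvany.exe as described above:
#   render_service_reg  emits the service's registry entries as a .reg file
#                       (import it with regedit instead of typing them in)
#   check_service_rc    refuses to proceed unless samhainrc says "Daemon = no",
#                       the setting the note above pairs with AppParameters=--forever
# Service name, description and all paths are assumptions.
# Usage: sh samhain-service.sh render > samhain-service.reg

# Escape a REG_SZ value for a .reg file: backslashes and double quotes
# must be backslash-escaped, otherwise regedit mangles Windows paths.
reg_escape() {
    printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# render_service_reg SERVICE APPLICATION APPPARAMETERS DESCRIPTION
# REGEDIT4 is the ANSI .reg format, accepted by every regedit version.
render_service_reg() {
    key="HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\$1"
    printf 'REGEDIT4\n\n'
    printf '[%s]\n' "$key"
    printf '"Description"="%s"\n\n' "$(reg_escape "$4")"
    printf '[%s\\Parameters]\n' "$key"
    printf '"Application"="%s"\n' "$(reg_escape "$2")"
    printf '"AppParameters"="%s"\n' "$(reg_escape "$3")"
}

# samhainrc_get RCFILE KEY
# Prints the value of the first "Key = value" line in samhainrc (keys are
# case-insensitive, "#" starts a comment, section headers are skipped).
# Returns 1 when the key is not set anywhere.
samhainrc_get() {
    awk -v wanted="$2" '
        { sub(/#.*/, "") }              # strip comments
        /^[ \t]*\[/ { next }            # skip [Section] headers
        /=/ {
            k = substr($0, 1, index($0, "=") - 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (tolower(k) == tolower(wanted)) {
                v = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v; found = 1; exit
            }
        }
        END { exit found ? 0 : 1 }' "$1"
}

# check_service_rc RCFILE
# srvany can only start/stop a process it launched itself, so the
# configuration must not fork a daemon; --forever then keeps it running.
check_service_rc() {
    d=$(samhainrc_get "$1" Daemon) || d=""
    case "$(printf '%s' "$d" | tr 'A-Z' 'a-z')" in
        no|false|0) return 0 ;;
        *)
            echo "samhainrc: Daemon=${d:-<unset>}; set 'Daemon = no' and pass --forever via AppParameters" >&2
            return 1 ;;
    esac
}

if [ "${1:-}" = "render" ]; then
    render_service_reg Samhain 'c:\usr\local\sbin\samhain.exe' '--forever' \
        'Samhain file integrity scanner'
fi
```

<p>
<tt>check_service_rc</tt> treats an absent <tt>Daemon</tt> line as a failure on
purpose: the note recommends setting it explicitly, and an explicit
<tt>Daemon = no</tt> next to <tt>AppParameters = --forever</tt> documents why
the service is configured that way.
</p>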
<p>
Also see <a href="http://support.microsoft.com/kb/q137890/">http://support.microsoft.com/kb/q137890/</a> for information regarding the creation of a
user-defined service.
</p>
<p>
Note: the first time I tried to install samhain as an NT service, I first
installed a default Cygwin on the system. This however made things much more
complex. I think when there is no Cygwin installed, it is easier to install
Samhain as a service.
</p>


<h2>Troubleshooting samhain</h2>

<p>
[Rainer Wichmann] I had some problems at first getting it to run as a
Windows service. Some tips:
</p>
<ul>
 <li>
 Running samhain from a pure DOS shell (outside the Cygwin environment)
 helps to identify problems, in particular if it refuses to start
 as a Windows service.
 </li>
 <li>
 I found it necessary to put the <tt>cygwin1.dll</tt> DLL into the
 same directory as the <tt>samhain.exe</tt> executable. Also, you
 can use the command <tt>ldd ./samhain.exe</tt> to identify further
 Cygwin-specific DLLs that may be required (if any).
 </li>
 <li>
 Also, I found it necessary to use Cygwin-style paths
 (<tt>/cygdrive/c/...</tt>) in the './configure ..' command when
 compiling samhain.
 </li>
</ul>

<p>
[Tip from Jorge Morgado] If you, like me, have a Windows server that is not part of any domain and (for
security reasons) you have even turned off DNS resolution, you will probably get
the following error when initializing the baseline database:
</p>
<pre>
 --------- sh_unix.c --- 1487 ---------
 According to uname, your nodename is yourcomputername, but your resolver
 library cannot resolve this nodename to a FQDN.
 Rather, it resolves this to yourcomputername.
 For more information, see the entry about self-resolving under
 'Most frequently' in the FAQ that you will find in the docs/ subdirectory
 ----------------------------------------------
</pre>
<p>
To fix this problem, open the Registry Editor and create the following
entries under the key
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters
</p>
<p>
<tt>
Name: Domain<br/>
Type: REG_SZ<br/>
Data: your.domain.name
</tt>
</p><p>
<tt>
Name: NV Domain<br/>
Type: REG_SZ<br/>
Data: your.domain.name
</tt>
</p><p>
The NV Domain registry value contains the computer's primary DNS suffix,
while the Domain registry value contains the computer's primary DNS
domain. This will make the warning message go away.
</p>
</div>
</body>
</html>