[1] | 1 | .TH SAMHAIN 8 "07 August 2004" "" "Samhain manual"
|
---|
| 2 | .SH NAME
|
---|
| 3 | samhain \- check file integrity
|
---|
| 4 | .SH SYNOPSIS
|
---|
| 5 | .SS "INITIALIZING, UPDATING, AND CHECKING"
|
---|
| 6 | .PP
|
---|
| 7 |
|
---|
| 8 | .B samhain
|
---|
| 9 | {
|
---|
| 10 | .I \-t init|\-\-set\-checksum\-test=init
|
---|
| 11 | } [\-\-init2stdout] [\-r DEPTH|\-\-recursion=DEPTH] [log-options]
|
---|
| 12 |
|
---|
| 13 | .B samhain
|
---|
| 14 | {
|
---|
| 15 | .I \-t update|\-\-set\-checksum\-test=update
|
---|
[3] | 16 | } [\-D | \-\-daemon | \-\-foreground] [\-\-forever] [\-r DEPTH|\-\-recursion=DEPTH] [log-options]
|
---|
[1] | 17 |
|
---|
| 18 | .B samhain
|
---|
| 19 | {
|
---|
| 20 | .I \-t check|\-\-set\-checksum\-test=check
|
---|
| 21 | } [\-D | \-\-daemon | \-\-foreground] [\-\-forever] [\-r DEPTH,\-\-recursion=DEPTH] [log-options]
|
---|
| 22 |
|
---|
| 23 | .SS "LISTING THE DATABASE"
|
---|
| 24 | .PP
|
---|
| 25 |
|
---|
| 26 | .B samhain
|
---|
| 27 | [\-a | \-\-full\-detail]
|
---|
| 28 | [\-\-delimited]
|
---|
| 29 | \-d
|
---|
| 30 | .IR file |
|
---|
| 31 | .RI \-\-list\-database= file
|
---|
| 32 |
|
---|
| 33 | .SS "VERIFYING AN AUDIT TRAIL"
|
---|
| 34 | .PP
|
---|
| 35 |
|
---|
| 36 | .B samhain
|
---|
| 37 | [\-j | \-\-just\-list]
|
---|
| 38 | \-L
|
---|
| 39 | .IR logfile |
|
---|
| 40 | .RI \-\-verify\-log= logfile
|
---|
| 41 |
|
---|
| 42 | .B samhain
|
---|
| 43 | \-M
|
---|
| 44 | .IR mailbox |
|
---|
| 45 | .RI \-\-verify\-mail= mailbox
|
---|
| 46 |
|
---|
| 47 |
|
---|
| 48 | .SS "MISCELLANEOUS"
|
---|
| 49 | .PP
|
---|
| 50 |
|
---|
| 51 | .B samhain
|
---|
[27] | 52 | .RI \-\-server\-port= portnumber
|
---|
| 53 |
|
---|
| 54 | .B samhain
|
---|
[1] | 55 | \-H
|
---|
| 56 | .I string
|
---|
| 57 | |
|
---|
| 58 | .RI \-\-hash\-string= string
|
---|
| 59 |
|
---|
| 60 | .B samhain
|
---|
| 61 | \-c | \-\-copyright
|
---|
| 62 |
|
---|
| 63 | .B samhain
|
---|
[76] | 64 | \-v | \-\-version
|
---|
| 65 |
|
---|
| 66 | .B samhain
|
---|
[1] | 67 | \-h | \-\-help
|
---|
| 68 |
|
---|
| 69 | .B samhain
|
---|
| 70 | \-V key@/path/to/executable | \-\-add\-key=key@/path/to/executable
|
---|
| 71 |
|
---|
| 72 | .SS "SERVER STARTUP"
|
---|
| 73 | .PP
|
---|
| 74 |
|
---|
| 75 | .B yule
|
---|
| 76 | [\-q | \-\-qualified]
|
---|
| 77 | [
|
---|
| 78 | .RI \-\-chroot= chrootdir ]
|
---|
| 79 | [\-D | \-\-daemon | \-\-foreground]
|
---|
| 80 | [log-options]
|
---|
| 81 |
|
---|
| 82 | .SS "SERVER MISCELLANEOUS"
|
---|
| 83 | .PP
|
---|
| 84 |
|
---|
| 85 | .B yule
|
---|
| 86 | [\-P
|
---|
| 87 | .I password
|
---|
| 88 | |
|
---|
| 89 | .RI \-\-password= password ]
|
---|
| 90 |
|
---|
| 91 | .B yule
|
---|
| 92 | [\-G | \-\-gen-password]
|
---|
| 93 |
|
---|
| 94 | .SS "LOG OPTIONS"
|
---|
| 95 | .PP
|
---|
| 96 |
|
---|
| 97 | [\-s
|
---|
| 98 | .I threshold
|
---|
| 99 | |
|
---|
| 100 | .RI \-\-set\-syslog\-severity= threshold ]
|
---|
| 101 | [\-l
|
---|
| 102 | .I threshold
|
---|
| 103 | |
|
---|
| 104 | .RI \-\-set\-log\-severity= threshold ]
|
---|
| 105 | [\-m
|
---|
| 106 | .I threshold
|
---|
| 107 | |
|
---|
| 108 | .RI \-\-set\-mail\-severity= threshold ]
|
---|
| 109 | [\-e
|
---|
| 110 | .I threshold
|
---|
| 111 | |
|
---|
| 112 | .RI \-\-set\-export\-severity= threshold ]
|
---|
| 113 | [\-p
|
---|
| 114 | .I threshold
|
---|
| 115 | |
|
---|
| 116 | .RI \-\-set\-print\-severity= threshold ]
|
---|
| 117 | [\-x
|
---|
| 118 | .I threshold
|
---|
| 119 | |
|
---|
| 120 | .RI \-\-set\-external\-severity= threshold ]
|
---|
| 121 | [
|
---|
| 122 | .RI \-\-set\-prelude\-severity= threshold ]
|
---|
| 123 | [
|
---|
| 124 | .RI \-\-set\-database\-severity= threshold ]
|
---|
| 125 | [
|
---|
| 126 | .RI \-\-enable\-trace ]
|
---|
| 127 | [
|
---|
| 128 | .RI \-\-trace\-logfile= tracefile ]
|
---|
| 129 |
|
---|
| 130 |
|
---|
| 131 |
|
---|
| 132 | .SH WARNING
|
---|
| 133 | .PP
|
---|
| 134 | The information in this man page is not always up to date.
|
---|
| 135 | The authoritative documentation is the user manual.
|
---|
| 136 |
|
---|
| 137 | .SH DESCRIPTION
|
---|
| 138 | .PP
|
---|
| 139 | .B samhain
|
---|
| 140 | is a file integrity / intrusion detection system both for single hosts
|
---|
| 141 | and networks.
|
---|
| 142 | It consists of a monitoring application
|
---|
| 143 | .RB ( samhain )
|
---|
| 144 | running on
|
---|
| 145 | individual hosts, and (optionally) a central log server
|
---|
| 146 | .RB ( yule ).
|
---|
| 147 | Currently, samhain can monitor the
|
---|
| 148 | integrity of files/directories, and (optionally) also
|
---|
| 149 | check for kernel rootkits
|
---|
| 150 | (Linux and FreeBSD only), search the disk for SUID/SGID,
|
---|
| 151 | and watch for login/logout events.
|
---|
| 152 | .PP
|
---|
| 153 | .B samhain/yule
|
---|
| 154 | can log by email, to a tamper-resistant, signed log file,
|
---|
| 155 | to syslog, to the Prelude IDS, to a MySQL/PostgreSQL/Oracle database,
|
---|
| 156 | and/or to stdout
|
---|
| 157 | .RI ( /dev/console
|
---|
| 158 | if run as daemon).
|
---|
| 159 | .B samhain/yule
|
---|
| 160 | can run as a daemon, and can use a time server instead of the host's
|
---|
| 161 | system clock. Most of the functionality is defined by a
|
---|
| 162 | configuration file that is read at startup.
|
---|
| 163 | .PP
|
---|
| 164 | Most options of these usually would be set in the configuration file.
|
---|
| 165 | Options given on the command line will override
|
---|
| 166 | those in the configuration file.
|
---|
| 167 |
|
---|
| 168 | .SS "OPTIONS FOR INITIALIZING, UPDATING, AND CHECKING"
|
---|
| 169 | .PP
|
---|
| 170 |
|
---|
| 171 | .B samhain
|
---|
| 172 | .I "\-t init, \-\-set\-checksum-test=init"
|
---|
| 173 | .RI [ options ]
|
---|
| 174 |
|
---|
| 175 | Initialize the database of file signatures. The path to the
|
---|
| 176 | database is compiled in, and initializing will
|
---|
| 177 | .B append
|
---|
| 178 | to the respective file (or create it, if it does not exist).
|
---|
| 179 | .B "It is ok to append to e.g. a JPEG image, but it is an error"
|
---|
| 180 | .B "to append to an already existing file signature database."
|
---|
| 181 | .PP
|
---|
| 182 | .TP
|
---|
| 183 | [\-\-init2stdout]
|
---|
| 184 | Write the database to stdout.
|
---|
| 185 | .TP
|
---|
| 186 | [\-r DEPTH|\-\-recursion=DEPTH]
|
---|
| 187 | Set the (global) recursion depth.
|
---|
| 188 |
|
---|
| 189 | .PP
|
---|
| 190 | .B samhain
|
---|
| 191 | .I "\-t update, \-\-set\-checksum-test=update"
|
---|
| 192 | .RI [ options ]
|
---|
| 193 |
|
---|
| 194 | Update the database of file signatures. The path to the
|
---|
| 195 | database is compiled in, and updating will
|
---|
| 196 | .B overwrite
|
---|
| 197 | the database, starting from the start of the database (which may not be
|
---|
| 198 | identical to the start of the file \- see above).
|
---|
| 199 | .PP
|
---|
| 200 | .TP
|
---|
| 201 | [\-r DEPTH|\-\-recursion=DEPTH]
|
---|
| 202 | Set the (global) recursion depth.
|
---|
[3] | 203 | .TP
|
---|
| 204 | [\-D|\-\-daemon]
|
---|
| 205 | Run as daemon. File checks are performed as specified by the timing
|
---|
| 206 | options in the configuration file. Updates are saved after each file check.
|
---|
| 207 | .TP
|
---|
| 208 | [\-\-foreground]
|
---|
| 209 | Run in the foreground. This will cause samhain to exit after the update,
|
---|
| 210 | unless the option
|
---|
| 211 | .I "\-\-forever"
|
---|
| 212 | is used.
|
---|
| 213 | .TP
|
---|
| 214 | [\-\-forever]
|
---|
| 215 | If not running as daemon, do not exit after finishing the update, but
|
---|
| 216 | loop forever, and perform checks with corresponding database updates
|
---|
| 217 | according to the timing options in the
|
---|
| 218 | configuration file.
|
---|
[1] | 219 |
|
---|
| 220 | .PP
|
---|
| 221 | .B samhain
|
---|
| 222 | .I "\-t check, \-\-set\-checksum-test=check"
|
---|
| 223 | .RI [ options ]
|
---|
| 224 |
|
---|
| 225 | Check the filesystem against the database of file signatures.
|
---|
| 226 | The path to the database is compiled in.
|
---|
| 227 | .PP
|
---|
| 228 | .TP
|
---|
| 229 | [\-r DEPTH|\-\-recursion=DEPTH]
|
---|
| 230 | Set the (global) recursion depth.
|
---|
| 231 | .TP
|
---|
| 232 | [\-D|\-\-daemon]
|
---|
| 233 | Run as daemon. File checks are performed as specified by the timing
|
---|
| 234 | options in the configuration file.
|
---|
| 235 | .TP
|
---|
| 236 | [\-\-foreground]
|
---|
| 237 | Run in the foreground. This will cause samhain to exit after the file check,
|
---|
| 238 | unless the option
|
---|
| 239 | .I "\-\-forever"
|
---|
| 240 | is used.
|
---|
| 241 | .TP
|
---|
| 242 | [\-\-forever]
|
---|
| 243 | If not running as daemon, do not exit after finishing the check, but
|
---|
| 244 | loop forever, and perform checks according to the timing options in the
|
---|
| 245 | configuration file.
|
---|
| 246 |
|
---|
| 247 | .SS "OPTIONS FOR LISTING THE DATABASE"
|
---|
| 248 | .PP
|
---|
| 249 |
|
---|
| 250 | .B samhain
|
---|
| 251 | [\-a | \-\-full\-detail]
|
---|
| 252 | [\-\-delimited]
|
---|
| 253 | \-d
|
---|
| 254 | .IR file |
|
---|
| 255 | .RI \-\-list\-database= file
|
---|
| 256 |
|
---|
| 257 | List the entries in the file signature database in a
|
---|
| 258 | .B ls \-l
|
---|
| 259 | like format.
|
---|
| 260 | .PP
|
---|
| 261 | .TP
|
---|
| 262 | [\-a | \-\-full\-detail]
|
---|
| 263 | List all information for each file, not only what you would get
|
---|
[169] | 264 | with ls \-l. Must precede the \-d option.
|
---|
[1] | 265 | .TP
|
---|
| 266 | [\-\-delimited]
|
---|
| 267 | List all information for each file in a comma-separated format.
|
---|
[169] | 268 | Must precede the \-d option.
|
---|
| 269 | .TP
|
---|
| 270 | .RI [\-\-list\-file= file ]
|
---|
| 271 | List the literal content of the given file as stored in the database.
|
---|
| 272 | Content is not stored by default, must be enabled in the runtime
|
---|
| 273 | configuration file. Must precede the \-d option.
|
---|
[1] | 274 |
|
---|
| 275 | .SS "OPTIONS TO VERIFY AN AUDIT TRAIL"
|
---|
| 276 | .PP
|
---|
| 277 |
|
---|
| 278 | These options will only work, if the executable used for verifying the
|
---|
| 279 | audit trail is compiled with the same \-\-enable\-base=... option as the
|
---|
| 280 | executable of the reporting process.
|
---|
| 281 |
|
---|
| 282 | .B samhain
|
---|
| 283 | [\-j | \-\-just\-list]
|
---|
| 284 | \-L
|
---|
| 285 | .IR logfile |
|
---|
| 286 | .RI \-\-verify\-log= logfile
|
---|
| 287 |
|
---|
| 288 | Verify the integrity of a signed logfile. The signing key is
|
---|
| 289 | auto\-generated on startup, and sent by email.
|
---|
| 290 | .B samhain
|
---|
| 291 | will ask for the key. Instead of entering the key, you can also enter
|
---|
| 292 | the path to the mailbox holding the respective email message.
|
---|
| 293 | .PP
|
---|
| 294 | .TP
|
---|
| 295 | [\-j | \-\-just\-list]
|
---|
| 296 | Just list the logfile, do not verify it. This option must come
|
---|
| 297 | .BR first .
|
---|
| 298 | It is mainly intended for listing the content of an obfuscated logfile, if
|
---|
| 299 | .B samhain
|
---|
| 300 | is compiled with the
|
---|
| 301 | .B stealth
|
---|
| 302 | option.
|
---|
| 303 |
|
---|
| 304 | .B samhain
|
---|
| 305 | \-M
|
---|
| 306 | .IR mailbox |
|
---|
| 307 | .RI \-\-verify\-mail= mailbox
|
---|
| 308 |
|
---|
| 309 | Verify the integrity of the email reports from samhain. All reports must be
|
---|
| 310 | in the same file.
|
---|
| 311 |
|
---|
| 312 | .SS "MISCELLANEOUS OPTIONS"
|
---|
| 313 | .PP
|
---|
| 314 |
|
---|
| 315 | .B samhain
|
---|
[27] | 316 | .RI \-\-server\-port= portnumber
|
---|
| 317 |
|
---|
| 318 | Choose the port on the server host to which the client will connect.
|
---|
| 319 |
|
---|
| 320 | .B samhain
|
---|
[1] | 321 | \-H
|
---|
| 322 | .I string
|
---|
| 323 | |
|
---|
| 324 | .RI \-\-hash\-string= string
|
---|
| 325 |
|
---|
| 326 | Compute the TIGER192 checksum of a string. If the string starts with
|
---|
| 327 | a '/', it is considered as a pathname, and the checksum of the corresponding
|
---|
| 328 | file will be computed.
|
---|
| 329 |
|
---|
| 330 | .B samhain
|
---|
| 331 | \-c | \-\-copyright
|
---|
| 332 |
|
---|
| 333 | Print the copyright statement.
|
---|
| 334 |
|
---|
| 335 | .B samhain
|
---|
[76] | 336 | \-v | \-\-version
|
---|
| 337 |
|
---|
| 338 | Show version and compiled-in options.
|
---|
| 339 |
|
---|
| 340 | .B samhain
|
---|
[1] | 341 | \-h | \-\-help
|
---|
| 342 |
|
---|
[76] | 343 | Print supported command line options (depending on compilation options).
|
---|
[1] | 344 |
|
---|
| 345 | .B samhain
|
---|
| 346 | \-V key@/path/to/executable | \-\-add\-key=key@/path/to/executable
|
---|
| 347 |
|
---|
| 348 | See the section "SECURITY" below.
|
---|
| 349 |
|
---|
| 350 | .SS "SERVER STARTUP OPTIONS"
|
---|
| 351 | .PP
|
---|
| 352 |
|
---|
| 353 | .B yule
|
---|
| 354 | [\-q | \-\-qualified]
|
---|
| 355 | [
|
---|
| 356 | .RI \-\-chroot= chrootdir ]
|
---|
| 357 | [\-D | \-\-daemon | \-\-foreground]
|
---|
| 358 | [log-options]
|
---|
| 359 |
|
---|
| 360 | Start the server, which is named
|
---|
| 361 | .B yule
|
---|
| 362 | by default. If the server is started with superuser privileges,
|
---|
| 363 | it will drop them after startup.
|
---|
| 364 | .PP
|
---|
| 365 | .TP
|
---|
| 366 | [\-q | \-\-qualified]
|
---|
| 367 | Log client hostnames as fully qualified domain names. The default is to
|
---|
| 368 | log only the leftmost domain label (i.e. the hostname).
|
---|
| 369 | .TP
|
---|
| 370 | [
|
---|
| 371 | .RI \-\-chroot= chrootdir ]
|
---|
| 372 | Chroot to the listed directory after startup.
|
---|
| 373 | .TP
|
---|
| 374 | [\-D | \-\-daemon]
|
---|
| 375 | Run as daemon.
|
---|
| 376 | .TP
|
---|
| 377 | [\-\-foreground]
|
---|
| 378 | Run in the foreground.
|
---|
| 379 |
|
---|
| 380 |
|
---|
| 381 | .SS "MISCELLANEOUS SERVER OPTIONS"
|
---|
| 382 | .PP
|
---|
| 383 |
|
---|
| 384 | .B yule
|
---|
| 385 | [\-G | \-\-gen-password]
|
---|
| 386 |
|
---|
| 387 | Generate a random 8\-byte password (64 bits of key material) and print it out in hexadecimal notation (16 hex digits). Treat the output as a secret.
|
---|
| 388 |
|
---|
| 389 |
|
---|
| 390 | .B yule
|
---|
| 391 | [\-P
|
---|
| 392 | .I password
|
---|
| 393 | |
|
---|
| 394 | .RI \-\-password= password ]
|
---|
| 395 |
|
---|
| 396 | Use the given
|
---|
| 397 | .I password
|
---|
| 398 | and generate an entry suitable for the [Clients] section of the
|
---|
| 399 | configuration file. Because the password is passed as a command\-line argument, it may be visible to other users in the process list and may be recorded in the shell history; clear such traces after use.
|
---|
| 400 |
|
---|
| 401 | .SS "LOGGING OPTIONS"
|
---|
| 402 | .PP
|
---|
| 403 |
|
---|
| 404 | Depending on the compilation options, some logging facilities may not
|
---|
| 405 | be available in your executable.
|
---|
| 406 | .PP
|
---|
| 407 | .TP
|
---|
| 408 | .I "\-s threshold, \-\-set\-syslog\-severity=threshold"
|
---|
| 409 | Set the threshold for logging events via syslogd(8).
|
---|
| 410 | Possible values are
|
---|
| 411 | .IR debug ,
|
---|
| 412 | .IR info ,
|
---|
| 413 | .IR notice ,
|
---|
| 414 | .IR warn ,
|
---|
| 415 | .IR mark ,
|
---|
| 416 | .IR err ,
|
---|
| 417 | .IR crit ,
|
---|
| 418 | .IR alert ,
|
---|
| 419 | and
|
---|
| 420 | .IR none .
|
---|
| 421 | By default, everything equal to and above the threshold will be logged.
|
---|
| 422 | Time stamps have the priority
|
---|
| 423 | .IR warn ,
|
---|
| 424 | system\-level errors have the priority
|
---|
| 425 | .IR err ,
|
---|
| 426 | and important start\-up messages the priority
|
---|
| 427 | .IR alert .
|
---|
| 428 | The signature key for the log file will never be logged to syslog or the
|
---|
| 429 | log file itself.
|
---|
| 430 | .TP
|
---|
| 431 | .I "\-l threshold, \-\-set\-log\-severity=threshold"
|
---|
| 432 | Set the threshold for logging events to the log file.
|
---|
| 433 | .TP
|
---|
| 434 | .I "\-m threshold, \-\-set\-mail\-severity=threshold"
|
---|
| 435 | Set the threshold for logging events via e\-mail.
|
---|
| 436 | .TP
|
---|
| 437 | .I "\-e threshold, \-\-set\-export\-severity=threshold"
|
---|
| 438 | Set the threshold for forwarding events via TCP to a log server.
|
---|
| 439 | .TP
|
---|
| 440 | .I "\-x threshold, \-\-set\-extern\-severity=threshold"
|
---|
| 441 | Set the threshold for calling external logging programs/scripts (if any are
|
---|
| 442 | defined in the configuration file).
|
---|
| 443 | .TP
|
---|
| 444 | .I "\-p threshold, \-\-set\-print\-severity=threshold"
|
---|
| 445 | Set the threshold for logging events to stdout.
|
---|
| 446 | If
|
---|
| 447 | .B samhain
|
---|
| 448 | runs as a daemon, this is redirected to /dev/console.
|
---|
| 449 | .TP
|
---|
| 450 | .I "\-\-set\-prelude\-severity=threshold"
|
---|
| 451 | Set the threshold for logging events to the Prelude IDS.
|
---|
| 452 | .TP
|
---|
| 453 | .I "\-\-set\-database\-severity=threshold"
|
---|
| 454 | Set the threshold for logging events to the MySQL/PostgreSQL/Oracle
|
---|
| 455 | database.
|
---|
| 456 |
|
---|
| 457 |
|
---|
| 458 |
|
---|
| 459 | .SH SIGNALS
|
---|
| 460 | .TP
|
---|
| 461 | .I SIGUSR1
|
---|
| 462 | Switch on/off maximum verbosity for console output.
|
---|
| 463 | .TP
|
---|
| 464 | .I SIGUSR2
|
---|
| 465 | Suspend/continue the process, and
|
---|
| 466 | (on suspend) send a message
|
---|
| 467 | to the server. This message has the same priority as timestamps.
|
---|
| 468 | This signal
|
---|
| 469 | allows you to run
|
---|
| 470 | .I samhain -t init -e none
|
---|
| 471 | on the client
|
---|
| 472 | to regenerate the database, with download of the configuration file
|
---|
| 473 | from the server, while the daemon is suspended (normally you would get
|
---|
| 474 | errors because of concurrent access to the server by two processes from
|
---|
| 475 | the
|
---|
| 476 | .IR "same host" ")."
|
---|
| 477 | .TP
|
---|
| 478 | .I SIGHUP
|
---|
| 479 | Reread the configuration file.
|
---|
| 480 | .TP
|
---|
| 481 | .I SIGTERM
|
---|
| 482 | Terminate.
|
---|
| 483 | .TP
|
---|
| 484 | .I SIGQUIT
|
---|
| 485 | Terminate after processing all pending requests from clients.
|
---|
| 486 | .TP
|
---|
| 487 | .I SIGABRT
|
---|
| 488 | Unlock the log file, pause for three seconds, then proceed,
|
---|
| 489 | eventually re-locking the log file and starting a fresh audit trail
|
---|
| 490 | on next access.
|
---|
| 491 | .TP
|
---|
| 492 | .I SIGTTOU
|
---|
| 493 | Force a file check (only client/standalone, and only in daemon mode).
|
---|
| 494 |
|
---|
| 495 |
|
---|
| 496 | .SH DATABASE
|
---|
| 497 | The database (default name
|
---|
| 498 | .IR samhain_file )
|
---|
| 499 | is a binary file, which can be created or updated using the
|
---|
| 500 | .B \-t
|
---|
| 501 | .I init
|
---|
| 502 | or the
|
---|
| 503 | .B \-t
|
---|
| 504 | .I update
|
---|
| 505 | option.
|
---|
| 506 | If you use
|
---|
| 507 | .B \-t
|
---|
| 508 | .IR init ,
|
---|
| 509 | you need to
|
---|
| 510 | .I remove
|
---|
| 511 | the old database first,
|
---|
| 512 | otherwise the new version will be
|
---|
| 513 | .I appended
|
---|
| 514 | to the old one.
|
---|
| 515 | The file may be (clear text) signed by PGP/GnuPG.
|
---|
| 516 | .br
|
---|
| 517 | It is recommended to use GnuPG with the options
|
---|
| 518 | .B gpg
|
---|
| 519 | .I -a --clearsign --not-dash-escaped
|
---|
| 520 | .br
|
---|
| 521 | .B samhain
|
---|
| 522 | will check the signature, if compiled with support for that; without such support the signature is not verified and provides no protection.
|
---|
| 523 | .PP
|
---|
| 524 | At startup
|
---|
| 525 | .B samhain
|
---|
| 526 | will compute the checksum of the database, and verify it for
|
---|
| 527 | each further access. This checksum is not stored on disk (i.e. is lost
|
---|
| 528 | after program termination), as there is no secure way to store it. Consequently this check only detects modification of the database while samhain is running; it cannot detect changes made before startup, which is why signing the database as described above is recommended.
|
---|
| 529 |
|
---|
| 530 | .SH LOG FILE
|
---|
| 531 | .PP
|
---|
| 532 | Each entry in the log file has the format
|
---|
| 533 | .BR "Severity : [Timestamp] Message" ,
|
---|
| 534 | where the timestamp may be obtained from a time server rather than from
|
---|
| 535 | the system clock, if
|
---|
| 536 | .B samhain
|
---|
| 537 | has been compiled with support for this.
|
---|
| 538 | Each entry is followed by a
|
---|
| 539 | .IR signature ,
|
---|
| 540 | which is computed as
|
---|
| 541 | .BR "Hash(Entry Key_N)" ,
|
---|
| 542 | and
|
---|
| 543 | .B Key_N
|
---|
| 544 | is computed as
|
---|
| 545 | .BR "Hash(Key_N\-1)" ,
|
---|
| 546 | i.e. knowledge of the first signature key in this chain is required to
|
---|
| 547 | verify the integrity of the log file. This first key is autogenerated
|
---|
| 548 | and e\-mailed to the designated recipient.
|
---|
| 549 | .PP
|
---|
| 550 | The default name of the log file is
|
---|
| 551 | .IR samhain_log .
|
---|
| 552 | To prevent multiple instances of
|
---|
| 553 | .B samhain
|
---|
| 554 | from writing to the same log file, the log file is locked by creating a
|
---|
| 555 | .IR "lock file" ,
|
---|
| 556 | which is normally deleted at program termination.
|
---|
| 557 | The default name of the
|
---|
| 558 | .I "lock file"
|
---|
| 559 | is
|
---|
| 560 | .IR samhain.lock .
|
---|
| 561 | If
|
---|
| 562 | .B samhain
|
---|
| 563 | is terminated abnormally, e.g. with kill \-9,
|
---|
| 564 | a stale lock file might remain, but usually
|
---|
| 565 | .B samhain
|
---|
| 566 | will be able to recognize that and remove the stale lock file
|
---|
| 567 | on the next startup.
|
---|
| 568 | .PP
|
---|
| 569 | .SH EMAIL
|
---|
| 570 | .PP
|
---|
| 571 | E\-mails are sent (using built-in SMTP code)
|
---|
| 572 | to one recipient only.
|
---|
| 573 | The subject line contains timestamp
|
---|
| 574 | and hostname, which are repeated in the message body.
|
---|
| 575 | The body of the mail contains a line with a
|
---|
| 576 | .I signature
|
---|
| 577 | similar to that in the log file, computed from the message and a
|
---|
| 578 | key. The key is iterated by a hash chain, and the initial
|
---|
| 579 | key is revealed in the first email sent.
|
---|
| 580 | Obviously, you have to believe that this first e\-mail is
|
---|
| 581 | authentic: the hash chain can show that later messages are consistent with the first one, but it cannot establish that the first message itself is genuine.
|
---|
| 582 | .PP
|
---|
| 583 | .SH CLIENT/SERVER USAGE
|
---|
| 584 | .PP
|
---|
| 585 | To monitor several machines and collect their data on a central log server,
|
---|
| 586 | .B samhain
|
---|
| 587 | may be compiled as a client/server application. The log server
|
---|
| 588 | .RB ( yule )
|
---|
| 589 | will accept connection
|
---|
| 590 | requests from registered clients only. With each client, the server will first
|
---|
| 591 | engage in a challenge/response protocol for
|
---|
| 592 | .I authentication
|
---|
| 593 | of the client and
|
---|
| 594 | .I establishing
|
---|
| 595 | a
|
---|
| 596 | .IR "session key" .
|
---|
| 597 | .PP
|
---|
| 598 | This protocol requires on the client side a
|
---|
| 599 | .IR "password" ,
|
---|
| 600 | and on the server side a
|
---|
| 601 | .IR "verifier"
|
---|
| 602 | that is computed from the
|
---|
| 603 | .IR "password" .
|
---|
| 604 | .PP
|
---|
| 605 | To
|
---|
| 606 | .I register
|
---|
| 607 | a client, simply do the following:
|
---|
| 608 | .br
|
---|
| 609 | First, with the included utility program
|
---|
| 610 | .B samhain_setpwd
|
---|
| 611 | re\-set the compiled\-in default password of the
|
---|
| 612 | client executable to your preferred
|
---|
| 613 | value (with no option, a short usage help is printed). Do not leave the compiled\-in default in place: every copy of that build shares it, so anyone with a copy of the executable knows it.
|
---|
| 614 | To allow for non-printable chars, the new value
|
---|
| 615 | must be given as a 16\-digit hexadecimal string
|
---|
| 616 | (only 0123456789ABCDEF in string), corresponding to an 8-byte password.
|
---|
| 617 | .br
|
---|
| 618 | Second, after re\-setting the password in the client executable,
|
---|
| 619 | you can use the server's convenience function
|
---|
| 620 | .B yule
|
---|
| 621 | .B \-P
|
---|
| 622 | .I password
|
---|
| 623 | that will take as input the (16\-digit hex) password,
|
---|
| 624 | compute the corresponding verifier, and outputs a default configuration file
|
---|
| 625 | entry to register the client.
|
---|
| 626 | .br
|
---|
| 627 | Third, in the configuration file for the server, under the [Clients] section,
|
---|
| 628 | enter
|
---|
| 629 | the suggested registration entry of the form
|
---|
| 630 | .IR "Client=hostname@salt@verifier" ,
|
---|
| 631 | where
|
---|
| 632 | .I hostname
|
---|
| 633 | must be the (fully qualified) hostname of the machine on
|
---|
| 634 | which the client will run.
|
---|
| 635 | .B "Don't forget to reload the server configuration thereafter."
|
---|
| 636 | .PP
|
---|
| 637 | If a connection attempt is made, the server will lookup the entry for
|
---|
| 638 | the connecting host, and use the corresponding value for the
|
---|
| 639 | .I verifier
|
---|
| 640 | to engage in the session key exchange. Failure to verify the client's
|
---|
| 641 | response(s) will result in aborting the connection.
|
---|
| 642 | .PP
|
---|
| 643 | .SH STEALTH
|
---|
| 644 | .PP
|
---|
| 645 | .B samhain
|
---|
| 646 | may be compiled with support for a
|
---|
| 647 | .I stealth
|
---|
| 648 | mode of operation, meaning that
|
---|
| 649 | the program can be run without any obvious trace of its presence
|
---|
| 650 | on disk. The supplied facilities are simple - they are more
|
---|
| 651 | sophisticated than just running the program under a different name,
|
---|
| 652 | and might thwart efforts using 'standard' Unix commands,
|
---|
| 653 | but they will not resist a search using dedicated utilities.
|
---|
| 654 | .PP
|
---|
| 655 | In this mode, the runtime executable will hold no
|
---|
| 656 | printable strings, and the configuration file is expected to be
|
---|
| 657 | a postscript file with
|
---|
| 658 | .I uncompressed
|
---|
| 659 | image data, wherein
|
---|
| 660 | the configuration data are hidden by steganography.
|
---|
| 661 | To create such a file from an existing image, you may use e.g.
|
---|
| 662 | the program
|
---|
| 663 | .BR convert (1),
|
---|
| 664 | which is part of the
|
---|
| 665 | .BR ImageMagick (1)
|
---|
| 666 | package, such as:
|
---|
| 667 | .B "convert +compress"
|
---|
| 668 | .IR "ima.jpg ima.ps" .
|
---|
| 669 | .PP
|
---|
| 670 | To hide/extract the configuration data within/from the postscript file,
|
---|
| 671 | a utility program
|
---|
| 672 | .B samhain_stealth
|
---|
| 673 | is provided.
|
---|
| 674 | Use it without options to get help.
|
---|
| 675 | .PP
|
---|
| 676 | Database and log file may be e.g. existing image files, to which
|
---|
| 677 | data are appended, xor'ed with some constant to mask them as binary data. This masking is obfuscation only, not encryption; it does not protect the confidentiality of the data.
|
---|
| 678 | .PP
|
---|
| 679 | The user is responsible by herself for re-naming the compiled
|
---|
| 680 | executable(s) to unsuspicious names, and choosing (at compile time)
|
---|
| 681 | likewise unsuspicious names for config file, database, and log (+lock) file.
|
---|
| 682 | .PP
|
---|
| 683 | .SH SECURITY
|
---|
| 684 | .PP
|
---|
| 685 | For security reasons,
|
---|
| 686 | .B samhain
|
---|
| 687 | will not write log or data files in a directory, remove the lock file,
|
---|
| 688 | or read the configuration file, if any element
|
---|
| 689 | in the path is owned or writable by an untrusted user (including
|
---|
| 690 | group\-writable files with untrusted users in the group, and world\-writable
|
---|
| 691 | files).
|
---|
| 692 | .br
|
---|
| 693 | .I root
|
---|
| 694 | and the
|
---|
| 695 | .I effective
|
---|
| 696 | user are always trusted. You can add more users in the configuration file.
|
---|
| 697 | .PP
|
---|
| 698 | Using a
|
---|
| 699 | .I "numerical host address"
|
---|
| 700 | in the e\-mail address is more secure than
|
---|
| 701 | using the hostname (does not require
|
---|
| 702 | DNS lookup, so a spoofed or poisoned DNS reply cannot redirect the reports to another host).
|
---|
| 703 | .PP
|
---|
| 704 | If you use a
|
---|
| 705 | .I precompiled
|
---|
| 706 | .B samhain
|
---|
| 707 | executable (e.g. from a
|
---|
| 708 | binary distribution), in principle a prospective intruder could easily
|
---|
| 709 | obtain a copy of the executable and analyze it in advance. This will
|
---|
| 710 | enable her/him to generate fake audit trails and/or generate
|
---|
| 711 | a trojan for this particular binary distribution.
|
---|
| 712 | .br
|
---|
| 713 | For this reason, it is possible for the user to add more key material into
|
---|
| 714 | the binary executable. This is done with the command:
|
---|
| 715 | .PP
|
---|
| 716 | .BI "samhain " \-\-add\-key=key@/path/to/executable
|
---|
| 717 | .PP
|
---|
| 718 | This will read the file
|
---|
| 719 | .I /path/to/executable, add the key
|
---|
| 720 | .I key,
|
---|
| 721 | which should not contain a '@' (because it has a special meaning, separating
|
---|
| 722 | key from path), overwrite any key previously set by this command, and
|
---|
| 723 | write the new binary to the location
|
---|
| 724 | .I /path/to/executable.out
|
---|
| 725 | (i.e. with .out appended). You should then copy the new binary to the location
|
---|
| 726 | of the old one (i.e. overwrite the old one). Since the key is passed on the command line, it may be visible in the process list and recorded in the shell history; clear such traces afterwards and keep the key secret, as it is precisely what an attacker holding a copy of the stock binary lacks.
|
---|
| 727 | .PP
|
---|
| 728 | .B Note that using a precompiled samhain executable from a binary
|
---|
| 729 | .B package distribution is not recommended unless you add in key material as
|
---|
| 730 | .B described here.
|
---|
| 731 |
|
---|
| 732 | .PP
|
---|
| 733 | .SH NOTES
|
---|
| 734 | .PP
|
---|
| 735 | For initializing the key(s),
|
---|
| 736 | .I "/dev/random"
|
---|
| 737 | is used, if available. This is a
|
---|
| 738 | device supplying cryptographically strong
|
---|
| 739 | (non-deterministic) random noise. Because it is slow,
|
---|
| 740 | .B samhain
|
---|
| 741 | might appear to hang at startup. Doing some random things
|
---|
| 742 | (performing rain dances, spilling coffee, hunting the mouse) might speed up
|
---|
| 743 | things. If you do not have
|
---|
| 744 | .IR "/dev/random" ,
|
---|
| 745 | lots of statistics from
|
---|
| 746 | .BR vmstat (8)
|
---|
| 747 | and the like will be pooled and mixed by a hash function. Such statistics may be partly observable by other users on the same host, so this fallback should be considered weaker than /dev/random.
|
---|
| 748 | .PP
|
---|
| 749 | Some hosts might check whether the sender of the mail is valid.
|
---|
| 750 | Use only
|
---|
| 751 | .I "login names"
|
---|
| 752 | for the sender.
|
---|
| 753 | .br
|
---|
| 754 | For sending mails, you may need to set a relay host for the sender domain
|
---|
| 755 | in the configuration file.
|
---|
| 756 | .PP
|
---|
| 757 | .SH BUGS
|
---|
| 758 | .PP
|
---|
| 759 | Whoever has the original signature key may change the log file and send fake
|
---|
| 760 | e\-mails. The signature keys are e\-mailed at program startup
|
---|
| 761 | with a one\-time pad encryption.
|
---|
| 762 | This should be safe against an eavesdropper on the network,
|
---|
| 763 | but not against someone with read access to the binary,
|
---|
| 764 | .I if
|
---|
| 765 | she has caught
|
---|
| 766 | the e\-mail.
|
---|
| 767 | .PP
|
---|
| 768 | .SH FILES
|
---|
| 769 | .PP
|
---|
| 770 | .I /etc/samhainrc
|
---|
| 771 | .br
|
---|
| 772 | .I /usr/local/man/man8/samhain.8
|
---|
| 773 | .br
|
---|
| 774 | .I /usr/local/man/man5/samhainrc.5
|
---|
| 775 | .br
|
---|
| 776 | .I /var/log/samhain_log
|
---|
| 777 | .br
|
---|
| 778 | .I /var/lib/samhain/samhain_file
|
---|
| 779 | .br
|
---|
| 780 | .I /var/lib/samhain/samhain.html
|
---|
| 781 | .br
|
---|
| 782 | .I /var/run/samhain.pid
|
---|
| 783 |
|
---|
| 784 | .SH SEE ALSO
|
---|
| 785 | .PP
|
---|
| 786 | .BR samhainrc (5)
|
---|
| 787 |
|
---|
| 788 | .SH AUTHOR
|
---|
| 789 | .PP
|
---|
| 790 | Rainer Wichmann (http://la\-samhna.de)
|
---|
| 791 | .SH BUG REPORTS
|
---|
| 792 | .PP
|
---|
| 793 | If you find a bug in
|
---|
| 794 | .BR samhain ,
|
---|
| 795 | please send electronic mail to
|
---|
| 796 | .IR support@la\-samhna.de .
|
---|
| 797 | Please include your operating system and its revision, the version of
|
---|
| 798 | .BR samhain ,
|
---|
| 799 | what C compiler you used to compile it, your 'configure' options, and
|
---|
| 800 | any information that you deem helpful.
|
---|
| 801 | .PP
|
---|
| 802 | .SH COPYING PERMISSIONS
|
---|
| 803 | .PP
|
---|
| 804 | Copyright (\(co) 1999, 2004 Rainer Wichmann
|
---|
| 805 | .PP
|
---|
| 806 | Permission is granted to make and distribute verbatim copies of
|
---|
| 807 | this manual page provided the copyright notice and this permission
|
---|
| 808 | notice are preserved on all copies.
|
---|
| 809 | .ig
|
---|
| 810 | Permission is granted to process this file through troff and print the
|
---|
| 811 | results, provided the printed document carries copying permission
|
---|
| 812 | notice identical to this one except for the removal of this paragraph
|
---|
| 813 | (this paragraph not being relevant to the printed manual page).
|
---|
| 814 | ..
|
---|
| 815 | .PP
|
---|
| 816 | Permission is granted to copy and distribute modified versions of this
|
---|
| 817 | manual page under the conditions for verbatim copying, provided that
|
---|
| 818 | the entire resulting derived work is distributed under the terms of a
|
---|
| 819 | permission notice identical to this one.
|
---|
| 820 |
|
---|
| 821 |
|
---|
| 822 |
|
---|