source: trunk/man/samhain.8@ 18

Last change on this file since 18 was 3, checked in by rainer, 19 years ago

More fixes for update function, released 2.1.1 version.

File size: 20.0 KB
Line 
1.TH SAMHAIN 8 "07 August 2004" "" "Samhain manual"
2.SH NAME
3samhain \- check file integrity
4.SH SYNOPSIS
5.SS "INITIALIZING, UPDATING, AND CHECKING"
6.PP
7
8.B samhain
9{
10.I \-t init|\-\-set\-checksum\-test=init
11} [\-\-init2stdout] [\-r DEPTH|\-\-recursion=DEPTH] [log-options]
12
13.B samhain
14{
15.I \-t update|\-\-set\-checksum\-test=update
16} [\-D | \-\-daemon | \-\-foreground] [\-\-forever] [\-r DEPTH|\-\-recursion=DEPTH] [log-options]
17
18.B samhain
19{
20.I \-t check|\-\-set\-checksum\-test=check
21} [\-D | \-\-daemon | \-\-foreground] [\-\-forever] [\-r DEPTH,\-\-recursion=DEPTH] [log-options]
22
23.SS "LISTING THE DATABASE"
24.PP
25
26.B samhain
27[\-a | \-\-full\-detail]
28[\-\-delimited]
29\-d
30.IR file |
31.RI \-\-list\-database= file
32
33.SS "VERIFYING AN AUDIT TRAIL"
34.PP
35
36.B samhain
37[\-j | \-\-just\-list]
38\-L
39.IR logfile |
40.RI \-\-verify\-log= logfile
41
42.B samhain
43\-M
44.IR mailbox |
45.RI \-\-verify\-mail= mailbox
46
47
48.SS "MISCELLANEOUS"
49.PP
50
51.B samhain
52\-H
53.I string
54|
55.RI \-\-hash\-string= string
56
57.B samhain
58\-c | \-\-copyright
59
60.B samhain
61\-h | \-\-help
62
63.B samhain
64\-V key@/path/to/executable | \-\-add\-key=key@/path/to/executable
65
66.SS "SERVER STARTUP"
67.PP
68
69.B yule
70[\-q | \-\-qualified]
71[
72.RI \-\-chroot= chrootdir ]
73[\-D | \-\-daemon | \-\-foreground]
74[log-options]
75
76.SS "SERVER MISCELLANEOUS"
77.PP
78
79.B yule
80[\-P
81.I password
82|
83.RI \-\-password= password ]
84
85.B yule
86[\-G | \-\-gen-password]
87
88.SS "LOG OPTIONS"
89.PP
90
91[\-s
92.I threshold
93|
94.RI \-\-set\-syslog\-severity= threshold ]
95[\-l
96.I threshold
97|
98.RI \-\-set\-log\-severity= threshold ]
99[\-m
100.I threshold
101|
102.RI \-\-set\-mail\-severity= threshold ]
103[\-e
104.I threshold
105|
106.RI \-\-set\-export\-severity= threshold ]
107[\-p
108.I threshold
109|
110.RI \-\-set\-print\-severity= threshold ]
111[\-x
112.I threshold
113|
114.RI \-\-set\-external\-severity= threshold ]
115[
116.RI \-\-set\-prelude\-severity= threshold ]
117[
118.RI \-\-set\-database\-severity= threshold ]
119[
120.RI \-\-enable\-trace ]
121[
122.RI \-\-trace\-logfile= tracefile ]
123
124
125
126.SH WARNING
127.PP
128The information in this man page is not always up to date.
129The authoritative documentation is the user manual.
130
131.SH DESCRIPTION
132.PP
133.B samhain
134is a file integrity / intrusion detection system both for single hosts
135and networks.
136It consists of a monitoring application
137.RB ( samhain )
138running on
139individual hosts, and (optionally) a central log server
140.RB ( yule ).
141Currently, samhain can monitor the
142integrity of files/directories, and (optionally) also
143check for kernel rootkits
144(Linux and FreeBSD only), search the disk for SUID/SGID,
145and watch for login/logout events.
146.PP
147.B samhain/yule
148can log by email, to a tamper-resistant, signed log file,
149to syslog, to the Prelude IDS, to a MySQL/PostgreSQL/Oracle database,
150and/or to stdout
151.RI ( /dev/console
152if run as daemon).
153.B samhain/yule
154can run as a daemon, and can use a time server instead of the host's
155system clock. Most of the functionality is defined by a
156configuration file that is read at startup.
157.PP
158Most options of these usually would be set in the configuration file.
159Options given on the command line will override
160those in the configuration file.
161
162.SS "OPTIONS FOR INITIALIZING, UPDATING, AND CHECKING"
163.PP
164
165.B samhain
166.I "\-t init, \-\-set\-checksum-test=init"
167.RI [ options ]
168
169Initialize the database of file signatures. The path to the
170database is compiled in, and initializing will
171.B append
172to the respective file (or create it, if it does not exist).
173.B "It is ok to append to e.g. a JPEG image, but it is an error"
174.B "to append to an already existing file signature database."
175.PP
176.TP
177[\-\-init2stdout]
178Write the database to stdout.
179.TP
180[\-r DEPTH|\-\-recursion=DEPTH]
181Set the (global) recursion depth.
182
183.PP
184.B samhain
185.I "\-t update, \-\-set\-checksum-test=update"
186.RI [ options ]
187
188Update the database of file signatures. The path to the
189database is compiled in, and updating will
190.B overwrite
191the database, starting from the start of the database (which may not be
192identical to the start of the file \- see above).
193.PP
194.TP
195[\-r DEPTH|\-\-recursion=DEPTH]
196Set the (global) recursion depth.
197.TP
198[\-D|\-\-daemon]
199Run as daemon. File checks are performed as specified by the timing
200options in the configuration file. Updates are saved after each file check.
201.TP
202[\-\-foreground]
203Run in the foreground. This will cause samhain to exit after the update,
204unless the option
205.I "\-\-forever"
206is used.
207.TP
208[\-\-forever]
209If not running as daemon, do not exit after finishing the update, but
210loop forever, and perform checks with corresponding database updates
211according to the timing options in the
212configuration file.
213
214.PP
215.B samhain
216.I "\-t check, \-\-set\-checksum-test=check"
217.RI [ options ]
218
219Check the filesystem against the database of file signatures.
220The path to the database is compiled in.
221.PP
222.TP
223[\-r DEPTH|\-\-recursion=DEPTH]
224Set the (global) recursion depth.
225.TP
226[\-D|\-\-daemon]
227Run as daemon. File checks are performed as specified by the timing
228options in the configuration file.
229.TP
230[\-\-foreground]
231Run in the foreground. This will cause samhain to exit after the file check,
232unless the option
233.I "\-\-forever"
234is used.
235.TP
236[\-\-forever]
237If not running as daemon, do not exit after finishing the check, but
238loop forever, and perform checks according to the timing options in the
239configuration file.
240
241.SS "OPTIONS FOR LISTING THE DATABASE"
242.PP
243
244.B samhain
245[\-a | \-\-full\-detail]
246[\-\-delimited]
247\-d
248.IR file |
249.RI \-\-list\-database= file
250
251List the entries in the file signature database in a
252.B ls \-l
253like format.
254.PP
255.TP
256[\-a | \-\-full\-detail]
257List all informations for each file, not only those you would get
258with ls \-l.
259.TP
260[\-\-delimited]
261List all informations for each file, in a comma-separated format.
262
263.SS "OPTIONS TO VERIFY AN AUDIT TRAIL"
264.PP
265
266These options will only work, if the executable used for verifying the
267audit trail is compiled with the same \-\-enable\-base=... option as the
268executable of the reporting process.
269
270.B samhain
271[\-j | \-\-just\-list]
272\-L
273.IR logfile |
274.RI \-\-verify\-log= logfile
275
276Verify the integrity of a signed logfile. The signing key is
277auto\-generated on startup, and sent by email.
278.B samhain
279will ask for the key. Instead of entering the key, you can also enter
280the path to the mailbox holding the respective email message.
281.PP
282.TP
283[\-j | \-\-just\-list]
284Just list the logfile, do not verify it. This option must come
285.BR first .
286It is mainly intended for listing the content of an obfuscated logfile, if
287.B samhain
288is compiled with the
289.B stealth
290option.
291
292.B samhain
293\-M
294.IR mailbox |
295.RI \-\-verify\-mail= mailbox
296
297Verify the integrity of the email reports from samhain. All reports must be
298in the same file.
299
300.SS "MISCELLANEOUS OPTIONS"
301.PP
302
303.B samhain
304\-H
305.I string
306|
307.RI \-\-hash\-string= string
308
309Compute the TIGER192 checksum of a string. If the string starts with
310a '/', it is considered as a pathname, and the checksum of the corresponding
311file will be computed.
312
313.B samhain
314\-c | \-\-copyright
315
316Print the copyright statement.
317
318.B samhain
319\-h | \-\-help
320
321Print supported options (depending on compilation options).
322
323.B samhain
324\-V key@/path/to/executable | \-\-add\-key=key@/path/to/executable
325
326See the section "SECURITY" below.
327
328.SS "SERVER STARTUP OPTIONS"
329.PP
330
331.B yule
332[\-q | \-\-qualified]
333[
334.RI \-\-chroot= chrootdir ]
335[\-D | \-\-daemon | \-\-foreground]
336[log-options]
337
338Start the server, which is named
339.B yule
340by default. If the server is started with superuser privileges,
341it will drop them after startup.
342.PP
343.TP
344[\-q | \-\-qualified]
345Log client hostnames with fully qualified path. The default is to
346log only the leftmost domain label (i.e. the hostname).
347.TP
348[
349.RI \-\-chroot= chrootdir ]
350Chroot to the listed directory after startup.
351.TP
352[\-D | \-\-daemon]
353Run as daemon.
354.TP
355[\-\-foreground]
356Run in the foreground.
357
358
359.SS "MISCELLANEOUS SERVER OPTIONS"
360.PP
361
362.B yule
363[\-G | \-\-gen-password]
364
365Generate a random 8\-byte password and print it out in hexadecimal notation.
366
367
368.B yule
369[\-P
370.I password
371|
372.RI \-\-password= password ]
373
374Use the given
375.I password
376and generate an entry suitable for the [Clients] section of the
377configuration file.
378
379.SS "LOGGING OPTIONS"
380.PP
381
382Depending on the compilation options, some logging facilities may not
383be available in your executable.
384.PP
385.TP
386.I "\-s threshold, \-\-set\-syslog\-severity=threshold"
387Set the threshold for logging events via syslogd(8).
388Possible values are
389.IR debug ,
390.IR info ,
391.IR notice ,
392.IR warn ,
393.IR mark ,
394.IR err ,
395.IR crit ,
396.IR alert ,
397and
398.IR none .
399By default, everything equal to and above the threshold will be logged.
400Time stamps have the priority
401.IR warn ,
402system\-level errors have the priority
403.IR err ,
404and important start\-up messages the priority
405.IR alert .
406The signature key for the log file will never be logged to syslog or the
407log file itself.
408.TP
409.I "\-l threshold, \-\-set\-log\-severity=threshold"
410Set the threshold for logging events to the log file.
411.TP
412.I "\-m threshold, \-\-set\-mail\-severity=threshold"
413Set the threshold for logging events via e\-mail.
414.TP
415.I "\-e threshold, \-\-set\-export\-severity=threshold"
416Set the threshold for forwarding events via TCP to a log server.
417.TP
418.I "\-x threshold, \-\-set\-extern\-severity=threshold"
419Set the threshold for calling external logging programs/scripts (if any are
420defined in the configuration file).
421.TP
422.I "\-p threshold, \-\-set\-print\-severity=threshold"
423Set the threshold for logging events to stdout.
424If
425.B samhain
426runs as a daemon, this is redirected to /dev/console.
427.TP
428.I "\-\-set\-prelude\-severity=threshold"
429Set the threshold for logging events to the Prelude IDS.
430.TP
431.I "\-\-set\-database\-severity=threshold"
432Set the threshold for logging events to the MySQL/PostgreSQL/Oracle
433database.
434
435
436
437.SH SIGNALS
438.TP
439.I SIGUSR1
440Switch on/off maximum verbosity for console output.
441.TP
442.I SIGUSR2
443Suspend/continue the process, and
444(on suspend) send a message
445to the server. This message has the same priority as timestamps.
446This signal
447allows to run
448.I samhain -t init -e none
449on the client
450to regenerate the database, with download of the configuration file
451from the server, while the daemon is suspended (normally you would get
452errors because of concurrent access to the server by two processes from
453the
454.IR "same host" ")."
455.TP
456.I SIGHUP
457Reread the configuration file.
458.TP
459.I SIGTERM
460Terminate.
461.TP
462.I SIGQUIT
463Terminate after processing all pending requests from clients.
464.TP
465.I SIGABRT
466Unlock the log file, pause for three seconds, then proceed,
467eventually re-locking the log file and starting a fresh audit trail
468on next access.
469.TP
470.I SIGTTOU
471Force a file check (only client/standalone, and only in daemon mode).
472
473
474.SH DATABASE
475The database (default name
476.IR samhain_file )
477is a binary file, which can be created or updated using the
478.B \-t
479.I init
480or the
481.B \-t
482.I update
483option.
484If you use
485.B \-t
486.IR init ,
487you need to
488.I remove
489the old database first,
490otherwise the new version will be
491.I appended
492to the old one.
493The file may be (clear text) signed by PGP/GnuPG.
494.br
495It is recommended to use GnuPG with the options
496.B gpg
497.I -a --clearsign --not-dash-escaped
498.br
499.B samhain
500will check the signature, if compiled with support for that.
501.PP
502At startup
503.B samhain
504will compute the checksum of the database, and verify it for
505each further access. This checksum is not stored on disk (i.e. is lost
506after program termination), as there is no secure way to store it.
507
508.SH LOG FILE
509.PP
510Each entry in the log file has the format
511.BR "Severity : [Timestamp] Message" ,
512where the timestamp may be obtained from a time server rather than from
513the system clock, if
514.B samhain
515has been compiled with support for this.
516Each entry is followed by a
517.IR signature ,
518which is computed as
519.BR "Hash(Entry Key_N)" ,
520and
521.B Key_N
522is computed as
523.BR "Hash(Key_N\-1)" ,
524i.e. only knowledge of the first signature key in this chain allows to
525verify the integrity of the log file. This first key is autogenerated
526and e\-mailed to the designated recipient.
527.PP
528The default name of the log file is
529.IR samhain_log .
530To prevent multiple instances of
531.B samhain
532from writing to the same log file, the log file is locked by creating a
533.IR "lock file" ,
534which is normally deleted at program termination.
535The default name of the
536.I "lock file"
537is
538.IR samhain.lock .
539If
540.B samhain
541is terminated abnormally, i.e. with kill \-9,
542a stale lock file might remain, but usually
543.B samhain
544will be able to recognize that and remove the stale lock file
545on the next startup.
546.PP
547.SH EMAIL
548.PP
549E\-mails are sent (using built-in SMTP code)
550to one recipient only.
551The subject line contains timestamp
552and hostname, which are repeated in the message body.
553The body of the mail contains a line with a
554.I signature
555similar to that in the log file, computed from the message and a
556key. The key is iterated by a hash chain, and the initial
557key is revealed in the first email sent.
558Obviously, you have to believe that this first e\-mail is
559authentical ...
560.PP
561.SH CLIENT/SERVER USAGE
562.PP
563To monitor several machines, and collecting data by a central log server,
564.B samhain
565may be compiled as a client/server application. The log server
566.RB ( yule )
567will accept connection
568requests from registered clients only. With each client, the server will first
569engage in a challenge/response protocol for
570.I authentication
571of the client and
572.I establishing
573a
574.IR "session key" .
575.PP
576This protocol requires on the client side a
577.IR "password" ,
578and on the server side a
579.IR "verifier"
580that is computed from the
581.IR "password" .
582.PP
583To
584.I register
585a client, simply do the following:
586.br
587First, with the included utility program
588.B samhain_setpwd
589re\-set the compiled\-in default password of the
590client executable to your preferred
591value (with no option, a short usage help is printed).
592To allow for non-printable chars, the new value
593must be given as a 16\-digit hexadecimal string
594(only 0123456789ABCDEF in string), corresponding to an 8-byte password.
595.br
596Second, after re\-setting the password in the client executable,
597you can use the server's convenience function
598.B yule
599.B \-P
600.I password
601that will take as input the (16\-digit hex) password,
602compute the corresponding verifier, and outputs a default configuration file
603entry to register the client.
604.br
605Third, in the configuration file for the server, under the [Clients] section,
606enter
607the suggested registration entry of the form
608.IR "Client=hostname@salt@verifier" ,
609where
610.I hostname
611must be the (fully qualified) hostname of the machine on
612which the client will run.
613.B "Don't forget to reload the server configuration thereafter."
614.PP
615If a connection attempt is made, the server will lookup the entry for
616the connecting host, and use the corresponding value for the
617.I verifier
618to engage in the session key exchange. Failure to verify the client's
619response(s) will result in aborting the connection.
620.PP
621.SH STEALTH
622.PP
623.B samhain
624may be compiled with support for a
625.I stealth
626mode of operation, meaning that
627the program can be run without any obvious trace of its presence
628on disk. The supplied facilities are simple - they are more
629sophisticated than just running the program under a different name,
630and might thwart efforts using 'standard' Unix commands,
631but they will not resist a search using dedicated utilities.
632.PP
633In this mode, the runtime executable will hold no
634printable strings, and the configuration file is expected to be
635a postscript file with
636.I uncompressed
637image data, wherein
638the configuration data are hidden by steganography.
639To create such a file from an existing image, you may use e.g.
640the program
641.BR convert (1),
642which is part of the
643.BR ImageMagick (1)
644package, such as:
645.B "convert +compress"
646.IR "ima.jpg ima.ps" .
647.PP
648To hide/extract the configuration data within/from the postscript file,
649a utility program
650.B samhain_stealth
651is provided.
652Use it without options to get help.
653.PP
654Database and log file may be e.g. existing image files, to which
655data are appended, xor'ed with some constant to mask them as binary data.
656.PP
657The user is responsible by herself for re-naming the compiled
658executable(s) to unsuspicious names, and choosing (at compile time)
659likewise unsuspicious names for config file, database, and log (+lock) file.
660.PP
661.SH SECURITY
662.PP
663For security reasons,
664.B samhain
665will not write log or data files in a directory, remove the lock file,
666or read the configuration file, if any element
667in the path is owned or writeable by an untrusted user (including
668group-writeable files with untrusted users in the group, and world-writeable
669files).
670.br
671.I root
672and the
673.I effective
674user are always trusted. You can add more users in the configuration file.
675.PP
676Using a
677.I "numerical host address"
678in the e\-mail address is more secure than
679using the hostname (does not require
680DNS lookup).
681.PP
682If you use a
683.I precompiled
684.B samhain
685executable (e.g. from a
686binary distribution), in principle a prospective intruder could easily
687obtain a copy of the executable and analyze it in advance. This will
688enable her/him to generate fake audit trails and/or generate
689a trojan for this particular binary distribution.
690.br
691For this reason, it is possible for the user to add more key material into
692the binary executable. This is done with the command:
693.PP
694.BI "samhain " \-\-add\-key=key@/path/to/executable
695.PP
696This will read the file
697.I /path/to/executable, add the key
698.I key,
699which should not contain a '@' (because it has a special meaning, separating
700key from path), overwrite any key previously set by this command, and
701write the new binary to the location
702.I /path/to/executable.out
703(i.e. with .out appended). You should then copy the new binary to the location
704of the old one (i.e. overwrite the old one).
705.PP
706.B Note that using a precompiled samhain executable from a binary
707.B package distribution is not recommended unless you add in key material as
708.B described here.
709
710.PP
711.SH NOTES
712.PP
713For initializing the key(s),
714.I "/dev/random"
715is used, if available. This is a
716device supplying cryptographically strong
717(non-deterministic) random noise. Because it is slow,
718.B samhain
719might appear to hang at startup. Doing some random things
720(performing rain dances, spilling coffee, hunting the mouse) might speed up
721things. If you do not have
722.IR "/dev/random" ,
723lots of statistics from
724.BR vmstat (8)
725and the like will be pooled and mixed by a hash function.
726.PP
727Some hosts might check whether the sender of the mail is valid.
728Use only
729.I "login names"
730for the sender.
731.br
732For sending mails, you may need to set a relay host for the sender domain
733in the configuration file.
734.PP
735.SH BUGS
736.PP
737Whoever has the original signature key may change the log file and send fake
738e\-mails. The signature keys are e\-mailed at program startup
739with a one\-time pad encryption.
740This should be safe against an eavesdropper on the network,
741but not against someone with read access to the binary,
742.I if
743she has caught
744the e\-mail.
745.PP
746.SH FILES
747.PP
748.I /etc/samhainrc
749.br
750.I /usr/local/man/man8/samhain.8
751.br
752.I /usr/local/man/man5/samhainrc.5
753.br
754.I /var/log/samhain_log
755.br
756.I /var/lib/samhain/samhain_file
757.br
758.I /var/lib/samhain/samhain.html
759.br
760.I /var/run/samhain.pid
761
762.SH SEE ALSO
763.PP
764.BR samhainrc (5)
765
766.SH AUTHOR
767.PP
768Rainer Wichmann (http://la\-samhna.de)
769.SH BUG REPORTS
770.PP
771If you find a bug in
772.BR samhain ,
773please send electronic mail to
774.IR support@la\-samhna.de .
775Please include your operating system and its revision, the version of
776.BR samhain ,
777what C compiler you used to compile it, your 'configure' options, and
778any information that you deem helpful.
779.PP
780.SH COPYING PERMISSIONS
781.PP
782Copyright (\(co) 1999, 2004 Rainer Wichmann
783.PP
784Permission is granted to make and distribute verbatim copies of
785this manual page provided the copyright notice and this permission
786notice are preserved on all copies.
787.ig
788Permission is granted to process this file through troff and print the
789results, provided the printed document carries copying permission
790notice identical to this one except for the removal of this paragraph
791(this paragraph not being relevant to the printed manual page).
792..
793.PP
794Permission is granted to copy and distribute modified versions of this
795manual page under the conditions for verbatim copying, provided that
796the entire resulting derived work is distributed under the terms of a
797permission notice identical to this one.
798
799
800
Note: See TracBrowser for help on using the repository browser.