1 | .TH SAMHAIN 8 "07 August 2004" "" "Samhain manual"
|
---|
2 | .SH NAME
|
---|
3 | samhain \- check file integrity
|
---|
4 | .SH SYNOPSIS
|
---|
5 | .SS "INITIALIZING, UPDATING, AND CHECKING"
|
---|
6 | .PP
|
---|
7 |
|
---|
8 | .B samhain
|
---|
9 | {
|
---|
10 | .I \-t init|\-\-set\-checksum\-test=init
|
---|
11 | } [\-\-init2stdout] [\-r DEPTH|\-\-recursion=DEPTH] [log-options]
|
---|
12 |
|
---|
13 | .B samhain
|
---|
14 | {
|
---|
15 | .I \-t update|\-\-set\-checksum\-test=update
|
---|
16 | } [\-D | \-\-daemon | \-\-foreground] [\-\-forever] [\-r DEPTH|\-\-recursion=DEPTH] [log-options]
|
---|
17 |
|
---|
18 | .B samhain
|
---|
19 | {
|
---|
20 | .I \-t check|\-\-set\-checksum\-test=check
|
---|
21 | } [\-D | \-\-daemon | \-\-foreground] [\-\-forever] [\-r DEPTH,\-\-recursion=DEPTH] [log-options]
|
---|
22 |
|
---|
23 | .SS "LISTING THE DATABASE"
|
---|
24 | .PP
|
---|
25 |
|
---|
26 | .B samhain
|
---|
27 | [\-a | \-\-full\-detail]
|
---|
28 | [\-\-delimited]
|
---|
29 | \-d
|
---|
30 | .IR file |
|
---|
31 | .RI \-\-list\-database= file
|
---|
32 |
|
---|
33 | .SS "VERIFYING AN AUDIT TRAIL"
|
---|
34 | .PP
|
---|
35 |
|
---|
36 | .B samhain
|
---|
37 | [\-j | \-\-just\-list]
|
---|
38 | \-L
|
---|
39 | .IR logfile |
|
---|
40 | .RI \-\-verify\-log= logfile
|
---|
41 |
|
---|
42 | .B samhain
|
---|
43 | \-M
|
---|
44 | .IR mailbox |
|
---|
45 | .RI \-\-verify\-mail= mailbox
|
---|
46 |
|
---|
47 |
|
---|
48 | .SS "MISCELLANEOUS"
|
---|
49 | .PP
|
---|
50 |
|
---|
51 | .B samhain
|
---|
52 | .RI \-\-server\-port= portnumber
|
---|
53 |
|
---|
54 | .B samhain
|
---|
55 | \-H
|
---|
56 | .I string
|
---|
57 | |
|
---|
58 | .RI \-\-hash\-string= string
|
---|
59 |
|
---|
60 | .B samhain
|
---|
61 | \-c | \-\-copyright
|
---|
62 |
|
---|
63 | .B samhain
|
---|
64 | \-v | \-\-version
|
---|
65 |
|
---|
66 | .B samhain
|
---|
67 | \-h | \-\-help
|
---|
68 |
|
---|
69 | .B samhain
|
---|
70 | \-V key@/path/to/executable | \-\-add\-key=key@/path/to/executable
|
---|
71 |
|
---|
72 | .SS "SERVER STARTUP"
|
---|
73 | .PP
|
---|
74 |
|
---|
75 | .B yule
|
---|
76 | [\-q | \-\-qualified]
|
---|
77 | [
|
---|
78 | .RI \-\-chroot= chrootdir ]
|
---|
79 | [\-D | \-\-daemon | \-\-foreground]
|
---|
80 | [log-options]
|
---|
81 |
|
---|
82 | .SS "SERVER MISCELLANEOUS"
|
---|
83 | .PP
|
---|
84 |
|
---|
85 | .B yule
|
---|
86 | [\-P
|
---|
87 | .I password
|
---|
88 | |
|
---|
89 | .RI \-\-password= password ]
|
---|
90 |
|
---|
91 | .B yule
|
---|
92 | [\-G | \-\-gen-password]
|
---|
93 |
|
---|
94 | .SS "LOG OPTIONS"
|
---|
95 | .PP
|
---|
96 |
|
---|
97 | [\-s
|
---|
98 | .I threshold
|
---|
99 | |
|
---|
100 | .RI \-\-set\-syslog\-severity= threshold ]
|
---|
101 | [\-l
|
---|
102 | .I threshold
|
---|
103 | |
|
---|
104 | .RI \-\-set\-log\-severity= threshold ]
|
---|
105 | [\-m
|
---|
106 | .I threshold
|
---|
107 | |
|
---|
108 | .RI \-\-set\-mail\-severity= threshold ]
|
---|
109 | [\-e
|
---|
110 | .I threshold
|
---|
111 | |
|
---|
112 | .RI \-\-set\-export\-severity= threshold ]
|
---|
113 | [\-p
|
---|
114 | .I threshold
|
---|
115 | |
|
---|
116 | .RI \-\-set\-print\-severity= threshold ]
|
---|
117 | [\-x
|
---|
118 | .I threshold
|
---|
119 | |
|
---|
120 | .RI \-\-set\-external\-severity= threshold ]
|
---|
121 | [
|
---|
122 | .RI \-\-set\-prelude\-severity= threshold ]
|
---|
123 | [
|
---|
124 | .RI \-\-set\-database\-severity= threshold ]
|
---|
125 | [
|
---|
126 | .RI \-\-enable\-trace ]
|
---|
127 | [
|
---|
128 | .RI \-\-trace\-logfile= tracefile ]
|
---|
129 |
|
---|
130 |
|
---|
131 |
|
---|
132 | .SH WARNING
|
---|
133 | .PP
|
---|
134 | The information in this man page is not always up to date.
|
---|
135 | The authoritative documentation is the user manual.
|
---|
136 |
|
---|
137 | .SH DESCRIPTION
|
---|
138 | .PP
|
---|
139 | .B samhain
|
---|
140 | is a file integrity / intrusion detection system both for single hosts
|
---|
141 | and networks.
|
---|
142 | It consists of a monitoring application
|
---|
143 | .RB ( samhain )
|
---|
144 | running on
|
---|
145 | individual hosts, and (optionally) a central log server
|
---|
146 | .RB ( yule ).
|
---|
147 | Currently, samhain can monitor the
|
---|
148 | integrity of files/directories, and (optionally) also
|
---|
149 | check for kernel rootkits
|
---|
150 | (Linux and FreeBSD only), search the disk for SUID/SGID,
|
---|
151 | and watch for login/logout events.
|
---|
152 | .PP
|
---|
153 | .B samhain/yule
|
---|
154 | can log by email, to a tamper-resistant, signed log file,
|
---|
155 | to syslog, to the Prelude IDS, to a MySQL/PostgreSQL/Oracle database,
|
---|
156 | and/or to stdout
|
---|
157 | .RI ( /dev/console
|
---|
158 | if run as daemon).
|
---|
159 | .B samhain/yule
|
---|
160 | can run as a daemon, and can use a time server instead of the host's
|
---|
161 | system clock. Most of the functionality is defined by a
|
---|
162 | configuration file that is read at startup.
|
---|
163 | .PP
|
---|
164 | Most options of these usually would be set in the configuration file.
|
---|
165 | Options given on the command line will override
|
---|
166 | those in the configuration file.
|
---|
167 |
|
---|
168 | .SS "OPTIONS FOR INITIALIZING, UPDATING, AND CHECKING"
|
---|
169 | .PP
|
---|
170 |
|
---|
171 | .B samhain
|
---|
172 | .I "\-t init, \-\-set\-checksum-test=init"
|
---|
173 | .RI [ options ]
|
---|
174 |
|
---|
175 | Initialize the database of file signatures. The path to the
|
---|
176 | database is compiled in, and initializing will
|
---|
177 | .B append
|
---|
178 | to the respective file (or create it, if it does not exist).
|
---|
179 | .B "It is ok to append to e.g. a JPEG image, but it is an error"
|
---|
180 | .B "to append to an already existing file signature database."
|
---|
181 | .PP
|
---|
182 | .TP
|
---|
183 | [\-\-init2stdout]
|
---|
184 | Write the database to stdout.
|
---|
185 | .TP
|
---|
186 | [\-r DEPTH|\-\-recursion=DEPTH]
|
---|
187 | Set the (global) recursion depth.
|
---|
188 |
|
---|
189 | .PP
|
---|
190 | .B samhain
|
---|
191 | .I "\-t update, \-\-set\-checksum-test=update"
|
---|
192 | .RI [ options ]
|
---|
193 |
|
---|
194 | Update the database of file signatures. The path to the
|
---|
195 | database is compiled in, and updating will
|
---|
196 | .B overwrite
|
---|
197 | the database, starting from the start of the database (which may not be
|
---|
198 | identical to the start of the file \- see above).
|
---|
199 | .PP
|
---|
200 | .TP
|
---|
201 | [\-r DEPTH|\-\-recursion=DEPTH]
|
---|
202 | Set the (global) recursion depth.
|
---|
203 | .TP
|
---|
204 | [\-D|\-\-daemon]
|
---|
205 | Run as daemon. File checks are performed as specified by the timing
|
---|
206 | options in the configuration file. Updates are saved after each file check.
|
---|
207 | .TP
|
---|
208 | [\-\-foreground]
|
---|
209 | Run in the foreground. This will cause samhain to exit after the update,
|
---|
210 | unless the option
|
---|
211 | .I "\-\-forever"
|
---|
212 | is used.
|
---|
213 | .TP
|
---|
214 | [\-\-forever]
|
---|
215 | If not running as daemon, do not exit after finishing the update, but
|
---|
216 | loop forever, and perform checks with corresponding database updates
|
---|
217 | according to the timing options in the
|
---|
218 | configuration file.
|
---|
219 |
|
---|
220 | .PP
|
---|
221 | .B samhain
|
---|
222 | .I "\-t check, \-\-set\-checksum-test=check"
|
---|
223 | .RI [ options ]
|
---|
224 |
|
---|
225 | Check the filesystem against the database of file signatures.
|
---|
226 | The path to the database is compiled in.
|
---|
227 | .PP
|
---|
228 | .TP
|
---|
229 | [\-r DEPTH|\-\-recursion=DEPTH]
|
---|
230 | Set the (global) recursion depth.
|
---|
231 | .TP
|
---|
232 | [\-D|\-\-daemon]
|
---|
233 | Run as daemon. File checks are performed as specified by the timing
|
---|
234 | options in the configuration file.
|
---|
235 | .TP
|
---|
236 | [\-\-foreground]
|
---|
237 | Run in the foreground. This will cause samhain to exit after the file check,
|
---|
238 | unless the option
|
---|
239 | .I "\-\-forever"
|
---|
240 | is used.
|
---|
241 | .TP
|
---|
242 | [\-\-forever]
|
---|
243 | If not running as daemon, do not exit after finishing the check, but
|
---|
244 | loop forever, and perform checks according to the timing options in the
|
---|
245 | configuration file.
|
---|
246 |
|
---|
247 | .SS "OPTIONS FOR LISTING THE DATABASE"
|
---|
248 | .PP
|
---|
249 |
|
---|
250 | .B samhain
|
---|
251 | [\-a | \-\-full\-detail]
|
---|
252 | [\-\-delimited]
|
---|
253 | \-d
|
---|
254 | .IR file |
|
---|
255 | .RI \-\-list\-database= file
|
---|
256 |
|
---|
257 | List the entries in the file signature database in a
|
---|
258 | .B ls \-l
|
---|
259 | like format.
|
---|
260 | .PP
|
---|
261 | .TP
|
---|
262 | [\-a | \-\-full\-detail]
|
---|
263 | List all informations for each file, not only those you would get
|
---|
264 | with ls \-l. Must precede the \-d option.
|
---|
265 | .TP
|
---|
266 | [\-\-delimited]
|
---|
267 | List all informations for each file, in a comma-separated format.
|
---|
268 | Must precede the \-d option.
|
---|
269 | .TP
|
---|
270 | .RI [\-\-list\-file= file ]
|
---|
271 | List the literal content of the given file as stored in the database.
|
---|
272 | Content is not stored by default, must be enabled in the runtime
|
---|
273 | configuration file. Must precede the \-d option.
|
---|
274 |
|
---|
275 | .SS "OPTIONS TO VERIFY AN AUDIT TRAIL"
|
---|
276 | .PP
|
---|
277 |
|
---|
278 | These options will only work, if the executable used for verifying the
|
---|
279 | audit trail is compiled with the same \-\-enable\-base=... option as the
|
---|
280 | executable of the reporting process.
|
---|
281 |
|
---|
282 | .B samhain
|
---|
283 | [\-j | \-\-just\-list]
|
---|
284 | \-L
|
---|
285 | .IR logfile |
|
---|
286 | .RI \-\-verify\-log= logfile
|
---|
287 |
|
---|
288 | Verify the integrity of a signed logfile. The signing key is
|
---|
289 | auto\-generated on startup, and sent by email.
|
---|
290 | .B samhain
|
---|
291 | will ask for the key. Instead of entering the key, you can also enter
|
---|
292 | the path to the mailbox holding the respective email message.
|
---|
293 | .PP
|
---|
294 | .TP
|
---|
295 | [\-j | \-\-just\-list]
|
---|
296 | Just list the logfile, do not verify it. This option must come
|
---|
297 | .BR first .
|
---|
298 | It is mainly intended for listing the content of an obfuscated logfile, if
|
---|
299 | .B samhain
|
---|
300 | is compiled with the
|
---|
301 | .B stealth
|
---|
302 | option.
|
---|
303 |
|
---|
304 | .B samhain
|
---|
305 | \-M
|
---|
306 | .IR mailbox |
|
---|
307 | .RI \-\-verify\-mail= mailbox
|
---|
308 |
|
---|
309 | Verify the integrity of the email reports from samhain. All reports must be
|
---|
310 | in the same file.
|
---|
311 |
|
---|
312 | .SS "MISCELLANEOUS OPTIONS"
|
---|
313 | .PP
|
---|
314 |
|
---|
315 | .B samhain
|
---|
316 | .RI \-\-server\-port= portnumber
|
---|
317 |
|
---|
318 | Choose the port on the server host to which the client will connect.
|
---|
319 |
|
---|
320 | .B samhain
|
---|
321 | \-H
|
---|
322 | .I string
|
---|
323 | |
|
---|
324 | .RI \-\-hash\-string= string
|
---|
325 |
|
---|
326 | Compute the TIGER192 checksum of a string. If the string starts with
|
---|
327 | a '/', it is considered as a pathname, and the checksum of the corresponding
|
---|
328 | file will be computed.
|
---|
329 |
|
---|
330 | .B samhain
|
---|
331 | \-c | \-\-copyright
|
---|
332 |
|
---|
333 | Print the copyright statement.
|
---|
334 |
|
---|
335 | .B samhain
|
---|
336 | \-v | \-\-version
|
---|
337 |
|
---|
338 | Show version and compiled-in options.
|
---|
339 |
|
---|
340 | .B samhain
|
---|
341 | \-h | \-\-help
|
---|
342 |
|
---|
343 | Print supported command line options (depending on compilation options).
|
---|
344 |
|
---|
345 | .B samhain
|
---|
346 | \-V key@/path/to/executable | \-\-add\-key=key@/path/to/executable
|
---|
347 |
|
---|
348 | See the section "SECURITY" below.
|
---|
349 |
|
---|
350 | .SS "SERVER STARTUP OPTIONS"
|
---|
351 | .PP
|
---|
352 |
|
---|
353 | .B yule
|
---|
354 | [\-q | \-\-qualified]
|
---|
355 | [
|
---|
356 | .RI \-\-chroot= chrootdir ]
|
---|
357 | [\-D | \-\-daemon | \-\-foreground]
|
---|
358 | [log-options]
|
---|
359 |
|
---|
360 | Start the server, which is named
|
---|
361 | .B yule
|
---|
362 | by default. If the server is started with superuser privileges,
|
---|
363 | it will drop them after startup.
|
---|
364 | .PP
|
---|
365 | .TP
|
---|
366 | [\-q | \-\-qualified]
|
---|
367 | Log client hostnames with fully qualified path. The default is to
|
---|
368 | log only the leftmost domain label (i.e. the hostname).
|
---|
369 | .TP
|
---|
370 | [
|
---|
371 | .RI \-\-chroot= chrootdir ]
|
---|
372 | Chroot to the listed directory after startup.
|
---|
373 | .TP
|
---|
374 | [\-D | \-\-daemon]
|
---|
375 | Run as daemon.
|
---|
376 | .TP
|
---|
377 | [\-\-foreground]
|
---|
378 | Run in the foreground.
|
---|
379 |
|
---|
380 |
|
---|
381 | .SS "MISCELLANEOUS SERVER OPTIONS"
|
---|
382 | .PP
|
---|
383 |
|
---|
384 | .B yule
|
---|
385 | [\-G | \-\-gen-password]
|
---|
386 |
|
---|
387 | Generate a random 8\-byte password and print it out in hexadecimal notation.
|
---|
388 |
|
---|
389 |
|
---|
390 | .B yule
|
---|
391 | [\-P
|
---|
392 | .I password
|
---|
393 | |
|
---|
394 | .RI \-\-password= password ]
|
---|
395 |
|
---|
396 | Use the given
|
---|
397 | .I password
|
---|
398 | and generate an entry suitable for the [Clients] section of the
|
---|
399 | configuration file.
|
---|
400 |
|
---|
401 | .SS "LOGGING OPTIONS"
|
---|
402 | .PP
|
---|
403 |
|
---|
404 | Depending on the compilation options, some logging facilities may not
|
---|
405 | be available in your executable.
|
---|
406 | .PP
|
---|
407 | .TP
|
---|
408 | .I "\-s threshold, \-\-set\-syslog\-severity=threshold"
|
---|
409 | Set the threshold for logging events via syslogd(8).
|
---|
410 | Possible values are
|
---|
411 | .IR debug ,
|
---|
412 | .IR info ,
|
---|
413 | .IR notice ,
|
---|
414 | .IR warn ,
|
---|
415 | .IR mark ,
|
---|
416 | .IR err ,
|
---|
417 | .IR crit ,
|
---|
418 | .IR alert ,
|
---|
419 | and
|
---|
420 | .IR none .
|
---|
421 | By default, everything equal to and above the threshold will be logged.
|
---|
422 | Time stamps have the priority
|
---|
423 | .IR warn ,
|
---|
424 | system\-level errors have the priority
|
---|
425 | .IR err ,
|
---|
426 | and important start\-up messages the priority
|
---|
427 | .IR alert .
|
---|
428 | The signature key for the log file will never be logged to syslog or the
|
---|
429 | log file itself.
|
---|
430 | .TP
|
---|
431 | .I "\-l threshold, \-\-set\-log\-severity=threshold"
|
---|
432 | Set the threshold for logging events to the log file.
|
---|
433 | .TP
|
---|
434 | .I "\-m threshold, \-\-set\-mail\-severity=threshold"
|
---|
435 | Set the threshold for logging events via e\-mail.
|
---|
436 | .TP
|
---|
437 | .I "\-e threshold, \-\-set\-export\-severity=threshold"
|
---|
438 | Set the threshold for forwarding events via TCP to a log server.
|
---|
439 | .TP
|
---|
440 | .I "\-x threshold, \-\-set\-extern\-severity=threshold"
|
---|
441 | Set the threshold for calling external logging programs/scripts (if any are
|
---|
442 | defined in the configuration file).
|
---|
443 | .TP
|
---|
444 | .I "\-p threshold, \-\-set\-print\-severity=threshold"
|
---|
445 | Set the threshold for logging events to stdout.
|
---|
446 | If
|
---|
447 | .B samhain
|
---|
448 | runs as a daemon, this is redirected to /dev/console.
|
---|
449 | .TP
|
---|
450 | .I "\-\-set\-prelude\-severity=threshold"
|
---|
451 | Set the threshold for logging events to the Prelude IDS.
|
---|
452 | .TP
|
---|
453 | .I "\-\-set\-database\-severity=threshold"
|
---|
454 | Set the threshold for logging events to the MySQL/PostgreSQL/Oracle
|
---|
455 | database.
|
---|
456 |
|
---|
457 |
|
---|
458 |
|
---|
459 | .SH SIGNALS
|
---|
460 | .TP
|
---|
461 | .I SIGUSR1
|
---|
462 | Switch on/off maximum verbosity for console output.
|
---|
463 | .TP
|
---|
464 | .I SIGUSR2
|
---|
465 | Suspend/continue the process, and
|
---|
466 | (on suspend) send a message
|
---|
467 | to the server. This message has the same priority as timestamps.
|
---|
468 | This signal
|
---|
469 | allows to run
|
---|
470 | .I samhain -t init -e none
|
---|
471 | on the client
|
---|
472 | to regenerate the database, with download of the configuration file
|
---|
473 | from the server, while the daemon is suspended (normally you would get
|
---|
474 | errors because of concurrent access to the server by two processes from
|
---|
475 | the
|
---|
476 | .IR "same host" ")."
|
---|
477 | .TP
|
---|
478 | .I SIGHUP
|
---|
479 | Reread the configuration file.
|
---|
480 | .TP
|
---|
481 | .I SIGTERM
|
---|
482 | Terminate.
|
---|
483 | .TP
|
---|
484 | .I SIGQUIT
|
---|
485 | Terminate after processing all pending requests from clients.
|
---|
486 | .TP
|
---|
487 | .I SIGABRT
|
---|
488 | Unlock the log file, pause for three seconds, then proceed,
|
---|
489 | eventually re-locking the log file and starting a fresh audit trail
|
---|
490 | on next access.
|
---|
491 | .TP
|
---|
492 | .I SIGTTOU
|
---|
493 | Force a file check (only client/standalone, and only in daemon mode).
|
---|
494 |
|
---|
495 |
|
---|
496 | .SH DATABASE
|
---|
497 | The database (default name
|
---|
498 | .IR samhain_file )
|
---|
499 | is a binary file, which can be created or updated using the
|
---|
500 | .B \-t
|
---|
501 | .I init
|
---|
502 | or the
|
---|
503 | .B \-t
|
---|
504 | .I update
|
---|
505 | option.
|
---|
506 | If you use
|
---|
507 | .B \-t
|
---|
508 | .IR init ,
|
---|
509 | you need to
|
---|
510 | .I remove
|
---|
511 | the old database first,
|
---|
512 | otherwise the new version will be
|
---|
513 | .I appended
|
---|
514 | to the old one.
|
---|
515 | The file may be (clear text) signed by PGP/GnuPG.
|
---|
516 | .br
|
---|
517 | It is recommended to use GnuPG with the options
|
---|
518 | .B gpg
|
---|
519 | .I -a --clearsign --not-dash-escaped
|
---|
520 | .br
|
---|
521 | .B samhain
|
---|
522 | will check the signature, if compiled with support for that.
|
---|
523 | .PP
|
---|
524 | At startup
|
---|
525 | .B samhain
|
---|
526 | will compute the checksum of the database, and verify it for
|
---|
527 | each further access. This checksum is not stored on disk (i.e. is lost
|
---|
528 | after program termination), as there is no secure way to store it.
|
---|
529 |
|
---|
530 | .SH LOG FILE
|
---|
531 | .PP
|
---|
532 | Each entry in the log file has the format
|
---|
533 | .BR "Severity : [Timestamp] Message" ,
|
---|
534 | where the timestamp may be obtained from a time server rather than from
|
---|
535 | the system clock, if
|
---|
536 | .B samhain
|
---|
537 | has been compiled with support for this.
|
---|
538 | Each entry is followed by a
|
---|
539 | .IR signature ,
|
---|
540 | which is computed as
|
---|
541 | .BR "Hash(Entry Key_N)" ,
|
---|
542 | and
|
---|
543 | .B Key_N
|
---|
544 | is computed as
|
---|
545 | .BR "Hash(Key_N\-1)" ,
|
---|
546 | i.e. only knowledge of the first signature key in this chain allows to
|
---|
547 | verify the integrity of the log file. This first key is autogenerated
|
---|
548 | and e\-mailed to the designated recipient.
|
---|
549 | .PP
|
---|
550 | The default name of the log file is
|
---|
551 | .IR samhain_log .
|
---|
552 | To prevent multiple instances of
|
---|
553 | .B samhain
|
---|
554 | from writing to the same log file, the log file is locked by creating a
|
---|
555 | .IR "lock file" ,
|
---|
556 | which is normally deleted at program termination.
|
---|
557 | The default name of the
|
---|
558 | .I "lock file"
|
---|
559 | is
|
---|
560 | .IR samhain.lock .
|
---|
561 | If
|
---|
562 | .B samhain
|
---|
563 | is terminated abnormally, i.e. with kill \-9,
|
---|
564 | a stale lock file might remain, but usually
|
---|
565 | .B samhain
|
---|
566 | will be able to recognize that and remove the stale lock file
|
---|
567 | on the next startup.
|
---|
568 | .PP
|
---|
569 | .SH EMAIL
|
---|
570 | .PP
|
---|
571 | E\-mails are sent (using built-in SMTP code)
|
---|
572 | to one recipient only.
|
---|
573 | The subject line contains timestamp
|
---|
574 | and hostname, which are repeated in the message body.
|
---|
575 | The body of the mail contains a line with a
|
---|
576 | .I signature
|
---|
577 | similar to that in the log file, computed from the message and a
|
---|
578 | key. The key is iterated by a hash chain, and the initial
|
---|
579 | key is revealed in the first email sent.
|
---|
580 | Obviously, you have to believe that this first e\-mail is
|
---|
581 | authentical ...
|
---|
582 | .PP
|
---|
583 | .SH CLIENT/SERVER USAGE
|
---|
584 | .PP
|
---|
585 | To monitor several machines, and collecting data by a central log server,
|
---|
586 | .B samhain
|
---|
587 | may be compiled as a client/server application. The log server
|
---|
588 | .RB ( yule )
|
---|
589 | will accept connection
|
---|
590 | requests from registered clients only. With each client, the server will first
|
---|
591 | engage in a challenge/response protocol for
|
---|
592 | .I authentication
|
---|
593 | of the client and
|
---|
594 | .I establishing
|
---|
595 | a
|
---|
596 | .IR "session key" .
|
---|
597 | .PP
|
---|
598 | This protocol requires on the client side a
|
---|
599 | .IR "password" ,
|
---|
600 | and on the server side a
|
---|
601 | .IR "verifier"
|
---|
602 | that is computed from the
|
---|
603 | .IR "password" .
|
---|
604 | .PP
|
---|
605 | To
|
---|
606 | .I register
|
---|
607 | a client, simply do the following:
|
---|
608 | .br
|
---|
609 | First, with the included utility program
|
---|
610 | .B samhain_setpwd
|
---|
611 | re\-set the compiled\-in default password of the
|
---|
612 | client executable to your preferred
|
---|
613 | value (with no option, a short usage help is printed).
|
---|
614 | To allow for non-printable chars, the new value
|
---|
615 | must be given as a 16\-digit hexadecimal string
|
---|
616 | (only 0123456789ABCDEF in string), corresponding to an 8-byte password.
|
---|
617 | .br
|
---|
618 | Second, after re\-setting the password in the client executable,
|
---|
619 | you can use the server's convenience function
|
---|
620 | .B yule
|
---|
621 | .B \-P
|
---|
622 | .I password
|
---|
623 | that will take as input the (16\-digit hex) password,
|
---|
624 | compute the corresponding verifier, and outputs a default configuration file
|
---|
625 | entry to register the client.
|
---|
626 | .br
|
---|
627 | Third, in the configuration file for the server, under the [Clients] section,
|
---|
628 | enter
|
---|
629 | the suggested registration entry of the form
|
---|
630 | .IR "Client=hostname@salt@verifier" ,
|
---|
631 | where
|
---|
632 | .I hostname
|
---|
633 | must be the (fully qualified) hostname of the machine on
|
---|
634 | which the client will run.
|
---|
635 | .B "Don't forget to reload the server configuration thereafter."
|
---|
636 | .PP
|
---|
637 | If a connection attempt is made, the server will lookup the entry for
|
---|
638 | the connecting host, and use the corresponding value for the
|
---|
639 | .I verifier
|
---|
640 | to engage in the session key exchange. Failure to verify the client's
|
---|
641 | response(s) will result in aborting the connection.
|
---|
642 | .PP
|
---|
643 | .SH STEALTH
|
---|
644 | .PP
|
---|
645 | .B samhain
|
---|
646 | may be compiled with support for a
|
---|
647 | .I stealth
|
---|
648 | mode of operation, meaning that
|
---|
649 | the program can be run without any obvious trace of its presence
|
---|
650 | on disk. The supplied facilities are simple - they are more
|
---|
651 | sophisticated than just running the program under a different name,
|
---|
652 | and might thwart efforts using 'standard' Unix commands,
|
---|
653 | but they will not resist a search using dedicated utilities.
|
---|
654 | .PP
|
---|
655 | In this mode, the runtime executable will hold no
|
---|
656 | printable strings, and the configuration file is expected to be
|
---|
657 | a postscript file with
|
---|
658 | .I uncompressed
|
---|
659 | image data, wherein
|
---|
660 | the configuration data are hidden by steganography.
|
---|
661 | To create such a file from an existing image, you may use e.g.
|
---|
662 | the program
|
---|
663 | .BR convert (1),
|
---|
664 | which is part of the
|
---|
665 | .BR ImageMagick (1)
|
---|
666 | package, such as:
|
---|
667 | .B "convert +compress"
|
---|
668 | .IR "ima.jpg ima.ps" .
|
---|
669 | .PP
|
---|
670 | To hide/extract the configuration data within/from the postscript file,
|
---|
671 | a utility program
|
---|
672 | .B samhain_stealth
|
---|
673 | is provided.
|
---|
674 | Use it without options to get help.
|
---|
675 | .PP
|
---|
676 | Database and log file may be e.g. existing image files, to which
|
---|
677 | data are appended, xor'ed with some constant to mask them as binary data.
|
---|
678 | .PP
|
---|
679 | The user is responsible by herself for re-naming the compiled
|
---|
680 | executable(s) to unsuspicious names, and choosing (at compile time)
|
---|
681 | likewise unsuspicious names for config file, database, and log (+lock) file.
|
---|
682 | .PP
|
---|
683 | .SH SECURITY
|
---|
684 | .PP
|
---|
685 | For security reasons,
|
---|
686 | .B samhain
|
---|
687 | will not write log or data files in a directory, remove the lock file,
|
---|
688 | or read the configuration file, if any element
|
---|
689 | in the path is owned or writeable by an untrusted user (including
|
---|
690 | group-writeable files with untrusted users in the group, and world-writeable
|
---|
691 | files).
|
---|
692 | .br
|
---|
693 | .I root
|
---|
694 | and the
|
---|
695 | .I effective
|
---|
696 | user are always trusted. You can add more users in the configuration file.
|
---|
697 | .PP
|
---|
698 | Using a
|
---|
699 | .I "numerical host address"
|
---|
700 | in the e\-mail address is more secure than
|
---|
701 | using the hostname (does not require
|
---|
702 | DNS lookup).
|
---|
703 | .PP
|
---|
704 | If you use a
|
---|
705 | .I precompiled
|
---|
706 | .B samhain
|
---|
707 | executable (e.g. from a
|
---|
708 | binary distribution), in principle a prospective intruder could easily
|
---|
709 | obtain a copy of the executable and analyze it in advance. This will
|
---|
710 | enable her/him to generate fake audit trails and/or generate
|
---|
711 | a trojan for this particular binary distribution.
|
---|
712 | .br
|
---|
713 | For this reason, it is possible for the user to add more key material into
|
---|
714 | the binary executable. This is done with the command:
|
---|
715 | .PP
|
---|
716 | .BI "samhain " \-\-add\-key=key@/path/to/executable
|
---|
717 | .PP
|
---|
718 | This will read the file
|
---|
719 | .I /path/to/executable, add the key
|
---|
720 | .I key,
|
---|
721 | which should not contain a '@' (because it has a special meaning, separating
|
---|
722 | key from path), overwrite any key previously set by this command, and
|
---|
723 | write the new binary to the location
|
---|
724 | .I /path/to/executable.out
|
---|
725 | (i.e. with .out appended). You should then copy the new binary to the location
|
---|
726 | of the old one (i.e. overwrite the old one).
|
---|
727 | .PP
|
---|
728 | .B Note that using a precompiled samhain executable from a binary
|
---|
729 | .B package distribution is not recommended unless you add in key material as
|
---|
730 | .B described here.
|
---|
731 |
|
---|
732 | .PP
|
---|
733 | .SH NOTES
|
---|
734 | .PP
|
---|
735 | For initializing the key(s),
|
---|
736 | .I "/dev/random"
|
---|
737 | is used, if available. This is a
|
---|
738 | device supplying cryptographically strong
|
---|
739 | (non-deterministic) random noise. Because it is slow,
|
---|
740 | .B samhain
|
---|
741 | might appear to hang at startup. Doing some random things
|
---|
742 | (performing rain dances, spilling coffee, hunting the mouse) might speed up
|
---|
743 | things. If you do not have
|
---|
744 | .IR "/dev/random" ,
|
---|
745 | lots of statistics from
|
---|
746 | .BR vmstat (8)
|
---|
747 | and the like will be pooled and mixed by a hash function.
|
---|
748 | .PP
|
---|
749 | Some hosts might check whether the sender of the mail is valid.
|
---|
750 | Use only
|
---|
751 | .I "login names"
|
---|
752 | for the sender.
|
---|
753 | .br
|
---|
754 | For sending mails, you may need to set a relay host for the sender domain
|
---|
755 | in the configuration file.
|
---|
756 | .PP
|
---|
757 | .SH BUGS
|
---|
758 | .PP
|
---|
759 | Whoever has the original signature key may change the log file and send fake
|
---|
760 | e\-mails. The signature keys are e\-mailed at program startup
|
---|
761 | with a one\-time pad encryption.
|
---|
762 | This should be safe against an eavesdropper on the network,
|
---|
763 | but not against someone with read access to the binary,
|
---|
764 | .I if
|
---|
765 | she has caught
|
---|
766 | the e\-mail.
|
---|
767 | .PP
|
---|
768 | .SH FILES
|
---|
769 | .PP
|
---|
770 | .I /etc/samhainrc
|
---|
771 | .br
|
---|
772 | .I /usr/local/man/man8/samhain.8
|
---|
773 | .br
|
---|
774 | .I /usr/local/man/man5/samhainrc.5
|
---|
775 | .br
|
---|
776 | .I /var/log/samhain_log
|
---|
777 | .br
|
---|
778 | .I /var/lib/samhain/samhain_file
|
---|
779 | .br
|
---|
780 | .I /var/lib/samhain/samhain.html
|
---|
781 | .br
|
---|
782 | .I /var/run/samhain.pid
|
---|
783 |
|
---|
784 | .SH SEE ALSO
|
---|
785 | .PP
|
---|
786 | .BR samhainrc (5)
|
---|
787 |
|
---|
788 | .SH AUTHOR
|
---|
789 | .PP
|
---|
790 | Rainer Wichmann (http://la\-samhna.de)
|
---|
791 | .SH BUG REPORTS
|
---|
792 | .PP
|
---|
793 | If you find a bug in
|
---|
794 | .BR samhain ,
|
---|
795 | please send electronic mail to
|
---|
796 | .IR support@la\-samhna.de .
|
---|
797 | Please include your operating system and its revision, the version of
|
---|
798 | .BR samhain ,
|
---|
799 | what C compiler you used to compile it, your 'configure' options, and
|
---|
800 | any information that you deem helpful.
|
---|
801 | .PP
|
---|
802 | .SH COPYING PERMISSIONS
|
---|
803 | .PP
|
---|
804 | Copyright (\(co) 1999, 2004 Rainer Wichmann
|
---|
805 | .PP
|
---|
806 | Permission is granted to make and distribute verbatim copies of
|
---|
807 | this manual page provided the copyright notice and this permission
|
---|
808 | notice are preserved on all copies.
|
---|
809 | .ig
|
---|
810 | Permission is granted to process this file through troff and print the
|
---|
811 | results, provided the printed document carries copying permission
|
---|
812 | notice identical to this one except for the removal of this paragraph
|
---|
813 | (this paragraph not being relevant to the printed manual page).
|
---|
814 | ..
|
---|
815 | .PP
|
---|
816 | Permission is granted to copy and distribute modified versions of this
|
---|
817 | manual page under the conditions for verbatim copying, provided that
|
---|
818 | the entire resulting derived work is distributed under the terms of a
|
---|
819 | permission notice identical to this one.
|
---|
820 |
|
---|
821 |
|
---|
822 |
|
---|