samhain file integrity scanner | online documentation
FAQ Revised: Tuesday 31 January 2006 21:28:35
--enable-static) on Solaris fail ?
--enable-(micro-)stealth ?
$ ./configure --with-trusted=0,...
[Misc] TrustedUser=username
$ samhain -p info ...
[Log] PrintSeverity=info
$ samhain -p none ...
[Log] PrintSeverity=none
Below you can find some examples of good and bad /etc/hosts files:

    # CORRECT
    #
    127.0.0.1  localhost
    xxx.xxx.xxx.xxx myhost.mydomain.tld  myhost

    # CORRECT
    #
    127.0.0.1  localhost.localdomain localhost
    xxx.xxx.xxx.xxx myhost.mydomain.tld  myhost

    # BAD
    #
    127.0.0.1  myhost.mydomain.tld  localhost
    xxx.xxx.xxx.xxx myhost.mydomain.tld  myhost

    # BAD
    #
    127.0.0.1  localhost myhost
    xxx.xxx.xxx.xxx myhost.mydomain.tld  myhost
--enable-static) on Solaris fail ?
mysql_config --libs. The version of mysql_config that comes with the RedHat mysql RPM (RedHat 9) does not have this bug; the one distributed by the MySQL people has. You can fix the problem by editing mysql_config: search for the client_libs variable, and remove all instances of -lnss_files and -lnss_dns.

    samhain -jL /path/to/logfile

to view the logfile.
    -O1 -fno-delayed-branch -fexpensive-optimizations -fstrength-reduce
    -fpeephole2 -fschedule-insns2 -fregmove -frename-registers -fweb
    -momit-leaf-frame-pointer -funroll-loops

These options were determined using acovea 5.1.1 by Scott Robert Ladd. The file is provided as precompiled assembly because different versions of gcc can have very different performance, require different options to compile optimal code, and it would be impossible to maintain a library of optimal compile options for every version of gcc.

    [IgnoreAll]
    dir=-1/ignore/this/subdirectory
    [Misc]
    # Switch off hardlink check
    # UseHardlinkCheck=no

    [Misc]
    # Specify exceptions for the hardlink check
    # HardlinkOffset=N:/path
iptables -t nat -A OUTPUT -p tcp -m tcp --dport 49777 -d server-ip -j REDIRECT
ssh -f -C -R 49777:localhost:49777 -N client-ip
    [Misc]
    SetClientFromAccept = false
    SeverityLookup = debug
The server must be able to determine the client name. This is because only authenticated connections from registered clients are allowed, and the server must be able to check the client hostname against the list of allowed hosts, and look up the password verifier for that host.
First method: Determine client name on client, and try to cross-check on server
This does not work for a number of people because (1) the /etc/hosts file on the client machine has errors (yes, there are plenty of machines with a completely messed up /etc/hosts file), (2) the server cannot resolve the client address because the local DNS is f***ed up, or (3) the client machine has multiple network interfaces, and the interface used is not the one the client name resolves to.
If the client uses the wrong interface on a multi-interface machine, there is a config file option SetBindAddress=IP address that lets you choose the interface the client will use for outgoing connections.
If you want to download the config file from the server, you should instead use the corresponding command line --bind-address=IP address to select the interface.
If you encounter problems, you may (1) fix your /etc/hosts file(s), (2) fix your local DNS, or (3) switch to the second method.
Errors in name resolving/cross-checking can be avoided by setting a very low severity (lower than the logging threshold), e.g.
SeverityLookup=debug
in the Misc section of the server configuration, if you prefer running unsafe at any speed instead of fixing the problem (you have been warned). Doing so will allow an attacker to pose as the client.
Second method: Use address of connecting entity as known to the communication layer
This has been dropped as default long ago because it may not always be the address of the client machine. To enable this method, use
SetClientFromAccept=true
in the Misc section of the server configuration file. If the address cannot be resolved, or reverse lookup of the resolved name fails, no error message will be issued, but the numerical address will be used.
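The two failure modes described above, a client /etc/hosts file that maps the machine's own name to the loopback address (see the CORRECT/BAD examples earlier on this page) and a claimed client name that does not resolve to the address the connection actually came from, can both be checked before the client is registered. The following is an added, stand-alone example, not code from the samhain FAQ or from samhain itself: it re-implements the forward cross-check in plain Python so the reasoning is visible. The sample hosts files, the address 192.0.2.x range and the fake resolver are constructed for the example; the default resolver goes through the operating system's resolver library (the same path nslookup does not use, as the FAQ points out).

```python
"""Added example (not samhain's code): check a hosts file for loopback
entries that would make a client resolve itself to 127.0.0.1, and
cross-check a claimed client name against the peer address of the
connection, as the server does for the first method in the FAQ."""
import ipaddress
import socket
from typing import Callable, Dict, List, Optional, Tuple

# Names that may legitimately appear on a loopback line (from the FAQ's
# CORRECT examples).
LOOPBACK_OK = {"localhost", "localhost.localdomain"}


def check_hosts_file(text: str) -> List[str]:
    """Return a list of problems found in an /etc/hosts file.

    Rule taken from the FAQ's CORRECT/BAD examples: on a loopback address
    only localhost-style names may appear. Any other name there (the host's
    short name or FQDN) makes the machine resolve itself to 127.0.0.1,
    which a remote server can never cross-check successfully.
    """
    problems: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        addr, *names = line.split()
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            problems.append(f"line {lineno}: unparsable address {addr!r}")
            continue
        if ip.is_loopback:
            bad = [n for n in names if n not in LOOPBACK_OK]
            if bad:
                problems.append(f"line {lineno}: non-localhost name(s) {bad} "
                                f"on loopback address {addr}")
    return problems


def cross_check_client(claimed_name: str, peer_ip: str,
                       resolve: Optional[Callable[[str], List[str]]] = None
                       ) -> Tuple[bool, str]:
    """Forward-resolve the name the client claims and verify that the
    address the connection came from (as seen by accept()) is among the
    results. Returns (ok, reason)."""
    if resolve is None:
        # OS resolver library: honours /etc/hosts, nsswitch and DNS, which
        # is what the daemon sees (nslookup bypasses this path).
        resolve = lambda name: socket.gethostbyname_ex(name)[2]
    try:
        addrs = resolve(claimed_name)
    except OSError as exc:
        return False, f"cannot resolve {claimed_name!r}: {exc}"
    if not addrs:
        return False, f"{claimed_name!r} resolved to no addresses"
    if peer_ip in addrs:
        return True, f"{claimed_name!r} resolves to {peer_ip}"
    if any(ipaddress.ip_address(a).is_loopback for a in addrs):
        return False, (f"{claimed_name!r} resolves to a loopback address; "
                       "check /etc/hosts on the client")
    return False, (f"{claimed_name!r} resolves to {addrs} but the connection "
                   f"came from {peer_ip} (multi-homed client? consider "
                   "SetBindAddress)")


# Constructed sample hosts files, modelled on the FAQ's examples.
HOSTS_CORRECT = """\
127.0.0.1  localhost.localdomain localhost
192.0.2.10 myhost.mydomain.tld  myhost
"""
HOSTS_BAD = """\
127.0.0.1  localhost myhost
192.0.2.10 myhost.mydomain.tld  myhost
"""

# Constructed resolver standing in for the server's hosts/DNS lookups.
FAKE_DNS: Dict[str, List[str]] = {
    "myhost.mydomain.tld": ["192.0.2.10"],
    "broken.mydomain.tld": ["127.0.0.1"],   # client with a BAD hosts file
    "multi.mydomain.tld": ["192.0.2.20"],   # multi-homed, wrong interface
}


def fake_resolve(name: str) -> List[str]:
    if name not in FAKE_DNS:
        raise socket.gaierror(f"constructed NXDOMAIN for {name}")
    return FAKE_DNS[name]


if __name__ == "__main__":
    print("correct hosts:", check_hosts_file(HOSTS_CORRECT))
    print("bad hosts:", check_hosts_file(HOSTS_BAD))
    for name, ip in [("myhost.mydomain.tld", "192.0.2.10"),
                     ("broken.mydomain.tld", "192.0.2.10"),
                     ("multi.mydomain.tld", "192.0.2.21"),
                     ("nosuch.mydomain.tld", "192.0.2.30")]:
        print(name, cross_check_client(name, ip, fake_resolve))
```

The reason string distinguishes the three causes the FAQ lists (broken hosts file, unresolvable name, multi-homed client), which is the information you need before deciding between fixing /etc/hosts, fixing DNS, setting SetBindAddress, or switching to SetClientFromAccept. Lowering SeverityLookup only hides the reason; it does not change which of the three applies.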
Alternatively, you can scp the database to the client, run samhain -t update -l none (you need to avoid logging because otherwise you will get in conflict with the running samhain daemon), and then scp the database back to the server. Actually, with a properly set up "ssh", using RSA/DSA authentication and ssh-agent you could write a script to automate this.
    [Misc]
    # unit is seconds
    SetClientTimeLimit=NNN
    [Log]
    ExportSeverity=mark
Whether "nslookup" works is not very informative, because "nslookup" does not use the resolver library of the operating system. Therefore, it is not exactly the best tool for debugging name resolution problems (see the book "DNS and BIND").
    [Misc]
    SetMailAddress=aaa@foo.com
    SetMailAddress=bbb@foo.com

    [Log]
    # local log file
    LogSeverity=none
To fix this problem, read the manual of your backup application, or redefine the ReadOnly policy to not check the ctime timestamp:

    [Misc]
    RedefReadOnly=-CTM

Order matters: you must redefine ReadOnly before you use it.
[EventSeverity] SeverityNames=debug
man initlog) in initscripts. If it hangs, most probably samhain/yule runs in the foreground rather than as daemon. Set daemon mode in the configuration file:

    [Misc]
    Daemon=yes
--enable-(micro-)stealth ?
The problem can be solved by linking with the flag -bmaxdata:0x80000000. This allows the application to access up to 8 segments (where each segment is 256MB).

If you are using gcc, you need to use instead the flag -Wl,bmaxdata:0x80000000, which tells gcc to pass on the bmaxdata flag to the AIX linker. You can use the LDFLAGS environment variable to pass linker flags to the configure script:

    export LDFLAGS="-Wl,bmaxdata:0x80000000"
    1.) Your server is compiled with --enable-xml-log, but your client(s) is/are not.
    2.) In your client or server configuration file, you are using the option for a custom message header, but without paying attention to preserving the XML format.
    [Database]
    SetDBServerTstamp = true/false

Sending timestamps from the client allows the server to detect if a client is not running anymore (use SetClientTimeLimit=NNN in the [Misc] section of the server config file to set the number of seconds after which the server will issue an error message if no timestamp has been received).

    [Misc]
    UseClientSeverity=yes
    [Log]
    DatabaseSeverity=err

    [Misc]
    UseClientClass=yes
    [Log]
    DatabaseClass=PANIC RUN FIL TCP ERR ENET EINPUT

    sh$ mysql -u <user_name> -p <database_name>
    Enter password: ****
    mysql> SELECT log_index,log_ref,log_host,log_sev,log_msg,path FROM <table_name> WHERE entry_status = 'NEW' ORDER BY log_index;
    ....
    mysql> \q
Copyright (c) 2004 Rainer Wichmann
This list of questions and answers was generated by makefaq.