Index: trunk/docs/FAQ.html
===================================================================
--- trunk/docs/FAQ.html (revision 591)
+++ trunk/docs/FAQ.html (revision 1)
@@ -31,5 +31,4 @@
div.warnblock {
background: #b6c5f2; color: #000;
- background: #ffffcc; color: #000;
margin: 1em; padding: 0 1em 0 1em;
border-width: 1px;
@@ -130,14 +129,5 @@
Rainer Wichmann
-
-
- - If you encounter problems after installing samhain, disable daemon
- mode and run it in the foreground with
- samhain --foreground [more options] for debugging.
- - If you have problems getting client/server mode to work, please check
- the HOWTO client+server troubleshooting document.
-
-
FAQ Revised: Monday 17 September 2018 15:13:17
+FAQ Revised: Saturday 17 September 2005 09:10:07
Table of Contents
@@ -147,19 +137,16 @@
1.2. samhain exits with the message "Untrusted path" for config/log/pid/database files
1.3. It does not log anything / Can't stop logging to console
-1.4. samhain exits with the message "Record with bad version number in file signature database"
-1.5. Client cannot self-resolve, but nslookup works fine
-1.6. Server logs hostname instead of FQDN (or vice versa)
+1.4. Client cannot self-resolve, but nslookup works fine
2. Build and install
3. File checking
@@ -221,5 +208,4 @@
7.3. I don't want the client TIMESTAMP messages in the SQL database
7.4. What does the log_ref field mean ?
-7.5. How can I check what is in the database ?
@@ -281,9 +267,5 @@
is a bad idea, because samhain will open the device and write (i.e. it is
a very inefficient method).
-1.4. samhain exits with the message "Record with bad version number in file signature database"
-This typically happens when the initialisation of the database has been
-done repeatedly, i.e. by using '-t init' multiple times, without (re)moving
-the previous database first before an initialisation.
-1.5. Client cannot self-resolve, but nslookup works fine
+1.4. Client cannot self-resolve, but nslookup works fine
- Nslookup is a program to query Internet domain name servers.
@@ -336,15 +318,16 @@
xxx.xxx.xxx.xxx myhost.mydomain.tld myhost
-1.6. Server logs hostname instead of FQDN (or vice versa)
-The default is to log the hostname only, if you want the FQDN
-then there is an option for the server configuration:
-
- [Misc]
- SetStripDomain = true / false
-
2. Build and install
-- 2.1. "make" loops infinitely !
+- 2.1. [Fedora Core] Cannot compile with --enable-khide
+- The Fedora Core kernel is patched to unconditionally deny reading
+from /dev/kmem. Compiling the stealth kernel modules is not possible
+under these circumstances.
+- 2.2. [Fedora Core] Cannot compile with --with-kcheck
+- The Fedora Core kernel is patched to unconditionally deny reading
+from /dev/kmem. Checking the kernel for the presence of rootkits is
+not possible under these circumstances.
+- 2.3. "make" loops infinitely !
- This may happen (e.g. when building via NFS for multiple architectures)
if the relative timestamps in the source directory are
@@ -353,9 +336,9 @@
"touch * && make distclean" in the source directory
to recover.
-- 2.2. Why does static compiling (
--enable-static) on Solaris fail ?
+- 2.4. Why does static compiling (
--enable-static) on Solaris fail ?
- Ingo Rogalsky has provided the following information: It isn't possible
to link Samhain statically with Solaris. This
is a Solaris issue (see Sun Infodoc ID12624) and not a samhain problem.
-- 2.3. Compilation fails with '/usr/bin/ld: cannot find -lnss_files'
+- 2.5. Compilation fails with '/usr/bin/ld: cannot find -lnss_files'
- For Linux, this is a known problem with --enable-static if you compile
in MySQL support. The problem is that the
@@ -373,5 +356,5 @@
client_libs variable, and remove all instances
of -lnss_files and -lnss_dns.
-- 2.4. The executable is corrupted after installation
+- 2.6. The executable is corrupted after installation
- The executable will get stripped during the installation. On
suitable systems (i386 Linux/FreeBSD currently), additionally
@@ -383,40 +366,11 @@
executable, therefore trying to strip manually after installation
will corrupt the executable.
-- 2.5. --enable-xml-log has no effect
+- 2.7. --enable-xml-log has no effect
- If you have compiled for stealth, you won't see much, because if
obfuscated, then both a 'normal' and an XML logfile look,
well ... obfuscated. Use
samhain -jL /path/to/logfile
to view the logfile.
-- 2.6. ./install-sh: strip: not found (Solaris)
+- 2.8. ./install-sh: strip: not found (Solaris)
- Install the SUNWbtool package.
-- 2.7. What is sh_tiger1.s?
-- This is a precompiled assembly file for the i386 architecture
-generated from sh_tiger1.c using gcc 3.4.0 with the following options,
-that were found to generate the fastest code:
-
- -O1 -fno-delayed-branch -fexpensive-optimizations -fstrength-reduce
- -fpeephole2 -fschedule-insns2 -fregmove -frename-registers -fweb
- -momit-leaf-frame-pointer -funroll-loops
-
-These options were determined using
-acovea 5.1.1
-by Scott Robert Ladd. The file is provided as precompiled assembly
-because different versions of gcc can have very different performance,
-require different options to compile optimal code, and
-it would be impossible to maintain a library of optimal compile options
-for every version of gcc.
-- 2.8. Why does static compiling (
--enable-static) on MaxOS X fail ?
-- Static linking is not supported on MacOS X, see
-Technical Q&A QA1118.
-This is a MacOS X issue and not a bug in samhain.
-- 2.9. Why does compiling with MySQL fail on Solaris ?
-- The reason is often the shell script 'mysql_config' that comes as part
-of MySQL. This script is intended to print appropriate compiler flags for
-compiling applications that use MySQL. Unfortunately, since Sun compiles
-MySQL with the Solaris compiler, this script outputs options for the Solaris
-compiler (i.e. unsuitable for gcc). To solve this problem, you need to move
-this script (i.e. 'mysql_config') out of your PATH before running
-./configure (unless of course you are using the Solaris compiler
-rather than gcc).
3. File checking
@@ -482,5 +436,5 @@
as "localhost" to the server, thus the server
needs to trust the client name
-as reported by the client itself, and suppress all errors on resolving
+as reported by the client itself, and suppress all eroors on resolving
this name to the apparent address. In the server configuration:
@@ -600,6 +554,5 @@
Alternatively, you can scp the database
- to the client, run samhain -t update -l none --foreground
- (you
+ to the client, run samhain -t update -l none (you
need to avoid logging because otherwise you will get in conflict with
the running samhain daemon), and then scp the
@@ -790,5 +743,5 @@
2.) In your client or server configuration file, you are using
- the option for a custom message header, but without paying attention
+ the option for a custum message header, but without paying attention
to preserving the XML format.
@@ -800,5 +753,5 @@
This will enable/disable logging of the server timestamp for client
- messages. The server timestamp will be written to a separate record,
+ messages. The server timestamp will be written to a seperate record,
with log_ref set to the value of
log_index of the corresponding client message.
@@ -840,13 +793,4 @@
number of the corresponding client message). Zero indicates a message
by the server itself (e.g. the server's start message).
-
7.5. How can I check what is in the database ?
-Use a command line client to login to the database and query it:
-
- sh$ mysql -u <user_name> -p <database_name>
- Enter password: ****
- mysql> SELECT log_index,log_ref,log_host,log_sev,log_msg,path FROM <table_name> WHERE entry_status = 'NEW' ORDER BY log_index;
- ....
- mysql> \q
-