Samhain

Copyright © 2002-2006 Rainer Wichmann

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.1 or any later version published by the Free Software Foundation with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. You may obtain a copy of the GNU Free Documentation License from the Free Software Foundation by visiting their Web site or by writing to: Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.

Table of Contents

1. Introduction

2. Compiling and installing

2.1. Overview
2.2. Requirements
2.3. Download and extract
2.4. Configuring the source
2.5. Build
2.6. Install
2.7. Customize
2.8. Initialize the baseline database
2.9. Run samhain
2.10. Files and directory layout
2.11. The testsuite

3. General usage notes

3.1. How to invoke
3.2. Using daemontool (or similar utilities)
3.3. Controlling the daemon
3.4. Signals
3.5. PID file
3.6. Log file rotation
3.7. Updating the file signature database
3.8. Improving the signal-to-noise ratio
3.9. Runtime options: command-line & configuration file
3.10. Support / Bugs / Problems

4. Configuration of logging facilities

4.1. General
4.2. Available logging facilities
4.3. Activating logging facilities and filtering messages
4.4. E-mail
4.5. Log file
4.6. Log server
4.7. External facilities
4.8. Console
4.9. Prelude
4.10. Using samhain with nagios
4.11. Syslog
4.12. SQL Database

5. Configuration — samhain, the file monitor

5.1. Usage overview
5.2. Available checksum functions
5.3. File signatures
5.4. Defining file check policies: what, and how, to monitor
5.5. Excluding files and/or subdirectories (All except …)
5.6. Timing file checks
5.7. Initializing, updating, or checking
5.8. The file signature database
5.9. Checking the file system for SUID/SGID binaries
5.10. Detecting Kernel rootkits
5.11. Monitoring login/logout events
5.12. Checking mounted filesystem policies
5.13. Checking sensitive files owned by users
5.14. Checking for hidden/fake/missing processes
5.15. Checking for open ports
5.16. Modules
5.17. Performance tuning

6. yule, the log server

6.1. General
6.2. Important installation notes
6.3. Registering a client
6.4. Enabling logging to the server
6.5. Enabling baseline database / configuration file download from the server
6.6. Rules for logging of client messages
6.7. Detecting 'dead' clients
6.8. The HTML server status page
6.9. Chroot
6.10. Restrict access with libwrap (tcp wrappers)
6.11. Sending commands to clients
6.12. Syslog logging
6.13. Server-to-server relay
6.14. Performance tuning

7. Hooks for External Programs

7.1. Pipes
7.2. System V message queue
7.3. Calling external programs

8. Additional Features — Signed Configuration/Database Files

8.1. The samhainadmin script

9. Additional Features — Stealth

9.1. Hiding the executable
9.2. Packing the executable

10. Deployment to remote hosts

10.1. Method A: The deployment system
10.2. Method B: The native package manager

11. Security Design

11.1. Usage
11.2. Integrity of the executable
11.3. Client executable integrity
11.4. The server
11.5. General

A. List of options for the ./configure script

A.1. General
A.2. Optional modules to perfor additional checks
A.3. OpenPGP Signatures on Configuration/Database Files
A.4. Client/Server Connectivity
A.5. Paths

B. List of command line options

B.1. General
B.2. samhain
B.3. yule

C. List of configuration file options

C.1. General
C.2. Files to check
C.3. Severity of events
C.4. Logging thresholds
C.5. Watching login/logout events
C.6. Checking for kernel module rootkits
C.7. Checking for SUID/SGID files
C.8. Checking for mount options
C.9. Checking for user files
C.10. Checking for hidden/fake/required processes
C.11. Checking for open ports
C.12. Database
C.13. Miscellaneous
C.14. External
C.15. Clients

D. List of database fields

D.1. General
D.2. Modules
D.3. Syslog

		Next
		Introduction