Samhain
Copyright © 2002-2004 by Rainer Wichmann
This is version 2.0 of the Samhain manual.
Table of Contents
Introduction
Compiling and installing
Overview
Requirements
Download and extract
Configuring the source
Build
Install
Customize
Initialize the baseline database
Run samhain
Files and directory layout
General usage notes
How to invoke
Using daemontool (or similar utilities)
Controlling the daemon
Signals
PID file
Log file rotation
Updating the file signature database
Improving the signal-to-noise ratio
Runtime options: command-line & configuration file
Support / Bugs / Problems
Configuration of logging facilities
Severity levels and classes of log messages
Overview of logging facilities
Activating logging facilities and filtering messages
E-mail
Log file
Log server
External facilities
Console
Prelude
Syslog
SQL Database
Configuration — samhain, the file monitor
Usage overview
Available checksum functions
File signatures
Defining which files/directories to monitor
Excluding files and/or subdirectories (All except …)
Timing file checks
Initializing, updating, or checking
The file signature database
Checking the file system for SUID/SGID binaries
Detecting Kernel rootkits
Monitoring login/logout events
Checking mounted filesystem policies
Checking sensitive files owned by users
Modules
Performance tuning
yule, the log server
General
Important installation notes
Registering a client
Enabling logging to the server
Enabling baseline database / configuration file download from the server
Rules for logging of client messages
Detecting 'dead' clients
The HTML server status page
Chroot
Restrict access with libwrap (tcp wrappers)
Sending commands to clients
Syslog logging
Performance tuning
Hooks for External Programs
Pipes
System V message queue
Calling external programs
Additional Features — Signed Configuration/Database Files
The samhainadmin script
Additional Features — Stealth
Hiding the executable
Packing the executable
Deployment to remote hosts
Method A: The deployment system
Method B: The native package manager
Security Design
Usage
Integrity of the executable
Client executable integrity
The server
General
List of options for the ./configure script
General
Optional modules to perform additional checks
OpenPGP Signatures on Configuration/Database Files
Client/Server Connectivity
Paths
List of command line options
General
samhain
yule
List of configuration file options
General
Files to check
Severity of events
Logging thresholds
Watching login/logout events
Checking for kernel module rootkits
Checking for SUID/SGID files
Database
Miscellaneous
External
Clients
List of database fields
General
Modules
Syslog