The Samhain Host Integrity Monitoring System

This is version 2.4.0 of the Samhain manual.

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.1 or any later version published by the Free Software Foundation with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. You may obtain a copy of the GNU Free Documentation Licensefrom the Free Software Foundation by visiting their Web site or by writing to: Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.

This manual refers to version 4.0.0 of Samhain.


Table of Contents

1. Introduction
1. Backward compatibility
2. Compiling and installing
1. Overview
2. Requirements
3. Download and extract
4. Configuring the source
4.1. Some more configuration options
5. Build
6. Install
6.1. Important make targets
7. Customize
8. Initialize the baseline database
9. Run samhain
10. Files and directory layout
10.1. Trusted users and trusted paths
10.2. Directory layout
10.3. Runtime files
10.4. Installed files
11. The testsuite
3. General usage notes
1. How to invoke
2. Using daemontool (or similar utilities)
3. Controlling the daemon
4. Signals
5. PID file
6. Wait on file check
7. Log file rotation
8. Updating the file signature database
9. Improving the signal-to-noise ratio
10. Runtime options: command-line & configuration file
11. Remarks on the dnmalloc allocator
12. Support / Bugs / Problems
12.1. If samhain appears to hang indefinitely
4. Configuration of logging facilities
1. General
1.1. Severity levels
1.2. Classes
1.3. Error message customization
2. Available logging facilities
3. Activating logging facilities and filtering messages
4. E-mail
4.1. E-mail reports and their integrity
5. Log file
5.1. The log file and its integrity
6. Log server
6.1. Details
7. External facilities
8. Console
9. Prelude
9.1. Prelude-specific command-line options
9.2. Registering to a Prelude manager
10. Using samhain with nagios
11. Syslog
12. SQL Database
12.1. Upgrade to samhain 2.3
12.2. Upgrade to samhain 2.4.4
12.3. Upgrade to samhain 2.8.0+
12.4. Upgrade to samhain 4.0
12.5. MySQL configuration details
5. Configuring samhain, the host integrity monitor
1. Usage overview
2. Available checksum functions
3. File signatures
4. Defining file check policies: what, and how, to monitor
4.1. Monitoring policies
4.2. File/directory specification
4.3. Suppress messages about new/deleted/modified files
4.4. Dynamic database update (modified/disappeared/new files)
4.5. Recursion depth(s)
4.6. Hardlink check
4.7. Check for weird filenames
4.8. Support for prelink
4.9. SELinux attributes and Posix ACLs
4.10. Codes in messages about reported files
4.11. Loose directory checking
4.12. Storing the full content of a file
4.13. Who made changes to a file?
4.14. Skip checksumming for particular files
4.15. Graceful handling of log rotation
5. Excluding files and/or subdirectories (All except...)
6. Timing file checks
6.1. Using a second schedule
7. Initializing, updating, or checking
8. The file signature database
9. Checking the file system for SUID/SGID binaries
9.1. Quarantine SUID/SGID files
9.2. Configuration
10. Detecting Kernel rootkits
11. Monitoring login/logout events
12. Checking mounted filesystem policies
13. Checking sensitive files owned by users
14. Checking for hidden/fake/missing processes
14.1. Example configuration
15. Checking for open ports
15.1. Options
15.2. Example configuration
16. Logfile monitoring/analysis
16.1. Event Correlation
16.2. Reporting non-occurence of an event
16.3. Reporting bursts of similar, repeated events
16.4. Options
16.5. Example configuration
17. Checking the Windows registry
17.1. Options
17.2. Example configuration
18. Modules
19. Performance tuning
20. Storing the full content of a file (aka: WHAT has changed?)
20.1. Example configuration
20.2. Implementation details
21. Inotify support on Linux (instantaneous reports, no I/O load)
21.1. Example configuration
6. Configuring yule, the log server
1. General
2. Important installation notes
3. Registering a client
4. Enabling logging to the server
5. Enabling baseline database / configuration file download from the server
5.1. Configuration file
5.2. Database file
6. Rules for logging of client messages
7. Detecting 'dead' clients
8. The HTML server status page
9. Chroot
10. Restrict access with libwrap (tcp wrappers)
11. Sending commands to clients
11.1. Communicating with the server
11.2. Authenticating to the server
12. Syslog logging
13. Server-to-server relay
14. Performance tuning
7. Hooks for External Programs
1. Pipes
2. System V message queue
3. Calling external programs
3.1. Example setup for paging
8. Change Control Process Integration
1. Use cases
1.1. Case I: Machine taken offline for a large patch
1.2. Case II: Installation of a new package
1.3. Case III: Configuration change / Package upgrade
2. Limitations
9. Additional Features — Signed Configuration/Database Files
1. Compiling with support for signatures
2. Installation
3. The samhainadmin script
10. Additional Features — Stealth
1. Hiding the executable
1.1. Using kernel modules to hide samhain (Linux/ix86 only)
2. Packing the executable
11. Deployment to remote hosts
1. Method A: The deployment system
1.1. Requirements
1.2. Layout of the deployment system
1.3. Customizing the system
1.4. Using the deploy.sh script
1.5. deploy.sh info
1.6. deploy.sh clean
1.7. deploy.sh download
1.8. deploy.sh checksrc
1.9. deploy.sh build
1.10. deploy.sh install
1.11. deploy.sh uninstall
1.12. Usage notes
2. Method B: The native package manager
2.1. Building an RPM
2.2. Building an HP-UX package
2.3. Building a Solaris package
2.4. Building a Gentoo Linux package
2.5. Building a Debian package
12. Security Design
1. Usage
1.1. Client security in a client/server system
2. Integrity of the samhain executable
3. Client executable integrity
4. The server
5. General
A. List of options for the configure script
1. General
2. Optional modules to perform additional checks
3. OpenPGP Signatures on Configuration/Database Files
4. Client/Server Connectivity
5. Paths
B. List of command line options
1. General
2. samhain
3. yule
C. Configuration file syntax and options
1. General
1.1. Shell expansion
1.2. Conditionals
2. Files to check
3. Severity of events
4. Logging thresholds
5. Watching login/logout events
6. Checking for SUID/SGID files
7. Checking for mount options
8. Checking for user files
9. Checking for hidden/fake/required processes
10. Checking for open ports
11. Logfile monitoring/analysis
12. Database
13. Miscellaneous
14. External
15. Clients
D. List of database fields
1. General
2. Modules
3. Syslog
E. List of recognized file types