
Most frequently encountered setup problems:
------------------------------------------

 General:
 =======

 "--enable-xml-log has no effect"

	If you have compiled for stealth mode, you won't see much, because
	when obfuscated, both a 'normal' and an XML logfile look,
	well ... obfuscated. Use 'samhain -jL /path/to/logfile'
	to view the logfile in clear text.


 "Group writeable and member not trustworthy"
 "Untrusted path"

	An untrusted user (might be an untrusted group member 
	for group writeable files/directories) owns or can write to an 
	element in the path listed in the error message. This concerns 
	the configuration file, the log file, and the database file.

	The offending element in the path is identified as obj=/xxx in the
	error message.
	
	To fix the problem, determine the relevant users and/or group members,
	and use the configure option --with-trusted=LIST_OF_TRUSTED_UIDS
	(a list of UIDs, not GIDs!)
	
		./configure [more options] --with-trusted=0,...
	
	Also: read the MANUAL, in particular the section on trusted paths.
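	The following Python script is an added example, not part of the
	samhain distribution; it approximates the trusted-path check in a
	simplified form (each element of the path is inspected for an untrusted
	owner, world-writability, or group-writability with an untrusted group
	member), so you can see which element and which UIDs would need to go
	into --with-trusted. The demo() scenario, the UID 4242 and the
	group-member resolver it injects are constructed for illustration.

```python
import os
import pwd
import grp
import stat
import tempfile

def path_elements(path):
    """Return '/' and every prefix of an absolute path, ending with the path itself."""
    path = os.path.abspath(path)
    elems, cur = [os.sep], os.sep
    for part in path.split(os.sep)[1:]:
        if part:
            cur = os.path.join(cur, part)
            elems.append(cur)
    return elems

def group_members(gid):
    """UIDs belonging to group gid: primary members from passwd plus gr_mem entries."""
    uids = {pw.pw_uid for pw in pwd.getpwall() if pw.pw_gid == gid}
    try:
        for name in grp.getgrgid(gid).gr_mem:
            uids.add(pwd.getpwnam(name).pw_uid)
    except KeyError:  # gid or member name missing from the local databases
        pass
    return uids

def untrusted_elements(path, trusted_uids, members=group_members):
    """Report each path element an untrusted UID owns or could write to.
    Returns (element, reason, detail) tuples; an empty list means all elements are trusted."""
    trusted, findings = set(trusted_uids), []
    for elem in path_elements(path):
        st = os.lstat(elem)  # do not follow symlinks: the link itself is the element
        if st.st_uid not in trusted:
            findings.append((elem, "owner", st.st_uid))
        # world-writable: a sticky-bit directory is excepted, others cannot replace entries
        if st.st_mode & stat.S_IWOTH and not (stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_ISVTX):
            findings.append((elem, "world-writable", None))
        if st.st_mode & stat.S_IWGRP:
            untrusted = members(st.st_gid) - trusted
            if untrusted:
                findings.append((elem, "group-writable", sorted(untrusted)))
    return findings

def demo():
    """Constructed scenario: a config file made group-writable, checked with a
    constructed resolver whose group contains UID 4242, which is not trusted."""
    cfg = os.path.join(tempfile.mkdtemp(), "samhainrc")
    open(cfg, "w").close()
    os.chmod(cfg, 0o660)
    trusted = {0, os.getuid()}
    return cfg, untrusted_elements(cfg, trusted, members=lambda gid: trusted | {4242})

if __name__ == "__main__":
    for elem, reason, detail in demo()[1]:
        print(f"obj={elem} {reason} {detail if detail is not None else ''}")
```

	Run it against the real paths from the error message (configuration
	file, log file, database file) with the UIDs you intend to trust.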

 Standalone/client:
 =================

 "Why do I get a local logfile if I log to the server?"

	Because you can use all log facilities in parallel. You should
	switch off in the config file what you don't want/need:

	[Log]
	# local log file
	LogSeverity=none

 "Why do I get hundreds of messages about modified CTIME?"
 "Is there any way to avoid notifications caused by backups?"
 
	The offending message looks like:

	CRIT : [2002-01-14T17:31:48-0800] msg=<POLICY [ReadOnly]>,
	path=</usr/sbin/inetd>, ctime_old=<[2002-01-12T05:34:31-0800]>,
	ctime_new=<[2002-01-14T17:15:32-0800]>

	Note that ONLY ctime is modified. This happens because some
	backup application resets the atime/mtime timestamps, which causes
	the ctime timestamp to be modified (rootkits avoid this by
	temporarily resetting the system clock to the original ctime ...).

	To fix this problem, redefine the ReadOnly policy to *not* check
	the ctime timestamp, as explained in the manual:

	[Misc]
	RedefReadOnly=-CTM 

	NOTE that you must FIRST redefine ReadOnly BEFORE you use it
	in the config file!
 
 Server:
 ======

 "Time limit exceeded"

	The client for which this message is generated has not
	sent anything for some interval of time (default 84600 sec = 1 day).
	The interval can be set in section [Misc] with SetClientTimeLimit=NNN.
	This feature has the purpose to detect if a client is dead. You
	might want to ensure that timestamps are sent to the server
	(in [Log]: ExportSeverity=mark). 
	If you don't want to use this feature, set the time limit to some 
	very large value.


 "Invalid connection attempt: Not in client list"

	In the server config file, you have not listed the client. Or
	you have listed it, but not with the correct name. The name to use
	is the one the client has determined for the host it is running on,
	and is given in the error message. This error frequently occurs if
	you have listed the client with a FQDN in the server config file,
	while the client itself can only determine the IP address of its 
	host (usually caused by improper entries in /etc/hosts).

  
 "Invalid connection attempt: Session key mismatch"

	Most likely, the client password (set in the binary via the
	samhain_setpwd utility) does not match the credentials
	in the server config file. 

 "PANIC .. Address already in use  subroutine=bind"

	The server cannot bind to the port because the port is already in use.
	Perhaps you already have another instance of the server running
	by accident.


 "Peer name false host=xx peer=yy"

	The peer of the socket (yy) resolves to a different hostname than the
	one claimed by the client (xx). Either the server cannot resolve
	the name correctly (if yy is incorrect), or the client cannot
	determine its own hostname (if xx is incorrect/incomplete).
	In the latter case, you may want to check whether 'uname -n' returns
	the correct nodename of the host, and whether /etc/hosts has an entry
	to resolve that nodename to a FQDN.
