Client or Standalone

E-mail: From daemon@127.0.0.1

samhain fails to resolve the host's own address. This is most probably due to a mistake in the /etc/hosts file: the host's own name must not appear on the 127.0.0.1 line.

Correct

	127.0.0.1  localhost
	xxx.xxx.xxx.xxx myhost.mydomain.tld  myhost
	

Wrong

	127.0.0.1  myhost.mydomain.tld  localhost
	xxx.xxx.xxx.xxx myhost.mydomain.tld  myhost
	

Wrong

	127.0.0.1  localhost myhost
	xxx.xxx.xxx.xxx myhost.mydomain.tld  myhost

The client sends 127.0.0.1 as its name to the log server

See above.
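
A check for the /etc/hosts mistake behind both symptoms above (mail from daemon@127.0.0.1, and the client reporting 127.0.0.1 as its name), as an added example that is not part of the samhain documentation. The function names check_hosts and sample_hosts, the exit codes, the handling of ::1 and the stand-in address 192.0.2.10 are assumptions of this example.

```shell
#!/bin/sh
# check_hosts HOSTS_FILE SHORT_NAME FQDN   (hypothetical helper, not a samhain tool)
# Prints each loopback line that carries this host's own name. Exit status:
#   0 = host name appears only on a non-loopback line (the "Correct" layout)
#   1 = host name appears on a loopback line (the "Wrong" layouts)
#   2 = host name has no non-loopback entry at all (extra check, an assumption)
check_hosts() {
    awk -v short="$2" -v fqdn="$3" '
        BEGIN { short = tolower(short); fqdn = tolower(fqdn) }
        { sub(/#.*/, "") }                  # drop comments
        NF < 2 { next }                     # blank or address-only line
        {
            hit = 0
            for (i = 2; i <= NF; i++) {
                name = tolower($i)
                if (name == short || name == fqdn) hit = 1
            }
            if (!hit) next
            # loopback: 127.x as on the page; ::1 is added as an assumption
            if ($1 ~ /^127\./ || $1 == "::1") {
                printf "line %d: %s\n", NR, $0
                bad = 1
            } else {
                real = 1
            }
        }
        END { if (bad) exit 1; if (!real) exit 2 }
    ' "$1"
}

# Constructed sample input: the three layouts shown on the page, with the
# documentation address 192.0.2.10 standing in for xxx.xxx.xxx.xxx.
sample_hosts() {
    case "$1" in
        correct) printf '127.0.0.1  localhost\n' ;;
        wrong1)  printf '127.0.0.1  myhost.mydomain.tld  localhost\n' ;;
        wrong2)  printf '127.0.0.1  localhost myhost\n' ;;
    esac
    printf '192.0.2.10 myhost.mydomain.tld  myhost\n'
}

# Usage: sh check_hosts.sh /etc/hosts "$(hostname -s)" "$(hostname -f)"
if [ "$#" -eq 3 ]; then check_hosts "$@"; fi
```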

I need a list for my schedule!

You can have the same effect with a list of schedules. See the note in the section called "Timing file checks" in the chapter called "Configuration — samhain, the file monitor".

Why do I get a local logfile if I log to the server?

Because you can use all log facilities in parallel. In the config file, switch off whatever you don't want or need:
        [Log]
        # local log file
        LogSeverity=none
	

Why do I get hundreds of messages about modified CTIME?

This happens because some backup applications reset the atime/mtime timestamps, which causes the ctime timestamp to be modified (rootkits avoid this by temporarily resetting the system clock to the original ctime ...).

To fix this problem, read the manual of your backup application, or redefine the ReadOnly policy to not check the ctime timestamp:
        [Misc]
        RedefReadOnly=-CTM
	

Note

You must first redefine ReadOnly before you use it in the config file!

How do I update the file signature database?

If you keep the file signature database on the server, the database is supposed to be updated on the server, using the beltane web-based console (currently in beta) and the log messages from the client.

Alternatively, you can copy the database to the client with scp, run samhain -t update -l none (you need to avoid logging, because otherwise you will come into conflict with the running samhain daemon), and then scp the database back to the server. With a properly set up ssh, using RSA/DSA authentication and ssh-agent, you could write a script to automate this.

SIGILL on AIX

For each scanned file, samhain needs to store some information in memory (e.g. to recognize changes that have already been reported, and avoid duplicate reports). On AIX, if you are checking a really huge number of files, memory usage may exceed the default limit of 256 MB, and the process may terminate with SIGILL.

The problem can be solved by linking with the flag -bmaxdata:0x80000000. This allows the application to access up to 8 segments (where each segment is 256MB).

If you are using gcc, you need to use the flag -Wl,-bmaxdata:0x80000000 instead, which tells gcc to pass the -bmaxdata flag on to the AIX linker. You can use the LDFLAGS environment variable to pass linker flags to the configure script:

export LDFLAGS="-Wl,-bmaxdata:0x80000000"