Samhain

Copyright © 2002-2004 by Rainer Wichmann

This is version 1.8.4 of Samhain manual.

Table of Contents

Introduction

Installation

Installation Requirements
Installation Procedure
Files and directory layout

How to invoke
What happens after startup ?
Controlling the daemon
Signals
PID file
Log file rotation
Updating the file signature database
Improving the signal-to-noise ratio
Options & configuration file
Support / Bugs / Problems

Configuration — Basic

Definitions
Configuration of logging facilities
Details of logging facilities

Configuration — samhain, the file monitor

Hash function
Basic usage instructions
File signatures
Defining which files/directories to monitor
Timing file checks
Initializing, updating, or checking
The file signature database
Checking the file system for SUID/SGID binaries
Detecting Kernel rootkits
Monitoring login/logout events
Checking mounted filesystem policies
Checking sensitive files owned by users
Modules
Performance tuning

Configuration — yule, the log server

General
Important installation notes
Chroot
Client registry
Enabling logging to the server
Database / configuration file download
Libwrap (tcp wrappers) support
Sending commands to clients
Server status information
Syslog logging
Performance tuning

Hooks for External Programs

Pipes
System V message queue
Calling external programs

Additional Features — Signed Configuration/Database Files

The samhainadmin script

Additional Features — Stealth

Hiding the executable
Packing the executable

Deployment to remote hosts

Method A: The deploy.sh script
Method B: The native package manager

Security Design

Usage
Integrity of the executable
The server
General

FAQ — Frequently Asked Questions

General
Client or Standalone
Server
MySQL/PostgreSQL Database

List of compilation options

General
OpenPGP Signatures on Configuration/Database Files
Client/Server Connectivity
Paths

List of command line options

General
samhain
yule

List of configuration file options

General
Files to check
Severity of events
Logging thresholds
Watching login/logout events
Checking for kernel module rootkits
Checking for SUID/SGID files
Database
Miscellaneous
External
Clients

List of database fields

General
Modules
Syslog

		Next >>>
		Introduction