FAQ — Frequently Asked Questions

General

Tip:

The most frequent problems are:

  1. Untrusted paths for config/log/pid/database files. See the Section called Trusted users and trusted paths in the chapter called Installation for details.

  2. Failure of self-address resolving on the client due to mistakes in the /etc/hosts file. See the Section called Client or Standalone for details.

  3. It does not log anything / Can't stop logging to console. See the Section called Thresholds and Classes — Activating logging facilities and filtering messages in the chapter called Configuration — Basic for details.

'make' loops forever

make uses file timestamps to determine whether a target should be regenerated from its dependencies. It may fail if timestamps are corrupted (e.g. by using the same source directory via an NFS mount from machines with different clock settings), or if intermediate targets are up to date but unusable (built on another OS). Use touch * followed by make distclean to clean up the source directory, or extract it anew from the tarball.

Compilation fails with '/usr/bin/ld: cannot find -lnss_files'

For Linux, this is a known problem with --enable-static if you compile in MySQL support. The mysql_config script that comes as part of the MySQL distribution incorrectly lists dependencies on the libnss_files and libnss_dns libraries, which are only available as shared libraries, so the linker cannot find static versions of them.

You can check this by inspecting the output of mysql_config --libs. The version of mysql_config that comes with the RedHat mysql RPM (RedHat 9) does not have this bug; the one distributed by MySQL does. You can fix the problem by editing mysql_config: search for the client_libs variable, and remove all instances of -lnss_files and -lnss_dns.

Owner not trustworthy / Group writeable and member not trustworthy

An untrusted user (or, for group writeable files/directories, an untrusted group member) owns or can write to an element in the path listed in the error message. This concerns the configuration file, the log file, and the database file.

The offending element in the path is identified as obj=/xxx in the error message.

To fix the problem, determine the relevant users and/or group members, and use the configure option --with-trusted=LIST_OF_TRUSTED_UIDS (not GIDs!):

./configure [more options] --with-trusted=0,...
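The following shell script is an added example, not samhain's own code: it reproduces the trusted-path check for one file so you can find the offending element (and the uid behind it) before deciding what to put into --with-trusted. It assumes Linux (stat -c, getent), treats uid 0 plus every uid in the comma-separated list as trusted, and additionally treats a world-writeable element as untrusted.

```shell
#!/bin/sh
# Added example (not samhain's own code): reproduce the trusted-path check
# for one file path. Every element from / down to the file must be owned by
# a trusted uid, and must not be writable by an untrusted user.
# Assumes Linux with stat -c and getent; uid 0 plus every uid in the
# comma-separated list (same format as --with-trusted) count as trusted.

is_trusted() {   # $1 = uid, $2 = comma-separated trusted uids
    case ",0,$2," in *",$1,"*) return 0 ;; esac
    return 1
}

group_members() {   # $1 = gid -> uids of all users in that group, one per line
    line=$(getent group "$1" 2>/dev/null) || return 0
    for name in $(printf '%s' "${line##*:}" | tr ',' ' '); do
        id -u "$name" 2>/dev/null          # explicit members
    done
    getent passwd | awk -F: -v g="$1" '$4 == g { print $3 }'   # primary group
}

check_element() {   # $1 = path element, $2 = trusted uids; prints findings
    info=$(stat -c '%u %g %a' "$1" 2>/dev/null) || return 2
    set -- "$1" "$2" $info                 # $3=uid $4=gid $5=octal mode
    perm=${5#${5%???}}                     # keep the last three octal digits
    rc=0
    is_trusted "$3" "$2" || { echo "Owner not trustworthy: obj=$1 uid=$3"; rc=1; }
    case ${perm#?} in [2367]?)             # group write bit set
        for m in $(group_members "$4"); do
            is_trusted "$m" "$2" && continue
            echo "Group writeable and member not trustworthy: obj=$1 uid=$m"
            rc=1; break
        done ;;
    esac
    case $perm in ??[2367])                # world write bit set (assumed untrusted)
        echo "World writeable: obj=$1"; rc=1 ;;
    esac
    return $rc
}

check_path() {   # $1 = absolute path without spaces, $2 = trusted uids
    rc=0; p=
    check_element / "$2" || rc=1
    for comp in $(printf '%s' "$1" | tr '/' ' '); do
        p="$p/$comp"
        check_element "$p" "$2" || rc=1
    done
    return $rc
}
```

Run for example check_path /var/lib/samhain/samhain_file 0 and add the uids it reports to --with-trusted only if those users really are trustworthy; otherwise fix ownership or permissions of the reported element.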

Untrusted path

See the entry Owner not trustworthy / Group writeable and member not trustworthy above.

PANIC — File not accessible

Most likely permission denied because of insufficient privileges.

How can I stop console output?

If running as daemon, the default output facility is /dev/console. To stop output there, simply set the threshold to 'none'.
        [Log]
        PrintSeverity=none
Alternatively, you can redirect console output elsewhere, as explained in the Section called Console in the chapter called Configuration — Basic.

Note that depending on your syslog configuration, syslog may also log to /dev/console if you have enabled logging to syslog in the samhain configuration file (see also the Section called Syslog in the chapter called Configuration — Basic).

The executable is corrupted after installation

The executable is stripped during installation. On suitable systems (currently i386 Linux/FreeBSD), the sstrip utility (copyright 1999 by Brian Raiter, under the GNU GPL) is additionally used to strip the executable even further, to prevent debugging with the GNU gdb debugger. The strip utility cannot handle the resulting executable, so trying to strip it manually after installation will corrupt it.

--enable-xml-log has no effect

If you have compiled for stealth, you won't see much, because if obfuscated, then both a 'normal' and an XML logfile look, well ... obfuscated. Use 'samhain -jL /path/to/logfile' to view the logfile.

E-mail: Reverse lookup failed

Fix your DNS: the reverse lookup (numerical IP address to FQDN) must succeed and agree with the forward lookup (FQDN to numerical IP address). If this problem happens for client/server connections, also see the Section called Server.

But nslookup tells me my DNS works

First, nslookup does not use the system resolver library: it has its own resolving routines, and does things differently from the resolver library (see the book DNS and BIND). Therefore, it is not exactly the best tool for debugging name resolving problems. Second, did you check reverse lookup as well as forward lookup?
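As an added example (not part of the samhain manual), this shell script checks both directions through the system resolver, which is what samhain uses, instead of through nslookup; it also covers the self-address problem from the tip at the top of this page when run with the client's own FQDN. It assumes a glibc or BusyBox getent.

```shell
#!/bin/sh
# Added example (not samhain's own code): check forward and reverse name
# resolution the way the resolver library sees it. getent(1) goes through
# NSS (/etc/hosts, DNS, ...) like samhain does, while nslookup queries the
# DNS server directly and bypasses /etc/hosts. Assumes glibc/BusyBox getent.

forward_lookup() {   # $1 = name -> its addresses, one per line
    getent ahosts "$1" | awk '{ print $1 }' | sort -u
}

reverse_lookup() {   # $1 = address -> the name it maps back to (empty if none)
    getent hosts "$1" | awk '{ print $2; exit }'
}

check_resolution() {   # $1 = FQDN; returns 0 only if both directions agree
    addrs=$(forward_lookup "$1")
    if [ -z "$addrs" ]; then
        echo "forward lookup failed: $1"; return 1
    fi
    rc=0
    for a in $addrs; do
        name=$(reverse_lookup "$a")
        if [ -z "$name" ]; then
            echo "reverse lookup failed: $a (address of $1)"; rc=1
        elif [ "$name" != "$1" ]; then
            echo "mismatch: $1 -> $a -> $name"; rc=1
        fi
    done
    return $rc
}

# Run it for the name samhain will use for this host itself:
# check_resolution "$(hostname -f)"
```

A mismatch on an address that comes from /etc/hosts points at a wrong or incomplete entry there; a mismatch on an address from DNS means the PTR record disagrees with the A record.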

Device not available path=/dev/random

Because /dev/random can block for a long time if there is no entropy, samhain will fall back on /dev/urandom after some timeout, and issue this message (it will try /dev/random again next time).

How can I avoid error messages for invalid UIDs (no such user)?

Set SeverityNames to a low value (see the Section called Severity levels in the chapter called Configuration — Basic).

[Redhat] The /etc/init.d/xyz init script hangs

Redhat uses initlog (see man initlog) in initscripts. If it hangs, most probably samhain/yule runs in the foreground rather than as daemon. Use Daemon=yes in the configuration file.

The /etc/init.d/xyz init script exits with: execvp: No such file or directory

Either the program is not installed, or it is not in the PATH (the one used by the init script, which may be different from your PATH).