Samhain
Copyright
© 2002-2004 by Rainer Wichmann
This is version 1.8.4 of the Samhain manual.
Table of Contents
Introduction
Installation
Installation Requirements
Installation Procedure
Files and directory layout
Usage
How to invoke
What happens after startup?
Controlling the daemon
Signals
PID file
Log file rotation
Updating the file signature database
Improving the signal-to-noise ratio
Options & configuration file
Support / Bugs / Problems
Configuration — Basic
Definitions
Configuration of logging facilities
Details of logging facilities
Configuration — samhain, the file monitor
Hash function
Basic usage instructions
File signatures
Defining which files/directories to monitor
Timing file checks
Initializing, updating, or checking
The file signature database
Checking the file system for SUID/SGID binaries
Detecting Kernel rootkits
Monitoring login/logout events
Checking mounted filesystem policies
Checking sensitive files owned by users
Modules
Performance tuning
Configuration — yule, the log server
General
Important installation notes
Chroot
Client registry
Enabling logging to the server
Database / configuration file download
Libwrap (tcp wrappers) support
Sending commands to clients
Server status information
Syslog logging
Performance tuning
Hooks for External Programs
Pipes
System V message queue
Calling external programs
Additional Features — Signed Configuration/Database Files
The samhainadmin script
Additional Features — Stealth
Hiding the executable
Packing the executable
Deployment to remote hosts
Method A: The deploy.sh script
Method B: The native package manager
Security Design
Usage
Integrity of the executable
The server
General
FAQ — Frequently Asked Questions
General
Client or Standalone
Server
MySQL/PostgreSQL Database
List of compilation options
General
OpenPGP Signatures on Configuration/Database Files
Client/Server Connectivity
Paths
List of command line options
General
samhain
yule
List of configuration file options
General
Files to check
Severity of events
Logging thresholds
Watching login/logout events
Checking for kernel module rootkits
Checking for SUID/SGID files
Database
Miscellaneous
External
Clients
List of database fields
General
Modules
Syslog