The Samhain Host Integrity Monitoring System

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.1 or any later version published by the Free Software Foundation with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. You may obtain a copy of the GNU Free Documentation License from the Free Software Foundation by visiting their Web site or by writing to: Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.

This manual refers to version 3.1.0 of Samhain.


Table of Contents
1. Introduction
2. Compiling and installing
2.1. Overview
2.2. Requirements
2.3. Download and extract
2.4. Configuring the source
2.5. Build
2.6. Install
2.7. Customize
2.8. Initialize the baseline database
2.9. Run samhain
2.10. Files and directory layout
2.11. The testsuite
3. General usage notes
3.1. How to invoke
3.2. Using daemontool (or similar utilities)
3.3. Controlling the daemon
3.4. Signals
3.5. PID file
3.6. Log file rotation
3.7. Updating the file signature database
3.8. Improving the signal-to-noise ratio
3.9. Runtime options: command-line & configuration file
3.10. Remarks on the dnmalloc allocator
3.11. Support / Bugs / Problems
4. Configuration of logging facilities
4.1. General
4.2. Available logging facilities
4.3. Activating logging facilities and filtering messages
4.4. E-mail
4.5. Log file
4.6. Log server
4.7. External facilities
4.8. Console
4.9. Prelude
4.10. Using samhain with nagios
4.11. Syslog
4.12. SQL Database
5. Configuring samhain, the host integrity monitor
5.1. Usage overview
5.2. Available checksum functions
5.3. File signatures
5.4. Defining file check policies: what, and how, to monitor
5.5. Excluding files and/or subdirectories (All except …)
5.6. Timing file checks
5.7. Initializing, updating, or checking
5.8. The file signature database
5.9. Checking the file system for SUID/SGID binaries
5.10. Detecting Kernel rootkits
5.11. Monitoring login/logout events
5.12. Checking mounted filesystem policies
5.13. Checking sensitive files owned by users
5.14. Checking for hidden/fake/missing processes
5.15. Checking for open ports
5.16. Logfile monitoring/analysis
5.17. Checking the Windows registry
5.18. Modules
5.19. Performance tuning
5.20. Storing the full content of a file (aka: WHAT has changed?)
5.21. Inotify support on Linux (instantaneous reports, no I/O load)
6. Configuring yule, the log server
6.1. General
6.2. Important installation notes
6.3. Registering a client
6.4. Enabling logging to the server
6.5. Enabling baseline database / configuration file download from the server
6.6. Rules for logging of client messages
6.7. Detecting 'dead' clients
6.8. The HTML server status page
6.9. Chroot
6.10. Restrict access with libwrap (tcp wrappers)
6.11. Sending commands to clients
6.12. Syslog logging
6.13. Server-to-server relay
6.14. Performance tuning
7. Hooks for External Programs
7.1. Pipes
7.2. System V message queue
7.3. Calling external programs
8. Additional Features — Signed Configuration/Database Files
8.1. The samhainadmin script
9. Additional Features — Stealth
9.1. Hiding the executable
9.2. Packing the executable
10. Deployment to remote hosts
10.1. Method A: The deployment system
10.2. Method B: The native package manager
11. Security Design
11.1. Usage
11.2. Integrity of the samhain executable
11.3. Client executable integrity
11.4. The server
11.5. General
A. List of options for the ./configure script
A.1. General
A.2. Optional modules to perform additional checks
A.3. OpenPGP Signatures on Configuration/Database Files
A.4. Client/Server Connectivity
A.5. Paths
B. List of command line options
B.1. General
B.2. samhain
B.3. yule
C. Configuration file syntax and options
C.1. General
C.2. Files to check
C.3. Severity of events
C.4. Logging thresholds
C.5. Watching login/logout events
C.6. Checking for kernel module rootkits
C.7. Checking for SUID/SGID files
C.8. Checking for mount options
C.9. Checking for user files
C.10. Checking for hidden/fake/required processes
C.11. Checking for open ports
C.12. Logfile monitoring/analysis
C.13. Database
C.14. Miscellaneous
C.15. External
C.16. Clients
D. List of database fields
D.1. General
D.2. Modules
D.3. Syslog
E. List of recognized file types