2.10. Files and directory layout

TipTip
 

samhain has its own set of trusted users. Paths to critical files (e.g. the configuration file) must be writeable by trusted users only. Failure to ensure this (e.g. by compiling in an appropriate set of trusted users) is one of the most frequent reasons for problems. See below for details.

2.10.1. Trusted users and trusted paths

If a path element is group writeable, all group members must be trusted. If the path to the configuration file itself is writeable by other users than root and the effective user these must be defined as trusted already at compile time.

NoteNote
 

The list of group members in /etc/group may be incomplete or even empty. samhain will check /etc/passwd (where each user has a GID field) in addition to /etc/group to find all members of a group.

2.10.2. Directory layout

samhain conforms to the FHS, which mandates a directory layout that is different from the default GNU layout (everything in subdirectories under /etc/local).

TipTip
 

There is an option ./configure --enable-install-name=NAME. When this option is used, not only the executable is installed as NAME, but also in all the paths, samhain is replaced with NAME.

NoteNote
 

For the yule server, replace samhain with yule in the paths explained below.

The following table explains which directory layout results from ./configure --prefix=PREFIX

sbindirmandirsysconfdirlocalstatedir
PREFIX(none)  
/usr/local/sbin/usr/local/man/etc/var
PREFIXUSR (all capital)  
/usr/sbin/usr/share/man/etc/var
PREFIXOPT (all capital)  
/opt/samhain/bin/opt/samhain/man/etc/opt/var/opt/samhain
PREFIX/other  
/other/sbin/other/share/man/other/etc/other/var

The file signature database will be written to localstatedir/lib/samhain/samhain_file, the pid file to localstatedir/run/samhain.pid, and the log file to localstatedir/log/samhain_log. In addition, yule writes an HTML status file to localstatedir/log/yule/yule.html

To get a more fine-grained control on the layout, the following configure options are provided

2.10.3. Runtime files

2.10.3.1. Standalone or client

PurposeDirectory
Logfileslocalstatedir/log/
Data fileslocalstatedir/lib/samhain/
Pid filelocalstatedir/run/

2.10.3.2. Server

NoteNote
 

The server will drop root privileges after startup. I does not need write access to the data files, thus the data file directory is chmod 555 on installation. It does need write access to the log file directory. As the system logfile directory usually is owned by root, the install script will by default create a subdirectory and chown it to the unprivileged yule user. The PID file is written before dropping root.

PurposeDirectory
Logfileslocalstatedir/log/yule/
Data fileslocalstatedir/lib/yule/
Pid filelocalstatedir/run/

2.10.4. Installed files

2.10.4.1. Standalone or client

FileInstalled toMode
samhainsbindir/samhain700
samhainrcsysconfdir/samhainrc600
samhain.8mandir/man8/samhain.8644
samhainrc.5mandir/man5/samhainrc.5644
(samhain_setpwd)sbindir/samhain_setpwd700
(samhain_stealth)sbindir/samhain_stealth700

2.10.4.2. Server

FileInstalled toMode
yulesbindir/yule700
yulectlsbindir/yulectl700
yulercsysconfdir/yulerc600
samhain.8mandir/man8/yule.8644
samhainrc.5mandir/man5/yulerc.5644
samhain_setpwdsbindir/yule_setpwd700