Samhain


Table of Contents
Introduction
Installation
Installation Requirements
Installation Procedure
Files and directory layout
Trusted users and trusted paths
Directory layout
Installed files
Usage
How to invoke
daemontool et al.
What happens after startup?
Controlling the daemon
Signals
PID file
Log file rotation
Updating the file signature database
Improving the signal-to-noise ratio
Options & configuration file
Support (bug/problem reports)
Configuration — Basic
Definitions
Severity levels
Classes
Logging facilities
Thresholds — Activating logging facilities
Configuration of logging facilities
E-mail
Log file
Log server
External facilities
Details of logging facilities
Console
Syslog
E-mail reports and their integrity
The log file and its integrity
The log server
SQL Database
Configuration — samhain, the file monitor
Hash function
Basic usage instructions
File signatures
Defining which files/directories to monitor
Monitoring policies
File/directory specification
All except …
Dynamic database update (modified/disappeared/new files)
Recursion depth(s)
Timing file checks
Using a second schedule
Initializing, updating, or checking
The file signature database
Checking the file system for SUID/SGID binaries
Configuration
Detecting Kernel rootkits
What is a kernel rootkit?
How can samhain detect them ?
Configuration
Monitoring login/logout events
Modules
Performance tuning
Configuration — yule, the log server
General
Client registry
Enabling logging to the server
Database / configuration file download
Configuration file
Database file
Server status information
Syslog logging
Performance tuning
Hooks for External Programs
Pipes
System V message queue
Calling external programs
Example setup for paging
Additional Features — Signed Configuration/Database Files
Additional Features — Stealth
Hiding the executable
Packing the executable
Deployment to remote host
Usage Notes
Security Design
Usage
Integrity of the executable
Design
FAQ — Frequently Asked Questions
General
Standalone/Client
Server
List of compilation options
General
OpenPGP Signatures on Configuration/Database Files
Client/Server Connectivity
Paths
List of command line options
General
samhain
yule
List of configuration file options
General
Conditionals
Files to check
Severity of events
Logging thresholds
Watching login/logout events
Checking for kernel module rootkits
Checking for SUID/SGID files
Database
Miscellaneous
External
Clients