DOCSLIB.ORG

The Samhain Host Integrity Monitoring System the Samhain Host Integrity Monitoring System This Is Version 2.4.3 of the Samhain Manual

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
The Samhain Host Integrity Monitoring System the Samhain Host Integrity Monitoring System This Is Version 2.4.3 of the Samhain Manual The Samhain Host Integrity Monitoring System The Samhain Host Integrity Monitoring System This is version 2.4.3 of the Samhain manual. Copyright © 2002-2019 Rainer Wichmann Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.1 or any later version published by the Free Software Foundation with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. You may obtain a copy of the GNU Free Documentation Licensefrom the Free Software Foundation by visiting their Web site or by writing to: Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. This manual refers to version 4.4.0 of Samhain. Table of Contents 1. Introduction .............................................................................................................. 1 1. Backward compatibility ...................................................................................... 1 2. Compiling and installing ............................................................................................. 2 1. Overview ......................................................................................................... 2 2. Requirements .................................................................................................... 3 3. Download and extract ......................................................................................... 3 4. Configuring the source ....................................................................................... 4 4.1. Some more configuration options ............................................................... 5 5. Build ............................................................................................................... 6 6. Install .............................................................................................................. 6 6.1. Important make targets ............................................................................. 7 7. Customize ........................................................................................................ 7 8. Initialize the baseline database ............................................................................. 8 9. Run samhain ..................................................................................................... 8 10. Files and directory layout .................................................................................. 9 10.1. Trusted users and trusted paths ................................................................ 9 10.2. Directory layout .................................................................................... 9 10.3. Runtime files ...................................................................................... 10 10.4. Installed files ...................................................................................... 10 11. The testsuite .................................................................................................. 11 3. General usage notes ................................................................................................. 13 1. How to invoke ................................................................................................ 13 2. Using daemontool (or similar utilities) ................................................................. 13 3. Controlling the daemon ..................................................................................... 13 4. Signals ........................................................................................................... 14 5. PID file .......................................................................................................... 14 6. Wait on file check ........................................................................................... 15 7. Log file rotation .............................................................................................. 15 8. Updating the file signature database .................................................................... 16 9. Improving the signal-to-noise ratio ...................................................................... 16 10. Runtime options: command-line & configuration file ............................................ 17 11. Remarks on the dnmalloc allocator .................................................................... 17 12. Support / Bugs / Problems ................................................................................ 18 12.1. If samhain appears to hang indefinitely .................................................... 18 4. Configuration of logging facilities ............................................................................... 19 1. General .......................................................................................................... 19 1.1. Severity levels ...................................................................................... 19 1.2. Classes ................................................................................................ 20 1.3. Error message customization ................................................................... 21 2. Available logging facilities ................................................................................ 21 3. Activating logging facilities and filtering messages ................................................ 22 4. E-mail ............................................................................................................ 23 4.1. E-mail reports and their integrity .............................................................. 26 5. Log file .......................................................................................................... 27 5.1. The log file and its integrity .................................................................... 27 6. Log server ...................................................................................................... 29 6.1. Details ................................................................................................. 29 7. External facilities ............................................................................................. 29 8. Console .......................................................................................................... 29 9. Prelude ........................................................................................................... 30 9.1. Prelude-specific command-line options ...................................................... 30 9.2. Registering to a Prelude manager ............................................................. 31 10. Using samhain with nagios .............................................................................. 31 11. Syslog .......................................................................................................... 32 12. SQL Database ................................................................................................ 33 iii The Samhain Host In- tegrity Monitoring System 12.1. Upgrade to samhain 2.3 ........................................................................ 34 12.2. Upgrade to samhain 2.4.4 ...................................................................... 35 12.3. Upgrade to samhain 2.8.0+ .................................................................... 35 12.4. Upgrade to samhain 4.0 ........................................................................ 36 12.5. MySQL configuration details ................................................................. 36 5. Configuring samhain, the host integrity monitor ............................................................ 37 1. Usage overview ............................................................................................... 37 2. Available checksum functions ............................................................................ 38 3. File signatures ................................................................................................. 38 4. Defining file check policies: what, and how, to monitor .......................................... 38 4.1. Monitoring policies ................................................................................ 39 4.2. File/directory specification ...................................................................... 40 4.3. Suppress messages about new/deleted/modified files .................................... 42 4.4. Dynamic database update (modified/disappeared/new files) ........................... 43 4.5. Recursion depth(s) ................................................................................. 43 4.6. Hardlink check ...................................................................................... 44 4.7. Check for weird filenames ...................................................................... 44 4.8. Support for prelink ................................................................................ 45 4.9. SELinux attributes and Posix ACLs .......................................................... 45 4.10. Codes in messages about reported files .................................................... 46 4.11. Loose directory checking ...................................................................... 46 4.12. Storing the full content of a file ............................................................. 46 4.13. Who made changes to a file? ................................................................. 46 4.14. Skip checksumming for particular
Load more

Recommended publications
  • Red Hat Enterprise Linux 6 Developer Guide
    Red Hat Enterprise Linux 6 Developer Guide An introduction to application development tools in Red Hat Enterprise Linux 6 Dave Brolley William Cohen Roland Grunberg Aldy Hernandez Karsten Hopp Jakub Jelinek Developer Guide Jeff Johnston Benjamin Kosnik Aleksander Kurtakov Chris Moller Phil Muldoon Andrew Overholt Charley Wang Kent Sebastian Red Hat Enterprise Linux 6 Developer Guide An introduction to application development tools in Red Hat Enterprise Linux 6 Edition 0 Author Dave Brolley [email protected] Author William Cohen [email protected] Author Roland Grunberg [email protected] Author Aldy Hernandez [email protected] Author Karsten Hopp [email protected] Author Jakub Jelinek [email protected] Author Jeff Johnston [email protected] Author Benjamin Kosnik [email protected] Author Aleksander Kurtakov [email protected] Author Chris Moller [email protected] Author Phil Muldoon [email protected] Author Andrew Overholt [email protected] Author Charley Wang [email protected] Author Kent Sebastian [email protected] Editor Don Domingo [email protected] Editor Jacquelynn East [email protected] Copyright © 2010 Red Hat, Inc. and others. The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version. Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
    [Show full text]
  • Improving Security Through Egalitarian Binary Recompilation
    Improving Security Through Egalitarian Binary Recompilation David Williams-King Submitted in partial fulfillment of the requirements for the degree of Doctor of Philosophy under the Executive Committee of the Graduate School of Arts and Sciences COLUMBIA UNIVERSITY 2021 © 2021 David Williams-King All Rights Reserved Abstract Improving Security Through Egalitarian Binary Recompilation David Williams-King In this thesis, we try to bridge the gap between which program transformations are possible at source-level and which are possible at binary-level. While binaries are typically seen as opaque artifacts, our binary recompiler Egalito (ASPLOS 2020) enables users to parse and modify stripped binaries on existing systems. Our technique of binary recompilation is not robust to errors in disassembly, but with an accurate analysis, provides near-zero transformation overhead. We wrote several demonstration security tools with Egalito, including code randomization, control-flow integrity, retpoline insertion, and a fuzzing backend. We also wrote Nibbler (ACSAC 2019, DTRAP 2020), which detects unused code and removes it. Many of these features, including Nibbler, can be combined with other defenses resulting in multiplicatively stronger or more effective hardening. Enabled by our recompiler, an overriding theme of this thesis is our focus on deployable software transformation. Egalito has been tested by collaborators across tens of thousands of Debian programs and libraries. We coined this term egalitarian in the context of binary security. Simply put, an egalitarian analysis or security mechanism is one that can operate on itself (and is usually more deployable as a result). As one demonstration of this idea, we created a strong, deployable defense against code reuse attacks.
    [Show full text]
  • All Saints and All Souls Day? Are These Linked with Paganism and Halloween?
    AALL SSAINTS AND AALL SSOULS St. Peter Catholic Church Faith Fact November 2017 By FATHER WILLIAM SAUNDERS What are the origins of All Saints and All Souls Day? Are these linked with paganism and Halloween? Both the Feast of All Saints and the Feast of All Souls evolved in the life of the Church independently of paganism and Halloween. However, elements of pagan practices were perhaps “baptized” by some cultures or attached themselves to the celebration of All Saints and All Souls. Let us first address the Feast of All Saints. The exact origins of this celebration are uncertain, although, after the legalization of Christianity in 313, a common commemoration of Saints, especially the martyrs, appeared in various areas throughout the Church. For instance in the East, the city of Edessa celebrated this feast on May 13; the Syrians, on the Friday after Easter; and the city of Antioch, on the first Sunday after Pentecost. Both St. Ephrem (d. 373) and St. John Chrysostom (d. 407) attest to this feast day in their preaching. In the West, a commemoration for all the saints also was celebrated on the first Sunday after Pentecost. The primary reason for establishing a common feast day was because of the desire to honor the great number of martyrs, especially during the persecution of Emperor Diocletion (284-305), the worst and most extensive of the persecutions. […T]here were not enough days of the year for a feast day for each martyr and many of them died in groups. A common feast day for all saints, therefore seemed most appropriate In 609, the Emperor Phocas gave the Pantheon in Rome to Pope Boniface IV, who rededicated it on May 13 under the title St.
    [Show full text]
  • Ivoyeur: Inotify
    COLUMNS iVoyeur inotify DAVE JOSEPHSEN Dave Josephsen is the he last time I changed jobs, the magnitude of the change didn’t really author of Building a sink in until the morning of my first day, when I took a different com- Monitoring Infrastructure bination of freeways to work. The difference was accentuated by the with Nagios (Prentice Hall T PTR, 2007) and is Senior fact that the new commute began the same as the old one, but on this morn- Systems Engineer at DBG, Inc., where he ing, at a particular interchange, I would zig where before I zagged. maintains a gaggle of geographically dispersed It was an unexpectedly emotional and profound metaphor for the change. My old place was server farms. He won LISA ‘04’s Best Paper off to the side, and down below, while my future was straight ahead, and literally under award for his co-authored work on spam construction. mitigation, and he donates his spare time to the SourceMage GNU Linux Project. The fact that it was under construction was poetic but not surprising. Most of the roads I [email protected] travel in the Dallas/Fort Worth area are under construction and have been for as long as anyone can remember. And I don’t mean a lane closed here or there. Our roads drift and wan- der like leaves in the water—here today and tomorrow over there. The exits and entrances, neither a part of this road or that, seem unable to anticipate the movements of their brethren, and are constantly forced to react.
    [Show full text]
  • Chapter 1. Origins of Mac OS X
    1 Chapter 1. Origins of Mac OS X "Most ideas come from previous ideas." Alan Curtis Kay The Mac OS X operating system represents a rather successful coming together of paradigms, ideologies, and technologies that have often resisted each other in the past. A good example is the cordial relationship that exists between the command-line and graphical interfaces in Mac OS X. The system is a result of the trials and tribulations of Apple and NeXT, as well as their user and developer communities. Mac OS X exemplifies how a capable system can result from the direct or indirect efforts of corporations, academic and research communities, the Open Source and Free Software movements, and, of course, individuals. Apple has been around since 1976, and many accounts of its history have been told. If the story of Apple as a company is fascinating, so is the technical history of Apple's operating systems. In this chapter,[1] we will trace the history of Mac OS X, discussing several technologies whose confluence eventually led to the modern-day Apple operating system. [1] This book's accompanying web site (www.osxbook.com) provides a more detailed technical history of all of Apple's operating systems. 1 2 2 1 1.1. Apple's Quest for the[2] Operating System [2] Whereas the word "the" is used here to designate prominence and desirability, it is an interesting coincidence that "THE" was the name of a multiprogramming system described by Edsger W. Dijkstra in a 1968 paper. It was March 1988. The Macintosh had been around for four years.
    [Show full text]
  • Celtic Thunder Legacy on Tour Across the US
    ISSUE 25 VOLUME 5 Proudly Serving Celts in North America Since 1991 SEPTEMBER/OCTOBER 2016 THE BIGGEST Gaelic Games event in North America took place in Seattle on the weekend of September 2-4, 2016 with over 1,500 players and 85 teams from across the USA, Canada and the Caribbean competing. [Pictured above] Seattle Mayor Ed Murray [second from right] presents the Championship Trophy to Donie Breathnach, captain of the San Francisco Naomh Padraig hurling team after they won the North American Sen- ior Hurling Championship final. Pictured on the left is Seattle BREAKING GROUND by Norfolk, England artist, Rob Barnes. Police Chief Kathleen O’Toole and Irish Consul General Philip [Read more about the artist inside on page 2] Grant on the right. [Read more on pages 20, 21 & 23] Walking the Path at Samhain Into the Twilight of the Year OME would At Samhain, that path rises, careens, By CYNTHIA WALLENTINE motivates, tears down, and drives us on. argue that a Order is lost, but structure remains – it path that can- At Samhain, whose bonfires burn will push, drag, or pull even the ridicu- brightly at dusk on October 31, the year lously stubborn to their fate. not be seen descends to its finish. S Those not gripped entirely by the expe- does not ex- In the ashes of that same fire, on No- rience may instead find destiny, the con- ist. But vision is only one vember 1, the Celtic New Year is born, scious transformation of the cultivated IRELAND’S O’Donovan brothers are the latest Olympic Internet along with the winter season.
    [Show full text]
  • History of Halloween
    History of Halloween History of Halloween By ReadWorks Makayla gently placed her black witch’s hat on top of her black curls as she looked at herself in the mirror. Her mom had painted her skin green and outlined her eyes in purple paint. She wore tall, black boots underneath a long, purple dress. It was October 31st, and she was ready for trick‐or‐treating on Halloween night. “Makayyyla!” her mom called out from downstairs. Makayla’s two friends, Colden and Porter, had arrived. Colden stood in the doorway, his costume blowing in the wind. A white sheet hung over his head, and his eyes peered out from two cut‐out holes. Porter decided to dress like his favorite superhero, Batman. A black mask covered his face and a long cape trailed behind him. They carried plastic pumpkin bowls to collect candy later in the evening. The two boys greeted Makayla with equal levels of excitement. “Hi, Makayla!” Colden said. “You ready to go trick‐or‐treating?” Porter asked. She nodded her head and ran to grab her coat. “Let’s go, everyone!” her mom called out, and they all marched out the front door. All around them, children and parents walked from door to door in colorful costumes. Carved Jack‐o‐lanterns sat in front of houses, candles shimmering inside the orange pumpkins. A breeze blew past Makayla and her friends, making her shiver. The weather had just started to get colder. 1 © 2014 ReadWorks®, Inc. All rights reserved. History of Halloween Makayla remembered her class earlier that day, when her teacher talked about the origins of Halloween.
    [Show full text]
  • The Samhain Host Integrity Monitoring System the Samhain Host Integrity Monitoring System This Is Version 2.4.3 of the Samhain Manual
    The Samhain Host Integrity Monitoring System The Samhain Host Integrity Monitoring System This is version 2.4.3 of the Samhain manual. Copyright © 2002-2019 Rainer Wichmann Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.1 or any later version published by the Free Software Foundation with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. You may obtain a copy of the GNU Free Documentation Licensefrom the Free Software Foundation by visiting their Web site or by writing to: Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. This manual refers to version 4.4.0 of Samhain. Table of Contents 1. Introduction .............................................................................................................. 1 1. Backward compatibility ...................................................................................... 1 2. Compiling and installing ............................................................................................. 2 1. Overview ......................................................................................................... 2 2. Requirements .................................................................................................... 3 3. Download and extract ......................................................................................... 3 4. Configuring the source ......................................................................................
    [Show full text]
  • Derek and Lucy Dightmaker Celebrated Their Silver Wedding Anniversary Recently and Renewed Their Wedding Vows During Holy Mass I
    RUTH WINSTON COMMUNITY CENTRE NEWSLETTER NO.25. Autumn Edition 2020 Well everyone, we are back in lockdown and therefore our lovely Centre will have to temporarily close again. Therefore, it is essential that you let us have all your news to keep the newsletter going during this awful period. We hope everyone stays well and again PLEASE KEEP IN TOUCH. Why do we carve pumpkins at Halloween? Their origin comes from an Irish myth about Stingy Jack, who tricked the devil for his own monetary gain. When Jack died, God didn’t allow him into Heaven, and the Devil didn’t allow him into Hell, so Jack was sentenced to roam the earth for eternity. In Ireland, people started to carve demonic faces out of turnips to frighten away Jack’s wandering soul. When Irish immigrants moved to the U.S., they began carving jack-o- lanterns from pumpkins, as these were native to the region. But how did jack-o-lanterns become associated with Halloween? Halloween is based on the Celt festival Samhain, a celebration in ancient Britain and Ireland that marked the end of summer and the beginning of the new year on November 1st. It was believed that during Samhain, the souls of those, who had died that year travelled to the other world and that other souls would return to visit their homes. In the 8th century CE, the Roman Catholic Church moved All Saints’ Day, a day celebrating the church’s Saints, to November 1st. this meant that All Hallows’ Eve (or Halloween) fell on October 31st.
    [Show full text]
  • Cloaker: Hardware Supported Rootkit Concealment
    Cloaker: Hardware Supported Rootkit Concealment Francis M. David, Ellick M. Chan, Jeffrey C. Carlyle, Roy H. Campbell Department of Computer Science University of Illinois at Urbana-Champaign 201 N Goodwin Ave, Urbana, IL 61801 {fdavid,emchan,jcarlyle,rhc}@uiuc.edu Abstract signers resorted to more complex techniques such as modi- fying boot sectors [33, 51] and manipulating the in-memory Rootkits are used by malicious attackers who desire to image of the kernel. These rootkits are susceptible to de- run software on a compromised machine without being de- tection by tools that check kernel code and data for alter- tected. They have become stealthier over the years as a ation [43, 13, 42, 21]. Rootkits that modify the system consequence of the ongoing struggle between attackers and BIOS or device firmware [25, 26] can also be detected by system defenders. In order to explore the next step in rootkit integrity checking tools. More recently, virtualization tech- evolution and to build strong defenses, we look at this issue nology has been studied as yet another means to conceal from the point of view of an attacker. We construct Cloaker, rootkits [31, 44]. These rootkits remain hidden by running a proof-of-concept rootkit for the ARM platform that is non- the host OS in a virtual machine environment. To counter persistent and only relies on hardware state modifications the threat from these Virtual Machine Based Rootkits (VM- for concealment and operation. A primary goal in the de- BRs), researchers have detailed approaches to detect if code sign of Cloaker is to not alter any part of the host oper- is executing inside a virtual machine [20].
    [Show full text]
  • CIS Ubuntu Linux 18.04 LTS Benchmark
    CIS Ubuntu Linux 18.04 LTS Benchmark v1.0.0 - 08-13-2018 Terms of Use Please see the below link for our current terms of use: https://www.cisecurity.org/cis-securesuite/cis-securesuite-membership-terms-of-use/ 1 | P a g e Table of Contents Terms of Use ........................................................................................................................................................... 1 Overview ............................................................................................................................................................... 12 Intended Audience ........................................................................................................................................ 12 Consensus Guidance ..................................................................................................................................... 13 Typographical Conventions ...................................................................................................................... 14 Scoring Information ..................................................................................................................................... 14 Profile Definitions ......................................................................................................................................... 15 Acknowledgements ...................................................................................................................................... 17 Recommendations ............................................................................................................................................
    [Show full text]
  • Chaplain's Chat Healthcare Resident Garden Columbus Day History Of
    Chaplain's Chat W Dear Friends, The Greetings in Christ! Here are a few quotes I ran across for your reflection: Villager "Live simply. love generously. care deeply. speak kindly, and leave the rest to God." OFFICIAL NEWSLETTER OF WESTCHESTER VILLAGE 10-01-2020 "If you find yourself in a hole, the first thing you need to do is stop digging." "When people fail you... remember to give them as much grace as you expect from God." "If you think you're a person of influence, try ordering someone else's dog around." "Worrying doesn't change anything; trusting Jesus changes everything!" History of Halloween "One day Jesus will hug you so tight that all the broken pieces in you will fit back together again." Halloween is a holiday celebrated each year on October 31, and Halloween 2020 will occur on Saturday, October 31. The tradition originated with the ancient Celtic festival of Samhain, when people would light bonfires and wear costumes to ward off ghosts. In the eighth century, Pope Gregory III designated November 1 as a time to honor all saints. Soon, All Saints Day incorporated some of the traditions of Samhain. The evening before was known as All Hallows Eve, and later Halloween. Over time, Halloween evolved into a Healthcare Resident Garden day of activities like trick-or-treating, carving jack-o-lanterns, festive gatherings, donning costumes and eating treats. Halloween's origins date back to the ancient Celtic festival of Healthcare Garden is on the courtyard in a raised planter. Various things have been planted Samhain (pronounced sow-in).
    [Show full text]