The Samhain Host Integrity Monitoring System

This is version 2.4.3 of the Samhain manual.

Copyright © 2002-2019 Rainer Wichmann

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.1 or any later version published by the Free Software Foundation with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. You may obtain a copy of the GNU Free Documentation License from the Free Software Foundation by visiting their Web site or by writing to: Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.

This manual refers to version 4.4.0 of Samhain.

Table of Contents

1. Introduction (p. 1)
  1. Backward compatibility (p. 1)
2. Compiling and installing (p. 2)
  1. Overview (p. 2)
  2. Requirements (p. 3)
  3. Download and extract (p. 3)
  4. Configuring the source (p. 4)
    4.1. Some more configuration options (p. 5)
  5. Build (p. 6)
  6. Install (p. 6)
    6.1. Important make targets (p. 7)
  7. Customize (p. 7)
  8. Initialize the baseline database (p. 8)
  9. Run samhain (p. 8)
  10. Files and directory layout (p. 9)
    10.1. Trusted users and trusted paths (p. 9)
    10.2. Directory layout (p. 9)
    10.3. Runtime files (p. 10)
    10.4. Installed files (p. 10)
  11. The testsuite (p. 11)
3. General usage notes (p. 13)
  1. How to invoke (p. 13)
  2. Using daemontool (or similar utilities) (p. 13)
  3. Controlling the daemon (p. 13)
  4. Signals (p. 14)
  5. PID file (p. 14)
  6. Wait on file check (p. 15)
  7. Log file rotation (p. 15)
  8. Updating the file signature database (p. 16)
  9. Improving the signal-to-noise ratio (p. 16)
  10. Runtime options: command-line & configuration file (p. 17)
  11. Remarks on the dnmalloc allocator (p. 17)
  12. Support / Bugs / Problems (p. 18)
    12.1. If samhain appears to hang indefinitely (p. 18)
4. Configuration of logging facilities (p. 19)
  1. General (p. 19)
    1.1. Severity levels (p. 19)
    1.2. Classes (p. 20)
    1.3. Error message customization (p. 21)
  2. Available logging facilities (p. 21)
  3. Activating logging facilities and filtering messages (p. 22)
  4. E-mail (p. 23)
    4.1. E-mail reports and their integrity (p. 26)
  5. Log file (p. 27)
    5.1. The log file and its integrity (p. 27)
  6. Log server (p. 29)
    6.1. Details (p. 29)
  7. External facilities (p. 29)
  8. Console (p. 29)
  9. Prelude (p. 30)
    9.1. Prelude-specific command-line options (p. 30)
    9.2. Registering to a Prelude manager (p. 31)
  10. Using samhain with nagios (p. 31)
  11. Syslog (p. 32)
  12. SQL Database (p. 33)
    12.1. Upgrade to samhain 2.3 (p. 34)
    12.2. Upgrade to samhain 2.4.4 (p. 35)
    12.3. Upgrade to samhain 2.8.0+ (p. 35)
    12.4. Upgrade to samhain 4.0 (p. 36)
    12.5. MySQL configuration details (p. 36)
5. Configuring samhain, the host integrity monitor (p. 37)
  1. Usage overview (p. 37)
  2. Available checksum functions (p. 38)
  3. File signatures (p. 38)
  4. Defining file check policies: what, and how, to monitor (p. 38)
    4.1. Monitoring policies (p. 39)
    4.2. File/directory specification (p. 40)
    4.3. Suppress messages about new/deleted/modified files (p. 42)
    4.4. Dynamic database update (modified/disappeared/new files) (p. 43)
    4.5. Recursion depth(s) (p. 43)
    4.6. Hardlink check (p. 44)
    4.7. Check for weird filenames (p. 44)
    4.8. Support for prelink (p. 45)
    4.9. SELinux attributes and Posix ACLs (p. 45)
    4.10. Codes in messages about reported files (p. 46)
    4.11. Loose directory checking (p. 46)
    4.12. Storing the full content of a file (p. 46)
    4.13. Who made changes to a file? (p. 46)
    4.14. Skip checksumming for particular

Details

  • File Type
    pdf
  • Content Languages
    English
  • File Pages
    139 pages
