2.2.4. Samhain

Read Samhain Manual, samhain is a file and host integrity and intrusion alert system suitable for single hosts as well as for large, UNIX-based networks. samhain offers advanced features to support and facilitate centralized monitoring.

The client (or standalone) part is called samhain, while the server is referred to as yule. Both can run as daemon processes.

Most of the options require being defined at compile time, is easy to start with basic and then compile as more features are required.

        $ sudo prt-get depinst samhain
        

/var/lib/samhain/samhain_file

signature database

/etc/samhainrc

configuration file

/var/log/samhain.log

log file

2.2.4.1. Configure

For more information on configuration check Monitoring Policies. Description of section headings;

ReadOnly

All modifications except access times will be reported for these files.

Checked: owner, group, permissions, file type, device number, hardlinks, links, inode, checksum, size, mtime, ctime.

LogFiles

Modifications of timestamps, file size, and signature will be ignored.

Checked: owner, group, permissions, file type, device number, hardlinks, links, inode.

GrowingLogFiles

Modifications of timestamps, and signature will be ignored. Modification of the file size will only be ignored if the file size has increased.

Checked: owner, group, permissions, file type, device number, hardlinks, links, inode, size >= previous_size, checksum(file start up to previous size) equals previous checksum.

Attributes

Only modifications of ownership, access permissions, and device number will be checked.

Checked: owner, group, permissions, file type, device number.

IgnoreAll

No modifications will be reported. However, the existence of the specified file or directory will still be checked.

IgnoreNone

All modifications, including access time, but excluding ctime, will be reported - checking atime and ctime would require to play with the system clock.

Checked: owner, group, permissions, file type, device number, hardlinks, links, inode, checksum, size, mtime, atime.

        $ vim /etc/samhainrc
        

This is just a resume, there is a complete template on crux ports?.

        [Misc]

        [ReadOnly]
        dir = 0/

        [Attributes]
        file = /tmp
        file = /dev
        file = /media
        file = /proc
        file = /sys

        [ReadOnly]
        dir = 99/etc

        [Attributes]
        file = /etc/mtab
        file = /etc/adjtime
        file = /etc/motd
        file = /etc/fstab

        file = /etc

        [ReadOnly]
        dir = 99/boot

        [ReadOnly]
        dir = 99/bin
        dir = 99/sbin

        [ReadOnly]
        dir = 99/lib

        [Attributes]
        dir = 99/dev

        [IgnoreAll]
        dir = -1/dev/pts

        [ReadOnly]
        dir = 99/usr

        [IgnoreAll]
        dir = -1/usr/ports/core
        dir = -1/usr/ports/opt
        dir = -1/usr/ports/contrib
        dir = -1/usr/ports/work
        dir = -1/usr/ports/distfiles

        [ReadOnly]
        dir = 99/var

        [IgnoreAll]
        dir = -1/var/cache
        dir = -1/var/lock
        dir = -1/var/mail
        dir = -1/var/run
        dir = -1/var/spool
        dir = -1/var/tmp

        [Attributes]

        file = /var/lib/mlocate
        file = /var/lib/mlocate/mlocate.db
        file = /var/lib/urandom
        file = /var/lib/urandom/seed

        [GrowingLogFiles]
        dir = 99/var/log

        file = /var/log/samhain.log.lock

        [Attributes]
        file = /var/log/old/*.[0-9].gz

        [Misc]
        IgnoreAdded = /var/log/.*\.[0-9]+$
        IgnoreAdded = /var/log/.*\.[0-9]+\.gz$
        IgnoreAdded = /var/log/.*\.[0-9]+\.log$
        IgnoreAdded = /var/log/[[:alnum:]]+/.*\.[0-9]+$
        IgnoreAdded = /var/log/[[:alnum:]]+/.*\.[0-9]+\.gz$
        IgnoreAdded = /var/log/[[:alnum:]]+/.*\.[0-9]+\.log$
        IgnoreAdded = /var/lib/slocate/slocate.db.tmp
        IgnoreMissing = /var/lib/slocate/slocate.db.tmp

        [IgnoreNone]

        [Prelink]

        [User0]

        [User1]

        [EventSeverity]

        [Log]
        MailSeverity=notice
        PrintSeverity=none

        [Misc]
        Daemon = yes
        ChecksumTest=check
        SetNiceLevel = 19
        SetIOLimit = 500
        SetLoopTime = 600
        SetFileCheckTime = 7200
        ReportOnlyOnce = True
        SetMailTime = 86400
        SetMailNum = 10
        SetMailAddress=root@localhost
        SyslogFacility=LOG_LOCAL2

        

Initialize database;

        # samhain -t init -p notice
        

If you want to "restart" remove samhain_file and run again the command above. If daemon is set on config file you just need to run;

        # samhain -t check -p notice
        

To control daemon;

        # samhain stop
        # samhain start
        # samhain restart
        # samhain reload or force-reload
        # samhain status
        

2.2.4.2. Update database

Manual, You can update the database while the daemon is running, as long as you don't interfere with its logging. Using flag -l like this samhain -t update -l none make sure the log file is not accessed.

        # samhain -t update -l none --interactive
        

Interactive update are supported with the command line flag --interactive. A file with a list of good files, absolute path, one per line, can be passed with flag --listfile. Example;

        # samhain -t update -l none --listfile=/root/list_of_files
        

This is part of the Hive System Documentation. Copyright (C) 2018 c9 team. See the file Gnu Free Documentation License for copying conditions.