-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathREADME
504 lines (356 loc) · 15.5 KB
/
README
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
Information about Prelude integration
-------------------------------------
To enable Prelude SIEM sensor, you have to run this :
./configure --with-prelude
CONTENT OF THIS DOCUMENT
------------------------
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++ +++
+++ NOTE: The distribution package contains a much more detailed MANUAL +++
+++ +++
+++ ---- See the docs/ subdirectory ---- +++
+++ +++
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
- INSTALL basic install procedure
- PGP SIGNATURES signing database and config file
- CLIENT/SERVER how to install and use with client/server mode
for distributed host monitoring
- STEALTH how to install and use with stealth mode enabled
- USAGE some usage examples
- CAVEATS what the name says
- START AT BOOT TIME how to start the daemon during the boot sequence
- CONFIGURE OPTIONS overview of supported options, and defaults
- TESTING test suite (also useful to see EXAMPLES)
INSTALL:
-------
Unpack the source with:
gunzip -c samhain-current.tar.gz | tar xvf -
This will drop two files in your current directory:
samhain-{version}.tar.gz
samhain-{version}.tar.gz.asc
To check authenticity and integrity of the source code, verify
the PGP signature on samhain-{version}.tar.gz
(public PGP key for Rainer Wichmann at http://wwwkeys.pgp.net/):
gpg --verify samhain-{version}.tar.gz.asc samhain-{version}.tar.gz
Then unpack samhain-{version}.tar.gz:
gunzip -c samhain-{version}.tar.gz | tar xvf -
cd samhain-{version}
If you have an incarnation of 'dialog' (xdialog, dialog, lxdialog)
installed, you can use the GUI install tool:
./Install.sh
Otherwise use the commands:
./configure [options]
make
su root
make install
At least the following executable will be built:
+++ samhain +++ the monitoring agent, without any
client/server support (i.e. local use only)
Additional executables will be built if you compile in client/server
and/or stealth mode (see below).
The 'make install' target will strip the executable(s), i.e.
discard symbols.
PATHS:
-----
For configuring the install paths/locations,
see the MANUAL.
WARNING:
-------
Some versions of gcc have a bug that generates incorrect
code if strength reducing is enabled.
If you modify the compiler flags, always use the -fno-strength-reduce
option with gcc, unless you are sure that your compiler does not
suffer from the problem (see README.gcc_bug).
Also, some gcc versions generate incorrect code unless the
-fno-omit-frame-pointer option is used.
The -fno-strength-reduce and the -fno-omit-frame-pointer options are
enabled by default by the 'configure' script.
PGP SIGNATURES:
--------------
By default, samhain will report on the checksums of the database
and configuration files on startup.
You can always (clear)sign the database (once initialized)
with GnuPG, as well as the configuration file
(recommended: gpg -a --clearsign --not-dash-escaped FILE).
However, to have samhain check these signatures, rather than ignoring
them, you need GnuPG and you must compile samhain with the option
./configure --with-gpg=PATH
where PATH is the path to the gpg/pgp binary.
Samhain will invoke gpg only after checking that
only trusted users (by default: root and the effective user)
have write access to any element in the path.
The public key for verification must be in the keyring of the
effective user (usually root)
For more security, it is possible to compile in the checksum
of the GnuPG executable, and/or the key fingerprint. See
the MANUAL for more details.
The public key will be searched in the gpg home directory
(~/.gnupg/) of the effective user (usually root).
The key identification and fingerprint will be reported.
CLIENT/SERVER:
-------------
samhain supports logging to a central server via TCP/IP.
To enable this option, use the ./configure option
./configure --enable-network=client|server [more options]
NOTE: client and server are __distict__ applications, and must be
built seperately. By default, installation names and paths are
different. Do not blame us if you abuse './configure' options to
cause name clashes, if you install both on the same host.
The following executables are built:
+++ samhain (client) +++ the monitoring agent,
with client code included
if --enable-network=client
+++ yule (server) +++ the log server (no monitoring, just report
collecting !!!)
if --enable-network=server
+++ samhain_setpwd +++ a utility program to set the password of
a monitoring agent (see man page samhain.8).
Use it without options to get help.
To set up a monitoring agent, do the following:
-- select a (16-digit hexadecimal) password. To generate
a random password, you can use:
./yule -G
-- use 'samhain_setpwd samhain <suffix> <password>'
to generate an agent 'samhain.suffix' with the selected password
(you can rename the agent afterwards, of course)
-- use 'yule -P password' to compute an entry to register the agent
-- in the servers's configuration file, insert the computed entry
(replace HOSTNAME with the host, on which the agent will run)
in the section called [Clients]
By default, client/server authentication
is done with the SRP (Secure Remote Password) protocol.
It is also possible to store configuration and database files
on the server. See the manual for details.
STEALTH:
-------
samhain supports a 'stealth' mode of operation, meaning that
the program can be run without any obvious trace of its presence
on disk. The supplied facilities are more sophisticated than
just running the program under a different name,
and might thwart efforts using 'standard' Unix commands,
but they will not resist a search using dedicated utilities.
To enable this mode, use the ./configure option
./configure --enable-stealth=XOR_VAL [more options]
XOR_VAL must be a decimal number in the range 0, 128..255
(using 0 will have no effect).
The runtime executable will contain no printable strings revealing
its nature or purpose (strings are xor'ed with XOR_VAL at compile
time, and decoded at runtime).
The configuration file is expected to be
a postscript file with _uncompressed_ image data, wherein
the configuration data are hidden by steganography.
To create a suitable image file from an existing image,
you may use e.g. the ImageMagick program 'convert', such as:
convert +compress ima.jpg ima.ps
The following additional executable will be built:
+++ samhain_stealth +++ steganography utility program to hide/extract
the configuration file data in/from a
postscript file with
_uncompressed_ image data.
Use it without options to get help.
Database and log file entries are xor'ed with XOR_VAL to 'mask'
printable strings as binary data. No steganography is supported
for them, as this would require image files of unreasonable large
size.
However, if the database/log file is an existing image (say, a .jpg
file), the data will be appended to the end of the image data.
The image will display normally, and on examination of the file,
the add-on data will look like binary (image) data at first sight.
The built-in utility to verify and print log file entries
will handle this situation transparently.
To re-name samhain to something unsuspicious, use the configure option
./configure --enable-install-name=NAME
'make install' will then re-name samhain upon installation. Also,
database, log file, and pid file will have 'samhain' replaced by
NAME.
USAGE EXAMPLES:
--------------
Review the default configuration file that comes with the
source distribution. Read the man page (samhain.8).
initialize database: samhain -t init
check files: samhain -t check
run as daemon: samhain -t check -D
report to log server: samhain -t check -D -e warn
start the log server: yule -S
CAVEATS:
-------
Permissions:
-----------
samhain needs root permissions to check some system files.
The log server does not require root permissions, unless
you use a privileged port (port number below 1024).
If you use --enable-udp to listen on the syslog socket, you need
to start the log server with root permissions (it will drop them
after binding to the port).
Trust:
-----
samhain checks the path to critical files (database, configuration)
for write access by untrusted users. By default, only root and
the effective user are trusted. More UIDs can be added as a
compile options (some systems habe 'bin' as owner of the root
directory).
Integrity:
---------
On startup, samhain will report on signatures or checksums of
database and configuration files. You better check these reports.
Both startup and exit will be reported. If you are using samhain
as daemon and start it at boot time, you may want to check that
startup/exit corresponds with scheduled reboots.
If the path to the samhain binary is defined in the configuration
file, samhain will checksum the binary at startup and compare
at program termination. This will minimize the time available
for an intruder to modify the binary.
Mail address:
------------
For offsite mail, you may have to set a mail relay host
in the configuration file.
START AT BOOT TIME:
------------------
the easy way (supported on Linux, FreeBSD, HP-UX, AIX):
su root
make install-boot
CONFIGURE OPTIONS:
-----------------
-------------------
-- basic options --
-------------------
--enable-network Compile with client/server support.
--enable-udp Enable the server to listen on
port 514/udp (syslog).
--enable-srp Use SRP protocol to authenticate to
log server.
--with-gpg=PATH Use GnuPG to verify database/config.
The public key of the effective
user (in ~/.gnupg/pubring.gpg)
will be used.
--enable-login-watch Watch for login/logout events.
--enable-stealth=XOR_VAL Enable stealth mode, and set XOR_VAL.
XOR_VAL must be decimal in
0..32 or 127..255
and will be used to 'mask' literal
strings as binary data.
(0 has no effect).
--enable-micro-stealth=XOR_VAL
As --with-stealth, but without
steganographic hidden configuration
file.
--enable-nocl=PW Enable command line parsing ONLY if
PW is the first argument on the command
line. If PW is "" (empty string),
command line parsing is completely
disabled.
--enable-base=BASE Set base for one-time pads. Must be
ONE string (no space) made of TWO
comma-separated integers in the range
-2147483648...2147483647.
(The default is compile time.)
Binaries compiled with different
values cannot verify the audit trail(s)
of each other.
THIS IS IMPORTANT IF YOU COMPILE
MULTIPLE TIMES, E.G. ON DIFFERENT
HOSTS.
-------------------
-- paths --
-------------------
${install_name} is "samhain" by default
(see --with-install-name=NAME )
configuration: /etc/${install_name}rc
state data: /var/lib/${install_name}
log file: /var/log/${install_name}_log
lock/pid file: /var/run/${install_name}.pid
mandir: /usr/local/man
bindir: /usr/local/sbin/
--exec-prefix=EPREFIX Set sbindir prefix (default
is /usr/local, ie. binaries
go to /usr/local/sbin)
--prefix=PREFIX install directory
(default is NONE)
IF PREFIX = USR; then
configuration: /etc/${install_name}rc
state data: /var/lib/${install_name}
log file: /var/log/${install_name}_log
lock/pid file: /var/run/${install_name}.pid
mandir: /usr/share/man
bindir: /usr/sbin/
IF PREFIX = OPT; then
configuration: /etc/opt/${install_name}rc
state data: /var/opt/${install_name}/${install_name}
log file: /var/opt/${install_name}/${install_name}_log
lock/pid file: /var/opt/${install_name}/${install_name}.pid
mandir: /opt/${install_name}/man
bindir: /opt/${install_name}/bin/
IF PREFIX = (something else); then
If EPREFIX is not set, it will be set to PREFIX.
configuration: PREFIX/etc/${install_name}rc
state data: PREFIX/var/lib/${install_name}
log file: PREFIX/var/log/${install_name}_log
lock/pid file: PREFIX/var/run/${install_name}.pid
mandir: PREFIX/share/man
bindir: PREFIX/sbin/
--with-config-file=FILE Set path of configuration file
(default is PREFIX/etc/samhainrc)
--with-data-file=FILE Set path of data file
(PREFIX/var/lib/samhain/samhain_file)
--with-html-file=FILE Set path of server status html file
(PREFIX/var/lib/samhain/samhain.html)
--with-log-file=FILE Set path of log file
(PREFIX/var/log/samhain_log)
--with-pid-file=FILE Set path of lock file
(PREFIX/var/run/samhain.pid)
-------------------
-- other --
-------------------
--with-checksum=CHECKSUM Compile in TIGER checksum of the
gpg/pgp binary.
CHECKSUM must be the full
line output by samhain or GnuPG when
computing the checksum.
--with-fp=FINGERPRINT Compile in public key fingerprint.
FINGERPRINT must be without spaces.
Only useful in combination with
'--with-gpg'.
If used, samhain will check the
fingerprint, but still report on the
used public key.
--enable-identity=USER Set user when dropping root privileges
(default is the user "nobody").
Only needed if there is no user
'nobody' on your system
(check /etc/passwd)
--with-port=PORT Set port number for TCP/IP
(default is 49777).
Only needed if this port is already
used by some other application.
--with-logserver=HOST Set host address for log server
(default is NULL).
You can set this in the configuration
file as well.
--with-timeserver=HOST Set host address for time server
(default is NULL - use own clock).
You can set this in the configuration
file as well.
--with-sender=SENDER Set sender for e-mail
(default is daemon).
--enable-xml-log Use XML format for log file.
--enable-debug Enable extended debugging
--enable-ptrace Use anti-debugging code.
--with-trusted=UID Comma-separated list of UID's of
users that are always trusted
(default is 0 = root).
You will need this only if the
path to the config file has directories
owned neither by 'root' nor by the
(effective) user of the program.
TESTING:
-------
For testing compilation etc., you may use the test suite:
./test/test.sh n [hostname]
The argument 'n' is the number of the test to run. Some tests require
that the (fully qualified) hostname be given as second argument.
Without options, you will get a short help/usage message, listing
each test, its purpose, and the name of the configuration file used.
You may want to review the respective configuration file before
running a test.
Also listed are the scripts used for each test. If you have problems
getting samhain to run, you may use these scripts as examples.