-
Notifications
You must be signed in to change notification settings - Fork 1
License
GPL-2.0, Unknown licenses found
Licenses found
GPL-2.0
LICENSE
Unknown
COPYING
Prelude-SIEM-Agents/samhain
Folders and files
| Name | Name | Last commit message | Last commit date | |
|---|---|---|---|---|
Repository files navigation
Information about Prelude integration
-------------------------------------
To enable Prelude SIEM sensor, you have to run this :
./configure --with-prelude
CONTENT OF THIS DOCUMENT
------------------------
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++ +++
+++ NOTE: The distribution package contains a much more detailed MANUAL +++
+++ +++
+++ ---- See the docs/ subdirectory ---- +++
+++ +++
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
- INSTALL basic install procedure
- PGP SIGNATURES signing database and config file
- CLIENT/SERVER how to install and use with client/server mode
for distributed host monitoring
- STEALTH how to install and use with stealth mode enabled
- USAGE some usage examples
- CAVEATS what the name says
- START AT BOOT TIME how to start the daemon during the boot sequence
- CONFIGURE OPTIONS overview of supported options, and defaults
- TESTING test suite (also useful to see EXAMPLES)
INSTALL:
-------
Unpack the source with:
gunzip -c samhain-current.tar.gz | tar xvf -
This will drop two files in your current directory:
samhain-{version}.tar.gz
samhain-{version}.tar.gz.asc
To check authenticity and integrity of the source code, verify
the PGP signature on samhain-{version}.tar.gz
(public PGP key for Rainer Wichmann at http://wwwkeys.pgp.net/):
gpg --verify samhain-{version}.tar.gz.asc samhain-{version}.tar.gz
Then unpack samhain-{version}.tar.gz:
gunzip -c samhain-{version}.tar.gz | tar xvf -
cd samhain-{version}
If you have an incarnation of 'dialog' (xdialog, dialog, lxdialog)
installed, you can use the GUI install tool:
./Install.sh
Otherwise use the commands:
./configure [options]
make
su root
make install
At least the following executable will be built:
+++ samhain +++ the monitoring agent, without any
client/server support (i.e. local use only)
Additional executables will be built if you compile in client/server
and/or stealth mode (see below).
The 'make install' target will strip the executable(s), i.e.
discard symbols.
PATHS:
-----
For configuring the install paths/locations,
see the MANUAL.
WARNING:
-------
Some versions of gcc have a bug that generates incorrect
code if strength reducing is enabled.
If you modify the compiler flags, always use the -fno-strength-reduce
option with gcc, unless you are sure that your compiler does not
suffer from the problem (see README.gcc_bug).
Also, some gcc versions generate incorrect code unless the
-fno-omit-frame-pointer option is used.
The -fno-strength-reduce and the -fno-omit-frame-pointer options are
enabled by default by the 'configure' script.
PGP SIGNATURES:
--------------
By default, samhain will report on the checksums of the database
and configuration files on startup.
You can always (clear)sign the database (once initialized)
with GnuPG, as well as the configuration file
(recommended: gpg -a --clearsign --not-dash-escaped FILE).
However, to have samhain check these signatures, rather than ignoring
them, you need GnuPG and you must compile samhain with the option
./configure --with-gpg=PATH
where PATH is the path to the gpg/pgp binary.
Samhain will invoke gpg only after checking that
only trusted users (by default: root and the effective user)
have write access to any element in the path.
The public key for verification must be in the keyring of the
effective user (usually root)
For more security, it is possible to compile in the checksum
of the GnuPG executable, and/or the key fingerprint. See
the MANUAL for more details.
The public key will be searched in the gpg home directory
(~/.gnupg/) of the effective user (usually root).
The key identification and fingerprint will be reported.
CLIENT/SERVER:
-------------
samhain supports logging to a central server via TCP/IP.
To enable this option, use the ./configure option
./configure --enable-network=client|server [more options]
NOTE: client and server are __distict__ applications, and must be
built seperately. By default, installation names and paths are
different. Do not blame us if you abuse './configure' options to
cause name clashes, if you install both on the same host.
The following executables are built:
+++ samhain (client) +++ the monitoring agent,
with client code included
if --enable-network=client
+++ yule (server) +++ the log server (no monitoring, just report
collecting !!!)
if --enable-network=server
+++ samhain_setpwd +++ a utility program to set the password of
a monitoring agent (see man page samhain.8).
Use it without options to get help.
To set up a monitoring agent, do the following:
-- select a (16-digit hexadecimal) password. To generate
a random password, you can use:
./yule -G
-- use 'samhain_setpwd samhain <suffix> <password>'
to generate an agent 'samhain.suffix' with the selected password
(you can rename the agent afterwards, of course)
-- use 'yule -P password' to compute an entry to register the agent
-- in the servers's configuration file, insert the computed entry
(replace HOSTNAME with the host, on which the agent will run)
in the section called [Clients]
By default, client/server authentication
is done with the SRP (Secure Remote Password) protocol.
It is also possible to store configuration and database files
on the server. See the manual for details.
STEALTH:
-------
samhain supports a 'stealth' mode of operation, meaning that
the program can be run without any obvious trace of its presence
on disk. The supplied facilities are more sophisticated than
just running the program under a different name,
and might thwart efforts using 'standard' Unix commands,
but they will not resist a search using dedicated utilities.
To enable this mode, use the ./configure option
./configure --enable-stealth=XOR_VAL [more options]
XOR_VAL must be a decimal number in the range 0, 128..255
(using 0 will have no effect).
The runtime executable will contain no printable strings revealing
its nature or purpose (strings are xor'ed with XOR_VAL at compile
time, and decoded at runtime).
The configuration file is expected to be
a postscript file with _uncompressed_ image data, wherein
the configuration data are hidden by steganography.
To create a suitable image file from an existing image,
you may use e.g. the ImageMagick program 'convert', such as:
convert +compress ima.jpg ima.ps
The following additional executable will be built:
+++ samhain_stealth +++ steganography utility program to hide/extract
the configuration file data in/from a
postscript file with
_uncompressed_ image data.
Use it without options to get help.
Database and log file entries are xor'ed with XOR_VAL to 'mask'
printable strings as binary data. No steganography is supported
for them, as this would require image files of unreasonable large
size.
However, if the database/log file is an existing image (say, a .jpg
file), the data will be appended to the end of the image data.
The image will display normally, and on examination of the file,
the add-on data will look like binary (image) data at first sight.
The built-in utility to verify and print log file entries
will handle this situation transparently.
To re-name samhain to something unsuspicious, use the configure option
./configure --enable-install-name=NAME
'make install' will then re-name samhain upon installation. Also,
database, log file, and pid file will have 'samhain' replaced by
NAME.
USAGE EXAMPLES:
--------------
Review the default configuration file that comes with the
source distribution. Read the man page (samhain.8).
initialize database: samhain -t init
check files: samhain -t check
run as daemon: samhain -t check -D
report to log server: samhain -t check -D -e warn
start the log server: yule -S
CAVEATS:
-------
Permissions:
-----------
samhain needs root permissions to check some system files.
The log server does not require root permissions, unless
you use a privileged port (port number below 1024).
If you use --enable-udp to listen on the syslog socket, you need
to start the log server with root permissions (it will drop them
after binding to the port).
Trust:
-----
samhain checks the path to critical files (database, configuration)
for write access by untrusted users. By default, only root and
the effective user are trusted. More UIDs can be added as a
compile options (some systems habe 'bin' as owner of the root
directory).
Integrity:
---------
On startup, samhain will report on signatures or checksums of
database and configuration files. You better check these reports.
Both startup and exit will be reported. If you are using samhain
as daemon and start it at boot time, you may want to check that
startup/exit corresponds with scheduled reboots.
If the path to the samhain binary is defined in the configuration
file, samhain will checksum the binary at startup and compare
at program termination. This will minimize the time available
for an intruder to modify the binary.
Mail address:
------------
For offsite mail, you may have to set a mail relay host
in the configuration file.
START AT BOOT TIME:
------------------
the easy way (supported on Linux, FreeBSD, HP-UX, AIX):
su root
make install-boot
CONFIGURE OPTIONS:
-----------------
-------------------
-- basic options --
-------------------
--enable-network Compile with client/server support.
--enable-udp Enable the server to listen on
port 514/udp (syslog).
--enable-srp Use SRP protocol to authenticate to
log server.
--with-gpg=PATH Use GnuPG to verify database/config.
The public key of the effective
user (in ~/.gnupg/pubring.gpg)
will be used.
--enable-login-watch Watch for login/logout events.
--enable-stealth=XOR_VAL Enable stealth mode, and set XOR_VAL.
XOR_VAL must be decimal in
0..32 or 127..255
and will be used to 'mask' literal
strings as binary data.
(0 has no effect).
--enable-micro-stealth=XOR_VAL
As --with-stealth, but without
steganographic hidden configuration
file.
--enable-nocl=PW Enable command line parsing ONLY if
PW is the first argument on the command
line. If PW is "" (empty string),
command line parsing is completely
disabled.
--enable-base=BASE Set base for one-time pads. Must be
ONE string (no space) made of TWO
comma-separated integers in the range
-2147483648...2147483647.
(The default is compile time.)
Binaries compiled with different
values cannot verify the audit trail(s)
of each other.
THIS IS IMPORTANT IF YOU COMPILE
MULTIPLE TIMES, E.G. ON DIFFERENT
HOSTS.
-------------------
-- paths --
-------------------
${install_name} is "samhain" by default
(see --with-install-name=NAME )
configuration: /etc/${install_name}rc
state data: /var/lib/${install_name}
log file: /var/log/${install_name}_log
lock/pid file: /var/run/${install_name}.pid
mandir: /usr/local/man
bindir: /usr/local/sbin/
--exec-prefix=EPREFIX Set sbindir prefix (default
is /usr/local, ie. binaries
go to /usr/local/sbin)
--prefix=PREFIX install directory
(default is NONE)
IF PREFIX = USR; then
configuration: /etc/${install_name}rc
state data: /var/lib/${install_name}
log file: /var/log/${install_name}_log
lock/pid file: /var/run/${install_name}.pid
mandir: /usr/share/man
bindir: /usr/sbin/
IF PREFIX = OPT; then
configuration: /etc/opt/${install_name}rc
state data: /var/opt/${install_name}/${install_name}
log file: /var/opt/${install_name}/${install_name}_log
lock/pid file: /var/opt/${install_name}/${install_name}.pid
mandir: /opt/${install_name}/man
bindir: /opt/${install_name}/bin/
IF PREFIX = (something else); then
If EPREFIX is not set, it will be set to PREFIX.
configuration: PREFIX/etc/${install_name}rc
state data: PREFIX/var/lib/${install_name}
log file: PREFIX/var/log/${install_name}_log
lock/pid file: PREFIX/var/run/${install_name}.pid
mandir: PREFIX/share/man
bindir: PREFIX/sbin/
--with-config-file=FILE Set path of configuration file
(default is PREFIX/etc/samhainrc)
--with-data-file=FILE Set path of data file
(PREFIX/var/lib/samhain/samhain_file)
--with-html-file=FILE Set path of server status html file
(PREFIX/var/lib/samhain/samhain.html)
--with-log-file=FILE Set path of log file
(PREFIX/var/log/samhain_log)
--with-pid-file=FILE Set path of lock file
(PREFIX/var/run/samhain.pid)
-------------------
-- other --
-------------------
--with-checksum=CHECKSUM Compile in TIGER checksum of the
gpg/pgp binary.
CHECKSUM must be the full
line output by samhain or GnuPG when
computing the checksum.
--with-fp=FINGERPRINT Compile in public key fingerprint.
FINGERPRINT must be without spaces.
Only useful in combination with
'--with-gpg'.
If used, samhain will check the
fingerprint, but still report on the
used public key.
--enable-identity=USER Set user when dropping root privileges
(default is the user "nobody").
Only needed if there is no user
'nobody' on your system
(check /etc/passwd)
--with-port=PORT Set port number for TCP/IP
(default is 49777).
Only needed if this port is already
used by some other application.
--with-logserver=HOST Set host address for log server
(default is NULL).
You can set this in the configuration
file as well.
--with-timeserver=HOST Set host address for time server
(default is NULL - use own clock).
You can set this in the configuration
file as well.
--with-sender=SENDER Set sender for e-mail
(default is daemon).
--enable-xml-log Use XML format for log file.
--enable-debug Enable extended debugging
--enable-ptrace Use anti-debugging code.
--with-trusted=UID Comma-separated list of UID's of
users that are always trusted
(default is 0 = root).
You will need this only if the
path to the config file has directories
owned neither by 'root' nor by the
(effective) user of the program.
TESTING:
-------
For testing compilation etc., you may use the test suite:
./test/test.sh n [hostname]
The argument 'n' is the number of the test to run. Some tests require
that the (fully qualified) hostname be given as second argument.
Without options, you will get a short help/usage message, listing
each test, its purpose, and the name of the configuration file used.
You may want to review the respective configuration file before
running a test.
Also listed are the scripts used for each test. If you have problems
getting samhain to run, you may use these scripts as examples.
About
No description, website, or topics provided.
Resources
License
GPL-2.0, Unknown licenses found
Licenses found
GPL-2.0
LICENSE
Unknown
COPYING
Stars
Watchers
Forks
Releases
No releases published
Packages 0
No packages published