Samhain
Copyright
© 2002 by Rainer Wichmann
This is version 1.7.2 of Samhain manual.
Table of Contents
Introduction
Installation
Installation Requirements
Installation Procedure
Files and directory layout
Usage
How to invoke
What happens after startup ?
Controlling the daemon
Signals
PID file
Log file rotation
Updating the file signature database
Improving the signal-to-noise ratio
Options & configuration file
Support (bug/problem reports)
Configuration — Basic
Definitions
Configuration of logging facilities
Details of logging facilities
Configuration —
samhain
, the file monitor
Hash function
Basic usage instructions
File signatures
Defining which files/directories to monitor
Timing file checks
Initializing, updating, or checking
The file signature database
Checking the file system for SUID/SGID binaries
Detecting Kernel rootkits
Monitoring login/logout events
Modules
Performance tuning
Configuration —
yule
, the log server
General
Important installation notes
Chroot
Client registry
Enabling logging to the server
Database / configuration file download
Server status information
Syslog logging
Performance tuning
Hooks for External Programs
Pipes
System V message queue
Calling external programs
Additional Features — Signed Configuration/Database Files
Additional Features — Stealth
Hiding the executable
Packing the executable
Deployment to remote hosts
Usage Notes
Building an RPM
Building a Debian package
Security Design
Usage
Integrity of the executable
Design
FAQ — Frequently Asked Questions
General
Client or Standalone
Server
List of compilation options
General
OpenPGP Signatures on Configuration/Database Files
Client/Server Connectivity
Paths
List of command line options
General
samhain
yule
List of configuration file options
General
Files to check
Severity of events
Logging thresholds
Watching login/logout events
Checking for kernel module rootkits
Checking for SUID/SGID files
Database
Miscellaneous
External
Clients
Next >>>
Introduction