Sorry for the slow reply.
Quote:
Originally Posted by sneakyimp
So I changed the /var/run/samhain folder to be root:root, 770.
|
Please check if 0750 is enough.
Quote:
Originally Posted by sneakyimp
For some reason the text did not go into the file samhain_start.txt but instead was echoed to the terminal window.
|
Next time try 'sudo samhain -t init -p info > /path/to/samhain_start.txt 2>&1'? (The order matters: stdout must be pointed at the file before stderr is joined to it, otherwise the messages still land on the terminal.)
Quote:
Originally Posted by sneakyimp
Code:
According to uname, your nodename is foo-bar-64, but your resolver library cannot resolve this nodename to a FQDN. Rather, it resolves this to foo-bar-64.
I checked the docs it mentioned and the referenced section mentions the /etc/hosts file but it would seem that this matters mostly in a client/server arrangement which I don't have. Do I really need to fix this?
|
As you know by now it is not an issue with Samhain but with the system resolver not being able to resolve the IP address to a fully qualified domain name, and AFAIK fixing this is not critical for running Samhain correctly.
Quote:
Originally Posted by sneakyimp
The Debian samhain package includes this config in /etc/logrotate.d/samhain (..) This script doesn't look like it's very careful about stopping/starting samhain or acquiring locks. I also don't understand what the reload is for. Unfortunately, the recommended samhain logrotate script is not tested
|
If you're not certain the script restarts Samhain like it should, just use the facilities you have on your system or see 'man samhain': SIGNALS. Reloading means it'll close open file descriptors (new log file) and reread the configuration file. Wrt testing: luckily you have a staging machine.
Quote:
Originally Posted by sneakyimp
Good news:
* I have records in my database now, which is tremendous and makes me exceedingly happy. Append-only log! W00T.
* I think I've almost got all the big questions answered.
|
Well done working out most things yourself!
Quote:
Originally Posted by sneakyimp
I have added these to the GrowingLogFiles section:
Code:
/var/log/lpr.log
/var/log/news/news.crit
/var/log/news/news.err
/var/log/news/news.notice
|
You do not run a News server and you probably should not run a printer.
Quote:
Originally Posted by sneakyimp
How to use signatures in email notifications to validate the messages therein? / What is the significance of the logkey?
|
Samhain sends an initial LOGKEY per email. Use Samhain on the mailbox or log file to verify integrity.
Quote:
Originally Posted by sneakyimp
Which keys are needed and how are they used in order to run samhain using gpg?
|
http://www.la-samhna.de/samhain/manu...ignatures.html?
Quote:
Originally Posted by sneakyimp
Is there some way to check up on samhain to make sure it's running? I'm worried a kill -9 might take it down without any sort of notification.
|
Samhain, when run as a daemon, will log a message (hash changing from n to 0) when shut down. One way to ensure it runs is to use an external process checker like Monit. The downside is this creates a dependency on Monit. Another way is to start Samhain from init (/etc/inittab or equivalent), letting it take care of restarting killed processes. The downside is this interferes with log rotation, unless yours accepts delayed compression and such, as the process will respawn as soon as it's killed.
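A third option between "depend on Monit" and "respawn from init", added here as an example and not code from the thread or from the Samhain project: a small POSIX sh script that cron can run to verify the daemon behind the pidfile is still alive (a kill -9 leaves the pidfile behind, so checking the file alone is not enough), and a reload helper that sends SIGHUP, the signal 'man samhain' lists for rereading the configuration and reopening the log, which is what a logrotate postrotate block needs. The pidfile path is an assumption (set SAMHAIN_PIDFILE to whatever your build writes); kill -0 only sees root's processes when run as root, so run this as the same user as the daemon.

```shell
#!/bin/sh
# Added example, not from the thread or the Samhain project.
# Liveness check for the samhain daemon via its pidfile, plus a SIGHUP reload
# helper for logrotate's postrotate block.
# Assumption: the daemon writes its pid to $SAMHAIN_PIDFILE; the path below is a
# guess based on the /var/run/samhain directory discussed in the thread.
SAMHAIN_PIDFILE="${SAMHAIN_PIDFILE:-/var/run/samhain/samhain.pid}"

# samhain_pid PIDFILE
#   Prints the pid if PIDFILE holds a numeric pid of a live process.
#   Returns 1 for a missing/unreadable file, non-numeric content, or a stale
#   pid (the process was killed, e.g. with kill -9, and the file was left behind).
samhain_pid() {
    pidfile="$1"
    [ -r "$pidfile" ] || return 1
    pid=$(head -n 1 "$pidfile" | tr -d '[:space:]')
    case "$pid" in
        ''|*[!0-9]*) return 1 ;;          # refuse to signal anything that is not a pid
    esac
    # kill -0 sends no signal; it only tests whether the process exists and we may
    # signal it. Run as root (the daemon's user) or a live daemon looks dead (EPERM).
    kill -0 "$pid" 2>/dev/null || return 1
    printf '%s\n' "$pid"
}

# samhain_alive PIDFILE -> 0 if the daemon is running, 1 otherwise.
samhain_alive() {
    samhain_pid "$1" >/dev/null
}

# samhain_reload PIDFILE
#   SIGHUP makes samhain reread its configuration and reopen its log file
#   (see SIGNALS in 'man samhain'), which is the safe thing to do from
#   logrotate's postrotate instead of stop/start. Fails if the daemon is gone,
#   so a rotation never signals a recycled pid.
samhain_reload() {
    pid=$(samhain_pid "$1") || return 1
    kill -HUP "$pid"
}

# Cron entry point: "samhain-check.sh check" every few minutes. A dead daemon is
# reported to syslog at crit so your normal log alerting picks it up.
if [ "${1:-}" = "check" ]; then
    if samhain_alive "$SAMHAIN_PIDFILE"; then
        echo "samhain running (pid $(samhain_pid "$SAMHAIN_PIDFILE"))"
    else
        logger -p daemon.crit -t samhain-check "samhain daemon not running"
        exit 1
    fi
fi
```

In /etc/logrotate.d/samhain the postrotate block then only needs to source this script and call samhain_reload "$SAMHAIN_PIDFILE"; because the function refuses a stale pid, a rotation that happens after a crash does not send SIGHUP to whatever process inherited the pid.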