[SOLVED] Samhain not detecting rootkit or false logins
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Unlike OSSEC, Samhain HIDS is not able to detect any false login; it's not able to detect rootkits or do any kernel level checks.
I have configured Kernel, SUID, Login and logout, but it seems to have no effect.
The only things it can detect are when I add users, and it performs the file integrity check.
I would really appreciate it if anyone could help or provide me with any suggestions.
It's installed and configured properly according to the BOOK (Host Integrity Monitoring Using Osiris and Samhain), yet it is not detecting a thing.
I don't know where I'm making a mistake.
I have even installed a rootkit and it doesn't detect any file modification caused by it.
I could be wrong but AFAIK the rootkit component of OSSEC HIDS hasn't been significantly updated in a while...
Quote:
Originally Posted by metalaarif
Samhain HIDS is not being able to detect any false login,
Define "false login"?
How did you test it?
Quote:
Originally Posted by metalaarif
its not being able to detect rootkits or do any kernel level checks.
How did you test this?
What Samhain release?
Installed from source or as a distribution or third party package?
What distribution do you use (maybe fill in your Control Panel details)?
What kernel do you run?
Quote:
Originally Posted by metalaarif
Its intalled and configured properly
Attach your full configuration file?
Quote:
Originally Posted by metalaarif
I even have installed rootkit and it doesn't even detect any file modification cause by it.
That is not a suggestion I would make unless you test inside an isolated and expendable virtualization guest.
What rootkit BTW?
I am performing this in a virtual environment. I am doing it in VMware to be safe and secure.
I have installed the latest version, samhain-3.0.1, on Ubuntu 10.04, both Desktop and Server edition, kernel version 2.6.32.33.
I did
I just checked with the above command and it detects a few alerts; that's fine, I'm not much worried about minor ones for now.
Now let's test for real threats.
Quote:
I will create 1 user
# useradd dragon
# passwd dragon
I will delete and add files
# mkdir /etc/dragon
# vi /etc/dragon/hacker.txt
# vi /etc/dragon/hello.txt
# rm -f /etc/dragon/hello.txt
# touch /bin/ls
# touch /bin/ps
I am doing these changes directly on the Ubuntu desktop.
In my case a false login is like this (this is for an internal threat test):
I am directly trying to log in as root but providing the wrong password.
I have installed openssh-server, then I'm trying to log in via an ssh client from a different computer.
I have been doing a brute-force attack using hydra. Unlike OSSEC, which detects and logs each and every detail.
Quote:
Finally, the rootkit which I installed was kbeast-v1 from core.ipsecs.com
I installed it with: # ./setup build
installation successful!!!
After installing and modifying, I need to scan for possible threats
# samhain -t check -p warn --foreground
Quote:
WARN : [2012-01-06T14:52:33+0000] msg=<Unrecognized section heading in line 362 of configuration file>
WARN : [2012-01-06T14:52:33+0000] msg=<Unrecognized section heading in line 414 of configuration file>
WARN : [2012-01-06T14:52:33+0000] msg=<Unrecognized section heading in line 435 of configuration file>
I don't know why I get these warnings; I shouldn't be getting them, should I? I don't know why, I changed these before creating a baseline.
For some reason for the first time, I just performed everything and it really detected most of those things I mentioned.
It detected kbeast but I'm not sure if it detected it as rootkit and I didn't find any false login.
I have attached configuration and log files.
Last edited by metalaarif; 01-25-2012 at 12:08 PM.
Reason: spelling mistake
I am performing this in a virtual environment. I am doing it in VMware to be safe and secure.
Good.
Quote:
Originally Posted by metalaarif
I have attached configuration and log files.
Thanks.
Quote:
Originally Posted by metalaarif
I changed a few things; it is exactly the same as the book's configuration
You should not assume everybody knows or has that book. Anyway. The [Kernel] section is missing values the documentation (samhain-3.0.1/docs/MANUAL-2_3.html/MANUAL-2_3/checking-for-kernel-module-rootkits.html) talks about. Without these the LKM check can't detect changes.
Quote:
Originally Posted by metalaarif
I am directly trying to log in as root but providing the wrong password.
If you run Ubuntu then root is not allowed to log in so which password you use should not matter.
Quote:
Originally Posted by metalaarif
I have installed openssh-server then i'm trying to login via ssh client from different computer.
I have been doing a brute-force attack using hydra. Unlike OSSEC, which detects and logs each and every detail.
The configuration file has generic "SetFilecheckTime" of one hour but the [Utmp] section is missing a specific "LoginCheckInterval" for scheduling the login/logout check.
* IMHO OSSEC HIDS shouldn't be compared with Samhain. If you would then in some aspects it may perform better and worse in others.
** Also I've noticed you use "SyslogFacility=LOG_LOCAL2". Did you define this facility in your syslog configuration, initialize the log file and restart syslog?
Quote:
Originally Posted by metalaarif
I don't know why i get these warning
Maybe the checks weren't enabled when you compiled Samhain. Check your build directory, the configure.log / configure.status files.
Quote:
Originally Posted by metalaarif
For some reason for the first time, I just performed everything and it really detected most of those things I mentioned. It detected kbeast but I'm not sure if it detected it as rootkit and I didn't find any false login.
Doubtful. At least your (current) log and configuration file don't support that. Samhain detected Kbeast only by the files added to the /usr/_h4x_ path.
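The reply above points at two concrete gaps in the posted samhain.conf: an empty [Kernel] section and a [Utmp] section with no LoginCheckInterval, plus a syslog facility that may never have been wired up. The script below is an added example, not code from the thread or from the Samhain project: it embeds a constructed stand-in for the poster's configuration next to a corrected fragment and reports which settings are absent from each. The key names KernelCheckActive, KernelCheckInterval, LoginCheckActive and LoginCheckInterval, the configure options named in the comments, and the rsyslog line for LOG_LOCAL2 are taken from the Samhain manual as I recall it and should be treated as assumptions to verify against the docs shipped with your release.

```shell
#!/bin/sh
# Added example (not from the thread): check a samhain.conf for the settings
# the reply says are missing, and show a corrected fragment beside it.
# Key names below follow the Samhain manual as assumed here; confirm them in
# samhain-3.0.1/docs/MANUAL-2_3.html for your release.

# Print the value of KEY inside [SECTION] of CONF (empty if absent).
# samhain.conf uses "[Section]" headings and "Key=Value" lines; a line
# commented out with a leading '#' is correctly treated as absent.
conf_get() {
    conf=$1; section=$2; key=$3
    awk -v sec="[$section]" -v key="$key" '
        /^[[:space:]]*\[/ { s = $0; gsub(/[[:space:]]/, "", s); insec = (s == sec); next }
        insec && $0 ~ ("^[[:space:]]*" key "[[:space:]]*=") {
            sub(/^[^=]*=[[:space:]]*/, ""); print; exit
        }' "$conf"
}

# Report which of the settings named in the reply are absent from CONF,
# one "Section/Key" per line; exit status 0 only when none are missing.
conf_missing() {
    conf=$1; missing=0
    for spec in Kernel/KernelCheckActive Kernel/KernelCheckInterval \
                Utmp/LoginCheckActive Utmp/LoginCheckInterval; do
        sec=${spec%/*}; key=${spec#*/}
        if [ -z "$(conf_get "$conf" "$sec" "$key")" ]; then
            echo "$spec"; missing=1
        fi
    done
    return $missing
}

BEFORE=$(mktemp); AFTER=$(mktemp)
trap 'rm -f "$BEFORE" "$AFTER"' EXIT

# Constructed stand-in for the posted configuration: the sections exist, but
# [Kernel] carries no values and [Utmp] enables the check without scheduling it.
cat >"$BEFORE" <<'EOF'
[Misc]
SetFilecheckTime=3600
SyslogFacility=LOG_LOCAL2
[Kernel]
[Utmp]
LoginCheckActive=True
[SuidCheck]
SuidCheckActive=True
EOF

# Corrected fragment (assumed key names): enable and schedule both checks.
# The intervals are in seconds and are only illustrative values.
cat >"$AFTER" <<'EOF'
[Misc]
SetFilecheckTime=3600
SyslogFacility=LOG_LOCAL2
[Kernel]
KernelCheckActive=True
KernelCheckInterval=300
[Utmp]
LoginCheckActive=True
LoginCheckInterval=600
[SuidCheck]
SuidCheckActive=True
EOF

echo "Missing from the original configuration:"
conf_missing "$BEFORE" || true
echo "Missing from the corrected configuration:"
conf_missing "$AFTER" || true

# Two further things the reply asks about, kept as comments because they are
# host-specific (both assumed, verify against your build and syslog daemon):
#  - "Unrecognized section heading" usually means the matching check was not
#    compiled in; rebuild with e.g. ./configure --enable-login-watch
#    --enable-suidcheck --with-kcheck=/boot/System.map-$(uname -r)
#  - SyslogFacility=LOG_LOCAL2 only lands somewhere if syslog routes it, e.g.
#    an rsyslog line "local2.*  /var/log/samhain.log", followed by a restart.
```

Running the script prints the three absent keys for the constructed "before" file and nothing for the corrected one; point conf_missing at your own samhain.conf to get the same report for it.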
Later I installed Kbeast and got these results. I just want you to confirm whether these are the possible changes done in the kernel due to the rootkit installation.
Ah, yes, one of the more elaborate threads of 2011. Was fun doing that.
Quote:
Originally Posted by metalaarif
Later I installed Kbeast and got these results. I just want you to confirm whether these are the possible changes done in the kernel due to the rootkit installation.
Finally, I would like to know which checksum does samhain support by default.
See samhain-3.0.1/docs/MANUAL-2_3.html/MANUAL-2_3/hash-function.html and samhain-3.0.1/docs/MANUAL-2_3.html/MANUAL-2_3/file-signatures.html: TIGER by default, but SHA-1 or MD5 can be used.