LinuxQuestions.org

Linux - Security > Samhain questions (http://www.linuxquestions.org/questions/linux-security-4/samhain-questions-814535/)

kaplan71 06-16-2010 12:00 PM

Samhain questions
 
Hi there --

I am planning on implementing Samhain, and I need feedback on what would be the best deployment option. What I intend to do is to have Samhain do the following checks:

Quote:

1. Check for SUID files
2. Detect for kernel modifications
3. Check for rootkits
4. Monitor login and logout events
5. Check for hidden processes
6. Detect open ports

There are two servers that I plan on having monitored, but I wanted to know whether it would be better to install Samhain as a standalone application on each of the systems, or to have it installed on one system that is monitoring both.

If I go with the centralized server approach, will the configuration script for the server include the option

Code:

--enable-network=server

while that on each of the target systems includes the option

Code:

--enable-network=client

Also, does Samhain communicate over SSH or port 22, or can it be configured to? Thanks.

unSpawn 06-16-2010 05:16 PM

Quote:

Originally Posted by kaplan71 (Post 4005610)
I need feedback on what would be the best deployment option. There are two servers that I plan on having monitored, but I wanted to know would it be better to install Samhain as a standalone application on each of the systems, or to have it installed on one system that is monitoring both.

From the tarball's /docs directory to the website, Samhain appears to be a very well-documented HIDS. This means that all questions from deployment configuration ("central logging, central storage of baseline databases and client configurations, and central updates of baseline databases") to configuration flags (docs/README) to communication (logging over TCP/IP, client-server comms using SRP, GnuPG encryption) are answered already. Duplicating those docs would be inefficient.

So. About "best" deployment. What does "best" mean? That depends on what these "two servers" represent. If one is a web server and the other a secure logging server, then that would be easy. But if they are, for instance, both Internet-facing servers, then they may be considered targets of equal value. If you can't afford to wedge in a secure, central syslog server, then your middle-way choices will be to run Samhain stand-alone on both machines or to set both up to be the server and client for the other. It depends on the value of what you need to protect.
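
What the six checks kaplan71 lists look like on a monitored host, as an added example that is not code from the thread or from the Samhain project: a samhainrc fragment for one client that runs all six checks locally and ships its events to a central log server over Samhain's own SRP/GnuPG-protected channel (the one unSpawn mentions), not SSH. The server hostname and the interface address are placeholders, and the section, option and configure names are from the Samhain docs as I recall them, so check them against docs/README and the sample samhainrc that ship with your version.

```ini
# Client build, options as I recall them from the Samhain docs (verify for your version):
#   ./configure --enable-network=client --enable-suidcheck --with-kcheck \
#               --enable-login-watch --enable-process-check --enable-port-check

[Misc]
Daemon=yes
# placeholder: the host built with --enable-network=server
SetLogServer=LOGSERVER.EXAMPLE.LOCAL

[Log]
# events of priority err and above are exported to the log server
ExportSeverity=err

# 1. SUID/SGID files: full filesystem sweep once a day, rate-limited to spare the disk
[SuidCheck]
SuidCheckActive=yes
SuidCheckInterval=86400
SuidCheckExclude=/proc
SuidCheckFps=250

# 2. and 3. kernel integrity (syscall table, IDT); this is also what catches kernel-level rootkits
[Kernel]
KernelCheckActive=yes
KernelCheckInterval=300

# 4. login and logout events from utmp/wtmp
[Utmp]
LoginCheckActive=yes
LoginCheckInterval=300

# 5. hidden processes: PIDs visible to the kernel but missing from /proc or ps output
[ProcessCheck]
ProcessCheckActive=yes
ProcessCheckInterval=300

# 6. open ports: any listener not declared required or optional is reported
[PortCheck]
PortCheckActive=yes
PortCheckInterface=192.0.2.10
PortCheckRequired=192.0.2.10:22/tcp
PortCheckInterval=300
```

For the "each is the other's server" variant unSpawn describes, the second host gets the same fragment with this host's name in SetLogServer and a build that includes --enable-network=server as well.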
