Samhain questions
 

Hi there --

I am planning on implementing Samhain, and I need feedback on what would be the best deployment option. What I intend to do is to have Samhain do the following checks:

There are two servers that I plan on having monitored, but I wanted to know would it be better to install Samhain as a standalone application on each of the systems, or to have it installed on one system that is monitoring both.

If I go with the centralized server approach, will the configuration script for the server include the option

while that on each of the target systems includes the option

Also, does Samhain, or can be configured, to communicate over SSH or port 22? Thanks.

From tarball /docs directory to website Samhain appears to be a very well-documented HIDS. This means that all questions from deployment configuration ("central logging, central storage of baseline databases and client configurations, and central updates of baseline databases") to configuration flags (docs/README) to communication (logging over TCP/IP, client-server comms using SRP, GnuPG-encryption) are answered already. Duplicating those docs would be inefficient.

So. About "best" deployment. What does "best" mean? That depends on what these "two servers" represent. If one is a web server and the other a secure logging server then that would be easy. But if they for instance are both Internet-facing servers then they may be considered as targets of equal value. If you can't afford to wedge in a secure, central syslog server then your middle way choices will be to run Samhain stand-alone on both machines or set both up to be the server and client for the other. It depends on what the value is of what you need to protect.