Hi there --
I am planning on implementing Samhain, and I need feedback on what would be the best deployment option. What I intend to do is to have Samhain do the following checks:
1. Check for SUID files
2. Detect kernel modifications
3. Check for rootkits
4. Monitor login and logout events
5. Check for hidden processes
6. Detect open ports
There are two servers that I plan on having monitored, but I wanted to know whether it would be better to install Samhain as a standalone application on each of the systems, or to have it installed on one system that is monitoring both.
If I go with the centralized server approach, will the configuration script for the server include the option
while that on each of the target systems includes the option
Also, does Samhain communicate over SSH or port 22, or can it be configured to? Thanks.
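As an added illustration of the first check in the list above (SUID files), here is a small baseline-comparison script. It is example code written for this thread, not Samhain's own SuidCheck implementation, and the file listings it compares are constructed sample data rather than output from any real host; the `scan_filesystem` helper is the only part that touches a real tree, and is an assumption about how one would gather the same records locally.

```python
import os
import stat

# Constructed baseline: path -> (st_mode, st_uid). Not taken from a real system.
BASELINE = {
    "/usr/bin/passwd": (0o104755, 0),   # setuid root
    "/usr/bin/sudo": (0o104755, 0),     # setuid root
    "/usr/bin/ping": (0o100755, 0),     # no setuid bit in the baseline
}

# Constructed "current" listing for the same host:
#  - passwd has disappeared
#  - ping has gained the setuid bit
#  - sudo is still setuid but is now owned by a non-root uid
#  - a new setuid binary appeared under /tmp
CURRENT = {
    "/usr/bin/sudo": (0o104755, 1000),
    "/usr/bin/ping": (0o104755, 0),
    "/tmp/x": (0o104755, 0),
}


def is_suid_or_sgid(mode):
    """True if the setuid or setgid bit is set in st_mode."""
    return bool(mode & (stat.S_ISUID | stat.S_ISGID))


def suid_entries(listing):
    """Reduce a {path: (mode, uid)} listing to the setuid/setgid entries only."""
    return {p: rec for p, rec in listing.items() if is_suid_or_sgid(rec[0])}


def compare(baseline, current):
    """Report setuid/setgid files that appeared, vanished, or changed mode/owner."""
    base = suid_entries(baseline)
    cur = suid_entries(current)
    added = sorted(set(cur) - set(base))
    removed = sorted(set(base) - set(cur))
    changed = sorted(p for p in set(cur) & set(base) if cur[p] != base[p])
    return {"added": added, "removed": removed, "changed": changed}


def scan_filesystem(root="/"):
    """Assumed helper: walk a real tree (not following symlinks) and collect
    {path: (st_mode, st_uid)} for regular files with setuid/setgid set."""
    found = {}
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable or vanished between listing and stat
            if stat.S_ISREG(st.st_mode) and is_suid_or_sgid(st.st_mode):
                found[path] = (st.st_mode, st.st_uid)
    return found


if __name__ == "__main__":
    report = compare(BASELINE, CURRENT)
    for kind in ("added", "removed", "changed"):
        for path in report[kind]:
            print(f"{kind}: {path}")
```

Running it over the constructed data flags `/tmp/x` and `/usr/bin/ping` as new setuid entries, `/usr/bin/passwd` as removed, and `/usr/bin/sudo` as changed; on a real host you would persist the result of `scan_filesystem()` as the baseline and compare later scans against it, which is the same pattern Samhain applies with its own database.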