LinuxQuestions.org
#1  06-16-2010, 01:00 PM
kaplan71 (Member; Registered: Nov 2003; Posts: 719; Rep: 39)

Samhain questions
Hi there --

I am planning on implementing Samhain, and I need feedback on what would be the best deployment option. What I intend to do is to have Samhain do the following checks:

Quote:
1. Check for SUID files
2. Detect for kernel modifications
3. Check for rootkits
4. Monitor login and logout events
5. Check for hidden processes
6. Detect open ports
There are two servers that I plan on having monitored, but I wanted to know whether it would be better to install Samhain as a standalone application on each of the systems, or to have it installed on one system that is monitoring both.

If I go with the centralized server approach, will the configuration script for the server include the option

Code:
--enable-network=server
while that on each of the target systems includes the option

Code:
--enable-network=client
Also, does Samhain communicate over SSH or port 22, or can it be configured to? Thanks.
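The samhainrc fragment below is added here as an illustration and is not part of the original post. It maps the six checks listed above onto Samhain's runtime configuration sections. The section and option names (Utmp, SuidCheck, Kernel, ProcessCheck, PortCheck, Log) and the configure-time switches named in the comments are assumed from the Samhain manual and should be verified against docs/ in the tarball before use. The intervals, severities and the required-port entry are constructed sample values. Samhain has no separate "rootkit" module, so that item is covered by the kernel, hidden-process and file-integrity checks.

```ini
# Constructed example samhainrc fragment (not from the original post).
# Each module must also be compiled in; the configure switches named in
# the comments are assumed from the Samhain documentation. A monitored
# host is built with --enable-network=client and the log host with
# --enable-network=server, as in the question above.

# 4. Login/logout monitoring (build: --enable-login-watch)
[Utmp]
LoginCheckActive = True
LoginCheckInterval = 300
SeverityLogin = info
SeverityLogout = info
SeverityLoginMulti = warn

# 1. SUID/SGID file check (build: --enable-suidcheck)
[SuidCheck]
SuidCheckActive = True
SuidCheckInterval = 86400
SeveritySuidCheck = crit
# Quarantining is left off until the baseline is known to be clean.
SuidCheckQuarantineFiles = no

# 2./3. Kernel integrity, which also covers kernel-level rootkits
#       (build: --with-kcheck=/boot/System.map, path is an assumption)
[Kernel]
KernelCheckActive = True
KernelCheckInterval = 300
SeverityKernel = crit

# 5. Hidden processes (build: --enable-process-check)
[ProcessCheck]
ProcessCheckActive = True
ProcessCheckInterval = 300
SeverityProcessCheck = crit

# 6. Open ports (build: --enable-port-check)
[PortCheck]
PortCheckActive = True
PortCheckInterval = 300
SeverityPortCheck = crit
# Constructed sample: sshd must be listening; any other listener is reported.
PortCheckRequired = 0.0.0.0:22/tcp
PortCheckInterface = 0.0.0.0

# Constructed minimum: warn and above to the local log, crit and above
# exported to the log server when built as a client.
[Log]
MailSeverity = none
LogSeverity = warn
ExportSeverity = crit
```

Keeping the baseline database and this configuration on the server side, as the answer below describes, is what turns the standalone checks into a centrally managed deployment; the module switches themselves are the same either way.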
 
#2  06-16-2010, 06:16 PM
unSpawn (Moderator; Registered: May 2001; Posts: 27,743; Blog Entries: 54; Rep: 2972)
Quote (originally posted by kaplan71):
I need feedback on what would be the best deployment option. There are two servers that I plan on having monitored, but I wanted to know would it be better to install Samhain as a standalone application on each of the systems, or to have it installed on one system that is monitoring both.
From the tarball's /docs directory to the website, Samhain appears to be a very well-documented HIDS. This means that all questions, from deployment configuration ("central logging, central storage of baseline databases and client configurations, and central updates of baseline databases") to configuration flags (docs/README) to communication (logging over TCP/IP, client-server comms using SRP, GnuPG encryption), are answered already. Duplicating those docs would be inefficient.

So. About "best" deployment. What does "best" mean? That depends on what these "two servers" represent. If one is a web server and the other a secure logging server then that would be easy. But if they for instance are both Internet-facing servers then they may be considered as targets of equal value. If you can't afford to wedge in a secure, central syslog server then your middle way choices will be to run Samhain stand-alone on both machines or set both up to be the server and client for the other. It depends on what the value is of what you need to protect.