Old 08-10-2011, 05:46 PM   #16
Sorry for the slow reply.
Originally Posted by sneakyimp:
So I changed the /var/run/samhain folder to be root:root, 770.
Please check if 0750 is enough.

Originally Posted by sneakyimp:
For some reason the text did not go into the file samhain_start.txt but instead was echoed to the terminal window.
Next time try 'sudo samhain -t init -p info > /path/to/samhain_start.txt 2>&1'?

Originally Posted by sneakyimp:
According to uname, your nodename is foo-bar-64, but your resolver library cannot resolve this nodename to a FQDN. Rather, it resolves this to foo-bar-64.
I checked the docs it mentioned and the referenced section mentions the /etc/hosts file but it would seem that this matters mostly in a client/server arrangement which I don't have. Do I really need to fix this?
As you know by now, it is not an issue with Samhain but with the system resolver not being able to resolve the IP address to a fully qualified domain name, and AFAIK fixing this is not critical for running Samhain correctly.

Originally Posted by sneakyimp:
The Debian samhain package includes this config in /etc/logrotate.d/samhain (..) This script doesn't look like it's very careful about stopping/starting samhain or acquiring locks. I also don't understand what the reload is for. Unfortunately, the recommended samhain logrotate script is not tested
If you're not certain the script restarts Samhain like it should, just use the facilities you have on your system or see 'man samhain': SIGNALS. Reloading means it'll close opened file descriptors (new log file) and reread the configuration file. Wrt testing: luckily you have a staging machine.

Originally Posted by sneakyimp:
Good news:
* I have records in my database now, which is tremendous and makes me exceedingly happy. Append-only log! W00T.
* I think I've almost got all the big questions answered.
Well done working out most things yourself!

Originally Posted by sneakyimp:
I have added these to the GrowingLogFiles section:
You do not run a News server and you probably should not run a printer.

Originally Posted by sneakyimp:
How to use signatures in email notifications to validate the messages therein? / What is the significance of the logkey?
Samhain sends an initial LOGKEY per email. Use Samhain on the mailbox or log file to verify integrity.

Originally Posted by sneakyimp:
Which keys are needed and how are they used in order to run samhain using gpg?

Originally Posted by sneakyimp:
Is there some way to check up on samhain to make sure it's running? I'm worried a kill -9 might take it down without any sort of notification.
Samhain, when run as a daemon, will log a message (hash changing from n to 0) when shut down. One way to ensure it runs is to use an external process checker like Monit. The downside is this creates a dependency on Monit. Another way is to start Samhain from init (/etc/inittab or equivalent), letting it take care of restarting killed processes. The downside is this interferes with log rotation, unless yours accepts delayed compression and such, as the process will respawn as soon as it's killed.
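As an added example, not from this thread and not Samhain's own code: the "is it still running after a kill -9?" check discussed above and the 0750 check on the runtime directory, as POSIX sh functions that Monit or cron can call. The pid file path /var/run/samhain/samhain.pid and the process name "samhain" are assumptions.

```shell
#!/bin/sh
# Added example (not Samhain's own code): liveness check for the Samhain
# daemon plus the 0750 check on its runtime directory, for Monit or cron.
# Assumed, not from the thread: pid file path and process name below.
PIDFILE=${PIDFILE:-/var/run/samhain/samhain.pid}
EXPECT=${EXPECT:-samhain}

# samhain_status PIDFILE EXPECTED_NAME
# 0: pid in PIDFILE is alive and runs EXPECTED_NAME
# 1: pid file missing or empty
# 2: process gone (stale pid file, e.g. after kill -9)
# 3: pid alive but reused by some other program
samhain_status() {
    pidfile=$1; expect=$2
    [ -r "$pidfile" ] || return 1
    pid=$(tr -cd '0-9' < "$pidfile")
    [ -n "$pid" ] || return 1
    # kill -0 fails with EPERM for another user's process, so fall back to /proc
    kill -0 "$pid" 2>/dev/null || [ -d "/proc/$pid" ] || return 2
    if [ -r "/proc/$pid/comm" ]; then
        comm=$(cat "/proc/$pid/comm")
    else
        comm=$(ps -o comm= -p "$pid" 2>/dev/null)
    fi
    case "$comm" in
        "$expect"*) return 0 ;;
        *) return 3 ;;
    esac
}

# runtime_dir_ok DIR OWNER
# 0 only if DIR belongs to OWNER and is mode 0750 or 0700: no group write,
# nothing for "other" (the permissions question above). OWNER should be root.
runtime_dir_ok() {
    dir=$1; owner=$2
    [ -d "$dir" ] || return 1
    perms=$(ls -ld "$dir" | cut -c1-10)
    who=$(ls -ld "$dir" | awk '{print $3}')
    [ "$who" = "$owner" ] || return 1
    case "$perms" in
        drwxr-x---|drwx------) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage from cron/Monit (exit status is the code above):
#   samhain_status "$PIDFILE" "$EXPECT" || echo "samhain check failed: $?"
```

A non-zero status from samhain_status is the cue for Monit or cron mail to raise an alert, which is what a kill -9 on the daemon would otherwise leave unreported.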

