Wednesday, 24 April 2013

Samhain Installation and Implementation in Linux




Samhain is another open source HIDS application designed primarily to monitor the file integrity of the system. It can be deployed in two different ways, standalone mode or client/server mode. The most important function of samhain is file integrity monitoring; in addition it can audit SUID/SGID files, monitor mount settings and login/logout events, perform an integrity check of the kernel to detect possible rootkits and, finally, monitor the integrity of the syscall table and syscall functions (Wotring, 2005). “System calls provide interface between user applications and privileged kernel space and are the primary target for most rootkits. The handler for each system call is stored in a system call table (Wotring, 2005).”
Only the installation process for standalone mode will be discussed, not client/server mode: in this project each HIDS application is installed on a single server, so standalone mode is the relevant one. As with the previous OSSEC HIDS installation, samhain is installed by downloading the source, compiling it and installing the binary, but we must remember to download the latest version. The latest version is samhain 3.0.1 and it is recommended to verify its PGP signature.

So basically, it doesn't matter which distro you're using (Red Hat, Debian, openSUSE, Slackware), the steps are the same:


# tar -zxvf samhain-current.tar.gz

# tar -zxvf samhain-3.0.1.tar.gz

# cd samhain-3.0.1

# ./configure

The beauty of Samhain is that it has different configuration options, and each of them can be enabled separately for a specific purpose, while file integrity monitoring is built in by default. Unlike other HIDS applications, samhain can be customised at build time for specific tasks such as rootkit kernel monitoring, login monitoring, mount checks and SUID checks (Wotring, 2005). These are all optional modules provided by samhain. The optional modules required for this project are enabled with the configure options below. Note that each run of ./configure replaces the previous one, so all options must be given in a single invocation rather than one ./configure per option. The path given to --with-kcheck is the System.map of the running kernel (on many distributions it is versioned, e.g. /boot/System.map-<kernel version>), and CHKSUM is the placeholder name used by configure's help for the checksum option:

# ./configure --enable-login-watch --enable-mount-check \
      --with-kcheck=/boot/System.map --with-checksum=CHKSUM

Once configuration is complete we can finalise the installation by building and installing the binaries.

# make

# make install

With the above steps we download, compile, build and finally install the latest version of samhain. There are a few things to remember before we proceed. When ./configure finishes, it prints a summary of the configured settings, as shown below.

Samhain has been configured as follows:
System binaries: /usr/local/sbin
Configuration file: /etc/samhainrc
Manual Page: /usr/local/man
Data: /var/lib/samhain
PID file: /var/run/samhain.pid
Log file: /var/log/samhain_log
Base key: 814794596, 541454212
The most important entries shown above (table 11) are the configuration file (/etc/samhainrc) and the log file (/var/log/samhain_log). The samhain init scripts can also be installed, so that samhain starts monitoring every time the system reboots. This is done with the following command:

# make install-boot

Now we need to tune it like a guitar so that it does what it does best: monitor for any intrusion and send an alert notification if one is detected. Before we begin with the samhain configuration, keep in mind that samhain works only as root, therefore we must switch to the root user.

# vim /etc/samhainrc


Samhain provides a brief description on each configuration line, which makes it easier to understand and configure. First of all, we need to decide what should be monitored and what should be left out, so that we do not generate excessive false positives. Samhain supports both file and directory monitoring, and it does not just scan a directory but can perform an in-depth (recursive) scan. Files and directories are defined in the following way:

file = /var/log/mail

dir = /etc/network

The intriguing part is that it is not necessary to define each and every directory in the way shown above. A directory can be given an optional recursive depth (N <= 99), where N is the number of directory levels samhain descends below it; 0 means the directory and its direct contents only, and -1 means only the directory entry itself. These are the basics that must be understood before proceeding further.

dir = 99/etc

dir = 0/

dir = -1/dev/pts

A configuration sample for samhainrc can be seen below.

###Samhain Configuration###

[ReadOnly]
# system binaries, libraries and configuration: any change is reported
dir = 99/bin
dir = 99/sbin
dir = 99/var
dir = 99/etc
dir = 99/usr

[Attributes]
# only changes of owner, group and mode are reported; content changes are expected here
file = /etc/mtab
file = /etc/adjtime
file = /etc/motd
file = /etc/lvm/.cache

[IgnoreAll]
# volatile directories that must not generate alerts
dir = -1/var/mail
dir = -1/var/run

[GrowingLogFiles]
# log files may grow by appending; truncation or in-place edits are reported
dir = 99/var/log

[EventSeverity]
# severity assigned to each kind of policy violation
SeverityReadOnly = crit
SeverityLogFiles = crit
SeverityAttributes = crit
SeverityKernel = info
SeverityLogin = info
SeverityLoginMulti = crit
SeverityLogout = info

[Kernel]
# rootkit check of the kernel (requires --with-kcheck at build time)
KernelCheckActive = True
KernelCheckInterval = 300

[Utmp]
# login/logout monitoring (requires --enable-login-watch at build time)
LoginCheckActive = True

[Log]
# none disables mail alerts; e.g. crit would mail only critical events
MailSeverity = none

[Misc]
SetMailAddress = you&me@mail.com
SetMailRelay = 127.0.0.1
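When rules overlap, as they do above (99/var in ReadOnly, -1/var/run in IgnoreAll, 99/var/log in GrowingLogFiles), it helps to know which section ends up covering a given path. The following Python is an added example, not samhain's own code: a small model of the dir = [depth]/path syntax and of most-specific-rule precedence, run over a constructed excerpt of the sample above. The default depth of 99 for rules without a depth, and the fall-through of entries inside a depth -1 directory to the next enclosing rule, are this model's assumptions and should be confirmed against the samhain manual for your version.

```python
import re
from typing import NamedTuple
# Constructed excerpt of the samhainrc sample above (not the complete file).
SAMPLE_RC = """\
[ReadOnly]
dir = 99/etc
dir = 99/var
[Attributes]
file = /etc/mtab
[IgnoreAll]
dir = -1/var/run
[GrowingLogFiles]
dir = 99/var/log
"""
FILE_SECTIONS = {"ReadOnly", "Attributes", "IgnoreAll", "IgnoreNone", "LogFiles", "GrowingLogFiles"}
class Rule(NamedTuple):
    section: str
    is_dir: bool
    depth: int   # -1: the directory entry only, 0: plus its direct entries, N: N more levels
    path: str

def parse_rc(text, default_depth=99):
    """Collect dir=/file= lines from the file-policy sections; other options are skipped."""
    rules, section = [], None
    for line in text.splitlines():
        line = line.strip()
        if m := re.fullmatch(r"\[(\w+)\]", line):
            section = m.group(1)
        elif (m := re.fullmatch(r"(dir|file)\s*=\s*(-?\d+)?(/\S*)", line)) and section in FILE_SECTIONS:
            kind, depth, path = m.groups()
            depth = int(depth) if depth is not None else default_depth  # assumed default depth
            rules.append(Rule(section, kind == "dir", depth, path.rstrip("/") or "/"))
    return rules

def levels_below(base, path):
    """Components of path below base (0 = same entry), or None if path is outside base."""
    if path == base:
        return 0
    prefix = base.rstrip("/") + "/"
    return path[len(prefix):].count("/") + 1 if path.startswith(prefix) else None

def resolve(rules, path):
    """Exact file rules win; otherwise the longest (most specific) dir rule that reaches path."""
    for r in rules:
        if not r.is_dir and r.path == path:
            return r.section
    # depth d reaches entries d+1 levels below the directory, so -1 covers only the entry itself
    hits = [r for r in rules if r.is_dir
            and (lvl := levels_below(r.path, path)) is not None and lvl <= r.depth + 1]
    return max(hits, key=lambda r: len(r.path)).section if hits else None  # None: not monitored
```

Under this model, resolve(parse_rc(SAMPLE_RC), "/var/run/sshd.pid") returns ReadOnly, because the -1/var/run rule covers only the directory entry and files inside it fall back to 99/var; if that is not the intent, the IgnoreAll rule needs a depth that reaches them.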

When the installation and configuration of samhain are complete, we need to create a baseline database so that samhain can start monitoring for suspicious activity right away. The baseline database is created with root privileges:

# samhain -t init

This command takes some time to finish creating the baseline database, depending on what we want to scan and how deep. With the default configuration samhain takes about 4 to 5 minutes to create the baseline. When it is done, it saves the database in the /var/lib/samhain/ directory. It is advised not to run init again once the baseline exists, because init appends to the existing database rather than replacing it, and subsequent checks will then not work as expected; delete or rename the old database before re-initialising (Wotring, 2005). The best practice is to use the following update command instead of initialising the database again.

# samhain -t update --interactive

The interactive update forces the database to acknowledge the current state of the system, replacing the previous baseline entries. It should not be performed unless the system or network administrator is aware of the changes being made.
Once the baseline database is created, it is better to check for any configuration errors or intrusions.

# samhain -t check -p warn --foreground


This command scans the whole system for any threats or suspicious activity. It is important to keep in mind that samhain normally runs as a daemon in the background, so --foreground is used to keep it attached to the terminal, where we can see the alerts (err, warn, crit, info); -p warn sets the lowest severity that is printed to the console.

Enjoy