Samhain is another open source HIDS application, designed primarily to monitor the file integrity of the system. Samhain can be deployed in two different ways: standalone mode or client/server mode. The most important function of the Samhain HIDS is file integrity monitoring; beyond that it can audit SUID and SGID files, monitor mount settings, monitor login and logout events, perform an integrity check of the kernel to detect possible rootkits and, finally, monitor the integrity of the syscall table and the syscall functions (Wotring, 2005). “System calls provide interface between user applications and privileged kernel space and are the primary target for most rootkits. The handler for each system call is stored in a system call table (Wotring, 2005).”
The installation process for standalone mode will be discussed rather than client/server mode. In this project each HIDS application is installed on a single server, so standalone mode is the relevant one. As with the previous OSSEC HIDS installation, Samhain is installed by downloading the source, compiling it and installing the result, but we must remember to download the latest version. The latest version is samhain 3.0.1, and it is recommended to verify its PGP signature before building.
So basically, it doesn't matter which distro you are using, whether Red Hat, Debian, openSUSE or Slackware; the source build is the same:
# tar -zxvf samhain-current.tar.gz
# tar -zxvf samhain-3.0.1.tar.gz
# cd samhain-3.0.1
# ./configure
The beauty of Samhain is that it has several configuration options, and each option can be enabled separately for a specific purpose; file integrity monitoring is built in by default. Unlike other HIDS applications, Samhain can be customised at build time for specific tasks such as kernel rootkit monitoring, login monitoring, mount checks and SUID checks (Wotring, 2005). These are all optional modules provided by Samhain. The optional modules required for this project are as follows (all flags must be passed in a single ./configure run, since every run regenerates the build configuration and only the last set of flags survives; CHKSUM stands for the checksum of the finished configuration file):
# ./configure --enable-login-watch --enable-mount-check \
    --with-kcheck=/boot/System.map --with-checksum=CHKSUM
Once these
configurations are over we can proceed further with finalising and finishing
the installation process.
# make
# make install
With the above steps we can successfully download, compile, build and finally install the latest version of Samhain. But there are a few things to remember before we proceed. During the installation process, when “./configure” finishes, it shows us the list of default configured settings (table 11).
Samhain has been configured as follows:
System binaries:    /usr/local/sbin
Configuration file: /etc/samhainrc
Manual page:        /usr/local/man
Data:               /var/lib/samhain
PID file:           /var/run/samhain.pid
Log file:           /var/log/samhain_log
Base key:           814794596, 541454212
The most important files shown above in table 11 are the configuration file (/etc/samhainrc) and the log file (/var/log/samhain_log). The Samhain init scripts can also be installed, which lets Samhain start monitoring every time the system reboots. This is done with the following command:
# make install-boot
Now we need to tune it like a guitar so that it can do what it does best: monitor for any intrusion and send an alert notification if one is detected. Before we begin with the Samhain configuration, keep in mind that it works only as root, so we must switch to the root user.
# vim /etc/samhainrc
Samhain provides a brief description on each configuration line, which makes it easier to understand and configure. First of all, we need to decide what should be monitored and what should be left out so that we do not generate excessive false positives. Samhain supports monitoring of both files and directories, and it can not only scan a directory but perform an in-depth scan of its subdirectories. Files and directories are defined in the following way:
file = /var/log/mail
dir = /etc/network
The most intriguing thing is that it is not necessary to define each and every directory in the way shown above. A directory can be given an optional recursion depth (N <= 99), where N is the number of directory levels below it that must be checked. These are the basics that must be understood before proceeding further.
dir = 99/etc
dir = 0/
dir = -1/dev/pts
The configuration sample for samhainrc can be seen below:
###Samhain Configuration###
[ReadOnly]
dir = 99/bin
dir = 99/sbin
dir = 99/var
dir = 99/etc
dir = 99/usr
[Attributes]
file = /etc/mtab
file = /etc/adjtime
file = /etc/motd
file = /etc/lvm/.cache
[IgnoreAll]
dir = -1/var/mail
dir = -1/var/run
[GrowingLogFiles]
dir = 99/var/log
SeverityReadOnly=crit
SeverityLogFiles=crit
SeverityAttributes=crit
[Kernel]
KernelCheckActive = True
KernelCheckInterval = 300
SeverityKernel = info
[Utmp]
LoginCheckActive = True
SeverityLogin=info
SeverityLoginMulti=crit
SeverityLogout=info
SetMailAddress=you&me@mail.com
SetMailRelay = 127.0.0.1
MailSeverity=none
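To make the `dir = N/path` notation and the policy sections concrete, here is an added example (not part of the original post, and not Samhain's own code) that parses a small samhainrc-style fragment and answers "which section covers this path?". The sample configuration is constructed for the example; the precedence rule (longest matching path wins) and the default depth for a `dir =` line without an N/ prefix are assumptions of this model, not a statement of how Samhain itself resolves overlapping entries.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the samhainrc style shown on the page (not a real server's config).
SAMPLE_RC = """\
###Samhain Configuration###
[ReadOnly]
dir = 99/bin
dir = 99/var
dir = 99/etc
[Attributes]
file = /etc/mtab
[IgnoreAll]
dir = -1/var/mail
dir = 0/
[GrowingLogFiles]
dir = 99/var/log
SeverityReadOnly=crit
[Kernel]
KernelCheckActive = True
KernelCheckInterval = 300
"""

# Assumption for this example: a "dir =" line without an N/ prefix gets depth 0.
DEFAULT_DEPTH = 0
DEPTH_RE = re.compile(r"^(-?\d+)/(.*)$")   # "99/etc" -> depth 99, path /etc


@dataclass
class Entry:
    section: str   # policy section the line appeared in, e.g. "ReadOnly"
    kind: str      # "dir" or "file"
    depth: int     # recursion depth for dirs (-1..99); always 0 for files
    path: str      # absolute path, "/" for the root directory


@dataclass
class Config:
    entries: list = field(default_factory=list)
    options: dict = field(default_factory=dict)   # (section, key) -> value


def parse_samhainrc(text):
    cfg = Config()
    section = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"line {lineno}: expected key = value")
        key, value = key.strip(), value.strip()
        if key in ("dir", "file"):
            if section is None:
                raise ValueError(f"line {lineno}: {key} outside a policy section")
            depth, path = 0, value
            if key == "dir":
                m = DEPTH_RE.match(value)
                if m:
                    depth, path = int(m.group(1)), "/" + m.group(2)
                else:
                    depth = DEFAULT_DEPTH
                if not -1 <= depth <= 99:
                    raise ValueError(f"line {lineno}: depth {depth} outside -1..99")
            if not path.startswith("/"):
                raise ValueError(f"line {lineno}: path must be absolute")
            cfg.entries.append(Entry(section, key, depth, path))
        else:
            cfg.options[(section, key)] = value
    return cfg


def _covers(entry, path):
    """True if `entry` reaches `path` given its recursion depth."""
    if entry.kind == "file" or path == entry.path:
        return path == entry.path
    base = entry.path.rstrip("/")          # "" for the root directory
    if not path.startswith(base + "/") or entry.depth < 0:
        return False                       # outside the tree, or -1 = directory inode only
    rel = path[len(base) + 1:]             # e.g. "ssh/sshd_config" below /etc
    return rel.count("/") <= entry.depth   # number of levels below entry.path


def policy_for(cfg, path):
    """Section whose entry most specifically covers `path`, or None.
    Assumption: the longest matching path wins (an illustration, not Samhain's rules)."""
    best = None
    for e in cfg.entries:
        if _covers(e, path) and (best is None or len(e.path) > len(best.path)):
            best = e
    return best.section if best else None


if __name__ == "__main__":
    cfg = parse_samhainrc(SAMPLE_RC)
    for p in ("/etc/ssh/sshd_config", "/etc/mtab", "/var/mail", "/var/mail/user", "/vmlinuz"):
        print(f"{p:24} -> {policy_for(cfg, p)}")
```

Note how `dir = -1/var/mail` covers only the /var/mail directory itself: under this model its contents fall back to the `99/var` entry, which is the kind of overlap worth checking when an IgnoreAll rule seems not to silence alerts.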
When the installation and configuration of Samhain are over, we need to focus on creating a baseline database so that Samhain can start monitoring for suspicious activity right away. The baseline database can be created easily with root privilege:
# samhain -t init
Once this command starts it will take some time to finish creating the baseline database; how long depends on what we want to scan and how deep. With the default configuration Samhain takes about 4 to 5 minutes to create the baseline. The moment Samhain has finished, it saves the database in the (/var/lib/samhain/) directory. It is advised that once the baseline database has been created it should not be created again, because a second init appends to the existing database and subsequent checks will be ignored; the old database should be deleted or renamed before doing so (Wotring, 2005). The best practice is to use the following update command instead of initialising the database again:
# samhain -t update --interactive
The interactive update makes the database acknowledge the current state of the system, replacing the previous baseline. It should not be performed unless the system or network administrator is aware of the changes being made.
However, once we are done creating the baseline database, it is better to check for any configuration errors or intrusions:
# samhain -t check -p warn --foreground
This command starts scanning the whole system for any threats or suspicious activity. It is very important to keep in mind that Samhain normally runs as a daemon in the background, so “--foreground” should be used so that the alerts (err, warn, crit, info) are printed to the terminal where we can see them.
Enjoy