Samhain
The Samhain host-based intrusion detection system (HIDS) provides file integrity checking, log file monitoring/analysis, rootkit detection, port monitoring, detection of rogue SUID executables, and hidden processes. Like having tripwire when it was still working plus rkhunter rolled into one.
Plus, it can be expanded to include more (remote) clients if set up in client-server mode and getting Beltane II as well (not GPL licensed and can be used on a limited amount of (10) machines for a small donation). Something that can maybe be used for guarding client machines remotely. Yum.
Problems
A steeper learning curve than for other programs.
No binaries available, setting it up is not easy for non-techies
Download
Download samhain-current.tar.gz from Samhain Labs.
Verification
cd Downloads/
$ gunzip samhain-current.tar.gz
$ tar -xf samhain-current.tar
$ gpg --keyserver pgp.mit.edu --recv-key 0F571F6C
gpg: key 1AAD26C80F571F6C: 3 duplicate signatures removed
gpg: key 1AAD26C80F571F6C: 96 signatures not checked due to missing keys
gpg: key 1AAD26C80F571F6C: "Rainer Wichmann <rwichmann@la-samhna.de>" not changed
gpg: key 3A2AAE330F571F6C: 21 signatures not checked due to missing keys
gpg: key 3A2AAE330F571F6C: "Rainer Wichmann <rwichmann@la-samhna.de>" not changed
gpg: Total number processed: 2
gpg: unchanged: 2
$ gpg --fingerprint 0F571F6C
pub dsa1024 1999-10-31 [SCA]
EF6C EF54 701A 0AFD B86A F4C3 1AAD 26C8 0F57 1F6C
uid [ unknown] Rainer Wichmann <rwichmann@la-samhna.de>
uid [ unknown] Rainer Wichmann <rwichmann@hs.uni-hamburg.de>
sub elg1024 1999-10-31 [E]
pub rsa1024 2014-07-21 [SCEA] [revoked: 2016-08-16]
5B17 5A1C 8C1B 7BC3 CB12 0FAA 3A2A AE33 0F57 1F6C
uid [ revoked] Rainer Wichmann <rwichmann@la-samhna.de>
[nina@archlinux Downloads]$ gpg --verify samhain-4.2.4.tar.gz.asc samhain-4.2.4.tar.gz
gpg: Signature made Thu 21 Dec 2017 09:05:24 PM CET
gpg: using DSA key 1AAD26C80F571F6C
gpg: Good signature from "Rainer Wichmann <rwichmann@la-samhna.de>" [unknown]
gpg: aka "Rainer Wichmann <rwichmann@hs.uni-hamburg.de>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: EF6C EF54 701A 0AFD B86A F4C3 1AAD 26C8 0F57 1F6C
And that fits with the key given on the site.
Simple configuration stand-alone
Configure stand-alone version:
$ ./configure
checking for a BSD-compatible install... /usr/bin/install -c
checking whether make sets $(MAKE)... yes
checking build system type... x86_64-unknown-linux-gnu
checking host system type... x86_64-unknown-linux-gnu
checking for gcc... gcc
.
.
.
[snip]
.
.
.
config.status: creating deploy.sh
config.status: creating config.h
config.status: executing default commands
samhain has been configured as follows:
System binaries: /usr/local/sbin
Configuration file: /etc/samhainrc
Manual pages: /usr/local/man
Data directory: /var/lib/samhain
Database file: /var/lib/samhain/samhain_file
PID file: /run/samhain.pid
Log file: /var/log/samhain_log
Base key: 1617215581,281009996
Selected rc file: samhainrc.linux
$
Configuration for watching logins, mounts and rootkits
Watching over logins:
$ ./configure --enable-login-watch
Over mountings:
./configure --enable-mount-check
Samhain can check for kernel rootkits on FreeBSD and Linux with:
$ ./configure --with-kcheck=systemmap
where systemmap is the System.map file for a particular system.
Configuration for stealth
If an intruder cannot discover that samhain is running, he cannot compromise it. You can, for example, use:
$ ./configure --enable-install-name=somename
where somename is an innocuous-sounding executable name. To make it less likely that the program isn’t accidentally discovered, samhain can be set to never respond to the command line. Or, it can be set to respond to the command line only after a certain password is given:
$./configure --enable-nocl=somepass
If somepass is set to an empty string it disables command-line interaction completely. Otherwise, invoke samhain with somepass as the first argument followed by the other arguments.
There are many other interesting stealth options available, all documented along with the rest of the compilation switches in Appendix A of the documentation.
Build
Next step is to Build:
$ make
gcc -I. -o depend-gen ./src/depend-gen.c
update depend.dep ...
gcc -I. -o mkhdr ./src/mkhdr.c
gcc -I. -o encode ./src/encode.c
encode 0 config.h
./encode 0 ./src/sh_files.c --> x_sh_files.c
gcc -DHAVE_CONFIG_H -I. -I./include -O2 -D_FORTIFY_SOURCE=2 -fstack-protector-all -pthread -DUSE_MALLOC_LOCK=1 -fPIE -Wall -W -fno-strength-reduce -fno-omit-frame-pointer -Wno-empty-body -Wno-invalid-source-encoding -DSH_STANDALONE -o sh_files.o -c x_sh_files.c
.
.
.
[snip]
.
.
.
sh_string.o sh_inotify.o dnmalloc.o sh_audit.o sh_registry.o sh_ipvx.o sh_restrict.o sh_filetype.o sh_sub.o sh_fInotify.o sh_checksum.o sh_guid.o sh_sem.o sh_dbIO.o sh_dbCheck.o sh_dbCreate.o -lz -lresolv -lnsl -lnsl -lattr -lacl
gcc -I. -o sstrip ./src/sstrip.c
$
Installation
$ make install /usr/bin/install -c -m 700 samhain /usr/local/sbin/samhain
/usr/bin/install: cannot create regular file '/usr/local/sbin/samhain': Permission denied
chmod: cannot access '/usr/local/sbin/samhain': No such file or directory
make: *** [Makefile:518: install-program] Error 1
Ah yes, installing an application and using ./configure without the --prefix= option, the make install process will
install the compiled files in to the predefined paths in the system’s file system, and that means special permissions
for writing the files is required:
$ sudo make install
[sudo] password for nina:
/usr/bin/install -c -m 700 samhain /usr/local/sbin/samhain
/bin/sh ./mkinstalldirs /usr/local/man/man8
mkdir /usr/local/man/man8
/bin/sh ./mkinstalldirs /usr/local/man/man5
mkdir /usr/local/man/man5
/usr/bin/install -c -m 644 ./man/samhain.8 /usr/local/man/man8/samhain.8
/usr/bin/install -c -m 644 ./man/samhainrc.5 /usr/local/man/man5/samhainrc.5
gcc -DHAVE_CONFIG_H -I. -I./include -O2 -D_FORTIFY_SOURCE=2 -fstack-protector-all -pthread -DUSE_MALLOC_LOCK=1 -fPIE -Wall -W -fno-strength-reduce -fno-omit-frame-pointer -Wno-empty-body -Wno-invalid-source-encoding -DSH_STANDALONE -DSH_IDENT=\"daemon\" -DTRUST_MAIN -DSL_ALWAYS_TRUSTED=0 -o trustfile ./src/trustfile.c
mkdir /var/lib/samhain
./samhain-install.sh --destdir= --express --verbose install-data
cp samhainrc.linux samhainrc
cp samhainrc samhainrc.pre
mv -f samhainrc.pre samhainrc.install
./samhain-install.sh --install-sh -m 600 samhainrc.install /etc/samhainrc
checking whether paths are trustworthy
configuration file /etc/samhainrc ... OK
state directory /run ... OK
state directory /var/log ... OK
data directory /var/lib/samhain ... OK
You can use 'samhain-install.sh uninstall' for uninstalling
i.e. you might consider saving that script for future use
Use 'make install-boot' if you want samhain to start on system boot
Customisation
$ sudo vi /etc/samhainrc
I will run with defaults for now, and make changes later.
Initialisation
Initialize the baseline database (do NOT do twice):
$ samhain -t init
[snip]
CRIT : [2018-03-04T22:01:33+0100] interface=<lstat>, msg=<No such file or directory>, userid=<0>, path=</var/lib/urandom/random-seed>
CRIT : [2018-03-04T22:01:33+0100] msg=<POLICY MISSING>, path=</var/lib/urandom/random-seed>
MARK : [2018-03-04T22:01:33+0100] msg=<File check completed.>, time=<593>, kBps=<9067.752000>
NOTICE : [2018-03-04T22:01:33+0100] msg=<Finished writing baseline database.>
ALERT : [2018-03-04T22:01:33+0100] msg=<EXIT>, program=<Samhain>, status=<exit_success>
Aaaaand a sheitload of errors and garble passed by on my screen for about ten minutes, including all kinds of critical issues on missing files and policies. This was on a worst-case linux, an archlinux halfway in the making (by me), and to be expected. I be reading them logs then. :D
Usage
$ samhain -t check --foreground
Immediately. Okay, so more of that garble of course. Just to see what gets reported and logged as differences.
Update baseline
Note: Archlinux does not have apt, and the logs are organised differently.
sudo vi /etc/samhainrc
The configuration file is divided into several sections:
Parameter |
Note |
|---|---|
Attributes |
files specified in this section are checked only for change in permission and ownership |
LogFiles |
files put in this section are not checked for timestamp, size, or cryptographic checksum changes, because they change often |
GrowingLogFiles |
files put in this section are not checked for timestamp and cryptographic signature changes and increases in file size (decreases are noted) |
IgnoreAll |
files in this section are never checked for modifications |
IgnoreNone |
these files have all modifications checked, including access time |
ReadOnly |
all modifications are checked except for access time |
User0 |
all modifications are checked |
User1 |
all modifications are checked |
Files may be specified in two ways, either as
file=/path/to/some/file or
dir=number/path/to/directory
where number is an option defining how many subdirectories to include; up to 99 can be checked. It is not necessary to define the recursion depth. It is also possible to use wildcards, as in file=/etc/*.conf. Normal shell wildcards are allowed: “*”, “?”, and “..”.
Put a fake file (such as “tripwire”) on your filesystem and check for it in the IgnoreNone section. This will alert you if anyone pokes around and accesses that file.
Put critical files such as
/etc/passwdand programs in/usr/sbinin the ReadOnly section since they are read often.Put log files in GrowingLogFiles in case an intruder attempts to scrub the logs. If logs are rotated frequently put them under LogFiles.
Put samhain, the configuration file, and the database file in IgnoreNone. After samhain is started as a daemon it does not need to re-read configuration file or the database. Any touching of it is very suspicious.
Several hours later, after thoroughly going through samhainrc, I got rid of all of the errors and warnings:
$ sudo samhain -t update
[happy emptiness]
Start daemon
Start the samhain daemon:
$ samhain -t check -D