diff options
| author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2023-06-25 14:32:10 +0000 |
|---|---|---|
| committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2023-06-25 14:32:10 +0000 |
| commit | 65a1f0a17cc2d98c4764a852603659e871ff8157 (patch) | |
| tree | aea8d07f26643e2bcb1ea54734cb4905eb86122b /docs | |
| parent | Initial commit. (diff) | |
| download | samhain-65a1f0a17cc2d98c4764a852603659e871ff8157.tar.xz samhain-65a1f0a17cc2d98c4764a852603659e871ff8157.zip | |
Adding upstream version 4.1.4.upstream/4.1.4
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/#Changelog# | 2552 | ||||
| -rw-r--r-- | docs/BUGS | 38 | ||||
| -rw-r--r-- | docs/Changelog | 2554 | ||||
| -rw-r--r-- | docs/FAQ.html | 866 | ||||
| -rw-r--r-- | docs/HOWTO-client+server-troubleshooting.html | 452 | ||||
| -rw-r--r-- | docs/HOWTO-client+server.html | 441 | ||||
| -rw-r--r-- | docs/HOWTO-samhain+GnuPG.html | 415 | ||||
| -rw-r--r-- | docs/HOWTO-samhain-on-windows.html | 496 | ||||
| -rw-r--r-- | docs/HOWTO-write-modules.html | 771 | ||||
| -rw-r--r-- | docs/MANUAL-2_4.epub | bin | 0 -> 216377 bytes | |||
| -rw-r--r-- | docs/MANUAL-2_4.html.tar | bin | 0 -> 1372160 bytes | |||
| -rw-r--r-- | docs/MANUAL-2_4.pdf | bin | 0 -> 552599 bytes | |||
| -rw-r--r-- | docs/README | 497 | ||||
| -rw-r--r-- | docs/README.LZO | 136 | ||||
| -rw-r--r-- | docs/README.UPGRADE | 113 | ||||
| -rw-r--r-- | docs/README.gcc_bug | 49 | ||||
| -rw-r--r-- | docs/README.sstrip | 40 | ||||
| -rw-r--r-- | docs/README.win2K | 36 | ||||
| -rw-r--r-- | docs/samhain_german.pdf | bin | 0 -> 116424 bytes | |||
| -rw-r--r-- | docs/sh_mounts.txt | 59 | ||||
| -rw-r--r-- | docs/sh_userfiles.txt | 39 |
21 files changed, 9554 insertions, 0 deletions
diff --git a/docs/#Changelog# b/docs/#Changelog# new file mode 100644 index 0000000..3e7b4ff --- /dev/null +++ b/docs/#Changelog# @@ -0,0 +1,2552 @@ +4.1.4: + * fix problems with wildcard pattern re-evaluation: + - not stored if no match at startup + - only one (the first) stored if same pattern for file and dir + * fix problems with directory creation in inotify watched tree + - recursive depth not decreased + - watched as directory even when recursion depth should drop below zero + +4.1.3: + * on Cygwin, the AvoidBlock function is now off by default + (problem reported by Fred C) + * tighter sanity checks in sh_static.c + * fix regression with '--enable-static' in sh_static.c + (reported by amaiket). + +4.1.2: + * add options --enable-selinux and --enable-posix-acl for "hard fail" + if libraries aren't found (requested feature) + * fix wrong policy assignment when inotify is active and change occurs + during a reload (reported by Bond) + * fix failure to detect open UDP port for some daemons + (reported by James) + * fix broken 'rpm' and 'rpm-light' makefile targets + (reported by Bond) + * fix message for self-check + +4.1.1: + * fix problem with timezone calculation on month rollover for + negative timezones (west of GMT; reported by Bond) + * fix problem with rotated logfiles when content is always constant, + i.e. checksum does not change (reported by Bond). + * fix problem with baseline update on FreeBSD and probably other + non-GNU/Linux systems (reported by L.Vasiliev) + * fix bad check_libwrap() call in sh_xfer_server.c + (reported by L.Vasiliev) + +4.1.0: + * fix quirks with Linux audit support + * implement 'silent check' (requested feature) + * fix call of self_check for exit on sigterm + * fix safe_logger() - uses the logger utility with a non-posix option + * fix missing reporting on shell expansion capability in --version + * fix missing error message on invalid list for skipchecksum + (reported by Bond) + * fix missing definition for a sh_dummy_ var on BSD et al. + (reported by Andrew) + +4.0.0: + * fix and document default settings for mounts check + * new -w CL option to wait on scan completion + * new option ReportCheckflags + * enhance testsuite to cover new functionality + * implement draft for change control integration: + * new database format to store change flags + * refactoring of db I/O and client/server code + * option StartupLoadDelay + * --create-database CL option + * --outfile CL option + * --binary, --list-filter CL options + * --verify-database CL option + * yulectl -c DELTA:<uuid> command + * option SetDeltaRetryCount + * option SetDeltaRetryInterval + * update documentation + * remove old/unused code + * fix compiler warnings with gcc 5.1.0 + * update config.sub, config.guess + +3.1.6 (08-06-2015): + * Modify testcompile.sh to remove 'smatch' and use 'clang' + instead. + * Fix compile problems with clang. + * Modify testcompile.sh to remove 'uno' and use 'cppcheck' + for static checking + * Move AC_CHECK_FUNCS( getnameinfo getaddrinfo ) behind + the check for libsocket to have them found on Solaris + * Fix IPv4-only bug in bind_addr use in retry_connect() + * Add more debug code in connect_port() + +3.1.5 (26-03-2015): + * Fix IPv6 issue with portcheck (need to be able to specify + IPv6 interfaces). + * Fix minor issues with bugs in testing code + * Add command line option '--server-host' to set the log server + * In samhain.startLinux.in start script template, add code to read + options from /etc/sysconfig/${NAME} for RedHat + +3.1.4 (17-02-2015): + * Add non-existent file to the regression test config + * Fix erroneous call to sh_hash_init when a missing file + is specified in the configuration + * Fix buffer allocation for getgrnam_r for large groups + (problem reported by Sergio B) + * Search RPM in $HOME/rpmbuild if test -d _topdir fails (CentOS + recommends '%(echo $HOME)/topdir', reported by E. Taft) + +3.1.3 (01-11-2014): + * Remove initgroups() from the popen call in unix entropy gatherer + * Add error message for update mode if local baseline cannot be found + +3.1.2 (07-08-2014): + * Fixed incorrect memset in sh_checksum.c (sha256) + * Circumvent a gcc compiler bug with inline asm (gcc 4.8) + * Allow multiple exclusions for SUID check + * Use calloc instead of malloc + * Add overflow check in minilzo.c (but the potential integer + overflow [CVE-2014-4607,LMS-2014-06-16-1] is irrelevant anyway + because the function is never used on external data). + * Fixed a minor bug in exepack_fill.c that was unearthed by the minilzo + overflow check (the required buffer length information for the check + wasn't provided) + * Fixed incorrect logic in setting the ALLIGNORE flag (more specific + directory / file directives were ignored) + * Fix for tickets #358 (repetitive lstat warning about deleted + directory) and #359 (reporting of deleted/added top level directory) + * Fix a free() on NULL (harmless but avoids spurious warning) + +3.1.1 (01-05-2014): + * Disable inline asm on Cygwin (issue reported by Erik) + * Fix sh_ipvx_is_ipv4 such that numeric hostnames are not + incorrectly recognised as IP address (reported by A. Hofland) + * Fix sh_ipvx_is_ipv6 + +3.1.0 (31-10-2013): + * Add support for SHA2-256 checksum function + * Drop support for --enable-khide on kernel version 3.x and above + * Fix IgnoreAdded to anchor regex at beginning of path (reported by + R.Lindner) + * Add check to detect availability of pmap_getmaps() (missing in + static library on recent Linux systems as reported by Ian Baldwin) + * Fixes for Ubuntu 13.4: + - no error msg for failing stat on /run/user/Username/gvfs in + suidcheck + - no error message for failing hardlink check on /run/user/Username + - eliminate compiler warnings + * Add option '--disable-asm' to work around a gcc issue in Debian + unstable (reported by micah) + * Remove option '-i' from mkitab in samhain-install.sh.in (reported + by N. Kerski) + +3.0.13 (11-06-2013): + * Fix detection of nonfunctional /dev/kmem + * Fix race condition in GrowingLogfiles policy that + causes spurious reports (problem noticed by J. Daubert) + +3.0.12 (16-05-2013): + * Fix compiler warning in bignum.c (unused parameter) + * Detect if /var/run is a symlink and /run exists + * Fix for broken support for audit subsystem (reported + by isquish) + * Fix for incorrect use of sh_inotify_add_watch_later + which causes a steady increase in memory usage + (issue reported by Maxime V) + * Fix for potential minor memory leak + * Fix for bug in negated conditionals for config file + (reported by M. Ward) + +3.0.11 (08-04-2013): + * Fix for compile error on HP-UX (reported by P. Alves) + * Propagate ERANGE error from getgrxxx_r (issue raised by C. Feikes) + * Fix reconnecting to database for Oracle + * Add better logrotate handling for the GrowingLogs policy (search + rotated log and verify it, don't report if this succeeds) + * Add ability to create debian packages with preset password (use + env var PASSWORD) + * Add option KernelCheckProc (bool) to suppress kernel /proc test + * Add option IgnoreModified to cover transient files that + not only get added/deleted but also modified + +3.0.10 (13-01-2013): + * Revert to previous logic in samhain.c because it will block + otherwise (reported by Alexandr Sabitov) + +3.0.9 (21-12-2012): + * Fixed a Cygwin compile warning + * Change logic in samhain.c to make sure inotify doesn't cause + excessive full scans + * Add option IgnoreTimestampsOnly in Windows registry check (ignore + changes if only timestamp has changed) + * Fix the probe command (misses clients if their startup message + has been missed) + * Fix the RPM spec file for --enable-network=client and no password + (reported by Mitch St Martin) + * Fix build error with Linux audit (reported by Andy Jack) + * Fix detection of utmpx.h (reported by D. Thiel) + +3.0.8 (01-11-2012): + * rename to 3.0.8 for release + * useful exit status for samhainadmin.pl --examine + +3.0.7a (25-12-2012): + * add ability to create RPM with preset password (use + env var PASSWORD) + * fix the rpm-light makefile target + * fix minor bug in samhain_setpwd.c (incorrect error message) + +3.0.7 (25-10-2012): + * update documentation for prelude + * fix configure to properly search for Oracle Instantclient SDK + * pass through TNS_ADMIN environment variable for Oracle + * optimize audit rules automatically + * zero out the html status file at server exit + * don't check for assembly optimization unless linux or *BSD + +3.0.6 (01-09-2012): + * install logrotate script if /etc/logrotate.d is detected + * new option --enable-suid for nagios + * fix for --enable-ptrace: make the save_tv variable thread specific + * fix bug in inotify code which made it follow symlinks (by [anonymous]) + * fix two missing SH_MUTEX_LOCK(mutex_thread_nolog) (by [anonymous]) + * fix for 'no such process' message from sh_fInotify_init_internal() + (by [anonymous]) + * fix for --enable-ptrace with threads (by [anonymous]) + * option SetReportFile for writing out summary after file check + +3.0.5 (11-07-2012): + * fix xml format templates for registry check + * fix database download on registry check init (reported by ldieu) + +3.0.4 (01-05-2012): + * fix verbosity of message for alerts on already deleted watches + (set it to debug - suggested by xrx) + * fix extraneous error messages about file not found from + sh_fInotify_init_internal() (bug reports by xrx and aj) + +3.0.3 (28-03-2012): + * fix potential deadlock in sh_ext_popen() + * make sure sh_processes_readps cannot hang forever + * fix for deadlock if sh_processes_readps hangs + * fix for deadlock if suid check and inotify are used together + (reported by A. Jack) + * fixed problem with samhain_stealth.c (handle input config + files that don't end with a newline) + * fixed compiler warnings for yulectl.c with stealth + * fixed lacking support for O_NOATIME on 64bit linux + +3.0.2a (23-02-2012): + * Fix compile error on Solaris 10 + +3.0.2 (16-02-2012): + * change sql init scripts to make bigint fields unsigned (problem + reported by A. Sabitov) + * patch by Andy Jack for issue with the --with-gpg option (hangs with + high cpu load at startup) + * call ./samhain-install.sh as /bin/sh ./samhain-install.sh in the + RPM spec file, because /var might be mounted noexec (reported by GC) + * fixed configure.ac for the case that --with-gpg and --enable-nocl are + used (./samhain for gpg checksum; problem report by Andy Jack) + * fixed a potential NULL pointer dereference in sh_inotify.c on + systems where inotify is not available (reported by <anonymous>) + * fixed: the config file template mentions (in a comment) the + non-existent directive SetLockPath instead of the correct + SetLockfilePath (reported by Curtis). + * fixed: the definition of O_NOATIME isn't seen in sh_files.c. + +3.0.1 (07-12-2011): + * fix a memory leak (reported by C. Westlake) + * fix an uninitialized variable in the suidcheck code (problem + reports by T- Luettgert and Kai) + * fix a bug in the port check with --disable-ipv6 (reported + by C. Westlake) + * fix potential deadlock in sh_files.c (reported by S. Mirolo) + * change Makefile.in to stop on compile error rather than at link stage + (suggested by S. Mirolo) + * fix compile errors caused by missing #define (pthread disabled) and + wrong function call (OSX specific code), reported by S. Mirolo + * fix warning by the llvm/clang static checker + * fix compile issues on freebsd + * handle (ignore) SIGPIPE more thoroughly + * update config.guess, config.sub + +3.0.0a (06-10-2011): + * Fix compile-time issues on RHEL5 (reported by Thomas) + +3.0.0 (01-11-2011): + * Add support for the inotify API + * If --disable-shellexpand is used, also disable setting + the prelink/ps paths + * Fix missing check_mask storage for glob pattern + * Add support for integer keys in zAVL + * Fix compiler warnings with gcc 4.6.1 (variables that get set + but then remain unused) + * Add more server-side debugging for IPv6 + * Make kern_head compile with 3.x kernels + +2.8.6 (20-09-2011): + * Manual updated. + * Added an option LogmonDeadtime to avoid repetitive reporting + on correlated events. + * Fix problems with timestamp handling in logfile correlation + (problem reported by D. Dearmore) + * List the policy under which a directory/file is checked + * Option to use a textfile with a list of files for update + * Fix --enable-db-reload option (reported by David L.) + * Fix samhain_kmem compilation, need to compile under chosen + name if --enable-install-name is used (reported by David L.) + * Fix uninitialized string in error message (reported by mimox) + +2.8.5a (16-06-2011): + * Fix autolocal.m4 for new configure option + +2.8.5 (15-06-2011): + * Detect non-working /dev/kmem in configure script, and fix + a bug in the samhain_kmem kernel module. + * Fix wrong handler for LogmonMarkSeverity (reported by S. Chittenden) + * Better protection against the 'intruder on server' scenario + pointed out by xrx. Add option to disable shell expansion in + configuration files, and check gpg signature earlier. + * Support /opt/local/bin in the Unix entropy gatherer (suggestion + by Sean Chittenden) + * Cache timeserver response for one second (suggestion by + Sean Chittenden) + +2.8.4a (11-05-2011): + * Fix for compile error with --with-prelude + (reported by Sean Chittenden), missing regression test added + * Fix for compile error with --enable-udp (reported by Sean Chittenden), + missing regression test added + +2.8.4 (30-04-2011): + * Fix another reload bug in the log monitoring module + * Add unit tests for IgnoreAdded/IgnoreDeleted configuration directives + * Fix deadlock after reload when compiled with --enable-login-watch + (reported by M. Teege and O. Cobanoglu) + * Fix compile error for samhain_hide.ko with recent kernel + * Include patch by J. Graumann to specify the location of the + secret keyring with samhainadmin.pl + * Fix potential timeout problem in sh_sub_stat_int() and propagate the + error (issue reported by mtg) + * Add support for X-Forwarded-For in apache logfile parser, add + option 'RE{regex}' to insert arbitrary regex + * New options PortcheckMinPort, PortcheckMaxPort for the open ports + check + +2.8.3a (23-03-2011): + * Fix two 'label at end of compound statement' errors on FreeBSD + (reported by David E. Thiel) + +2.8.3 (22-03-2011): + * init scripts: load samhain_kmem.ko before samhain starts + * slib.c: eliminate mutex from sl_create_ticket() + * sh_entropy.c: move pthread usage out of child + * sh_hash.c, sh_pthread.c, sh_pthread.h: sh_hash_hashdelete() + needs deadlock detection, may be called from within sh_hash_init() + via atexit handler on error condition + * sh_suidchk.c, sh_calls.c, sh_calls.h: need a nosub version of lstat() + to use with relative path after chdir() + * samhain.c, sh_calls.c, sh_calls.h: only run (l)stat() in subprocess + after reading config file (to allow disabling) + * sh_unix.c: run sh_sub_kill() in parent after forking the daemon + * fix zeroing of result from getnameinfo() (problem reported by Richard) + * fix spurious warnings about unsupported address family (reported + by N Silverman) + * option to run lstat/stat in subprocess to avoid hanging on NFS mounts + (off by default) + * fix Windows/Cygwin compile error (reported by A. Schmidt) + +2.8.2 (16-02-2011): + * add function to skip checksumming + * Fix missing check for recursion depth >= 0 if not IgnoreAll + * Fix hardcoded path for temp directory in deployment scripts + * Fix bad compile on CentOS 4.8 with gcc 4.1.2 + * Fix minor bug in check_samhain.pl (pointed out by J.-S. Eon long ago) + +2.8.1 (17-11-2010): + * Document handling of missing files with secondary schedule + * Fix incorrect handling of missing files when secondary schedule + is used (reported by Sergey) + * Fix null pointer dereference in config parse handler for SetMailAlias + (reported by Sergey) + * Fix incorrect memset() in sh_kern.c (passed struct by value...), + reported by Roman and Stefan + * Fix 'make install' to create user-defined directory + * fix minor issues noticed by T. Luettgert (test code assumes port + 0/tcp is unused, wrong ifdef order (without impact on compilation)) + * fix compile error on AIX 5.3 with --enable-login-watch, + reported by M. El Nahass (time.h missing in src/sh_login_track.c) + +2.8.0 (01-11-2010): + * Support IPv6 + * Add registry checking + * Use auditd records to find out who did it + +2.7.2c (23-09-2010): + * Fix uppercase hostname problem in client/server communication + + +2.7.2b (05-09-2010): + * Fix compile errors on Solaris 10 (reported by A. Saheba) + +2.7.2a (23-08-2010): + * rewrote rijndaelKeySched() in a more conservative way to fix + compile problem on SLES 11. + +2.7.2 (16-08-2010): + * sh_utils.c: fixed an endianess issue that prevented cross-verification + of email signatures (reported by A. Zangerl) + * sh_login_track.c: fix compiler warning (ignored return value + of fwrite) + * sh_readconf.c: fix comparison of SeverityUserX string + (reported by max__) + * sh_processcheck.c: sh_prochk_set_maxpid: set retval on success + (reported by max__) + * fixed some compiler warnings on cygwin + * sh_extern.c: As reported by T. Luettgert, gcc 4.4.4 on Fedora 13 + will throw a warning if execve is called with a NULL argv pointer. + Need to provide a dummy argp[]. + +2.7.1 (07-06-2010): + * samhain_kmem.c: fix compile problems + * fix problems with config file parser: increase max. line length, + support quoting/escaping of filenames (as in 'ls --quoting-style=c') + * check for pcre_dfa_exec (not available in old versions + of libpcre, reported by Shinoj) + * patch to allow server to log client reports to prelude + (by J. Ventura) + +2.7.0a (09-05-2010): + * fix /dev/kmem detection (reported by S. Clormann) + +2.7.0 (01-05-2010): + * sh_utmp.c, sh_login_track.c: additional login checks + * sh_unix.c: use SIGTTIN as alternative for SIGABRT + (SIGABRT seems not to work on AIX, reported by Peter) + * sh_utmp.c: fix compile error without pthreads (inotify_watch used) + * sh_kern.c, kern_head.c: fix some 64bit issues + * dnmalloc.c: fix compiler warning (ignored ret value) + * Fix LSB init script for kernel module + * samhain_kmem kernel module for /proc/kmem added + +2.6.4 (22-03-2010): + * Don't read proc_root_iops in sh_kern.c (Problem report + by H. R.) + * Logfile check can check output of shell commands + * Use data directory as default for logfile checkpoints + * Fix broken checkpoint save/restore for logfiles + +2.6.3 (10-03-2010): + * Fix bug in mail module, recipients incorrectly flagged + as aliases, which breaks immediate mail for 'alert' + (reported by Jesse) + +2.6.2 (28-01-2010): + * Makefile.in: fix problem in deploy system caused + by adding build number for debs in 2.5.9 (reported + by roman) + * add option for per-rule email alias in log monitoring + module + * sh_readconf.c: make keywords case-independent + * sh_mail.c: on error, report full reply of mail server + * sh_mail.c: report smtp transcript at debug level + * make sure mail aliases are not emailed twice, and + recipients cannot be defined after aliasing them + * handle named pipes in log monitoring module + (open in nonblocking mode, ignore read error if empty) + * fix bug in the server function to probe for necessity + of configuration reload for client + +2.6.1b (23-12-2009): + * fix missing include for sh_inotify.h in sh_inotify.c + (reported by Ack) + +2.6.1a (22-12-2009): + * fix typo in code for older inotify versions without + inotify_init1(), reported by Forll + +2.6.1 (21-12-2009): + * add a routine to log monitoring module to guess the proper year + for timestamps without year (standard syslog) + * add feature to automatically detect and report bursts of + similar messages in log monitoring module + * add feature to check for missing heartbeat messages in + log monitoring module + * cache UIDs/GIDs to reduce the number of lookups + * use inotify to track login/logout (sh_inotify.c, sh_utmp.c) + * support event correlation in log monitoring module + * make sure host matching is done in a case insensitive way + (reported by Tracy) + * fix invalid use of mutex_mlock in src/sh_unix.c, function + sh_unix_count_mlock() (reported by Remco Landegge). + +2.6.0 (01-11-2009): + * don't use statvfs() for process checking on FreeBSD + * fix bug with parallel compilation of cutest in Makefile + * sh_mem.c: fix deadlock in debug-only code + * Evaluate glob patterns for each run of file check + * Add compile option to disable compiling with SSP + * Run SUID check in seperate thread + * By default disable scanning ..namedfork/rsrc (deprecated by Apple) + +2.5.10 (12-10-2009): + * sh_suidchk.c: handle $HOME/.gvfs mount gracefully + * slib.c: fix race condition caused by closing a stream and the fd + +2.5.9c (01-10-2009): + * move stale file record error message closer to problem zone + * sh_port2proc.c: fix flawed logic for interpreting /proc/net/udp,tcp + +2.5.9b (22-09-2009): + * remove stale file record when creating handle, and raise diagnostic + error to find origin of stale record + * sh_port2proc.c: check /proc/net/upd6 for IPv6-only UDP sockets + +2.5.9a (17-09-2009): + * fixed a race condition in closing of file handles + +2.5.9 (11-09-2009): + * added code to generate directory for pid file, since it + would get cleaned if /var/run is a tmpfs mount (problem + reported by M. Athanasiou) + * fixed a bug that prevented reporting of user/executable path + for open UDP ports (issue reported by N. Rath) + * added more debugging code + +2.5.8a (18-08-2009): + * fixed a bug in sh_files.c that would prevent samhain from + running on MacOS X (reported by David) + +2.5.8 (06-08-2009): + * fixed a bug in the MX resolver routine which causes it to fail + sometimes (issue reported by N. Rath). + * fixed deadlock with mutex_listall in sh_nmail_test_recipients() if + error occurs within sh_nmail_flush (problem reported by N. Rath) + +2.5.7 (21-07-2009): + * sh_userfiles.c: set userUids = NULL at reconfiguration (issue + reported by U. Melzer) + * if available, use %z to print timezone as hour offset from GMT + in email date headers (problem reported by NP, solution suggested + by TimB). + * eliminate C99-style comments (problem reported by + venkat) + * fix bad variable name for AC_CACHE_CHECK + * fix potential deadlock when external programm is called + (problem reported by A. Dunkel) + +2.5.6 (09-06-2009): + * recognize fdesc filesystem on MacOS X for suid check (Problem + reported by David) + +2.5.5 (01-05-2009): + * fix some warnings from gcc 4.4 (strict aliasing) + * fix minor memory leak in process check + * t-test1.c: change function names because of clashes with an + AIX system header file + * fix warnings with -fstack-check (too large stack frames) + * fix for incorrect handling of hostnames in database insertion + (reported by byron) + +2.5.4 (04-03-2009): + * fix for incorrect input check in SRP implementation (discovered + by Thomas Ptacek) + * option KernelCheckPCI to switch off check of PCI expansion ROMs + +2.5.3 (25-02-2009): + * disable dnmalloc on MacOS X, doesn't work properly + * stat -> lstat in sh_unix_file_exists (OS X nameforks, report + by David) + * Fix problem in standalone trustfile, does not work correctly on + group-writeable files (reported by David). + * Option SetThrottle to throttle throughput for db download + * Option SetConnectionTimeout to configure the client connection + timeout configurable + * Provide getrpcbynumber, getservbyname implementations + to avoid dependencies with static linkage + * Fix missing sh.host.(system|release|machine) on FreeBSD, + reported by D.Lowry + * New option SetMailPort to allow setting of SMTP port (patch + by lucas sizzo org) + * allow POSIX regexes for filters + * consolidate filtering code from sh_extern.c, sh_(n)mail.c + * rewrite mail subsystem to allow individual filtering + for recipients + * allow shell expansion for values of config file options + * allow list as value for option PortCheckInterface + * fix bug in trustfile.c (with slapping on "/../" for symlinks) + * lock baseline database upon writing + +2.5.2b (29-01-2009): + * turn warnings into errors in the compile test suite + * fix missing define in sh_portcheck.c to eliminate compiler warning + (reported by joerg) + +2.5.2a (26-01-2009): + * fix problem building deb package (bit rot; reported by joerg) + +2.5.2 (22-01-2009): + * samhain.c: report module failure with positive offset + * sh_database.c: parse numerical fields into ulong + * fix regression test script for postgresql + * fix regression test script for SELinux/ACL test + * fix reporting of user for open ports to prelude + * report process pid for open ports + * replace _exit() by raise(SIGKILL) b/o pthread problem + * new option LooseDirCheck ([false]/true), request by + Alexander + * improved help output of samhain_stealth (as suggested + by Michael Athanasiou) + * new option ProcessCheckIsOpenVZ ([false]/true) + +2.5.1 (07-12-2008): + * workaround for freebsd7 amd64 lossage (compiler toolchain, + no mmap to 32bit address space) + * samhain-install.sh: check for presence of stealth_template.ps + before trying to create it + * use -Wno-empty-body if supported to suppress warnings about + glibc pthread_cleanup_pop implementation + * fix text relocations for i386 in src/sh_tiger1.s + * implement server->client SCAN command to initiate file check + * implement @if / @else conditionals with more tests in config file + * new option SetDropCache to drop checksummed files from cache + * report process/user for open ports on FreeBSD (code + lifted from FreeBSD sockstat.c) + * fix for config reload issue with stealth mode (reported by + siim) + * add -fstack-protector flags to LDFLAGS + * cygwin fix: don't use dnmalloc, doesn't work with pthreads + * cygwin fix: make trust check in samhain-install.sh return zero + * improved diagnostics for file read errors + * fixed script permissions (754 -> 755), reported by Christoph + * constness patch by Joe MacDonald + * GnuPG key ID patch by Jim Dutton + * sh_kern.c: more error checking for reads from kernel + +2.5.0 (01-11-2008): + * dnmalloc.c: fix inconsistent chunksize on 64bit systems + * fix improved error reporting for failed fstat in checksumming + * report process/user for open ports (Linux only currently) + * fix deadlock on exit in sh_hash_init() + * fix --enable-mounts-check for FreeBSD 7.0 (no MNT_NODEV anymore) + * log monitoring support + * fixed constness in trustfile interface + * remove libprelude 0.8 support (obsolete) + * sh_forward.c: increase TIME_OUT_DEF to 900 secs + * dnmalloc.c: initialize rc in dnmalloc_fork_child(), + reported by B. Podlipnik + +2.4.6a (09-10-2008): + * fix compile problem on Fedora 9 (reported by pierpaolo), + 'struct ucred' in sh_socket.c requires _GNU_SOURCE + +2.4.6 (27-08-2008): + * fix compile failure on win2k/cygwin (sh_unix_mlock prototype), + reported by jhamilton + * fix potential deadlock with dnmalloc upon fork() + * fix non-portable use of 'hostname -f' in regression test suite + (reported by Borut Podlipnik) + +2.4.5a (18-08-2008): + * fix compile problem in dnmalloc.c (remove prototypes for + memset/memcpy), problem reported by Juergen Daubert + +2.4.5 (07-08-2008): + * testscripts: 'chmod -R' -> 'chmod -f -R', since Solaris 10 + bails out on a chmod on a dangling link + * fix bug in check_samhain.pl nagios script (J.-S. Eon) + * use the UNO static checker + * compile as position independent executable (PIE) + * handle EINPROGRESS error (Windows/cygwin issue) + * make sure every function uses less than one page of stack + (proactive security against gap jumping, Gael Delalleau) + * use dnmalloc instead of system malloc + (proactive security against heap buffer overflows) + * fix dnmalloc bugs and portability problems + * check for compressBound, since older zlibs don't have it + +2.4.4 (30-04-2008): + * sh_database.c: fix maximum size of sql query string, maximum + size of strings in struct dbins_ + * sh_hash.c: fix maximum size of message string + * fix typo in the base64 decoder + * fix 'make cutest' for parallel compiling + * fix compile warnings with -Wstrict-prototypes + * sh_static.c: override getgrgid, getpwuid for libacl + * fix more warnings about variables clobbered by 'longjmp' + or 'vfork' (due to library internal handling of mutexes) + * fix configure warning about unused datarootdir + * configure.ac: warn, but accept nonexistent tmp dir + (Problem reported by Brian) + * sh_unix.c: undef P_ALL, P_PID, P_PGID before including + sys/wait.h (compile problem reported by Reputation) + * syslog function tested ok with Syslog Fuzzer v0.1 + by Jaime Blasco (c) 2008 + * slib.c: call fflush when writing trace to file + * sh_readconf.c: don't set OnlyStderr to false if gpg (problem + reported by Irene Reed) + * fix unconditional removal of pid file in atexit handler (bug + reported by Brian) + * fix invalid free() in sh_unix_checksum_size() + * sh_processcheck.c: workaround for stupid OpenBSD bug (returns + ENODEV instead of EAGAIN, because fgetc does + fcntl(0,F_SETFL,O_NONBLOCK) [ENODEV] internally), problem + reported by Roman R. + * fix buf that cause incomplete reporting of modified symlink if + symlink has changed and both old and new paths are >48 bytes + * fix bug that prevented mount check from running in one-shot mode + * enable mount check for openbsd + * fix processcheck default options and test script for openbsd + * option --list-file to list content of file (if saved) + * sh_tools.c: use strcasecmp in reverse lookup since DNS is case + insensitive (bug reported by Phil) + * fill content if MODI_TXT, zlib compress, base64 encode and add + as link_path in sh_unix.c; add to report in sh_hash.c + * testsuite: add test for gpg fingerprint option + * sh_extern.c: add 'CloseCommand' for syntactic sugar, + add in testsuite + +2.4.3a (12-02-2008): + * fix compile error caused by open() with O_CREAT and no third argument + (reported by J.-S. Eon) + +2.4.3 (31-01-2008): + * sh_kern.c: don't require asm/segment.h for kernel check module + * use global var with pid of initial thread instead of getpid(), + since LinuxThreads returns different value in each thread (problem + reported by Steffen Mueller) + * sh_kern.c: no inode check for pci rom (creates spurious messages) + * slib.c: eliminate prototype for vsnprintf (compile problem reported + by eddy_cs) + * Makefile.in: fix missing dependency on 'encode' for $(OBJECTS) + (reported by Matthias Ehrmann) + +2.4.2 (17-01-2008): + * fix broken option --with-checksum (reported by halosfan), + regression test added + * change HP-UX default optimization to +O2 since +O3 breaks + cutest unit testing framework + * put result vector of rng in skey struct + * fix more compiler warnings, and a potential (compiler-dependent) + NULL dereference in the unix entropy collector + * fix some compiler warnings + * use -D_FORTIFY_SOURCE=1 -fstack-protector-all instead + of -fstack-protector + * always add PTHREAD_CFLAGS to LDFLAGS + * sh_tiger0.c: checksum functions return length of file hashed, + needed to fix GrowingLogfile bug (researched by + siim at p6drad dash teel dot net) + * sh_static.c: fix more 'label at end of compound statement' + (SH_MUTEX_UNLOCK closing brace; reported anonymously) + * make sh_hash.c thread-safe + * remove plenty of tiny allocations + * improve sh_mem_dump + * modify port check to run as thread + * new option PortCheckSkip to skip ports + * fix unsetting of sh_thread_pause_flag (was too early) + +2.4.1a (28-11-2007): + * fix overwrite of ErrFlags (functionality bug) + +2.4.1 (26-11-2007): + * security fix: regression in the seeding routine for the PRNG + (detected by C. Mueller) + * regression test added for PRNG seeding routine + * fix problem with PCI ROM check (spurious messages about modified + timestamps, reported by S. Clormann) + +2.4.0a (08-11-2007): + * fix compile failure with --enable-static (reported by S. Clormann) + * fix potential deadlock if SIGHUP is received while suspended + +2.4.0 (01-11-2007): + * eliminate alarm() for I/O timeout (replaced by select) + * use getgrgid_r, getpwnam_r, getpwuid_r, gmtime_r, localtime_r, + rand_r, strtok_r if available + * protect readdir(), getpwent(), gethostname() with mutexes + (readdir_r considered harmful) + * make checksum/hash, entropy, rng functions reentrant + * use thread-specific conversion buffer for globber() + * fixed compile problems and problems with test suite + * modify login watch to run as thread + * modify process check to run as thread + +2.3.8 (03-10-2007): + * new option PortCheckIgnore = interface:portlist + +2.3.7 (13-09-2007): + * Makefile.in: fix 'make deb' target, wrong name of config file + written to debian/conffiles (reported by marc) + * configure.ac: fix incorrect order of with-prelude, enable-static + (libprelude test was always without -static) + +2.3.6 (06-09-2007): + * added yuleadmin.pl script contributed by Riccardo Murri + * fix compile error with -f-stack-protector on some systems (reported + by marc); we now check for libssp + * fix local DoS attack on BSD systems lacking getpeereid() (reported + by Rob Holland). + * fix yulectl password reading from $HOME/.yulectl_cred, erroneously + rejected passwords with exactly 14 chars (reported by Jerry Brown) + * introduce 'fflags' flag for suid files to detect new files already + found in regular file check (problem reported by J. Crutchfield); + also add regression test to ascertain that files in baseline + database are not quarantined erroneously + * sh_hash.c: replace check for prefix 'K' with check for not prefix'/' + to allow for arbitrary module-specific store/lookup in db + * replace 'visited', 'reported', 'allignore' with generic 'fflags' field + * sh_cat.c: reduce priority of MSG_TCP_RESET to avoid spamming if + port checking is used on same host as server (reported by kadafax) + * Install.sh: don't use --separate-output with non-checklist + widgets (problem discovered by D. Denton) + * sh_gpg.c, sh_userfiles.c: use sh_getpwnam et al. wrappers + +2.3.5 (20-06-2007): + * sh_portcheck.c: try to tear down connections more gracefully + (request by S. Petersen) + * fix incorrect handling of files with zero size in GrowingLogFiles + (problem reported by S. Petersen) + * fix incorrect encoding of null checksums in stealth mode + * sh_hash.c: fix repeated printing of acl/attributes in database dump + * sh_unix.c: fix option useaclcheck ignored if both useaclcheck and + useselinuxcheck are supported + +2.3.4 (01-05-2007): + * sh_processcheck.c: fix missing init of sh_prochk_res array before + check (leads to degrading functionality over time and 'fake pid' + warnings; reported by D. Ossenbrueggen and + soren dot petersen at musiker dot nu) + * sh_processcheck.c: fix memory leak + * sh_kern.c: for 2.6.21+ don't check proc_root_lookup (not possible + anymore? proc_root_inode.lookup != proc_root_lookup) + * sh_extern.c: flush streams before forking (problem if [Prelink] + used together with prelude logging, reported by M. deJong) + * fixed compilation of kern_head (regression cause by cross-compiling + fix; problem reported by S. Clormann) + * more typos fixed (reported by John Horne) + +2.3.3 (27-03-2007): + * fixed typos in configure.ac and manual (reported by John Horne) + * don't use mysql_options on x86_64, since libmysql is broken + * fixed cross-compiling (patch by Joe MacDonald) + * refactor sh_kern.c, sh_suidchk.c + * fix bug with leading slashes in linked path of symlinks within + the root directory + * sh_kern.c: check PCI ROM (Linux), refactor code + * move file descriptor closing more towards program startup + * kernel check: support OpenBSD 4.0 (wishlist) + * fix samhain_hide module (in-)compatibility with recent kernels + (reported by Jonny Halfmoon) + +2.3.2 (29-01-2007): + * fix regression in full stealth mode (incorrect comparison of + bytes read vs. maximum capacity), reported by B. Fleming + +2.3.1a (21-01-2007): + * fix incorrect use of sh_gpg_fill_startup if option --with-fp is used + (reported by zeroXten) + +2.3.1 (21-01-2007): + * fix bug that may cause accidental closure of yule TCP socket + (problem reported by B. Masuda) + * fix sh_kern.c for kernel 2.6.19 (reported by S. Clormann) + * don't use sstrip in 'make deb', since dh_shlibdeps uses objdump + (reported by B. Masuda) + * rm report.pl from rules.deb.in (reported by B. Masuda) + * samhainctl(): longer timeout (bad status reporting at startup, + reported by Phil and by Dan Track) + * sh_portcheck.c: make connect errors more descriptive + * sh_portcheck.c: fix ignored setting of PortCheckActive + * sh_processcheck.c: add statvfs, and wrap for EINTR + * sh_portcheck.c: add wrappers for EINTR + * report user and executable for hidden processes + * fix update failure if reportonlyonce = false (reported + by D. Strine) + * fix compile error in sh_portcheck.c (problem on cygwin + reported by J. D. Fiori) + * check filenames ending in space (also for utf8 spaces) + * check and escape csv formatted db listing + * cache results of sl_trustfile_euid() + * trustfile: use 4096 for MAXFILENAME, switch to strncpy + * CL option -v|--version for info on version and compiled-in options + +2.3.0a (01-11-2006): + * fix compile failure with portcheck + stealth (reported by lucas) + +2.3.0 (01-11-2006): + * fix concurrency for inserts in oracle db + * add acl_(new|old) to database schema + * check for selix attributes and/or posix acl + * new option UseSelinuxCheck (bool) + * new option UseAclCheck (bool) + * regression tests for above + * add module to check for open ports + * add module to check processes (hidden/fake/missing) + * use const char* for argument of module configuration callbacks + +2.2.6 (31-10-2006): + * fix missing support for MacOX X init script (reported + by Daniel Kowalewski) + * fix error about non-readable file with no checksum required + * fix server warning about 'no server name known' + * fix 'make deb' makefile target + * fix default export severity for server + +2.2.5 (05-10-2006): + * fix broken Install.sh, reported by Alexander Kraemer + * workaround for glob(3) sillyness on MacOS X (reported by David) + * fix for broken resorce fork check (reported by David) + * fix for broken compilation on cygwin (reported by Elias) + +2.2.4 (03-09-2006): + * add regression test for the GrowingLogFiles issue to test suite + * fixed sh_unix.c: bug in database init if GrowingLogFiles used + with signed database (reported by Timothy Stotts) + * bug in manual fixed (incorrect documentation of --enable-user, + noticed by M. Brown) + * rc.subr compatible init script for FreeBSD/NetBSD + * improve routine to find rpm after build + * add netbsd rc file from Brian Seklecki (taken from pkgsrc-wip) + * fix error in manual (location of lock file) + * fix bug with SuidExclude (files in directory were still checked) + +2.2.3 (31-07-2006): + * fix samhainadmin.pl: check for gpg-agent running if use-agent is set + (ticket #28 by anonymous) + * fix stealth mode (regression in parser), problem reported by + Joschi Kuphal + * fix minor typo in sh_database.c (compile problem reported by + Joschi Kuphal) + +2.2.2 (17-07-2006) + * minor fixes for regression test scripts + * minor updates to the manual (suggested by Brian A. Seklecki) + * fix sh_kern.c, kern_head.c: kernel rootkit detection for 2.6.17+ + (problem reported by Leonhard Maylein) + * fix samhain_hide.c for 2.6.17+: use module_param() if MODULE_PARM + is not defined + +2.2.1c (11-07-2006) + * fix sh_extern.c: sh_ext_add_default() cast to (void) was too early + (Solaris 8 build failure reported by Jesse) + * fix sh_unix.c: wrong prototype for sh_unix_mlock() + if HAVE_BROKEN_MLOCK (AIX 5.2 build failure reported by + Jonathan Kaufman) + +2.2.1b (20-06-2006): + * fix compile error on SuSE 10.1 (reported by Leonhard Maylein) + +2.2.1a (15-06-2006): + * fix compile error on i686/MacOS X (reported by Andreas Neth) + +2.2.1 (13-06-2006): + * fix gcc 4 warnings and build failure on x86_64 (debian bug #370808) + * fix compiling with Oracle (noticed by Colapinto Giovanni) + * fix configure.ac for most recent autoconf version + (debian bug #369503) + * fix a regression that would make impossible local updates w/clients + * fix a few missing '\n' in sh_getopt.c + * sh_kern.c: fall back on mmap() if read() fails on /dev/kmem + * fix Solaris package creation + * recognize Solaris doors and event ports + * fix the idmef_inode_t patch: provide required info to avoid stat() + * fix bug on database update: fill in dev and rdev fields + * fix get_file_infos() in sh_prelude.c: avoid premature return + * GCC_STACK_PROTECT_CC: AC_TRY_COMPILE -> AC_TRY_LINK + * deploy.sh: allow to set a group for hosts upon installation + * patch by Yoann: fix an issue when setting the idmef_inode_t object + * fix memory leaks in error paths in sh_prelude.c + * fix concurrent inserts with postgres in sh_database.c + * code cleanup + * fix manual version in spec file, first noticed by Imre Gergely + +2.2.0 (01-05-2006): + * patch by Jim Simmons for samhainadmin.pl.in + * fix testsuite portability problems + * fix md5 endianess problem detected on HP-UX 11i / PA-RISC 8700 + * fix potential NULL dereference in sh_utmp_endutent() + * patch by Neil Gorsuch for suidchk.c (do not scan lustre, afs, mmfs) + * fix sh_ext_popen (OpenBSD needs non-null argv[0] in execve) + * fix make_tests.sh portability (echo '"\n"' does not work on OpenBSD) + * fix bug in sh_utils_obscurename (check isascii) + * scan h_aliases for FQDN if h_name is not + * add copyright/license info to test scripts + * add copyright/license info to deployment system scripts + * support server-to-server relay + * new CL option --server-port + * minor improvements in manual + * patch by Yoann Vandoorselaere for sh_prelude.c + * allow --longopt arg as well as --longopt=arg + * verify checksum of growing log files (up to previous size) + * rewrite of the test suite + * added a bit of unit testing + * minor optimizations in various places + * optimized implementation of tiger checksum algorithm + * read in 64k blocks (faster than 4k) + * sh_unix.c, sh_hash.c: support file flags on *BSD, update Linux + file attribute code + * kern_head: fix compilation of kernel check module on OpenBSD + * updated samhainrc.linux, samhainrc.freebsd + * sh_unix.c: fix setrlimit (RLIMIT_NOFILE, ..) + * sh_files.c: fix missing use of flag_err_info + * sh_tiger0.c: remove repetitive use of mlock + * slib.c: remove fcntl's from sl_read_timeout (caller sets O_NONBLOCK), + add function sl_read_timeout_prep + +2.1.3 (13-03-2006): + * fix compile problem in slib.c (reported by Lawrence Bowie) + * fix bug with combination of one-shot update mode and file check + schedule (reportedby Dan Track) + * improved the windows howto according to suggestions by + Jorge Morgado + * fix samhain_hide kernel module for new linux kernel versions + * fix minor problem with dead client detection (problem reported + by Michal Kustosik) + +2.1.2 (10-01-2006): + * fix startup error with combination of gpg+prelude + +2.1.1a (22-12-2005): + * fixed a stupid bug in sh_files.c (break if file = dir) + +2.1.1 (21-12-2005): + * sh_calls.c: protect sh_calls_set_bind_addr against overriding + * comINSTALL, updateDB: use locking + * samhainadmin.pl: use locking + * fix typos in samhainrc.solaris (noticed by Robby Cauwerts) + * improve zAVLSearch (remove redundant strcmp) + * use AVL tree in sh_files.c instead of linked list (better scaling) + * fix bug with suidcheck (no update/check in one-shot mode with + schedule instead of check interval; noticed by R. Rati) + * fix for problem with '-t update -i' if daemon mode (problem report + by Peter van der Does) + * fix for bug in sh_util_ask_update (two returns were required ...) + +2.1.0 (31-10-2005): + * minor fix for cross-compiling with --with-kcheck + * sh_forward.c: handle bad fds in the select() fd sets + (reported by hmy) + * sh_extern.c: fix debugging code + * slib.c, sh_calls.c, sh_calls.h: improve handling of O_NOATIME + (reported by Gabor Kiss) + * makefile.in: fix for solaris package creation + * sh_mail.c, sh_readconf.c: mail filtering options + * sh_database.c: Oracle reconnect on connection failure + (bug report by Alexander A. Sobyanin) + * sh_unix.c: don't purge MYSQL_UNIX_PORT environment variable + (problem reported by Peter) + * sh_calls.c: fix for a HP-UX accept() problem caused by the gcc4 fix + * fixes for gcc 4.0.2 compiler warnings + * ability to use daemon mode together with update + (wishlist Yoan Vandoorselaere) + * fixes for debugging + +2.0.10a (22-08-2005): + * fix for overlapping directory check specification (reported by Bub) + +2.0.10 (21-08-2005): + * fix for segfault (free() on a constant string) with libprelude + (problem reported by Grae Noble) + * upgrade FreeBSD kernel check to 5.4, minor fixes + * useful script for users of Linux kernel check + (contributed by marc heisterkamp) + * documentation improvements (suggested by Brian Seklecki and Robby) + +2.0.9 (25-08-2005): + * samhain_erase.c: add #define for NULL + * sh_suidchk.c: fix incorrect use of escaped filename + * sh_prelude.[ch], sh_readconf.c: configurable mapping from + samhain severity to prelude severity + * sh_unix.h: second arg of gettimeofday should be NULL + * sh_files.c: fix checking of directory special file (use specified + policy, not that of parent dir, problem found by Brian A. Seklecki) + * sh_entropy.c: longer timeout for entropy collector + * sh_socket.c, sh_forward.c: allow probing of clients for + necessity of configuration reload + * yulectl: minor fixes, option -v (verbose), new command PROBE + * fix 'File not found' messages for files flagged with IgnoreMissing + * sh_database.c: strip newline from oracle error messages + * sh_files.c: fix rsrc fork issue with MacOS X Tiger + (reported by A. Koren) + * never compute checksum if not checked (problem report by D.Hughes) + * sh_prelude.c: cleanup and bugfix by Yoann + * sh_hash.c: for prelude, make sure mode is supplied with user/group + and vice versa + * sh_prelude.c: provide proper FileAccess objects (bug + report by Mihai Ilinca) + +2.0.8 (03-07-2005): + * configure.ac: use $LIBPRELUDE_PTHREAD_CFLAGS rather than + $LIBPRELUDE_CFLAGS (bugfix by Yoann) + * samhain.spec.in: remove support for chkconfig (it's too buggy). + Strangely, if invoked as install_initd it behaves sanely ... + * src/sh_err_log.c: fix key input (this time for real) + * fix --with-altlogserver (bug from 2.0.7b) + * remove server socket in start/stop script + +2.0.7e (not released): + * Makefile.in: introduce a total of 6 sec delay for 'make' utilities + that use 1 sec resolution, and consider target out-of-date if + timestamp(target) = timestamp(dependency) ... + * src/sh_err_log.c: fix key input + * another fix for yulectl (use pwent->pw_dir) + * dsys/comINSTALL, dsys/comUNINSTALL, dsys/comBUILD: fix PATH + +2.0.7d (not released): + * one more fix for the spec file (stupid rpm finds tags in comments!!!) + +2.0.7c (not released): + * test/testrun_1b.sh, test/testrun_2b.sh: use $GPG_PATH + * dsys/comINSTALL, dsys/funcDB, dsys/funcINSTALL: some bugfixes + * samhain-install.sh.in: fix test -z $verbose + * sh_hash.c: speedup database reading + * Makefile.in: fix the problem that BSD make would make too much + * deploy: yulerc.clients -> yulerc.install.db, provide + $defdatabase for backward compatibility + * deploy: allow for comma in client_install_date + +2.0.7b (not released): + * hp_ux.psf.in: fix psf file + * dsys/comINSTALL: fix $yule_date -> $yule_data + * Makefile.in: fix 'make depot' + * sh_tools.c, sh_unix.c: fix detection of open file limit + * sh_readconf.c: reset read_mode after reading conf file + * yulectl.c: better error messages, use homedir from getpwuid(geteuid) + * init/samhain.startLSB.in: fix misleading message in lsb init script + * sh_forward.c: better display for nonce u in debug mode + * sh_tiger*.c: fix checksum for HP-UX 64bit + * samhain.c: don't fetch database twice + * configure.ac: accept nodename for --with-logserver=... + * samhain_setpwd.c: return proper exit status for samhain_setpwd + * respond to SIGTERM on initializing + * fix problems with samhainadmin.pl + * sh_utils.c: fix bug with AddOKChars (found by Karol) + +2.0.7a (not released): + * remove 'df' from entropy gatherer (NFS may hang) + * modify va_copy check (doesn't work with HP-UX PA64 compiler) + * fix compile warnings in sh_database.c + * samhain-install.sh.in: check for /usr/bin/false in /etc/shells + * fix install-boot on HP-UX + * aclocal.m4: fix configure CL parsing to recognize VAR=VALUE + +2.0.7 (11-06-2005): + * yet another fix for the spec file (use internal dependency generator) + * sh_error.c, sh_prelude.c: init libprelude after open fds are closed + * error message if queue is full + * fix two compiler warnings on HP-UX + * fix sh_mail.c for Interix (no resolver routines) + * fix sh_unix_initgroups2() if no initgroups() function (bug reported + by Geries Handal) + * remove references to 'struct timezone' (Interix; problem + reported by Geries Handal) + * init/stop for prelude on SIGHUP + * sh_cat.h: fix a stupid bug with messages classes + * manual: new section on nagios (with help from kiarna), + more on prelude + * sh_prelude.c: cleanup and improvements (Yoann Vandorselaere) + * default prelude profile name now is 'samhain' (lowercase) + * sh_readconf.c: new option PreludeProfile (by Yoann Vandorselaere) + * remove obsolete check for linux/module.h, linux/unistd.h + * remove dependency on virtual/glibc in gentoo ebuild + (problem reported by Willis Sarka) + +2.0.6 (01-03-2005): + * sh_prelude.c, configure.ac, aclocal.m4: support for + libprelude 0.9 (Yoann Vandoorselaere) + * sh_html.c: fix bug with entry.html template (reported by + Stephane Sanchez) + * Install.sh: fix mandir option (reported by Rodney Smith) + * Fixed Linux/64bit bug in definition of EUIDSLOT + * New targets 'make depot', 'make depot-light' (HP-UX, untested) + * Use sstrip for RPMs and DEBs (automatic stripping disabled) + * Fix aclocal.m4 for autoconf 2.59 (missing $ac_cr_alnum et al., + problem noticed by Yoann Vandoorselaere) + * Modify samhain.spec.in to disable automatic stripping upon install + * Fix deploy.sh + '--enable-gpg', and fix 'make rpm' and 'make deb' + for '--with-khide' (problems reported by Mark) + * Fix compile error in sh_tools.c on HP-UX 10.20 + (problem reported by Dennis Boylan) + * Runtime configuration of server listening port (wishlist) + * Runtime configuration of server listening interface (wishlist) + * Ignore SIGTTIN (consistency) + * Use SIGTTOU to force file check (wishlist) + +2.0.5b (01-04-2005): + * Fix build problem b/o timestamp on stamp file + +2.0.5a (16-03-2005): + * Fix problem with 'make rpm' (reported by Dirk Brümmer) + +2.0.5 (02-03-2005): + * Fix bug with partial reads from clients in server + (bug report by Brian) + * Support gpg checksum bootstrap with yule + * Support mount option check on HP-UX + * For MAIL FROM, use 'example.com' as domain part if + hostname is numeric (problem reported by Eric Raymond) + * The HOWTO-write-modules has been updated. + * Convenience functions to insert data in database have been + added. + * Use int0x03 only on i386 in sh_derr() (portability problem + reported by John Mandeville) + +2.0.4 (09-02-2005): + * Fixed broken 'make deb' (problem report by olfi) + * Fixed minor bug in test scripts (detection of gmake vs. make) + * Fixed Tru64/OSF compile warnings (reported by B. Terp) + * Normalize list parsing to allow comma, space, and tab as separators + * Some more descriptive error messages in kern_head.c + * Absolute path to utilities in init/samhain.startLinux.in + * Fixed is_root variable in deploy.sh + * Fixed 'deploy.sh info' + * Fixed 'deploy.sh install' client startup + * Fixed 'make tbz': don't remove ebuild scripts in 'make dist' + (issue reported by W. Sarky) + +2.0.3 (14-12-2004): + * Fix CPPFLAGS with mysql/postgresql (repoted by P. Smith) + * Fix missing sys/time.h include in slib.c (reported by Jonas) + * Workaround for file closing problem with Prelude+GPG + * Fixed memory leak with Prelude. + * Fixed bug in samhain_stealth (PGP signature not correctly + retrieved from hidden configuration; report and patch by V. Tuska) + * Added Perl script to concatenate file signature database files + * Fix compile error with combination of --enable-nocl and + --enable-stealth (reported by Zdenek Polach) + * Fix bug in dsys/initscript with --enable-nocl + * Fix declaration of sh_kern_timer() + * Fix missing Mounts+Userfiles options in appendix of manual + * Updated the README (bug report by H. Franzke) + * Fix some compiler warnings + +2.0.2a (09-11-2004): + * Fixed OoM condition when client rc file not found (reported by Eilko) + +2.0.2 (08-11-2004): + * Fixed buffer overflow in sh_hash_compdata() (only in 'update' code) + * Fixed uninitialized variable in sh_mail_msg() (problem reported + by Michael Milvich) + * Fixed potential NULL pointer dereference in sh_hash_compdata() + +2.0.1 (01-11-2004): + * Fixed compilation bug reported by jue (--with-kcheck broken). + * Fixed start option (bug reported by sanek). Behaviour wrt. + environment variables depended on the way the daemon was started. + +2.0.0 (31-10-2004): + * The deployment system has been rewritten from scratch in + a cleaner and more modular and extensible way. Deployment + of native packages is supported now. + * The build system has been revised. Building outside the source + directory is supported now. + * Support for checksumming of prelinked executables / libraries + has been added. + * The configure script now checks for the SSP/ProPolice patch in GCC, + and enables it if present. + * The install-boot option in samhain-install.sh has been fixed + (use absolute paths for sbin utilities). + * A nagios plugin (scripts/check_samhain.pl) has been added. + * The LSB (Linux Standard Base) init script has been fixed (the output + was incorrect). + * Fetching of built binary packages has been + fixed ($(PACKAGE)->@install_name@). + * For files in proc, the timeout has been reduced, and no error + messages are issued upon timeout. + * A function has been added to print out full details for missing + files if encountered while in sh_files(). + * The reporting for SuidCheck has been fixed (incorrect policy + noticed by JiM). + * On Linux, SuidCheck does not report on files marked as candidates + for mandatory locking (group-id bit set, group-execute bit cleared). + * Fix for oracle init script (by Matt Warner) + +1.8.12b (11-10-2004): + * fix bug in MSG_MSTAMP (%ld -> %lu) + * fix bugs in sh_suidchk.c (%ld -> %lu), check fopen for NULL, + mkdir mode for quarantine directory + * fix the fix for modlist_lock search in System.map + +1.8.12a (01-10-2004): + * fix bug in samhain-install.sh.in (only occurs on Solaris), reported + by J. Roland + +1.8.12 (27-09-2004): + * fix compile bug with --enable-static + --with-database=postgresql + * fix search for modlist_lock in System.map + * password auth for yule command socket (request by D. Kocic) + * more info about pending/sent commands to clients + +1.8.11 (30-08-2004): + * fix static linking on Linux by use of replacement routines from + uClib - however, this means, there is no NIS support anymore + * new option AddOKChars=... to modify the set of characters for + filenames considered 'obscure' + * new option HardlinkOffset=... to specify an offset from the canonical + hardlink count for a directory + * fix some warning with HP 11.23 native compiler + * fix minor OpenBSD portability problems (EIDRM, compiler warning) + * samhainrc.5, samhain.8: updated the man pages + * sh_unix.c, sh_files.c: ignore 'no user/group' and 'obscure name' + for AllIgnore + * sh_kern.c: fix 'update' to display modifications + * sh_kern.c: fix bug with IDT check (spurious alerts b/o uninitialized + fields) + * stealth kernel modules: fix for linux 2.6, fix + redefine of KERNEL_VERSION + * warn about stealth kernel module problem with 2.6 in manual + * sh_unix.c: remove some cruft + * fix a typo in the manual (noticed by J. Rubin) + * configure.ac: re-order output from libprelude-config (required + for static linking - problem reported by E. Neber) + * kern_head.h, kern_head.c: fixes for Linux 2.6 kernel + +1.8.10b (13-07-2004): + * fix incorrect usage of 'retry_msleep()' in sh_kern.c (reported + by Pat Smith) + +1.8.10a (13-07-2004): + * depend-gen.c: fix for FreeBSD 'make' which does not understand + the dependencies ... (problem reported by David Thiel) + +1.8.10 (13-07-2004): + * sh_unix.c/sh_unix.h: fix defaults for 'GrowingLogFiles' policy + (bug report by VZoubkov) + * fix some warnings (unreachable statement) with HP-UX native compiler + * kern_check.c: silence warning about 'sendfile' for 4.10 + (noticed by Ryan Beasley) + * modify depend-gen.c to ignore sh_gpg_chksum.h + * add a non-plaintext version of GPG_HASH (sh_gpg_chksum.h) + * .. and for fingerprint + * sh_suidchk.c: fix some compiler warnings on solaris + * allow commas to separate multiple entries in a RedefXXX= directive + * replace sleep/usleep with nanosleep wrapper function + * replace alarm() for read timeout with select() in sl_read_timeout + (should fix bug reported by Scott Kelley) + * increase lstat/open timeout to 6 sec + +1.8.9 (16-06-2004): + * made 'no action specified' error message more informative + (suggested by Stephen Gill) + * fix memory leak in mysql sh_database_query() (bug report by Dejan) + * remove some cruft from the code + * sh_files.c: check MacOS X resource forks (idea from Osiris) + * sh_files.c: no hardlink check for MacOS X + * sh_util_ask_update: fix bug with no terminal in non-interactive mode + (report and debug data by Kris Dom) + * manual refactored + * fix redundant messages when updating with suidcheck + * allow interactive update for suid files + * don't remove the TZ environment variable to guard against + misconfigured hosts + * also use gethostname if uname returns possibly truncated name + * fix improper file descriptor handling in sh_mail.c (bug report + by Alex Weiss) + * cleanup MBLK cruft + * use SH_ALLOC/SH_FREE in sh_prelude.c + * update sstrip to Version 2.0 + +1.8.8 (25-05-2004): + * fix compilation problem on AIX 5.2 (nameser_compat.h; report by + Tim Evans and Ian McCulloch) + * don't check for trusted paths on Cygwin + * add Windows HOWTO written by Kris Dom + * kern_check.h: extend FreeBSD syscall table for 5.x + +1.8.7a (03-05-2004): + * sh_mail.c: fix subject length + * sh_mail.c: fix the sh.mailNum.alarm_last fix (report by Kris Dom) + * sh_utils.c: sh_util_ask_update(): fix ISO C conformance bug + (compile problem reported by Kris Dom) + +1.8.7 (01-05-2004): + * sh_mail.c: fix incorrect count of sh.mailNum.alarm_last, causing + empty mails (introduced with segfault fix in 1.8.6, report + by Kris Dom) + * sh_utils.c: sh_util_ask_update(): check whether stdin is a terminal, + try to reopen on controlling terminal if not + * sh_utmp.c: fix order of options (problem report by Uri) + * sh_files.c: sh_files_chk(): set tmp = NULL at end of loop + (may cause segfault on null dereference for missing files) + * sh_unix.c: patch by Marc Schütz (order of sh_unix_getinfo_type, + sh_unix_getinfo_attr) + * don't use dh_installmanpages in 'make deb' (samhain/yule conflict + reported by xavier) + * on HP-UX, define _XOPEN_SOURCE_EXTENDED in sh_mail.c and sh_tools.c + (suggested by Kris) + * include nameser_compat.h in sh_mail.c (for MacOS X, + suggestion by jna) + * sh_utmp.c: fix time for logout events (reported by Erich + van der Velde) + +1.8.6 (15-04-2004): + * add CL option to set threshold for prelude and RDBMS + * sh_mail.c: fix bug with MailSubject option (segfault on NULL pointer + dereference; reported by Micha Silver) + * fix compiling with --disable-encrypt (reported by Pat Smith) + * fix minor problem in scheduler (don't return before all schedules + are tested, to set last_exec correctly) + +1.8.5 (05-04-2004): + * fix bugs in sh_utmp.c (unlinking of list head); may fix an OpenBSD + problem (endless loop; report and debugging aid by Joe MacDonald) + * fix hardlink check (null dereference in error message, segfaults + on solaris - noticed by Bob Bloom) + * sh_suidcheck: don't truncate quarantined file if nlink > 1 + * fix Install.sh (no --seperate-output with --radiolist); patch by + Greg Kimberly + +1.8.4 (17-03-2004): + * add Prelude patch by Patrice Bourgin + * add license statement to sh_mounts.c, sh_userfiles.c after + receiving a clarifying e-mail from Cian Synnott + * support UsePersistent = no for Oracle (problem spotted and fix + tested by Michael Somers) + * fix bug in samhainadmin.pl + * sh_gpg.c: describe type of gpg error (if any) + * fix persistent connections with postgresql (reported by + Erwin Van de Velde) + * prelude: local 'meaning' shadows global in sh_prelude_alert + (spotted by David Maciejak) + * uname: workaround for cases where nodename would be a possibly + truncated FQDN (problem reported by Cian Synnott) + * re-write parts of sh_kern.c, store kernel info in baseline database + -> no need to recompile after kernel upgrade + * modify timeouts in sh_unix_getinfo, add timeout warning + * change handling of dangling symlinks (store in db) + * fix typo with MSG_FI_OBSC2 (double slash) + * remove redundant operation in sh_utils_safe_name + * fix occasional random start bytes of long messages in + sh_error_string (sl_strlcat -> sl_strlcpy) + * provide details for missing files (as for added files) + * remove duplicate message for no such group/user + * add fixes for samhain.oracle.init (supplied by Michael Somers) + * fix date insertion for Oracle (fix by Michael Somers) + * manual: fix incorrect statement about RPM (noticed by + Lars Kellogg-Stedman) + +1.8.3 (02-02-2004): + * add a HOWTO-client+server-troubleshooting document + * fix another bug with SIGUSR2 (suspend mode) + * new option SetBindAddress (--bind-address=...) to force + interface for outgoing connections on multi-interface box + * don't link against libgmp if not required (i.e. standalone) + * test for ext2fs/ext2_fs.h or linux/ext2_fs.h + * new make targets 'emerge' and 'tbz2' for gentoo + * update rules.deb.in based on the Debian package + by Javier Fernandez-Sanguino + * updated config.guess, config.sub to version 2002-09-05 + * external command: report failure only once + * console: reset failure status after success + * README.UPGRADE: explain 1.7.x <-> 1.8.x client/server compatibility + * use persistent connection to database by default + * option UsePersistent=no to switch off persistent connection + +1.8.2 (19-01-2004): + * sh_userfiles.c: new option UserfilesCheckUids (requested) + * sh_error.c: server: don't log to logfile before dropping root + * new script scripts/samhainadmin.pl (administrative tasks for + signed config/database files) + * add changes code to log_msg for reports on modified files + * change default log threshold to 'mark', as 'none' tends + to confuse new users + * faster response time for SIGUSR2 + * revised (mostly backward-compatible) message classes + * fix missing check of mailTime in server select loop + * add support for libprelude (version 0.8.10) + * fix format for MSG_E_GRNULL (reported by Stefan Hudson) + * fix Bourne shell incompatibility (export) in samhain-install.sh + (first reported by David Thiel) + * fix typo in spec file (first reported by Christian Vanguers) + * remove some cruft (signal handler, memory handling) + * return from sigterm handler, rather than exit directly + (re-entrancy problem causes more problems than it's worth) + +1.8.1 (03-12-2003): + * fix gmp detection (problem pointed out by Nix) + * fix/improve the error message if test compiling with mysql fails + * new CL option --interactive for interactive db update + * fix some compiler warnings from IRIX MIPS compiler + * kern_head.h, kern_head.c: option to disable IDT check + * kern_head.h, kern_head.c: update kernel syscall table (2.4.20,2.6) + * sh_utmp.c: count number of logins (request by Erwin Van De Velde) + * change username -> userid, remove (long) userid (bug noticed + by Erwin Van De Velde) + * emit ADDED message for new SUID/SGID files + * add trailing slash to excluded directory if there is none + +1.8.0a (04-11-2003): + * sh_error.c: remove two debug printf's + +1.8.0 (31-10-2003): + * manual: make ps file fit on both a4 and letter paper + * sh_socket.c, sh_socket.h, sh_forward.c: socket interface + to send (quit/reload) commands to clients + * sh_forward.c, configure.ac: enable build with libwrap + (Wietse Venema's TCP Wrappers library) + * sh_ignore.c, sh_ignore.h, sh_files.c, sh_hash.c, sh_readconf.c: + new option to suppress messages for new and/or deleted files + * samhainrc.aix5.2.0: contributed by Christoph Kiefer + * samhain.c: fix compile warning on solaris (noticed by Ian Hunt) + * sh_database.c: undef debug code for oracle + * samhain.oracle.init: contributed by Joern Michael Krueger + * configure.ac, sh_utils.ac, Makefile.in, sh_modules.c, + sh_cat.c, sh_cat.h, sh_mounts.c/h, sh_userfiles.c/h: + check-mounts and userfiles modules contributed by eircom.net + * sh_utils.c: fix off-by-one bug in sh_util_compress() + * sh_forward.c, sh_tools.c, configure.ac: + version 2 client/server protocol + * sh_mail.c: add %S to include severity in subject (user request) + * sh_suidchk.c, 1093: fix warning about unused var 'flags' on FreeBSD + * samhain.h, sh_unix.h, sh_unix.c: extern inline -> static inline + for --enable-ptrace + * samhain.c: lower priority for 'uninitialized module' message + * sh_entropy.c: lower priority for message if /dev/random blocks and + /dev/urandom is available + * improved error messages in sh_readconf.c + * print system error message for getpwuid, getgrgid + * fix missing module init after SIGHUP (noticed by Cian Synnott) + +1.7.12 (13-10-2003): + * sh_mail.c: fix buffer overflow in mail handler (introduced in 1.7.10) + thanks to bug reports by Jason Martin and Matthew P. Cox + +1.7.11 (01-09-2003): + * samhain.c, samhain.h, sh_unix.c, sh_forward.c, sh_html.h: + - change SIG_USR1 to switch between dbg on/off + - change SIG_USR2 to switch between suspend on/off + - fix CLT_ILLEGAL to actually work + - introduce new state CLT_SUSPEND + - force reauthentication after suspend + * slib.c: change MAXFD from FOPEN_MAX (16) -> 1024 + * sh_suidchk.c: better AIX fs detection (Christoph) + * sh_entropy.c: increase buffer size for unix entropy gatherer + (problem reported by D. Danielson) + * default config files: add lots of comments, list more options + * sh_error.c: set default severities to 'crit' + * sh_readconf.c, sh_cat.c, sh_cat.h: stricter check on config + file syntax, issue warnings (triggered by C. Kiefer) + * Makefile.in: handle depend-gen errors more gracefully + * sh_err_console.c: fix bug in enable_msgq (reported by F. Behrens) + * configure.ac: workaround for mysql_config weird output + (reported by G. Faron) + * sh_unix.c, sh_tiger0.c: check IO limit during read of large files + * depend-gen.c: close streams before attempting to rename (Cygwin) + * Makefile.in: fail gracefully if depend-gen fails + * sh_database.c: sh_database_query(postgresql): fixed missing SL_ENTER + +1.7.10 (27-07-2003): + * FreeBSD init script: define $pidfile (reported by D. Thiel) + * sh_unix.c, sh_unix.h: fix compile error on AIX 4.2 + * sh_schedule.c: fix bad array size + * samhain.c: fix pid_t <> int casts + * sh_kern.c: fix repetitive messages + * configure.ac: try to bootstrap if TIGER192 not supported by gpg, + provide a detailed error message + * configure.ac: try harder to locate mysql + * docs/Changelog: retroactively add release dates, if known + * sh_mail.c: fix potential message truncation in mailer + * sh_unix.c, samhain.c, samhain.h: make --enable-ptrace more portable + * sh_readconf.c: fix segfault (dereference of uninitialized pointer) + if --with-gpg and --enable-stealth are used together (reported + by Anthony Caetano) + * sh_unix.c, samhain.c, sh_calls.c: fix problems with descriptive + error messages (larger GLOB_LEN, stat fills aud_err_message) + +1.7.9 (30-06-2003): + * sh_err_log.c: fix segfault on SIGABRT (dereference of freed memory), + problems with SIGABRT noticed by Brian and Alf B LervÃ¥g + * deploy.sh.in: fix some bugs (found by Alf B LervÃ¥g) + * scripts/chroot.sh: fix typo (found by Alf B LervÃ¥g) + * configure.ac (khide): search also for 'd sys_call_table' (noted by + cuek_saja) + * strip whitespace before checking gpg checksum (noted by D. Thiel) + * manual (faq section): explain how to stop console output + * Makefile.in: fix re-naming of yule with --enable-install-name + * HOWTO-client+server.html: fix typo (noted by xavier renaut) + * configure.ac: escape '-' in awk regex (required by GNU awk 3.1.1) + +1.7.8 (28-05-2003): + * sh_unix.c: new mlock implementation with reference count + and page alignment (fix for solaris problem) + * kern_head.c: search also for 'xxxxxxxx d sys_call_table' + * sh_html.c: write status comment (for Beltane 2) + * add CL option --delimited for comma-delimited signature database dump + * sh_mail.c: check exit status of push_list to fix counting bug + (bug reported by Alan Moore) + * configure.ac: add error message to --with-libs + * fix spelling of $DAEMON in init script (noted by C. Grigoriu) + * fix missing initgroups() + +1.7.7 (06-05-2003): + * sh_forward.c: fix bug if compiled with --enable-udp, but disabled + in config file (found by Andy OBrien) + * sh_database.c: sh_database_entry(): size -> c_size (two places) + to fix writing of '\0' to arbitrary places :( + (problem pointed out by Stefan Giesen) + * profiles/*/configopts: fix --with-base -> --enable-base + +1.7.6 (24-04-2003): + * sh_forward.c, entry.html, head.html: fix/additions by Stefan Giesen + * fix samhain_hide for the O(1) scheduler used by RedHat: + configure.ac, acconfig.h: check for next_task in struct task_struct + samhain_hide.c: use find_task_by_pid if no next_task in task_struct + * samhain_erase.c: add MODULE_LICENSE("GPL") to fix warning + +1.7.5 (15-04-2003): + * sh_cat.c, sh_forward.c, sh_hash.c: fix double 'msg' tag + * manual: point out the bmaxdata problem on AIX in faq section + * trustfile.c: don't check symlinks (permissions of directory count) + * sh_schedule.c: fix problem with daylight saving switchover + * sh_samhain.c: close all open fd's >2 before reading the conf file + * sh_unix.c: fix dereferenced NULL pointer when exiting on non-existing + user + * sh_forward.c: fix dereferenced NULL pointer when exiting on udp error + * sh_forward.c: place timestamp code before select() timeout handler + * fix incorrect class of timestamp messages (conflict with manual) + * sh_readconf.c, sh_forward.c: new config option SetStripDomain + * configure.ac: add warning if /lib/modules/`uname -r`/build/include + not found + * samhain_hide.c: adapt for RedHat 2.4 kernel (fetch sys_call_table + address from System.map) + * sh_err_syslog.c: fix for Solaris + * samhain.spec.in: strip REQ_FROM_SERVER from config file install path + +1.7.4 (21-03-2003): + * configure.ac: fix bug in defargs (--with-base > --enable-base) + * aclocal.ac: detect unsupported options + * kern_check: add syscalls, skip unused syscalls + * fix Manual (--enable.../--with... inconsistency) + * add two HOWTOs (signed files, server/client) + * moved manual into new subdirectory docs/ + * add admin scripts by S.Bailey/M.Redinger + * option to have a version string in db file + +1.7.3 (23-02-2003): + * samhain-install.sh: use yule user key for signing on install + * fix a bug in sh_err_console.c (attempted write to const char) + * sh_gpg.c: if server, always use ~unprivileged_user/.gnupg + * Makefile.in: make target 'trustfile' depend on config.h + * configure.ac: don't use install_name before it is defined ... + * sh_tiger0.c: fix bug in checksum computation introduced in 1.7.2 + * samhain.c: make sure daemon cannot be forced into 'update' mode + * sh_hash.c: remove AIX workaround (AIX has been fixed meanwhile) + +1.7.2 (04-02-2003): + * sh_kern.c: use sys_call_table address from System.map + * fix for reserved SQL keyword 'group' + * add AC_SYS_LARGEFILE to configure.ac + * allow separate client-specific log files for server + * sstrip.c: compile sstrip code only for i386 + * sh_unix.c: closeall: don't close trace file + * slib.c: don't trace sl_is_suid (leads to recursion in trace handler) + * samhain-install.sh.in: fix detection of LSB compliant systems + * sh_tools.c: get_client_*_file: lstat -> stat to allow symlinks + * sh_forward.c: sh_forward_do_write: set O_NONBLOCK for fd + (may block otherwise, for no good reason apparently ...) + * samhain.spec.in: replace %configure with ./configure + * sh_unix.c: re-write signal handling (use __malloc_hook et al. to + check whether we are in the middle of a free/malloc/realloc/memalign) + * sh_unix.c: use new safe_logger() function to log from signal handler + * sh_err_log.c: fix xml + * + * fix Makefile.in to exit non-zero on compile failure + * database init: create index on log_host, entry_status + * sh_suidchk.c: fix path building + * sh_tiger0.c: read larger blocks + * sh_hash.c: cast inode to UINT32 + * sh_tools.c: check that config/database files size fits in uint + * sh_error.c: export flag_err_debug to avoid unnecessary calls + * sh_unix.c: save the open() call in sh_unix_getinfo_attr() + * profiles/redhat_i386/bootscript: add # description field + * deploy.sh.in: set owner + permissions for files in yule_filedir + * profiles/debianlinux_i386: fix bootscript + * Makefile.in: fix deploy file lists and targets (include init+scripts) + * MLOCK GOOD/BAD -> SL_FALSE/SL_TRUE + * sh_mail.c: GOOD/BAD -> SL_FALSE/SL_TRUE (AIX sys/param.h) + * sh_err_syslog.c: split long messages rather than truncating + * sh_error.c: allocate msg to fix truncation limit + * sh_unix.c: closeall fd's >= 3 in non-daemon mode (inherited + filedescriptors may exceed FOPEN_MAX, causing problems in + sl_open_file) + * sh_err_console.c: avoid stdio + * trustfile: dirz: make swp[] static + * slib.c: speed up sl_strlcat + * clean up some bad heap allocation (PATH_MAX+(1|2) -> PATH_MAX) + * remove some unused code + * slib.c: support long long int in the snprintf replacement + * configure.ac: new configure macro to check whether sa_sigaction works + * Makefile.in: make sstrip, encode dependent on config.h + +1.7.1a (08-01-2003): + * fix a syntax error in samhain-install.sh.in + +1.7.1 (07-01-2003): + * search runlevel scripts in ./init or ./ + * handle all distro-specific Linux runlevel script issues + within a single script + * support install-boot on Yellow Dog Linux and Slackware + * samhain-install.sh: fix a bug for unknown Linux + ('"' not closed, DVER not set) + * samhain-install.sh: check for /etc/yellowdog-release + * sh_database.c: fix missing entry for 'userid' in attr_tab[] + * fix debian.rules.in (disable sstrip) + * update make targets: 'srpm', 'srpm-dist', 'rpm' + * check for zlib if mysql is used + * workaround for NetBSD bug with libresolve + * fixed problems with spec files + +1.7.0 (22-12-2002): + * improved spec files (Andre Oliveira da Costa <brblueser@uol.com.br>) + * sh_unix.c: fix a dereferenced static pointer in tf_trust_check + * runlevel scripts: remove pid file after stop + * make the data directory read-only for the daemon + * treat 'localhost' specially in MX resolver + * sh_err_log.c: set sh.flag.log_start == TRUE after writing </trail> + * deploy.sh.in: fix quoting (fix by Simon Bailey) + * slib.c: make sl_get_euid et al. behave well if uids not stored + * trustfile.c: use euid = uid(SH_IDENT) if server + * sh_mail.c: include an MX resolver + * Makefile.in: install-user routine for user installation + * have yule drop root + * sh_tools.c: open_temp use logdir if server + * unified options for runlevel script + * HP-UX, IRIX runlevel scripts + * AIX inittab entry + +1.6.6 (13-12-2002): + * configure.ac: solaris cc -O2 -> -xO2 + * sstrip.c: avoid alpha architecture + * profiles/solaris/configopts: no --enable-static + * sh_forward.c: sh_forward_req_file: copy argument to local array + +1.6.5 (04-12-2002): + * sh_utmp.c: set userlist = NULL in sh_utmp_end () + * sh_unix.c: do not assume that environ is sane + * exit handler: write </trail> + * sh_log_file(NULL): test sh.flag.log_start != S_TRUE + * FreeBSD rc script does not blindly accept content of pid file + * configure.ac: allow 'localhost' for log server + * sh_calls.c: retry_connect: ntohs (port) + * testrun_2[abc].sh: --with-logserver=localhost for client + +1.6.4 (12-11-2002): + * sh_tools.c: fix error when escaping '=<' + * fix the 'make srpm' target + * deploy.sh.in: avoid that client is named 'yule' + * define memset to sl_memset + * fix type cast of uid_t, gid_t + +1.6.3 (31-10-2002): + * fix options for Sun/Solaris native compiler + * sh_unix.c: MSG_FI_LIST (line 2333): cast theFile->size to fix error + * test sstrip on freebsd + * default config file for freebsd + * make target to build .deb packages + * sh_readconf.c: fix bug in error message + * samhain.c, sh_suidchk.c: fix initialization of suidchk + * samhain-install.sh.in: don't remove config file by default + * samhain-install.sh.in: support complete de-installation + * samhain-install.sh.in: add support for Gentoo, FreeBSD, and Solaris + * samhain-install.sh.in: check more paths + * sh_unix.c: fix sys_siglist declaration [NetBSD portability issue] + * sh_calls.c: save error message in retry_lstat() + +1.6.2 (04-10-2002): + * make target to build rpms + * update samhain.spec.in, samhain.startRedHat + * support DESTDIR, as in 'make DESTDIR=/what/ever install' + * explicitely set -fno-omit-frame-pointer b/o gcc bug + * mv configure.in to configure.ac to benefit from autoconf wrapper + * sh_modules.c, sh_modules.h: add mod_reconf() to run at SIGHUP + * slib.c: fix debug messages (no msgs for dlogActive <= 1) + * sh_schedule.c, samhain.c, sh_suidchk.c: + scheduler may accept multiple schedules + +1.6.1 (04-09-2002): + * sh_schedule.c: bugfix (executes only after first day) + * rm obsolete WITH_TRACE stuff + * new dlog() function for debug logging + * some more descriptive error messages + +1.6.0 (27-08-2002): + * omit the -fomit-frame-pointer option (bugs in some gcc versions ?) + * sh_error.c: fix escape mode when logging to database + * sh_forward.c: fix error (twice escape) in recv_syslog_socket + * sh_tools.c: change escape mode for server-received data + * sh_mem.c: change ulong -> size_t in sh_mem_malloc() + * configure.in: fix localstatedir if --prefix=USR + * sh_hash.c: snprintf() -> sl_snprintf() + +1.5.5 (07-08-2002): + * sh_err_log.c: fix incorrect xml syntax for client messages + logged by server + * sh_err_log.c: fix incorrect '</trail>' entries on client EXIT + * sh_files.c: introduce file_class_next + this fixes the problem that a policy for the directory + inode erroneously becomes a policy for the directory itself. + +1.5.4 (17-07-2002): + * sh_hash.c: fix buffer overflow with (micro-)stealth + * sh_database.c: set path[] 1024 -> 12288 + * sh_database.c: set query[] 2048 -> 16383 + * sh_database.c: set values[] 1024 -> 16383 + * sh_forward.c: larger limit for message size (16 kB) + * trustfile.c: set MAXFILENAME 2048 -> 4096 + * fixed a bug in the handling of filenames with embedded newlines + * sh_files.c: fix missing sh_util_safe_name() in debug output + * --with-sender can specify a full address + * fix xml log in a backwards compatible way + +1.5.3 (03-07-2002): + * fix combination of stealth and sql logging + * fix some more places where invalid UIDs/GIDs trigger errors + +1.5.2 (01-07-2002): + * include solaris config file from (sean [at] boran d.o.t com) + * test for files/dirz defined twice in the configuration file + * option to disable reverse lookup on outbound connections + * option to use socket peer as client name (with name resolving) + * sh_html.c: fix an HTML bug (twice </head><body>) + * sh_suidchk.c: fix warning on AIX b/o dirname() + * allow logging server -> syslog if yule is NOT configured to + receive syslog messages + * define PRIi64 to "lld" if undefined + * invalid UIDs: use gid/uid as name, error level SeverityNames + * minor fixes for connect_port + * sh_hash.c: flush output of db listing before _exit() + * configure.in: fix incorrect default ${install_name} for server + * configure.in: try harder to find mysql.h / libpq-fe.h + * sh_files.c: sh_files_checkdir: + closedir() early to not exhaust OPEN_MAX + +1.5.1a (30-05-2002): + * fix missing LSB init script + +1.5.1 (27-05-2002): + * fix '-t update' option + +1.5.0a (23-05-2002): + * fix configure.in + +1.5.0 (22-05-2002): + * include solaris nosuid patch from (nathoo [at] co d.o.t ru) + * similar fix for bsd nosuid + * speed up -t update + * convert manual to DocBook, distribute html and ps + * fix some more problems with configure.in, Makefile.in + * fix testsuite, add tests for udp, mysql + * MSG_TCP_MSG: host -> remote_host + * convert to autoconf 2.53 + * make c_bits.sh exit with status 0 + * sh_database.c #include "mysql.h" --> <mysql.h>, ditto libpq-fe.h + to avoid dependency tracking problems + * samhain.c remove *YULE* #ifdefs + * acconfig.h remove *YULE* #undefs + * samhain.c: procdirSamhain: lstat --> stat (allow symlink) + * configure.in: add checks for correct user input + * Makefile.in: add automatic dependency tracking + * depend-gen: tool to figure out dependencies + * chkconfig comments in redhat start scripts + +1.4.8: + * sh_database.c: fix missing attr_old, attr_new, (from)host columns + * configure.in, Makefile.in: fix an error in the configfile + definition with REQ_FROM_SERVER + * sh_err_console, sh_err_log: avoid recurrent failure messages + * timeout on read from files (/proc) + * fix errrors with setjmp/longjmp/alarm + * fix memory leak in server (~20 byte/file download in sh_tools, 930) + * check gpg signature for files downloaded from server, add a + regression test + * fix chown in solaris bootscript + * provide second scheduler for file check + * provide scheduler for file check + * provide scheduler for SUID check + +1.4.7 (08-04-2002): + * make daemon control LSB-compliant (arguments, exit status) + * set log_ref = 0 for server messages + * boolean option SetDBServerTstamp to disable entering server + timestamps for received client messages into database + * sh_suidcheck: check for "nosuid" mount option if getmntent is used + * fix logrotate script in manual (reported by Scott Worthington) + * don't strip numerical IP addresses + * check item->status_now != CLT_TOOLONG in client_time_check() + * set log_host to client in db client message + +1.4.6a (20-03-2002): + * define prefix in deploy.sh + +1.4.6 (19-03-2002): + * modify samhain_hide.c to hide processes on new Linux kernels + * better error diagnostics in kern_head.c + * fix compile error in all_items () + * check length of install-name in enable-khide (max is 15) + * define exec_prefix in deploy.sh.in + * make configure a bit more cross-compiler friendly + +1.4.5 (07-03-2002): + * Make sure missing file is reported even if ptr->reported == S_TRUE + because the file has been added. + * propagate 'reported' flag from sh_files_checkdir() into file list + * close checkfd in sh_gpg_check_file_sign() + * sh_derr(): kill(parent, SIGCONT) after ptrace(PT_DETACH,...) + * use sh.srvcons.name in dbg() to get debugging info from daemon + * option to log file timestamps with localtime instead of GMT + * comment out MSG_FI_ADD in sh_dirs_chk () - obsoleted by mandatory + sh_files_filecheck(directory) that triggers MSG_FI_ADD in sh_hash.c + * set ptr->reported = S_FALSE; for reappeared files in sh_files_chk() + to make sure re-disappearing will get reported + * new function sh_hash_set_missing() to remove file record + without (duplicate) 'missing' message + * make sure all items are reported for added files + * fix stealth mode with sh_kern (encode sh_ks.h -> sh_ks_xor.h) + * clarify in the documentation which gpg options to use for signing + +1.4.4 (11-02-2002): + * check that parent process has exited before writing PID file + * promote MGG_W_CHDIR to SH_ERR_ERR + * add error message to sh_unix_testlock + * fix missing _() macro in sh_aud_set_functions + +1.4.3 (05-02-2002): + * don't check attributes for symlinks (may cause device access) + * add USE mysql; USE samhain; to samhain.mysql.init + * point out the MessageHeader/mysql problem in manual + * add -lz to LIBS for mysql + * strip after install, avoid double strip + +1.4.2 (27-01-2002): + * support for EGD + * fix some more problems with install-deploy / deploy.sh + * fix a bug in profiles/suselinux_i386/bootscript (INSTALL_NAME_) + * fixed the 'external logging' test (init rather than none in rc file) + +1.4.1: + * SuSE: include run level 4+5 + * install location of hiding kernel modules changed - some insmod + variants do not test for /lib/modules/$(uname -r)/module_name.o + * new make targets 'install-deploy', 'uninstall-deploy' + * fixed make targets 'deploydir', 'deploydirfast' + * bail on unsupported CL option in deploy.sh + * fix various bugs in deploy.sh + +1.4.0 (16-01-2002): + * fixed missing 'dirname' on Mac OS X + * fixed && tested for/with postgres + * 'user=' -> 'userid=' (reserved word in sql) + * fix the endianess + size of file database; this changes db format + for any non-Linux OS + * --enable-old-format for old (V1.3) database format + * getopt, samhain.c, samhain.h: option -f to loop if not daemon + * sh_hash: list numeric + char data to allow file db update on + server side + * sh_database: modify handling of integer (long) data + * sh_database: datetime in database + * sh_database: hash field in database + * sh_database: rewrite database insert string construction + [use INSERT INTO log (fields) VALUES (values);] + * makefile suse 7.x runlevel entries + +1.3.7 (06-01-2002): + * fix incorrect escape in sh_tools_safe_name + * fix sh_error_handle (4. argument) in sh_extern.c + +1.3.6c: + * fix segfault in sh_database (mysql logging) on solaris + +1.3.6b (03-01-2002): + * fix syntax error ('==') in Makefile.in + * fix configure.in (path for /lib/modules/$(uname -r)/build/include) + * fix sh_kern.c (redeclaration of 'j') + +1.3.6 (03-01-2002): + * sh_kern.c: check integrity of int 80h vector + (SucKIT rootkit - Phrack 58) + * make sure childs in sh_kern are wait()'ed for + * provide start/stop/restart/reload/status interface + * fix a potential segfault (dereferenced NULL pointer) in the server + * use sh_util_flagval for sh_unix_setdaemon + * documentation for logging to SQL database + * configure.in: check for -I/lib/modules/$(uname -r)/build/include + * fix trustfile.c to ignore invalid users + * separate 'make install-samhain' and 'make install-yule' + * separate default log/pid/config files for server/client + - less problems running server and client on same host + * rewrite deploy.sh(.in): + - don't use (make|install) if deploying + - use command line options + - better integrate into server environment + - write install db + * always write a pidfile if daemon + * don't use server's config file as fallback for downloading client + * don't overwrite config file when doing 'make install' + +1.3.5 (28-12-2001): + * fix --enable-message-queue for newer glibc versions + * log to SQL database: implemented, but undocumented yet, + needs to be tested further + * xml: escape received syslog messages + * xml: rename 'time' to 'tstamp' + * make targets: make [un]install-[boot-]yule + (for server-only installation) + * fix samhain_hide.c for 2.4 kernel + * fix sh_kern for updated samhain_hide.c + * new option -j to just list the logfile + * sh_getopt.c: recognize -Dt check for -D -t check + * sh_tiger0.c: fix compiler warning (memmove) on Solaris + +1.3.4 (12-12-2001): + * sh_suidchk.c: option to limit files per second + * sh_unix.c: option to limit (kilo)bytes per second + * sh_hash.c: fix potential problem with '\n' in filename + (not backward compatible if there are filenames with '=') + +1.3.3 (03-12-2001): + * sh_readconf.c, samhain.h, samhain.c, sh_suidchk.c: + option SetNiceLevel to set scheduling priority + * sh_hash.c: bugfix for database listing on Solaris + * taus_seed: bugfix for emergency backup rng seed + * sh_util_safe_name: fix for XML + * sh_utmp_set_login_activate: use sh_util_flagval + * sh_utils.c: sh_util_obscurename: rm 'space' from list + * more backtrace macros + * sh_util_flagval: fix bug to recognize 1/0 + * fix test scripts testtimesrv.sh, testext.sh (test.sh 6/5) + * rm stray debug fprintf in sh_srp.c + +1.3.2 (27-11-2001): + * sh_hash.c: fix an error introduced in 1.3.1 + * set RLIMIT_CORE to RLIM_INFINITY if --enable-debug + +1.3.1 (25-11-2001): + * slib.c: get backtrace with --enable-debug + * sh_unix.c: allow core dumps when --enable-debug + * configure.in: fix default message queue permissions + * sh_suidchk.c: automatically include suid/sgid files in database + * sh_suidchk.c: check all suid/sgid files + * sh_hash.c: don't insert duplicates when reading the database + * sh_utmp, sh_kern, samhain: fix 1sec offset in timer + * sh_unix.c: don't require /dev/random to be non-world-writeable + * server: fix segfault in zAVLTree.c if avltree == NULL (no clients) + * client: fix segfault on Solaris if path_conf == NULL + * testrun_1b.sh: \(^/.*\) -> \(/.*\) for Solaris sed + +1.3.0 (31-10-2001): + * support compiling with GNU gmp library + * set 3 sec timer on client_time_check to avoid excessive (and + unnecessary) calls under heavy load + * replace sl_strlen with a macro + * store client_t structure in AVL tree + * database format incompatible with previous format, up the magic# + * sh_html.c: cache entry template for speedup + * slib.c: reset islong(double) in sl_printf_count + * sh_hash.c: report on rdev change + * sh_hash.c: print size in 64 bit + * sh_hash.c: save in absolute size types + * sh_unix.c: get values as appropriate type (time_t, dev_t, ...) + +1.2.10: + * update MANUAL + * sh_unix.c: tiger_hash -> tiger_generic_hash + * sh_readcon.c: DigestAlgo option + * sh_tiger0.c: add MD5 and SHA1 + * sh_unix.c: fix minor problem with win2k/cygwin + +1.2.9 (17-10-2001): + * fix problem with entry template/empty hostname + * fix MASK_USER_ (MTM -> ATM) + * typo fixed in configure.in (${install_name} -> {install_name}) + * bugfix group_old -> size_old in XML code + * skip armor header in signed files + +1.2.8 (29-09-2001): + * Mac OS X: in sh_getopt.c, rename table[] to op_table[] to avoid + obscure compiler warning + * Mac OS X: fix test scripts + * Mac OS X: import newest config.guess, config.sub from ftp.gnu.org + * implement deadtime in syslog recv code to protect against flooding + * sh_err_log: sl_close(fd) if lock|forward fails + * compliance with Filesystem Hierarchy Standard -- Version 2.2 final + * add policies User0, User1 + * fix compile problem (FreeBSD) in sh_suidchk.c + * macro to check for debugger breakpoints (linux/i386) + * check for solaris (does not work) in sh_derr (--enable-ptrace) + * option to listen on 514/udp for syslog, drop root + irrevocably if compiled thus + * use (check_mask & MODI_ATM) to decide whether to reset utime + * reset the policy masks on sighup + * option to write XML log messages + * cleanup of message catalog + * modified error messages for BADCONN + * error messages for Rijndael + * block recursive error messages within sh_error_handler() + - would hang the machine ... - + +1.2.7: + * sh_files, sh_utils: check top level directory + * sh_kern, sh_cat, kern_head: check syscall code, fork subprocess + for reading from /dev/kmem + * include /boot in default samhainrc + * change source distribution signing/packaging system + * Makefile, README, MANUAL: adhere to file system standard, + document new locations + * fix a bug in samhain_hide.c + +1.2.6: + * reset list of trusted users before config file re-read + * TrustedUser=... can be a list + * fix severity for files missing from IgnoreAll + +1.2.5: + * include example_pager.pl, example_sms.pl scripts + * explain paging/sms setup in docs + * allow manual exclusion of a directory in suidcheck + * automatically track all file changes + * remove missing files from in-memory database + * add $(KERN) to DEPLOYFILES + +1.2.4: + * log IP address for login/logout events, if supported by the OS + * release block in globerr (callback) + +------------- + +1.2.3: + * fix problem with reading stealth configuration + * fix a few formats in sh_cat.c + * always use strncmp for file system type check in sh_suidchk.c + (trailing 'fs' may be system specific for some types) + * no bare LF in messages (RFC 2822) + * no lines longer than 998 chars (RFC 2822) + * fix error in testrc_1 + +1.2.2: + * make tmp file directory a compile time option + * fix minor bugs in tmp file allocator (potential memory leak, + double slash if root directory) + * obsolete testpipe script removed + +1.2.1: + * fix memory alignment in rijndael-api-fst.c: blockEncrypt() + * fix byte order in HMAC code (compatibility fix for Linux/HP-UX) + * removed a debug fprintf() + +1.2.0: + * fix a bug in the HMAC implementation (thanks to Cesar Tascon + for help in tracking down this one) + * module to check the file system for SUID/SGID files + +1.1.16 (never released): + * fix the recursion depth -1 option as described in the manual + * optional database reload on SIGHUP + * fix a race condition when checking that /dev/random is a charakter + device + * redirect stderr to /dev/null for c_random + (AIX may segfault in netstat...) + * check whether /dev/random is a charakter device in c_random.sh + (we know at least one sysadmin who has set up a fake /dev/random ...) + * don't give NULL as 2. and 3. arg to execve if not Linux - some + Unices (notably Solaris) don't like it + * init ptr = NULL in my_malloc (compiler warning) + * make the bitmask for tests configureable (suggestion by A. Dunkel) + * make the bitmask for tests a static variable + * make (database/logfile/lockfile) path configurable + (to run multiple instances of samhain from an NFS share - on the + wishlist of J. Patton) + +1.1.15 (never released): + * fix minor error in testcompile.sh (rm test_log only at start) + * return from subroutines on sig_terminate == 1 + (faster exit on SIGTERM) + * fix re-configuration of addresses + * use sh_util_flagval() in sh_mail_setFlag and sh_kern_set_activate + * SysV message queue as compile option + * config file option to set console device + * removed the pre 1.1.9 code bloat + * don't print the LOGKEY to the console + +1.1.14: + * fix an error in the setup consistency check + * make target to uninstall runtime files + * trustfile.c: check return code of readlink(), fix off-by-one error + * sh_files.c: fix placement of terminator after readlink() call + * sh_files.c: fix a missing set_suid()/unset_suid() + - suid should work, but is not recommended - + * more debug statements in c/s code + * avoid re-entry in sh_unix_sigexit + * put a block around free() and malloc() in wrapper functions + * ditto for glob()/globfree(), regcomp()/regfree(), fdopen()/fclose() + - i.e. avoid corrupting the heap from a signal handler - + +1.1.13: + * optimized the size of the configure script somewhat + * modify the compile and hash test scripts + * read '\0's in sh_unix_getline + * exponential schedule for connection attempts + * make stealth working properly with signed files + - config file should be signed now before embedding in picture - + * fix a race in using signed files + * updated err messages for PWNULL, GRNULL + * add missing shell script for test 11 + * add mandatory source file/line info with -p debug + * add mandatory source line info with BADCONN + * fix a latex error in the manual + +1.1.12: + * debug output to console if compiled with --enable-debug and + running as daemon + * make reportonlyonce=true the default + * make sure state changes of a file are always reported, even + with reportonlyonce=true + * Linux kernel modules (samhain_hide, samhain_erase) + * fixed incorrect return value of sh_util_flagval + * fixed an error in sh_files.c: happens with -t init and first + file that is checked does not exist + * revised install/uninstall targets in the Makefile + * module to check for clobbered kernel syscalls (tested on Linux 2.2) + * more diagnostic error messages in sh_gpg.c + * more diagnostic error messages in sh_mail.c + * error in mail.c fixed + (address -> address_list[i] for multiple recipients) + * docs updated, better(?) explanation of signed files + * skip over path in gpg checksum output + * check client name against IP address and FQDN + * fix for --disable-* in config file + * fixed a server crash (MSG_TCP_OKMSG without arg) + if the server is run with debug level output threshold + * catch EAGAIN in sh_gpg.c pipe reader + * fix the 'external logging' test to make it work on BSD + * error message if no local path to init DB + * check for i86/Solaris in configure (vsnprintf prototype) + * make SRP the default + +1.1.11: + * make log file verification more convenient + * fix problem with message classes in stealth mode + * linux: do not try to read file attributes for devices + * handle the root directory correctly (avoid "//" in listing) + * fix problems with blockin on FIFOs/char dev + pointed out by I. Rogalsky (rog@iis.fhg.de) + - open in nonblocking mode for read, then set to blocking + - open file only if regular + * fix alignment in memory profiler + +1.1.10: + * minor code cleanup + * fix an error in trustfile.c (handling of empty/incomplete + group entries in /etc/group, bug report by A. Capriotti ) + +1.1.9: + * compatibility option for old behaviour (plain hash instead + of HMAC, ECB instead of CBC mode) + * use CBC rather than ECB mode for encryption + * use HMAC-TIGER for message authentication codes + * handle NULL data in sh_tiger_hash + * option to set syslog facility (default is LOG_AUTHPRIV) + * longer timeout (300 sec) on /dev/random if no /dev/urandom + * fix minor output error with stealth option + * option not to log names of config/database files on startup + +1.1.8: + * fix error in syslog routine + * fix missing 'test' in configure.in + * fix error in replace_tab() in sh_html.c + * fix minor memory leak in sh_util_regcmp() + +1.1.7: + * timeout on read_mbytes (from /dev/random; fallback to /dev/urandom) + * fix for FreeBSD: ut_user -> ut_name in sh_utmp.c + * fix for Alpha: consider $ac_cv_sizeof_unsigned_int_ in configure.in + * fix for Alpha: format string in sh_tiger0.sh + * on Linux, now compiles cleanly with + -Wall -W -Wstrict-prototypes -Wcast-align + * fix problem with recursion depth + (pointed out by Vic <hvicha@mail.ru>) + * #include "sh_tools.h" in sh_unix.c and fix the + --with-timeserver option (reported by Vic <hvicha@mail.ru>) + * place read_port(), MSG_TCP_NETRP outside ifdefs + * close fd/zero skey before execve + * verify client name against socket peer + * ... with configureable error priority + * use strcmp() rather than strncmp() in search_register() + * fix race between lstat() and open() for checksum + (reported by dynamo <dynamo@ime.net>, + JJohnson <JJohnson@penguincomputing.com>) + * enable globbing for filenames + * fix Solaris problem: siginfo_t may be NULL + * fix missing SL_EBADGID in tf_trust_check + * test case for external scripts, fix flushing pipe + * fix a typo in sh_ext_type + * do an fdexec w/checksum on Linux if calling external program + * even safer tmp file creation + * allow db update + * fix compile options for --enable-debug + * fixed a spelling error in the output + * test program for full CS support (config/database download) + * tell which file is searched for cs download + +1.1.6: + * fix bug in sh_readconf_line (segfault on erroneous config lines) + +1.1.5: + * sh_unix.c: sh_unix_getinfo_attr: f -> flags + * use gettimeofday as last resort +1.1.4: + * fix AIX compiler warning in sh_forward (cast arg1 of sh_tiger_hash + to (char *) + * configure: add static link flags for some more os (from tar) + * don't strip twice (some stupid systems abort) + * fix for reading from /dev/random on non-Linux systems (untested) + * sh_mail.c: end all message lines with \r\n + * stealth: ignore \r, \" + * take out tracing from --enable-debug (presently useless anyway) + * fix some remaining cleartext with debug && stealth combined + * fixed a small memory leak in sh_err_log.c + +1.1.3: + * fixed circular logic in taus_seed() (fallback method only) + * fix for missing _SC_OPEN_MAX (runaway close()) + +1.1.2: + * implement message classes + * let server recognize client message severity and class + * secondary log server + * keep database in memory (allows to close file + if retrieved from server) + * encrypt client/server communication + +1.1.1: + * Compilation problems with native Solaris compiler fixed + * fill in euid/ruid variable + * manual.pdf --> MANUAL.pdf + * debug sh_util_formatted() + * http refresh 120sec for server stat page + * trace/debug options + * fixed problem with utmp.c options + * fixed problem with sh_mail_setaddress + * option for custom message header + * fixed problem in compdata + * fixed problem in mail verification + * remove eventual trailing '/' in file names + * fixed problem with report string for modified files + * option to report in full detail + +1.1.0: + * Move error messages to catalog + * Make error message format more uniform + * Wrap sytem calls that could be interrupted by signals + * Warn on append to database + * Option for full details on mod. files + * Option to report only once on mod. files + * Generally speaking, major modifications with potential new bugs + +0.9.5: + * sh_hash.c: fixed erroneous checksum for config file + * sh_html.c: fixed erroneous timestamp (last) + * sh_tools.c: fixed connect_port (set port for cached address) + * sh_srp.c: fix for '00' (='\0') in pw + (last two fixes by Andreas Piesk) + +0.9.4: + * samhain.c: fcntl(1, ..) -> fcntl(2, ..) + * sh_hash.c: copy 12 instead of 10 byte for c_attributes + * 'empty directory' WARN -> INFO + +0.9.3: + * FreeBSD fixes: + - c_random.sh: make sure /dev/random provides something + rather than nothing + - check for <netinet/in.h> and include it + - include <sys/types.h> early + - sh_utmp.c: fixed an occurence of ut_user + - sh_utmp.c: #ifdef HAVE_UTTYPE static char terminated_line #endif + - sh_forward.c: EBADMSG -> ENOMSG + * sh_unix.c: check return value of gethostbyname + * sh_entropy.c: fallback on /dev/urandom if /dev/random blocks for + more than 30 sec + * ... and fix the timestamp format ... + +0.9.2: + * ISO 8601 timestamps + * Bugfix in sh_utmp (timestring overwrite) + * don't use siginfo_t on Linux (garbage as of 2.2.14) + * check for Linux capabilities bug when dropping root + * include README for gcc compiler bug (pointed out by A. Piesk) + * explicitely set -fno-strength-reduce with gcc + * fixed ignoring missing files with the IgnoreAll policy + +0.9.1: + * more ext2flags (breaks backward database compatibility on Linux) + * IgnoreAll policy modified - missing/added files reported with + SeverityIgnoreAll (to handle files that may or may not be present) + * Check all files, not only regular ones + (bug in sh_files, originally introduced because checksum of + regular files only is computed) + +0.9: + * use O_NOATIME if supported + * --with-nocl takes argument (PW to re-enable CL parsing) + * no daemon mode if initializing database + * fixed segfault in yule with 'unknown file type' request + * enlarged MAX_GLOBS 24 -> 32 and made the array linear + * server uses last registry entry for any given client now + * deploy.sh script to deploy clients to remote hosts + * enhanced signal handling: SIGUSR1/SIGUSR2/SIGABRT/SIGQUIT/SIGHUP + * allow y/Y/n/N for login monitoring (in addition to 0/1) + * external logging scripts/programs + * trustfile.c: define STICKY on Linux + * reset signal mask when initializing + * EINTR_RETRY wrapper + * slib: sl_read, sl_write EINTR update + * use sstrip when installing + * more compact database format (breaks backward database compatibility) + * larger download packets + * TcpFlags unsigned char + * cast to (char *) head in write_port + * m(un)lock cast to (char *) + * (1 << 31) --> (1UL << 31) + * support e2fs attributes on Linux + * fixes for AIX and Solaris native compilers + * fixed Makefile for non-GNU make (pattern rule --> suffix rule) + +0.8.1: + * fixed 'is_numeric()' return value + +0.8: + * added option for static compilation + * added option for stealth with non-hidden config file + * added option for disabling command line parsing + * all options can be set in the configuration file now + * stealth: xor strings in database file + * fixed bug in mailer code ([] in HELO) + * print timestamp when asking for key + * 'micro' stealth mode (no hidden configuration file) + * simplified slib + * int->long for uids/gids in trustfile + * moved mailkey from data to code + * shell script for entropy (stronger default key) + * general code cleanup + * better error checking in client/server code + * detect out-of-sync messages + * check state across protocol passes in server + * make sure authentication is mutual + * file download to client + * reserve six file descriptors in server + * mlock queue buffer if LOG_KEY + * improved robustness in bignum (don't fail on free()) + * per-directory recursion depths + * RFC821 compliance: empty line at end of header, To field, Date field + * RFC821 compliance: make e-mail transfer relieable + * fix detection of hardlink changes + * checksum verification for calling gpg/pgp + * CL option '-S' not required for server-only binary + * eliminate CL options that may leak privileged information + if the program is SUID + * skip leading white space in configuration file + * allow nested conditionals in configuration file + * allow whitespace before and after '=' in configuration file + * don't leak file descriptors to child processes + * make message transfer relieable + * always report error on abnormal termination of connection + +0.7: + * support for alpha machines + * stop TCP logging after exit message + * limit connections in server (DoS attacks) + * move string handling to slib + * move file handling to slib + * timestring without space + * changed report format + * SUID bugfix - use euid when checking logfile ownership + * SUID bugfix - get root for lstat() + * SUID bugfix - get root for opendir() + * store number of hardlinks + * send no message if polling empty queue + * include tiger 64-bit implementation (portability) + * codes for error conditions + * mail check: handle multiple, overlapping audit trails + * security fix: no append to database if SUID + * fix sh_entropy.c (BUFSIZ -> BUF_ENT) + * read command line before config file + * PGP signing of config/database files + * checksum of config file reported + * checking for attributes only + +0.6: + * more syslogish priority specification + * fixed segfault in sh_mem_check, apparently this was also + the reason for the segfault in atexit() + * allow for compilation with SRP authentication + * fixed tiger checksum computation + * fixed broken logfile verification for second and further audit trails + * test program added + * documentation improved + * sh_forward_make_client: bug fixed in[8]->in[i] + * sh_error.h: fixed missing #include <errno.h> + * configure.in: fixed missing strerror() test + * sh_utmp.c: check logins/logouts + * check for missing files + * only reset access time if necessary + * O_EXCL in open() + * limit environment to TZ in execve (sh_entropy.c, not used on Linux) + * use trustfile() to determine whether logfile dir is trustworthy + * strip head instead of tail for numerical address + * store messages in fifo during log server outage + * re-init session key after server outage + +0.5 (21-12-1999): + * added option for mail relay server + * own popen() implementation in sh_entropy() (portability) + * fixed error in sh_util_basename() (returned NULL for base == "/") + * fixed segfault in strlcpy/strlcat (check for src == NULL) + * FILENAME_MAX -> PATH_MAX (HP-UX 10.20) + * use TIGER for 32-byte compilers (portability) + * fixed hash function (do not include stdlib.h) + * flush buffer before write in mailer code (IBM AIX 4.1) + * make mailer code non-forking + * cast argument of is...() to int (portability) + * return() after _exit() for braindead compilers (portability) + * optionally use inet_addr (portability) + * check for broken mlock() (HP-UX 10.20) + * minor code cleanups + * fixed incorrect size of munlock()'ed memory in sh_error_string() + * fixed a buffer overflow in the error printing routine + * fixed a buffer overflow in sh_util_safe_name () + * implement SRP session key exchange + * implement client/server facility + * implement @host/@end construct in configuration file + * preferably use uname(), and do gethostbyname() for FQDN + * make vernam cipher base numeric + * make OnlyStderr private in sh_error + * test -e "/dev/random" --> test -r "/dev/random" (portability) + * check for libsocket (portability) + * add #defines for IPPORT_SMTP, IPPORT_TIMESERVER (portability) + * eliminate superfluous /proc test + * some unreachable code removed + * cast to (byte*) replaced by cast to (word64*) in sh_tiger_hash() + * check for setresuid() if no seteuid() (HP-UX 10.20) + +0.4 (09-11-1999): + * make sure output from /dev/random has no NULL's + * one-time pad encryption for emailed keys + (better than nothing ...) + +0.3 (04-11-1999): + * logfile readable for group + * verify signatures for any file + * signature block in tarball + * use select() in time server routine + * better protection for session keys (mlock) + +0.2: + * fixed incorrect man page + * fixed incorrect example rc file + * recursive error logging should work now + +0.1: + * initial release -- on Samhain 1999, of course + +development start: + * probably 29-06-1999 + diff --git a/docs/BUGS b/docs/BUGS new file mode 100644 index 0000000..1d089f3 --- /dev/null +++ b/docs/BUGS @@ -0,0 +1,38 @@ +AIX: +--- + +Samhain must either be compiled as 32bit application, or with the --disable-dnmalloc +configure flag, because the OS provides no way to enforce usage of 32bit address space. + +MacOS X: +------- + +(1) Pointed out by David: static linking is not supported on MacOS X, + see http://developer.apple.com/qa/qa2001/qa1118.html + +Solaris: +------- + +(1) This was pointed out by rog [at] iis dot fhg dot de (Ingo Rogalsky): + "It isn't possible, to link samhain statically with Solaris. + This is a Solaris issue (see Sun Infodoc ID12624) and + not a samhain problem." + +Linux, maybe others: +------------------- + +(1) With gdm (the GNOME display manager), GNOME version 1.2, using the + file hiding kernel module (configure option --enable-khide) + at system boot may cause problems (keyboard locked up). + No problem observed with kdm (the KDE display manager). + + In case of problems, you may need to reboot into single-user mode and + edit the boot init script ... it should be noted that on the test + system, gdm sometimes locked up the keyboard on other occasions + (e.g. after a fsck). + +(2) With gcc 2.95.2 (and glibc 2.1.3), it is not possible to use + --with-database and --enable-debug at the same time (the code will + segfault). This is apparently a compiler bug, and it does not happen + with gcc 3.0. + diff --git a/docs/Changelog b/docs/Changelog new file mode 100644 index 0000000..c29cefe --- /dev/null +++ b/docs/Changelog @@ -0,0 +1,2554 @@ +4.1.4: + * fix problems with wildcard pattern re-evaluation (reported by + A. Ansari): + - not stored if no match at startup + - only one (the first) stored if same pattern for file and dir + * fix problems with directory creation in inotify watched tree + (reported by A. Ansari): + - recursive depth not decreased + - watched as directory even when recursion depth should drop below zero + +4.1.3 (19-04-2016): + * on Cygwin, the AvoidBlock function is now off by default + (problem reported by Fred C) + * tighter sanity checks in sh_static.c + * fix regression with '--enable-static' in sh_static.c + (reported by amaiket). + +4.1.2 (21-12-2015): + * add options --enable-selinux and --enable-posix-acl for "hard fail" + if libraries aren't found (requested feature) + * fix wrong policy assignment when inotify is active and change occurs + during a reload (reported by Bond) + * fix failure to detect open UDP port for some daemons + (reported by James) + * fix broken 'rpm' and 'rpm-light' makefile targets + (reported by Bond) + * fix message for self-check + +4.1.1 (01-11-2015): + * fix problem with timezone calculation on month rollover for + negative timezones (west of GMT; reported by Bond) + * fix problem with rotated logfiles when content is always constant, + i.e. checksum does not change (reported by Bond). + * fix problem with baseline update on FreeBSD and probably other + non-GNU/Linux systems (reported by L.Vasiliev) + * fix bad check_libwrap() call in sh_xfer_server.c + (reported by L.Vasiliev) + +4.1.0 (24-09-2015): + * fix quirks with Linux audit support + * implement 'silent check' (requested feature) + * fix call of self_check for exit on sigterm + * fix safe_logger() - uses the logger utility with a non-posix option + * fix missing reporting on shell expansion capability in --version + * fix missing error message on invalid list for skipchecksum + (reported by Bond) + * fix missing definition for a sh_dummy_ var on BSD et al. + (reported by Andrew) + +4.0.0 (20-07-2015): + * fix and document default settings for mounts check + * new -w CL option to wait on scan completion + * new option ReportCheckflags + * enhance testsuite to cover new functionality + * implement draft for change control integration: + * new database format to store change flags + * refactoring of db I/O and client/server code + * option StartupLoadDelay + * --create-database CL option + * --outfile CL option + * --binary, --list-filter CL options + * --verify-database CL option + * yulectl -c DELTA:<uuid> command + * option SetDeltaRetryCount + * option SetDeltaRetryInterval + * update documentation + * remove old/unused code + * fix compiler warnings with gcc 5.1.0 + * update config.sub, config.guess + +3.1.6 (08-06-2015): + * Modify testcompile.sh to remove 'smatch' and use 'clang' + instead. + * Fix compile problems with clang. + * Modify testcompile.sh to remove 'uno' and use 'cppcheck' + for static checking + * Move AC_CHECK_FUNCS( getnameinfo getaddrinfo ) behind + the check for libsocket to have them found on Solaris + * Fix IPv4-only bug in bind_addr use in retry_connect() + * Add more debug code in connect_port() + +3.1.5 (26-03-2015): + * Fix IPv6 issue with portcheck (need to be able to specify + IPv6 interfaces). + * Fix minor issues with bugs in testing code + * Add command line option '--server-host' to set the log server + * In samhain.startLinux.in start script template, add code to read + options from /etc/sysconfig/${NAME} for RedHat + +3.1.4 (17-02-2015): + * Add non-existent file to the regression test config + * Fix erroneous call to sh_hash_init when a missing file + is specified in the configuration + * Fix buffer allocation for getgrnam_r for large groups + (problem reported by Sergio B) + * Search RPM in $HOME/rpmbuild if test -d _topdir fails (CentOS + recommends '%(echo $HOME)/topdir', reported by E. Taft) + +3.1.3 (01-11-2014): + * Remove initgroups() from the popen call in unix entropy gatherer + * Add error message for update mode if local baseline cannot be found + +3.1.2 (07-08-2014): + * Fixed incorrect memset in sh_checksum.c (sha256) + * Circumvent a gcc compiler bug with inline asm (gcc 4.8) + * Allow multiple exclusions for SUID check + * Use calloc instead of malloc + * Add overflow check in minilzo.c (but the potential integer + overflow [CVE-2014-4607,LMS-2014-06-16-1] is irrelevant anyway + because the function is never used on external data). + * Fixed a minor bug in exepack_fill.c that was unearthed by the minilzo + overflow check (the required buffer length information for the check + wasn't provided) + * Fixed incorrect logic in setting the ALLIGNORE flag (more specific + directory / file directives were ignored) + * Fix for tickets #358 (repetitive lstat warning about deleted + directory) and #359 (reporting of deleted/added top level directory) + * Fix a free() on NULL (harmless but avoids spurious warning) + +3.1.1 (01-05-2014): + * Disable inline asm on Cygwin (issue reported by Erik) + * Fix sh_ipvx_is_ipv4 such that numeric hostnames are not + incorrectly recognised as IP address (reported by A. Hofland) + * Fix sh_ipvx_is_ipv6 + +3.1.0 (31-10-2013): + * Add support for SHA2-256 checksum function + * Drop support for --enable-khide on kernel version 3.x and above + * Fix IgnoreAdded to anchor regex at beginning of path (reported by + R.Lindner) + * Add check to detect availability of pmap_getmaps() (missing in + static library on recent Linux systems as reported by Ian Baldwin) + * Fixes for Ubuntu 13.4: + - no error msg for failing stat on /run/user/Username/gvfs in + suidcheck + - no error message for failing hardlink check on /run/user/Username + - eliminate compiler warnings + * Add option '--disable-asm' to work around a gcc issue in Debian + unstable (reported by micah) + * Remove option '-i' from mkitab in samhain-install.sh.in (reported + by N. Kerski) + +3.0.13 (11-06-2013): + * Fix detection of nonfunctional /dev/kmem + * Fix race condition in GrowingLogfiles policy that + causes spurious reports (problem noticed by J. Daubert) + +3.0.12 (16-05-2013): + * Fix compiler warning in bignum.c (unused parameter) + * Detect if /var/run is a symlink and /run exists + * Fix for broken support for audit subsystem (reported + by isquish) + * Fix for incorrect use of sh_inotify_add_watch_later + which causes a steady increase in memory usage + (issue reported by Maxime V) + * Fix for potential minor memory leak + * Fix for bug in negated conditionals for config file + (reported by M. Ward) + +3.0.11 (08-04-2013): + * Fix for compile error on HP-UX (reported by P. Alves) + * Propagate ERANGE error from getgrxxx_r (issue raised by C. Feikes) + * Fix reconnecting to database for Oracle + * Add better logrotate handling for the GrowingLogs policy (search + rotated log and verify it, don't report if this succeeds) + * Add ability to create debian packages with preset password (use + env var PASSWORD) + * Add option KernelCheckProc (bool) to suppress kernel /proc test + * Add option IgnoreModified to cover transient files that + not only get added/deleted but also modified + +3.0.10 (13-01-2013): + * Revert to previous logic in samhain.c because it will block + otherwise (reported by Alexandr Sabitov) + +3.0.9 (21-12-2012): + * Fixed a Cygwin compile warning + * Change logic in samhain.c to make sure inotify doesn't cause + excessive full scans + * Add option IgnoreTimestampsOnly in Windows registry check (ignore + changes if only timestamp has changed) + * Fix the probe command (misses clients if their startup message + has been missed) + * Fix the RPM spec file for --enable-network=client and no password + (reported by Mitch St Martin) + * Fix build error with Linux audit (reported by Andy Jack) + * Fix detection of utmpx.h (reported by D. Thiel) + +3.0.8 (01-11-2012): + * rename to 3.0.8 for release + * useful exit status for samhainadmin.pl --examine + +3.0.7a (25-12-2012): + * add ability to create RPM with preset password (use + env var PASSWORD) + * fix the rpm-light makefile target + * fix minor bug in samhain_setpwd.c (incorrect error message) + +3.0.7 (25-10-2012): + * update documentation for prelude + * fix configure to properly search for Oracle Instantclient SDK + * pass through TNS_ADMIN environment variable for Oracle + * optimize audit rules automatically + * zero out the html status file at server exit + * don't check for assembly optimization unless linux or *BSD + +3.0.6 (01-09-2012): + * install logrotate script if /etc/logrotate.d is detected + * new option --enable-suid for nagios + * fix for --enable-ptrace: make the save_tv variable thread specific + * fix bug in inotify code which made it follow symlinks (by [anonymous]) + * fix two missing SH_MUTEX_LOCK(mutex_thread_nolog) (by [anonymous]) + * fix for 'no such process' message from sh_fInotify_init_internal() + (by [anonymous]) + * fix for --enable-ptrace with threads (by [anonymous]) + * option SetReportFile for writing out summary after file check + +3.0.5 (11-07-2012): + * fix xml format templates for registry check + * fix database download on registry check init (reported by ldieu) + +3.0.4 (01-05-2012): + * fix verbosity of message for alerts on already deleted watches + (set it to debug - suggested by xrx) + * fix extraneous error messages about file not found from + sh_fInotify_init_internal() (bug reports by xrx and aj) + +3.0.3 (28-03-2012): + * fix potential deadlock in sh_ext_popen() + * make sure sh_processes_readps cannot hang forever + * fix for deadlock if sh_processes_readps hangs + * fix for deadlock if suid check and inotify are used together + (reported by A. Jack) + * fixed problem with samhain_stealth.c (handle input config + files that don't end with a newline) + * fixed compiler warnings for yulectl.c with stealth + * fixed lacking support for O_NOATIME on 64bit linux + +3.0.2a (23-02-2012): + * Fix compile error on Solaris 10 + +3.0.2 (16-02-2012): + * change sql init scripts to make bigint fields unsigned (problem + reported by A. Sabitov) + * patch by Andy Jack for issue with the --with-gpg option (hangs with + high cpu load at startup) + * call ./samhain-install.sh as /bin/sh ./samhain-install.sh in the + RPM spec file, because /var might be mounted noexec (reported by GC) + * fixed configure.ac for the case that --with-gpg and --enable-nocl are + used (./samhain for gpg checksum; problem report by Andy Jack) + * fixed a potential NULL pointer dereference in sh_inotify.c on + systems where inotify is not available (reported by <anonymous>) + * fixed: the config file template mentions (in a comment) the + non-existent directive SetLockPath instead of the correct + SetLockfilePath (reported by Curtis). + * fixed: the definition of O_NOATIME isn't seen in sh_files.c. + +3.0.1 (07-12-2011): + * fix a memory leak (reported by C. Westlake) + * fix an uninitialized variable in the suidcheck code (problem + reports by T- Luettgert and Kai) + * fix a bug in the port check with --disable-ipv6 (reported + by C. Westlake) + * fix potential deadlock in sh_files.c (reported by S. Mirolo) + * change Makefile.in to stop on compile error rather than at link stage + (suggested by S. Mirolo) + * fix compile errors caused by missing #define (pthread disabled) and + wrong function call (OSX specific code), reported by S. Mirolo + * fix warning by the llvm/clang static checker + * fix compile issues on freebsd + * handle (ignore) SIGPIPE more thoroughly + * update config.guess, config.sub + +3.0.0a (06-10-2011): + * Fix compile-time issues on RHEL5 (reported by Thomas) + +3.0.0 (01-11-2011): + * Add support for the inotify API + * If --disable-shellexpand is used, also disable setting + the prelink/ps paths + * Fix missing check_mask storage for glob pattern + * Add support for integer keys in zAVL + * Fix compiler warnings with gcc 4.6.1 (variables that get set + but then remain unused) + * Add more server-side debugging for IPv6 + * Make kern_head compile with 3.x kernels + +2.8.6 (20-09-2011): + * Manual updated. + * Added an option LogmonDeadtime to avoid repetitive reporting + on correlated events. + * Fix problems with timestamp handling in logfile correlation + (problem reported by D. Dearmore) + * List the policy under which a directory/file is checked + * Option to use a textfile with a list of files for update + * Fix --enable-db-reload option (reported by David L.) + * Fix samhain_kmem compilation, need to compile under chosen + name if --enable-install-name is used (reported by David L.) + * Fix uninitialized string in error message (reported by mimox) + +2.8.5a (16-06-2011): + * Fix autolocal.m4 for new configure option + +2.8.5 (15-06-2011): + * Detect non-working /dev/kmem in configure script, and fix + a bug in the samhain_kmem kernel module. + * Fix wrong handler for LogmonMarkSeverity (reported by S. Chittenden) + * Better protection against the 'intruder on server' scenario + pointed out by xrx. Add option to disable shell expansion in + configuration files, and check gpg signature earlier. + * Support /opt/local/bin in the Unix entropy gatherer (suggestion + by Sean Chittenden) + * Cache timeserver response for one second (suggestion by + Sean Chittenden) + +2.8.4a (11-05-2011): + * Fix for compile error with --with-prelude + (reported by Sean Chittenden), missing regression test added + * Fix for compile error with --enable-udp (reported by Sean Chittenden), + missing regression test added + +2.8.4 (30-04-2011): + * Fix another reload bug in the log monitoring module + * Add unit tests for IgnoreAdded/IgnoreDeleted configuration directives + * Fix deadlock after reload when compiled with --enable-login-watch + (reported by M. Teege and O. Cobanoglu) + * Fix compile error for samhain_hide.ko with recent kernel + * Include patch by J. Graumann to specify the location of the + secret keyring with samhainadmin.pl + * Fix potential timeout problem in sh_sub_stat_int() and propagate the + error (issue reported by mtg) + * Add support for X-Forwarded-For in apache logfile parser, add + option 'RE{regex}' to insert arbitrary regex + * New options PortcheckMinPort, PortcheckMaxPort for the open ports + check + +2.8.3a (23-03-2011): + * Fix two 'label at end of compound statement' errors on FreeBSD + (reported by David E. Thiel) + +2.8.3 (22-03-2011): + * init scripts: load samhain_kmem.ko before samhain starts + * slib.c: eliminate mutex from sl_create_ticket() + * sh_entropy.c: move pthread usage out of child + * sh_hash.c, sh_pthread.c, sh_pthread.h: sh_hash_hashdelete() + needs deadlock detection, may be called from within sh_hash_init() + via atexit handler on error condition + * sh_suidchk.c, sh_calls.c, sh_calls.h: need a nosub version of lstat() + to use with relative path after chdir() + * samhain.c, sh_calls.c, sh_calls.h: only run (l)stat() in subprocess + after reading config file (to allow disabling) + * sh_unix.c: run sh_sub_kill() in parent after forking the daemon + * fix zeroing of result from getnameinfo() (problem reported by Richard) + * fix spurious warnings about unsupported address family (reported + by N Silverman) + * option to run lstat/stat in subprocess to avoid hanging on NFS mounts + (off by default) + * fix Windows/Cygwin compile error (reported by A. Schmidt) + +2.8.2 (16-02-2011): + * add function to skip checksumming + * Fix missing check for recursion depth >= 0 if not IgnoreAll + * Fix hardcoded path for temp directory in deployment scripts + * Fix bad compile on CentOS 4.8 with gcc 4.1.2 + * Fix minor bug in check_samhain.pl (pointed out by J.-S. Eon long ago) + +2.8.1 (17-11-2010): + * Document handling of missing files with secondary schedule + * Fix incorrect handling of missing files when secondary schedule + is used (reported by Sergey) + * Fix null pointer dereference in config parse handler for SetMailAlias + (reported by Sergey) + * Fix incorrect memset() in sh_kern.c (passed struct by value...), + reported by Roman and Stefan + * Fix 'make install' to create user-defined directory + * fix minor issues noticed by T. Luettgert (test code assumes port + 0/tcp is unused, wrong ifdef order (without impact on compilation)) + * fix compile error on AIX 5.3 with --enable-login-watch, + reported by M. El Nahass (time.h missing in src/sh_login_track.c) + +2.8.0 (01-11-2010): + * Support IPv6 + * Add registry checking + * Use auditd records to find out who did it + +2.7.2c (23-09-2010): + * Fix uppercase hostname problem in client/server communication + + +2.7.2b (05-09-2010): + * Fix compile errors on Solaris 10 (reported by A. Saheba) + +2.7.2a (23-08-2010): + * rewrote rijndaelKeySched() in a more conservative way to fix + compile problem on SLES 11. + +2.7.2 (16-08-2010): + * sh_utils.c: fixed an endianess issue that prevented cross-verification + of email signatures (reported by A. Zangerl) + * sh_login_track.c: fix compiler warning (ignored return value + of fwrite) + * sh_readconf.c: fix comparison of SeverityUserX string + (reported by max__) + * sh_processcheck.c: sh_prochk_set_maxpid: set retval on success + (reported by max__) + * fixed some compiler warnings on cygwin + * sh_extern.c: As reported by T. Luettgert, gcc 4.4.4 on Fedora 13 + will throw a warning if execve is called with a NULL argv pointer. + Need to provide a dummy argp[]. + +2.7.1 (07-06-2010): + * samhain_kmem.c: fix compile problems + * fix problems with config file parser: increase max. line length, + support quoting/escaping of filenames (as in 'ls --quoting-style=c') + * check for pcre_dfa_exec (not available in old versions + of libpcre, reported by Shinoj) + * patch to allow server to log client reports to prelude + (by J. Ventura) + +2.7.0a (09-05-2010): + * fix /dev/kmem detection (reported by S. Clormann) + +2.7.0 (01-05-2010): + * sh_utmp.c, sh_login_track.c: additional login checks + * sh_unix.c: use SIGTTIN as alternative for SIGABRT + (SIGABRT seems not to work on AIX, reported by Peter) + * sh_utmp.c: fix compile error without pthreads (inotify_watch used) + * sh_kern.c, kern_head.c: fix some 64bit issues + * dnmalloc.c: fix compiler warning (ignored ret value) + * Fix LSB init script for kernel module + * samhain_kmem kernel module for /proc/kmem added + +2.6.4 (22-03-2010): + * Don't read proc_root_iops in sh_kern.c (Problem report + by H. R.) + * Logfile check can check output of shell commands + * Use data directory as default for logfile checkpoints + * Fix broken checkpoint save/restore for logfiles + +2.6.3 (10-03-2010): + * Fix bug in mail module, recipients incorrectly flagged + as aliases, which breaks immediate mail for 'alert' + (reported by Jesse) + +2.6.2 (28-01-2010): + * Makefile.in: fix problem in deploy system caused + by adding build number for debs in 2.5.9 (reported + by roman) + * add option for per-rule email alias in log monitoring + module + * sh_readconf.c: make keywords case-independent + * sh_mail.c: on error, report full reply of mail server + * sh_mail.c: report smtp transcript at debug level + * make sure mail aliases are not emailed twice, and + recipients cannot be defined after aliasing them + * handle named pipes in log monitoring module + (open in nonblocking mode, ignore read error if empty) + * fix bug in the server function to probe for necessity + of configuration reload for client + +2.6.1b (23-12-2009): + * fix missing include for sh_inotify.h in sh_inotify.c + (reported by Ack) + +2.6.1a (22-12-2009): + * fix typo in code for older inotify versions without + inotify_init1(), reported by Forll + +2.6.1 (21-12-2009): + * add a routine to log monitoring module to guess the proper year + for timestamps without year (standard syslog) + * add feature to automatically detect and report bursts of + similar messages in log monitoring module + * add feature to check for missing heartbeat messages in + log monitoring module + * cache UIDs/GIDs to reduce the number of lookups + * use inotify to track login/logout (sh_inotify.c, sh_utmp.c) + * support event correlation in log monitoring module + * make sure host matching is done in a case insensitive way + (reported by Tracy) + * fix invalid use of mutex_mlock in src/sh_unix.c, function + sh_unix_count_mlock() (reported by Remco Landegge). + +2.6.0 (01-11-2009): + * don't use statvfs() for process checking on FreeBSD + * fix bug with parallel compilation of cutest in Makefile + * sh_mem.c: fix deadlock in debug-only code + * Evaluate glob patterns for each run of file check + * Add compile option to disable compiling with SSP + * Run SUID check in seperate thread + * By default disable scanning ..namedfork/rsrc (deprecated by Apple) + +2.5.10 (12-10-2009): + * sh_suidchk.c: handle $HOME/.gvfs mount gracefully + * slib.c: fix race condition caused by closing a stream and the fd + +2.5.9c (01-10-2009): + * move stale file record error message closer to problem zone + * sh_port2proc.c: fix flawed logic for interpreting /proc/net/udp,tcp + +2.5.9b (22-09-2009): + * remove stale file record when creating handle, and raise diagnostic + error to find origin of stale record + * sh_port2proc.c: check /proc/net/upd6 for IPv6-only UDP sockets + +2.5.9a (17-09-2009): + * fixed a race condition in closing of file handles + +2.5.9 (11-09-2009): + * added code to generate directory for pid file, since it + would get cleaned if /var/run is a tmpfs mount (problem + reported by M. Athanasiou) + * fixed a bug that prevented reporting of user/executable path + for open UDP ports (issue reported by N. Rath) + * added more debugging code + +2.5.8a (18-08-2009): + * fixed a bug in sh_files.c that would prevent samhain from + running on MacOS X (reported by David) + +2.5.8 (06-08-2009): + * fixed a bug in the MX resolver routine which causes it to fail + sometimes (issue reported by N. Rath). + * fixed deadlock with mutex_listall in sh_nmail_test_recipients() if + error occurs within sh_nmail_flush (problem reported by N. Rath) + +2.5.7 (21-07-2009): + * sh_userfiles.c: set userUids = NULL at reconfiguration (issue + reported by U. Melzer) + * if available, use %z to print timezone as hour offset from GMT + in email date headers (problem reported by NP, solution suggested + by TimB). + * eliminate C99-style comments (problem reported by + venkat) + * fix bad variable name for AC_CACHE_CHECK + * fix potential deadlock when external programm is called + (problem reported by A. Dunkel) + +2.5.6 (09-06-2009): + * recognize fdesc filesystem on MacOS X for suid check (Problem + reported by David) + +2.5.5 (01-05-2009): + * fix some warnings from gcc 4.4 (strict aliasing) + * fix minor memory leak in process check + * t-test1.c: change function names because of clashes with an + AIX system header file + * fix warnings with -fstack-check (too large stack frames) + * fix for incorrect handling of hostnames in database insertion + (reported by byron) + +2.5.4 (04-03-2009): + * fix for incorrect input check in SRP implementation (discovered + by Thomas Ptacek) + * option KernelCheckPCI to switch off check of PCI expansion ROMs + +2.5.3 (25-02-2009): + * disable dnmalloc on MacOS X, doesn't work properly + * stat -> lstat in sh_unix_file_exists (OS X nameforks, report + by David) + * Fix problem in standalone trustfile, does not work correctly on + group-writeable files (reported by David). + * Option SetThrottle to throttle throughput for db download + * Option SetConnectionTimeout to configure the client connection + timeout configurable + * Provide getrpcbynumber, getservbyname implementations + to avoid dependencies with static linkage + * Fix missing sh.host.(system|release|machine) on FreeBSD, + reported by D.Lowry + * New option SetMailPort to allow setting of SMTP port (patch + by lucas sizzo org) + * allow POSIX regexes for filters + * consolidate filtering code from sh_extern.c, sh_(n)mail.c + * rewrite mail subsystem to allow individual filtering + for recipients + * allow shell expansion for values of config file options + * allow list as value for option PortCheckInterface + * fix bug in trustfile.c (with slapping on "/../" for symlinks) + * lock baseline database upon writing + +2.5.2b (29-01-2009): + * turn warnings into errors in the compile test suite + * fix missing define in sh_portcheck.c to eliminate compiler warning + (reported by joerg) + +2.5.2a (26-01-2009): + * fix problem building deb package (bit rot; reported by joerg) + +2.5.2 (22-01-2009): + * samhain.c: report module failure with positive offset + * sh_database.c: parse numerical fields into ulong + * fix regression test script for postgresql + * fix regression test script for SELinux/ACL test + * fix reporting of user for open ports to prelude + * report process pid for open ports + * replace _exit() by raise(SIGKILL) b/o pthread problem + * new option LooseDirCheck ([false]/true), request by + Alexander + * improved help output of samhain_stealth (as suggested + by Michael Athanasiou) + * new option ProcessCheckIsOpenVZ ([false]/true) + +2.5.1 (07-12-2008): + * workaround for freebsd7 amd64 lossage (compiler toolchain, + no mmap to 32bit address space) + * samhain-install.sh: check for presence of stealth_template.ps + before trying to create it + * use -Wno-empty-body if supported to suppress warnings about + glibc pthread_cleanup_pop implementation + * fix text relocations for i386 in src/sh_tiger1.s + * implement server->client SCAN command to initiate file check + * implement @if / @else conditionals with more tests in config file + * new option SetDropCache to drop checksummed files from cache + * report process/user for open ports on FreeBSD (code + lifted from FreeBSD sockstat.c) + * fix for config reload issue with stealth mode (reported by + siim) + * add -fstack-protector flags to LDFLAGS + * cygwin fix: don't use dnmalloc, doesn't work with pthreads + * cygwin fix: make trust check in samhain-install.sh return zero + * improved diagnostics for file read errors + * fixed script permissions (754 -> 755), reported by Christoph + * constness patch by Joe MacDonald + * GnuPG key ID patch by Jim Dutton + * sh_kern.c: more error checking for reads from kernel + +2.5.0 (01-11-2008): + * dnmalloc.c: fix inconsistent chunksize on 64bit systems + * fix improved error reporting for failed fstat in checksumming + * report process/user for open ports (Linux only currently) + * fix deadlock on exit in sh_hash_init() + * fix --enable-mounts-check for FreeBSD 7.0 (no MNT_NODEV anymore) + * log monitoring support + * fixed constness in trustfile interface + * remove libprelude 0.8 support (obsolete) + * sh_forward.c: increase TIME_OUT_DEF to 900 secs + * dnmalloc.c: initialize rc in dnmalloc_fork_child(), + reported by B. Podlipnik + +2.4.6a (09-10-2008): + * fix compile problem on Fedora 9 (reported by pierpaolo), + 'struct ucred' in sh_socket.c requires _GNU_SOURCE + +2.4.6 (27-08-2008): + * fix compile failure on win2k/cygwin (sh_unix_mlock prototype), + reported by jhamilton + * fix potential deadlock with dnmalloc upon fork() + * fix non-portable use of 'hostname -f' in regression test suite + (reported by Borut Podlipnik) + +2.4.5a (18-08-2008): + * fix compile problem in dnmalloc.c (remove prototypes for + memset/memcpy), problem reported by Juergen Daubert + +2.4.5 (07-08-2008): + * testscripts: 'chmod -R' -> 'chmod -f -R', since Solaris 10 + bails out on a chmod on a dangling link + * fix bug in check_samhain.pl nagios script (J.-S. Eon) + * use the UNO static checker + * compile as position independent executable (PIE) + * handle EINPROGRESS error (Windows/cygwin issue) + * make sure every function uses less than one page of stack + (proactive security against gap jumping, Gael Delalleau) + * use dnmalloc instead of system malloc + (proactive security against heap buffer overflows) + * fix dnmalloc bugs and portability problems + * check for compressBound, since older zlibs don't have it + +2.4.4 (30-04-2008): + * sh_database.c: fix maximum size of sql query string, maximum + size of strings in struct dbins_ + * sh_hash.c: fix maximum size of message string + * fix typo in the base64 decoder + * fix 'make cutest' for parallel compiling + * fix compile warnings with -Wstrict-prototypes + * sh_static.c: override getgrgid, getpwuid for libacl + * fix more warnings about variables clobbered by 'longjmp' + or 'vfork' (due to library internal handling of mutexes) + * fix configure warning about unused datarootdir + * configure.ac: warn, but accept nonexistent tmp dir + (Problem reported by Brian) + * sh_unix.c: undef P_ALL, P_PID, P_PGID before including + sys/wait.h (compile problem reported by Reputation) + * syslog function tested ok with Syslog Fuzzer v0.1 + by Jaime Blasco (c) 2008 + * slib.c: call fflush when writing trace to file + * sh_readconf.c: don't set OnlyStderr to false if gpg (problem + reported by Irene Reed) + * fix unconditional removal of pid file in atexit handler (bug + reported by Brian) + * fix invalid free() in sh_unix_checksum_size() + * sh_processcheck.c: workaround for stupid OpenBSD bug (returns + ENODEV instead of EAGAIN, because fgetc does + fcntl(0,F_SETFL,O_NONBLOCK) [ENODEV] internally), problem + reported by Roman R. + * fix buf that cause incomplete reporting of modified symlink if + symlink has changed and both old and new paths are >48 bytes + * fix bug that prevented mount check from running in one-shot mode + * enable mount check for openbsd + * fix processcheck default options and test script for openbsd + * option --list-file to list content of file (if saved) + * sh_tools.c: use strcasecmp in reverse lookup since DNS is case + insensitive (bug reported by Phil) + * fill content if MODI_TXT, zlib compress, base64 encode and add + as link_path in sh_unix.c; add to report in sh_hash.c + * testsuite: add test for gpg fingerprint option + * sh_extern.c: add 'CloseCommand' for syntactic sugar, + add in testsuite + +2.4.3a (12-02-2008): + * fix compile error caused by open() with O_CREAT and no third argument + (reported by J.-S. Eon) + +2.4.3 (31-01-2008): + * sh_kern.c: don't require asm/segment.h for kernel check module + * use global var with pid of initial thread instead of getpid(), + since LinuxThreads returns different value in each thread (problem + reported by Steffen Mueller) + * sh_kern.c: no inode check for pci rom (creates spurious messages) + * slib.c: eliminate prototype for vsnprintf (compile problem reported + by eddy_cs) + * Makefile.in: fix missing dependency on 'encode' for $(OBJECTS) + (reported by Matthias Ehrmann) + +2.4.2 (17-01-2008): + * fix broken option --with-checksum (reported by halosfan), + regression test added + * change HP-UX default optimization to +O2 since +O3 breaks + cutest unit testing framework + * put result vector of rng in skey struct + * fix more compiler warnings, and a potential (compiler-dependent) + NULL dereference in the unix entropy collector + * fix some compiler warnings + * use -D_FORTIFY_SOURCE=1 -fstack-protector-all instead + of -fstack-protector + * always add PTHREAD_CFLAGS to LDFLAGS + * sh_tiger0.c: checksum functions return length of file hashed, + needed to fix GrowingLogfile bug (researched by + siim at p6drad dash teel dot net) + * sh_static.c: fix more 'label at end of compound statement' + (SH_MUTEX_UNLOCK closing brace; reported anonymously) + * make sh_hash.c thread-safe + * remove plenty of tiny allocations + * improve sh_mem_dump + * modify port check to run as thread + * new option PortCheckSkip to skip ports + * fix unsetting of sh_thread_pause_flag (was too early) + +2.4.1a (28-11-2007): + * fix overwrite of ErrFlags (functionality bug) + +2.4.1 (26-11-2007): + * security fix: regression in the seeding routine for the PRNG + (detected by C. Mueller) + * regression test added for PRNG seeding routine + * fix problem with PCI ROM check (spurious messages about modified + timestamps, reported by S. Clormann) + +2.4.0a (08-11-2007): + * fix compile failure with --enable-static (reported by S. Clormann) + * fix potential deadlock if SIGHUP is received while suspended + +2.4.0 (01-11-2007): + * eliminate alarm() for I/O timeout (replaced by select) + * use getgrgid_r, getpwnam_r, getpwuid_r, gmtime_r, localtime_r, + rand_r, strtok_r if available + * protect readdir(), getpwent(), gethostname() with mutexes + (readdir_r considered harmful) + * make checksum/hash, entropy, rng functions reentrant + * use thread-specific conversion buffer for globber() + * fixed compile problems and problems with test suite + * modify login watch to run as thread + * modify process check to run as thread + +2.3.8 (03-10-2007): + * new option PortCheckIgnore = interface:portlist + +2.3.7 (13-09-2007): + * Makefile.in: fix 'make deb' target, wrong name of config file + written to debian/conffiles (reported by marc) + * configure.ac: fix incorrect order of with-prelude, enable-static + (libprelude test was always without -static) + +2.3.6 (06-09-2007): + * added yuleadmin.pl script contributed by Riccardo Murri + * fix compile error with -f-stack-protector on some systems (reported + by marc); we now check for libssp + * fix local DoS attack on BSD systems lacking getpeereid() (reported + by Rob Holland). + * fix yulectl password reading from $HOME/.yulectl_cred, erroneously + rejected passwords with exactly 14 chars (reported by Jerry Brown) + * introduce 'fflags' flag for suid files to detect new files already + found in regular file check (problem reported by J. Crutchfield); + also add regression test to ascertain that files in baseline + database are not quarantined erroneously + * sh_hash.c: replace check for prefix 'K' with check for not prefix'/' + to allow for arbitrary module-specific store/lookup in db + * replace 'visited', 'reported', 'allignore' with generic 'fflags' field + * sh_cat.c: reduce priority of MSG_TCP_RESET to avoid spamming if + port checking is used on same host as server (reported by kadafax) + * Install.sh: don't use --separate-output with non-checklist + widgets (problem discovered by D. Denton) + * sh_gpg.c, sh_userfiles.c: use sh_getpwnam et al. wrappers + +2.3.5 (20-06-2007): + * sh_portcheck.c: try to tear down connections more gracefully + (request by S. Petersen) + * fix incorrect handling of files with zero size in GrowingLogFiles + (problem reported by S. Petersen) + * fix incorrect encoding of null checksums in stealth mode + * sh_hash.c: fix repeated printing of acl/attributes in database dump + * sh_unix.c: fix option useaclcheck ignored if both useaclcheck and + useselinuxcheck are supported + +2.3.4 (01-05-2007): + * sh_processcheck.c: fix missing init of sh_prochk_res array before + check (leads to degrading functionality over time and 'fake pid' + warnings; reported by D. Ossenbrueggen and + soren dot petersen at musiker dot nu) + * sh_processcheck.c: fix memory leak + * sh_kern.c: for 2.6.21+ don't check proc_root_lookup (not possible + anymore? proc_root_inode.lookup != proc_root_lookup) + * sh_extern.c: flush streams before forking (problem if [Prelink] + used together with prelude logging, reported by M. deJong) + * fixed compilation of kern_head (regression cause by cross-compiling + fix; problem reported by S. Clormann) + * more typos fixed (reported by John Horne) + +2.3.3 (27-03-2007): + * fixed typos in configure.ac and manual (reported by John Horne) + * don't use mysql_options on x86_64, since libmysql is broken + * fixed cross-compiling (patch by Joe MacDonald) + * refactor sh_kern.c, sh_suidchk.c + * fix bug with leading slashes in linked path of symlinks within + the root directory + * sh_kern.c: check PCI ROM (Linux), refactor code + * move file descriptor closing more towards program startup + * kernel check: support OpenBSD 4.0 (wishlist) + * fix samhain_hide module (in-)compatibility with recent kernels + (reported by Jonny Halfmoon) + +2.3.2 (29-01-2007): + * fix regression in full stealth mode (incorrect comparison of + bytes read vs. maximum capacity), reported by B. Fleming + +2.3.1a (21-01-2007): + * fix incorrect use of sh_gpg_fill_startup if option --with-fp is used + (reported by zeroXten) + +2.3.1 (21-01-2007): + * fix bug that may cause accidental closure of yule TCP socket + (problem reported by B. Masuda) + * fix sh_kern.c for kernel 2.6.19 (reported by S. Clormann) + * don't use sstrip in 'make deb', since dh_shlibdeps uses objdump + (reported by B. Masuda) + * rm report.pl from rules.deb.in (reported by B. Masuda) + * samhainctl(): longer timeout (bad status reporting at startup, + reported by Phil and by Dan Track) + * sh_portcheck.c: make connect errors more descriptive + * sh_portcheck.c: fix ignored setting of PortCheckActive + * sh_processcheck.c: add statvfs, and wrap for EINTR + * sh_portcheck.c: add wrappers for EINTR + * report user and executable for hidden processes + * fix update failure if reportonlyonce = false (reported + by D. Strine) + * fix compile error in sh_portcheck.c (problem on cygwin + reported by J. D. Fiori) + * check filenames ending in space (also for utf8 spaces) + * check and escape csv formatted db listing + * cache results of sl_trustfile_euid() + * trustfile: use 4096 for MAXFILENAME, switch to strncpy + * CL option -v|--version for info on version and compiled-in options + +2.3.0a (01-11-2006): + * fix compile failure with portcheck + stealth (reported by lucas) + +2.3.0 (01-11-2006): + * fix concurrency for inserts in oracle db + * add acl_(new|old) to database schema + * check for selix attributes and/or posix acl + * new option UseSelinuxCheck (bool) + * new option UseAclCheck (bool) + * regression tests for above + * add module to check for open ports + * add module to check processes (hidden/fake/missing) + * use const char* for argument of module configuration callbacks + +2.2.6 (31-10-2006): + * fix missing support for MacOX X init script (reported + by Daniel Kowalewski) + * fix error about non-readable file with no checksum required + * fix server warning about 'no server name known' + * fix 'make deb' makefile target + * fix default export severity for server + +2.2.5 (05-10-2006): + * fix broken Install.sh, reported by Alexander Kraemer + * workaround for glob(3) sillyness on MacOS X (reported by David) + * fix for broken resorce fork check (reported by David) + * fix for broken compilation on cygwin (reported by Elias) + +2.2.4 (03-09-2006): + * add regression test for the GrowingLogFiles issue to test suite + * fixed sh_unix.c: bug in database init if GrowingLogFiles used + with signed database (reported by Timothy Stotts) + * bug in manual fixed (incorrect documentation of --enable-user, + noticed by M. Brown) + * rc.subr compatible init script for FreeBSD/NetBSD + * improve routine to find rpm after build + * add netbsd rc file from Brian Seklecki (taken from pkgsrc-wip) + * fix error in manual (location of lock file) + * fix bug with SuidExclude (files in directory were still checked) + +2.2.3 (31-07-2006): + * fix samhainadmin.pl: check for gpg-agent running if use-agent is set + (ticket #28 by anonymous) + * fix stealth mode (regression in parser), problem reported by + Joschi Kuphal + * fix minor typo in sh_database.c (compile problem reported by + Joschi Kuphal) + +2.2.2 (17-07-2006) + * minor fixes for regression test scripts + * minor updates to the manual (suggested by Brian A. Seklecki) + * fix sh_kern.c, kern_head.c: kernel rootkit detection for 2.6.17+ + (problem reported by Leonhard Maylein) + * fix samhain_hide.c for 2.6.17+: use module_param() if MODULE_PARM + is not defined + +2.2.1c (11-07-2006) + * fix sh_extern.c: sh_ext_add_default() cast to (void) was too early + (Solaris 8 build failure reported by Jesse) + * fix sh_unix.c: wrong prototype for sh_unix_mlock() + if HAVE_BROKEN_MLOCK (AIX 5.2 build failure reported by + Jonathan Kaufman) + +2.2.1b (20-06-2006): + * fix compile error on SuSE 10.1 (reported by Leonhard Maylein) + +2.2.1a (15-06-2006): + * fix compile error on i686/MacOS X (reported by Andreas Neth) + +2.2.1 (13-06-2006): + * fix gcc 4 warnings and build failure on x86_64 (debian bug #370808) + * fix compiling with Oracle (noticed by Colapinto Giovanni) + * fix configure.ac for most recent autoconf version + (debian bug #369503) + * fix a regression that would make impossible local updates w/clients + * fix a few missing '\n' in sh_getopt.c + * sh_kern.c: fall back on mmap() if read() fails on /dev/kmem + * fix Solaris package creation + * recognize Solaris doors and event ports + * fix the idmef_inode_t patch: provide required info to avoid stat() + * fix bug on database update: fill in dev and rdev fields + * fix get_file_infos() in sh_prelude.c: avoid premature return + * GCC_STACK_PROTECT_CC: AC_TRY_COMPILE -> AC_TRY_LINK + * deploy.sh: allow to set a group for hosts upon installation + * patch by Yoann: fix an issue when setting the idmef_inode_t object + * fix memory leaks in error paths in sh_prelude.c + * fix concurrent inserts with postgres in sh_database.c + * code cleanup + * fix manual version in spec file, first noticed by Imre Gergely + +2.2.0 (01-05-2006): + * patch by Jim Simmons for samhainadmin.pl.in + * fix testsuite portability problems + * fix md5 endianess problem detected on HP-UX 11i / PA-RISC 8700 + * fix potential NULL dereference in sh_utmp_endutent() + * patch by Neil Gorsuch for suidchk.c (do not scan lustre, afs, mmfs) + * fix sh_ext_popen (OpenBSD needs non-null argv[0] in execve) + * fix make_tests.sh portability (echo '"\n"' does not work on OpenBSD) + * fix bug in sh_utils_obscurename (check isascii) + * scan h_aliases for FQDN if h_name is not + * add copyright/license info to test scripts + * add copyright/license info to deployment system scripts + * support server-to-server relay + * new CL option --server-port + * minor improvements in manual + * patch by Yoann Vandoorselaere for sh_prelude.c + * allow --longopt arg as well as --longopt=arg + * verify checksum of growing log files (up to previous size) + * rewrite of the test suite + * added a bit of unit testing + * minor optimizations in various places + * optimized implementation of tiger checksum algorithm + * read in 64k blocks (faster than 4k) + * sh_unix.c, sh_hash.c: support file flags on *BSD, update Linux + file attribute code + * kern_head: fix compilation of kernel check module on OpenBSD + * updated samhainrc.linux, samhainrc.freebsd + * sh_unix.c: fix setrlimit (RLIMIT_NOFILE, ..) + * sh_files.c: fix missing use of flag_err_info + * sh_tiger0.c: remove repetitive use of mlock + * slib.c: remove fcntl's from sl_read_timeout (caller sets O_NONBLOCK), + add function sl_read_timeout_prep + +2.1.3 (13-03-2006): + * fix compile problem in slib.c (reported by Lawrence Bowie) + * fix bug with combination of one-shot update mode and file check + schedule (reportedby Dan Track) + * improved the windows howto according to suggestions by + Jorge Morgado + * fix samhain_hide kernel module for new linux kernel versions + * fix minor problem with dead client detection (problem reported + by Michal Kustosik) + +2.1.2 (10-01-2006): + * fix startup error with combination of gpg+prelude + +2.1.1a (22-12-2005): + * fixed a stupid bug in sh_files.c (break if file = dir) + +2.1.1 (21-12-2005): + * sh_calls.c: protect sh_calls_set_bind_addr against overriding + * comINSTALL, updateDB: use locking + * samhainadmin.pl: use locking + * fix typos in samhainrc.solaris (noticed by Robby Cauwerts) + * improve zAVLSearch (remove redundant strcmp) + * use AVL tree in sh_files.c instead of linked list (better scaling) + * fix bug with suidcheck (no update/check in one-shot mode with + schedule instead of check interval; noticed by R. Rati) + * fix for problem with '-t update -i' if daemon mode (problem report + by Peter van der Does) + * fix for bug in sh_util_ask_update (two returns were required ...) + +2.1.0 (31-10-2005): + * minor fix for cross-compiling with --with-kcheck + * sh_forward.c: handle bad fds in the select() fd sets + (reported by hmy) + * sh_extern.c: fix debugging code + * slib.c, sh_calls.c, sh_calls.h: improve handling of O_NOATIME + (reported by Gabor Kiss) + * makefile.in: fix for solaris package creation + * sh_mail.c, sh_readconf.c: mail filtering options + * sh_database.c: Oracle reconnect on connection failure + (bug report by Alexander A. Sobyanin) + * sh_unix.c: don't purge MYSQL_UNIX_PORT environment variable + (problem reported by Peter) + * sh_calls.c: fix for a HP-UX accept() problem caused by the gcc4 fix + * fixes for gcc 4.0.2 compiler warnings + * ability to use daemon mode together with update + (wishlist Yoan Vandoorselaere) + * fixes for debugging + +2.0.10a (22-08-2005): + * fix for overlapping directory check specification (reported by Bub) + +2.0.10 (21-08-2005): + * fix for segfault (free() on a constant string) with libprelude + (problem reported by Grae Noble) + * upgrade FreeBSD kernel check to 5.4, minor fixes + * useful script for users of Linux kernel check + (contributed by marc heisterkamp) + * documentation improvements (suggested by Brian Seklecki and Robby) + +2.0.9 (25-08-2005): + * samhain_erase.c: add #define for NULL + * sh_suidchk.c: fix incorrect use of escaped filename + * sh_prelude.[ch], sh_readconf.c: configurable mapping from + samhain severity to prelude severity + * sh_unix.h: second arg of gettimeofday should be NULL + * sh_files.c: fix checking of directory special file (use specified + policy, not that of parent dir, problem found by Brian A. Seklecki) + * sh_entropy.c: longer timeout for entropy collector + * sh_socket.c, sh_forward.c: allow probing of clients for + necessity of configuration reload + * yulectl: minor fixes, option -v (verbose), new command PROBE + * fix 'File not found' messages for files flagged with IgnoreMissing + * sh_database.c: strip newline from oracle error messages + * sh_files.c: fix rsrc fork issue with MacOS X Tiger + (reported by A. Koren) + * never compute checksum if not checked (problem report by D.Hughes) + * sh_prelude.c: cleanup and bugfix by Yoann + * sh_hash.c: for prelude, make sure mode is supplied with user/group + and vice versa + * sh_prelude.c: provide proper FileAccess objects (bug + report by Mihai Ilinca) + +2.0.8 (03-07-2005): + * configure.ac: use $LIBPRELUDE_PTHREAD_CFLAGS rather than + $LIBPRELUDE_CFLAGS (bugfix by Yoann) + * samhain.spec.in: remove support for chkconfig (it's too buggy). + Strangely, if invoked as install_initd it behaves sanely ... + * src/sh_err_log.c: fix key input (this time for real) + * fix --with-altlogserver (bug from 2.0.7b) + * remove server socket in start/stop script + +2.0.7e (not released): + * Makefile.in: introduce a total of 6 sec delay for 'make' utilities + that use 1 sec resolution, and consider target out-of-date if + timestamp(target) = timestamp(dependency) ... + * src/sh_err_log.c: fix key input + * another fix for yulectl (use pwent->pw_dir) + * dsys/comINSTALL, dsys/comUNINSTALL, dsys/comBUILD: fix PATH + +2.0.7d (not released): + * one more fix for the spec file (stupid rpm finds tags in comments!!!) + +2.0.7c (not released): + * test/testrun_1b.sh, test/testrun_2b.sh: use $GPG_PATH + * dsys/comINSTALL, dsys/funcDB, dsys/funcINSTALL: some bugfixes + * samhain-install.sh.in: fix test -z $verbose + * sh_hash.c: speedup database reading + * Makefile.in: fix the problem that BSD make would make too much + * deploy: yulerc.clients -> yulerc.install.db, provide + $defdatabase for backward compatibility + * deploy: allow for comma in client_install_date + +2.0.7b (not released): + * hp_ux.psf.in: fix psf file + * dsys/comINSTALL: fix $yule_date -> $yule_data + * Makefile.in: fix 'make depot' + * sh_tools.c, sh_unix.c: fix detection of open file limit + * sh_readconf.c: reset read_mode after reading conf file + * yulectl.c: better error messages, use homedir from getpwuid(geteuid) + * init/samhain.startLSB.in: fix misleading message in lsb init script + * sh_forward.c: better display for nonce u in debug mode + * sh_tiger*.c: fix checksum for HP-UX 64bit + * samhain.c: don't fetch database twice + * configure.ac: accept nodename for --with-logserver=... + * samhain_setpwd.c: return proper exit status for samhain_setpwd + * respond to SIGTERM on initializing + * fix problems with samhainadmin.pl + * sh_utils.c: fix bug with AddOKChars (found by Karol) + +2.0.7a (not released): + * remove 'df' from entropy gatherer (NFS may hang) + * modify va_copy check (doesn't work with HP-UX PA64 compiler) + * fix compile warnings in sh_database.c + * samhain-install.sh.in: check for /usr/bin/false in /etc/shells + * fix install-boot on HP-UX + * aclocal.m4: fix configure CL parsing to recognize VAR=VALUE + +2.0.7 (11-06-2005): + * yet another fix for the spec file (use internal dependency generator) + * sh_error.c, sh_prelude.c: init libprelude after open fds are closed + * error message if queue is full + * fix two compiler warnings on HP-UX + * fix sh_mail.c for Interix (no resolver routines) + * fix sh_unix_initgroups2() if no initgroups() function (bug reported + by Geries Handal) + * remove references to 'struct timezone' (Interix; problem + reported by Geries Handal) + * init/stop for prelude on SIGHUP + * sh_cat.h: fix a stupid bug with messages classes + * manual: new section on nagios (with help from kiarna), + more on prelude + * sh_prelude.c: cleanup and improvements (Yoann Vandorselaere) + * default prelude profile name now is 'samhain' (lowercase) + * sh_readconf.c: new option PreludeProfile (by Yoann Vandorselaere) + * remove obsolete check for linux/module.h, linux/unistd.h + * remove dependency on virtual/glibc in gentoo ebuild + (problem reported by Willis Sarka) + +2.0.6 (01-03-2005): + * sh_prelude.c, configure.ac, aclocal.m4: support for + libprelude 0.9 (Yoann Vandoorselaere) + * sh_html.c: fix bug with entry.html template (reported by + Stephane Sanchez) + * Install.sh: fix mandir option (reported by Rodney Smith) + * Fixed Linux/64bit bug in definition of EUIDSLOT + * New targets 'make depot', 'make depot-light' (HP-UX, untested) + * Use sstrip for RPMs and DEBs (automatic stripping disabled) + * Fix aclocal.m4 for autoconf 2.59 (missing $ac_cr_alnum et al., + problem noticed by Yoann Vandoorselaere) + * Modify samhain.spec.in to disable automatic stripping upon install + * Fix deploy.sh + '--enable-gpg', and fix 'make rpm' and 'make deb' + for '--with-khide' (problems reported by Mark) + * Fix compile error in sh_tools.c on HP-UX 10.20 + (problem reported by Dennis Boylan) + * Runtime configuration of server listening port (wishlist) + * Runtime configuration of server listening interface (wishlist) + * Ignore SIGTTIN (consistency) + * Use SIGTTOU to force file check (wishlist) + +2.0.5b (01-04-2005): + * Fix build problem b/o timestamp on stamp file + +2.0.5a (16-03-2005): + * Fix problem with 'make rpm' (reported by Dirk Brümmer) + +2.0.5 (02-03-2005): + * Fix bug with partial reads from clients in server + (bug report by Brian) + * Support gpg checksum bootstrap with yule + * Support mount option check on HP-UX + * For MAIL FROM, use 'example.com' as domain part if + hostname is numeric (problem reported by Eric Raymond) + * The HOWTO-write-modules has been updated. + * Convenience functions to insert data in database have been + added. + * Use int0x03 only on i386 in sh_derr() (portability problem + reported by John Mandeville) + +2.0.4 (09-02-2005): + * Fixed broken 'make deb' (problem report by olfi) + * Fixed minor bug in test scripts (detection of gmake vs. make) + * Fixed Tru64/OSF compile warnings (reported by B. Terp) + * Normalize list parsing to allow comma, space, and tab as separators + * Some more descriptive error messages in kern_head.c + * Absolute path to utilities in init/samhain.startLinux.in + * Fixed is_root variable in deploy.sh + * Fixed 'deploy.sh info' + * Fixed 'deploy.sh install' client startup + * Fixed 'make tbz': don't remove ebuild scripts in 'make dist' + (issue reported by W. Sarky) + +2.0.3 (14-12-2004): + * Fix CPPFLAGS with mysql/postgresql (repoted by P. Smith) + * Fix missing sys/time.h include in slib.c (reported by Jonas) + * Workaround for file closing problem with Prelude+GPG + * Fixed memory leak with Prelude. + * Fixed bug in samhain_stealth (PGP signature not correctly + retrieved from hidden configuration; report and patch by V. Tuska) + * Added Perl script to concatenate file signature database files + * Fix compile error with combination of --enable-nocl and + --enable-stealth (reported by Zdenek Polach) + * Fix bug in dsys/initscript with --enable-nocl + * Fix declaration of sh_kern_timer() + * Fix missing Mounts+Userfiles options in appendix of manual + * Updated the README (bug report by H. Franzke) + * Fix some compiler warnings + +2.0.2a (09-11-2004): + * Fixed OoM condition when client rc file not found (reported by Eilko) + +2.0.2 (08-11-2004): + * Fixed buffer overflow in sh_hash_compdata() (only in 'update' code) + * Fixed uninitialized variable in sh_mail_msg() (problem reported + by Michael Milvich) + * Fixed potential NULL pointer dereference in sh_hash_compdata() + +2.0.1 (01-11-2004): + * Fixed compilation bug reported by jue (--with-kcheck broken). + * Fixed start option (bug reported by sanek). Behaviour wrt. + environment variables depended on the way the daemon was started. + +2.0.0 (31-10-2004): + * The deployment system has been rewritten from scratch in + a cleaner and more modular and extensible way. Deployment + of native packages is supported now. + * The build system has been revised. Building outside the source + directory is supported now. + * Support for checksumming of prelinked executables / libraries + has been added. + * The configure script now checks for the SSP/ProPolice patch in GCC, + and enables it if present. + * The install-boot option in samhain-install.sh has been fixed + (use absolute paths for sbin utilities). + * A nagios plugin (scripts/check_samhain.pl) has been added. + * The LSB (Linux Standard Base) init script has been fixed (the output + was incorrect). + * Fetching of built binary packages has been + fixed ($(PACKAGE)->@install_name@). + * For files in proc, the timeout has been reduced, and no error + messages are issued upon timeout. + * A function has been added to print out full details for missing + files if encountered while in sh_files(). + * The reporting for SuidCheck has been fixed (incorrect policy + noticed by JiM). + * On Linux, SuidCheck does not report on files marked as candidates + for mandatory locking (group-id bit set, group-execute bit cleared). + * Fix for oracle init script (by Matt Warner) + +1.8.12b (11-10-2004): + * fix bug in MSG_MSTAMP (%ld -> %lu) + * fix bugs in sh_suidchk.c (%ld -> %lu), check fopen for NULL, + mkdir mode for quarantine directory + * fix the fix for modlist_lock search in System.map + +1.8.12a (01-10-2004): + * fix bug in samhain-install.sh.in (only occurs on Solaris), reported + by J. Roland + +1.8.12 (27-09-2004): + * fix compile bug with --enable-static + --with-database=postgresql + * fix search for modlist_lock in System.map + * password auth for yule command socket (request by D. Kocic) + * more info about pending/sent commands to clients + +1.8.11 (30-08-2004): + * fix static linking on Linux by use of replacement routines from + uClib - however, this means, there is no NIS support anymore + * new option AddOKChars=... to modify the set of characters for + filenames considered 'obscure' + * new option HardlinkOffset=... to specify an offset from the canonical + hardlink count for a directory + * fix some warning with HP 11.23 native compiler + * fix minor OpenBSD portability problems (EIDRM, compiler warning) + * samhainrc.5, samhain.8: updated the man pages + * sh_unix.c, sh_files.c: ignore 'no user/group' and 'obscure name' + for AllIgnore + * sh_kern.c: fix 'update' to display modifications + * sh_kern.c: fix bug with IDT check (spurious alerts b/o uninitialized + fields) + * stealth kernel modules: fix for linux 2.6, fix + redefine of KERNEL_VERSION + * warn about stealth kernel module problem with 2.6 in manual + * sh_unix.c: remove some cruft + * fix a typo in the manual (noticed by J. Rubin) + * configure.ac: re-order output from libprelude-config (required + for static linking - problem reported by E. Neber) + * kern_head.h, kern_head.c: fixes for Linux 2.6 kernel + +1.8.10b (13-07-2004): + * fix incorrect usage of 'retry_msleep()' in sh_kern.c (reported + by Pat Smith) + +1.8.10a (13-07-2004): + * depend-gen.c: fix for FreeBSD 'make' which does not understand + the dependencies ... (problem reported by David Thiel) + +1.8.10 (13-07-2004): + * sh_unix.c/sh_unix.h: fix defaults for 'GrowingLogFiles' policy + (bug report by VZoubkov) + * fix some warnings (unreachable statement) with HP-UX native compiler + * kern_check.c: silence warning about 'sendfile' for 4.10 + (noticed by Ryan Beasley) + * modify depend-gen.c to ignore sh_gpg_chksum.h + * add a non-plaintext version of GPG_HASH (sh_gpg_chksum.h) + * .. and for fingerprint + * sh_suidchk.c: fix some compiler warnings on solaris + * allow commas to separate multiple entries in a RedefXXX= directive + * replace sleep/usleep with nanosleep wrapper function + * replace alarm() for read timeout with select() in sl_read_timeout + (should fix bug reported by Scott Kelley) + * increase lstat/open timeout to 6 sec + +1.8.9 (16-06-2004): + * made 'no action specified' error message more informative + (suggested by Stephen Gill) + * fix memory leak in mysql sh_database_query() (bug report by Dejan) + * remove some cruft from the code + * sh_files.c: check MacOS X resource forks (idea from Osiris) + * sh_files.c: no hardlink check for MacOS X + * sh_util_ask_update: fix bug with no terminal in non-interactive mode + (report and debug data by Kris Dom) + * manual refactored + * fix redundant messages when updating with suidcheck + * allow interactive update for suid files + * don't remove the TZ environment variable to guard against + misconfigured hosts + * also use gethostname if uname returns possibly truncated name + * fix improper file descriptor handling in sh_mail.c (bug report + by Alex Weiss) + * cleanup MBLK cruft + * use SH_ALLOC/SH_FREE in sh_prelude.c + * update sstrip to Version 2.0 + +1.8.8 (25-05-2004): + * fix compilation problem on AIX 5.2 (nameser_compat.h; report by + Tim Evans and Ian McCulloch) + * don't check for trusted paths on Cygwin + * add Windows HOWTO written by Kris Dom + * kern_check.h: extend FreeBSD syscall table for 5.x + +1.8.7a (03-05-2004): + * sh_mail.c: fix subject length + * sh_mail.c: fix the sh.mailNum.alarm_last fix (report by Kris Dom) + * sh_utils.c: sh_util_ask_update(): fix ISO C conformance bug + (compile problem reported by Kris Dom) + +1.8.7 (01-05-2004): + * sh_mail.c: fix incorrect count of sh.mailNum.alarm_last, causing + empty mails (introduced with segfault fix in 1.8.6, report + by Kris Dom) + * sh_utils.c: sh_util_ask_update(): check whether stdin is a terminal, + try to reopen on controlling terminal if not + * sh_utmp.c: fix order of options (problem report by Uri) + * sh_files.c: sh_files_chk(): set tmp = NULL at end of loop + (may cause segfault on null dereference for missing files) + * sh_unix.c: patch by Marc Schütz (order of sh_unix_getinfo_type, + sh_unix_getinfo_attr) + * don't use dh_installmanpages in 'make deb' (samhain/yule conflict + reported by xavier) + * on HP-UX, define _XOPEN_SOURCE_EXTENDED in sh_mail.c and sh_tools.c + (suggested by Kris) + * include nameser_compat.h in sh_mail.c (for MacOS X, + suggestion by jna) + * sh_utmp.c: fix time for logout events (reported by Erich + van der Velde) + +1.8.6 (15-04-2004): + * add CL option to set threshold for prelude and RDBMS + * sh_mail.c: fix bug with MailSubject option (segfault on NULL pointer + dereference; reported by Micha Silver) + * fix compiling with --disable-encrypt (reported by Pat Smith) + * fix minor problem in scheduler (don't return before all schedules + are tested, to set last_exec correctly) + +1.8.5 (05-04-2004): + * fix bugs in sh_utmp.c (unlinking of list head); may fix an OpenBSD + problem (endless loop; report and debugging aid by Joe MacDonald) + * fix hardlink check (null dereference in error message, segfaults + on solaris - noticed by Bob Bloom) + * sh_suidcheck: don't truncate quarantined file if nlink > 1 + * fix Install.sh (no --seperate-output with --radiolist); patch by + Greg Kimberly + +1.8.4 (17-03-2004): + * add Prelude patch by Patrice Bourgin + * add license statement to sh_mounts.c, sh_userfiles.c after + receiving a clarifying e-mail from Cian Synnott + * support UsePersistent = no for Oracle (problem spotted and fix + tested by Michael Somers) + * fix bug in samhainadmin.pl + * sh_gpg.c: describe type of gpg error (if any) + * fix persistent connections with postgresql (reported by + Erwin Van de Velde) + * prelude: local 'meaning' shadows global in sh_prelude_alert + (spotted by David Maciejak) + * uname: workaround for cases where nodename would be a possibly + truncated FQDN (problem reported by Cian Synnott) + * re-write parts of sh_kern.c, store kernel info in baseline database + -> no need to recompile after kernel upgrade + * modify timeouts in sh_unix_getinfo, add timeout warning + * change handling of dangling symlinks (store in db) + * fix typo with MSG_FI_OBSC2 (double slash) + * remove redundant operation in sh_utils_safe_name + * fix occasional random start bytes of long messages in + sh_error_string (sl_strlcat -> sl_strlcpy) + * provide details for missing files (as for added files) + * remove duplicate message for no such group/user + * add fixes for samhain.oracle.init (supplied by Michael Somers) + * fix date insertion for Oracle (fix by Michael Somers) + * manual: fix incorrect statement about RPM (noticed by + Lars Kellogg-Stedman) + +1.8.3 (02-02-2004): + * add a HOWTO-client+server-troubleshooting document + * fix another bug with SIGUSR2 (suspend mode) + * new option SetBindAddress (--bind-address=...) to force + interface for outgoing connections on multi-interface box + * don't link against libgmp if not required (i.e. standalone) + * test for ext2fs/ext2_fs.h or linux/ext2_fs.h + * new make targets 'emerge' and 'tbz2' for gentoo + * update rules.deb.in based on the Debian package + by Javier Fernandez-Sanguino + * updated config.guess, config.sub to version 2002-09-05 + * external command: report failure only once + * console: reset failure status after success + * README.UPGRADE: explain 1.7.x <-> 1.8.x client/server compatibility + * use persistent connection to database by default + * option UsePersistent=no to switch off persistent connection + +1.8.2 (19-01-2004): + * sh_userfiles.c: new option UserfilesCheckUids (requested) + * sh_error.c: server: don't log to logfile before dropping root + * new script scripts/samhainadmin.pl (administrative tasks for + signed config/database files) + * add changes code to log_msg for reports on modified files + * change default log threshold to 'mark', as 'none' tends + to confuse new users + * faster response time for SIGUSR2 + * revised (mostly backward-compatible) message classes + * fix missing check of mailTime in server select loop + * add support for libprelude (version 0.8.10) + * fix format for MSG_E_GRNULL (reported by Stefan Hudson) + * fix Bourne shell incompatibility (export) in samhain-install.sh + (first reported by David Thiel) + * fix typo in spec file (first reported by Christian Vanguers) + * remove some cruft (signal handler, memory handling) + * return from sigterm handler, rather than exit directly + (re-entrancy problem causes more problems than it's worth) + +1.8.1 (03-12-2003): + * fix gmp detection (problem pointed out by Nix) + * fix/improve the error message if test compiling with mysql fails + * new CL option --interactive for interactive db update + * fix some compiler warnings from IRIX MIPS compiler + * kern_head.h, kern_head.c: option to disable IDT check + * kern_head.h, kern_head.c: update kernel syscall table (2.4.20,2.6) + * sh_utmp.c: count number of logins (request by Erwin Van De Velde) + * change username -> userid, remove (long) userid (bug noticed + by Erwin Van De Velde) + * emit ADDED message for new SUID/SGID files + * add trailing slash to excluded directory if there is none + +1.8.0a (04-11-2003): + * sh_error.c: remove two debug printf's + +1.8.0 (31-10-2003): + * manual: make ps file fit on both a4 and letter paper + * sh_socket.c, sh_socket.h, sh_forward.c: socket interface + to send (quit/reload) commands to clients + * sh_forward.c, configure.ac: enable build with libwrap + (Wietse Venema's TCP Wrappers library) + * sh_ignore.c, sh_ignore.h, sh_files.c, sh_hash.c, sh_readconf.c: + new option to suppress messages for new and/or deleted files + * samhainrc.aix5.2.0: contributed by Christoph Kiefer + * samhain.c: fix compile warning on solaris (noticed by Ian Hunt) + * sh_database.c: undef debug code for oracle + * samhain.oracle.init: contributed by Joern Michael Krueger + * configure.ac, sh_utils.ac, Makefile.in, sh_modules.c, + sh_cat.c, sh_cat.h, sh_mounts.c/h, sh_userfiles.c/h: + check-mounts and userfiles modules contributed by eircom.net + * sh_utils.c: fix off-by-one bug in sh_util_compress() + * sh_forward.c, sh_tools.c, configure.ac: + version 2 client/server protocol + * sh_mail.c: add %S to include severity in subject (user request) + * sh_suidchk.c, 1093: fix warning about unused var 'flags' on FreeBSD + * samhain.h, sh_unix.h, sh_unix.c: extern inline -> static inline + for --enable-ptrace + * samhain.c: lower priority for 'uninitialized module' message + * sh_entropy.c: lower priority for message if /dev/random blocks and + /dev/urandom is available + * improved error messages in sh_readconf.c + * print system error message for getpwuid, getgrgid + * fix missing module init after SIGHUP (noticed by Cian Synnott) + +1.7.12 (13-10-2003): + * sh_mail.c: fix buffer overflow in mail handler (introduced in 1.7.10) + thanks to bug reports by Jason Martin and Matthew P. Cox + +1.7.11 (01-09-2003): + * samhain.c, samhain.h, sh_unix.c, sh_forward.c, sh_html.h: + - change SIG_USR1 to switch between dbg on/off + - change SIG_USR2 to switch between suspend on/off + - fix CLT_ILLEGAL to actually work + - introduce new state CLT_SUSPEND + - force reauthentication after suspend + * slib.c: change MAXFD from FOPEN_MAX (16) -> 1024 + * sh_suidchk.c: better AIX fs detection (Christoph) + * sh_entropy.c: increase buffer size for unix entropy gatherer + (problem reported by D. Danielson) + * default config files: add lots of comments, list more options + * sh_error.c: set default severities to 'crit' + * sh_readconf.c, sh_cat.c, sh_cat.h: stricter check on config + file syntax, issue warnings (triggered by C. Kiefer) + * Makefile.in: handle depend-gen errors more gracefully + * sh_err_console.c: fix bug in enable_msgq (reported by F. Behrens) + * configure.ac: workaround for mysql_config weird output + (reported by G. Faron) + * sh_unix.c, sh_tiger0.c: check IO limit during read of large files + * depend-gen.c: close streams before attempting to rename (Cygwin) + * Makefile.in: fail gracefully if depend-gen fails + * sh_database.c: sh_database_query(postgresql): fixed missing SL_ENTER + +1.7.10 (27-07-2003): + * FreeBSD init script: define $pidfile (reported by D. Thiel) + * sh_unix.c, sh_unix.h: fix compile error on AIX 4.2 + * sh_schedule.c: fix bad array size + * samhain.c: fix pid_t <> int casts + * sh_kern.c: fix repetitive messages + * configure.ac: try to bootstrap if TIGER192 not supported by gpg, + provide a detailed error message + * configure.ac: try harder to locate mysql + * docs/Changelog: retroactively add release dates, if known + * sh_mail.c: fix potential message truncation in mailer + * sh_unix.c, samhain.c, samhain.h: make --enable-ptrace more portable + * sh_readconf.c: fix segfault (dereference of uninitialized pointer) + if --with-gpg and --enable-stealth are used together (reported + by Anthony Caetano) + * sh_unix.c, samhain.c, sh_calls.c: fix problems with descriptive + error messages (larger GLOB_LEN, stat fills aud_err_message) + +1.7.9 (30-06-2003): + * sh_err_log.c: fix segfault on SIGABRT (dereference of freed memory), + problems with SIGABRT noticed by Brian and Alf B Lervåg + * deploy.sh.in: fix some bugs (found by Alf B Lervåg) + * scripts/chroot.sh: fix typo (found by Alf B Lervåg) + * configure.ac (khide): search also for 'd sys_call_table' (noted by + cuek_saja) + * strip whitespace before checking gpg checksum (noted by D. Thiel) + * manual (faq section): explain how to stop console output + * Makefile.in: fix re-naming of yule with --enable-install-name + * HOWTO-client+server.html: fix typo (noted by xavier renaut) + * configure.ac: escape '-' in awk regex (required by GNU awk 3.1.1) + +1.7.8 (28-05-2003): + * sh_unix.c: new mlock implementation with reference count + and page alignment (fix for solaris problem) + * kern_head.c: search also for 'xxxxxxxx d sys_call_table' + * sh_html.c: write status comment (for Beltane 2) + * add CL option --delimited for comma-delimited signature database dump + * sh_mail.c: check exit status of push_list to fix counting bug + (bug reported by Alan Moore) + * configure.ac: add error message to --with-libs + * fix spelling of $DAEMON in init script (noted by C. Grigoriu) + * fix missing initgroups() + +1.7.7 (06-05-2003): + * sh_forward.c: fix bug if compiled with --enable-udp, but disabled + in config file (found by Andy OBrien) + * sh_database.c: sh_database_entry(): size -> c_size (two places) + to fix writing of '\0' to arbitrary places :( + (problem pointed out by Stefan Giesen) + * profiles/*/configopts: fix --with-base -> --enable-base + +1.7.6 (24-04-2003): + * sh_forward.c, entry.html, head.html: fix/additions by Stefan Giesen + * fix samhain_hide for the O(1) scheduler used by RedHat: + configure.ac, acconfig.h: check for next_task in struct task_struct + samhain_hide.c: use find_task_by_pid if no next_task in task_struct + * samhain_erase.c: add MODULE_LICENSE("GPL") to fix warning + +1.7.5 (15-04-2003): + * sh_cat.c, sh_forward.c, sh_hash.c: fix double 'msg' tag + * manual: point out the bmaxdata problem on AIX in faq section + * trustfile.c: don't check symlinks (permissions of directory count) + * sh_schedule.c: fix problem with daylight saving switchover + * sh_samhain.c: close all open fd's >2 before reading the conf file + * sh_unix.c: fix dereferenced NULL pointer when exiting on non-existing + user + * sh_forward.c: fix dereferenced NULL pointer when exiting on udp error + * sh_forward.c: place timestamp code before select() timeout handler + * fix incorrect class of timestamp messages (conflict with manual) + * sh_readconf.c, sh_forward.c: new config option SetStripDomain + * configure.ac: add warning if /lib/modules/`uname -r`/build/include + not found + * samhain_hide.c: adapt for RedHat 2.4 kernel (fetch sys_call_table + address from System.map) + * sh_err_syslog.c: fix for Solaris + * samhain.spec.in: strip REQ_FROM_SERVER from config file install path + +1.7.4 (21-03-2003): + * configure.ac: fix bug in defargs (--with-base > --enable-base) + * aclocal.ac: detect unsupported options + * kern_check: add syscalls, skip unused syscalls + * fix Manual (--enable.../--with... inconsistency) + * add two HOWTOs (signed files, server/client) + * moved manual into new subdirectory docs/ + * add admin scripts by S.Bailey/M.Redinger + * option to have a version string in db file + +1.7.3 (23-02-2003): + * samhain-install.sh: use yule user key for signing on install + * fix a bug in sh_err_console.c (attempted write to const char) + * sh_gpg.c: if server, always use ~unprivileged_user/.gnupg + * Makefile.in: make target 'trustfile' depend on config.h + * configure.ac: don't use install_name before it is defined ... + * sh_tiger0.c: fix bug in checksum computation introduced in 1.7.2 + * samhain.c: make sure daemon cannot be forced into 'update' mode + * sh_hash.c: remove AIX workaround (AIX has been fixed meanwhile) + +1.7.2 (04-02-2003): + * sh_kern.c: use sys_call_table address from System.map + * fix for reserved SQL keyword 'group' + * add AC_SYS_LARGEFILE to configure.ac + * allow separate client-specific log files for server + * sstrip.c: compile sstrip code only for i386 + * sh_unix.c: closeall: don't close trace file + * slib.c: don't trace sl_is_suid (leads to recursion in trace handler) + * samhain-install.sh.in: fix detection of LSB compliant systems + * sh_tools.c: get_client_*_file: lstat -> stat to allow symlinks + * sh_forward.c: sh_forward_do_write: set O_NONBLOCK for fd + (may block otherwise, for no good reason apparently ...) + * samhain.spec.in: replace %configure with ./configure + * sh_unix.c: re-write signal handling (use __malloc_hook et al. to + check whether we are in the middle of a free/malloc/realloc/memalign) + * sh_unix.c: use new safe_logger() function to log from signal handler + * sh_err_log.c: fix xml + * + * fix Makefile.in to exit non-zero on compile failure + * database init: create index on log_host, entry_status + * sh_suidchk.c: fix path building + * sh_tiger0.c: read larger blocks + * sh_hash.c: cast inode to UINT32 + * sh_tools.c: check that config/database files size fits in uint + * sh_error.c: export flag_err_debug to avoid unnecessary calls + * sh_unix.c: save the open() call in sh_unix_getinfo_attr() + * profiles/redhat_i386/bootscript: add # description field + * deploy.sh.in: set owner + permissions for files in yule_filedir + * profiles/debianlinux_i386: fix bootscript + * Makefile.in: fix deploy file lists and targets (include init+scripts) + * MLOCK GOOD/BAD -> SL_FALSE/SL_TRUE + * sh_mail.c: GOOD/BAD -> SL_FALSE/SL_TRUE (AIX sys/param.h) + * sh_err_syslog.c: split long messages rather than truncating + * sh_error.c: allocate msg to fix truncation limit + * sh_unix.c: closeall fd's >= 3 in non-daemon mode (inherited + filedescriptors may exceed FOPEN_MAX, causing problems in + sl_open_file) + * sh_err_console.c: avoid stdio + * trustfile: dirz: make swp[] static + * slib.c: speed up sl_strlcat + * clean up some bad heap allocation (PATH_MAX+(1|2) -> PATH_MAX) + * remove some unused code + * slib.c: support long long int in the snprintf replacement + * configure.ac: new configure macro to check whether sa_sigaction works + * Makefile.in: make sstrip, encode dependent on config.h + +1.7.1a (08-01-2003): + * fix a syntax error in samhain-install.sh.in + +1.7.1 (07-01-2003): + * search runlevel scripts in ./init or ./ + * handle all distro-specific Linux runlevel script issues + within a single script + * support install-boot on Yellow Dog Linux and Slackware + * samhain-install.sh: fix a bug for unknown Linux + ('"' not closed, DVER not set) + * samhain-install.sh: check for /etc/yellowdog-release + * sh_database.c: fix missing entry for 'userid' in attr_tab[] + * fix debian.rules.in (disable sstrip) + * update make targets: 'srpm', 'srpm-dist', 'rpm' + * check for zlib if mysql is used + * workaround for NetBSD bug with libresolve + * fixed problems with spec files + +1.7.0 (22-12-2002): + * improved spec files (Andre Oliveira da Costa <brblueser@uol.com.br>) + * sh_unix.c: fix a dereferenced static pointer in tf_trust_check + * runlevel scripts: remove pid file after stop + * make the data directory read-only for the daemon + * treat 'localhost' specially in MX resolver + * sh_err_log.c: set sh.flag.log_start == TRUE after writing </trail> + * deploy.sh.in: fix quoting (fix by Simon Bailey) + * slib.c: make sl_get_euid et al. behave well if uids not stored + * trustfile.c: use euid = uid(SH_IDENT) if server + * sh_mail.c: include an MX resolver + * Makefile.in: install-user routine for user installation + * have yule drop root + * sh_tools.c: open_temp use logdir if server + * unified options for runlevel script + * HP-UX, IRIX runlevel scripts + * AIX inittab entry + +1.6.6 (13-12-2002): + * configure.ac: solaris cc -O2 -> -xO2 + * sstrip.c: avoid alpha architecture + * profiles/solaris/configopts: no --enable-static + * sh_forward.c: sh_forward_req_file: copy argument to local array + +1.6.5 (04-12-2002): + * sh_utmp.c: set userlist = NULL in sh_utmp_end () + * sh_unix.c: do not assume that environ is sane + * exit handler: write </trail> + * sh_log_file(NULL): test sh.flag.log_start != S_TRUE + * FreeBSD rc script does not blindly accept content of pid file + * configure.ac: allow 'localhost' for log server + * sh_calls.c: retry_connect: ntohs (port) + * testrun_2[abc].sh: --with-logserver=localhost for client + +1.6.4 (12-11-2002): + * sh_tools.c: fix error when escaping '=<' + * fix the 'make srpm' target + * deploy.sh.in: avoid that client is named 'yule' + * define memset to sl_memset + * fix type cast of uid_t, gid_t + +1.6.3 (31-10-2002): + * fix options for Sun/Solaris native compiler + * sh_unix.c: MSG_FI_LIST (line 2333): cast theFile->size to fix error + * test sstrip on freebsd + * default config file for freebsd + * make target to build .deb packages + * sh_readconf.c: fix bug in error message + * samhain.c, sh_suidchk.c: fix initialization of suidchk + * samhain-install.sh.in: don't remove config file by default + * samhain-install.sh.in: support complete de-installation + * samhain-install.sh.in: add support for Gentoo, FreeBSD, and Solaris + * samhain-install.sh.in: check more paths + * sh_unix.c: fix sys_siglist declaration [NetBSD portability issue] + * sh_calls.c: save error message in retry_lstat() + +1.6.2 (04-10-2002): + * make target to build rpms + * update samhain.spec.in, samhain.startRedHat + * support DESTDIR, as in 'make DESTDIR=/what/ever install' + * explicitely set -fno-omit-frame-pointer b/o gcc bug + * mv configure.in to configure.ac to benefit from autoconf wrapper + * sh_modules.c, sh_modules.h: add mod_reconf() to run at SIGHUP + * slib.c: fix debug messages (no msgs for dlogActive <= 1) + * sh_schedule.c, samhain.c, sh_suidchk.c: + scheduler may accept multiple schedules + +1.6.1 (04-09-2002): + * sh_schedule.c: bugfix (executes only after first day) + * rm obsolete WITH_TRACE stuff + * new dlog() function for debug logging + * some more descriptive error messages + +1.6.0 (27-08-2002): + * omit the -fomit-frame-pointer option (bugs in some gcc versions ?) + * sh_error.c: fix escape mode when logging to database + * sh_forward.c: fix error (twice escape) in recv_syslog_socket + * sh_tools.c: change escape mode for server-received data + * sh_mem.c: change ulong -> size_t in sh_mem_malloc() + * configure.in: fix localstatedir if --prefix=USR + * sh_hash.c: snprintf() -> sl_snprintf() + +1.5.5 (07-08-2002): + * sh_err_log.c: fix incorrect xml syntax for client messages + logged by server + * sh_err_log.c: fix incorrect '</trail>' entries on client EXIT + * sh_files.c: introduce file_class_next + this fixes the problem that a policy for the directory + inode erroneously becomes a policy for the directory itself. + +1.5.4 (17-07-2002): + * sh_hash.c: fix buffer overflow with (micro-)stealth + * sh_database.c: set path[] 1024 -> 12288 + * sh_database.c: set query[] 2048 -> 16383 + * sh_database.c: set values[] 1024 -> 16383 + * sh_forward.c: larger limit for message size (16 kB) + * trustfile.c: set MAXFILENAME 2048 -> 4096 + * fixed a bug in the handling of filenames with embedded newlines + * sh_files.c: fix missing sh_util_safe_name() in debug output + * --with-sender can specify a full address + * fix xml log in a backwards compatible way + +1.5.3 (03-07-2002): + * fix combination of stealth and sql logging + * fix some more places where invalid UIDs/GIDs trigger errors + +1.5.2 (01-07-2002): + * include solaris config file from (sean [at] boran d.o.t com) + * test for files/dirz defined twice in the configuration file + * option to disable reverse lookup on outbound connections + * option to use socket peer as client name (with name resolving) + * sh_html.c: fix an HTML bug (twice </head><body>) + * sh_suidchk.c: fix warning on AIX b/o dirname() + * allow logging server -> syslog if yule is NOT configured to + receive syslog messages + * define PRIi64 to "lld" if undefined + * invalid UIDs: use gid/uid as name, error level SeverityNames + * minor fixes for connect_port + * sh_hash.c: flush output of db listing before _exit() + * configure.in: fix incorrect default ${install_name} for server + * configure.in: try harder to find mysql.h / libpq-fe.h + * sh_files.c: sh_files_checkdir: + closedir() early to not exhaust OPEN_MAX + +1.5.1a (30-05-2002): + * fix missing LSB init script + +1.5.1 (27-05-2002): + * fix '-t update' option + +1.5.0a (23-05-2002): + * fix configure.in + +1.5.0 (22-05-2002): + * include solaris nosuid patch from (nathoo [at] co d.o.t ru) + * similar fix for bsd nosuid + * speed up -t update + * convert manual to DocBook, distribute html and ps + * fix some more problems with configure.in, Makefile.in + * fix testsuite, add tests for udp, mysql + * MSG_TCP_MSG: host -> remote_host + * convert to autoconf 2.53 + * make c_bits.sh exit with status 0 + * sh_database.c #include "mysql.h" --> <mysql.h>, ditto libpq-fe.h + to avoid dependency tracking problems + * samhain.c remove *YULE* #ifdefs + * acconfig.h remove *YULE* #undefs + * samhain.c: procdirSamhain: lstat --> stat (allow symlink) + * configure.in: add checks for correct user input + * Makefile.in: add automatic dependency tracking + * depend-gen: tool to figure out dependencies + * chkconfig comments in redhat start scripts + +1.4.8: + * sh_database.c: fix missing attr_old, attr_new, (from)host columns + * configure.in, Makefile.in: fix an error in the configfile + definition with REQ_FROM_SERVER + * sh_err_console, sh_err_log: avoid recurrent failure messages + * timeout on read from files (/proc) + * fix errrors with setjmp/longjmp/alarm + * fix memory leak in server (~20 byte/file download in sh_tools, 930) + * check gpg signature for files downloaded from server, add a + regression test + * fix chown in solaris bootscript + * provide second scheduler for file check + * provide scheduler for file check + * provide scheduler for SUID check + +1.4.7 (08-04-2002): + * make daemon control LSB-compliant (arguments, exit status) + * set log_ref = 0 for server messages + * boolean option SetDBServerTstamp to disable entering server + timestamps for received client messages into database + * sh_suidcheck: check for "nosuid" mount option if getmntent is used + * fix logrotate script in manual (reported by Scott Worthington) + * don't strip numerical IP addresses + * check item->status_now != CLT_TOOLONG in client_time_check() + * set log_host to client in db client message + +1.4.6a (20-03-2002): + * define prefix in deploy.sh + +1.4.6 (19-03-2002): + * modify samhain_hide.c to hide processes on new Linux kernels + * better error diagnostics in kern_head.c + * fix compile error in all_items () + * check length of install-name in enable-khide (max is 15) + * define exec_prefix in deploy.sh.in + * make configure a bit more cross-compiler friendly + +1.4.5 (07-03-2002): + * Make sure missing file is reported even if ptr->reported == S_TRUE + because the file has been added. + * propagate 'reported' flag from sh_files_checkdir() into file list + * close checkfd in sh_gpg_check_file_sign() + * sh_derr(): kill(parent, SIGCONT) after ptrace(PT_DETACH,...) + * use sh.srvcons.name in dbg() to get debugging info from daemon + * option to log file timestamps with localtime instead of GMT + * comment out MSG_FI_ADD in sh_dirs_chk () - obsoleted by mandatory + sh_files_filecheck(directory) that triggers MSG_FI_ADD in sh_hash.c + * set ptr->reported = S_FALSE; for reappeared files in sh_files_chk() + to make sure re-disappearing will get reported + * new function sh_hash_set_missing() to remove file record + without (duplicate) 'missing' message + * make sure all items are reported for added files + * fix stealth mode with sh_kern (encode sh_ks.h -> sh_ks_xor.h) + * clarify in the documentation which gpg options to use for signing + +1.4.4 (11-02-2002): + * check that parent process has exited before writing PID file + * promote MGG_W_CHDIR to SH_ERR_ERR + * add error message to sh_unix_testlock + * fix missing _() macro in sh_aud_set_functions + +1.4.3 (05-02-2002): + * don't check attributes for symlinks (may cause device access) + * add USE mysql; USE samhain; to samhain.mysql.init + * point out the MessageHeader/mysql problem in manual + * add -lz to LIBS for mysql + * strip after install, avoid double strip + +1.4.2 (27-01-2002): + * support for EGD + * fix some more problems with install-deploy / deploy.sh + * fix a bug in profiles/suselinux_i386/bootscript (INSTALL_NAME_) + * fixed the 'external logging' test (init rather than none in rc file) + +1.4.1: + * SuSE: include run level 4+5 + * install location of hiding kernel modules changed - some insmod + variants do not test for /lib/modules/$(uname -r)/module_name.o + * new make targets 'install-deploy', 'uninstall-deploy' + * fixed make targets 'deploydir', 'deploydirfast' + * bail on unsupported CL option in deploy.sh + * fix various bugs in deploy.sh + +1.4.0 (16-01-2002): + * fixed missing 'dirname' on Mac OS X + * fixed && tested for/with postgres + * 'user=' -> 'userid=' (reserved word in sql) + * fix the endianess + size of file database; this changes db format + for any non-Linux OS + * --enable-old-format for old (V1.3) database format + * getopt, samhain.c, samhain.h: option -f to loop if not daemon + * sh_hash: list numeric + char data to allow file db update on + server side + * sh_database: modify handling of integer (long) data + * sh_database: datetime in database + * sh_database: hash field in database + * sh_database: rewrite database insert string construction + [use INSERT INTO log (fields) VALUES (values);] + * makefile suse 7.x runlevel entries + +1.3.7 (06-01-2002): + * fix incorrect escape in sh_tools_safe_name + * fix sh_error_handle (4. argument) in sh_extern.c + +1.3.6c: + * fix segfault in sh_database (mysql logging) on solaris + +1.3.6b (03-01-2002): + * fix syntax error ('==') in Makefile.in + * fix configure.in (path for /lib/modules/$(uname -r)/build/include) + * fix sh_kern.c (redeclaration of 'j') + +1.3.6 (03-01-2002): + * sh_kern.c: check integrity of int 80h vector + (SucKIT rootkit - Phrack 58) + * make sure childs in sh_kern are wait()'ed for + * provide start/stop/restart/reload/status interface + * fix a potential segfault (dereferenced NULL pointer) in the server + * use sh_util_flagval for sh_unix_setdaemon + * documentation for logging to SQL database + * configure.in: check for -I/lib/modules/$(uname -r)/build/include + * fix trustfile.c to ignore invalid users + * separate 'make install-samhain' and 'make install-yule' + * separate default log/pid/config files for server/client + - less problems running server and client on same host + * rewrite deploy.sh(.in): + - don't use (make|install) if deploying + - use command line options + - better integrate into server environment + - write install db + * always write a pidfile if daemon + * don't use server's config file as fallback for downloading client + * don't overwrite config file when doing 'make install' + +1.3.5 (28-12-2001): + * fix --enable-message-queue for newer glibc versions + * log to SQL database: implemented, but undocumented yet, + needs to be tested further + * xml: escape received syslog messages + * xml: rename 'time' to 'tstamp' + * make targets: make [un]install-[boot-]yule + (for server-only installation) + * fix samhain_hide.c for 2.4 kernel + * fix sh_kern for updated samhain_hide.c + * new option -j to just list the logfile + * sh_getopt.c: recognize -Dt check for -D -t check + * sh_tiger0.c: fix compiler warning (memmove) on Solaris + +1.3.4 (12-12-2001): + * sh_suidchk.c: option to limit files per second + * sh_unix.c: option to limit (kilo)bytes per second + * sh_hash.c: fix potential problem with '\n' in filename + (not backward compatible if there are filenames with '=') + +1.3.3 (03-12-2001): + * sh_readconf.c, samhain.h, samhain.c, sh_suidchk.c: + option SetNiceLevel to set scheduling priority + * sh_hash.c: bugfix for database listing on Solaris + * taus_seed: bugfix for emergency backup rng seed + * sh_util_safe_name: fix for XML + * sh_utmp_set_login_activate: use sh_util_flagval + * sh_utils.c: sh_util_obscurename: rm 'space' from list + * more backtrace macros + * sh_util_flagval: fix bug to recognize 1/0 + * fix test scripts testtimesrv.sh, testext.sh (test.sh 6/5) + * rm stray debug fprintf in sh_srp.c + +1.3.2 (27-11-2001): + * sh_hash.c: fix an error introduced in 1.3.1 + * set RLIMIT_CORE to RLIM_INFINITY if --enable-debug + +1.3.1 (25-11-2001): + * slib.c: get backtrace with --enable-debug + * sh_unix.c: allow core dumps when --enable-debug + * configure.in: fix default message queue permissions + * sh_suidchk.c: automatically include suid/sgid files in database + * sh_suidchk.c: check all suid/sgid files + * sh_hash.c: don't insert duplicates when reading the database + * sh_utmp, sh_kern, samhain: fix 1sec offset in timer + * sh_unix.c: don't require /dev/random to be non-world-writeable + * server: fix segfault in zAVLTree.c if avltree == NULL (no clients) + * client: fix segfault on Solaris if path_conf == NULL + * testrun_1b.sh: \(^/.*\) -> \(/.*\) for Solaris sed + +1.3.0 (31-10-2001): + * support compiling with GNU gmp library + * set 3 sec timer on client_time_check to avoid excessive (and + unnecessary) calls under heavy load + * replace sl_strlen with a macro + * store client_t structure in AVL tree + * database format incompatible with previous format, up the magic# + * sh_html.c: cache entry template for speedup + * slib.c: reset islong(double) in sl_printf_count + * sh_hash.c: report on rdev change + * sh_hash.c: print size in 64 bit + * sh_hash.c: save in absolute size types + * sh_unix.c: get values as appropriate type (time_t, dev_t, ...) + +1.2.10: + * update MANUAL + * sh_unix.c: tiger_hash -> tiger_generic_hash + * sh_readcon.c: DigestAlgo option + * sh_tiger0.c: add MD5 and SHA1 + * sh_unix.c: fix minor problem with win2k/cygwin + +1.2.9 (17-10-2001): + * fix problem with entry template/empty hostname + * fix MASK_USER_ (MTM -> ATM) + * typo fixed in configure.in (${install_name} -> {install_name}) + * bugfix group_old -> size_old in XML code + * skip armor header in signed files + +1.2.8 (29-09-2001): + * Mac OS X: in sh_getopt.c, rename table[] to op_table[] to avoid + obscure compiler warning + * Mac OS X: fix test scripts + * Mac OS X: import newest config.guess, config.sub from ftp.gnu.org + * implement deadtime in syslog recv code to protect against flooding + * sh_err_log: sl_close(fd) if lock|forward fails + * compliance with Filesystem Hierarchy Standard -- Version 2.2 final + * add policies User0, User1 + * fix compile problem (FreeBSD) in sh_suidchk.c + * macro to check for debugger breakpoints (linux/i386) + * check for solaris (does not work) in sh_derr (--enable-ptrace) + * option to listen on 514/udp for syslog, drop root + irrevocably if compiled thus + * use (check_mask & MODI_ATM) to decide whether to reset utime + * reset the policy masks on sighup + * option to write XML log messages + * cleanup of message catalog + * modified error messages for BADCONN + * error messages for Rijndael + * block recursive error messages within sh_error_handler() + - would hang the machine ... - + +1.2.7: + * sh_files, sh_utils: check top level directory + * sh_kern, sh_cat, kern_head: check syscall code, fork subprocess + for reading from /dev/kmem + * include /boot in default samhainrc + * change source distribution signing/packaging system + * Makefile, README, MANUAL: adhere to file system standard, + document new locations + * fix a bug in samhain_hide.c + +1.2.6: + * reset list of trusted users before config file re-read + * TrustedUser=... can be a list + * fix severity for files missing from IgnoreAll + +1.2.5: + * include example_pager.pl, example_sms.pl scripts + * explain paging/sms setup in docs + * allow manual exclusion of a directory in suidcheck + * automatically track all file changes + * remove missing files from in-memory database + * add $(KERN) to DEPLOYFILES + +1.2.4: + * log IP address for login/logout events, if supported by the OS + * release block in globerr (callback) + +------------- + +1.2.3: + * fix problem with reading stealth configuration + * fix a few formats in sh_cat.c + * always use strncmp for file system type check in sh_suidchk.c + (trailing 'fs' may be system specific for some types) + * no bare LF in messages (RFC 2822) + * no lines longer than 998 chars (RFC 2822) + * fix error in testrc_1 + +1.2.2: + * make tmp file directory a compile time option + * fix minor bugs in tmp file allocator (potential memory leak, + double slash if root directory) + * obsolete testpipe script removed + +1.2.1: + * fix memory alignment in rijndael-api-fst.c: blockEncrypt() + * fix byte order in HMAC code (compatibility fix for Linux/HP-UX) + * removed a debug fprintf() + +1.2.0: + * fix a bug in the HMAC implementation (thanks to Cesar Tascon + for help in tracking down this one) + * module to check the file system for SUID/SGID files + +1.1.16 (never released): + * fix the recursion depth -1 option as described in the manual + * optional database reload on SIGHUP + * fix a race condition when checking that /dev/random is a charakter + device + * redirect stderr to /dev/null for c_random + (AIX may segfault in netstat...) + * check whether /dev/random is a charakter device in c_random.sh + (we know at least one sysadmin who has set up a fake /dev/random ...) + * don't give NULL as 2. and 3. arg to execve if not Linux - some + Unices (notably Solaris) don't like it + * init ptr = NULL in my_malloc (compiler warning) + * make the bitmask for tests configureable (suggestion by A. Dunkel) + * make the bitmask for tests a static variable + * make (database/logfile/lockfile) path configurable + (to run multiple instances of samhain from an NFS share - on the + wishlist of J. Patton) + +1.1.15 (never released): + * fix minor error in testcompile.sh (rm test_log only at start) + * return from subroutines on sig_terminate == 1 + (faster exit on SIGTERM) + * fix re-configuration of addresses + * use sh_util_flagval() in sh_mail_setFlag and sh_kern_set_activate + * SysV message queue as compile option + * config file option to set console device + * removed the pre 1.1.9 code bloat + * don't print the LOGKEY to the console + +1.1.14: + * fix an error in the setup consistency check + * make target to uninstall runtime files + * trustfile.c: check return code of readlink(), fix off-by-one error + * sh_files.c: fix placement of terminator after readlink() call + * sh_files.c: fix a missing set_suid()/unset_suid() + - suid should work, but is not recommended - + * more debug statements in c/s code + * avoid re-entry in sh_unix_sigexit + * put a block around free() and malloc() in wrapper functions + * ditto for glob()/globfree(), regcomp()/regfree(), fdopen()/fclose() + - i.e. avoid corrupting the heap from a signal handler - + +1.1.13: + * optimized the size of the configure script somewhat + * modify the compile and hash test scripts + * read '\0's in sh_unix_getline + * exponential schedule for connection attempts + * make stealth working properly with signed files + - config file should be signed now before embedding in picture - + * fix a race in using signed files + * updated err messages for PWNULL, GRNULL + * add missing shell script for test 11 + * add mandatory source file/line info with -p debug + * add mandatory source line info with BADCONN + * fix a latex error in the manual + +1.1.12: + * debug output to console if compiled with --enable-debug and + running as daemon + * make reportonlyonce=true the default + * make sure state changes of a file are always reported, even + with reportonlyonce=true + * Linux kernel modules (samhain_hide, samhain_erase) + * fixed incorrect return value of sh_util_flagval + * fixed an error in sh_files.c: happens with -t init and first + file that is checked does not exist + * revised install/uninstall targets in the Makefile + * module to check for clobbered kernel syscalls (tested on Linux 2.2) + * more diagnostic error messages in sh_gpg.c + * more diagnostic error messages in sh_mail.c + * error in mail.c fixed + (address -> address_list[i] for multiple recipients) + * docs updated, better(?) explanation of signed files + * skip over path in gpg checksum output + * check client name against IP address and FQDN + * fix for --disable-* in config file + * fixed a server crash (MSG_TCP_OKMSG without arg) + if the server is run with debug level output threshold + * catch EAGAIN in sh_gpg.c pipe reader + * fix the 'external logging' test to make it work on BSD + * error message if no local path to init DB + * check for i86/Solaris in configure (vsnprintf prototype) + * make SRP the default + +1.1.11: + * make log file verification more convenient + * fix problem with message classes in stealth mode + * linux: do not try to read file attributes for devices + * handle the root directory correctly (avoid "//" in listing) + * fix problems with blockin on FIFOs/char dev + pointed out by I. Rogalsky (rog@iis.fhg.de) + - open in nonblocking mode for read, then set to blocking + - open file only if regular + * fix alignment in memory profiler + +1.1.10: + * minor code cleanup + * fix an error in trustfile.c (handling of empty/incomplete + group entries in /etc/group, bug report by A. Capriotti ) + +1.1.9: + * compatibility option for old behaviour (plain hash instead + of HMAC, ECB instead of CBC mode) + * use CBC rather than ECB mode for encryption + * use HMAC-TIGER for message authentication codes + * handle NULL data in sh_tiger_hash + * option to set syslog facility (default is LOG_AUTHPRIV) + * longer timeout (300 sec) on /dev/random if no /dev/urandom + * fix minor output error with stealth option + * option not to log names of config/database files on startup + +1.1.8: + * fix error in syslog routine + * fix missing 'test' in configure.in + * fix error in replace_tab() in sh_html.c + * fix minor memory leak in sh_util_regcmp() + +1.1.7: + * timeout on read_mbytes (from /dev/random; fallback to /dev/urandom) + * fix for FreeBSD: ut_user -> ut_name in sh_utmp.c + * fix for Alpha: consider $ac_cv_sizeof_unsigned_int_ in configure.in + * fix for Alpha: format string in sh_tiger0.sh + * on Linux, now compiles cleanly with + -Wall -W -Wstrict-prototypes -Wcast-align + * fix problem with recursion depth + (pointed out by Vic <hvicha@mail.ru>) + * #include "sh_tools.h" in sh_unix.c and fix the + --with-timeserver option (reported by Vic <hvicha@mail.ru>) + * place read_port(), MSG_TCP_NETRP outside ifdefs + * close fd/zero skey before execve + * verify client name against socket peer + * ... with configureable error priority + * use strcmp() rather than strncmp() in search_register() + * fix race between lstat() and open() for checksum + (reported by dynamo <dynamo@ime.net>, + JJohnson <JJohnson@penguincomputing.com>) + * enable globbing for filenames + * fix Solaris problem: siginfo_t may be NULL + * fix missing SL_EBADGID in tf_trust_check + * test case for external scripts, fix flushing pipe + * fix a typo in sh_ext_type + * do an fdexec w/checksum on Linux if calling external program + * even safer tmp file creation + * allow db update + * fix compile options for --enable-debug + * fixed a spelling error in the output + * test program for full CS support (config/database download) + * tell which file is searched for cs download + +1.1.6: + * fix bug in sh_readconf_line (segfault on erroneous config lines) + +1.1.5: + * sh_unix.c: sh_unix_getinfo_attr: f -> flags + * use gettimeofday as last resort +1.1.4: + * fix AIX compiler warning in sh_forward (cast arg1 of sh_tiger_hash + to (char *) + * configure: add static link flags for some more os (from tar) + * don't strip twice (some stupid systems abort) + * fix for reading from /dev/random on non-Linux systems (untested) + * sh_mail.c: end all message lines with \r\n + * stealth: ignore \r, \" + * take out tracing from --enable-debug (presently useless anyway) + * fix some remaining cleartext with debug && stealth combined + * fixed a small memory leak in sh_err_log.c + +1.1.3: + * fixed circular logic in taus_seed() (fallback method only) + * fix for missing _SC_OPEN_MAX (runaway close()) + +1.1.2: + * implement message classes + * let server recognize client message severity and class + * secondary log server + * keep database in memory (allows to close file + if retrieved from server) + * encrypt client/server communication + +1.1.1: + * Compilation problems with native Solaris compiler fixed + * fill in euid/ruid variable + * manual.pdf --> MANUAL.pdf + * debug sh_util_formatted() + * http refresh 120sec for server stat page + * trace/debug options + * fixed problem with utmp.c options + * fixed problem with sh_mail_setaddress + * option for custom message header + * fixed problem in compdata + * fixed problem in mail verification + * remove eventual trailing '/' in file names + * fixed problem with report string for modified files + * option to report in full detail + +1.1.0: + * Move error messages to catalog + * Make error message format more uniform + * Wrap sytem calls that could be interrupted by signals + * Warn on append to database + * Option for full details on mod. files + * Option to report only once on mod. files + * Generally speaking, major modifications with potential new bugs + +0.9.5: + * sh_hash.c: fixed erroneous checksum for config file + * sh_html.c: fixed erroneous timestamp (last) + * sh_tools.c: fixed connect_port (set port for cached address) + * sh_srp.c: fix for '00' (='\0') in pw + (last two fixes by Andreas Piesk) + +0.9.4: + * samhain.c: fcntl(1, ..) -> fcntl(2, ..) + * sh_hash.c: copy 12 instead of 10 byte for c_attributes + * 'empty directory' WARN -> INFO + +0.9.3: + * FreeBSD fixes: + - c_random.sh: make sure /dev/random provides something + rather than nothing + - check for <netinet/in.h> and include it + - include <sys/types.h> early + - sh_utmp.c: fixed an occurence of ut_user + - sh_utmp.c: #ifdef HAVE_UTTYPE static char terminated_line #endif + - sh_forward.c: EBADMSG -> ENOMSG + * sh_unix.c: check return value of gethostbyname + * sh_entropy.c: fallback on /dev/urandom if /dev/random blocks for + more than 30 sec + * ... and fix the timestamp format ... + +0.9.2: + * ISO 8601 timestamps + * Bugfix in sh_utmp (timestring overwrite) + * don't use siginfo_t on Linux (garbage as of 2.2.14) + * check for Linux capabilities bug when dropping root + * include README for gcc compiler bug (pointed out by A. Piesk) + * explicitely set -fno-strength-reduce with gcc + * fixed ignoring missing files with the IgnoreAll policy + +0.9.1: + * more ext2flags (breaks backward database compatibility on Linux) + * IgnoreAll policy modified - missing/added files reported with + SeverityIgnoreAll (to handle files that may or may not be present) + * Check all files, not only regular ones + (bug in sh_files, originally introduced because checksum of + regular files only is computed) + +0.9: + * use O_NOATIME if supported + * --with-nocl takes argument (PW to re-enable CL parsing) + * no daemon mode if initializing database + * fixed segfault in yule with 'unknown file type' request + * enlarged MAX_GLOBS 24 -> 32 and made the array linear + * server uses last registry entry for any given client now + * deploy.sh script to deploy clients to remote hosts + * enhanced signal handling: SIGUSR1/SIGUSR2/SIGABRT/SIGQUIT/SIGHUP + * allow y/Y/n/N for login monitoring (in addition to 0/1) + * external logging scripts/programs + * trustfile.c: define STICKY on Linux + * reset signal mask when initializing + * EINTR_RETRY wrapper + * slib: sl_read, sl_write EINTR update + * use sstrip when installing + * more compact database format (breaks backward database compatibility) + * larger download packets + * TcpFlags unsigned char + * cast to (char *) head in write_port + * m(un)lock cast to (char *) + * (1 << 31) --> (1UL << 31) + * support e2fs attributes on Linux + * fixes for AIX and Solaris native compilers + * fixed Makefile for non-GNU make (pattern rule --> suffix rule) + +0.8.1: + * fixed 'is_numeric()' return value + +0.8: + * added option for static compilation + * added option for stealth with non-hidden config file + * added option for disabling command line parsing + * all options can be set in the configuration file now + * stealth: xor strings in database file + * fixed bug in mailer code ([] in HELO) + * print timestamp when asking for key + * 'micro' stealth mode (no hidden configuration file) + * simplified slib + * int->long for uids/gids in trustfile + * moved mailkey from data to code + * shell script for entropy (stronger default key) + * general code cleanup + * better error checking in client/server code + * detect out-of-sync messages + * check state across protocol passes in server + * make sure authentication is mutual + * file download to client + * reserve six file descriptors in server + * mlock queue buffer if LOG_KEY + * improved robustness in bignum (don't fail on free()) + * per-directory recursion depths + * RFC821 compliance: empty line at end of header, To field, Date field + * RFC821 compliance: make e-mail transfer relieable + * fix detection of hardlink changes + * checksum verification for calling gpg/pgp + * CL option '-S' not required for server-only binary + * eliminate CL options that may leak privileged information + if the program is SUID + * skip leading white space in configuration file + * allow nested conditionals in configuration file + * allow whitespace before and after '=' in configuration file + * don't leak file descriptors to child processes + * make message transfer relieable + * always report error on abnormal termination of connection + +0.7: + * support for alpha machines + * stop TCP logging after exit message + * limit connections in server (DoS attacks) + * move string handling to slib + * move file handling to slib + * timestring without space + * changed report format + * SUID bugfix - use euid when checking logfile ownership + * SUID bugfix - get root for lstat() + * SUID bugfix - get root for opendir() + * store number of hardlinks + * send no message if polling empty queue + * include tiger 64-bit implementation (portability) + * codes for error conditions + * mail check: handle multiple, overlapping audit trails + * security fix: no append to database if SUID + * fix sh_entropy.c (BUFSIZ -> BUF_ENT) + * read command line before config file + * PGP signing of config/database files + * checksum of config file reported + * checking for attributes only + +0.6: + * more syslogish priority specification + * fixed segfault in sh_mem_check, apparently this was also + the reason for the segfault in atexit() + * allow for compilation with SRP authentication + * fixed tiger checksum computation + * fixed broken logfile verification for second and further audit trails + * test program added + * documentation improved + * sh_forward_make_client: bug fixed in[8]->in[i] + * sh_error.h: fixed missing #include <errno.h> + * configure.in: fixed missing strerror() test + * sh_utmp.c: check logins/logouts + * check for missing files + * only reset access time if necessary + * O_EXCL in open() + * limit environment to TZ in execve (sh_entropy.c, not used on Linux) + * use trustfile() to determine whether logfile dir is trustworthy + * strip head instead of tail for numerical address + * store messages in fifo during log server outage + * re-init session key after server outage + +0.5 (21-12-1999): + * added option for mail relay server + * own popen() implementation in sh_entropy() (portability) + * fixed error in sh_util_basename() (returned NULL for base == "/") + * fixed segfault in strlcpy/strlcat (check for src == NULL) + * FILENAME_MAX -> PATH_MAX (HP-UX 10.20) + * use TIGER for 32-byte compilers (portability) + * fixed hash function (do not include stdlib.h) + * flush buffer before write in mailer code (IBM AIX 4.1) + * make mailer code non-forking + * cast argument of is...() to int (portability) + * return() after _exit() for braindead compilers (portability) + * optionally use inet_addr (portability) + * check for broken mlock() (HP-UX 10.20) + * minor code cleanups + * fixed incorrect size of munlock()'ed memory in sh_error_string() + * fixed a buffer overflow in the error printing routine + * fixed a buffer overflow in sh_util_safe_name () + * implement SRP session key exchange + * implement client/server facility + * implement @host/@end construct in configuration file + * preferably use uname(), and do gethostbyname() for FQDN + * make vernam cipher base numeric + * make OnlyStderr private in sh_error + * test -e "/dev/random" --> test -r "/dev/random" (portability) + * check for libsocket (portability) + * add #defines for IPPORT_SMTP, IPPORT_TIMESERVER (portability) + * eliminate superfluous /proc test + * some unreachable code removed + * cast to (byte*) replaced by cast to (word64*) in sh_tiger_hash() + * check for setresuid() if no seteuid() (HP-UX 10.20) + +0.4 (09-11-1999): + * make sure output from /dev/random has no NULL's + * one-time pad encryption for emailed keys + (better than nothing ...) + +0.3 (04-11-1999): + * logfile readable for group + * verify signatures for any file + * signature block in tarball + * use select() in time server routine + * better protection for session keys (mlock) + +0.2: + * fixed incorrect man page + * fixed incorrect example rc file + * recursive error logging should work now + +0.1: + * initial release -- on Samhain 1999, of course + +development start: + * probably 29-06-1999 + diff --git a/docs/FAQ.html b/docs/FAQ.html new file mode 100644 index 0000000..b34f60c --- /dev/null +++ b/docs/FAQ.html @@ -0,0 +1,866 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> +<html><head> +<title>Frequently Asked Questions for Samhain</title> +<meta name="author" content="Rainer Wichmann"> + +<style type="text/css"> +<!-- + +html { background: #eee; color: #000; } + +body { background: #eee; color: #000; margin: 0; padding: 0;} + +div.body { + background: #fff; color: #000; + margin: 0 1em 0 1em; padding: 1em; + font-family: serif; + font-size: 1em; line-height: 1.2em; + border-width: 0 1px 0 1px; + border-style: solid; + border-color: #aaa; +} + +div.block { + background: #b6c5f2; color: #000; + margin: 1em; padding: 0 1em 0 1em; + border-width: 1px; + border-style: solid; + border-color: #2d4488; +} + +div.warnblock { + background: #b6c5f2; color: #000; + background: #ffffcc; color: #000; + margin: 1em; padding: 0 1em 0 1em; + border-width: 1px; + border-style: solid; + border-color: #FF9900; +} + +table { + background: #F8F8F8; color: #000; + margin: 1em; + border-width: 0 0 0 1px; + border-style: solid; + border-color: #C0C0C0; +} + +td { + border-width: 0 1px 1px 0; + border-style: solid; + border-color: #C0C0C0; +} + +th { + background: #F8F8FF; + border-width: 1px 1px 2px 0; + border-style: solid; + border-color: #C0C0C0; +} + + +/* body text, headings, and rules */ + +p { margin: 0; text-indent: 0em; margin: 0 0 0.5em 0 } + +h1, h2, h3, h4, h5, h6 { + color: #206020; background: transparent; + font-family: Optima, Arial, Helvetica, sans-serif; + font-weight: normal; +} + +h1 { font-size: 1.69em; margin: 1.4em 0 0.4em 0; } +h2 { font-size: 1.44em; margin: 1.4em 0 0.4em 0; } +h3 { font-size: 1.21em; margin: 1.4em 0 0.4em 0; } +h4 { font-size: 1.00em; margin: 1.4em 0 0.4em 0; } +h5 { font-size: 0.81em; margin: 1.4em 0 0.4em 0; } +h6 { font-size: 0.64em; margin: 1.4em 0 0.4em 0; } + +hr { + color: transparent; background: transparent; + height: 0px; margin: 0.6em 0; + border-width: 1px ; + border-style: solid; + border-color: #999; +} + +/* bulleted lists and definition lists */ + +ul { margin: 0 1em 0.6em 2em; padding: 0; } +li { margin: 0.4em 0 0 0; } + +dl { margin: 0.6em 1em 0.6em 2em; } +dt { color: #285577; } + +tt { color: #602020; } + +/* links */ + +a.link { + color: #33c; background: transparent; + text-decoration: none; +} + +a:hover { + color: #000; background: transparent; +} + +body > a { + font-family: Optima, Arial, Helvetica, sans-serif; + font-size: 0.81em; +} + +h1, h2, h3, h4, h5, h6 { + color: #2d5588; background: transparent; + font-family: Optima, Arial, Helvetica, sans-serif; + font-weight: normal; +} + + --> +</style></head> +<body> +<div class="body"> +<p style="text-align: center; background: #ccc; border: 1px solid #2d5588;"><a + style="text-decoration: none;" + href="http://www.la-samhna.de/samhain/">samhain file integrity + scanner</a> | <a style="text-decoration: none;" + href="http://www.la-samhna.de/samhain/s_documentation.html">online + documentation</a></p> +<br><center><h1><a name="FAQ-top">Frequently Asked Questions for Samhain</a></h1></center> +<br><center><h2>Rainer Wichmann</h2></center> +<hr> +<div class="warnblock"> +<ul> + <li>If you encounter problems after installing samhain, disable daemon + mode and run it in the foreground with + <tt>samhain --foreground [more options]</tt> for debugging.</li> + <li>If you have problems getting client/server mode to work, please check + the <a href="http://www.la-samhna.de/samhain/HOWTO-client+server-troubleshooting.html">HOWTO client+server troubleshooting</a> document.</li> +</ul> +</div> +<p><i>FAQ Revised: Wednesday 14 January 2015 20:41:15</i></p> +<hr><h2>Table of Contents</h2> +<dl> +<dt><b>1. Most frequently</b></dt> +<dd><ul> +<li><a href="#Most frequently0">1.1. Owner not trustworthy / Group writeable and member not trustworthy</a></li> +<li><a href="#Most frequently1">1.2. samhain exits with the message "Untrusted path" for config/log/pid/database files</a></li> +<li><a href="#Most frequently2">1.3. It does not log anything / Can't stop logging to console</a></li> +<li><a href="#Most frequently3">1.4. Client cannot self-resolve, but nslookup works fine</a></li> +<li><a href="#Most frequently4">1.5. Server logs hostname instead of FQDN (or vice versa)</a></li> +</ul></dd> +<dt><b>2. Build and install</b></dt> +<dd><ul> +<li><a href="#Build and install0">2.1. [Fedora Core] Cannot compile with --enable-khide</a></li> +<li><a href="#Build and install1">2.2. [Fedora Core] Cannot compile with --with-kcheck</a></li> +<li><a href="#Build and install2">2.3. "make" loops infinitely !</a></li> +<li><a href="#Build and install3">2.4. Why does static compiling (<code>--enable-static</code>) on Solaris fail ?</a></li> +<li><a href="#Build and install4">2.5. Compilation fails with '/usr/bin/ld: cannot find -lnss_files'</a></li> +<li><a href="#Build and install5">2.6. The executable is corrupted after installation</a></li> +<li><a href="#Build and install6">2.7. --enable-xml-log has no effect</a></li> +<li><a href="#Build and install7">2.8. ./install-sh: strip: not found (Solaris)</a></li> +<li><a href="#Build and install8">2.9. What is sh_tiger1.s?</a></li> +<li><a href="#Build and install9">2.10. Why does static compiling (<code>--enable-static</code>) on MaxOS X fail ?</a></li> +<li><a href="#Build and install10">2.11. Why does compiling with MySQL fail on Solaris ?</a></li> +</ul></dd> +<dt><b>3. File checking</b></dt> +<dd><ul> +<li><a href="#File checking0">3.1. How can I exclude a (sub-)directory ?</a></li> +<li><a href="#File checking1">3.2. In messages about policy violations, what does the code after POLICY [XYZ] +mean ?</a></li> +<li><a href="#File checking2">3.3. Does samhain support prelink ?</a></li> +<li><a href="#File checking3">3.4. I get error messages about 'subdirectory count != hardlinks'</a></li> +</ul></dd> +<dt><b>4. Client/Server</b></dt> +<dd><ul> +<li><a href="#Client/Server0">4.1. I don't want to poke a hole into my firewall to let the client connect to the server !</a></li> +<li><a href="#Client/Server1">4.2. The client sends 127.0.0.1 (or some other numerical address) as its name to the log server</a></li> +<li><a href="#Client/Server2">4.3. The server wants to send rc.ip-adress rather than rc.fqdn to the client</a></li> +<li><a href="#Client/Server3">4.4. Cannot resolve client name host=XXX</a></li> +<li><a href="#Client/Server4">4.5. Cannot resolve socket peer IP for client host=XXX peer=YYY</a></li> +<li><a href="#Client/Server5">4.6. Reverse lookup of socket peer failed host=XXX peer=YYY obj=ZZZ</a></li> +<li><a href="#Client/Server6">4.7. No socket peer alias matches client name host=XXX peer=YYY</a></li> +<li><a href="#Client/Server7">4.8. Session key negotiation failed</a></li> +<li><a href="#Client/Server8">4.9. Invalid connection attempt: Not in client list</a></li> +<li><a href="#Client/Server9">4.10. Invalid connection attempt: Session key mismatch</a></li> +<li><a href="#Client/Server10">4.11. How do I update the file signature database ?</a></li> +<li><a href="#Client/Server11">4.12. Time limit exceeded</a></li> +<li><a href="#Client/Server12">4.13. Invalid connection attempt: Signature mismatch</a></li> +<li><a href="#Client/Server13">4.14. [Server] PANIC .. Address already in use subroutine=bind</a></li> +</ul></dd> +<dt><b>5. Email</b></dt> +<dd><ul> +<li><a href="#Email0">5.1. Reverse lookup failed</a></li> +<li><a href="#Email1">5.2. From daemon@example.com</a></li> +<li><a href="#Email2">5.3. How do I define more than one email addresses ?</a></li> +</ul></dd> +<dt><b>6. Misc</b></dt> +<dd><ul> +<li><a href="#Misc0">6.1. Error message: "Invalid line XYZ in configuration file"</a></li> +<li><a href="#Misc1">6.2. Why do I get a local logfile if I log to the server ?</a></li> +<li><a href="#Misc2">6.3. Why is there no NIS support with a static samhain executable on Linux ?</a></li> +<li><a href="#Misc3">6.4. Why do I get hundreds of messages about modified CTIME ?</a></li> +<li><a href="#Misc4">6.5. PANIC — File not accessible</a></li> +<li><a href="#Misc5">6.6. How can I avoid error messages for invalid UIDs (no such user) ?</a></li> +<li><a href="#Misc6">6.7. [Redhat] The /etc/init.d/(samhain|yule) init script hangs</a></li> +<li><a href="#Misc7">6.8. The /etc/init.d/(samhain|yule) init script exits with: execvp: No such file or directory</a></li> +<li><a href="#Misc8">6.9. Why am I not receiving the "BEGIN LOGKEY" message by email ?</a></li> +<li><a href="#Misc9">6.10. Why does console logging fail if I compile with + <code>--enable-(micro-)stealth</code> ?</a></li> +<li><a href="#Misc10">6.11. I need a list for my schedule !</a></li> +<li><a href="#Misc11">6.12. The hiding kernel module has no effect !</a></li> +<li><a href="#Misc12">6.13. What does the message "Large lstat/open overhead" mean ?</a></li> +<li><a href="#Misc13">6.14. What does the message "Device not available path=/dev/random" mean ? I have /dev/random !</a></li> +<li><a href="#Misc14">6.15. Logging to an external program fails; the program receives no data + on stdin !</a></li> +<li><a href="#Misc15">6.16. SIGILL on AIX</a></li> +</ul></dd> +<dt><b>7. Database</b></dt> +<dd><ul> +<li><a href="#Database0">7.1. Why are client messages corrupted / incompletely stored in the DB ?</a></li> +<li><a href="#Database1">7.2. I want / don't want the server timestamps (for client messages) in the SQL database</a></li> +<li><a href="#Database2">7.3. I don't want the client TIMESTAMP messages in the SQL database</a></li> +<li><a href="#Database3">7.4. What does the log_ref field mean ?</a></li> +<li><a href="#Database4">7.5. How can I check what is in the database ?</a></li> +</ul></dd> +</dl> +<hr><h2>1. Most frequently</h2> +<dl> +<dt><b><a name="Most frequently0">1.1. Owner not trustworthy / Group writeable and member not trustworthy</a></b></dt> +<dd>An untrusted user (might be an untrusted group member + for group writeable files/directories) owns or can write to an + element in the path listed in the error message. This concerns + the configuration file, the log file, and the database file. + The offending element in the path is identified as obj=/xxx in the + error message. + To fix the problem, see next entry.<br><br></dd> +<dt><b><a name="Most frequently1">1.2. samhain exits with the message "Untrusted path" for config/log/pid/database files</a></b></dt> +<dd>Paths to critical + files (e.g. the configuration file) must be writeable by trusted users + only. + If a path element is group writeable, all group members must be trusted. + By default, only <i>root</i> and the (effective) <i>user</i> of + the program are trusted. To add trusted users, use the compile time + option +<div class="block"><pre> +$ ./configure --with-trusted=0,... +</pre></div> + or the configure file option: +<div class="block"><pre> +[Misc] +TrustedUser=username +</pre></div> +If the path to the configuration file itself is writeable + by other users than <i>root</i> and the + <i>effective user</i> + these must be defined as trusted already + at compile time.<br><br></dd> +<dt><b><a name="Most frequently2">1.3. It does not log anything / Can't stop logging to console</a></b></dt> +<dd>(1) There is a section in the manual dealing with +logging and filtering.<br /> + +(2) To log to the console: +<div class="block"><pre> +$ samhain -p info ... +</pre></div> +or in the configuration file: +<div class="block"><pre> +[Log] +PrintSeverity=info +</pre></div> + +To <i>stop</i> logging to the console: +<div class="block"><pre> +$ samhain -p none ... +</pre></div> +or in the configuration file: +<div class="block"><pre> +[Log] +PrintSeverity=none +</pre></div> +Defining <tt>/dev/null</tt> as console device works as well, but +is a bad idea, because samhain will open the device and write (i.e. it is +a very inefficient method).<br><br></dd> +<dt><b><a name="Most frequently3">1.4. Client cannot self-resolve, but nslookup works fine</a></b></dt> +<dd><ul> +<li>Nslookup is a program to query Internet domain name servers. +</li> +<li>Applications (like samhain) are not supposed to query DNS servers + directly. Rather, they are supposed to query the resolver library that: + <ul> + <li>is provided by the operating system,</li> + <li>configured by the system administrator,</li> + <li>may use several different method to determine host names, as + configured in <tt>/etc/nsswitch.conf</tt>, and</li> + <li>usually is configured to give precedence to + the <tt>/etc/hosts</tt> file.</li> + </ul> +</li> +<li>Therefore, whether nslookup gives correct answers may be completely + irrelevant. For self-resolving the own hostname, the resolver + library probably will use <tt>/etc/hosts</tt>, rather than + querying a DNS server. +</li> +</ul> +<p> +Below you can find some examples of good and bad <tt>/etc/hosts</tt> files: +</p> +<div class="block"><pre> + # CORRECT + # + 127.0.0.1 localhost + xxx.xxx.xxx.xxx myhost.mydomain.tld myhost +</pre></div> + +<div class="block"><pre> + # CORRECT + # + 127.0.0.1 localhost.localdomain localhost + xxx.xxx.xxx.xxx myhost.mydomain.tld myhost +</pre></div> + +<div class="block"><pre> + # BAD + # + 127.0.0.1 myhost.mydomain.tld localhost + xxx.xxx.xxx.xxx myhost.mydomain.tld myhost +</pre></div> + +<div class="block"><pre> + # BAD + # + 127.0.0.1 localhost myhost + xxx.xxx.xxx.xxx myhost.mydomain.tld myhost +</pre></div><br><br></dd> +<dt><b><a name="Most frequently4">1.5. Server logs hostname instead of FQDN (or vice versa)</a></b></dt> +<dd>The default is to log the hostname only, if you want the FQDN +then there is an option for the server configuration: +<div class="block"><pre> + [Misc] + SetStripDomain = true / false +</pre></div><br><br></dd> +</dl> +<hr><h2>2. Build and install</h2> +<dl> +<dt><b><a name="Build and install0">2.1. [Fedora Core] Cannot compile with --enable-khide</a></b></dt> +<dd>The Fedora Core kernel is patched to unconditionally deny reading +from /dev/kmem. Compiling the stealth kernel modules is not possible +under these circumstances.<br><br></dd> +<dt><b><a name="Build and install1">2.2. [Fedora Core] Cannot compile with --with-kcheck</a></b></dt> +<dd>The Fedora Core kernel is patched to unconditionally deny reading +from /dev/kmem. Checking the kernel for the presence of rootkits is +not possible under these circumstances.<br><br></dd> +<dt><b><a name="Build and install2">2.3. "make" loops infinitely !</a></b></dt> +<dd>This may happen (e.g. when building via NFS for multiple architectures) + if the relative timestamps in the source directory are + wrong (time not in sync on different machines) or some intermediate + target is unusable (up-to-date, but built for a different OS). Use + "touch * && make distclean" in the source directory + to recover.<br><br></dd> +<dt><b><a name="Build and install3">2.4. Why does static compiling (<code>--enable-static</code>) on Solaris fail ?</a></b></dt> +<dd>Ingo Rogalsky has provided the following information: It isn't possible + to link Samhain statically with Solaris. This + is a Solaris issue (see Sun Infodoc ID12624) and not a samhain problem.<br><br></dd> +<dt><b><a name="Build and install4">2.5. Compilation fails with '/usr/bin/ld: cannot find -lnss_files'</a></b></dt> +<dd>For Linux, this is a known problem with --enable-static if you compile + in MySQL support. The problem is that the + <tt>mysql_config</tt> that comes as part of the MySQL + distribution script incorrectly lists dependencies on + the libnss_files and libnss_dns libraries which are only available as + shared libraries, so the linker cannot find the static libraries. + + You can check this by inspecting the output of + <code>mysql_config --libs</code>. The version of + <tt>mysql_config</tt> that comes with the RedHat mysql + RPM (RedHat 9) does not have this bug; the one distributed by the MySQL + people has. You can fix the problem by editing + <tt>mysql_config</tt>: search for the + <i>client_libs</i> variable, and remove all instances + of <i>-lnss_files</i> and <i>-lnss_dns</i>.<br><br></dd> +<dt><b><a name="Build and install5">2.6. The executable is corrupted after installation</a></b></dt> +<dd>The executable will get stripped during the installation. On + suitable systems (i386 Linux/FreeBSD currently), additionally + the "sstrip" + utility (copyright 1999 by Brian Raiter, under the GNU GPL) + will be used to strip the executable even more, to prevent + debugging with the GNU "gdb" debugger. + The "strip" utility cannot handle the resulting + executable, therefore trying to strip manually after installation + will corrupt the executable.<br><br></dd> +<dt><b><a name="Build and install6">2.7. --enable-xml-log has no effect</a></b></dt> +<dd>If you have compiled for stealth, you won't see much, because if + obfuscated, then both a 'normal' and an XML logfile look, + well ... obfuscated. Use <code>samhain -jL /path/to/logfile</code> + to view the logfile.<br><br></dd> +<dt><b><a name="Build and install7">2.8. ./install-sh: strip: not found (Solaris)</a></b></dt> +<dd>Install the SUNWbtool package.<br><br></dd> +<dt><b><a name="Build and install8">2.9. What is sh_tiger1.s?</a></b></dt> +<dd>This is a precompiled assembly file for the i386 architecture +generated from sh_tiger1.c using gcc 3.4.0 with the following options, +that were found to generate the fastest code: +<pre> + -O1 -fno-delayed-branch -fexpensive-optimizations -fstrength-reduce + -fpeephole2 -fschedule-insns2 -fregmove -frename-registers -fweb + -momit-leaf-frame-pointer -funroll-loops +</pre> +These options were determined using +<a href="http://www.coyotegulch.com/products/acovea/">acovea</a> 5.1.1 +by Scott Robert Ladd. The file is provided as precompiled assembly +because different versions of gcc can have very different performance, +require different options to compile optimal code, and +it would be impossible to maintain a library of optimal compile options +for every version of gcc.<br><br></dd> +<dt><b><a name="Build and install9">2.10. Why does static compiling (<code>--enable-static</code>) on MaxOS X fail ?</a></b></dt> +<dd>Static linking is not supported on MacOS X, see +<a href="http://developer.apple.com/qa/qa2001/qa1118.html">Technical Q&A QA1118</a>. +This is a MacOS X issue and not a bug in samhain.<br><br></dd> +<dt><b><a name="Build and install10">2.11. Why does compiling with MySQL fail on Solaris ?</a></b></dt> +<dd>The reason is often the shell script 'mysql_config' that comes as part +of MySQL. This script is intended to print appropriate compiler flags for +compiling applications that use MySQL. Unfortunately, since Sun compiles +MySQL with the Solaris compiler, this script outputs options for the Solaris +compiler (i.e. unsuitable for gcc). To solve this problem, you need to move +this script (i.e. 'mysql_config') out of your PATH before running +<tt>./configure</tt> (unless of course you are using the Solaris compiler +rather than gcc).<br><br></dd> +</dl> +<hr><h2>3. File checking</h2> +<dl> +<dt><b><a name="File checking0">3.1. How can I exclude a (sub-)directory ?</a></b></dt> +<dd><div class="block"><pre> +[IgnoreAll] +dir=-1/ignore/this/subdirectory +</pre></div><br><br></dd> +<dt><b><a name="File checking1">3.2. In messages about policy violations, what does the code after POLICY [XYZ] +mean ?</a></b></dt> +<dd>This code indicates which items are modified (e.g. C = checksum). You can +find a description in section 5.4.9 in the user manual. It is there because +then you can see in the message list of the Beltane web console what has been +modified, without the need to look at the message in detail.<br><br></dd> +<dt><b><a name="File checking2">3.3. Does samhain support prelink ?</a></b></dt> +<dd>Yes. There is a special checking policy [Prelink]. Directories with +prelinked executables / shared libraries (see /etc/prelink.conf) should be +placed under this policy, rather than under the [ReadOnly] policy.<br><br></dd> +<dt><b><a name="File checking3">3.4. I get error messages about 'subdirectory count != hardlinks'</a></b></dt> +<dd>Some filesystems do not always follow the rule that the number +of directory +hardlinks equals the number of subdirectories. E.g. the root directory of +reiserfs partitions generally seems to have two additional hardlinks. +To account for such exceptions, you can either switch off the +hardlink check globally, or specify exceptions: +<div class="block"><pre> +[Misc] +# Switch off hardlink check +# +UseHardlinkCheck=no +</pre></div> +<div class="block"><pre> +[Misc] +# Specify exceptions for the hardlink check +# +HardlinkOffset=N:/path +</pre></div> +Here, N is the numerical offset (actual - expected hardlinks) for +'/path'. For multiple exceptions, use +this options multiple times (note that '/path N:/path2' would itself be a valid +path, so using the option only once with multiple exceptions on the same line +would be ambiguous).<br><br></dd> +</dl> +<hr><h2>4. Client/Server</h2> +<dl> +<dt><b><a name="Client/Server0">4.1. I don't want to poke a hole into my firewall to let the client connect to the server !</a></b></dt> +<dd>Pat Smith has posted the following solution. On the client, create +an iptable rule as follows (<i>note: you probably don't need this if you +configure / compile in 127.0.0.1 as the server address</i>): +<div class="block"><pre> +iptables -t nat -A OUTPUT -p tcp -m tcp --dport 49777 -d <i>server-ip</i> -j REDIRECT +</pre></div> + +On the server, create an ssh tunnel for each client outside the firewall: + +<div class="block"><pre> +ssh -f -C -R 49777:localhost:49777 -N <i>client-ip</i> +</pre></div> + +It is necessary that each client has a distinct name, and that the server +knows the name of the client. With the setup above, each client will appear +as "localhost" to the server, thus the server +needs to trust the client name +as reported by the client itself, and suppress all errors on resolving +this name to the apparent address. In the server configuration: + +<div class="block"><pre> +[Misc] +SetClientFromAccept = false +SeverityLookup = debug +</pre></div> + +Obviously, self-resolving must work on the client machine, otherwise +you are in trouble (see next issue).<br><br></dd> +<dt><b><a name="Client/Server1">4.2. The client sends 127.0.0.1 (or some other numerical address) as its name to the log server</a></b></dt> +<dd>See 'Client cannot self-resolve' in the 'Most frequently' section<br><br></dd> +<dt><b><a name="Client/Server2">4.3. The server wants to send rc.ip-adress rather than rc.fqdn to the client</a></b></dt> +<dd>The client self-resolves to its ip address. +See 'Client cannot self-resolve' in the 'Most frequently' section<br><br></dd> +<dt><b><a name="Client/Server3">4.4. Cannot resolve client name host=XXX</a></b></dt> +<dd><div class="block"><pre> +The server must be able to determine the client name. +This is because only authenticated connections from registered +clients are allowed, and +the server must be able to check the client hostname against the list of +allowed hosts, and look up the password verifier for that +host. +</pre></div> +There are two different ways to accomplish this. Unfortunately, judging +from customer feedback as well from common sense, both do not work very well +with a messed up local DNS (including /etc/hosts files) and/or +überparanoid or misconfigured firewalls (in case of connections +across one). +<ul> + <li> + <p> + <i>First method: Determine client name on client, and + try to cross-check on server</i> + <p> + <p> + This does not work for a number of people because (1) the + <tt>/etc/hosts</tt> file on the client machine has errors + (yes, there are plenty machines with a completely + messed up <tt>/etc/hosts</tt> file), (2) the + server cannot resolve the client address because the local DNS is + f***ed up, or (3) the client machine has multiple network interfaces, and + the interface used is not the one the client name resolves to. + </p> + <p> + If the client uses the wrong interface on a multi-interface machine, + there is a config file option + <tt>SetBindAddress=</tt><i>IP address</i> + that allows to choose the interface the client will use for + outgoing connections. + </p> + <p> + If you want to download the config file from the server, you + should instead use the corresponding command line + <tt>--bind-address=</tt><i>IP address</i> + to select the interface. + </p> + + <p> + If you encounter problems, you may (1) fix your + <tt>/etc/hosts</tt> file(s), (2) fix your local DNS, or + (3) switch to the second method. + </p> + <p> + Errors in name resolving/cross-checking can be avoided by setting a + very low severity (lower than the logging threshold), e.g. + </p> + <p> + <tt>SeverityLookup=</tt><i>debug</i> + </p> + <p> + in the <i>Misc</i> section of the server configuration, + if you prefer running <i>unsafe</i> at any speed + instead of fixing the problem (you have been warned). Doing so will + allow an attacker to pose as the client. + </p> + </li> + <li> + <p><i>Second method: Use address of connecting entity as + known to the communication layer</i></p> + <p> + This has been dropped as default + long ago because it may not always be the + address of the client machine. + To enable this method, use + </p> + <p> + <tt>SetClientFromAccept=</tt><i>true</i> + </p> + <p> + in the <i>Misc</i> section of the server configuration + file. If the address cannot be resolved, or reverse lookup of the + resolved name fails, <i>no</i> error message will be issued, + but the numerical address will be used. + </p> + </li> +</ul><br><br></dd> +<dt><b><a name="Client/Server4">4.5. Cannot resolve socket peer IP for client host=XXX peer=YYY</a></b></dt> +<dd>See above<br><br></dd> +<dt><b><a name="Client/Server5">4.6. Reverse lookup of socket peer failed host=XXX peer=YYY obj=ZZZ</a></b></dt> +<dd>See above<br><br></dd> +<dt><b><a name="Client/Server6">4.7. No socket peer alias matches client name host=XXX peer=YYY</a></b></dt> +<dd>See above<br><br></dd> +<dt><b><a name="Client/Server7">4.8. Session key negotiation failed</a></b></dt> +<dd>See the document <a href="HOWTO-client+server-troubleshooting.html">HOWTO client+server troubleshooting</a><br><br></dd> +<dt><b><a name="Client/Server8">4.9. Invalid connection attempt: Not in client list</a></b></dt> +<dd>See the document <a href="HOWTO-client+server-troubleshooting.html">HOWTO client+server troubleshooting</a><br><br></dd> +<dt><b><a name="Client/Server9">4.10. Invalid connection attempt: Session key mismatch</a></b></dt> +<dd>See the document <a href="HOWTO-client+server-troubleshooting.html">HOWTO client+server troubleshooting</a><br><br></dd> +<dt><b><a name="Client/Server10">4.11. How do I update the file signature database ?</a></b></dt> +<dd>If you keep the file signature database on the server, + the database is supposed to be updated on the server, using the + <a href="http://www.la-samhna.de/beltane/">beltane</a> + web-based console (currently in beta) and the + log messages from the client. + <p> + Alternatively, you can <code>scp</code> the database + to the client, run <code>samhain -t update -l none --foreground</code> + (you + need to avoid logging because otherwise you will get in conflict with + the running samhain daemon), and then <code>scp</code> the + database back to the server. Actually, with a properly set up + "ssh", using RSA/DSA authentication + and ssh-agent you could write a script to automate this.<br><br></dd> +<dt><b><a name="Client/Server11">4.12. Time limit exceeded</a></b></dt> +<dd>The respective client for that this message is generated has not + sent anything for some interval of time (default 84600 sec = 1 day). + The interval can be set as follows: +<div class="block"><pre> + [Misc] + # unit is seconds + SetClientTimeLimit=NNN +</pre></div> + + This feature has the purpose to detect if a client is dead. You + might want to ensure that timestamps are sent to the server: +<div class="block"><pre> + [Log] + ExportSeverity=mark +</pre></div> + If you don't want to use this feature, set the time limit to some + very large value.<br><br></dd> +<dt><b><a name="Client/Server12">4.13. Invalid connection attempt: Signature mismatch</a></b></dt> +<dd>Clients sign their messages using a session key negotiated + with the server. The message indicates that the server could + not verify the signature. This may be caused by a running two + instances of samhain on the same client machine, both of them + accessing the server (and negotiating different session keys + ...). The system will recover automatically from the problem + by forcing the failed client to negotiate a fresh session key.<br><br></dd> +<dt><b><a name="Client/Server13">4.14. [Server] PANIC .. Address already in use subroutine=bind</a></b></dt> +<dd>The server cannot bind to its port because the port is already used. + Maybe you have accidentially already an instance of the + server running.<br><br></dd> +</dl> +<hr><h2>5. Email</h2> +<dl> +<dt><b><a name="Email0">5.1. Reverse lookup failed</a></b></dt> +<dd>Fix your DNS (reverse lookup: numerical IP address to FQDN, to verify + FQDN to numerical IP address). +<div class="block"><pre> +Whether "nslookup" works is not very informative, because +"nslookup" does not use the resolver library of the operating +system. Therefore, +it is not exactly the +best tool for debugging name resolving problems (see the book +"DNS and bind"). +</pre></div><br><br></dd> +<dt><b><a name="Email1">5.2. From daemon@example.com</a></b></dt> +<dd>samhain fails to resolve the + self-address of the host. +See 'Client cannot self-resolve' in the 'Most frequently' section.<br><br></dd> +<dt><b><a name="Email2">5.3. How do I define more than one email addresses ?</a></b></dt> +<dd>Use <tt>SetMailAddress=...</tt> multiple times (upt to eight addresses +are possible, with at most 63 characters per address): +<div class="block"><pre> +[Misc] +SetMailAddress=aaa@foo.com +SetMailAddress=bbb@foo.com +</pre></div><br><br></dd> +</dl> +<hr><h2>6. Misc</h2> +<dl> +<dt><b><a name="Misc0">6.1. Error message: "Invalid line XYZ in configuration file"</a></b></dt> +<dd>This message indicates that line XYZ in the configuration file contains +an unrecognized directive. The primary reasons are:<br /> + +(a) The directive should be placed into a particular section of the +configuration file, but the section header is not present (or you forgot +to uncomment it).<br /> + +(b) Samhain is compiled without support for this directive.<br /> + +(c) You have a typo in the directive.<br /><br><br></dd> +<dt><b><a name="Misc1">6.2. Why do I get a local logfile if I log to the server ?</a></b></dt> +<dd>Because you can use all log facilities in parallel. You should + switch off in the config file what you don't want/need: +<div class="block"><pre> + [Log] + # local log file + LogSeverity=none +</pre></div><br><br></dd> +<dt><b><a name="Misc2">6.3. Why is there no NIS support with a static samhain executable on Linux ?</a></b></dt> +<dd>Some functions (including NIS) require + libraries that are only available as shared libraries + with modern GLIBC versions. While you can always compile a static + executable, normally it would still open the shared library at runtime. + As of version 1.8.11, samhain avoids this by providing replacement + functions from uClibc. However, these do not include NIS support.<br><br></dd> +<dt><b><a name="Misc3">6.4. Why do I get hundreds of messages about modified CTIME ?</a></b></dt> +<dd>This happens because some + backup applications reset the atime/mtime timestamps, which causes + the ctime timestamp to be modified (rootkits avoid this by + temporarily resetting the system clock to the original ctime ...). + <p> + To fix this problem, read the manual of your backup application, or + redefine the ReadOnly policy to <i>not</i> check + the ctime timestamp: +<div class="block"><pre> + [Misc] + RedefReadOnly=-CTM +</pre></div> +<div class="warnblock"><pre> + Order matters - you must <i>first</i> redefine + ReadOnly <i>before</i> you use it +</pre></div><br><br></dd> +<dt><b><a name="Misc4">6.5. PANIC — File not accessible</a></b></dt> +<dd>Most likely permission denied because of unsufficient privileges.<br><br></dd> +<dt><b><a name="Misc5">6.6. How can I avoid error messages for invalid UIDs (no such user) ?</a></b></dt> +<dd>Set SeverityNames to a low value +<div class="block"><pre> +[EventSeverity] +SeverityNames=debug +</pre></div><br><br></dd> +<dt><b><a name="Misc6">6.7. [Redhat] The /etc/init.d/(samhain|yule) init script hangs</a></b></dt> +<dd>Redhat uses "initlog" (see + <code>man initlog</code>) in initscripts. If it hangs, most probably + samhain/yule runs in the foreground rather than as daemon. Set + daemon mode in the configuration file: +<div class="block"><pre> +[Misc] +Daemon=yes +</pre></div><br><br></dd> +<dt><b><a name="Misc7">6.8. The /etc/init.d/(samhain|yule) init script exits with: execvp: No such file or directory</a></b></dt> +<dd>Either the program is not installed, or it is not in the PATH (the one + used by the init script, which may be different from your PATH).<br><br></dd> +<dt><b><a name="Misc8">6.9. Why am I not receiving the "BEGIN LOGKEY" message by email ?</a></b></dt> +<dd>This message (which contains the key to verify the log file) is generated + when logging to the log file starts. It has the severity "ALRT", + thus you should make sure that you have set the logging threshold for + email correctly to receive it.<br><br></dd> +<dt><b><a name="Misc9">6.10. Why does console logging fail if I compile with + <code>--enable-(micro-)stealth</code> ?</a></b></dt> +<dd>The default logging options are more "stealthy". Set the + threshold explicitely rather than relying on the default.<br><br></dd> +<dt><b><a name="Misc10">6.11. I need a list for my schedule !</a></b></dt> +<dd>You can have the same effect with a list of schedules. See the section +"Timing file checks" in the manual.<br><br></dd> +<dt><b><a name="Misc11">6.12. The hiding kernel module has no effect !</a></b></dt> +<dd>Most probably you compiled using the wrong "System.map" file.<br><br></dd> +<dt><b><a name="Misc12">6.13. What does the message "Large lstat/open overhead" mean ?</a></b></dt> +<dd>Your system needs several seconds to proceed from an lstat() system call + to an open() system call. This is a tremenduous overhead, and + indicates that either your system has a really severe performance problem, + or someone tries to slow down samhain.<br><br></dd> +<dt><b><a name="Misc13">6.14. What does the message "Device not available path=/dev/random" mean ? I have /dev/random !</a></b></dt> +<dd>/dev/random blocks unless there is some entropy it can deliver. Samhain + will time out and fall back on /dev/urandom after some seconds to avoid + hanging for a potentially long time. It will try /dev/random again next + time it needs entropy.<br><br></dd> +<dt><b><a name="Misc14">6.15. Logging to an external program fails; the program receives no data + on stdin !</a></b></dt> +<dd>Probably your program is not designed to <i>wait for input</i>, but exits + if reading fails (because there is no data <i>yet</i>). You may want to + let your program wait for the terminating "[EOF]" line.<br><br></dd> +<dt><b><a name="Misc15">6.16. SIGILL on AIX</a></b></dt> +<dd>For each scanned file, samhain needs to + store some information in memory (e.g. to recognize changes that have + already been reported, and avoid duplicate reports). On AIX, if you are + checking a <i>really huge</i> number of files, + memory usage may exceed the default limit of 256 MB, and the process may + terminate with SIGILL. + <p> + The problem can be solved by linking with the flag + <code>-bmaxdata:0x80000000</code>. This allows the application to + access up to 8 segments (where each segment is 256MB). + <p> + If you are using gcc, you need to use instead + the flag <code>-Wl,bmaxdata:0x80000000</code>, which tells + gcc to pass on the + <i>bmaxdata</i> + flag to the AIX linker. You can use the LDFLAGS environment variable to + pass linker flags to the configure script: +<div class="block"><pre> + export LDFLAGS="-Wl,bmaxdata:0x80000000" +</pre></div><br><br></dd> +</dl> +<hr><h2>7. Database</h2> +<dl> +<dt><b><a name="Database0">7.1. Why are client messages corrupted / incompletely stored in the DB ?</a></b></dt> +<dd>Because the messages are not in XML format, and therefore incorrectly + parsed. The most frequent reasons are: +<div class="block"><pre> + 1.) Your server is compiled with --enable-xml-log, but your client(s) + is/are not. + + 2.) In your client or server configuration file, you are using + the option for a custom message header, but without paying attention + to preserving the XML format. +</pre></div><br><br></dd> +<dt><b><a name="Database1">7.2. I want / don't want the server timestamps (for client messages) in the SQL database</a></b></dt> +<dd><div class="block"><pre> +[Database] +SetDBServerTstamp = true/false +</pre></div> + + This will enable/disable logging of the server timestamp for client + messages. The server timestamp will be written to a seperate record, + with <i>log_ref</i> set to the value of + <i>log_index</i> of the corresponding client message.<br><br></dd> +<dt><b><a name="Database2">7.3. I don't want the client TIMESTAMP messages in the SQL database</a></b></dt> +<dd><div class="block"><pre> + Sending timestamps from the client allows the server to detect if + a client is not running anymore (use SetClientTimeLimit=NNN in the + [Misc] section of the server config file to set the number of seconds + after which the server will issue an error message if no timestamp has + been received). +</pre></div> + + However, you might not want to log these timestamps to the database + (or other log facilities). To filter them, you can use two methods + (examples are for the SQL database). + The first + one has the disadvantage that only messages of + severity <i>err</i> or higher will be logged: +<div class="block"><pre> + [Misc] + UseClientSeverity=yes + + [Log] + DatabaseSeverity=err +</pre></div> + + The second method is more specific — log everything not + belonging to the STAMP class of messages: +<div class="block"><pre> + [Misc] + UseClientClass=yes + + [Log] + DatabaseClass=PANIC RUN FIL TCP ERR ENET EINPUT +</pre></div><br><br></dd> +<dt><b><a name="Database3">7.4. What does the log_ref field mean ?</a></b></dt> +<dd>NULL are client messages. Nonzero integer is a server timestamp + for a client message (where log_ref indicates the log_index entry + number of the corresponding client message). Zero indicates a message + by the server itself (e.g. the server's start message).<br><br></dd> +<dt><b><a name="Database4">7.5. How can I check what is in the database ?</a></b></dt> +<dd>Use a command line client to login to the database and query it: +<div class="block"><pre> + sh$ mysql -u <user_name> -p <database_name> + Enter password: **** + mysql> SELECT log_index,log_ref,log_host,log_sev,log_msg,path FROM <table_name> WHERE entry_status = 'NEW' ORDER BY log_index; + .... + mysql> \q +</pre></div><br><br></dd> +</dl> +<hr> + +<p>Copyright (c) 2004 Rainer Wichmann</p> + +<p><i>This list of questions and answers was generated by +<a href="http://www.makefaq.org/">makefaq</a>.</i> + +</div> +</body> +</html> diff --git a/docs/HOWTO-client+server-troubleshooting.html b/docs/HOWTO-client+server-troubleshooting.html new file mode 100644 index 0000000..ec4e555 --- /dev/null +++ b/docs/HOWTO-client+server-troubleshooting.html @@ -0,0 +1,452 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> +<html> +<head> +<title>HOWTO client+server troubleshooting</title> +<style type="text/css"> +<!-- + +html { background: #eee; color: #000; } + +body { background: #eee; color: #000; margin: 0; padding: 0;} + +div.body { + background: #fff; color: #000; + margin: 0 1em 0 1em; padding: 1em; + font-family: serif; + font-size: 1em; line-height: 1.2em; + border-width: 0 1px 0 1px; + border-style: solid; + border-color: #aaa; +} + +div.block { + background: #b6c5f2; color: #000; + margin: 1em; padding: 0 1em 0 1em; + border-width: 1px; + border-style: solid; + border-color: #2d4488; +} + +div.warnblock { + background: #b6c5f2; color: #000; + background: #ffffcc; color: #000; + margin: 1em; padding: 0 1em 0 1em; + border-width: 1px; + border-style: solid; + border-color: #FF9900; +} + +table { + background: #F8F8F8; color: #000; + margin: 1em; + border-width: 0 0 0 1px; + border-style: solid; + border-color: #C0C0C0; +} + +td { + border-width: 0 1px 1px 0; + border-style: solid; + border-color: #C0C0C0; +} + +th { + background: #F8F8FF; + border-width: 1px 1px 2px 0; + border-style: solid; + border-color: #C0C0C0; +} + + +/* body text, headings, and rules */ + +p { margin: 0; text-indent: 0em; margin: 0 0 0.5em 0 } + +h1, h2, h3, h4, h5, h6 { + color: #206020; background: transparent; + font-family: Optima, Arial, Helvetica, sans-serif; + font-weight: normal; +} + +h1 { font-size: 1.69em; margin: 1.4em 0 0.4em 0; } +h2 { font-size: 1.44em; margin: 1.4em 0 0.4em 0; } +h3 { font-size: 1.21em; margin: 1.4em 0 0.4em 0; } +h4 { font-size: 1.00em; margin: 1.4em 0 0.4em 0; } +h5 { font-size: 0.81em; margin: 1.4em 0 0.4em 0; } +h6 { font-size: 0.64em; margin: 1.4em 0 0.4em 0; } + +hr { + color: transparent; background: transparent; + height: 0px; margin: 0.6em 0; + border-width: 1px ; + border-style: solid; + border-color: #999; +} + +/* bulleted lists and definition lists */ + +ul { margin: 0 1em 0.6em 2em; padding: 0; } +li { margin: 0.4em 0 0 0; } + +dl { margin: 0.6em 1em 0.6em 2em; } +dt { color: #285577; } + +tt { color: #602020; } + +/* links */ + +a.link { + color: #33c; background: transparent; + text-decoration: none; +} + +a:hover { + color: #000; background: transparent; +} + +body > a { + font-family: Optima, Arial, Helvetica, sans-serif; + font-size: 0.81em; +} + +h1, h2, h3, h4, h5, h6 { + color: #2d5588; background: transparent; + font-family: Optima, Arial, Helvetica, sans-serif; + font-weight: normal; +} + + --> +</style></head> + +<body> +<div class="body"> +<p style="text-align: center; background: #ccc; border: 1px solid #2d5588;"><a + style="text-decoration: none;" + href="http://www.la-samhna.de/samhain/">samhain file integrity + scanner</a> | <a style="text-decoration: none;" + href="http://www.la-samhna.de/samhain/s_documentation.html">online + documentation</a></p> +<br><center> +<h1>Samhain client/server: What can go wrong, and how can you fix it ?</h1> +</center> +<br> +<hr> +<div class="warnblock"> +<ul> + <li>Almost all problems can only be diagnosed correctly by checking the + <b>server logs</b>.</li> + <li> + If the server does not write logs, <b>fix this first</b>. For debugging, + stop the server, then run it in the foreground with + <tt>yule -p info --foreground</tt> + <ul> + <li> + By default, the server logs to the file + <tt>/var/log/yule/yule_log</tt>, and since the server drops + root privileges on startup, the directory <tt>/var/log/yule</tt> + must be writable for the nonprivileged user the server runs + as (the first existing out of: yule, daemon, nobody). + </li> + <li> + Logging to the logfile must be enabled in the + <tt>/etc/yulerc</tt> config file (e.g. LogSeverity=mark, or + LogSeverity=info for enhanced verbosity). + </li> + </ul> + </li> +</ul> +</div> +<p> +This document aims to explain how to diagnose and fix common problems that +may result from misunderstanding or misconfiguration when setting up +a client/server samhain system. This document is divided in several sections +more or less corresponding to the different stages when a client +connects to a server. Each section starts with a brief explanation that +should provide a basic understanding of what is going on. +</p> +<p> +This document does not discuss <i>how</i> to setup a client/server (for +this, look into the manual and/or the HOWTO-client+server). +</p> + +<h2><a name="sect1">Table of Contents</a></h2> +<p> +<a href="#sect1">Connecting to the server</a><br> +<a href="#sect2">Authentication</a><br> +<a href="#sect3">Downloading config/database files</a><br> +<a href="#sect4">Other connection problems</a><br> +</p> + +<h2><a name="sect1">Connecting to the server</a></h2> + +<p> +Client/server connections are always initiated from the client. The port +is compiled in (there is a configure option to change the default). +The default port is 49777. +</p> + +<h3>Problem #1</h3> +<p> +The client reports: <b>Connection refused</b>. The server reports nothing. +</p> +<p> +The server is down, listens on the wrong port, or network failure. +</p> + +<h3>Problem #2</h3> +<p> +The client reports: <b>Connection error: Connection reset by peer</b>, and +later also <b>Session key negotiation failed</b>. The server reports: +<b>msg="Refused connection from ..." subroutine="libwrap"</b>. +</p> +<p> +The server is compiled with libwrap (TCP Wrapper) support, and the +client is either in <tt>/etc/hosts.deny</tt>, or you have set <i>yule: ALL</i> +in <tt>/etc/hosts.deny</tt>, and forgot to put the client in +<tt>/etc/hosts.allow</tt>. +</p> +<p> +To fix: make proper entries in <tt>/etc/hosts.allow</tt> and/or +<tt>/etc/hosts.deny</tt>. There is no need to restart/reload the server. +</p> + + +<h2><a name="sect2">Authentication</a></h2> +<p> +The client has a password that is used to authenticate to the server. +This password is located within the binary, and is set with the +<tt>samhain_setpwd</tt> helper application, as explained e.g. in the +manual or in the Client+Server HOWTO. +</p><p> +The server has a list of clients that are allowed to connect, and the +verifiers corresponding to the passwords of these clients. +</p> +<p> +Upon successful authentication, client and server will negotiate +a <b>session key</b> that is used for signing further messages +from the client. +</p> + +<h3>Problem #1</h3> + +<p> +If the password is wrong, the client will report +<b>Session key negotiation failed</b>. The server will +report: <b>Invalid connection attempt: Session key mismatch</b> +</p> +<p> +To fix: make sure that the password has in fact been set, that you are +using the correct executable for the client (the one where the password is +set), and that the entry in the server config file is the one generated +for this password (also look out for double entries for this client). +</p> + +<h3>Problem #2</h3> + +<p> +If the client name (as resolved on the server) is wrong, the client +will report +<b>Session key negotiation failed</b>. The server will +report: <b>Invalid connection attempt: Not in client list</b>, +<i>and</i> it will tell you in the same error message +what name it has inferred for the connecting +client (example): <b>client="client.mydomain.com"</b>. +</p> +<p> +The fix depends on the nature of the problem. In principle, it should be +sufficient to change the name of the client in the config file entry, which +isn't really a solution if e.g. the server thinks the client is 'localhost'. +</p> +<p> +There are two different ways to determine the client name. +Unfortunately, judging +from customer feedback as well from common sense, both do not work very well +with a messed up local DNS (including /etc/hosts files) and/or +überparanoid or misconfigured firewalls (in case of connections +across one). +</p> +<ul> + <li> + <p> + <i>First method: Determine client name on client, and + try to cross-check on server</i> + <p> + <p> + This does not work for a number of people because + <ol> + <li> + the + <tt>/etc/hosts</tt> file on the client machine has errors + (yes, there are plenty machines with a completely + messed up <tt>/etc/hosts</tt> file), + </li> + <li> + the + server cannot resolve the client address because the local DNS is + misconfigured, or + </li> + <li> + the client machine has multiple network interfaces, and + the interface used is not the one the client name resolves to. + </li> + </ol> + </p> + + <p> + If the client uses the wrong interface on a multi-interface machine, + there is a config file option + <tt>SetBindAddress=</tt><i>IP address</i> + that allows to choose the interface the client will use for + outgoing connections. + </p> + <p> + If you want to download the config file from the server, you + should instead use the corresponding command line option + <tt>--bind-address=</tt><i>IP address</i> + to select the interface. + </p> + + <p> + If you encounter problems, you may (1) fix your + <tt>/etc/hosts</tt> file(s), (2) fix your local DNS, or + (3) switch to the second method. + </p> + <p> + Error messages related to name resolving/cross-checking can be + suppressed by setting a + very low severity (lower than the logging threshold), e.g. + </p> + <p> + <tt>SeverityLookup=</tt><i>debug</i> + </p> + <p> + in the <i>Misc</i> section of the server configuration, + if you prefer running <i>unsafe</i> at any speed + instead of fixing the problem (you have been warned). Doing so will + allow an attacker to pose as the client. + </p> + </li> + <li> + <p><i>Second method: Use address of connecting entity as + known to the communication layer</i></p> + <p> + This has been dropped as default + long ago because it may not always be the + address of the client machine. + To enable this method, use + </p> + <p> + <tt>SetClientFromAccept=</tt><i>true</i> + </p> + <p> + in the <i>Misc</i> section of the server configuration + file. If the address cannot be resolved, or reverse lookup of the + resolved name fails, <i>no</i> error message will be issued, + but the numerical address will be used. + </p> + </li> +</ul> + + +<h2><a name="sect3">Downloading config/database files</a></h2> + +<p> +The client does <i>not</i> tell the server the path to the requested +file - it just tells the <em>type</em> of the file, i.e. +either a configuration file or a database file. It is entirely the +responsibility of the server to locate the correct file and send it. +</p> +<p> +The server has a <i>data directory</i>, which by default would be +<tt>/var/lib/yule</tt>. Here the config/database files should be placed. +</p> +<p> +Configuration files: <tt>rc.</tt><i>client.mydomain.tld</i> or +simply <tt>rc</tt> +(this can be used as a catchall file). +</p> +<p> +Database files: <tt>file.</tt><i>client.mydomain.tld</i> or +simply <tt>file</tt> +(this can be used as a catchall file). +</p> + +<h3>Problem #1</h3> + +<p> +If the server cannot access the configuration (or database) file, either +because it does not exist or the server has no read permission, the +client will report <b>File download failed</b>. The server will +report: <b>File not accessible</b>, <i>and</i> it will tell you in the +same report the path where it would have expected the file (example): +<b>path="/var/lib/yule/rc.client.mydomain.com"</b> +</p> +<p> +To fix: put the file in the correct location, make sure the permissions +are ok. +<ul> + <li> + Note that <em>the server drops root privileges at startup</em> and + runs as an unprivileged user (the first existing out of: + yule, daemon, nobody). + </li> + <li> + Also remember that to access a file, at least execute permission is required + <em>for every directory in the path</em>. + </li> +</ul> +</p> + + +<h2><a name="sect4">Other connection problems</a></h2> + +<p> +The server has a table with client names and their session keys. If +another client process accesses the server from the same host, +it will negotiate a fresh session key for that host. As a consequence, +the session key of the first client process will become <i>invalid</i>. +</p> +<p> +Also, the server keeps track of the status of a client. If a client +process does not announce its termination to the server, the server +will not expect a <i>startup</i> message, and issue a warning for any +such message. +</p> + +<h3>Problem #1</h3> + +<p> +The client reports: <b>Invalid connection state</b>. The server reports: +<b>Invalid connection attempt: Signature mismatch</b>. This is a sign that +a client has tried to connect using an invalid session key. Most probably, +another instance of the client is/was started on the respective host. +</p> +<p> +To fix: if you need to have concurrent access to the server, +suspend the first process with SIGUSR2 before starting the second. Use +SIGUSR2 again to wake up the first process. Give the process a second or two +to return into the main event loop and go into suspend mode. Do not just use +SIGSTOP/SIGCONT: it is important that the client tells the server that +it will go into suspend. +</p> + +<h3>Problem #2</h3> + +<p> +The server reports: +<b>Restart without prior exit</b> for a client. +This is a sign that +a client has re-started without informing the server about a previous +termination. +</p> +<p> +This would happen if the client was killed with SIGKILL, or if it terminated +within the routine to send a message to the server (the routine is +not re-entrant). You may want to investigate messages logged via another +logging facility (e.g. the client's local logfile). Of course it <i>may</i> +also be a segfault, which would be reported via syslog. +</p> + +</div> +</body> +</html> diff --git a/docs/HOWTO-client+server.html b/docs/HOWTO-client+server.html new file mode 100644 index 0000000..e2d7d8e --- /dev/null +++ b/docs/HOWTO-client+server.html @@ -0,0 +1,441 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> +<html> +<head> +<title>HOWTO client+server</title> +<style type="text/css"> +<!-- + +html { background: #eee; color: #000; } + +body { background: #eee; color: #000; margin: 0; padding: 0;} + +div.body { + background: #fff; color: #000; + margin: 0 1em 0 1em; padding: 1em; + font-family: serif; + font-size: 1em; line-height: 1.2em; + border-width: 0 1px 0 1px; + border-style: solid; + border-color: #aaa; +} + +div.block { + background: #b6c5f2; color: #000; + margin: 1em; padding: 0 1em 0 1em; + border-width: 1px; + border-style: solid; + border-color: #2d4488; +} + +div.warnblock { + background: #b6c5f2; color: #000; + margin: 1em; padding: 0 1em 0 1em; + border-width: 1px; + border-style: solid; + border-color: #FF9900; +} + +table { + background: #F8F8F8; color: #000; + margin: 1em; + border-width: 0 0 0 1px; + border-style: solid; + border-color: #C0C0C0; +} + +td { + border-width: 0 1px 1px 0; + border-style: solid; + border-color: #C0C0C0; +} + +th { + background: #F8F8FF; + border-width: 1px 1px 2px 0; + border-style: solid; + border-color: #C0C0C0; +} + + +/* body text, headings, and rules */ + +p { margin: 0; text-indent: 0em; margin: 0 0 0.5em 0 } + +h1, h2, h3, h4, h5, h6 { + color: #206020; background: transparent; + font-family: Optima, Arial, Helvetica, sans-serif; + font-weight: normal; +} + +h1 { font-size: 1.69em; margin: 1.4em 0 0.4em 0; } +h2 { font-size: 1.44em; margin: 1.4em 0 0.4em 0; } +h3 { font-size: 1.21em; margin: 1.4em 0 0.4em 0; } +h4 { font-size: 1.00em; margin: 1.4em 0 0.4em 0; } +h5 { font-size: 0.81em; margin: 1.4em 0 0.4em 0; } +h6 { font-size: 0.64em; margin: 1.4em 0 0.4em 0; } + +hr { + color: transparent; background: transparent; + height: 0px; margin: 0.6em 0; + border-width: 1px ; + border-style: solid; + border-color: #999; +} + +/* bulleted lists and definition lists */ + +ul { margin: 0 1em 0.6em 2em; padding: 0; } +li { margin: 0.4em 0 0 0; } + +dl { margin: 0.6em 1em 0.6em 2em; } +dt { color: #285577; } + +tt { color: #602020; } + +/* links */ + +a.link { + color: #33c; background: transparent; + text-decoration: none; +} + +a:hover { + color: #000; background: transparent; +} + +body > a { + font-family: Optima, Arial, Helvetica, sans-serif; + font-size: 0.81em; +} + +h1, h2, h3, h4, h5, h6 { + color: #2d5588; background: transparent; + font-family: Optima, Arial, Helvetica, sans-serif; + font-weight: normal; +} + + --> +</style></head> + +<body> +<div class="body"> +<p style="text-align: center; background: #ccc; border: 1px solid #2d5588;"><a + style="text-decoration: none;" + href="http://www.la-samhna.de/samhain/">samhain file integrity + scanner</a> | <a style="text-decoration: none;" + href="http://www.la-samhna.de/samhain/s_documentation.html">online + documentation</a></p> +<br><center> +<h1>Setting up a client/server samhain system</h1> +</center> +<br> +<hr> +<p> +This document aims to explain how to set up a client/server +samhain system, where the client (samhain) runs on one machine to be +monitored, and sends reports via TCP/IP to a remote server (yule). +</p> +<p> +<b>Please note:</b> the server (yule) does not perform any filesystem and/or +kernel checks. If you want to perform such checks on the log server host, +you need to run a samhain client on this host as well. +</p> +<p> +Client and server are +<b>distict applications</b>, and must be +built seperately. By default, installation names and paths (e.g. +the configuration file) are +different. Do not blame us if you abuse './configure' options to +cause name clashes, if you install both on the same host. +</p> + +<h2>Introduction</h2> +<p> +Samhain can be compiled for remote logging to a central server via a +secure (AES-encrypted, signed, and authenticated) TCP/IP connection. +</p><p> +In addition, both the client configuration file and the file signature +database can be stored on the server. The client will then pull them from +the server upon startup. +</p><p> +This requires three basic steps: +</p> +<ol> +<li> +compile and install server and client, +</li> +<li> +establish trust between client and server, and +</li> +<li> +enable remote logging in the client's configuration file. +</li> +</ol> + + +<h2>Compiling</h2> + +<h3>The server - yule</h3> + +<p> +<b>Note: </b> the server can be started with root privileges (e.g. to use +a privileged port < 1024), but it will always +drop root privileges irrevocably +before accepting any connections, and run as a non-root user. This user +can be specified explicitely with the <i>configure</i> +option <tt>--enable-identity=USER</tt>. The default is +the first existing user +out of the list <i>yule, daemon, nobody</i>. +</p> + +<pre> + +bash$ ./configure --enable-network=server +bash$ make +bash$ make install + +</pre> + +<h3>The client - samhain</h3> + + +<ul> +<li> + <p> + If you just want remote logging: + </p><p> + <tt> ./configure --enable-network=client + --with-logserver=server.example.com</tt> + </p> +</li> +<li> + <p> + If you want configuration and database files on the server: + </p><p> + <tt> ./configure --enable-network=client + --with-logserver=server.example.com \<br /> + --with-config-file=REQ_FROM_SERVER/etc/samhainrc \<br /> + --with-data-file=REQ_FROM_SERVER/var/lib/samhain/samhain_file</tt> + </p> +</li> +</ul> +<p> +The path after the keyword <tt>REQ_FROM_SERVER</tt> has the following meaning: +<ul> +<li>for the configuration file: + <ul> + <li> if <i>initializing</i>, and the connection to the server + fails, samhain will fall back on the local file (if given); + </li> + <li> if in <i>check mode</i>, it is <i>ignored</i>. Samhain will + abort if the connection to the server fails. + </li> + </ul> + Thus, the local path allows you to initialize the database from a local + configuration file before the client is known to the server. +</li> +<li>for the database file: + <ul> + <li> if <i>initializing</i>, the database is written to the local file; + </li> + <li> if in <i>check mode</i>, the local path is <i>ignored</i>. Samhain will + abort if the connection to the server fails. + </li> + </ul> + Thus, <i>init</i> (or <i>update</i>) always requires a local file that + must be uploaded to the server thereafter. <b>Note</b> that if you + use the <b>Beltane</b> web-based frontend, database updates can be performed + on the server without ever running an <i>update</i> on the client. +</li> +</ul> + +<h2>Establishing trust between client and server</h2> + +<p> +By default, samhain uses the SRP (Secure Remote Password) protocol, +with a password that is <i>embedded in the client binary</i>, and a +corresponding verifier that is in the <i>server configuration file</i>. +</p> + +<h3>Embedding the password in the client, and register it with the server</h3> + +<p> +To embed the password in the binary, there is a dummy password compiled +in as placeholder, and a utility <i>samhain_setpwd</i> is provided that +</p> + +<ol> +<li> + takes a password as input, +</li> +<li> + searches the original binary for the + correct place (i.e. the placeholder), and +</li> +<li> + writes a copy of the original binary, with the placeholder replaced + by the password. The original is left untouched. The copy cannot + be changed to another password anymore. +</li> +</ol> + + +<p> +For convenience, the server has functions to +</p> + +<ul> +<li> +<p> +generate a random password in the correct format: +</p><p> +<tt> sh$ yule -G</tt> +</p> +</li> +<li> +<p> +and generate a corresponding entry for the +server configuration file: +</p><p> + <tt> sh$ yule -P PASSWORD</tt>. +<p> +</li> +<li> +The generated entry has a string <tt>'HOSTNAME'</tt> that you should +replace with the fully qualified name of the client. This entry must +then be placed in the <tt>[Clients]</tt> section of the yule configuration +file (e.g. <tt>/etc/yulerc</tt>). +</li> +<li> +Finally, you need to tell yule to reload the configuration (send SIGHUP, +or use <tt>/etc/init.d/yule reload</tt>). +</li> +</ul> + + +<h3>Example</h3> + +<pre style="background-color:#DDDDDD; color:#000000"> + +rainer$ ./samhain_setpwd + +Usage: samhain_setpwd <filename> <suffix> <new_password> + + This program is a utility that will: + - search in the binary executable <filename> for samhain's + compiled-in default password, + - change it to <new_password>, + - and output the modified binary to <filename>.<suffix> + + To allow for non-printable chars, <new_password> must be + a 16-digit hexadecimal number (only 0-9,A-F allowed in input), + thus corresponding to an 8-byte password. + + Example: 'samhain_setpwd samhain new 4142434445464748' + takes the file 'samhain', sets the password to 'ABCDEFGH' + ('A' = 41 hex, 'B' = 42 hex, ...) and outputs the result + to 'samhain.new'. + +rainer$ yule -G +5B5CDF18CE8D66A3 + +rainer$ ./samhain_setpwd samhain new 5B5CDF18CE8D66A3 +INFO old password found +INFO replaced: f7c312aaaa12c3f7 by: 5b5cdf18ce8d66a3 +INFO finished + +rainer$ scp ./samhain.new root@client.example.com:/usr/local/sbin/samhain +samhain 100% |********************************| 592 KB 00:00 + +rainer$ yule -P 5B5CDF18CE8D66A3 +Client=HOSTNAME@8A542F99C3514499@744C3A3EE8323470D9DAD42E2485BD0B138F6B4116E964\ +A9991A0B0D221E1AADE5800968804B99B494C39E7B9DD5710D18F1E6703D1DB6D6393295E05DF6A\ +6AA8D10BB4A21D7D9DC4901D444500D4EA358C1B44A3E3D44ACEC645F938F790A11AB0D03586143\ +977E2BCE3A2D689445AC89134B409E68F34B0DE8BD8242ADD7C0 + +rainer$ yule -P 5B5CDF18CE8D66A3 | sed s%HOSTNAME%client.example.com% >> /etc/yulerc + +rainer$ tail -2 /etc/yulerc +[Clients] +Client=client.example.com@8A542F99C3514499@744C3A3EE8323470D9DAD42E2485BD0B138F +6B4116E964A9991A0B0D221E1AADE5800968804B99B494C39E7B9DD5710D18F1E6703D1DB6D6393 +295E05DF6A6AA8D10BB4A21D7D9DC4901D444500D4EA358C1B44A3E3D44ACEC645F938F790A11AB +0D03586143977E2BCE3A2D689445AC89134B409E68F34B0DE8BD8242ADD7C0 + +rainer$ /etc/init.d/yule reload + +</pre> + +<p> +<b>Note 1:</b> the verifier <tt>Client=client.example.com@.....</tt> must be +in the <b>[Clients]</b> section of the server configuration file. It is +convenient if this is the last section in the config file, because then +you can just concatenate the output of <tt>yule -P PASSWORD</tt> to the +configuration file. This allows for better automatisation with a simple +script. +</p> +<p> +<b>Note 2:</b> samhain comes with a <b>deploy system</b> that handles +the deployment of clients, including password embedding and server +configuration, in a semi-automatic way. +This deploy system is tested and used in a production system +of more than 50 machines, and described in detail in Chapt. 10 of the MANUAL. +</p> + +<h2>Enabling remote logging</h2> +<p> +Samhain has multiple independent logging facilities (such as a local logfile, +syslog, e-mail, TCP/IP, etc.) that can be used +in parallel. You therefore have to specify in the client's configuration +file, <b>which logging facility</b> you want to use. +</p> +<p> +Selecting logging facilities is done by setting appropriate <b>thresholds</b> +in the <b>[Log]</b> section of the configuration file: each +message with a <b>priority</b> exceeding +the threshold will be logged via the respective facility. Setting +the threshold to <i>none</i> will disable a facility. For details, +refer to Chapt. 4 in the MANUAL. +</p> +<h3>Example</h3> +<p> +To enable remote logging to the server for all messages of +priority <i>error</i> or higher, use the following directive in the +client configuration file: +</p> +<pre style="background-color:#DDDDDD; color:#000000"> + +[Log] +ExportSeverity=err + +</pre> + + +<h2>Databases and config files on the server</h2> + +<p> +The client does <i>not</i> tell the server the path to the requested +file - it just requests a config or a database file. It's entirely the +responsibility of the server to locate the correct file and send it. +</p> +<p> +The server has a <i>data directory</i>, which by default would be +<tt>/var/lib/yule</tt>, but depends on your compile options. +</p> +<p> +Config files and baseline databases for clients must be located +in this directory, and they must be named as follows: +</p> +<p> +Configuration files: <tt>rc.</tt><i>client.mydomain.tld</i> or +simply <tt>rc</tt> +(this can be used as a catchall file). +</p> +<p> +Database files: <tt>file.</tt><i>client.mydomain.tld</i> or +simply <tt>file</tt> +(this can be used as a catchall file). +</p> +</div> +</body> +</html> diff --git a/docs/HOWTO-samhain+GnuPG.html b/docs/HOWTO-samhain+GnuPG.html new file mode 100644 index 0000000..013327f --- /dev/null +++ b/docs/HOWTO-samhain+GnuPG.html @@ -0,0 +1,415 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> +<html> +<head> +<title>HOWTO samhain+GnuPG</title> +<style type="text/css"> +<!-- + +html { background: #eee; color: #000; } + +body { background: #eee; color: #000; margin: 0; padding: 0;} + +div.body { + background: #fff; color: #000; + margin: 0 1em 0 1em; padding: 1em; + font-family: serif; + font-size: 1em; line-height: 1.2em; + border-width: 0 1px 0 1px; + border-style: solid; + border-color: #aaa; +} + +div.block { + background: #b6c5f2; color: #000; + margin: 1em; padding: 0 1em 0 1em; + border-width: 1px; + border-style: solid; + border-color: #2d4488; +} + +div.warnblock { + background: #b6c5f2; color: #000; + margin: 1em; padding: 0 1em 0 1em; + border-width: 1px; + border-style: solid; + border-color: #FF9900; +} + +table { + background: #F8F8F8; color: #000; + margin: 1em; + border-width: 0 0 0 1px; + border-style: solid; + border-color: #C0C0C0; +} + +td { + border-width: 0 1px 1px 0; + border-style: solid; + border-color: #C0C0C0; +} + +th { + background: #F8F8FF; + border-width: 1px 1px 2px 0; + border-style: solid; + border-color: #C0C0C0; +} + + +/* body text, headings, and rules */ + +p { margin: 0; text-indent: 0em; margin: 0 0 0.5em 0 } + +h1, h2, h3, h4, h5, h6 { + color: #206020; background: transparent; + font-family: Optima, Arial, Helvetica, sans-serif; + font-weight: normal; +} + +h1 { font-size: 1.69em; margin: 1.4em 0 0.4em 0; } +h2 { font-size: 1.44em; margin: 1.4em 0 0.4em 0; } +h3 { font-size: 1.21em; margin: 1.4em 0 0.4em 0; } +h4 { font-size: 1.00em; margin: 1.4em 0 0.4em 0; } +h5 { font-size: 0.81em; margin: 1.4em 0 0.4em 0; } +h6 { font-size: 0.64em; margin: 1.4em 0 0.4em 0; } + +hr { + color: transparent; background: transparent; + height: 0px; margin: 0.6em 0; + border-width: 1px ; + border-style: solid; + border-color: #999; +} + +/* bulleted lists and definition lists */ + +ul { margin: 0 1em 0.6em 2em; padding: 0; } +li { margin: 0.4em 0 0 0; } + +dl { margin: 0.6em 1em 0.6em 2em; } +dt { color: #285577; } + +tt { color: #602020; } + +/* links */ + +a.link { + color: #33c; background: transparent; + text-decoration: none; +} + +a:hover { + color: #000; background: transparent; +} + +body > a { + font-family: Optima, Arial, Helvetica, sans-serif; + font-size: 0.81em; +} + +h1, h2, h3, h4, h5, h6 { + color: #2d5588; background: transparent; + font-family: Optima, Arial, Helvetica, sans-serif; + font-weight: normal; +} + + --> +</style></head> + +<body> +<div class="body"> +<p style="text-align: center; background: #ccc; border: 1px solid #2d5588;"><a + style="text-decoration: none;" + href="http://www.la-samhna.de/samhain/">samhain file integrity + scanner</a> | <a style="text-decoration: none;" + href="http://www.la-samhna.de/samhain/s_documentation.html">online + documentation</a></p> +<br><center> +<h1>Using samhain with GnuPG</h1> +</center> +<br> +<hr> +<p> +This document aims to explain how to use samhain with <b>signed configuration +and database files</b> which are checked by invoking GnuPG. +</p> +<h2>Introduction</h2> +<p> +Samhain can be compiled to recognize PGP signatures on configuration and +database files and to invoke GnuPG in order to check such signatures. +(<b>Note:</b> while the application usually is referred to as <i>GnuPG</i>, +the executable itself is called <i>gpg</i>). +</p> +<p> +If samhain is compiled with this option, then +</p> + +<ol> +<li> +both the <i>configuration file</i> +and the <i>file signature database</i> must be signed, and +</li> +<li> +for both files the signatures must verify correctly, +</li> +<li> +otherwise samhain will abort. +</li> +</ol> + + +<h2>Prerequisites</h2> +<ul> +<li> +<p> +Obviously you need <i>gpg</i> (GnuPG), and you must +have created a key pair with: +</p><p> +<tt> gpg --gen-key</tt> +</p><p> +(it does not really matter which type of key, the defaults are ok). +</p><p> +GnuPG uses a public-key algorithm: the key pair consists of +</p> +<ul> +<li> +a <i>secret key</i> that is +used for signing and stored in <b>~user/.gnupg/secring.gpg</b>, and +</li><li> +a <i>public key</i> used for verifying the signature, and stored in +<b>~user/.gnupg/pubring.gpg</b>. +</li> +</ul> +<p> +The secret key obviously should be +kept secret, while the public key can be published. +</p> +</li> +<li> +<p> +You need to compile samhain with support for GnuPG: +</p><p> +<tt> ./configure --with-gpg=/path/to/gpg [more options]</tt> +</p><p> +</li> +</ul> + +<p> +<b>Note 1:</b> If compiled with support for GnuPG, +the TIGER192 checksum of the gpg +executable will be compiled into samhain, and the gpg executable will +be checksummed (to verify its integrity) before invoking it. If you +don't like this, you should add the <i>configure</i> option: +</p><p> +<tt> --with-checksum=no</tt> +</p> +<div class="warnblock"> +<p> +Compiling in the GnuPG checksum will tie the samhain executable to +the gpg executable. If you upgrade GnuPG, you will need to re-compile +samhain. If you don't like this, use <tt>'--with-checksum=no'</tt>. +</p> +</div> +<p> +<b>Note 2:</b> The mere fact that the signature +is correct does not prove that it has been signed by <i>you</i> with +<i>your</i> key - it just proves that it has been signed by <i>somebody</i>. +Samhain can optionally check the <i>fingerprint</i> of the key that has been +used to sign the files, to verify that <i>your</i> key has been used +to sign the file(s). To enable this, use the <i>configure</i> option +</p><p> +<tt> --with-fingerprint=FINGERPRINT</tt> +</p><p> +where FINGERPRINT is the hexadecimal fingerprint of the key as listed +with +</p><p> +<tt> gpg --fingerprint</tt> +</p> + +<h3>Example</h3> + +<pre style="background-color:#DDDDDD; color:#000000"> + +rainer$ gpg --fingerprint rainer +pub 1024D/0F571F6C 1999-10-31 Rainer Wichmann + Key fingerprint = EF6C EF54 701A 0AFD B86A F4C3 1AAD 26C8 0F57 1F6C +uid Rainer Wichmann +sub 1024g/9DACAC30 1999-10-31 + +rainer$ which gpg +/usr/bin/gpg + +rainer$ ./configure --with-gpg=/usr/bin/gpg --with-fingerprint=EF6CEF54701A0AFDB86AF4C31AAD26C80F571F6C + +</pre> + +<h2>Signing the files</h2> +<p> +The <i>configuration file</i> and the +<i>file signature database</i> +(created by running <tt>samhain -t init</tt>) must be signed manually +using the command: +</p><p> +<tt> gpg -a --clearsign --not-dash-escaped /etc/samhainrc</tt><br/> +<tt> mv /etc/samhainrc.asc /etc/samhainrc</tt> +</p><p> +<i>Gpg</i> will create a <i>signed copy</i> of the file, +named <i>file.asc</i>. +You need to <b>rename</b> (<tt>cp/mv</tt>) this signed copy +to the original filename. +After signing the configuration file, you can initialize the database +and sign it likewise. +</p> +<p> +<b>Note 1:</b> The installation script will ask you to +sign the <i>configuration file</i> upon installation. +</p><p> +<b>Note 2:</b> The <i>gpg</i> option <tt>--not-dash-escaped</tt> +does not harm if used with the +<i>configuration file</i>, but is only required for the +<i>file signature database</i>. +</p> + +<h3>TIP</h3> +<p> + In the subdirectory <tt>scripts/</tt> of the source directory you will find + a Perl script <b>samhainadmin.pl</b> to facilitate some + tasks related to the administration of signed configuration and + database files (e.g. examine/create/remove signatures). + Use with <i>--help</i> to get usage + information. +</p> + +<h3>CAVEAT</h3> +<p> + When signing, the option <i>--not-dash-escaped</i> is + recommended, because otherwise the database might get corrupted. + However, this implies that after a database update, + you <i>must</i> remove the old signature first, before + re-signing the database. Without 'dash escaping', + gpg will not properly handle the old signature. + See the tip just above. +</p> + +<h3>Example</h3> + +<pre style="background-color:#DDDDDD; color:#000000"> + +root# gpg -a --clearsign --not-dash-escaped /etc/samhainrc + +You need a passphrase to unlock the secret key for +user: "Rainer Wichmann" +1024-bit DSA key, ID 0F571F6C, created 1999-10-31 + +root# mv /etc/samhainrc.asc /etc/samhainrc +root# samhain -t init +root# gpg -a --clearsign --not-dash-escaped /var/lib/samhain/samhain_file + +You need a passphrase to unlock the secret key for +user: "Rainer Wichmann" +1024-bit DSA key, ID 0F571F6C, created 1999-10-31 + +root# mv /var/lib/samhain/samhain_file.asc /var/lib/samhain/samhain_file +root# samhain -D -t check + +</pre> + +<h2>Make samhain verify the signature</h2> +<p> +This is the part where some people run into problems. The point is, +when <i>gpg</i> is invoked by samhain, it must <i>find the public key</i> +needed for verification. <i>Gpg</i> expects public keys in a file +located at <b>~user/.gnupg/pubring.gpg</b> where <b>~user</b> +is the home directory of the user as that <i>gpg</i> is running. +</p><p> +It is therefore <i>crucial</i> to include the public key corresponding +to te secret key used for signing into the correct <b>pubring.gpg</b> +file (this file can hold many public keys, e.g. of people sending you +emails signed by them). +</p><p> +So which is the correct file? Here we have to consider two seperate +cases: +</p> +<ol> +<li>The client (or standalone) samhain daemon runs with UID 0 (i.e. root), +thus the public key must be in <b>~root/.gnupg/pubring.gpg</b> +</li> +<li> +The server (yule) <i>always</i> drops root privileges (if started with), and +runs as a <i>non-root user</i>. The username to use is compiled in, +either with the <i>configure</i> option <tt>--enable-identity=USER</tt>, +or by default as determined by <i>configure</i> (the first existing user +out of the list <i>yule, daemon, nobody</i>). Thus, the public key +must be in <b>~root/.gnupg/pubring.gpg</b> (for startup) <i>and</i> +in <b>~non_root_user/.gnupg/pubring.gpg</b> (for reload with SIGHUP). +</li> +</ol> +<p> +To import a public key into the public +keyring (pubring.gpg) of another user, you can do: +</p><p> +<tt> gpg --export KEY-ID > filename</tt><br> +<tt> su another_user</tt><br> +<tt> gpg --import filename</tt> +</p> +<p> +<b>Note:</b> samhain will invoke <i>gpg</i> with the options: +</p><p> +<tt> --status-fd 1 --verify --homedir /homedir/.gnupg --no-tty -</tt> +</p><p> +and pipe the configuration/database file into <i>gpg</i>, similar to: +</p><p> +<tt>cat filename | /usr/bin/gpg --status-fd 1 --verify --homedir /root/.gnupg --no-tty -</tt> +</p><p> +(of course samhain does not invoke cat, or the shell; the example above +just shows how to do the same from the shell command prompt). +</p> + +<h3>Example for signature check</h3> +<p> +If you want to check the signature the same way samhain does, it should look +like (note the GOODSIG and VALIDSIG keywords in the output): +</p> +<pre style="background-color:#DDDDDD; color:#000000"> + +root# cat /etc/samhainrc | gpg --status-fd 1 --verify --homedir /root/.gnupg --no-tty - +gpg: Signature made Sat Mar 15 16:08:21 2003 CET using DSA key ID 0F571F6C +[GNUPG:] SIG_ID 9hQvRhgjWLqyFzVOHi2b0uDmBFo 2003-03-15 1047740901 +[GNUPG:] GOODSIG 1AAD26C80F571F6C Rainer Wichmann +gpg: Good signature from "Rainer Wichmann" +gpg: aka "Rainer Wichmann" +[GNUPG:] VALIDSIG EF6CEF54701A0AFDB86AF4C31AAD26C80F571F6C 2003-03-15 1047740901 +[GNUPG:] TRUST_ULTIMATE + +</pre> + +<h2>Troubleshooting</h2> +<p> +First and foremost, run samhain (or yule) from the command line, in non-daemon +mode, and with the command-line option <tt>-p debug</tt> for debug-level +output. This will print +descriptive information on setup errors and/or relevant output from +the GnuPG subprocess. +</p> +<p> +Output from the GnuPG subprocess is marked by <b>[GNUPG:]</b>, and +may show the following errors: +</p> + +<ul> +<li><b>ERRSIG</b> and/or <b>NO_PUBKEY</b> indicates that gpg did not find + the public key to verify the signature. You should import that key + into the keyrings of root and (for yule additionaly) the yule user. +</li> +<li><b>BADSIG</b> indicates that the public key was found by gpg, but + the signature is invalid. Either the file has been modified after + signing, or a previous signature has not been removed. +</li> +<li><b>NODATA</b> indicates that there is no signed data, i.e. the + configuration or database file is not signed at all. +</li> +</ul> +</div> +</body> +</html> diff --git a/docs/HOWTO-samhain-on-windows.html b/docs/HOWTO-samhain-on-windows.html new file mode 100644 index 0000000..8bd039c --- /dev/null +++ b/docs/HOWTO-samhain-on-windows.html @@ -0,0 +1,496 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> +<html> +<head> +<title>HOWTO Samhain on Windows</title> +<style type="text/css"> +<!-- + +html { background: #eee; color: #000; } + +body { background: #eee; color: #000; margin: 0; padding: 0;} + +div.body { + background: #fff; color: #000; + margin: 0 1em 0 1em; padding: 1em; + font-family: serif; + font-size: 1em; line-height: 1.2em; + border-width: 0 1px 0 1px; + border-style: solid; + border-color: #aaa; +} + +div.block { + background: #b6c5f2; color: #000; + margin: 1em; padding: 0 1em 0 1em; + border-width: 1px; + border-style: solid; + border-color: #2d4488; +} + +div.warnblock { + background: #b6c5f2; color: #000; + margin: 1em; padding: 0 1em 0 1em; + border-width: 1px; + border-style: solid; + border-color: #FF9900; +} + +table { + background: #F8F8F8; color: #000; + margin: 1em; + border-width: 0 0 0 1px; + border-style: solid; + border-color: #C0C0C0; +} + +td { + border-width: 0 1px 1px 0; + border-style: solid; + border-color: #C0C0C0; +} + +th { + background: #F8F8FF; + border-width: 1px 1px 2px 0; + border-style: solid; + border-color: #C0C0C0; +} + + +/* body text, headings, and rules */ + +p { margin: 0; text-indent: 0em; margin: 0 0 0.5em 0 } + +h1, h2, h3, h4, h5, h6 { + color: #206020; background: transparent; + font-family: Optima, Arial, Helvetica, sans-serif; + font-weight: normal; +} + +h1 { font-size: 1.69em; margin: 1.4em 0 0.4em 0; } +h2 { font-size: 1.44em; margin: 1.4em 0 0.4em 0; } +h3 { font-size: 1.21em; margin: 1.4em 0 0.4em 0; } +h4 { font-size: 1.00em; margin: 1.4em 0 0.4em 0; } +h5 { font-size: 0.81em; margin: 1.4em 0 0.4em 0; } +h6 { font-size: 0.64em; margin: 1.4em 0 0.4em 0; } + +hr { + color: transparent; background: transparent; + height: 0px; margin: 0.6em 0; + border-width: 1px ; + border-style: solid; + border-color: #999; +} + +/* bulleted lists and definition lists */ + +ul { margin: 0 1em 0.6em 2em; padding: 0; } +li { margin: 0.4em 0 0 0; } + +dl { margin: 0.6em 1em 0.6em 2em; } +dt { color: #285577; } + +tt { color: #602020; } + +/* links */ + +a.link { + color: #33c; background: transparent; + text-decoration: none; +} + +a:hover { + color: #000; background: transparent; +} + +body > a { + font-family: Optima, Arial, Helvetica, sans-serif; + font-size: 0.81em; +} + +h1, h2, h3, h4, h5, h6 { + color: #2d5588; background: transparent; + font-family: Optima, Arial, Helvetica, sans-serif; + font-weight: normal; +} + + --> +</style></head> +<body> +<div class="body"> +<p style="text-align: center; background: #ccc; border: 1px solid #2d5588;"><a + style="text-decoration: none;" + href="http://www.la-samhna.de/samhain/">samhain file integrity + scanner</a> | <a style="text-decoration: none;" + href="http://www.la-samhna.de/samhain/s_documentation.html">online + documentation</a></p> +<br><center> +<h1>Using Samhain on Windows</h1> +</center> +<br> +<hr> +<p> +This document aims to explain how to compile and run +samhain on Windows with the +<b>Cygwin</b> POSIX emulation layer, and how to install it as a service. +These instructions have been written by Kris Dom, +who has tested this on WinXP Professional, with additions by Geries Handal +and Jorge Morgado. +</p> +<div class="block"> +<h3>Interix / Services For UNIX</h3> +<p> +Samhain can also be used with Interix/SFU 3.5. Note that in Interix, +the Windows +filesystem is referred as <tt>/dev/fs/C</tt>, while in Cygwin it +is <tt>/cygdrive/c</tt> (both refers to the <tt>C:</tt> drive; other drives +are analogous). +</p><p> +Older versions of samhain would need to be built with +<tt>./configure --disable-mail</tt> (i.e. without support for email +logging) because Interix does not provide some of the required functionality +to build the email module. This issue should be fixed as of samhain +version 2.0.7 (not tested).<br /> +[Based on information kindly provided by Geries Handal]. +</p> +</div> + +<h2>Cygwin installation procedure to compile samhain</h2> + +<h3>Cygwin download</h3> + +<ul> +<li> +Make a temporary directory to store cygwin installer (e.g. c:\temp\cygwin) +</li> +<li> +Surf to <a href="http://www.cygwin.com">http://www.cygwin.com</a> +to download cygwin +</li> +<li> +Use the "install or update now (using setup.exe)" to +download the installer in c:\temp\cygwin +</li> +<li> +Execute "setup.exe" in c:\temp\cygwin +</li> +<li> +Choose the "download from the Internet" option +</li> +<li> +Choose "c:\temp\cygwin" as 'Local Package Directory' +</li> +<li> +Choose an FTP site +</li> +<li> +Click on 'Default' just after 'All' to change the installation type +from 'Default' to 'Install'. This will most likely install way too much +stuff but I am not familiar with Cygwin, so this way I know that all libs and +compilers are installed. +</li> +<li> +Let it download the stuff (there is a lot to download so be patient). +</li> +</ul> +<div class="block"> +<p> +You don't need to download and install All packages. It is enough to keep +the Default and then add the following additional packages: +</p> +<p> + Category Devel -> gcc: C compiler upgrade helper<br/> + Category Devel -> make: The GNU version of the 'make' utility<br/> + Category Libs -> minires: A simple synchronous non caching stub resolver<br/> +</p> +<p> +When selecting these packages, Cygwin installer will automatically add +other packages based on their dependencies. +The package minires is only necessary for a minimal Cygwin installation +(below). [Kindly pointed out by Jorge Morgado]. +</p> +</div> + +<h3>Cygwin installation</h3> + +<ul> +<li> +When the download is complete you have the Cygwin software in the +temporary directory, however, it still needs to be installed. +</li> +<li> +To install, execute the "setup.exe" in "c:\temp\cygwin" +</li> +<li> +Choose the "Install from local directory" option. +</li> +<li> +Choose "C:\Cygwin" as root directory (this will be the Unix '/') +</li> +<li> +Choose the Local Package Directory: "c:\temp\cygwin" +</li> +<li> +Click on 'Default' just after 'All' to change the installation type +from 'Default' to 'Install'. +</li> +<li> +Let it install Cygwin (this will take some time so be patient). +</li> +</ul> + +<h3>Samhain install procedure (used 'samhain 1.8.7a' in this procedure)</h3> +<p> +(in the following procedure I use my personal preferences) +</p> + +<ul> +<li> +Start up Cygwin using the "Cygwin" icon on the desktop (a classic +Unix environment will be started). +</li> +<li> +Download the 'samhain' gzip/tar (I always put in my home directory) +</li> +<li> +Make directories to install samhain (taking into account the configure +options):<br /> + <tt>$ mkdir /usr/local/sbin</tt><br /> + <tt>$ mkdir /usr/local/var</tt><br /> + <tt>$ mkdir /usr/local/log</tt><br /> + <tt>$ mkdir /usr/local/tmp</tt><br /> +</li> +<li>Go to the home directory:<br /> + <tt>$ cd $HOME</tt> +</li> +<li>Un-gzip and untar the samhain package:<br /> + <tt>$ gunzip samhain-1.8.7a.tar.gz</tt><br /> + <tt>$ tar xvf samhain-1.8.7a.tar</tt><br /> +</li> +<li>Go to the samhain directory:<br /> + <tt>$ cd samhain-1.8.7a</tt><br /> +</li> +<li>Configure:<br /> + <tt>$ ./configure --enable-xml-log=yes --with-tmp-dir=/usr/local/tmp --with-config-file=/usr/local/etc/samhainrc --with-log-file=/usr/local/log/samhain.log --with-pid-file=/usr/local/var/samhain.pid --with-state-dir=/usr/local/var</tt><br /> +<div class="block"> +<p> +In my experience, the paths given in the 'configure' command should refer to +the Cygwin filesystem view, i.e. <tt>/cygdrive/c/...</tt>, otherwise +samhain may not work from a pure DOS shell, and may not run as a Windows +service [Rainer Wichmann]. +</p> +</div> +</li> +<li>Make the binary:<br /> + <tt>$ make</tt><br /> +</li> +<li>Install samhain:<br /> + <tt>$ make install</tt><br /> +</li> +<li>Now configure the "/usr/local/etc/samhainrc" file.<br /> +Remember: "C:\" -> "/cygdrive/c/" +</li> +<li>Initialize the samhain local baseline database:<br /> + <tt>$ /usr/local/sbin/samhain -t init</tt><br /> +</li> +<li>Start it up:<br /> + <tt>$ /usr/local/sbin/samhain -t check</tt><br /> +</li> +</ul> + + +<h2>Cygwin minimal installation procedure to run samhain</h2> + +<ul> +<li> +Files needed to create a service (from NT/W2K Resource Kit): + <ul> + <li> + instsrv.exe + </li> + <li> + srvany.exe + </li> + </ul> +</li> +<li> +First copy these files to the "%winnt%\system32" directory. +</li> +<li> +Files needed to run the 'samhain.exe'. Copy the following .dll from the +Cygwin setup (c:\Cygwin\bin) to the "%winnt%\system32" directory: + <ul> + <li> + cygwin1.dll + </li> + <li> + cygminires.dll + </li> + </ul> +</li> +<li> +Files needed from c:\Cygwin\bin to create the /etc/passwd and /etc/group files: + <ul> + <li> + mkpasswd.exe + </li> + <li> + mkgroup.exe + </li> + </ul> +<p> +To generate these files on a minimal Cygwin installation execute - on a +Windows Command Prompt: +</p><p> + <tt>mkdir c:\etc</tt><br /> + <tt>path\to\mkpasswd.exe -l > c:\etc\passwd</tt><br /> + <tt>path\to\mkgroup.exe -l > c:\etc\group</tt> +</p><p> +IMPORTANT NOTE: You should re-create these two files, each time the +Windows users and groups accounts database changes. Failing to do this +might generate critical log messages (depending on your configuration +file). +</p> +</li> +<li> +Create a directory structure for samhain (following the compilation options +you used)<br /> + - in a DOS box (or via Windows Explorer)<br /> + <tt>mkdir c:\usr</tt><br /> + <tt>mkdir c:\usr\local</tt><br /> + <tt>mkdir c:\usr\local\sbin</tt><br /> + <tt>mkdir c:\usr\local\var</tt><br /> + <tt>mkdir c:\usr\local\tmp</tt><br /> + <tt>mkdir c:\usr\local\log</tt><br /> + <tt>mkdir c:\usr\local\etc</tt><br /> +</li> +<li> +Use the "instsrv.exe" binary to create a new service:<br /> + <tt>instsrv.exe samhain c:\windows\system32\srvany.exe</tt><br /> + (this will create a service called "Samhain" that will +start the "srvany.exe" process). +</li> +<li>Now edit the registry to change the startup parameters for the newly +created service: + <ul> + <li>regedit</li> + <li>HKEY_LOCAL_MACHINE->SYSTEM->CurrentControlSet->Services->Samhain</li> + <li>Add a String value (type: REG_SZ called: "Description") under the 'Samhain' key</li> + <li>Open the newly created "Description" value and fill in a description for the 'Samhain' service</li> + <li>Add a key to specify what file the "srvany.exe" process must start:<br /> + Edit->New->Key called "Parameters" + </li> + <li>Under the newly created "Parameters" key, add a new String + value called "Application".<br /> + The value for "Application" + should be "c:\usr\local\sbin\samhain.exe".</li> + </ul> +</li> +<li> +Make sure that in the "samhainrc" file, you have used +"/cygdrive/c" to refer to "c:" +</li> +<li> +Initialize the samhain baseline database first:<br /> + <tt>c:\usr\local\sbin\samhain -t init</tt><br /> +</li> +<li> +Reboot (it is Windows so ...) +</li> +</ul> +<div class="block"> +<p> +It seems that start/stop/restart the service does not work if samhain +is configured to run as a daemon, because the Windows service manager +cannot track the forked daemon process. +</p> +<p>Therefore, if you run Samhain as a Windows service, it might be better +to configure it as a 'normal' process which does not fork a daemon: +<ul> + <li> + Set 'Daemon = no' in the samhainrc configuration file. + </li> + <li> + Edit the key HKEY_LOCAL_MACHINE->SYSTEM->CurrentControlSet->Services->Samhain->Parameters to add a string value named 'AppParameters', with + the value '--forever'. + </li> +</ul> +[Rainer Wichmann]. +</p> +</div> +<p> +Also see <a href="http://support.microsoft.com/kb/q137890/">http://support.microsoft.com/kb/q137890/</a> for information regarding the creation of a +user-defined service. +</p> +<p> +Note: the first time I tried to install samhain as an NT service, I first +installed a default Cygwin on the system. This however made things much more +complex. I think when there is no Cygwin installed, it is more easy to install +Samhain as a service. +</p> + + +<h2>Troubleshooting samhain</h2> + +<p> +[Rainer Wichmann] I had some problems at first getting it to run as a +Windows service. Some tips: +<ul> + <li> + Running samhain from a pure DOS shell (outside the Cygwin environment) + helps to identify problems, in particular if it refuses to start + as a Windows service. + </li> + <li> + I found it neccessary to put the <tt>cygwin1.dll</tt> DLL into the + same directory as the <tt>samhain.exe</tt> executable. Also, you + can use the command <tt>ldd ./samhain.exe</tt> to identify further + Cygwin-specific DLL that may be required (if any). + </li> + <li> + Also, I found it neccessary to use Cygwin-style paths + (<tt>/cygdrive/c/...</tt>) in the './configure ..' command when + compiling samhain. + </li> +</ul> +</p> + +<p> +[Tip from Jorge Morgado] If you, like me, have a Windows server not part of any domain and (for +security reasons) you even turn off DNS resolution, you might probably get +the following error when initializing the baseline database: +</p> +<pre> + --------- sh_unix.c --- 1487 --------- + According to uname, your nodename is yourcomputername, but your resolver + library cannot resolve this nodename to a FQDN. + Rather, it resolves this to yourcomputername. + For more information, see the entry about self-resolving under + 'Most frequently' in the FAQ that you will find in the docs/ subdirectory + ---------------------------------------------- +</pre> +<p> +To fix this problem open the Registry Editor and create the following +entries under the key +HKLM\System\CurrentControlSet\Services\Tcpip\Parameters +</p> +<p> +<tt> +Name: Domain<br/> +Type: REG_SZ<br/> +Data: your.domain.name +</tt> +</p><p> +<tt> +Name: NV Domain<br/> +Type: REG_SZ<br/> +Data: your.domain.name +</tt> +</p><p> +The NV Domain registry value contains the computer's primary DNS suffix +while the Domain registry value contains the computer's primary DNS +domain. This will make the warning message go away. +</p> +</div> +</body> +</html> diff --git a/docs/HOWTO-write-modules.html b/docs/HOWTO-write-modules.html new file mode 100644 index 0000000..a2ace92 --- /dev/null +++ b/docs/HOWTO-write-modules.html @@ -0,0 +1,771 @@ +<html> +<head> +<title>HOWTO Write Samhain Modules</title> +<style type="text/css"> +<!-- + +html { background: #eee; color: #000; } + +body { background: #eee; color: #000; margin: 0; padding: 0;} + +div.body { + background: #fff; color: #000; + margin: 0 1em 0 1em; padding: 1em; + font-family: serif; + font-size: 1em; line-height: 1.2em; + border-width: 0 1px 0 1px; + border-style: solid; + border-color: #aaa; +} + +div.block { + background: #b6c5f2; color: #000; + margin: 1em; padding: 0 1em 0 1em; + border-width: 1px; + border-style: solid; + border-color: #2d4488; +} + +div.warnblock { + background: #b6c5f2; color: #000; + margin: 1em; padding: 0 1em 0 1em; + border-width: 1px; + border-style: solid; + border-color: #FF9900; +} + +table { + background: #F8F8F8; color: #000; + margin: 1em; + border-width: 0 0 0 1px; + border-style: solid; + border-color: #C0C0C0; +} + +td { + border-width: 0 1px 1px 0; + border-style: solid; + border-color: #C0C0C0; +} + +th { + background: #F8F8FF; + border-width: 1px 1px 2px 0; + border-style: solid; + border-color: #C0C0C0; +} + + +/* body text, headings, and rules */ + +p { margin: 0; text-indent: 0em; margin: 0 0 0.5em 0 } + +h1, h2, h3, h4, h5, h6 { + color: #206020; background: transparent; + font-family: Optima, Arial, Helvetica, sans-serif; + font-weight: normal; +} + +h1 { font-size: 1.69em; margin: 1.4em 0 0.4em 0; } +h2 { font-size: 1.44em; margin: 1.4em 0 0.4em 0; } +h3 { font-size: 1.21em; margin: 1.4em 0 0.4em 0; } +h4 { font-size: 1.00em; margin: 1.4em 0 0.4em 0; } +h5 { font-size: 0.81em; margin: 1.4em 0 0.4em 0; } +h6 { font-size: 0.64em; margin: 1.4em 0 0.4em 0; } + +hr { + color: transparent; background: transparent; + height: 0px; margin: 0.6em 0; + border-width: 1px ; + border-style: solid; + border-color: #999; +} + +/* bulleted lists and definition lists */ + +ul { margin: 0 1em 0.6em 2em; padding: 0; } +li { margin: 0.4em 0 0 0; } + +dl { margin: 0.6em 1em 0.6em 2em; } +dt { color: #285577; } + +tt { color: #602020; } + +/* links */ + +a.link { + color: #33c; background: transparent; + text-decoration: none; +} + +a:hover { + color: #000; background: transparent; +} + +body > a { + font-family: Optima, Arial, Helvetica, sans-serif; + font-size: 0.81em; +} + +h1, h2, h3, h4, h5, h6 { + color: #2d5588; background: transparent; + font-family: Optima, Arial, Helvetica, sans-serif; + font-weight: normal; +} + + --> +</style></head> + +<body> +<div class="body"> +<p style="text-align: center; background: #ccc; border: 1px solid #2d5588;"><a + style="text-decoration: none;" + href="http://www.la-samhna.de/samhain/">samhain file integrity + scanner</a> | <a style="text-decoration: none;" + href="http://www.la-samhna.de/samhain/s_documentation.html">online + documentation</a></p> +<br><center> +<h1>Writing modules for samhain</h1> +</center> +<br> +<hr> +<p> +This document should help anyone who is sitting down to write a module +for the samhain host intrusion detection system. We give an overview +of samhain's structure from the point of view of the module author, +and describe some of the samhain utility and interface functions +available. Lastly, we explain how to integrate your module into the +samhain autoconf build tools. +</p> +<h2>Introduction</h2> +<p> +Samhain is a rather useful file integrity and host intrusion detection +system. It is written entirely in C, and much care has been given to +making it robust and secure. Additionally, it has been written with +extensibility in mind, and so interfaces for adding user-contributed +modules have been provided. A module author can easily extend the +configuration file syntax and have his checking code run on a regular +basis as one of samhain's internal checks. +</p> + +<h2>Prerequisites</h2> +<p> +You'll need to know how to read and write C. You'll need the latest +source for samhain. You'll need to have read all of samhain's other +documentation. Finally, if you want to make your module build as part +of the samhain tree (you do), you'll need GNU's autoconf package. +</p> +<h2>An overview of samhain's execution</h2> +<p> +Here's what happens when samhain starts: +<ul> + <li> + Check if samhain has been called with one of the "init.d" type + commands - start, stop, reload, status. If so, these are handled + as you might expect. Nice feature. + </li> + <li> + Initialise all global structures and parse command-line options. + </li> + <li> + Read the configuration file. This is handled in sh_readconf_read(). + This includes attempting to download the file if samhain has been + compiled to do so. + </li> + <li> + Drop privileges if server. + </li> + <li> + Test the checksum on the database if client or standalone. + </li> + <li> + Now test if samhain has been compiled as a client or a server. + <ul> + <li> + If server, enter server main loop sh_receive() in + sh_forward.c. This is simple enough; apart from checks for + signals received, the server just accepts incoming + connections, verifies that they are from an authorised + client, and logs the message received. + </li> + <li> + If client or standalone, we run the rest of main() in + samhain.c, which follows: + </li> + </ul> + </li> + <li> + Initialise modules - that is, call the mod_init() function on each + module. Note that if the module intialisation routine returns a + nonzero value, you should also have it free anything that's been + allocated by the configuration file reading functions, since this + method is always called after an sh_readconf_read(), i.e. when the + configuration file is re-read after a SIGHUP. + </li> + <li> + Test the setup that's been read from the configuration - for example, + check if any files or directories have been defined twice. + </li> + <li> + Enter the main loop (which runs just once if samhain is not + configured as a daemon). Test if any signals have been received, + and handle them appropriately: + <ul> + <li> + On reconfiguration (SIGHUP), clear internal file lists etc. + and call the mod_reconf() function on each module. This should + clean up anything internal to the module before the + configuration file is re-read. Then read the configuration + file again and set things up as before, including a new call + to mod_init(). + </li> + <li> + On SIGIOT (SIGABRT), shut down the log-file for a moment + to allow for rotation. + </li> + <li> + On SIGQUIT, terminate. Note that any call to exit() will + invoke the exit_handler() defined in samhain.c; the first + thing this does is to call mod_cleanup() on all modules. + Then it cleans up everything else in samhain and exits. + </li> + <li> + On SIGUSR1 turn toggle debugging on/off. + </li> + <li> + On SIGUSR2 suspend the daemon an notify the server to + allow a second instance of samhain downloading its + configuration file without triggering an alert (restart + without exit) on the server. + </li> + </ul> + </li> + <li> + If it's time to check files, check directories and then files, and + then flush the mail queue. + </li> + <li> + Execute modules. For each module, if mod_timer(tcurrent) returns a + nonzero value, then execute mod_check(). + </li> + <li> + Do various maintenance operations such as logging a timestamp/sending + some mail if it's time, seeding/re-seeding the PRNG, etc. + </li> +</ul> +You'll note that in the text above I refer to a couple of module +functions - mod_init(), mod_check(), etc. These are function pointers +that act as hooks for attaching modules to samhain. Next we'll +describe how they are used. +</p> + +<h2>Samhain's module interface</h2> +<p> +Here we'll describe the interface samhain provides to module authors. +</p> + +<h3>The module list</h3> +<p> +In sh_modules.h, the following structure is defined: +</p> +<pre> + +typedef struct mod_type +{ + /* The name of the module */ + char * name; + + /* Set by samhain to 1 on successful initialization, else 0 */ + int initval; + + /* The initialization function. Return 0 on success. */ + int (* mod_init) (void); + + /* The timer function. Return 0 if NOT time to check. */ + int (* mod_timer) (unsigned long tcurrent); + + /* The check function. Return 0 on success. */ + int (* mod_check) (void); + + /* The cleanup function. Return 0 on success. */ + int (* mod_cleanup) (void); + + /* The preparation for reconfiguration. Return 0 on success. */ + int (* mod_reconf) (void); + + /* Section header in config file */ + char * conf_section; + + /* A table of key/handler_function for config file entries */ + sh_rconf * conf_table; + +} sh_mtype; +</pre> + +<p> +This is the structure used to hook modules into samhain. There is a +list of these structures (modList), defined in sh_modules.c, +containing pointers to the functions to be used for each module +compiled into samhain. For example, +</p> + +<pre> + +sh_mtype modList[] = { +#ifdef SH_USE_UTMP + { + N_("UTMP"), + 0, + sh_utmp_init, + sh_utmp_timer, + sh_utmp_check, + sh_utmp_end, + sh_utmp_null, + + N_("[Utmp]"), + sh_utmp_table, + }, +#endif +</pre> +<p> +is the beginning of that table. The author of the sh_utmp module has +initialised the structure with the name of the module (note that N_() +is just a macro used to delimit strings here), a 0 to signify that the +module has not yet been initialised, and then pointers to _init(), +_timer(), _check(), _cleanup() and _reconf() functions for the +module. Finally, the last two structure elements are for configuration +file parsing: the first is the section heading in the configuration +file for this module, and the second is a table of type +</p> + +<pre> + +typedef struct rconf +{ + char * the_opt; + int (*func)(char * opt); +} sh_rconf; +</pre> + +<p> +(also defined in sh_modules.h). This structure is for storing options +for this module to be found in the configuration file, as well as the +functions that will be used to parse them when found. In the sh_utmp +example above, we can see that this table has been set to +sh_utmp_table - this is a reference to a list of the Utmp module's +configuration options declared in sh_utmp.h. It should be clear now +that one of the changes you will need to make to samhain's source +files is to include your header file in sh_modules.c and add a modList +entry like the above. +</p> + +<p> +For a description of when during samhain's execution these various +module hooks are called, see the overview above. It would likely be +helpful to you now to read through the source for one of the modules +provided with samhain and see the above actually implemented. You +should also be able to use one of these modules as a template for your +own. +</p> + +<h3>The message catalogue</h3> + +<p> +Most module authors will want to log messages in their own specified +format; samhain stores all of its message formats in a "messages +catalogue" found in sh_cat.h and sh_cat.c. For example, for the +sh_suidchk module we find the following entries in sh_cat.h, as part +of an enum: +</p> + +<pre> + +#ifdef SH_USE_SUIDCHK + MSG_SUID_POLICY, + MSG_SUID_FOUND, + MSG_SUID_STAT, + MSG_SUID_SUMMARY, +#endif +</pre> + +<p> +Correspondingly in sh_cat.c we find +</p> + +<pre> + +#ifdef SH_USE_SUIDCHK + { MSG_SUID_POLICY, SH_ERR_SEVERE, RUN, N_("msg=\"POLICY SUIDCHK %s\" path=\"%s\"") }, + { MSG_SUID_FOUND, SH_ERR_INFO, RUN, N_("msg=\"Found suid/sgid file\" path=\"%s\"") }, + { MSG_SUID_STAT, SH_ERR_ERR, ERR, N_("msg=\"stat: %s\" path=\"%s\"") }, + { MSG_SUID_SUMMARY,SH_ERR_INFO, RUN, N_("msg=\"Checked for SUID programs: %ld files, %ld seconds\"") }, +#endif +</pre> +<p> +as part of the table msg_cat[] of type cat_entry: +</p> +<pre> + +typedef struct foo_cat_entry { + unsigned long id; + unsigned long priority; + unsigned long class; + char * format; +} cat_entry; +</pre> +<p> +The first member of this structure is the message type's ID, as +defined in the enum in sh_cat.h. The second is the default priority of +such messages, defined as in the samhain documentation. The third is +the class of the message, again defined as in the samhain +documentation. Finally we have the message format itself, which is a +printf() style format string. +</p> +<p> +This catalogue is used by the logging functions in samhain; you will +need to add your own message types and formats to sh_cat.h and +sh_cat.c. Note that because samhain can be compiled for XML style +logging, you will actually need to make two entries in sh_cat.c for +each message; see the file itself for details. +</p> +<p> +Note that there is a generic message format with the ID 'MSG_E_SUBGEN' +and the default priority 'SH_ERR_ERR'. If you are using this message +format, then you can log (a) a string, and (b) the name of the subroutine. +</p> +<p> +This completes our description of samhain's module interface. +</p> + +<h2>Samhain's utility functions</h2> +<p> +Here we'll describe the main utility functions available to samhain module +authors. +</p> + +<h3>String wrapping macros</h3> + +<p> +Constant strings should be wrapped in the _(string) macro. Initialisation +strings that cannot be replaced with a function should be wrapped +in a N_(string) macro, and the variable thus initialized should be +wrapped in a _(var) macro whereever used. This is important for the +'stealth' functionality of samhain. +</p> + +<h3>Logging messages</h3> + +<pre> +#include "sh_error.h" + +void sh_error_handle(int severity, char * file, long line, long status, + unsigned long msg_id, ...) +</pre> +<p> +This is samhain's logging/reporting function, so the name is a little +misleading - errors are not the only thing we should handle with +this. The first four arguments are simple enough: severity is the +logging severity, defined in the enum ShErrLevel from sh_error.h; file +and line are the current file and line - usually you'll be using FIL__ +and __LINE__ for these; status is not very important - for module +authors it'll do to always pass 0 to this. The final named argument is +msg_id, which should be one of the message IDs defined in sh_cat.h; +these correspond to message format strings in printf() format, which +will be interpolated with the following arguments to form the log +message. +</p> +<p> +The '__LINE__' macro is provided by the C preprocessor. The FIL__ macro +should be #defined to '_("sourcefile_name")' (see 'String wrapping macros' +above). +<p> +Example of use: +</p> +<pre> +#undef +#define FIL__ _("sh_mounts.c") + +sh_error_handle(ShMountsSevMnt, FIL__, __LINE__, 0, MSG_MNT_MNTMISS, + cfgmnt->path); +</pre> +<p> +See cat.c for the definition of MSG_MNT_MNTMISS: +</p> +<pre> + +{ MSG_MNT_MNTMISS, SH_ERR_WARN, RUN, N_("msg=\"Mount missing\" path=\"%s\"")}, +</pre> +<p> +So we print this out at severity ShMountsSevMnt, which in this case is +a configured value read from the samhain configuration file (see +sh_mounts.c). If we wanted to print it at the default severity +(SH_ERR_WARN), we could pass -1 as the severity. +</p> + +<h3>Checking files for modification</h3> + +<pre> +#include "sh_files.h" + +int sh_files_pushdir_?? (char * dirName); +int sh_files_pushfile_?? (char * fileName); +</pre> +<p> +These functions push directories and files onto the stack of those to check +for the specified policy (see the samhain documentation for further +information): +<table> + <tr><td> sh_files_pushdir_user0 </td><td>pushes the directory at USER0 </td></tr> + <tr><td align=right> ... _user1</td><td align=right>USER1</td></tr> + <tr><td align=right> ... _attr</td><td align=right>ATTR</td></tr> + <tr><td align=right> ... _ro</td><td align=right>READONLY</td></tr> + <tr><td align=right> ... _log</td><td align=right>LOGFILE</td></tr> + <tr><td align=right> ... _glog</td><td align=right>GROWING LOGFILE</td></tr> + <tr><td align=right> ... _noig</td><td align=right>IGNORE NONE</td></tr> + <tr><td align=right> ... _allig</td><td align=right>IGNORE ALL</td></tr> +</table> +So if you're writing a module that adds particular files to check, like the +sh_userfiles module for example, these are the functions to use. +</p> + +<h3>Managing memory</h3> + +<pre> +#include "sh_mem.h" + +#define SH_FREE(a) ... +#define SH_ALLOC(a) ... +</pre> +<p> +These are the macros to use when you're allocating/freeing memory in +samhain. They do all the error checking/reporting you need, so when +you get memory from SH_ALLOC you can just get to using it right away. +</p> + +<h3>Parsing strings</h3> + +<pre> +#include "sh_utils.h" + +char * sh_util_strdup (const char * str); +char * sh_util_strsep (char **str, const char *delim); +char * sh_util_strconcat (const char * arg1, ...); + +int sh_util_flagval(char * c, int * fval); +int sh_util_isnum (char *str); + +#include "slib.h" + +int sl_strlcpy (char * dst, const char * src, size_t siz); +int sl_strlcat (char * dst, const char * src, size_t siz); +int sl_snprintf(char *str, size_t n, const char *format, ... ); +</pre> +<p> +These functions are the samhain internal functions for string +handling. The first three act like their C library counterparts, +except using samhain's memory management functions and error +checking. sh_util_flagval converts the passed string into a truth +value - the value is stored in <b>fval</b> as 1 or 0 - and returns 0 +on success, -1 on failure. sh_util_isnum just checks if the passed +string is all numeric. +</p> +<p> +The functions sl_strlcpy and sl_strlcat work similar to the C library +strncpy/strncat functions, except that the destination string is always +null terminated, and the third argument must be the full length of the +destination buffer, <i>not</i> the remaining space. On success, the +return value is 0. +</p> +<p> +The function sl_snprintf provides either the system snprintf, or a replacement, +if the system has no or a buggy snprintf. +</p> + +<h3>Tracing execution</h3> + +<pre> +#include "slib.h" + +#define SL_ENTER(s) ... +#define SL_RETURN(retval, s) ... +</pre> +<p> +These macros are for tracing execution through samhain functions. You +should use SL_ENTER with the name of the function for each function +entered, and SL_RETURN with the return value and the name of the +function for each exit if you want to maintain compatibility with the +rest of samhain. +</p> + +<h3>Executing external programs (popen)</h3> + +<pre> +#include "sh_extern.h" + + +sh_tas_t task; +/* Prepare task */ +sh_ext_tas_init(&task); +sh_ext_tas_command(&task, char * command); +sh_ext_tas_add_argv(&task, char * val); +sh_ext_tas_add_envv (&task, char * environment_variable, char * value); + +int sh_ext_popen(&task); +int sh_ext_pclose(&task); +</pre> +<p> +To prepare a task to run, use 'sh_ext_tas_init' to initialise the task +structure. With 'sh_ext_tas_command' the command (absolute path) is set, +with 'sh_ext_tas_add_argv' command line options are added. Environment +variables can be set with 'sh_ext_tas_add_envv'. +</p> +<p> +To open for read, set "task.rw = 'r';", to open for write +use "task.rw = 'w';". +</p> +<p> +To run the task with privileges dropped to another UID, set +"task.privileged = 0;" and task.run_user_uid, task.run_user_gid +to the desired UID/GID. +</p> +<p> +To verify the checksum of the called executable, set +task.checksum[KEY_LEN+1] to the TIGER192 checksum of the executable. +</p> +<p> +After successful execution of sh_ext_popen (return status 0), +task.pipe is the stream opened for read or write, and task.pipeFD +its associated file descriptor. +</p> + +<h3>Inserting arbitrary data into the baseline database</h3> +<pre> + +#include "sh_hash.c" + +void sh_hash_push2db (char * key, unsigned long val1, + unsigned long val2, unsigned long val3, + unsigned char * str, int size); + +char * sh_hash_db2pop (char * key, unsigned long * val1, + unsigned long * val2, unsigned long * val3, + int * size); +</pre> +<p> +The baseline database has a fixed record format. To enter data, these need +to be prepared in the required format. To retrieve the data, the +'filepath' is used as key (if your data is not a file, you would provide +a dummy pathname as key). For convenience, the two functions noted below +are provided. +</p> +<p> +When checking files, samhain will walk the database to find files that +are in the database, but have been deleted from the disk. If you enter +data, you need to mark it as such by using a key that +starts with something else but '/', otherwise samhain will complain +if it has not been checked during the file check. +</p> +<pre> + +#include "sh_hash.c" + +void sh_hash_push2db (char * key, unsigned long val1, + unsigned long val2, unsigned long val3, + unsigned char * str, int size); + +char * sh_hash_db2pop (char * key, unsigned long * val1, + unsigned long * val2, unsigned long * val3, + int * size); +</pre> +<p> +To insert data, use 'sh_hash_push2db'. You can insert up to three long +integers (val1, val2, val3) and/or a binary string of length size +(max. (PATH_MAX-1)/2). As noted +above, you need to supply a key (stored as the 'filepath', which should +start with a character different from '/'). To retrieve data, you can use +'sh_hash_db2pop'. The return value is either NULL (if no string was +stored under this key), or the stored string (length returned in 'size'). +</p> +<p> +A string to store may consist of any characters, including NULLs, and +need not be NULL terminated. The returned string is +always NULL terminated (the terminating NULL is not included in 'size'), +and should be freed with SH_FREE() if not required anymore. +</p> +<p> +If the key is not found in the database, <b>size</b> is set to -1. +</p> + +<h2>Incorporating modules into the samhain build</h2> +<p> +This is a somewhat secondary but important part of writing a module +for samhain: +how to incorporate it into the samhain configuration and build process. +This just involves hacking the autoconf and makefile setup to include your +module. We'll present this file-by-file. +</p> +<h3>Makefile.in</h3> +<p> +You need to add a few bits to this file. First, add your header, +source and object filenames to the HEADERS, SOURCES and OBJECTS +variables. Then add your header to the dependencies for sh_modules.o +and ./sh_modules.o. Finally add dependency lines for your module +object file sh_whatever.o and ./sh_whatever.o, modelling them on the +other module object dependency lines. +</p> +<h3>acconfig.h</h3> +<p> +The config.h.in will be generated from this file by 'autoheader'. +You just need to add a line like +<pre> +#undef SH_USE_MOUNTS +</pre> +that will be defined by the ./configure code if the user specifies +the module as enabled. +</p> +<h3>aclocal.m4</h3> +<p> +This file is used by 'autoconf' to help generate ./configure. You need to add +your module's ./configure option to the SH_ENABLE_OPTS variable; for example, +to add the option --enable-mounts-check, we added the string 'mounts-check' to +this variable. +</p> +<h3>configure.ac</h3> +This is the other file used by 'autoconf' to generate ./configure. You need to +add an AC_ARG_ENABLE call to this file, along the lines of those for other +modules. For example, we added +<pre> +AC_ARG_ENABLE(mounts-check, + [ --enable-mounts-check check mount options on filesystems [[no] +]], + [ + if test "x${enable_mounts_check}" = xyes; then + AC_DEFINE(SH_USE_MOUNTS) + fi + ] +) +</pre> +for the sh_mounts module. This causes the #undef from acconfig.h above +to be defined when ./configure is run with the --enable-mounts-check argument. +</p> +This is all that you need. Once you've done the above, you'll need to +run 'autoheader' and 'autoconfig' to generate config.h.in and the +./configure script. Then your module will build as part of the samhain +source. +</p> + +<h2>Conclusion</h2> +<p> +Armed with the above information, any proficient C programmer should +be able to adapt and extend samhain to do whatever it is they need. We +hope that this document has been reasonably clear, easy to follow and +useful; please feel free to update it for clarity, accuracy and +completeness and resubmit it to the samhain project. +</p> +<p> +This document was written by the eircom.net Computer Incident Response Team. +Updated with CSS by Rainer Wichmann. +</p> +</div> +</body> +</html> diff --git a/docs/MANUAL-2_4.epub b/docs/MANUAL-2_4.epub Binary files differnew file mode 100644 index 0000000..2e5d3c7 --- /dev/null +++ b/docs/MANUAL-2_4.epub diff --git a/docs/MANUAL-2_4.html.tar b/docs/MANUAL-2_4.html.tar Binary files differnew file mode 100644 index 0000000..b5fea43 --- /dev/null +++ b/docs/MANUAL-2_4.html.tar diff --git a/docs/MANUAL-2_4.pdf b/docs/MANUAL-2_4.pdf Binary files differnew file mode 100644 index 0000000..c83b2bd --- /dev/null +++ b/docs/MANUAL-2_4.pdf diff --git a/docs/README b/docs/README new file mode 100644 index 0000000..a512389 --- /dev/null +++ b/docs/README @@ -0,0 +1,497 @@ + +CONTENT OF THIS DOCUMENT +------------------------ + + +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + +++ +++ + +++ NOTE: The distribution package contains a much more detailed MANUAL +++ + +++ +++ + +++ ---- See the docs/ subdirectory ---- +++ + +++ +++ + +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + + - INSTALL basic install procedure + + - PGP SIGNATURES signing database and config file + + - CLIENT/SERVER how to install and use with client/server mode + for distributed host monitoring + + - STEALTH how to install and use with stealth mode enabled + + - USAGE some usage examples + + - CAVEATS what the name says + + - START AT BOOT TIME how to start the daemon during the boot sequence + + - CONFIGURE OPTIONS overview of supported options, and defaults + + - TESTING test suite (also useful to see EXAMPLES) + + + + +INSTALL: +------- + + Unpack the source with: + + gunzip -c samhain-current.tar.gz | tar xvf - + + This will drop two files in your current directory: + + samhain-{version}.tar.gz + samhain-{version}.tar.gz.asc + + To check authenticity and integrity of the source code, verify + the PGP signature on samhain-{version}.tar.gz + (public PGP key for Rainer Wichmann at http://wwwkeys.pgp.net/): + + gpg --verify samhain-{version}.tar.gz.asc samhain-{version}.tar.gz + + Then unpack samhain-{version}.tar.gz: + + gunzip -c samhain-{version}.tar.gz | tar xvf - + cd samhain-{version} + + If you have an incarnation of 'dialog' (xdialog, dialog, lxdialog) + installed, you can use the GUI install tool: + + ./Install.sh + + Otherwise use the commands: + + ./configure [options] + make + su root + make install + + At least the following executable will be built: + + +++ samhain +++ the monitoring agent, without any + client/server support (i.e. local use only) + + Additional executables will be built if you compile in client/server + and/or stealth mode (see below). + + The 'make install' target will strip the executable(s), i.e. + discard symbols. + + PATHS: + ----- + For configuring the install paths/locations, + see the MANUAL. + + + WARNING: + ------- + Some versions of gcc have a bug that generates incorrect + code if strength reducing is enabled. + If you modify the compiler flags, always use the -fno-strength-reduce + option with gcc, unless you are sure that your compiler does not + suffer from the problem (see README.gcc_bug). + Also, some gcc versions generate incorrect code unless the + -fno-omit-frame-pointer option is used. + The -fno-strength-reduce and the -fno-omit-frame-pointer options are + enabled by default by the 'configure' script. + +PGP SIGNATURES: +-------------- + By default, samhain will report on the checksums of the database + and configuration files on startup. + + You can always (clear)sign the database (once initialized) + with GnuPG, as well as the configuration file + (recommended: gpg -a --clearsign --not-dash-escaped FILE). + + However, to have samhain check these signatures, rather than ignoring + them, you need GnuPG and you must compile samhain with the option + + ./configure --with-gpg=PATH + + where PATH is the path to the gpg/pgp binary. + + Samhain will invoke gpg only after checking that + only trusted users (by default: root and the effective user) + have write access to any element in the path. + + The public key for verification must be in the keyring of the + effective user (usually root) + + For more security, it is possible to compile in the checksum + of the GnuPG executable, and/or the key fingerprint. See + the MANUAL for more details. + + The public key will be searched in the gpg home directory + (~/.gnupg/) of the effective user (usually root). + The key identification and fingerprint will be reported. + +CLIENT/SERVER: +------------- + + samhain supports logging to a central server via TCP/IP. + To enable this option, use the ./configure option + + ./configure --enable-network=client|server [more options] + + NOTE: client and server are __distict__ applications, and must be + built seperately. By default, installation names and paths are + different. Do not blame us if you abuse './configure' options to + cause name clashes, if you install both on the same host. + + The following executables are built: + + +++ samhain (client) +++ the monitoring agent, + with client code included + if --enable-network=client + + +++ yule (server) +++ the log server (no monitoring, just report + collecting !!!) + if --enable-network=server + + +++ samhain_setpwd +++ a utility program to set the password of + a monitoring agent (see man page samhain.8). + Use it without options to get help. + + + To set up a monitoring agent, do the following: + + -- select a (16-digit hexadecimal) password. To generate + a random password, you can use: + + ./yule -G + + -- use 'samhain_setpwd samhain <suffix> <password>' + to generate an agent 'samhain.suffix' with the selected password + (you can rename the agent afterwards, of course) + + -- use 'yule -P password' to compute an entry to register the agent + + -- in the servers's configuration file, insert the computed entry + (replace HOSTNAME with the host, on which the agent will run) + in the section called [Clients] + + By default, client/server authentication + is done with the SRP (Secure Remote Password) protocol. + + It is also possible to store configuration and database files + on the server. See the manual for details. + +STEALTH: +------- + + samhain supports a 'stealth' mode of operation, meaning that + the program can be run without any obvious trace of its presence + on disk. The supplied facilities are more sophisticated than + just running the program under a different name, + and might thwart efforts using 'standard' Unix commands, + but they will not resist a search using dedicated utilities. + To enable this mode, use the ./configure option + + ./configure --enable-stealth=XOR_VAL [more options] + + XOR_VAL must be a decimal number in the range 0, 128..255 + (using 0 will have no effect). + + The runtime executable will contain no printable strings revealing + its nature or purpose (strings are xor'ed with XOR_VAL at compile + time, and decoded at runtime). + + The configuration file is expected to be + a postscript file with _uncompressed_ image data, wherein + the configuration data are hidden by steganography. + To create a suitable image file from an existing image, + you may use e.g. the ImageMagick program 'convert', such as: + + convert +compress ima.jpg ima.ps + + The following additional executable will be built: + + +++ samhain_stealth +++ steganography utility program to hide/extract + the configuration file data in/from a + postscript file with + _uncompressed_ image data. + Use it without options to get help. + + Database and log file entries are xor'ed with XOR_VAL to 'mask' + printable strings as binary data. No steganography is supported + for them, as this would require image files of unreasonable large + size. + However, if the database/log file is an existing image (say, a .jpg + file), the data will be appended to the end of the image data. + The image will display normally, and on examination of the file, + the add-on data will look like binary (image) data at first sight. + The built-in utility to verify and print log file entries + will handle this situation transparently. + + To re-name samhain to something unsuspicious, use the configure option + + ./configure --enable-install-name=NAME + + 'make install' will then re-name samhain upon installation. Also, + database, log file, and pid file will have 'samhain' replaced by + NAME. + + +USAGE EXAMPLES: +-------------- + + Review the default configuration file that comes with the + source distribution. Read the man page (samhain.8). + + initialize database: samhain -t init + + check files: samhain -t check + + run as daemon: samhain -t check -D + + report to log server: samhain -t check -D -e warn + + start the log server: yule -S + + +CAVEATS: +------- + Permissions: + ----------- + samhain needs root permissions to check some system files. + The log server does not require root permissions, unless + you use a privileged port (port number below 1024). + If you use --enable-udp to listen on the syslog socket, you need + to start the log server with root permissions (it will drop them + after binding to the port). + + Trust: + ----- + samhain checks the path to critical files (database, configuration) + for write access by untrusted users. By default, only root and + the effective user are trusted. More UIDs can be added as a + compile options (some systems habe 'bin' as owner of the root + directory). + + Integrity: + --------- + On startup, samhain will report on signatures or checksums of + database and configuration files. You better check these reports. + + Both startup and exit will be reported. If you are using samhain + as daemon and start it at boot time, you may want to check that + startup/exit corresponds with scheduled reboots. + + If the path to the samhain binary is defined in the configuration + file, samhain will checksum the binary at startup and compare + at program termination. This will minimize the time available + for an intruder to modify the binary. + + Mail address: + ------------ + For offsite mail, you may have to set a mail relay host + in the configuration file. + +START AT BOOT TIME: +------------------ + the easy way (supported on Linux, FreeBSD, HP-UX, AIX): + + su root + make install-boot + + + +CONFIGURE OPTIONS: +----------------- + + ------------------- + -- basic options -- + ------------------- + + --enable-network Compile with client/server support. + + --enable-udp Enable the server to listen on + port 514/udp (syslog). + + --enable-srp Use SRP protocol to authenticate to + log server. + + --with-gpg=PATH Use GnuPG to verify database/config. + The public key of the effective + user (in ~/.gnupg/pubring.gpg) + will be used. + + --enable-login-watch Watch for login/logout events. + + --enable-stealth=XOR_VAL Enable stealth mode, and set XOR_VAL. + XOR_VAL must be decimal in + 0..32 or 127..255 + and will be used to 'mask' literal + strings as binary data. + (0 has no effect). + + --enable-micro-stealth=XOR_VAL + As --with-stealth, but without + steganographic hidden configuration + file. + + --enable-nocl=PW Enable command line parsing ONLY if + PW is the first argument on the command + line. If PW is "" (empty string), + command line parsing is completely + disabled. + + --enable-base=BASE Set base for one-time pads. Must be + ONE string (no space) made of TWO + comma-separated integers in the range + -2147483648...2147483647. + (The default is compile time.) + Binaries compiled with different + values cannot verify the audit trail(s) + of each other. + THIS IS IMPORTANT IF YOU COMPILE + MULTIPLE TIMES, E.G. ON DIFFERENT + HOSTS. + + + ------------------- + -- paths -- + ------------------- + + ${install_name} is "samhain" by default + (see --with-install-name=NAME ) + + configuration: /etc/${install_name}rc + state data: /var/lib/${install_name} + log file: /var/log/${install_name}_log + lock/pid file: /var/run/${install_name}.pid + + mandir: /usr/local/man + bindir: /usr/local/sbin/ + + + --exec-prefix=EPREFIX Set sbindir prefix (default + is /usr/local, ie. binaries + go to /usr/local/sbin) + + --prefix=PREFIX install directory + (default is NONE) + + IF PREFIX = USR; then + + configuration: /etc/${install_name}rc + state data: /var/lib/${install_name} + log file: /var/log/${install_name}_log + lock/pid file: /var/run/${install_name}.pid + + mandir: /usr/share/man + bindir: /usr/sbin/ + + IF PREFIX = OPT; then + + configuration: /etc/opt/${install_name}rc + state data: /var/opt/${install_name}/${install_name} + log file: /var/opt/${install_name}/${install_name}_log + lock/pid file: /var/opt/${install_name}/${install_name}.pid + + mandir: /opt/${install_name}/man + bindir: /opt/${install_name}/bin/ + + IF PREFIX = (something else); then + + If EPREFIX is not set, it will be set to PREFIX. + configuration: PREFIX/etc/${install_name}rc + state data: PREFIX/var/lib/${install_name} + log file: PREFIX/var/log/${install_name}_log + lock/pid file: PREFIX/var/run/${install_name}.pid + + mandir: PREFIX/share/man + bindir: PREFIX/sbin/ + + + + --with-config-file=FILE Set path of configuration file + (default is PREFIX/etc/samhainrc) + + --with-data-file=FILE Set path of data file + (PREFIX/var/lib/samhain/samhain_file) + --with-html-file=FILE Set path of server status html file + (PREFIX/var/lib/samhain/samhain.html) + + --with-log-file=FILE Set path of log file + (PREFIX/var/log/samhain_log) + --with-pid-file=FILE Set path of lock file + (PREFIX/var/run/samhain.pid) + + ------------------- + -- other -- + ------------------- + + + --with-checksum=CHECKSUM Compile in TIGER checksum of the + gpg/pgp binary. + CHECKSUM must be the full + line output by samhain or GnuPG when + computing the checksum. + + --with-fp=FINGERPRINT Compile in public key fingerprint. + FINGERPRINT must be without spaces. + Only useful in combination with + '--with-gpg'. + If used, samhain will check the + fingerprint, but still report on the + used public key. + + --enable-identity=USER Set user when dropping root privileges + (default is the user "nobody"). + Only needed if there is no user + 'nobody' on your system + (check /etc/passwd) + + --with-port=PORT Set port number for TCP/IP + (default is 49777). + Only needed if this port is already + used by some other application. + + --with-logserver=HOST Set host address for log server + (default is NULL). + You can set this in the configuration + file as well. + + --with-timeserver=HOST Set host address for time server + (default is NULL - use own clock). + You can set this in the configuration + file as well. + + --with-sender=SENDER Set sender for e-mail + (default is daemon). + + --enable-xml-log Use XML format for log file. + + --enable-debug Enable extended debugging + + --enable-ptrace Use anti-debugging code. + + --with-trusted=UID Comma-separated list of UID's of + users that are always trusted + (default is 0 = root). + You will need this only if the + path to the config file has directories + owned neither by 'root' nor by the + (effective) user of the program. + + +TESTING: +------- + For testing compilation etc., you may use the test suite: + + ./test/test.sh n [hostname] + + The argument 'n' is the number of the test to run. Some tests require + that the (fully qualified) hostname be given as second argument. + + Without options, you will get a short help/usage message, listing + each test, its purpose, and the name of the configuration file used. + You may want to review the respective configuration file before + running a test. + + Also listed are the scripts used for each test. If you have problems + getting samhain to run, you may use these scripts as examples. + diff --git a/docs/README.LZO b/docs/README.LZO new file mode 100644 index 0000000..9d13643 --- /dev/null +++ b/docs/README.LZO @@ -0,0 +1,136 @@ +-----BEGIN PGP SIGNED MESSAGE----- + + + ============================================================================ + miniLZO -- mini subset of the LZO real-time data compression library + ============================================================================ + + Author : Markus Franz Xaver Johannes Oberhumer + <markus.oberhumer@jk.uni-linz.ac.at> + http://wildsau.idv.uni-linz.ac.at/mfx/lzo.html + Version : 1.06 + Date : 29-Nov-1999 + + I've created miniLZO for projects where it is inconvenient to + include (or require) the full LZO source code just because you + want to add a little bit of data compression to your application. + + miniLZO implements the LZO1X-1 compressor and both the standard and + safe LZO1X decompressor. Apart from fast compression it also useful + for situations where you want to use pre-compressed data files (which + must have been compressed with LZO1X-999). + + miniLZO consists of one C source file and two header files: + minilzo.c + minilzo.h + lzoconf.h + + To use miniLZO just copy these files into your source directory, add + minilzo.c to your Makefile and #include minilzo.h from your program. + Note: you also must distribute this file (`README.LZO') with your project. + + minilzo.o compiles to about 6 kB (using gcc or Watcom C on a i386), and + the sources are about 14 kB when packed with zip - so there's no more + excuse that your application doesn't support data compression :-) + + For more information, documentation, example programs and other support + files (like Makefiles and build scripts) please download the full LZO + package from + http://wildsau.idv.uni-linz.ac.at/mfx/lzo.html + + Have fun, + Markus + + + P.S. minilzo.c is generated automatically from the LZO sources and + therefore functionality is completely identical + + + Appendix A: building miniLZO + ---------------------------- + miniLZO is written such a way that it should compile and run + out-of-the-box on most machines. + + If you are running on a very unusual architecture and lzo_init() fails then + you should first recompile with `-DLZO_DEBUG' to see what causes the failure. + The most probable case is something like `sizeof(char *) != sizeof(long)'. + After identifying the problem you can compile by adding some defines + like `-DSIZEOF_CHAR_P=8' to your Makefile. + + The best solution is (of course) using Autoconf - if your project uses + Autoconf anyway just add `-DMINILZO_HAVE_CONFIG_H' to your compiler + flags when compiling minilzo.c. See the LZO distribution for an example + how to set up configure.in. + + + Appendix B: list of public functions available in miniLZO + --------------------------------------------------------- + Library initialization + lzo_init() + + Compression + lzo1x_1_compress() + + Decompression + lzo1x_decompress() + lzo1x_decompress_safe() + + Checksum functions + lzo_adler32() + + Version functions + lzo_version() + lzo_version_string() + lzo_version_date() + + Portable (but slow) string functions + lzo_memcmp() + lzo_memcpy() + lzo_memmove() + lzo_memset() + + + Appendix C: suggested macros for `configure.in' when using Autoconf + ------------------------------------------------------------------- + Checks for typedefs and structures + AC_CHECK_TYPE(ptrdiff_t,long) + AC_TYPE_SIZE_T + AC_CHECK_SIZEOF(unsigned short) + AC_CHECK_SIZEOF(unsigned) + AC_CHECK_SIZEOF(unsigned long) + AC_CHECK_SIZEOF(char *) + AC_CHECK_SIZEOF(ptrdiff_t) + AC_CHECK_SIZEOF(size_t) + + Checks for compiler characteristics + AC_C_CONST + + Checks for library functions + AC_CHECK_FUNCS(memcmp memcpy memmove memset) + + + Appendix D: Copyright + --------------------- + LZO and miniLZO are Copyright (C) 1996-1999 + Markus Franz Xaver Johannes Oberhumer + + LZO and miniLZO are distributed under the terms of the GNU General + Public License (GPL). See the file COPYING. + + Special licenses for commercial and other applications which + are not willing to accept the GNU General Public License + are available by contacting the author. + + + + +-----BEGIN PGP SIGNATURE----- +Version: 2.6.3ia +Charset: noconv + +iQCVAwUBOEK5Km10fyLu8beJAQE2oAQAovSZ1KDXJKdbfUmGHhRAoU/BdQXydYKr +tGDtC0i8EfC2cjrbJANbZq8GQM0PMZSAgyW9/BaUmRZ/d5pxpF0eBBpUp87i/ZM6 +BoPE3uu7Rwu05SSR3FRFe1lCrMDn/yHkyV9T+DUY6XaBLONdaPh7BayQ93MnCFoD +9gs3grhALsM= +=uuXN +-----END PGP SIGNATURE----- diff --git a/docs/README.UPGRADE b/docs/README.UPGRADE new file mode 100644 index 0000000..608ca4b --- /dev/null +++ b/docs/README.UPGRADE @@ -0,0 +1,113 @@ +to 4.0.0 and higher: if you use "ReportCheckflags = yes" (off by default), + you need to change the database scheme: + + -- mysql: + ALTER TABLE samhain.log ADD COLUMN checkflags_old BIGINT UNSIGNED; + ALTER TABLE samhain.log ADD COLUMN checkflags_new BIGINT UNSIGNED; + + -- postgres: + ALTER TABLE samhain.log ADD COLUMN checkflags_old NUMERIC(20); + ALTER TABLE samhain.log ADD COLUMN checkflags_new NUMERIC(20); + + --oracle: + ALTER TABLE samhain.log ADD checkflags_old NUMBER(20); + ALTER TABLE samhain.log ADD checkflags_new NUMBER(20); + +to 2.8.0 and higher: samhain supports IPv6 now, which means that the + size of the 'ip' column in the database must be increased from + VARCHAR(16) to VARCHAR(46). + + BE SURE TO MAKE A BACKUP BEFORE THIS! + + -- mysql: alter table samhain.log modify ip VARCHAR(46); + + -- postgresql: alter table samhain.log alter column ip type varchar(46); + + -- oracle: alter table samhain.log modify ip VARCHAR2(46); + + +to 2.4.4 and higher: it is possible now to store the full content of + small files in the baseline database. To support this feature with + logging to an RDBMS, the DB schema for Oracle needs to be adjusted + by converting the link_old, link_new columns from VARCHAR2 to CLOB: + + -- Oracle: + ALTER TABLE samhain.log ADD tmp_name CLOB; + UPDATE samhain.log SET tmp_name=link_old; + ALTER TABLE samhain.log DROP COLUMN link_old; + ALTER TABLE samhain.log RENAME COLUMN tmp_name to link_old; + + ALTER TABLE samhain.log ADD tmp_name CLOB; + UPDATE samhain.log SET tmp_name=link_new; + ALTER TABLE samhain.log DROP COLUMN link_new; + ALTER TABLE samhain.log RENAME COLUMN tmp_name to link_new; + + -- Samhain server (yule): if you are logging to the RDBMS via + the server (yule), as recommended, you need to also upgrade the + server, because earlier versions had a too restrictive limit on + the maximum length of an SQL query. + + +to 2.3.3 and higher: a bug has been fixed that resulted in an additional + slash at the beginning of the linked path of symlinks in the root + directory (symlinks in other directories were not affected) + + -- this may cause spurious warnings about modified links, if you check + against a database created with an earlier version of samhain + +from lower to 2.3.x: the database scheme has changed slightly. + To upgrade, use the following SQL commands in the command-line + client of your database: + + -- MySQL: + ALTER TABLE samhain.log ADD COLUMN acl_old BLOB; + ALTER TABLE samhain.log ADD COLUMN acl_new BLOB; + + -- PostgreSQL: + ALTER TABLE samhain.log ADD COLUMN acl_old TEXT; + ALTER TABLE samhain.log ADD COLUMN acl_new TEXT; + + -- Oracle: + ALTER TABLE samhain.log ADD acl_old VARCHAR2(4000); + ALTER TABLE samhain.log ADD acl_new VARCHAR2(4000); + DROP TRIGGER trigger_on_log; + + + +since 2.2.0: server-to-server relay is possible + + -- this implies that problems will arise if your server is misconfigured + to connect to itself (SetExportSeverity is explicitely set + to a threshold different from 'none', and the logserver is set to + localhost). The server may deadlock in this case. + + + +since 2.1.0: update and daemon mode can be combined + + -- this implies that '-t update' will start a daemon process if running as + daemon is the default specified in the config file. use '--foreground' + to avoid starting a daemon process + + + +from 1.7.x to 1.8.x: client/server encryption protocol has been enhanced + + -- 1.7.x clients can connect to a 1.8.x server + + -- 1.8.x clients can only connect to a 1.7.x server, if they + are built with --enable-encrypt=1 + + + +from 1.6.x to 1.7.x: things to watch out for + + -- the log server drops root privileges after startup; it needs a logfile + directory with write access for the unprivileged user now + + -- the PID file does not double as lock for the log file anymore; the + log file has its own lock now (same path, with .lock appended) + + -- by default, the HTML status page of the server is in the log directory + now; this allows to make the data directory read-only for the server + diff --git a/docs/README.gcc_bug b/docs/README.gcc_bug new file mode 100644 index 0000000..1330528 --- /dev/null +++ b/docs/README.gcc_bug @@ -0,0 +1,49 @@ + +GCC Compiler Bug +---------------- + +Reference: http://boudicca.tux.org/hypermail/linux-kernel/2000week05/0983.html + +From: Johan Kullstam (kullstam@ne.mediaone.net) +Date: Thu Jan 27 2000 - 18:00:28 EST + +Horst von Brand <vonbrand@sleipnir.valparaiso.cl> writes: + +> My question in this vein would be the -fno-strength-reduce. The gcc bug +> that placed this in the kernel was in gcc-2.7.2, and was worked around in +> 2.7.2.3 by just making this option unconditional. Both 2.2.15pre4 and +> 2.3.41pre2 at least demand gcc-2.7.2.3 as minimal version. + +just when you thought it was safe to go into the water... + +strength-reduction is broken again in gcc-2.95.2 (aka the current +release). i'm not sure about what versions actually do work. + +for fun, try this one out. cut and paste the program bug.c. + +$ gcc -O2 bug.c -o b0 +$ gcc -O2 -fno-strength-reduce bug.c -o b1 + +run b1. notice it finish immediately. +now run b0. notice how b0 never terminates (until you ^C it). + + +-- bug.c ----------------------------------------- +static void bug(int size, int tries) +{ + int i; + int num = 0; + + while (num < size) + { + for (i = 1; i < tries; i++) num++; + } +} + +int main() +{ + bug(5, 10); + return 0; +} +-- bug.c ----------------------------------------- + diff --git a/docs/README.sstrip b/docs/README.sstrip new file mode 100644 index 0000000..b96c171 --- /dev/null +++ b/docs/README.sstrip @@ -0,0 +1,40 @@ +sstrip is a small utility that removes the contents at the end of an +ELF file that are not part of the program's memory image. + +Most ELF executables are built with both a program header table and a +section header table. However, only the former is required in order +for the OS to load, link and execute a program. sstrip attempts to +extract the ELF header, the program header table, and its contents, +leaving everything else in the bit bucket. It can only remove parts of +the file that occur at the end, after the parts to be saved. However, +this almost always includes the section header table, and occasionally +a few random sections that are not used when running a program. + +It should be noted that the GNU bfd library is (understandably) +dependent on the section header table as an index to the file's +contents. Thus, an executable file that has no section header table +cannot be used with gdb, objdump, or any other program based upon the +bfd library, at all. In fact, the program will not even recognize the +file as a valid executable. (This limitation is noted in the source +code comments for bfd, and is marked "FIXME", so this may change at +some future date. However, I would imagine that it is a pretty +low-priority item, as executables without a section header table are +rare in the extreme.) This probably also explains why strip doesn't +offer the option to do this. + +Shared library files may also have their section header table removed. +Such a library will still function; however, it will no longer be +possible for a compiler to link a new program against it. + +As an added bonus, sstrip also tries to removes trailing zero bytes +from the end of the file. (This normally cannot be done with an +executable that has a section header table.) + +sstrip is a very simplistic program. It depends upon the common +practice of putting the parts of the file that contribute to the +memory image at the front, and the remaining material at the end. This +permits it to discard the latter material without affecting file +offsets and memory addresses in what remains. However, the ELF +standard permits files to be organized in almost any order. So +although this procedure usually works in practice, it is not meant to +be taken too seriously. diff --git a/docs/README.win2K b/docs/README.win2K new file mode 100644 index 0000000..4a04347 --- /dev/null +++ b/docs/README.win2K @@ -0,0 +1,36 @@ + +Using SAMHAIN on Win2K +---------------------- + +samhain builds and runs on Win2K (and maybe other M$ products) with +the (free, GPL) Cygwin environment. +Fabio Paracchini <fparacchini at alteanet dot it> writes: + +(UPDATE: note that some configure options have changed since this has been + written. Check the manual and/or run './configure --help' for + available options.) + + The configuration I'm testing now is a server on OpenBSD 2.8 and a client on + W2K, using the latest Cygwin. I was able to compile the client on a W2K + Cygwin development machine using those configuration flags: + + --enable-static + --enable-network + --with-tmp-dir=/tmp + --with-data-file=REQ_FROM_SERVER/samhain.db + --with-config-file=REQ_FROM_SERVER/etc/samhainrc + --with-logserver=x.x.x.x + --with-lock-file=/cygdrive/c/samhain.lck + --with-log-file=/cygdrive/c/samhain.log + + I was able to successfully compile and sign the executable, upload to the + production server with the cygwin1.dll in the same directory and run both + samhain -t init and samhain -t check. + + If you need a stealthy configuration you could change lock & log file to + something more obscure, only pay attention that in Cygwin if you need to + access drive C: you have to prefix your path with /cygdrive/c. + + The configuration is kept on the server where Yule runs; I registered the + client and I'm in the process of tuning the exceptions for the files + modified by Windows. diff --git a/docs/samhain_german.pdf b/docs/samhain_german.pdf Binary files differnew file mode 100644 index 0000000..45cd6ed --- /dev/null +++ b/docs/samhain_german.pdf diff --git a/docs/sh_mounts.txt b/docs/sh_mounts.txt new file mode 100644 index 0000000..4bfe121 --- /dev/null +++ b/docs/sh_mounts.txt @@ -0,0 +1,59 @@ +Documentation for sh_mounts, the samhain "Mounts" module. +--------------------------------------------------------- +sh_mounts implements functionality we had in a policy-checking Perl script we +have here at eircom; basically, all it does is ensure that certain mounts are +there (for example, /, /tmp, /var, /usr, /home) and that certain options are +specified on those mounts (for example noexec,nosuid on /tmp). + +All quite simple. It wouldn't be too hard to extend this module somewhat, to +report any NFS mounts found, for example, or to test that _only_ the mounts +specified are mounted on the machine. + +Here's a bit for the manual: + +<Begin manual entry> + +Checking mounted filesystem policies +------------------------------------ +samhain can be compiled to check if certain filesystems are mounted, and if they +are mounted with the appropriate options. This module currently supports Linux, +Solaris and FreeBSD. The configuration of the module is done in the Mounts +section of the configuration file: + +-------->8--------- + +[Mounts] +# +# Activate (0 is off). +# +MountCheckActive=1 + +# +# Interval between checks. +# +MountCheckInterval=7200 + +# +# Logging severities. We have two checks: to see if a mount is there, and to +# see if it is mounted with the correct options. +# +SeverityMountMissing=warn +SeverityOptionMissing=warn + +# +# Mounts to check for, followed by lists of options to check on them. +# +checkmount=/ +checkmount=/var +checkmount=/usr +checkmount=/tmp noexec,nosuid,nodev +checkmount=/home noexec,nosuid,nodev + +-------->8--------- + +<End manual entry> + +The module is enabled as part of the compilation of samhain by specifying +--enable-mounts-check + +This module by the eircom.net Computer Incident Response Team diff --git a/docs/sh_userfiles.txt b/docs/sh_userfiles.txt new file mode 100644 index 0000000..cc3ad3f --- /dev/null +++ b/docs/sh_userfiles.txt @@ -0,0 +1,39 @@ +Checking sensitive files owned by users. +------------------------------------ +samhain can be compiled to support checking of files that are specified +as being relative to the a user's home directory. It is intended to +detect interference with files that influence process behaviour such as +.profile +It simply adds the appropriate file entries to the main samhain list, at +the specified alerting level. + + +-------->8--------- + +[UserFiles] +# +# Activate (0 is off). +# +UserfilesActive=1 + +# +# Files to check for under each $HOME +# A specific level can be specified. +# The allowed values are: +# allignore +# attributes +# logfiles +# loggrow +# noignore +# readonly +# user0 +# user1 +# +#Ê The default is noignore +UserfilesName=.login noignore +UserfilesName=.profile readonly +UserfilesName=.ssh/authorized_keys + +-------->8--------- + +This module by the eircom.net Computer Incident Response Team. |