diff options
Diffstat (limited to 'debian/README.Debian')
-rw-r--r-- | debian/README.Debian | 117 |
1 files changed, 117 insertions, 0 deletions
diff --git a/debian/README.Debian b/debian/README.Debian new file mode 100644 index 0000000..728ac91 --- /dev/null +++ b/debian/README.Debian @@ -0,0 +1,117 @@ +samhain for Debian +------------------ + +Samhain reports +--------------- +(in systems that are upgrade periodically) + +If you are running samhain and are constantly updating your system, +maybe because you are running Debian 'sid' (i.e. unstable, not advised +on production servers) you will find that when you run 'apt-get upgrade' +you will get a flood of e-mails warning of system changes. +You will also get them when the system is rebooted or samhain is restarted. + +The main reason for this is that samhain is essentially doing its job: +warning the administrator of file system changes, and will keep on doing +this until the administrator updates the file system integrity database. +Notice that in a production server this will also happen when a security +update is made and patches are installed from Debian sources. + +This package will _never_ include a cron job that will do this for you, +since it could open a way for attackers to leave samhain useless (kill +samhain, make your changes, wait until the cron job updates samhain, restart +samhain...) + +It's the administrator job to determine whether a change samhain has +reported since the database was initialized/updated is correct or not and +when this has been verified he needs to manually reset the database +('samhain -t update -m none'). + +If this is your situation, and your integrity database is in your system +in read-write media (again, not recommended) you might want to run +'samhain -t update' after each programmed upgrade. +Moreover, you could do this automatically by +changing apt.conf (again, not recommend): + +-------------------------------------------------------------------------- +DPkg +{ + Pre-Invoke { "/etc/init.d/samhain stop" }; + Post-Invoke { "echo Updating samhain database" ; + "/usr/sbin/samhain -t update --foreground -m none" ; + "/etc/init.d/samhain start" }; +}; +-------------------------------------------------------------------------- + +Notice this configuration opens up a "window of vulnerability" in which +an attacker can wait until you run an update through apt, and makes his +changes before all the packages are installed. Since samhain is stopped +before that and the database is updated before it's restarted, the attacker's +changes will go unnoticed. + +With this configuration you will only receive a mail of the fact that samhain +was stopped and started, but no mail regarding the changes done to the filesystem +(you can modify the '-m' switch to change this, however) + +Included functionality +---------------------- + +Whileas samhain provides a client/server model as well as some nifty +security features (such as using GNUpg to test the database) +and functionality features (such as logging to SQL databases) they +have not been (yet) included in the package. Please read the manual and +use the sources (adjusting as needed) if you want these options. + +You can still use the Debian sources, if you want, to create new packages with +those features. For example, if you want to compile the server instead you +have to use the --enable-network=server flag. You can change this in the +debian/rules file inside the sources of the Debian package and recompile the +package (dpkg-buildpackage). You could do something like this: + +$ apt-get source samhain +$ cd samhain-2.0.10a +$ vi debian/rules +[ change the --enable-network= call ] +$ dch --newversion 1:2.2.0-1 +[ ... introduce a relevant changelog entry ... ] +$ dpkg-buildpackage +[ ... builds the package ... ] + +If you change the Debian version of the package (using 'dch') apt will +not update your package from Debian sources if these get update with a new +release. That's what the 'dch --newversion 1:2.2.0-1' is for. +A package with this version should never be upgraded by apt (as it would be +higher to any other version I might introduce in the archive due to the '1:' +epoch). You can also put the samhain package 'on hold' will not be +upgraded either (read more on 'holding' packages in the dpkg or apt +documentation) + +Samhain does not provide the web-based console (Beltane) either, you can +retrieve it from http://la-samhna.de/beltane/index.html + +The feature to detect loadable kernel module rootkits has been disabled +for the time being (it is kernel specific) + +In any clase, please take you time to customise samhain's configuration +file (/etc/samhain/samhainrc) specially the places (and kind of errors) +which Samahin will log (by sending an email, printing to console or to +syslog), please do 'man samhainrc' + +FIXED? (check) +- Make samhainrc adapted to Debian system -> 1.6 comes with a profile for + Debian-i386linux (this one is installed) + +TODO list +- Write manpages for samhain_encode and samhain_pwd based on README +- Currently not compiled with options, but could be compiled with +GPG/PGP support +- postrm script should remove database (if any) +- create a samhain-stealth package that conflicts with sanhain and does not +include the manpages and provides kernel module for stealth +- probably separate the client and server stuff in different packages + + -- Javier Fernandez-Sanguino Peņa <jfs@computer.org> +Thu, 1 Jun 2006 21:36:21 +0200 + + + |