path: root/docs/FAQ.html
Diffstat (limited to 'docs/FAQ.html')
-rw-r--r-- docs/FAQ.html 63
1 files changed, 29 insertions, 34 deletions
diff --git a/docs/FAQ.html b/docs/FAQ.html
index b34f60c..facc7af 100644
--- a/docs/FAQ.html
+++ b/docs/FAQ.html
@@ -138,7 +138,7 @@ h1, h2, h3, h4, h5, h6 {
the <a href="http://www.la-samhna.de/samhain/HOWTO-client+server-troubleshooting.html">HOWTO client+server troubleshooting</a> document.</li>
</ul>
</div>
-<p><i>FAQ Revised: Wednesday 14 January 2015 20:41:15</i></p>
+<p><i>FAQ Revised: Monday 17 September 2018 15:13:17</i></p>
<hr><h2>Table of Contents</h2>
<dl>
<dt><b>1. Most frequently</b></dt>
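Review bot: the "FAQ Revised" line is a hand-edited timestamp and is the only change in this hunk; since the same commit also renumbers sections and anchors, consider generating this date at build time from the file's modification time so it cannot drift from the content on later edits.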
@@ -146,22 +146,21 @@ h1, h2, h3, h4, h5, h6 {
<li><a href="#Most frequently0">1.1. Owner not trustworthy / Group writeable and member not trustworthy</a></li>
<li><a href="#Most frequently1">1.2. samhain exits with the message &quot;Untrusted path&quot; for config/log/pid/database files</a></li>
<li><a href="#Most frequently2">1.3. It does not log anything / Can't stop logging to console</a></li>
-<li><a href="#Most frequently3">1.4. Client cannot self-resolve, but nslookup works fine</a></li>
-<li><a href="#Most frequently4">1.5. Server logs hostname instead of FQDN (or vice versa)</a></li>
+<li><a href="#Most frequently3">1.4. samhain exits with the message &quot;Record with bad version number in file signature database&quot;</a></li>
+<li><a href="#Most frequently4">1.5. Client cannot self-resolve, but nslookup works fine</a></li>
+<li><a href="#Most frequently5">1.6. Server logs hostname instead of FQDN (or vice versa)</a></li>
</ul></dd>
<dt><b>2. Build and install</b></dt>
<dd><ul>
-<li><a href="#Build and install0">2.1. [Fedora Core] Cannot compile with --enable-khide</a></li>
-<li><a href="#Build and install1">2.2. [Fedora Core] Cannot compile with --with-kcheck</a></li>
-<li><a href="#Build and install2">2.3. &quot;make&quot; loops infinitely !</a></li>
-<li><a href="#Build and install3">2.4. Why does static compiling (<code>--enable-static</code>) on Solaris fail ?</a></li>
-<li><a href="#Build and install4">2.5. Compilation fails with '/usr/bin/ld: cannot find -lnss_files'</a></li>
-<li><a href="#Build and install5">2.6. The executable is corrupted after installation</a></li>
-<li><a href="#Build and install6">2.7. --enable-xml-log has no effect</a></li>
-<li><a href="#Build and install7">2.8. ./install-sh: strip: not found (Solaris)</a></li>
-<li><a href="#Build and install8">2.9. What is sh_tiger1.s?</a></li>
-<li><a href="#Build and install9">2.10. Why does static compiling (<code>--enable-static</code>) on MaxOS X fail ?</a></li>
-<li><a href="#Build and install10">2.11. Why does compiling with MySQL fail on Solaris ?</a></li>
+<li><a href="#Build and install0">2.1. &quot;make&quot; loops infinitely !</a></li>
+<li><a href="#Build and install1">2.2. Why does static compiling (<code>--enable-static</code>) on Solaris fail ?</a></li>
+<li><a href="#Build and install2">2.3. Compilation fails with '/usr/bin/ld: cannot find -lnss_files'</a></li>
+<li><a href="#Build and install3">2.4. The executable is corrupted after installation</a></li>
+<li><a href="#Build and install4">2.5. --enable-xml-log has no effect</a></li>
+<li><a href="#Build and install5">2.6. ./install-sh: strip: not found (Solaris)</a></li>
+<li><a href="#Build and install6">2.7. What is sh_tiger1.s?</a></li>
+<li><a href="#Build and install7">2.8. Why does static compiling (<code>--enable-static</code>) on MaxOS X fail ?</a></li>
+<li><a href="#Build and install8">2.9. Why does compiling with MySQL fail on Solaris ?</a></li>
</ul></dd>
<dt><b>3. File checking</b></dt>
<dd><ul>
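Review bot: the anchors are positional ("Most frequently3", "Build and install0"), so inserting 1.4 and dropping 2.1/2.2 re-targets every later anchor: an existing link to "#Most frequently4" now resolves to the self-resolve question instead of the FQDN one, and "#Build and install2" moves from the "make loops" entry to the -lnss_files entry. Consider deriving anchor names from the question text rather than the index so future insertions do not silently break external bookmarks and mailing-list links.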
@@ -281,7 +280,11 @@ PrintSeverity=none
Defining <tt>/dev/null</tt> as console device works as well, but
is a bad idea, because samhain will open the device and write (i.e. it is
a very inefficient method).<br><br></dd>
-<dt><b><a name="Most frequently3">1.4. Client cannot self-resolve, but nslookup works fine</a></b></dt>
+<dt><b><a name="Most frequently3">1.4. samhain exits with the message &quot;Record with bad version number in file signature database&quot;</a></b></dt>
+<dd>This typically happens when the initialisation of the database has been
+done repeatedly, i.e. by using '-t init' multiple times, without (re)moving
+the previous database first before an initialisation.<br><br></dd>
+<dt><b><a name="Most frequently4">1.5. Client cannot self-resolve, but nslookup works fine</a></b></dt>
<dd><ul>
<li>Nslookup is a program to query Internet domain name servers.
</li>
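Review bot: the new 1.4 answer gives the cause but not the remedy. The text already says the database must be (re)moved before re-initialisation, so state that as the fix in one sentence: move or delete the existing signature database, then run '-t init' once. If repeated '-t init' appends to the existing file rather than overwriting it, say so, since that is what explains why removing the file first is the cure.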
@@ -332,7 +335,7 @@ Below you can find some examples of good and bad <tt>/etc/hosts</tt> files:
127.0.0.1 localhost myhost
xxx.xxx.xxx.xxx myhost.mydomain.tld myhost
</pre></div><br><br></dd>
-<dt><b><a name="Most frequently4">1.5. Server logs hostname instead of FQDN (or vice versa)</a></b></dt>
+<dt><b><a name="Most frequently5">1.6. Server logs hostname instead of FQDN (or vice versa)</a></b></dt>
<dd>The default is to log the hostname only, if you want the FQDN
then there is an option for the server configuration:
<div class="block"><pre>
@@ -342,26 +345,18 @@ then there is an option for the server configuration:
</dl>
<hr><h2>2. Build and install</h2>
<dl>
-<dt><b><a name="Build and install0">2.1. [Fedora Core] Cannot compile with --enable-khide</a></b></dt>
-<dd>The Fedora Core kernel is patched to unconditionally deny reading
-from /dev/kmem. Compiling the stealth kernel modules is not possible
-under these circumstances.<br><br></dd>
-<dt><b><a name="Build and install1">2.2. [Fedora Core] Cannot compile with --with-kcheck</a></b></dt>
-<dd>The Fedora Core kernel is patched to unconditionally deny reading
-from /dev/kmem. Checking the kernel for the presence of rootkits is
-not possible under these circumstances.<br><br></dd>
-<dt><b><a name="Build and install2">2.3. &quot;make&quot; loops infinitely !</a></b></dt>
+<dt><b><a name="Build and install0">2.1. &quot;make&quot; loops infinitely !</a></b></dt>
<dd>This may happen (e.g. when building via NFS for multiple architectures)
if the relative timestamps in the source directory are
wrong (time not in sync on different machines) or some intermediate
target is unusable (up-to-date, but built for a different OS). Use
&quot;touch * &amp;&amp; make distclean&quot; in the source directory
to recover.<br><br></dd>
-<dt><b><a name="Build and install3">2.4. Why does static compiling (<code>--enable-static</code>) on Solaris fail ?</a></b></dt>
+<dt><b><a name="Build and install1">2.2. Why does static compiling (<code>--enable-static</code>) on Solaris fail ?</a></b></dt>
<dd>Ingo Rogalsky has provided the following information: It isn't possible
to link Samhain statically with Solaris. This
is a Solaris issue (see Sun Infodoc ID12624) and not a samhain problem.<br><br></dd>
-<dt><b><a name="Build and install4">2.5. Compilation fails with '/usr/bin/ld: cannot find -lnss_files'</a></b></dt>
+<dt><b><a name="Build and install2">2.3. Compilation fails with '/usr/bin/ld: cannot find -lnss_files'</a></b></dt>
<dd>For Linux, this is a known problem with --enable-static if you compile
in MySQL support. The problem is that the
<tt>mysql_config</tt> that comes as part of the MySQL
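Review bot: both Fedora Core entries (--enable-khide, --with-kcheck) are deleted with no replacement. If those configure options still exist, a user who hits the /dev/kmem restriction loses the only explanation in the FAQ; since the two answers are near-duplicates, a single merged entry would cost one paragraph. If the options were removed from the build, record that in the commit message or leave a one-line note under "Build and install" so the question is not re-asked.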
@@ -377,7 +372,7 @@ not possible under these circumstances.<br><br></dd>
<tt>mysql_config</tt>: search for the
<i>client_libs</i> variable, and remove all instances
of <i>-lnss_files</i> and <i>-lnss_dns</i>.<br><br></dd>
-<dt><b><a name="Build and install5">2.6. The executable is corrupted after installation</a></b></dt>
+<dt><b><a name="Build and install3">2.4. The executable is corrupted after installation</a></b></dt>
<dd>The executable will get stripped during the installation. On
suitable systems (i386 Linux/FreeBSD currently), additionally
the &quot;sstrip&quot;
@@ -387,14 +382,14 @@ not possible under these circumstances.<br><br></dd>
The &quot;strip&quot; utility cannot handle the resulting
executable, therefore trying to strip manually after installation
will corrupt the executable.<br><br></dd>
-<dt><b><a name="Build and install6">2.7. --enable-xml-log has no effect</a></b></dt>
+<dt><b><a name="Build and install4">2.5. --enable-xml-log has no effect</a></b></dt>
<dd>If you have compiled for stealth, you won't see much, because if
obfuscated, then both a 'normal' and an XML logfile look,
well ... obfuscated. Use <code>samhain -jL /path/to/logfile</code>
to view the logfile.<br><br></dd>
-<dt><b><a name="Build and install7">2.8. ./install-sh: strip: not found (Solaris)</a></b></dt>
+<dt><b><a name="Build and install5">2.6. ./install-sh: strip: not found (Solaris)</a></b></dt>
<dd>Install the SUNWbtool package.<br><br></dd>
-<dt><b><a name="Build and install8">2.9. What is sh_tiger1.s?</a></b></dt>
+<dt><b><a name="Build and install6">2.7. What is sh_tiger1.s?</a></b></dt>
<dd>This is a precompiled assembly file for the i386 architecture
generated from sh_tiger1.c using gcc 3.4.0 with the following options,
that were found to generate the fastest code:
@@ -410,11 +405,11 @@ because different versions of gcc can have very different performance,
require different options to compile optimal code, and
it would be impossible to maintain a library of optimal compile options
for every version of gcc.<br><br></dd>
-<dt><b><a name="Build and install9">2.10. Why does static compiling (<code>--enable-static</code>) on MaxOS X fail ?</a></b></dt>
+<dt><b><a name="Build and install7">2.8. Why does static compiling (<code>--enable-static</code>) on MaxOS X fail ?</a></b></dt>
<dd>Static linking is not supported on MacOS X, see
<a href="http://developer.apple.com/qa/qa2001/qa1118.html">Technical Q&A QA1118</a>.
This is a MacOS X issue and not a bug in samhain.<br><br></dd>
-<dt><b><a name="Build and install10">2.11. Why does compiling with MySQL fail on Solaris ?</a></b></dt>
+<dt><b><a name="Build and install8">2.9. Why does compiling with MySQL fail on Solaris ?</a></b></dt>
<dd>The reason is often the shell script 'mysql_config' that comes as part
of MySQL. This script is intended to print appropriate compiler flags for
compiling applications that use MySQL. Unfortunately, since Sun compiles
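Review bot: the rewritten heading line for 2.8 still carries the "MaxOS X" typo while the answer body below it says "MacOS X"; since this line and the matching TOC entry are both touched in this commit, correct the spelling in both places here.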
@@ -804,7 +799,7 @@ SetDBServerTstamp = true/false
</pre></div>
This will enable/disable logging of the server timestamp for client
- messages. The server timestamp will be written to a seperate record,
+ messages. The server timestamp will be written to a separate record,
with <i>log_ref</i> set to the value of
<i>log_index</i> of the corresponding client message.<br><br></dd>
<dt><b><a name="Database2">7.3. I don't want the client TIMESTAMP messages in the SQL database</a></b></dt>