Keep Crackers Out of the Box with Samhain
We all know, or can at least imagine, that sinking feeling that accompanies an e-mail from another Internet site, explaining how our Web server is attacking them. Last week's Samhain overview explained why you need to be running this intrusion detection software, or something very much like it.
While this article isn't designed to be a complete how-to, we are going to leverage our own experience installing and using Samhain to provide readers with some caveats and considerations for their own deployments. The installation process seems straightforward at first, but if you're installing Samhain to be used on more than one computer, you'll soon find yourself recompiling with different options a few times.
When you start reading the manual, the "build" section leads you to believe that you can simply use the options recommended and continue on with the next step. When you read further, it becomes clear that this software needs many more compile-time options enabled. It is a good idea to read the entire manual before starting, especially paying attention to the sections for the features you wish to use. The configure options are listed in each respective section, not in the installation part of the manual.
To configure, compile, and install this software, simply perform the standard ./configure, make, make install dance. When building the server, you have to run "./configure --enable-network=server" among other options that are discovered when you read further into the manual. Useful options that you'll find include: --with-gpg (to enable a gpg signed configuration file) and --with-loghost, which is required to hardcode the server's IP address in the binary--another security feature. Another really cool feature of Samhain is that it can obfuscate itself, so that attackers won't even know it's running. The option to make it run as something else is --enable-install-name with an argument of whatever you want it to be called. The last few important options are: --with-kcheck to enable Linux kernel rootkit checks, and --enable-nocl with a password as the argument to tell samhain not to respond to the command line, unless it hears the password first. When building the client, a separate step, use "--enable-network=client" with similar options, but also: --with-data-file and --with-config-file to enable clients to download their baseline database and configuration from the server.
Now that we have that out of the way, let's try to make sense of all this. First, there is a log server called "yule." This is what results from the --enable-network=server option. There is also a Web front-end called "beltane" that needs to be downloaded separately. To use Beltane, you must have configured Samhain in a certain way. From their website:
"Beltane requires a Samhain (version 1.6.0 or higher) client/server installation, with file signature databases stored on the central server, and logging to a SQL database enabled."
If you decided against configuring the clients to grab their database from the server on startup, you will now need to rebuild Samhain. Alas, this also means that you must specify --with-database when building the server portion.
It may be annoying, but Samhain requires many things to be configured at the compiling phase for security reasons. The binary that results is checksummed, and tampering with it is very difficult. Also, passwords shouldn't be stored in configuration files, so embedding them (encrypted) into the binary is also a good security practice.
We believe that configuring Samhain is straightforward once you get familiar with the project's way of doing things, so the configuration file options aren't covered here. The comments in the configuration file are very helpful. Minimally, the configuration file is used to specify the following things: which files and directories you wish to monitor, policies for monitoring these files (i.e. what to report), and what threshold of logging you desire.
To begin using Samhain, you must initialize the baseline database on all of your clients, hopefully from a known-good state. Be sure to read the section about "storing the baseline database on the server," because this step must be done differently if you've configured server database storage (which is required by Beltane). The baseline databases must be copied to the server after 'samhain -t init' has been run. When Samhain starts up as a daemon, it needs to be able to get the database, so this is a manual, but scriptable, first-time step. Be very careful not to run 'init' more than once, because the database will be appended to instead of overwritten. If something changes before you copy the database to the server, you'll need to run 'samhain -t update'.
After all your client's databases are stored on the server, Sahmain can be started in daemon mode on all each client. Use 'samhain -D -t check' to start it. If you'd rather not let Samhain run all the time, it can also be run periodically without the -D option to check all of the file signatures. Any discrepancies will be reported to the log server when 'check' is run.
Up to this point, we've performed a traumatic installation and we're left with a system that's just like the free Tripwire, albeit more secure. Well here is where the real fun begins. Download and untar Beltane , then read the documentation. As a matter of fact, you should read the Beltane documentation to see what options Samhain should be compiled with before building Samhain. It is all laid out nicely in the Beltane install documents. After it's installed properly, you can visit a Web page and view all host discrepancies and alerts. A simple click of the button, indicating that you know why these files changed, and bam!™ the database for that machine is updated.
Before anyone e-mails asking why we'd recommend a Web interface to manage an IDS, please notice that Beltane requires a username and password. Further, it's written in php, but php can be secure if done properly. Finally, don't let people access the Web interface from external networks, and always use SSL. Now, go modify your password file and see how fast Samhain notices it.