Project

General

Profile

Back to 3rd Party Agents Installation

Installing Samhain

This section explains how to install Samhain with Prelude support.

Get the sources

Download Samhain from http://la-samhna.de/samhain/s_download.html

Unpack it :

   $ tar -zxvf samhain-current.tar.gz
   $ tar -zxvf samhain-*.tar.gz
   $ cd samhain-*

Then, compile and install Samhain using the following:

   $ ./configure *--with-prelude*
   $ make
   # make install

Configuration

Edit /etc/samhainrc, and use the following keywords to configure Prelude output:

[Log] 
[[PreludeSeverity]]=crit
[[PreludeClass]]=EVENT

[Misc]
[[PreludeProfile]]=samhain

All option except !PreludeSeverity are optional. The default is to use a profile called samhain, and site-wide configuration templates.

Registering Samhain profile

You now you need to create the Samhain profile with a command like:

$ prelude-admin register samhain "idmef:w" <manager address> --uid X --gid X

and follow the instructions. If the registration is successeful - you are ready to test your installation. Please check the Agents Registration Page for more details about sensors registration.

Running Samhain

Before running Samhain, please make sure to read the General Configuration Page. It is very important for the server-addr parameters to be set to the Prelude-Manager address.

Samhain works by comparing the present state of the filesystem against a baseline database. Of course, this baseline database must be initialized first (and preferably from a known good state !). To perform the initialization (i.e. create the baseline database), type:

 samhain -t init

It is usually an error to run samhain -t init twice, because (a) it will append a second baseline database to the existing one, and (b) only the first baseline database will be used. Use samhain -t update for updating the baseline database. Delete or rename the baseline database file if you really want to run samhain -t init a second time.

Once Samhain initialization is successful, you can run Samhain in check mode:

 samhain -t check

Or update the Samhain database using:

 samhain -t update

See the Samhain documentation for more information.

Back to 3rd Party Agents Installation