
Chapter 7 - Samhain

2005 
Samhain provides a very efficient way to monitor the integrity of UNIX and UNIX-like host environments. It can be installed as a stand-alone system such that each host has a self-sufficient installation that requires its own administration. In cases where there are only a few hosts, this approach is generally employed. Alternatively, for monitoring a large number of hosts, Samhain can be deployed to be centrally managed using the log server Yule and a Web-based console named Beltane. Samhain can monitor file attributes as well as user login and logout events, file system mount options, Set User ID (SUID) and Set Group ID (SGID) executables, sensitive files in user home directories, and various attributes surrounding the integrity of the kernel. Samhain can monitor these elements of a host environment and report on changes to a number of logging outlets including files, syslog, external applications, the console, and relational databases. When configured correctly, Samhain can be an effective host integrity monitoring system (HIMS). However, its configuration can be problematic due to the design of the client/server architecture it implements and the security features that are available to an administrator. Throughout the planning and deployment of Samhain, several efforts are made to administer and maintain the system, and to understand how receptive it will be to common administrative changes.