README.SLACKWARE for samhain

Edit the /etc/samhainrc file for your needs. I suggest at least
these changes, but there may be others for your particular system:

Comment out these lines (the first one is the RPM database, which
Slackware does not have; the others are rotated-log patterns), so that
they read:

  #file = /var/lib/rpm/__db.00?
  #file = /var/log/*.[0-9].gz
  #file = /var/log/*/*.[0-9][0-9].gz

I don't like Daemon mode so I switched it off, as I run in cron.daily:

  # Daemon = yes
  Daemon = no

I like to see the problems again and again in case I miss a report for
some reason:

  ReportOnlyOnce = False

Set a *real* email address here and uncomment the line so you get problems
mailed to you when you run Samhain. It is best to deliver to a mailbox on
another machine, so that a report cannot be read, altered or deleted on this
host if there really is an intrusion. The line to change looks like this
(replace root@localhost with your own address):

  SetMailAddress=root@localhost

I have sendmail set up (don't you?) on my system, so I use localhost for
the relay. If you have a mail relay on another host, point this at it for
the same reason as above:

  SetMailRelay = localhost

And it's a good idea to put a nice subject header in your emailed reports:

  MailSubject = Samhain Report - myhostname

Initialize the database as root. Do this on a freshly installed, known-clean
system: whatever is on the box at this point is trusted and becomes the
baseline that every later check is compared against. Note that this takes a
while and always runs in daemon mode regardless of your configuration!

  samhain -t init

Once it is done, copy the database it wrote somewhere this machine cannot
alter (read-only media, or another host), so you can tell later whether the
baseline itself has been replaced.

If you want to run nightly checks, drop an executable script (run-parts
skips files that are not executable) in /etc/cron.daily with something like
this in it:

  #!/bin/sh
  /usr/sbin/samhain -t check
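
Here is an added example of a fuller cron.daily script. It is not from this
README or from the Samhain project. It keeps a SHA-256 digest of the database
that "samhain -t init" wrote and refuses to run the nightly check, logging an
alert instead, if the database on disk no longer matches, since a swapped
baseline would make the check happily report a clean system. The database
path /var/lib/samhain/samhain_file and the digest file /root/samhain_file.sha256
are assumptions; check where your build keeps its database and adjust them.

```shell
#!/bin/sh
# Added example for /etc/cron.daily, not part of the Slackware README or of
# Samhain itself. The paths below are ASSUMPTIONS; check where your build
# keeps its database and adjust them.
SAMHAIN="${SAMHAIN_BIN:-/usr/sbin/samhain}"
DB="${SAMHAIN_DB:-/var/lib/samhain/samhain_file}"
SUMFILE="${SAMHAIN_DB_SUM:-/root/samhain_file.sha256}"

# Print the SHA-256 of a file, or nothing if the file does not exist.
db_digest() {
    [ -f "$1" ] || { echo ""; return 0; }
    sha256sum "$1" | awk '{ print $1 }'
}

# Record the digest of the database. Run once right after "samhain -t init"
# (and again after every intentional "samhain -t update"); keep a copy of the
# resulting file somewhere this host cannot write to.
record_baseline() {
    rb_db="$1"; rb_sumfile="$2"
    rb_digest=$(db_digest "$rb_db")
    [ -n "$rb_digest" ] || return 1
    printf '%s  %s\n' "$rb_digest" "$rb_db" > "$rb_sumfile"
}

# Compare the database on disk with the recorded digest.
# Returns 0 on match, 1 if the baseline is missing or the database changed.
verify_baseline() {
    vb_db="$1"; vb_sumfile="$2"
    [ -f "$vb_sumfile" ] || return 1
    vb_expected=$(awk 'NR == 1 { print $1 }' "$vb_sumfile")
    vb_actual=$(db_digest "$vb_db")
    [ -n "$vb_actual" ] && [ "$vb_expected" = "$vb_actual" ]
}

# The nightly job: never run a check against a baseline that is not the one
# we recorded. cron mails anything written here to root, and the syslog line
# survives even if that mail is lost.
nightly_check() {
    if ! verify_baseline "$DB" "$SUMFILE"; then
        echo "samhain: database $DB does not match $SUMFILE; check NOT run" >&2
        logger -t samhain-check -p auth.crit "database digest mismatch for $DB"
        return 1
    fi
    "$SAMHAIN" -t check
}

# Only run the job where samhain is installed, so the functions above can also
# be sourced elsewhere (e.g. to verify an off-host copy of the database).
if [ -x "$SAMHAIN" ]; then
    nightly_check
fi
```

Run record_baseline once after the init (and after every intentional update),
and compare the digest file against your off-host copy now and then: an
intruder who can rewrite the database can also rewrite a digest stored next to
it, so the local check only catches accidental changes and careless tampering.
Samhain can also be built to verify a GnuPG signature on its database and
configuration file, which is the stronger option if you can use it.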

You're done. It is a little work, but now you have daily integrity checks
emailed to you about what's going on in your system, especially for
things you did not do!

And as Pat would say... Have Fun!

--Richard Scott Smith