aboutsummaryrefslogtreecommitdiff
path: root/system/samhain/README.SLACKWARE
blob: e64cc6c9576d4412fdb3526f9e960319df52486a (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
README.SLACKWARE for samhain

Edit the /etc/samhainrc file for your needs.  I suggest at least
these changes, but there may be others for your particular system:
Comment out these lines:
  #file = /var/lib/rpm/__db.00?
  #file = /var/log/*.[0-9].gz
  #file = /var/log/*/*.[0-9][0-9].gz

I don't like Daemon mode so I switched it off, as I run in cron.daily:
  # Daemon = yes
  Daemon = no

I like to see the problems again and again in case I miss a report for some
reason:
  ReportOnlyOnce = False

Set a *real* email address here and uncomment so you get problems mailed to 
you when you run Samhain.  It is best to use another server that handles 
email to make sure it doesn't get tampered with if there really is an
intrusion:
  SetMailAddress=root@localhost

I have sendmail set up (don't you?) on my system, so I use localhost for 
the relay:
  SetMailRelay = localhost

And it's a good idea to put a nice subject header in your emailed reports:
  MailSubject = Samhain Report - myhostname

Initialize the database as root.  Note that this takes a while and always runs
in daemon mode regardless of your configuration!
  samhain -t init

If you want to run nightly checks, drop a script in cron.daily with something
like this in it:
  #!/bin/sh
  /usr/sbin/samhain -t check

You're done.  It is a little work, but now you have daily integrity checks 
emailed to you about what's going on in your system, especially for 
things you did not do!

And as Pat would say... Have Fun!
--Richard Scott Smith