Part 12: Install and configure Samhain


This is far from finished

Yule: The Log (aka samhain server):

1) Download and install rngtools to generate entropy for gpg:

yum -y install rng-tools
echo "EXTRAOPTIONS=\"-r /dev/urandom\"" > /etc/sysconfig/rngd
chkconfig --level 3456 rngd on
service rngd start

2) Generate a gpg key with root:

mkdir -m 700 -p ~/.gnupg/
echo "personal-digest-preferences SHA256" > ~/.gnupg/gpg.conf
echo "cert-digest-algo SHA256" >> ~/.gnupg/gpg.conf
echo "default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed" >> ~/.gnupg/gpg.conf
chmod 600 ~/.gnupg/gpg.conf
echo "gpg-agent --daemon --use-standard-socket" >> ~/.bashrc
. ~/.bashrc
gpg --gen-key
#RSA & DSA: option 1
#size: 4096
#key expiration: 5y
#real name: Root on Samhain
#email: root@domainy.com
#comment: [none/blank]
#change?: O
#enter a passphrase

3) Create a user and a GPG key to secure the changed database:

adduser yule
passwd yule
su yule
mkdir -m 700 -p ~/.gnupg/
echo "personal-digest-preferences SHA256" > ~/.gnupg/gpg.conf
echo "cert-digest-algo SHA256" >> ~/.gnupg/gpg.conf
echo "default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed" >> ~/.gnupg/gpg.conf
chmod 600 ~/.gnupg/gpg.conf
echo "gpg-agent --daemon --use-standard-socket" >> ~/.bashrc
. ~/.bashrc

4) Generate gpg key for yule:

#you MUST log on as `yule` on the console, not via tty/ssh (see: https://bugzilla.redhat.com/show_bug.cgi?id=659512, has not changed)
gpg --gen-key
#RSA & DSA: option 1
#size: 4096
#key expiration: 5y
#real name: Yule Samhain Server
#email: yule@domainy.com
#comment: [none/blank]
#change?: O
#enter a passphrase
logout

5) Download and prep the install:
check: http://www.la-samhna.de/samhain/s_download.html

cd
wget http://www.la-samhna.de/samhain/samhain-current.tar.gz
#compare against the md5 published on the download page; a mismatch must stop you here (exit 1 stops a script; interactively, just do not continue)
if [ "$(md5sum samhain-current.tar.gz | awk '{print $1}')" = "a621678f0e97fec612e63864b4d1e9d2" ]; then echo "checksum matches website"; else echo "checksum MISMATCH, do not continue" >&2; exit 1; fi
tar zxvf samhain-current.tar.gz
rm -f samhain-current.tar.gz
gpg --keyserver pgp.mit.edu --recv-keys 0F571F6C # needs access over TCP 11371
gpg --fingerprint 0F571F6C #compare with the fingerprint published on the download page
gpg --verify samhain-3.1.0.tar.gz.asc samhain-3.1.0.tar.gz #make sure this reports a "Good signature"
tar zxvf samhain-*.tar.gz
cd samhain-*

3) Configure samhain for a variety of things:
Here some decisions must be made. Samhain is a robust platform with many capabilities.
Please refer to man pages for information: Appendix A. List of options for the ./configure script. Remember to review A.[2-5] also!

#interesting strategy to totally obfuscate samhain's stuff:
use --with-(micro-)stealth, --enable-install-name and --enable-khide

Used options:
--enable-identity=yule: this allows the server to run as the user `yule`.
--with-sender=yule: this allows the system to send email as yule (adjust destination in /etc/ssmtp/revaliases).
--with-database=mysql: enables the ability to log to a mysql DB.
--enable-xml-log: required when using --with-database.
--disable-ipv6: we already disabled ipv6 on this box.
--with-gpg=/usr/bin/gpg: we will use gpg to verify the DB.
--enable-network=server: compile the server rather than the standalone or client.
--with-port=[an obscure port]: this is the port the server will bind to.

Continue and build yule:

cd
cd samhain-*
./configure
make
./configure --enable-identity=yule --with-sender=yule --with-database=mysql --enable-xml-log --disable-ipv6 --with-gpg=/usr/bin/gpg --enable-network=server --with-port=51248
make && make install && make install-boot
touch /etc/yulerc.asc
chown yule:yule /etc/yulerc /etc/yulerc.asc

6) Copy `yule` installer for later use:

cd
cd samhain-*
cp ./samhain-install.sh /usr/sbin/yule-install.sh
chmod 700 /usr/sbin/yule-install.sh
#to uninstall later: `/usr/sbin/yule-install.sh uninstall`

7) Copy the samhainadmin.pl script:

cd
cd samhain-*
cp ./scripts/samhainadmin.pl /usr/sbin
chmod 755 /usr/sbin/samhainadmin.pl

8) Configure the DB:
Note that `samhain_dbuserpassword` is used as a password and must be replaced in the below.

cd
cd samhain-*
mysql -p < ./sql_init/samhain.mysql.init
echo "GRANT SELECT, INSERT ON \`samhain\`.\`log\` TO samhain@localhost IDENTIFIED BY 'samhain_dbuserpassword';" > ~/samhain.sql
echo "FLUSH PRIVILEGES;" >> ~/samhain.sql
mysql -p < ~/samhain.sql
shred -u -z -n 17 ~/samhain.sql

9) Sign the existing configuration:

#you MUST log on as `yule` on the console, not via tty/ssh (see: https://bugzilla.redhat.com/show_bug.cgi?id=659512, has not changed)
#samhain checks the conf file signature before the process forks to run as `yule`, so perform the signing as `yule`
samhainadmin.pl --sign /etc/yulerc
#overwrite the existing file
#IGNORE the move() permission denied error.  It's a lie!
logout

10) start yule:

service yule start

11) Add the following to /etc/httpd/conf/httpd.conf

Include conf/yule.conf

12) Add the following to /etc/httpd/conf/yule.conf:

echo "<Directory \"/var/log/yule/\">"> /etc/httpd/conf/yule.conf
echo "   Options ExecCGI">> /etc/httpd/conf/yule.conf
echo "   AllowOverride None">> /etc/httpd/conf/yule.conf
echo "   Order allow,deny">> /etc/httpd/conf/yule.conf
echo "   Allow from all">> /etc/httpd/conf/yule.conf
echo "</Directory>" >> /etc/httpd/conf/yule.conf
echo "Alias /yule.html \"/var/log/yule/yule.html\"">> /etc/httpd/conf/yule.conf

13) Allow `apache` user access to yule.html:

chown apache:apache /var/log/yule/yule.html

14) restart httpd:

service httpd restart

Some stats on the yule system are now available at http://HOST/yule.html

Samhain: The Client (aka samhain client… umm… yea.):

1) Generate a gpg key with root (if on another system; if it’s the yule system, the key already exists…):

mkdir -m 700 -p ~/.gnupg/
echo "personal-digest-preferences SHA256" > ~/.gnupg/gpg.conf
echo "cert-digest-algo SHA256" >> ~/.gnupg/gpg.conf
echo "default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed" >> ~/.gnupg/gpg.conf
chmod 600 ~/.gnupg/gpg.conf
echo "gpg-agent --daemon --use-standard-socket" >> ~/.bashrc
. ~/.bashrc
gpg --gen-key
#RSA & DSA: option 1
#size: 4096
#key expiration: 5y
#real name: Root on John
#email: root@domainy.com
#comment: [none/blank]
#change?: O
#enter a passphrase

2) Get the fingerprint of the gpg key for root:

ROOT_FP=$(gpg --fingerprint root | grep fingerpr | sed 's/ //g' | awk 'BEGIN { FS = "=" } ; {print $2}')
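
The one-liner above takes the `=`-separated value of every line containing "fingerpr", so a second matching key or subkey fingerprints would be concatenated, and a gpg 2.1+ build (which prints the fingerprint as a bare line with no "Key fingerprint =" label) would yield an empty ROOT_FP. As an added example, not from the original post, the same extraction as a checked shell function run against constructed gpg output in both formats; the key IDs and fingerprint values are made up.

```shell
#!/bin/sh
# Pull a 40-hex-digit v4 fingerprint out of `gpg --fingerprint` output.
# Takes only the first fingerprint, understands both the old labelled
# line and the bare line gpg 2.1+ prints, and fails (return 1) rather
# than handing an empty string to ./configure --with-fp=.

# Constructed samples (not real keys): old and new gpg output formats.
SAMPLE_GPG14='pub   4096R/DEADBEEF 2013-01-01 [expires: 2018-01-01]
      Key fingerprint = 1234 5678 9ABC DEF0 1234  5678 9ABC DEF0 1234 5678
uid                  Root on John <root@domainy.com>
sub   4096R/CAFEF00D 2013-01-01 [expires: 2018-01-01]'
SAMPLE_GPG21='pub   rsa4096 2013-01-01 [SC] [expires: 2018-01-01]
      1234 5678 9ABC DEF0 1234  5678 9ABC DEF0 1234 5678
uid           [ultimate] Root on John <root@domainy.com>
sub   rsa4096 2013-01-01 [E] [expires: 2018-01-01]'

# extract_fingerprint TEXT: print the first fingerprint in TEXT without
# spaces; return 1 if none is found or the value is not 40 hex digits.
extract_fingerprint() {
    fp=$(printf '%s\n' "$1" | awk '
        # gpg 1.4/2.0: "Key fingerprint = XXXX XXXX ..."
        /[Ff]ingerprint *=/ { sub(/.*=/, ""); gsub(/ /, ""); print; exit }
        # gpg 2.1+: an indented line made only of hex groups
        /^ +[0-9A-Fa-f ]+$/ { gsub(/ /, ""); if (length($0) == 40) { print; exit } }
    ')
    case "$fp" in
        ''|*[!0-9A-Fa-f]*) return 1 ;;   # empty, or not pure hex
    esac
    [ "${#fp}" -eq 40 ] || return 1
    printf '%s\n' "$fp"
}
```

Use it as `ROOT_FP=$(extract_fingerprint "$(gpg --fingerprint root)") || exit 1` so the build stops when no usable fingerprint was found.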

3) Download and prep the install:
check: http://www.la-samhna.de/samhain/s_download.html

cd
wget http://www.la-samhna.de/samhain/samhain-current.tar.gz
#compare against the md5 published on the download page; a mismatch must stop you here (exit 1 stops a script; interactively, just do not continue)
if [ "$(md5sum samhain-current.tar.gz | awk '{print $1}')" = "a621678f0e97fec612e63864b4d1e9d2" ]; then echo "checksum matches website"; else echo "checksum MISMATCH, do not continue" >&2; exit 1; fi
tar zxvf samhain-current.tar.gz
rm -f samhain-current.tar.gz
gpg --keyserver pgp.mit.edu --recv-keys 0F571F6C # needs access over TCP 11371
gpg --fingerprint 0F571F6C #compare with the fingerprint published on the download page
gpg --verify samhain-3.1.0.tar.gz.asc samhain-3.1.0.tar.gz #make sure this reports a "Good signature"
tar zxvf samhain-*.tar.gz
cd samhain-*

4) Configure samhain for a variety of things:
Here some decisions must be made. Samhain is a robust platform with many capabilities.
Please refer to man pages for information: Appendix A. List of options for the ./configure script. Remember to review A.[2-5] also!

Additionally, review the samhain man page, which details some advanced client options (you might want to use these):
--enable-login-watch: watch for login/logout events (man page).
--enable-mounts-check: check for correct mount options (man page).
--enable-suidcheck: check the file system for SUID/SGID binaries not in the database (man page).
--with-kcheck: check for kernel root kits (man page).
--enable-userfiles: (man page).

#interesting strategy to totally obfuscate samhain's stuff:
use --with-(micro-)stealth, --enable-install-name, --enable-khide.

Used options (all require additional configuration to be activated):
--with-sender=samhain: this allows the system to send email as samhain (adjust destination in /etc/ssmtp/revaliases).
--with-gpg=/usr/bin/gpg: we will use gpg to verify the DB.
--disable-ipv6: we already disabled ipv6 on this box.
--enable-network=client: compile the client rather than the standalone or server.
--enable-srp: force the use of "the zero-knowledge SRP protocol to authenticate to log server" (man page).
--with-port=[an obscure port]: this is the port on the logserver yule is bound to.
--with-logserver=[IP of yule server]: this is the IP address (or hostname) of the yule server.
--with-fp=$ROOT_FP: compile in, as a static value, the fingerprint of the gpg key used for configuration file and database signing.
--with-config-file=REQ_FROM_SERVER: requests the config file from the server (man page).
--with-data-file=REQ_FROM_SERVER/var/lib/samhain/data.samhain: requests the database file from the server and stores it at /var/lib/samhain/data.samhain.

Continue and build samhain:

cd
cd samhain-*
#the following is required for TIGER192
./configure && make
./configure --with-sender=samhain --with-gpg=/usr/bin/gpg --disable-ipv6 --enable-network=client --enable-srp --with-port=51248 --with-logserver=127.0.0.1 --with-fp=$ROOT_FP --with-config-file=REQ_FROM_SERVER --with-data-file=REQ_FROM_SERVER/var/lib/samhain/data.samhain
make && make install && make install-boot
touch /etc/yulerc.asc
chown yule:yule /etc/yulerc /etc/yulerc.asc

5) Copy `samhain` installer for later use:

cd
cd samhain-*
cp ./samhain-install.sh /usr/sbin/samhain-install.sh
chmod 700 /usr/sbin/samhain-install.sh
#to uninstall later: `/usr/sbin/samhain-install.sh uninstall`

6) Generate a password for `samhain` to connect to `yule` by logging on to the `yule` server and running:

yule -G
#output will be "a 16-digit hexadecimal number, thus corresponding to an 8-byte password."

7) Set this password for `samhain`:

samhain_setpwd /usr/local/sbin/samhain tmp [the 8 byte hex number]

8) Add the `samhain` client to the server configuration so that it can retrieve the config and database:

Log on to the `yule` server and perform the following:

/usr/local/sbin/yule -P [the 8 byte hex number] | sed 's/HOSTNAME/samhain_client_hostname/' >> /etc/yulerc
vim /etc/yulerc
#move the last line, with the samhain_client_hostname and samhain password, above the gpg key.
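
The `>> /etc/yulerc` above lands the new `Client=` line after the PGP signature block, i.e. outside the clearsigned region, which is why the step has you move it by hand. As an added example, not part of the original post, this shell snippet does that placement with awk (into the [Clients] section, where yule expects Client= entries) and counts how many non-blank lines sit outside the signed region; the sample yulerc, hostnames, salts and signature block are constructed, and it assumes a [Clients] section exists and the markers that samhainadmin.pl --sign writes.

```shell
#!/bin/sh
# Insert a `yule -P` line into the [Clients] section of a clearsigned
# yulerc, and report how much config lies outside the signed region.

# Constructed sample: a minimal clearsigned yulerc with a dummy signature.
SAMPLE_YULERC='-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

[Clients]
Client=alpha.example@2E0A0F4C83AF5F62@3DF4C39B6A9F0D7A1B2C3D4E5F607182
[Misc]
SetLogServer=127.0.0.1
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJQ0000AAoJEDummySignatureBlock=
=abcd
-----END PGP SIGNATURE-----'

# add_client FILE LINE: put LINE right after the [Clients] header, so it
# is inside the region the signature covers (re-signing is still required).
add_client() {
    awk -v line="$2" '
        { print }
        $0 == "[Clients]" && !done { print line; done = 1 }
    ' "$1" > "$1.new" && mv "$1.new" "$1"
}

# unsigned_lines FILE: count non-blank lines after the signature block,
# i.e. config that a signature check cannot vouch for. 0 is what you want.
unsigned_lines() {
    awk '
        after && NF { n++ }
        $0 == "-----END PGP SIGNATURE-----" { after = 1 }
        END { print n + 0 }
    ' "$1"
}
```

After `add_client /etc/yulerc "$(yule -P ... | sed ...)"`, re-sign the file as in the next step, since any change inside the signed region invalidates the old signature.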

9) Since the `yule` config has been changed, we must re-sign it:

#you MUST log on as `yule` on the console, not via tty/ssh (see: https://bugzilla.redhat.com/show_bug.cgi?id=659512, has not changed)
#samhain checks the conf file signature before the process forks to run as `yule`, so perform the signing as `yule`
samhainadmin.pl --sign /etc/yulerc
#overwrite the existing file
#IGNORE the move() permission denied error.  It's a lie!
logout

10) As root on the `yule` server, restart yule:

service yule reload

11) As root on the `samhain` client, generate the baseline database:

samhain -t init -p info

Modify the configuration settings (like intervals and IPs); check out github:

vim /etc/samhainrc
#add login monitoring: http://www.la-samhna.de/samhain/manual/mondef.html

You must (or at least should) store a backup of this baseline database on read-only media, as recommended.

12) start samhain:

#this script daemonizes using the /etc/init.d/functions daemon()
service samhain start
