samhain is a daemon that can check file integrity, search the file tree for SUID files, and detect kernel module rootkits (Linux only). It can be used either standalone or as a client/server system for centralized monitoring, with strong (192-bit AES) encryption for client/server connections and the option to store databases and configuration files on the server. For tamper resistance, it supports signed database/configuration files and signed reports/audit logs. It has been tested on Linux, FreeBSD, Solaris, AIX, HP-UX, and Unixware.
| Field | Value |
|---|---|
| Tags | Security |
| Licenses | GPL |
| Operating Systems | POSIX |
| Implementation | C |
Recent releases


Changes: For relayed messages, the incorrect order of hostname insertion into an RDBMS has been fixed. Some compiler warnings have been resolved, and a minor memory leak in the process check module has been fixed.


Changes: This version fixes a flaw that would allow clients to bypass authentication when connecting to the server. A new KernelCheckPCI option has been added to switch off checking of PCI expansion ROMs.


Changes: This release provides a new option to avoid reports for timestamp changes on directories. For open ports, the PID is now determined, and reporting of open ports to prelude has been improved. A bug has been fixed that could cause truncation of the reported file size when entering it into an RDBMS, and some build problems have been fixed.


Changes: The syntax for conditionals in the configuration file has been enhanced. An option has been added to drop checksummed files from the file cache. The server can now request on-demand scans from the clients. Some compile issues and a problem with reloading the configuration in stealth mode have been fixed.


Changes: This version provides a new module to perform log file monitoring (currently supported: syslog, apache, samba, and pacct). On Linux, port monitoring now reports the process and the user for open ports. Some minor bugs have been fixed.
Recent comments

Samhain rocks da house!!!
This is bar none *THE* coolest integrity checker out there. I've played with every single one I can find: Tripwire, Sentinel, Aide, FCheck, Viper, etc., etc., and this is the sh*t!
Why?
1. Platform-independent (builds on just about anything)
2. Small footprint
3. Fast
4. Stealth mode (very cool)
5. Clean code (not somebody's sophomore C project)
6. Client/server mode (send reports to a central server over a secure channel)
7. Obscure Glenn Danzig reference
8. Docs that don't suck and an active development community