SAMHAIN 2.6.4 released

The samhain open source host-based intrusion detection system (HIDS) provides file integrity checking and logfile monitoring/analysis, as well as rootkit detection, port monitoring, detection of rogue SUID executables, and hidden processes.

Samhain v2.6.4

  • Don’t read proc_root_iops in sh_kern.c (Problem report by H. R.)
  • Logfile check can check output of shell commands
  • Use data directory as default for logfile checkpoints
  • Fix broken checkpoint save/restore for logfiles

MD5: 10d2688790801d769141f8ce10f1c33c

Beltane v2.3.19

  • If Oracle is used as database, paths would not be displayed at all (due to the incorrect handling of the CLOB datatype). This has been fixed.

MD5: ed7ec4637ef574fd5b75c1c68a8f1b2c

It has been designed to monitor multiple hosts with potentially different operating systems, providing centralized logging and maintenance, although it can also be used as standalone application on a single host.

JPEG - 4.8 kb

Samhain is a multiplatform application for POSIX systems (Unix, Linux, Cygwin/Windows).

  • Supported platforms:
    • POSIX (e.g. Linux, *BSD, Solaris 2.x, AIX 5.x, AIX 4.x, HP-UX 10.20, HP-UX 11, Unixware 7.1.0, Alpha/True64, and Mac OS X)
    • Windows 2000 / WindowsXP with POSIX emulation (e.g. Cygwin)
  • PCI DSS Compliance:
    • The Payment Card Industry (PCI) Data Security Standard (DSS) mandates the use of file integrity monitoring software.
  • Centralized management: Samhain can be used standalone on a single host, but its particular strength is centralized monitoring and management. The complete management of a samhain system can be done from one central location. To this end, several components are required.
    • The samhain file/host integrity checker
    • The yule log server
    • A relational database
    • The beltane web-based console
    • The deployment system
  • File integrity checks:
    • Scheduling of file checks
  • Host integrity monitoring:
    • Logfile monitoring/analysis
    • Kernel integrity
    • SUID/SGID files
    • Open ports
    • Process check
    • Mount check
    • Login/logoff events
  • Log facilities: The verbosity and on/off status of each log facility can be configured individually.
  • Integration with other systems / Active response
    • Prelude
    • Nagios
    • Generic interfaces
    • Active response
  • Integrity of the samhain system: There is always a trade-off between security and convenience, and thus you may want to keep your file checking executable on disk and hope that an intruder will not tamper with it. Samhain offers the following features to help protecting its integrity:
    • signed database and configuration file
    • embedded password
    • compiled-in key
    • daemon mode
    • signed reports
    • stealth

About Beltane

Beltane is a web-based central management console for the Samhain file integrity / intrusion detection system. It enables the administrator to browse client messages, acknowledge them, and update centrally stored file signature databases.

As the Samhain daemon keeps a memory of file changes, the file signature database need only be up to date when the daemon restarts and downloads the database from the central server. Beltane allows you to use the information logged by the client in order to update the signature database.

Post scriptum

Compliance Mandates

  • IDS :

    PCI DSS 10.6, 11.4, SOX A13.2, DS5.10, GLBA 16CFR Part 314.4(b) and (3), HIPAA 164.306(a)(2), 164.308(a)(1) 164.308(a)(6)42, FISMA SI-4, AC-2, ISO 27001/27002 10.6.2,
    10.10.1, 10.10.2, 10.10.4, 15.1.5

  • Network Monitoring :

    PCI DSS Requirements 3, 4, SOX DS13.4, HIPAA 164.310(d)(1),
    164.312(a)(2)(iv), FISMA SI-4, AU-2, ISO 27001/27002 12.5.4, 15.1.5


Comments

Related Articles

IDS
Network Monitoring
Samhain