47 lines
1.5 KiB
Plaintext
47 lines
1.5 KiB
Plaintext
README.SLACKWARE for samhain
|
|
|
|
Edit the /etc/samhainrc file for your needs. I suggest at least
|
|
these changes, but there may be others for your particular system:
|
|
Comment out these lines:
|
|
#file = /var/lib/rpm/__db.00?
|
|
#file = /var/log/*.[0-9].gz
|
|
#file = /var/log/*/*.[0-9][0-9].gz
|
|
|
|
I don't like Daemon mode so I switched it off, as I run in cron.daily:
|
|
# Daemon = yes
|
|
Daemon = no
|
|
|
|
I like to see the problems again and again in case I miss a report for some
|
|
reason:
|
|
ReportOnlyOnce = False
|
|
|
|
Set a *real* email address here and uncomment so you get problems mailed to
|
|
you when you run Samhain. It is best to use another server that handles
|
|
email to make sure it doesn't get tampered with if there really is an
|
|
intrusion:
|
|
SetMailAddress=root@localhost
|
|
|
|
I have sendmail set up (don't you?) on my system, so I use localhost for
|
|
the relay:
|
|
SetMailRelay = localhost
|
|
|
|
And it's a good idea to put a nice subject header in your emailed reports:
|
|
MailSubject = Samhain Report - myhostname
|
|
|
|
Initialize the database as root. Note that this takes a while and always runs
|
|
in daemon mode regardless of your configuration!
|
|
samhain -t init
|
|
|
|
If you want to run nightly checks, drop a script in cron.daily with something
|
|
like this in it:
|
|
#!/bin/sh
|
|
/usr/sbin/samhain -t check
|
|
|
|
You're done. It is a little work, but now you have daily integrity checks
|
|
emailed to you about what's going on in your system, especially for
|
|
things you did not do!
|
|
|
|
And as Pat would say... Have Fun!
|
|
--Richard Scott Smith
|
|
|