samhain #8

Supports: trusty


Samhain is an integrity checker and host intrusion detection system that
can be used on single hosts as well as large, UNIX-based networks. It
supports central monitoring as well as powerful (and new) stealth
features to run undetected in memory using steganography.

Main features:

* Complete integrity check
  + uses cryptographic checksums of files to detect modifications,
  + can find rogue SUID executables anywhere on disk, and
* Centralized monitoring
  + native support for logging to a central server via encrypted and
    authenticated connections
* Tamper resistance
  + database and configuration files can be signed
  + logfile entries and e-mail reports are signed
  + support for stealth operation


This charm installs and configures samhain (http://, a data integrity and host intrusion alert system.


This is a subordinate charm, so deployment will look something like this:

juju deploy apache2
juju deploy samhain
juju add-relation apache2 samhain


The default configuration options should be sane for a basic Ubuntu
Trusty install, although you will most probably want to change
mail_recipient to be your system administrator's email address.

One other configuration option of note is enable_apt_check. By
default this is disabled. Once you enable it, apt will be prevented
from installing new packages if the system is in an unclean state
(to prevent any automatic updates from trampling over any evidence
on a possibly compromised system). Once enabled, this cannot be
disabled again (at least not without manual changes to each unit).
This option can be useful, but it is also highly annoying, so it's
best not to enable it until your system is completely deployed.

How Do I Use Samhain?

Assuming you're happy with the defaults, you should be able to just
deploy the charm and relax. If something happens on your system that
Samhain thinks you should be aware of it will raise a policy violation.
When this happens Samhain will send an email to your system
administrator (or whoever is set as the mail_recipient) and log
the violation in /var/log/samhain/samhain.log.

From time to time you may get policy violations recorded for innocent
actions (maybe you have an application that writes to /etc). By changing
the configuration options you can tune the installation to your
specific usage patterns.

How Do I Know It's Working?

The simplest way is to change something that shouldn't be changed
in a normal situation and see what happens. For example, you could

sudo chmod o+w /usr/bin/xzless; sudo chmod o-w /usr/bin/xzless

This would give write access on the xzless program to everyone (and
then put it back to normal, just to be safe).

If Samhain is working it should trigger a policy violation. By default,
this should send an email to the system administrator, but you can
also check using /usr/local/sbin/ (the location of
the script may change if you have changed the script_dir configuration
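A way to confirm the violation was recorded without waiting for the e-mail is to read the log the charm points at, /var/log/samhain/samhain.log, and count the POLICY records in it. The script below is an added example, not part of the charm or of samhain itself: it parses a constructed sample log written in the shape of samhain's log lines (the timestamps, paths and attribute values are made up), counts the policy violations, lists the affected paths, and maps the count onto the warn/critical thresholds that the charm's nrpe options describe ("warn if the number of policy violations exceeds X", "critical if it exceeds Y"). The function names and the log-line layout are assumptions for the example.

```shell
#!/bin/sh
# Added example: count samhain policy violations in a log file and rate
# the result nagios-style. Not part of the samhain charm.

# Constructed sample log in the shape of samhain's log output.
# Timestamps, paths and attribute values are made up for the example.
SAMPLE_LOG="${TMPDIR:-/tmp}/samhain-example.$$.log"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
INFO   :  [2014-03-20T10:00:01+0000] msg=<Checking  [ReadOnly ]>, path=</usr/bin>
CRIT   :  [2014-03-20T10:05:12+0000] msg=<POLICY [ReadOnly] C--------T->, path=</usr/bin/xzless>, mode_old=<-rwxr-xr-x>, mode_new=<-rwxr-xrwx>
INFO   :  [2014-03-20T10:05:13+0000] msg=<Checking  [LogFiles ]>, path=</var/log>
CRIT   :  [2014-03-20T10:05:14+0000] msg=<POLICY [ReadOnly] --------T->, path=</etc/passwd>, mtime_old=<[2014-03-19T09:00:00]>, mtime_new=<[2014-03-20T10:05:00]>
WARN   :  [2014-03-20T10:05:15+0000] msg=<POLICY [GrowingLogs] --------S->, path=</var/log/syslog>, size_old=<1024>, size_new=<2048>
EOF

# Number of policy-violation records in the given samhain log.
# A missing or unreadable log counts as zero violations.
count_policy_violations() {
    [ -r "$1" ] || { echo 0; return 0; }
    # grep -c prints 0 but exits non-zero when nothing matches
    grep -c 'msg=<POLICY ' "$1" || true
}

# Paths named in the policy-violation records, one per line.
list_violated_paths() {
    [ -r "$1" ] || return 0
    grep 'msg=<POLICY ' "$1" | sed -n 's/.*path=<\([^>]*\)>.*/\1/p'
}

# Map a violation count onto nagios exit codes: 0 OK, 1 WARNING,
# 2 CRITICAL. Thresholds are "exceeds", matching the charm's wording.
violation_status() {
    count=$1
    warn=$2
    crit=$3
    if [ "$count" -gt "$crit" ]; then
        echo 2
    elif [ "$count" -gt "$warn" ]; then
        echo 1
    else
        echo 0
    fi
}

n=$(count_policy_violations "$SAMPLE_LOG")
echo "policy violations: $n"
list_violated_paths "$SAMPLE_LOG" | sed 's/^/  /'
echo "nagios status (warn if >0, crit if >2): $(violation_status "$n" 0 2)"
```

On a deployed unit, point the same functions at /var/log/samhain/samhain.log instead of the sample file; the chmod test above should then add one POLICY record for /usr/bin/xzless once the next scheduled check has run.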

Contact Information

Chris Stratford


Configuration Options

(string) Operating name of the charm
(string) Directories for which we care about only permission and ownership changes
(string) Files for which we care about only permission and ownership changes
    default: /etc/mtab /etc/resolv.conf /etc/localtime /etc/adjtime /etc/network/run/ifstate /etc/
(string) Once enabled, this will prevent apt from installing new packages if samhain thinks the system is unclean. It starts disabled to avoid problems during initial Juju installs. Note: enabling this option is a one-way process.
(string) Set policy violation severity levels
    default: SeverityReadOnly=crit SeverityLogFiles=crit SeverityGrowingLogs=warn SeverityIgnoreNone=crit SeverityAttributes=crit
(string) Files for which we ignore changes in signature, timestamps and increases in size
    default: /var/log/wtmp /var/log/faillog /var/log/auth.log /var/log/daemon.log /var/log/kern.log /var/log/syslog
(string) Suppress messages about the creation of files matching these regexes
(string) Dirs that can change freely
(string) Files that can change freely
    default: /etc/nologin /etc/network/run
(string) Suppress messages about the absence of files matching these regexes
(string) Suppress messages about the absence of files matching these regexes
(string) Any change to these directories (even just being accessed) is reported
(string) Any change to these files (even just being accessed) is reported
(string) Files for which changes in signature, timestamps, and size are ignored
(string) Set threshold severity for log facilities
    default: MailSeverity=crit PrintSeverity=none LogSeverity=info SyslogSeverity=alert
(string) Who receives any email
(int) How often to perform a policy check (in minutes)
(string) Used by the nrpe subordinate charms. A string that will be prepended to the instance name to set the host name in nagios. So, for instance, the hostname would be something like juju-myservice-0. If you're running multiple environments with the same services in them, this allows you to differentiate between them.
(int) Critical alarm if the number of policy violations exceeds this value
(string) A comma-separated list of nagios servicegroups. If left empty, the nagios_context will be used as the servicegroup
(int) Warn if the number of policy violations exceeds this value
(string) Directories holding prelinked files
(string) A list of prelinked files
(string) Directories for which only access time is ignored
    default: /usr/bin /bin /boot 3/sbin /usr/sbin /lib 3/etc
(string) Files for which only access time is ignored
(string) Directory where we will store any related scripts