samhain #8

Supports: trusty

Description

Samhain is an integrity checker and host intrusion detection system that
can be used on single hosts as well as on large, UNIX-based networks. It
supports central monitoring as well as powerful (and new) stealth
features to run undetected in memory using steganography.

Main features:

* Complete integrity check
  + uses cryptographic checksums of files to detect modifications
  + can find rogue SUID executables anywhere on disk
* Centralized monitoring
  + native support for logging to a central server via encrypted and
    authenticated connections
* Tamper resistance
  + database and configuration files can be signed
  + logfile entries and e-mail reports are signed
  + support for stealth operation


Overview

This charm installs and configures samhain (http://www.la-samhna.de/samhain/), a data integrity and host intrusion alert system.

Usage

This is a subordinate charm, so it has to be related to a principal charm;
samhain is then installed on every unit of that principal. Deployment will
look something like this:

juju deploy apache2
juju deploy samhain
juju add-relation apache2 samhain

Configuration

The default configuration options should be sane for a basic Ubuntu
Trusty install, although you will most probably want to change
mail_recipient (default root@localhost) to your system administrator's
email address.

One other configuration option of note is enable_apt_check. By
default this is disabled. Once you enable it, apt will be prevented
from installing new packages while the system is in an unclean state,
i.e. while samhain has an unresolved policy violation (to prevent any
automatic updates from trampling over evidence on a possibly
compromised system). Once enabled, this cannot be disabled again (at
least not without manual changes to each unit). Bear in mind that the
block applies to security updates as well, so a unit with an unresolved
violation stops receiving patches until the violation has been dealt
with. This option can be useful, but it is also highly annoying, so it's
best not to enable it until your system is completely deployed.

How Do I Use Samhain?

Assuming you're happy with the defaults, you should be able to just
deploy the charm and relax. If something happens on your system that
Samhain thinks you should be aware of it will raise a policy violation.
When this happens Samhain will send an email to your system
administrator (or whoever is set as the mail_recipient) and log
the violation in /var/log/samhain/samhain.log.

From time to time you may get policy violations recorded for innocent
actions (maybe you have an application that writes to /etc). By changing
the configuration options you can tune the installation to your
specific usage patterns: for example, move the files or directories the
application rewrites from read_only_* to attributes_* (so only ownership
and permission changes are reported) or to ignore_all_*, or add a
matching regex to ignore_added, ignore_missing or ignore_modified.
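The charm's options correspond one-to-one to sections and directives of samhain's own configuration file (samhainrc). The following is an added example, not the charm's template or code: it renders the page's default option values into samhainrc form so that a tuned configuration can be compared with what ends up in /etc/samhain/samhainrc on a unit, and shows the /etc tuning case from the paragraph above. The section names ([ReadOnly], [Attributes], [LogFiles], [GrowingLogFiles], [IgnoreAll], [IgnoreNone], [EventSeverity], [Log], [Misc]) and directives (SetMailAddress, IgnoreAdded, IgnoreMissing, IgnoreModified) are samhain's; the application directory /etc/myapp is an assumption made for the illustration, and regexes are assumed to contain no whitespace.

```python
# Added example: maps the charm's option values onto samhain's native
# samhainrc syntax. Not the charm's own code.

# Page defaults, copied from the Configuration list.
PAGE_DEFAULTS = {
    "read_only_dirs": "/usr/bin /bin /boot 3/sbin /usr/sbin /lib 3/etc",
    "read_only_files": "/usr/lib/pt_chown",
    "attributes_files": "/etc/mtab /etc/resolv.conf /etc/localtime "
                        "/etc/adjtime /etc/network/run/ifstate /etc/ld.so.cache",
    "logfiles": "/var/run/utmp",
    "growing_logfiles": "/var/log/wtmp /var/log/faillog /var/log/auth.log "
                        "/var/log/daemon.log /var/log/kern.log /var/log/syslog",
    "ignore_all_files": "/etc/nologin /etc/network/run",
    "ignore_added": r"/etc/samba/dhcp\.conf(\.new)?$",
    "ignore_missing": r"/etc/samba/dhcp\.conf(\.new)?$",
    "event_severity": "SeverityReadOnly=crit SeverityLogFiles=crit "
                      "SeverityGrowingLogs=warn SeverityIgnoreNone=crit "
                      "SeverityAttributes=crit",
    "logging": "MailSeverity=crit PrintSeverity=none LogSeverity=info "
               "SyslogSeverity=alert",
    "mail_recipient": "root@localhost",
}

# (samhainrc policy section, charm option holding dirs, charm option holding files)
POLICY_SECTIONS = (
    ("ReadOnly",        "read_only_dirs",   "read_only_files"),
    ("Attributes",      "attributes_dirs",  "attributes_files"),
    ("LogFiles",        None,               "logfiles"),
    ("GrowingLogFiles", None,               "growing_logfiles"),
    ("IgnoreAll",       "ignore_all_dirs",  "ignore_all_files"),
    ("IgnoreNone",      "ignore_none_dirs", "ignore_none_files"),
)


def _section(name, dirs="", files=""):
    """Render one policy section. Dir entries are passed through verbatim,
    so samhain's recursion-depth prefix (e.g. "3/etc") is preserved."""
    lines = ["dir = %s" % d for d in dirs.split()]
    lines += ["file = %s" % f for f in files.split()]
    if not lines:
        return ""
    return "[%s]\n%s\n\n" % (name, "\n".join(lines))


def _pairs(name, value):
    """Render a section whose option value is a list of Key=value pairs."""
    items = value.split()
    if not items:
        return ""
    return "[%s]\n%s\n\n" % (name, "\n".join(items))


def samhainrc_from_options(opts):
    """Build samhainrc text from a dict of charm option name -> value."""
    def value(key):
        return opts.get(key, "") if key else ""

    parts = [_section(name, value(d), value(f)) for name, d, f in POLICY_SECTIONS]
    parts.append(_pairs("EventSeverity", value("event_severity")))
    parts.append(_pairs("Log", value("logging")))
    misc = []
    if value("mail_recipient"):
        misc.append("SetMailAddress=%s" % value("mail_recipient"))
    for option, directive in (("ignore_added", "IgnoreAdded"),
                              ("ignore_missing", "IgnoreMissing"),
                              ("ignore_modified", "IgnoreModified")):
        for regex in value(option).split():  # assumes no whitespace in regexes
            misc.append("%s=%s" % (directive, regex))
    if misc:
        parts.append("[Misc]\n%s\n" % "\n".join(misc))
    return "".join(parts)


def tuned_options(base, app_dir="/etc/myapp"):
    """Tuning case from the text: an application rewrites files under
    app_dir (assumed path). Listing that directory under Attributes keeps
    ownership/permission checks but stops content changes from raising
    violations; samhain applies the most specific matching directory
    entry, so this overrides the broader "3/etc" ReadOnly entry."""
    opts = dict(base)
    opts["attributes_dirs"] = (opts.get("attributes_dirs", "") + " " + app_dir).strip()
    return opts


if __name__ == "__main__":
    print(samhainrc_from_options(tuned_options(PAGE_DEFAULTS)))
```

Diff the output against the samhainrc the charm actually wrote on a unit before relying on a tuning change; the charm, not this script, is what generates the file.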

How Do I Know It's Working?

The simplest way is to change something that shouldn't be changed
in a normal situation and see what happens. For example, you could
try:

sudo chmod o+w /usr/bin/xzless; sudo chmod o-w /usr/bin/xzless

This gives write access on the xzless program to everyone (and then
puts it back to normal, just to be safe). /usr/bin is in
read_only_dirs, under which only the access time is ignored, so even
though the mode ends up unchanged the file's ctime has moved and that
is enough to be reported.

If Samhain is working it should trigger a policy violation the next
time it runs its file check. By default, this should send an email to
the system administrator, but you can also check using
/usr/local/sbin/samhain-summary.py (the location of the script may
change if you have changed the script_dir configuration option) or by
looking in /var/log/samhain/samhain.log.
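What a summary of the log amounts to is parsing samhain's "SEVERITY : [timestamp] key=<value>, ..." records, keeping the POLICY messages, and comparing the count with the nagios_warn_level / nagios_crit_level thresholds. The following is an added example of that, written for this page; it is not the charm's samhain-summary.py and makes no claim about how that script is implemented. The log lines are constructed for the example (the first CRIT line is the shape the chmod test above would leave), the field flags inside the POLICY messages are not interpreted, and the regex lists reuse the page's ignore_added / ignore_missing defaults. One caveat: samhain matches its ignore regexes with POSIX regex rules, whereas this code uses Python's re; the page's patterns behave the same in both, but exotic patterns might not.

```python
# Added example: a minimal samhain.log summariser with Nagios-style
# thresholds. Not the charm's samhain-summary.py.
import re

# Constructed sample log records (not captured from a real host).
SAMPLE_LOG = """\
MARK   :  [2014-05-08T10:00:00+0000] msg=<---- TIMESTAMP ---->
NOTICE :  [2014-05-08T10:30:00+0000] msg=<Checking       [ReadOnly ]>, path=</usr/bin>
CRIT   :  [2014-05-08T10:30:12+0000] msg=<POLICY [ReadOnly] ---------T->, path=</usr/bin/xzless>, ctime_old=<[2014-04-01T09:11:02]>, ctime_new=<[2014-05-08T10:29:58]>
CRIT   :  [2014-05-08T10:30:12+0000] msg=<POLICY ADDED>, path=</etc/samba/dhcp.conf.new>, mode_new=<-rw-r--r-->
CRIT   :  [2014-05-08T10:30:13+0000] msg=<POLICY ADDED>, path=</etc/cron.d/unexpected-job>, mode_new=<-rw-r--r-->
CRIT   :  [2014-05-08T10:30:13+0000] msg=<POLICY MISSING>, path=</etc/samba/dhcp.conf>
CRIT   :  [2014-05-08T10:30:14+0000] msg=<POLICY [Attributes] C---P----->, path=</etc/resolv.conf>, mode_old=<-rw-r--r-->, mode_new=<-rw-rw-rw->
"""

RECORD_RE = re.compile(r"^(?P<sev>[A-Z]+)\s*:\s*\[(?P<ts>[^\]]+)\]\s*(?P<rest>.*)$")
FIELD_RE = re.compile(r"(\w+)=<([^>]*)>")
POLICY_RE = re.compile(r"^POLICY (?:\[(?P<policy>\w+)\]|(?P<kind>ADDED|MISSING))")


def parse_record(line):
    """Split one record into severity, timestamp and its key=<value> fields."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rec = {"severity": m.group("sev"), "time": m.group("ts")}
    rec.update(FIELD_RE.findall(m.group("rest")))
    return rec


def _suppressed(path, patterns):
    return any(re.search(p, path) for p in patterns)


def policy_violations(lines, ignore_added=(), ignore_missing=(), ignore_modified=()):
    """Return (severity, policy-or-kind, path) for each policy violation.

    The ignore_* lists follow the charm's options: a violation whose path
    matches is dropped. samhain applies its own regexes before logging;
    applying them here as well lets an older log be re-read against a
    tightened configuration."""
    found = []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        pm = POLICY_RE.match(rec.get("msg", ""))
        if pm is None:
            continue
        path = rec.get("path", "")
        kind = pm.group("kind") or pm.group("policy")
        patterns = {"ADDED": ignore_added, "MISSING": ignore_missing}.get(kind, ignore_modified)
        if _suppressed(path, patterns):
            continue
        found.append((rec["severity"], kind, path))
    return found


def nagios_state(violations, warn_level, crit_level):
    """Nagios exit status per the page's rule: alarm when the count
    exceeds (is strictly greater than) the configured level."""
    if violations > crit_level:
        return 2, "CRITICAL"
    if violations > warn_level:
        return 1, "WARNING"
    return 0, "OK"


if __name__ == "__main__":
    rx = [r"/etc/samba/dhcp\.conf(\.new)?$"]   # page's ignore_added / ignore_missing default
    found = policy_violations(SAMPLE_LOG.splitlines(), ignore_added=rx, ignore_missing=rx)
    for sev, kind, path in found:
        print(f"{sev:6} {kind:10} {path}")
    code, label = nagios_state(len(found), warn_level=2, crit_level=5)
    print(f"{label}: {len(found)} policy violation(s)")
    raise SystemExit(code)
```

Run against the real file with something like `policy_violations(open("/var/log/samhain/samhain.log"))`; the warn level of 2 used above is a placeholder, since the page gives no default for nagios_warn_level.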

Contact Information

Chris Stratford


Configuration

application_name
(string) Operating name of the charm
samhain
attributes_dirs
(string) Directories for which we care about only permission and ownership changes
attributes_files
(string) Files for which we care about only permission and ownership changes
/etc/mtab /etc/resolv.conf /etc/localtime /etc/adjtime /etc/network/run/ifstate /etc/ld.so.cache
enable_apt_check
(string) Once enabled, this will prevent apt from installing new packages if samhain thinks the system is unclean. It starts disabled to avoid problems during initial Juju installs. Note: Enabling this option is a one-way process
no
event_severity
(string) Set policy violation severity levels
SeverityReadOnly=crit SeverityLogFiles=crit SeverityGrowingLogs=warn SeverityIgnoreNone=crit SeverityAttributes=crit
growing_logfiles
(string) Files for which we ignore changes in signature, timestamps and increases in size
/var/log/wtmp /var/log/faillog /var/log/auth.log /var/log/daemon.log /var/log/kern.log /var/log/syslog
ignore_added
(string) Suppress messages about the creation of files matching these regexes
/etc/samba/dhcp\.conf(\.new)?$
ignore_all_dirs
(string) Dirs that can change freely
ignore_all_files
(string) Files that can change freely
/etc/nologin /etc/network/run
ignore_missing
(string) Suppress messages about the absence of files matching these regexes
/etc/samba/dhcp\.conf(\.new)?$
ignore_modified
(string) Suppress messages about modifications to files matching these regexes
ignore_none_dirs
(string) Any change to these directories (even just being accessed) is reported
ignore_none_files
(string) Any change to these files (even just being accessed) is reported
logfiles
(string) Files for which changes in signature, timestamps, and size are ignored
/var/run/utmp
logging
(string) Set threshold severity for log facilities
MailSeverity=crit PrintSeverity=none LogSeverity=info SyslogSeverity=alert
mail_recipient
(string) Who receives any email
root@localhost
nagios_check_frequency
(int) How often to perform a policy check (in minutes)
30
nagios_context
(string) Used by the nrpe subordinate charms. A string that will be prepended to instance name to set the host name in nagios. So for instance the hostname would be something like: juju-myservice-0 If you're running multiple environments with the same services in them this allows you to differentiate between them.
juju
nagios_crit_level
(int) Critical alarm if the number of policy violations exceed this value
5
nagios_servicegroups
(string) A comma-separated list of nagios servicegroups. If left empty, the nagios_context will be used as the servicegroup
nagios_warn_level
(int) Warn if the number of policy violations exceed this value
(string) Directories holding prelinked files
(string) A list of prelinked files
read_only_dirs
(string) Directories for which only access time is ignored. Entries are passed to samhain as-is, so a leading N/ (as in 3/sbin) is samhain's own syntax limiting the recursion depth to N levels
/usr/bin /bin /boot 3/sbin /usr/sbin /lib 3/etc
read_only_files
(string) Files for which only access time is ignored
/usr/lib/pt_chown
script_dir
(string) Directory where we will store any related scripts
/usr/local/sbin