The SAMHAIN file integrity / host-based intrusion detection system

Overview

Samhain is a multiplatform, open source host-based intrusion detection system (HIDS) for POSIX (Unix, Linux, Cygwin/Windows). Samhain provides file integrity checking, as well as rootkit detection, port monitoring, detection of rogue SUID executables, and hidden processes.
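To make the core technique concrete, here is a small file-integrity checker added as an illustration: it records a baseline (content hash plus the metadata an intruder would have to preserve to hide a change) for every regular file under a directory, then re-scans and reports added, removed and modified files. This is example code written for this page, not Samhain's own code or its database format; the record layout, the choice of SHA-256 and the `demo()` scenario are assumptions.

```python
"""Minimal file-integrity check: baseline a directory tree, re-scan it later
and report added, removed and modified files.  Added illustration of what a
file integrity checker does; NOT Samhain's code or its on-disk database format."""
import hashlib
import os
import stat
import tempfile
from typing import Dict, List, Tuple

# One baseline record per file.  Hashing content alone is not enough: a
# setuid bit flipped on an unchanged binary is still a compromise, so mode,
# owner, size and mtime are recorded too (layout is an assumption for this example).
Record = Tuple[str, int, int, int, int, int]  # (sha256, mode, uid, gid, size, mtime_ns)


def _hash_file(path: str) -> str:
    """SHA-256 of the file content, read in chunks so large files fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> Dict[str, Record]:
    """Walk `root` and record hash + metadata for every regular file, keyed by relative path."""
    baseline: Dict[str, Record] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets, devices are out of scope for this example
            rel = os.path.relpath(path, root)
            baseline[rel] = (_hash_file(path), st.st_mode, st.st_uid,
                             st.st_gid, st.st_size, st.st_mtime_ns)
    return baseline


def check(root: str, baseline: Dict[str, Record]) -> Dict[str, List[str]]:
    """Re-scan `root` and diff the result against a stored baseline."""
    current = build_baseline(root)
    common = set(current) & set(baseline)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common if current[p] != baseline[p]),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a fake tree, apply four kinds of change, re-check."""
    with tempfile.TemporaryDirectory() as root:
        files = {  # constructed sample content, not real system files
            "bin/ls": b"original binary",
            "etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
            "etc/hosts": b"127.0.0.1 localhost\n",
        }
        for rel, data in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        baseline = build_baseline(root)

        # Simulated changes an integrity checker must surface:
        with open(os.path.join(root, "bin/ls"), "wb") as f:
            f.write(b"replaced binary")           # content changed
        os.chmod(os.path.join(root, "etc/hosts"), 0o755)  # metadata-only change (mode)
        os.remove(os.path.join(root, "etc/passwd"))       # file removed
        with open(os.path.join(root, "bin/.hidden"), "wb") as f:
            f.write(b"x")                        # file added
        return check(root, baseline)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s} {paths}")
```

The `etc/hosts` case is the one worth noting: its content is unchanged, so a checker that compared hashes only would stay silent, while the recorded mode catches it. A real deployment additionally has to protect the baseline itself, which is what Samhain's signed databases and central storage are for.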

It has been designed to monitor multiple hosts, potentially running different operating systems, with centralized logging and maintenance, although it can also be used as a standalone application on a single host.

«We have samhain running on over 200 servers being managed by beltane. It's working really well so far. Excellent software.»

-- Mike

Features

Centralized monitoring

The client/server architecture of samhain allows central logging to the server, central storage of baseline databases and client configuration data, and central updates of baseline databases.

Web-based management console

A web-based console - Beltane - is available as a separate package. Beltane lets you monitor server and client activity, view client reports, and update the baseline databases on the server side.

Multiple logging facilities

Samhain supports multiple logging facilities, each of which can be configured individually; e.g. a tamper-resistant logfile, syslog, e-mail, relational databases (MySQL, PostgreSQL, Oracle, or unixODBC) and the Prelude IDS.
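The phrase "tamper-resistant logfile" names a technique worth seeing in miniature. The following added example (written for this page; it is not Samhain's log format or its algorithm, and the key, separator and message texts are constructed assumptions) chains log entries with a keyed hash, so that editing, deleting or forging an entry breaks the chain at a detectable position.

```python
"""Tamper-evident log via a keyed hash chain.  Each entry carries an HMAC over
the previous entry's tag and its own message, so the tags form a chain.
Added illustration only; NOT Samhain's log format or algorithm."""
import hashlib
import hmac
from typing import Dict, List, Optional

GENESIS = "0" * 64  # chain anchor for the first entry (assumption for this example)


def _link(key: bytes, prev_tag: str, message: str) -> str:
    """Tag for one entry: HMAC-SHA256(key, prev_tag || newline || message)."""
    return hmac.new(key, (prev_tag + "\n" + message).encode(), hashlib.sha256).hexdigest()


def append(log: List[str], key: bytes, message: str) -> None:
    """Append `message` as 'message|tag', chaining to the last entry's tag."""
    prev_tag = log[-1].rpartition("|")[2] if log else GENESIS
    log.append(f"{message}|{_link(key, prev_tag, message)}")


def verify(log: List[str], key: bytes) -> Optional[int]:
    """Return the index of the first entry whose tag does not verify, or None if intact."""
    prev_tag = GENESIS
    for i, entry in enumerate(log):
        message, _, tag = entry.rpartition("|")  # messages may themselves contain '|'
        if not hmac.compare_digest(tag, _link(key, prev_tag, message)):
            return i
        prev_tag = tag
    return None


def demo() -> Dict[str, Optional[int]]:
    """Constructed scenario: an intact chain, an edited entry, and a deleted entry."""
    key = b"constructed-demo-key-not-for-real-use"
    log: List[str] = []
    for msg in ["START monitoring", "POLICY /etc/hosts mode changed", "STOP monitoring"]:
        append(log, key, msg)

    # An edit keeps the original tag but changes the text: tag no longer verifies.
    edited = list(log)
    edited[1] = "nothing to report|" + log[1].rpartition("|")[2]

    # Deleting the middle entry makes the last entry chain to the wrong predecessor.
    deleted = log[:1] + log[2:]

    return {
        "intact": verify(log, key),      # None: whole chain verifies
        "edited": verify(edited, key),   # 1: the altered entry
        "deleted": verify(deleted, key), # 1: the entry that now follows the gap
    }


if __name__ == "__main__":
    print(demo())
```

One limit to keep in mind: silently truncating the tail of such a log is not detected by the chain alone, because every remaining entry still verifies. That is why a deployment pairs the chain with an external anchor, such as shipping the last tag or the entry count to a central server, which is what Samhain's central logging provides.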

Tamper resistance

Samhain offers PGP-signed database and configuration files, a stealth mode, and several more features to protect against attempts to subvert the integrity of the samhain client / agent.