HOWTO Samhain on Windows

http://la-samhna.de/samhain/HOWTO-samhain-on-windo...

samhain le integrity scanner | online documentation

Using Samhain on Windows

This document aims to explain how to compile and run samhain on Windows with the Cygwin POSIX emulation layer, and how to install it as a service. These instructions have been written by Kris Dom, who has tested this on WinXP Professional, with additions by Geries Handal and Jorge Morgado.

Interix / Services For UNIX

Samhain can also be used with Interix/SFU 3.5. Note that in Interix, the Windows lesystem is referred as /dev/fs/C, while in Cygwin it is /cygdrive/c (both refers to the drive; other drives are analogous).
C:

Older versions of samhain would need to be built with ./configure --disable-mail (i.e. without support for email logging) because Interix does not provide some of the required functionality to build the email module. This issue should be xed as of samhain version 2.0.7 (not tested). [Based on information kindly provided by Geries Handal].

Cygwin installation procedure to compile samhain

Cygwin download
Make a temporary directory to store cygwin installer (e.g. c:\temp\cygwin) Surf to http://www.cygwin.com to download cygwin Use the "install or update now (using setup.exe)" to download the installer in c:\temp \cygwin Execute "setup.exe" in c:\temp\cygwin Choose the "download from the Internet" option Choose "c:\temp\cygwin" as 'Local Package Directory' Choose an FTP site Click on 'Default' just after 'All' to change the installation type from 'Default' to 'Install'. This will most likely install way too much stu but I am not familiar with Cygwin, so this way I know that all libs and compilers are installed. Let it download the stu (there is a lot to download so be patient). You don't need to download and install All packages. It is enough to keep the Default and then add the following additional packages: Category Devel -> gcc: C compiler upgrade helper Category Devel -> make: The GNU version of the 'make' utility Category Libs -> minires: A simple synchronous non caching stub resolver When selecting these packages, Cygwin installer will automatically add other packages based on their dependencies. The package minires is only necessary for a minimal Cygwin installation (below). [Kindly pointed out by Jorge Morgado].

Cygwin installation

1 of 4

31.10.2012 14:33

HOWTO Samhain on Windows

http://la-samhna.de/samhain/HOWTO-samhain-on-windo...

When the download is complete you have the Cygwin software in the temporary directory, however, it still needs to be installed. To install, execute the "setup.exe" in "c:\temp\cygwin" Choose the "Install from local directory" option. Choose "C:\Cygwin" as root directory (this will be the Unix '/') Choose the Local Package Directory: "c:\temp\cygwin" Click on 'Default' just after 'All' to change the installation type from 'Default' to 'Install'. Let it install Cygwin (this will take some time so be patient).

Samhain install procedure (used 'samhain 1.8.7a' in this procedure)

(in the following procedure I use my personal preferences) Start up Cygwin using the "Cygwin" icon on the desktop (a classic Unix environment will be started). Download the 'samhain' gzip/tar (I always put in my home directory) Make directories to install samhain (taking into account the congure options):
$ mkdir /usr/local/sbin $ mkdir /usr/local/var $ mkdir /usr/local/log $ mkdir /usr/local/tmp

Go to the home directory:

$ cd $HOME

Un-gzip and untar the samhain package:

$ gunzip samhain-1.8.7a.tar.gz $ tar xvf samhain-1.8.7a.tar

Go to the samhain directory:

$ cd samhain-1.8.7a

Congure:
$ ./configure --enable-xml-log=yes --with-tmp-dir=/usr/local/tmp --with-config-file=/usr/local /etc/samhainrc --with-log-file=/usr/local/log/samhain.log --with-pid-file=/usr/local/var/samhain.pid --with-state-dir=/usr/local/var

In my experience, the paths given in the 'congure' command should refer to the Cygwin lesystem view, i.e. /cygdrive/c/..., otherwise samhain may not work from a pure DOS shell, and may not run as a Windows service [Rainer Wichmann]. Make the binary:
$ make

Install samhain:
$ make install

Now congure the "/usr/local/etc/samhainrc" le. Remember: "C:\" -> "/cygdrive/c/" Initialize the samhain local baseline database:
$ /usr/local/sbin/samhain -t init

Start it up:
$ /usr/local/sbin/samhain -t check

Cygwin minimal installation procedure to run samhain

Files needed to create a service (from NT/W2K Resource Kit): instsrv.exe

2 of 4

31.10.2012 14:33

HOWTO Samhain on Windows

http://la-samhna.de/samhain/HOWTO-samhain-on-windo...

srvany.exe First copy these les to the "%winnt%\system32" directory. Files needed to run the 'samhain.exe'. Copy the following .dll from the Cygwin setup (c:\Cygwin\bin) to the "%winnt%\system32" directory: cygwin1.dll cygminires.dll Files needed from c:\Cygwin\bin to create the /etc/passwd and /etc/group les: mkpasswd.exe mkgroup.exe To generate these les on a minimal Cygwin installation execute - on a Windows Command Prompt:
mkdir c:\etc path\to\mkpasswd.exe -l > c:\etc\passwd path\to\mkgroup.exe -l > c:\etc\group

IMPORTANT NOTE: You should re-create these two les, each time the Windows users and groups accounts database changes. Failing to do this might generate critical log messages (depending on your conguration le). Create a directory structure for samhain (following the compilation options you used) - in a DOS box (or via Windows Explorer)
mkdir c:\usr mkdir c:\usr\local mkdir c:\usr\local\sbin mkdir c:\usr\local\var mkdir c:\usr\local\tmp mkdir c:\usr\local\log mkdir c:\usr\local\etc

Use the "instsrv.exe" binary to create a new service:

instsrv.exe samhain c:\windows\system32\srvany.exe

(this will create a service called "Samhain" that will start the "srvany.exe" process). Now edit the registry to change the startup parameters for the newly created service: regedit HKEY_LOCAL_MACHINE->SYSTEM->CurrentControlSet->Services->Samhain Add a String value (type: REG_SZ called: "Description") under the 'Samhain' key Open the newly created "Description" value and ll in a description for the 'Samhain' service Add a key to specify what le the "srvany.exe" process must start: Edit->New->Key called "Parameters" Under the newly created "Parameters" key, add a new String value called "Application". The value for "Application" should be "c:\usr\local\sbin\samhain.exe". Make sure that in the "samhainrc" le, you have used "/cygdrive/c" to refer to "c:" Initialize the samhain baseline database rst:
c:\usr\local\sbin\samhain -t init

Reboot (it is Windows so ...) It seems that start/stop/restart the service does not work if samhain is congured to run as a daemon, because the Windows service manager cannot track the forked daemon process. Therefore, if you run Samhain as a Windows service, it might be better to congure it as a 'normal' process which does not fork a daemon:
3 of 4 31.10.2012 14:33

HOWTO Samhain on Windows

http://la-samhna.de/samhain/HOWTO-samhain-on-windo...

Set 'Daemon = no' in the samhainrc conguration le. Edit the key HKEY_LOCAL_MACHINE->SYSTEM->CurrentControlSet->Services->Samhain->Parameters to add a string value named 'AppParameters', with the value '--forever'. [Rainer Wichmann]. Also see http://support.microsoft.com/kb/q137890/ for information regarding the creation of a user-dened service. Note: the rst time I tried to install samhain as an NT service, I rst installed a default Cygwin on the system. This however made things much more complex. I think when there is no Cygwin installed, it is more easy to install Samhain as a service.

Troubleshooting samhain
[Rainer Wichmann] I had some problems at rst getting it to run as a Windows service. Some tips: Running samhain from a pure DOS shell (outside the Cygwin environment) helps to identify problems, in particular if it refuses to start as a Windows service. I found it neccessary to put the cygwin1.dll DLL into the same directory as the samhain.exe executable. Also, you can use the command ldd ./samhain.exe to identify further Cygwinspecic DLL that may be required (if any). Also, I found it neccessary to use Cygwin-style paths (/cygdrive/c/...) in the './congure ..' command when compiling samhain. [Tip from Jorge Morgado] If you, like me, have a Windows server not part of any domain and (for security reasons) you even turn o DNS resolution, you might probably get the following error when initializing the baseline database:
--------sh_unix.c --1487 --------According to uname, your nodename is yourcomputername, but your resolver library cannot resolve this nodename to a FQDN. Rather, it resolves this to yourcomputername. For more information, see the entry about self-resolving under 'Most frequently' in the FAQ that you will find in the docs/ subdirectory ----------------------------------------------

To x this problem open the Registry Editor and create the following entries under the key HKLM\System\CurrentControlSet\Services\Tcpip\Parameters
Name: Domain Type: REG_SZ Data: your.domain.name Name: NV Domain Type: REG_SZ Data: your.domain.name

The NV Domain registry value contains the computer's primary DNS sux while the Domain registry value contains the computer's primary DNS domain. This will make the warning message go away.

4 of 4

31.10.2012 14:33