Host Based Intrusion Detection - Samhain

Want to support HowtoForge? Become a subscriber!
Submitted by thirddeep (Contact Author) (Forums) on Mon, 2011-01-17 17:17. :: CentOS | Debian | Linux | Security

Host Based Intrusion Detection - Samhain


This article describes in some detail how to install Samhain, the host based intrusion detection system. For further information regarding Samhain, please see

I am not going to ramble on about what host based intrusion detection is or why to use it, as there are plenty of articles already covering those subjects. This article is just to show you how to get Samhain up and running in a client / server configuration with a couple bells and whistles thrown in for fun.

I highly recommend you read the entire guide before you start, it will most certainly help.

There is a lot of swapping between client and server as I try my best to confuse you, so stay sharp!



You will need all the required build tools installed as we are going to compile Samhain. Here is a quick refresher:

Red Hat

yum groupinstall "Development Tools"


apt-get install build-essential

NOTE: Please keep in mind that development tools on production servers is perhaps not the best of ideas. These packages may further assist the wannebe hacker, fill up precious megabyte or eat your cat. It is recommended to build the required packages on your build server, test them, create rpm / deb package and then deploy said packages on your production environment.

Here is a short check list to follow:

  1. You will need MySQL and Apache running on your server. This guide will assume a vanilla MySQL and Apache configuration. I leave it up to the reader to figure out how to install and configure these services on your favourite distribution. (Hint : and
  2. You will need the MySQL development package (generaly mysql-devel) installed for the server side of things.
  3. MySQL must have a root password set. If the MySQL root password is not set, go and do that first. While your at MySQL, you may want to look at this : /usr/bin/mysql_secure_installation
  4. The server and client(s) host name must be fully qualified.
  5. The server and client(s) /etc/host file must be correct (really correct, not Red Hat default correct), and DNS must be working for both forward and reverse lookups.
  6. Port 50888 TCP should be open, or whatever port you set when building.
  7. ImageMagick is required on the client.


Download And Install

The above page has a full description of where to download the latest version of Samhain, and how to verify the integrity of the package. It is critical that the integrity of the package is checked. If you do not have a good foundation to build on, your house will surely crumble :-)


Server Setup

Yule is the server side component of Samhain.

After you have extracted and checked the package, make sure you are the root user, in the top level directory of the unpacked source files.

We start by creating a user for the service, and generating a gpg key as that user:

adduser yule
su - yule
gpg --gen-key

You will be asked the following questions:

gpg (GnuPG) 1.4.5; Copyright (C) 2006 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.
gpg: directory `/home/mytest/.gnupg' created
gpg: new configuration file `/home/yule/.gnupg/gpg.conf' created
gpg: WARNING: options in `/home/yule/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/home/yule/.gnupg/secring.gpg' created
gpg: keyring `/home/yule/.gnupg/pubring.gpg' created
Please select what kind of key you want:
(1) DSA and Elgamal (default)
(2) DSA (sign only)
(5) RSA (sign only)
Your selection? <-- The default is fine, just press ENTER
DSA keypair will have 1024 bits.
ELG-E keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096 <-- 4096 For the paranoid
Requested keysize is 4096 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 2y <-- Some may feel 2 years is to long, it's up to you ...
Key expires at Sat 15 Dec 2012 22:24:38 GMT
Is this correct? (y/N) y <-- If you are happy and you know it clap your hands
You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
"Heinrich Heine (Der Dichter)<>"

Real name: yules <-- Whatever name you want to use
Email address: <-- Some e-mail address
Comment: 20 questions is a fun game
You selected this USER-ID:
"yules (20 questions) <>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O <-- If you are happy, OK it
You need a Passphrase to protect your secret key.

Enter passphrase: This is a long passphrase ! <-- Enter a strong passphrase
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

Not enough random bytes available. Please do some other work to give
the OS a chance to collect more entropy! (Need 284 more bytes)

Fed up waiting for this ? Click here :

gpg: /home/yule/.gnupg/trustdb.gpg: trustdb created
gpg: key B7043C9A marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2012-12-15
pub 1024D/B7043C9A 2010-12-16 [expires: 2012-12-15]
Key fingerprint = 421E CFE8 533E 017F 95C8 170A DB54 28E7 B704 3C9A
uid yules (20 questions) <>
sub 4096g/EB230E29 2010-12-16 [expires: 2012-12-15]

Quit this shell, so that we are back to the root user.


So now we have a gpg key, lets get on with building the packages.

The default gpg binary does not support the TIGER192 checksum. As such, we first build a vanilla Samhain binary so that we can get that capability from the Samhain binary.


Right, now we build the real thing ...

./configure --with-gpg=/usr/bin/gpg --enable-network=server --with-database=mysql --enable-xml-log --with-port=50888 --enable-identity=yule
make install

At this point, the following should come up:

You need to sign the configuration file now
/usr/bin/gpg -a --clearsign yulerc
using --homedir /home/yule/.gnupg
gpg: WARNING: unsafe ownership on homedir `/home/yule/.gnupg'
You need a passphrase to unlock the secret key for
user: "yules (20 questions) <>"
1024-bit DSA key, ID BAFB6B91, created 2010-12-21
Enter passphrase: This is a long passphrase ! <-- This is the passphrase we set earlier.

Side note: I am unsure why gpg is complaining about the ownership, as the permissions is just fine.

Now install the initialization script, set up MySQL user / permission and fix some file permissions.

make install-boot
mysql -p < sql_init/samhain.mysql.init
echo "grant select, insert on samhain.log to samhain@localhost IDENTIFIED BY 'samhain';" | mysql -p <-- This will ask for your root MySQL password.
echo "FLUSH PRIVILEGES;" | mysql -p <-- This will ask for your root MySQL password.
chown yule:yule /var/log/yule
chown yule:yule /etc/yulerc
chown yule:yule /var/lib/yule

Set yule to start at boot.

Red Hat

chkconfig --add yule
chkconfig yule on


update-rc.d yule defaults

Start yule with:

/etc/init.d/yule start

Yule may complain with something like :

<log sev="WARN" tstamp="2010-12-21T11:46:42+0000" msg="Invalid line 102 in configuration file: incorrect format, unrecognized option, or missing section header" />
<log sev="WARN" tstamp="2010-12-21T11:46:42+0000" msg="Invalid line 106 in configuration file: incorrect format, unrecognized option, or missing section header" />

However, the service should start fine. These two warnings are due to the [Database] header being commented out. Either uncomment it, or comment said two lines out. They are true by default.

For a list of configuration options with full explanations, see


Apache Configuration

Add the following in:

Red Hat




<Directory "/var/log/yule/">
   Options ExecCGI
   AllowOverride None
   Order allow,deny
   Allow from all
Alias /yule.html "/var/log/yule/yule.html"

Then reload Apache with:

Red Hat

service httpd restart


/etc/init.d/apache2 restart

Now visit http://yourserver/yule.hml

Please do not use the comment function to ask for help! If you need help, please use our forum.
Comments will be published after administrator approval.