Install and Configure the Samhain HIDS (Yule Server and Samhain Client)
Download Samhain
wget -c http://www.la-samhna.de/archive/samhain_signed-4.1.5.tar.gz
Install the Yule Server
Hostname: sec.wajatmaka.com (FQDN)
Add a yule user
useradd yule
Compile and install Yule
./configure --enable-network=server --enable-identity=yule --enable-xml-log
make install
Install the Samhain Client
Hostname: client.wajatmaka.com (FQDN)
Compile Samhain (the configuration file and the baseline database are requested from the server)
./configure --enable-network=client \
--with-logserver=sec.wajatmaka.com \
--with-config-file=REQ_FROM_SERVER/etc/samhainrc \
--with-data-file=REQ_FROM_SERVER/var/lib/samhain/samhain_file \
--with-trusted=0
Note:
A hostname consists of a short hostname and a domain part, for example sec.wajatmaka.com:
- sec is the short hostname
- wajatmaka.com is the domain
FROM CLIENT TO SERVER (Samhain to Yule)
Note:
The client's executable and its configuration file must be sent to the Yule server, where the connection is then configured. The server expects them under the client's FQDN:
- /etc/samhainrc must be renamed to rc.<hostname> (rc.client.wajatmaka.com) and placed in /var/lib/yule
- /usr/local/sbin/samhain (the binary executable) must be renamed to samhain_host-<hostname> (samhain_host-client.wajatmaka.com) and placed in /usr/local/sbin
scp /etc/samhainrc root@192.168.56.101:/var/lib/yule/rc.`hostname`
scp /usr/local/sbin/samhain root@192.168.56.101:/usr/local/sbin/samhain_host-`hostname`
FROM SERVER TO CLIENT (Yule to Samhain)
Note:
1. Generate a unique key (password) for the client
2. Build a new samhain binary (samhain_host-<hostname>.new) with that unique key embedded
3. Generate the connection entry for /etc/yulerc from the same unique key, replacing the HOSTNAME placeholder with the client's FQDN
4. Send the new samhain binary to the client
yule -G > samhain_host-client.wajatmaka.com.txt
./yule_setpwd samhain_host-client.wajatmaka.com new $(cat samhain_host-client.wajatmaka.com.txt)
./yule -P $(cat samhain_host-client.wajatmaka.com.txt) | sed -e 's/HOSTNAME/client.wajatmaka.com/g' >> /etc/yulerc
scp samhain_host-client.wajatmaka.com.new root@192.168.56.103:/usr/local/sbin/samhain
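As an added example (not from the original page or the Samhain project), the following POSIX shell script wraps the four server-side registration steps above for one client. It assumes yule and yule_setpwd are on PATH, that the client binary already sits in /usr/local/sbin under the samhain_host-<hostname> name, and that yule -P prints a registry line containing the literal HOSTNAME placeholder, as the sed step above relies on.

```shell
#!/bin/sh
# Added example, not part of the original page or the Samhain project.
# Registers one Samhain client on the Yule server: checks the client name
# is a FQDN, derives the per-client file names Yule expects, and rewrites
# the HOSTNAME placeholder in the `yule -P` registry line for /etc/yulerc.
# Assumes yule and yule_setpwd are on PATH when register_client is run.

# Return 0 if the name has a short host part and a domain part, e.g.
# client.wajatmaka.com; a bare short name such as "client" is rejected,
# because the server looks up rc.<FQDN>, file.<FQDN> and samhain_host-<FQDN>.
is_fqdn() {
    case "$1" in
        ''|.*|*.|*..*|*[!A-Za-z0-9.-]*) return 1 ;;
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Per-client artefacts on the server, named with the client's FQDN.
client_rc_path()   { printf '/var/lib/yule/rc.%s\n' "$1"; }
client_data_path() { printf '/var/lib/yule/file.%s\n' "$1"; }
client_bin_name()  { printf 'samhain_host-%s\n' "$1"; }

# `yule -P <password>` prints a registry line containing the literal
# placeholder HOSTNAME; replace it with the client's FQDN for /etc/yulerc.
yulerc_client_line() {
    printf '%s\n' "$2" | sed -e "s|HOSTNAME|$1|g"
}

# Run the four steps for one client; returns non-zero before touching
# anything if the name is not a FQDN or the Yule tools are missing.
register_client() {
    host="$1"
    is_fqdn "$host" || { echo "not a FQDN: $host" >&2; return 1; }
    command -v yule >/dev/null 2>&1 && command -v yule_setpwd >/dev/null 2>&1 \
        || { echo "yule/yule_setpwd not on PATH" >&2; return 1; }
    bin=$(client_bin_name "$host")
    pw=$(yule -G)                                              # step 1: unique key
    ( cd /usr/local/sbin && yule_setpwd "$bin" new "$pw" ) || return 1   # step 2: $bin.new
    yulerc_client_line "$host" "$(yule -P "$pw")" >> /etc/yulerc        # step 3
    echo "copy /usr/local/sbin/$bin.new to $host as /usr/local/sbin/samhain"  # step 4
}
```

Run it as register_client client.wajatmaka.com on the server; the key never has to be written to a .txt file, so there is nothing left behind to clean up.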
FROM CLIENT TO SERVER (Samhain to Yule)
Note:
1. Generate the file-integrity baseline database on the client
2. Send the generated database to the server's /var/lib/yule/ as file.<hostname> (file.client.wajatmaka.com)
/usr/local/sbin/samhain -t init
scp /var/lib/samhain/samhain_file root@192.168.56.101:/var/lib/yule/file.`hostname`
Check File Integrity from the Client
Check the log:
samhain -L /var/log/samhain_log