Introduction

Samhain is one of the most successful open source host integrity monitoring systems available today. This chapter examines all of the steps involved in a successful deployment of Samhain, including building and verifying the source, installation, and administration. The goal of this chapter is to show you how to effectively use Samhain to monitor the integrity of your hosts. Although all of the features and abilities available through Samhain are covered, this chapter focuses on the aspects of the system that will help you establish a simple yet effective integrity monitoring solution.

It is very important that you establish dedicated build and test environments. A dedicated build environment allows you to create trusted binaries of the software. If you are deploying the Samhain agent to many hosts, you must be sure that the executables are trusted and sound. Establishing a dedicated test environment is helpful for research and ongoing administration. Initially, a test environment can be used to gain familiarity with Samhain. Once you have deployed Samhain, your dedicated test environment can be used to test configuration changes, aid in the reduction of false positives, and test various administrative tasks before loading them into your production environment.

Samhain can be deployed in a solitary fashion (stand alone), and in a client/server mode. Deploying Samhain as stand-alone is useful when you have only a handful of hosts. The client/server mode is a centrally managed deployment for the enterprise or any situation where you have a large number of hosts that...