samhain has its own set of trusted users. Paths to critical files (e.g. the configuration file) must be writeable by trusted users only. Failure to ensure this (e.g. by compiling in an appropriate set of trusted users) is one of the most frequent reasons for problems. See below for details.
Trusted users are root and the effective user of the process (usually, the effective user will be root herself). Additional trusted users can be defined in the configuration file (see Section 5 for an example), or at compile time, with the option
A trusted path is a path with all elements writeable only by trusted users. samhain requires the paths to the configuration and log file to be trusted paths, as well as the path to the pid file.
If a path element is group writeable, all group members must be trusted. If the path to the configuration file itself is writeable by users other than root and the effective user, these must be defined as trusted already at compile time.
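One way to audit a path against the rules above before starting the daemon (an added example, not samhain's own code): it walks every element from `/` down to the file and reports each one that somebody outside the trusted set could write to. Assumptions: `untrusted_elements`, `element_problem`, `group_members` and `extra_trusted` are hypothetical names, the owner of an element is treated as a writer regardless of mode bits, and symbolic links are resolved first with `realpath`.

```python
import grp
import os
import pwd
import stat
import sys

def group_members(gid):
    """UIDs in group gid: listed members plus users whose primary group it is."""
    uids = {p.pw_uid for p in pwd.getpwall() if p.pw_gid == gid}
    try:
        names = grp.getgrgid(gid).gr_mem
    except KeyError:            # gid has no group entry
        return uids
    for name in names:
        try:
            uids.add(pwd.getpwnam(name).pw_uid)
        except KeyError:        # listed member without a passwd entry
            pass
    return uids

def element_problem(mode, uid, gid, trusted, members=group_members):
    """Return why one path element is untrusted, or None if it is fine."""
    if uid not in trusted:      # assumption: the owner can always chmod and write
        return f"owned by untrusted uid {uid}"
    if mode & stat.S_IWOTH:
        return "world-writeable"
    if mode & stat.S_IWGRP:     # group writeable: every member must be trusted
        bad = sorted(members(gid) - trusted)
        if bad:
            return f"group-writeable, untrusted members of gid {gid}: {bad}"
    return None

def untrusted_elements(path, extra_trusted=()):
    """Check every element from / down to path; return [(element, reason)]."""
    trusted = {0, os.geteuid(), *extra_trusted}   # root + effective user + extras
    parts = [p for p in os.path.realpath(path).split(os.sep) if p]
    findings, element = [], os.sep
    for part in [""] + parts:                     # "" checks the root directory
        element = os.path.join(element, part)
        st = os.stat(element)
        reason = element_problem(st.st_mode, st.st_uid, st.st_gid, trusted)
        if reason:
            findings.append((element, reason))
    return findings

if __name__ == "__main__":
    for target in sys.argv[1:]:
        for element, reason in untrusted_elements(target):
            print(f"{target}: {element}: {reason}")
```

Run it as the user samhain will run as, passing the configuration, log and pid file paths; an empty result means no element of the path was flagged.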
The list of group members in
to the FHS, which mandates a directory layout that is
different from the default GNU layout (everything in
There is an option
For the yule server, replace samhain with yule in the paths explained below.
The following table explains which directory layout
|PREFIX||USR (all capital)|
|PREFIX||OPT (all capital)|
The file signature database will be written to
pid file to
and the log file to
yule writes an
HTML status file to
For more fine-grained control over the layout, the following configure options are provided:
--with-config-file=FILE — The path of the configuration file.
--with-log-file=FILE — The path of the log file.
--with-pid-file=FILE — The path of the pid file.
--with-data-file=FILE — The path of the file signature database file.
--with-html-file=FILE — The path of the HTML status file (server only).
The server will drop root privileges after startup. It does not need write access to the data files, so the data file directory is chmod 555 on installation. It does need write access to the log file directory. As the system logfile directory is usually owned by root, the install script will by default create a subdirectory and chown it to the unprivileged yule user. The PID file is written before dropping root.