Table of Contents
If an intruder does not know that samhain is running, s/he will make no attempt to subvert it. Hence, you may consider to run samhain in stealth mode, using some of the options discussed in this section.
samhain may be compiled with support for a stealth mode of operation, meaning that the program can be run without any obvious trace of its presence on disk. The following compile-time options are provided:
xor_val provides the
All embedded strings are obfuscated by XORing them with some value xor_val chosen at compile time. The allowed range for xor_val is 128 to 255.
The messages in the log file are obfuscated by XORing them with xor_val. The built-in routine for validating the log file ( samhain -L /path/to/logfile ) will handle this transparently. You may specify as path an already existing binary file (e.g. an executable, or a JPEG image), to which the log will get appended.
Use samhain -jL /path/to/logfile if you just want to view rather than verify the logfile.
Strings in the database file are obfuscated by XORing them with xor_val. You may append the database file to some binary file (e.g. an executable, or a JPEG image), if you like.
The configuration file must be steganographically
hidden in a postscript image file (the image data must
be uncompressed). To create such a file from an
existing image, you may use e.g. the program
convert , which is
part of the
ImageMagick package, such as
make install will do this automatically before installation.
To hide/extract the configuration data within/from the postscript file, a utility program samhain_stealth is provided. Use it without options to get help.
If --enable-stealth is used together with --with-gpg or --with-signify , then the config file must be signed before hiding it (rather than signing the PS image file afterwards).
Furthermore, in the case of --with-signify, the config file MUST end with the '[EOF]' marker, as the only content of the LAST line. If there are blank lines afterwards, they will not get extracted, and the signature verification will fail.
xor_val is like
--enable-stealth , but uses
a 'normal' configuration file (not hidden
--enable-nocl[=ARG] will disables command line parsing. The optional argument is a 'magic' word that will enable reading command-line arguments from stdin. If the first command-line argument is not the 'magic' word, all command line arguments will be ignored. This allows to start the program with completely arbitrary command-line arguments.
NAME will rename every
installed file from
NAME when doing a
install (standalone/client installation), and
likewise rename installed files from
NAME when doing a
make install (server
installation). Also, the boot scripts will be updated
accordingly. Files created by
samhain (e.g. the
database) will also have
samhain replaced by
NAME in their filenames.
The man pages have far too much specific information enabling an intruder to infer the presence of samhain. There is no point in changing samhain to NAME there — this would rather help an intruder to find out what NAME is. You probably want to avoid installing man8/samhain.8 and man5/samhainrc.5.