samhain file integrity scanner | online documentation

Using Samhain on Windows

This document aims to explain how to compile and run samhain on Windows with the Cygwin POSIX emulation layer, and how to install it as a service. These instructions have been written by Kris Dom, who has tested this on WinXP Professional, with additions by Geries Handal and Jorge Morgado.

Interix / Services For UNIX

Samhain can also be used with Interix/SFU 3.5. Note that in Interix, the Windows filesystem is referred as /dev/fs/C, while in Cygwin it is /cygdrive/c (both refers to the C: drive; other drives are analogous).

Older versions of samhain would need to be built with ./configure --disable-mail (i.e. without support for email logging) because Interix does not provide some of the required functionality to build the email module. This issue should be fixed as of samhain version 2.0.7 (not tested).
[Based on information kindly provided by Geries Handal].

Cygwin installation procedure to compile samhain

Cygwin download

Make a temporary directory to store cygwin installer (e.g. c:\temp\cygwin)
Surf to http://www.cygwin.com to download cygwin
Use the "install or update now (using setup.exe)" to download the installer in c:\temp\cygwin
Execute "setup.exe" in c:\temp\cygwin
Choose the "download from the Internet" option
Choose "c:\temp\cygwin" as 'Local Package Directory'
Choose an FTP site
Click on 'Default' just after 'All' to change the installation type from 'Default' to 'Install'. This will most likely install way too much stuff but I am not familiar with Cygwin, so this way I know that all libs and compilers are installed.
Let it download the stuff (there is a lot to download so be patient).

You don't need to download and install All packages. It is enough to keep the Default and then add the following additional packages:

Category Devel -> gcc: C compiler upgrade helper
Category Devel -> make: The GNU version of the 'make' utility
Category Libs -> minires: A simple synchronous non caching stub resolver

When selecting these packages, Cygwin installer will automatically add other packages based on their dependencies. The package minires is only necessary for a minimal Cygwin installation (below). [Kindly pointed out by Jorge Morgado].

Cygwin installation

When the download is complete you have the Cygwin software in the temporary directory, however, it still needs to be installed.
To install, execute the "setup.exe" in "c:\temp\cygwin"
Choose the "Install from local directory" option.
Choose "C:\Cygwin" as root directory (this will be the Unix '/')
Choose the Local Package Directory: "c:\temp\cygwin"
Click on 'Default' just after 'All' to change the installation type from 'Default' to 'Install'.
Let it install Cygwin (this will take some time so be patient).

Samhain install procedure (used 'samhain 1.8.7a' in this procedure)

(in the following procedure I use my personal preferences)

Start up Cygwin using the "Cygwin" icon on the desktop (a classic Unix environment will be started).
Download the 'samhain' gzip/tar (I always put in my home directory)
Make directories to install samhain (taking into account the configure options):
$ mkdir /usr/local/sbin
$ mkdir /usr/local/var
$ mkdir /usr/local/log
$ mkdir /usr/local/tmp
Go to the home directory:
$ cd $HOME
Un-gzip and untar the samhain package:
$ gunzip samhain-1.8.7a.tar.gz
$ tar xvf samhain-1.8.7a.tar
Go to the samhain directory:
$ cd samhain-1.8.7a
Configure:
$ ./configure --enable-xml-log=yes --with-tmp-dir=/usr/local/tmp --with-config-file=/usr/local/etc/samhainrc --with-log-file=/usr/local/log/samhain.log --with-pid-file=/usr/local/var/samhain.pid --with-state-dir=/usr/local/var

In my experience, the paths given in the 'configure' command should refer to the Cygwin filesystem view, i.e. /cygdrive/c/..., otherwise samhain may not work from a pure DOS shell, and may not run as a Windows service [Rainer Wichmann].
Make the binary:
$ make
Install samhain:
$ make install
Now configure the "/usr/local/etc/samhainrc" file.
Remember: "C:\" -> "/cygdrive/c/"
Initialize the samhain local baseline database:
$ /usr/local/sbin/samhain -t init
Start it up:
$ /usr/local/sbin/samhain -t check

Cygwin minimal installation procedure to run samhain

Files needed to create a service (from NT/W2K Resource Kit):
- instsrv.exe
- srvany.exe
First copy these files to the "%winnt%\system32" directory.
Files needed to run the 'samhain.exe'. Copy the following .dll from the Cygwin setup (c:\Cygwin\bin) to the "%winnt%\system32" directory:
- cygwin1.dll
- cygminires.dll
Files needed from c:\Cygwin\bin to create the /etc/passwd and /etc/group files:
- mkpasswd.exe
- mkgroup.exe
To generate these files on a minimal Cygwin installation execute - on a Windows Command Prompt:
mkdir c:\etc
path\to\mkpasswd.exe -l > c:\etc\passwd
path\to\mkgroup.exe -l > c:\etc\group
IMPORTANT NOTE: You should re-create these two files, each time the Windows users and groups accounts database changes. Failing to do this might generate critical log messages (depending on your configuration file).
Create a directory structure for samhain (following the compilation options you used)
- in a DOS box (or via Windows Explorer)
mkdir c:\usr
mkdir c:\usr\local
mkdir c:\usr\local\sbin
mkdir c:\usr\local\var
mkdir c:\usr\local\tmp
mkdir c:\usr\local\log
mkdir c:\usr\local\etc
Use the "instsrv.exe" binary to create a new service:
instsrv.exe samhain c:\windows\system32\srvany.exe
(this will create a service called "Samhain" that will start the "srvany.exe" process).
Now edit the registry to change the startup parameters for the newly created service:
- regedit
- HKEY_LOCAL_MACHINE->SYSTEM->CurrentControlSet->Services->Samhain
- Add a String value (type: REG_SZ called: "Description") under the 'Samhain' key
- Open the newly created "Description" value and fill in a description for the 'Samhain' service
- Add a key to specify what file the "srvany.exe" process must start:
  Edit->New->Key called "Parameters"
- Under the newly created "Parameters" key, add a new String value called "Application".
  The value for "Application" should be "c:\usr\local\sbin\samhain.exe".
Make sure that in the "samhainrc" file, you have used "/cygdrive/c" to refer to "c:"
Initialize the samhain baseline database first:
c:\usr\local\sbin\samhain -t init
Reboot (it is Windows so ...)

It seems that start/stop/restart the service does not work if samhain is configured to run as a daemon, because the Windows service manager cannot track the forked daemon process.

Therefore, if you run Samhain as a Windows service, it might be better to configure it as a 'normal' process which does not fork a daemon:

Set 'Daemon = no' in the samhainrc configuration file.
Edit the key HKEY_LOCAL_MACHINE->SYSTEM->CurrentControlSet->Services->Samhain->Parameters to add a string value named 'AppParameters', with the value '--forever'.

[Rainer Wichmann].

Also see http://support.microsoft.com/kb/q137890/ for information regarding the creation of a user-defined service.

Note: the first time I tried to install samhain as an NT service, I first installed a default Cygwin on the system. This however made things much more complex. I think when there is no Cygwin installed, it is more easy to install Samhain as a service.

Troubleshooting samhain

[Rainer Wichmann] I had some problems at first getting it to run as a Windows service. Some tips:

Running samhain from a pure DOS shell (outside the Cygwin environment) helps to identify problems, in particular if it refuses to start as a Windows service.
I found it neccessary to put the cygwin1.dll DLL into the same directory as the samhain.exe executable. Also, you can use the command ldd ./samhain.exe to identify further Cygwin-specific DLL that may be required (if any).
Also, I found it neccessary to use Cygwin-style paths (/cygdrive/c/...) in the './configure ..' command when compiling samhain.

[Tip from Jorge Morgado] If you, like me, have a Windows server not part of any domain and (for security reasons) you even turn off DNS resolution, you might probably get the following error when initializing the baseline database:

  ---------   sh_unix.c  ---   1487 ---------
  According to uname, your nodename is yourcomputername, but your resolver
  library cannot resolve this nodename to a FQDN.
  Rather, it resolves this to yourcomputername.
  For more information, see the entry about self-resolving under
  'Most frequently' in the FAQ that you will find in the docs/ subdirectory
  ----------------------------------------------

To fix this problem open the Registry Editor and create the following entries under the key HKLM\System\CurrentControlSet\Services\Tcpip\Parameters

Name: Domain Type: REG_SZ Data: your.domain.name

Name: NV Domain Type: REG_SZ Data: your.domain.name

The NV Domain registry value contains the computer's primary DNS suffix while the Domain registry value contains the computer's primary DNS domain. This will make the warning message go away.