/usr/share/doc/samhain/HOWTO-samhain+GnuPG.html is in samhain 3.1.0-5ubuntu1.
This file is owned by root:root, with mode 0o644.
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title>HOWTO samhain+GnuPG</title>
<style type="text/css">
<!--
html { background: #eee; color: #000; }
body { background: #eee; color: #000; margin: 0; padding: 0;}
div.body {
background: #fff; color: #000;
margin: 0 1em 0 1em; padding: 1em;
font-family: serif;
font-size: 1em; line-height: 1.2em;
border-width: 0 1px 0 1px;
border-style: solid;
border-color: #aaa;
}
div.block {
background: #b6c5f2; color: #000;
margin: 1em; padding: 0 1em 0 1em;
border-width: 1px;
border-style: solid;
border-color: #2d4488;
}
div.warnblock {
background: #b6c5f2; color: #000;
margin: 1em; padding: 0 1em 0 1em;
border-width: 1px;
border-style: solid;
border-color: #FF9900;
}
table {
background: #F8F8F8; color: #000;
margin: 1em;
border-width: 0 0 0 1px;
border-style: solid;
border-color: #C0C0C0;
}
td {
border-width: 0 1px 1px 0;
border-style: solid;
border-color: #C0C0C0;
}
th {
background: #F8F8FF;
border-width: 1px 1px 2px 0;
border-style: solid;
border-color: #C0C0C0;
}
/* body text, headings, and rules */
p { margin: 0; text-indent: 0em; margin: 0 0 0.5em 0 }
h1, h2, h3, h4, h5, h6 {
color: #206020; background: transparent;
font-family: Optima, Arial, Helvetica, sans-serif;
font-weight: normal;
}
h1 { font-size: 1.69em; margin: 1.4em 0 0.4em 0; }
h2 { font-size: 1.44em; margin: 1.4em 0 0.4em 0; }
h3 { font-size: 1.21em; margin: 1.4em 0 0.4em 0; }
h4 { font-size: 1.00em; margin: 1.4em 0 0.4em 0; }
h5 { font-size: 0.81em; margin: 1.4em 0 0.4em 0; }
h6 { font-size: 0.64em; margin: 1.4em 0 0.4em 0; }
hr {
color: transparent; background: transparent;
height: 0px; margin: 0.6em 0;
border-width: 1px ;
border-style: solid;
border-color: #999;
}
/* bulleted lists and definition lists */
ul { margin: 0 1em 0.6em 2em; padding: 0; }
li { margin: 0.4em 0 0 0; }
dl { margin: 0.6em 1em 0.6em 2em; }
dt { color: #285577; }
tt { color: #602020; }
/* links */
a.link {
color: #33c; background: transparent;
text-decoration: none;
}
a:hover {
color: #000; background: transparent;
}
body > a {
font-family: Optima, Arial, Helvetica, sans-serif;
font-size: 0.81em;
}
h1, h2, h3, h4, h5, h6 {
color: #2d5588; background: transparent;
font-family: Optima, Arial, Helvetica, sans-serif;
font-weight: normal;
}
-->
</style></head>
<body>
<div class="body">
<p style="text-align: center; background: #ccc; border: 1px solid #2d5588;"><a
style="text-decoration: none;"
href="http://www.la-samhna.de/samhain/">samhain file integrity
scanner</a> | <a style="text-decoration: none;"
href="http://www.la-samhna.de/samhain/s_documentation.html">online
documentation</a></p>
<br><center>
<h1>Using samhain with GnuPG</h1>
</center>
<br>
<hr>
<p>
This document aims to explain how to use samhain with <b>signed configuration
and database files</b> which are checked by invoking GnuPG.
</p>
<h2>Introduction</h2>
<p>
Samhain can be compiled to recognize PGP signatures on configuration and
database files and to invoke GnuPG in order to check such signatures.
(<b>Note:</b> while the application usually is referred to as <i>GnuPG</i>,
the executable itself is called <i>gpg</i>).
</p>
<p>
If samhain is compiled with this option, then
</p>
<ol>
<li>
both the <i>configuration file</i>
and the <i>file signature database</i> must be signed, and
</li>
<li>
the signature on each of the two files must verify correctly;
</li>
<li>
if either condition fails, samhain aborts rather than run with an
unverified configuration or database.
</li>
</ol>
<h2>Prerequisites</h2>
<ul>
<li>
<p>
Obviously you need <i>gpg</i> (GnuPG), and you must
have created a key pair with:
</p><p>
<tt> gpg --gen-key</tt>
</p><p>
(it does not really matter which type of key, the defaults are ok).
</p><p>
GnuPG uses a public-key algorithm: the key pair consists of
</p>
<ul>
<li>
a <i>secret key</i> that is
used for signing and stored in <b>~user/.gnupg/secring.gpg</b>, and
</li><li>
a <i>public key</i> used for verifying the signature, and stored in
<b>~user/.gnupg/pubring.gpg</b>.
</li>
</ul>
<p>
(These file names are those of GnuPG 1.x and 2.0. GnuPG 2.1 and later
keep secret keys under <b>~user/.gnupg/private-keys-v1.d/</b> and may use
<b>pubring.kbx</b> as the public keyring; what matters for samhain is that
the public key is in the GnuPG home directory of the user samhain runs as,
not the file name.)
</p>
<p>
The secret key obviously should be
kept secret, while the public key can be published. In particular, an
attacker who gains root on the monitored host and finds the secret key
(and its passphrase) in <b>~root/.gnupg</b> there can simply re-sign
modified files; the signatures protect against such tampering only if
the secret key is held on a separate administrative host and the signed
files are copied to the monitored system.
</p>
</li>
<li>
<p>
You need to compile samhain with support for GnuPG:
</p><p>
<tt> ./configure --with-gpg=/path/to/gpg [more options]</tt>
</p>
</li>
</ul>
<p>
<b>Note 1:</b> If compiled with support for GnuPG,
the TIGER192 checksum of the gpg
executable will be compiled into samhain, and the gpg executable will
be checksummed (to verify its integrity) before invoking it. If you
don't like this, you should add the <i>configure</i> option:
</p><p>
<tt> --with-checksum=no</tt>
</p>
<div class="warnblock">
<p>
Compiling in the GnuPG checksum will tie the samhain executable to
the gpg executable. If you upgrade GnuPG, you will need to re-compile
samhain. If you don't like this, use <tt>'--with-checksum=no'</tt>.
</p>
</div>
<p>
<b>Note 2:</b> The mere fact that the signature verifies does not prove
that the file has been signed by <i>you</i> with <i>your</i> key - it
only proves that it has been signed by <i>some</i> key whose public part
is in the keyring that gpg consults. Anybody who can add a public key to
that keyring (see <i>Make samhain verify the signature</i> below) could
then sign a modified file with the matching secret key.
Samhain can optionally check the <i>fingerprint</i> of the key that has been
used to sign the files, to verify that <i>your</i> key has been used
to sign the file(s). To enable this, use the <i>configure</i> option
</p><p>
<tt> --with-fingerprint=FINGERPRINT</tt>
</p><p>
where FINGERPRINT is the full hexadecimal fingerprint of the key (40 hex
digits for a version 4 key, written without spaces) as listed with
</p><p>
<tt> gpg --fingerprint</tt>
</p><p>
Use the full fingerprint, not the short 8-digit key ID shown next to
<tt>pub</tt>: short key IDs are not unique and can be deliberately
collided.
</p>
<h3>Example</h3>
<pre style="background-color:#DDDDDD; color:#000000">
rainer$ gpg --fingerprint rainer
pub 1024D/0F571F6C 1999-10-31 Rainer Wichmann
Key fingerprint = EF6C EF54 701A 0AFD B86A F4C3 1AAD 26C8 0F57 1F6C
uid Rainer Wichmann
sub 1024g/9DACAC30 1999-10-31
rainer$ which gpg
/usr/bin/gpg
rainer$ ./configure --with-gpg=/usr/bin/gpg --with-fingerprint=EF6CEF54701A0AFDB86AF4C31AAD26C80F571F6C
</pre>
<h2>Signing the files</h2>
<p>
The <i>configuration file</i> and the
<i>file signature database</i>
(created by running <tt>samhain -t init</tt>) must be signed manually
using the command:
</p><p>
<tt> gpg -a --clearsign --not-dash-escaped /etc/samhainrc</tt><br/>
<tt> mv /etc/samhainrc.asc /etc/samhainrc</tt>
</p><p>
<i>Gpg</i> will create a <i>signed copy</i> of the file,
named <i>file.asc</i>.
You need to <b>rename</b> (<tt>cp/mv</tt>) this signed copy
to the original filename.
After signing the configuration file, you can initialize the database
and sign it likewise.
</p>
<p>
<b>Note 1:</b> The installation script will ask you to
sign the <i>configuration file</i> upon installation.
</p><p>
<b>Note 2:</b> The <i>gpg</i> option <tt>--not-dash-escaped</tt>
does no harm if used with the
<i>configuration file</i>, but is only required for the
<i>file signature database</i>: by default, gpg prefixes every line
of the signed text that starts with a dash with <tt>"- "</tt> (dash
escaping), and since samhain reads the database content as it is stored
in the file, such rewritten lines would corrupt it.
</p>
<h3>TIP</h3>
<p>
In the subdirectory <tt>scripts/</tt> of the source directory you will find
a Perl script <b>samhainadmin.pl</b> to facilitate some
tasks related to the administration of signed configuration and
database files (e.g. examine/create/remove signatures).
Use with <i>--help</i> to get usage
information.
</p>
<h3>CAVEAT</h3>
<p>
When signing, the option <i>--not-dash-escaped</i> is
recommended, because otherwise the database might get corrupted.
However, this implies that after a database update,
you <i>must</i> remove the old signature first, before
re-signing the database: without dash escaping, the old
<tt>-----BEGIN PGP SIGNATURE-----</tt> block would be left verbatim
inside the newly signed message, and gpg does not handle such a
nested, unescaped signature properly.
See the tip just above.
</p>
<h3>Example</h3>
<pre style="background-color:#DDDDDD; color:#000000">
root# gpg -a --clearsign --not-dash-escaped /etc/samhainrc
You need a passphrase to unlock the secret key for
user: "Rainer Wichmann"
1024-bit DSA key, ID 0F571F6C, created 1999-10-31
root# mv /etc/samhainrc.asc /etc/samhainrc
root# samhain -t init
root# gpg -a --clearsign --not-dash-escaped /var/lib/samhain/samhain_file
You need a passphrase to unlock the secret key for
user: "Rainer Wichmann"
1024-bit DSA key, ID 0F571F6C, created 1999-10-31
root# mv /var/lib/samhain/samhain_file.asc /var/lib/samhain/samhain_file
root# samhain -D -t check
</pre>
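<p>
The caveat above in code, as an added example that is not part of this
document or of the samhain project (the project's own tool for this is
<b>samhainadmin.pl</b>): a small POSIX shell script that re-signs a
configuration or database file after an update. Because the files were
signed with <tt>--not-dash-escaped</tt>, removing the old signature is a
plain text cut between the armor headers and the
<tt>-----BEGIN PGP SIGNATURE-----</tt> line, with no un-escaping to do.
The script assumes gpg is in the PATH and the signing key is in the
invoking user's GnuPG home, as in the examples above; the file path and
key selector on the command line are placeholders.
</p>

```shell
#!/bin/sh
# Added example (not part of the samhain documentation or of samhainadmin.pl):
# re-sign a samhain configuration or database file with --not-dash-escaped,
# first stripping any clearsign wrapper that is already present.
#
# Assumptions (placeholders, adjust to your setup):
#   - gpg is in PATH and the signing key lives in the invoking user's GnuPG
#     home (~/.gnupg or $GNUPGHOME), as in the examples above;
#   - KEYSPEC selects that key (key ID, fingerprint or user ID).
#
# usage:  sh resign.sh FILE KEYSPEC
#         e.g.  sh resign.sh /var/lib/samhain/samhain_file 0F571F6C

# Print the signed text of a clearsigned message, dropping the
# "BEGIN PGP SIGNED MESSAGE" header block and the signature armor.
# Because the files were signed with --not-dash-escaped the body is stored
# verbatim, so no "- " un-escaping is needed.  Input that is not clearsigned
# is passed through unchanged.
strip_clearsign() {
    awk '
        NR == 1 && $0 != "-----BEGIN PGP SIGNED MESSAGE-----" { plain = 1 }
        plain { print; next }                      # not clearsigned: pass through
        NR == 1 { inhdr = 1; next }                # skip the SIGNED MESSAGE line
        inhdr && $0 == "" { inhdr = 0; inbody = 1; next }   # blank line ends the armor headers
        inhdr { next }                             # armor headers such as "Hash: SHA256"
        inbody && $0 == "-----BEGIN PGP SIGNATURE-----" { exit }
        inbody { print }
    '
}

# True if FILE starts with a clearsign header.
is_clearsigned() {
    [ "$(head -n 1 "$1")" = "-----BEGIN PGP SIGNED MESSAGE-----" ]
}

# Re-sign FILE in place: recover the unsigned text, clearsign it without dash
# escaping, overwrite FILE (keeping its owner and mode) and verify the result.
sign_inplace() {   # usage: sign_inplace FILE KEYSPEC
    file=$1; key=$2
    tmp=$(mktemp) || return 1
    if is_clearsigned "$file"; then
        echo "removing old signature from $file before re-signing" >&2
    fi
    # 1. recover the unsigned text (a no-op for a file that is not signed yet)
    strip_clearsign < "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    # 2. clearsign without dash escaping; --output avoids the implicit FILE.asc
    if ! gpg --armor --clearsign --not-dash-escaped \
             --local-user "$key" --output "$tmp.asc" "$tmp"; then
        rm -f "$tmp" "$tmp.asc"; return 1
    fi
    # 3. write through the existing inode rather than mv, so owner and mode
    #    of FILE are preserved, then confirm gpg accepts the result
    cat "$tmp.asc" > "$file"; rc=$?
    rm -f "$tmp" "$tmp.asc"
    [ "$rc" -eq 0 ] || return 1
    gpg --verify "$file" >/dev/null 2>&1
}

if [ "$#" -ge 2 ]; then
    sign_inplace "$1" "$2"
fi
```

<p>
Run it once for <tt>/etc/samhainrc</tt> and once for the database after
every <tt>samhain -t update</tt>; because the old wrapper is cut out first,
running it on an already signed file is safe, which is exactly the case the
caveat warns about.
</p>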
<h2>Make samhain verify the signature</h2>
<p>
This is the part where some people run into problems. The point is,
when <i>gpg</i> is invoked by samhain, it must <i>find the public key</i>
needed for verification. <i>Gpg</i> expects public keys in a file
located at <b>~user/.gnupg/pubring.gpg</b> where <b>~user</b>
is the home directory of the user as which <i>gpg</i> is running
(samhain passes that directory explicitly with <tt>--homedir</tt>, see
the note below).
</p><p>
It is therefore <i>crucial</i> to include the public key corresponding
to the secret key used for signing in the correct <b>pubring.gpg</b>
file (this file can hold many public keys, e.g. of people sending you
emails signed by them).
</p><p>
So which is the correct file? Here we have to consider two separate
cases:
</p>
<ol>
<li>The client (or standalone) samhain daemon runs with UID 0 (i.e. root),
thus the public key must be in <b>~root/.gnupg/pubring.gpg</b>
</li>
<li>
The server (yule) <i>always</i> drops root privileges (if started with), and
runs as a <i>non-root user</i>. The username to use is compiled in,
either with the <i>configure</i> option <tt>--enable-identity=USER</tt>,
or by default as determined by <i>configure</i> (the first existing user
out of the list <i>yule, daemon, nobody</i>). Thus, the public key
must be in <b>~root/.gnupg/pubring.gpg</b> (for startup) <i>and</i>
in <b>~non_root_user/.gnupg/pubring.gpg</b> (for reload with SIGHUP).
</li>
</ol>
<p>
To import a public key into the public
keyring (pubring.gpg) of another user, you can do:
</p><p>
<tt> gpg --export KEY-ID > filename</tt><br>
<tt> su another_user</tt><br>
<tt> gpg --import filename</tt>
</p>
<p>
<b>Note:</b> samhain will invoke <i>gpg</i> with the options:
</p><p>
<tt> --status-fd 1 --verify --homedir /homedir/.gnupg --no-tty -</tt>
</p><p>
and pipe the configuration/database file into <i>gpg</i>, similar to:
</p><p>
<tt>cat filename | /usr/bin/gpg --status-fd 1 --verify --homedir /root/.gnupg --no-tty -</tt>
</p><p>
(of course samhain does not invoke cat, or the shell; the example above
just shows how to do the same from the shell command prompt).
</p>
<h3>Example for signature check</h3>
<p>
If you want to check the signature the same way samhain does, it should look
like (note the GOODSIG and VALIDSIG keywords in the output):
</p>
<pre style="background-color:#DDDDDD; color:#000000">
root# cat /etc/samhainrc | gpg --status-fd 1 --verify --homedir /root/.gnupg --no-tty -
gpg: Signature made Sat Mar 15 16:08:21 2003 CET using DSA key ID 0F571F6C
[GNUPG:] SIG_ID 9hQvRhgjWLqyFzVOHi2b0uDmBFo 2003-03-15 1047740901
[GNUPG:] GOODSIG 1AAD26C80F571F6C Rainer Wichmann
gpg: Good signature from "Rainer Wichmann"
gpg: aka "Rainer Wichmann"
[GNUPG:] VALIDSIG EF6CEF54701A0AFDB86AF4C31AAD26C80F571F6C 2003-03-15 1047740901
[GNUPG:] TRUST_ULTIMATE
</pre>
<h2>Troubleshooting</h2>
<p>
First and foremost, run samhain (or yule) from the command line, in non-daemon
mode, and with the command-line option <tt>-p debug</tt> for debug-level
output. This will print
descriptive information on setup errors and/or relevant output from
the GnuPG subprocess.
</p>
<p>
Output from the GnuPG subprocess is marked by <b>[GNUPG:]</b>, and
may show the following errors:
</p>
<ul>
<li><b>ERRSIG</b> and/or <b>NO_PUBKEY</b> indicates that gpg did not find
the public key to verify the signature. You should import that key
into the keyrings of root and (for yule additionally) the yule user.
</li>
<li><b>BADSIG</b> indicates that the public key was found by gpg, but
the signature is invalid. Either the file has been modified after
signing, or a previous signature has not been removed.
</li>
<li><b>NODATA</b> indicates that there is no signed data, i.e. the
configuration or database file is not signed at all.
</li>
<li>If gpg reports <b>GOODSIG</b> and <b>VALIDSIG</b> but samhain still
refuses the file, and samhain was built with <tt>--with-fingerprint</tt>,
compare the fingerprint in the <b>VALIDSIG</b> line with the one compiled
in: a mismatch means the file was signed with a key other than the one
compiled in (or the fingerprint was mistyped at configure time).
</li>
</ul>
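<p>
The signature check shown above and the error list in this section, as an
added example that is not samhain's own code: a POSIX shell script that runs
gpg exactly as samhain does and then applies the same decision rule to the
<b>[GNUPG:]</b> status lines, accepting a file only on <b>GOODSIG</b> plus
<b>VALIDSIG</b> and, when a fingerprint is given (the equivalent of
<tt>--with-fingerprint</tt>), only if the <b>VALIDSIG</b> fingerprint
matches. The exit codes, the diagnostic texts and the acceptance of the
primary-key fingerprint that newer gpg versions append to
<b>VALIDSIG</b> are this example's own choices; the status keywords are
gpg's.
</p>

```shell
#!/bin/sh
# Added example (not samhain's own code): verify a signed file the way samhain
# invokes gpg, then apply the same decision rule to gpg's machine-readable
# --status-fd output: accept only if GOODSIG and VALIDSIG are present and, when
# a fingerprint is supplied (what --with-fingerprint compiles in), the VALIDSIG
# fingerprint matches it.  The exit-code mapping and the wording of the
# diagnostics are this example's own choices, not samhain's.
#
# usage:  sh check.sh FILE HOMEDIR [FINGERPRINT]
#         e.g.  sh check.sh /etc/samhainrc /root/.gnupg EF6CEF54701A0AFDB86AF4C31AAD26C80F571F6C

# Read "[GNUPG:] ..." status lines on stdin and decide.  Exit status:
#   0 accepted      1 public key missing (NO_PUBKEY/ERRSIG)   2 BADSIG
#   3 NODATA (file not signed)   4 fingerprint mismatch   5 no GOODSIG+VALIDSIG pair
gpg_status_verdict() {   # usage: gpg_status_verdict [EXPECTED_FINGERPRINT]  < status-output
    # accept the fingerprint as printed by "gpg --fingerprint" (spaces, any case)
    want=$(printf '%s' "${1:-}" | tr -d ' ' | tr '[:lower:]' '[:upper:]')
    awk -v want="$want" '
        $1 != "[GNUPG:]" { next }                  # ignore the human-readable lines
        $2 == "GOODSIG"   { good = 1 }
        $2 == "VALIDSIG"  { valid = 1; sigfp = $3; lastfield = $NF }
        $2 == "BADSIG"    { bad = 1 }
        $2 == "NO_PUBKEY" { nokey = 1 }
        $2 == "ERRSIG"    { nokey = 1 }
        $2 == "NODATA"    { nodata = 1 }
        END {
            if (bad)    { print "BADSIG: file modified after signing, or an old signature was left in place"; exit 2 }
            if (nokey)  { print "NO_PUBKEY/ERRSIG: signing key is not in the keyring under this --homedir"; exit 1 }
            if (nodata) { print "NODATA: file is not signed at all"; exit 3 }
            if (!good || !valid) { print "no GOODSIG/VALIDSIG pair in gpg output"; exit 5 }
            # $3 of VALIDSIG is the fingerprint of the key that made the signature;
            # gpg 2.x also appends the primary-key fingerprint as the last field,
            # which this example accepts as well (an assumption about your policy).
            if (want != "" && sigfp != want && lastfield != want) {
                print "fingerprint mismatch: signed by " sigfp " but expected " want; exit 4
            }
            print "OK: valid signature from " sigfp; exit 0
        }
    '
}

# Run gpg exactly as samhain does (status on fd 1, file on stdin, explicit
# --homedir, no tty) and feed the result to gpg_status_verdict.
verify_like_samhain() {   # usage: verify_like_samhain FILE HOMEDIR [EXPECTED_FINGERPRINT]
    gpg --status-fd 1 --verify --homedir "$2" --no-tty - < "$1" 2>/dev/null \
        | gpg_status_verdict "${3:-}"
}

if [ "$#" -ge 2 ]; then
    verify_like_samhain "$@"
fi
```

<p>
Run it as root against <tt>/etc/samhainrc</tt> with <tt>/root/.gnupg</tt>,
and as the yule user against the server's files with that user's
<tt>.gnupg</tt>, to reproduce both keyring cases from the previous section.
The trust level (<b>TRUST_ULTIMATE</b> in the example output above) is
deliberately not consulted: a key that is in the keyring but not certified
still yields <b>GOODSIG</b>, with only a warning on stderr, and it is the
fingerprint comparison that binds the signature to <i>your</i> key.
</p>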
</div>
</body>
</html>