/usr/share/doc/samhain/manual.html/design.html is in samhain 3.1.0-5ubuntu1.
This file is owned by root:root, with mode 0o644.
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<HTML
><HEAD
><TITLE
>General</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.79"><LINK
REL="HOME"
TITLE="The Samhain Host Integrity Monitoring System"
HREF="index.html"><LINK
REL="UP"
TITLE="Security Design"
HREF="security-design.html"><LINK
REL="PREVIOUS"
TITLE="The server"
HREF="server-security.html"><LINK
REL="NEXT"
TITLE="List of options for the ./configure script"
HREF="compilation-options.html"><LINK
REL="STYLESHEET"
TYPE="text/css"
HREF="./docbook.css"></HEAD
><BODY
CLASS="SECT1"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><!--#if expr="! ($HTTP_USER_AGENT = /MSIE/)"--><!--#include virtual="/resources/ssi/header.html"--><!--#endif --><DIV
CLASS="NAVHEADER"
><TABLE
SUMMARY="Header navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
>The Samhain Host Integrity Monitoring System</TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="server-security.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
>Chapter 11. Security Design</TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="compilation-options.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="DESIGN"
>11.5. General</A
></H1
><P
> Obviously, a security application should not open up security holes by
itself. Therefore, an important aspect in the
development of <SPAN
CLASS="APPLICATION"
>samhain</SPAN
>
has been the security of the program itself.
While <SPAN
CLASS="APPLICATION"
>samhain</SPAN
> comes
with no warranty (see the license), much effort has been invested
to identify security problems and avoid them. </P
><P
> As the client requires root privileges, while the server does not,
the client has no open socket to listen on the network. Consequently,
all client/server connections are initiated by the client.</P
><P
> To avoid buffer overflows, only secure string handling functions are
used to limit the amount of data copied into a buffer to the size
of the respective buffer (unless it is known in advance that
the data will fit into the buffer).</P
><P
> On startup, the timezone is saved, and all environment variables are
set to zero thereafter. Signal handlers, timers, and file creation mask
are reset, and the core dump size is set to zero. If started as daemon,
all file descriptors are closed, and the first three streams are
opened to <TT
CLASS="FILENAME"
>/dev/null</TT
>. </P
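>
<DIV
>The startup sequence just described, written out as an added example (this is not samhain's own code): the environment is cut down to TZ, core dumps are forbidden, the file creation mask and signal dispositions are reset, and in daemon mode every descriptor is closed and the first three are reattached to /dev/null. It assumes a glibc or musl libc for clearenv(); the mask value 077 is an assumption, since the page does not state one.

```c
#define _DEFAULT_SOURCE
#include <fcntl.h>
#include <signal.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/stat.h>
#include <unistd.h>

extern char **environ;

/* Save TZ, wipe the whole environment (clearenv() is a glibc/musl
 * extension), then put TZ back. Returns how many variables remain. */
int scrub_environment(void) {
    char saved[256] = "";
    const char *tz = getenv("TZ");
    if (tz != NULL) strncpy(saved, tz, sizeof saved - 1);  /* bounded copy */
    clearenv();
    if (saved[0] != '\0') setenv("TZ", saved, 1);
    int count = 0;
    for (char **e = environ; e != NULL && *e != NULL; ++e) ++count;
    return count;
}

/* Forbid core dumps (they would contain session keys and file data),
 * reset the file creation mask and restore default signal dispositions.
 * The mask 077 is an assumption; the page does not state the value. */
int harden_process(void) {
    struct rlimit rl = { 0, 0 };
    if (setrlimit(RLIMIT_CORE, &rl) != 0) return -1;
    umask(077);
    for (int sig = 1; sig < NSIG; ++sig) {
        if (sig == SIGKILL || sig == SIGSTOP) continue;  /* not resettable */
        signal(sig, SIG_DFL);   /* SIG_ERR for unusable numbers is harmless */
    }
    return 0;
}

/* Daemon mode: close every inherited descriptor, then attach stdin,
 * stdout and stderr to /dev/null so nothing reaches a controlling tty. */
int detach_streams(void) {
    long maxfd = sysconf(_SC_OPEN_MAX);
    if (maxfd < 0) maxfd = 1024;
    for (long fd = 0; fd < maxfd; ++fd) close(fd);
    int fd = open("/dev/null", O_RDWR);   /* lowest free number, i.e. 0 */
    if (fd != STDIN_FILENO) return -1;
    if (dup2(fd, STDOUT_FILENO) < 0 || dup2(fd, STDERR_FILENO) < 0) return -1;
    return 0;
}
```

Call scrub_environment() and harden_process() first thing in main(), and detach_streams() only after the daemon has forked, since it silences the process's own stdout and stderr.
</DIV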
><P
> If external programs are used (in the entropy gatherer,
if <TT
CLASS="FILENAME"
>/dev/random</TT
>
is not available), they
are invoked directly (without using the shell), with the full path,
and with a limited environment (by default only the timezone). Privileged
credentials are dropped before calling the external program.</P
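>
<DIV
>One way to invoke an external helper under those rules, as an added example rather than samhain's own code: the path must be absolute, execve() is used instead of a shell, the environment passed to the child contains only TZ, and the child drops root to a given uid/gid before the exec. The uid/gid values used in a call (65534 for "nobody" is the usual choice) are the caller's assumption.

```c
#define _DEFAULT_SOURCE
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Run an external helper the way the text describes: absolute path only,
 * execve() instead of a shell, an environment holding just TZ, and root
 * privileges dropped to uid/gid in the child before the exec. Returns the
 * child's exit status, or -1 if it could not be started. */
int run_helper(const char *path, char *const argv[], uid_t uid, gid_t gid) {
    char tzvar[256];
    char *envp[2] = { NULL, NULL };
    const char *tz = getenv("TZ");

    if (path == NULL || path[0] != '/') return -1;   /* no PATH lookups */
    if (tz != NULL && strlen(tz) < sizeof tzvar - 3) {
        snprintf(tzvar, sizeof tzvar, "TZ=%s", tz);
        envp[0] = tzvar;
    }
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        /* Child: drop privileges before anything else, in the right order.
         * Supplementary groups go first because setgroups() itself needs
         * root; then gid, then uid, so the helper never runs as root. */
        if (geteuid() == 0) {
            if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
                _exit(126);
            if (uid == 0 || setuid(0) == 0) _exit(126);  /* must be irreversible */
        }
        execve(path, argv, envp);   /* only returns on failure */
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```
</DIV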
><P
> With respect to its own files (configuration, database, the log file, and
its lock), on access <SPAN
CLASS="APPLICATION"
>samhain</SPAN
> checks
the complete path for write access
by untrusted users. Some care has been taken to avoid race
conditions on file access as far as possible.</P
><P
> Critical information, including session keys and data read from files
for computing checksums, is kept in memory for which paging is disabled
(if the operating system supports this). This prevents such information
from being transferred to a persistent swap medium, where it might be
accessible to unauthorized users.</P
><P
> Random numbers are generated from a pseudo-random number generator (PRNG)
with a period of 2^88 (actually by mixing the output from three
instances of the PRNG). The internal state of the PRNG is seeded from
a strong entropy source (if available,
<TT
CLASS="FILENAME"
>/dev/random</TT
> is used, else
a large pool of system statistics is collected and mixed with a hash function).
The PRNG is re-seeded from the entropy source at regular intervals
(one hour).</P
><P
> Numbers generated from a PRNG can be predicted if its internal state
can be inferred. To prevent this, the internal state of the
PRNG is hidden by hashing its output with a hash function.</P
></DIV
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"><TABLE
SUMMARY="Footer navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
><A
HREF="server-security.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="index.html"
ACCESSKEY="H"
>Home</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
><A
HREF="compilation-options.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>The server</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="security-design.html"
ACCESSKEY="U"
>Up</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>List of options for the ./configure script</TD
></TR
></TABLE
></DIV
><!--#if expr="! ($HTTP_USER_AGENT = /MSIE/)"--><!--#include virtual="/resources/ssi/footer.html"--><!--#endif --></BODY
></HTML
>