/usr/share/doc/samhain/manual.html/design.html is in samhain 4.1.4-2build1.
This file is owned by root:root, with mode 0o644.
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>5. General</title><link rel="stylesheet" type="text/css" href="docbook.css"><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="The Samhain Host Integrity Monitoring System"><link rel="up" href="security-design.html" title="Chapter 12. Security Design"><link rel="prev" href="server-security.html" title="4. The server"><link rel="next" href="compilation-options.html" title="Appendix A. List of options for the configure script"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><!--#if expr="! ($HTTP_USER_AGENT = /MSIE/)"--><!--#include virtual="/resources/ssi/header.html"--><!--#endif--><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">5. General</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="server-security.html">Prev</a> </td><th width="60%" align="center">Chapter 12. Security Design</th><td width="20%" align="right"> <a accesskey="n" href="compilation-options.html">Next</a></td></tr></table><hr></div><div class="sect1"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="design"></a>5. General</h2></div></div></div><p>Obviously, a security application should not open up
security holes by itself. Therefore, an important aspect in
the development of
<span class="application">samhain</span> has been
the security of the program itself. While
<span class="application">samhain</span> comes with
no warranty (see the license), much effort has been invested
to identify security problems and avoid them.</p><p>As the client requires root privileges, while the
server does not, the client has no open socket to listen on
the network. Consequently, all client/server connections are
initiated by the client.</p><p>To avoid buffer overflows, only secure string handling
functions are used to limit the amount of data copied into a
buffer to the size of the respective buffer (unless it is
known in advance that the data will fit into the
buffer).</p><p>On startup, the timezone is saved, and all environment
variables are set to zero thereafter. Signal handlers,
timers, and file creation mask are reset, and the core dump
size is set to zero. If started as daemon, all file
descriptors are closed, and the first three streams are
opened to
<code class="filename">/dev/null</code>.</p><p>If external programs are used (in the entropy gatherer,
if
<code class="filename">/dev/random</code> is not
available), they are invoked directly (without using the
shell), with the full path, and with a limited environment
(by default only the timezone). Privileged credentials are
dropped before calling the external program.</p><p>With respect to its own files (configuration, database,
the log file, and its lock), on access
<span class="application">samhain</span> checks the
complete path for write access by untrusted users. Some care
has been taken to avoid race conditions on file access as far
as possible.</p><p>Critical information, including session keys and data
read from files for computing checksums, is kept in memory
for which paging is disabled (if the operating system
supports this). This prevents such information from being
transferred to a persistent swap medium, where it
might be accessible to unauthorized users.</p><p>Random numbers are generated from a pseudo-random
number generator (PRNG) with a period of 2^88 (actually by
mixing the output from three instances of the PRNG). The
internal state of the PRNG is seeded from a strong entropy
source (if available,
<code class="filename">/dev/random</code> is used, else
many kinds of system statistics are pooled and mixed with a hash
function). The PRNG is re-seeded from the entropy source at
regular intervals (one hour).</p><p>Numbers generated from a PRNG can be predicted, if the
internal state of the PRNG can be inferred. To avoid this,
the internal state of the PRNG is hidden by hashing the
output with a hash function.</p></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="server-security.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="security-design.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="compilation-options.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">4. The server </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Appendix A. List of options for the configure script</td></tr></table></div><!--#if expr="! ($HTTP_USER_AGENT = /MSIE/)"--><!--#include virtual="/resources/ssi/footer.html"--><!--#endif--></body></html>
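The start-up hygiene this section describes (save the timezone, discard every other environment variable, reset signal handlers, timers and the file creation mask, set the core-dump size to zero, and in daemon mode close all descriptors and attach the first three streams to /dev/null), written out as an added C example. This is not samhain's own code: the function names hygiene_scrub_environment, hygiene_harden_process and hygiene_detach_streams are made up for this illustration, and it assumes a POSIX system with glibc-style headers.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/stat.h>
#include <sys/time.h>
#include <unistd.h>

#ifndef NSIG
#define NSIG 65                  /* fallback if the libc headers hide it */
#endif

extern char **environ;

/* Added illustration (hypothetical helpers, not samhain's code).
 * TZ is the only inherited environment variable that survives start-up. */
static char saved_tz[128];
static char *empty_environment[] = { NULL };

/* Save TZ, drop the entire inherited environment, then restore only TZ.
 * Returns 0 on success, -1 if TZ could not be restored. */
int hygiene_scrub_environment(void)
{
    const char *tz = getenv("TZ");

    saved_tz[0] = '\0';
    if (tz != NULL)
        snprintf(saved_tz, sizeof saved_tz, "%s", tz);
    environ = empty_environment;   /* portable stand-in for clearenv() */
    if (saved_tz[0] != '\0' && setenv("TZ", saved_tz, 1) != 0)
        return -1;
    return 0;
}

/* Reset signal dispositions, interval timers, the file creation mask and
 * the core-dump limit, so nothing inherited from the parent carries over.
 * Returns 0 on success, -1 if the core limit could not be set. */
int hygiene_harden_process(void)
{
    struct sigaction sa;
    struct itimerval zero;
    struct rlimit core;
    int sig;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = SIG_DFL;
    sigemptyset(&sa.sa_mask);
    for (sig = 1; sig < NSIG; sig++)
        sigaction(sig, &sa, NULL); /* SIGKILL/SIGSTOP refuse; that is fine */

    memset(&zero, 0, sizeof zero);
    setitimer(ITIMER_REAL, &zero, NULL);
    setitimer(ITIMER_VIRTUAL, &zero, NULL);
    setitimer(ITIMER_PROF, &zero, NULL);

    umask(077);                    /* files we create are owner-private */

    if (getrlimit(RLIMIT_CORE, &core) != 0)
        return -1;
    core.rlim_cur = 0;             /* a core file could leak key material */
    if (setrlimit(RLIMIT_CORE, &core) != 0)
        return -1;
    return 0;
}

/* Daemon mode: close every inherited descriptor, then attach stdin, stdout
 * and stderr to /dev/null. Not exercised by the test, because it would
 * detach the test process from its own output. */
int hygiene_detach_streams(void)
{
    long maxfd = sysconf(_SC_OPEN_MAX);
    int fd;

    if (maxfd < 0)
        maxfd = 1024;
    for (fd = 0; fd < maxfd; fd++)
        close(fd);
    fd = open("/dev/null", O_RDWR);  /* lowest free descriptor is now 0 */
    if (fd != STDIN_FILENO)
        return -1;
    if (dup2(fd, STDOUT_FILENO) < 0 || dup2(fd, STDERR_FILENO) < 0)
        return -1;
    return 0;
}
```

The order matters: the environment is scrubbed before any library call that might consult it, and the core limit is lowered before any secret is read into memory, since a crash dump taken later would otherwise contain it.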
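The paragraph on external programs (invoked directly without a shell, by full path, with an environment reduced to the timezone, and only after privileged credentials have been dropped), as an added C example. It is not samhain's code; run_helper is a hypothetical function written for this illustration, and it assumes a POSIX fork/execve environment.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Added illustration, not samhain's code. Runs an external helper the way
 * the text describes: absolute path only, execve() with no shell and no
 * PATH search, an environment holding nothing but TZ, and root privileges
 * dropped to drop_uid/drop_gid before the exec.
 * Returns the helper's exit status, 127 if it could not be executed, or
 * -1 on a usage error, a fork failure, or death by signal. */
int run_helper(const char *path, char *const argv[], uid_t drop_uid, gid_t drop_gid)
{
    char tz_entry[160];
    char *envp[2] = { NULL, NULL };    /* at most "TZ=..." plus terminator */
    const char *tz;
    pid_t pid;
    int status;

    if (path == NULL || path[0] != '/')
        return -1;                     /* full path required */
    if (geteuid() == 0 && drop_uid == 0)
        return -1;                     /* refuse to run the helper as root */

    tz = getenv("TZ");
    if (tz != NULL) {
        snprintf(tz_entry, sizeof tz_entry, "TZ=%s", tz);
        envp[0] = tz_entry;
    }

    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Child: give up privileged credentials before running foreign code. */
        if (geteuid() == 0) {
            if (setgroups(0, NULL) != 0 || setgid(drop_gid) != 0 ||
                setuid(drop_uid) != 0)
                _exit(127);
            if (setuid(0) == 0)        /* the drop must be irreversible */
                _exit(127);
        }
        execve(path, argv, envp);      /* only returns on failure */
        _exit(127);
    }
    while (waitpid(pid, &status, 0) < 0) {
        if (errno != EINTR)
            return -1;
    }
    if (WIFEXITED(status))
        return WEXITSTATUS(status);
    return -1;
}
```

Because execve() receives an explicit envp, variables such as PATH, IFS or LD_PRELOAD from the caller's environment never reach the helper, and because no shell is involved, the argument vector is passed to the program untouched, with no quoting or word splitting to get wrong.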
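The check on samhain's own files (every component of the complete path is examined for write access by untrusted users), as an added C example. It is not samhain's implementation; path_is_trusted and component_is_trusted are hypothetical names, and the trust rule it applies (owner must be root or the given trusted uid, no world-writable component, group-writable only for gid 0) is an assumption for the illustration. It uses stat(), so a symbolic link is judged by its target only.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <limits.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* Added illustration, not samhain's code. One path prefix is trusted when
 * it is owned by root or by trusted_uid, is not world-writable, and is not
 * group-writable unless the group is root's (gid 0). */
static int component_is_trusted(const char *prefix, uid_t trusted_uid)
{
    struct stat st;

    if (stat(prefix, &st) != 0)
        return 0;                        /* missing or unreadable: untrusted */
    if (st.st_uid != 0 && st.st_uid != trusted_uid)
        return 0;
    if (st.st_mode & S_IWOTH)
        return 0;
    if ((st.st_mode & S_IWGRP) && st.st_gid != 0)
        return 0;
    return 1;
}

/* Walk every prefix of an absolute path ("/", "/etc", "/etc/samhainrc"),
 * rejecting the whole path if any prefix could be modified by an
 * untrusted user. Returns 1 when the complete path is trusted, else 0. */
int path_is_trusted(const char *path, uid_t trusted_uid)
{
    char buf[PATH_MAX];
    size_t len, i;

    if (path == NULL || path[0] != '/')
        return 0;                        /* relative paths depend on the cwd */
    len = strlen(path);
    if (len >= sizeof buf)
        return 0;
    memcpy(buf, path, len + 1);

    if (!component_is_trusted("/", trusted_uid))
        return 0;
    for (i = 1; i <= len; i++) {
        if (buf[i] != '/' && buf[i] != '\0')
            continue;
        if (buf[i] == '/' && buf[i - 1] == '/')
            continue;                    /* "//" adds no new prefix */
        char saved = buf[i];
        buf[i] = '\0';                   /* temporarily cut at this prefix */
        if (!component_is_trusted(buf, trusted_uid))
            return 0;
        buf[i] = saved;
    }
    return 1;
}
```

A configuration file that is itself mode 0644 root-owned is still untrusted if any directory above it is writable by another user, since that user could replace the file or a directory on the way to it; that is why the walk starts at "/" rather than checking only the final component.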
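The paragraph on critical information kept in memory with paging disabled, as an added C example of the same idea: session keys or checksum input live in page-aligned memory that is locked with mlock() so it cannot be written to swap, is excluded from core dumps where the OS supports it, and is overwritten before release. This is not samhain's code; secret_buf, secret_alloc, secret_wipe, secret_is_zero and secret_free are hypothetical names for this illustration, and it assumes POSIX mmap/mlock (MADV_DONTDUMP is Linux-specific and used only when defined).

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON          /* BSD spelling */
#endif

/* Added illustration, not samhain's code. */
typedef struct {
    unsigned char *data;   /* usable bytes, page-aligned */
    size_t len;            /* bytes requested */
    size_t mapped;         /* bytes actually mapped (multiple of page size) */
    int locked;            /* 1 if mlock() succeeded, 0 if the OS refused */
} secret_buf;

/* Overwrite n bytes through a volatile pointer so the compiler cannot
 * drop the store as a dead write. */
void secret_wipe(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;

    while (n-- > 0)
        *vp++ = 0;
}

/* Returns 1 when every byte is zero (constant work regardless of content). */
int secret_is_zero(const unsigned char *p, size_t n)
{
    unsigned char acc = 0;
    size_t i;

    for (i = 0; i < n; i++)
        acc |= p[i];
    return acc == 0;
}

/* Map whole pages for the secret and pin them in RAM. Locking may fail
 * (RLIMIT_MEMLOCK, unsupported platform); that is recorded, not fatal,
 * matching the "if the operating system supports this" in the text. */
secret_buf *secret_alloc(size_t len)
{
    long page = sysconf(_SC_PAGESIZE);
    secret_buf *b;
    void *mem;

    if (len == 0 || page <= 0)
        return NULL;
    b = calloc(1, sizeof *b);
    if (b == NULL)
        return NULL;
    b->len = len;
    b->mapped = ((len + (size_t)page - 1) / (size_t)page) * (size_t)page;
    mem = mmap(NULL, b->mapped, PROT_READ | PROT_WRITE,
               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED) {
        free(b);
        return NULL;
    }
    b->data = mem;
    b->locked = (mlock(mem, b->mapped) == 0);   /* keep it out of swap */
#ifdef MADV_DONTDUMP
    madvise(mem, b->mapped, MADV_DONTDUMP);     /* Linux: out of core dumps */
#endif
    return b;
}

/* Zero the pages before they are unmapped, then release them. */
void secret_free(secret_buf *b)
{
    if (b == NULL)
        return;
    secret_wipe(b->data, b->mapped);
    if (b->locked)
        munlock(b->data, b->mapped);
    munmap(b->data, b->mapped);
    free(b);
}
```

Note that locking only addresses swap: the wipe in secret_free matters because the kernel reuses freed pages, and MADV_DONTDUMP complements the core-dump limit set at start-up.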