/usr/share/doc/samhain/manual.html/design.html is in samhain 4.1.4-2build1.

<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>5. General</title><link rel="stylesheet" type="text/css" href="docbook.css"><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="The Samhain Host Integrity Monitoring System"><link rel="up" href="security-design.html" title="Chapter 12. Security Design"><link rel="prev" href="server-security.html" title="4. The server"><link rel="next" href="compilation-options.html" title="Appendix A. List of options for the configure script"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><!--#if expr="! ($HTTP_USER_AGENT = /MSIE/)"--><!--#include virtual="/resources/ssi/header.html"--><!--#endif--><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">5. General</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="server-security.html">Prev</a> </td><th width="60%" align="center">Chapter 12. Security Design</th><td width="20%" align="right"> <a accesskey="n" href="compilation-options.html">Next</a></td></tr></table><hr></div><div class="sect1"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="design"></a>5. General</h2></div></div></div><p>Obviously, a security application should not open up
      security holes by itself. Therefore, an important aspect in
      the development of 
      <span class="application">samhain</span> has been
      the security of the program itself. While 
      <span class="application">samhain</span> comes with
      no warranty (see the license), much effort has been invested
      to identify security problems and avoid them.</p><p>Because the client runs with root privileges while the
      server does not, the client never opens a socket to listen on
      the network. Consequently, all client/server connections are
      initiated by the client.</p><p>To avoid buffer overflows, only secure string handling
      functions are used to limit the amount of data copied into a
      buffer to the size of the respective buffer (unless it is
      known in advance that the data will fit into the
      buffer).</p><p>On startup, the timezone is saved, and the environment
      is then cleared completely. Signal handlers,
      interval timers, and the file creation mask are reset, and the core dump
      size limit is set to zero, so that no core file can leak key material. If started as a daemon, all file
      descriptors are closed, and the first three streams are
      opened to 
      <code class="filename">/dev/null</code>.</p><p>If external programs are used (in the entropy gatherer,
      if 
      <code class="filename">/dev/random</code> is not
      available), they are invoked directly (without using the
      shell), with the full path, and with a limited environment
      (by default only the timezone). Privileged credentials are
      dropped before calling the external program.</p><p>With respect to its own files (configuration, database,
      the log file, and its lock), on access 
      <span class="application">samhain</span> checks every
      component of the complete path for write access by untrusted users. Some care
      has been taken to avoid race conditions on file access as far
      as possible.</p><p>Critical information, including session keys and data
      read from files for computing checksums, is kept in memory
      for which paging is disabled (if the operating system
      supports this). This prevents such information from being
      written to a persistent swap medium, where it
      might be accessible to unauthorized users.</p><p>Random numbers are generated from a pseudo-random
      number generator (PRNG) with a period of 2^88 (actually by
      mixing the output from three instances of the PRNG). The
      internal state of the PRNG is seeded from a strong entropy
      source (if available, 
      <code class="filename">/dev/random</code> is used, else
      a large pool of system statistics is collected and mixed with a hash
      function). The PRNG is re-seeded from the entropy source at
      regular intervals (one hour).</p><p>Numbers generated from a PRNG can be predicted, if the
      internal state of the PRNG can be inferred from its output. To prevent this,
      the raw output is never exposed: the internal state of the PRNG is hidden by hashing the
      output with a hash function.</p></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="server-security.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="security-design.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="compilation-options.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">4. The server </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Appendix A. List of options for the configure script</td></tr></table></div><!--#if expr="! ($HTTP_USER_AGENT = /MSIE/)"--><!--#include virtual="/resources/ssi/footer.html"--><!--#endif--></body></html>
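<p>The start-up hygiene described in section 5 above (save the timezone, clear the environment, reset signal handlers and timers, reset the file creation mask, forbid core dumps, and detach the standard streams when running as a daemon), as an added C example. This is not samhain's own code; the function names, the 128-byte limit on the saved TZ value and the fallback of 1024 descriptors when <code class="filename">sysconf(_SC_OPEN_MAX)</code> fails are this example's assumptions.</p>

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <signal.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/stat.h>
#include <sys/time.h>
#include <unistd.h>

extern char **environ;
static char *empty_env[] = { NULL };

#ifndef NSIG
#define NSIG 65
#endif

/* Keep only TZ: save it, drop the whole inherited environment, restore it.
 * Everything else (PATH, LD_PRELOAD, IFS, ...) is attacker-influenced input. */
static void scrub_environment(void)
{
    const char *tz = getenv("TZ");
    char saved[128];            /* assumption: TZ values longer than this are dropped */
    int have_tz = 0;
    if (tz != NULL && strlen(tz) < sizeof saved) {
        strcpy(saved, tz);      /* length checked above, so this fits */
        have_tz = 1;
    }
    environ = empty_env;
    if (have_tz)
        setenv("TZ", saved, 1);
}

/* Every catchable signal back to SIG_DFL, and nothing left blocked. */
static void reset_signals(void)
{
    struct sigaction sa;
    sigset_t none;
    int sig;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = SIG_DFL;
    sigemptyset(&sa.sa_mask);
    for (sig = 1; sig < NSIG; sig++) {
        if (sig == SIGKILL || sig == SIGSTOP)
            continue;
        (void)sigaction(sig, &sa, NULL);   /* EINVAL on reserved numbers is harmless */
    }
    sigemptyset(&none);
    sigprocmask(SIG_SETMASK, &none, NULL);
}

/* Cancel interval timers and pending alarms inherited from the parent. */
static void cancel_timers(void)
{
    struct itimerval zero;
    memset(&zero, 0, sizeof zero);
    setitimer(ITIMER_REAL, &zero, NULL);
    setitimer(ITIMER_VIRTUAL, &zero, NULL);
    setitimer(ITIMER_PROF, &zero, NULL);
    alarm(0);
}

/* Returns 0 on success, -1 if core dumps could not be disabled or stdio could
 * not be redirected. Pass as_daemon = 0 while stdio is still needed. */
int harden_process(int as_daemon)
{
    struct rlimit nocore = { 0, 0 };
    scrub_environment();
    reset_signals();
    cancel_timers();
    umask(077);                            /* new files are private by default */
    if (setrlimit(RLIMIT_CORE, &nocore) != 0)
        return -1;                         /* a core file could hold key material */
    if (as_daemon) {
        long maxfd = sysconf(_SC_OPEN_MAX);
        int fd;
        if (maxfd < 0)
            maxfd = 1024;                  /* assumption: fallback when unknown */
        for (fd = 0; fd < maxfd; fd++)
            close(fd);
        /* open() hands out the lowest free descriptor, so these land on 0, 1, 2 */
        for (fd = 0; fd < 3; fd++)
            if (open("/dev/null", O_RDWR) != fd)
                return -1;
    }
    return 0;
}

/* Probes used to confirm what harden_process() did. */
int core_dumps_disabled(void)
{
    struct rlimit rl;
    return getrlimit(RLIMIT_CORE, &rl) == 0 && rl.rlim_cur == 0;
}

int environment_is_minimal(void)
{
    int n = 0;
    while (environ != NULL && environ[n] != NULL)
        n++;
    return n == 0 || (n == 1 && strncmp(environ[0], "TZ=", 3) == 0);
}

mode_t current_umask(void)
{
    mode_t m = umask(0);                   /* umask() is read by setting it */
    umask(m);
    return m;
}
```

<p>Call <code class="filename">harden_process(1)</code> as the first thing after the daemon has forked away from its parent; anything opened before that point (a log file, a listening socket in the server) is closed by the descriptor sweep, so open such resources afterwards.</p>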
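<p>The way section 5 above describes calling an external helper (absolute path, direct <code class="filename">execve</code> without a shell, an environment containing only the timezone, privileges dropped first), as an added C example that is not samhain's code. The function names, the choice of uid/gid 65534 in the demonstration, and the use of <code class="filename">/usr/bin/env</code> as the helper (so that the child's environment can be inspected) are this example's assumptions.</p>

```c
#define _GNU_SOURCE
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Child environment: only TZ (if set) is passed through, so the helper cannot
 * be steered via PATH, LD_PRELOAD, IFS and similar variables. */
static int build_minimal_env(char *buf, size_t buflen, char *envp[2])
{
    const char *tz = getenv("TZ");
    envp[0] = NULL;
    if (tz == NULL)
        return 0;
    if (snprintf(buf, buflen, "TZ=%s", tz) >= (int)buflen)
        return -1;                           /* too long: refuse rather than truncate */
    envp[0] = buf;
    envp[1] = NULL;
    return 0;
}

/* Give up root for good: supplementary groups, then gid, then uid, and verify
 * that the privileges cannot be regained. Returns -1 on failure. */
static int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() != 0)
        return 0;                            /* nothing to drop */
    if (setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    if (setuid(0) == 0) return -1;           /* must not be able to go back */
    return 0;
}

/* Run `path` (absolute, executed directly, never via /bin/sh -c) as uid/gid
 * with a TZ-only environment and capture its stdout into out (NUL-terminated).
 * Returns the child's exit status, or -1 on error. */
int run_external(const char *path, char *const argv[], uid_t uid, gid_t gid,
                 char *out, size_t outlen)
{
    int pipefd[2], status;
    pid_t pid;
    size_t used = 0;

    if (path == NULL || path[0] != '/' || outlen == 0)
        return -1;                           /* relative paths depend on PATH */
    if (access(path, X_OK) != 0)
        return -1;
    if (pipe(pipefd) != 0)
        return -1;
    pid = fork();
    if (pid < 0) { close(pipefd[0]); close(pipefd[1]); return -1; }

    if (pid == 0) {
        char envbuf[256];
        char *envp[2];
        close(pipefd[0]);
        if (dup2(pipefd[1], STDOUT_FILENO) < 0) _exit(127);
        close(pipefd[1]);
        if (build_minimal_env(envbuf, sizeof envbuf, envp) != 0) _exit(127);
        if (drop_privileges(uid, gid) != 0) _exit(127);
        execve(path, argv, envp);
        _exit(127);                          /* only reached if execve failed */
    }

    close(pipefd[1]);
    for (;;) {                               /* always drain, so the child never blocks */
        char scratch[256];
        ssize_t n;
        if (used + 1 < outlen)
            n = read(pipefd[0], out + used, outlen - 1 - used);
        else
            n = read(pipefd[0], scratch, sizeof scratch);
        if (n <= 0)
            break;
        if (used + 1 < outlen)
            used += (size_t)n;
    }
    out[used] = '\0';
    close(pipefd[0]);
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Demonstration: run env(1) and hand back what the helper saw, which should be
 * exactly one line. uid/gid 65534 ("nobody" on most Linux systems, assumption)
 * only matter if the caller happens to be root. */
int demo_env_listing(char *out, size_t outlen)
{
    char *const argv[] = { "env", NULL };
    setenv("TZ", "UTC", 1);
    return run_external("/usr/bin/env", argv, (uid_t)65534, (gid_t)65534, out, outlen);
}
```

<p>The draining loop in the parent matters: if the parent stopped reading once its buffer was full and then called <code class="filename">waitpid</code>, a chatty helper would block on a full pipe and the parent would wait forever.</p>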
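<p>The check on samhain's own files described in section 5 above (every component of the path examined for write access by untrusted users), as an added C example that is not samhain's code. The policy details are this example's assumptions: uid 0 plus the caller-supplied list count as trusted, group- or world-writable components are rejected unless they are sticky directories such as <code class="filename">/tmp</code>, and symbolic links in the path are rejected outright.</p>

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

static int uid_is_trusted(uid_t uid, const uid_t *trusted, size_t n)
{
    size_t i;
    if (uid == 0)
        return 1;                            /* assumption: root is always trusted */
    for (i = 0; i < n; i++)
        if (trusted[i] == uid)
            return 1;
    return 0;
}

/* One path prefix. Returns 1 if acceptable, else 0 with a reason in why. */
static int component_ok(const char *prefix, const uid_t *trusted, size_t n,
                        char *why, size_t whylen)
{
    struct stat st;
    if (lstat(prefix, &st) != 0) {
        snprintf(why, whylen, "%s: cannot stat", prefix);
        return 0;
    }
    if (S_ISLNK(st.st_mode)) {               /* assumption: no symlinks in the path */
        snprintf(why, whylen, "%s: is a symlink", prefix);
        return 0;
    }
    if (!uid_is_trusted(st.st_uid, trusted, n)) {
        snprintf(why, whylen, "%s: owned by untrusted uid %ld", prefix, (long)st.st_uid);
        return 0;
    }
    /* A group- or world-writable directory lets others replace entries below
     * it; a sticky directory only lets the owner unlink or rename them. */
    if ((st.st_mode & (S_IWGRP | S_IWOTH)) &&
        !(S_ISDIR(st.st_mode) && (st.st_mode & S_ISVTX))) {
        snprintf(why, whylen, "%s: writable by group or others (mode %04o)",
                 prefix, (unsigned)(st.st_mode & 07777));
        return 0;
    }
    return 1;
}

/* Returns 1 if "/" and every prefix of the absolute path pass component_ok,
 * 0 otherwise with the first failure described in why. */
int path_is_trusted(const char *path, const uid_t *trusted, size_t n,
                    char *why, size_t whylen)
{
    char prefix[4096];
    size_t i, len = strlen(path);
    if (len == 0 || path[0] != '/' || len >= sizeof prefix) {
        snprintf(why, whylen, "path must be absolute and shorter than %zu bytes", sizeof prefix);
        return 0;
    }
    if (!component_ok("/", trusted, n, why, whylen))
        return 0;
    for (i = 1; i <= len; i++) {
        if (i == len || path[i] == '/') {    /* end of a component */
            if (i == len && path[i - 1] == '/')
                continue;                    /* trailing slash, nothing new */
            memcpy(prefix, path, i);
            prefix[i] = '\0';
            if (!component_ok(prefix, trusted, n, why, whylen))
                return 0;
        }
    }
    return 1;
}

/* Demonstration on a private temporary directory: 1 when the fresh 0700
 * directory is trusted and becomes untrusted after a careless chmod 0777,
 * 0 if the check misbehaves, -1 if the directory could not be created. */
int demo_trust_check(void)
{
    char dir[] = "/tmp/trustdemo.XXXXXX";
    char why[256];
    uid_t me = geteuid();
    int ok_private, ok_open;
    if (mkdtemp(dir) == NULL)
        return -1;
    chmod(dir, 0700);
    ok_private = path_is_trusted(dir, &me, 1, why, sizeof why);
    chmod(dir, 0777);
    ok_open = path_is_trusted(dir, &me, 1, why, sizeof why);
    rmdir(dir);
    return (ok_private == 1 && ok_open == 0) ? 1 : 0;
}
```

<p>Checking the prefixes still leaves a window between the check and the open; the page's "as far as possible" is honest about that, and the usual complement is to open the file once and keep working on the descriptor (<code class="filename">fstat</code>) rather than re-resolving the path.</p>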
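<p>Keeping session keys and checksum input in memory that cannot be paged out, and wiping it before release, as section 5 above describes: an added C example, not samhain's code. The <code class="filename">secret_buf</code> type and the page-rounded allocation are this example's assumptions; the 16-byte "key" in the demonstration is constructed.</p>

```c
#define _GNU_SOURCE
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

struct secret_buf {
    unsigned char *data;
    size_t len;       /* usable bytes */
    size_t mapped;    /* bytes actually allocated (multiple of the page size) */
    int locked;       /* 1 if mlock() succeeded */
};

/* Zero memory through a volatile pointer so the compiler cannot drop the
 * store as "dead" just because the buffer is freed afterwards. */
void wipe(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--)
        *vp++ = 0;
}

/* Allocate len bytes, page-aligned, and try to pin them in RAM. Returns 0 on
 * success; buf->locked tells whether pinning worked (RLIMIT_MEMLOCK may forbid
 * it for unprivileged processes, in which case the data is still usable but
 * may reach swap). Returns -1 if no memory could be obtained. */
int secret_buf_alloc(struct secret_buf *buf, size_t len)
{
    long page = sysconf(_SC_PAGESIZE);
    void *p;
    if (page <= 0)
        page = 4096;
    buf->mapped = ((len + (size_t)page - 1) / (size_t)page) * (size_t)page;
    if (buf->mapped == 0)
        buf->mapped = (size_t)page;
    if (posix_memalign(&p, (size_t)page, buf->mapped) != 0)
        return -1;
    buf->data = p;
    buf->len = len;
    buf->locked = (mlock(p, buf->mapped) == 0);
    return 0;
}

/* Wipe the whole mapping, unlock it, free it, and clear the handle. */
void secret_buf_free(struct secret_buf *buf)
{
    if (buf->data == NULL)
        return;
    wipe(buf->data, buf->mapped);
    if (buf->locked)
        munlock(buf->data, buf->mapped);
    free(buf->data);
    buf->data = NULL;
    buf->len = buf->mapped = 0;
    buf->locked = 0;
}

/* Demonstration: store a constructed session key, wipe it the way
 * secret_buf_free() does, and confirm no key byte survives. Returns 1 on
 * success, 0 if allocation failed or the wipe left data behind. */
int demo_secret_lifecycle(void)
{
    static const unsigned char key[16] = "constructed-key";  /* constructed sample */
    struct secret_buf sb;
    size_t i, nonzero = 0;
    if (secret_buf_alloc(&sb, sizeof key) != 0)
        return 0;
    memcpy(sb.data, key, sizeof key);
    wipe(sb.data, sb.mapped);              /* inspect before free(): after it the memory is gone */
    for (i = 0; i < sizeof key; i++)
        if (sb.data[i] != 0)
            nonzero++;
    secret_buf_free(&sb);
    return nonzero == 0 && sb.data == NULL;
}
```

<p>Locking the pages covers swap only; a core dump or a debugger would still see them, which is why the start-up hardening also sets the core size limit to zero.</p>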
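<p>The random number generation described in section 5 above (a combined Tausworthe generator with a period close to 2^88, three instances mixed, seeded from the kernel's entropy source with a statistics-based fallback, and reseeded on an hourly schedule), as an added C example. The generator is L'Ecuyer's taus88; the rest is not samhain's code and makes these assumptions: the three instances are combined by XOR, <code class="filename">/dev/urandom</code> stands in for <code class="filename">/dev/random</code> so the example never blocks, and the fallback mixer is a simple multiply-xorshift rather than a cryptographic hash. The hash-based whitening of the output that the page describes next is not part of this block.</p>

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>

#define RESEED_INTERVAL_SECONDS 3600      /* "one hour" from the page */

struct taus88 { uint32_t s1, s2, s3; };  /* three component LFSRs, period ~2^88 */

struct mixed_prng {
    struct taus88 g[3];                   /* three independent instances */
    time_t last_seed;
};

/* taus88 needs s1 >= 2, s2 >= 8, s3 >= 16; smaller seeds give degenerate
 * components, so they are nudged into range. */
static void taus88_seed(struct taus88 *t, uint32_t s1, uint32_t s2, uint32_t s3)
{
    t->s1 = (s1 < 2)  ? s1 + 2  : s1;
    t->s2 = (s2 < 8)  ? s2 + 8  : s2;
    t->s3 = (s3 < 16) ? s3 + 16 : s3;
}

static uint32_t taus88_next(struct taus88 *t)
{
    t->s1 = ((t->s1 & 0xFFFFFFFEu) << 12) ^ (((t->s1 << 13) ^ t->s1) >> 19);
    t->s2 = ((t->s2 & 0xFFFFFFF8u) <<  4) ^ (((t->s2 <<  2) ^ t->s2) >> 25);
    t->s3 = ((t->s3 & 0xFFFFFFF0u) << 17) ^ (((t->s3 <<  3) ^ t->s3) >> 11);
    return t->s1 ^ t->s2 ^ t->s3;
}

/* Fill words[] with seed material. Prefers the kernel entropy source; if it
 * is unavailable, pools a few system values through a simple mixer (assumption:
 * a stand-in for the page's statistics pool and hash, not a real hash).
 * Returns 1 if the kernel source was used, 0 for the fallback. */
int gather_seed(uint32_t *words, size_t n)
{
    FILE *f = fopen("/dev/urandom", "rb");
    uint64_t h = 0x9E3779B97F4A7C15ull;
    uint64_t inputs[3];
    size_t i;
    if (f != NULL) {
        size_t got = fread(words, sizeof *words, n, f);
        fclose(f);
        if (got == n)
            return 1;
    }
    inputs[0] = (uint64_t)time(NULL);
    inputs[1] = (uint64_t)getpid();
    inputs[2] = (uint64_t)clock();
    for (i = 0; i < n; i++) {
        h ^= inputs[i % 3] + i;
        h *= 0xFF51AFD7ED558CCDull;
        h ^= h >> 33;
        words[i] = (uint32_t)(h ^ (h >> 32));
    }
    return 0;
}

/* Seed all three instances from explicit material (9 words). */
void mixed_prng_seed(struct mixed_prng *p, const uint32_t w[9], time_t now)
{
    int i;
    for (i = 0; i < 3; i++)
        taus88_seed(&p->g[i], w[3 * i], w[3 * i + 1], w[3 * i + 2]);
    p->last_seed = now;
}

/* Seed from the entropy gatherer; returns gather_seed()'s result. */
int mixed_prng_seed_from_entropy(struct mixed_prng *p, time_t now)
{
    uint32_t w[9];
    int r = gather_seed(w, 9);
    mixed_prng_seed(p, w, now);
    return r;
}

/* Reseed once the interval has elapsed; returns 1 if a reseed happened. */
int mixed_prng_reseed_if_due(struct mixed_prng *p, time_t now)
{
    if (now - p->last_seed < RESEED_INTERVAL_SECONDS)
        return 0;
    mixed_prng_seed_from_entropy(p, now);
    return 1;
}

/* One 32-bit output: the three instances' outputs XORed together. */
uint32_t mixed_prng_next(struct mixed_prng *p)
{
    return taus88_next(&p->g[0]) ^ taus88_next(&p->g[1]) ^ taus88_next(&p->g[2]);
}
```

<p>On its own, taus88 is a statistical generator: its state is linear in its output, so a few consecutive raw words would let an observer reconstruct it. That is exactly why the page passes the output through a hash before use, and why <code class="filename">mixed_prng_next</code> should not be handed out directly for keys or nonces.</p>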