# Why isn't Samhain more popular? Can Pax or Grsec do this?

## dman777

I did a search on this forum and found very few posts on Samhain IDS. I'm confused why this IDS isn't more popular in the Gentoo Security community.

I don't care about it having its own logrotate, port scanner, and logging facility, because I have the GNU utils, which are more native to Linux, for that.

But what I do like about it is how it detects SUIDs on files, monitors the kernel's syscalls, monitors for rootkits, and can find hidden processes that wouldn't show up in `ps`.

How come no one here uses Samhain for these features? Can Pax or Grsec do this instead?

And what about monitoring logs so they don't get hacked? What could be used for this instead of Samhain?

----------

## Veldrin

How many Snort installations do you have these days?

And no, it cannot be substituted by PaX/GrSEC: PaX is a memory-protection and exec-restriction system, and GrSEC is an RBAC system (Role Based Access Control system).

Both have nothing to do with IDS.

Just my $.02.

V.

----------

## dman777

Sorry, I am new to HIDS and don't fully understand what most are using to fill the void. I thought Snort was just for network. When you asked how many Snort installations I have, I looked up Snort to make sure it doesn't offer kernel protection or monitoring of logs.

If most of the Gentoo Security Community aren't using Samhain, what are they using for HIDS that offers log monitoring (keeping the logs from getting hacked) and kernel intrusion detection?

----------

## prometheanfire

For keeping logs safe, I just stream them to another server via syslog. I've thought of running tripwire or samhain for file integrity but have not gotten around to it. Grsec is more than just RBAC; it is a bunch of kernel stuff. http://grsecurity.net/ has a good summary. Just stop by the #gentoo-hardened channel (again :P) if you have more questions.

-- prometheanfire
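The point of streaming logs off-box is that an attacker who gains root on the monitored host can edit or delete the local copy but cannot reach the copy that already left the machine. The following is an added example, not code from the thread, from Samhain, or from any syslog daemon: a constructed UDP syslog collector standing in for the remote log server (it records each datagram as received and never rewrites it), and a client that ships events to it with Python's standard-library `SysLogHandler`. The names `UdpSyslogCollector`, `make_remote_logger` and `ship_events` are hypothetical, and the sample messages are constructed.

```python
import logging
import logging.handlers
import re
import socket
import threading
import time

# Matches an RFC 3164-style datagram: '<PRI>' followed by the message text.
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def parse_syslog_pri(datagram: bytes):
    """Split '<PRI>message' into (facility, severity, message); PRI = facility*8 + severity."""
    text = datagram.decode("utf-8", errors="replace")
    m = PRI_RE.match(text)
    if not m:
        return None, None, text
    pri = int(m.group(1))
    return pri // 8, pri % 8, m.group(2).rstrip("\x00\n")


class UdpSyslogCollector:
    """Hypothetical stand-in for the remote log host: an append-only receiver on loopback."""

    def __init__(self, host="127.0.0.1"):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.sock.bind((host, 0))  # port 0: let the OS pick a free port
        self.port = self.sock.getsockname()[1]
        self.records = []         # the copy an intruder on the sending host cannot edit
        self._stop = threading.Event()
        self.thread = threading.Thread(target=self._serve, daemon=True)
        self.thread.start()

    def _serve(self):
        self.sock.settimeout(0.2)
        while not self._stop.is_set():
            try:
                data, peer = self.sock.recvfrom(65535)
            except socket.timeout:
                continue
            facility, severity, msg = parse_syslog_pri(data)
            self.records.append({"peer": peer[0], "facility": facility,
                                 "severity": severity, "msg": msg})

    def close(self):
        self._stop.set()
        self.thread.join()
        self.sock.close()


def make_remote_logger(host, port, name="hids"):
    """Logger whose only handler forwards every record to the collector, not to a local file."""
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.setLevel(logging.INFO)
    handler = logging.handlers.SysLogHandler(
        address=(host, port), facility=logging.handlers.SysLogHandler.LOG_AUTH)
    handler.setFormatter(logging.Formatter("%(name)s: %(message)s"))
    logger.addHandler(handler)
    return logger


def ship_events(events):
    """Send each message to a local collector as a WARNING and return what the collector stored."""
    collector = UdpSyslogCollector()
    log = None
    try:
        log = make_remote_logger("127.0.0.1", collector.port)
        for msg in events:
            log.warning(msg)
        # UDP is fire-and-forget: give the datagrams a moment to arrive.
        deadline = time.time() + 2
        while len(collector.records) < len(events) and time.time() < deadline:
            time.sleep(0.01)
        return list(collector.records)
    finally:
        if log is not None:
            for h in log.handlers:
                h.close()
        collector.close()


if __name__ == "__main__":
    # Constructed sample events, as a HIDS might report them.
    for rec in ship_events(["setuid bit added on /usr/local/bin/tool",
                            "login from unexpected host"]):
        print(rec)
```

Plain UDP syslog, as used here, is neither reliable nor authenticated: datagrams can be dropped, and anyone on the path can inject fake events or spoof the sender. For a real deployment the same idea is carried over TCP, ideally with TLS between the forwarder and the collector, and the collector itself should not accept logins from the hosts it receives logs from.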

----------

## dman777

Hi prometheanfire, good to hear from you :) I'm at work a lot lately, so the only time I can really go on there is on my cell phone, which is hard to use for IRC.

I like how with AIDE the bin is portable. What I currently have is the AIDE bin on a thumb drive with its databases, and I plug it in to get a filesystem integrity check and then unplug it.

What I'm thinking about doing is using Samhain for everything but the filesystem integrity check (with the exception of logs, which I'd use Samhain to monitor in real time), because I like the insurance that the AIDE bin will never be compromised, since it's physically not there.

I do have one question and concern about Samhain. I read that it is best to have /dev/kmem disabled so there can be no runtime kernel modifications. Samhain uses its own module called samhain_kmem.ko, which generates a file /proc/kmem, since Samhain relies on the information provided from kmem for its kernel integrity check. So it's kind of a contradiction: in one aspect, /dev/kmem is there for exploits, but on the other, Samhain should be able to detect any kernel integrity breach by exploits. I'm not sure which one is the better/safer route: not have /dev/kmem, do without Samhain's kernel integrity checks, and significantly lower possible kernel exploits; or have /dev/kmem open and hope Samhain will always come through if there is a kernel exploit.

Also, Samhain's /dev/kmem data is extracted through its own module, samhain_kmem.ko. Just the fact that this is a module makes it a security vulnerability, since it is a module and not built into the kernel, correct?
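The offline-baseline workflow described above (build a database of file hashes and attributes, keep it on removable media, plug it in and compare) and the SUID detection mentioned at the start of the thread are the same mechanism: a baseline of per-file metadata and a later comparison against the live filesystem. The following is an added example, not the thread's own code and not AIDE or Samhain: a minimal baseline/check in the style of AIDE, recording sha256, mode, owner, size and timestamps for every path under a root, and flagging added, removed and changed entries plus any file that has gained a setuid/setgid bit. The function names (`build_baseline`, `check`, and so on) are hypothetical, and the sample tree in the `__main__` block is constructed.

```python
import hashlib
import json
import os
import stat

# Fields compared on every check; ctime is included because it cannot be reset with utime().
TRACKED = ("sha256", "target", "mode", "uid", "gid", "size", "mtime_ns", "ctime_ns")


def file_record(path):
    """Metadata for one path (lstat, so symlinks are recorded, not followed)."""
    st = os.lstat(path)
    rec = {"mode": st.st_mode, "uid": st.st_uid, "gid": st.st_gid, "size": st.st_size,
           "mtime_ns": st.st_mtime_ns, "ctime_ns": st.st_ctime_ns}
    if stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
        rec["sha256"] = h.hexdigest()
    elif stat.S_ISLNK(st.st_mode):
        rec["target"] = os.readlink(path)
    return rec


def build_baseline(root):
    """Walk root and return {relative path: record}; this is the database kept off the host."""
    db = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            db[os.path.relpath(full, root)] = file_record(full)
    return db


def save_baseline(db, path):
    with open(path, "w") as f:
        json.dump(db, f, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def is_setid(mode):
    """True if the setuid or setgid bit is set (the SUID detection the thread asks about)."""
    return bool(mode & (stat.S_ISUID | stat.S_ISGID))


def check(root, baseline):
    """Compare the live tree with the baseline; returns (kind, relpath, changed_fields) tuples."""
    current = build_baseline(root)
    findings = []
    for rel in sorted(set(baseline) | set(current)):
        old, new = baseline.get(rel), current.get(rel)
        if old is None:
            findings.append(("added", rel, ()))
            if is_setid(new["mode"]):
                findings.append(("new_setid", rel, ()))
            continue
        if new is None:
            findings.append(("removed", rel, ()))
            continue
        changed = tuple(f for f in TRACKED if old.get(f) != new.get(f))
        if changed:
            findings.append(("changed", rel, changed))
        if is_setid(new["mode"]) and not is_setid(old["mode"]):
            findings.append(("new_setid", rel, ()))
    return findings


if __name__ == "__main__":
    import tempfile
    # Constructed sample tree: one binary, baselined, then modified and joined by a new setuid file.
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "bin"))
    tool = os.path.join(root, "bin", "tool")
    with open(tool, "w") as f:
        f.write("v1\n")
    dbfile = os.path.join(tempfile.mkdtemp(), "aide.db")  # would live on the thumb drive
    save_baseline(build_baseline(root), dbfile)
    with open(tool, "w") as f:
        f.write("v2!\n")
    su = os.path.join(root, "bin", "su")
    with open(su, "w") as f:
        f.write("#!/bin/sh\n")
    os.chmod(su, 0o4755)
    for finding in check(root, load_baseline(dbfile)):
        print(finding)
```

The baseline and the checker binary are only trustworthy if an attacker cannot modify them, which is exactly why the thread keeps the AIDE binary and database on media that is unplugged between runs. A check run from a compromised host can still be fooled by a kernel-level rootkit that lies to `lstat` and `open`, which is the gap the kernel integrity features discussed in this thread are meant to cover.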

----------

