source: branches/samhain-2_2-branch/man/samhainrc.5@ 334

Last change on this file since 334 was 27, checked in by rainer, 19 years ago

Support for server-to-server relay and more user policies

File size: 18.2 KB
Line 
1.TH SAMHAINRC 5 "Jul 29, 2004" "" "samhainrc manual"
2.SH NAME
3samhainrc \- samhain(8) configuration file
4
5.SH WARNING
6.PP
7The information in this man page is not always up to date.
8The authoritative documentation is the user manual.
9
10.SH DESCRIPTION
11.PP
12The configuration file for
13.BR samhain (8)
14is named
15.I samhainrc
16and located in
17.I /etc
18by default.
19.PP
20It contains several sections, indicated by headings in square brackets.
21Each section may hold zero or more
22.BI key= value
23pairs. Blank lines and lines starting with '#' are comments.
24Everything before the first section and after an
25.I "[EOF]"
26is ignored. The file may be (clear text) signed by PGP/GnuPG, and
27.B samhain
28may invoke GnuPG to check the signature
29if compiled with support for it.
30.PP
31Conditional inclusion of entries for some host(s) is
32supported via any number of
33.BI @ hostname /@ end
34directives.
35.BI @ hostname
36and
37.BI @ end
38must each be on separate lines. Lines in between will only be
39read if
40.I "hostname"
41(which may be a regular expression) matches the local host.
42.PP
43Likewise, conditional inclusion of entries based on system type is
44supported via any number of
45.BI $ sysname:release:machine /$ end
46directives.
47.br
48.I "sysname:release:machine"
49can be inferred from
50.I "uname -srm"
51and may be a regular expression.
52.PP
53Filenames/directories to check may be wildcard patterns.
54.PP
55Options given on the command line will override
56those in the configuration file.
57The recognized sections in the configuration file are as follows:
58.PP
59Boolean options can be set with any of 1|true|yes or 0|false|no.
60.TP
61.I "[ReadOnly]"
62This section may contain
63.br
64.BI file= PATH
65and
66.br
67.BI dir= [depth]PATH
68entries for files and directories to check. All modifications except access
69times will be reported for these files.
70.I [depth] (use without brackets)
71is an optional parameter to define a per\-directory recursion
72depth.
73.TP
74.I "[LogFiles]"
75As above, but modifications of timestamps, file size, and signature will
76be ignored.
77.TP
78.I "[GrowingLogFiles]"
79As above, but modifications of file size will only be ignored if the size has
80.IR increased .
81.TP
82.I "[Attributes]"
83As above, but only modifications of ownership and access permissions
84will be checked.
85.TP
86.I "[IgnoreAll]"
87As above, but report no modifications for
88these files/directories. Access failures
89will still be reported.
90.TP
91.I "[IgnoreNone]"
92As above, but report all modifications for these files/directories,
93including access time.
94.TP
95.I "[User0]"
96.TP
97.I "[User1]"
98.TP
99.I "[User2]"
100.TP
101.I "[User3]"
102.TP
103.I "[User4]"
104These are reserved for user-defined policies.
105.TP
106.I "[Prelink]"
107For prelinked executables / libraries or directories holding them.
108.TP
109.I "[Log]"
110This section defines the filtering rules for logging.
111It may contain the following entries:
112.br
113.BI MailSeverity= val
114where the threshold value
115.I val
116may be one of
117.IR debug ,
118.IR info ,
119.IR notice ,
120.IR warn ,
121.IR mark ,
122.IR err ,
123.IR crit ,
124.IR alert ,
125or
126.IR none .
127By default, everything equal to and above the threshold will be logged.
128The specifiers
129.IR * ,
130.IR ! ,
131and
132.I =
133are interpreted as 'all', 'all but', and 'only', respectively (like
134in the Linux version of syslogd(8)).
135Time stamps have the priority
136.IR warn ,
137system\-level errors have the priority
138.IR err ,
139and important start\-up messages the priority
140.IR alert .
141The signature key for the log file will never be logged to syslog or the
142log file itself.
143For failures to verify file integrity, error levels are defined
144in the next section.
145.br
146.BI PrintSeverity= val,
147.br
148.BI LogSeverity= val,
149.br
150.BI ExportSeverity= val,
151.br
152.BI ExternalSeverity= val,
153.br
154.BI PreludeSeverity= val,
155.br
156.BI DatabaseSeverity= val,
157and
158.br
159.BI SyslogSeverity= val
160set the thresholds for logging via stdout (or
161.IR /dev/console ),
162log file, TCP forwarding, calling external programs,
163and
164.BR syslog (3).
165.TP
166.I "[EventSeverity]"
167.BI SeverityReadOnly= val,
168.br
169.BI SeverityLogFiles= val,
170.br
171.BI SeverityGrowingLogs= val,
172.br
173.BI SeverityIgnoreNone= val,
174.br
175.BI SeverityIgnoreAll= val,
176.br
177.BI SeverityPrelink= val,
178.br
179.BI SeverityUser0= val,
180.br
181.BI SeverityUser1= val,
182.br
183.BI SeverityUser2= val,
184.br
185.BI SeverityUser3= val,
186and
187.br
188.BI SeverityUser4= val
189define the error levels for failures to verify the integrity of
190files/directories of the respective types. I.e. if such a file shows
191unexpected modifications, an error of level
192.I val
193will be generated, and logged to all facilities with a threshold of at least
194.IR val .
195.br
196.BI SeverityFiles= val
197sets the error level for file access problems, and
198.br
199.BI SeverityDirs= val
200for directory access problems.
201.br
202.BI SeverityNames= val
203sets the error level for obscure file names
204(e.g. non\-printable characters), and for files
205with invalid UIDs/GIDs.
206.TP
207.I "[External]"
208.BI OpenCommand= path
209Start the definition of an external logging program|script.
210.br
211.BI SetType= log|srv
212Type/purpose of program (log for logging).
213.br
214.BI SetCommandline= list
215Command line options.
216.br
217.BI SetEnviron= KEY=val
218Environment for external program.
219.br
220.BI SetChecksum= val
221Checksum of the external program (checked before invoking).
222.br
223.BI SetCredentials= username
224User as who the program will run.
225.br
226.BI SetFilterNot= list
227Words not allowed in message.
228.br
229.BI SetFilterAnd= list
230Words required (ALL) in message.
231.br
232.BI SetFilterOr= list
233Words required (at least one) in message.
234.br
235.BI SetDeadtime= seconds
236Time between consecutive calls.
237.TP
238.I "[Utmp]"
239Configuration for watching login/logout events.
240.br
241.BI LoginCheckActive= 0|1
242Switch off/on login/logout reporting.
243.br
244.BI LoginCheckInterval= val
245Interval (seconds) between checks for login/logout events.
246.br
247.BI SeverityLogin= val
248.br
249.BI SeverityLoginMulti= val
250.br
251.BI SeverityLogout= val
252Severity levels for logins, multiple logins
253by same user, and logouts.
254.TP
255.I "[Kernel]"
256Configuration for detecting kernel rootkits.
257.br
258.BI KernelCheckActive= 0|1
259Switch off/on checking of kernel syscalls to detect kernel module rootkits.
260.br
261.BI KernelCheckInterval= val
262Interval (seconds) between checks.
263.br
264.BI SeverityKernel= val
265Severity level for clobbered kernel syscalls.
266.br
267.BI KernelCheckIDT= 0|1
268Whether to check the interrrupt descriptor table.
269.br
270.BI KernelSystemCall= address
271The address of system_call (grep system_call System.map).
272Required after a kernel update.
273.br
274.BI KernelProcRoot= address
275The address of proc_root (grep ' proc_root$' System.map).
276Required after a kernel update.
277.br
278.BI KernelProcRootIops= address
279The address of proc_root_inode_operations
280(grep proc_root_inode_operations System.map).
281Required after a kernel update.
282.br
283.BI KernelProcRootLookup= address
284The address of proc_root_lookup (grep proc_root_lookup System.map).
285Required after a kernel update.
286.TP
287.I "[SuidCheck]"
288Settings for finding SUID/SGID files on disk.
289.br
290.BI SuidCheckActive= 0|1
291Switch off/on the check.
292.br
293.BI SuidCheckExclude= path
294 A directory (and its subdirectories)
295 to exclude from the check. Only one directory can be specified this way.
296.br
297.BI SuidCheckSchedule= schedule
298Crontab-like schedule for checks.
299.br
300.BI SeveritySuidCheck= severity
301Severity for events.
302.br
303.BI SuidCheckFps= fps
304Limit files per seconds for SUID check.
305.TP
306.I "[Database]"
307Settings for
308.I logging
309to a database.
310.br
311.BI SetDBHost= db_host
312Host where the DB server runs (default: localhost).
313Should be a numeric IP address for PostgreSQL.
314.br
315.BI SetDBName= db_name
316Name of the database (default: samhain).
317.br
318.BI SetDBTable= db_table
319Name of the database table (default: log).
320.br
321.BI SetDBUser= db_user
322Connect as this user (default: samhain).
323.br
324.BI SetDBPassword= db_password
325Use this password (default: none).
326.br
327.BI SetDBServerTstamp= true|false
328Log server timestamp for client messages (default: true).
329.br
330.BI UsePersistent= true|false
331Use a persistent connection (default: true).
332.TP
333.I "[Misc]"
334.BI Daemon= no|yes
335Detach from controlling terminal to become a daemon.
336.br
337.BI MessageHeader= format
338Costom format for message header. Replacements:
339.I %F
340source file name,
341.I %L
342source file line,
343.I %S
344severity,
345.I %T
346timestamp,
347.I %C
348message class.
349.br
350.BI VersionString= string
351Set version string to include in file signature database
352(along with hostname and date).
353.br
354.BI SetReverseLookup= true|false
355If false, skip reverse lookups when connecting to a host known by name
356rather than IP address.
357.br
358.BI HideSetup= yes|no
359Don't log name of config/database files on startup.
360.br
361.BI SyslogFacility= facility
362Set the syslog facility to use. Default is LOG_AUTHPRIV.
363.br
364.BI MACType= HASH-TIGER|HMAC-TIGER
365Set type of message authentication code (HMAC).
366Must be identical on client and server.
367.br
368.BI SetLoopTime= val
369Defines the interval (in seconds) for timestamps.
370.br
371.BI SetConsole= device
372Set the console device (default /dev/console).
373.br
374.BI MessageQueueActive= 1|0
375Whether to use a SysV IPC message queue.
376.br
377.BI PreludeMapToInfo= list of severities
378The severities (see section
379.IR [Log] )
380that should be mapped to impact
381severity
382.I info
383in prelude.
384.br
385.BI PreludeMapToLow= list of severities
386The severities (see section
387.IR [Log] )
388that should be mapped to impact
389severity
390.I low
391in prelude.
392.br
393.BI PreludeMapToMedium= list of severities
394The severities (see section
395.IR [Log] )
396that should be mapped to impact
397severity
398.I medium
399in prelude.
400.br
401.BI PreludeMapToHigh= list of severities
402The severities (see section
403.IR [Log] )
404that should be mapped to impact
405severity
406.I high
407in prelude.
408.br
409.BI SetMailTime= val
410defines the maximum interval (in seconds) between succesive e\-mail reports.
411Mail might be empty if there are no events to report.
412.br
413.BI SetMailNum= val
414defines the maximum number of messages that are stored before e\-mailing them.
415Messages of highest priority are always sent immediately.
416.br
417.BI SetMailAddress= username @ host
418sets the recipient address for mailing.
419.I "No aliases should be used."
420For security, you should prefer a numerical host address.
421.br
422.BI SetMailRelay= server
423sets the hostname for the mail relay server (if you need one).
424If no relay server is given, mail is sent directly to the host given in the
425mail address, otherwise it is sent to the relay server, who should
426forward it to the given address.
427.br
428.BI SetMailSubject= val
429defines a custom format for the subject of an email message.
430.br
431.BI SetMailSender= val
432defines the sender for the 'From:' field of a message.
433.br
434.BI SetMailFilterAnd= list
435defines a list of strings all of which must match a message, otherwise
436it will not be mailed.
437.br
438.BI SetMailFilterOr= list
439defines a list of strings at least one of which must match a message, otherwise
440it will not be mailed.
441.br
442.BI SetMailFilterNot= list
443defines a list of strings none of which should match a message, otherwise
444it will not be mailed.
445.br
446.BI SamhainPath= /path/to/binary
447sets the path to the samhain binary. If set, samhain will checksum
448its own binary both on startup and termination, and compare both.
449.br
450.BI SetBindAddress= IP_address
451The IP address (i.e. interface on multi-interface box) to use
452for outgoing connections.
453.br
454.BI SetTimeServer= server
455sets the hostname for the time server.
456.br
457.BI TrustedUser= name|uid
458Add a user to the set of trusted users (root and the effective user
459are always trusted. You can add up to 7 more users).
460.br
461.BI SetLogfilePath= AUTO|/path
462Path to logfile (AUTO to tack hostname on compiled-in path).
463.br
464.BI SetLockfilePath= AUTO|/path
465Path to lockfile (AUTO to tack hostname on compiled-in path).
466.TP
467.B Standalone or client only
468.br
469.BI SetNiceLevel= -19..19
470Set scheduling priority during file check.
471.br
472.BI SetIOLimit= bps
473Set IO limits (kilobytes per second) for file check.
474.br
475.BI SetFilecheckTime= val
476Defines the interval (in seconds) between succesive file checks.
477.br
478.BI FileCheckScheduleOne= schedule
479Crontab-like schedule for file checks. If used,
480.I SetFilecheckTime
481is ignored.
482.br
483.BI UseHardlinkCheck= yes|no
484Compare number of hardlinks to number of subdirectories for directories.
485.br
486.BI HardlinkOffset= N:/path
487Exception (use multiple times for multiple
488exceptions). N is offset (actual - expected hardlinks) for /path.
489.br
490.BI AddOKChars= N1,N2,..
491List of additional acceptable characters (byte value(s)) for the check for
492weird filenames. Nn may be hex (leading '0x': 0xNN), octal
493(leading zero: 0NNN), or decimal.
494Use
495.I all
496for all.
497.br
498.br
499.BI IgnoreAdded= path_regex
500Ignore if this file/directory is added/created.
501.br
502.BI IgnoreMissing= path_regex
503Ignore if this file/directory is missing/deleted.
504.br
505.BI ReportOnlyOnce= yes|no
506Report only once on a modified file (default yes).
507.br
508.BI ReportFullDetail= yes|no
509Report in full detail on modified files (not only modified items).
510.br
511.BI UseLocalTime= yes|no
512Report file timestamps in local time rather than GMT (default no).
513Do not use this with Beltane.
514.br
515.BI ChecksumTest= {init|update|check|none}
516defines whether to initialize/update the database or verify files against it.
517If 'none', you should supply the required option on the command line.
518.br
519.BI SetPrelinkPath= path
520Path of the prelink executable (default /usr/sbin/prelink).
521.br
522.BI SetPrelinkChecksum= checksum
523TIGER192 checksum of the prelink executable (no default).
524.br
525.BI SetLogServer= server
526sets the hostname for the log server.
527.br
528.BI SetServerPort= portnumber
529sets the port on the server to connect to.
530.br
531.BI SetDatabasePath= AUTO|/path
532Path to database (AUTO to tack hostname on compiled-in path).
533.br
534.BI DigestAlgo= SHA1|MD5
535Use SHA1 or MD5 instead of the TIGER checksum (default: TIGER192).
536.br
537.BI RedefReadOnly= +/-XXX,+/-YYY,...
538Add or subtract tests XXX from the ReadOnly policy.
539Tests are: CHK (checksum), LNK (link),
540HLN (hardlink), INO (inode), USR (user), GRP (group), MTM (mtime),
541ATM (atime), CTM (ctime), SIZ (size), RDEV (device numbers)
542and/or MOD (file mode).
543.br
544.BI RedefAttributes= +/-XXX,+/-YYY,...
545Add or subtract tests XXX from the Attributes policy.
546.br
547.BI RedefLogFiles= +/-XXX,+/-YYY,...
548Add or subtract tests XXX from the LogFiles policy.
549.br
550.BI RedefGrowingLogFiles= +/-XXX,+/-YYY,...
551Add or subtract tests XXX from the GrowingLogFiles policy.
552.br
553.BI RedefIgnoreAll= +/-XXX,+/-YYY,...
554Add or subtract tests XXX from the IgnoreAll policy.
555.br
556.BI RedefIgnoreNone= +/-XXX,+/-YYY,...
557Add or subtract tests XXX from the IgnoreNone policy.
558.br
559.BI RedefUser0= +/-XXX,+/-YYY,...
560Add or subtract tests XXX from the User0 policy.
561.br
562.BI RedefUser1= +/-XXX,+/-YYY,...
563Add or subtract tests XXX from the User1 policy.
564.br
565.BI RedefUser2= +/-XXX,+/-YYY,...
566Add or subtract tests XXX from the User2 policy.
567.br
568.BI RedefUser3= +/-XXX,+/-YYY,...
569Add or subtract tests XXX from the User3 policy.
570.br
571.BI RedefUser4= +/-XXX,+/-YYY,...
572Add or subtract tests XXX from the User4 policy.
573.TP
574.B Server Only
575.br
576.BI SetUseSocket= yes|no
577If unset, do not open the command socket. The default is no.
578.br
579.BI SetSocketAllowUid= UID
580Which user can connect to the command socket. The default is 0 (root).
581.br
582.BI SetSocketPassword= password
583Password (max. 14 chars, no '@') for password-based authentication on the
584command socket (only if the OS does not support passing
585credentials via sockets).
586.br
587.BI SetChrootDir= path
588If set, chroot to this directory after startup.
589.br
590.BI SetStripDomain= yes|no
591Whether to strip the domain from the client hostname when
592logging client messages (default: yes).
593.br
594.BI SetClientFromAccept= true|false
595If true, use client address as known to the communication layer. Else
596(default) use client name as claimed by the client, try to verify against
597the address known to the communication layer, and accept
598(with a warning message) even if this fails.
599.br
600.BI UseClientSeverity= yes|no
601Use the severity of client messages.
602.br
603.BI UseClientClass= yes|no
604Use the class of client messages.
605.br
606.BI SetServerPort= number
607The port that the server should use for listening (default is 49777).
608.br
609.BI SetServerInterface= IPaddress
610The IP address (i.e. interface on multi-interface box) that the
611server should use for listening (default is all). Use INADDR_ANY to reset
612to all.
613.br
614.BI SeverityLookup= severity
615Severity of the message on client address != socket peer.
616.br
617.BI UseSeparateLogs= true|false
618If true, messages from different clients will be logged to separate
619log files (the name of the client will be appended to the name of the main
620log file to construct the logfile name).
621.br
622.BI SetClientTimeLimit= seconds
623The maximum time between client messages. If exceeded, a warning will
624be issued (the default is 86400 sec = 1 day).
625.br
626.BI SetUDPActive= yes|no
627yule 1.2.8+: Also listen on 514/udp (syslog).
628
629
630.TP
631.I "[Clients]"
632This section is only relevant if
633.B samhain
634is run as a log server for clients running on another (or the same) machine.
635.br
636.BI Client= hostname @ salt @ verifier
637registers a client at host
638.I hostname
639(fully qualified hostname required) for access to the
640log server.
641Log entries from unregistered clients will not be accepted.
642To generate a salt and a valid verifier, use the command
643.B "samhain -P"
644.IR "password" ,
645where
646.I password
647is the password of the client. A simple utility program
648.B samhain_setpwd
649is provided to re\-set the compiled\-in default password of the client
650executable to a user\-defined
651value.
652.TP
653.I "[EOF]"
654An optional end marker. Everything below is ignored.
655
656.SH SEE ALSO
657.PP
658.BR samhain (8)
659
660.SH AUTHOR
661.PP
662Rainer Wichmann (http://la\-samhna.de)
663
664.SH BUG REPORTS
665.PP
666If you find a bug in
667.BR samhain ,
668please send electronic mail to
669.IR support@la\-samhna.de .
670Please include your operating system and its revision, the version of
671.BR samhain ,
672what C compiler you used to compile it, your 'configure' options, and
673anything else you deem helpful.
674
675.SH COPYING PERMISSIONS
676.PP
677Copyright (\(co) 2000, 2004, 2005 Rainer Wichmann
678.PP
679Permission is granted to make and distribute verbatim copies of
680this manual page provided the copyright notice and this permission
681notice are preserved on all copies.
682.ig
683Permission is granted to process this file through troff and print the
684results, provided the printed document carries copying permission
685notice identical to this one except for the removal of this paragraph
686(this paragraph not being relevant to the printed manual page).
687..
688.PP
689Permission is granted to copy and distribute modified versions of this
690manual page under the conditions for verbatim copying, provided that
691the entire resulting derived work is distributed under the terms of a
692permission notice identical to this one.
693
Note: See TracBrowser for help on using the repository browser.