.TH SAMHAINRC 5 "Jul 29, 2004" "" "samhainrc manual"
.SH NAME
samhainrc \- samhain(8) configuration file

.SH WARNING
.PP
The information in this man page is not always up to date.
The authoritative documentation is the user manual.

.SH DESCRIPTION
.PP
The configuration file for
.BR samhain (8)
is named
.I samhainrc
and located in
.I /etc
by default.
.PP
It contains several sections, indicated by headings in square brackets.
Each section may hold zero or more
.BI key= value
pairs. Blank lines and lines starting with '#' are comments.
Everything before the first section and after an
.I "[EOF]"
is ignored. The file may be (clear text) signed by PGP/GnuPG, and
.B samhain
may invoke GnuPG to check the signature
if compiled with support for it.
.PP
Conditional inclusion of entries for some host(s) is
supported via any number of
.BI @ hostname /@ end
directives.
.BI @ hostname
and
.BI @ end
must each be on separate lines. Lines in between will only be
read if
.I "hostname"
(which may be a regular expression) matches the local host.
.PP
Likewise, conditional inclusion of entries based on system type is
supported via any number of
.BI $ sysname:release:machine /$ end
directives.
.br
.I "sysname:release:machine"
can be inferred from
.I "uname -srm"
and may be a regular expression.
.PP
Filenames/directories to check may be wildcard patterns.
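The file layout described above, as an added example rather than samhain's own code: a small reader that honours comments, section headings, repeated key=value entries, the @hostname/@end and $sysname:release:machine/$end conditional blocks, and the [EOF] marker. The sample configuration, the host name and the uname string are constructed for the example, and all function names are this example's own.

```python
# Added example (not samhain's own code): a minimal reader for the samhainrc
# layout: '#' comments, [Section] headings, key=value pairs, @hostname/@end
# and $sysname:release:machine/$end conditional blocks, and the optional
# [EOF] end marker. Function and variable names are this example's own.
import re
from collections import defaultdict

# Constructed sample configuration, embedded so the example runs offline.
SAMPLE_RC = """\
This preamble precedes the first section and is ignored.
[ReadOnly]
file=/etc/passwd
dir=3/usr/bin
# a comment line
@web0[1-9]\\.example\\.com
dir=/var/www
@end
$Linux:2\\.6\\..*:i686
file=/boot/System.map
$end
$SunOS:.*:.*
file=/kernel/genunix
$end
[Log]
MailSeverity=crit
[EOF]
[Misc]
Daemon=yes
"""


def _matches(pattern, subject):
    """Anchored regular-expression match of the whole subject string."""
    try:
        return re.fullmatch(pattern, subject) is not None
    except re.error:
        return False  # a malformed pattern never matches, so its block is skipped


def parse_samhainrc(text, hostname, uname_srm):
    """Return {section: [(key, value), ...]} for the lines that apply to the
    host 'hostname' and the system 'uname_srm' (the output of uname -srm).
    Keys may repeat (several file=/dir= entries), so values are kept in order.
    """
    sections = defaultdict(list)
    current = None       # section name; None before the first heading
    include = True       # False while inside a non-matching conditional block
    block_end = None     # '@end' or '$end' expected to close the open block
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Block terminators and openers come first, so that a closing
        # directive is honoured even inside a block that is being skipped.
        if line in ("@end", "$end"):
            if line != block_end:
                raise ValueError("unexpected %s without matching opener" % line)
            include, block_end = True, None
            continue
        if line[0] in "@$":
            if block_end is not None:
                raise ValueError("nested conditional blocks are not supported")
            # '$' directives use colons between the fields that uname -srm
            # prints blank-separated, so compare against the colon-joined form.
            subject = hostname if line[0] == "@" else ":".join(uname_srm.split())
            include = _matches(line[1:], subject)
            block_end = line[0] + "end"
            continue
        if not include:
            continue
        if line == "[EOF]":
            break                      # everything after [EOF] is ignored
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            continue
        if current is None:
            continue                   # text before the first section is ignored
        if "=" not in line:
            raise ValueError("malformed entry in [%s]: %r" % (current, line))
        key, _, value = line.partition("=")
        sections[current].append((key.strip(), value.strip()))
    return dict(sections)


def parse_sample(hostname="web03.example.com", uname_srm="Linux 2.6.9 i686"):
    """Parse the constructed sample as seen from a given host and system."""
    return parse_samhainrc(SAMPLE_RC, hostname, uname_srm)
```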
.PP
Options given on the command line will override
those in the configuration file.
.PP
Boolean options can be set with any of 1|true|yes or 0|false|no.
.PP
The recognized sections in the configuration file are as follows:
.TP
.I "[ReadOnly]"
This section may contain
.br
.BI file= PATH
and
.br
.BI dir= [depth]PATH
entries for files and directories to check. All modifications except access
times will be reported for these files.
.I [depth] (use without brackets)
is an optional parameter to define a per\-directory recursion
depth.
.TP
.I "[LogFiles]"
As above, but modifications of timestamps, file size, and signature will
be ignored.
.TP
.I "[GrowingLogFiles]"
As above, but modifications of file size will only be ignored if the size has
.IR increased .
.TP
.I "[Attributes]"
As above, but only modifications of ownership and access permissions
will be checked.
.TP
.I "[IgnoreAll]"
As above, but report no modifications for
these files/directories. Access failures
will still be reported.
.TP
.I "[IgnoreNone]"
As above, but report all modifications for these files/directories,
including access time.
.TP
.I "[User0]"
.TP
.I "[User1]"
.TP
.I "[User2]"
.TP
.I "[User3]"
.TP
.I "[User4]"
These are reserved for user-defined policies.
.TP
.I "[Prelink]"
For prelinked executables / libraries or directories holding them.
.TP
.I "[Log]"
This section defines the filtering rules for logging.
It may contain the following entries:
.br
.BI  MailSeverity= val
where the threshold value
.I val
may be one of
.IR debug ,
.IR info ,
.IR notice ,
.IR warn ,
.IR mark ,
.IR err ,
.IR crit ,
.IR alert ,
or
.IR none .
By default, everything equal to and above the threshold will be logged.
The specifiers
.IR * ,
.IR ! ,
and
.I =
are interpreted as 'all', 'all but', and 'only', respectively (like
in the Linux version of syslogd(8)).
Time stamps have the priority
.IR warn ,
system\-level errors have the priority
.IR err ,
and important start\-up messages the priority
.IR alert .
The signature key for the log file will never be logged to syslog or the
log file itself.
For failures to verify file integrity, error levels are defined
in the next section.
.br
.BI  PrintSeverity= val,
.br
.BI  LogSeverity= val,
.br
.BI  ExportSeverity= val,
.br
.BI  ExternalSeverity= val,
.br
.BI  PreludeSeverity= val,
.br
.BI  DatabaseSeverity= val,
and
.br
.BI  SyslogSeverity= val
set the thresholds for logging via stdout (or
.IR /dev/console ),
log file, TCP forwarding, calling external programs, prelude,
a database, and
.BR syslog (3),
respectively.
.TP
.I "[EventSeverity]"
.BI  SeverityReadOnly= val,
.br
.BI  SeverityLogFiles= val,
.br
.BI  SeverityGrowingLogs= val,
.br
.BI  SeverityIgnoreNone= val,
.br
.BI  SeverityIgnoreAll= val,
.br
.BI  SeverityPrelink= val,
.br
.BI  SeverityUser0= val,
.br
.BI  SeverityUser1= val,
.br
.BI  SeverityUser2= val,
.br
.BI  SeverityUser3= val,
and
.br
.BI  SeverityUser4= val
define the error levels for failures to verify the integrity of
files/directories of the respective types. I.e. if such a file shows
unexpected modifications, an error of level
.I val
will be generated, and logged to all facilities whose threshold is at or below
.IR val .
.br
.BI  SeverityFiles= val
sets the error level for file access problems, and
.br
.BI  SeverityDirs= val
for directory access problems.
.br
.BI SeverityNames= val
sets the error level for obscure file names
(e.g. non\-printable characters), and for files
with invalid UIDs/GIDs.
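The threshold logic of the [Log] and [EventSeverity] sections, as an added example rather than samhain's own code: a facility threshold such as "err", "*", "!warn", "=crit" or "none" is expanded into the set of severities it accepts, and an event of a given level is routed to the facilities that accept it. The '!' form is implemented with the syslogd(8) reading the text refers to (everything below the named severity), the [Log] section shown is constructed, and the function names are this example's own.

```python
# Added example (not samhain's own code): threshold specifiers from [Log] and
# the routing of [EventSeverity] events to logging facilities. Assumption:
# "!val" means everything below val, as in the Linux syslogd(8) the page cites.

# Severity names in ascending order of priority, as listed for MailSeverity.
SEVERITIES = ["debug", "info", "notice", "warn", "mark", "err", "crit", "alert"]


def accepted_levels(threshold):
    """Set of severity names accepted by one threshold specifier."""
    spec = threshold.strip().lower()
    if spec == "none":
        return set()                          # facility switched off
    if spec == "*":
        return set(SEVERITIES)                # 'all'
    op, name = "", spec
    if spec and spec[0] in "!=":
        op, name = spec[0], spec[1:]
    if name not in SEVERITIES:
        raise ValueError("unknown severity: %r" % threshold)
    idx = SEVERITIES.index(name)
    if op == "=":
        return {name}                         # 'only': exactly this level
    if op == "!":
        return set(SEVERITIES[:idx])          # 'all but': levels below this one
    return set(SEVERITIES[idx:])              # default: this level and above


def route_event(level, thresholds):
    """Facilities (keys of 'thresholds', e.g. 'LogSeverity') that receive
    an event generated at severity 'level'."""
    if level not in SEVERITIES:
        raise ValueError("unknown severity: %r" % level)
    return sorted(f for f, t in thresholds.items() if level in accepted_levels(t))


# Constructed [Log] section, as an administrator might write it.
LOG_SECTION = {
    "MailSeverity": "crit",      # mail only crit and alert
    "PrintSeverity": "none",     # nothing on stdout
    "LogSeverity": "warn",       # warn and above into the log file
    "SyslogSeverity": "!mark",   # everything below mark to syslog
    "ExportSeverity": "=err",    # only err to the log server
}


def example_routes():
    """Where events raised under SeverityReadOnly=crit and SeverityFiles=err
    end up with the constructed [Log] section above."""
    return {
        "SeverityReadOnly=crit": route_event("crit", LOG_SECTION),
        "SeverityFiles=err": route_event("err", LOG_SECTION),
    }
```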
.TP
.I "[External]"
.BI OpenCommand= path
Start the definition of an external logging program or script.
.br
.BI SetType= log|srv
Type/purpose of program (log for logging).
.br
.BI SetCommandline= list
Command line options.
.br
.BI SetEnviron= KEY=val
Environment for external program.
.br
.BI SetChecksum= val
Checksum of the external program (checked before invoking).
.br
.BI SetCredentials= username
User the program will run as.
.br
.BI SetFilterNot= list
Words not allowed in message.
.br
.BI SetFilterAnd= list
Words required (ALL) in message.
.br
.BI SetFilterOr= list
Words required (at least one) in message.
.br
.BI SetDeadtime= seconds
Time between consecutive calls.
.TP
.I "[Utmp]"
Configuration for watching login/logout events.
.br
.BI LoginCheckActive= 0|1
Switch off/on login/logout reporting.
.br
.BI LoginCheckInterval= val
Interval (seconds) between checks for login/logout events.
.br
.BI SeverityLogin= val
.br
.BI SeverityLoginMulti= val
.br
.BI SeverityLogout= val
Severity levels for logins, multiple logins
by same user, and logouts.
.TP
.I "[Kernel]"
Configuration for detecting kernel rootkits.
.br
.BI KernelCheckActive= 0|1
Switch off/on checking of kernel syscalls to detect kernel module rootkits.
.br
.BI KernelCheckInterval= val
Interval (seconds) between checks.
.br
.BI SeverityKernel= val
Severity level for clobbered kernel syscalls.
.br
.BI KernelCheckIDT= 0|1
Whether to check the interrupt descriptor table.
.br
.BI KernelSystemCall= address
The address of system_call (grep system_call System.map).
Required after a kernel update.
.br
.BI KernelProcRoot= address
The address of proc_root (grep ' proc_root$' System.map).
Required after a kernel update.
.br
.BI KernelProcRootIops= address
The address of proc_root_inode_operations
(grep proc_root_inode_operations System.map).
Required after a kernel update.
.br
.BI KernelProcRootLookup= address
The address of proc_root_lookup (grep proc_root_lookup System.map).
Required after a kernel update.
.TP
.I "[SuidCheck]"
Settings for finding SUID/SGID files on disk.
.br
.BI SuidCheckActive= 0|1
Switch off/on the check.
.br
.BI SuidCheckExclude= path
A directory (and its subdirectories)
to exclude from the check. Only one directory can be specified this way.
.br
.BI SuidCheckSchedule= schedule
Crontab-like schedule for checks.
.br
.BI SeveritySuidCheck= severity
Severity for events.
.br
.BI SuidCheckFps= fps
Limit files per second for the SUID check.
.br
.BI SuidCheckNosuid= 0|1
Check filesystems mounted as nosuid. Defaults to no.
.br
.BI SuidCheckQuarantineFiles= 0|1
Whether to quarantine files. Defaults to no.
.br
.BI SuidCheckQuarantineMethod= 0|1|2
Quarantine method. Delete = 0, remove suid/sgid flags = 1, move to quarantine directory = 2. Defaults to 1 (remove suid/sgid flags).
.TP
.I "[Mounts]"
Configuration for checking mounts.
.br
.BI MountCheckActive= 0|1
Switch off/on this module.
.br
.BI MountCheckInterval= seconds
The interval between checks (default 300).
.br
.BI SeverityMountMissing= severity
Severity for reports on missing mounts.
.br
.BI SeverityOptionMissing= severity
Severity for reports on missing mount options.
.br
.BI CheckMount= "path [mount_options]"
.br
Mount point to check. Mount options must be given as a
comma-separated list, separated by a blank from the preceding mount point.
.TP
.I "[UserFiles]"
Configuration for checking paths relative to user home directories.
.br
.BI UserFilesActive= 0|1
Switch off/on this module.
.br
.BI UserFilesName= "filename policy"
.br
Files to check for under each $HOME. Allowed values for 'policy'
are: allignore, attributes, logfiles, loggrow, noignore (default),
readonly, user0, user1, user2, user3, and user4.
.br
.BI UserFilesCheckUids= uid_list
A list of UIDs for which to check. The default
is all. Ranges (e.g. 100-500) are allowed. If there is an open range (e.g.
1000-), it must be last in the list.
.TP
.I "[ProcessCheck]"
Settings for finding hidden, fake, or required processes on the local host.
.br
.BI ProcessCheckActive= 0|1
Switch off/on the check.
.br
.BI ProcessCheckInterval= seconds
The interval between checks (default 300).
.br
.BI SeverityProcessCheck= severity
Severity for events (default crit).
.br
.BI ProcessCheckMinPID= pid
The minimum PID to check (default 0).
.br
.BI ProcessCheckMaxPID= pid
The maximum PID to check (default 32767).
.br
.BI ProcessCheckPSPath= path
The path to ps (autodetected at compile time).
.br
.BI ProcessCheckPSArg= argument
The argument to ps (autodetected at compile time).
Must yield PID in first column.
.br
.BI ProcessCheckExists= regular_expression
Check for existence of a process matching the given regular expression.
.TP
.I "[PortCheck]"
Settings for checking open ports on the local host.
.br
.BI PortCheckActive= 0|1
Switch off/on the check.
.br
.BI PortCheckInterval= seconds
The interval between checks (default 300).
.br
.BI PortCheckUDP= yes|no
Whether to check UDP ports as well (default yes).
.br
.BI SeverityPortCheck= severity
Severity for events (default crit).
.br
.BI PortCheckInterface= ip_address
Additional interface to check.
.br
.BI PortCheckOptional= ip_address:list
Ports that may, but need not, be open. The ip_address is the one
of the interface, the list must be
comma or whitespace separated, each item must be (port|service)/protocol,
e.g. 22/tcp,nfs/tcp,nfs/udp.
.br
.BI PortCheckRequired= ip_address:list
Ports that are required to be open. The ip_address is the one
of the interface, the list must be
comma or whitespace separated, each item must be (port|service)/protocol,
e.g. 22/tcp,nfs/tcp,nfs/udp.
.TP
.I "[Database]"
Settings for
.I logging
to a database.
.br
.BI SetDBHost= db_host
Host where the DB server runs (default: localhost).
Should be a numeric IP address for PostgreSQL.
.br
.BI SetDBName= db_name
Name of the database (default: samhain).
.br
.BI SetDBTable= db_table
Name of the database table (default: log).
.br
.BI SetDBUser= db_user
Connect as this user (default: samhain).
.br
.BI SetDBPassword= db_password
Use this password (default: none).
.br
.BI SetDBServerTstamp= true|false
Log server timestamp for client messages (default: true).
.br
.BI UsePersistent= true|false
Use a persistent connection (default: true).
.TP
.I "[Misc]"
.BI Daemon= no|yes
Detach from controlling terminal to become a daemon.
.br
.BI  MessageHeader= format
Custom format for message header. Replacements:
.I %F
source file name,
.I %L
source file line,
.I %S
severity,
.I %T
timestamp,
.I %C
message class.
.br
.BI VersionString= string
Set version string to include in file signature database
(along with hostname and date).
.br
.BI SetReverseLookup= true|false
If false, skip reverse lookups when connecting to a host known by name
rather than IP address.
.br
.BI  HideSetup= yes|no
Don't log name of config/database files on startup.
.br
.BI  SyslogFacility= facility
Set the syslog facility to use. Default is LOG_AUTHPRIV.
.br
.BI MACType= HASH-TIGER|HMAC-TIGER
Set type of message authentication code (HMAC).
Must be identical on client and server.
.br
.BI SetLoopTime= val
Defines the interval (in seconds) for timestamps.
.br
.BI SetConsole= device
Set the console device (default /dev/console).
.br
.BI MessageQueueActive= 1|0
Whether to use a SysV IPC message queue.
.br
.BI PreludeMapToInfo= "list of severities"
The severities (see section
.IR [Log] )
that should be mapped to impact
severity
.I info
in prelude.
.br
.BI PreludeMapToLow= "list of severities"
The severities (see section
.IR [Log] )
that should be mapped to impact
severity
.I low
in prelude.
.br
.BI PreludeMapToMedium= "list of severities"
The severities (see section
.IR [Log] )
that should be mapped to impact
severity
.I medium
in prelude.
.br
.BI PreludeMapToHigh= "list of severities"
The severities (see section
.IR [Log] )
that should be mapped to impact
severity
.I high
in prelude.
.br
.BI SetMailTime= val
defines the maximum interval (in seconds) between successive e\-mail reports.
Mail might be empty if there are no events to report.
.br
.BI SetMailNum= val
defines the maximum number of messages that are stored before e\-mailing them.
Messages of highest priority are always sent immediately.
.br
.BI SetMailAddress= username @ host
sets the recipient address for mailing.
.I "No aliases should be used."
For security, you should prefer a numerical host address.
.br
.BI SetMailRelay= server
sets the hostname for the mail relay server (if you need one).
If no relay server is given, mail is sent directly to the host given in the
mail address, otherwise it is sent to the relay server, which should
forward it to the given address.
.br
.BI SetMailSubject= val
defines a custom format for the subject of an email message.
.br
.BI SetMailSender= val
defines the sender for the 'From:' field of a message.
.br
.BI SetMailFilterAnd= list
defines a list of strings all of which must match a message, otherwise
it will not be mailed.
.br
.BI SetMailFilterOr= list
defines a list of strings at least one of which must match a message, otherwise
it will not be mailed.
.br
.BI SetMailFilterNot= list
defines a list of strings none of which should match a message, otherwise
it will not be mailed.
.br
.BI SamhainPath= /path/to/binary
sets the path to the samhain binary. If set, samhain will checksum
its own binary both on startup and termination, and compare both.
.br
.BI SetBindAddress= IP_address
The IP address (i.e. interface on multi-interface box) to use
for outgoing connections.
.br
.BI SetTimeServer= server
sets the hostname for the time server.
.br
.BI TrustedUser= name|uid
Add a user to the set of trusted users (root and the effective user
are always trusted; up to 7 more users can be added).
.br
.BI SetLogfilePath= AUTO|/path
Path to logfile (AUTO to tack hostname on compiled-in path).
.br
.BI SetLockfilePath= AUTO|/path
Path to lockfile (AUTO to tack hostname on compiled-in path).
.TP
.B Standalone or client only
.br
.BI SetNiceLevel= -19..19
Set scheduling priority during file check.
.br
.BI SetIOLimit= bps
Set IO limits (kilobytes per second) for file check.
.br
.BI SetFilecheckTime= val
Defines the interval (in seconds) between successive file checks.
.br
.BI FileCheckScheduleOne= schedule
Crontab-like schedule for file checks. If used,
.I SetFilecheckTime
is ignored.
.br
.BI UseHardlinkCheck= yes|no
Compare number of hardlinks to number of subdirectories for directories.
.br
.BI HardlinkOffset= N:/path
Exception (use multiple times for multiple
exceptions). N is offset (actual - expected hardlinks) for /path.
.br
.BI AddOKChars= N1,N2,..
List of additional acceptable characters (byte value(s)) for the check for
weird filenames. Nn may be hex (leading '0x': 0xNN), octal
(leading zero: 0NNN), or decimal.
Use
.I all
for all.
.br
.BI FilenamesAreUTF8= yes|no
Whether filenames are UTF-8 encoded (defaults to no). If yes, filenames
are checked for invalid UTF-8 encoding and for ending in invisible characters.
.br
.BI IgnoreAdded= path_regex
Ignore if this file/directory is added/created.
.br
.BI IgnoreMissing= path_regex
Ignore if this file/directory is missing/deleted.
.br
.BI ReportOnlyOnce= yes|no
Report only once on a modified file (default yes).
.br
.BI  ReportFullDetail= yes|no
Report in full detail on modified files (not only modified items).
.br
.BI UseLocalTime= yes|no
Report file timestamps in local time rather than GMT (default no).
Do not use this with Beltane.
.br
.BI  ChecksumTest= {init|update|check|none}
defines whether to initialize/update the database or verify files against it.
If 'none', you should supply the required option on the command line.
.br
.BI SetPrelinkPath= path
Path of the prelink executable (default /usr/sbin/prelink).
.br
.BI SetPrelinkChecksum= checksum
TIGER192 checksum of the prelink executable (no default).
.br
.BI SetLogServer= server
sets the hostname for the log server.
.br
.BI SetServerPort= portnumber
sets the port on the server to connect to.
.br
.BI SetDatabasePath= AUTO|/path
Path to database (AUTO to tack hostname on compiled-in path).
.br
.BI DigestAlgo= SHA1|MD5
Use SHA1 or MD5 instead of the TIGER checksum (default: TIGER192).
.br
.BI RedefReadOnly= +/-XXX,+/-YYY,...
Add or subtract tests XXX from the ReadOnly policy.
Tests are: CHK (checksum), TXT (store literal content), LNK (link),
HLN (hardlink), INO (inode), USR (user), GRP (group), MTM (mtime),
ATM (atime), CTM (ctime), SIZ (size), RDEV (device numbers)
and/or MOD (file mode).
.br
.BI RedefAttributes= +/-XXX,+/-YYY,...
Add or subtract tests XXX from the Attributes policy.
.br
.BI RedefLogFiles= +/-XXX,+/-YYY,...
Add or subtract tests XXX from the LogFiles policy.
.br
.BI RedefGrowingLogFiles= +/-XXX,+/-YYY,...
Add or subtract tests XXX from the GrowingLogFiles policy.
.br
.BI RedefIgnoreAll= +/-XXX,+/-YYY,...
Add or subtract tests XXX from the IgnoreAll policy.
.br
.BI RedefIgnoreNone= +/-XXX,+/-YYY,...
Add or subtract tests XXX from the IgnoreNone policy.
.br
.BI RedefUser0= +/-XXX,+/-YYY,...
Add or subtract tests XXX from the User0 policy.
.br
.BI RedefUser1= +/-XXX,+/-YYY,...
Add or subtract tests XXX from the User1 policy.
.br
.BI RedefUser2= +/-XXX,+/-YYY,...
Add or subtract tests XXX from the User2 policy.
.br
.BI RedefUser3= +/-XXX,+/-YYY,...
Add or subtract tests XXX from the User3 policy.
.br
.BI RedefUser4= +/-XXX,+/-YYY,...
Add or subtract tests XXX from the User4 policy.
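The RedefXXX= policy redefinition described above, as an added example rather than samhain's own code: a "+/-XXX,+/-YYY,..." list is validated against the test names the page lists and applied to a policy's set of tests. The base test sets are an assumption derived from the policy descriptions in this page (ReadOnly: everything except atime, with literal-content storage left opt-in; Attributes: user, group and mode), not values taken from samhain, and the function names are this example's own.

```python
# Added example (not samhain's own code): applying a RedefXXX= specification
# such as "-CTM,+ATM" to a policy's set of tests. The BASE_POLICIES sets are an
# assumption read off the policy descriptions in this man page, not samhain's
# actual defaults; ALL_TESTS is the list given for RedefReadOnly.
ALL_TESTS = {"CHK", "TXT", "LNK", "HLN", "INO", "USR", "GRP",
             "MTM", "ATM", "CTM", "SIZ", "RDEV", "MOD"}

BASE_POLICIES = {                               # assumption, see above
    "ReadOnly": ALL_TESTS - {"ATM", "TXT"},     # all but access time (TXT opt-in)
    "Attributes": {"USR", "GRP", "MOD"},        # ownership and permissions only
    "IgnoreAll": set(),                         # report nothing
    "IgnoreNone": ALL_TESTS - {"TXT"},          # everything, atime included
}


def parse_redef(spec):
    """Turn '+/-XXX,+/-YYY,...' into [(add, TEST), ...], rejecting items
    that lack a sign or name a test not in the documented list."""
    ops = []
    for item in spec.split(","):
        item = item.strip().upper()
        if not item:
            continue                            # tolerate a trailing comma
        if item[0] not in "+-":
            raise ValueError("missing +/- sign: %r" % item)
        test = item[1:]
        if test not in ALL_TESTS:
            raise ValueError("unknown test: %r" % test)
        ops.append((item[0] == "+", test))
    return ops


def redefine(policy, spec):
    """Effective test set of 'policy' after applying the Redef spec in order,
    so a later '-XXX' undoes an earlier '+XXX' and vice versa."""
    tests = set(BASE_POLICIES[policy])
    for add, test in parse_redef(spec):
        if add:
            tests.add(test)
        else:
            tests.discard(test)
    return tests
```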
.TP
.B Server Only
.br
.BI SetUseSocket= yes|no
If not set to yes, the command socket is not opened. The default is no.
.br
.BI SetSocketAllowUid= UID
Which user can connect to the command socket. The default is 0 (root).
.br
.BI SetSocketPassword= password
Password (max. 14 chars, no '@') for password-based authentication on the
command socket (only if the OS does not support passing
credentials via sockets).
.br
.BI SetChrootDir= path
If set, chroot to this directory after startup.
.br
.BI SetStripDomain= yes|no
Whether to strip the domain from the client hostname when
logging client messages (default: yes).
.br
.BI SetClientFromAccept= true|false
If true, use client address as known to the communication layer. Else
(default) use client name as claimed by the client, try to verify against
the address known to the communication layer, and accept
(with a warning message) even if this fails.
.br
.BI  UseClientSeverity= yes|no
Use the severity of client messages.
.br
.BI  UseClientClass= yes|no
Use the class of client messages.
.br
.BI SetServerPort= number
The port that the server should use for listening (default is 49777).
.br
.BI SetServerInterface= IPaddress
The IP address (i.e. interface on multi-interface box) that the
server should use for listening (default is all). Use INADDR_ANY to reset
to all.
.br
.BI  SeverityLookup= severity
Severity of the message issued when the client address does not match
the socket peer.
.br
.BI UseSeparateLogs= true|false
If true, messages from different clients will be logged to separate
log files (the name of the client will be appended to the name of the main
log file to construct the logfile name).
.br
.BI  SetClientTimeLimit= seconds
The maximum time between client messages. If exceeded, a warning will
be issued (the default is 86400 sec = 1 day).
.br
.BI SetUDPActive= yes|no
yule 1.2.8+: Also listen on 514/udp (syslog).
.TP
.I "[Clients]"
This section is only relevant if
.B samhain
is run as a log server for clients running on another (or the same) machine.
.br
.BI Client= hostname @ salt @ verifier
registers a client at host
.I hostname
(fully qualified hostname required) for access to the
log server.
Log entries from unregistered clients will not be accepted.
To generate a salt and a valid verifier, use the command
.B "samhain -P"
.IR "password" ,
where
.I password
is the password of the client. A simple utility program
.B samhain_setpwd
is provided to re\-set the compiled\-in default password of the client
executable to a user\-defined
value.
.TP
.I "[EOF]"
An optional end marker. Everything below is ignored.

.SH SEE ALSO
.PP
.BR samhain (8)

.SH AUTHOR
.PP
Rainer Wichmann (http://la\-samhna.de)

.SH BUG REPORTS
.PP
If you find a bug in
.BR samhain ,
please send electronic mail to
.IR support@la\-samhna.de .
Please include your operating system and its revision, the version of
.BR samhain ,
what C compiler you used to compile it, your 'configure' options, and
anything else you deem helpful.

.SH COPYING PERMISSIONS
.PP
Copyright (\(co) 2000, 2004, 2005 Rainer Wichmann
.PP
Permission is granted to make and distribute verbatim copies of
this manual page provided the copyright notice and this permission
notice are preserved on all copies.
.ig
Permission is granted to process this file through troff and print the
results, provided the printed document carries copying permission
notice identical to this one except for the removal of this paragraph
(this paragraph not being relevant to the printed manual page).
..
.PP
Permission is granted to copy and distribute modified versions of this
manual page under the conditions for verbatim copying, provided that
the entire resulting derived work is distributed under the terms of a
permission notice identical to this one.