source: trunk/man/samhainrc.5@ 111

Last change on this file since 111 was 77, checked in by rainer, 18 years ago

Fix for ticket #40 (No update if ReportOnlyOnce = False), and documentation
update.

File size: 21.1 KB
.TH SAMHAINRC 5 "Jul 29, 2004" "" "samhainrc manual"
.SH NAME
samhainrc \- samhain(8) configuration file

.SH WARNING
.PP
The information in this man page is not always up to date.
The authoritative documentation is the user manual.

.SH DESCRIPTION
.PP
The configuration file for
.BR samhain (8)
is named
.I samhainrc
and located in
.I /etc
by default.
.PP
It contains several sections, indicated by headings in square brackets.
Each section may hold zero or more
.BI key= value
pairs. Blank lines and lines starting with '#' are comments.
Everything before the first section and after an
.I "[EOF]"
is ignored. The file may be (clear text) signed by PGP/GnuPG, and
.B samhain
may invoke GnuPG to check the signature
if compiled with support for it.
.PP
Conditional inclusion of entries for some host(s) is
supported via any number of
.BI @ hostname /@ end
directives.
.BI @ hostname
and
.BI @ end
must each be on separate lines. Lines in between will only be
read if
.I "hostname"
(which may be a regular expression) matches the local host.
.PP
Likewise, conditional inclusion of entries based on system type is
supported via any number of
.BI $ sysname:release:machine /$ end
directives.
.br
.I "sysname:release:machine"
can be inferred from
.I "uname -srm"
and may be a regular expression.
.PP
Filenames/directories to check may be wildcard patterns.
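.PP
An added example, not taken from the samhain distribution, of the file layout described above: comments, a conditional block for hosts whose name matches a pattern, a conditional block keyed on the output of uname -srm, and the [EOF] marker. The hostname pattern, the paths and the release pattern are constructed for illustration.

```ini
# Added example of the samhainrc layout described above; not from the
# samhain distribution. Hostname pattern, paths and the release pattern
# are constructed for illustration.

Anything written before the first section heading is ignored.

[ReadOnly]
# Read on every host: any change except the access time is reported.
dir=/usr/sbin
file=/etc/passwd

# The lines between @hostname and @end are only read if hostname
# (a regular expression) matches the local host.
@web[0-9]+
dir=3/var/www
@end

# The lines between $sysname:release:machine and $end are only read if
# the pattern matches what "uname -srm" prints on this host.
$Linux:2.6.*:x86_64
file=/boot/vmlinuz
$end

[Misc]
# Boolean options accept 1|true|yes or 0|false|no.
Daemon=yes

[EOF]
Everything after the [EOF] marker is ignored as well.
```
.PP
The "3" in front of /var/www is the per\-directory recursion depth written without brackets, as the [ReadOnly] description below specifies.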
.PP
Options given on the command line will override
those in the configuration file.
Boolean options can be set with any of 1|true|yes or 0|false|no.
.PP
The recognized sections in the configuration file are as follows:
.TP
.I "[ReadOnly]"
This section may contain
.br
.BI file= PATH
and
.br
.BI dir= [depth]PATH
entries for files and directories to check. All modifications except access
times will be reported for these files.
.I [depth] (use without brackets)
is an optional parameter to define a per\-directory recursion
depth.
.TP
.I "[LogFiles]"
As above, but modifications of timestamps, file size, and signature will
be ignored.
.TP
.I "[GrowingLogFiles]"
As above, but modifications of file size will only be ignored if the size has
.IR increased .
.TP
.I "[Attributes]"
As above, but only modifications of ownership and access permissions
will be checked.
.TP
.I "[IgnoreAll]"
As above, but report no modifications for
these files/directories. Access failures
will still be reported.
.TP
.I "[IgnoreNone]"
As above, but report all modifications for these files/directories,
including access time.
.TP
.I "[User0]"
.TP
.I "[User1]"
.TP
.I "[User2]"
.TP
.I "[User3]"
.TP
.I "[User4]"
These are reserved for user-defined policies.
.TP
.I "[Prelink]"
For prelinked executables / libraries or directories holding them.
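.PP
An added example, not from the samhain distribution, of the file policy sections described above, with one entry per policy so the differences are visible side by side. The paths are constructed for illustration.

```ini
# Added example of the file policy sections; not from the samhain
# distribution. Paths are constructed for illustration.

[ReadOnly]
# Report every change except the access time. A leading number on a
# dir= entry is the per-directory recursion depth (no brackets).
dir=/sbin
dir=/usr/sbin
dir=2/etc
file=/etc/shadow
# Wildcard patterns are allowed.
file=/etc/ld.so.conf*

[LogFiles]
# Timestamps, size and checksum may change; owner, group and mode may not.
file=/var/log/secure
file=/var/log/wtmp

[GrowingLogFiles]
# Like LogFiles, but a size change is only ignored if the file grew;
# a log that shrinks (truncated by an intruder) is reported.
file=/var/log/messages

[Attributes]
# Only ownership and permissions are checked.
dir=/etc/cron.d

[IgnoreAll]
# Never report modifications, but still report if the path cannot be read.
dir=/var/spool/mail

[IgnoreNone]
# Report every change including the access time; suitable for a bait
# file that nobody has a legitimate reason to read.
file=/root/.credentials.bak

[User0]
# User-defined policy; which tests it runs is set with RedefUser0 in [Misc].
dir=/opt/app/conf

[Prelink]
# Binaries and libraries that prelink rewrites; checked with the prelink
# executable named by SetPrelinkPath in [Misc].
dir=/usr/lib
```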
.TP
.I "[Log]"
This section defines the filtering rules for logging.
It may contain the following entries:
.br
.BI MailSeverity= val
where the threshold value
.I val
may be one of
.IR debug ,
.IR info ,
.IR notice ,
.IR warn ,
.IR mark ,
.IR err ,
.IR crit ,
.IR alert ,
or
.IR none .
By default, everything equal to and above the threshold will be logged.
The specifiers
.IR * ,
.IR ! ,
and
.I =
are interpreted as 'all', 'all but', and 'only', respectively (like
in the Linux version of syslogd(8)).
Time stamps have the priority
.IR warn ,
system\-level errors have the priority
.IR err ,
and important start\-up messages the priority
.IR alert .
The signature key for the log file will never be logged to syslog or the
log file itself.
For failures to verify file integrity, error levels are defined
in the next section.
.br
.BI PrintSeverity= val,
.br
.BI LogSeverity= val,
.br
.BI ExportSeverity= val,
.br
.BI ExternalSeverity= val,
.br
.BI PreludeSeverity= val,
.br
.BI DatabaseSeverity= val,
and
.br
.BI SyslogSeverity= val
set the thresholds for logging via stdout (or
.IR /dev/console ),
log file, TCP forwarding, calling external programs,
and
.BR syslog (3).
.TP
.I "[EventSeverity]"
.BI SeverityReadOnly= val,
.br
.BI SeverityLogFiles= val,
.br
.BI SeverityGrowingLogs= val,
.br
.BI SeverityIgnoreNone= val,
.br
.BI SeverityIgnoreAll= val,
.br
.BI SeverityPrelink= val,
.br
.BI SeverityUser0= val,
.br
.BI SeverityUser1= val,
.br
.BI SeverityUser2= val,
.br
.BI SeverityUser3= val,
and
.br
.BI SeverityUser4= val
define the error levels for failures to verify the integrity of
files/directories of the respective types. I.e. if such a file shows
unexpected modifications, an error of level
.I val
will be generated, and logged to all facilities with a threshold of at least
.IR val .
.br
.BI SeverityFiles= val
sets the error level for file access problems, and
.br
.BI SeverityDirs= val
for directory access problems.
.br
.BI SeverityNames= val
sets the error level for obscure file names
(e.g. non\-printable characters), and for files
with invalid UIDs/GIDs.
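.PP
An added example, not from the samhain distribution, that ties the two sections above together: [EventSeverity] assigns a level to each kind of policy violation, and [Log] decides which facility receives messages at or above which level. The levels chosen are illustrative; the doubled '=' in the SyslogSeverity line is the 'only' specifier written in front of the level, as the specifier description above implies.

```ini
# Added example of logging thresholds and event severities; not from
# the samhain distribution. Levels are chosen for illustration.

[Log]
# Each facility receives everything at or above its threshold.
# Console: only crit and above.
PrintSeverity=crit
# Local log file: warn and above (this includes the time stamps).
LogSeverity=warn
# TCP forwarding to the log server: err and above.
ExportSeverity=err
# syslog(3): the '=' ("only") specifier restricts this to exactly crit.
SyslogSeverity==crit
# Database: the '*' ("all") specifier keeps a complete record.
DatabaseSeverity=*
# External programs: never called.
ExternalSeverity=none
# Mail: alert only, so a mailbox flood cannot drown the important ones.
MailSeverity=alert

[EventSeverity]
# A changed read-only file or prelinked binary is the most serious case
# and reaches console, log file, server, syslog and database.
SeverityReadOnly=crit
SeverityPrelink=crit
# Log files change by design; only non-growing ones deserve a warning.
SeverityLogFiles=warn
SeverityGrowingLogs=notice
# Bait files watched with IgnoreNone: any access is worth a warning.
SeverityIgnoreNone=warn
SeverityIgnoreAll=info
SeverityUser0=err
# Access problems and odd file names.
SeverityFiles=err
SeverityDirs=err
SeverityNames=warn
```
.PP
With these values a modified file under [ReadOnly] produces a crit message that every facility except mail accepts, while a growing log file produces a notice that only the database records.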
.TP
.I "[External]"
.BI OpenCommand= path
Start the definition of an external logging program|script.
.br
.BI SetType= log|srv
Type/purpose of program (log for logging).
.br
.BI SetCommandline= list
Command line options.
.br
.BI SetEnviron= KEY=val
Environment for external program.
.br
.BI SetChecksum= val
Checksum of the external program (checked before invoking).
.br
.BI SetCredentials= username
User as whom the program will run.
.br
.BI SetFilterNot= list
Words not allowed in message.
.br
.BI SetFilterAnd= list
Words required (ALL) in message.
.br
.BI SetFilterOr= list
Words required (at least one) in message.
.br
.BI SetDeadtime= seconds
Minimum time (seconds) between consecutive calls.
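.PP
An added example, not from the samhain distribution, of one complete external program definition. The script path, the account it runs as and the filter words are constructed; the checksum is a placeholder for the real TIGER192 checksum of the script. That one SetEnviron line sets one variable, so that several lines are needed for several variables, is an assumption drawn from the KEY=val form shown above.

```ini
# Added example of an [External] program definition; not from the
# samhain distribution. Script path, account, filter words and the
# deadtime are constructed; the checksum is a placeholder.

[External]
# OpenCommand starts a definition; the Set* lines that follow belong to it.
OpenCommand=/usr/local/sbin/samhain-pager.sh
SetType=log
# Command line options passed to the script.
SetCommandline=--urgent
# Environment for the child (assumed: one variable per SetEnviron line).
SetEnviron=PATH=/usr/bin:/bin
SetEnviron=HOME=/var/lib/samhain
# Checksum of the script, verified before every call, so a script that
# has been replaced is not executed with samhain's privileges.
# Placeholder: put the real TIGER192 checksum of the script here.
SetChecksum=TIGER192_CHECKSUM_PLACEHOLDER
# Run the script as an unprivileged account, not as root.
SetCredentials=nobody
# Forward only messages containing POLICY ...
SetFilterAnd=POLICY
# ... and at least one of these policy names ...
SetFilterOr=ReadOnly,Prelink
# ... and none of these words.
SetFilterNot=Test
# Never call the script more often than once every 300 seconds.
SetDeadtime=300
```
.PP
The messages that reach the script are further limited by ExternalSeverity in [Log]; with ExternalSeverity=none the definition above is never used.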
.TP
.I "[Utmp]"
Configuration for watching login/logout events.
.br
.BI LoginCheckActive= 0|1
Switch off/on login/logout reporting.
.br
.BI LoginCheckInterval= val
Interval (seconds) between checks for login/logout events.
.br
.BI SeverityLogin= val
.br
.BI SeverityLoginMulti= val
.br
.BI SeverityLogout= val
Severity levels for logins, multiple logins
by the same user, and logouts.
.TP
.I "[Kernel]"
Configuration for detecting kernel rootkits.
.br
.BI KernelCheckActive= 0|1
Switch off/on checking of kernel syscalls to detect kernel module rootkits.
.br
.BI KernelCheckInterval= val
Interval (seconds) between checks.
.br
.BI SeverityKernel= val
Severity level for clobbered kernel syscalls.
.br
.BI KernelCheckIDT= 0|1
Whether to check the interrupt descriptor table.
.br
.BI KernelSystemCall= address
The address of system_call (grep system_call System.map).
Required after a kernel update.
.br
.BI KernelProcRoot= address
The address of proc_root (grep ' proc_root$' System.map).
Required after a kernel update.
.br
.BI KernelProcRootIops= address
The address of proc_root_inode_operations
(grep proc_root_inode_operations System.map).
Required after a kernel update.
.br
.BI KernelProcRootLookup= address
The address of proc_root_lookup (grep proc_root_lookup System.map).
Required after a kernel update.
.TP
.I "[SuidCheck]"
Settings for finding SUID/SGID files on disk.
.br
.BI SuidCheckActive= 0|1
Switch off/on the check.
.br
.BI SuidCheckExclude= path
A directory (and its subdirectories)
to exclude from the check. Only one directory can be specified this way.
.br
.BI SuidCheckSchedule= schedule
Crontab-like schedule for checks.
.br
.BI SeveritySuidCheck= severity
Severity for events.
.br
.BI SuidCheckFps= fps
Limit files per second for the SUID check.
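.PP
An added example, not from the samhain distribution, of the three host-monitoring modules above. The kernel addresses are placeholders that have to be replaced with the values from the running kernel's System.map, and must be refreshed after every kernel update, otherwise the check compares against stale addresses; the schedule, rate limit and excluded directory are constructed.

```ini
# Added example of the [Utmp], [Kernel] and [SuidCheck] modules; not from
# the samhain distribution. Kernel addresses are placeholders; the other
# values are constructed for illustration.

[Utmp]
LoginCheckActive=1
LoginCheckInterval=60
SeverityLogin=info
# Several simultaneous sessions of one account are more interesting.
SeverityLoginMulti=warn
SeverityLogout=info

[Kernel]
KernelCheckActive=1
KernelCheckInterval=300
SeverityKernel=crit
KernelCheckIDT=1
# Placeholders. Take each value from the System.map of the running
# kernel, e.g. grep ' system_call$' /boot/System.map-$(uname -r),
# and update all four after every kernel upgrade.
KernelSystemCall=0xPLACEHOLDER
KernelProcRoot=0xPLACEHOLDER
KernelProcRootIops=0xPLACEHOLDER
KernelProcRootLookup=0xPLACEHOLDER

[SuidCheck]
SuidCheckActive=1
# Crontab-like schedule: daily at 02:30.
SuidCheckSchedule=30 2 * * *
SeveritySuidCheck=crit
# Throttle the scan to 250 files per second so it does not starve the
# host, and skip the one directory that may be specified for exclusion.
SuidCheckFps=250
SuidCheckExclude=/net
```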
.TP
.I "[Mounts]"
Configuration for checking mounts.
.br
.BI MountCheckActive= 0|1
Switch off/on this module.
.br
.BI MountCheckInterval= seconds
The interval between checks (default 300).
.br
.BI SeverityMountMissing= severity
Severity for reports on missing mounts.
.br
.BI SeverityOptionMissing= severity
Severity for reports on missing mount options.
.br
.BI CheckMount= path
[mount_options]
.br
Mount point to check. Mount options must be given as a
comma-separated list, separated by a blank from the preceding mount point.
.TP
.I "[UserFiles]"
Configuration for checking paths relative to user home directories.
.br
.BI UserFilesActive= 0|1
Switch off/on this module.
.br
.BI UserFilesName= filename
policy
.br
Files to check for under each $HOME. Allowed values for 'policy'
are: allignore, attributes, logfiles, loggrow, noignore (default),
readonly, user0, user1, user2, user3, and user4.
.br
.BI UserFilesCheckUids= uid_list
A list of UIDs whose home directories should be checked. The default
is all. Ranges (e.g. 100-500) are allowed. If there is an open range (e.g.
1000-), it must be last in the list.
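.PP
An added example, not from the samhain distribution, of the [Mounts] and [UserFiles] modules above. Mount points, option lists, file names and the UID range are constructed. That the policy name follows the file name after a blank, in the same way the mount options follow the mount point, is an assumption drawn from the layout of the UserFilesName entry above.

```ini
# Added example of the [Mounts] and [UserFiles] modules; not from the
# samhain distribution. Values are constructed for illustration.

[Mounts]
MountCheckActive=1
# Check every 10 minutes instead of the default 300 seconds.
MountCheckInterval=600
SeverityMountMissing=crit
SeverityOptionMissing=warn
# Mount point, a blank, then the comma-separated options that must be
# present. /tmp remounted without noexec is reported at SeverityOptionMissing.
CheckMount=/tmp nosuid,noexec,nodev
CheckMount=/home nosuid,nodev
# No option list: only the presence of the mount is checked.
CheckMount=/var

[UserFiles]
UserFilesActive=1
# Path relative to each $HOME, a blank, then the policy (assumed layout).
# Without a policy the default 'noignore' reports every change.
UserFilesName=.ssh/authorized_keys readonly
UserFilesName=.bashrc attributes
UserFilesName=.bash_history loggrow
# Check root and all regular accounts; the open range must come last.
UserFilesCheckUids=0,1000-
```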
.TP
.I "[ProcessCheck]"
Settings for finding hidden, fake, or required processes on the local host.
.br
.BI ProcessCheckActive= 0|1
Switch off/on the check.
.br
.BI ProcessCheckInterval= seconds
The interval between checks (default 300).
.br
.BI SeverityProcessCheck= severity
Severity for events (default crit).
.br
.BI ProcessCheckMinPID= pid
The minimum PID to check (default 0).
.br
.BI ProcessCheckMaxPID= pid
The maximum PID to check (default 32767).
.br
.BI ProcessCheckPSPath= path
The path to ps (autodetected at compile time).
.br
.BI ProcessCheckPSArg= argument
The argument to ps (autodetected at compile time).
Must yield the PID in the first column.
.br
.BI ProcessCheckExists= regular_expression
Check for existence of a process matching the given regular expression.
.TP
.I "[PortCheck]"
Settings for checking open ports on the local host.
.br
.BI PortCheckActive= 0|1
Switch off/on the check.
.br
.BI PortCheckInterval= seconds
The interval between checks (default 300).
.br
.BI PortCheckUDP= yes|no
Whether to check UDP ports as well (default yes).
.br
.BI SeverityPortCheck= severity
Severity for events (default crit).
.br
.BI PortCheckInterface= ip_address
Additional interface to check.
.br
.BI PortCheckOptional= ip_address:list
Ports that may, but need not be open. The ip_address is that of the
interface; the list must be comma or whitespace separated, and each item
must be (port|service)/protocol,
e.g. 22/tcp,nfs/tcp/nfs/udp.
.br
.BI PortCheckRequired= ip_address:list
Ports that are required to be open. The ip_address is that of the
interface; the list must be comma or whitespace separated, and each item
must be (port|service)/protocol,
e.g. 22/tcp,nfs/tcp/nfs/udp.
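.PP
An added example, not from the samhain distribution, of the [ProcessCheck] and [PortCheck] modules above. The process names, the interface address and the port lists are constructed; the address is from the 192.0.2.0/24 documentation range.

```ini
# Added example of the [ProcessCheck] and [PortCheck] modules; not from
# the samhain distribution. Process names, address and ports are
# constructed for illustration.

[ProcessCheck]
ProcessCheckActive=1
ProcessCheckInterval=300
SeverityProcessCheck=crit
# PID range to compare against the ps output; a process present in the
# range but absent from ps is hidden, one in ps but not in the range is fake.
ProcessCheckMinPID=1
ProcessCheckMaxPID=32767
# Processes that must be running. Each value is a regular expression
# matched against the ps output; a missing match is reported.
ProcessCheckExists=sshd
ProcessCheckExists=ntpd

[PortCheck]
PortCheckActive=1
PortCheckInterval=300
PortCheckUDP=yes
SeverityPortCheck=crit
# A second interface of this host to scan in addition to the default.
PortCheckInterface=192.0.2.10
# Ports that must be open on that interface; a closed one is reported.
# Items are (port|service)/protocol, comma or whitespace separated.
PortCheckRequired=192.0.2.10:22/tcp,443/tcp
# Ports that may be open without a report; an open port that is in
# neither list is the case this module exists to catch.
PortCheckOptional=192.0.2.10:123/udp,2049/tcp
```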
402.TP
[1]403.I "[Database]"
404Settings for
405.I logging
406to a database.
407.br
408.BI SetDBHost= db_host
409Host where the DB server runs (default: localhost).
410Should be a numeric IP address for PostgreSQL.
411.br
412.BI SetDBName= db_name
413Name of the database (default: samhain).
414.br
415.BI SetDBTable= db_table
416Name of the database table (default: log).
417.br
418.BI SetDBUser= db_user
419Connect as this user (default: samhain).
420.br
421.BI SetDBPassword= db_password
422Use this password (default: none).
423.br
424.BI SetDBServerTstamp= true|false
425Log server timestamp for client messages (default: true).
426.br
427.BI UsePersistent= true|false
428Use a persistent connection (default: true).
429.TP
430.I "[Misc]"
431.BI Daemon= no|yes
432Detach from controlling terminal to become a daemon.
433.br
434.BI MessageHeader= format
435Costom format for message header. Replacements:
436.I %F
437source file name,
438.I %L
439source file line,
440.I %S
441severity,
442.I %T
443timestamp,
444.I %C
445message class.
446.br
447.BI VersionString= string
448Set version string to include in file signature database
449(along with hostname and date).
450.br
451.BI SetReverseLookup= true|false
452If false, skip reverse lookups when connecting to a host known by name
453rather than IP address.
454.br
455.BI HideSetup= yes|no
456Don't log name of config/database files on startup.
457.br
458.BI SyslogFacility= facility
459Set the syslog facility to use. Default is LOG_AUTHPRIV.
460.br
461.BI MACType= HASH-TIGER|HMAC-TIGER
462Set type of message authentication code (HMAC).
463Must be identical on client and server.
464.br
465.BI SetLoopTime= val
466Defines the interval (in seconds) for timestamps.
467.br
468.BI SetConsole= device
469Set the console device (default /dev/console).
470.br
471.BI MessageQueueActive= 1|0
472Whether to use a SysV IPC message queue.
473.br
474.BI PreludeMapToInfo= list of severities
475The severities (see section
476.IR [Log] )
477that should be mapped to impact
478severity
479.I info
480in prelude.
481.br
482.BI PreludeMapToLow= list of severities
483The severities (see section
484.IR [Log] )
485that should be mapped to impact
486severity
487.I low
488in prelude.
489.br
490.BI PreludeMapToMedium= list of severities
491The severities (see section
492.IR [Log] )
493that should be mapped to impact
494severity
495.I medium
496in prelude.
497.br
498.BI PreludeMapToHigh= list of severities
499The severities (see section
500.IR [Log] )
501that should be mapped to impact
502severity
503.I high
504in prelude.
505.br
506.BI SetMailTime= val
507defines the maximum interval (in seconds) between succesive e\-mail reports.
508Mail might be empty if there are no events to report.
509.br
510.BI SetMailNum= val
511defines the maximum number of messages that are stored before e\-mailing them.
512Messages of highest priority are always sent immediately.
513.br
514.BI SetMailAddress= username @ host
515sets the recipient address for mailing.
516.I "No aliases should be used."
517For security, you should prefer a numerical host address.
518.br
519.BI SetMailRelay= server
520sets the hostname for the mail relay server (if you need one).
521If no relay server is given, mail is sent directly to the host given in the
522mail address, otherwise it is sent to the relay server, who should
523forward it to the given address.
524.br
525.BI SetMailSubject= val
526defines a custom format for the subject of an email message.
527.br
528.BI SetMailSender= val
529defines the sender for the 'From:' field of a message.
530.br
531.BI SetMailFilterAnd= list
532defines a list of strings all of which must match a message, otherwise
533it will not be mailed.
534.br
535.BI SetMailFilterOr= list
536defines a list of strings at least one of which must match a message, otherwise
537it will not be mailed.
538.br
539.BI SetMailFilterNot= list
540defines a list of strings none of which should match a message, otherwise
541it will not be mailed.
542.br
543.BI SamhainPath= /path/to/binary
544sets the path to the samhain binary. If set, samhain will checksum
545its own binary both on startup and termination, and compare both.
546.br
547.BI SetBindAddress= IP_address
548The IP address (i.e. interface on multi-interface box) to use
549for outgoing connections.
550.br
551.BI SetTimeServer= server
552sets the hostname for the time server.
553.br
554.BI TrustedUser= name|uid
555Add a user to the set of trusted users (root and the effective user
556are always trusted. You can add up to 7 more users).
557.br
558.BI SetLogfilePath= AUTO|/path
559Path to logfile (AUTO to tack hostname on compiled-in path).
560.br
561.BI SetLockfilePath= AUTO|/path
562Path to lockfile (AUTO to tack hostname on compiled-in path).
563.TP
564.B Standalone or client only
565.br
566.BI SetNiceLevel= -19..19
567Set scheduling priority during file check.
568.br
569.BI SetIOLimit= bps
570Set IO limits (kilobytes per second) for file check.
571.br
572.BI SetFilecheckTime= val
573Defines the interval (in seconds) between succesive file checks.
574.br
575.BI FileCheckScheduleOne= schedule
576Crontab-like schedule for file checks. If used,
577.I SetFilecheckTime
578is ignored.
579.br
580.BI UseHardlinkCheck= yes|no
581Compare number of hardlinks to number of subdirectories for directories.
582.br
583.BI HardlinkOffset= N:/path
584Exception (use multiple times for multiple
585exceptions). N is offset (actual - expected hardlinks) for /path.
586.br
587.BI AddOKChars= N1,N2,..
588List of additional acceptable characters (byte value(s)) for the check for
589weird filenames. Nn may be hex (leading '0x': 0xNN), octal
590(leading zero: 0NNN), or decimal.
591Use
592.I all
593for all.
594.br
[77]595.BI FilenamesAreUTF8= yes|no
596Whether filenames are UTF-8 encoded (defaults to no). If yes, filenames
597are checked for invalid UTF-8 encoding and for ending in invisible characters.
[1]598.br
599.BI IgnoreAdded= path_regex
600Ignore if this file/directory is added/created.
601.br
602.BI IgnoreMissing= path_regex
603Ignore if this file/directory is missing/deleted.
604.br
605.BI ReportOnlyOnce= yes|no
606Report only once on a modified file (default yes).
607.br
608.BI ReportFullDetail= yes|no
609Report in full detail on modified files (not only modified items).
610.br
611.BI UseLocalTime= yes|no
612Report file timestamps in local time rather than GMT (default no).
613Do not use this with Beltane.
614.br
615.BI ChecksumTest= {init|update|check|none}
616defines whether to initialize/update the database or verify files against it.
617If 'none', you should supply the required option on the command line.
618.br
619.BI SetPrelinkPath= path
620Path of the prelink executable (default /usr/sbin/prelink).
621.br
622.BI SetPrelinkChecksum= checksum
623TIGER192 checksum of the prelink executable (no default).
624.br
625.BI SetLogServer= server
626sets the hostname for the log server.
627.br
[27]628.BI SetServerPort= portnumber
629sets the port on the server to connect to.
630.br
[1]631.BI SetDatabasePath= AUTO|/path
632Path to database (AUTO to tack hostname on compiled-in path).
633.br
634.BI DigestAlgo= SHA1|MD5
635Use SHA1 or MD5 instead of the TIGER checksum (default: TIGER192).
636.br
637.BI RedefReadOnly= +/-XXX,+/-YYY,...
638Add or subtract tests XXX from the ReadOnly policy.
639Tests are: CHK (checksum), LNK (link),
640HLN (hardlink), INO (inode), USR (user), GRP (group), MTM (mtime),
641ATM (atime), CTM (ctime), SIZ (size), RDEV (device numbers)
642and/or MOD (file mode).
643.br
644.BI RedefAttributes= +/-XXX,+/-YYY,...
645Add or subtract tests XXX from the Attributes policy.
646.br
647.BI RedefLogFiles= +/-XXX,+/-YYY,...
648Add or subtract tests XXX from the LogFiles policy.
649.br
650.BI RedefGrowingLogFiles= +/-XXX,+/-YYY,...
651Add or subtract tests XXX from the GrowingLogFiles policy.
652.br
653.BI RedefIgnoreAll= +/-XXX,+/-YYY,...
654Add or subtract tests XXX from the IgnoreAll policy.
655.br
656.BI RedefIgnoreNone= +/-XXX,+/-YYY,...
657Add or subtract tests XXX from the IgnoreNone policy.
658.br
659.BI RedefUser0= +/-XXX,+/-YYY,...
660Add or subtract tests XXX from the User0 policy.
661.br
662.BI RedefUser1= +/-XXX,+/-YYY,...
663Add or subtract tests XXX from the User1 policy.
[27]664.br
665.BI RedefUser2= +/-XXX,+/-YYY,...
666Add or subtract tests XXX from the User2 policy.
667.br
668.BI RedefUser3= +/-XXX,+/-YYY,...
669Add or subtract tests XXX from the User3 policy.
670.br
671.BI RedefUser4= +/-XXX,+/-YYY,...
672Add or subtract tests XXX from the User4 policy.
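.PP
An added example, not from the samhain distribution, of the standalone/client settings in [Misc] that shape the file check: database mode, self-check, scheduling and throttling, the IgnoreAdded/IgnoreMissing exceptions, and policy redefinition with the test codes listed above. The paths and regular expressions are constructed, and the prelink checksum is a placeholder.

```ini
# Added example of standalone/client [Misc] settings; not from the
# samhain distribution. Paths and patterns are constructed; the prelink
# checksum is a placeholder.

[Misc]
# Verify against the baseline database. 'init' would create a fresh
# baseline and 'update' would accept the current state as the new one.
ChecksumTest=check
SetDatabasePath=AUTO
SetLogfilePath=AUTO
SetLockfilePath=AUTO
# Checksum the samhain binary itself at startup and termination.
SamhainPath=/usr/local/sbin/samhain
# Default TIGER192 digest kept; DigestAlgo would switch to SHA1 or MD5.

# Full file check every 4 hours, throttled to 5000 kB/s at low priority.
SetFilecheckTime=14400
SetIOLimit=5000
SetNiceLevel=10
# Report a modified file on every run, listing all attributes rather
# than only the changed items.
ReportOnlyOnce=no
ReportFullDetail=yes
UseLocalTime=no

# Rotated logs may appear and pid files may vanish without a report.
IgnoreAdded=/var/log/.*[.][0-9]+[.]gz
IgnoreMissing=/var/run/.*[.]pid

# Hardlink count versus subdirectory count, with one known exception.
UseHardlinkCheck=yes
HardlinkOffset=1:/var/spool/cron

# Reject file names that are not valid UTF-8 or end in invisible characters.
FilenamesAreUTF8=yes

# Policy redefinition with the test codes CHK, LNK, HLN, INO, USR, GRP,
# MTM, ATM, CTM, SIZ, RDEV and MOD.
# ReadOnly: stop reporting hardlink-count changes.
RedefReadOnly=-HLN
# Attributes: additionally watch the ctime.
RedefAttributes=+CTM
# User0: starting from the compiled-in default, keep only checksum,
# ownership and mode, giving a "content and rights" policy.
RedefUser0=+CHK,+USR,+GRP,+MOD,-LNK,-HLN,-INO,-MTM,-ATM,-CTM,-SIZ,-RDEV

# The prelink tool used for [Prelink] entries is pinned by checksum.
SetPrelinkPath=/usr/sbin/prelink
# Placeholder for the TIGER192 checksum of /usr/sbin/prelink.
SetPrelinkChecksum=TIGER192_CHECKSUM_PLACEHOLDER
```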
.TP
.B Server Only
.br
.BI SetUseSocket= yes|no
If unset, do not open the command socket. The default is no.
.br
.BI SetSocketAllowUid= UID
Which user can connect to the command socket. The default is 0 (root).
.br
.BI SetSocketPassword= password
Password (max. 14 chars, no '@') for password-based authentication on the
command socket (only if the OS does not support passing
credentials via sockets).
.br
.BI SetChrootDir= path
If set, chroot to this directory after startup.
.br
.BI SetStripDomain= yes|no
Whether to strip the domain from the client hostname when
logging client messages (default: yes).
.br
.BI SetClientFromAccept= true|false
If true, use client address as known to the communication layer. Else
(default) use client name as claimed by the client, try to verify against
the address known to the communication layer, and accept
(with a warning message) even if this fails.
.br
.BI UseClientSeverity= yes|no
Use the severity of client messages.
.br
.BI UseClientClass= yes|no
Use the class of client messages.
.br
.BI SetServerPort= number
The port that the server should use for listening (default is 49777).
.br
.BI SetServerInterface= IPaddress
The IP address (i.e. interface on multi-interface box) that the
server should use for listening (default is all). Use INADDR_ANY to reset
to all.
.br
.BI SeverityLookup= severity
Severity of the message issued when the client address does not match
the socket peer.
.br
.BI UseSeparateLogs= true|false
If true, messages from different clients will be logged to separate
log files (the name of the client will be appended to the name of the main
log file to construct the logfile name).
.br
.BI SetClientTimeLimit= seconds
The maximum time between client messages. If exceeded, a warning will
be issued (the default is 86400 sec = 1 day).
.br
.BI SetUDPActive= yes|no
yule 1.2.8+: Also listen on 514/udp (syslog).
.TP
.I "[Clients]"
This section is only relevant if
.B samhain
is run as a log server for clients running on another (or the same) machine.
.br
.BI Client= hostname @ salt @ verifier
registers a client at host
.I hostname
(fully qualified hostname required) for access to the
log server.
Log entries from unregistered clients will not be accepted.
To generate a salt and a valid verifier, use the command
.B "samhain -P"
.IR "password" ,
where
.I password
is the password of the client. A simple utility program
.B samhain_setpwd
is provided to re\-set the compiled\-in default password of the client
executable to a user\-defined
value.
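.PP
An added example, not from the samhain distribution, of the matching server-side and client-side settings for client registration. It is two files shown one after the other: the server-only [Misc] keys and the [Clients] section for the log server, then the client keys that point at it. Hostnames and the address (from the 192.0.2.0/24 documentation range) are constructed; SALT and VERIFIER stand for the two values printed by samhain -P with the client's password.

```ini
# Added example of client/server settings; not from the samhain
# distribution. Hostnames and address are constructed; SALT and VERIFIER
# are placeholders for the output of "samhain -P <client password>".

# ---- log server (yule) configuration ----
[Misc]
SetServerPort=49777
SetServerInterface=192.0.2.1
# Trust the address seen by the network layer rather than the name the
# client claims, and flag a mismatch loudly.
SetClientFromAccept=true
SeverityLookup=crit
# One log file per client; warn when a client is silent for 12 hours,
# since a silent agent may be a disabled one.
UseSeparateLogs=true
SetClientTimeLimit=43200
# Keep the severity and class assigned by the client.
UseClientSeverity=yes
UseClientClass=yes
# Command socket reachable by root only; confine the server afterwards.
SetUseSocket=yes
SetSocketAllowUid=0
SetChrootDir=/var/lib/yule
# MAC type must be identical on both sides.
MACType=HMAC-TIGER

[Clients]
# One line per client, fully qualified hostname required. Messages from
# hosts not listed here are rejected.
Client=web1.example.com@SALT@VERIFIER
Client=db1.example.com@SALT@VERIFIER

# ---- client configuration (standalone or client only keys) ----
[Misc]
SetLogServer=192.0.2.1
SetServerPort=49777
MACType=HMAC-TIGER

[Log]
# Only err and above is forwarded to the server (TCP forwarding threshold).
ExportSeverity=err
```
.PP
The client's compiled\-in password, which the verifier is derived from, can be changed with samhain_setpwd as described above; each client needs its own password and therefore its own salt/verifier pair.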
.TP
.I "[EOF]"
An optional end marker. Everything below is ignored.

.SH SEE ALSO
.PP
.BR samhain (8)

.SH AUTHOR
.PP
Rainer Wichmann (http://la\-samhna.de)

.SH BUG REPORTS
.PP
If you find a bug in
.BR samhain ,
please send electronic mail to
.IR support@la\-samhna.de .
Please include your operating system and its revision, the version of
.BR samhain ,
what C compiler you used to compile it, your 'configure' options, and
anything else you deem helpful.

.SH COPYING PERMISSIONS
.PP
Copyright (\(co) 2000, 2004, 2005 Rainer Wichmann
.PP
Permission is granted to make and distribute verbatim copies of
this manual page provided the copyright notice and this permission
notice are preserved on all copies.
.ig
Permission is granted to process this file through troff and print the
results, provided the printed document carries copying permission
notice identical to this one except for the removal of this paragraph
(this paragraph not being relevant to the printed manual page).
..
.PP
Permission is granted to copy and distribute modified versions of this
manual page under the conditions for verbatim copying, provided that
the entire resulting derived work is distributed under the terms of a
permission notice identical to this one.
