.TH SAMHAINRC 5 "Jul 29, 2004" "" "samhainrc manual"
.SH NAME
samhainrc \- samhain(8) configuration file

.SH WARNING
.PP
The information in this man page is not always up to date.
The authoritative documentation is the user manual.

.SH DESCRIPTION
.PP
The configuration file for
.BR samhain (8)
is named
.I samhainrc
and located in
.I /etc
by default.
.PP
It contains several sections, indicated by headings in square brackets.
Each section may hold zero or more
.BI key= value
pairs. Blank lines and lines starting with '#' are comments.
Everything before the first section and after an
.I "[EOF]"
is ignored. The file may be (clear text) signed by PGP/GnuPG, and
.B samhain
may invoke GnuPG to check the signature
if compiled with support for it.
.PP
Conditional inclusion of entries for some host(s) is
supported via any number of
.BI @ hostname /@ end
directives.
.BI @ hostname
and
.BI @ end
must each be on separate lines. Lines in between will only be
read if
.I "hostname"
(which may be a regular expression) matches the local host.
.PP
Likewise, conditional inclusion of entries based on system type is
supported via any number of
.BI $ sysname:release:machine /$ end
directives.
.br
.I "sysname:release:machine"
can be inferred from
.I "uname -srm"
and may be a regular expression.
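The layout rules above (section headings, key=value pairs, comments, [EOF], and the @hostname/@end and $sysname:release:machine/$end conditionals) worked through in a small Python parser; this is an added example, not code from samhain or from this man page. It assumes the caller supplies the local hostname and the uname -srm string, that a pattern must match that whole string (regex full match), and that conditional blocks do not nest; the embedded samhainrc text is constructed for the demonstration.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample configuration for this example (not from a real host).
SAMPLE_RC = """\
Text before the first section heading is ignored.
[ReadOnly]
file=/etc/passwd
dir=3/usr/bin
# comment lines and blank lines are skipped

[Log]
MailSeverity=crit
@webserver[0-9]+
[ReadOnly]
dir=/var/www
@end
@dbhost
[ReadOnly]
dir=/var/lib/mysql
@end
$Linux:.*:x86_64
[Misc]
SetEnviron=TZ=UTC
$end
[EOF]
[Misc]
Daemon=yes
"""

# section name -> list of (key, value) pairs in file order; a list rather
# than a dict because keys such as file= and dir= repeat within a section.
Config = Dict[str, List[Tuple[str, str]]]


def parse_samhainrc(text: str, hostname: str, uname_srm: str) -> Config:
    """Parse samhainrc-style text as it would apply to one host.

    hostname  - local host name, matched against @hostname blocks
    uname_srm - `uname -srm` output joined with ':' (sysname:release:machine),
                matched against $sysname:release:machine blocks
    """
    config: Config = {}
    section = None      # current [Section]; None before the first heading
    cond = None         # "@" or "$" while inside a conditional block
    active = True       # False inside a block whose pattern did not match

    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                                   # blank line or comment
        if line in ("@end", "$end"):
            if cond != line[0]:
                raise ValueError(f"line {lineno}: stray or mismatched {line}")
            cond, active = None, True
            continue
        if line[0] in "@$":
            if cond is not None:
                raise ValueError(f"line {lineno}: nested conditional block")
            cond = line[0]
            target = hostname if cond == "@" else uname_srm
            # assumption: the pattern has to match the whole target string
            active = re.fullmatch(line[1:], target) is not None
            continue
        if line == "[EOF]":
            break                                      # everything below is ignored
        if not active:
            continue                                   # block does not apply here
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            config.setdefault(section, [])
            continue
        if section is None:
            continue                                   # text before the first section
        key, sep, value = line.partition("=")          # values may contain '=' themselves
        if not sep or not key.strip():
            raise ValueError(f"line {lineno}: expected key=value, got {line!r}")
        config[section].append((key.strip(), value.strip()))

    if cond is not None:
        raise ValueError(f"unterminated {cond}... block at end of file")
    return config


if __name__ == "__main__":
    for host, uname in (("webserver3", "Linux:5.10.0:x86_64"),
                        ("dbhost", "Linux:5.10.0:i686")):
        print(host, uname, parse_samhainrc(SAMPLE_RC, host, uname))
```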
.PP
Filenames/directories to check may be wildcard patterns.
.PP
Options given on the command line will override
those in the configuration file.
Boolean options can be set with any of 1|true|yes or 0|false|no.
.PP
The recognized sections in the configuration file are as follows:
.TP
.I "[ReadOnly]"
This section may contain
.br
.BI file= PATH
and
.br
.BI dir= [depth]PATH
entries for files and directories to check. All modifications except access
times will be reported for these files.
.I [depth] (use without brackets)
is an optional parameter to define a per\-directory recursion
depth.
.TP
.I "[LogFiles]"
As above, but modifications of timestamps, file size, and signature will
be ignored.
.TP
.I "[GrowingLogFiles]"
As above, but modifications of file size will only be ignored if the size has
.IR increased .
.TP
.I "[Attributes]"
As above, but only modifications of ownership and access permissions
will be checked.
.TP
.I "[IgnoreAll]"
As above, but report no modifications for
these files/directories. Access failures
will still be reported.
.TP
.I "[IgnoreNone]"
As above, but report all modifications for these files/directories,
including access time.
.TP
.I "[User0]"
.TP
.I "[User1]"
.TP
.I "[User2]"
.TP
.I "[User3]"
.TP
.I "[User4]"
These are reserved for user-defined policies.
.TP
.I "[Prelink]"
For prelinked executables / libraries or directories holding them.
.TP
.I "[Log]"
This section defines the filtering rules for logging.
It may contain the following entries:
.br
.BI MailSeverity= val
where the threshold value
.I val
may be one of
.IR debug ,
.IR info ,
.IR notice ,
.IR warn ,
.IR mark ,
.IR err ,
.IR crit ,
.IR alert ,
or
.IR none .
By default, everything equal to and above the threshold will be logged.
The specifiers
.IR * ,
.IR ! ,
and
.I =
are interpreted as 'all', 'all but', and 'only', respectively (like
in the Linux version of syslogd(8)).
Time stamps have the priority
.IR warn ,
system\-level errors have the priority
.IR err ,
and important start\-up messages the priority
.IR alert .
The signature key for the log file will never be logged to syslog or the
log file itself.
For failures to verify file integrity, error levels are defined
in the next section.
.br
.BI PrintSeverity= val,
.br
.BI LogSeverity= val,
.br
.BI ExportSeverity= val,
.br
.BI ExternalSeverity= val,
.br
.BI PreludeSeverity= val,
.br
.BI DatabaseSeverity= val,
and
.br
.BI SyslogSeverity= val
set the thresholds for logging via stdout (or
.IR /dev/console ),
log file, TCP forwarding, calling external programs, Prelude, a database,
and
.BR syslog (3),
respectively.
.TP
.I "[EventSeverity]"
.BI SeverityReadOnly= val,
.br
.BI SeverityLogFiles= val,
.br
.BI SeverityGrowingLogs= val,
.br
.BI SeverityIgnoreNone= val,
.br
.BI SeverityIgnoreAll= val,
.br
.BI SeverityPrelink= val,
.br
.BI SeverityUser0= val,
.br
.BI SeverityUser1= val,
.br
.BI SeverityUser2= val,
.br
.BI SeverityUser3= val,
and
.br
.BI SeverityUser4= val
define the error levels for failures to verify the integrity of
files/directories of the respective types. I.e. if such a file shows
unexpected modifications, an error of level
.I val
will be generated, and logged to every facility whose threshold (see
.IR [Log] )
is
.I val
or lower.
.br
.BI SeverityFiles= val
sets the error level for file access problems, and
.br
.BI SeverityDirs= val
for directory access problems.
.br
.BI SeverityNames= val
sets the error level for obscure file names
(e.g. non\-printable characters), and for files
with invalid UIDs/GIDs.
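How a [Log] threshold and an [EventSeverity] level combine to decide which facilities receive a message, as an added example that is not code from samhain or its author. The level ordering is the one listed under MailSeverity; the '!' specifier is taken in its syslogd(8) sense, 'all but this level and above', which is an assumption (the page only says 'all but'); the [Log] and [EventSeverity] values are constructed.

```python
from typing import Dict, FrozenSet, List

# Severity levels as listed for MailSeverity, lowest to highest.
# "none" is a threshold that logs nothing; it is not an event level.
LEVELS = ["debug", "info", "notice", "warn", "mark", "err", "crit", "alert", "none"]
EVENT_LEVELS = LEVELS[:-1]


def accepted_levels(spec: str) -> FrozenSet[str]:
    """Return the set of event levels that pass a *Severity= threshold spec.

    spec is one of:  level   -> that level and everything above it (default)
                     *       -> all levels
                     =level  -> only that level
                     !level  -> all but that level and above (syslogd reading; assumption)
    """
    spec = spec.strip().lower()
    if spec == "*":
        return frozenset(EVENT_LEVELS)
    op = ""
    if spec[:1] in ("!", "="):
        op, spec = spec[0], spec[1:].strip()
    if spec not in LEVELS:
        raise ValueError(f"unknown severity {spec!r}")
    rank = LEVELS.index(spec)
    if op == "=":
        return frozenset([spec]) if spec != "none" else frozenset()
    if op == "!":
        return frozenset(LEVELS[:rank])
    return frozenset(LEVELS[rank:-1])


def facilities_for(level: str, thresholds: Dict[str, str]) -> List[str]:
    """Names of the facilities (LogSeverity, MailSeverity, ...) that receive
    a message of the given level under the given [Log] thresholds."""
    if level not in EVENT_LEVELS:
        raise ValueError(f"not an event level: {level!r}")
    return sorted(name for name, spec in thresholds.items()
                  if level in accepted_levels(spec))


def route_policy_violation(policy: str, event_severity: Dict[str, str],
                           thresholds: Dict[str, str]) -> List[str]:
    """A file under `policy` (ReadOnly, LogFiles, ...) failed verification:
    look up its level in the [EventSeverity] section and route the message."""
    level = event_severity[f"Severity{policy}"]
    return facilities_for(level, thresholds)


# Constructed [Log] and [EventSeverity] settings for the demonstration.
LOG_SECTION = {
    "PrintSeverity": "*",        # everything to stdout/console
    "LogSeverity": "err",        # err and above to the log file
    "MailSeverity": "crit",      # only crit and alert by mail
    "SyslogSeverity": "=warn",   # only priority warn (timestamps) to syslog
    "ExportSeverity": "!err",    # only levels below err to the log server
}
EVENT_SEVERITY_SECTION = {"SeverityReadOnly": "crit", "SeverityLogFiles": "warn"}

if __name__ == "__main__":
    for pol in ("ReadOnly", "LogFiles"):
        print(pol, "->", route_policy_violation(pol, EVENT_SEVERITY_SECTION, LOG_SECTION))
```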
.TP
.I "[External]"
.BI OpenCommand= path
Start the definition of an external logging program|script.
.br
.BI SetType= log|srv
Type/purpose of program (log for logging).
.br
.BI SetCommandline= list
Command line options.
.br
.BI SetEnviron= KEY=val
Environment for external program.
.br
.BI SetChecksum= val
Checksum of the external program (checked before invoking).
.br
.BI SetCredentials= username
User as who the program will run.
.br
.BI SetFilterNot= list
Words not allowed in message.
.br
.BI SetFilterAnd= list
Words required (ALL) in message.
.br
.BI SetFilterOr= list
Words required (at least one) in message.
.br
.BI SetDeadtime= seconds
Time between consecutive calls.
.TP
.I "[Utmp]"
Configuration for watching login/logout events.
.br
.BI LoginCheckActive= 0|1
Switch off/on login/logout reporting.
.br
.BI LoginCheckInterval= val
Interval (seconds) between checks for login/logout events.
.br
.BI SeverityLogin= val
.br
.BI SeverityLoginMulti= val
.br
.BI SeverityLogout= val
Severity levels for logins, multiple logins
by same user, and logouts.
.TP
.I "[Kernel]"
Configuration for detecting kernel rootkits.
.br
.BI KernelCheckActive= 0|1
Switch off/on checking of kernel syscalls to detect kernel module rootkits.
.br
.BI KernelCheckInterval= val
Interval (seconds) between checks.
.br
.BI SeverityKernel= val
Severity level for clobbered kernel syscalls.
.br
.BI KernelCheckIDT= 0|1
Whether to check the interrupt descriptor table.
.br
.BI KernelSystemCall= address
The address of system_call (grep system_call System.map).
Required after a kernel update.
.br
.BI KernelProcRoot= address
The address of proc_root (grep ' proc_root$' System.map).
Required after a kernel update.
.br
.BI KernelProcRootIops= address
The address of proc_root_inode_operations
(grep proc_root_inode_operations System.map).
Required after a kernel update.
.br
.BI KernelProcRootLookup= address
The address of proc_root_lookup (grep proc_root_lookup System.map).
Required after a kernel update.
.TP
.I "[SuidCheck]"
Settings for finding SUID/SGID files on disk.
.br
.BI SuidCheckActive= 0|1
Switch off/on the check.
.br
.BI SuidCheckExclude= path
A directory (and its subdirectories)
to exclude from the check. Only one directory can be specified this way.
.br
.BI SuidCheckSchedule= schedule
Crontab-like schedule for checks.
.br
.BI SeveritySuidCheck= severity
Severity for events.
.br
.BI SuidCheckFps= fps
Limit on files per second for the SUID check.
.TP
.I "[Mounts]"
Configuration for checking mounts.
.br
.BI MountCheckActive= 0|1
Switch off/on this module.
.br
.BI MountCheckInterval= seconds
The interval between checks (default 300).
.br
.BI SeverityMountMissing= severity
Severity for reports on missing mounts.
.br
.BI SeverityOptionMissing= severity
Severity for reports on missing mount options.
.br
.BI CheckMount= path
[mount_options]
.br
Mount point to check. Mount options must be given as a
comma-separated list, separated by a blank from the preceding mount point.
.TP
.I "[UserFiles]"
Configuration for checking paths relative to user home directories.
.br
.BI UserFilesActive= 0|1
Switch off/on this module.
.br
.BI UserFilesName= filename
policy
.br
Files to check for under each $HOME. Allowed values for 'policy'
are: allignore, attributes, logfiles, loggrow, noignore (default),
readonly, user0, user1, user2, user3, and user4.
.br
.BI UserFilesCheckUids= uid_list
A list of UIDs to check. The default
is all. Ranges (e.g. 100-500) are allowed. If there is an open range (e.g.
1000-), it must be last in the list.
.TP
.I "[ProcessCheck]"
Settings for finding hidden or fake processes, and for checking that
required processes exist, on the local host.
.br
.BI ProcessCheckActive= 0|1
Switch off/on the check.
.br
.BI ProcessCheckInterval= seconds
The interval between checks (default 300).
.br
.BI SeverityProcessCheck= severity
Severity for events (default crit).
.br
.BI ProcessCheckMinPID= pid
The minimum PID to check (default 0).
.br
.BI ProcessCheckMaxPID= pid
The maximum PID to check (default 32767).
.br
.BI ProcessCheckPSPath= path
The path to ps (autodetected at compile time).
.br
.BI ProcessCheckPSArg= argument
The argument to ps (autodetected at compile time).
Must yield PID in first column.
.br
.BI ProcessCheckExists= regular_expression
Check for existence of a process matching the given regular expression.
.TP
.I "[PortCheck]"
Settings for checking open ports on the local host.
.br
.BI PortCheckActive= 0|1
Switch off/on the check.
.br
.BI PortCheckInterval= seconds
The interval between checks (default 300).
.br
.BI PortCheckUDP= yes|no
Whether to check UDP ports as well (default yes).
.br
.BI SeverityPortCheck= severity
Severity for events (default crit).
.br
.BI PortCheckInterface= ip_address
Additional interface to check.
.br
.BI PortCheckOptional= ip_address:list
Ports that may, but need not be open. The ip_address is the one
of the interface, the list must be
comma or whitespace separated, each item must be (port|service)/protocol,
e.g. 22/tcp,nfs/tcp,nfs/udp.
.br
.BI PortCheckRequired= ip_address:list
Ports that are required to be open. The ip_address is the one
of the interface, the list must be
comma or whitespace separated, each item must be (port|service)/protocol,
e.g. 22/tcp,nfs/tcp,nfs/udp.
.TP
.I "[Database]"
Settings for
.I logging
to a database.
.br
.BI SetDBHost= db_host
Host where the DB server runs (default: localhost).
Should be a numeric IP address for PostgreSQL.
.br
.BI SetDBName= db_name
Name of the database (default: samhain).
.br
.BI SetDBTable= db_table
Name of the database table (default: log).
.br
.BI SetDBUser= db_user
Connect as this user (default: samhain).
.br
.BI SetDBPassword= db_password
Use this password (default: none).
.br
.BI SetDBServerTstamp= true|false
Log server timestamp for client messages (default: true).
.br
.BI UsePersistent= true|false
Use a persistent connection (default: true).
.TP
.I "[Misc]"
.BI Daemon= no|yes
Detach from controlling terminal to become a daemon.
.br
.BI MessageHeader= format
Custom format for message header. Replacements:
.I %F
source file name,
.I %L
source file line,
.I %S
severity,
.I %T
timestamp,
.I %C
message class.
.br
.BI VersionString= string
Set version string to include in file signature database
(along with hostname and date).
.br
.BI SetReverseLookup= true|false
If false, skip reverse lookups when connecting to a host known by name
rather than IP address.
.br
.BI HideSetup= yes|no
Don't log name of config/database files on startup.
.br
.BI SyslogFacility= facility
Set the syslog facility to use. Default is LOG_AUTHPRIV.
.br
.BI MACType= HASH-TIGER|HMAC-TIGER
Set type of message authentication code (HMAC).
Must be identical on client and server.
.br
.BI SetLoopTime= val
Defines the interval (in seconds) for timestamps.
.br
.BI SetConsole= device
Set the console device (default /dev/console).
.br
.BI MessageQueueActive= 1|0
Whether to use a SysV IPC message queue.
.br
.BI PreludeMapToInfo= list of severities
The severities (see section
.IR [Log] )
that should be mapped to impact
severity
.I info
in prelude.
.br
.BI PreludeMapToLow= list of severities
The severities (see section
.IR [Log] )
that should be mapped to impact
severity
.I low
in prelude.
.br
.BI PreludeMapToMedium= list of severities
The severities (see section
.IR [Log] )
that should be mapped to impact
severity
.I medium
in prelude.
.br
.BI PreludeMapToHigh= list of severities
The severities (see section
.IR [Log] )
that should be mapped to impact
severity
.I high
in prelude.
.br
.BI SetMailTime= val
defines the maximum interval (in seconds) between successive e\-mail reports.
Mail might be empty if there are no events to report.
.br
.BI SetMailNum= val
defines the maximum number of messages that are stored before e\-mailing them.
Messages of highest priority are always sent immediately.
.br
.BI SetMailAddress= username @ host
sets the recipient address for mailing.
.I "No aliases should be used."
For security, you should prefer a numerical host address.
.br
.BI SetMailRelay= server
sets the hostname for the mail relay server (if you need one).
If no relay server is given, mail is sent directly to the host given in the
mail address, otherwise it is sent to the relay server, which should
forward it to the given address.
.br
.BI SetMailSubject= val
defines a custom format for the subject of an email message.
.br
.BI SetMailSender= val
defines the sender for the 'From:' field of a message.
.br
.BI SetMailFilterAnd= list
defines a list of strings all of which must match a message, otherwise
it will not be mailed.
.br
.BI SetMailFilterOr= list
defines a list of strings at least one of which must match a message, otherwise
it will not be mailed.
.br
.BI SetMailFilterNot= list
defines a list of strings none of which may match a message, otherwise
it will not be mailed.
.br
.BI SamhainPath= /path/to/binary
sets the path to the samhain binary. If set, samhain will checksum
its own binary both on startup and termination, and compare both.
.br
.BI SetBindAddress= IP_address
The IP address (i.e. interface on multi-interface box) to use
for outgoing connections.
.br
.BI SetTimeServer= server
sets the hostname for the time server.
.br
.BI TrustedUser= name|uid
Add a user to the set of trusted users (root and the effective user
are always trusted; you can add up to 7 more users).
.br
.BI SetLogfilePath= AUTO|/path
Path to logfile (AUTO to tack hostname on compiled-in path).
.br
.BI SetLockfilePath= AUTO|/path
Path to lockfile (AUTO to tack hostname on compiled-in path).
.TP
.B Standalone or client only
.br
.BI SetNiceLevel= -19..19
Set scheduling priority during file check.
.br
.BI SetIOLimit= bps
Set IO limits (kilobytes per second) for file check.
.br
.BI SetFilecheckTime= val
Defines the interval (in seconds) between successive file checks.
.br
.BI FileCheckScheduleOne= schedule
Crontab-like schedule for file checks. If used,
.I SetFilecheckTime
is ignored.
.br
.BI UseHardlinkCheck= yes|no
Compare number of hardlinks to number of subdirectories for directories.
.br
.BI HardlinkOffset= N:/path
Exception (use multiple times for multiple
exceptions). N is offset (actual - expected hardlinks) for /path.
.br
.BI AddOKChars= N1,N2,..
List of additional acceptable characters (byte value(s)) for the check for
weird filenames. Nn may be hex (leading '0x': 0xNN), octal
(leading zero: 0NNN), or decimal.
Use
.I all
for all.
.br
.BI FilenamesAreUTF8= yes|no
Whether filenames are UTF-8 encoded (defaults to no). If yes, filenames
are checked for invalid UTF-8 encoding and for ending in invisible characters.
.br
.BI IgnoreAdded= path_regex
Ignore if this file/directory is added/created.
.br
.BI IgnoreMissing= path_regex
Ignore if this file/directory is missing/deleted.
.br
.BI ReportOnlyOnce= yes|no
Report only once on a modified file (default yes).
.br
.BI ReportFullDetail= yes|no
Report in full detail on modified files (not only modified items).
.br
.BI UseLocalTime= yes|no
Report file timestamps in local time rather than GMT (default no).
Do not use this with Beltane.
.br
.BI ChecksumTest= {init|update|check|none}
defines whether to initialize/update the database or verify files against it.
If 'none', you should supply the required option on the command line.
.br
.BI SetPrelinkPath= path
Path of the prelink executable (default /usr/sbin/prelink).
.br
.BI SetPrelinkChecksum= checksum
TIGER192 checksum of the prelink executable (no default).
.br
.BI SetLogServer= server
sets the hostname for the log server.
.br
.BI SetServerPort= portnumber
sets the port on the server to connect to.
.br
.BI SetDatabasePath= AUTO|/path
Path to database (AUTO to tack hostname on compiled-in path).
.br
.BI DigestAlgo= SHA1|MD5
Use SHA1 or MD5 instead of the TIGER checksum (default: TIGER192).
.br
.BI RedefReadOnly= +/-XXX,+/-YYY,...
Add or subtract tests XXX from the ReadOnly policy.
Tests are: CHK (checksum), LNK (link),
HLN (hardlink), INO (inode), USR (user), GRP (group), MTM (mtime),
ATM (atime), CTM (ctime), SIZ (size), RDEV (device numbers)
and/or MOD (file mode).
.br
.BI RedefAttributes= +/-XXX,+/-YYY,...
Add or subtract tests XXX from the Attributes policy.
.br
.BI RedefLogFiles= +/-XXX,+/-YYY,...
Add or subtract tests XXX from the LogFiles policy.
.br
.BI RedefGrowingLogFiles= +/-XXX,+/-YYY,...
Add or subtract tests XXX from the GrowingLogFiles policy.
.br
.BI RedefIgnoreAll= +/-XXX,+/-YYY,...
Add or subtract tests XXX from the IgnoreAll policy.
.br
.BI RedefIgnoreNone= +/-XXX,+/-YYY,...
Add or subtract tests XXX from the IgnoreNone policy.
.br
.BI RedefUser0= +/-XXX,+/-YYY,...
Add or subtract tests XXX from the User0 policy.
.br
.BI RedefUser1= +/-XXX,+/-YYY,...
Add or subtract tests XXX from the User1 policy.
.br
.BI RedefUser2= +/-XXX,+/-YYY,...
Add or subtract tests XXX from the User2 policy.
.br
.BI RedefUser3= +/-XXX,+/-YYY,...
Add or subtract tests XXX from the User3 policy.
.br
.BI RedefUser4= +/-XXX,+/-YYY,...
Add or subtract tests XXX from the User4 policy.
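The Redef* arithmetic on the twelve tests, applied to the policies described at the start of this page and evaluated against two file records, as an added example that is not taken from samhain. The base test set per policy is an approximation derived from the policy descriptions in this man page (ReadOnly reports everything except atime, Attributes only ownership and mode, GrowingLogFiles tolerates growth but not shrinking), not samhain's exact internal defaults, which the user manual documents; the baseline and current file records are constructed.

```python
from typing import Dict, FrozenSet, List, Tuple

# The twelve tests named under RedefReadOnly.
TESTS = ("CHK", "LNK", "HLN", "INO", "USR", "GRP", "MTM", "ATM", "CTM", "SIZ", "RDEV", "MOD")
ALL = frozenset(TESTS)
TIMESTAMPS = frozenset({"MTM", "ATM", "CTM"})

# Base test set per policy, approximated from the descriptions on this page
# (assumption: samhain's real defaults may differ in detail).
POLICY_BASE: Dict[str, FrozenSet[str]] = {
    "ReadOnly": ALL - {"ATM"},                        # everything but access time
    "LogFiles": ALL - TIMESTAMPS - {"SIZ", "CHK"},    # timestamps, size, signature ignored
    "GrowingLogFiles": ALL - TIMESTAMPS - {"CHK"},    # size kept, but growth is tolerated
    "Attributes": frozenset({"USR", "GRP", "MOD"}),   # ownership and permissions only
    "IgnoreAll": frozenset(),
    "IgnoreNone": ALL,
}


def parse_redef(spec: str) -> List[Tuple[str, str]]:
    """Parse '+/-XXX,+/-YYY,...' into [(sign, test), ...], validating each item."""
    items = []
    for raw in spec.split(","):
        item = raw.strip().upper()
        if not item:
            continue
        sign, name = item[0], item[1:]
        if sign not in "+-" or name not in TESTS:
            raise ValueError(f"bad Redef item {raw!r}: expected +TEST or -TEST with TEST in {TESTS}")
        items.append((sign, name))
    return items


def effective_tests(policy: str, redef: str = "") -> FrozenSet[str]:
    """Test set of a policy after applying its Redef<Policy>= setting, left to right."""
    tests = set(POLICY_BASE[policy])
    for sign, name in parse_redef(redef):
        (tests.add if sign == "+" else tests.discard)(name)
    return frozenset(tests)


def violations(policy: str, old: Dict[str, object], new: Dict[str, object],
               redef: str = "") -> List[str]:
    """Tests of the policy whose recorded value differs between two file records.

    old/new map test names to the stored attribute (checksum, size, uid, ...);
    a test absent from both records counts as unchanged.
    """
    changed = {t for t in effective_tests(policy, redef) if old.get(t) != new.get(t)}
    # GrowingLogFiles: a size change is ignored only if the file grew.
    if policy == "GrowingLogFiles" and "SIZ" in changed \
            and new.get("SIZ", 0) > old.get("SIZ", 0):
        changed.discard("SIZ")
    return sorted(changed)


# Constructed baseline and current records for one file (not real data).
BASELINE = {"CHK": "tiger-aaaa", "SIZ": 4096, "MTM": 1000, "ATM": 1000, "MOD": 0o644, "USR": 0}
APPENDED = {"CHK": "tiger-bbbb", "SIZ": 8192, "MTM": 2000, "ATM": 2000, "MOD": 0o644, "USR": 0}
TRUNCATED = {"CHK": "tiger-cccc", "SIZ": 512, "MTM": 3000, "ATM": 3000, "MOD": 0o644, "USR": 0}

if __name__ == "__main__":
    for pol in ("ReadOnly", "LogFiles", "GrowingLogFiles", "Attributes"):
        print(pol, "appended:", violations(pol, BASELINE, APPENDED),
              "truncated:", violations(pol, BASELINE, TRUNCATED))
    print("ReadOnly with RedefReadOnly=+ATM,-CHK:",
          violations("ReadOnly", BASELINE, APPENDED, "+ATM,-CHK"))
```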
.TP
.B Server Only
.br
.BI SetUseSocket= yes|no
If no (the default), do not open the command socket.
.br
.BI SetSocketAllowUid= UID
Which user can connect to the command socket. The default is 0 (root).
.br
.BI SetSocketPassword= password
Password (max. 14 chars, no '@') for password-based authentication on the
command socket (only if the OS does not support passing
credentials via sockets).
.br
.BI SetChrootDir= path
If set, chroot to this directory after startup.
.br
.BI SetStripDomain= yes|no
Whether to strip the domain from the client hostname when
logging client messages (default: yes).
.br
.BI SetClientFromAccept= true|false
If true, use client address as known to the communication layer. Else
(default) use client name as claimed by the client, try to verify against
the address known to the communication layer, and accept
(with a warning message) even if this fails.
.br
.BI UseClientSeverity= yes|no
Use the severity of client messages.
.br
.BI UseClientClass= yes|no
Use the class of client messages.
.br
.BI SetServerPort= number
The port that the server should use for listening (default is 49777).
.br
.BI SetServerInterface= IPaddress
The IP address (i.e. interface on multi-interface box) that the
server should use for listening (default is all). Use INADDR_ANY to reset
to all.
.br
.BI SeverityLookup= severity
Severity of the message issued when the client address does not match
the socket peer.
.br
.BI UseSeparateLogs= true|false
If true, messages from different clients will be logged to separate
log files (the name of the client will be appended to the name of the main
log file to construct the logfile name).
.br
.BI SetClientTimeLimit= seconds
The maximum time between client messages. If exceeded, a warning will
be issued (the default is 86400 sec = 1 day).
.br
.BI SetUDPActive= yes|no
yule 1.2.8+: Also listen on 514/udp (syslog).

.TP
.I "[Clients]"
This section is only relevant if
.B samhain
is run as a log server for clients running on another (or the same) machine.
.br
.BI Client= hostname @ salt @ verifier
registers a client at host
.I hostname
(fully qualified hostname required) for access to the
log server.
Log entries from unregistered clients will not be accepted.
To generate a salt and a valid verifier, use the command
.B "samhain -P"
.IR "password" ,
where
.I password
is the password of the client. A simple utility program
.B samhain_setpwd
is provided to re\-set the compiled\-in default password of the client
executable to a user\-defined
value.
.TP
.I "[EOF]"
An optional end marker. Everything below is ignored.

.SH SEE ALSO
.PP
.BR samhain (8)

.SH AUTHOR
.PP
Rainer Wichmann (http://la\-samhna.de)

.SH BUG REPORTS
.PP
If you find a bug in
.BR samhain ,
please send electronic mail to
.IR support@la\-samhna.de .
Please include your operating system and its revision, the version of
.BR samhain ,
what C compiler you used to compile it, your 'configure' options, and
anything else you deem helpful.

.SH COPYING PERMISSIONS
.PP
Copyright (\(co) 2000, 2004, 2005 Rainer Wichmann
.PP
Permission is granted to make and distribute verbatim copies of
this manual page provided the copyright notice and this permission
notice are preserved on all copies.
.ig
Permission is granted to process this file through troff and print the
results, provided the printed document carries copying permission
notice identical to this one except for the removal of this paragraph
(this paragraph not being relevant to the printed manual page).
..
.PP
Permission is granted to copy and distribute modified versions of this
manual page under the conditions for verbatim copying, provided that
the entire resulting derived work is distributed under the terms of a
permission notice identical to this one.