.TH SAMHAINRC 5 "Jul 29, 2004" "" "samhainrc manual"
.SH NAME
samhainrc \- samhain(8) configuration file

.SH WARNING
.PP
The information in this man page is not always up to date.
The authoritative documentation is the user manual.

.SH DESCRIPTION
.PP
The configuration file for
.BR samhain (8)
is named
.I samhainrc
and located in
.I /etc
by default.
.PP
It contains several sections, indicated by headings in square brackets.
Each section may hold zero or more
.BI key= value
pairs. Blank lines and lines starting with '#' are comments.
Everything before the first section and after an
.I "[EOF]"
is ignored. The file may be (clear text) signed by PGP/GnuPG, and
.B samhain
may invoke GnuPG to check the signature
if compiled with support for it.
.PP
Conditional inclusion of entries for some host(s) is
supported via any number of
.BI @ hostname /@ end
directives.
.BI @ hostname
and
.BI @ end
must each be on separate lines. Lines in between will only be
read if
.I "hostname"
(which may be a regular expression) matches the local host.
.PP
Likewise, conditional inclusion of entries based on system type is
supported via any number of
.BI $ sysname:release:machine /$ end
directives.
.br
.I "sysname:release:machine"
can be inferred from
.I "uname -srm"
and may be a regular expression.
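The following is an added example, not part of the samhain distribution, of a reader for the file layout described above: '#' comments, bracketed section headings, key=value pairs, the [EOF] marker, and @hostname/@end and $sysname:release:machine/$end conditionals. It assumes the pattern after '@' or '$' is a regular expression that must match the whole hostname or sysname:release:machine string; SAMPLE_RC and the helper names are this example's own.

```python
import platform
import re
import socket

# Constructed sample configuration (not taken from the man page) that uses
# comments, sections, key=value pairs, @hostname/@end and
# $sysname:release:machine/$end blocks, and an [EOF] marker.
SAMPLE_RC = r"""# anything before the first section heading is ignored
stray=value
[ReadOnly]
file=/etc/passwd
dir=3/usr/bin
@web[0-9]+\.example\.org
file=/etc/httpd/httpd.conf
@end
$Linux:.*:x86_64
dir=/lib64
$end
$FreeBSD:.*:.*
dir=/boot/kernel
$end
[Misc]
Daemon=yes
[EOF]
[ReadOnly]
file=/not/read/after/eof
"""


def local_sysinfo():
    """'sysname:release:machine', the colon-joined form of 'uname -srm'."""
    u = platform.uname()
    return ':'.join((u.system, u.release, u.machine))


def parse_samhainrc(text, hostname, sysinfo):
    """Return {section: [(key, value), ...]} for the lines that apply to
    the host described by hostname and sysinfo.

    Assumption: the pattern after '@' or '$' is a regular expression that
    must match the whole hostname / sysinfo string. Nested conditionals
    and unbalanced @end/$end are rejected rather than silently skipped.
    """
    entries = {}
    section = None
    closer = None       # '@end' or '$end' that ends the open conditional
    skipping = False    # True while inside a conditional that does not apply
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if line in ('@end', '$end'):
            if closer != line:
                raise ValueError('line %d: unexpected %s' % (lineno, line))
            closer, skipping = None, False
            continue
        if line[0] in '@$':
            if closer is not None:
                raise ValueError('line %d: nested conditional' % lineno)
            subject = hostname if line[0] == '@' else sysinfo
            closer = line[0] + 'end'
            skipping = re.fullmatch(line[1:], subject) is None
            continue
        if skipping:
            continue
        if line == '[EOF]':
            break
        heading = re.fullmatch(r'\[([^\]]+)\]', line)
        if heading:
            section = heading.group(1)
            entries.setdefault(section, [])
            continue
        if section is None:
            continue    # before the first section: ignored
        key, sep, value = line.partition('=')
        if not sep:
            raise ValueError('line %d: expected key=value' % lineno)
        entries[section].append((key.strip(), value.strip()))
    return entries


if __name__ == '__main__':
    cfg = parse_samhainrc(SAMPLE_RC, socket.gethostname(), local_sysinfo())
    for name, pairs in cfg.items():
        print('[%s]' % name)
        for key, value in pairs:
            print('  %s=%s' % (key, value))
```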
.PP
Filenames/directories to check may be wildcard patterns.
.PP
Options given on the command line will override
those in the configuration file.
.PP
Boolean options can be set with any of 1|true|yes or 0|false|no.
.PP
The recognized sections in the configuration file are as follows:
.TP
.I "[ReadOnly]"
This section may contain
.br
.BI file= PATH
and
.br
.BI dir= [depth]PATH
entries for files and directories to check. All modifications except access
times will be reported for these files.
.I [depth] (use without brackets)
is an optional parameter to define a per\-directory recursion
depth.
.TP
.I "[LogFiles]"
As above, but modifications of timestamps, file size, and signature will
be ignored.
.TP
.I "[GrowingLogFiles]"
As above, but modifications of file size will only be ignored if the size has
.IR increased .
.TP
.I "[Attributes]"
As above, but only modifications of ownership and access permissions
will be checked.
.TP
.I "[IgnoreAll]"
As above, but report no modifications for
these files/directories. Access failures
will still be reported.
.TP
.I "[IgnoreNone]"
As above, but report all modifications for these files/directories,
including access time.
.TP
.I "[User0]"
.TP
.I "[User1]"
These are reserved for user-defined policies.
.TP
.I "[Prelink]"
For prelinked executables / libraries or directories holding them.
.TP
.I "[Log]"
This section defines the filtering rules for logging.
It may contain the following entries:
.br
.BI MailSeverity= val
where the threshold value
.I val
may be one of
.IR debug ,
.IR info ,
.IR notice ,
.IR warn ,
.IR mark ,
.IR err ,
.IR crit ,
.IR alert ,
or
.IR none .
By default, everything equal to and above the threshold will be logged.
The specifiers
.IR * ,
.IR ! ,
and
.I =
are interpreted as 'all', 'all but', and 'only', respectively (like
in the Linux version of syslogd(8)).
Time stamps have the priority
.IR warn ,
system\-level errors have the priority
.IR err ,
and important start\-up messages the priority
.IR alert .
The signature key for the log file will never be logged to syslog or the
log file itself.
For failures to verify file integrity, error levels are defined
in the next section.
.br
.BI PrintSeverity= val,
.br
.BI LogSeverity= val,
.br
.BI ExportSeverity= val,
.br
.BI ExternalSeverity= val,
.br
.BI PreludeSeverity= val,
.br
.BI DatabaseSeverity= val,
and
.br
.BI SyslogSeverity= val
set the thresholds for logging via stdout (or
.IR /dev/console ),
log file, TCP forwarding, calling external programs,
and
.BR syslog (3).
.TP
.I "[EventSeverity]"
.BI SeverityReadOnly= val,
.br
.BI SeverityLogFiles= val,
.br
.BI SeverityGrowingLogs= val,
.br
.BI SeverityIgnoreNone= val,
.br
.BI SeverityIgnoreAll= val,
.br
.BI SeverityPrelink= val,
.br
.BI SeverityUser0= val,
and
.br
.BI SeverityUser1= val
define the error levels for failures to verify the integrity of
files/directories of the respective types. I.e. if such a file shows
unexpected modifications, an error of level
.I val
will be generated, and logged to all facilities with a threshold of at least
.IR val .
.br
.BI SeverityFiles= val
sets the error level for file access problems, and
.br
.BI SeverityDirs= val
for directory access problems.
.br
.BI SeverityNames= val
sets the error level for obscure file names
(e.g. non\-printable characters), and for files
with invalid UIDs/GIDs.
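The following is an added example, not samhain's own code, showing how the [Log] thresholds and the [EventSeverity] levels described in the two sections above combine: an integrity failure for a policy produces an event at that policy's level, and each facility whose threshold admits that level receives it. The '*', '!' and '=' specifiers are implemented with the Linux syslogd reading, so '!lvl' is assumed to mean everything below lvl; the facility names, SAMPLE_LOG and SAMPLE_EVENT are this example's own.

```python
# Severity levels in ascending order, as listed for MailSeverity above.
LEVELS = ('debug', 'info', 'notice', 'warn', 'mark', 'err', 'crit', 'alert')

# [Log] keys and the facility each one gates (facility names are this example's).
FACILITY_KEYS = (
    ('PrintSeverity', 'stdout/console'),
    ('LogSeverity', 'log file'),
    ('MailSeverity', 'mail'),
    ('ExportSeverity', 'tcp forwarding'),
    ('ExternalSeverity', 'external program'),
    ('PreludeSeverity', 'prelude'),
    ('DatabaseSeverity', 'database'),
    ('SyslogSeverity', 'syslog'),
)


def level_index(name):
    name = name.strip().lower()
    if name not in LEVELS:
        raise ValueError('unknown severity %r' % name)
    return LEVELS.index(name)


def accepts(threshold, event):
    """True if a facility configured with `threshold` logs an event of
    severity `event`: '*' = all, '!lvl' = all but lvl and above (the
    Linux syslogd reading, assumed here), '=lvl' = only lvl,
    'none' = nothing, and a bare level means that level and above."""
    spec = threshold.strip().lower()
    if spec == 'none':
        return False
    if spec == '*':
        return True
    if spec.startswith('!'):
        return level_index(event) < level_index(spec[1:])
    if spec.startswith('='):
        return level_index(event) == level_index(spec[1:])
    return level_index(event) >= level_index(spec)


def destinations(log_section, event):
    """Facilities, in FACILITY_KEYS order, that receive an event of `event`."""
    return [name for key, name in FACILITY_KEYS
            if key in log_section and accepts(log_section[key], event)]


def policy_destinations(log_section, event_section, policy):
    """Where an integrity failure for files of `policy` (e.g. 'ReadOnly')
    ends up: [EventSeverity] supplies the level, [Log] the thresholds."""
    key = 'Severity' + policy
    if key not in event_section:
        raise KeyError('%s not set in [EventSeverity]' % key)
    return destinations(log_section, event_section[key])


# Constructed sample settings, not taken from the man page.
SAMPLE_LOG = {
    'PrintSeverity': 'none',      # nothing to the console
    'LogSeverity': 'warn',        # warn and above to the log file
    'MailSeverity': 'crit',       # only crit and alert are mailed
    'ExportSeverity': '!crit',    # everything below crit is forwarded
    'DatabaseSeverity': '*',      # everything to the database
    'SyslogSeverity': '=err',     # exactly err to syslog
}
SAMPLE_EVENT = {
    'SeverityReadOnly': 'crit',
    'SeverityLogFiles': 'err',
    'SeverityNames': 'warn',
}

if __name__ == '__main__':
    for policy in ('ReadOnly', 'LogFiles', 'Names'):
        print(policy, '->', policy_destinations(SAMPLE_LOG, SAMPLE_EVENT, policy))
```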
.TP
.I "[External]"
.BI OpenCommand= path
Start the definition of an external logging program|script.
.br
.BI SetType= log|srv
Type/purpose of program (log for logging).
.br
.BI SetCommandline= list
Command line options.
.br
.BI SetEnviron= KEY=val
Environment for external program.
.br
.BI SetChecksum= val
Checksum of the external program (checked before invoking).
.br
.BI SetCredentials= username
User as who the program will run.
.br
.BI SetFilterNot= list
Words not allowed in message.
.br
.BI SetFilterAnd= list
Words required (ALL) in message.
.br
.BI SetFilterOr= list
Words required (at least one) in message.
.br
.BI SetDeadtime= seconds
Time between consecutive calls.
.TP
.I "[Utmp]"
Configuration for watching login/logout events.
.br
.BI LoginCheckActive= 0|1
Switch off/on login/logout reporting.
.br
.BI LoginCheckInterval= val
Interval (seconds) between checks for login/logout events.
.br
.BI SeverityLogin= val
.br
.BI SeverityLoginMulti= val
.br
.BI SeverityLogout= val
Severity levels for logins, multiple logins
by same user, and logouts.
.TP
.I "[Kernel]"
Configuration for detecting kernel rootkits.
.br
.BI KernelCheckActive= 0|1
Switch off/on checking of kernel syscalls to detect kernel module rootkits.
.br
.BI KernelCheckInterval= val
Interval (seconds) between checks.
.br
.BI SeverityKernel= val
Severity level for clobbered kernel syscalls.
.br
.BI KernelCheckIDT= 0|1
Whether to check the interrupt descriptor table.
.br
.BI KernelSystemCall= address
The address of system_call (grep system_call System.map).
Required after a kernel update.
.br
.BI KernelProcRoot= address
The address of proc_root (grep ' proc_root$' System.map).
Required after a kernel update.
.br
.BI KernelProcRootIops= address
The address of proc_root_inode_operations
(grep proc_root_inode_operations System.map).
Required after a kernel update.
.br
.BI KernelProcRootLookup= address
The address of proc_root_lookup (grep proc_root_lookup System.map).
Required after a kernel update.
.TP
.I "[SuidCheck]"
Settings for finding SUID/SGID files on disk.
.br
.BI SuidCheckActive= 0|1
Switch off/on the check.
.br
.BI SuidCheckExclude= path
A directory (and its subdirectories)
to exclude from the check. Only one directory can be specified this way.
.br
.BI SuidCheckSchedule= schedule
Crontab-like schedule for checks.
.br
.BI SeveritySuidCheck= severity
Severity for events.
.br
.BI SuidCheckFps= fps
Limit files per second for the SUID check.
.TP
.I "[Database]"
Settings for
.I logging
to a database.
.br
.BI SetDBHost= db_host
Host where the DB server runs (default: localhost).
Should be a numeric IP address for PostgreSQL.
.br
.BI SetDBName= db_name
Name of the database (default: samhain).
.br
.BI SetDBTable= db_table
Name of the database table (default: log).
.br
.BI SetDBUser= db_user
Connect as this user (default: samhain).
.br
.BI SetDBPassword= db_password
Use this password (default: none).
.br
.BI SetDBServerTstamp= true|false
Log server timestamp for client messages (default: true).
.br
.BI UsePersistent= true|false
Use a persistent connection (default: true).
.TP
.I "[Misc]"
.BI Daemon= no|yes
Detach from controlling terminal to become a daemon.
.br
.BI MessageHeader= format
Custom format for message header. Replacements:
.I %F
source file name,
.I %L
source file line,
.I %S
severity,
.I %T
timestamp,
.I %C
message class.
.br
.BI VersionString= string
Set version string to include in file signature database
(along with hostname and date).
.br
.BI SetReverseLookup= true|false
If false, skip reverse lookups when connecting to a host known by name
rather than IP address.
.br
.BI HideSetup= yes|no
Don't log name of config/database files on startup.
.br
.BI SyslogFacility= facility
Set the syslog facility to use. Default is LOG_AUTHPRIV.
.br
.BI MACType= HASH-TIGER|HMAC-TIGER
Set type of message authentication code (HMAC).
Must be identical on client and server.
.br
.BI SetLoopTime= val
Defines the interval (in seconds) for timestamps.
.br
.BI SetConsole= device
Set the console device (default /dev/console).
.br
.BI MessageQueueActive= 1|0
Whether to use a SysV IPC message queue.
.br
.BI PreludeMapToInfo= list of severities
The severities (see section
.IR [Log] )
that should be mapped to impact
severity
.I info
in prelude.
.br
.BI PreludeMapToLow= list of severities
The severities (see section
.IR [Log] )
that should be mapped to impact
severity
.I low
in prelude.
.br
.BI PreludeMapToMedium= list of severities
The severities (see section
.IR [Log] )
that should be mapped to impact
severity
.I medium
in prelude.
.br
.BI PreludeMapToHigh= list of severities
The severities (see section
.IR [Log] )
that should be mapped to impact
severity
.I high
in prelude.
.br
.BI SetMailTime= val
defines the maximum interval (in seconds) between successive e\-mail reports.
Mail might be empty if there are no events to report.
.br
.BI SetMailNum= val
defines the maximum number of messages that are stored before e\-mailing them.
Messages of highest priority are always sent immediately.
.br
.BI SetMailAddress= username @ host
sets the recipient address for mailing.
.I "No aliases should be used."
For security, you should prefer a numerical host address.
.br
.BI SetMailRelay= server
sets the hostname for the mail relay server (if you need one).
If no relay server is given, mail is sent directly to the host given in the
mail address, otherwise it is sent to the relay server, which should
forward it to the given address.
.br
.BI SetMailSubject= val
defines a custom format for the subject of an email message.
.br
.BI SetMailSender= val
defines the sender for the 'From:' field of a message.
.br
.BI SetMailFilterAnd= list
defines a list of strings all of which must match a message, otherwise
it will not be mailed.
.br
.BI SetMailFilterOr= list
defines a list of strings at least one of which must match a message, otherwise
it will not be mailed.
.br
.BI SetMailFilterNot= list
defines a list of strings none of which should match a message, otherwise
it will not be mailed.
.br
.BI SamhainPath= /path/to/binary
sets the path to the samhain binary. If set, samhain will checksum
its own binary both on startup and termination, and compare both.
.br
.BI SetBindAddress= IP_address
The IP address (i.e. interface on multi-interface box) to use
for outgoing connections.
.br
.BI SetTimeServer= server
sets the hostname for the time server.
.br
.BI TrustedUser= name|uid
Add a user to the set of trusted users (root and the effective user
are always trusted; you can add up to 7 more users).
.br
.BI SetLogfilePath= AUTO|/path
Path to logfile (AUTO to tack hostname on compiled-in path).
.br
.BI SetLockfilePath= AUTO|/path
Path to lockfile (AUTO to tack hostname on compiled-in path).
.TP
.B Standalone or client only
.br
.BI SetNiceLevel= -19..19
Set scheduling priority during file check.
.br
.BI SetIOLimit= bps
Set IO limits (kilobytes per second) for file check.
.br
.BI SetFilecheckTime= val
Defines the interval (in seconds) between successive file checks.
.br
.BI FileCheckScheduleOne= schedule
Crontab-like schedule for file checks. If used,
.I SetFilecheckTime
is ignored.
.br
.BI UseHardlinkCheck= yes|no
Compare number of hardlinks to number of subdirectories for directories.
.br
.BI HardlinkOffset= N:/path
Exception (use multiple times for multiple
exceptions). N is offset (actual - expected hardlinks) for /path.
.br
.BI AddOKChars= N1,N2,..
List of additional acceptable characters (byte value(s)) for the check for
weird filenames. Nn may be hex (leading '0x': 0xNN), octal
(leading zero: 0NNN), or decimal.
Use
.I all
for all.
.br
.BI IgnoreAdded= path_regex
Ignore if this file/directory is added/created.
.br
.BI IgnoreMissing= path_regex
Ignore if this file/directory is missing/deleted.
.br
.BI ReportOnlyOnce= yes|no
Report only once on a modified file (default yes).
.br
.BI ReportFullDetail= yes|no
Report in full detail on modified files (not only modified items).
.br
.BI UseLocalTime= yes|no
Report file timestamps in local time rather than GMT (default no).
Do not use this with Beltane.
.br
.BI ChecksumTest= {init|update|check|none}
defines whether to initialize/update the database or verify files against it.
If 'none', you should supply the required option on the command line.
.br
.BI SetPrelinkPath= path
Path of the prelink executable (default /usr/sbin/prelink).
.br
.BI SetPrelinkChecksum= checksum
TIGER192 checksum of the prelink executable (no default).
.br
.BI SetLogServer= server
sets the hostname for the log server.
.br
.BI SetDatabasePath= AUTO|/path
Path to database (AUTO to tack hostname on compiled-in path).
.br
.BI DigestAlgo= SHA1|MD5
Use SHA1 or MD5 instead of the TIGER checksum (default: TIGER192).
.br
.BI RedefReadOnly= +/-XXX,+/-YYY,...
Add or subtract tests XXX from the ReadOnly policy.
Tests are: CHK (checksum), LNK (link),
HLN (hardlink), INO (inode), USR (user), GRP (group), MTM (mtime),
ATM (atime), CTM (ctime), SIZ (size), RDEV (device numbers)
and/or MOD (file mode).
.br
.BI RedefAttributes= +/-XXX,+/-YYY,...
Add or subtract tests XXX from the Attributes policy.
.br
.BI RedefLogFiles= +/-XXX,+/-YYY,...
Add or subtract tests XXX from the LogFiles policy.
.br
.BI RedefGrowingLogFiles= +/-XXX,+/-YYY,...
Add or subtract tests XXX from the GrowingLogFiles policy.
.br
.BI RedefIgnoreAll= +/-XXX,+/-YYY,...
Add or subtract tests XXX from the IgnoreAll policy.
.br
.BI RedefIgnoreNone= +/-XXX,+/-YYY,...
Add or subtract tests XXX from the IgnoreNone policy.
.br
.BI RedefUser0= +/-XXX,+/-YYY,...
Add or subtract tests XXX from the User0 policy.
.br
.BI RedefUser1= +/-XXX,+/-YYY,...
Add or subtract tests XXX from the User1 policy.
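The following is an added example, not samhain's own code, of a small reviewer for the Redef* entries above: it parses the +/-XXX,+/-YYY list, applies it to a policy's test set, and reports which tests a redefinition switches off, so that a weakening such as -CHK on ReadOnly does not go unnoticed. The base test sets in BASE_POLICY are an assumption approximated from the policy descriptions earlier in this page (GrowingLogFiles, whose size rule is conditional, is left out); SAMPLE_MISC and the function names are this example's own.

```python
# The twelve tests named under RedefReadOnly above.
TESTS = ('CHK', 'LNK', 'HLN', 'INO', 'USR', 'GRP',
         'MTM', 'ATM', 'CTM', 'SIZ', 'RDEV', 'MOD')

# Base test sets, approximated from the policy descriptions earlier in this
# page (an assumption of this example, not samhain's internal tables).
BASE_POLICY = {
    'ReadOnly':   frozenset(TESTS) - {'ATM'},                  # all but atime
    'Attributes': frozenset({'USR', 'GRP', 'MOD'}),            # owner, group, mode
    'LogFiles':   frozenset(TESTS) - {'CHK', 'SIZ', 'MTM', 'ATM', 'CTM'},
    'IgnoreNone': frozenset(TESTS),
    'IgnoreAll':  frozenset(),
}


def parse_redef(spec):
    """Parse '+/-XXX,+/-YYY,...' into a list of (add, test) tuples,
    rejecting malformed items and unknown test names."""
    items = []
    for raw in spec.split(','):
        item = raw.strip().upper()
        if not item:
            continue
        if item[0] not in '+-' or item[1:] not in TESTS:
            raise ValueError('bad Redef item %r' % raw)
        items.append((item[0] == '+', item[1:]))
    return items


def apply_redef(policy, spec):
    """Test set of `policy` after applying a Redef<policy>= specification."""
    tests = set(BASE_POLICY[policy])
    for add, test in parse_redef(spec):
        if add:
            tests.add(test)
        else:
            tests.discard(test)
    return frozenset(tests)


def weakened(policy, spec):
    """Tests the redefinition drops from the base policy, e.g. '-CHK' on
    ReadOnly, which turns off content checking for those files."""
    return frozenset(BASE_POLICY[policy] - apply_redef(policy, spec))


def audit_misc(misc_section):
    """Scan [Misc] key/values for Redef* entries and report dropped tests."""
    report = {}
    for key, value in misc_section.items():
        if key.startswith('Redef') and key[5:] in BASE_POLICY:
            dropped = weakened(key[5:], value)
            if dropped:
                report[key[5:]] = sorted(dropped)
    return report


# Constructed sample [Misc] entries, not taken from the man page.
SAMPLE_MISC = {
    'RedefReadOnly': '-CTM,-INO',   # tolerate ctime/inode churn from package tools
    'RedefAttributes': '+CHK',      # strengthens the policy: nothing dropped
    'RedefLogFiles': '-CHK,-USR',   # CHK was already ignored; USR is newly dropped
    'Daemon': 'yes',
}

if __name__ == '__main__':
    for policy, dropped in audit_misc(SAMPLE_MISC).items():
        print('%s: no longer checks %s' % (policy, ', '.join(dropped)))
```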
.TP
.B Server Only
.br
.BI SetUseSocket= yes|no
If unset, do not open the command socket. The default is no.
.br
.BI SetSocketAllowUid= UID
Which user can connect to the command socket. The default is 0 (root).
.br
.BI SetSocketPassword= password
Password (max. 14 chars, no '@') for password-based authentication on the
command socket (only if the OS does not support passing
credentials via sockets).
.br
.BI SetChrootDir= path
If set, chroot to this directory after startup.
.br
.BI SetStripDomain= yes|no
Whether to strip the domain from the client hostname when
logging client messages (default: yes).
.br
.BI SetClientFromAccept= true|false
If true, use client address as known to the communication layer. Else
(default) use client name as claimed by the client, try to verify against
the address known to the communication layer, and accept
(with a warning message) even if this fails.
.br
.BI UseClientSeverity= yes|no
Use the severity of client messages.
.br
.BI UseClientClass= yes|no
Use the class of client messages.
.br
.BI SetServerPort= number
The port that the server should use for listening (default is 49777).
.br
.BI SetServerInterface= IPaddress
The IP address (i.e. interface on multi-interface box) that the
server should use for listening (default is all). Use INADDR_ANY to reset
to all.
.br
.BI SeverityLookup= severity
Severity of the message issued when the client address does not match
the socket peer.
.br
.BI UseSeparateLogs= true|false
If true, messages from different clients will be logged to separate
log files (the name of the client will be appended to the name of the main
log file to construct the logfile name).
.br
.BI SetClientTimeLimit= seconds
The maximum time between client messages. If exceeded, a warning will
be issued (the default is 86400 sec = 1 day).
.br
.BI SetUDPActive= yes|no
yule 1.2.8+: Also listen on 514/udp (syslog).
.TP
.I "[Clients]"
This section is only relevant if
.B samhain
is run as a log server for clients running on another (or the same) machine.
.br
.BI Client= hostname @ salt @ verifier
registers a client at host
.I hostname
(fully qualified hostname required) for access to the
log server.
Log entries from unregistered clients will not be accepted.
To generate a salt and a valid verifier, use the command
.B "samhain -P"
.IR "password" ,
where
.I password
is the password of the client. A simple utility program
.B samhain_setpwd
is provided to re\-set the compiled\-in default password of the client
executable to a user\-defined
value.
.TP
.I "[EOF]"
An optional end marker. Everything below is ignored.

.SH SEE ALSO
.PP
.BR samhain (8)

.SH AUTHOR
.PP
Rainer Wichmann (http://la\-samhna.de)

.SH BUG REPORTS
.PP
If you find a bug in
.BR samhain ,
please send electronic mail to
.IR support@la\-samhna.de .
Please include your operating system and its revision, the version of
.BR samhain ,
what C compiler you used to compile it, your 'configure' options, and
anything else you deem helpful.

.SH COPYING PERMISSIONS
.PP
Copyright (\(co) 2000, 2004, 2005 Rainer Wichmann
.PP
Permission is granted to make and distribute verbatim copies of
this manual page provided the copyright notice and this permission
notice are preserved on all copies.
.ig
Permission is granted to process this file through troff and print the
results, provided the printed document carries copying permission
notice identical to this one except for the removal of this paragraph
(this paragraph not being relevant to the printed manual page).
..
.PP
Permission is granted to copy and distribute modified versions of this
manual page under the conditions for verbatim copying, provided that
the entire resulting derived work is distributed under the terms of a
permission notice identical to this one.