source: trunk/man/samhainrc.5@ 569

Last change on this file since 569 was 481, checked in by katerina, 9 years ago

Enhancements and fixes for tickets #374, #375, #376, #377, #378, and #379.

File size: 20.7 KB
Line 
1.TH SAMHAINRC 5 "Jul 29, 2004" "" "samhainrc manual"
2.SH NAME
3samhainrc \- samhain(8) configuration file
4
5.SH WARNING
6.PP
7The information in this man page is not always up to date.
8The authoritative documentation is the user manual.
9
10.SH DESCRIPTION
11.PP
12The configuration file for
13.BR samhain (8)
14is named
15.I samhainrc
16and located in
17.I /etc
18by default.
19.PP
20It contains several sections, indicated by headings in square brackets.
21Each section may hold zero or more
22.BI key= value
23pairs. Blank lines and lines starting with '#' are comments.
24Everything before the first section and after an
25.I "[EOF]"
26is ignored. The file may be (clear text) signed by PGP/GnuPG, and
27.B samhain
28may invoke GnuPG to check the signature
29if compiled with support for it.
30.PP
31Conditional inclusion of entries for some host(s) is
32supported via any number of
33.BI @ hostname /@ end
34directives.
35.BI @ hostname
36and
37.BI @ end
38must each be on separate lines. Lines in between will only be
39read if
40.I "hostname"
41(which may be a regular expression) matches the local host.
42.PP
43Likewise, conditional inclusion of entries based on system type is
44supported via any number of
45.BI $ sysname:release:machine /$ end
46directives.
47.br
48.I "sysname:release:machine"
49can be inferred from
50.I "uname -srm"
51and may be a regular expression.
52.PP
53Filenames/directories to check may be wildcard patterns.
54.PP
55Options given on the command line will override
56those in the configuration file.
57The recognized sections in the configuration file are as follows:
58.PP
59Boolean options can be set with any of 1|true|yes or 0|false|no.
60.TP
61.I "[ReadOnly]"
62This section may contain
63.br
64.BI file= PATH
65and
66.br
67.BI dir= [depth]PATH
68entries for files and directories to check. All modifications except access
69times will be reported for these files.
70.I [depth] (use without brackets)
71is an optional parameter to define a per\-directory recursion
72depth.
73.TP
74.I "[LogFiles]"
75As above, but modifications of timestamps, file size, and signature will
76be ignored.
77.TP
78.I "[GrowingLogFiles]"
79As above, but modifications of file size will only be ignored if the size has
80.IR increased .
81.TP
82.I "[Attributes]"
83As above, but only modifications of ownership and access permissions
84will be checked.
85.TP
86.I "[IgnoreAll]"
87As above, but report no modifications for
88these files/directories. Access failures
89will still be reported.
90.TP
91.I "[IgnoreNone]"
92As above, but report all modifications for these files/directories,
93including access time.
94.TP
95.I "[User0]"
96.TP
97.I "[User1]"
98.TP
99.I "[User2]"
100.TP
101.I "[User3]"
102.TP
103.I "[User4]"
104These are reserved for user-defined policies.
105.TP
106.I "[Prelink]"
107For prelinked executables / libraries or directories holding them.
108.TP
109.I "[Log]"
110This section defines the filtering rules for logging.
111It may contain the following entries:
112.br
113.BI MailSeverity= val
114where the threshold value
115.I val
116may be one of
117.IR debug ,
118.IR info ,
119.IR notice ,
120.IR warn ,
121.IR mark ,
122.IR err ,
123.IR crit ,
124.IR alert ,
125or
126.IR none .
127By default, everything equal to and above the threshold will be logged.
128The specifiers
129.IR * ,
130.IR ! ,
131and
132.I =
133are interpreted as 'all', 'all but', and 'only', respectively (like
134in the Linux version of syslogd(8)).
135Time stamps have the priority
136.IR warn ,
137system\-level errors have the priority
138.IR err ,
139and important start\-up messages the priority
140.IR alert .
141The signature key for the log file will never be logged to syslog or the
142log file itself.
143For failures to verify file integrity, error levels are defined
144in the next section.
145.br
146.BI PrintSeverity= val,
147.br
148.BI LogSeverity= val,
149.br
150.BI ExportSeverity= val,
151.br
152.BI ExternalSeverity= val,
153.br
154.BI PreludeSeverity= val,
155.br
156.BI DatabaseSeverity= val,
157and
158.br
159.BI SyslogSeverity= val
160set the thresholds for logging via stdout (or
161.IR /dev/console ),
162log file, TCP forwarding, calling external programs,
163and
164.BR syslog (3).
165.TP
166.I "[EventSeverity]"
167.BI SeverityReadOnly= val,
168.br
169.BI SeverityLogFiles= val,
170.br
171.BI SeverityGrowingLogs= val,
172.br
173.BI SeverityIgnoreNone= val,
174.br
175.BI SeverityIgnoreAll= val,
176.br
177.BI SeverityPrelink= val,
178.br
179.BI SeverityUser0= val,
180.br
181.BI SeverityUser1= val,
182.br
183.BI SeverityUser2= val,
184.br
185.BI SeverityUser3= val,
186and
187.br
188.BI SeverityUser4= val
189define the error levels for failures to verify the integrity of
190files/directories of the respective types. I.e. if such a file shows
191unexpected modifications, an error of level
192.I val
193will be generated, and logged to all facilities with a threshold of at least
194.IR val .
195.br
196.BI SeverityFiles= val
197sets the error level for file access problems, and
198.br
199.BI SeverityDirs= val
200for directory access problems.
201.br
202.BI SeverityNames= val
203sets the error level for obscure file names
204(e.g. non\-printable characters), and for files
205with invalid UIDs/GIDs.
206.TP
207.I "[External]"
208.BI OpenCommand= path
209Start the definition of an external logging program|script.
210.br
211.BI SetType= log|srv
212Type/purpose of program (log for logging).
213.br
214.BI SetCommandline= list
215Command line options.
216.br
217.BI SetEnviron= KEY=val
218Environment for external program.
219.br
220.BI SetChecksum= val
221Checksum of the external program (checked before invoking).
222.br
223.BI SetCredentials= username
224User as who the program will run.
225.br
226.BI SetFilterNot= list
227Words not allowed in message.
228.br
229.BI SetFilterAnd= list
230Words required (ALL) in message.
231.br
232.BI SetFilterOr= list
233Words required (at least one) in message.
234.br
235.BI SetDeadtime= seconds
236Time between consecutive calls.
237.TP
238.I "[Utmp]"
239Configuration for watching login/logout events.
240.br
241.BI LoginCheckActive= 0|1
242Switch off/on login/logout reporting.
243.br
244.BI LoginCheckInterval= val
245Interval (seconds) between checks for login/logout events.
246.br
247.BI SeverityLogin= val
248.br
249.BI SeverityLoginMulti= val
250.br
251.BI SeverityLogout= val
252Severity levels for logins, multiple logins
253by same user, and logouts.
254.TP
255.I "[SuidCheck]"
256Settings for finding SUID/SGID files on disk.
257.br
258.BI SuidCheckActive= 0|1
259Switch off/on the check.
260.br
261.BI SuidCheckExclude= path
262 A directory (and its subdirectories)
263 to exclude from the check. Only one directory can be specified this way.
264.br
265.BI SuidCheckSchedule= schedule
266Crontab-like schedule for checks.
267.br
268.BI SeveritySuidCheck= severity
269Severity for events.
270.br
271.BI SuidCheckFps= fps
272Limit files per seconds for SUID check.
273.br
274.BI SuidCheckNosuid= 0|1
275Check filesystems mounted as nosuid. Defaults to not.
276.br
277.BI SuidCheckQuarantineFiles= 0|1
278Whether to quarantine files. Defaults to not.
279.br
280.BI SuidCheckQuarantineMethod= 0|1|2
281Quarantine method. Delete = 1, remove suid/sgid flags = 1, move to quarantine directory = 2. Defaults to 1 (remove suid/sgid flags).
282.br
283.BI
284.TP
285.I "[Mounts]"
286Configuration for checking mounts.
287.br
288.BI MountCheckActive= 0|1
289Switch off/on this module.
290.br
291.BI MountCheckInterval= seconds
292 The interval between checks (default 300).
293.br
294.BI SeverityMountMissing= severity
295Severity for reports on missing mounts.
296.br
297.BI SeverityOptionMissing= severity
298Severity for reports on missing mount options.
299.br
300.BI CheckMount= path
301[mount_options]
302.br
303Mount point to check. Mount options must be given as
304comma-separated list, separated by a blank from the preceding mount point.
305.TP
306.I "[UserFiles]"
307Configuration for checking paths relative to user home directories.
308.br
309.BI UserFilesActive= 0|1
310Switch off/on this module.
311.br
312.BI UserFilesName= filename
313policy
314.br
315Files to check for under each $HOME. Allowed values for 'policy'
316are: allignore, attributes, logfiles, loggrow, noignore (default),
317readonly, user0, user1, user2, user3, and user4.
318.br
319.BI UserFilesCheckUids= uid_list
320A list of UIDs where we want to check. The default
321is all. Ranges (e.g. 100-500) are allowed. If there is an open range (e.g.
3221000-), it must be last in the list.
323.TP
324.I "[ProcessCheck]"
325Settings for finding hidden/fake,required processes on the local host.
326.br
327.BI ProcessCheckActive= 0|1
328Switch off/on the check.
329.br
330.BI ProcessCheckInterval= seconds
331 The interval between checks (default 300).
332.br
333.BI SeverityProcessCheck= severity
334Severity for events (default crit).
335.br
336.BI ProcessCheckMinPID= pid
337The minimum PID to check (default 0).
338.br
339.BI ProcessCheckMaxPID= pid
340The maximum PID to check (default 32767).
341.br
342.BI ProcessCheckPSPath= path
343The path to ps (autodetected at compile time).
344.br
345.BI ProcessCheckPSArg= argument
346The argument to ps (autodetected at compile time).
347Must yield PID in first column.
348.br
349.BI ProcessCheckExists= regular_expression
350Check for existence of a process matching the given regular expression.
351.TP
352.I "[PortCheck]"
353Settings for checking open ports on the local host.
354.br
355.BI PortCheckActive= 0|1
356Switch off/on the check.
357.br
358.BI PortCheckInterval= seconds
359 The interval between checks (default 300).
360.br
361.BI PortCheckUDP= yes|no
362Whether to check UPD ports as well (default yes).
363.br
364.BI SeverityPortCheck= severity
365Severity for events (default crit).
366.br
367.BI PortCheckInterface= ip_address
368Additional interface to check.
369.br
370.BI PortCheckOptional= ip_address:list
371Ports that may, but need not be open. The ip_address is the one
372of the interface, the list must be
373comma or whitespace separated, each item must be (port|service)/protocol,
374e.g. 22/tcp,nfs/tcp/nfs/udp.
375.br
376.BI PortCheckRequired= ip_address:list
377Ports that are required to be open. The ip_address is the one
378of the interface, the list must be
379comma or whitespace separated, each item must be (port|service)/protocol,
380e.g. 22/tcp,nfs/tcp/nfs/udp.
381.TP
382.I "[Database]"
383Settings for
384.I logging
385to a database.
386.br
387.BI SetDBHost= db_host
388Host where the DB server runs (default: localhost).
389Should be a numeric IP address for PostgreSQL.
390.br
391.BI SetDBName= db_name
392Name of the database (default: samhain).
393.br
394.BI SetDBTable= db_table
395Name of the database table (default: log).
396.br
397.BI SetDBUser= db_user
398Connect as this user (default: samhain).
399.br
400.BI SetDBPassword= db_password
401Use this password (default: none).
402.br
403.BI SetDBServerTstamp= true|false
404Log server timestamp for client messages (default: true).
405.br
406.BI UsePersistent= true|false
407Use a persistent connection (default: true).
408.TP
409.I "[Misc]"
410.BI Daemon= no|yes
411Detach from controlling terminal to become a daemon.
412.br
413.BI MessageHeader= format
414Costom format for message header. Replacements:
415.I %F
416source file name,
417.I %L
418source file line,
419.I %S
420severity,
421.I %T
422timestamp,
423.I %C
424message class.
425.br
426.BI VersionString= string
427Set version string to include in file signature database
428(along with hostname and date).
429.br
430.BI SetReverseLookup= true|false
431If false, skip reverse lookups when connecting to a host known by name
432rather than IP address.
433.br
434.BI HideSetup= yes|no
435Don't log name of config/database files on startup.
436.br
437.BI SyslogFacility= facility
438Set the syslog facility to use. Default is LOG_AUTHPRIV.
439.br
440.BI MACType= HASH-TIGER|HMAC-TIGER
441Set type of message authentication code (HMAC).
442Must be identical on client and server.
443.br
444.BI StartupLoadDelay= val
445Defines the interval (in seconds) to wait after startup before
446loading the databse from the server. Default is no wait.
447.br
448.BI SetLoopTime= val
449Defines the interval (in seconds) for timestamps.
450.br
451.BI SetConsole= device
452Set the console device (default /dev/console).
453.br
454.BI MessageQueueActive= 1|0
455Whether to use a SysV IPC message queue.
456.br
457.BI PreludeMapToInfo= list of severities
458The severities (see section
459.IR [Log] )
460that should be mapped to impact
461severity
462.I info
463in prelude.
464.br
465.BI PreludeMapToLow= list of severities
466The severities (see section
467.IR [Log] )
468that should be mapped to impact
469severity
470.I low
471in prelude.
472.br
473.BI PreludeMapToMedium= list of severities
474The severities (see section
475.IR [Log] )
476that should be mapped to impact
477severity
478.I medium
479in prelude.
480.br
481.BI PreludeMapToHigh= list of severities
482The severities (see section
483.IR [Log] )
484that should be mapped to impact
485severity
486.I high
487in prelude.
488.br
489.BI SetMailTime= val
490defines the maximum interval (in seconds) between succesive e\-mail reports.
491Mail might be empty if there are no events to report.
492.br
493.BI SetMailNum= val
494defines the maximum number of messages that are stored before e\-mailing them.
495Messages of highest priority are always sent immediately.
496.br
497.BI SetMailAddress= username @ host
498sets the recipient address for mailing.
499.I "No aliases should be used."
500For security, you should prefer a numerical host address.
501.br
502.BI SetMailRelay= server
503sets the hostname for the mail relay server (if you need one).
504If no relay server is given, mail is sent directly to the host given in the
505mail address, otherwise it is sent to the relay server, who should
506forward it to the given address.
507.br
508.BI SetMailSubject= val
509defines a custom format for the subject of an email message.
510.br
511.BI SetMailSender= val
512defines the sender for the 'From:' field of a message.
513.br
514.BI SetMailFilterAnd= list
515defines a list of strings all of which must match a message, otherwise
516it will not be mailed.
517.br
518.BI SetMailFilterOr= list
519defines a list of strings at least one of which must match a message, otherwise
520it will not be mailed.
521.br
522.BI SetMailFilterNot= list
523defines a list of strings none of which should match a message, otherwise
524it will not be mailed.
525.br
526.BI SamhainPath= /path/to/binary
527sets the path to the samhain binary. If set, samhain will checksum
528its own binary both on startup and termination, and compare both.
529.br
530.BI SetBindAddress= IP_address
531The IP address (i.e. interface on multi-interface box) to use
532for outgoing connections.
533.br
534.BI SetTimeServer= server
535sets the hostname for the time server.
536.br
537.BI TrustedUser= name|uid
538Add a user to the set of trusted users (root and the effective user
539are always trusted. You can add up to 7 more users).
540.br
541.BI SetLogfilePath= AUTO|/path
542Path to logfile (AUTO to tack hostname on compiled-in path).
543.br
544.BI SetLockfilePath= AUTO|/path
545Path to lockfile (AUTO to tack hostname on compiled-in path).
546.TP
547.B Standalone or client only
548.br
549.BI SetNiceLevel= -19..19
550Set scheduling priority during file check.
551.br
552.BI SetIOLimit= bps
553Set IO limits (kilobytes per second) for file check.
554.br
555.BI SetFilecheckTime= val
556Defines the interval (in seconds) between succesive file checks.
557.br
558.BI FileCheckScheduleOne= schedule
559Crontab-like schedule for file checks. If used,
560.I SetFilecheckTime
561is ignored.
562.br
563.BI UseHardlinkCheck= yes|no
564Compare number of hardlinks to number of subdirectories for directories.
565.br
566.BI HardlinkOffset= N:/path
567Exception (use multiple times for multiple
568exceptions). N is offset (actual - expected hardlinks) for /path.
569.br
570.BI AddOKChars= N1,N2,..
571List of additional acceptable characters (byte value(s)) for the check for
572weird filenames. Nn may be hex (leading '0x': 0xNN), octal
573(leading zero: 0NNN), or decimal.
574Use
575.I all
576for all.
577.br
578.BI FilenamesAreUTF8= yes|no
579Whether filenames are UTF-8 encoded (defaults to no). If yes, filenames
580are checked for invalid UTF-8 encoding and for ending in invisible characters.
581.br
582.BI IgnoreAdded= path_regex
583Ignore if this file/directory is added/created.
584.br
585.BI IgnoreMissing= path_regex
586Ignore if this file/directory is missing/deleted.
587.br
588.BI ReportOnlyOnce= yes|no
589Report only once on a modified file (default yes).
590.br
591.BI ReportFullDetail= yes|no
592Report in full detail on modified files (not only modified items).
593.br
594.BI UseLocalTime= yes|no
595Report file timestamps in local time rather than GMT (default no).
596Do not use this with Beltane.
597.br
598.BI ChecksumTest= {init|update|check|none}
599defines whether to initialize/update the database or verify files against it.
600If 'none', you should supply the required option on the command line.
601.br
602.BI SetPrelinkPath= path
603Path of the prelink executable (default /usr/sbin/prelink).
604.br
605.BI SetPrelinkChecksum= checksum
606TIGER192 checksum of the prelink executable (no default).
607.br
608.BI SetLogServer= server
609sets the hostname for the log server.
610.br
611.BI SetServerPort= portnumber
612sets the port on the server to connect to.
613.br
614.BI SetDatabasePath= AUTO|/path
615Path to database (AUTO to tack hostname on compiled-in path).
616.br
617.BI DigestAlgo= SHA1|MD5
618Use SHA1 or MD5 instead of the TIGER checksum (default: TIGER192).
619.br
620.BI RedefReadOnly= +/-XXX,+/-YYY,...
621Add or subtract tests XXX from the ReadOnly policy.
622Tests are: CHK (checksum), TXT (store literal content), LNK (link),
623HLN (hardlink), INO (inode), USR (user), GRP (group), MTM (mtime),
624ATM (atime), CTM (ctime), SIZ (size), RDEV (device numbers)
625and/or MOD (file mode).
626.br
627.BI RedefAttributes= +/-XXX,+/-YYY,...
628Add or subtract tests XXX from the Attributes policy.
629.br
630.BI RedefLogFiles= +/-XXX,+/-YYY,...
631Add or subtract tests XXX from the LogFiles policy.
632.br
633.BI RedefGrowingLogFiles= +/-XXX,+/-YYY,...
634Add or subtract tests XXX from the GrowingLogFiles policy.
635.br
636.BI RedefIgnoreAll= +/-XXX,+/-YYY,...
637Add or subtract tests XXX from the IgnoreAll policy.
638.br
639.BI RedefIgnoreNone= +/-XXX,+/-YYY,...
640Add or subtract tests XXX from the IgnoreNone policy.
641.br
642.BI RedefUser0= +/-XXX,+/-YYY,...
643Add or subtract tests XXX from the User0 policy.
644.br
645.BI RedefUser1= +/-XXX,+/-YYY,...
646Add or subtract tests XXX from the User1 policy.
647.br
648.BI RedefUser2= +/-XXX,+/-YYY,...
649Add or subtract tests XXX from the User2 policy.
650.br
651.BI RedefUser3= +/-XXX,+/-YYY,...
652Add or subtract tests XXX from the User3 policy.
653.br
654.BI RedefUser4= +/-XXX,+/-YYY,...
655Add or subtract tests XXX from the User4 policy.
656.TP
657.B Server Only
658.br
659.BI SetUseSocket= yes|no
660If unset, do not open the command socket. The default is no.
661.br
662.BI SetSocketAllowUid= UID
663Which user can connect to the command socket. The default is 0 (root).
664.br
665.BI SetSocketPassword= password
666Password (max. 14 chars, no '@') for password-based authentication on the
667command socket (only if the OS does not support passing
668credentials via sockets).
669.br
670.BI SetChrootDir= path
671If set, chroot to this directory after startup.
672.br
673.BI SetStripDomain= yes|no
674Whether to strip the domain from the client hostname when
675logging client messages (default: yes).
676.br
677.BI SetClientFromAccept= true|false
678If true, use client address as known to the communication layer. Else
679(default) use client name as claimed by the client, try to verify against
680the address known to the communication layer, and accept
681(with a warning message) even if this fails.
682.br
683.BI UseClientSeverity= yes|no
684Use the severity of client messages.
685.br
686.BI UseClientClass= yes|no
687Use the class of client messages.
688.br
689.BI SetServerPort= number
690The port that the server should use for listening (default is 49777).
691.br
692.BI SetServerInterface= IPaddress
693The IP address (i.e. interface on multi-interface box) that the
694server should use for listening (default is all). Use INADDR_ANY to reset
695to all.
696.br
697.BI SeverityLookup= severity
698Severity of the message on client address != socket peer.
699.br
700.BI UseSeparateLogs= true|false
701If true, messages from different clients will be logged to separate
702log files (the name of the client will be appended to the name of the main
703log file to construct the logfile name).
704.br
705.BI SetClientTimeLimit= seconds
706The maximum time between client messages. If exceeded, a warning will
707be issued (the default is 86400 sec = 1 day).
708.br
709.BI SetUDPActive= yes|no
710yule 1.2.8+: Also listen on 514/udp (syslog).
711
712
713.TP
714.I "[Clients]"
715This section is only relevant if
716.B samhain
717is run as a log server for clients running on another (or the same) machine.
718.br
719.BI Client= hostname @ salt @ verifier
720registers a client at host
721.I hostname
722(fully qualified hostname required) for access to the
723log server.
724Log entries from unregistered clients will not be accepted.
725To generate a salt and a valid verifier, use the command
726.B "samhain -P"
727.IR "password" ,
728where
729.I password
730is the password of the client. A simple utility program
731.B samhain_setpwd
732is provided to re\-set the compiled\-in default password of the client
733executable to a user\-defined
734value.
735.TP
736.I "[EOF]"
737An optional end marker. Everything below is ignored.
738
739.SH SEE ALSO
740.PP
741.BR samhain (8)
742
743.SH AUTHOR
744.PP
745Rainer Wichmann (http://la\-samhna.de)
746
747.SH BUG REPORTS
748.PP
749If you find a bug in
750.BR samhain ,
751please send electronic mail to
752.IR support@la\-samhna.de .
753Please include your operating system and its revision, the version of
754.BR samhain ,
755what C compiler you used to compile it, your 'configure' options, and
756anything else you deem helpful.
757
758.SH COPYING PERMISSIONS
759.PP
760Copyright (\(co) 2000, 2004, 2005 Rainer Wichmann
761.PP
762Permission is granted to make and distribute verbatim copies of
763this manual page provided the copyright notice and this permission
764notice are preserved on all copies.
765.ig
766Permission is granted to process this file through troff and print the
767results, provided the printed document carries copying permission
768notice identical to this one except for the removal of this paragraph
769(this paragraph not being relevant to the printed manual page).
770..
771.PP
772Permission is granted to copy and distribute modified versions of this
773manual page under the conditions for verbatim copying, provided that
774the entire resulting derived work is distributed under the terms of a
775permission notice identical to this one.
776
Note: See TracBrowser for help on using the repository browser.