source: trunk/man/samhainrc.5@ 7

Last change on this file since 7 was 1, checked in by katerina, 19 years ago

Initial import

File size: 17.7 KB
Line 
1.TH SAMHAINRC 5 "Jul 29, 2004" "" "samhainrc manual"
2.SH NAME
3samhainrc \- samhain(8) configuration file
4
5.SH WARNING
6.PP
7The information in this man page is not always up to date.
8The authoritative documentation is the user manual.
9
10.SH DESCRIPTION
11.PP
12The configuration file for
13.BR samhain (8)
14is named
15.I samhainrc
16and located in
17.I /etc
18by default.
19.PP
20It contains several sections, indicated by headings in square brackets.
21Each section may hold zero or more
22.BI key= value
23pairs. Blank lines and lines starting with '#' are comments.
24Everything before the first section and after an
25.I "[EOF]"
26is ignored. The file may be (clear text) signed by PGP/GnuPG, and
27.B samhain
28may invoke GnuPG to check the signature
29if compiled with support for it.
30.PP
31Conditional inclusion of entries for some host(s) is
32supported via any number of
33.BI @ hostname /@ end
34directives.
35.BI @ hostname
36and
37.BI @ end
38must each be on separate lines. Lines in between will only be
39read if
40.I "hostname"
41(which may be a regular expression) matches the local host.
42.PP
43Likewise, conditional inclusion of entries based on system type is
44supported via any number of
45.BI $ sysname:release:machine /$ end
46directives.
47.br
48.I "sysname:release:machine"
49can be inferred from
50.I "uname -srm"
51and may be a regular expression.
52.PP
53Filenames/directories to check may be wildcard patterns.
54.PP
55Options given on the command line will override
56those in the configuration file.
57The recognized sections in the configuration file are as follows:
58.PP
59Boolean options can be set with any of 1|true|yes or 0|false|no.
60.TP
61.I "[ReadOnly]"
62This section may contain
63.br
64.BI file= PATH
65and
66.br
67.BI dir= [depth]PATH
68entries for files and directories to check. All modifications except access
69times will be reported for these files.
70.I [depth] (use without brackets)
71is an optional parameter to define a per\-directory recursion
72depth.
73.TP
74.I "[LogFiles]"
75As above, but modifications of timestamps, file size, and signature will
76be ignored.
77.TP
78.I "[GrowingLogFiles]"
79As above, but modifications of file size will only be ignored if the size has
80.IR increased .
81.TP
82.I "[Attributes]"
83As above, but only modifications of ownership and access permissions
84will be checked.
85.TP
86.I "[IgnoreAll]"
87As above, but report no modifications for
88these files/directories. Access failures
89will still be reported.
90.TP
91.I "[IgnoreNone]"
92As above, but report all modifications for these files/directories,
93including access time.
94.TP
95.I "[User0]"
96.TP
97.I "[User1]"
98These are reserved for user-defined policies.
99.TP
100.I "[Prelink]"
101For prelinked executables / libraries or directories holding them.
102.TP
103.I "[Log]"
104This section defines the filtering rules for logging.
105It may contain the following entries:
106.br
107.BI MailSeverity= val
108where the threshold value
109.I val
110may be one of
111.IR debug ,
112.IR info ,
113.IR notice ,
114.IR warn ,
115.IR mark ,
116.IR err ,
117.IR crit ,
118.IR alert ,
119or
120.IR none .
121By default, everything equal to and above the threshold will be logged.
122The specifiers
123.IR * ,
124.IR ! ,
125and
126.I =
127are interpreted as 'all', 'all but', and 'only', respectively (like
128in the Linux version of syslogd(8)).
129Time stamps have the priority
130.IR warn ,
131system\-level errors have the priority
132.IR err ,
133and important start\-up messages the priority
134.IR alert .
135The signature key for the log file will never be logged to syslog or the
136log file itself.
137For failures to verify file integrity, error levels are defined
138in the next section.
139.br
140.BI PrintSeverity= val,
141.br
142.BI LogSeverity= val,
143.br
144.BI ExportSeverity= val,
145.br
146.BI ExternalSeverity= val,
147.br
148.BI PreludeSeverity= val,
149.br
150.BI DatabaseSeverity= val,
151and
152.br
153.BI SyslogSeverity= val
154set the thresholds for logging via stdout (or
155.IR /dev/console ),
156log file, TCP forwarding, calling external programs,
157and
158.BR syslog (3).
159.TP
160.I "[EventSeverity]"
161.BI SeverityReadOnly= val,
162.br
163.BI SeverityLogFiles= val,
164.br
165.BI SeverityGrowingLogs= val,
166.br
167.BI SeverityIgnoreNone= val,
168.br
169.BI SeverityIgnoreAll= val,
170.br
171.BI SeverityPrelink= val,
172.br
173.BI SeverityUser0= val,
174and
175.br
176.BI SeverityUser1= val
177define the error levels for failures to verify the integrity of
178files/directories of the respective types. I.e. if such a file shows
179unexpected modifications, an error of level
180.I val
181will be generated, and logged to all facilities with a threshold of at least
182.IR val .
183.br
184.BI SeverityFiles= val
185sets the error level for file access problems, and
186.br
187.BI SeverityDirs= val
188for directory access problems.
189.br
190.BI SeverityNames= val
191sets the error level for obscure file names
192(e.g. non\-printable characters), and for files
193with invalid UIDs/GIDs.
194.TP
195.I "[External]"
196.BI OpenCommand= path
197Start the definition of an external logging program|script.
198.br
199.BI SetType= log|srv
200Type/purpose of program (log for logging).
201.br
202.BI SetCommandline= list
203Command line options.
204.br
205.BI SetEnviron= KEY=val
206Environment for external program.
207.br
208.BI SetChecksum= val
209Checksum of the external program (checked before invoking).
210.br
211.BI SetCredentials= username
212User as who the program will run.
213.br
214.BI SetFilterNot= list
215Words not allowed in message.
216.br
217.BI SetFilterAnd= list
218Words required (ALL) in message.
219.br
220.BI SetFilterOr= list
221Words required (at least one) in message.
222.br
223.BI SetDeadtime= seconds
224Time between consecutive calls.
225.TP
226.I "[Utmp]"
227Configuration for watching login/logout events.
228.br
229.BI LoginCheckActive= 0|1
230Switch off/on login/logout reporting.
231.br
232.BI LoginCheckInterval= val
233Interval (seconds) between checks for login/logout events.
234.br
235.BI SeverityLogin= val
236.br
237.BI SeverityLoginMulti= val
238.br
239.BI SeverityLogout= val
240Severity levels for logins, multiple logins
241by same user, and logouts.
242.TP
243.I "[Kernel]"
244Configuration for detecting kernel rootkits.
245.br
246.BI KernelCheckActive= 0|1
247Switch off/on checking of kernel syscalls to detect kernel module rootkits.
248.br
249.BI KernelCheckInterval= val
250Interval (seconds) between checks.
251.br
252.BI SeverityKernel= val
253Severity level for clobbered kernel syscalls.
254.br
255.BI KernelCheckIDT= 0|1
256Whether to check the interrrupt descriptor table.
257.br
258.BI KernelSystemCall= address
259The address of system_call (grep system_call System.map).
260Required after a kernel update.
261.br
262.BI KernelProcRoot= address
263The address of proc_root (grep ' proc_root$' System.map).
264Required after a kernel update.
265.br
266.BI KernelProcRootIops= address
267The address of proc_root_inode_operations
268(grep proc_root_inode_operations System.map).
269Required after a kernel update.
270.br
271.BI KernelProcRootLookup= address
272The address of proc_root_lookup (grep proc_root_lookup System.map).
273Required after a kernel update.
274.TP
275.I "[SuidCheck]"
276Settings for finding SUID/SGID files on disk.
277.br
278.BI SuidCheckActive= 0|1
279Switch off/on the check.
280.br
281.BI SuidCheckExclude= path
282 A directory (and its subdirectories)
283 to exclude from the check. Only one directory can be specified this way.
284.br
285.BI SuidCheckSchedule= schedule
286Crontab-like schedule for checks.
287.br
288.BI SeveritySuidCheck= severity
289Severity for events.
290.br
291.BI SuidCheckFps= fps
292Limit files per seconds for SUID check.
293.TP
294.I "[Database]"
295Settings for
296.I logging
297to a database.
298.br
299.BI SetDBHost= db_host
300Host where the DB server runs (default: localhost).
301Should be a numeric IP address for PostgreSQL.
302.br
303.BI SetDBName= db_name
304Name of the database (default: samhain).
305.br
306.BI SetDBTable= db_table
307Name of the database table (default: log).
308.br
309.BI SetDBUser= db_user
310Connect as this user (default: samhain).
311.br
312.BI SetDBPassword= db_password
313Use this password (default: none).
314.br
315.BI SetDBServerTstamp= true|false
316Log server timestamp for client messages (default: true).
317.br
318.BI UsePersistent= true|false
319Use a persistent connection (default: true).
320.TP
321.I "[Misc]"
322.BI Daemon= no|yes
323Detach from controlling terminal to become a daemon.
324.br
325.BI MessageHeader= format
326Costom format for message header. Replacements:
327.I %F
328source file name,
329.I %L
330source file line,
331.I %S
332severity,
333.I %T
334timestamp,
335.I %C
336message class.
337.br
338.BI VersionString= string
339Set version string to include in file signature database
340(along with hostname and date).
341.br
342.BI SetReverseLookup= true|false
343If false, skip reverse lookups when connecting to a host known by name
344rather than IP address.
345.br
346.BI HideSetup= yes|no
347Don't log name of config/database files on startup.
348.br
349.BI SyslogFacility= facility
350Set the syslog facility to use. Default is LOG_AUTHPRIV.
351.br
352.BI MACType= HASH-TIGER|HMAC-TIGER
353Set type of message authentication code (HMAC).
354Must be identical on client and server.
355.br
356.BI SetLoopTime= val
357Defines the interval (in seconds) for timestamps.
358.br
359.BI SetConsole= device
360Set the console device (default /dev/console).
361.br
362.BI MessageQueueActive= 1|0
363Whether to use a SysV IPC message queue.
364.br
365.BI PreludeMapToInfo= list of severities
366The severities (see section
367.IR [Log] )
368that should be mapped to impact
369severity
370.I info
371in prelude.
372.br
373.BI PreludeMapToLow= list of severities
374The severities (see section
375.IR [Log] )
376that should be mapped to impact
377severity
378.I low
379in prelude.
380.br
381.BI PreludeMapToMedium= list of severities
382The severities (see section
383.IR [Log] )
384that should be mapped to impact
385severity
386.I medium
387in prelude.
388.br
389.BI PreludeMapToHigh= list of severities
390The severities (see section
391.IR [Log] )
392that should be mapped to impact
393severity
394.I high
395in prelude.
396.br
397.BI SetMailTime= val
398defines the maximum interval (in seconds) between succesive e\-mail reports.
399Mail might be empty if there are no events to report.
400.br
401.BI SetMailNum= val
402defines the maximum number of messages that are stored before e\-mailing them.
403Messages of highest priority are always sent immediately.
404.br
405.BI SetMailAddress= username @ host
406sets the recipient address for mailing.
407.I "No aliases should be used."
408For security, you should prefer a numerical host address.
409.br
410.BI SetMailRelay= server
411sets the hostname for the mail relay server (if you need one).
412If no relay server is given, mail is sent directly to the host given in the
413mail address, otherwise it is sent to the relay server, who should
414forward it to the given address.
415.br
416.BI SetMailSubject= val
417defines a custom format for the subject of an email message.
418.br
419.BI SetMailSender= val
420defines the sender for the 'From:' field of a message.
421.br
422.BI SetMailFilterAnd= list
423defines a list of strings all of which must match a message, otherwise
424it will not be mailed.
425.br
426.BI SetMailFilterOr= list
427defines a list of strings at least one of which must match a message, otherwise
428it will not be mailed.
429.br
430.BI SetMailFilterNot= list
431defines a list of strings none of which should match a message, otherwise
432it will not be mailed.
433.br
434.BI SamhainPath= /path/to/binary
435sets the path to the samhain binary. If set, samhain will checksum
436its own binary both on startup and termination, and compare both.
437.br
438.BI SetBindAddress= IP_address
439The IP address (i.e. interface on multi-interface box) to use
440for outgoing connections.
441.br
442.BI SetTimeServer= server
443sets the hostname for the time server.
444.br
445.BI TrustedUser= name|uid
446Add a user to the set of trusted users (root and the effective user
447are always trusted. You can add up to 7 more users).
448.br
449.BI SetLogfilePath= AUTO|/path
450Path to logfile (AUTO to tack hostname on compiled-in path).
451.br
452.BI SetLockfilePath= AUTO|/path
453Path to lockfile (AUTO to tack hostname on compiled-in path).
454.TP
455.B Standalone or client only
456.br
457.BI SetNiceLevel= -19..19
458Set scheduling priority during file check.
459.br
460.BI SetIOLimit= bps
461Set IO limits (kilobytes per second) for file check.
462.br
463.BI SetFilecheckTime= val
464Defines the interval (in seconds) between succesive file checks.
465.br
466.BI FileCheckScheduleOne= schedule
467Crontab-like schedule for file checks. If used,
468.I SetFilecheckTime
469is ignored.
470.br
471.BI UseHardlinkCheck= yes|no
472Compare number of hardlinks to number of subdirectories for directories.
473.br
474.BI HardlinkOffset= N:/path
475Exception (use multiple times for multiple
476exceptions). N is offset (actual - expected hardlinks) for /path.
477.br
478.BI AddOKChars= N1,N2,..
479List of additional acceptable characters (byte value(s)) for the check for
480weird filenames. Nn may be hex (leading '0x': 0xNN), octal
481(leading zero: 0NNN), or decimal.
482Use
483.I all
484for all.
485.br
486.br
487.BI IgnoreAdded= path_regex
488Ignore if this file/directory is added/created.
489.br
490.BI IgnoreMissing= path_regex
491Ignore if this file/directory is missing/deleted.
492.br
493.BI ReportOnlyOnce= yes|no
494Report only once on a modified file (default yes).
495.br
496.BI ReportFullDetail= yes|no
497Report in full detail on modified files (not only modified items).
498.br
499.BI UseLocalTime= yes|no
500Report file timestamps in local time rather than GMT (default no).
501Do not use this with Beltane.
502.br
503.BI ChecksumTest= {init|update|check|none}
504defines whether to initialize/update the database or verify files against it.
505If 'none', you should supply the required option on the command line.
506.br
507.BI SetPrelinkPath= path
508Path of the prelink executable (default /usr/sbin/prelink).
509.br
510.BI SetPrelinkChecksum= checksum
511TIGER192 checksum of the prelink executable (no default).
512.br
513.BI SetLogServer= server
514sets the hostname for the log server.
515.br
516.BI SetDatabasePath= AUTO|/path
517Path to database (AUTO to tack hostname on compiled-in path).
518.br
519.BI DigestAlgo= SHA1|MD5
520Use SHA1 or MD5 instead of the TIGER checksum (default: TIGER192).
521.br
522.BI RedefReadOnly= +/-XXX,+/-YYY,...
523Add or subtract tests XXX from the ReadOnly policy.
524Tests are: CHK (checksum), LNK (link),
525HLN (hardlink), INO (inode), USR (user), GRP (group), MTM (mtime),
526ATM (atime), CTM (ctime), SIZ (size), RDEV (device numbers)
527and/or MOD (file mode).
528.br
529.BI RedefAttributes= +/-XXX,+/-YYY,...
530Add or subtract tests XXX from the Attributes policy.
531.br
532.BI RedefLogFiles= +/-XXX,+/-YYY,...
533Add or subtract tests XXX from the LogFiles policy.
534.br
535.BI RedefGrowingLogFiles= +/-XXX,+/-YYY,...
536Add or subtract tests XXX from the GrowingLogFiles policy.
537.br
538.BI RedefIgnoreAll= +/-XXX,+/-YYY,...
539Add or subtract tests XXX from the IgnoreAll policy.
540.br
541.BI RedefIgnoreNone= +/-XXX,+/-YYY,...
542Add or subtract tests XXX from the IgnoreNone policy.
543.br
544.BI RedefUser0= +/-XXX,+/-YYY,...
545Add or subtract tests XXX from the User0 policy.
546.br
547.BI RedefUser1= +/-XXX,+/-YYY,...
548Add or subtract tests XXX from the User1 policy.
549.TP
550.B Server Only
551.br
552.BI SetUseSocket= yes|no
553If unset, do not open the command socket. The default is no.
554.br
555.BI SetSocketAllowUid= UID
556Which user can connect to the command socket. The default is 0 (root).
557.br
558.BI SetSocketPassword= password
559Password (max. 14 chars, no '@') for password-based authentication on the
560command socket (only if the OS does not support passing
561credentials via sockets).
562.br
563.BI SetChrootDir= path
564If set, chroot to this directory after startup.
565.br
566.BI SetStripDomain= yes|no
567Whether to strip the domain from the client hostname when
568logging client messages (default: yes).
569.br
570.BI SetClientFromAccept= true|false
571If true, use client address as known to the communication layer. Else
572(default) use client name as claimed by the client, try to verify against
573the address known to the communication layer, and accept
574(with a warning message) even if this fails.
575.br
576.BI UseClientSeverity= yes|no
577Use the severity of client messages.
578.br
579.BI UseClientClass= yes|no
580Use the class of client messages.
581.br
582.BI SetServerPort= number
583The port that the server should use for listening (default is 49777).
584.br
585.BI SetServerInterface= IPaddress
586The IP address (i.e. interface on multi-interface box) that the
587server should use for listening (default is all). Use INADDR_ANY to reset
588to all.
589.br
590.BI SeverityLookup= severity
591Severity of the message on client address != socket peer.
592.br
593.BI UseSeparateLogs= true|false
594If true, messages from different clients will be logged to separate
595log files (the name of the client will be appended to the name of the main
596log file to construct the logfile name).
597.br
598.BI SetClientTimeLimit= seconds
599The maximum time between client messages. If exceeded, a warning will
600be issued (the default is 86400 sec = 1 day).
601.br
602.BI SetUDPActive= yes|no
603yule 1.2.8+: Also listen on 514/udp (syslog).
604
605
606.TP
607.I "[Clients]"
608This section is only relevant if
609.B samhain
610is run as a log server for clients running on another (or the same) machine.
611.br
612.BI Client= hostname @ salt @ verifier
613registers a client at host
614.I hostname
615(fully qualified hostname required) for access to the
616log server.
617Log entries from unregistered clients will not be accepted.
618To generate a salt and a valid verifier, use the command
619.B "samhain -P"
620.IR "password" ,
621where
622.I password
623is the password of the client. A simple utility program
624.B samhain_setpwd
625is provided to re\-set the compiled\-in default password of the client
626executable to a user\-defined
627value.
628.TP
629.I "[EOF]"
630An optional end marker. Everything below is ignored.
631
632.SH SEE ALSO
633.PP
634.BR samhain (8)
635
636.SH AUTHOR
637.PP
638Rainer Wichmann (http://la\-samhna.de)
639
640.SH BUG REPORTS
641.PP
642If you find a bug in
643.BR samhain ,
644please send electronic mail to
645.IR support@la\-samhna.de .
646Please include your operating system and its revision, the version of
647.BR samhain ,
648what C compiler you used to compile it, your 'configure' options, and
649anything else you deem helpful.
650
651.SH COPYING PERMISSIONS
652.PP
653Copyright (\(co) 2000, 2004, 2005 Rainer Wichmann
654.PP
655Permission is granted to make and distribute verbatim copies of
656this manual page provided the copyright notice and this permission
657notice are preserved on all copies.
658.ig
659Permission is granted to process this file through troff and print the
660results, provided the printed document carries copying permission
661notice identical to this one except for the removal of this paragraph
662(this paragraph not being relevant to the printed manual page).
663..
664.PP
665Permission is granted to copy and distribute modified versions of this
666manual page under the conditions for verbatim copying, provided that
667the entire resulting derived work is distributed under the terms of a
668permission notice identical to this one.
669
Note: See TracBrowser for help on using the repository browser.