Index: trunk/man/samhain.8 =================================================================== --- trunk/man/samhain.8 (revision 591) +++ trunk/man/samhain.8 (revision 1) @@ -1,3 +1,3 @@ -.TH SAMHAIN 8 "26 June 2015" "" "Samhain manual" +.TH SAMHAIN 8 "07 August 2004" "" "Samhain manual" .SH NAME samhain \- check file integrity @@ -14,5 +14,5 @@ { .I \-t update|\-\-set\-checksum\-test=update -} [\-D | \-\-daemon | \-\-foreground] [\-\-forever] [\-r DEPTH|\-\-recursion=DEPTH] [log-options] +} [\-r DEPTH|\-\-recursion=DEPTH] [log-options] .B samhain @@ -21,16 +21,4 @@ } [\-D | \-\-daemon | \-\-foreground] [\-\-forever] [\-r DEPTH,\-\-recursion=DEPTH] [log-options] -.B samhain -[ \-p threshold ] { -.I \-\-verify\-database=database -} - -.B samhain -[ \-p threshold ] { -.I \-\-create\-database=file\-list -} - - - .SS "LISTING THE DATABASE" .PP @@ -39,6 +27,4 @@ [\-a | \-\-full\-detail] [\-\-delimited] -[\-\-binary] -[\-\-list\-filter=file] \-d .IR file | @@ -64,7 +50,4 @@ .B samhain -.RI \-\-server\-port= portnumber - -.B samhain \-H .I string @@ -74,7 +57,4 @@ .B samhain \-c | \-\-copyright - -.B samhain -\-v | \-\-version .B samhain @@ -215,27 +195,4 @@ [\-r DEPTH|\-\-recursion=DEPTH] Set the (global) recursion depth. -.TP -[\-D|\-\-daemon] -Run as daemon. File checks are performed as specified by the timing -options in the configuration file. Updates are saved after each file check. -.TP -[\-\-foreground] -Run in the foreground. This will cause samhain to exit after the update, -unless the option -.I "\-\-forever" -is used. -.TP -[\-\-forever] -If not running as daemon, do not exit after finishing the update, but -loop forever, and perform checks with corresponding database updates -according to the timing options in the -configuration file. -.TP -[\-i|\-\-interactive] -Run update in interactive mode. -.TP -[\-\-listfile=PATH] -Run the update with a list of 'good' filepaths given in file (one path per line). - .PP @@ -266,31 +223,4 @@ configuration file. -.PP -.B samhain -[ \-p\ threshold ] -.I "\-\-verify\-database=database" - -Check the filesystem against the database given as argument, -and exit with an appropriate exit status. The configuration file -will -.B not -be read. - -.PP -.B samhain -[ \-p\ threshold ] -.I "\-\-create\-database=file\-list" - -Initialize a database from the given file list. -The configuration file -will -.B not -be read. The policy used will be -.I ReadOnly. -File content will be stored for a file -if its path in the list is preceded with a -.B + -sign. - .SS "OPTIONS FOR LISTING THE DATABASE" .PP @@ -310,24 +240,8 @@ [\-a | \-\-full\-detail] List all informations for each file, not only those you would get -with ls \-l. Must precede the \-d option. +with ls \-l. .TP [\-\-delimited] List all informations for each file, in a comma-separated format. -Must precede the \-d option. -.TP -[\-\-binary] -List data in the binary format of the database, thus writing another -database. -Must precede the \-d option. -.TP -.RI [\-\-list\-filter= file ] -Filter the output of the database listing by a list of files given -in a text file. Together with \-\-binary this allows to write a -partial database. Must precede the \-d option. -.TP -.RI [\-\-list\-file= file ] -List the literal content of the given file as stored in the database. -Content is not stored by default, must be enabled in the runtime -configuration file. Must precede the \-d option. .SS "OPTIONS TO VERIFY AN AUDIT TRAIL" @@ -372,9 +286,4 @@ .B samhain -.RI \-\-server\-port= portnumber - -Choose the port on the server host to which the client will connect. - -.B samhain \-H .I string @@ -392,12 +301,7 @@ .B samhain -\-v | \-\-version - -Show version and compiled-in options. - -.B samhain \-h | \-\-help -Print supported command line options (depending on compilation options). +Print supported options (depending on compilation options). .B samhain Index: trunk/man/samhainrc.5 =================================================================== --- trunk/man/samhainrc.5 (revision 591) +++ trunk/man/samhainrc.5 (revision 1) @@ -96,10 +96,4 @@ .TP .I "[User1]" -.TP -.I "[User2]" -.TP -.I "[User3]" -.TP -.I "[User4]" These are reserved for user-defined policies. .TP @@ -178,13 +172,7 @@ .br .BI SeverityUser0= val, -.br -.BI SeverityUser1= val, -.br -.BI SeverityUser2= val, -.br -.BI SeverityUser3= val, and .br -.BI SeverityUser4= val +.BI SeverityUser1= val define the error levels for failures to verify the integrity of files/directories of the respective types. I.e. if such a file shows @@ -253,4 +241,36 @@ by same user, and logouts. .TP +.I "[Kernel]" +Configuration for detecting kernel rootkits. +.br +.BI KernelCheckActive= 0|1 +Switch off/on checking of kernel syscalls to detect kernel module rootkits. +.br +.BI KernelCheckInterval= val +Interval (seconds) between checks. +.br +.BI SeverityKernel= val +Severity level for clobbered kernel syscalls. +.br +.BI KernelCheckIDT= 0|1 +Whether to check the interrrupt descriptor table. +.br +.BI KernelSystemCall= address +The address of system_call (grep system_call System.map). +Required after a kernel update. +.br +.BI KernelProcRoot= address +The address of proc_root (grep ' proc_root$' System.map). +Required after a kernel update. +.br +.BI KernelProcRootIops= address +The address of proc_root_inode_operations +(grep proc_root_inode_operations System.map). +Required after a kernel update. +.br +.BI KernelProcRootLookup= address +The address of proc_root_lookup (grep proc_root_lookup System.map). +Required after a kernel update. +.TP .I "[SuidCheck]" Settings for finding SUID/SGID files on disk. @@ -271,112 +291,4 @@ .BI SuidCheckFps= fps Limit files per seconds for SUID check. -.br -.BI SuidCheckNosuid= 0|1 -Check filesystems mounted as nosuid. Defaults to not. -.br -.BI SuidCheckQuarantineFiles= 0|1 -Whether to quarantine files. Defaults to not. -.br -.BI SuidCheckQuarantineMethod= 0|1|2 -Quarantine method. Delete = 1, remove suid/sgid flags = 1, move to quarantine directory = 2. Defaults to 1 (remove suid/sgid flags). -.br -.BI -.TP -.I "[Mounts]" -Configuration for checking mounts. -.br -.BI MountCheckActive= 0|1 -Switch off/on this module. -.br -.BI MountCheckInterval= seconds - The interval between checks (default 300). -.br -.BI SeverityMountMissing= severity -Severity for reports on missing mounts. -.br -.BI SeverityOptionMissing= severity -Severity for reports on missing mount options. -.br -.BI CheckMount= path -[mount_options] -.br -Mount point to check. Mount options must be given as -comma-separated list, separated by a blank from the preceding mount point. -.TP -.I "[UserFiles]" -Configuration for checking paths relative to user home directories. -.br -.BI UserFilesActive= 0|1 -Switch off/on this module. -.br -.BI UserFilesName= filename -policy -.br -Files to check for under each $HOME. Allowed values for 'policy' -are: allignore, attributes, logfiles, loggrow, noignore (default), -readonly, user0, user1, user2, user3, and user4. -.br -.BI UserFilesCheckUids= uid_list -A list of UIDs where we want to check. The default -is all. Ranges (e.g. 100-500) are allowed. If there is an open range (e.g. -1000-), it must be last in the list. -.TP -.I "[ProcessCheck]" -Settings for finding hidden/fake,required processes on the local host. -.br -.BI ProcessCheckActive= 0|1 -Switch off/on the check. -.br -.BI ProcessCheckInterval= seconds - The interval between checks (default 300). -.br -.BI SeverityProcessCheck= severity -Severity for events (default crit). -.br -.BI ProcessCheckMinPID= pid -The minimum PID to check (default 0). -.br -.BI ProcessCheckMaxPID= pid -The maximum PID to check (default 32767). -.br -.BI ProcessCheckPSPath= path -The path to ps (autodetected at compile time). -.br -.BI ProcessCheckPSArg= argument -The argument to ps (autodetected at compile time). -Must yield PID in first column. -.br -.BI ProcessCheckExists= regular_expression -Check for existence of a process matching the given regular expression. -.TP -.I "[PortCheck]" -Settings for checking open ports on the local host. -.br -.BI PortCheckActive= 0|1 -Switch off/on the check. -.br -.BI PortCheckInterval= seconds - The interval between checks (default 300). -.br -.BI PortCheckUDP= yes|no -Whether to check UPD ports as well (default yes). -.br -.BI SeverityPortCheck= severity -Severity for events (default crit). -.br -.BI PortCheckInterface= ip_address -Additional interface to check. -.br -.BI PortCheckOptional= ip_address:list -Ports that may, but need not be open. The ip_address is the one -of the interface, the list must be -comma or whitespace separated, each item must be (port|service)/protocol, -e.g. 22/tcp,nfs/tcp/nfs/udp. -.br -.BI PortCheckRequired= ip_address:list -Ports that are required to be open. The ip_address is the one -of the interface, the list must be -comma or whitespace separated, each item must be (port|service)/protocol, -e.g. 22/tcp,nfs/tcp/nfs/udp. .TP .I "[Database]" @@ -442,8 +354,4 @@ Must be identical on client and server. .br -.BI StartupLoadDelay= val -Defines the interval (in seconds) to wait after startup before -loading the databse from the server. Default is no wait. -.br .BI SetLoopTime= val Defines the interval (in seconds) for timestamps. @@ -576,7 +484,4 @@ for all. .br -.BI FilenamesAreUTF8= yes|no -Whether filenames are UTF-8 encoded (defaults to no). If yes, filenames -are checked for invalid UTF-8 encoding and for ending in invisible characters. .br .BI IgnoreAdded= path_regex @@ -609,7 +514,4 @@ sets the hostname for the log server. .br -.BI SetServerPort= portnumber -sets the port on the server to connect to. -.br .BI SetDatabasePath= AUTO|/path Path to database (AUTO to tack hostname on compiled-in path). @@ -620,5 +522,5 @@ .BI RedefReadOnly= +/-XXX,+/-YYY,... Add or subtract tests XXX from the ReadOnly policy. -Tests are: CHK (checksum), TXT (store literal content), LNK (link), +Tests are: CHK (checksum), LNK (link), HLN (hardlink), INO (inode), USR (user), GRP (group), MTM (mtime), ATM (atime), CTM (ctime), SIZ (size), RDEV (device numbers) @@ -645,13 +547,4 @@ .BI RedefUser1= +/-XXX,+/-YYY,... Add or subtract tests XXX from the User1 policy. -.br -.BI RedefUser2= +/-XXX,+/-YYY,... -Add or subtract tests XXX from the User2 policy. -.br -.BI RedefUser3= +/-XXX,+/-YYY,... -Add or subtract tests XXX from the User3 policy. -.br -.BI RedefUser4= +/-XXX,+/-YYY,... -Add or subtract tests XXX from the User4 policy. .TP .B Server Only