| SAMHAINRC(5) | samhainrc manual | SAMHAINRC(5) |
NAME
samhainrc - samhain(8) configuration file
WARNING
The information in this man page is not always up to date. The authoritative documentation is the user manual.
DESCRIPTION
The configuration file for samhain(8) is named samhainrc and located in /etc by default.
It contains several sections, indicated by headings in square brackets. Each section may hold zero or more key=value pairs. Blank lines and lines starting with '#' are comments. Everything before the first section and after an [EOF] is ignored. The file may be (clear text) signed by PGP/GnuPG, and samhain may invoke GnuPG to check the signature if compiled with support for it.
Conditional inclusion of entries for some host(s) is supported via any number of @hostname/@end directives. @hostname and @end must each be on separate lines. Lines in between will only be read if hostname (which may be a regular expression) matches the local host.
Likewise, conditional inclusion of entries based on system type is supported via any number of $sysname:release:machine/$end directives. sysname:release:machine can be inferred from uname -srm and may be a regular expression.
Filenames/directories to check may be wildcard patterns.
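As an added example (not part of samhain or of this manual page), the following Python function applies the parsing rules described above to a constructed configuration: '#' comments, [section] headings, @hostname/@end and $sysname:release:machine/$end conditionals, and the [EOF] marker. The host pattern, the paths, and the choice to require a full regular-expression match against the local host are assumptions made for the example.

```python
import re
import platform
import socket

# Constructed sample samhainrc for this example; host pattern and paths are made up.
SAMPLE_RC = """\
this text precedes the first section and is ignored
[ReadOnly]
file=/etc/passwd
# comment lines start with '#'
@www[0-9]+\\.example\\.com
dir=2/var/www
@end
$Linux:.*:x86_64
file=/etc/ld.so.preload
$end
[Misc]
Daemon=yes
[EOF]
file=/ignored/after/eof
"""

def parse_samhainrc(text, hostname=None, sysinfo=None):
    """Return {section: [(key, value), ...]} following the DESCRIPTION rules:
    '#' comments, [section] headings, @hostname/@end and $sysname:release:machine/$end
    blocks (regular expressions; a full match against the local host is assumed), [EOF]."""
    hostname = hostname or socket.getfqdn()
    if sysinfo is None:                         # sysname:release:machine, as 'uname -srm'
        u = platform.uname()
        sysinfo = f"{u.system}:{u.release}:{u.machine}"
    sections, current, include = {}, None, True
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                            # blank line or comment
        if line == "[EOF]":
            break                               # end marker: everything below is ignored
        if line in ("@end", "$end"):
            include = True                      # leave the conditional block
        elif line[0] == "@":
            include = re.fullmatch(line[1:], hostname) is not None
        elif line[0] == "$":
            include = re.fullmatch(line[1:], sysinfo) is not None
        elif not include:
            continue                            # inside a block for another host/system
        elif line[0] == "[" and line[-1] == "]":
            current = line[1:-1]                # new section heading
            sections.setdefault(current, [])
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current].append((key.strip(), value.strip()))
    return sections
```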
Options given on the command line will override those in the configuration file. Boolean options can be set with any of 1|true|yes or 0|false|no. The recognized sections in the configuration file are as follows:
- [ReadOnly]
- This section may contain file=PATH and dir=[depth]PATH entries for files and directories to check. All modifications except access times will be reported for these files. [depth] (use without brackets) is an optional parameter to define a per-directory recursion depth.
- [LogFiles]
- As above, but modifications of timestamps, file size, and signature will be ignored.
- [GrowingLogFiles]
- As above, but modifications of file size will only be ignored if the size has increased.
- [Attributes]
- As above, but only modifications of ownership and access permissions will be checked.
- [IgnoreAll]
- As above, but report no modifications for these files/directories. Access failures will still be reported.
- [IgnoreNone]
- As above, but report all modifications for these files/directories, including access time.
- [User0]
- [User1]
- [User2]
- [User3]
- [User4]
- These are reserved for user-defined policies.
- [Prelink]
- For prelinked executables / libraries or directories holding them.
- [Log]
- This section defines the filtering rules for logging. It may contain the following entries:
  MailSeverity=val where the threshold value val may be one of debug, info, notice, warn, mark, err, crit, alert, or none. By default, everything equal to and above the threshold will be logged. The specifiers *, !, and = are interpreted as 'all', 'all but', and 'only', respectively (like in the Linux version of syslogd(8)). Time stamps have the priority warn, system-level errors have the priority err, and important start-up messages the priority alert. The signature key for the log file will never be logged to syslog or the log file itself. For failures to verify file integrity, error levels are defined in the next section.
  PrintSeverity=val,
  LogSeverity=val,
  ExportSeverity=val,
  ExternalSeverity=val,
  PreludeSeverity=val,
  DatabaseSeverity=val, and
  SyslogSeverity=val set the thresholds for logging via stdout (or /dev/console), log file, TCP forwarding, calling external programs, and syslog(3).
- [EventSeverity]
- SeverityReadOnly=val,
  SeverityLogFiles=val,
  SeverityGrowingLogs=val,
  SeverityIgnoreNone=val,
  SeverityIgnoreAll=val,
  SeverityPrelink=val,
  SeverityUser0=val,
  SeverityUser1=val,
  SeverityUser2=val,
  SeverityUser3=val, and
  SeverityUser4=val define the error levels for failures to verify the integrity of files/directories of the respective types. I.e. if such a file shows unexpected modifications, an error of level val will be generated, and logged to all facilities with a threshold of at least val.
  SeverityFiles=val sets the error level for file access problems, and
  SeverityDirs=val for directory access problems.
  SeverityNames=val sets the error level for obscure file names (e.g. non-printable characters), and for files with invalid UIDs/GIDs.
- [External]
- OpenCommand=path Start the definition of an external logging program|script.
  SetType=log|srv Type/purpose of program (log for logging).
  SetCommandline=list Command line options.
  SetEnviron=KEY=val Environment for external program.
  SetChecksum=val Checksum of the external program (checked before invoking).
  SetCredentials=username User as who the program will run.
  SetFilterNot=list Words not allowed in message.
  SetFilterAnd=list Words required (ALL) in message.
  SetFilterOr=list Words required (at least one) in message.
  SetDeadtime=seconds Time between consecutive calls.
- [Utmp]
- Configuration for watching login/logout events.
  LoginCheckActive=0|1 Switch off/on login/logout reporting.
  LoginCheckInterval=val Interval (seconds) between checks for login/logout events.
  SeverityLogin=val,
  SeverityLoginMulti=val, and
  SeverityLogout=val Severity levels for logins, multiple logins by the same user, and logouts.
- [SuidCheck]
- Settings for finding SUID/SGID files on disk.
  SuidCheckActive=0|1 Switch off/on the check.
  SuidCheckExclude=path A directory (and its subdirectories) to exclude from the check. Only one directory can be specified this way.
  SuidCheckSchedule=schedule Crontab-like schedule for checks.
  SeveritySuidCheck=severity Severity for events.
  SuidCheckFps=fps Limit files per second for the SUID check.
  SuidCheckNosuid=0|1 Check filesystems mounted as nosuid. Defaults to not.
  SuidCheckQuarantineFiles=0|1 Whether to quarantine files. Defaults to not.
  SuidCheckQuarantineMethod=0|1|2 Quarantine method. Delete = 0, remove suid/sgid flags = 1, move to quarantine directory = 2. Defaults to 1 (remove suid/sgid flags).
- [Mounts]
- Configuration for checking mounts.
  MountCheckActive=0|1 Switch off/on this module.
  MountCheckInterval=seconds The interval between checks (default 300).
  SeverityMountMissing=severity Severity for reports on missing mounts.
  SeverityOptionMissing=severity Severity for reports on missing mount options.
  CheckMount=path [mount_options] Mount point to check. Mount options must be given as a comma-separated list, separated by a blank from the preceding mount point.
- [UserFiles]
- Configuration for checking paths relative to user home directories.
  UserFilesActive=0|1 Switch off/on this module.
  UserFilesName=filename policy Files to check for under each $HOME. Allowed values for 'policy' are: allignore, attributes, logfiles, loggrow, noignore (default), readonly, user0, user1, user2, user3, and user4.
  UserFilesCheckUids=uid_list A list of UIDs to check. The default is all. Ranges (e.g. 100-500) are allowed. If there is an open range (e.g. 1000-), it must be last in the list.
- [ProcessCheck]
- Settings for finding hidden/fake processes, and required processes, on the local host.
  ProcessCheckActive=0|1 Switch off/on the check.
  ProcessCheckInterval=seconds The interval between checks (default 300).
  SeverityProcessCheck=severity Severity for events (default crit).
  ProcessCheckMinPID=pid The minimum PID to check (default 0).
  ProcessCheckMaxPID=pid The maximum PID to check (default 32767).
  ProcessCheckPSPath=path The path to ps (autodetected at compile time).
  ProcessCheckPSArg=argument The argument to ps (autodetected at compile time). Must yield PID in first column.
  ProcessCheckExists=regular_expression Check for existence of a process matching the given regular expression.
- [PortCheck]
- Settings for checking open ports on the local host.
  PortCheckActive=0|1 Switch off/on the check.
  PortCheckInterval=seconds The interval between checks (default 300).
  PortCheckUDP=yes|no Whether to check UDP ports as well (default yes).
  SeverityPortCheck=severity Severity for events (default crit).
  PortCheckInterface=ip_address Additional interface to check.
  PortCheckOptional=ip_address:list Ports that may, but need not, be open. The ip_address is the one of the interface; the list must be comma or whitespace separated, and each item must be (port|service)/protocol, e.g. 22/tcp,nfs/tcp/nfs/udp.
  PortCheckRequired=ip_address:list Ports that are required to be open. The ip_address is the one of the interface; the list must be comma or whitespace separated, and each item must be (port|service)/protocol, e.g. 22/tcp,nfs/tcp/nfs/udp.
- [Database]
- Settings for logging to a database.
  SetDBHost=db_host Host where the DB server runs (default: localhost). Should be a numeric IP address for PostgreSQL.
  SetDBName=db_name Name of the database (default: samhain).
  SetDBTable=db_table Name of the database table (default: log).
  SetDBUser=db_user Connect as this user (default: samhain).
  SetDBPassword=db_password Use this password (default: none).
  SetDBServerTstamp=true|false Log server timestamp for client messages (default: true).
  UsePersistent=true|false Use a persistent connection (default: true).
- [Misc]
- Daemon=no|yes Detach from controlling terminal to become a daemon.
  MessageHeader=format Custom format for message header. Replacements: %F source file name, %L source file line, %S severity, %T timestamp, %C message class.
  VersionString=string Set version string to include in file signature database (along with hostname and date).
  SetReverseLookup=true|false If false, skip reverse lookups when connecting to a host known by name rather than IP address.
  HideSetup=yes|no Don't log name of config/database files on startup.
  SyslogFacility=facility Set the syslog facility to use. Default is LOG_AUTHPRIV.
  MACType=HASH-TIGER|HMAC-TIGER Set type of message authentication code (HMAC). Must be identical on client and server.
  StartupLoadDelay=val Defines the interval (in seconds) to wait after startup before loading the database from the server. Default is no wait.
  SetLoopTime=val Defines the interval (in seconds) for timestamps.
  SetConsole=device Set the console device (default /dev/console).
  MessageQueueActive=1|0 Whether to use a SysV IPC message queue.
  PreludeMapToInfo=list_of_severities The severities (see section [Log]) that should be mapped to impact severity info in prelude.
  PreludeMapToLow=list_of_severities The severities (see section [Log]) that should be mapped to impact severity low in prelude.
  PreludeMapToMedium=list_of_severities The severities (see section [Log]) that should be mapped to impact severity medium in prelude.
  PreludeMapToHigh=list_of_severities The severities (see section [Log]) that should be mapped to impact severity high in prelude.
  SetMailTime=val defines the maximum interval (in seconds) between successive e-mail reports. Mail might be empty if there are no events to report.
  SetMailNum=val defines the maximum number of messages that are stored before e-mailing them. Messages of highest priority are always sent immediately.
  SetMailAddress=username@host sets the recipient address for mailing. No aliases should be used. For security, you should prefer a numerical host address.
  SetMailRelay=server sets the hostname for the mail relay server (if you need one). If no relay server is given, mail is sent directly to the host given in the mail address; otherwise it is sent to the relay server, which should forward it to the given address.
  SetMailSubject=val defines a custom format for the subject of an email message.
  SetMailSender=val defines the sender for the 'From:' field of a message.
  SetMailFilterAnd=list defines a list of strings all of which must match a message, otherwise it will not be mailed.
  SetMailFilterOr=list defines a list of strings at least one of which must match a message, otherwise it will not be mailed.
  SetMailFilterNot=list defines a list of strings none of which should match a message, otherwise it will not be mailed.
  SamhainPath=/path/to/binary sets the path to the samhain binary. If set, samhain will checksum its own binary both on startup and termination, and compare both.
  SetBindAddress=IP_address The IP address (i.e. interface on multi-interface box) to use for outgoing connections.
  SetTimeServer=server sets the hostname for the time server.
  TrustedUser=name|uid Add a user to the set of trusted users (root and the effective user are always trusted. You can add up to 7 more users).
  SetLogfilePath=AUTO|/path Path to logfile (AUTO to tack hostname on compiled-in path).
  SetLockfilePath=AUTO|/path Path to lockfile (AUTO to tack hostname on compiled-in path).
- Standalone or client only
- SetNiceLevel=-19..19 Set scheduling priority during file check.
  SetIOLimit=bps Set IO limits (kilobytes per second) for file check.
  SetFilecheckTime=val Defines the interval (in seconds) between successive file checks.
  FileCheckScheduleOne=schedule Crontab-like schedule for file checks. If used, SetFilecheckTime is ignored.
  UseHardlinkCheck=yes|no Compare number of hardlinks to number of subdirectories for directories.
  HardlinkOffset=N:/path Exception (use multiple times for multiple exceptions). N is offset (actual - expected hardlinks) for /path.
  AddOKChars=N1,N2,.. List of additional acceptable characters (byte value(s)) for the check for weird filenames. Nn may be hex (leading '0x': 0xNN), octal (leading zero: 0NNN), or decimal. Use all for all.
  FilenamesAreUTF8=yes|no Whether filenames are UTF-8 encoded (defaults to no). If yes, filenames are checked for invalid UTF-8 encoding and for ending in invisible characters.
  IgnoreAdded=path_regex Ignore if this file/directory is added/created.
  IgnoreMissing=path_regex Ignore if this file/directory is missing/deleted.
  ReportOnlyOnce=yes|no Report only once on a modified file (default yes).
  ReportFullDetail=yes|no Report in full detail on modified files (not only modified items).
  UseLocalTime=yes|no Report file timestamps in local time rather than GMT (default no). Do not use this with Beltane.
  ChecksumTest={init|update|check|none} defines whether to initialize/update the database or verify files against it. If 'none', you should supply the required option on the command line.
  SetPrelinkPath=path Path of the prelink executable (default /usr/sbin/prelink).
  SetPrelinkChecksum=checksum TIGER192 checksum of the prelink executable (no default).
  SetLogServer=server sets the hostname for the log server.
  SetServerPort=portnumber sets the port on the server to connect to.
  SetDatabasePath=AUTO|/path Path to database (AUTO to tack hostname on compiled-in path).
  DigestAlgo=SHA1|MD5 Use SHA1 or MD5 instead of the TIGER checksum (default: TIGER192).
  RedefReadOnly=+/-XXX,+/-YYY,... Add or subtract tests XXX from the ReadOnly policy. Tests are: CHK (checksum), TXT (store literal content), LNK (link), HLN (hardlink), INO (inode), USR (user), GRP (group), MTM (mtime), ATM (atime), CTM (ctime), SIZ (size), RDEV (device numbers) and/or MOD (file mode).
  RedefAttributes=+/-XXX,+/-YYY,... Add or subtract tests XXX from the Attributes policy.
  RedefLogFiles=+/-XXX,+/-YYY,... Add or subtract tests XXX from the LogFiles policy.
  RedefGrowingLogFiles=+/-XXX,+/-YYY,... Add or subtract tests XXX from the GrowingLogFiles policy.
  RedefIgnoreAll=+/-XXX,+/-YYY,... Add or subtract tests XXX from the IgnoreAll policy.
  RedefIgnoreNone=+/-XXX,+/-YYY,... Add or subtract tests XXX from the IgnoreNone policy.
  RedefUser0=+/-XXX,+/-YYY,... Add or subtract tests XXX from the User0 policy.
  RedefUser1=+/-XXX,+/-YYY,... Add or subtract tests XXX from the User1 policy.
  RedefUser2=+/-XXX,+/-YYY,... Add or subtract tests XXX from the User2 policy.
  RedefUser3=+/-XXX,+/-YYY,... Add or subtract tests XXX from the User3 policy.
  RedefUser4=+/-XXX,+/-YYY,... Add or subtract tests XXX from the User4 policy.
- Server Only
- SetUseSocket=yes|no If unset, do not open the command socket. The default is no.
  SetSocketAllowUid=UID Which user can connect to the command socket. The default is 0 (root).
  SetSocketPassword=password Password (max. 14 chars, no '@') for password-based authentication on the command socket (only if the OS does not support passing credentials via sockets).
  SetChrootDir=path If set, chroot to this directory after startup.
  SetStripDomain=yes|no Whether to strip the domain from the client hostname when logging client messages (default: yes).
  SetClientFromAccept=true|false If true, use client address as known to the communication layer. Else (default) use client name as claimed by the client, try to verify against the address known to the communication layer, and accept (with a warning message) even if this fails.
  UseClientSeverity=yes|no Use the severity of client messages.
  UseClientClass=yes|no Use the class of client messages.
  SetServerPort=number The port that the server should use for listening (default is 49777).
  SetServerInterface=IPaddress The IP address (i.e. interface on multi-interface box) that the server should use for listening (default is all). Use INADDR_ANY to reset to all.
  SeverityLookup=severity Severity of the message on client address != socket peer.
  UseSeparateLogs=true|false If true, messages from different clients will be logged to separate log files (the name of the client will be appended to the name of the main log file to construct the logfile name).
  SetClientTimeLimit=seconds The maximum time between client messages. If exceeded, a warning will be issued (the default is 86400 sec = 1 day).
  SetUDPActive=yes|no yule 1.2.8+: Also listen on 514/udp (syslog).
- [Clients]
- This section is only relevant if samhain is run as a log server for clients running on another (or the same) machine.
  Client=hostname@salt@verifier registers a client at host hostname (fully qualified hostname required) for access to the log server. Log entries from unregistered clients will not be accepted. To generate a salt and a valid verifier, use the command samhain -P password, where password is the password of the client. A simple utility program samhain_setpwd is provided to re-set the compiled-in default password of the client executable to a user-defined value.
- [EOF]
- An optional end marker. Everything below is ignored.
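As an added example that is not part of samhain or of this manual page, the following Python code models how the [Log] thresholds (with the *, ! and = specifiers) and the [EventSeverity] levels together decide which facilities receive a report for an integrity failure. Reading '!val' as 'everything below val' follows syslogd(8) and is an assumption, and the settings in LOG and EVENTS are constructed, not samhain defaults.

```python
# Severity names in ascending order, as listed for MailSeverity under [Log].
LEVELS = ["debug", "info", "notice", "warn", "mark", "err", "crit", "alert"]

def parse_threshold(spec):
    """Translate one *Severity=val setting into the set of severities it admits.
    Plain 'val' admits val and everything above it; '=val' admits only val;
    '!val' admits everything below val ('all but val and above', the syslogd(8)
    reading assumed here); '*' admits all; 'none' admits nothing."""
    spec = spec.strip().lower()
    if spec == "*":
        return set(LEVELS)
    if spec == "none":
        return set()
    op = spec[:1] if spec[:1] in ("=", "!") else ""
    name = spec[len(op):]
    if name not in LEVELS:
        raise ValueError(f"unknown severity {name!r}")
    i = LEVELS.index(name)
    if op == "=":
        return {name}
    if op == "!":
        return set(LEVELS[:i])
    return set(LEVELS[i:])

def facilities_for(level, thresholds):
    """Facilities (keys of {facility: spec} from [Log]) whose threshold admits level."""
    return sorted(f for f, spec in thresholds.items() if level in parse_threshold(spec))

def route_event(policy, event_severity, log_thresholds):
    """An integrity failure under `policy` (e.g. 'ReadOnly') is raised at the
    level given by Severity<policy>=val in [EventSeverity]; return that level
    and the facilities whose [Log] threshold admits it."""
    level = event_severity[policy]
    return level, facilities_for(level, log_thresholds)

# Constructed settings for the example (not samhain defaults): facility -> threshold,
# and policy -> event level.
LOG = {"Mail": "crit", "Print": "*", "Log": "info", "Syslog": "=err", "Export": "!mark"}
EVENTS = {"ReadOnly": "crit", "LogFiles": "warn", "Attributes": "err"}
```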
SEE ALSO
AUTHOR
Rainer Wichmann (http://la-samhna.de)
BUG REPORTS
If you find a bug in samhain, please send electronic mail to support@la-samhna.de. Please include your operating system and its revision, the version of samhain, what C compiler you used to compile it, your 'configure' options, and anything else you deem helpful.
COPYING PERMISSIONS
Copyright (©) 2000, 2004, 2005 Rainer Wichmann
Permission is granted to make and distribute verbatim copies of this manual page provided the copyright notice and this permission notice are preserved on all copies.
Permission is granted to copy and distribute modified versions of this manual page under the conditions for verbatim copying, provided that the entire resulting derived work is distributed under the terms of a permission notice identical to this one.
| July 29, 2004 |