Provided by: samhain_2.0.10a-2_i386

NAME

       samhainrc - samhain(8) configuration file

WARNING

       The  information  in  this  man  page  is  not  always up to date.  The
       authoritative documentation is the user manual.

DESCRIPTION

       The configuration file for samhain(8) is named samhainrc and located in
       /etc by default.

       It contains several sections, indicated by headings in square brackets.
       Each section may hold zero or more key=value  pairs.  Blank  lines  and
       lines  starting  with  ’#’  are  comments.  Everything before the first
       section and after an [EOF] is ignored. The file  may  be  (clear  text)
       signed  by  PGP/GnuPG,  and  samhain  may  invoke  GnuPG  to  check the
       signature if compiled with support for it.

       Conditional inclusion of entries for some host(s) is supported via  any
       number  of  @hostname/@end directives.  @hostname and @end must each be
       on separate lines. Lines in between  will  only  be  read  if  hostname
       (which may be a regular expression) matches the local host.

       Likewise,  conditional  inclusion  of  entries  based on system type is
       supported via any number of $sysname:release:machine/$end directives.
       sysname:release:machine can be inferred from uname -srm and  may  be  a
       regular expression.

       Filenames/directories to check may be wildcard patterns.
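As an added illustration (not code from the samhain distribution), the following Python reads a configuration in the layout described above, honouring the comment rules, the @hostname/@end and $sysname:release:machine/$end conditionals, and the [EOF] marker. The sample configuration is constructed for this example; treating the conditionals as unanchored regular expressions (re.search) is an assumption of the example, not a statement about samhain's own matcher.

```python
import re

# Constructed sample configuration (not shipped with samhain) that exercises
# the rules above: text before the first section, comments, @hostname/@end,
# $sysname:release:machine/$end and an [EOF] marker.
SAMPLE_RC = """\
text before the first section is ignored
[ReadOnly]
file=/etc/passwd
dir=3/usr/bin
# a comment line
@webserver.*
file=/etc/httpd/httpd.conf
@end
$Linux:.*:x86_64
file=/boot/System.map
$end
[Misc]
Daemon=yes
[EOF]
file=/this/line/is/ignored
"""


def parse_samhainrc(text, hostname, uname_srm):
    """Return {section: [(key, value), ...]} for the entries that apply.

    hostname is the local host name and uname_srm the output of `uname -srm`
    written as sysname:release:machine.  Both conditionals are treated as
    regular expressions; matching them with re.search (unanchored) is an
    assumption of this example.
    """
    sections = {}
    current = None          # None until the first [section] heading
    include = [True]        # stack of active @/$ conditional decisions
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue                        # blank lines and comments
        if line == '[EOF]':
            break                           # everything below is ignored
        if line in ('@end', '$end'):
            if len(include) > 1:
                include.pop()
            continue
        if line[0] in '@$':                 # @hostname or $sys:rel:mach
            target = hostname if line[0] == '@' else uname_srm
            matched = re.search(line[1:], target) is not None
            include.append(include[-1] and matched)
            continue
        if not include[-1]:
            continue                        # inside a non-matching block
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            sections.setdefault(current, [])
            continue
        if current is None or '=' not in line:
            continue                        # text before the first section
        key, _, value = line.partition('=')
        sections[current].append((key.strip(), value.strip()))
    return sections


def split_dir_entry(value):
    """Split a dir=[depth]PATH value into (depth or None, path)."""
    m = re.match(r'(\d+)?(/.*)$', value)
    if m is None:
        raise ValueError('not a [depth]PATH value: %r' % value)
    return (int(m.group(1)) if m.group(1) else None), m.group(2)
```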

       Options   given  on  the  command  line  will  override  those  in  the
       configuration file.  Boolean options can be set with any of  1|true|yes
       or 0|false|no.  The recognized sections in the configuration  file  are
       as follows:

       [ReadOnly]
              This section may contain
              file=PATH and
              dir=[depth]PATH  entries for files and directories to check. All
              modifications except access times will  be  reported  for  these
              files.   [depth] (use without brackets) is an optional parameter
              to define a per-directory recursion depth.

       [LogFiles]
              As above,  but  modifications  of  timestamps,  file  size,  and
              signature will be ignored.

       [GrowingLogFiles]
              As above, but modifications of file size will only be ignored if
              the size has increased.

       [Attributes]
              As  above,  but  only  modifications  of  ownership  and  access
              permissions will be checked.

       [IgnoreAll]
              As    above,    but    report   no   modifications   for   these
              files/directories. Access failures will still be reported.

       [IgnoreNone]
              As   above,   but   report   all   modifications    for    these
              files/directories, including access time.

       [User0]

       [User1]
              These are reserved for user-defined policies.

       [Prelink]
              For  prelinked  executables  /  libraries or directories holding
              them.

       [Log]  This section defines the filtering rules for  logging.   It  may
              contain the following entries:
              MailSeverity=val  where  the  threshold  value val may be one of
              debug, info, notice, warn, mark, err, crit, alert, or none.   By
              default,  everything  equal  to  and above the threshold will be
              logged.  The specifiers *, !, and = are  interpreted  as  ’all’,
              ’all  but’,  and ’only’, respectively (like in the Linux version
              of  syslogd(8)).   Time   stamps   have   the   priority   warn,
              system-level   errors  have  the  priority  err,  and  important
              start-up messages the priority alert.  The signature key for the
              log  file will never be logged to syslog or the log file itself.
              For failures to verify file integrity, error levels are  defined
              in the next section.
              PrintSeverity=val,
              LogSeverity=val,
              ExportSeverity=val,
              ExternalSeverity=val,
              PreludeSeverity=val,
              DatabaseSeverity=val, and
              SyslogSeverity=val set the thresholds  for  logging  via  stdout
              (or  /dev/console),  the  log  file,  TCP forwarding to the log
              server, calling external programs, Prelude, a database, and
              syslog(3), respectively.

       [EventSeverity]
              SeverityReadOnly=val,
              SeverityLogFiles=val,
              SeverityGrowingLogs=val,
              SeverityIgnoreNone=val,
              SeverityIgnoreAll=val,
              SeverityPrelink=val,
              SeverityUser0=val, and
              SeverityUser1=val define the error levels for failures to verify
              the integrity of files/directories of the respective types. I.e.
              if such a file shows unexpected modifications, an error of level
              val will be generated, and logged to  every  facility  (see  the
              [Log] section) whose threshold is met by val, i.e. a  threshold
              equal to or below val.
              SeverityFiles=val sets the error level for file access problems,
              and
              SeverityDirs=val for directory access problems.
              SeverityNames=val sets the error level for  obscure  file  names
              (e.g.  non-printable  characters),  and  for  files with invalid
              UIDs/GIDs.
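As an added example (not from the samhain manual or source), the Python below models how a [Log] threshold and an [EventSeverity] level combine to decide which facilities receive an event. The configuration values are constructed; reading ’!val’ as ’everything below val’ follows the syslogd convention the page refers to and is an assumption of this example.

```python
# Severity levels in ascending order, as listed under [Log].
SEVERITIES = ['debug', 'info', 'notice', 'warn', 'mark', 'err', 'crit', 'alert']


def parse_threshold(spec):
    """Translate a [Log] threshold spec into the set of severities it admits.

    'val'  -> val and everything above it (the default)
    '*'    -> all severities
    '=val' -> only val
    '!val' -> everything below val (assumed syslogd-style 'all but')
    'none' -> nothing
    """
    spec = spec.strip().lower()
    if spec == '*':
        return set(SEVERITIES)
    if spec == 'none':
        return set()
    if spec.startswith('='):
        level = spec[1:]
        if level not in SEVERITIES:
            raise ValueError('unknown severity: %r' % level)
        return {level}
    if spec.startswith('!'):
        return set(SEVERITIES[:SEVERITIES.index(spec[1:])])
    return set(SEVERITIES[SEVERITIES.index(spec):])


def facilities_for_event(event_severity, log_section):
    """Return the sorted facilities (Mail, Log, Syslog, ...) that receive an
    event of the given severity, given the [Log] section as a dict."""
    out = []
    for key, spec in log_section.items():
        if key.endswith('Severity') and event_severity in parse_threshold(spec):
            out.append(key[:-len('Severity')])
    return sorted(out)


# Constructed [Log] and [EventSeverity] sections for the example.
LOG_SECTION = {
    'MailSeverity': 'crit',      # crit and alert are mailed
    'LogSeverity': 'warn',       # warn and above go to the log file
    'SyslogSeverity': '=alert',  # only alert reaches syslog
    'PrintSeverity': '!err',     # everything below err is printed
    'ExportSeverity': 'none',    # nothing is forwarded
}
EVENT_SEVERITY = {'SeverityReadOnly': 'crit', 'SeverityLogFiles': 'warn'}


def route(policy_key):
    """Facilities that receive an integrity failure for the given policy."""
    return facilities_for_event(EVENT_SEVERITY[policy_key], LOG_SECTION)
```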

       [External]
              OpenCommand=path Start the definition  of  an  external  logging
              program|script.
              SetType=log|srv Type/purpose of program (log for logging).
              SetCommandline=list Command line options.
              SetEnviron=KEY=val Environment for external program.
              SetChecksum=val Checksum of the external program (checked before
              invoking).
              SetCredentials=username User as who the program will run.
              SetFilterNot=list Words not allowed in message.
              SetFilterAnd=list Words required (ALL) in message.
              SetFilterOr=list Words required (at least one) in message.
              SetDeadtime=seconds Time between consecutive calls.

       [Utmp] Configuration for watching login/logout events.
              LoginCheckActive=0|1 Switch off/on login/logout reporting.
              LoginCheckInterval=val Interval  (seconds)  between  checks  for
              login/logout events.
              SeverityLogin=val
              SeverityLoginMulti=val
              SeverityLogout=val  Severity  levels for logins, multiple logins
              by same user, and logouts.

       [Kernel]
              Configuration for detecting kernel rootkits.
              KernelCheckActive=0|1 Switch off/on checking of kernel  syscalls
              to detect kernel module rootkits.
              KernelCheckInterval=val Interval (seconds) between checks.
              SeverityKernel=val Severity level for clobbered kernel syscalls.
              KernelCheckIDT=0|1 Whether to check  the  interrupt  descriptor
              table.
              KernelSystemCall=address   The   address  of  system_call  (grep
              system_call System.map).  Required after a kernel update.
              KernelProcRoot=address The address of proc_root (grep ’ proc_root$’
              System.map).  Required after a kernel update.
              KernelProcRootIops=address         The         address        of
              proc_root_inode_operations   (grep    proc_root_inode_operations
              System.map).  Required after a kernel update.
              KernelProcRootLookup=address  The  address  of  proc_root_lookup
              (grep proc_root_lookup System.map).   Required  after  a  kernel
              update.

       [SuidCheck]
              Settings for finding SUID/SGID files on disk.
              SuidCheckActive=0|1 Switch off/on the check.
              SuidCheckExclude=path A directory (and its  subdirectories)  to
              exclude from the check. Only one directory can be specified this
              way.
              SuidCheckSchedule=schedule Crontab-like schedule for checks.
              SeveritySuidCheck=severity Severity for events.
              SuidCheckFps=fps Limit files per seconds for SUID check.

       [Database]
              Settings for logging to a database.
              SetDBHost=db_host  Host  where  the  DB  server  runs  (default:
              localhost).  Should be a numeric IP address for PostgreSQL.
              SetDBName=db_name Name of the database (default: samhain).
              SetDBTable=db_table Name of the database table (default: log).
              SetDBUser=db_user Connect as this user (default: samhain).
              SetDBPassword=db_password Use this password (default: none).
              SetDBServerTstamp=true|false  Log  server  timestamp  for client
              messages (default: true).
              UsePersistent=true|false Use a persistent  connection  (default:
              true).

       [Misc] Daemon=no|yes  Detach  from  controlling  terminal  to  become a
              daemon.
              MessageHeader=format   Custom   format   for   message   header.
              Replacements:  %F  source  file  name,  %L  source file line, %S
              severity, %T timestamp, %C message class.
              VersionString=string Set  version  string  to  include  in  file
              signature database (along with hostname and date).
              SetReverseLookup=true|false  If false, skip reverse lookups when
              connecting to a host known by name rather than IP address.
              HideSetup=yes|no Don’t log  name  of  config/database  files  on
              startup.
              SyslogFacility=facility  Set the syslog facility to use. Default
              is LOG_AUTHPRIV.
              MACType=HASH-TIGER|HMAC-TIGER Set type of message authentication
              code (HMAC).  Must be identical on client and server.
              SetLoopTime=val   Defines   the   interval   (in   seconds)  for
              timestamps.
              SetConsole=device Set the console device (default /dev/console).
              MessageQueueActive=1|0  Whether to use a SysV IPC message queue.
              PreludeMapToInfo=listofseverities The  severities  (see  section
              [Log]) that should be mapped to impact severity info in prelude.
              PreludeMapToLow=listofseverities  The  severities  (see  section
              [Log])  that should be mapped to impact severity low in prelude.
              PreludeMapToMedium=listofseverities The severities (see  section
              [Log])  that  should  be  mapped  to  impact  severity medium in
              prelude.
              PreludeMapToHigh=listofseverities The  severities  (see  section
              [Log]) that should be mapped to impact severity high in prelude.
              SetMailTime=val  defines  the  maximum  interval  (in   seconds)
              between successive e-mail reports.  Mail might be empty if there
              are no events to report.
              SetMailNum=val defines the maximum number of messages  that  are
              stored  before e-mailing them.  Messages of highest priority are
              always sent immediately.
              SetMailAddress=username@host  sets  the  recipient  address  for
              mailing.   No  aliases should be used.  For security, you should
              prefer a numerical host address.
              SetMailRelay=server sets the hostname for the mail relay  server
              (if  you  need  one).  If no relay server is given, mail is sent
              directly to the host given in the mail address, otherwise it  is
              sent  to  the  relay  server, who should forward it to the given
              address.
              SetMailSubject=val defines a custom format for the subject of an
              email message.
              SetMailSender=val  defines the sender for the ’From:’ field of a
              message.
              SamhainPath=/path/to/binary sets the path to the samhain binary.
              If set, samhain will checksum its own binary both on startup and
              termination, and compare both.
              SetBindAddress=IP_address The  IP  address  (i.e.  interface  on
              multi-interface box) to use for outgoing connections.
              SetTimeServer=server sets the hostname for the time server.
              TrustedUser=name|uid  Add  a  user  to  the set of trusted users
              (root and the effective user are always trusted. You can add  up
              to 7 more users).
              SetLogfilePath=AUTO|/path Path to logfile (AUTO to tack hostname
              on compiled-in path).
              SetLockfilePath=AUTO|/path  Path  to  lockfile  (AUTO  to   tack
              hostname on compiled-in path).

       Standalone or client only
              SetNiceLevel=-19..19  Set scheduling priority during file check.
              SetIOLimit=bps Set IO limits (kilobytes  per  second)  for  file
              check.
              SetFilecheckTime=val  Defines  the interval (in seconds) between
              successive file checks.
              FileCheckScheduleOne=schedule  Crontab-like  schedule  for  file
              checks. If used, SetFilecheckTime is ignored.
              UseHardlinkCheck=yes|no Compare number of hardlinks to number of
              subdirectories for directories.
              HardlinkOffset=N:/path  Exception  (use   multiple   times   for
              multiple  exceptions). N is offset (actual - expected hardlinks)
              for /path.
              AddOKChars=N1,N2,..  List of  additional  acceptable  characters
              (byte value(s)) for the check for weird filenames. Nn may be hex
              (leading ’0x’: 0xNN), octal (leading zero:  0NNN),  or  decimal.
              Use all for all.
              IgnoreAdded=path_regex   Ignore   if   this   file/directory  is
              added/created.
              IgnoreMissing=path_regex  Ignore  if  this   file/directory   is
              missing/deleted.
              ReportOnlyOnce=yes|no  Report  only  once  on  a  modified  file
              (default yes).
              ReportFullDetail=yes|no Report in full detail on modified  files
              (not only modified items).
              UseLocalTime=yes|no  Report file timestamps in local time rather
              than GMT (default no).  Do not use this with Beltane.
              ChecksumTest={init|update|check|none}   defines    whether    to
              initialize/update  the  database or verify files against it.  If
              ’none’, you should supply the required  option  on  the  command
              line.
              SetPrelinkPath=path  Path  of  the  prelink  executable (default
              /usr/sbin/prelink).
              SetPrelinkChecksum=checksum TIGER192  checksum  of  the  prelink
              executable (no default).
              SetLogServer=server sets the hostname for the log server.
              SetDatabasePath=AUTO|/path   Path  to  database  (AUTO  to  tack
              hostname on compiled-in path).
              DigestAlgo=SHA1|MD5  Use  SHA1  or  MD5  instead  of  the  TIGER
              checksum (default: TIGER192).
              RedefReadOnly=+/-XXX,+/-YYY,...   Add or subtract tests XXX from
              the ReadOnly policy.  Tests are: CHK (checksum), LNK (link), HLN
              (hardlink),  INO  (inode), USR (user), GRP (group), MTM (mtime),
              ATM (atime), CTM (ctime),  SIZ  (size),  RDEV  (device  numbers)
              and/or MOD (file mode).
              RedefAttributes=+/-XXX,+/-YYY,...   Add  or  subtract  tests XXX
              from the Attributes policy.
              RedefLogFiles=+/-XXX,+/-YYY,...  Add or subtract tests XXX  from
              the LogFiles policy.
              RedefGrowingLogFiles=+/-XXX,+/-YYY,...   Add  or  subtract tests
              XXX from the GrowingLogFiles policy.
              RedefIgnoreAll=+/-XXX,+/-YYY,...  Add or subtract tests XXX from
              the IgnoreAll policy.
              RedefIgnoreNone=+/-XXX,+/-YYY,...   Add  or  subtract  tests XXX
              from the IgnoreNone policy.
              RedefUser0=+/-XXX,+/-YYY,...  Add or subtract tests XXX from the
              User0 policy.
              RedefUser1=+/-XXX,+/-YYY,...  Add or subtract tests XXX from the
              User1 policy.
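As an added example (not code from samhain), the Python below derives each policy's test set from the descriptions in this page, applies a Redef<Policy>=+/-XXX,... line to it, and decides which observed changes get reported, including the GrowingLogFiles rule that a size change is ignored only when the file grew. The base test sets are inferred from the prose and are an assumption of the example, as are the attribute dicts standing in for database and on-disk records.

```python
# Test names from the RedefReadOnly description.
ALL_TESTS = {'CHK', 'LNK', 'HLN', 'INO', 'USR', 'GRP',
             'MTM', 'ATM', 'CTM', 'SIZ', 'RDEV', 'MOD'}

# Base policies inferred from the section descriptions (assumption: the exact
# membership is read off the man page, not taken from samhain's source).
POLICIES = {
    'ReadOnly':        ALL_TESTS - {'ATM'},
    'LogFiles':        ALL_TESTS - {'ATM', 'MTM', 'CTM', 'SIZ', 'CHK'},
    'GrowingLogFiles': ALL_TESTS - {'ATM', 'MTM', 'CTM', 'CHK'},  # SIZ special
    'Attributes':      {'USR', 'GRP', 'MOD'},
    'IgnoreAll':       set(),
    'IgnoreNone':      set(ALL_TESTS),
}


def apply_redef(policy, spec):
    """Apply a Redef<Policy>=+/-XXX,+/-YYY,... value and return the new set."""
    tests = set(POLICIES[policy])
    for item in spec.split(','):
        item = item.strip().upper()
        if len(item) < 2 or item[0] not in '+-' or item[1:] not in ALL_TESTS:
            raise ValueError('bad redefinition item: %r' % item)
        if item[0] == '+':
            tests.add(item[1:])
        else:
            tests.discard(item[1:])
    return tests


def changed_tests(old, new):
    """Attributes that differ between two constructed attribute dicts
    (stand-ins for the database record and the file on disk)."""
    return {t for t in ALL_TESTS if old.get(t) != new.get(t)}


def reported_changes(policy, tests, old, new):
    """Changes the policy reports.  GrowingLogFiles ignores a size change
    only if the size increased; a shrinking log file is still reported."""
    diff = changed_tests(old, new) & tests
    if policy == 'GrowingLogFiles' and 'SIZ' in diff:
        if new.get('SIZ', 0) >= old.get('SIZ', 0):
            diff.discard('SIZ')
    return diff
```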

       Server Only
              SetUseSocket=yes|no If unset, do not open  the  command  socket.
              The default is no.
              SetSocketAllowUid=UID  Which  user  can  connect  to the command
              socket. The default is 0 (root).
              SetSocketPassword=password Password (max. 14 chars, no ’@’)  for
              password-based authentication on the command socket (only if the
              OS does not support passing credentials via sockets).
              SetChrootDir=path  If  set,  chroot  to  this  directory   after
              startup.
              SetStripDomain=yes|no  Whether  to  strip  the  domain  from the
              client hostname when logging client messages (default: yes).
              SetClientFromAccept=true|false If true, use  client  address  as
              known to the communication layer. Else (default) use client name
              as claimed by the client, try  to  verify  against  the  address
              known  to  the  communication  layer, and accept (with a warning
              message) even if this fails.
              UseClientSeverity=yes|no Use the severity of client messages.
              UseClientClass=yes|no Use the class of client messages.
              SetServerPort=number The port that the  server  should  use  for
              listening (default is 49777).
              SetServerInterface=IPaddress  The  IP address (i.e. interface on
              multi-interface box) that the server should  use  for  listening
              (default is all). Use INADDR_ANY to reset to all.
              SeverityLookup=severity   Severity  of  the  message  on  client
              address != socket peer.
              UseSeparateLogs=true|false  If  true,  messages  from  different
              clients  will  be  logged to separate log files (the name of the
              client will be appended to the name of  the  main  log  file  to
              construct the logfile name).
              SetClientTimeLimit=seconds   The  maximum  time  between  client
              messages. If exceeded, a warning will be issued (the default  is
              86400 sec = 1 day).
              SetUDPActive=yes|no   yule   1.2.8+:   Also  listen  on  514/udp
              (syslog).

       [Clients]
              This section is only relevant if samhain is run as a log  server
              for clients running on another (or the same) machine.
              Client=hostname@salt@verifier   registers   a   client  at  host
              hostname (fully qualified hostname required) for access  to  the
              log  server.   Log entries from unregistered clients will not be
              accepted.  To generate a salt and  a  valid  verifier,  use  the
              command  samhain  -P password, where password is the password of
              the client. A simple utility program samhain_setpwd is  provided
              to  re-set  the  compiled-in  default  password  of  the  client
              executable to a user-defined value.

       [EOF]  An optional end marker. Everything below is ignored.

SEE ALSO

       samhain(8)

AUTHOR

       Rainer Wichmann (http://la-samhna.de)

BUG REPORTS

       If  you  find  a  bug  in  samhain,  please  send  electronic  mail  to
       support@la-samhna.de.   Please  include  your  operating system and its
       revision, the version of samhain, what C compiler you used  to  compile
       it, your ’configure’ options, and anything else you deem helpful.

COPYING PERMISSIONS

       Copyright (©) 2000, 2004, 2005 Rainer Wichmann

       Permission  is  granted  to make and distribute verbatim copies of this
       manual page provided the copyright notice and  this  permission  notice
       are preserved on all copies.

       Permission  is granted to copy and distribute modified versions of this
       manual page under the conditions for verbatim  copying,  provided  that
       the  entire  resulting derived work is distributed under the terms of a
       permission notice identical to this one.

                                 Jul 29, 2004                     SAMHAINRC(5)