Provided by: samhain_2.2.3-6.2_i386 bug


       samhainrc - samhain(8) configuration file


       The  information  in  this  man  page  is  not  always up to date.  The
       authoritative documentation is the user manual.


       The configuration file for samhain(8) is named samhainrc and located in
       /etc by default.

       It contains several sections, indicated by headings in square brackets.
       Each section may hold zero or more key=value  pairs.  Blank  lines  and
       lines  starting  with  ’#’  are  comments.  Everything before the first
       section and after an [EOF] is ignored. The file  may  be  (clear  text)
       signed  by  PGP/GnuPG,  and  samhain  may  invoke  GnuPG  to  check the
       signature if compiled with support for it.

       Conditional inclusion of entries for some host(s) is supported via  any
       number  of  @hostname/@end directives.  @hostname and @end must each be
       on separate lines. Lines in between  will  only  be  read  if  hostname
       (which may be a regular expression) matches the local host.

       Likewise,  conditional  inclusion  of  entries  based on system type is
       supported via any number of $sysname:release:machine/$end directives.
       sysname:release:machine can be inferred from uname -srm and  may  be  a
       regular expression.

       Filenames/directories to check may be wildcard patterns.

       Options   given  on  the  command  line  will  override  those  in  the
       configuration file.  The recognized sections in the configuration  file
       are as follows:

       Boolean options can be set with any of 1|true|yes or 0|false|no.

              This section may contain
              file=PATH and
              dir=[depth]PATH  entries for files and directories to check. All
              modifications except access times will  be  reported  for  these
              files.   [depth] (use without brackets) is an optional parameter
              to define a per-directory recursion depth.

              As above,  but  modifications  of  timestamps,  file  size,  and
              signature will be ignored.

              As above, but modifications of file size will only be ignored if
              the size has increased.

              As  above,  but  only  modifications  of  ownership  and  access
              permissions will be checked.

              As    above,    but    report   no   modifications   for   these
              files/directories. Access failures will still be reported.

              As   above,   but   report   all   modifications    for    these
              files/directories, including access time.





              These are reserved for user-defined policies.

              For  prelinked  executables  /  libraries or directories holding

       [Log]  This section defines the filtering rules for  logging.   It  may
              contain the following entries:
              MailSeverity=val  where  the  threshold  value val may be one of
              debug, info, notice, warn, mark, err, crit, alert, or none.   By
              default,  everything  equal  to  and above the threshold will be
              logged.  The specifiers *, !, and = are  interpreted  as  ’all’,
              ’all  but’,  and ’only’, respectively (like in the Linux version
              of  syslogd(8)).   Time   stamps   have   the   priority   warn,
              system-level   errors  have  the  priority  err,  and  important
              start-up messages the priority alert.  The signature key for the
              log  file will never be logged to syslog or the log file itself.
              For failures to verify file integrity, error levels are  defined
              in the next section.
              DatabaseSeverity=val, and
              SyslogSeverity=val set the thresholds for logging via stdout (or
              /dev/console),  log  file,  TCP  forwarding,  calling   external
              programs, and syslog(3).

              SeverityUser3=val, and
              SeverityUser4=val define the error levels for failures to verify
              the integrity of files/directories of the respective types. I.e.
              if such a file shows unexpected modifications, an error of level
              val will be generated, and  logged  to  all  facilities  with  a
              threshold of at least val.
              SeverityFiles=val sets the error level for file access problems,
              SeverityDirs=val for directory access problems.
              SeverityNames=val sets the error level for  obscure  file  names
              (e.g.  non-printable  characters),  and  for  files with invalid

              OpenCommand=path Start the definition  of  an  external  logging
              SetType=log|srv Type/purpose of program (log for logging).
              SetCommandline=list Command line options.
              SetEnviron=KEY=val Environment for external program.
              SetChecksum=val Checksum of the external program (checked before
              SetCredentials=username User as who the program will run.
              SetFilterNot=list Words not allowed in message.
              SetFilterAnd=list Words required (ALL) in message.
              SetFilterOr=list Words required (at least one) in message.
              SetDeadtime=seconds Time between consecutive calls.

       [Utmp] Configuration for watching login/logout events.
              LoginCheckActive=0|1 Switch off/on login/logout reporting.
              LoginCheckInterval=val Interval  (seconds)  between  checks  for
              login/logout events.
              SeverityLogout=val  Severity  levels for logins, multiple logins
              by same user, and logouts.

              Configuration for detecting kernel rootkits.
              KernelCheckActive=0|1 Switch off/on checking of kernel  syscalls
              to detect kernel module rootkits.
              KernelCheckInterval=val Interval (seconds) between checks.
              SeverityKernel=val Severity level for clobbered kernel syscalls.
              KernelCheckIDT=0|1 Whether to check  the  interrrupt  descriptor
              KernelSystemCall=address   The   address  of  system_call  (grep
              system_call  Required after a kernel update.
              KernelProcRoot=address  The  address  of   proc_root   (grep   ’
              proc_root$’  Required after a kernel update.
              KernelProcRootIops=address         The         address        of
              proc_root_inode_operations   (grep    proc_root_inode_operations
      Required after a kernel update.
              KernelProcRootLookup=address  The  address  of  proc_root_lookup
              (grep proc_root_lookup   Required  after  a  kernel

              Settings for finding SUID/SGID files on disk.
              SuidCheckActive=0|1 Switch off/on the check.
                A directory (and its subdirectories)
                to exclude from the check. Only one directory can be specified
              this way.
              SuidCheckSchedule=schedule Crontab-like schedule for checks.
              SeveritySuidCheck=severity Severity for events.
              SuidCheckFps=fps Limit files per seconds for SUID check.

              Settings for logging to a database.
              SetDBHost=db_host  Host  where  the  DB  server  runs  (default:
              localhost).  Should be a numeric IP address for PostgreSQL.
              SetDBName=db_name Name of the database (default: samhain).
              SetDBTable=db_table Name of the database table (default: log).
              SetDBUser=db_user Connect as this user (default: samhain).
              SetDBPassword=db_password Use this password (default: none).
              SetDBServerTstamp=true|false  Log  server  timestamp  for client
              messages (default: true).
              UsePersistent=true|false Use a persistent  connection  (default:

       [Misc] Daemon=no|yes  Detach  from  controlling  terminal  to  become a
              MessageHeader=format   Costom   format   for   message   header.
              Replacements:  %F  source  file  name,  %L  source file line, %S
              severity, %T timestamp, %C message class.
              VersionString=string Set  version  string  to  include  in  file
              signature database (along with hostname and date).
              SetReverseLookup=true|false  If false, skip reverse lookups when
              connecting to a host known by name rather than IP address.
              HideSetup=yes|no Don’t log  name  of  config/database  files  on
              SyslogFacility=facility  Set the syslog facility to use. Default
              is LOG_AUTHPRIV.
              MACType=HASH-TIGER|HMAC-TIGER Set type of message authentication
              code (HMAC).  Must be identical on client and server.
              SetLoopTime=val   Defines   the   interval   (in   seconds)  for
              SetConsole=device Set the console device (default /dev/console).
              MessageQueueActive=1|0  Whether to use a SysV IPC message queue.
              PreludeMapToInfo=listofseverities The  severities  (see  section
              [Log]) that should be mapped to impact severity info in prelude.
              PreludeMapToLow=listofseverities  The  severities  (see  section
              [Log])  that should be mapped to impact severity low in prelude.
              PreludeMapToMedium=listofseverities The severities (see  section
              [Log])  that  should  be  mapped  to  impact  severity medium in
              PreludeMapToHigh=listofseverities The  severities  (see  section
              [Log]) that should be mapped to impact severity high in prelude.
              SetMailTime=val  defines  the  maximum  interval  (in   seconds)
              between  succesive e-mail reports.  Mail might be empty if there
              are no events to report.
              SetMailNum=val defines the maximum number of messages  that  are
              stored  before e-mailing them.  Messages of highest priority are
              always sent immediately.
              SetMailAddress=username@host  sets  the  recipient  address  for
              mailing.   No  aliases should be used.  For security, you should
              prefer a numerical host address.
              SetMailRelay=server sets the hostname for the mail relay  server
              (if  you  need  one).  If no relay server is given, mail is sent
              directly to the host given in the mail address, otherwise it  is
              sent  to  the  relay  server, who should forward it to the given
              SetMailSubject=val defines a custom format for the subject of an
              email message.
              SetMailSender=val  defines the sender for the ’From:’ field of a
              SetMailFilterAnd=list defines a list of  strings  all  of  which
              must match a message, otherwise it will not be mailed.
              SetMailFilterOr=list  defines  a list of strings at least one of
              which must match a message, otherwise it will not be mailed.
              SetMailFilterNot=list defines a list of strings  none  of  which
              should match a message, otherwise it will not be mailed.
              SamhainPath=/path/to/binary sets the path to the samhain binary.
              If set, samhain will checksum its own binary both on startup and
              termination, and compare both.
              SetBindAddress=IP_address  The  IP  address  (i.e.  interface on
              multi-interface box) to use for outgoing connections.
              SetTimeServer=server sets the hostname for the time server.
              TrustedUser=name|uid Add a user to  the  set  of  trusted  users
              (root  and the effective user are always trusted. You can add up
              to 7 more users).
              SetLogfilePath=AUTO|/path Path to logfile (AUTO to tack hostname
              on compiled-in path).
              SetLockfilePath=AUTO|/path   Path  to  lockfile  (AUTO  to  tack
              hostname on compiled-in path).

       Standalone or client only
              SetNiceLevel=-19..19 Set scheduling priority during file  check.
              SetIOLimit=bps  Set  IO  limits  (kilobytes per second) for file
              SetFilecheckTime=val Defines the interval (in  seconds)  between
              succesive file checks.
              FileCheckScheduleOne=schedule  Crontab-like  schedule  for  file
              checks. If used, SetFilecheckTime is ignored.
              UseHardlinkCheck=yes|no Compare number of hardlinks to number of
              subdirectories for directories.
              HardlinkOffset=N:/path   Exception   (use   multiple  times  for
              multiple exceptions). N is offset (actual - expected  hardlinks)
              for /path.
              AddOKChars=N1,N2,..   List  of  additional acceptable characters
              (byte value(s)) for the check for weird filenames. Nn may be hex
              (leading  ’0x’:  0xNN),  octal (leading zero: 0NNN), or decimal.
              Use all for all.
              IgnoreAdded=path_regex  Ignore   if   this   file/directory   is
              IgnoreMissing=path_regex   Ignore   if  this  file/directory  is
              ReportOnlyOnce=yes|no  Report  only  once  on  a  modified  file
              (default yes).
              ReportFullDetail=yes|no  Report in full detail on modified files
              (not only modified items).
              UseLocalTime=yes|no Report file timestamps in local time  rather
              than GMT (default no).  Do not use this with Beltane.
              ChecksumTest={init|update|check|none}    defines    whether   to
              initialize/update the database or verify files against  it.   If
              ’none’,  you  should  supply  the required option on the command
              SetPrelinkPath=path Path  of  the  prelink  executable  (default
              SetPrelinkChecksum=checksum  TIGER192  checksum  of  the prelink
              executable (no default).
              SetLogServer=server sets the hostname for the log server.
              SetServerPort=portnumber sets the port on the server to  connect
              SetDatabasePath=AUTO|/path   Path  to  database  (AUTO  to  tack
              hostname on compiled-in path).
              DigestAlgo=SHA1|MD5  Use  SHA1  or  MD5  instead  of  the  TIGER
              checksum (default: TIGER192).
              RedefReadOnly=+/-XXX,+/-YYY,...   Add or subtract tests XXX from
              the ReadOnly policy.  Tests are: CHK (checksum), LNK (link), HLN
              (hardlink),  INO  (inode), USR (user), GRP (group), MTM (mtime),
              ATM (atime), CTM (ctime),  SIZ  (size),  RDEV  (device  numbers)
              and/or MOD (file mode).
              RedefAttributes=+/-XXX,+/-YYY,...   Add  or  subtract  tests XXX
              from the Attributes policy.
              RedefLogFiles=+/-XXX,+/-YYY,...  Add or subtract tests XXX  from
              the LogFiles policy.
              RedefGrowingLogFiles=+/-XXX,+/-YYY,...   Add  or  subtract tests
              XXX from the GrowingLogFiles policy.
              RedefIgnoreAll=+/-XXX,+/-YYY,...  Add or subtract tests XXX from
              the IgnoreAll policy.
              RedefIgnoreNone=+/-XXX,+/-YYY,...   Add  or  subtract  tests XXX
              from the IgnoreNone policy.
              RedefUser0=+/-XXX,+/-YYY,...  Add or subtract tests XXX from the
              User0 policy.
              RedefUser1=+/-XXX,+/-YYY,...  Add or subtract tests XXX from the
              User1 policy.
              RedefUser2=+/-XXX,+/-YYY,...  Add or subtract tests XXX from the
              User2 policy.
              RedefUser3=+/-XXX,+/-YYY,...  Add or subtract tests XXX from the
              User3 policy.
              RedefUser4=+/-XXX,+/-YYY,...  Add or subtract tests XXX from the
              User4 policy.

       Server Only
              SetUseSocket=yes|no  If  unset,  do not open the command socket.
              The default is no.
              SetSocketAllowUid=UID Which user  can  connect  to  the  command
              socket. The default is 0 (root).
              SetSocketPassword=password  Password (max. 14 chars, no ’@’) for
              password-based authentication on the command socket (only if the
              OS does not support passing credentials via sockets).
              SetChrootDir=path   If  set,  chroot  to  this  directory  after
              SetStripDomain=yes|no Whether  to  strip  the  domain  from  the
              client hostname when logging client messages (default: yes).
              SetClientFromAccept=true|false  If  true,  use client address as
              known to the communication layer. Else (default) use client name
              as  claimed  by  the  client,  try to verify against the address
              known to the communication layer, and  accept  (with  a  warning
              message) even if this fails.
              UseClientSeverity=yes|no Use the severity of client messages.
              UseClientClass=yes|no Use the class of client messages.
              SetServerPort=number  The  port  that  the server should use for
              listening (default is 49777).
              SetServerInterface=IPaddress The IP address (i.e.  interface  on
              multi-interface  box)  that  the server should use for listening
              (default is all). Use INADDR_ANY to reset to all.
              SeverityLookup=severity  Severity  of  the  message  on   client
              address != socket peer.
              UseSeparateLogs=true|false  If  true,  messages  from  different
              clients will be logged to separate log files (the  name  of  the
              client  will  be  appended  to  the name of the main log file to
              construct the logfile name).
              SetClientTimeLimit=seconds  The  maximum  time  between   client
              messages.  If exceeded, a warning will be issued (the default is
              86400 sec = 1 day).
              SetUDPActive=yes|no  yule  1.2.8+:  Also   listen   on   514/udp

              This  section is only relevant if samhain is run as a log server
              for clients running on another (or the same) machine.
              Client=hostname@salt@verifier  registers  a   client   at   host
              hostname  (fully  qualified hostname required) for access to the
              log server.  Log entries from unregistered clients will  not  be
              accepted.   To  generate  a  salt  and a valid verifier, use the
              command samhain -P password, where password is the  password  of
              the  client. A simple utility program samhain_setpwd is provided
              to  re-set  the  compiled-in  default  password  of  the  client
              executable to a user-defined value.

       [EOF]  An optional end marker. Everything below is ignored.




       Rainer Wichmann (


       If  you  find  a  bug  in  samhain,  please  send  electronic  mail  to  Please include your  operating  system  and  its
       revision,  the  version of samhain, what C compiler you used to compile
       it, your ’configure’ options, and anything else you deem helpful.


       Copyright (©) 2000, 2004, 2005 Rainer Wichmann

       Permission is granted to make and distribute verbatim  copies  of  this
       manual  page  provided  the copyright notice and this permission notice
       are preserved on all copies.

       Permission is granted to copy and distribute modified versions of  this
       manual  page  under  the conditions for verbatim copying, provided that
       the entire resulting derived work is distributed under the terms  of  a
       permission notice identical to this one.

                                 Jul 29, 2004                     SAMHAINRC(5)