bionic (5) samhainrc.5.gz

Provided by: samhain_4.1.4-2build1_amd64

NAME

       samhainrc - samhain(8) configuration file

WARNING

       The  information  in this man page is not always up to date.  The authoritative documentation is the user
       manual.

DESCRIPTION

       The configuration file for samhain(8) is named samhainrc and located in /etc by default.

       It contains several sections, indicated by headings in square brackets.  Each section may  hold  zero  or
       more  key=value pairs. Blank lines and lines starting with '#' are comments.  Everything before the first
       section and after an [EOF] is ignored. The file may be (clear text) signed by PGP/GnuPG, and samhain  may
       invoke GnuPG to check the signature if compiled with support for it.

       Conditional  inclusion  of  entries  for  some  host(s)  is  supported  via  any number of @hostname/@end
       directives.  @hostname and @end must each be on separate lines. Lines in between will  only  be  read  if
       hostname (which may be a regular expression) matches the local host.

       Likewise,  conditional  inclusion  of  entries  based  on  system  type  is  supported  via any number of
       $sysname:release:machine/$end directives.
       sysname:release:machine can be inferred from uname -srm and may be a regular expression.

       Filenames/directories to check may be wildcard patterns.
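       As an added illustration (not part of this man page or of samhain itself), the following Python reader
       applies the rules above to a constructed samhainrc: comments, text before the first section, the [EOF]
       marker, @hostname/@end and $sysname:release:machine/$end blocks matched as regular expressions, and the
       dir=[depth]PATH form used by the policy sections. The sample hostnames and paths, the choice of
       whole-string matching for the patterns, and the treatment of a non-matching block as hiding everything up
       to its end marker are assumptions.

```python
import re

# Constructed sample samhainrc (not taken from the man page or from samhain);
# the hostname regex, paths and sections are illustrative only.
SAMPLE_RC = r"""
key=before the first section, so ignored

[ReadOnly]
dir=3/etc
file=/etc/passwd

# only on hosts whose name matches the regular expression
@web[0-9]+\.example\.org
dir=2/var/www
@end

[LogFiles]
file=/var/log/auth.log

# only where 'uname -srm' (joined with ':') matches the regular expression
$Linux:.*:x86_64
file=/lib64/ld-linux-x86-64.so.2
$end

[Misc]
Daemon=yes

[EOF]
[ReadOnly]
file=/never/read
"""


def parse_samhainrc(text, hostname, uname_srm):
    """Return {section: [(key, value), ...]} for the lines that apply to this host.

    Assumptions (the man page does not spell these out): the @host and $sys
    patterns must match the whole hostname / 'sysname:release:machine' string,
    and a non-matching block hides everything up to its @end/$end, including
    any section headings inside it.
    """
    sections = {}
    current = None       # no section yet: lines are ignored
    active = [True]      # stack of conditional-block states (allows nesting)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                                   # comment / blank
        if line in ("@end", "$end"):
            if len(active) > 1:
                active.pop()
            continue
        if line.startswith("@"):                       # @hostname
            active.append(active[-1] and re.fullmatch(line[1:], hostname) is not None)
            continue
        if line.startswith("$"):                       # $sysname:release:machine
            active.append(active[-1] and re.fullmatch(line[1:], uname_srm) is not None)
            continue
        if not active[-1]:
            continue                                   # inside a block for another host
        if line == "[EOF]":
            break                                      # everything after is ignored
        heading = re.fullmatch(r"\[(\w+)\]", line)
        if heading:
            current = heading.group(1)
            sections.setdefault(current, [])
            continue
        if current is None:
            continue                                   # before the first section
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"not a key=value line: {raw!r}")
        sections[current].append((key.strip(), value.strip()))
    return sections


def dir_entries(sections, policy):
    """Split dir=[depth]PATH values of one policy section into (depth, path) pairs."""
    out = []
    for key, value in sections.get(policy, []):
        if key != "dir":
            continue
        m = re.fullmatch(r"(\d+)?(/.*)", value)
        if not m:
            raise ValueError(f"bad dir entry: {value!r}")
        out.append((int(m.group(1)) if m.group(1) else None, m.group(2)))
    return out


if __name__ == "__main__":
    rc = parse_samhainrc(SAMPLE_RC, "web07.example.org", "Linux:5.15.0:x86_64")
    for name, entries in rc.items():
        print(f"[{name}]")
        for key, value in entries:
            print(f"  {key}={value}")
```

       Run against the sample with a web host name, the @-block and the $-block both contribute; with a
       database host on OpenBSD, neither does, and the trailing [ReadOnly] after [EOF] is dropped in both cases.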

       Options given on the command line will override those in the configuration file.  Boolean options can be
       set with any of 1|true|yes or 0|false|no.

       The recognized sections in the configuration file are as follows:

       [ReadOnly]
              This section may contain
              file=PATH and
              dir=[depth]PATH  entries for files and directories to check. All modifications except access times
              will be reported for these files.  [depth] (use without brackets)  is  an  optional  parameter  to
              define a per-directory recursion depth.

       [LogFiles]
              As above, but modifications of timestamps, file size, and signature will be ignored.

       [GrowingLogFiles]
              As above, but modifications of file size will only be ignored if the size has increased.

       [Attributes]
              As above, but only modifications of ownership and access permissions will be checked.

       [IgnoreAll]
              As  above,  but report no modifications for these files/directories. Access failures will still be
              reported.

       [IgnoreNone]
              As above, but report all modifications for these files/directories, including access time.

       [User0]

       [User1]

       [User2]

       [User3]

       [User4]
              These are reserved for user-defined policies.

       [Prelink]
              For prelinked executables / libraries or directories holding them.

       [Log]  This section defines the filtering rules for logging.  It may contain the following entries:
              MailSeverity=val where the threshold value val may be one of debug, info, notice, warn, mark, err,
              crit,  alert,  or  none.   By default, everything equal to and above the threshold will be logged.
              The specifiers *, !, and = are interpreted as 'all', 'all but', and 'only', respectively (like  in
              the  Linux  version  of syslogd(8)).  Time stamps have the priority warn, system-level errors have
              the priority err, and important start-up messages the priority alert.  The signature key  for  the
              log  file  will  never  be  logged  to syslog or the log file itself.  For failures to verify file
              integrity, error levels are defined in the next section.
              PrintSeverity=val,
              LogSeverity=val,
              ExportSeverity=val,
              ExternalSeverity=val,
              PreludeSeverity=val,
              DatabaseSeverity=val, and
              SyslogSeverity=val set the thresholds for logging via stdout (or /dev/console), the log  file,  TCP
              forwarding to the log server, external programs, Prelude, a database, and syslog(3), respectively.

       [EventSeverity]
              SeverityReadOnly=val,
              SeverityLogFiles=val,
              SeverityGrowingLogs=val,
              SeverityIgnoreNone=val,
              SeverityIgnoreAll=val,
              SeverityPrelink=val,
              SeverityUser0=val,
              SeverityUser1=val,
              SeverityUser2=val,
              SeverityUser3=val, and
              SeverityUser4=val   define   the   error   levels   for   failures  to  verify  the  integrity  of
              files/directories of the respective types. That is, if such a file shows unexpected modifications,
              an error of level val will be generated and logged to every facility whose  threshold  (see  [Log])
              is val or lower.
              SeverityFiles=val sets the error level for file access problems, and
              SeverityDirs=val for directory access problems.
              SeverityNames=val sets the error level for obscure file names (e.g. non-printable characters), and
              for files with invalid UIDs/GIDs.
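       An added worked example (Python, not from the man page or from samhain) of how the [Log] thresholds and
       the [EventSeverity] levels combine: each facility's threshold is turned into a predicate over the ordered
       severity names, including the *, ! and = specifiers, and an event of a given class is delivered to every
       facility whose predicate accepts its level. The [Log] and [EventSeverity] values are constructed, and the
       reading of '!' as syslogd's "drop this level and everything above it" is an assumption.

```python
# Severity names in ascending order, as listed for MailSeverity above.
LEVELS = ["debug", "info", "notice", "warn", "mark", "err", "crit", "alert"]

# Which logging facility each [Log] key controls.
FACILITY = {
    "PrintSeverity": "console",
    "LogSeverity": "logfile",
    "ExportSeverity": "logserver",
    "ExternalSeverity": "external",
    "PreludeSeverity": "prelude",
    "DatabaseSeverity": "database",
    "SyslogSeverity": "syslog",
    "MailSeverity": "mail",
}

# Constructed [Log] and [EventSeverity] sections (example values, not defaults).
LOG_SECTION = {
    "PrintSeverity": "*",        # everything to stdout/console
    "LogSeverity": "warn",       # warn and above to the log file
    "MailSeverity": "crit",      # only crit and alert by mail
    "SyslogSeverity": "=alert",  # exactly alert, nothing else, to syslog
    "ExportSeverity": "!err",    # 'all but': below err only (syslogd semantics, assumed)
    "ExternalSeverity": "none",
    "PreludeSeverity": "none",
    "DatabaseSeverity": "none",
}
EVENT_SEVERITY = {
    "SeverityReadOnly": "crit",
    "SeverityLogFiles": "warn",
    "SeverityFiles": "err",
}


def threshold_predicate(spec):
    """Turn one severity spec ('crit', '*', '!err', '=alert', 'none') into a test on a level name."""
    spec = spec.strip().lower()
    if spec == "none":
        return lambda level: False
    if spec == "*":
        return lambda level: True
    mode, name = (spec[0], spec[1:]) if spec[0] in "!=" else ("", spec)
    if name not in LEVELS:
        raise ValueError(f"unknown severity {name!r}")
    idx = LEVELS.index(name)
    if mode == "=":
        return lambda level: LEVELS.index(level) == idx
    if mode == "!":
        # like syslogd's '!': ignore this priority and everything above it
        return lambda level: LEVELS.index(level) < idx
    return lambda level: LEVELS.index(level) >= idx       # default: level and above


def facilities_for(event_key, event_severity=EVENT_SEVERITY, log_section=LOG_SECTION):
    """Facilities that receive an event of the class given by an [EventSeverity] key."""
    level = event_severity[event_key].lower()
    if level not in LEVELS:
        raise ValueError(f"{event_key}: {level!r} is not a severity")
    return sorted(FACILITY[key] for key, spec in log_section.items()
                  if threshold_predicate(spec)(level))


if __name__ == "__main__":
    for key in EVENT_SEVERITY:
        print(f"{key}={EVENT_SEVERITY[key]:<5} -> {', '.join(facilities_for(key))}")
```

       With these values a ReadOnly violation (crit) reaches the console, the log file and mail but not syslog,
       while a LogFiles violation (warn) is forwarded to the log server instead of being mailed.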

       [External]
              OpenCommand=path Start the definition of an external logging program|script.
              SetType=log|srv Type/purpose of program (log for logging).
              SetCommandline=list Command line options.
              SetEnviron=KEY=val Environment for external program.
              SetChecksum=val Checksum of the external program (checked before invoking).
              SetCredentials=username User as who the program will run.
              SetFilterNot=list Words not allowed in message.
              SetFilterAnd=list Words required (ALL) in message.
              SetFilterOr=list Words required (at least one) in message.
              SetDeadtime=seconds Time between consecutive calls.

       [Utmp] Configuration for watching login/logout events.
              LoginCheckActive=0|1 Switch off/on login/logout reporting.
              LoginCheckInterval=val Interval (seconds) between checks for login/logout events.
              SeverityLogin=val
              SeverityLoginMulti=val
              SeverityLogout=val Severity levels for logins, multiple logins by same user, and logouts.

       [SuidCheck]
              Settings for finding SUID/SGID files on disk.
              SuidCheckActive=0|1 Switch off/on the check.
              SuidCheckExclude=path A directory (and its subdirectories) to exclude from the check.  Only  one
              directory can be specified this way.
              SuidCheckSchedule=schedule Crontab-like schedule for checks.
              SeveritySuidCheck=severity Severity for events.
              SuidCheckFps=fps Limit files per seconds for SUID check.
              SuidCheckNosuid=0|1 Check filesystems mounted as nosuid. Defaults to not.
              SuidCheckQuarantineFiles=0|1 Whether to quarantine files. Defaults to not.
              SuidCheckQuarantineMethod=0|1|2 Quarantine method: delete = 0, remove suid/sgid flags = 1, move to
              quarantine directory = 2. Defaults to 1 (remove suid/sgid flags).

       [Mounts]
              Configuration for checking mounts.
              MountCheckActive=0|1 Switch off/on this module.
              MountCheckInterval=seconds The interval between checks (default 300).
              SeverityMountMissing=severity Severity for reports on missing mounts.
              SeverityOptionMissing=severity Severity for reports on missing mount options.
              CheckMount=path [mount_options]
              Mount point to check. Mount options must be given as comma-separated list, separated  by  a  blank
              from the preceding mount point.

       [UserFiles]
              Configuration for checking paths relative to user home directories.
              UserFilesActive=0|1 Switch off/on this module.
              UserFilesName=filename policy
              Files  to  check  for  under  each  $HOME. Allowed values for 'policy' are: allignore, attributes,
              logfiles, loggrow, noignore (default), readonly, user0, user1, user2, user3, and user4.
              UserFilesCheckUids=uid_list A list of UIDs where we want to check.  The  default  is  all.  Ranges
              (e.g. 100-500) are allowed. If there is an open range (e.g.  1000-), it must be last in the list.

       [ProcessCheck]
              Settings for finding hidden, fake, or required processes on the local host.
              ProcessCheckActive=0|1 Switch off/on the check.
              ProcessCheckInterval=seconds The interval between checks (default 300).
              SeverityProcessCheck=severity Severity for events (default crit).
              ProcessCheckMinPID=pid The minimum PID to check (default 0).
              ProcessCheckMaxPID=pid The maximum PID to check (default 32767).
              ProcessCheckPSPath=path The path to ps (autodetected at compile time).
              ProcessCheckPSArg=argument  The  argument to ps (autodetected at compile time).  Must yield PID in
              first column.
              ProcessCheckExists=regular_expression Check for existence of a process matching the given  regular
              expression.

       [PortCheck]
              Settings for checking open ports on the local host.
              PortCheckActive=0|1 Switch off/on the check.
              PortCheckInterval=seconds The interval between checks (default 300).
              PortCheckUDP=yes|no Whether to check UDP ports as well (default yes).
              SeverityPortCheck=severity Severity for events (default crit).
              PortCheckInterface=ip_address Additional interface to check.
              PortCheckOptional=ip_address:list  Ports that may, but need not be open. The ip_address is the one
              of  the  interface,  the  list  must  be  comma  or  whitespace  separated,  each  item  must   be
              (port|service)/protocol, e.g. 22/tcp,nfs/tcp,nfs/udp.
              PortCheckRequired=ip_address:list Ports that are required to be open. The ip_address is the one of
              the  interface,  the  list  must  be  comma  or  whitespace   separated,   each   item   must   be
              (port|service)/protocol, e.g. 22/tcp,nfs/tcp,nfs/udp.
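       An added example (Python, not part of samhain) of the list syntax used by PortCheckOptional and
       PortCheckRequired and of the check they describe: parse both lists, accepting comma or whitespace
       separators and either numeric ports or service names, then compare them with a constructed snapshot of
       listening sockets to find required ports that are closed and open ports that are neither required nor
       optional. The service table and the addresses are constructed; treating every unlisted open port as
       reportable is this example's model of the check.

```python
import re

# Constructed service-name table standing in for /etc/services (so the example
# runs offline); real code would use socket.getservbyname().
SERVICES = {("ssh", "tcp"): 22, ("nfs", "tcp"): 2049, ("nfs", "udp"): 2049,
            ("domain", "udp"): 53, ("domain", "tcp"): 53}


def parse_port_list(spec):
    """Parse 'ip_address:list' into (ip, {(port, proto)}).

    Items are separated by commas or whitespace; each is (port|service)/protocol.
    IPv4 only: the first ':' separates the address from the list.
    """
    ip, sep, items = spec.partition(":")
    if not sep:
        raise ValueError(f"missing ip_address: prefix in {spec!r}")
    ports = set()
    for item in re.split(r"[,\s]+", items.strip()):
        if not item:
            continue
        name, slash, proto = item.partition("/")
        if not slash or proto not in ("tcp", "udp"):
            raise ValueError(f"bad item {item!r}: want (port|service)/tcp|udp")
        if name.isdigit():
            port = int(name)
        elif (name, proto) in SERVICES:
            port = SERVICES[(name, proto)]
        else:
            raise ValueError(f"unknown service {name}/{proto}")
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
        ports.add((port, proto))
    return ip.strip(), ports


def audit_ports(required_spec, optional_spec, listening):
    """Compare listening sockets [(ip, port, proto)] against the PortCheck lists.

    Returns (missing_required, unexpected_open) for the interface named in the specs.
    """
    ip, required = parse_port_list(required_spec)
    ip_opt, optional = parse_port_list(optional_spec)
    if ip_opt != ip:
        raise ValueError("required/optional lists refer to different interfaces")
    open_here = {(port, proto) for addr, port, proto in listening if addr == ip}
    missing = sorted(required - open_here)
    unexpected = sorted(open_here - required - optional)
    return missing, unexpected


# Constructed PortCheck values and a constructed snapshot of listening sockets.
REQUIRED = "192.0.2.10:22/tcp,nfs/tcp nfs/udp"
OPTIONAL = "192.0.2.10:domain/udp"
LISTENING = [("192.0.2.10", 22, "tcp"), ("192.0.2.10", 2049, "tcp"),
             ("192.0.2.10", 53, "udp"), ("192.0.2.10", 6667, "tcp"),
             ("127.0.0.1", 631, "tcp")]     # other interface: outside this check

if __name__ == "__main__":
    missing, unexpected = audit_ports(REQUIRED, OPTIONAL, LISTENING)
    print("missing required:", missing)      # nfs/udp is down
    print("unexpected open: ", unexpected)   # 6667/tcp is neither required nor optional
```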

       [Database]
              Settings for logging to a database.
              SetDBHost=db_host  Host  where  the  DB  server runs (default: localhost).  Should be a numeric IP
              address for PostgreSQL.
              SetDBName=db_name Name of the database (default: samhain).
              SetDBTable=db_table Name of the database table (default: log).
              SetDBUser=db_user Connect as this user (default: samhain).
              SetDBPassword=db_password Use this password (default: none).
              SetDBServerTstamp=true|false Log server timestamp for client messages (default: true).
              UsePersistent=true|false Use a persistent connection (default: true).

       [Misc] Daemon=no|yes Detach from controlling terminal to become a daemon.
              MessageHeader=format Custom format for message header.  Replacements:  %F  source  file  name,  %L
              source file line, %S severity, %T timestamp, %C message class.
              VersionString=string Set version string to include in file signature database (along with hostname
              and date).
              SetReverseLookup=true|false If false, skip reverse lookups when connecting to a host known by name
              rather than IP address.
              HideSetup=yes|no Don't log name of config/database files on startup.
              SyslogFacility=facility Set the syslog facility to use. Default is LOG_AUTHPRIV.
              MACType=HASH-TIGER|HMAC-TIGER  Set  type of message authentication code (HMAC).  Must be identical
              on client and server.
              StartupLoadDelay=val Defines the interval (in seconds) to wait after startup  before  loading  the
              database from the server. Default is no wait.
              SetLoopTime=val Defines the interval (in seconds) for timestamps.
              SetConsole=device Set the console device (default /dev/console).
              MessageQueueActive=1|0 Whether to use a SysV IPC message queue.
              PreludeMapToInfo=listofseverities  The  severities  (see  section  [Log]) that should be mapped to
              impact severity info in prelude.
              PreludeMapToLow=listofseverities The severities (see section  [Log])  that  should  be  mapped  to
              impact severity low in prelude.
              PreludeMapToMedium=listofseverities  The  severities  (see section [Log]) that should be mapped to
              impact severity medium in prelude.
              PreludeMapToHigh=listofseverities The severities (see section [Log])  that  should  be  mapped  to
              impact severity high in prelude.
              SetMailTime=val defines the maximum interval (in seconds) between successive e-mail reports.  Mail
              might be empty if there are no events to report.
              SetMailNum=val defines the maximum number of messages  that  are  stored  before  e-mailing  them.
              Messages of highest priority are always sent immediately.
              SetMailAddress=username@host  sets  the recipient address for mailing.  No aliases should be used.
              For security, you should prefer a numerical host address.
              SetMailRelay=server sets the hostname for the mail relay server (if you need one).   If  no  relay
              server is given, mail is sent directly to the host given in the mail address, otherwise it is sent
              to the relay server, who should forward it to the given address.
              SetMailSubject=val defines a custom format for the subject of an email message.
              SetMailSender=val defines the sender for the 'From:' field of a message.
              SetMailFilterAnd=list defines a list of strings all of which must match a  message,  otherwise  it
              will not be mailed.
              SetMailFilterOr=list  defines  a  list  of  strings  at  least  one of which must match a message,
              otherwise it will not be mailed.
              SetMailFilterNot=list defines a list of strings none of which should match a message, otherwise it
              will not be mailed.
              SamhainPath=/path/to/binary sets the path to the samhain binary. If set, samhain will checksum its
              own binary both on startup and termination, and compare both.
              SetBindAddress=IP_address The IP address (i.e.  interface  on  multi-interface  box)  to  use  for
              outgoing connections.
              SetTimeServer=server sets the hostname for the time server.
              TrustedUser=name|uid  Add  a  user  to  the  set of trusted users (root and the effective user are
              always trusted; up to 7 more users can be added).
              SetLogfilePath=AUTO|/path Path to logfile (AUTO to tack hostname on compiled-in path).
              SetLockfilePath=AUTO|/path Path to lockfile (AUTO to tack hostname on compiled-in path).

       Standalone or client only
              SetNiceLevel=-19..19 Set scheduling priority during file check.
              SetIOLimit=bps Set IO limits (kilobytes per second) for file check.
              SetFilecheckTime=val Defines the interval (in seconds) between successive file checks.
              FileCheckScheduleOne=schedule Crontab-like schedule for file checks. If used, SetFilecheckTime  is
              ignored.
              UseHardlinkCheck=yes|no Compare number of hardlinks to number of subdirectories for directories.
              HardlinkOffset=N:/path Exception (use multiple times for multiple exceptions). N is offset (actual
              - expected hardlinks) for /path.
              AddOKChars=N1,N2,..  List of additional acceptable characters (byte value(s)) for  the  check  for
              weird  filenames. Nn may be hex (leading '0x': 0xNN), octal (leading zero: 0NNN), or decimal.  Use
              all for all.
              FilenamesAreUTF8=yes|no Whether filenames are UTF-8 encoded (defaults to no).  If  yes,  filenames
              are checked for invalid UTF-8 encoding and for ending in invisible characters.
              IgnoreAdded=path_regex Ignore if this file/directory is added/created.
              IgnoreMissing=path_regex Ignore if this file/directory is missing/deleted.
              ReportOnlyOnce=yes|no Report only once on a modified file (default yes).
              ReportFullDetail=yes|no Report in full detail on modified files (not only modified items).
              UseLocalTime=yes|no Report file timestamps in local time rather than GMT (default no).  Do not use
              this with Beltane.
              ChecksumTest={init|update|check|none} defines whether to initialize/update the database or  verify
              files against it.  If 'none', you should supply the required option on the command line.
              SetPrelinkPath=path Path of the prelink executable (default /usr/sbin/prelink).
              SetPrelinkChecksum=checksum TIGER192 checksum of the prelink executable (no default).
              SetLogServer=server sets the hostname for the log server.
              SetServerPort=portnumber sets the port on the server to connect to.
              SetDatabasePath=AUTO|/path Path to database (AUTO to tack hostname on compiled-in path).
              DigestAlgo=SHA1|MD5 Use SHA1 or MD5 instead of the TIGER checksum (default: TIGER192).  MD5  and
              SHA1 are no longer collision resistant; choose them only for compatibility  with  an  existing
              database and keep the default otherwise.
              RedefReadOnly=+/-XXX,+/-YYY,...   Add  or subtract tests XXX from the ReadOnly policy.  Tests are:
              CHK (checksum), TXT (store literal content), LNK (link), HLN (hardlink), INO (inode), USR  (user),
              GRP  (group),  MTM (mtime), ATM (atime), CTM (ctime), SIZ (size), RDEV (device numbers) and/or MOD
              (file mode).
              RedefAttributes=+/-XXX,+/-YYY,...  Add or subtract tests XXX from the Attributes policy.
              RedefLogFiles=+/-XXX,+/-YYY,...  Add or subtract tests XXX from the LogFiles policy.
              RedefGrowingLogFiles=+/-XXX,+/-YYY,...  Add or subtract tests XXX from the GrowingLogFiles policy.
              RedefIgnoreAll=+/-XXX,+/-YYY,...  Add or subtract tests XXX from the IgnoreAll policy.
              RedefIgnoreNone=+/-XXX,+/-YYY,...  Add or subtract tests XXX from the IgnoreNone policy.
              RedefUser0=+/-XXX,+/-YYY,...  Add or subtract tests XXX from the User0 policy.
              RedefUser1=+/-XXX,+/-YYY,...  Add or subtract tests XXX from the User1 policy.
              RedefUser2=+/-XXX,+/-YYY,...  Add or subtract tests XXX from the User2 policy.
              RedefUser3=+/-XXX,+/-YYY,...  Add or subtract tests XXX from the User3 policy.
              RedefUser4=+/-XXX,+/-YYY,...  Add or subtract tests XXX from the User4 policy.
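       To make the policy descriptions ([ReadOnly] through [IgnoreNone]) and the Redef* syntax concrete, here
       is an added Python model (not samhain's code): each policy is a set of the test names listed under
       RedefReadOnly, a Redef string adds or removes tests, and two attribute snapshots of a file are compared
       under the resulting set, with the GrowingLogFiles rule that a size change is ignored only when the file
       grew. The base test sets are derived from the descriptions on this page and approximate samhain's
       defaults; TXT is assumed to be in no default policy, and the snapshots are constructed.

```python
# Test names as listed for RedefReadOnly. TXT (store literal content) is an
# optional extra and is assumed here to be in no default policy.
ALL_TESTS = {"CHK", "LNK", "HLN", "INO", "USR", "GRP", "MTM", "ATM", "CTM", "SIZ", "RDEV", "MOD"}

# Base test sets derived from the policy descriptions above (an approximation;
# samhain's exact defaults are not stated on this page).
BASE_POLICY = {
    "ReadOnly": ALL_TESTS - {"ATM"},                              # all but access time
    "LogFiles": ALL_TESTS - {"MTM", "ATM", "CTM", "SIZ", "CHK"},  # no timestamps, size, checksum
    "GrowingLogFiles": ALL_TESTS - {"MTM", "ATM", "CTM", "CHK"},  # SIZ kept: checked with the growth rule
    "Attributes": {"USR", "GRP", "MOD"},                          # ownership and permissions only
    "IgnoreAll": set(),
    "IgnoreNone": set(ALL_TESTS),                                 # everything, including atime
}


def apply_redef(policy, redef=""):
    """Apply a Redef<Policy>=+/-XXX,+/-YYY,... string to the policy's base test set."""
    tests = set(BASE_POLICY[policy])
    for item in redef.split(","):
        item = item.strip()
        if not item:
            continue
        sign, name = item[0], item[1:].upper()
        if sign not in "+-" or name not in ALL_TESTS | {"TXT"}:
            raise ValueError(f"bad redefinition item: {item!r}")
        (tests.add if sign == "+" else tests.discard)(name)
    return tests


def failed_tests(policy, old, new, redef=""):
    """Tests that would fire for a file under `policy`, comparing two attribute snapshots.

    `old`/`new` map test names to the recorded/current attribute values.
    """
    failed = []
    for test in sorted(apply_redef(policy, redef)):
        if test == "SIZ" and policy == "GrowingLogFiles" and new["SIZ"] >= old["SIZ"]:
            continue        # growth is expected for a log; only shrinking is reported
        if old.get(test) != new.get(test):
            failed.append(test)
    return failed


# Constructed snapshots of /var/log/auth.log (illustrative values).
BASELINE = {"CHK": "tiger:6f2e...", "LNK": "", "HLN": 1, "INO": 131090, "USR": "root",
            "GRP": "adm", "MTM": 1700000000, "ATM": 1700000000, "CTM": 1700000000,
            "SIZ": 4096, "RDEV": 0, "MOD": "0640"}
APPENDED = dict(BASELINE, CHK="tiger:a91c...", MTM=1700003600, ATM=1700003601,
                CTM=1700003600, SIZ=8192)                    # normal log growth
TRUNCATED = dict(APPENDED, CHK="tiger:0000...", SIZ=0)       # log wiped
CHMODDED = dict(BASELINE, CTM=1700003600, MOD="0666")        # permissions loosened

if __name__ == "__main__":
    for name, snap in (("appended", APPENDED), ("truncated", TRUNCATED), ("chmod", CHMODDED)):
        for policy in ("ReadOnly", "LogFiles", "GrowingLogFiles", "Attributes"):
            print(f"{name:9} {policy:16} -> {failed_tests(policy, BASELINE, snap) or 'clean'}")
```

       The comparison shows why a log belongs under GrowingLogFiles rather than ReadOnly: the same growth that
       is clean under GrowingLogFiles trips CHK, CTM, MTM and SIZ under ReadOnly, while truncation is still
       reported, and a loosened mode is caught by every policy except IgnoreAll.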

       Server Only
              SetUseSocket=yes|no If unset, do not open the command socket. The default is no.
              SetSocketAllowUid=UID Which user can connect to the command socket. The default is 0 (root).
              SetSocketPassword=password Password (max. 14 chars, no '@') for password-based  authentication  on
              the command socket (only if the OS does not support passing credentials via sockets).
              SetChrootDir=path If set, chroot to this directory after startup.
              SetStripDomain=yes|no  Whether  to  strip  the domain from the client hostname when logging client
              messages (default: yes).
              SetClientFromAccept=true|false If true, use client address as known to  the  communication  layer.
              Else  (default)  use client name as claimed by the client, try to verify against the address known
              to the communication layer, and accept (with a warning message) even if this fails.
              UseClientSeverity=yes|no Use the severity of client messages.
              UseClientClass=yes|no Use the class of client messages.
              SetServerPort=number The port that the server should use for listening (default is 49777).
              SetServerInterface=IPaddress The IP address (i.e.  interface  on  multi-interface  box)  that  the
              server should use for listening (default is all). Use INADDR_ANY to reset to all.
              SeverityLookup=severity Severity of the message on client address != socket peer.
              UseSeparateLogs=true|false If true, messages from different clients will be logged to separate log
              files (the name of the client will be appended to the name of the main log file to  construct  the
              logfile name).
              SetClientTimeLimit=seconds  The  maximum time between client messages. If exceeded, a warning will
              be issued (the default is 86400 sec = 1 day).
              SetUDPActive=yes|no yule 1.2.8+: Also listen on 514/udp (syslog).

       [Clients]
              This section is only relevant if samhain is run as a log server for clients running on another (or
              the same) machine.
              Client=hostname@salt@verifier  registers  a  client  at  host  hostname  (fully qualified hostname
              required) for access to the log server.   Log  entries  from  unregistered  clients  will  not  be
              accepted.   To  generate  a  salt and a valid verifier, use the command samhain -P password, where
              password is the password of the client. A simple utility program  samhain_setpwd  is  provided  to
              re-set the compiled-in default password of the client executable to a user-defined value.

       [EOF]  An optional end marker. Everything below is ignored.

SEE ALSO

       samhain(8)

AUTHOR

       Rainer Wichmann (http://la-samhna.de)

BUG REPORTS

       If  you  find a bug in samhain, please send electronic mail to support@la-samhna.de.  Please include your
       operating system and its revision, the version of samhain, what C compiler you used to compile  it,  your
       'configure' options, and anything else you deem helpful.

COPYING PERMISSIONS

       Copyright (©) 2000, 2004, 2005 Rainer Wichmann

       Permission  is  granted to make and distribute verbatim copies of this manual page provided the copyright
       notice and this permission notice are preserved on all copies.

       Permission is granted to copy and distribute modified versions of this manual page under  the  conditions
       for verbatim copying, provided that the entire resulting derived work is distributed under the terms of a
       permission notice identical to this one.

                                                  Jul 29, 2004                                      SAMHAINRC(5)