FreeBSD Manual Pages
SAMHAINRC(5)		       samhainrc manual			  SAMHAINRC(5)

       samhainrc - samhain(8) configuration file

       The information in this man page is not always up to date. The
       authoritative documentation is the user manual.

       The configuration file for samhain(8) is	named samhainrc	and located in
       /etc by default.

       It contains several sections, indicated by headings in square brackets.
       Each section may hold zero or more key=value pairs. Blank lines and
       lines starting with '#' are comments. Everything before the first
       section and after an [EOF] is ignored. The file may be (clear text)
       signed by PGP/GnuPG, and samhain may invoke GnuPG to check the
       signature if compiled with support for it.

       Conditional inclusion of	entries	for some host(s) is supported via  any
       number  of  @hostname/@end directives.  @hostname and @end must each be
       on separate lines. Lines	in between  will  only	be  read  if  hostname
       (which may be a regular expression) matches the local host.

       Likewise, conditional inclusion of entries based on system type is
       supported via any number of $sysname:release:machine/$end directives.
       sysname:release:machine can be inferred from uname -srm and may be a
       regular expression.

       Filenames/directories to	check may be wildcard patterns.

       Options given on the command line will override those in the
       configuration file. The recognized sections in the configuration file
       are as
       Boolean options can be set with any of 1|true|yes or 0|false|no.
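
       The file layout described above, as an added example that is not
       samhain's own parser: a constructed samhainrc is resolved the way a
       given host would read it, applying the @hostname/@end and
       $sysname:release:machine/$end blocks, the [EOF] marker and the rule
       that text before the first section is ignored. Assumed (not stated
       on this page): a conditional pattern must match the whole hostname or
       the whole sysname:release:machine string.

```python
import re

# Constructed sample samhainrc (not taken from any real deployment). It uses
# the layout described above: '#' comments, bracketed sections, key=value
# entries, @hostname/@end and $sysname:release:machine/$end blocks, [EOF].
SAMPLE_RC = r"""
# constructed sample samhainrc
stray=this line precedes the first section and is ignored
[ReadOnly]
file=/etc/passwd
dir=2/usr/sbin
@web[0-9]+\.example\.org
dir=/var/www
@end
$Linux:.*:x86_64
file=/etc/ld.so.preload
$end
[Log]
MailSeverity=crit
SyslogSeverity==warn
[EOF]
[Misc]
Daemon=yes
"""


def parse_samhainrc(text, hostname, uname_srm):
    """Return {section: [(key, value), ...]} as host `hostname` would read the
    file; `uname_srm` is that host's `uname -srm` output. Assumption (mine,
    not documented here): a conditional pattern must match the whole hostname
    or the whole sysname:release:machine string (re.fullmatch)."""
    sysid = ":".join(uname_srm.split(None, 2))  # "Linux 5.x x86_64" -> "Linux:5.x:x86_64"
    sections, current = {}, None
    active = []  # one flag per enclosing @.../$... block: does it apply here?
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments
        if line in ("@end", "$end"):
            if not active:
                raise ValueError("unbalanced " + line)
            active.pop()
            continue
        if line[0] in "@$":
            subject = hostname if line[0] == "@" else sysid
            active.append(re.fullmatch(line[1:], subject) is not None)
            continue
        if not all(active):
            continue  # inside a block meant for another host / system type
        if line == "[EOF]":
            break  # everything after the end marker is ignored
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if current is None:
            continue  # text before the first section is ignored
        key, sep, value = line.partition("=")
        if sep:
            sections[current].append((key.strip(), value.strip()))
    return sections
```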

       [ReadOnly]
              This section may contain file=PATH and dir=[depth]PATH entries
              for files and directories to check. All modifications except
              access times will be reported for these files. [depth] (use
              without brackets) is an optional parameter to define a
              per-directory recursion depth.

       [LogFiles]
              As above, but modifications of timestamps, file size, and
              signature will be ignored.

       [GrowingLogFiles]
              As above, but modifications of file size will only be ignored if
              the size has increased.

       [Attributes]
              As above, but only modifications of ownership and access
              permissions will be checked.

       [IgnoreAll]
              As above, but report no modifications for these
              files/directories. Access failures will still be reported.

       [IgnoreNone]
              As above, but report all modifications for these
              files/directories, including access time.

       [User0], [User1], [User2], [User3], [User4]
              These are reserved for user-defined policies.

       [Prelink]
              For prelinked executables / libraries or directories holding

       [Log]  This section defines the filtering rules for logging. It may
              contain the following entries:
              MailSeverity=val where the threshold value val may be one of
              debug, info, notice, warn, mark, err, crit, alert, or none. By
              default, everything equal to and above the threshold will be
              logged. The specifiers *, !, and = are interpreted as 'all',
              'all but', and 'only', respectively (like in the Linux version
              of syslogd(8)). Time stamps have the priority warn,
              system-level errors have the priority err, and important
              start-up messages the priority alert. The signature key for
              the log file will never be logged to syslog or the log file
              itself. For failures to verify file integrity, error levels
              are defined in the next section.
              DatabaseSeverity=val, and
              SyslogSeverity=val set the thresholds for logging via stdout
              (or /dev/console), log file, TCP forwarding, calling external
              programs, and syslog(3).

       [EventSeverity]
              SeverityUser3=val, and
              SeverityUser4=val define the error levels for failures to
              verify the integrity of files/directories of the respective
              types. I.e. if such a file shows unexpected modifications, an
              error of level val will be generated, and logged to all
              facilities with a threshold of at least val.
              SeverityFiles=val sets the error level for file access
              problems, SeverityDirs=val for directory access problems.
              SeverityNames=val sets the error level for obscure file names
              (e.g. non-printable characters), and for files with invalid
       [External]
              OpenCommand=path Start the definition of an external logging
              SetType=log|srv Type/purpose of program (log for logging).
              SetCommandline=list Command line options.
              SetEnviron=KEY=val Environment for external program.
              SetChecksum=val Checksum of the external program (checked before
              SetCredentials=username User as who the program will run.
              SetFilterNot=list Words not allowed in message.
              SetFilterAnd=list Words required (ALL) in message.
              SetFilterOr=list Words required (at least one) in message.
              SetDeadtime=seconds Time between consecutive calls.

       [Utmp] Configuration for watching login/logout events.
              LoginCheckActive=0|1 Switch off/on login/logout reporting.
              LoginCheckInterval=val Interval (seconds) between checks for
              login/logout events.
              SeverityLogout=val Severity levels for logins, multiple logins
              by same user, and logouts.

       [SuidCheck]
              Settings for finding SUID/SGID files on disk.
              SuidCheckActive=0|1 Switch off/on the check.
              A directory (and its subdirectories) to exclude from the check.
              Only one directory can be specified this way.
              SuidCheckSchedule=schedule Crontab-like schedule for checks.
              SeveritySuidCheck=severity Severity for events.
              SuidCheckFps=fps Limit files per second for the SUID check.
              SuidCheckNosuid=0|1 Check filesystems mounted as nosuid.
              Defaults to not.
              SuidCheckQuarantineFiles=0|1 Whether to quarantine files.
              Defaults to not.
              SuidCheckQuarantineMethod=0|1|2 Quarantine method. Delete = 0,
              remove suid/sgid flags = 1, move to quarantine directory = 2.
              Defaults to 1 (remove suid/sgid flags).

       [Mounts]
              Configuration for checking mounts.
              MountCheckActive=0|1 Switch off/on this module.
              The interval between checks (default 300).
              SeverityMountMissing=severity Severity for reports on missing
              SeverityOptionMissing=severity Severity for reports on missing
              mount options.
              CheckMount=path [mount_options]
              Mount point to check. Mount options must be given as a
              comma-separated list, separated by a blank from the preceding
              mount point.

       [UserFiles]
              Configuration for checking paths relative to user home
              directories.
              UserFilesActive=0|1 Switch off/on this module.
              UserFilesName=filename policy
              Files to check for under each $HOME. Allowed values for
              'policy' are: allignore, attributes, logfiles, loggrow,
              noignore (default), readonly, user0, user1, user2, user3, and
              user4.
              UserFilesCheckUids=uid_list A list of UIDs where we want to
              check. The default is all. Ranges (e.g. 100-500) are allowed.
              If there is an open range (e.g. 1000-), it must be last in the
       [ProcessCheck]
              Settings for finding hidden/fake, required processes on the local
              ProcessCheckActive=0|1 Switch off/on the check.
              The interval between checks (default 300).
              SeverityProcessCheck=severity Severity for events (default
              ProcessCheckMinPID=pid The minimum PID to check (default 0).
              ProcessCheckMaxPID=pid The maximum PID to check (default 32767).
              ProcessCheckPSPath=path The path to ps (autodetected at compile
              ProcessCheckPSArg=argument The argument to ps (autodetected at
              compile time). Must yield PID in first column.
              ProcessCheckExists=regular_expression Check for existence of a
              process matching the given regular expression.

       [PortCheck]
              Settings for checking open ports on the local host.
              PortCheckActive=0|1 Switch off/on the check.
              The interval between checks (default 300).
              PortCheckUDP=yes|no Whether to check UDP ports as well (default
              SeverityPortCheck=severity Severity for events (default crit).
              PortCheckInterface=ip_address Additional interface to check.
              PortCheckOptional=ip_address:list Ports that may, but need not
              be open. The ip_address is the one of the interface, the list
              must be comma or whitespace separated, each item must be
              (port|service)/protocol, e.g. 22/tcp,nfs/tcp,nfs/udp.
              PortCheckRequired=ip_address:list Ports that are required to be
              open. The ip_address is the one of the interface, the list must
              be comma or whitespace separated, each item must be
              (port|service)/protocol, e.g. 22/tcp,nfs/tcp,nfs/udp.

       [Database]
              Settings for logging to a database.
              SetDBHost=db_host Host where the DB server runs (default:
              localhost). Should be a numeric IP address for PostgreSQL.
              SetDBName=db_name Name of the database (default: samhain).
              SetDBTable=db_table Name of the database table (default: log).
              SetDBUser=db_user Connect as this user (default: samhain).
              SetDBPassword=db_password Use this password (default: none).
              SetDBServerTstamp=true|false Log server timestamp for client
              messages (default: true).
              UsePersistent=true|false Use a persistent connection (default:

       [Misc] Daemon=no|yes Detach from controlling terminal to become a
              daemon.
              MessageHeader=format Custom format for message header.
              Replacements: %F source file name, %L source file line, %S
              severity, %T timestamp, %C message class.
              VersionString=string Set version string to include in file
              signature database (along with hostname and date).
              SetReverseLookup=true|false If false, skip reverse lookups when
              connecting to a host known by name rather than IP address.
              HideSetup=yes|no Don't log name of config/database files on
              SyslogFacility=facility Set the syslog facility to use. Default
              is LOG_AUTHPRIV.
              MACType=HASH-TIGER|HMAC-TIGER Set type of message
              authentication code (HMAC). Must be identical on client and
              server.
              StartupLoadDelay=val Defines the interval (in seconds) to wait
              after startup before loading the database from the server.
              Default is no wait.
              SetLoopTime=val Defines the interval (in seconds) for timestamp
              SetConsole=device Set the console device (default /dev/console).
              MessageQueueActive=1|0 Whether to use a SysV IPC message queue.
              PreludeMapToInfo=listofseverities The severities (see section
              [Log]) that should be mapped to impact severity info in prelude.
              PreludeMapToLow=listofseverities The severities (see section
              [Log]) that should be mapped to impact severity low in prelude.
              PreludeMapToMedium=listofseverities The severities (see section
              [Log]) that should be mapped to impact severity medium in
              prelude.
              PreludeMapToHigh=listofseverities The severities (see section
              [Log]) that should be mapped to impact severity high in prelude.
              SetMailTime=val defines the maximum interval (in seconds)
              between successive e-mail reports. Mail might be empty if there
              are no events to report.
              SetMailNum=val defines the maximum number of messages that are
              stored before e-mailing them. Messages of highest priority are
              always sent immediately.
              SetMailAddress=username@host sets the recipient address for
              mailing. No aliases should be used. For security, you should
              prefer a numerical host address.
              SetMailRelay=server sets the hostname for the mail relay server
              (if you need one). If no relay server is given, mail is sent
              directly to the host given in the mail address, otherwise it is
              sent to the relay server, which should forward it to the given
              address.
              SetMailSubject=val defines a custom format for the subject of an
              email message.
              SetMailSender=val defines the sender for the 'From:' field of a
              SetMailFilterAnd=list defines a list of strings all of which
              must match a message, otherwise it will not be mailed.
              SetMailFilterOr=list defines a list of strings at least one of
              which must match a message, otherwise it will not be mailed.
              SetMailFilterNot=list defines a list of strings none of which
              should match a message, otherwise it will not be mailed.
              SamhainPath=/path/to/binary sets the path to the samhain binary.
              If set, samhain will checksum its own binary both on startup and
              termination, and compare both.
              SetBindAddress=IP_address The IP address (i.e. interface on
              multi-interface box) to use for outgoing connections.
              SetTimeServer=server sets the hostname for the time server.
              TrustedUser=name|uid Add a user to the set of trusted users
              (root and the effective user are always trusted. You can add up
              to 7 more users).
              SetLogfilePath=AUTO|/path Path to logfile (AUTO to tack hostname
              on compiled-in path).
              SetLockfilePath=AUTO|/path Path to lockfile (AUTO to tack
              hostname on compiled-in path).

       Standalone or client only
              SetNiceLevel=-19..19 Set scheduling priority during file check.
              SetIOLimit=bps Set IO limits (kilobytes per second) for file
              SetFilecheckTime=val Defines the interval (in seconds) between
              successive file checks.
              FileCheckScheduleOne=schedule Crontab-like schedule for file
              checks. If used, SetFilecheckTime is ignored.
              UseHardlinkCheck=yes|no Compare number of hardlinks to number of
              subdirectories for directories.
              HardlinkOffset=N:/path Exception (use multiple times for
              multiple exceptions). N is offset (actual - expected hardlinks)
              for
              AddOKChars=N1,N2,.. List of additional acceptable characters
              (byte value(s)) for the check for weird filenames. Nn may be hex
              (leading '0x': 0xNN), octal (leading zero: 0NNN), or decimal.
              Use all for all.
              FilenamesAreUTF8=yes|no Whether filenames are UTF-8 encoded
              (defaults to no). If yes, filenames are checked for invalid
              UTF-8 encoding and for ending in invisible characters.
              IgnoreAdded=path_regex Ignore if this file/directory is
              IgnoreMissing=path_regex Ignore if this file/directory is
              missing.
              ReportOnlyOnce=yes|no Report only once on a modified file
              (default yes).
              ReportFullDetail=yes|no Report in full detail on modified files
              (not only modified items).
              UseLocalTime=yes|no Report file timestamps in local time rather
              than GMT (default no). Do not use this with Beltane.
              ChecksumTest={init|update|check|none} defines whether to
              initialize/update the database or verify files against it. If
              'none', you should supply the required option on the command
              SetPrelinkPath=path Path of the prelink executable (default
              SetPrelinkChecksum=checksum TIGER192 checksum of the prelink
              executable (no default).
              SetLogServer=server sets the hostname for the log server.
              SetServerPort=portnumber sets the port on the server to connect
              SetDatabasePath=AUTO|/path Path to database (AUTO to tack
              hostname on compiled-in path).
              DigestAlgo=SHA1|MD5 Use SHA1 or MD5 instead of the TIGER
              checksum (default: TIGER192).
              RedefReadOnly=+/-XXX,+/-YYY,... Add or subtract tests XXX from
              the ReadOnly policy. Tests are: CHK (checksum), TXT (store
              literal content), LNK (link), HLN (hardlink), INO (inode), USR
              (user), GRP (group), MTM (mtime), ATM (atime), CTM (ctime), SIZ
              (size), RDEV (device numbers) and/or MOD (file mode).
              RedefAttributes=+/-XXX,+/-YYY,... Add or subtract tests XXX
              from the Attributes policy.
              RedefLogFiles=+/-XXX,+/-YYY,... Add or subtract tests XXX from
              the LogFiles policy.
              RedefGrowingLogFiles=+/-XXX,+/-YYY,... Add or subtract tests
              XXX from the GrowingLogFiles policy.
              RedefIgnoreAll=+/-XXX,+/-YYY,... Add or subtract tests XXX from
              the IgnoreAll policy.
              RedefIgnoreNone=+/-XXX,+/-YYY,... Add or subtract tests XXX
              from the IgnoreNone policy.
              RedefUser0=+/-XXX,+/-YYY,... Add or subtract tests XXX from the
              User0 policy.
              RedefUser1=+/-XXX,+/-YYY,... Add or subtract tests XXX from the
              User1 policy.
              RedefUser2=+/-XXX,+/-YYY,... Add or subtract tests XXX from the
              User2 policy.
              RedefUser3=+/-XXX,+/-YYY,... Add or subtract tests XXX from the
              User3 policy.
              RedefUser4=+/-XXX,+/-YYY,... Add or subtract tests XXX from the
              User4 policy.

       Server Only
              SetUseSocket=yes|no If unset, do not open the command socket.
              The default is no.
              SetSocketAllowUid=UID Which user can connect to the command
              socket. The default is 0 (root).
              SetSocketPassword=password Password (max. 14 chars, no '@') for
              password-based authentication on the command socket (only if the
              OS does not support passing credentials via sockets).
              SetChrootDir=path If set, chroot to this directory after
              SetStripDomain=yes|no Whether to strip the domain from the
              client hostname when logging client messages (default: yes).
              SetClientFromAccept=true|false If true, use client address as
              known to the communication layer. Else (default) use client name
              as claimed by the client, try to verify against the address
              known to the communication layer, and accept (with a warning
              message) even if this fails.
              UseClientSeverity=yes|no Use the severity of client messages.
              UseClientClass=yes|no Use the class of client messages.
              SetServerPort=number The port that the server should use for
              listening (default is 49777).
              SetServerInterface=IPaddress The IP address (i.e. interface on
              multi-interface box) that the server should use for listening
              (default is all). Use INADDR_ANY to reset to all.
              SeverityLookup=severity Severity of the message on client
              address != socket peer.
              UseSeparateLogs=true|false If true, messages from different
              clients will be logged to separate log files (the name of the
              client will be appended to the name of the main log file to
              construct the logfile name).
              SetClientTimeLimit=seconds The maximum time between client
              messages. If exceeded, a warning will be issued (the default is
              86400 sec = 1 day).
              SetUDPActive=yes|no yule 1.2.8+: Also listen on 514/udp (syslog

       [Clients]
              This section is only relevant if samhain is run as a log server
              for clients running on another (or the same) machine.
              Client=hostname@salt@verifier registers a client at host
              hostname (fully qualified hostname required) for access to the
              log server. Log entries from unregistered clients will not be
              accepted. To generate a salt and a valid verifier, use the
              command samhain -P password, where password is the password of
              the client. A simple utility program samhain_setpwd is provided
              to re-set the compiled-in default password of the client
              executable to a user-defined value.

       [EOF]  An optional end marker. Everything below is ignored.


       Rainer Wichmann (

       If you find a bug in samhain, please send electronic mail to sup-
       Please include your operating system and its revision, the version of
       samhain, what C compiler you used to compile it, your 'configure'
       options, and anything else you deem helpful.

       Copyright (C) 2000, 2004, 2005 Rainer Wichmann

       Permission is granted to	make and distribute verbatim  copies  of  this
       manual  page  provided  the copyright notice and	this permission	notice
       are preserved on	all copies.

       Permission is granted to	copy and distribute modified versions of  this
       manual  page  under  the	conditions for verbatim	copying, provided that
       the entire resulting derived work is distributed	under the terms	 of  a
       permission notice identical to this one.

				 Jul 29, 2004			  SAMHAINRC(5)

