Man Linux: Main Page and Category List


       samhainrc - samhain(8) configuration file


       The  information  in  this  man  page  is  not  always up to date.  The
       authoritative documentation is the user manual.


       The configuration file for samhain(8) is named samhainrc and located in
       /etc by default.

       It contains several sections, indicated by headings in square brackets.
       Each section may hold zero or more key=value  pairs.  Blank  lines  and
       lines  starting  with  ’#’  are  comments.  Everything before the first
       section and after an [EOF] is ignored. The file  may  be  (clear  text)
       signed  by  PGP/GnuPG,  and  samhain  may  invoke  GnuPG  to  check the
       signature if compiled with support for it.

       Conditional inclusion of entries for some host(s) is supported via  any
       number  of  @hostname/@end directives.  @hostname and @end must each be
       on separate lines. Lines in between  will  only  be  read  if  hostname
       (which may be a regular expression) matches the local host.

       Likewise,  conditional  inclusion  of  entries  based on system type is
       supported via any number of $sysname:release:machine/$end directives.
       sysname:release:machine can be inferred from uname -srm and  may  be  a
       regular expression.

       Filenames/directories to check may be wildcard patterns.

       Options   given  on  the  command  line  will  override  those  in  the
       configuration file.  The recognized sections in the configuration  file
       are as follows:

       Boolean options can be set with any of 1|true|yes or 0|false|no.

              This section may contain
              file=PATH and
              dir=[depth]PATH  entries for files and directories to check. All
              modifications except access times will  be  reported  for  these
              files.   [depth] (use without brackets) is an optional parameter
              to define a per-directory recursion depth.

              As above,  but  modifications  of  timestamps,  file  size,  and
              signature will be ignored.

              As above, but modifications of file size will only be ignored if
              the size has increased.

              As  above,  but  only  modifications  of  ownership  and  access
              permissions will be checked.

              As    above,    but    report   no   modifications   for   these
              files/directories. Access failures will still be reported.

              As   above,   but   report   all   modifications    for    these
              files/directories, including access time.





              These are reserved for user-defined policies.

              For  prelinked  executables  /  libraries or directories holding

       [Log]  This section defines the filtering rules for  logging.   It  may
              contain the following entries:
              MailSeverity=val  where  the  threshold  value val may be one of
              debug, info, notice, warn, mark, err, crit, alert, or none.   By
              default,  everything  equal  to  and above the threshold will be
              logged.  The specifiers *, !, and = are  interpreted  as  ’all’,
              ’all  but’,  and ’only’, respectively (like in the Linux version
              of  syslogd(8)).   Time   stamps   have   the   priority   warn,
              system-level   errors  have  the  priority  err,  and  important
              start-up messages the priority alert.  The signature key for the
              log  file will never be logged to syslog or the log file itself.
              For failures to verify file integrity, error levels are  defined
              in the next section.
              DatabaseSeverity=val, and
              SyslogSeverity=val set the thresholds for logging via stdout (or
              /dev/console),  log  file,  TCP  forwarding,  calling   external
              programs, and syslog(3).

              SeverityUser3=val, and
              SeverityUser4=val define the error levels for failures to verify
              the integrity of files/directories of the respective types. I.e.
              if such a file shows unexpected modifications, an error of level
              val will be generated, and  logged  to  all  facilities  with  a
              threshold of at least val.
              SeverityFiles=val sets the error level for file access problems,
              SeverityDirs=val for directory access problems.
              SeverityNames=val sets the error level for  obscure  file  names
              (e.g.  non-printable  characters),  and  for  files with invalid

              OpenCommand=path Start the definition  of  an  external  logging
              SetType=log|srv Type/purpose of program (log for logging).
              SetCommandline=list Command line options.
              SetEnviron=KEY=val Environment for external program.
              SetChecksum=val Checksum of the external program (checked before
              SetCredentials=username User as who the program will run.
              SetFilterNot=list Words not allowed in message.
              SetFilterAnd=list Words required (ALL) in message.
              SetFilterOr=list Words required (at least one) in message.
              SetDeadtime=seconds Time between consecutive calls.

       [Utmp] Configuration for watching login/logout events.
              LoginCheckActive=0|1 Switch off/on login/logout reporting.
              LoginCheckInterval=val Interval  (seconds)  between  checks  for
              login/logout events.
              SeverityLogout=val  Severity  levels for logins, multiple logins
              by same user, and logouts.

              Configuration for detecting kernel rootkits.
              KernelCheckActive=0|1 Switch off/on checking of kernel  syscalls
              to detect kernel module rootkits.
              KernelCheckInterval=val Interval (seconds) between checks.
              SeverityKernel=val Severity level for clobbered kernel syscalls.
              KernelCheckIDT=0|1 Whether to check  the  interrrupt  descriptor
              KernelSystemCall=address   The   address  of  system_call  (grep
              system_call  Required after a kernel update.
              KernelProcRoot=address  The  address  of   proc_root   (grep   ’
              proc_root$’  Required after a kernel update.
              KernelProcRootIops=address         The         address        of
              proc_root_inode_operations   (grep    proc_root_inode_operations
      Required after a kernel update.
              KernelProcRootLookup=address  The  address  of  proc_root_lookup
              (grep proc_root_lookup   Required  after  a  kernel

              Settings for finding SUID/SGID files on disk.
              SuidCheckActive=0|1 Switch off/on the check.
                A directory (and its subdirectories)
                to exclude from the check. Only one directory can be specified
              this way.
              SuidCheckSchedule=schedule Crontab-like schedule for checks.
              SeveritySuidCheck=severity Severity for events.
              SuidCheckFps=fps Limit files per seconds for SUID check.
              SuidCheckNosuid=0|1  Check  filesystems   mounted   as   nosuid.
              Defaults to not.
              SuidCheckQuarantineFiles=0|1   Whether   to   quarantine  files.
              Defaults to not.
              SuidCheckQuarantineMethod=0|1|2 Quarantine method. Delete  =  1,
              remove  suid/sgid  flags  = 1, move to quarantine directory = 2.
              Defaults to 1 (remove suid/sgid flags).

              Configuration for checking mounts.
              MountCheckActive=0|1 Switch off/on this module.
                The interval between checks (default 300).
              SeverityMountMissing=severity Severity for  reports  on  missing
              SeverityOptionMissing=severity  Severity  for reports on missing
              mount options.
              CheckMount=path [mount_options]
              Mount point to check. Mount options  must  be  given  as  comma-
              separated  list,  separated  by a blank from the preceding mount

              Configuration  for  checking  paths  relative   to   user   home
              UserFilesActive=0|1 Switch off/on this module.
              UserFilesName=filename policy
              Files to check for under each $HOME. Allowed values for ’policy’
              are:  allignore,   attributes,   logfiles,   loggrow,   noignore
              (default), readonly, user0, user1, user2, user3, and user4.
              UserFilesCheckUids=uid_list  A  list  of  UIDs  where we want to
              check. The default is all. Ranges (e.g. 100-500) are allowed. If
              there  is  an  open  range (e.g.  1000-), it must be last in the

              Settings for finding hidden/fake,required processes on the local
              ProcessCheckActive=0|1 Switch off/on the check.
                The interval between checks (default 300).
              SeverityProcessCheck=severity   Severity   for  events  (default
              ProcessCheckMinPID=pid The minimum PID to check (default 0).
              ProcessCheckMaxPID=pid The maximum PID to check (default 32767).
              ProcessCheckPSPath=path  The path to ps (autodetected at compile
              ProcessCheckPSArg=argument The argument to ps  (autodetected  at
              compile time).  Must yield PID in first column.
              ProcessCheckExists=regular_expression  Check  for existence of a
              process matching the given regular expression.

              Settings for checking open ports on the local host.
              PortCheckActive=0|1 Switch off/on the check.
                The interval between checks (default 300).
              PortCheckUDP=yes|no Whether to check UPD ports as well  (default
              SeverityPortCheck=severity Severity for events (default crit).
              PortCheckInterface=ip_address Additional interface to check.
              PortCheckOptional=ip_address:list  Ports  that may, but need not
              be open. The ip_address is the one of the  interface,  the  list
              must  be  comma  or  whitespace  separated,  each  item  must be
              (port|service)/protocol, e.g. 22/tcp,nfs/tcp/nfs/udp.
              PortCheckRequired=ip_address:list Ports that are required to  be
              open.  The ip_address is the one of the interface, the list must
              be  comma  or  whitespace   separated,   each   item   must   be
              (port|service)/protocol, e.g. 22/tcp,nfs/tcp/nfs/udp.

              Settings for logging to a database.
              SetDBHost=db_host  Host  where  the  DB  server  runs  (default:
              localhost).  Should be a numeric IP address for PostgreSQL.
              SetDBName=db_name Name of the database (default: samhain).
              SetDBTable=db_table Name of the database table (default: log).
              SetDBUser=db_user Connect as this user (default: samhain).
              SetDBPassword=db_password Use this password (default: none).
              SetDBServerTstamp=true|false Log  server  timestamp  for  client
              messages (default: true).
              UsePersistent=true|false  Use  a persistent connection (default:

       [Misc] Daemon=no|yes Detach  from  controlling  terminal  to  become  a
              MessageHeader=format   Costom   format   for   message   header.
              Replacements: %F source file  name,  %L  source  file  line,  %S
              severity, %T timestamp, %C message class.
              VersionString=string  Set  version  string  to  include  in file
              signature database (along with hostname and date).
              SetReverseLookup=true|false If false, skip reverse lookups  when
              connecting to a host known by name rather than IP address.
              HideSetup=yes|no  Don’t  log  name  of  config/database files on
              SyslogFacility=facility Set the syslog facility to use.  Default
              is LOG_AUTHPRIV.
              MACType=HASH-TIGER|HMAC-TIGER Set type of message authentication
              code (HMAC).  Must be identical on client and server.
              SetLoopTime=val  Defines   the   interval   (in   seconds)   for
              SetConsole=device Set the console device (default /dev/console).
              MessageQueueActive=1|0 Whether to use a SysV IPC message  queue.
              PreludeMapToInfo=listofseverities  The  severities  (see section
              [Log]) that should be mapped to impact severity info in prelude.
              PreludeMapToLow=listofseverities  The  severities  (see  section
              [Log]) that should be mapped to impact severity low in  prelude.
              PreludeMapToMedium=listofseverities  The severities (see section
              [Log]) that should  be  mapped  to  impact  severity  medium  in
              PreludeMapToHigh=listofseverities  The  severities  (see section
              [Log]) that should be mapped to impact severity high in prelude.
              SetMailTime=val   defines  the  maximum  interval  (in  seconds)
              between succesive e-mail reports.  Mail might be empty if  there
              are no events to report.
              SetMailNum=val  defines  the maximum number of messages that are
              stored before e-mailing them.  Messages of highest priority  are
              always sent immediately.
              SetMailAddress=username@host  sets  the  recipient  address  for
              mailing.  No aliases should be used.  For security,  you  should
              prefer a numerical host address.
              SetMailRelay=server  sets the hostname for the mail relay server
              (if you need one).  If no relay server is given,  mail  is  sent
              directly  to the host given in the mail address, otherwise it is
              sent to the relay server, who should forward  it  to  the  given
              SetMailSubject=val defines a custom format for the subject of an
              email message.
              SetMailSender=val defines the sender for the ’From:’ field of  a
              SetMailFilterAnd=list  defines  a  list  of strings all of which
              must match a message, otherwise it will not be mailed.
              SetMailFilterOr=list defines a list of strings at least  one  of
              which must match a message, otherwise it will not be mailed.
              SetMailFilterNot=list  defines  a  list of strings none of which
              should match a message, otherwise it will not be mailed.
              SamhainPath=/path/to/binary sets the path to the samhain binary.
              If set, samhain will checksum its own binary both on startup and
              termination, and compare both.
              SetBindAddress=IP_address The  IP  address  (i.e.  interface  on
              multi-interface box) to use for outgoing connections.
              SetTimeServer=server sets the hostname for the time server.
              TrustedUser=name|uid  Add  a  user  to  the set of trusted users
              (root and the effective user are always trusted. You can add  up
              to 7 more users).
              SetLogfilePath=AUTO|/path Path to logfile (AUTO to tack hostname
              on compiled-in path).
              SetLockfilePath=AUTO|/path  Path  to  lockfile  (AUTO  to   tack
              hostname on compiled-in path).

       Standalone or client only
              SetNiceLevel=-19..19  Set scheduling priority during file check.
              SetIOLimit=bps Set IO limits (kilobytes  per  second)  for  file
              SetFilecheckTime=val  Defines  the interval (in seconds) between
              succesive file checks.
              FileCheckScheduleOne=schedule  Crontab-like  schedule  for  file
              checks. If used, SetFilecheckTime is ignored.
              UseHardlinkCheck=yes|no Compare number of hardlinks to number of
              subdirectories for directories.
              HardlinkOffset=N:/path  Exception  (use   multiple   times   for
              multiple  exceptions). N is offset (actual - expected hardlinks)
              for /path.
              AddOKChars=N1,N2,..  List of  additional  acceptable  characters
              (byte value(s)) for the check for weird filenames. Nn may be hex
              (leading ’0x’: 0xNN), octal (leading zero:  0NNN),  or  decimal.
              Use all for all.
              FilenamesAreUTF8=yes|no  Whether  filenames  are  UTF-8  encoded
              (defaults to no). If yes,  filenames  are  checked  for  invalid
              UTF-8 encoding and for ending in invisible characters.
              IgnoreAdded=path_regex   Ignore   if   this   file/directory  is
              IgnoreMissing=path_regex  Ignore  if  this   file/directory   is
              ReportOnlyOnce=yes|no  Report  only  once  on  a  modified  file
              (default yes).
              ReportFullDetail=yes|no Report in full detail on modified  files
              (not only modified items).
              UseLocalTime=yes|no  Report file timestamps in local time rather
              than GMT (default no).  Do not use this with Beltane.
              ChecksumTest={init|update|check|none}   defines    whether    to
              initialize/update  the  database or verify files against it.  If
              ’none’, you should supply the required  option  on  the  command
              SetPrelinkPath=path  Path  of  the  prelink  executable (default
              SetPrelinkChecksum=checksum TIGER192  checksum  of  the  prelink
              executable (no default).
              SetLogServer=server sets the hostname for the log server.
              SetServerPort=portnumber  sets the port on the server to connect
              SetDatabasePath=AUTO|/path  Path  to  database  (AUTO  to   tack
              hostname on compiled-in path).
              DigestAlgo=SHA1|MD5  Use  SHA1  or  MD5  instead  of  the  TIGER
              checksum (default: TIGER192).
              RedefReadOnly=+/-XXX,+/-YYY,...  Add or subtract tests XXX  from
              the  ReadOnly  policy.   Tests  are:  CHK (checksum), TXT (store
              literal content), LNK (link), HLN (hardlink), INO  (inode),  USR
              (user),  GRP (group), MTM (mtime), ATM (atime), CTM (ctime), SIZ
              (size), RDEV (device numbers) and/or MOD (file mode).
              RedefAttributes=+/-XXX,+/-YYY,...  Add  or  subtract  tests  XXX
              from the Attributes policy.
              RedefLogFiles=+/-XXX,+/-YYY,...   Add or subtract tests XXX from
              the LogFiles policy.
              RedefGrowingLogFiles=+/-XXX,+/-YYY,...  Add  or  subtract  tests
              XXX from the GrowingLogFiles policy.
              RedefIgnoreAll=+/-XXX,+/-YYY,...  Add or subtract tests XXX from
              the IgnoreAll policy.
              RedefIgnoreNone=+/-XXX,+/-YYY,...  Add  or  subtract  tests  XXX
              from the IgnoreNone policy.
              RedefUser0=+/-XXX,+/-YYY,...  Add or subtract tests XXX from the
              User0 policy.
              RedefUser1=+/-XXX,+/-YYY,...  Add or subtract tests XXX from the
              User1 policy.
              RedefUser2=+/-XXX,+/-YYY,...  Add or subtract tests XXX from the
              User2 policy.
              RedefUser3=+/-XXX,+/-YYY,...  Add or subtract tests XXX from the
              User3 policy.
              RedefUser4=+/-XXX,+/-YYY,...  Add or subtract tests XXX from the
              User4 policy.

       Server Only
              SetUseSocket=yes|no If unset, do not open  the  command  socket.
              The default is no.
              SetSocketAllowUid=UID  Which  user  can  connect  to the command
              socket. The default is 0 (root).
              SetSocketPassword=password Password (max. 14 chars, no ’@’)  for
              password-based authentication on the command socket (only if the
              OS does not support passing credentials via sockets).
              SetChrootDir=path  If  set,  chroot  to  this  directory   after
              SetStripDomain=yes|no  Whether  to  strip  the  domain  from the
              client hostname when logging client messages (default: yes).
              SetClientFromAccept=true|false If true, use  client  address  as
              known to the communication layer. Else (default) use client name
              as claimed by the client, try  to  verify  against  the  address
              known  to  the  communication  layer, and accept (with a warning
              message) even if this fails.
              UseClientSeverity=yes|no Use the severity of client messages.
              UseClientClass=yes|no Use the class of client messages.
              SetServerPort=number The port that the  server  should  use  for
              listening (default is 49777).
              SetServerInterface=IPaddress  The  IP address (i.e. interface on
              multi-interface box) that the server should  use  for  listening
              (default is all). Use INADDR_ANY to reset to all.
              SeverityLookup=severity   Severity  of  the  message  on  client
              address != socket peer.
              UseSeparateLogs=true|false  If  true,  messages  from  different
              clients  will  be  logged to separate log files (the name of the
              client will be appended to the name of  the  main  log  file  to
              construct the logfile name).
              SetClientTimeLimit=seconds   The  maximum  time  between  client
              messages. If exceeded, a warning will be issued (the default  is
              86400 sec = 1 day).
              SetUDPActive=yes|no   yule   1.2.8+:   Also  listen  on  514/udp

              This section is only relevant if samhain is run as a log  server
              for clients running on another (or the same) machine.
              Client=hostname@salt@verifier   registers   a   client  at  host
              hostname (fully qualified hostname required) for access  to  the
              log  server.   Log entries from unregistered clients will not be
              accepted.  To generate a salt and  a  valid  verifier,  use  the
              command  samhain  -P password, where password is the password of
              the client. A simple utility program samhain_setpwd is  provided
              to  re-set  the  compiled-in  default  password  of  the  client
              executable to a user-defined value.

       [EOF]  An optional end marker. Everything below is ignored.




       Rainer Wichmann (


       If  you  find  a  bug  in  samhain,  please  send  electronic  mail  to   Please  include  your  operating system and its
       revision, the version of samhain, what C compiler you used  to  compile
       it, your ’configure’ options, and anything else you deem helpful.


       Copyright (©) 2000, 2004, 2005 Rainer Wichmann

       Permission  is  granted  to make and distribute verbatim copies of this
       manual page provided the copyright notice and  this  permission  notice
       are preserved on all copies.

       Permission  is granted to copy and distribute modified versions of this
       manual page under the conditions for verbatim  copying,  provided  that
       the  entire  resulting derived work is distributed under the terms of a
       permission notice identical to this one.

                                 Jul 29, 2004