13. Miscellaneous

Section heading:

[Misc]

Entries:

Daemon= boolean — Whether to become a daemon (default: no)

MessageHeader= "%S %T " — Specify custom format for message header. The following placeholders are supported: %S for the message severity, %T for the timestamp, %C for the message class, %F for the source file, %L for the source line number, and %E for the status (might provide additional information in case of internal errors).

VersionString= string — Set version string to include in file signature database (along with hostname and date).

SetReverseLookup= boolean — If false, skip reverse lookups when connecting to a host known by name rather than IP address.

AvoidBlock= boolean — Run stat/lstat system calls in a subprocess so that a hung or flaky NFS mount cannot block the main process (defaults to off for the server, on for the client/standalone executable, except off for Cygwin/Windows).

HideSetup= boolean — Don't log names of config/database files on startup.

SyslogFacility= LOG_xxx — Set syslog facility (default is LOG_AUTHPRIV).

SyslogMapStampTo= LOG_xxx — Set syslog priority for heartbeat messages (timestamps). Default is LOG_ERR.

MACType= HASH-TIGER/HMAC-TIGER — Set the type of message authentication code used to protect client/server messages. Must be identical on client and server, otherwise the two sides cannot authenticate each other's messages.

SetLoopTime= seconds — Interval between timestamp messages (60).

SetConsole= device — Set the console device (/dev/console).

SetReportFile= path — Set the path for file check reports (default: none). Can be an absolute path, or 'none' to disable. Each report line consists of a timestamp string, the number of seconds since the Epoch, and six integers: bytes hashed, directories checked, files checked, files reported, errors, and entries that should be directories but are not.
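The report format above is simple enough to feed into monitoring, and a practitioner usually wants more from it than a pretty-print: a run that silently hashed far fewer files than the previous one (a missing mount, a trimmed config) is as interesting as a run that reported modified files. The following is an added example, not Samhain's own code; it parses constructed sample lines in the layout described above (the last seven whitespace-separated fields are taken as the numbers, everything before them as the timestamp string) and flags the runs worth looking at. The 30% drop threshold is an arbitrary choice for illustration.

```python
from dataclasses import dataclass
from typing import List

@dataclass
class FileCheckReport:
    stamp: str            # timestamp string as written in the report file
    epoch: int            # seconds since the Epoch
    bytes_hashed: int
    dirs_checked: int
    files_checked: int
    files_reported: int
    errors: int
    nondir: int           # entries that should be directories but are not

def parse_report_line(line: str) -> FileCheckReport:
    parts = line.split()
    if len(parts) < 8:
        raise ValueError(f"malformed report line: {line!r}")
    # The last seven fields are numeric (epoch + six counters); whatever
    # precedes them is the timestamp string, however many words it has.
    stamp = " ".join(parts[:-7])
    nums = [int(p) for p in parts[-7:]]
    return FileCheckReport(stamp, *nums)

def parse_report(text: str) -> List[FileCheckReport]:
    return [parse_report_line(l) for l in text.splitlines() if l.strip()]

def anomalies(reports: List[FileCheckReport], drop_ratio: float = 0.3) -> List[str]:
    """Return human-readable findings for runs that need a second look."""
    out: List[str] = []
    prev = None
    for r in reports:
        if r.files_reported:
            out.append(f"{r.stamp}: {r.files_reported} files reported")
        if r.errors:
            out.append(f"{r.stamp}: {r.errors} errors")
        if r.nondir:
            out.append(f"{r.stamp}: {r.nondir} expected directories are not directories")
        # Coverage shrinking sharply between runs usually means a mount or a
        # config section went missing, which is a silent failure otherwise.
        if prev and prev.files_checked and r.files_checked < (1 - drop_ratio) * prev.files_checked:
            out.append(f"{r.stamp}: files checked dropped from {prev.files_checked} to {r.files_checked}")
        prev = r
    return out

# Constructed sample report lines (not real samhain output).
SAMPLE = """\
2024-03-01T02:00:07 1709258407 2147483648 120 4410 0 0 0
2024-03-02T02:00:05 1709344805 2151677952 120 4412 2 0 0
2024-03-03T02:00:09 1709431209 1073741824 58 2190 0 3 1
"""

if __name__ == "__main__":
    for finding in anomalies(parse_report(SAMPLE)):
        print(finding)
```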

SetReportGroup= group — Set the unix group (numeric or name, defaults to 0) for the file check reports.

SetSigtrapMaxDuration= microseconds — Configure the timeout for handling the SIGTRAP signal in the anti-debugging code (enabled with the --enable-ptrace configure option). Default is 500000, i.e. 500 ms. Set to a higher value if the anti-debugging handler is triggered under high load. Note that, for security reasons, this value can be set only once while the daemon runs.

MessageQueueActive= boolean — Use SysV IPC message queue (false).

PreludeMapToInfo= list of samhain severities — The severities that should be mapped to impact severity 'info' in prelude reports (default: none). This option is only available with libprelude 0.9.

PreludeMapToLow= list of samhain severities — The severities that should be mapped to impact severity 'low' in prelude reports (default: none). This option is only available with libprelude 0.9.

PreludeMapToMedium= list of samhain severities — The severities that should be mapped to impact severity 'medium' in prelude reports (default: none). This option is only available with libprelude 0.9.

PreludeMapToHigh= list of samhain severities — The severities that should be mapped to impact severity 'high' in prelude reports (default: none). This option is only available with libprelude 0.9.

PreludeProfile= profile — Set the profile (sensor name) for use with the Prelude IDS. This option is only available with libprelude 0.9. Default is 'samhain' (prelude 0.9) or 'Samhain' (prelude 0.8).

SetMailAddress= recipient — Add a recipient e-mail address.

SetMailAlias= listname: username@hostname — Add a named list of recipient e-mail addresses.

SetAddrSeverity= severity — Defines a severity threshold for an individual recipient (list). Must be a subset of the global MailSeverity setting. Applies to the last defined recipient (list).

SetMailFilterAnd= list — Defines a list of strings all of which must match a message, otherwise it will not be mailed. Applies to the last defined recipient (list).

SetMailFilterOr= list — Defines a list of strings at least one of which must match a message, otherwise it will not be mailed. Applies to the last defined recipient (list).

SetMailFilterNot= list — Defines a list of strings none of which should match a message, otherwise it will not be mailed. Applies to the last defined recipient (list).

CloseAddress — Explicitly closes the definition of a recipient (list).

SetMailTime= seconds — Maximum time interval between mail messages (86400 sec).

SetMailNum= 0..16383 — Maximum number of pending mails in the internal queue (10).

SetMailRelay= IP address — The mail relay (for offsite mail; default: none).

MailSubject= string — Custom format for the email subject (none).

SetMailSender= string — Sender for the 'From:' field.

SetMailPort= port number — Port number to use for SMTP (default: 25).

SamhainPath= path — The path of the process image.

SetBindAddress= IP address — The IP address (i.e. interface on multi-interface box) to use for outgoing connections (e.g. e-mail).

SetTimeServer= IP address — The time server. Note that the simple 'time' service (port 37/tcp) is used.

TrustedUser= username(,username,..) — List of additional trusted users.

SetLogfilePath= AUTO or /path — Path to log file (AUTO to tack hostname on compiled-in path).

SetLockfilePath= AUTO or /path — Path to lock file (AUTO to tack hostname on compiled-in path).

The following options are only relevant for standalone or client executables:

SetNiceLevel= -19..19 — Set scheduling priority during file check. — (see 'man nice').

SetIOLimit= kB/s — Limit I/O during the file check to the given number of kilobytes per second.

SetDropCache= boolean — Drop checksummed files from cache (unless they were cached before). Defaults to false for performance reasons.

ReportCheckflags= boolean — Report checking policy (check flags) for new files, and if changed also for changed files (defaults to no). Added in version 4.0.

StartupLoadDelay= seconds — At startup, delay the download of the baseline database from the server for the given time span (default is no delay).

SetDeltaRetryCount= integer — The number of times the client will retry to download a delta database from the server after the initial attempt has failed (default is 0, i.e. do not retry).

SetDeltaRetryInterval= seconds — The interval between successive tries to download a delta database (default is 60 seconds).

SetFilecheckTime= seconds — Interval between file checks (600).

FileCheckScheduleOne= schedule — Crontab-like schedule for file checks.

UseRsrcCheck= boolean — Check the ..namedfork/rsrc file on Mac OS X (defaults to no since this mechanism is deprecated by Apple).

UseHardlinkCheck= boolean — Compare number of hardlinks to number of subdirectories for directories.

HardlinkOffset= N: /path — Exception (use multiple times for multiple exceptions). N is offset (actual - expected hardlinks) for /path.

AddOKChars= N1, N2, .. — List of acceptable characters (byte value(s)) for the check for weird filenames. Nn may be hex (leading '0x': 0xNN), octal (leading zero: 0NNN), or decimal. Use 'all' for all.

FilenamesAreUTF8= boolean — If set, samhain will check for invalid UTF-8 encoding and for filenames ending in invisible characters.
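AddOKChars and FilenamesAreUTF8 together decide which filenames the weird-filename check reports. The following added example (not Samhain's own code) implements the two pieces the entries above describe: a parser for the AddOKChars value syntax (hex with a leading 0x, octal with a leading zero, decimal, or 'all'), and a check that treats control bytes as weird, treats bytes 0x80 and above as weird unless UTF-8 mode is on, and in UTF-8 mode instead rejects invalid encodings and names ending in an invisible character. Which bytes Samhain itself classifies as weird is an assumption here; the names below are constructed.

```python
import unicodedata
from typing import List, Set

def parse_ok_chars(value: str) -> Set[int]:
    """Parse an AddOKChars= value into the set of byte values it allows."""
    allowed: Set[int] = set()
    for tok in (t.strip() for t in value.split(",")):
        if not tok:
            continue
        if tok.lower() == "all":
            return set(range(256))
        if tok.lower().startswith("0x"):
            n = int(tok[2:], 16)            # hex: 0xNN
        elif len(tok) > 1 and tok.startswith("0"):
            n = int(tok[1:], 8)             # octal: leading zero
        else:
            n = int(tok, 10)                # decimal
        if not 0 <= n <= 255:
            raise ValueError(f"byte value out of range: {tok}")
        allowed.add(n)
    return allowed

def weird_bytes(name: bytes, allowed: Set[int], utf8: bool = False) -> List[str]:
    """Return the reasons a filename would be reported as weird, or [] if clean.

    Assumed classification: control bytes (0x00-0x1f, 0x7f) are weird; bytes
    0x80-0xff are weird unless utf8 is set, in which case they are judged by
    decoding instead. Bytes listed in `allowed` (AddOKChars) are never weird.
    """
    reasons: List[str] = []
    for b in name:
        control = b < 0x20 or b == 0x7f
        high = b >= 0x80 and not utf8
        if (control or high) and b not in allowed:
            reasons.append(f"byte 0x{b:02x} not allowed")
            break                             # report the first offending byte
    if utf8:
        try:
            text = name.decode("utf-8")
        except UnicodeDecodeError:
            reasons.append("invalid UTF-8")
            return reasons
        # Trailing spaces, zero-width and other format characters hide the
        # fact that "report.txt " is not "report.txt".
        if text and unicodedata.category(text[-1]) in ("Zs", "Cc", "Cf"):
            reasons.append("ends in invisible character")
    return reasons

if __name__ == "__main__":
    ok = parse_ok_chars("0x09, 0177, 160")
    for sample in (b"report.txt", b"evil\x1b[2Jfile", b"tab\there", b"caf\xe9"):
        print(sample, weird_bytes(sample, ok), weird_bytes(sample, ok, utf8=True))
```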

IgnoreAdded= path_regex — Ignore if this file/directory is added/created. The path_regex argument has to start with a forward slash and has to match the full path.

IgnoreMissing= path_regex — Ignore if this file/directory is missing/deleted. The path_regex argument has to start with a forward slash and has to match the full path.

IgnoreModified= path_regex — Ignore if this file/directory is modified (3.0.11+; useful for transient files that get modified during their lifetime). The path_regex argument has to start with a forward slash and has to match the full path.

LooseDirCheck= boolean — Ignore changes of directory inodes if nothing but size and timestamps have changed.

SetAuditdFlags= r|w|x|a — Set the flags on which audit rules will trigger (defaults to wa, i.e. write and attribute change).

SkipChecksum= list of conditions — Skip checksumming if the listed conditions hold true.

FileType= definition — User-defined file type specification (to be used for the SkipChecksum= ... command).

ReportOnlyOnce= boolean — Report only once on a modified file (yes).

ReportFullDetail= boolean — Report in full detail on modified files (no).

UseLocalTime= boolean — Report file timestamps in local time rather than GMT (no). Do not use this with Beltane.

ChecksumTest= none/init/update/check — The default action (default is none).

SetPrelinkPath= path — The path to the prelink binary (default is /usr/sbin/prelink).

SetPrelinkChecksum= checksum — The checksum of the prelink binary.

SetLogServer= IP address — The log server.

SetServerPort= port number — The port on the log server (defaults to the compiled-in port, which is 49777 unless redefined at compile time).

SetThrottle= milliseconds — An option to throttle the network throughput when downloading the database from the server. The allowed maximum of 1000 msec throttles to about 64 kB/sec, less is faster.

SetDatabasePath= AUTO or /path — Path to database (AUTO to tack hostname on compiled-in path).

DigestAlgo= TIGER192/SHA1/MD5/SHA256 — Use SHA1, MD5, or SHA2-256 instead of the TIGER checksum (default: TIGER192). MD5 and SHA1 are no longer collision resistant, so prefer TIGER192 or SHA256 for new deployments.

RedefReadOnly= +XXX or -XXX — Add or subtract test XXX from the ReadOnly policy.

RedefAttributes= +XXX or -XXX — Add or subtract test XXX from the Attributes policy.

RedefLogFiles= +XXX or -XXX — Add or subtract test XXX from the LogFiles policy.

RedefGrowingLogFiles= +XXX or -XXX — Add or subtract test XXX from the GrowingLogFiles policy.

RedefIgnoreAll= +XXX or -XXX — Add or subtract test XXX from the IgnoreAll policy.

RedefIgnoreNone= +XXX or -XXX — Add or subtract test XXX from the IgnoreNone policy.

RedefUser0= +XXX or -XXX — Add or subtract test XXX from the User0 policy.

RedefUser1= +XXX or -XXX — Add or subtract test XXX from the User1 policy.

RedefUser2= +XXX or -XXX — Add or subtract test XXX from the User2 policy.

RedefUser3= +XXX or -XXX — Add or subtract test XXX from the User3 policy.

RedefUser4= +XXX or -XXX — Add or subtract test XXX from the User4 policy.

UseACLCheck= boolean — Check ACL policies for files.

UseSelinuxCheck= boolean — Check SELINUX attributes for files.

SetFullSilent= boolean — Also suppress informational messages during silent file scan triggered by SIGTSTP.

The following options are only relevant for the server:

SetUseSocket= boolean — If unset, do not open the command socket (server only). Through this socket the server can be instructed to transmit commands to clients the next time they connect.

SetSocketAllowUid= UID — Which user can connect to the command socket. The default is 0 (root).

SetSocketPassword= password — Password (max. 14 chars, no '@') for password-based authentication on the command socket (only if the OS does not support passing credentials via sockets).

SetChrootDir= path — If set, chroot to this directory (server only).

SetStripDomain= boolean — Whether to strip the domain from the client hostname when logging client messages (server only; default: yes).

SetClientFromAccept= boolean — If true, use client address as known to the communication layer. Else (default) use client name as claimed by the client, try to verify against the address known to the communication layer, and accept (with a warning message) even if this fails.

UseClientSeverity= boolean — If set to 'yes', don't assign a special severity (priority) to client messages.

UseClientClass= boolean — If set to 'yes', don't assign a special class to client messages.

SetServerPort= port number — The port that the server should use for listening (default is 49777).

SetServerInterface= IP address — The IP address (i.e. interface on multi-interface box) that the server should use for listening (default is all). Use INADDR_ANY to reset to all.

SeverityLookup= severity — Severity for name lookup errors when verifying (on the server side) that the socket peer matches the hostname claimed by the client. See the preceding option.

UseSeparateLogs= boolean — If true, messages from different clients will be logged to separate log files (the name of the client will be appended to the name of the main log file to construct the logfile name). Default: false.

SetClientTimeLimit= seconds — Maximum time limit until next client message (server-only). If no message is received from a client within that limit, the respective client will be reported as dead.

SetConnectionTimeout= seconds — Timeout after which a currently active connection to a client will be closed by the server (900 seconds). This timeout has the purpose to prevent bad clients from hogging server resources.

SetUDPActive= boolean — yule 1.2.8+: Listen on 514/udp (syslog). Default: false.

Remarks: (i) root and the effective user are always trusted. (ii) If no time server is given, the local host clock is used. (iii) If the path of the process image is given, the process image will be checksummed at startup and exit, and both checksums compared.