Section heading:
[Misc]

Entries:

Daemon=boolean — Whether to become a daemon (default: no).

MessageHeader="%S %T " — Specify a custom format for the message header. The following placeholders are supported: %S for the message severity, %T for the timestamp, %C for the message class, %F for the source file, %L for the source line number, and %E for the status (might provide additional information in case of internal errors).

VersionString=string — Set the version string to include in the file signature database (along with hostname and date).

SetReverseLookup=boolean — If false, skip reverse lookups when connecting to a host known by name rather than IP address.

AvoidBlock=boolean — Run stat/lstat system calls in a subprocess so that a flaky NFS mount cannot block the process (defaults to off for the server, on for the client/standalone executable, except off for Cygwin/Windows).

HideSetup=boolean — Don't log the names of config/database files on startup.

SyslogFacility=LOG_xxx — Set the syslog facility (default is LOG_AUTHPRIV).

SyslogMapStampTo=LOG_xxx — Set the syslog priority for heartbeat messages (timestamps). Default is LOG_ERR.

MACType=HASH-TIGER/HMAC-TIGER — Set the type of message authentication code (HMAC). Must be identical on client and server.

SetLoopTime=seconds — Interval between timestamp messages (60).

SetConsole=device — Set the console device (/dev/console).

SetReportFile=path — Set the path for file check reports (none). Can be an absolute path or 'none' to disable. Format is lines comprised of a timestamp string followed by the number of seconds since the Epoch followed by six integers: bytes hashed, dirs checked, files checked, files reported, errors, files that should be but aren't directories.
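The report-file format just described is simple enough to parse with a few lines, and a parser makes it easy to pull the runs worth a second look (files reported, errors, or paths that should have been directories) out of a long history. The following is an added example and not samhain's own code: it assumes the last seven whitespace-separated fields of a line are the epoch seconds and the six counters in the order listed above, and treats whatever precedes them as the timestamp string, so it does not depend on the exact timestamp layout. The sample lines are constructed, not real samhain output.

```python
"""Parser for samhain file-check report lines (SetReportFile=).

Added example; not part of samhain. Assumes each line ends with seven
integer fields (epoch seconds + six counters) and that everything before
them is the timestamp string.
"""

from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class CheckReport:
    timestamp: str
    epoch: int
    bytes_hashed: int
    dirs_checked: int
    files_checked: int
    files_reported: int
    errors: int
    non_directories: int   # files that should be, but aren't, directories


def parse_report_line(line: str) -> CheckReport:
    """Parse one report line, splitting from the right so the timestamp
    string may contain spaces without confusing the numeric fields."""
    parts = line.split()
    if len(parts) < 8:
        raise ValueError(f"report line has too few fields: {line!r}")
    numeric, timestamp = parts[-7:], " ".join(parts[:-7])
    try:
        values = [int(tok) for tok in numeric]
    except ValueError as exc:
        raise ValueError(f"non-integer field in report line: {line!r}") from exc
    if any(v < 0 for v in values):
        raise ValueError(f"negative counter in report line: {line!r}")
    epoch, counters = values[0], values[1:]
    return CheckReport(timestamp, epoch, *counters)


def parse_report_file(lines: Iterable[str]) -> List[CheckReport]:
    """Parse all non-empty lines; a malformed line aborts the run."""
    return [parse_report_line(ln) for ln in lines if ln.strip()]


def noteworthy(reports: Iterable[CheckReport]) -> List[CheckReport]:
    """Runs a reviewer should look at first: anything reported, any error,
    or any path that was expected to be a directory but is not."""
    return [r for r in reports
            if r.files_reported or r.errors or r.non_directories]


# Constructed sample data (not real samhain output).
SAMPLE_REPORT = """\
[2024-05-01T02:00:00] 1714528800 5242880 120 3400 0 0 0
[2024-05-01T02:10:00] 1714529400 5242880 120 3401 1 0 0
[2024-05-01T02:20:00] 1714530000 5242880 119 3398 0 2 1
"""

if __name__ == "__main__":
    for r in noteworthy(parse_report_file(SAMPLE_REPORT.splitlines())):
        print(f"{r.timestamp}: reported={r.files_reported} "
              f"errors={r.errors} non_dirs={r.non_directories}")
```

Run it against a real report file with `parse_report_file(open(path))`; because counters are parsed as integers, the same structure can feed a time-series check (e.g. a sudden drop in dirs checked between runs) without further conversion.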
SetReportGroup=group — Set the unix group (numeric or name, defaults to 0) for the file check reports.

SetSigtrapMaxDuration=microseconds — This directive allows you to configure the timeout for handling the sigtrap signal in the antidebug code (enabled with the --enable-ptrace configure option) (500000, equal to 500ms). Set to a higher value if the antidebug handler is triggered under high load. Note that for security, you can set this value only once while the daemon runs.

MessageQueueActive=boolean — Use SysV IPC message queue (false).

PreludeMapToInfo=list of samhain severities — The severities that should be mapped to impact severity 'info' in prelude reports (default: none). This option is only available with libprelude 0.9.

PreludeMapToLow=list of samhain severities — The severities that should be mapped to impact severity 'low' in prelude reports (default: none). This option is only available with libprelude 0.9.

PreludeMapToMedium=list of samhain severities — The severities that should be mapped to impact severity 'medium' in prelude reports (default: none). This option is only available with libprelude 0.9.

PreludeMapToHigh=list of samhain severities — The severities that should be mapped to impact severity 'high' in prelude reports (default: none). This option is only available with libprelude 0.9.

PreludeProfile=profile — Set the profile (sensor name) for use with the Prelude IDS. This option is only available with libprelude 0.9. Default is 'samhain' (prelude 0.9) or 'Samhain' (prelude 0.8).

SetMailAddress=recipient — Add a recipient e-mail address.

SetMailAlias=listname: username@hostname — Add a list of recipient e-mail addresses.

SetAddrSeverity=severity — Defines a severity threshold for an individual recipient (list). Must be a subset of the global MailSeverity setting. Applies to the last defined recipient (list).

SetMailFilterAnd=list — Defines a list of strings all of which must match a message, otherwise it will not be mailed. Applies to the last defined recipient (list).

SetMailFilterOr=list — Defines a list of strings at least one of which must match a message, otherwise it will not be mailed. Applies to the last defined recipient (list).

SetMailFilterNot=list — Defines a list of strings none of which should match a message, otherwise it will not be mailed. Applies to the last defined recipient (list).

CloseAddress — Explicitly closes the definition of a recipient (list).
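The recipient directives above (SetMailAddress, SetAddrSeverity, the three SetMailFilter* lists and CloseAddress) are order-dependent: each filter or severity directive attaches to the most recently opened recipient, and CloseAddress ends that definition. The following added example, which is not samhain's own parser or mail code, models that behaviour and the And/Or/Not filter semantics so that a configuration can be checked offline before it goes live. It assumes that filter lists are comma-separated plain strings matched as substrings of the message, that samhain's severities are ordered debug < info < notice < warn < mark < err < crit < alert, and that "must be a subset of the global MailSeverity setting" means a per-recipient threshold may be stricter than the global one but never looser. The configuration and messages are constructed samples.

```python
"""Per-recipient mail routing for the [Misc] recipient directives.

Added example; not samhain's code. Assumptions: comma-separated substring
filters, the severity ordering in SEVERITY_ORDER, and SetAddrSeverity
never looser than the global MailSeverity.
"""

from dataclasses import dataclass, field
from typing import List, Optional

# Assumed ordering of samhain severities, lowest first.
SEVERITY_ORDER = ["debug", "info", "notice", "warn", "mark", "err", "crit", "alert"]


def severity_rank(name: str) -> int:
    try:
        return SEVERITY_ORDER.index(name.lower())
    except ValueError:
        raise ValueError(f"unknown severity {name!r}") from None


@dataclass
class Recipient:
    address: str
    severity: Optional[str] = None          # SetAddrSeverity; None = use global
    filter_and: List[str] = field(default_factory=list)
    filter_or: List[str] = field(default_factory=list)
    filter_not: List[str] = field(default_factory=list)

    def accepts(self, message: str, severity: str, global_severity: str) -> bool:
        """True if this recipient should be mailed the message."""
        threshold = self.severity or global_severity
        # A per-recipient threshold must be a subset of MailSeverity.
        if severity_rank(threshold) < severity_rank(global_severity):
            raise ValueError(f"{self.address}: SetAddrSeverity looser than MailSeverity")
        if severity_rank(severity) < severity_rank(threshold):
            return False
        if self.filter_and and not all(s in message for s in self.filter_and):
            return False
        if self.filter_or and not any(s in message for s in self.filter_or):
            return False
        if any(s in message for s in self.filter_not):
            return False
        return True


def _split_list(value: str) -> List[str]:
    return [item.strip() for item in value.split(",") if item.strip()]


def parse_recipients(config_text: str) -> List[Recipient]:
    """Collect recipient definitions; a filter directive after CloseAddress
    (or before any SetMailAddress) has no recipient to attach to and is an error."""
    recipients: List[Recipient] = []
    current: Optional[Recipient] = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("["):
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "SetMailAddress":
            current = Recipient(address=value)
            recipients.append(current)
        elif key == "CloseAddress":
            current = None
        elif key in ("SetAddrSeverity", "SetMailFilterAnd",
                     "SetMailFilterOr", "SetMailFilterNot"):
            if current is None:
                raise ValueError(f"{key} without an open recipient definition")
            if key == "SetAddrSeverity":
                current.severity = value
            elif key == "SetMailFilterAnd":
                current.filter_and += _split_list(value)
            elif key == "SetMailFilterOr":
                current.filter_or += _split_list(value)
            else:
                current.filter_not += _split_list(value)
    return recipients


def route(message: str, severity: str, recipients: List[Recipient],
          global_severity: str) -> List[str]:
    """Addresses that would receive the message under the given filters."""
    return [r.address for r in recipients
            if r.accepts(message, severity, global_severity)]


# Constructed sample configuration (not from a real deployment).
SAMPLE_CONFIG = """\
[Misc]
SetMailAddress=oncall@example.invalid
SetAddrSeverity=crit
CloseAddress
SetMailAddress=audit@example.invalid
SetMailFilterOr=/etc/, /usr/sbin/
SetMailFilterNot=/etc/resolv.conf
CloseAddress
"""

if __name__ == "__main__":
    recips = parse_recipients(SAMPLE_CONFIG)
    print(route("file modified: /etc/passwd", "crit", recips, "warn"))
```

The raise in `accepts` for a looser per-recipient threshold is deliberate: it surfaces a misconfiguration at load time rather than silently widening what a recipient receives.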
SetMailTime=seconds — Maximum time interval between mail messages (86400 sec).

SetMailNum=0 -- 16383 — Maximum number of pending mails on the internal queue (10).

SetMailRelay=IP address — The mail relay (for offsite mail; default: none).

MailSubject=string — Custom format for the e-mail subject (none).

SetMailSender=string — Sender for the 'From:' field.

SetMailPort=port number — Port number to use for SMTP (default: 25).

SamhainPath=path — The path of the process image.

SetBindAddress=IP address — The IP address (i.e. interface on a multi-interface box) to use for outgoing connections (e.g. e-mail).

SetTimeServer=IP address — The time server. Note that the simple 'time' service (port 37/tcp) is used.

TrustedUser=username(,username,..) — List of additional trusted users.

SetLogfilePath=AUTO or /path — Path to log file (AUTO to tack the hostname onto the compiled-in path).

SetLockfilePath=AUTO or /path — Path to lock file (AUTO to tack the hostname onto the compiled-in path).

The following options are only relevant for standalone or client executables:

SetNiceLevel=-19..19 — Set scheduling priority during file check (see 'man nice').

SetIOLimit=bps — Set IO limits (kilobytes per second) for file check.

SetDropCache=boolean — Drop checksummed files from the cache (unless they were cached before). Defaults to false for performance reasons.

ReportCheckflags=boolean — Report the checking policy (check flags) for new files, and if changed also for changed files (defaults to no). Added in version 4.0.

StartupLoadDelay=seconds — At startup, delay the download of the baseline database from the server for the given time span (default is no delay).

SetDeltaRetryCount=integer — The number of times the client will retry to download a delta database from the server after the initial attempt has failed (default is 0, i.e. do not retry).

SetDeltaRetryInterval=seconds — The interval between successive tries to download a delta database (default is 60 seconds).

SetFilecheckTime=seconds — Interval between file checks (600).

FileCheckScheduleOne=schedule — Crontab-like schedule for file checks.

UseRsrcCheck=boolean — Check the ..namedfork/rsrc file on Mac OS X (defaults to no since this mechanism is deprecated by Apple).

UseHardlinkCheck=boolean — Compare the number of hardlinks to the number of subdirectories for directories.

HardlinkOffset=N:/path — Exception (use multiple times for multiple exceptions). N is the offset (actual - expected hardlinks) for /path.

AddOKChars=N1, N2, .. — List of acceptable characters (byte value(s)) for the check for weird filenames. Nn may be hex (leading '0x': 0xNN), octal (leading zero: 0NNN), or decimal. Use 'all' for all.

FilenamesAreUTF8=boolean — If set, samhain will check for invalid UTF-8 encoding and for filenames ending in invisible characters.
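AddOKChars and FilenamesAreUTF8 together define what the "weird filename" check tolerates. The following added example, which is not samhain's implementation, shows the three numeric notations AddOKChars accepts being parsed into one byte set and a checker that applies the two rules the manual names: bytes outside printable ASCII that are not whitelisted, and (with FilenamesAreUTF8) invalid UTF-8 or a name ending in an invisible character. The exact heuristics samhain uses are not spelled out on this page, so the definition of "invisible" (whitespace plus Unicode control, format and separator categories) is an assumption; the sample names are constructed.

```python
"""Weird-filename check modelled on AddOKChars= and FilenamesAreUTF8=.

Added example; not samhain's code. Assumed rules: a byte is weird when it
is outside 0x20..0x7e and not in the AddOKChars set; with UTF-8 enabled,
bytes >= 0x80 are accepted when the whole name is valid UTF-8, and a name
whose last code point is whitespace/control/format/separator is flagged.
"""

import unicodedata
from typing import List, Set, Union


def parse_ok_chars(value: str) -> Union[str, Set[int]]:
    """Parse an AddOKChars= value: hex (0xNN), octal (0NNN) or decimal
    entries, comma-separated; or the literal 'all'."""
    value = value.strip()
    if value.lower() == "all":
        return "all"
    ok: Set[int] = set()
    for tok in (t.strip() for t in value.split(",") if t.strip()):
        if tok.lower().startswith("0x"):
            n = int(tok, 16)
        elif len(tok) > 1 and tok.startswith("0"):
            n = int(tok, 8)          # leading zero: octal
        else:
            n = int(tok, 10)
        if not 0 <= n <= 255:
            raise ValueError(f"AddOKChars entry out of byte range: {tok}")
        ok.add(n)
    return ok


def _invisible(ch: str) -> bool:
    # Trailing space, NBSP, zero-width space, control characters, etc.
    return ch.isspace() or unicodedata.category(ch) in ("Cc", "Cf", "Zs", "Zl", "Zp")


def check_filename(name: bytes, ok_chars: Union[str, Set[int]],
                   utf8: bool = False) -> List[str]:
    """Return findings for a raw (bytes) filename; an empty list means clean."""
    findings: List[str] = []
    ok_set = set(range(256)) if ok_chars == "all" else ok_chars
    text = None
    if utf8:
        try:
            text = name.decode("utf-8", errors="strict")
        except UnicodeDecodeError:
            findings.append("invalid UTF-8 encoding")
    for b in name:
        if b in ok_set or 0x20 <= b <= 0x7E:
            continue
        if utf8 and b >= 0x80 and text is not None:
            continue                 # part of a valid UTF-8 sequence
        findings.append(f"weird byte 0x{b:02x}")
    if text is not None and text and _invisible(text[-1]):
        findings.append("filename ends in invisible character")
    return findings


# Constructed sample names (not taken from a real file system).
SAMPLES = [
    b"report.txt",
    b"backup\x08.tar",          # embedded backspace
    b"notes\xc3\xa9.txt",       # 'e-acute' as valid UTF-8
    b"config\xe9.cfg",          # lone Latin-1 byte: invalid UTF-8
    b"run.sh\xe2\x80\x8b",      # trailing zero-width space
    b"run.sh ",                 # trailing ASCII space
]

if __name__ == "__main__":
    ok = parse_ok_chars("0x09, 011, 9")   # tab, written three ways
    for n in SAMPLES:
        print(n, check_filename(n, ok, utf8=True))
```

Note that with `utf8=False` the two non-ASCII names are reported byte by byte, which is what a site that has not enabled FilenamesAreUTF8 should expect to see for accented filenames.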
IgnoreAdded=path_regex — Ignore if this file/directory is added/created. The path_regex argument has to start with a forward slash and has to match the full path.

IgnoreMissing=path_regex — Ignore if this file/directory is missing/deleted. The path_regex argument has to start with a forward slash and has to match the full path.

IgnoreModified=path_regex — Ignore if this file/directory is modified (3.0.11+, useful for transient files that get modified during their lifetime). The path_regex argument has to start with a forward slash and has to match the full path.

LooseDirCheck=boolean — Ignore changes of directory inodes if nothing but size and timestamps have changed.

SetAuditdFlags=r|w|x|a — Set the flags on which audit rules will trigger (defaults to wa [=write|change attributes]).

SkipChecksum=list of conditions — Skip checksumming if the listed conditions hold true.

FileType=definition — User-defined file type specification (to be used for the SkipChecksum=... command).

ReportOnlyOnce=boolean — Report only once on a modified file (yes).

ReportFullDetail=boolean — Report in full detail on modified files (no).

UseLocalTime=boolean — Report file timestamps in local time rather than GMT (no). Do not use this with Beltane.

ChecksumTest=none/init/update/check — The default action (default is none).

SetPrelinkPath=path — The path to the prelink binary (default is /usr/sbin/prelink).

SetPrelinkChecksum=checksum — The checksum of the prelink binary.

SetLogServer=IP address — The log server.

SetServerPort=port number — The port on the log server (defaults to the compiled-in port, which is 49777 unless redefined at compile time).

SetThrottle=milliseconds — An option to throttle the network throughput when downloading the database from the server. The allowed maximum of 1000 msec throttles to about 64 kB/sec; less is faster.

SetDatabasePath=AUTO or /path — Path to database (AUTO to tack the hostname onto the compiled-in path).

DigestAlgo=TIGER192/SHA1/MD5/SHA256 — Use SHA1, MD5, or SHA2-256 instead of the TIGER checksum (default: TIGER192).

RedefReadOnly=+XXX or -XXX — Add or subtract test XXX from the ReadOnly policy.

RedefAttributes=+XXX or -XXX — Add or subtract test XXX from the Attributes policy.

RedefLogFiles=+XXX or -XXX — Add or subtract test XXX from the LogFiles policy.

RedefGrowingLogFiles=-XXX or ~XXX — Add or subtract test XXX from the GrowingLogFiles policy.

RedefIgnoreAll=+XXX or -XXX — Add or subtract test XXX from the IgnoreAll policy.

RedefIgnoreNone=+XXX or -XXX — Add or subtract test XXX from the IgnoreNone policy.

RedefUser0=+XXX or -XXX — Add or subtract test XXX from the User0 policy.

RedefUser1=+XXX or -XXX — Add or subtract test XXX from the User1 policy.

RedefUser2=+XXX or -XXX — Add or subtract test XXX from the User2 policy.

RedefUser3=+XXX or -XXX — Add or subtract test XXX from the User3 policy.

RedefUser4=+XXX or -XXX — Add or subtract test XXX from the User4 policy.

UseAttributesCheck=boolean — Check file attributes on Linux file systems (default=yes).

UseACLCheck=boolean — Check ACL policies for files.

UseSelinuxCheck=boolean — Check SELinux attributes for files.

SetFullSilent=boolean — Also suppress informational messages during a silent file scan triggered by SIGTSTP.

The following options are only relevant for the server:

SetUseSocket=boolean — If unset, do not open the command socket (server only). This socket allows the server to be instructed to transmit commands to clients as soon as they next connect to the server.

SetSocketAllowUid=UID — Which user can connect to the command socket. The default is 0 (root).

SetSocketPassword=password — Password (max. 14 chars, no '@') for password-based authentication on the command socket (only if the OS does not support passing credentials via sockets).

SetChrootDir=path — If set, chroot to this directory (server only).

SetStripDomain=boolean — Whether to strip the domain from the client hostname when logging client messages (server only; default: yes).

SetClientFromAccept=boolean — If true, use the client address as known to the communication layer. Else (default) use the client name as claimed by the client, try to verify it against the address known to the communication layer, and accept (with a warning message) even if this fails.

UseClientSeverity=boolean — If set to 'yes', don't assign a special severity (priority) to client messages.

UseClientClass=boolean — If set to 'yes', don't assign a special class to client messages.

SetServerPort=port number — The port that the server should use for listening (default is 49777).

SetServerInterface=IP address — The IP address (i.e. interface on a multi-interface box) that the server should use for listening (default is all). Use INADDR_ANY to reset to all.

SeverityLookup=severity — Severity for name lookup errors when verifying (on the server side) that the socket peer matches the hostname claimed by the client. See the preceding option.
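The interplay of SetClientFromAccept, SetStripDomain and SeverityLookup decides which name the server logs a client's messages under, and how loudly a mismatch is reported. The following added example, not yule's own code, walks through that decision: with SetClientFromAccept the identity comes from the communication layer and the client's claim is ignored; otherwise the claimed name is resolved, a lookup failure is reported at the SeverityLookup level, and a name that resolves but not to the peer address is accepted with a warning, exactly as the option descriptions state. The resolver is injected as a callable so the example runs offline; `FAKE_DNS` and the addresses are constructed, and the choice to log the raw peer address when SetClientFromAccept is set is an assumption.

```python
"""Server-side client identification (SetClientFromAccept / SetStripDomain /
SeverityLookup).

Added example; not yule's code. The resolver is passed in so the logic can
be exercised without DNS; FAKE_DNS below is constructed.
"""

from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

Resolver = Callable[[str], List[str]]      # hostname -> list of addresses


@dataclass(frozen=True)
class ClientIdentity:
    name: str                    # name the server logs messages under
    verified: bool               # claimed name resolved to the peer address
    message: Optional[str] = None
    severity: Optional[str] = None


def identify_client(claimed_name: str, peer_addr: str, resolve: Resolver,
                    client_from_accept: bool = False,
                    severity_lookup: str = "err",
                    strip_domain: bool = True) -> ClientIdentity:
    """Decide the logged client name and any message the server would emit."""
    if client_from_accept:
        # Identity comes from the communication layer; the claim is ignored.
        return ClientIdentity(name=peer_addr, verified=True)
    logged = claimed_name.split(".", 1)[0] if strip_domain else claimed_name
    try:
        addrs = resolve(claimed_name)
    except OSError as exc:
        # Lookup error: reported at the SeverityLookup level, still accepted.
        return ClientIdentity(logged, False,
                              f"name lookup for {claimed_name!r} failed: {exc}",
                              severity_lookup)
    if peer_addr in addrs:
        return ClientIdentity(logged, True)
    # Resolved, but not to the socket peer: accepted with a warning.
    return ClientIdentity(logged, False,
                          f"peer {peer_addr} is not an address of claimed host "
                          f"{claimed_name!r}; accepting anyway", "warn")


# Constructed lookup table standing in for DNS.
FAKE_DNS: Dict[str, List[str]] = {
    "web1.example.invalid": ["192.0.2.10"],
    "db1.example.invalid": ["192.0.2.20", "192.0.2.21"],
}


def fake_resolve(host: str) -> List[str]:
    try:
        return FAKE_DNS[host]
    except KeyError:
        raise OSError(f"no such host: {host}") from None


if __name__ == "__main__":
    for claim, peer in [("web1.example.invalid", "192.0.2.10"),
                        ("web1.example.invalid", "198.51.100.7"),
                        ("ghost.example.invalid", "198.51.100.7")]:
        print(identify_client(claim, peer, fake_resolve))
```

Because the default path accepts the client's claim even on mismatch, the `verified` flag and the warning are what an operator reviewing server logs should key on; setting SetClientFromAccept removes the dependence on the claim altogether.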
UseSeparateLogs=boolean — If true, messages from different clients will be logged to separate log files (the name of the client will be appended to the name of the main log file to construct the logfile name). Default: false.

SetClientTimeLimit=seconds — Maximum time limit until the next client message (server-only). If no message is received from a client within that limit, the respective client will be reported as dead.

SetConnectionTimeout=seconds — Timeout after which a currently active connection to a client will be closed by the server (900 seconds). The purpose of this timeout is to prevent bad clients from hogging server resources.

SetUDPActive=boolean — yule 1.2.8+: Listen on 514/udp (syslog). Default: false.

Remarks: (i) root and the effective user are always trusted. (ii) If no time server is given, the local host clock is used. (iii) If the path of the process image is given, the process image will be checksummed at startup and exit, and both checksums compared.