Configuration — Basic

The configuration file for samhain is named samhainrc by default. Also by default, it is placed in /etc. (Name and location is configurable at compile time). The distribution package comes with a commented sample configuration file. The layout of the configuration file is described in more details in the Section called General in the appendix called List of configuration file options.

Definitions

Events (e.g. unauthorized modifications of files monitored by samhain) will generate messages of some severity. These messages will be logged to all logging facilities, whose threshold is equal to, or lower than, the severity of the message.

Severity levels

The following severity levels are defined:

Most events (e.g. timestamps, internal errors, program startup/exit) have fixed severities. The following events have configurable severities:

Severity levels for events (see the Section called Severity levels>) are set in the EventSeverity and (for login/logout events) the Utmp sections of the configuration file.

In the configuration file, these can be set as follows:

  [EventSeverity]  
  #  
  # these are policies (see the Section called Monitoring policies in the chapter called Configuration — samhain, the file monitor>) 
  # 
  SeverityReadOnly=crit 
  SeverityLogFiles=crit
  SeverityGrowingLogs=warn 
  SeverityIgnoreNone=crit 
  SeverityIgnoreAll=info 
  #  
  # these are access errors 
  # 
  SeverityFiles=err 
  SeverityDirs=err 
  #  
  # these are obscure file names 
  # and/or invalid UIDs/GIDs (no such user/group) 
  # 
  SeverityNames=info 
  #  
  # This is the section for login/logout monitoring 
  # 
  [Utmp]  
  SeverityLogin=notice
  SeverityLogout=notice 
  # multiple logins by same user 
  SeverityLoginMulti=err 

Thresholds and Classes — Activating logging facilities and filtering messages

All messages have a severity (see the Section called Severity levels>) and a class (see the Section called Classes>), with somewhat orthogonal meaning:

The severity ranks messages with respect to their importance. Most events (e.g. timestamps, internal errors, program startup/exit) have fixed severities. However, as importance sometimes is a matter of taste, some events have configurable severities (see the Section called Definitions>).

Classes refer to the purpose/category of a message. As such, they should (ideally) be useful to exclude messages that are not interesting in some context (e.g. startup/stop messages may seem useless noise if samhain is run from cron).

Obviously, as severity is a rank, the most natural way to exclude unwanted messages is to set a threshold. On the other hand, as the message class is a category, the most natural way to exclude messages is to list those message classes that you want.

Messages are only logged to a log facility if their severity is at least as high as the threshold of that facility, and their class is one of those wanted (by default: all). Thresholds and class lists can be specified individually for each facility.

WarningCAVEAT
 

Most log facilities are off by default.

TipTIP
 

A threshold of none switches off the respective facility.

TipTIP (server only)
 

By default, messages received by the server are treated specially, and are always logged to the logfile, and never to mail or syslog. If you don't like that, use the option UseClientSeverity=yes (section [Misc]).

Thresholds and class lists are set in the Log section of the configuration file. For each threshold option FacilitySeverity there is also a corresponding option FacilityClass to limit that facility to messages within a given set of class. The argument must be a list of valid message classes, separated by space or comma.

System calls: certain system calls (execve, utime, unlink, dup (+ dup2), chdir, open, kill, exit (+ _exit), fork, setuid, setgid, pipe) can be logged (only to console and syslog). You can determine the set of system calls to log via the option LogCalls=call1, call2, .... By default, this is off (nothing is logged). The priority is notice, and the class is AUD.

Example:

  [Log]  
  #  
  # Threshold for E-mails (none = switched off)
  # 
  MailSeverity=none  
  #  
  # Threshold for log file 
  # 
  LogSeverity=err 
  LogClass=RUN FIL STAMP 
  #  
  # Threshold for console 
  # 
  PrintSeverity=info
  #  
  # Threshold for syslog (none = switched off)
  # 
  SyslogSeverity=none 
  #  
  # Threshold for logging to Prelude (none = switched off)
  # 
  PreludeSeverity=none 
  #  
  # Threshold for forwarding to the log server
  # 
  ExportSeverity=crit 
  #  
  # Threshold for invoking an external program
  # 
  ExternalSeverity=crit
  #  
  # Threshold for logging to a SQL database
  # 
  DatabaseSeverity=err
  #  
  # System calls to log
  # 
  LogCalls=open, kill