Section heading:
[Misc]
Entries:
      Daemon=
      boolean — Whether
      to become a daemon (default: no)
      MessageHeader=
      "%S %T " — Specify
      custom format for message header. The following placeholders
      are supported: %S for the message severity, %T for the
      timestamp, %C for the message class, %F for the source file,
      %L for the source line number, and %E for the status (might
      provide additional information in case of internal
      errors).
      VersionString=
      string — Set
      version string to include in file signature database (along
      with hostname and date).
      SetReverseLookup=
      boolean — If
      false, skip reverse lookups when connecting to a host known
      by name rather than IP address.
      AvoidBlock=
      boolean — Run
      stat/lstat system calls in a subprocess so that a flaky
      NFS mount cannot block the process (defaults to off for the server,
      on for the client/standalone executable, except off for Cygwin/Windows).
      HideSetup=
      boolean — Don't
      log names of config/database files on startup.
      SyslogFacility=
      LOG_xxx — Set
      syslog facility (default is LOG_AUTHPRIV).
      SyslogMapStampTo=
      LOG_xxx — Set
      syslog priority for heartbeat messages (timestamps). Default
      is LOG_ERR.
      MACType=
      HASH-TIGER/HMAC-TIGER — Set
      type of message authentication code (HMAC). Must be identical
      on client and server.
      SetLoopTime=
      seconds — Interval
      between timestamp messages (60).
      SetConsole=
      device — Set the
      console device (/dev/console).
      SetReportFile=
      path — Set the
      path for file check reports (none). Can be an absolute path
      or 'none' to disable. Each line consists of a timestamp
      string, followed by the number of seconds since the Epoch,
      followed by six integers: bytes hashed, dirs checked,
      files checked, files reported, errors, files that should be
      but aren't directories.
      SetReportGroup=
      group — Set the
      unix group (numeric or name, defaults to 0) for the file
      check reports.
      SetSigtrapMaxDuration=
      microseconds —
      Configures the timeout for handling the sigtrap signal in
      the antidebug code (enabled with the
      --enable-ptrace configure option). Default is 500000,
      equal to 500ms. Set to a higher value if
      the antidebug handler is triggered under high load. Note that
      for security, you can set this value only once while the
      daemon runs.
      MessageQueueActive=
      boolean — Use SysV
      IPC message queue (false).
      PreludeMapToInfo=
      list of samhain
      severities — The severities
      that should be mapped to impact severity 'info' in prelude
      reports (default: none). This option is only available with
      libprelude 0.9.
      PreludeMapToLow=
      list of samhain
      severities — The severities
      that should be mapped to impact severity 'low' in prelude
      reports (default: none). This option is only available with
      libprelude 0.9.
      PreludeMapToMedium=
      list of samhain
      severities — The severities
      that should be mapped to impact severity 'medium' in prelude
      reports (default: none). This option is only available with
      libprelude 0.9.
      PreludeMapToHigh=
      list of samhain
      severities — The severities
      that should be mapped to impact severity 'high' in prelude
      reports (default: none). This option is only available with
      libprelude 0.9.
      PreludeProfile=
      profile — Set the
      profile (sensor name) for use with the Prelude IDS. This
      option is only available with libprelude 0.9. Default is
      'samhain' (prelude 0.9) or 'Samhain' (prelude 0.8).
      SetMailAddress=
      recipient — Add a
      recipient e-mail address.
      SetMailAlias=
      listname:
      username@hostname —
      Add a list of recipient e-mail addresses.
      SetAddrSeverity=
      severity — Defines
      a severity threshold for an individual recipient (list). Must
      be a subset of the global MailSeverity setting. Applies to
      the last defined recipient (list).
      SetMailFilterAnd=
      list — Defines a
      list of strings all of which must match a message, otherwise
      it will not be mailed. Applies to the last defined recipient
      (list).
      SetMailFilterOr=
      list — Defines a
      list of strings at least one of which must match a message,
      otherwise it will not be mailed. Applies to the last defined
      recipient (list).
      SetMailFilterNot=
      list — Defines a
      list of strings none of which should match a message,
      otherwise it will not be mailed. Applies to the last defined
      recipient (list).
CloseAddress — Explicitly closes the definition of a recipient (list).
      SetMailTime=
      seconds — Maximum
      time interval between mail messages (86400 sec).
      SetMailNum=
      0 -- 16383 —
      Maximum number of pending mails on internal queue
      (10).
      SetMailRelay=
      IP address — The
      mail relay (for offsite mail; default: none).
      MailSubject=
      string — Custom
      format for the email subject (none).
      SetMailSender=
      string — Sender
      for the 'From:' field.
      SetMailPort=
      port number — Port
      number to use for SMTP (default: 25).
      SamhainPath=
      path — The path of
      the process image.
      SetBindAddress=
      IP address — The
      IP address (i.e. interface on multi-interface box) to use for
      outgoing connections (e.g. e-mail).
      SetTimeServer=
      IP address — The
      time server. Note that the simple 'time' service (port
      37/tcp) is used.
      TrustedUser=
      username(,username,..)
      — List of additional trusted users.
      SetLogfilePath=
      AUTO or /path —
      Path to log file (AUTO to tack hostname on compiled-in
      path).
      SetLockfilePath=
      AUTO or /path —
      Path to lock file (AUTO to tack hostname on compiled-in
      path).
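A parser for the SetReportFile line format described above, as an added example that is not part of the Samhain documentation or code. It assumes the fields are whitespace-separated; the timestamp layout in the sample lines is constructed, and the check for a non-increasing Epoch value is an extra heuristic, not something Samhain defines.

```python
from typing import NamedTuple

class CheckReport(NamedTuple):
    timestamp: str        # human-readable timestamp string, kept verbatim
    epoch: int            # seconds since the Epoch
    bytes_hashed: int
    dirs_checked: int
    files_checked: int
    files_reported: int
    errors: int
    not_directories: int  # files that should be but aren't directories

def parse_report_line(line: str) -> CheckReport:
    """Parse one report line; the last seven fields must be integers."""
    parts = line.split()
    if len(parts) < 8:
        raise ValueError(f"too few fields: {line!r}")
    numbers = [int(p) for p in parts[-7:]]   # ValueError on a non-numeric field
    if min(numbers) < 0:
        raise ValueError(f"negative counter: {line!r}")
    return CheckReport(" ".join(parts[:-7]), *numbers)

def runs_needing_review(lines):
    """Return (report, reasons) for runs with findings or an odd time step."""
    flagged, previous = [], None
    for line in lines:
        if not line.strip():
            continue
        r = parse_report_line(line)
        reasons = [name for name in
                   ("files_reported", "errors", "not_directories") if getattr(r, name) > 0]
        if previous is not None and r.epoch <= previous:
            reasons.append("epoch_not_increasing")
        if reasons:
            flagged.append((r, reasons))
        previous = r.epoch
    return flagged

# Constructed sample lines (not real Samhain output).
SAMPLE = """\
[2024-05-01T02:00:07+0000] 1714528807 52428800 310 4100 0 0 0
[2024-05-01T02:10:09+0000] 1714529409 52430848 310 4101 2 0 0
[2024-05-01T02:05:00+0000] 1714529100 52430848 310 4101 0 1 0
"""
if __name__ == "__main__":
    for report, reasons in runs_needing_review(SAMPLE.splitlines()):
        print(report.timestamp, reasons)
```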
The following options are only relevant for standalone or client executables:
      SetNiceLevel=
      -19..19 — Set
      scheduling priority during file check (see 'man
      nice').
      SetIOLimit=
      bps — Set IO
      limits (kilobytes per second) for file check.
      SetDropCache=
      boolean — Drop
      checksummed files from cache (unless they were cached
      before). Defaults to false for performance reasons.
      ReportCheckflags=
      boolean — Report
      checking policy (check flags) for new files, and if
      changed also for changed files (defaults to no). Added in
      version 4.0.
      StartupLoadDelay=
      seconds — At
      startup, delay the download of the baseline database from the
      server for the given time span (default is no delay).
      SetDeltaRetryCount=
      integer — The
      number of times the client will retry downloading a delta
      database from the server after the initial attempt has failed
      (default is 0, i.e. do not retry).
      SetDeltaRetryInterval=
      seconds — The
      interval between successive tries to download a delta 
      database (default is 60 seconds).
      SetFilecheckTime=
      seconds — Interval
      between file checks (600).
      FileCheckScheduleOne=
      schedule —
      Crontab-like schedule for file checks.
      UseRsrcCheck=
      boolean — Check
      the ..namedfork/rsrc file on Mac OS X (defaults to no since
      this mechanism is deprecated by Apple).
      UseHardlinkCheck=
      boolean — Compare
      number of hardlinks to number of subdirectories for
      directories.
      HardlinkOffset=
      N:
      /path — Exception
      (use multiple times for multiple exceptions). N is the offset
      (actual - expected hardlinks) for /path.
      AddOKChars=
      N1, N2, .. — List
      of acceptable characters (byte value(s)) for the check for
      weird filenames. Nn may be hex (leading '0x': 0xNN), octal
      (leading zero: 0NNN), or decimal. Use 'all' for all.
      FilenamesAreUTF8=
      boolean — If set,
      samhain will check for invalid UTF-8 encoding and for
      filenames ending in invisible characters.
      IgnoreAdded=
      path_regex —
      Ignore if this file/directory is added/created.
      The path_regex argument has to start with a forward
      slash and has to match the full path.
      IgnoreMissing=
      path_regex —
      Ignore if this file/directory is missing/deleted.
      The path_regex argument has to start with a forward
      slash and has to match the full path.
      IgnoreModified=
      path_regex —
      Ignore if this file/directory is modified (3.0.11+, useful
      for transient files that get modified during their lifetime).
      The path_regex argument has to start with a forward
      slash and has to match the full path.
      LooseDirCheck=
      boolean — Ignore
      changes of directory inodes if nothing but size and
      timestamps have changed.
      SkipChecksum=
      list of conditions —
      Skip checksumming if the list of conditions holds
      true.
      FileType=
      definition —
      User-defined file type specification (to be used for the
      SkipChecksum=... command).
      ReportOnlyOnce=
      boolean — Report
      only once on a modified file (yes).
      ReportFullDetail=
      boolean — Report
      in full detail on modified files (no).
      UseLocalTime=
      boolean — Report
      file timestamps in local time rather than GMT (no). Do not
      use this with Beltane.
      ChecksumTest=
      none/init/update/check — The
      default action (default is none).
      SetPrelinkPath=
      path — The path to
      the prelink binary (default is /usr/sbin/prelink).
      SetPrelinkChecksum=
      checksum — The
      checksum of the prelink binary.
      SetLogServer=
      IP address — The
      log server.
      SetServerPort=
      port number — The
      port on the log server (defaults to the compiled-in port,
      which is 49777 unless redefined at compile time).
      SetThrottle=
      milliseconds — An
      option to throttle the network throughput when downloading
      the database from the server. The allowed maximum of 1000
      msec throttles to about 64 kB/sec, less is faster.
      SetDatabasePath=
      AUTO or /path —
      Path to database (AUTO to tack hostname on compiled-in
      path).
      DigestAlgo=
      TIGER192/SHA1/MD5/SHA256 — Use
      SHA1, MD5, or SHA2-256 instead of the TIGER checksum
      (default: TIGER192).
      RedefReadOnly=
      +XXX or -XXX — Add
      or subtract test XXX from the ReadOnly policy.
      RedefAttributes=
      +XXX or -XXX — Add
      or subtract test XXX from the Attributes policy.
      RedefLogFiles=
      +XXX or -XXX — Add
      or subtract test XXX from the LogFiles policy.
      RedefGrowingLogFiles=
      -XXX or ~XXX — Add
      or subtract test XXX from the GrowingLogFiles policy.
      RedefIgnoreAll=
      +XXX or -XXX — Add
      or subtract test XXX from the IgnoreAll policy.
      RedefIgnoreNone=
      +XXX or -XXX — Add
      or subtract test XXX from the IgnoreNone policy.
      RedefUser0=
      +XXX or -XXX — Add
      or subtract test XXX from the User0 policy.
      RedefUser1=
      +XXX or -XXX — Add
      or subtract test XXX from the User1 policy.
      RedefUser2=
      +XXX or -XXX — Add
      or subtract test XXX from the User2 policy.
      RedefUser3=
      +XXX or -XXX — Add
      or subtract test XXX from the User3 policy.
      RedefUser4=
      +XXX or -XXX — Add
      or subtract test XXX from the User4 policy.
      UseACLCheck=
      boolean — Check
      ACL policies for files.
      UseSelinuxCheck=
      boolean — Check
      SELINUX attributes for files.
      SetFullSilent=
      boolean — Also
      suppress informational messages during silent file scan
      triggered by SIGTSTP.
The following options are only relevant for the server:
      SetUseSocket=
      boolean — If
      unset, do not open the command socket (server only). This
      socket is used to instruct the server to transmit commands to
      clients the next time they connect to the
      server.
      SetSocketAllowUid=
      UID — Which user
      can connect to the command socket. The default is 0
      (root).
      SetSocketPassword=
      password —
      Password (max. 14 chars, no '@') for password-based
      authentication on the command socket (only if the OS does not
      support passing credentials via sockets).
      SetChrootDir=
      path — If set,
      chroot to this directory (server only).
      SetStripDomain=
      boolean — Whether
      to strip the domain from the client hostname when logging
      client messages (server only; default: yes).
      SetClientFromAccept=
      boolean — If true,
      use client address as known to the communication layer. Else
      (default) use client name as claimed by the client, try to
      verify against the address known to the communication layer,
      and accept (with a warning message) even if this
      fails.
      UseClientSeverity=
      boolean — If set
      to 'yes', don't assign a special severity (priority) to
      client messages.
      UseClientClass=
      boolean — If set
      to 'yes', don't assign a special class to client
      messages.
      SetServerPort=
      port number — The
      port that the server should use for listening (default is
      49777).
      SetServerInterface=
      IP address — The
      IP address (i.e. interface on multi-interface box) that the
      server should use for listening (default is all). Use
      INADDR_ANY to reset to all.
      SeverityLookup=
      severity —
      Severity for name lookup errors when verifying (on the server
      side) that the socket peer matches the hostname claimed by
      the client. See the preceding option.
      UseSeparateLogs=
      boolean — If true,
      messages from different clients will be logged to separate
      log files (the name of the client will be appended to the
      name of the main log file to construct the logfile name).
      Default: false.
      SetClientTimeLimit=
      seconds — Maximum
      time limit until next client message (server-only). If no
      message is received from a client within that limit, the
      respective client will be reported as dead.
      SetConnectionTimeout=
      seconds — Timeout
      after which a currently active connection to a client will be
      closed by the server (900 seconds). The purpose of this
      timeout is to prevent bad clients from hogging server
      resources.
      SetUDPActive=
      boolean — yule
      1.2.8+: Listen on 514/udp (syslog). Default: false.
Remarks: (i) root and the effective user are always trusted. (ii) If no time server is given, the local host clock is used. (iii) If the path of the process image is given, the process image will be checksummed at startup and exit, and both checksums compared.
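A small linter for the value constraints stated in the option list above, as an added example that is not part of the Samhain documentation or code. It assumes the configuration file uses `[Section]` headers, `Key=value` lines and `#` comments, that enumerated values are spelled exactly as listed here, and that 0 is the lower bound for SetThrottle; the sample configuration is constructed.

```python
import re

ENUMS = {"MACType": {"HASH-TIGER", "HMAC-TIGER"},
         "DigestAlgo": {"TIGER192", "SHA1", "MD5", "SHA256"},
         "ChecksumTest": {"none", "init", "update", "check"}}
RANGES = {"SetMailNum": (0, 16383), "SetNiceLevel": (-19, 19),
          "SetThrottle": (0, 1000)}   # lower bound 0 is an assumption
PATH_REGEX_KEYS = {"IgnoreAdded", "IgnoreMissing", "IgnoreModified"}

def misc_entries(text):
    """Yield (lineno, key, value) for Key=value lines inside [Misc]."""
    section = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1)
        elif section == "Misc" and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            yield lineno, key.strip(), value.strip()

def lint_misc(text):
    """Return (lineno, key, problem) for every violated constraint."""
    problems = []
    for lineno, key, value in misc_entries(text):
        if key in ENUMS and value not in ENUMS[key]:
            problems.append((lineno, key, "not one of the documented values"))
        elif key in RANGES:
            low, high = RANGES[key]
            if not re.fullmatch(r"-?\d+", value) or not low <= int(value) <= high:
                problems.append((lineno, key, f"must be an integer in {low}..{high}"))
        elif key in PATH_REGEX_KEYS and not value.startswith("/"):
            problems.append((lineno, key, "path_regex must start with '/'"))
        elif key == "SetSocketPassword" and (len(value) > 14 or "@" in value):
            problems.append((lineno, key, "max. 14 chars, no '@'"))
    return problems

SAMPLE = """\
[Misc]
# constructed sample, not a recommended configuration
MACType=HMAC-TIGER
DigestAlgo=SHA512
SetMailNum=20000
SetNiceLevel=10
IgnoreAdded=var/run/.*pid
SetSocketPassword=example@placeholder
"""
if __name__ == "__main__":
    print(*lint_misc(SAMPLE), sep="\n")
```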