/usr/share/doc/samhain/manual.html/configuration-email.html is in samhain 4.1.4-2build1.

This file is owned by root:root, with mode 0o644.

<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>4. E-mail</title><link rel="stylesheet" type="text/css" href="docbook.css"><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="The Samhain Host Integrity Monitoring System"><link rel="up" href="basic-configuration.html" title="Chapter 4. Configuration of logging facilities"><link rel="prev" href="thresholds.html" title="3. Activating logging facilities and filtering messages"><link rel="next" href="trustedexample.html" title="5. Log file"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><!--#if expr="! ($HTTP_USER_AGENT = /MSIE/)"--><!--#include virtual="/resources/ssi/header.html"--><!--#endif--><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">4. E-mail</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="thresholds.html">Prev</a> </td><th width="60%" align="center">Chapter 4. Configuration of logging facilities</th><td width="20%" align="right"> <a accesskey="n" href="trustedexample.html">Next</a></td></tr></table><hr></div><div class="sect1"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="configuration-email"></a>4. E-mail</h2></div></div></div><p>It is possible to define email recipients at
      compile-time, but it is also possible to define recipients,
      or aliases (lists of recipients) in the configuration file.
      Each recipient (list) definition starts with either:</p><p>
        <span class="command"><strong>SetMailAddress=
        <em class="replaceable"><code>recipient</code></em></strong></span> 
      </p><p>or:</p><p>
        <span class="command"><strong>SetMailAlias=
        <em class="replaceable"><code>listname</code></em>:
        <em class="replaceable"><code>addresslist</code></em></strong></span> 
      </p><p>Filters and/or a threshold severity for the recipient
      (list) may follow. The definition of a recipient is ended (a)
      explicitly when terminated with the line 
      <span class="command"><strong>CloseAddress</strong></span> , or (b)
      implicitly when another recipient (list) definition is
      started.</p><p>Items that can/must be configured are: 
      </p><div class="variablelist"><dl class="variablelist"><dt><span class="term">Recipients address</span></dt><dd><p>
              <span class="command"><strong>SetMailAddress=
              <em class="replaceable"><code>
              username@hostname</code></em></strong></span> 
            </p><p>Each address must be on a separate line in the
            configuration file.</p><div class="tip" style="margin-left: 0.5in; margin-right: 0.5in;"><table border="0" summary="Tip: Tip"><tr><td rowspan="2" align="center" valign="top" width="25"><img alt="[Tip]" src="stylesheet-images/tip.png"></td><th align="left">Tip</th></tr><tr><td align="left" valign="top"><p>It is recommended to use numerical IP addresses
              instead of host names (to avoid DNS lookups).</p></td></tr></table></div></dd><dt><span class="term">Recipients address list</span></dt><dd><p>
              <span class="command"><strong>SetMailAlias=
              <em class="replaceable"><code>listname</code></em>:
              <em class="replaceable"><code>addresslist</code></em></strong></span> 
            </p><p>Define an alias for a list of (already defined)
            recipients. The format is 
            <span class="emphasis"><em>listname</em></span>":" 
            <span class="emphasis"><em>addresslist</em></span>, where addresses in 
            <span class="emphasis"><em>addresslist</em></span> can be separated by
            comma, tab, or space. Logging threshold and filters
            (see below) can be set for a list as for an individual
            recipient, but will take effect only for email that is
            specifically targeted at the list (e.g. via a per-queue
            rule in the logfile monitoring module).</p></dd><dt><span class="term">Logging threshold</span></dt><dd><p>
              <span class="command"><strong>SetAddrSeverity=
              <em class="replaceable"><code>severity</code></em></strong></span> 
            </p><p>This defines a logging threshold severity for the
            last defined recipient (list). The syntax is the same
            as for 
            <span class="command"><strong>MailSeverity</strong></span> .</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><table border="0" summary="Note: MailSeverity and SetAddrSeverity"><tr><td rowspan="2" align="center" valign="top" width="25"><img alt="[Note]" src="stylesheet-images/note.png"></td><th align="left">MailSeverity and SetAddrSeverity</th></tr><tr><td align="left" valign="top"><p>The MailSeverity setting in the [Log] section
              defines an upper bound for 
              <span class="emphasis"><em>all recipients</em></span>. Messages not
              included by the MailSeverity setting will never be
              emailed.</p></td></tr></table></div></dd><dt><span class="term">NOT Filter</span></dt><dd><p>
              <span class="command"><strong>SetMailFilterNot=
              <em class="replaceable"><code>list_of_regexes</code></em></strong></span> 
            </p><p>Defines a filtering condition for the last
            defined recipient (list). If there is no recipient
            (list) defined yet, it applies to the compiled-in
            recipients.</p><p>List items are POSIX regular expressions. As
            whitespace (blank or tab) is a valid separator in a
            list, strings with whitespace must be enclosed in
            single or double quotes. If a string begins with a
            double quote, enclose it in single quotes (and vice
            versa).</p><p>If used, then NONE of the regular expressions in 
            <span class="emphasis"><em>list</em></span> can occur in a message,
            otherwise it will not be sent by email.</p></dd><dt><span class="term">AND Filter</span></dt><dd><p>
              <span class="command"><strong>SetMailFilterAnd=
              <em class="replaceable"><code>list</code></em></strong></span> 
            </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><table border="0" summary="Note: Order of evaluation"><tr><td rowspan="2" align="center" valign="top" width="25"><img alt="[Note]" src="stylesheet-images/note.png"></td><th align="left">Order of evaluation</th></tr><tr><td align="left" valign="top"><p>AND conditions are evaluated after all NOT
              conditions.</p></td></tr></table></div><p>If used, then ALL strings in 
            <span class="emphasis"><em>list</em></span> must occur in a message,
            otherwise it will not be sent by email. The syntax is
            the same as for 
            <span class="command"><strong>
            SetMailFilterNot</strong></span> .</p></dd><dt><span class="term">OR Filter</span></dt><dd><p>
              <span class="command"><strong>SetMailFilterOr=
              <em class="replaceable"><code>list</code></em></strong></span> 
            </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><table border="0" summary="Note: Order of evaluation"><tr><td rowspan="2" align="center" valign="top" width="25"><img alt="[Note]" src="stylesheet-images/note.png"></td><th align="left">Order of evaluation</th></tr><tr><td align="left" valign="top"><p>OR conditions are evaluated after all AND
              conditions.</p></td></tr></table></div><p>If used, then AT LEAST ONE of the strings in 
            <span class="emphasis"><em>list</em></span> must occur in a message,
            otherwise it will not be sent by email. The syntax is
            the same as for 
            <span class="command"><strong>
            SetMailFilterNot</strong></span> .</p></dd><dt><span class="term">Closing a recipient (list) definition</span></dt><dd><p>
              <span class="command"><strong>CloseAddress</strong></span> 
            </p><p>This explicitly closes the definition of a
            recipient (list). However, this is optional syntactic
            sugar (i.e. not really required), since recipient
            (list) definitions are closed implicitly by the
            beginning of another recipient (list) definition (i.e. 
            <span class="command"><strong>SetMailAddress</strong></span> or 
            <span class="command"><strong>
            SetMailAlias</strong></span> ).</p></dd><dt><span class="term">Relay host / Mail exchanger</span></dt><dd><p>
              <span class="command"><strong>SetMailRelay=
              <em class="replaceable"><code>
              mail.some_domain.com</code></em></strong></span> 
            </p><p>You may need this option because some sites don't
            allow outbound e-mail connections from any arbitrary
            host. If the recipient is offsite, and your site uses a
            mail relay host to route outbound e-mails, you need to
            specify the relay host.</p></dd><dt><span class="term">Maximum interval</span></dt><dd><p>
              <span class="command"><strong>SetMailTime=
              <em class="replaceable"><code>86400</code></em></strong></span> 
            </p><p>You may want to set a maximum interval between
            any two consecutive e-mails, to be sure that 
            <span class="application">samhain</span> is
            still 'alive'.</p></dd><dt><span class="term">Maximum pending</span></dt><dd><p>
              <span class="command"><strong>SetMailNum=
              <em class="replaceable"><code>10</code></em></strong></span> 
            </p><p>Messages can be queued to send several messages
            in one e-mail. You may want to set the maximum
            number of messages to queue. (Note: messages of highest
            priority (alert) are always sent immediately. At most
            128 messages can be queued.)</p></dd><dt><span class="term">Multiple recipients</span></dt><dd><p>
              <span class="command"><strong>MailSingle=
              <em class="replaceable"><code>yes/no</code></em></strong></span> 
            </p><p>If there are multiple recipients, this option
            determines whether to send a single mail with the
            recipient list or multiple mails. If all recipients are
            in the same domain, a single mail may suffice; otherwise
            it depends on whether the mail server supports
            forwarding (for security, most don't).</p></dd><dt><span class="term">Subject line</span></dt><dd><p>
              <span class="command"><strong>MailSubject=
              <em class="replaceable"><code>string</code></em></strong></span> 
            </p><p>Here, 
            <span class="emphasis"><em>string</em></span> may contain the placeholders
            %T, %H, %S, and/or %M that will get replaced by the
            time, hostname, message severity and message text,
            respectively. The default subject line is equivalent to
            "%T %H". This option may be useful if you want to send
            emails to an email-to-sms gateway.</p></dd><dt><span class="term">Sender</span></dt><dd><p>
              <span class="command"><strong>SetMailSender=
              <em class="replaceable"><code>string</code></em></strong></span> 
            </p><p>Here, 
            <span class="emphasis"><em>string</em></span> is the address that is
            inserted in the From: field. If a name without domain
            is given (i.e. without '@xyz.tld'), the FQDN of the
            local host will be added automatically.</p></dd><dt><span class="term">SMTP port</span></dt><dd><p>
              <span class="command"><strong>SetMailPort=
              <em class="replaceable"><code>port_number</code></em></strong></span> 
            </p><p>This option allows you to specify a custom port for
            SMTP (the default is 25).</p></dd></dl></div><p>
        <span class="emphasis"><em>Example:</em></span>
      </p><pre class="programlisting">
	[Misc]  
	#
	# Do not send messages about added files, and startup messages.
	# We have no recipient defined yet, thus this applies to
	# compiled-in recipients only (if there are any).
	#
	SetMailFilterNot = 'POLICY ADDED', START
	# 
	# E-mail recipient (offsite in this case). 
	# 
	SetMailAddress=username@host.some_domain.com
	SetMailFilterNot = LOGKEY
	CloseAddress
	# 
	# Need a relay host for outgoing mail. 
	# 
	SetMailRelay=relay.mydomain.com 
	#  
	# Number of pending mails. 
	# 
	SetMailNum=10 
	#  
	# Maximum time between e-mails. 
	# Want a message every day, just to be sure that the 
	# program still runs. 
	# 
	SetMailTime=86400
	#
	# Do not send messages about added files, and startup messages
	#
	SetMailFilterNot = 'POLICY ADDED', START
	#
	# To all recipients in a single mail. 
	MailSingle=yes 
      </pre><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a name="emaildetails"></a>4.1. E-mail reports and their integrity</h3></div></div></div><p>The subject line contains timestamp and local
        hostname, which are repeated in the message body. 
        <span class="application">samhain</span> uses its
        own built-in SMTP code rather than the system mailer,
        because in case of temporary connection failures, the
        system mailer (e.g. 
        <span class="application">sendmail</span> ) would
        queue the message on disk, where it may become visible to
        unauthorized persons.</p><p>During temporary connection failures, messages are
        stored in memory. The maximum number of stored messages is
        128. 
        <span class="application">samhain</span> will
        re-try to mail every hour for at most 48 hours. In
        conformance with RFC 821, 
        <span class="application">samhain</span> will keep
        the responsibility for the message delivery until the
        recipient's mail server has confirmed receipt of the e-mail
        (except that, as noted above, after 48 hours it will assume
        a permanent connection failure, i.e. e-mailing will be
        switched off).</p><p>The body of the mail may consist of several messages
        that were pending on the internal queue (see 
        <a class="xref" href="configfacility.html" title="2. Available logging facilities">Section 2</a> ), followed by a
        signature that is computed from the message and a key. The
        key is initialized with a random number, and for each
        e-mail iterated by a 
        <span class="emphasis"><em>hash chain</em></span>.</p><p>The initial key is revealed in the first email sent
        (obviously, you have to believe that this first e-mail is
        authentic). This initial key is not transmitted in
        cleartext, but encrypted with a one-time pad (
        <a class="xref" href="keypad.html" title="2. Integrity of the samhain executable">Section 2</a> ).</p><p>The signature is followed by a unique identification
        string. This is used to identify separate audit trails
        (here, a 
        <span class="emphasis"><em>trail</em></span> is a sequence of e-mails from the
        same run of 
        <span class="application">samhain</span> ), and to
        enumerate individual e-mails within a trail.</p><p>The mail thus looks like:</p><pre class="programlisting">
	  -----BEGIN MESSAGE----- 
	first message 
	second message 
	... 
	-----BEGIN SIGNATURE----- 
	signature 
	ID TRAIL_ID:hostname 
	-----END MESSAGE-----</pre><div class="tip" style="margin-left: 0.5in; margin-right: 0.5in;"><table border="0" summary="Tip: Integrity verification"><tr><td rowspan="2" align="center" valign="top" width="25"><img alt="[Tip]" src="stylesheet-images/tip.png"></td><th align="left">Integrity verification</th></tr><tr><td align="left" valign="top"><p>
          <span class="emphasis"><em>To verify the integrity</em></span> of an e-mail
          audit trail, a convenience function is provided:</p><p>
            <span class="command"><strong>samhain -M 
            <em class="replaceable"><code>/mailbox/file/path</code></em></strong></span> 
          </p><p>The mailbox file may contain multiple and/or
          overlapping audit trails from different runs of 
          <span class="application">samhain</span> and/or
          different clients (hosts).</p></td></tr></table></div><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><table border="0" summary="Warning: CAVEATS"><tr><td rowspan="2" align="center" valign="top" width="25"><img alt="[Warning]" src="stylesheet-images/warning.png"></td><th align="left">CAVEATS</th></tr><tr><td align="left" valign="top"><p>Verification will fail, if the compiled-in key of
          the verifying executable is different from the one that
          generated the message(s) (see 
          <a class="xref" href="keypad.html" title="2. Integrity of the samhain executable">Section 2</a> ).</p><p>If you use a pre-compiled executable from some
          binary distribution, be sure to read 
          <a class="xref" href="keypad.html" title="2. Integrity of the samhain executable">Section 2</a>  carefully.</p></td></tr></table></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="thresholds.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="basic-configuration.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="trustedexample.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">3. Activating logging facilities and filtering
      messages </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> 5. Log file</td></tr></table></div><!--#if expr="! ($HTTP_USER_AGENT = /MSIE/)"--><!--#include virtual="/resources/ssi/footer.html"--><!--#endif--></body></html>
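
The NOT, AND and OR filter rules described above, as an added Python sketch that is not samhain's own code: it splits a filter list using the quoting rules from this page and shows how dropping the quotes around 'POLICY ADDED' changes which messages are mailed. The sample messages are constructed, Python's `re` stands in for POSIX regular expressions, and treating the comma as a separator is an assumption taken from the page's example.

```python
import re

SEPARATORS = " \t,"   # blank and tab per the manual; comma as in its example (assumption)

def split_filter_list(value):
    """Split a filter list into regex strings, honouring '...' and "..." quoting."""
    items, i, n = [], 0, len(value)
    while i < n:
        ch = value[i]
        if ch in SEPARATORS:
            i += 1
        elif ch in "'\"":
            end = value.find(ch, i + 1)          # matching quote of the same kind
            if end < 0:
                raise ValueError(f"unterminated quote in filter list: {value!r}")
            items.append(value[i + 1:end])
            i = end + 1
        else:
            j = i
            while j < n and value[j] not in SEPARATORS:
                j += 1
            items.append(value[i:j])
            i = j
    return items

def would_mail(message, f_not=(), f_and=(), f_or=()):
    """Apply NOT, then AND, then OR; an unset (empty) filter imposes no condition."""
    def hit(rx):
        return re.search(rx, message) is not None
    if any(hit(rx) for rx in f_not):             # NONE of these may occur
        return False
    if not all(hit(rx) for rx in f_and):         # ALL of these must occur
        return False
    if f_or and not any(hit(rx) for rx in f_or): # AT LEAST ONE must occur
        return False
    return True

# Constructed sample messages (not real samhain output).
SAMPLE = [
    "CRIT : msg=<POLICY ADDED>, path=</etc/cron.d/job>",
    "MARK : msg=<START>, program=<samhain>",
    "CRIT : msg=<POLICY [ReadOnly] ----M--TS>, path=</etc/passwd>",
]

def mailed(not_value, messages=SAMPLE):
    """Messages that survive a SetMailFilterNot value."""
    f_not = split_filter_list(not_value)
    return [m for m in messages if would_mail(m, f_not=f_not)]

if __name__ == "__main__":
    print(mailed("'POLICY ADDED', START"))   # the modification report is still mailed
    print(mailed("POLICY ADDED, START"))     # unquoted: every POLICY message is dropped
```

Running a planned filter line against a few archived reports in this way shows whether it would silence messages that should still be mailed.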
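
A generic illustration of the signature scheme of section 4.1, added here and not samhain's own algorithm or code: each e-mail is signed with the current key, the key is then replaced by its hash, and a verifier holding the initial key replays the chain over a mailbox. HMAC-SHA256 and SHA-256, the numeric position in the ID line and all sample values are assumptions; in samhain the initial key arrives encrypted in the first e-mail.

```python
import hashlib
import hmac
import os

BEGIN, SIGMARK, END = ("-----BEGIN MESSAGE-----", "-----BEGIN SIGNATURE-----",
                       "-----END MESSAGE-----")

def next_key(key):
    # One-way step of the chain: a later key does not reveal an earlier one.
    return hashlib.sha256(key).digest()

def sign(key, body):
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

class Sender:
    def __init__(self, trail_id, host):
        self.key0 = os.urandom(32)          # random initial key of this trail
        self._key, self.seq = self.key0, 0
        self.trail_id, self.host = trail_id, host

    def mail(self, messages):
        body = "\n".join(messages)
        sig = sign(self._key, body)
        self._key = next_key(self._key)     # iterate the key for every e-mail
        self.seq += 1
        ident = f"{self.seq:06d} {self.trail_id}:{self.host}"   # assumed ID layout
        return "\n".join([BEGIN, body, SIGMARK, sig, ident, END])

def parse(mail):
    lines = mail.split("\n")
    # Locate the trailer from the end so marker text inside the body cannot shift it.
    if len(lines) < 6 or lines[0] != BEGIN or lines[-1] != END or lines[-4] != SIGMARK:
        raise ValueError("not a report in the expected layout")
    return "\n".join(lines[1:-4]), lines[-3], int(lines[-2].split()[0])

def verify_trail(key0, mails):
    """Walk one trail in order and return {sequence number: status}."""
    report, key, expected = {}, key0, 1
    for body, sig, seq in sorted((parse(m) for m in mails), key=lambda t: t[2]):
        if seq < expected:
            report[seq] = "DUPLICATE ID"
            continue
        while expected < seq:               # e-mail absent from the mailbox
            report[expected] = "missing"
            key, expected = next_key(key), expected + 1
        good = hmac.compare_digest(sig, sign(key, body))
        report[seq] = "ok" if good else "BAD SIGNATURE"
        key, expected = next_key(key), expected + 1
    return report

def demo():
    s = Sender("1700000000", "host.example")        # constructed trail id and host
    mails = [s.mail([f"CRIT : constructed report line {n}"]) for n in range(1, 5)]
    mailbox = [mails[0], mails[2].replace("line 3", "line X"), mails[3]]  # 2 dropped, 3 edited
    return verify_trail(s.key0, mailbox)

if __name__ == "__main__":
    print(demo())
```

Because the verifier can advance the key past a gap, a missing e-mail is reported as missing without invalidating the e-mails that follow it.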