/usr/share/doc/samhain/manual.html/configuration-email.html is in samhain 4.1.4-2build1.
<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>4. E-mail</title><link rel="stylesheet" type="text/css" href="docbook.css"><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><link rel="home" href="index.html" title="The Samhain Host Integrity Monitoring System"><link rel="up" href="basic-configuration.html" title="Chapter 4. Configuration of logging facilities"><link rel="prev" href="thresholds.html" title="3. Activating logging facilities and filtering messages"><link rel="next" href="trustedexample.html" title="5. Log file"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><!--#if expr="! ($HTTP_USER_AGENT = /MSIE/)"--><!--#include virtual="/resources/ssi/header.html"--><!--#endif--><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">4. E-mail</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="thresholds.html">Prev</a> </td><th width="60%" align="center">Chapter 4. 
Configuration of logging facilities</th><td width="20%" align="right"> <a accesskey="n" href="trustedexample.html">Next</a></td></tr></table><hr></div><div class="sect1"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="configuration-email"></a>4. E-mail</h2></div></div></div><p>It is possible to define email recipients at
compile-time, but it is also possible to define recipients,
or aliases (lists of recipients) in the configuration file.
Each recipient (list) definition starts with either:</p><p>
<span class="command"><strong>SetMailAddress=
<em class="replaceable"><code>recipient</code></em></strong></span>
</p><p>or:</p><p>
<span class="command"><strong>SetMailAlias=
<em class="replaceable"><code>listname</code></em>:
<em class="replaceable"><code>addresslist</code></em></strong></span>
</p><p>Filters and/or a threshold severity for the recipient
(list) may follow. The definition of a recipient is ended (a)
explicitly when terminated with the line
<span class="command"><strong>CloseAddress</strong></span>, or (b)
implicitly when another recipient (list) definition is
started.</p><p>Items that can or must be configured are:
</p><div class="variablelist"><dl class="variablelist"><dt><span class="term">Recipients address</span></dt><dd><p>
<span class="command"><strong>SetMailAddress=
<em class="replaceable"><code>
username@hostname</code></em></strong></span>
</p><p>Each address must be on a separate line in the
configuration file.</p><div class="tip" style="margin-left: 0.5in; margin-right: 0.5in;"><table border="0" summary="Tip: Tip"><tr><td rowspan="2" align="center" valign="top" width="25"><img alt="[Tip]" src="stylesheet-images/tip.png"></td><th align="left">Tip</th></tr><tr><td align="left" valign="top"><p>It is recommended to use numerical IP addresses
instead of host names (to avoid DNS lookups).</p></td></tr></table></div></dd><dt><span class="term">Recipients address list</span></dt><dd><p>
<span class="command"><strong>SetMailAlias=
<em class="replaceable"><code>listname</code></em>:
<em class="replaceable"><code>addresslist</code></em></strong></span>
</p><p>Define an alias for a list of (already defined)
recipients. The format is
<span class="emphasis"><em>listname</em></span>":"
<span class="emphasis"><em>addresslist</em></span>, where addresses in
<span class="emphasis"><em>addresslist</em></span> can be separated by
comma, tab, or space. Logging threshold and filters
(see below) can be set for a list as for an individual
recipient, but will take effect only for email that is
specifically targeted at the list (e.g. via a per-queue
rule in the logfile monitoring module).</p></dd><dt><span class="term">Logging threshold</span></dt><dd><p>
<span class="command"><strong>SetAddrSeverity=
<em class="replaceable"><code>severity</code></em></strong></span>
</p><p>This defines a logging threshold severity for the
last defined recipient (list). The syntax is the same
as for
<span class="command"><strong>MailSeverity</strong></span> .</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><table border="0" summary="Note: MailSeverity and SetAddrSeverity"><tr><td rowspan="2" align="center" valign="top" width="25"><img alt="[Note]" src="stylesheet-images/note.png"></td><th align="left">MailSeverity and SetAddrSeverity</th></tr><tr><td align="left" valign="top"><p>The MailSeverity setting in the [Log] section
defines an upper bound for
<span class="emphasis"><em>all recipients</em></span>. Messages not
included by the MailSeverity setting will never be
emailed.</p></td></tr></table></div></dd><dt><span class="term">NOT Filter</span></dt><dd><p>
<span class="command"><strong>SetMailFilterNot=
<em class="replaceable"><code>list_of_regexes</code></em></strong></span>
</p><p>Defines a filtering condition for the last
defined recipient (list). If there is no recipient
(list) defined yet, it applies to the compiled-in
recipients.</p><p>List items are POSIX regular expressions. As
whitespace (blank or tab) is a valid separator in a
list, strings with whitespace must be enclosed in
single or double quotes. If a string begins with a
double quote, enclose it in single quotes (and vice
versa).</p><p>If used, then NONE of the regular expressions in
<span class="emphasis"><em>list</em></span> may occur in a message;
otherwise it will not be sent by email.</p></dd><dt><span class="term">AND Filter</span></dt><dd><p>
<span class="command"><strong>SetMailFilterAnd=
<em class="replaceable"><code>list</code></em></strong></span>
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><table border="0" summary="Note: Order of evaluation"><tr><td rowspan="2" align="center" valign="top" width="25"><img alt="[Note]" src="stylesheet-images/note.png"></td><th align="left">Order of evaluation</th></tr><tr><td align="left" valign="top"><p>AND conditions are evaluated after all NOT
conditions.</p></td></tr></table></div><p>If used, then ALL strings in
<span class="emphasis"><em>list</em></span> must occur in a message,
otherwise it will not be sent by email. The syntax is
the same as for
<span class="command"><strong>
SetMailFilterNot</strong></span> .</p></dd><dt><span class="term">OR Filter</span></dt><dd><p>
<span class="command"><strong>SetMailFilterOr=
<em class="replaceable"><code>list</code></em></strong></span>
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><table border="0" summary="Note: Order of evaluation"><tr><td rowspan="2" align="center" valign="top" width="25"><img alt="[Note]" src="stylesheet-images/note.png"></td><th align="left">Order of evaluation</th></tr><tr><td align="left" valign="top"><p>OR conditions are evaluated after all AND
conditions.</p></td></tr></table></div><p>If used, then AT LEAST ONE of the strings in
<span class="emphasis"><em>list</em></span> must occur in a message,
otherwise it will not be sent by email. The syntax is
the same as for
<span class="command"><strong>
SetMailFilterNot</strong></span> .</p></dd><dt><span class="term">Closing a recipient (list) definition</span></dt><dd><p>
<span class="command"><strong>CloseAddress</strong></span>
</p><p>This explicitly closes the definition of a
recipient (list). However, this is optional syntactic
sugar (i.e. not really required), since recipient
(list) definitions are closed implicitly by the
beginning of another recipient (list) definition (i.e.
<span class="command"><strong>SetMailAddress</strong></span> or
<span class="command"><strong>
SetMailAlias</strong></span> ).</p></dd><dt><span class="term">Relay host / Mail exchanger</span></dt><dd><p>
<span class="command"><strong>SetMailRelay=
<em class="replaceable"><code>
mail.some_domain.com</code></em></strong></span>
</p><p>You may need this option because some sites don't
allow outbound e-mail connections from any arbitrary
host. If the recipient is offsite, and your site uses a
mail relay host to route outbound e-mails, you need to
specify the relay host.</p></dd><dt><span class="term">Maximum interval</span></dt><dd><p>
<span class="command"><strong>SetMailTime=
<em class="replaceable"><code>86400</code></em></strong></span>
</p><p>You may want to set a maximum interval between
any two consecutive e-mails, to be sure that
<span class="application">samhain</span> is
still 'alive'.</p></dd><dt><span class="term">Maximum pending</span></dt><dd><p>
<span class="command"><strong>SetMailNum=
<em class="replaceable"><code>10</code></em></strong></span>
</p><p>Messages can be queued to send several messages
in one e-mail. You may want to set the maximum
number of messages to queue. (Note: messages of highest
priority (alert) are always sent immediately.) At most
128 messages can be queued.</p></dd><dt><span class="term">Multiple recipients</span></dt><dd><p>
<span class="command"><strong>MailSingle=
<em class="replaceable"><code>yes/no</code></em></strong></span>
</p><p>If there are multiple recipients, whether to send
a single mail with the recipient list, or send multiple
mails. If all recipients are on the same domain, a single
mail may suffice, otherwise it depends on whether the
mail server supports forwarding (for security, most
don't).</p></dd><dt><span class="term">Subject line</span></dt><dd><p>
<span class="command"><strong>MailSubject=
<em class="replaceable"><code>string</code></em></strong></span>
</p><p>Here,
<span class="emphasis"><em>string</em></span> may contain the placeholders
%T, %H, %S, and/or %M that will get replaced by the
time, hostname, message severity and message text,
respectively. The default subject line is equivalent to
"%T %H". This option may be useful if you want to send
emails to an email-to-sms gateway.</p></dd><dt><span class="term">Sender</span></dt><dd><p>
<span class="command"><strong>SetMailSender=
<em class="replaceable"><code>string</code></em></strong></span>
</p><p>Here,
<span class="emphasis"><em>string</em></span> is the address that is
inserted in the From: field. If a name without domain
is given (i.e. without '@xyz.tld'), the FQDN of the
local host will be added automatically.</p></dd><dt><span class="term">SMTP port</span></dt><dd><p>
<span class="command"><strong>SetMailPort=
<em class="replaceable"><code>port_number</code></em></strong></span>
</p><p>This option allows you to specify a custom port for
SMTP (the default is 25).</p></dd></dl></div><p>
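</p><p>The filter semantics described above, modelled in Python as an added example; this is not samhain's own code. The model splits a filter list on comma, blank or tab with single- or double-quote grouping, evaluates NOT, then AND, then OR for each recipient in the order the notes above state, and applies filters given before any <span class="command"><strong>SetMailAddress</strong></span> to the compiled-in recipients. Assumptions: POSIX regular expressions are approximated with Python's <code>re</code> module, only the address, <span class="command"><strong>CloseAddress</strong></span> and the three filter directives are parsed (aliases, relay, port and the other options are not modelled), and the configuration, the messages and the compiled-in address <code>root@localhost</code> are constructed for this example.</p><pre class="programlisting">
```python
"""Model of samhain-style per-recipient mail filters.

Added example, not samhain's code.  Assumptions beyond the manual's text:
POSIX regexes are approximated with Python's re module, only the address,
CloseAddress and the three filter directives are parsed, and the compiled-in
recipient list is a constructed placeholder.
"""
import re


def split_list(text):
    """Split a filter list on comma, blank or tab, honouring '...' or "..." quoting."""
    items, current, quote = [], [], None
    for ch in text:
        if quote:                      # inside a quoted item: only the matching quote ends it
            if ch == quote:
                quote = None
            else:
                current.append(ch)
        elif ch in "'\"":
            quote = ch
        elif ch in ", \t":
            if current:
                items.append("".join(current))
                current = []
        else:
            current.append(ch)
    if quote:
        raise ValueError("unterminated quote in filter list: " + text)
    if current:
        items.append("".join(current))
    return items


class Recipient:
    """One SetMailAddress entry together with its filter lists."""

    def __init__(self, address):
        self.address = address
        self.filter_not, self.filter_and, self.filter_or = [], [], []

    def accepts(self, message):
        """Apply the filters in the manual's order: NOT, then AND, then OR."""
        if any(re.search(rx, message) for rx in self.filter_not):
            return False                               # a forbidden pattern occurs
        if self.filter_and and not all(re.search(rx, message) for rx in self.filter_and):
            return False                               # a required pattern is missing
        if self.filter_or and not any(re.search(rx, message) for rx in self.filter_or):
            return False                               # none of the alternatives occurs
        return True


FILTER_KEYS = {"SetMailFilterNot": "filter_not",
               "SetMailFilterAnd": "filter_and",
               "SetMailFilterOr": "filter_or"}


def parse_mail_config(text, compiled_in=("root@localhost",)):
    """Return all recipients (compiled-in first) with the filters the config assigns."""
    compiled = [Recipient(a) for a in compiled_in]
    defined = []
    targets = compiled          # filters before the first SetMailAddress hit these
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#[":          # comment or [Section] header
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "SetMailAddress":
            defined.append(Recipient(value))
            targets = [defined[-1]]              # later filters apply to this recipient
        elif key in FILTER_KEYS:
            for recipient in targets:
                getattr(recipient, FILTER_KEYS[key]).extend(split_list(value))
        # CloseAddress and the other directives (relay, port, ...) need no action here
    return compiled + defined


# Constructed configuration and constructed messages in the spirit of samhain's log lines.
SAMPLE_CONFIG = """
[Misc]
SetMailFilterNot = 'POLICY ADDED', START
SetMailAddress=username@host.some_domain.com
SetMailFilterNot = LOGKEY
SetMailFilterAnd = CRIT
CloseAddress
SetMailAddress=oncall@host.some_domain.com
SetMailFilterOr = "POLICY MISSING", 'POLICY MODIFIED'
"""

SAMPLE_MESSAGES = [
    "CRIT : [2024-01-01T00:00:00] msg=POLICY MISSING path=/etc/passwd",
    "CRIT : [2024-01-01T00:00:01] msg=POLICY ADDED path=/tmp/x",
    "ALERT : [2024-01-01T00:00:02] msg=START program=Samhain",
    "INFO : [2024-01-01T00:00:03] msg=LOGKEY",
    "WARN : [2024-01-01T00:00:04] msg=POLICY MODIFIED path=/bin/ls",
]


def deliveries(config=SAMPLE_CONFIG, messages=SAMPLE_MESSAGES):
    """Map each recipient address to the messages that pass its filters."""
    return {r.address: [m for m in messages if r.accepts(m)]
            for r in parse_mail_config(config)}


if __name__ == "__main__":
    for address, passed in deliveries().items():
        print(address, "gets", len(passed), "of", len(SAMPLE_MESSAGES), "messages")
```
</pre><p>Running the block reports how many of the sample messages each address would receive; <code>deliveries()</code> returns the same mapping for inspection. The model stops at the first failing stage, so a message that carries a NOT pattern is dropped even when it satisfies the AND and OR lists, which is the behaviour the "Order of evaluation" notes above describe.</p><p>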
<span class="emphasis"><em>Example:</em></span>
</p><pre class="programlisting">
[Misc]
#
# Do not send messages about added files, and startup messages.
# We have no recipient defined yet, thus this applies to
# compiled-in recipients only (if there are any).
#
SetMailFilterNot = 'POLICY ADDED', START
#
# E-mail recipient (offsite in this case).
#
SetMailAddress=username@host.some_domain.com
SetMailFilterNot = LOGKEY
CloseAddress
#
# Need a relay host for outgoing mail.
#
SetMailRelay=relay.mydomain.com
#
# Number of pending mails.
#
SetMailNum=10
#
# Maximum time between e-mails.
# Want a message every day, just to be sure that the
# program still runs.
#
SetMailTime=86400
#
# Do not send messages about added files, and startup messages
#
SetMailFilterNot = 'POLICY ADDED', START
#
# To all recipients in a single mail.
MailSingle=yes
</pre><div class="sect2"><div class="titlepage"><div><div><h3 class="title"><a name="emaildetails"></a>4.1. E-mail reports and their integrity</h3></div></div></div><p>The subject line contains timestamp and local
hostname, which are repeated in the message body.
<span class="application">samhain</span> uses its
own built-in SMTP code rather than the system mailer,
because in case of temporary connection failures, the
system mailer (e.g.
<span class="application">sendmail</span> ) would
queue the message on disk, where it may become visible to
unauthorized persons.</p><p>During temporary connection failures, messages are
stored in memory. The maximum number of stored messages is
128.
<span class="application">samhain</span> will
re-try to mail every hour for at most 48 hours. In
conformance with RFC 821,
<span class="application">samhain</span> will keep
the responsibility for the message delivery until the
recipient's mail server has confirmed receipt of the e-mail
(except that, as noted above, after 48 hours it will assume
a permanent connection failure, i.e. e-mailing will be
switched off).</p><p>The body of the mail may consist of several messages
that were pending on the internal queue (see
<a class="xref" href="configfacility.html" title="2. Available logging facilities">Section 2</a> ), followed by a
signature that is computed from the message and a key. The
key is initialized with a random number, and for each
e-mail iterated by a
<span class="emphasis"><em>hash chain</em></span>.</p><p>The initial key is revealed in the first email sent
(obviously, you have to believe that this first e-mail is
authentic). This initial key is not transmitted in
cleartext, but encrypted with a one-time pad (
<a class="xref" href="keypad.html" title="2. Integrity of the samhain executable">Section 2</a> ).</p><p>The signature is followed by a unique identification
string. This is used to identify separate audit trails
(here, a
<span class="emphasis"><em>trail</em></span> is a sequence of e-mails from the
same run of
<span class="application">samhain</span> ), and to
enumerate individual e-mails within a trail.</p><p>The mail thus looks like:</p><pre class="programlisting">
-----BEGIN MESSAGE-----
first message
second message
...
-----BEGIN SIGNATURE-----
signature
ID TRAIL_ID:hostname
-----END MESSAGE-----</pre><div class="tip" style="margin-left: 0.5in; margin-right: 0.5in;"><table border="0" summary="Tip: Integrity verification"><tr><td rowspan="2" align="center" valign="top" width="25"><img alt="[Tip]" src="stylesheet-images/tip.png"></td><th align="left">Integrity verification</th></tr><tr><td align="left" valign="top"><p>
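</p><p>The signed, hash-chained layout just shown, modelled in Python as an added example; this is not samhain's implementation, and the manual does not name the primitives. Assumed for illustration: HMAC-SHA256 as the signature over the message body and the ID line, SHA-256 as the hash-chain step from one mail's key to the next, a sequence number appended to the trail id in the ID line, and the initial key revealed in the clear in the first mail (samhain encrypts it with a one-time pad, see <a class="xref" href="keypad.html" title="2. Integrity of the samhain executable">Section 2</a>). The verifier groups a mailbox by trail and host, as a mailbox holding overlapping trails from several runs or clients requires, and reports tampering and missing mails. The host name, trail id, key and messages are constructed.</p><pre class="programlisting">
```python
"""Model of a hash-chained, signed e-mail audit trail (added example, not samhain's
implementation).  The manual gives only the scheme: random initial key, a hash
chain advancing the key per mail, a signature over the messages, and an ID line
naming the trail and numbering its mails.  The primitives are assumptions."""
import hashlib
import hmac
import os
from collections import defaultdict

BEGIN, SIG, END = "-----BEGIN MESSAGE-----", "-----BEGIN SIGNATURE-----", "-----END MESSAGE-----"


def next_key(key):
    """One hash-chain step (assumed SHA-256): the key for mail i+1 is H(key_i)."""
    return hashlib.sha256(key).digest()


def sign(key, data):
    """Signature over body plus ID line (assumed HMAC-SHA256, hex encoded)."""
    return hmac.new(key, data.encode(), hashlib.sha256).hexdigest()


class TrailSender:
    """Composes the mails of one trail, i.e. one run of the monitor on one host."""

    def __init__(self, hostname, trail_id=None, initial_key=None):
        self.hostname = hostname
        self.trail_id = trail_id or os.urandom(4).hex()
        self.key = self.initial_key = initial_key or os.urandom(32)
        self.seq = 0

    def compose(self, messages):
        lines = list(messages)
        if self.seq == 0:  # reveal the initial key once; samhain wraps it in a one-time pad
            lines.append("KEY " + self.initial_key.hex())
        body = "\n".join(lines)
        id_line = "ID %s-%d:%s" % (self.trail_id, self.seq, self.hostname)
        signature = sign(self.key, body + "\n" + id_line)
        self.key, self.seq = next_key(self.key), self.seq + 1  # advance the chain
        return "\n".join([BEGIN, body, SIG, signature, id_line, END]) + "\n"


def parse_mail(text):
    """Split one mail into (body, signature, id_line, trail, seq, host) per the layout."""
    lines = text.strip().split("\n")
    well_formed = (len(lines) >= 6 and lines[0] == BEGIN and lines[-1] == END
                   and lines[-4] == SIG and lines[-2].startswith("ID "))
    if not well_formed:
        raise ValueError("malformed mail")
    trail_seq, _, host = lines[-2][3:].partition(":")
    trail, _, seq = trail_seq.rpartition("-")
    return "\n".join(lines[1:-4]), lines[-3], lines[-2], trail, int(seq), host


def verify_mailbox(mails):
    """Group a mailbox by (trail, host), walk each chain in sequence order and
    return {(trail, host): (ok, reason)}."""
    trails, results = defaultdict(list), {}
    for text in mails:
        try:
            body, signature, id_line, trail, seq, host = parse_mail(text)
        except ValueError as err:
            results[("unparsable", "")] = (False, str(err))
            continue
        trails[(trail, host)].append((seq, body, signature, id_line))
    for ident, items in trails.items():
        items.sort()  # the sequence number in the ID line orders the trail
        chain_key, verdict = None, (True, "%d mails verified" % len(items))
        for expected, (seq, body, signature, id_line) in enumerate(items):
            if seq != expected:
                verdict = (False, "gap: expected mail %d, found %d" % (expected, seq))
                break
            if expected == 0:  # the first mail must carry the initial key
                keys = [l[4:] for l in body.split("\n") if l.startswith("KEY ")]
                if not keys:
                    verdict = (False, "first mail lacks the initial key")
                    break
                chain_key = bytes.fromhex(keys[-1])
            if not hmac.compare_digest(signature, sign(chain_key, body + "\n" + id_line)):
                verdict = (False, "signature mismatch on mail %d" % seq)
                break
            chain_key = next_key(chain_key)
        results[ident] = verdict
    return results


def demo():
    """Constructed three-mail trail: verify it intact, tampered, and with a mail removed."""
    sender = TrailSender("host.some_domain.com", trail_id="deadbeef", initial_key=b"\x01" * 32)
    mails = [sender.compose(["CRIT msg=POLICY MISSING path=/etc/passwd"]),
             sender.compose(["WARN msg=POLICY MODIFIED path=/bin/ls", "INFO msg=LOGKEY"]),
             sender.compose(["ALERT msg=EXIT program=Samhain"])]
    ident = ("deadbeef", "host.some_domain.com")
    intact = verify_mailbox(mails)[ident]
    tampered = verify_mailbox([mails[0], mails[1].replace("/bin/ls", "/bin/sh"), mails[2]])[ident]
    gapped = verify_mailbox([mails[0], mails[2]])[ident]
    return intact, tampered, gapped


if __name__ == "__main__":
    for name, (ok, why) in zip(("intact", "tampered", "gapped"), demo()):
        print(name + ":", "OK" if ok else "FAIL", "(" + why + ")")
```
</pre><p><code>demo()</code> returns the verdicts for an intact copy of the trail, a copy whose second mail was altered after signing, and a copy with the second mail removed; the altered mail fails on its signature, the missing one on the sequence number before any signature is checked. In this model the initial key travels in plaintext, so the chain catches corruption, truncation and gaps but not a forger who has read the first mail; in samhain's scheme the one-time pad tied to the compiled-in key is what keeps the initial key from such a reader, which is also why verification depends on the verifying executable having the same key.</p><p>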
<span class="emphasis"><em>To verify the integrity</em></span> of an e-mail
audit trail, a convenience function is provided:</p><p>
<span class="command"><strong>samhain -M
<em class="replaceable"><code>/mailbox/file/path</code></em></strong></span>
</p><p>The mailbox file may contain multiple and/or
overlapping audit trails from different runs of
<span class="application">samhain</span> and/or
different clients (hosts).</p></td></tr></table></div><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><table border="0" summary="Warning: CAVEATS"><tr><td rowspan="2" align="center" valign="top" width="25"><img alt="[Warning]" src="stylesheet-images/warning.png"></td><th align="left">CAVEATS</th></tr><tr><td align="left" valign="top"><p>Verification will fail if the compiled-in key of
the verifying executable is different from the one that
generated the message(s) (see
<a class="xref" href="keypad.html" title="2. Integrity of the samhain executable">Section 2</a> ).</p><p>If you use a pre-compiled executable from some
binary distribution, be sure to read
<a class="xref" href="keypad.html" title="2. Integrity of the samhain executable">Section 2</a> carefully.</p></td></tr></table></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="thresholds.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="basic-configuration.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="trustedexample.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">3. Activating logging facilities and filtering
messages </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> 5. Log file</td></tr></table></div><!--#if expr="! ($HTTP_USER_AGENT = /MSIE/)"--><!--#include virtual="/resources/ssi/footer.html"--><!--#endif--></body></html>