1 | #####################################################################
|
---|
2 | #
|
---|
3 | # Configuration file template for samhain.
|
---|
4 | #
|
---|
5 | #####################################################################
|
---|
6 | #
|
---|
7 | # -- empty lines and lines starting with '#', ';' or '//' are ignored
|
---|
8 | # -- boolean options can be Yes/No or True/False or 1/0
|
---|
9 | # -- you can PGP clearsign this file -- samhain will check (if compiled
|
---|
10 | # with support) or otherwise ignore the signature
|
---|
11 | # -- CHECK mail address
|
---|
12 | #
|
---|
13 | # To each log facility, you can assign a threshold severity. Only
|
---|
14 | # reports with at least the threshold severity will be logged
|
---|
15 | # to the respective facility (even further below).
|
---|
16 | #
|
---|
17 | #####################################################################
|
---|
18 | #
|
---|
19 | # SETUP for file system checking:
|
---|
20 | #
|
---|
21 | # (i) There are several policies, each has its own section. Put files
|
---|
22 | # into the section for the appropriate policy (see below).
|
---|
23 | # (ii) Section [EventSeverity]:
|
---|
24 | # To each policy, you can assign a severity (further below).
|
---|
25 | # (iii) Section [Log]:
|
---|
26 | # To each log facility, you can assign a threshold severity. Only
|
---|
27 | # reports with at least the threshold severity will be logged
|
---|
28 | # to the respective facility (even further below).
|
---|
29 | #
|
---|
30 | #####################################################################
|
---|
31 |
|
---|
32 | #####################################################################
|
---|
33 | #
|
---|
34 | # Files are defined with: file = /absolute/path
|
---|
35 | #
|
---|
36 | # Directories are defined with: dir = /absolute/path
|
---|
37 | # or with an optional recursion depth (N <= 99): dir = N/absolute/path
|
---|
38 | #
|
---|
39 | # Directory inodes are checked. If you only want to check files
|
---|
40 | # in a directory, but not the directory inode itself, use (e.g.):
|
---|
41 | #
|
---|
42 | # [ReadOnly]
|
---|
43 | # dir = /some/directory
|
---|
44 | # [IgnoreAll]
|
---|
45 | # file = /some/directory
|
---|
46 | #
|
---|
47 | # You can use shell-style globbing patterns, like: file = /path/foo*
|
---|
48 | #
|
---|
49 | ######################################################################
|
---|
50 |
|
---|
51 | [Misc]
|
---|
52 | ##
|
---|
53 | ## Add or subtract tests from the policies
|
---|
54 | ## - if you want to change their definitions,
|
---|
55 | ## you need to do that before using the policies
|
---|
56 | ##
|
---|
57 | # RedefReadOnly = (no default)
|
---|
58 | # RedefAttributes=(no default)
|
---|
59 | # RedefLogFiles=(no default)
|
---|
60 | # RedefGrowingLogFiles=(no default)
|
---|
61 | # RedefIgnoreAll=(no default)
|
---|
62 | # RedefIgnoreNone=(no default)
|
---|
63 |
|
---|
64 | # RedefUser0=(no default)
|
---|
65 | # RedefUser1=(no default)
|
---|
66 |
|
---|
67 | #
|
---|
68 | # --------- / --------------
|
---|
69 | #
|
---|
70 |
|
---|
71 | [ReadOnly]
|
---|
72 | dir = 0/
|
---|
73 |
|
---|
74 | [Attributes]
|
---|
75 | file = /tmp
|
---|
76 | file = /dev
|
---|
77 | file = /media
|
---|
78 | file = /proc
|
---|
79 | file = /sys
|
---|
80 |
|
---|
81 | #
|
---|
82 | # --------- /etc -----------
|
---|
83 | #
|
---|
84 |
|
---|
85 | [ReadOnly]
|
---|
86 | ##
|
---|
87 | ## for these files, only access time is ignored
|
---|
88 | ##
|
---|
89 | dir = 99/etc
|
---|
90 |
|
---|
91 | [Attributes]
|
---|
92 | ##
|
---|
93 | ## check permission and ownership
|
---|
94 | ##
|
---|
95 | file = /etc/mtab
|
---|
96 | file = /etc/adjtime
|
---|
97 | file = /etc/motd
|
---|
98 | file = /etc/lvm/.cache
|
---|
99 |
|
---|
100 | # On Ubuntu, these are in /var/lib rather than /etc
|
---|
101 | file = /etc/cups/certs
|
---|
102 | file = /etc/cups/certs/0
|
---|
103 |
|
---|
104 | # managed by fstab-sync on Fedora Core
|
---|
105 | file = /etc/fstab
|
---|
106 |
|
---|
107 | # modified when booting
|
---|
108 | file = /etc/sysconfig/hwconf
|
---|
109 |
|
---|
110 | # There are files in /etc that might change, thus changing the directory
|
---|
111 | # timestamps. Put it here as 'file', and in the ReadOnly section as 'dir'.
|
---|
112 |
|
---|
113 | file = /etc
|
---|
114 |
|
---|
115 | #
|
---|
116 | # --------- /boot -----------
|
---|
117 | #
|
---|
118 |
|
---|
119 | [ReadOnly]
|
---|
120 | dir = 99/boot
|
---|
121 |
|
---|
122 | #
|
---|
123 | # --------- /bin, /sbin -----------
|
---|
124 | #
|
---|
125 |
|
---|
126 | [Prelink]
|
---|
127 | dir = 99/bin
|
---|
128 | dir = 99/sbin
|
---|
129 |
|
---|
130 | #
|
---|
131 | # --------- /lib -----------
|
---|
132 | #
|
---|
133 |
|
---|
134 | [Prelink]
|
---|
135 | dir = 99/lib
|
---|
136 | dir = 99/lib64
|
---|
137 |
|
---|
138 | [ReadOnly]
|
---|
139 | dir = 99/lib/modules
|
---|
140 | dir = 99/usr/lib/locale
|
---|
141 | dir = 99/usr/X11R6/lib/X11/xfig
|
---|
142 | dir = 99/usr/X11R6/lib64/X11/xfig
|
---|
143 |
|
---|
144 | #
|
---|
145 | # --------- /dev -----------
|
---|
146 | #
|
---|
147 |
|
---|
148 | [Attributes]
|
---|
149 | dir = 99/dev
|
---|
150 |
|
---|
151 | [IgnoreAll]
|
---|
152 | ##
|
---|
153 | ## pseudo terminals are created/removed as needed
|
---|
154 | ##
|
---|
155 | dir = -1/dev/pts
|
---|
156 |
|
---|
157 | # dir = -1/dev/.udevdb
|
---|
158 |
|
---|
159 | file = /dev/ppp
|
---|
160 |
|
---|
161 | #
|
---|
162 | # --------- /usr -----------
|
---|
163 | #
|
---|
164 |
|
---|
165 | [ReadOnly]
|
---|
166 | dir = 99/usr
|
---|
167 |
|
---|
168 | [Prelink]
|
---|
169 | dir = 99/usr/lib
|
---|
170 | dir = 99/usr/lib64
|
---|
171 | dir = 99/usr/bin
|
---|
172 | dir = 99/usr/sbin
|
---|
173 | dir = 99/usr/X11R6/bin
|
---|
174 | dir = 99/usr/kerberos/bin
|
---|
175 | dir = 99/usr/games
|
---|
176 | dir = 99/usr/libexec
|
---|
177 | dir = 99/usr/X11R6/lib
|
---|
178 | dir = 99/usr/X11R6/lib64
|
---|
179 | dir = 99/usr/kerberos/lib
|
---|
180 | dir = 99/usr/kerberos/lib64
|
---|
181 | dir = 99/usr/X11R6/LessTif
|
---|
182 |
|
---|
183 | #
|
---|
184 | # --------- /var -----------
|
---|
185 | #
|
---|
186 |
|
---|
187 | [ReadOnly]
|
---|
188 | dir = 99/var
|
---|
189 |
|
---|
190 | [Prelink]
|
---|
191 | dir = 99/var/ftp/bin
|
---|
192 | dir = 99/var/ftp/lib
|
---|
193 | dir = 99/var/ftp/lib64
|
---|
194 |
|
---|
195 | [IgnoreAll]
|
---|
196 | dir = -1/var/cache
|
---|
197 | dir = -1/var/backups
|
---|
198 | dir = -1/var/games
|
---|
199 | dir = -1/var/gdm
|
---|
200 | dir = -1/var/lock
|
---|
201 | dir = -1/var/mail
|
---|
202 | dir = -1/var/run
|
---|
203 | dir = -1/var/spool
|
---|
204 | dir = -1/var/tmp
|
---|
205 | dir = -1/var/lib/texmf
|
---|
206 | dir = -1/var/lib/scrollkeeper
|
---|
207 |
|
---|
208 |
|
---|
209 | [Attributes]
|
---|
210 |
|
---|
211 | dir = /var/lib/nfs
|
---|
212 | dir = /var/lib/pcmcia
|
---|
213 |
|
---|
214 | # /var/lib/rpm changes if packets are installed;
|
---|
215 | # /var/lib/rpm/__db.00[123] even more frequently
|
---|
216 | file = /var/lib/rpm/__db.00?
|
---|
217 |
|
---|
218 | file = /var/lib/acpi-support/vbestate
|
---|
219 | file = /var/lib/alsa/asound.state
|
---|
220 | file = /var/lib/apt/lists/lock
|
---|
221 | file = /var/lib/apt/lists/partial
|
---|
222 | file = /var/lib/cups/certs
|
---|
223 | file = /var/lib/cups/certs/0
|
---|
224 | file = /var/lib/dpkg/lock
|
---|
225 | file = /var/lib/gdm
|
---|
226 | file = /var/lib/gdm/.cookie
|
---|
227 | file = /var/lib/gdm/.gdmfifo
|
---|
228 | file = /var/lib/gdm/:0.Xauth
|
---|
229 | file = /var/lib/gdm/:0.Xservers
|
---|
230 | file = /var/lib/logrotate/status
|
---|
231 | file = /var/lib/mysql
|
---|
232 | file = /var/lib/mysql/ib_logfile0
|
---|
233 | file = /var/lib/mysql/ibdata1
|
---|
234 | file = /var/lib/slocate
|
---|
235 | file = /var/lib/slocate/slocate.db
|
---|
236 | file = /var/lib/slocate/slocate.db.tmp
|
---|
237 | file = /var/lib/urandom
|
---|
238 | file = /var/lib/urandom/random-seed
|
---|
239 | file = /var/lib/random-seed
|
---|
240 | file = /var/lib/xkb
|
---|
241 |
|
---|
242 |
|
---|
243 | [GrowingLogFiles]
|
---|
244 | ##
|
---|
245 | ## For these files, changes in signature, timestamps, and increase in size
|
---|
246 | ## are ignored. Logfile rotation will cause a report because of shrinking
|
---|
247 | ## size and different inode.
|
---|
248 | ##
|
---|
249 | dir = 99/var/log
|
---|
250 |
|
---|
251 | [Attributes]
|
---|
252 | #
|
---|
253 | # rotated logs will change inode
|
---|
254 | #
|
---|
255 | #file = /var/log/*.[0-9].gz
|
---|
256 | #file = /var/log/*.[0-9].log
|
---|
257 | file = /var/log/*.[0-9]
|
---|
258 | #file = /var/log/*.old
|
---|
259 | #file = /var/log/*/*.[0-9].gz
|
---|
260 | #file = /var/log/*/*.[0-9][0-9].gz
|
---|
261 | #file = /var/log/*/*.log.[0-9]
|
---|
262 |
|
---|
263 | [Misc]
|
---|
264 | #
|
---|
265 | # Various naming schemes for rotated logs
|
---|
266 | #
|
---|
267 | IgnoreAdded = /var/log/.*\.[0-9]+$
|
---|
268 | IgnoreAdded = /var/log/.*\.[0-9]+\.gz$
|
---|
269 | IgnoreAdded = /var/log/.*\.[0-9]+\.log$
|
---|
270 | #
|
---|
271 | # Subdirectories
|
---|
272 | #
|
---|
273 | IgnoreAdded = /var/log/[[:alnum:]]+/.*\.[0-9]+$
|
---|
274 | IgnoreAdded = /var/log/[[:alnum:]]+/.*\.[0-9]+\.gz$
|
---|
275 | IgnoreAdded = /var/log/[[:alnum:]]+/.*\.[0-9]+\.log$
|
---|
276 | #
|
---|
277 | IgnoreAdded = /var/lib/slocate/slocate.db.tmp
|
---|
278 | IgnoreMissing = /var/lib/slocate/slocate.db.tmp
|
---|
279 |
|
---|
280 | #
|
---|
281 | # --------- other policies -----------
|
---|
282 | #
|
---|
283 |
|
---|
284 | [IgnoreNone]
|
---|
285 | ##
|
---|
286 | ## for these files, all modifications (even access time) are reported
|
---|
287 | ## - you may create some interesting-looking file (like /etc/safe_passwd),
|
---|
288 | ## just to watch whether someone will access it ...
|
---|
289 | ##
|
---|
290 |
|
---|
291 | [Prelink]
|
---|
292 | ##
|
---|
293 | ## Use for prelinked files or directories holding them
|
---|
294 | ##
|
---|
295 |
|
---|
296 | [User0]
|
---|
297 | [User1]
|
---|
298 | ## User0 and User1 are sections for files/dirs with user-definable checking
|
---|
299 | ## (see the manual)
|
---|
300 |
|
---|
301 |
|
---|
302 |
|
---|
303 | [EventSeverity]
|
---|
304 | ##
|
---|
305 | ## Here you can assign severities to policy violations.
|
---|
306 | ## If this severity exceeds the treshold of a log facility (see below),
|
---|
307 | ## a policy violation will be logged to that facility.
|
---|
308 | ##
|
---|
309 | ## Severity for verification failures.
|
---|
310 | ##
|
---|
311 | # SeverityReadOnly=crit
|
---|
312 | # SeverityLogFiles=crit
|
---|
313 | # SeverityGrowingLogs=crit
|
---|
314 | # SeverityIgnoreNone=crit
|
---|
315 | # SeverityAttributes=crit
|
---|
316 | # SeverityUser0=crit
|
---|
317 | # SeverityUser1=crit
|
---|
318 | # SeverityIgnoreAll=crit
|
---|
319 |
|
---|
320 |
|
---|
321 | ## Files : file access problems
|
---|
322 | # SeverityFiles=crit
|
---|
323 |
|
---|
324 | ## Dirs : directory access problems
|
---|
325 | # SeverityDirs=crit
|
---|
326 |
|
---|
327 | ## Names : suspect (non-printable) characters in a pathname
|
---|
328 | # SeverityNames=crit
|
---|
329 |
|
---|
330 | [Log]
|
---|
331 | ##
|
---|
332 | ## Switch on/OFF log facilities and set their threshold severity
|
---|
333 | ##
|
---|
334 | ## Values: debug, info, notice, warn, mark, err, crit, alert, none.
|
---|
335 | ## 'mark' is used for timestamps.
|
---|
336 | ##
|
---|
337 | ##
|
---|
338 | ## Use 'none' to SWITCH OFF a log facility
|
---|
339 | ##
|
---|
340 | ## By default, everything equal to and above the threshold is logged.
|
---|
341 | ## The specifiers '*', '!', and '=' are interpreted as
|
---|
342 | ## 'all', 'all but', and 'only', respectively (like syslogd(8) does,
|
---|
343 | ## at least on Linux). Examples:
|
---|
344 | ## MailSeverity=*
|
---|
345 | ## MailSeverity=!warn
|
---|
346 | ## MailSeverity==crit
|
---|
347 |
|
---|
348 | ## E-mail
|
---|
349 | ##
|
---|
350 | # MailSeverity=none
|
---|
351 |
|
---|
352 | ## Console
|
---|
353 | ##
|
---|
354 | # PrintSeverity=info
|
---|
355 |
|
---|
356 | ## Logfile
|
---|
357 | ##
|
---|
358 | # LogSeverity=mark
|
---|
359 |
|
---|
360 | ## Syslog
|
---|
361 | ##
|
---|
362 | # SyslogSeverity=none
|
---|
363 |
|
---|
364 | ## Remote server (yule)
|
---|
365 | ##
|
---|
366 | # ExportSeverity=none
|
---|
367 |
|
---|
368 | ## External script or program
|
---|
369 | ##
|
---|
370 | # ExternalSeverity = none
|
---|
371 |
|
---|
372 | ## Logging to a database
|
---|
373 | ##
|
---|
374 | # DatabaseSeverity = none
|
---|
375 |
|
---|
376 | ## Logging to a Prelude-IDS
|
---|
377 | ##
|
---|
378 | PreludeSeverity = crit
|
---|
379 | PreludeClass= EVENT
|
---|
380 |
|
---|
381 |
|
---|
382 |
|
---|
383 | #####################################################
|
---|
384 | #
|
---|
385 | # Optional modules
|
---|
386 | #
|
---|
387 | #####################################################
|
---|
388 |
|
---|
389 | # [SuidCheck]
|
---|
390 | ##
|
---|
391 | ## --- Check the filesystem for SUID/SGID binaries
|
---|
392 | ##
|
---|
393 |
|
---|
394 | ## Switch on
|
---|
395 | #
|
---|
396 | # SuidCheckActive = yes
|
---|
397 |
|
---|
398 | ## Interval for check (seconds)
|
---|
399 | #
|
---|
400 | # SuidCheckInterval = 7200
|
---|
401 |
|
---|
402 | ## Alternative: crontab-like schedule
|
---|
403 | #
|
---|
404 | # SuidCheckSchedule = NULL
|
---|
405 |
|
---|
406 | ## Directory to exclude
|
---|
407 | #
|
---|
408 | # SuidCheckExclude = NULL
|
---|
409 |
|
---|
410 | ## Limit on files per second (0 == no limit)
|
---|
411 | #
|
---|
412 | # SuidCheckFps = 0
|
---|
413 |
|
---|
414 | ## Alternative: yield after every file
|
---|
415 | #
|
---|
416 | # SuidCheckYield = no
|
---|
417 |
|
---|
418 | ## Severity of a detection
|
---|
419 | #
|
---|
420 | # SeveritySuidCheck = crit
|
---|
421 |
|
---|
422 | ## Quarantine SUID/SGID files if found
|
---|
423 | #
|
---|
424 | # SuidCheckQuarantineFiles = yes
|
---|
425 |
|
---|
426 | ## Method for Quarantining files:
|
---|
427 | # 0 - Delete or truncate the file.
|
---|
428 | # 1 - Remove SUID/SGID permissions from file.
|
---|
429 | # 2 - Move SUID/SGID file to quarantine dir.
|
---|
430 | #
|
---|
431 | # SuidCheckQuarantineMethod = 0
|
---|
432 |
|
---|
433 | ## For method 1 and 3, really delete instead of truncating
|
---|
434 | #
|
---|
435 | # SuidCheckQuarantineDelete = yes
|
---|
436 |
|
---|
437 | #[Kernel]
|
---|
438 | ##
|
---|
439 | ## --- Check for loadable kernel module rootkits (Linux/FreeBSD only)
|
---|
440 | ##
|
---|
441 |
|
---|
442 | ## Switch on/off
|
---|
443 | #
|
---|
444 | # KernelCheckActive = True
|
---|
445 |
|
---|
446 | ## Check interval (seconds); btw., the check is VERY fast
|
---|
447 | #
|
---|
448 | # KernelCheckInterval = 300
|
---|
449 |
|
---|
450 | ## Severity
|
---|
451 | #
|
---|
452 | # SeverityKernel = crit
|
---|
453 |
|
---|
454 |
|
---|
455 | # [Utmp]
|
---|
456 | ##
|
---|
457 | ## --- Logging of login/logout events
|
---|
458 | ##
|
---|
459 |
|
---|
460 | ## Switch on/off
|
---|
461 | #
|
---|
462 | # LoginCheckActive = True
|
---|
463 |
|
---|
464 | ## Severity for logins, multiple logins, logouts
|
---|
465 | #
|
---|
466 | # SeverityLogin=info
|
---|
467 | # SeverityLoginMulti=warn
|
---|
468 | # SeverityLogout=info
|
---|
469 |
|
---|
470 | ## Interval for login/logout checks
|
---|
471 | #
|
---|
472 | # LoginCheckInterval = 300
|
---|
473 |
|
---|
474 |
|
---|
475 | # [Database]
|
---|
476 | ##
|
---|
477 | ## --- Logging to a relational database
|
---|
478 | ##
|
---|
479 |
|
---|
480 | ## Database name
|
---|
481 | #
|
---|
482 | # SetDBName = samhain
|
---|
483 |
|
---|
484 | ## Database table
|
---|
485 | #
|
---|
486 | # SetDBTable = log
|
---|
487 |
|
---|
488 | ## Database user
|
---|
489 | #
|
---|
490 | # SetDBUser = samhain
|
---|
491 |
|
---|
492 | ## Database password
|
---|
493 | #
|
---|
494 | # SetDBPassword = (default: none)
|
---|
495 |
|
---|
496 | ## Database host
|
---|
497 | #
|
---|
498 | # SetDBHost = localhost
|
---|
499 |
|
---|
500 | ## Log the server timestamp for received messages
|
---|
501 | #
|
---|
502 | # SetDBServerTstamp = True
|
---|
503 |
|
---|
504 | ## Use a persistent connection
|
---|
505 | #
|
---|
506 | # UsePersistent = True
|
---|
507 |
|
---|
508 | # [External]
|
---|
509 | ##
|
---|
510 | ## Interface to call external scripts/programs for logging
|
---|
511 | ##
|
---|
512 |
|
---|
513 | ## The absolute path to the command
|
---|
514 | ## - Each invocation of this directive will end the definition of the
|
---|
515 | ## preceding command, and start the definition of
|
---|
516 | ## an additional, new command
|
---|
517 | #
|
---|
518 | # OpenCommand = (no default)
|
---|
519 |
|
---|
520 | ## Type (log or rv)
|
---|
521 | ## - log for log messages, srv for messages received by the server
|
---|
522 | #
|
---|
523 | # SetType = log
|
---|
524 |
|
---|
525 | ## The command (full command line) to execute
|
---|
526 | #
|
---|
527 | # SetCommandLine = (no default)
|
---|
528 |
|
---|
529 | ## The environment (KEY=value; repeat for more)
|
---|
530 | #
|
---|
531 | # SetEnviron = TZ=(your timezone)
|
---|
532 |
|
---|
533 | ## The TIGER192 checksum (optional)
|
---|
534 | #
|
---|
535 | # SetChecksum = (no default)
|
---|
536 |
|
---|
537 | ## User who runs the command
|
---|
538 | #
|
---|
539 | # SetCredentials = (default: samhain process uid)
|
---|
540 |
|
---|
541 | ## Words not allowed in message
|
---|
542 | #
|
---|
543 | # SetFilterNot = (none)
|
---|
544 |
|
---|
545 | ## Words required (ALL of them)
|
---|
546 | #
|
---|
547 | # SetFilterAnd = (none)
|
---|
548 |
|
---|
549 | ## Words required (at least one)
|
---|
550 | #
|
---|
551 | # SetFilterOr = (none)
|
---|
552 |
|
---|
553 | ## Deadtime between consecutive calls
|
---|
554 | #
|
---|
555 | # SetDeadtime = 0
|
---|
556 |
|
---|
557 | ## Add default environment (HOME, PATH, SHELL)
|
---|
558 | #
|
---|
559 | # SetDefault = no
|
---|
560 |
|
---|
561 |
|
---|
562 | #####################################################
|
---|
563 | #
|
---|
564 | # Miscellaneous configuration options
|
---|
565 | #
|
---|
566 | #####################################################
|
---|
567 |
|
---|
568 | [Misc]
|
---|
569 |
|
---|
570 | ## whether to become a daemon process
|
---|
571 | ## (this is not honoured on database initialisation)
|
---|
572 | #
|
---|
573 | # Daemon = no
|
---|
574 | Daemon = yes
|
---|
575 |
|
---|
576 | ## whether to test signature of files (init/check/none)
|
---|
577 | ## - if 'none', then we have to decide this on the command line -
|
---|
578 | #
|
---|
579 | # ChecksumTest = none
|
---|
580 | ChecksumTest=check
|
---|
581 |
|
---|
582 | ## Set nice level (-19 to 19, see 'man nice'),
|
---|
583 | ## and I/O limit (kilobytes per second; 0 == off)
|
---|
584 | ## to reduce load on host.
|
---|
585 | #
|
---|
586 | # SetNiceLevel = 0
|
---|
587 | # SetIOLimit = 0
|
---|
588 |
|
---|
589 | ## The version string to embed in file signature databases
|
---|
590 | #
|
---|
591 | # VersionString = NULL
|
---|
592 |
|
---|
593 | ## Interval between time stamp messages
|
---|
594 | #
|
---|
595 | # SetLoopTime = 60
|
---|
596 | SetLoopTime = 600
|
---|
597 |
|
---|
598 | ## Interval between file checks
|
---|
599 | #
|
---|
600 | # SetFileCheckTime = 600
|
---|
601 | SetFileCheckTime = 7200
|
---|
602 |
|
---|
603 | ## Alternative: crontab-like schedule
|
---|
604 | #
|
---|
605 | # FileCheckScheduleOne = NULL
|
---|
606 |
|
---|
607 | ## Alternative: crontab-like schedule(2)
|
---|
608 | #
|
---|
609 | # FileCheckScheduleTwo = NULL
|
---|
610 |
|
---|
611 | ## Report only once on modified fles
|
---|
612 | ## Setting this to 'FALSE' will generate a report for any policy
|
---|
613 | ## violation (old and new ones) each time the daemon checks the file system.
|
---|
614 | #
|
---|
615 | # ReportOnlyOnce = True
|
---|
616 |
|
---|
617 | ## Report in full detail
|
---|
618 | #
|
---|
619 | # ReportFullDetail = False
|
---|
620 |
|
---|
621 | ## Report file timestamps in local time rather than GMT
|
---|
622 | #
|
---|
623 | # UseLocalTime = No
|
---|
624 |
|
---|
625 | ## The console device (can also be a file or named pipe)
|
---|
626 | ## - There are two console devices. Accordingly, you can use
|
---|
627 | ## this directive a second time to set the second console device.
|
---|
628 | ## If you have not defined the second device at compile time,
|
---|
629 | ## and you don't want to use it, then:
|
---|
630 | ## setting it to /dev/null is less effective than just leaving
|
---|
631 | ## it alone (setting to /dev/null will waste time by opening
|
---|
632 | ## /dev/null and writing to it)
|
---|
633 | #
|
---|
634 | # SetConsole = /dev/console
|
---|
635 |
|
---|
636 | ## Activate the SysV IPC message queue
|
---|
637 | #
|
---|
638 | # MessageQueueActive = False
|
---|
639 |
|
---|
640 |
|
---|
641 | ## If false, skip reverse lookup when connecting to a host known
|
---|
642 | ## by name rather than IP address (i.e. trust the DNS)
|
---|
643 | #
|
---|
644 | # SetReverseLookup = True
|
---|
645 |
|
---|
646 | ## --- E-Mail ---
|
---|
647 |
|
---|
648 | # Only highest-level (alert) reports will be mailed immediately,
|
---|
649 | # others will be queued. Here you can define, when the queue will
|
---|
650 | # be flushed (Note: the queue is automatically flushed after
|
---|
651 | # completing a file check).
|
---|
652 | #
|
---|
653 | # SetMailTime = 86400
|
---|
654 |
|
---|
655 | ## Maximum number of mails to queue
|
---|
656 | #
|
---|
657 | # SetMailNum = 10
|
---|
658 |
|
---|
659 | ## Recipient (max. 8)
|
---|
660 | #
|
---|
661 | # SetMailAddress=root@localhost
|
---|
662 |
|
---|
663 | ## Mail relay (IP address)
|
---|
664 | #
|
---|
665 | # SetMailRelay = NULL
|
---|
666 |
|
---|
667 | ## Custom subject format
|
---|
668 | #
|
---|
669 | # MailSubject = NULL
|
---|
670 |
|
---|
671 | ## --- end E-Mail ---
|
---|
672 |
|
---|
673 | ## Path to the prelink executable
|
---|
674 | #
|
---|
675 | # SetPrelinkPath = /usr/sbin/prelink
|
---|
676 |
|
---|
677 | ## TIGER192 checksum of the prelink executable
|
---|
678 | #
|
---|
679 | # SetPrelinkChecksum = (no default)
|
---|
680 |
|
---|
681 |
|
---|
682 | ## Path to the executable. If set, will be checksummed after startup
|
---|
683 | ## and before exit.
|
---|
684 | #
|
---|
685 | # SamhainPath = (no default)
|
---|
686 |
|
---|
687 |
|
---|
688 | ## The IP address of the log server
|
---|
689 | #
|
---|
690 | # SetLogServer = (default: compiled-in)
|
---|
691 |
|
---|
692 | ## The IP address of the time server
|
---|
693 | #
|
---|
694 | # SetTimeServer = (default: compiled-in)
|
---|
695 |
|
---|
696 | ## Trusted Users (comma delimited list of user names)
|
---|
697 | #
|
---|
698 | # TrustedUser = (no default; this adds to the compiled-in list)
|
---|
699 |
|
---|
700 | ## Path to the file signature database
|
---|
701 | #
|
---|
702 | # SetDatabasePath = (default: compiled-in)
|
---|
703 |
|
---|
704 | ## Path to the log file
|
---|
705 | #
|
---|
706 | # SetLogfilePath = (default: compiled-in)
|
---|
707 |
|
---|
708 | ## Path to the PID file
|
---|
709 | #
|
---|
710 | # SetLockPath = (default: compiled-in)
|
---|
711 |
|
---|
712 |
|
---|
713 | ## The digest/checksum/hash algorithm
|
---|
714 | #
|
---|
715 | # DigestAlgo = TIGER192
|
---|
716 |
|
---|
717 |
|
---|
718 | ## Custom format for message header.
|
---|
719 | ## CAREFUL if you use XML logfile format.
|
---|
720 | ##
|
---|
721 | ## %S severity
|
---|
722 | ## %T timestamp
|
---|
723 | ## %C class
|
---|
724 | ##
|
---|
725 | ## %F source file
|
---|
726 | ## %L source line
|
---|
727 | #
|
---|
728 | # MessageHeader="%S %T "
|
---|
729 |
|
---|
730 |
|
---|
731 | ## Don't log path to config/database file on startup
|
---|
732 | #
|
---|
733 | # HideSetup = False
|
---|
734 |
|
---|
735 | ## The syslog facility, if you log to syslog
|
---|
736 | #
|
---|
737 | # SyslogFacility = LOG_AUTHPRIV
|
---|
738 | SyslogFacility=LOG_LOCAL2
|
---|
739 |
|
---|
740 | ## The message authentication method
|
---|
741 | ## - If you change this, you *must* change it
|
---|
742 | ## on client *and* server
|
---|
743 | #
|
---|
744 | # MACType = HMAC-TIGER
|
---|
745 |
|
---|
746 |
|
---|
747 | ## The Prelude-IDS profile to use for reporting
|
---|
748 | ## default value is "samhain"
|
---|
749 | #
|
---|
750 | PreludeProfile = samhain
|
---|
751 |
|
---|
752 | ## Map these samhain severities to impact severity 'info' severity
|
---|
753 | #
|
---|
754 | # PreludeMapToInfo =
|
---|
755 |
|
---|
756 | ## Map these samhain severities to impact severity 'low' severity
|
---|
757 | #
|
---|
758 | # PreludeMapToLow = debug info
|
---|
759 |
|
---|
760 | ## Map these samhain severities to impact severity 'medium' severity
|
---|
761 | #
|
---|
762 | # PreludeMapToMedium = notice warn err
|
---|
763 |
|
---|
764 | ## Map these samhain severities to impact severity 'high' severity
|
---|
765 | #
|
---|
766 | # PreludeMapToHigh = crit alert
|
---|
767 |
|
---|
768 |
|
---|
769 | ## everything below is ignored
|
---|
770 | [EOF]
|
---|
771 |
|
---|
772 | #####################################################################
|
---|
773 | # This would be the proper syntax for parts that should only be
|
---|
774 | # included for certain hosts.
|
---|
775 | # You may enclose anything in a @HOSTNAME/@end bracket, as long as the
|
---|
776 | # result still has the proper syntax for the config file.
|
---|
777 | # You may have any number of @HOSTNAME/@end brackets.
|
---|
778 | # HOSTNAME should be the fully qualified 'official' name
|
---|
779 | # (e.g. 'nixon.watergate.com', not 'nixon'), no aliases.
|
---|
780 | # No IP number - except if samhain cannot determine the
|
---|
781 | # fully qualified hostname.
|
---|
782 | #
|
---|
783 | # @HOSTNAME
|
---|
784 | # file=/foo/bar
|
---|
785 | # @end
|
---|
786 | #
|
---|
787 | # These are two examples for conditional inclusion/exclusion
|
---|
788 | # of a machine based on the output from 'uname -srm'
|
---|
789 | # $Linux:2.*.7:i666
|
---|
790 | # file=/foo/bar3
|
---|
791 | # $end
|
---|
792 | #
|
---|
793 | # !$Linux:2.*.7:i686
|
---|
794 | # file=/foo/bar2
|
---|
795 | # $end
|
---|
796 | #
|
---|
797 | #####################################################################
|
---|