Ticket #60: samhainrc

1#####################################################################
2#
3# Configuration file template for samhain.
4#
5#####################################################################
6#
7# -- empty lines and lines starting with '#', ';' or '//' are ignored
8# -- boolean options can be Yes/No or True/False or 1/0
9# -- you can PGP clearsign this file -- samhain verifies the signature only
10# if compiled with signature support; otherwise the signature is ignored (and the file is used without verification)
11# -- CHECK the mail address (SetMailAddress in [Misc], further below) before use
12#
13# To each log facility, you can assign a threshold severity. Only
14# reports with at least the threshold severity will be logged
15# to the respective facility (even further below).
16#
17#####################################################################
18#
19# SETUP for file system checking:
20#
21# (i) There are several policies, each has its own section. Put files
22# into the section for the appropriate policy (see below).
23# (ii) Section [EventSeverity]:
24# To each policy, you can assign a severity (further below).
25# (iii) Section [Log]:
26# To each log facility, you can assign a threshold severity. Only
27# reports with at least the threshold severity will be logged
28# to the respective facility (even further below).
29#
30#####################################################################
31
32#####################################################################
33#
34# Files are defined with: file = /absolute/path
35#
36# Directories are defined with: dir = /absolute/path
37# or with an optional recursion depth (N <= 99): dir = N/absolute/path
38#
39# Directory inodes are checked. If you only want to check files
40# in a directory, but not the directory inode itself, use (e.g.):
41#
42# [ReadOnly]
43# dir = /some/directory
44# [IgnoreAll]
45# file = /some/directory
46#
47# You can use shell-style globbing patterns, like: file = /path/foo*
48#
49######################################################################
50
51[Misc]
52##
53## Add or subtract tests from the policies
54## - if you want to change a policy's definition,
55## you need to do that before the policy is used
56##
57# RedefReadOnly = (no default)
58# RedefAttributes=(no default)
59# RedefLogFiles=(no default)
60# RedefGrowingLogFiles=(no default)
61# RedefIgnoreAll=(no default)
62# RedefIgnoreNone=(no default)
63
64# RedefUser0=(no default)
65# RedefUser1=(no default)
66
67#
68# --------- / --------------
69#
70
71[ReadOnly]
72dir = 0/
73
74[Attributes]
75file = /tmp
76file = /dev
77file = /media
78file = /proc
79file = /sys
80
81#
82# --------- /etc -----------
83#
84
85[ReadOnly]
86##
87## for these files, only access time is ignored
88##
89dir = 99/etc
90
91[Attributes]
92##
93## check permission and ownership
94##
95file = /etc/mtab
96file = /etc/adjtime
97file = /etc/motd
98file = /etc/lvm/.cache
99
100# On Ubuntu, these are in /var/lib rather than /etc
101file = /etc/cups/certs
102file = /etc/cups/certs/0
103
104# managed by fstab-sync on Fedora Core
105file = /etc/fstab
106
107# modified when booting
108file = /etc/sysconfig/hwconf
109
110# There are files in /etc that might change, thus changing the directory
111# timestamps. Put /etc here as 'file' (so the directory inode itself is checked under the Attributes policy), and in the ReadOnly section as 'dir'.
112
113file = /etc
114
115#
116# --------- /boot -----------
117#
118
119[ReadOnly]
120dir = 99/boot
121
122#
123# --------- /bin, /sbin -----------
124#
125
126[Prelink]
127dir = 99/bin
128dir = 99/sbin
129
130#
131# --------- /lib -----------
132#
133
134[Prelink]
135dir = 99/lib
136dir = 99/lib64
137
138[ReadOnly]
139dir = 99/lib/modules
140dir = 99/usr/lib/locale
141dir = 99/usr/X11R6/lib/X11/xfig
142dir = 99/usr/X11R6/lib64/X11/xfig
143
144#
145# --------- /dev -----------
146#
147
148[Attributes]
149dir = 99/dev
150
151[IgnoreAll]
152##
153## pseudo terminals are created/removed as needed
154##
155dir = -1/dev/pts
156
157# dir = -1/dev/.udevdb
158
159file = /dev/ppp
160
161#
162# --------- /usr -----------
163#
164
165[ReadOnly]
166dir = 99/usr
167
168[Prelink]
169dir = 99/usr/lib
170dir = 99/usr/lib64
171dir = 99/usr/bin
172dir = 99/usr/sbin
173dir = 99/usr/X11R6/bin
174dir = 99/usr/kerberos/bin
175dir = 99/usr/games
176dir = 99/usr/libexec
177dir = 99/usr/X11R6/lib
178dir = 99/usr/X11R6/lib64
179dir = 99/usr/kerberos/lib
180dir = 99/usr/kerberos/lib64
181dir = 99/usr/X11R6/LessTif
182
183#
184# --------- /var -----------
185#
186
187[ReadOnly]
188dir = 99/var
189
190[Prelink]
191dir = 99/var/ftp/bin
192dir = 99/var/ftp/lib
193dir = 99/var/ftp/lib64
194
195[IgnoreAll]
196dir = -1/var/cache
197dir = -1/var/backups
198dir = -1/var/games
199dir = -1/var/gdm
200dir = -1/var/lock
201dir = -1/var/mail
202dir = -1/var/run
203dir = -1/var/spool
204dir = -1/var/tmp
205dir = -1/var/lib/texmf
206dir = -1/var/lib/scrollkeeper
207
208
209[Attributes]
210
211dir = /var/lib/nfs
212dir = /var/lib/pcmcia
213
214# /var/lib/rpm changes if packages are installed;
215# /var/lib/rpm/__db.00[123] even more frequently
216file = /var/lib/rpm/__db.00?
217
218file = /var/lib/acpi-support/vbestate
219file = /var/lib/alsa/asound.state
220file = /var/lib/apt/lists/lock
221file = /var/lib/apt/lists/partial
222file = /var/lib/cups/certs
223file = /var/lib/cups/certs/0
224file = /var/lib/dpkg/lock
225file = /var/lib/gdm
226file = /var/lib/gdm/.cookie
227file = /var/lib/gdm/.gdmfifo
228file = /var/lib/gdm/:0.Xauth
229file = /var/lib/gdm/:0.Xservers
230file = /var/lib/logrotate/status
231file = /var/lib/mysql
232file = /var/lib/mysql/ib_logfile0
233file = /var/lib/mysql/ibdata1
234file = /var/lib/slocate
235file = /var/lib/slocate/slocate.db
236file = /var/lib/slocate/slocate.db.tmp
237file = /var/lib/urandom
238file = /var/lib/urandom/random-seed
239file = /var/lib/random-seed
240file = /var/lib/xkb
241
242
243[GrowingLogFiles]
244##
245## For these files, changes in signature, timestamps, and increase in size
246## are ignored. Logfile rotation will cause a report because of shrinking
247## size and different inode.
248##
249dir = 99/var/log
250
251[Attributes]
252#
253# rotated logs will change inode
254#
255#file = /var/log/*.[0-9].gz
256#file = /var/log/*.[0-9].log
257file = /var/log/*.[0-9]
258#file = /var/log/*.old
259#file = /var/log/*/*.[0-9].gz
260#file = /var/log/*/*.[0-9][0-9].gz
261#file = /var/log/*/*.log.[0-9]
262
263[Misc]
264#
265# Various naming schemes for rotated logs (any added file matching these patterns goes unreported, so keep them as narrow as possible)
266#
267IgnoreAdded = /var/log/.*\.[0-9]+$
268IgnoreAdded = /var/log/.*\.[0-9]+\.gz$
269IgnoreAdded = /var/log/.*\.[0-9]+\.log$
270#
271# Subdirectories
272#
273IgnoreAdded = /var/log/[[:alnum:]]+/.*\.[0-9]+$
274IgnoreAdded = /var/log/[[:alnum:]]+/.*\.[0-9]+\.gz$
275IgnoreAdded = /var/log/[[:alnum:]]+/.*\.[0-9]+\.log$
276#
277IgnoreAdded = /var/lib/slocate/slocate.db.tmp
278IgnoreMissing = /var/lib/slocate/slocate.db.tmp
279
280#
281# --------- other policies -----------
282#
283
284[IgnoreNone]
285##
286## for these files, all modifications (even access time) are reported
287## - you may create a decoy file with an enticing name (like /etc/safe_passwd),
288## just to be alerted when someone accesses it ...
289##
290
291[Prelink]
292##
293## Use for prelinked files or directories holding them
294##
295
296[User0]
297[User1]
298## User0 and User1 are sections for files/dirs with user-definable checking
299## (see the manual)
300
301
302
303[EventSeverity]
304##
305## Here you can assign severities to policy violations.
306## If this severity exceeds the threshold of a log facility (see below),
307## a policy violation will be logged to that facility.
308##
309## Severity for verification failures.
310##
311# SeverityReadOnly=crit
312# SeverityLogFiles=crit
313# SeverityGrowingLogs=crit
314# SeverityIgnoreNone=crit
315# SeverityAttributes=crit
316# SeverityUser0=crit
317# SeverityUser1=crit
318# SeverityIgnoreAll=crit
319
320
321## Files : file access problems
322# SeverityFiles=crit
323
324## Dirs : directory access problems
325# SeverityDirs=crit
326
327## Names : suspect (non-printable) characters in a pathname
328# SeverityNames=crit
329
330[Log]
331##
332## Switch on/OFF log facilities and set their threshold severity
333##
334## Values: debug, info, notice, warn, mark, err, crit, alert, none.
335## 'mark' is used for timestamps.
336##
337##
338## Use 'none' to SWITCH OFF a log facility
339##
340## By default, everything equal to and above the threshold is logged.
341## The specifiers '*', '!', and '=' are interpreted as
342## 'all', 'all but', and 'only', respectively (like syslogd(8) does,
343## at least on Linux). Examples:
344## MailSeverity=*
345## MailSeverity=!warn
346## MailSeverity==crit
347
348## E-mail
349##
350# MailSeverity=none
351
352## Console
353##
354# PrintSeverity=info
355
356## Logfile
357##
358# LogSeverity=mark
359
360## Syslog
361##
362# SyslogSeverity=none
363
364## Remote server (yule)
365##
366# ExportSeverity=none
367
368## External script or program
369##
370# ExternalSeverity = none
371
372## Logging to a database
373##
374# DatabaseSeverity = none
375
376## Logging to a Prelude-IDS
377##
378PreludeSeverity = crit
379PreludeClass= EVENT
380
381
382
383#####################################################
384#
385# Optional modules
386#
387#####################################################
388
389# [SuidCheck]
390##
391## --- Check the filesystem for SUID/SGID binaries
392##
393
394## Switch on
395#
396# SuidCheckActive = yes
397
398## Interval for check (seconds)
399#
400# SuidCheckInterval = 7200
401
402## Alternative: crontab-like schedule
403#
404# SuidCheckSchedule = NULL
405
406## Directory to exclude
407#
408# SuidCheckExclude = NULL
409
410## Limit on files per second (0 == no limit)
411#
412# SuidCheckFps = 0
413
414## Alternative: yield after every file
415#
416# SuidCheckYield = no
417
418## Severity of a detection
419#
420# SeveritySuidCheck = crit
421
422## Quarantine SUID/SGID files if found (depending on the method below, the file is deleted, truncated, stripped of its SUID/SGID bits, or moved; enable with care)
423#
424# SuidCheckQuarantineFiles = yes
425
426## Method for Quarantining files:
427# 0 - Delete or truncate the file.
428# 1 - Remove SUID/SGID permissions from file.
429# 2 - Move SUID/SGID file to quarantine dir.
430#
431# SuidCheckQuarantineMethod = 0
432
433## For method 1 and 3, really delete instead of truncating (NOTE: only methods 0-2 are listed above, and only method 0 truncates; check the manual for which method this actually applies to)
434#
435# SuidCheckQuarantineDelete = yes
436
437#[Kernel]
438##
439## --- Check for loadable kernel module rootkits (Linux/FreeBSD only)
440##
441
442## Switch on/off
443#
444# KernelCheckActive = True
445
446## Check interval (seconds); the check itself is very fast
447#
448# KernelCheckInterval = 300
449
450## Severity
451#
452# SeverityKernel = crit
453
454
455# [Utmp]
456##
457## --- Logging of login/logout events
458##
459
460## Switch on/off
461#
462# LoginCheckActive = True
463
464## Severity for logins, multiple logins, logouts
465#
466# SeverityLogin=info
467# SeverityLoginMulti=warn
468# SeverityLogout=info
469
470## Interval for login/logout checks
471#
472# LoginCheckInterval = 300
473
474
475# [Database]
476##
477## --- Logging to a relational database
478##
479
480## Database name
481#
482# SetDBName = samhain
483
484## Database table
485#
486# SetDBTable = log
487
488## Database user
489#
490# SetDBUser = samhain
491
492## Database password (stored in clear text in this file; restrict read access to the file if you set it)
493#
494# SetDBPassword = (default: none)
495
496## Database host
497#
498# SetDBHost = localhost
499
500## Log the server timestamp for received messages
501#
502# SetDBServerTstamp = True
503
504## Use a persistent connection
505#
506# UsePersistent = True
507
508# [External]
509##
510## Interface to call external scripts/programs for logging
511##
512
513## The absolute path to the command
514## - Each invocation of this directive will end the definition of the
515## preceding command, and start the definition of
516## an additional, new command
517#
518# OpenCommand = (no default)
519
520## Type (log or srv)
521## - log for log messages, srv for messages received by the server
522#
523# SetType = log
524
525## The command (full command line) to execute
526#
527# SetCommandLine = (no default)
528
529## The environment (KEY=value; repeat for more)
530#
531# SetEnviron = TZ=(your timezone)
532
533## The TIGER192 checksum of the command executable (optional, but recommended: it lets samhain verify the program it calls)
534#
535# SetChecksum = (no default)
536
537## User who runs the command
538#
539# SetCredentials = (default: samhain process uid)
540
541## Words not allowed in message
542#
543# SetFilterNot = (none)
544
545## Words required (ALL of them)
546#
547# SetFilterAnd = (none)
548
549## Words required (at least one)
550#
551# SetFilterOr = (none)
552
553## Deadtime (minimum interval) between consecutive calls
554#
555# SetDeadtime = 0
556
557## Add default environment (HOME, PATH, SHELL)
558#
559# SetDefault = no
560
561
562#####################################################
563#
564# Miscellaneous configuration options
565#
566#####################################################
567
568[Misc]
569
570## whether to become a daemon process
571## (this is not honoured on database initialisation)
572#
573# Daemon = no
574Daemon = yes
575
576## whether to test file signatures (init/check/none)
577## - if 'none', the mode must be chosen on the command line -
578#
579# ChecksumTest = none
580ChecksumTest=check
581
582## Set nice level (-19 to 19, see 'man nice'),
583## and I/O limit (kilobytes per second; 0 == off)
584## to reduce load on host.
585#
586# SetNiceLevel = 0
587# SetIOLimit = 0
588
589## The version string to embed in file signature databases
590#
591# VersionString = NULL
592
593## Interval between time stamp messages
594#
595# SetLoopTime = 60
596SetLoopTime = 600
597
598## Interval between file checks
599#
600# SetFileCheckTime = 600
601SetFileCheckTime = 7200
602
603## Alternative: crontab-like schedule
604#
605# FileCheckScheduleOne = NULL
606
607## Alternative: crontab-like schedule(2)
608#
609# FileCheckScheduleTwo = NULL
610
611## Report only once on modified files
612## Setting this to 'FALSE' will generate a report for any policy
613## violation (old and new ones) each time the daemon checks the file system.
614#
615# ReportOnlyOnce = True
616
617## Report in full detail
618#
619# ReportFullDetail = False
620
621## Report file timestamps in local time rather than GMT
622#
623# UseLocalTime = No
624
625## The console device (can also be a file or named pipe)
626## - There are two console devices. Accordingly, you can use
627## this directive a second time to set the second console device.
628## If you have not defined the second device at compile time,
629## and you don't want to use it, then:
630## leaving it unset is better than setting it to /dev/null
631## (setting it to /dev/null wastes time by opening
632## /dev/null and writing to it)
633#
634# SetConsole = /dev/console
635
636## Activate the SysV IPC message queue
637#
638# MessageQueueActive = False
639
640
641## If false, skip reverse lookup when connecting to a host known
642## by name rather than IP address (i.e. trust the DNS)
643#
644# SetReverseLookup = True
645
646## --- E-Mail ---
647
648# Only highest-level (alert) reports will be mailed immediately,
649# others will be queued. Here you can define, when the queue will
650# be flushed (Note: the queue is automatically flushed after
651# completing a file check).
652#
653# SetMailTime = 86400
654
655## Maximum number of mails to queue
656#
657# SetMailNum = 10
658
659## Recipient (max. 8)
660#
661# SetMailAddress=root@localhost
662
663## Mail relay (IP address)
664#
665# SetMailRelay = NULL
666
667## Custom subject format
668#
669# MailSubject = NULL
670
671## --- end E-Mail ---
672
673## Path to the prelink executable
674#
675# SetPrelinkPath = /usr/sbin/prelink
676
677## TIGER192 checksum of the prelink executable
678#
679# SetPrelinkChecksum = (no default)
680
681
682## Path to the samhain executable. If set, it will be checksummed after startup
683## and before exit.
684#
685# SamhainPath = (no default)
686
687
688## The IP address of the log server
689#
690# SetLogServer = (default: compiled-in)
691
692## The IP address of the time server
693#
694# SetTimeServer = (default: compiled-in)
695
696## Trusted Users (comma delimited list of user names)
697#
698# TrustedUser = (no default; this adds to the compiled-in list)
699
700## Path to the file signature database
701#
702# SetDatabasePath = (default: compiled-in)
703
704## Path to the log file
705#
706# SetLogfilePath = (default: compiled-in)
707
708## Path to the PID file
709#
710# SetLockPath = (default: compiled-in)
711
712
713## The digest/checksum/hash algorithm
714#
715# DigestAlgo = TIGER192
716
717
718## Custom format for message header.
719## CAREFUL if you use XML logfile format.
720##
721## %S severity
722## %T timestamp
723## %C class
724##
725## %F source file
726## %L source line
727#
728# MessageHeader="%S %T "
729
730
731## Don't log path to config/database file on startup
732#
733# HideSetup = False
734
735## The syslog facility, if you log to syslog
736#
737# SyslogFacility = LOG_AUTHPRIV
738SyslogFacility=LOG_LOCAL2
739
740## The message authentication method
741## - If you change this, you *must* change it
742## on client *and* server
743#
744# MACType = HMAC-TIGER
745
746
747## The Prelude-IDS profile to use for reporting
748## default value is "samhain"
749#
750PreludeProfile = samhain
751
752## Map these samhain severities to Prelude impact severity 'info'
753#
754# PreludeMapToInfo =
755
756## Map these samhain severities to Prelude impact severity 'low'
757#
758# PreludeMapToLow = debug info
759
760## Map these samhain severities to Prelude impact severity 'medium'
761#
762# PreludeMapToMedium = notice warn err
763
764## Map these samhain severities to Prelude impact severity 'high'
765#
766# PreludeMapToHigh = crit alert
767
768
769## everything below is ignored
770[EOF]
771
772#####################################################################
773# This would be the proper syntax for parts that should only be
774# included for certain hosts.
775# You may enclose anything in a @HOSTNAME/@end bracket, as long as the
776# result still has the proper syntax for the config file.
777# You may have any number of @HOSTNAME/@end brackets.
778# HOSTNAME should be the fully qualified 'official' name
779# (e.g. 'nixon.watergate.com', not 'nixon'), no aliases.
780# No IP number - except if samhain cannot determine the
781# fully qualified hostname.
782#
783# @HOSTNAME
784# file=/foo/bar
785# @end
786#
787# These are two examples for conditional inclusion/exclusion
788# of a machine based on the output from 'uname -srm'
789# $Linux:2.*.7:i666
790# file=/foo/bar3
791# $end
792#
793# !$Linux:2.*.7:i686
794# file=/foo/bar2
795# $end
796#
797#####################################################################