source: branches/samhain-2_2-branch/samhainrc.linux@ 126

Last change on this file since 126 was 18, checked in by rainer, 19 years ago

Optimized version of tiger algorithm, and basic ingredients for unit testing (part 2)

File size: 15.5 KB
Line 
1#####################################################################
2#
3# Configuration file template for samhain.
4#
5#####################################################################
6#
7# -- empty lines and lines starting with '#', ';' or '//' are ignored
8# -- boolean options can be Yes/No or True/False or 1/0
9# -- you can PGP clearsign this file -- samhain will check (if compiled
10# with support) or otherwise ignore the signature
11# -- CHECK mail address
12#
13# To each log facility, you can assign a threshold severity. Only
14# reports with at least the threshold severity will be logged
15# to the respective facility (even further below).
16#
17#####################################################################
18#
19# SETUP for file system checking:
20#
21# (i) There are several policies, each has its own section. Put files
22# into the section for the appropriate policy (see below).
23# (ii) Section [EventSeverity]:
24# To each policy, you can assign a severity (further below).
25# (iii) Section [Log]:
26# To each log facility, you can assign a threshold severity. Only
27# reports with at least the threshold severity will be logged
28# to the respective facility (even further below).
29#
30#####################################################################
31
32#####################################################################
33#
34# Files are defined with: file = /absolute/path
35#
36# Directories are defined with: dir = /absolute/path
37# or with an optional recursion depth (N <= 99): dir = N/absolute/path
38#
39# Directory inodes are checked. If you only want to check files
40# in a directory, but not the directory inode itself, use (e.g.):
41#
42# [ReadOnly]
43# dir = /some/directory
44# [IgnoreAll]
45# file = /some/directory
46#
47# You can use shell-style globbing patterns, like: file = /path/foo*
48#
49######################################################################
50
51[Misc]
52##
53## Add or subtract tests from the policies
54## - if you want to change their definitions,
55## you need to do that before using the policies
56##
57# RedefReadOnly = (no default)
58# RedefAttributes=(no default)
59# RedefLogFiles=(no default)
60# RedefGrowingLogFiles=(no default)
61# RedefIgnoreAll=(no default)
62# RedefIgnoreNone=(no default)
63
64# RedefUser0=(no default)
65# RedefUser1=(no default)
66
67#
68# --------- / --------------
69#
70
71[ReadOnly]
72dir = 0/
73
74[Attributes]
75file = /tmp
76file = /dev
77file = /media
78file = /proc
79file = /sys
80
81#
82# --------- /etc -----------
83#
84
85[ReadOnly]
86##
87## for these files, only access time is ignored
88##
89dir = 99/etc
90
91[Attributes]
92##
93## check permission and ownership
94##
95file = /etc/mtab
96file = /etc/adjtime
97file = /etc/motd
98file = /etc/lvm/.cache
99
100# On Ubuntu, these are in /var/lib rather than /etc
101file = /etc/cups/certs
102file = /etc/cups/certs/0
103
104# managed by fstab-sync on Fedora Core
105file = /etc/fstab
106
107# modified when booting
108file = /etc/sysconfig/hwconf
109
110# There are files in /etc that might change, thus changing the directory
111# timestamps. Put it here as 'file', and in the ReadOnly section as 'dir'.
112
113file = /etc
114
115#
116# --------- /boot -----------
117#
118
119[ReadOnly]
120dir = 99/boot
121
122#
123# --------- /bin, /sbin -----------
124#
125
126[ReadOnly]
127dir = 99/bin
128dir = 99/sbin
129
130#
131# --------- /lib -----------
132#
133
134[ReadOnly]
135dir = 99/lib
136
137#
138# --------- /dev -----------
139#
140
141[Attributes]
142dir = 99/dev
143
144[IgnoreAll]
145##
146## pseudo terminals are created/removed as needed
147##
148dir = -1/dev/pts
149
150# dir = -1/dev/.udevdb
151
152file = /dev/ppp
153
154#
155# --------- /usr -----------
156#
157
158[ReadOnly]
159dir = 99/usr
160
161#
162# --------- /var -----------
163#
164
165[ReadOnly]
166dir = 99/var
167
168[IgnoreAll]
169dir = -1/var/cache
170dir = -1/var/backups
171dir = -1/var/games
172dir = -1/var/gdm
173dir = -1/var/lock
174dir = -1/var/mail
175dir = -1/var/run
176dir = -1/var/spool
177dir = -1/var/tmp
178dir = -1/var/lib/texmf
179dir = -1/var/lib/scrollkeeper
180
181
182[Attributes]
183
184dir = /var/lib/nfs
185dir = /var/lib/pcmcia
186
187# /var/lib/rpm changes if packets are installed;
188# /var/lib/rpm/__db.00[123] even more frequently
189file = /var/lib/rpm/__db.00?
190
191file = /var/lib/acpi-support/vbestate
192file = /var/lib/alsa/asound.state
193file = /var/lib/apt/lists/lock
194file = /var/lib/apt/lists/partial
195file = /var/lib/cups/certs
196file = /var/lib/cups/certs/0
197file = /var/lib/dpkg/lock
198file = /var/lib/gdm
199file = /var/lib/gdm/.cookie
200file = /var/lib/gdm/.gdmfifo
201file = /var/lib/gdm/:0.Xauth
202file = /var/lib/gdm/:0.Xservers
203file = /var/lib/logrotate/status
204file = /var/lib/mysql
205file = /var/lib/mysql/ib_logfile0
206file = /var/lib/mysql/ibdata1
207file = /var/lib/slocate
208file = /var/lib/slocate/slocate.db
209file = /var/lib/slocate/slocate.db.tmp
210file = /var/lib/urandom
211file = /var/lib/urandom/random-seed
212file = /var/lib/random-seed
213file = /var/lib/xkb
214
215
216[GrowingLogFiles]
217##
218## For these files, changes in signature, timestamps, and increase in size
219## are ignored. Logfile rotation will cause a report because of shrinking
220## size and different inode.
221##
222dir = 99/var/log
223
224[Attributes]
225#
226# rotated logs will change inode
227#
228file = /var/log/*.[0-9].gz
229file = /var/log/*.[0-9].log
230file = /var/log/*.[0-9]
231file = /var/log/*.old
232file = /var/log/*/*.[0-9].gz
233file = /var/log/*/*.[0-9][0-9].gz
234file = /var/log/*/*.log.[0-9]
235
236[Misc]
237#
238# Various naming schemes for rotated logs
239#
240IgnoreAdded = /var/log/.*\.[0-9]+$
241IgnoreAdded = /var/log/.*\.[0-9]+\.gz$
242IgnoreAdded = /var/log/.*\.[0-9]+\.log$
243#
244# Subdirectories
245#
246IgnoreAdded = /var/log/[[:alnum:]]+/.*\.[0-9]+$
247IgnoreAdded = /var/log/[[:alnum:]]+/.*\.[0-9]+\.gz$
248IgnoreAdded = /var/log/[[:alnum:]]+/.*\.[0-9]+\.log$
249#
250IgnoreAdded = /var/lib/slocate/slocate.db.tmp
251IgnoreMissing = /var/lib/slocate/slocate.db.tmp
252
253#
254# --------- other policies -----------
255#
256
257[IgnoreNone]
258##
259## for these files, all modifications (even access time) are reported
260## - you may create some interesting-looking file (like /etc/safe_passwd),
261## just to watch whether someone will access it ...
262##
263
264[Prelink]
265##
266## Use for prelinked files or directories holding them
267##
268
269
270[User0]
271[User1]
272## User0 and User1 are sections for files/dirs with user-definable checking
273## (see the manual)
274
275
276
277[EventSeverity]
278##
279## Here you can assign severities to policy violations.
280## If this severity exceeds the treshold of a log facility (see below),
281## a policy violation will be logged to that facility.
282##
283## Severity for verification failures.
284##
285# SeverityReadOnly=crit
286# SeverityLogFiles=crit
287# SeverityGrowingLogs=crit
288# SeverityIgnoreNone=crit
289# SeverityAttributes=crit
290# SeverityUser0=crit
291# SeverityUser1=crit
292# SeverityIgnoreAll=crit
293
294
295## Files : file access problems
296# SeverityFiles=crit
297
298## Dirs : directory access problems
299# SeverityDirs=crit
300
301## Names : suspect (non-printable) characters in a pathname
302# SeverityNames=crit
303
304[Log]
305##
306## Switch on/OFF log facilities and set their threshold severity
307##
308## Values: debug, info, notice, warn, mark, err, crit, alert, none.
309## 'mark' is used for timestamps.
310##
311##
312## Use 'none' to SWITCH OFF a log facility
313##
314## By default, everything equal to and above the threshold is logged.
315## The specifiers '*', '!', and '=' are interpreted as
316## 'all', 'all but', and 'only', respectively (like syslogd(8) does,
317## at least on Linux). Examples:
318## MailSeverity=*
319## MailSeverity=!warn
320## MailSeverity==crit
321
322## E-mail
323##
324# MailSeverity=none
325
326## Console
327##
328# PrintSeverity=info
329
330## Logfile
331##
332# LogSeverity=mark
333
334## Syslog
335##
336# SyslogSeverity=none
337
338## Remote server (yule)
339##
340# ExportSeverity=none
341
342## External script or program
343##
344# ExternalSeverity = none
345
346## Logging to a database
347##
348# DatabaseSeverity = none
349
350## Logging to a Prelude-IDS
351##
352# PreludeSeverity = crit
353
354
355
356#####################################################
357#
358# Optional modules
359#
360#####################################################
361
362# [SuidCheck]
363##
364## --- Check the filesystem for SUID/SGID binaries
365##
366
367## Switch on
368#
369# SuidCheckActive = yes
370
371## Interval for check (seconds)
372#
373# SuidCheckInterval = 7200
374
375## Alternative: crontab-like schedule
376#
377# SuidCheckSchedule = NULL
378
379## Directory to exclude
380#
381# SuidCheckExclude = NULL
382
383## Limit on files per second (0 == no limit)
384#
385# SuidCheckFps = 0
386
387## Alternative: yield after every file
388#
389# SuidCheckYield = no
390
391## Severity of a detection
392#
393# SeveritySuidCheck = crit
394
395## Quarantine SUID/SGID files if found
396#
397# SuidCheckQuarantineFiles = yes
398
399## Method for Quarantining files:
400# 0 - Delete or truncate the file.
401# 1 - Remove SUID/SGID permissions from file.
402# 2 - Move SUID/SGID file to quarantine dir.
403#
404# SuidCheckQuarantineMethod = 0
405
406## For method 1 and 3, really delete instead of truncating
407#
408# SuidCheckQuarantineDelete = yes
409
410#[Kernel]
411##
412## --- Check for loadable kernel module rootkits (Linux/FreeBSD only)
413##
414
415## Switch on/off
416#
417# KernelCheckActive = True
418
419## Check interval (seconds); btw., the check is VERY fast
420#
421# KernelCheckInterval = 300
422
423## Severity
424#
425# SeverityKernel = crit
426
427
428# [Utmp]
429##
430## --- Logging of login/logout events
431##
432
433## Switch on/off
434#
435# LoginCheckActive = True
436
437## Severity for logins, multiple logins, logouts
438#
439# SeverityLogin=info
440# SeverityLoginMulti=warn
441# SeverityLogout=info
442
443## Interval for login/logout checks
444#
445# LoginCheckInterval = 300
446
447
448# [Database]
449##
450## --- Logging to a relational database
451##
452
453## Database name
454#
455# SetDBName = samhain
456
457## Database table
458#
459# SetDBTable = log
460
461## Database user
462#
463# SetDBUser = samhain
464
465## Database password
466#
467# SetDBPassword = (default: none)
468
469## Database host
470#
471# SetDBHost = localhost
472
473## Log the server timestamp for received messages
474#
475# SetDBServerTstamp = True
476
477## Use a persistent connection
478#
479# UsePersistent = True
480
481# [External]
482##
483## Interface to call external scripts/programs for logging
484##
485
486## The absolute path to the command
487## - Each invocation of this directive will end the definition of the
488## preceding command, and start the definition of
489## an additional, new command
490#
491# OpenCommand = (no default)
492
493## Type (log or rv)
494## - log for log messages, srv for messages received by the server
495#
496# SetType = log
497
498## The command (full command line) to execute
499#
500# SetCommandLine = (no default)
501
502## The environment (KEY=value; repeat for more)
503#
504# SetEnviron = TZ=(your timezone)
505
506## The TIGER192 checksum (optional)
507#
508# SetChecksum = (no default)
509
510## User who runs the command
511#
512# SetCredentials = (default: samhain process uid)
513
514## Words not allowed in message
515#
516# SetFilterNot = (none)
517
518## Words required (ALL of them)
519#
520# SetFilterAnd = (none)
521
522## Words required (at least one)
523#
524# SetFilterOr = (none)
525
526## Deadtime between consecutive calls
527#
528# SetDeadtime = 0
529
530## Add default environment (HOME, PATH, SHELL)
531#
532# SetDefault = no
533
534
535#####################################################
536#
537# Miscellaneous configuration options
538#
539#####################################################
540
541[Misc]
542
543## whether to become a daemon process
544## (this is not honoured on database initialisation)
545#
546# Daemon = no
547Daemon = yes
548
549## whether to test signature of files (init/check/none)
550## - if 'none', then we have to decide this on the command line -
551#
552# ChecksumTest = none
553ChecksumTest=check
554
555## Set nice level (-19 to 19, see 'man nice'),
556## and I/O limit (kilobytes per second; 0 == off)
557## to reduce load on host.
558#
559# SetNiceLevel = 0
560# SetIOLimit = 0
561
562## The version string to embed in file signature databases
563#
564# VersionString = NULL
565
566## Interval between time stamp messages
567#
568# SetLoopTime = 60
569SetLoopTime = 600
570
571## Interval between file checks
572#
573# SetFileCheckTime = 600
574SetFileCheckTime = 7200
575
576## Alternative: crontab-like schedule
577#
578# FileCheckScheduleOne = NULL
579
580## Alternative: crontab-like schedule(2)
581#
582# FileCheckScheduleTwo = NULL
583
584## Report only once on modified fles
585## Setting this to 'FALSE' will generate a report for any policy
586## violation (old and new ones) each time the daemon checks the file system.
587#
588# ReportOnlyOnce = True
589
590## Report in full detail
591#
592# ReportFullDetail = False
593
594## Report file timestamps in local time rather than GMT
595#
596# UseLocalTime = No
597
598## The console device (can also be a file or named pipe)
599## - There are two console devices. Accordingly, you can use
600## this directive a second time to set the second console device.
601## If you have not defined the second device at compile time,
602## and you don't want to use it, then:
603## setting it to /dev/null is less effective than just leaving
604## it alone (setting to /dev/null will waste time by opening
605## /dev/null and writing to it)
606#
607# SetConsole = /dev/console
608
609## Activate the SysV IPC message queue
610#
611# MessageQueueActive = False
612
613
614## If false, skip reverse lookup when connecting to a host known
615## by name rather than IP address (i.e. trust the DNS)
616#
617# SetReverseLookup = True
618
619## --- E-Mail ---
620
621# Only highest-level (alert) reports will be mailed immediately,
622# others will be queued. Here you can define, when the queue will
623# be flushed (Note: the queue is automatically flushed after
624# completing a file check).
625#
626# SetMailTime = 86400
627
628## Maximum number of mails to queue
629#
630# SetMailNum = 10
631
632## Recipient (max. 8)
633#
634# SetMailAddress=root@localhost
635
636## Mail relay (IP address)
637#
638# SetMailRelay = NULL
639
640## Custom subject format
641#
642# MailSubject = NULL
643
644## --- end E-Mail ---
645
646## Path to the prelink executable
647#
648# SetPrelinkPath = /usr/sbin/prelink
649
650## TIGER192 checksum of the prelink executable
651#
652# SetPrelinkChecksum = (no default)
653
654
655## Path to the executable. If set, will be checksummed after startup
656## and before exit.
657#
658# SamhainPath = (no default)
659
660
661## The IP address of the log server
662#
663# SetLogServer = (default: compiled-in)
664
665## The IP address of the time server
666#
667# SetTimeServer = (default: compiled-in)
668
669## Trusted Users (comma delimited list of user names)
670#
671# TrustedUser = (no default; this adds to the compiled-in list)
672
673## Path to the file signature database
674#
675# SetDatabasePath = (default: compiled-in)
676
677## Path to the log file
678#
679# SetLogfilePath = (default: compiled-in)
680
681## Path to the PID file
682#
683# SetLockPath = (default: compiled-in)
684
685
686## The digest/checksum/hash algorithm
687#
688# DigestAlgo = TIGER192
689
690
691## Custom format for message header.
692## CAREFUL if you use XML logfile format.
693##
694## %S severity
695## %T timestamp
696## %C class
697##
698## %F source file
699## %L source line
700#
701# MessageHeader="%S %T "
702
703
704## Don't log path to config/database file on startup
705#
706# HideSetup = False
707
708## The syslog facility, if you log to syslog
709#
710# SyslogFacility = LOG_AUTHPRIV
711SyslogFacility=LOG_LOCAL2
712
713## The message authentication method
714## - If you change this, you *must* change it
715## on client *and* server
716#
717# MACType = HMAC-TIGER
718
719
720## The Prelude-IDS profile to use for reporting
721## default value is "samhain"
722#
723# PreludeProfile = samhain
724
725## Map these samhain severities to impact severity 'info' severity
726#
727# PreludeMapToInfo =
728
729## Map these samhain severities to impact severity 'low' severity
730#
731# PreludeMapToLow = debug info
732
733## Map these samhain severities to impact severity 'medium' severity
734#
735# PreludeMapToMedium = notice warn err
736
737## Map these samhain severities to impact severity 'high' severity
738#
739# PreludeMapToHigh = crit alert
740
741
742## everything below is ignored
743[EOF]
744
745#####################################################################
746# This would be the proper syntax for parts that should only be
747# included for certain hosts.
748# You may enclose anything in a @HOSTNAME/@end bracket, as long as the
749# result still has the proper syntax for the config file.
750# You may have any number of @HOSTNAME/@end brackets.
751# HOSTNAME should be the fully qualified 'official' name
752# (e.g. 'nixon.watergate.com', not 'nixon'), no aliases.
753# No IP number - except if samhain cannot determine the
754# fully qualified hostname.
755#
756# @HOSTNAME
757# file=/foo/bar
758# @end
759#
760# These are two examples for conditional inclusion/exclusion
761# of a machine based on the output from 'uname -srm'
762# $Linux:2.*.7:i666
763# file=/foo/bar3
764# $end
765#
766# !$Linux:2.*.7:i686
767# file=/foo/bar2
768# $end
769#
770#####################################################################
Note: See TracBrowser for help on using the repository browser.