#
# samhainrc — Samhain file-integrity policy
# From pkgsrc-wip, Author: Brian Seklecki
#
# Comment lines start with '#'.  This file repeats the [Attributes],
# [IgnoreAll] and [Misc] headers many times; that relies on Samhain merging
# repeated policy sections, which is not generic INI behaviour.
#

[Misc]
# User0 is used further down for /dev/tty* and /dev/pty*: owner, group, mode
# and the timestamps may change (login/logout), but inode, size, device
# number (RDEV) and checksum must not.
RedefUser0 = +INO, +SIZ, +RDEV, +CHK, -MOD, -MTM, -ATM, -CTM, -GRP, -USR

# GrowingLogFiles: per the author's note, the checksum is verified only up to
# the last known size of the file.  When a log is rotated the name moves to a
# new inode and the size is reset to a smaller value, so inode and size
# changes are ignored here (the check should then fail passively).  The
# rotated copies themselves are handled by the IgnoreAdded/IgnoreMissing
# patterns in the /var/log section.
RedefGrowingLogFiles = -INO, -SIZ, +CHK, -MTM, -ATM, -CTM

#
# --------- / --------------
#
[ReadOnly]
# Everything under / down to a depth of 99: /boot, /bin, /sbin, /lib,
# /libexec, /rescue, /root, /altroot, /usr, /var, /stand, /mnt, /tmp,
# /proc, /kern.  /usr and /var receive more specific overrides below.
dir = 99/

# Pseudo filesystems: keep an eye on the mount point itself, but do not
# descend into them.
[Attributes]
file = /proc
file = /kern

[IgnoreAll]
dir = -1/proc
dir = -1/kern
#
# --------- /tmp -----------
#

# Same treatment as /proc: the attributes of the directory are watched,
# its contents are not.
[Attributes]
file = /tmp
[IgnoreAll]
dir = -1/tmp
#
# --------- /root --------------
#

# Per section 5.4.2.1 of the manual, rule #5: lock files are written here
# that change the mtime/ctime of the directory.  We therefore watch
# permissions and ownership, ignore ctime/mtime/size and the like, but still
# watch the critical files inside.
# In theory /root never changes at all if sudo(8) is used without "-H".
#
# NOTE(review): /root/.gnupg appears both as a ReadOnly dir and as an
# Attributes file.  Which policy applies to the directory inode itself
# depends on Samhain's precedence rules for overlapping entries — confirm
# against the manual section cited above.
[ReadOnly]
dir = /root/.gnupg
[Attributes]
file = /root/.gnupg
file = /root/.gnupg/random_seed
#
# --------- /dev -----------
#

[Attributes]
dir = 99/dev

# User0 (see RedefUser0 at the top of the file) is for /dev/tty* and other
# devices where owner, group and mode may change, but inode, size, device
# number and checksum must not.
[User0]
file = /dev/tty*
file = /dev/pty*
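#
# --------- /etc -----------
#

[ReadOnly]
##
## For these files only the access time is ignored.
##
dir = 99/etc

# When dhclient(8) is running, /etc/resolv.conf is rewritten at every lease
# renewal, so it cannot stay ReadOnly without an alert on each renewal.
# Downgrading it to Attributes means its content is no longer checksummed:
# if the dhcpd(8) on your network is compromised, a changed nameserver list
# will go unnoticed here.  Cryptographically signed DHCP traffic would be too
# much to ask from ISC, but maybe not from the OpenBSD folks.
[Attributes]
file = /etc/resolv.conf
# NOTE(review): /etc/dhclient.conf was the file originally listed here,
# although dhclient(8) only reads it and does not rewrite it.  It could
# arguably stay under the ReadOnly policy inherited from 'dir = 99/etc'
# above — confirm before removing this line.
file = /etc/dhclient.conf

# If CUPS is running with "Browsing On" and "Printcap /etc/printcap" in
# cupsd.conf(5), /etc/printcap is rewritten.
[Attributes]
file = /etc/printcap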
#
# --------- /usr -----------
#

# Note on the two IgnoreAll entries below: they reduce the size of the
# database greatly.

#
# --------- /usr/pkgsrc -----------
#

# Leave this active if you update pkgsrc from CVS periodically or
# automatically.  If you do not, comment it out and you will be informed
# about any unauthorized modification of pkgsrc (which is an attack vector).
[IgnoreAll]
dir = -1/usr/pkgsrc

#
# --------- /usr/src -----------
#

# Same trade-off for the system source tree: leave this active if you update
# src from CVS periodically or automatically, otherwise comment it out to be
# informed about unauthorized modifications to src (also an attack vector).
[IgnoreAll]
dir = -1/usr/src
#
# --------- /usr/home (/home) -----------
#

# On a stock system /home may be a symlink to /usr/home, but most admins
# change that.  [Attributes] could be replaced by [ReadOnly] here on systems
# where no new users are ever added, so that new user directories are
# reported.
[Attributes]
file = /home
[IgnoreAll]
dir = -1/home
#
# --------- /usr/compat/linux/etc -----------
#

# The author's view: enabling Linux emulation already compromises the
# system, so these entries only track the essentials.
[Attributes]
file = /usr/compat/linux/etc
file = /usr/compat/linux/etc/ld.so.cache

#
# --------- /usr/compat/linux/proc -----------
#

# NOTE(review): the original comment said "uncomment if you have Linux
# emulation installed/set up/mounted", but the two entries below are active.
# Comment them out if /emul/linux/proc does not exist on this host.  Note
# also the two different emulation roots used in this file (/usr/compat/linux
# above, /emul/linux here) — confirm which one applies to this system.
[Attributes]
file = /emul/linux/proc
[IgnoreAll]
dir = -1/emul/linux/proc
#
# --------- /var/run -----------
#

# PID files come and go as the set of services on a system changes, but that
# is usually followed by a database rebuild.  At database-init time, treat
# everything in here as subject to change (checksum, times, size) during a
# daemon restart, while everything else stays the same.
#
# Periodic scripts that HUP daemons leave the PID unchanged; a forced restart
# produces a new PID, so keep that in mind.
[Attributes]
dir = 99/var/run

[Misc]
# Ignore sudo(8) TTY/PTY "tickets" if sudo is in use.
IgnoreMissing = /var/run/sudo/[[:alnum:]]{1,9}/(p|t)ty.*$
IgnoreAdded = /var/run/sudo/[[:alnum:]]{1,9}/(p|t)ty.*$
184 | |
---|
185 | # |
---|
186 | # --------- /var/(spool|queue|etc.) ----------- |
---|
187 | # |
---|
188 | |
---|
189 | [Attributes] |
---|
190 | file=/var/cron/tabs |
---|
191 | file=/var/spool/mqueue |
---|
192 | file=/var/spool/clientmqueue |
---|
193 | file=/var/mail |
---|
194 | file=/var/tmp |
---|
195 | |
---|
196 | # |
---|
197 | # --------- /var/at ----------- |
---|
198 | # |
---|
199 | |
---|
200 | # As deep as /var/at/ will be watched by 99/ |
---|
201 | |
---|
202 | [Attributes] |
---|
203 | file=/var/at/spool |
---|
204 | file=/var/at/jobs |
---|
205 | |
---|
206 | # |
---|
207 | # --------- /var/db ----------- |
---|
208 | # |
---|
209 | |
---|
210 | # Some files are written directly into /var/db |
---|
211 | [Attributes] |
---|
212 | file=/var/db |
---|
213 | |
---|
214 | [Attributes] |
---|
215 | # Updatedb per /etc/periodic.d/weekly/310.locate (FreeBSD) or /etc/weekly (NetBSD) |
---|
216 | file=/var/db/locate.database |
---|
217 | |
---|
218 | [Misc] |
---|
219 | # this file comes and goes with portaudit(1)/portversion(1)/pkg_version(1) |
---|
220 | # Other is ISC DHCLIENT related |
---|
221 | IgnoreAdded=/var/db/(pkgdb.fixme|dhclient.leases.*) |
---|
222 | IgnoreMissing=/var/db/(pkgdb.fixme|dhclient.leases.*) |
---|
223 | |
---|
224 | |
---|
225 | # |
---|
226 | # --------- /var/db/mysql ----------- |
---|
227 | # |
---|
228 | |
---|
229 | # The same for MySQL, except it's probably owned by the time you get done |
---|
230 | # installing it. |
---|
231 | |
---|
232 | [Attributes] |
---|
233 | file=/var/db/mysql |
---|
234 | [IgnoreAll] |
---|
235 | dir=-1/var/db/mysql |
---|
236 | |
---|
237 | #################################################################### |
---|
238 | # The next three entries depend on your security paranoia policy about |
---|
239 | # SRC and PORTSs trees, etc. Remember, Ports is the only default attack |
---|
240 | # vector against FreeBSD machines. |
---|
241 | #################################################################### |
---|
242 | |
---|
243 | |
---|
244 | # |
---|
245 | # --------- /var/db/pkg ----------- |
---|
246 | # |
---|
247 | |
---|
248 | # This database directory gets updated if a cvsup(8)/cvs(8)/sup(8) update |
---|
249 | # occurs to a Pkgsrc source tree and then "pkgdb(8) -fu" is run. |
---|
250 | |
---|
251 | [Attributes] |
---|
252 | file=/var/db/pkg |
---|
253 | [IgnoreAll] |
---|
254 | dir=-1/var/db/pkg |
---|
255 | |
---|
256 | |
---|
257 | # |
---|
258 | # --------- /var/db/entropy ----------- |
---|
259 | # |
---|
260 | [Attributes] |
---|
261 | file=/var/db/entropy |
---|
262 | [IgnoreAll] |
---|
263 | dir=-1/var/db/entropy |
---|
264 | |
---|
#
# --------- /var/msgs -----------
#

[Attributes]
dir = -1/var/msgs

#
# --------- /var/backups -----------
#

# /etc/daily and /etc/security write old revisions of system-critical files
# in here every day.
[Attributes]
dir = -1/var/backups
#
# --------- /var/log -----------
#

# Keep this section in sync with:
# * /etc/newsyslog.conf
# * /etc/syslogd.conf, or
# * /usr/pkg/etc/syslog-ng/syslog-ng.conf

# For these files, changes in signature and timestamps and growth in size are
# ignored.  Per discussion on the forum, this is needed because of the
# newsyslog(8) rotation method: file sizes get smaller and inodes change as
# the files rotate.

# NOTES ON LOG ROTATION BEHAVIOUR:
# See RedefGrowingLogFiles at the top of the file for ignoring inode changes.
# newsyslog(8)/newsyslog.conf(5) behaves as follows by default:
# - first move logfile.log to logfile.log.0
# - then bzip2 -v9 logfile.log.0
# - then touch(1) logfile.log
# - then HUP if applicable and reopen the new file (new inode)
# - therefore ignore signature, size (if growing) and inode changes.
# The IgnoreMissing regexes below account for log files pruned from the
# filesystem, and the IgnoreAdded ones for the first N rotations of a log
# file per newsyslog.conf(5).
# NOTE(review): "\.[0-9]" matches single-digit rotation numbers only; if
# newsyslog.conf(5) keeps more than ten copies of a log, the ".10" and later
# copies would still be reported.

# NetBSD defaults
[Misc]
IgnoreAdded = /var/log/(cron|xferlog|messages|maillog|secure|pflog|sendmail\.st|kerberos\.log|authlog|aculog|wtmp|wtmpx)\.[0-9](\.bz2|\.gz)?$
IgnoreMissing = /var/log/(cron|xferlog|messages|maillog|secure|pflog|sendmail\.st|kerberos\.log|authlog|aculog|wtmp|wtmpx)\.[0-9](\.bz2|\.gz)?$

# Local services you may need to account for.
# NOTE(review): "postgresq\.log" looks like a typo for "postgresql\.log"; as
# written, rotated PostgreSQL logs would still be reported.  Confirm the
# actual log file name on this host before changing it.
IgnoreAdded = /var/log/(snmpd\.log|postgresq\.log|samhain\.log|httpd-error\.log|httpd-access\.log|httpd-ssl_request\.log)\.[0-9](\.bz2|\.gz)?$
IgnoreMissing = /var/log/(snmpd\.log|postgresq\.log|samhain\.log|httpd-error\.log|httpd-access\.log|httpd-ssl_request\.log)\.[0-9](\.bz2|\.gz)?$

[Attributes]
dir = 99/var/log

# NetBSD stock defaults
[GrowingLogFiles]
File = /var/log/aculog
File = /var/log/authlog
File = /var/log/cron
File = /var/log/kerberos.log
File = /var/log/lpd-errs
File = /var/log/maillog
File = /var/log/messages
File = /var/log/secure
File = /var/log/wtmp
File = /var/log/wtmpx
File = /var/log/xferlog
File = /var/log/pflog

[Attributes]
# A binary log file (sendmail statistics), so it cannot be a growing log.
File = /var/log/sendmail.st

# NetBSD gzip(1)s rotated logs by default, but newsyslog.conf(5) also
# supports bzip2.
[Attributes]
File = /var/log/*.[0-9].gz
#File = /var/log/*.[0-9].bz2
#
# --------- makewhatis(8) -----------
#

# Account for the whatis(8) database being rebuilt, given manpath.conf(5)/
# man.conf(5) and manpath(1).
[Attributes]
file = /usr/pkg/man/whatis.db
file = /usr/pkg/man
file = /usr/share/man/whatis.db
file = /usr/share/man

##############################################
######## END FILE SECTION ####################
##############################################
[EventSeverity]

# Policy violations in the file policies above.
SeverityReadOnly = crit
SeverityLogFiles = crit
SeverityGrowingLogs = crit
SeverityIgnoreNone = crit
SeverityAttributes = crit
SeverityUser0 = crit
SeverityUser1 = crit

## Some entries under IgnoreAll may or may not be present.  Setting the
## severity to 'info' prevents messages about deleted/new files there.
##
# SeverityIgnoreAll = crit
SeverityIgnoreAll = info

## Files : file access problems
SeverityFiles = info

## Dirs : directory access problems
SeverityDirs = info

## Names : suspect (non-printable) characters in a pathname
SeverityNames = crit
[Log]
## Values: debug, info, notice, warn, mark, err, crit, alert, none.
## 'mark' is used for timestamps.
##
## Use 'none' to SWITCH OFF a log facility.
##
## By default, everything equal to and above the threshold is logged.
## The specifiers '*', '!' and '=' are interpreted as 'all', 'all but' and
## 'only', respectively (like syslogd(8) does, at least on Linux).  Examples:
## MailSeverity=*
## MailSeverity=!warn
## MailSeverity==crit

## E-mail
## NOTE(review): this is the only channel that carries 'warn' and above
## out of the box, yet SetMailAddress is commented out in the [Misc] section
## further down — confirm a recipient is configured (or compiled in).
##
MailSeverity = warn

## Console
##
PrintSeverity = notice

## Logfile
##
LogSeverity = info

## Syslog
##
# Syslog logging is considered redundant at this time.
#
#SyslogSeverity=notice

## Remote server (yule)
##
# ExportSeverity=none

## External script or program
##
# ExternalSeverity = none

## Logging to a database
##
# DatabaseSeverity = none

## Logging to a Prelude-IDS
##
# PreludeSeverity = crit
#####################################################
#
# Optional modules
#
#####################################################

#[SuidCheck]
##
## --- Check the filesystem for SUID/SGID binaries
##
## NOTE(review): the whole module is disabled in this file.  Enabling it
## (SuidCheckActive = yes with the defaults below) reports newly appearing
## setuid/setgid binaries, which is a useful additional signal on top of the
## file policies above.

## Switch on
#
#SuidCheckActive = yes

## Interval for check (seconds)
#
#SuidCheckInterval = 5400

## Alternative: crontab-like schedule
#
#SuidCheckSchedule = NULL

## Directory to exclude
#
# SuidCheckExclude = NULL

## Limit on files per second (0 == no limit)
#
# SuidCheckFps = 0

## Alternative: yield after every file
#
# SuidCheckYield = no

## Severity of a detection
#
# SeveritySuidCheck = crit

## Quarantine SUID/SGID files if found
#
# SuidCheckQuarantineFiles = yes

## Method for quarantining files:
# 0 - Delete the file.
# 1 - Remove SUID/SGID permissions from the file.
# 2 - Move the SUID/SGID file to the quarantine dir.
#
# SuidCheckQuarantineMethod = 0

## For method 1 and 3, really delete instead of truncating
## (wording as in the stock configuration; the method numbers above are
## 0, 1 and 2 — check the manual for which methods this applies to).
#
# SuidCheckQuarantineDelete = yes

#[Mounts]
#MountCheckActive=1
#MountCheckInterval=7200
#SeverityMountMissing=crit
#SeverityOptionMissing=crit
#
#checkmount=/
#checkmount=/dev
#checkmount=/usr
#checkmount=/var
#checkmount=/var/log
#checkmount=/opt
#checkmount=/export
#checkmount=/tmp

#[Utmp]
##
## --- Logging of login/logout events
##

## Switch on/off
#
#LoginCheckActive = True

## Severity for logins, multiple logins, logouts
#
#SeverityLogin=info
#SeverityLoginMulti=crit
#SeverityLogout=info

## Interval for login/logout checks
#
#LoginCheckInterval = 300


# [Database]
##
## --- Logging to a relational database
##

## Database name
#
# SetDBName = samhain

## Database table
#
# SetDBTable = log

## Database user
#
# SetDBUser = samhain

## Database password
## (if this is ever enabled, the credential ends up in clear text in this
## file; restrict the file's permissions accordingly)
#
# SetDBPassword = (default: none)

## Database host
#
# SetDBHost = localhost

## Log the server timestamp for received messages
#
# SetDBServerTstamp = True

## Use a persistent connection
#
# UsePersistent = True


# [External]
##
## Interface to call external scripts/programs for logging
##

## The absolute path to the command
## - Each invocation of this directive ends the definition of the preceding
##   command and starts the definition of an additional, new command.
#
# OpenCommand = (no default)

## Type (log or srv)
## - log for log messages, srv for messages received by the server
#
# SetType = log

## The command (full command line) to execute
#
# SetCommandLine = (no default)

## The environment (KEY=value; repeat for more)
#
# SetEnviron = TZ=(your timezone)

## The TIGER checksum of the command (optional, but it is what stops a
## replaced binary from being run with samhain's privileges)
#
# SetChecksum = (no default)

## User who runs the command
#
# SetCredentials = (default: samhain process uid)

## Words not allowed in message
#
# SetFilterNot = (none)

## Words required (ALL of them)
#
# SetFilterAnd = (none)

## Words required (at least one)
#
# SetFilterOr = (none)

## Deadtime between consecutive calls
#
# SetDeadtime = 0

## Add default environment (HOME, PATH, SHELL)
#
# SetDefault = no



#####################################################
#
# Miscellaneous configuration options
#
#####################################################

[Misc]

## Whether to become a daemon process
## (this is not honoured on database initialisation).
#
# Daemon = no
Daemon = yes

## Whether to test the signature of files (init/check/none).
## - if 'none', this has to be decided on the command line -
#
# ChecksumTest = none
ChecksumTest = check

## Nice level (-19 to 19, see 'man nice') and I/O limit (kilobytes per
## second; 0 == off) to reduce the load on the host.
#
SetNiceLevel = 19
# SetIOLimit = 0

## The version string to embed in file signature databases
#
# VersionString = NULL

## Interval between time stamp messages (seconds)
#
# SetLoopTime = 60
SetLoopTime = 7200

## Interval between file checks (seconds; 43200 == twice a day)
#
# SetFileCheckTime = 600
SetFileCheckTime = 43200

## Alternative: crontab-like schedule
#
# FileCheckScheduleOne = NULL

## Alternative: crontab-like schedule (2)
#
# FileCheckScheduleTwo = NULL

## Report only once on modified files.
## Setting this to 'FALSE' generates a report for every policy violation
## (old and new ones) each time the daemon checks the file system.
#
ReportOnlyOnce = True

## Report in full detail
#
ReportFullDetail = True

## Report file timestamps in local time rather than GMT
#
UseLocalTime = Yes

## The console device (can also be a file or named pipe).
## - There are two console devices; use this directive a second time to set
##   the second one.  If the second device was not defined at compile time
##   and you do not want to use it, leave it alone: setting it to /dev/null
##   only wastes time opening and writing to /dev/null.
#
# SetConsole = /dev/console

## Activate the SysV IPC message queue
#
# MessageQueueActive = False


## If false, skip the reverse lookup when connecting to a host known by name
## rather than by IP address (i.e. trust the DNS).
#
SetReverseLookup = True

## --- E-Mail ---

# Only highest-level (alert) reports are mailed immediately; the others are
# queued.  This defines when the queue is flushed (note: the queue is
# flushed automatically after a file check completes).
#
# SetMailTime = 86400

## Maximum number of mails to queue
#
# SetMailNum = 10

## Recipient (max. 8)
## NOTE(review): no recipient is active here although [Log] sets
## MailSeverity to 'warn'; unless a compiled-in default exists, queued mail
## reports have nowhere to go — confirm.
#
#SetMailAddress=infosec@noc.myorg.tld

## Mail relay (IP address)
#
SetMailRelay = 127.0.0.1

## Custom subject format and envelope sender
#
MailSubject = Synchrotone Samhain: %S
SetMailSender = samhain@synchrotone.pgh.pub.collaborativefusion.com

## --- end E-Mail ---


## Path to the executable.  If set, it is checksummed after startup and
## before exit (self-check of the samhain binary).
#
SamhainPath = /usr/pkg/sbin/samhain

## The IP address of the log server
#
# SetLogServer = (default: compiled-in)

## The IP address of the time server
#
# SetTimeServer = (default: compiled-in)

## Trusted users (comma-delimited list of user names)
#
# TrustedUser = (no default; this adds to the compiled-in list)

## Path to the file signature database
#
SetDatabasePath = /usr/pkg/var/samhain/samhain.db

## Path to the log file
#
# SetLogfilePath = (default: compiled-in)

## Path to the PID file
#
# SetLockfilePath = (default: compiled-in)


## The digest/checksum/hash algorithm (default: TIGER192; others: MD5, SHA1).
## MD5 and SHA1 are the weaker choices; keep the default unless another
## component requires one of them.
#
# DigestAlgo = TIGER192


## Custom format for the message header.
## CAREFUL if you use the XML logfile format.
##
## %S severity
## %T timestamp
## %C class
##
## %F source file
## %L source line
#
# MessageHeader="%S %T "


## Don't log the path to the config/database file on startup
#
# HideSetup = False

## The syslog facility, if you log to syslog
## (SyslogSeverity is commented out in [Log], so this is currently unused).
#
# SyslogFacility = LOG_AUTHPRIV
SyslogFacility = LOG_LOCAL2

## The message authentication method
## - If you change this, you *must* change it on client *and* server.
#
# MACType = HMAC-TIGER


## The Prelude-IDS profile to use for reporting
## (default value is "samhain")
#
# PreludeProfile = samhain

## Map these samhain severities to impact severity 'info'
#
# PreludeMapToInfo =

## Map these samhain severities to impact severity 'low'
#
# PreludeMapToLow = debug info

## Map these samhain severities to impact severity 'medium'
#
# PreludeMapToMedium = notice warn err

## Map these samhain severities to impact severity 'high'
#
# PreludeMapToHigh = crit alert

# Everything below this marker is ignored.
[EOF]

#####################################################################
# This would be the proper syntax for parts that should only be included
# for certain hosts.
# You may enclose anything in a @HOSTNAME/@end bracket, as long as the
# result still has the proper syntax for the config file.  You may have any
# number of @HOSTNAME/@end brackets.
# HOSTNAME should be the fully qualified 'official' name (e.g.
# 'nixon.watergate.com', not 'nixon'), no aliases.  No IP number — except
# if samhain cannot determine the fully qualified hostname.
#
# @HOSTNAME
# file=/foo/bar
# @end
#
# Two examples for conditional inclusion/exclusion of a machine based on
# the output of 'uname -srm':
# $Linux:2.*.7:i666
# file=/foo/bar3
# $end
#
# !$Linux:2.*.7:i686
# file=/foo/bar2
# $end
#
#####################################################################