| 1 | #####################################################################
|
|---|
| 2 | #
|
|---|
| 3 | # AIX 5.2.0 configuration file for Samhain.
|
|---|
| 4 | #
|
|---|
| 5 | ####################################################################
|
|---|
| 6 | #
|
|---|
| 7 | # Date : 23.10.2003
|
|---|
| 8 | # Author : Christoph Kiefer (chkiefer@intergga.ch)
|
|---|
| 9 | # Comment : Samhain client configuration file. Should work
|
|---|
| 10 | # for AIX 5.1.0. The Samhain version is 1.7.12
|
|---|
| 11 | # This configuration fits MY needs, YOU will
|
|---|
| 12 | # probably have to modify it.
|
|---|
| 13 | #
|
|---|
| 14 | # Changes : Date Name Remarks
|
|---|
| 15 | # 23.10.2003 Christoph Kiefer Initial Version
|
|---|
| 16 | #
|
|---|
| 17 | #####################################################################
|
|---|
| 18 | #
|
|---|
| 19 | # -- empty lines and lines starting with '#', ';' or '//' are ignored
|
|---|
| 20 | # -- boolean options can be Yes/No or True/False or 1/0
|
|---|
| 21 | # -- you can PGP clearsign this file -- samhain will check (if compiled
|
|---|
| 22 | # with support) or otherwise ignore the signature
|
|---|
| 23 | # -- CHECK mail address
|
|---|
| 24 | #
|
|---|
| 25 | # To each log facility, you can assign a threshold severity. Only
|
|---|
| 26 | # reports with at least the threshold severity will be logged
|
|---|
| 27 | # to the respective facility (even further below).
|
|---|
| 28 | #
|
|---|
| 29 | #####################################################################
|
|---|
| 30 | # SETUP for file system checking:
|
|---|
| 31 | # (i) There are several policies, each has its own section. Put files
|
|---|
| 32 | # into the section for the appropriate policy (see below).
|
|---|
| 33 | # (ii) Section [EventSeverity]:
|
|---|
| 34 | # To each policy, you can assign a severity (further below).
|
|---|
| 35 | # (iii) Section [Log]:
|
|---|
| 36 | # To each log facility, you can assign a threshold severity. Only
|
|---|
| 37 | # reports with at least the threshold severity will be logged
|
|---|
| 38 | # to the respective facility (even further below).
|
|---|
| 39 | #####################################################################
|
|---|
| 40 |
|
|---|
| 41 | #####################################################################
|
|---|
| 42 | #
|
|---|
| 43 | # Files are defined with: file = /absolute/path
|
|---|
| 44 | #
|
|---|
| 45 | # Directories are defined with: dir = /absolute/path
|
|---|
| 46 | # or with an optional recursion depth (N <= 99): dir = N/absolute/path
|
|---|
| 47 | #
|
|---|
| 48 | # Directory inodes are checked. If you only want to check files
|
|---|
| 49 | # in a directory, but not the directory inode itself, use (e.g.):
|
|---|
| 50 | #
|
|---|
| 51 | # [ReadOnly]
|
|---|
| 52 | # dir = /some/directory
|
|---|
| 53 | # [IgnoreAll]
|
|---|
| 54 | # file = /some/directory
|
|---|
| 55 | #
|
|---|
| 56 | # You can use shell-style globbing patterns, like: file = /path/foo*
|
|---|
| 57 | #
|
|---|
| 58 | ######################################################################
|
|---|
| 59 |
|
|---|
| 60 | [Misc]
|
|---|
| 61 | MessageHeader=""
|
|---|
| 62 | RedefLogFiles=-INO
|
|---|
| 63 | SetFilecheckTime=3600
|
|---|
| 64 | SetLoopTime=3600
|
|---|
| 65 | SetRecursionLevel=99
|
|---|
| 66 | DigestAlgo=SHA1
|
|---|
| 67 | ChecksumTest=check
|
|---|
| 68 | SetTimeServer=localhost
|
|---|
| 69 | ReportFullDetail=no
|
|---|
| 70 | Daemon=yes
|
|---|
| 71 | HideSetup=yes
|
|---|
| 72 | ReportOnlyOnce=yes
|
|---|
| 73 | UseLocalTime=yes
|
|---|
| 74 |
|
|---|
| 75 | ## The Prelude-IDS profile to use for reporting
|
|---|
| 76 | ## default value is "samhain"
|
|---|
| 77 | #
|
|---|
| 78 | # PreludeProfile = samhain
|
|---|
| 79 |
|
|---|
| 80 | ## Map these samhain severities to impact severity 'info' severity
|
|---|
| 81 | #
|
|---|
| 82 | # PreludeMapToInfo =
|
|---|
| 83 |
|
|---|
| 84 | ## Map these samhain severities to impact severity 'low' severity
|
|---|
| 85 | #
|
|---|
| 86 | # PreludeMapToLow = debug info
|
|---|
| 87 |
|
|---|
| 88 | ## Map these samhain severities to impact severity 'medium' severity
|
|---|
| 89 | #
|
|---|
| 90 | # PreludeMapToMedium = notice warn err
|
|---|
| 91 |
|
|---|
| 92 | ## Map these samhain severities to impact severity 'high' severity
|
|---|
| 93 | #
|
|---|
| 94 | # PreludeMapToHigh = crit alert
|
|---|
| 95 |
|
|---|
| 96 | [IgnoreAll]
|
|---|
| 97 | dir=-1/etc/objrepos
|
|---|
| 98 | dir=-1/etc/vg
|
|---|
| 99 | dir=-1/dev/.SRC-unix
|
|---|
| 100 | dir=-1/dev/pts
|
|---|
| 101 | dir=-1/opt
|
|---|
| 102 | dir=-1/tmp
|
|---|
| 103 | dir=-1/usr/share/lib/objrepos
|
|---|
| 104 | dir=-1/usr/share/man
|
|---|
| 105 | dir=-1/var/adm/cron
|
|---|
| 106 | dir=-1/var/tmp
|
|---|
| 107 | file=/dev/log*
|
|---|
| 108 |
|
|---|
| 109 | [Attributes]
|
|---|
| 110 | file=/etc/lpp/diagnostics/data/*
|
|---|
| 111 | file=/audit/auditb
|
|---|
| 112 | file=/dev
|
|---|
| 113 | # file=/etc/bootpd.dump
|
|---|
| 114 | file=/etc/bootptab
|
|---|
| 115 | file=/etc/inittab
|
|---|
| 116 | file=/etc/xtab
|
|---|
| 117 | dir=/dev
|
|---|
| 118 | dir=/usr/dt
|
|---|
| 119 | dir=/usr/lib/instl
|
|---|
| 120 | dir=/usr/lib/lpd
|
|---|
| 121 | dir=/usr/lib/mh
|
|---|
| 122 | dir=/usr/lib/sa
|
|---|
| 123 | dir=/usr/lpp
|
|---|
| 124 |
|
|---|
| 125 | [LogFiles]
|
|---|
| 126 | file=/etc/rmtab
|
|---|
| 127 | file=/etc/security/failedlogin
|
|---|
| 128 | file=/etc/security/lastlog
|
|---|
| 129 | file=/etc/security/portlog
|
|---|
| 130 | file=/etc/utmp
|
|---|
| 131 | # file=/smit.log
|
|---|
| 132 | file=/var/adm/*log*
|
|---|
| 133 | file=/var/adm/ras/*log*
|
|---|
| 134 | file=/var/adm/wtmp
|
|---|
| 135 | file=/var/log/*log*
|
|---|
| 136 |
|
|---|
| 137 | [IgnoreNone]
|
|---|
| 138 | file=/etc/tsh_profile
|
|---|
| 139 |
|
|---|
| 140 | [ReadOnly]
|
|---|
| 141 | dir=/etc/security/ldap
|
|---|
| 142 | file=/etc/*.cnf
|
|---|
| 143 | file=/etc/*conf*
|
|---|
| 144 | file=/etc/aliases
|
|---|
| 145 | file=/etc/dumpdates
|
|---|
| 146 | file=/etc/environment
|
|---|
| 147 | file=/etc/exports
|
|---|
| 148 | file=/etc/filesystems
|
|---|
| 149 | file=/etc/ftpusers
|
|---|
| 150 | file=/etc/group
|
|---|
| 151 | file=/etc/hosts*
|
|---|
| 152 | file=/etc/motd
|
|---|
| 153 | file=/etc/passwd
|
|---|
| 154 | file=/etc/profile
|
|---|
| 155 | file=/etc/protocols
|
|---|
| 156 | file=/etc/publickey
|
|---|
| 157 | file=/etc/rc.*
|
|---|
| 158 | file=/etc/rpc
|
|---|
| 159 | file=/etc/security/acl
|
|---|
| 160 | file=/etc/security/environ
|
|---|
| 161 | file=/etc/security/group
|
|---|
| 162 | file=/etc/security/limits
|
|---|
| 163 | file=/etc/security/login.cfg
|
|---|
| 164 | file=/etc/security/passwd
|
|---|
| 165 | file=/etc/security/roles
|
|---|
| 166 | file=/etc/security/smitacl.*
|
|---|
| 167 | file=/etc/security/user*
|
|---|
| 168 | file=/etc/sendmail.cf
|
|---|
| 169 | file=/etc/services
|
|---|
| 170 | file=/etc/sudoers
|
|---|
| 171 | file=/etc/swapspaces
|
|---|
| 172 | file=/etc/vfs
|
|---|
| 173 | # file=/smit.script
|
|---|
| 174 | dir=/etc/mail
|
|---|
| 175 | dir=/etc/rc.d
|
|---|
| 176 | dir=/etc/security/audit
|
|---|
| 177 | dir=/home/root
|
|---|
| 178 | dir=/sbin
|
|---|
| 179 | dir=/usr/X11R6
|
|---|
| 180 | dir=/usr/bin
|
|---|
| 181 | dir=/usr/ccs
|
|---|
| 182 | dir=/usr/etc
|
|---|
| 183 | dir=/usr/include
|
|---|
| 184 | dir=/usr/lib/boot
|
|---|
| 185 | dir=/usr/lib/methods
|
|---|
| 186 | dir=/usr/lib/microcode
|
|---|
| 187 | dir=/usr/lib/security
|
|---|
| 188 | dir=/usr/lib/smit
|
|---|
| 189 | dir=/usr/local/bin
|
|---|
| 190 | dir=/usr/sbin
|
|---|
| 191 | dir=/usr/share
|
|---|
| 192 | dir=/usr/ucb
|
|---|
| 193 |
|
|---|
| 194 | [EventSeverity]
|
|---|
| 195 | SeverityAttributes=crit
|
|---|
| 196 | SeverityDirs=err
|
|---|
| 197 | SeverityFiles=err
|
|---|
| 198 | SeverityGrowingLogs=warn
|
|---|
| 199 | SeverityIgnoreNone=crit
|
|---|
| 200 | SeverityLogFiles=crit
|
|---|
| 201 | SeverityReadOnly=crit
|
|---|
| 202 | SeverityIgnoreAll=info
|
|---|
| 203 | SeverityNames=info
|
|---|
| 204 |
|
|---|
| 205 | [Log]
|
|---|
| 206 | ExportClass=RUN FIL PANIC ERR ENET EINPUT
|
|---|
| 207 | LogSeverity=none
|
|---|
| 208 | MailSeverity=none
|
|---|
| 209 | PrintSeverity=none
|
|---|
| 210 | ExportSeverity=warn
|
|---|
| 211 | SyslogSeverity=warn
|
|---|
| 212 |
|
|---|
| 213 | ## Logging to a Prelude-IDS
|
|---|
| 214 | ##
|
|---|
| 215 | # PreludeSeverity = crit
|
|---|
| 216 |
|
|---|
| 217 | [SuidCheck]
|
|---|
| 218 | SuidCheckExclude=/proc
|
|---|
| 219 | SuidCheckActive=1
|
|---|
| 220 | SuidCheckInterval=1800
|
|---|
| 221 | SuidCheckFps=250
|
|---|
| 222 | #SuidCheckYield=no
|
|---|
| 223 | SeveritySuidCheck=alert
|
|---|
| 224 | #SuidCheckQuarantineFiles=yes
|
|---|
| 225 | #SuidCheckQuarantineMethod=0
|
|---|
| 226 | # SuidCheckQuarantineDelete = yes
|
|---|
| 227 |
|
|---|
| 228 |
|
|---|
| 229 | [Utmp]
|
|---|
| 230 | LoginCheckActive=1
|
|---|
| 231 | LoginCheckInterval=30
|
|---|
| 232 | SeverityLogin=info
|
|---|
| 233 | SeverityLogout=info
|
|---|
| 234 | SeverityLoginMulti=warn
|
|---|
| 235 |
|
|---|
| 236 | [EOF]
|
|---|
