source: trunk/samhainrc.freebsd@ 552

Last change on this file since 552 was 481, checked in by katerina, 9 years ago

Enhancements and fixes for tickets #374, #375, #376, #377, #378, and #379.

File size: 13.9 KB
RevLine 
[1]1#####################################################################
2#
3# FreeBSD Configuration file for samhain.
4#
5#####################################################################
6#
7# -- empty lines and lines starting with '#', ';' or '//' are ignored
8# -- boolean options can be Yes/No or True/False or 1/0
9# -- you can PGP clearsign this file -- samhain will check (if compiled
10# with support) or otherwise ignore the signature
11# -- CHECK mail address
12#
13# To each log facility, you can assign a threshold severity. Only
14# reports with at least the threshold severity will be logged
15# to the respective facility (even further below).
16#
17#####################################################################
18# SETUP for file system checking:
19# (i) There are several policies, each has its own section. Put files
20# into the section for the appropriate policy (see below).
21# (ii) Section [EventSeverity]:
22# To each policy, you can assign a severity (further below).
23# (iii) Section [Log]:
24# To each log facility, you can assign a threshold severity. Only
25# reports with at least the threshold severity will be logged
26# to the respective facility (even further below).
27#####################################################################
28
29#####################################################################
30#
31# Files are defined with: file = /absolute/path
32#
33# Directories are defined with: dir = /absolute/path
34# or with an optional recursion depth (N <= 99): dir = N/absolute/path
35#
36# Directory inodes are checked. If you only want to check files
37# in a directory, but not the directory inode itself, use (e.g.):
38#
39# [ReadOnly]
40# dir = /some/directory
41# [IgnoreAll]
42# file = /some/directory
43#
44# You can use shell-style globbing patterns, like: file = /path/foo*
45#
46######################################################################
47
48[Misc]
49##
50## Add or subtract tests from the policies
51## - if you want to change their definitions,
52## you need to do that before using the policies
53##
54# RedefReadOnly = (no default)
55# RedefAttributes=(no default)
56# RedefLogFiles=(no default)
57# RedefGrowingLogFiles=(no default)
58# RedefIgnoreAll=(no default)
59# RedefIgnoreNone=(no default)
60# RedefUser0=(no default)
61# RedefUser1=(no default)
62
[14]63#
64# --------- / --------------
65#
66
67[ReadOnly]
68dir = 0/
69
[1]70[Attributes]
[14]71file = /
72file = /proc
73file = /entropy
74file = /tmp
75file = /var
76
77#
78# --------- /dev -----------
79#
80
81[Attributes]
82dir = 99/dev
83
84[IgnoreAll]
85file = /dev/ttyp?
86
87[Misc]
[1]88##
[14]89## pseudo terminals are created/removed as needed
90##
91IgnoreAdded = /dev/(p|t)typ.*
92IgnoreMissing = /dev/(p|t)typ.*
93
94
95#
96# --------- /etc -----------
97#
98
99[ReadOnly]
100##
101## for these files, only access time is ignored
102##
103dir = 99/etc
104
105
106#
107# --------- /boot -----------
108#
109
110[ReadOnly]
111dir = 99/boot
112
113#
114# --------- /bin, /sbin -----------
115#
116
117[ReadOnly]
118dir = 99/bin
119dir = 99/sbin
120
121#
122# --------- /lib -----------
123#
124
125[ReadOnly]
126dir = 99/lib
127
128#
129# --------- /libexec -----------
130#
131
132[ReadOnly]
133dir = 99/libexec
134
135#
136# --------- /rescue -----------
137#
138
139[ReadOnly]
140dir = 99/rescue
141
142#
143# --------- /root -----------
144#
145
146[Attributes]
147##
[1]148## for these files, only changes in permissions and ownership are checked
149##
[14]150dir = 99/root
[1]151
[14]152#
153# --------- /stand -----------
154#
[1]155
[14]156[ReadOnly]
157dir = 99/stand
[1]158
[14]159#
160# --------- /usr -----------
161#
[1]162
[14]163[ReadOnly]
164dir = 99/usr
165
166[Attributes]
167dir = /usr/.snap
168dir = /usr/share/man/cat?
169file = /usr/compat/linux/etc
170file = /usr/compat/linux/etc/ld.so.cache
171
172[IgnoreAll]
173dir = -1/usr/home
174
175#
176# --------- /var -----------
177#
178
179[Attributes]
180
181dir = 0/var
182
[1]183[LogFiles]
184##
185## for these files, changes in signature, timestamps, and size are ignored
186##
187
188file=/var/run/utmp
189
190[GrowingLogFiles]
191##
[14]192## For these files, changes in signature, timestamps, and increase in size
193## are ignored. Logfile rotation will cause a report because of shrinking
194## size and different inode.
[1]195##
[14]196dir = 99/var/log
[1]197
[14]198[Attributes]
199#
200# rotated logs will change inode
201#
202file = /var/log/*.[0-9].bz2
203file = /var/log/*.[0-9].log
204file = /var/log/*.[0-9]
205file = /var/log/*.[0-9][0-9]
206file = /var/log/*.old
[1]207
[14]208file = /var/log/sendmail.st
[1]209
210
[14]211[Misc]
212#
213# Various naming schemes for rotated logs
214#
215IgnoreAdded = /var/log/.*\.[0-9]+$
216IgnoreAdded = /var/log/.*\.[0-9]+\.gz$
217IgnoreAdded = /var/log/.*\.[0-9]+\.bz2$
218IgnoreAdded = /var/log/.*\.[0-9]+\.log$
[1]219
220
221[IgnoreNone]
222##
223## for these files, all modifications (even access time) are reported
224## - you may create some interesting-looking file (like /etc/safe_passwd),
225## just to watch whether someone will access it ...
226##
227
228
229
230[User0]
231[User1]
232## User0 and User1 are sections for files/dirs with user-definable checking
233## (see the manual)
234
235[EventSeverity]
236##
237## Here you can assign severities to policy violations.
238## If this severity exceeds the treshold of a log facility (see below),
239## a policy violation will be logged to that facility.
240##
241
242#
243# Severity for verification failures.
244#
245# SeverityReadOnly=crit
246# SeverityLogFiles=crit
247# SeverityGrowingLogs=crit
248# SeverityIgnoreNone=crit
249# SeverityAttributes=crit
250# SeverityUser0=crit
251# SeverityUser1=crit
252
253## We have a file in IgnoreAll that might or might not be present.
254## Setting the severity to 'info' prevents messages about deleted/new file.
255##
256# SeverityIgnoreAll=crit
257SeverityIgnoreAll=info
258
259## Files : file access problems
260# SeverityFiles=crit
261
262## Dirs : directory access problems
263# SeverityDirs=crit
264
265## Names : suspect (non-printable) characters in a pathname
266# SeverityNames=crit
267
268[Log]
269##
270## Switch on/OFF log facilities and set their threshold severity
271##
272## Values: debug, info, notice, warn, mark, err, crit, alert, none.
273## 'mark' is used for timestamps.
274##
275## Use 'none' to SWITCH OFF a log facility
276##
277## By default, everything equal to and above the threshold is logged.
278## The specifiers '*', '!', and '=' are interpreted as
279## 'all', 'all but', and 'only', respectively (like syslogd(8) does,
280## at least on Linux). Examples:
281## MailSeverity=*
282## MailSeverity=!warn
283## MailSeverity==crit
284
285## E-mail
286##
287# MailSeverity=none
288
289## Console
290##
291# PrintSeverity=info
292
293## Logfile
294##
295# LogSeverity=mark
296
297## Syslog
298##
299# SyslogSeverity=none
300
301## Remote server (yule)
302##
303# ExportSeverity=none
304
305## External script or program
306##
307# ExternalSeverity = none
308
309## Logging to a database
310##
311# DatabaseSeverity = none
312
313## Logging to a Prelude-IDS
314##
315# PreludeSeverity = crit
316
317
318#####################################################
319#
320# Optional modules
321#
322#####################################################
323
324# [SuidCheck]
325##
326## --- Check the filesystem for SUID/SGID binaries
327##
328
329## Switch on
330#
331# SuidCheckActive = yes
332
333## Interval for check (seconds)
334#
335# SuidCheckInterval = 7200
336
337## Alternative: crontab-like schedule
338#
339# SuidCheckSchedule = NULL
340
341## Directory to exclude
342#
343# SuidCheckExclude = NULL
344
345## Limit on files per second (0 == no limit)
346#
347# SuidCheckFps = 0
348
349## Alternative: yield after every file
350#
351# SuidCheckYield = no
352
353## Severity of a detection
354#
355# SeveritySuidCheck = crit
356
357## Quarantine SUID/SGID files if found
358#
359# SuidCheckQuarantineFiles = yes
360
361## Method for Quarantining files:
362# 0 - Delete the file.
363# 1 - Remove SUID/SGID permissions from file.
364# 2 - Move SUID/SGID file to quarantine dir.
365#
366# SuidCheckQuarantineMethod = 0
367
368## For method 1 and 3, really delete instead of truncating
369#
370# SuidCheckQuarantineDelete = yes
371
372
373# [Utmp]
374##
375## --- Logging of login/logout events
376##
377
378## Switch on/off
379#
380# LoginCheckActive = True
381
382## Severity for logins, multiple logins, logouts
383#
384# SeverityLogin=info
385# SeverityLoginMulti=warn
386# SeverityLogout=info
387
388## Interval for login/logout checks
389#
390# LoginCheckInterval = 300
391
392
393# [Database]
394##
395## --- Logging to a relational database
396##
397
398## Database name
399#
400# SetDBName = samhain
401
402## Database table
403#
404# SetDBTable = log
405
406## Database user
407#
408# SetDBUser = samhain
409
410## Database password
411#
412# SetDBPassword = (default: none)
413
414## Database host
415#
416# SetDBHost = localhost
417
418## Log the server timestamp for received messages
419#
420# SetDBServerTstamp = True
421
422## Use a persistent connection
423#
424# UsePersistent = True
425
426
427# [External]
428##
429## Interface to call external scripts/programs for logging
430##
431
432## The absolute path to the command
433## - Each invocation of this directive will end the definition of the
434## preceding command, and start the definition of
435## an additional, new command
436#
437# OpenCommand = (no default)
438
439## Type (log or srv)
440## - log for log messages, srv for messages received by the server
441#
442# SetType = log
443
444## The command (full command line) to execute
445#
446# SetCommandLine = (no default)
447
448## The environment (KEY=value; repeat for more)
449#
450# SetEnviron = TZ=(your timezone)
451
452## The TIGER192 checksum (optional)
453#
454# SetChecksum = (no default)
455
456## User who runs the command
457#
458# SetCredentials = (default: samhain process uid)
459
460## Words not allowed in message
461#
462# SetFilterNot = (none)
463
464## Words required (ALL of them)
465#
466# SetFilterAnd = (none)
467
468## Words required (at least one)
469#
470# SetFilterOr = (none)
471
472## Deadtime between consecutive calls
473#
474# SetDeadtime = 0
475
476## Add default environment (HOME, PATH, SHELL)
477#
478# SetDefault = no
479
480
481
482#####################################################
483#
484# Miscellaneous configuration options
485#
486#####################################################
487
488[Misc]
489
490## whether to become a daemon process
491## (this is not honoured on database initialisation)
492#
493# Daemon = no
494Daemon = yes
495
496# whether to test signature of files (init/check/none)
497# - if 'none', then we have to decide this on the command line -
498#
499# ChecksumTest = none
500ChecksumTest=check
501
502# Set nice level (-19 to 19, see 'man nice'),
503# and I/O limit (kilobytes per second; 0 == off)
504# to reduce load on host.
505#
506# SetNiceLevel = 0
507# SetIOLimit = 0
508
509## The version string to embed in file signature databases
510#
511# VersionString = NULL
512
513## Interval between time stamp messages
514#
515# SetLoopTime = 60
516SetLoopTime = 600
517
518## Interval between file checks
519#
520# SetFileCheckTime = 600
521SetFileCheckTime = 7200
522
523## Alternative: crontab-like schedule
524#
525# FileCheckScheduleOne = NULL
526
527## Alternative: crontab-like schedule(2)
528#
529# FileCheckScheduleTwo = NULL
530
[101]531## Report only once on modified files
[1]532## Setting this to 'FALSE' will generate a report for any policy
533## violation (old and new ones) each time the daemon checks the file system.
534#
535# ReportOnlyOnce = True
536
537## Report in full detail
538#
539# ReportFullDetail = False
540
541## Report file timestamps in local time rather than GMT
542#
543# UseLocalTime = No
544
545## The console device (can also be a file or named pipe)
546## - There are two console devices. Accordingly, you can use
547## this directive a second time to set the second console device.
548## If you have not defined the second device at compile time,
549## and you don't want to use it, then:
550## setting it to /dev/null is less effective than just leaving
551## it alone (setting to /dev/null will waste time by opening
552## /dev/null and writing to it)
553#
554# SetConsole = /dev/console
555
556## Activate the SysV IPC message queue
557#
558# MessageQueueActive = False
559
560
561## If false, skip reverse lookup when connecting to a host known
562## by name rather than IP address (i.e. trust the DNS)
563#
564# SetReverseLookup = True
565
566
567## --- E-Mail ---
568
569# Only highest-level (alert) reports will be mailed immediately,
570# others will be queued. Here you can define, when the queue will
571# be flushed (Note: the queue is automatically flushed after
572# completing a file check).
573#
574# SetMailTime = 86400
575
576## Maximum number of mails to queue
577#
578# SetMailNum = 10
579
580## Recipient (max. 8)
581#
582# SetMailAddress=root@localhost
583
584## Mail relay (IP address)
585#
586# SetMailRelay = NULL
587
588## Custom subject format
589#
590# MailSubject = NULL
591
592## --- end E-Mail ---
593
594
595## Path to the executable. If set, will be checksummed after startup
596## and before exit.
597#
598# SamhainPath = (no default)
599
600
601## The IP address of the log server
602#
603# SetLogServer = (default: compiled-in)
604
605## The IP address of the time server
606#
607# SetTimeServer = (default: compiled-in)
608
609## Trusted Users (comma delimited list of user names)
610#
611# TrustedUser = (no default; this adds to the compiled-in list)
612
613## Path to the file signature database
614#
615# SetDatabasePath = (default: compiled-in)
616
617## Path to the log file
618#
619# SetLogfilePath = (default: compiled-in)
620
621## Path to the PID file
622#
[387]623# SetLockfilePath = (default: compiled-in)
[1]624
625
626## The digest/checksum/hash algorithm
627#
628# DigestAlgo = TIGER192
629
630
631## Custom format for message header.
632## CAREFUL if you use XML logfile format.
633##
634## %S severity
635## %T timestamp
636## %C class
637##
638## %F source file
639## %L source line
640#
641# MessageHeader="%S %T "
642
643
644## Don't log path to config/database file on startup
645#
646# HideSetup = False
647
648## The syslog facility, if you log to syslog
649#
650# SyslogFacility = LOG_AUTHPRIV
651SyslogFacility=LOG_LOCAL2
652
653## The message authentication method
654## - If you change this, you *must* change it
655## on client *and* server
656#
657# MACType = HMAC-TIGER
658
659
660## The Prelude-IDS profile to use for reporting
661## default value is "samhain"
662#
663# PreludeProfile = samhain
664
665## Map these samhain severities to impact severity 'info' severity
666#
667# PreludeMapToInfo =
668
669## Map these samhain severities to impact severity 'low' severity
670#
671# PreludeMapToLow = debug info
672
673## Map these samhain severities to impact severity 'medium' severity
674#
675# PreludeMapToMedium = notice warn err
676
677## Map these samhain severities to impact severity 'high' severity
678#
679# PreludeMapToHigh = crit alert
680
681# everything below is ignored
682[EOF]
683
684#####################################################################
685# This would be the proper syntax for parts that should only be
686# included for certain hosts.
687# You may enclose anything in a @HOSTNAME/@end bracket, as long as the
688# result still has the proper syntax for the config file.
689# You may have any number of @HOSTNAME/@end brackets.
690# HOSTNAME should be the fully qualified 'official' name
691# (e.g. 'nixon.watergate.com', not 'nixon'), no aliases.
692# No IP number - except if samhain cannot determine the
693# fully qualified hostname.
694#
695# @HOSTNAME
696# file=/foo/bar
697# @end
698#
699# These are two examples for conditional inclusion/exclusion
700# of a machine based on the output from 'uname -srm'
701# $Linux:2.*.7:i666
702# file=/foo/bar3
703# $end
704#
705# !$Linux:2.*.7:i686
706# file=/foo/bar2
707# $end
708#
709#####################################################################
Note: See TracBrowser for help on using the repository browser.