source: trunk/samhainrc.freebsd@ 12

Last change on this file since 12 was 1, checked in by katerina, 19 years ago

Initial import

File size: 13.2 KB
Line 
1#####################################################################
2#
3# FreeBSD Configuration file for samhain.
4#
5#####################################################################
6#
7# -- empty lines and lines starting with '#', ';' or '//' are ignored
8# -- boolean options can be Yes/No or True/False or 1/0
9# -- you can PGP clearsign this file -- samhain will check (if compiled
10# with support) or otherwise ignore the signature
11# -- CHECK mail address
12#
13# To each log facility, you can assign a threshold severity. Only
14# reports with at least the threshold severity will be logged
15# to the respective facility (even further below).
16#
17#####################################################################
18# SETUP for file system checking:
19# (i) There are several policies, each has its own section. Put files
20# into the section for the appropriate policy (see below).
21# (ii) Section [EventSeverity]:
22# To each policy, you can assign a severity (further below).
23# (iii) Section [Log]:
24# To each log facility, you can assign a threshold severity. Only
25# reports with at least the threshold severity will be logged
26# to the respective facility (even further below).
27#####################################################################
28
29#####################################################################
30#
31# Files are defined with: file = /absolute/path
32#
33# Directories are defined with: dir = /absolute/path
34# or with an optional recursion depth (N <= 99): dir = N/absolute/path
35#
36# Directory inodes are checked. If you only want to check files
37# in a directory, but not the directory inode itself, use (e.g.):
38#
39# [ReadOnly]
40# dir = /some/directory
41# [IgnoreAll]
42# file = /some/directory
43#
44# You can use shell-style globbing patterns, like: file = /path/foo*
45#
46######################################################################
47
48[Misc]
49##
50## Add or subtract tests from the policies
51## - if you want to change their definitions,
52## you need to do that before using the policies
53##
54# RedefReadOnly = (no default)
55# RedefAttributes=(no default)
56# RedefLogFiles=(no default)
57# RedefGrowingLogFiles=(no default)
58# RedefIgnoreAll=(no default)
59# RedefIgnoreNone=(no default)
60# RedefUser0=(no default)
61# RedefUser1=(no default)
62
63[Attributes]
64##
65## for these files, only changes in permissions and ownership are checked
66##
67
68file=/usr/compat/linux/etc
69file=/usr/compat/linux/etc/ld.so.cache
70
71dir=/var/mail
72dir=/var/spool/lp/tmp
73dir=/var/tmp
74# dir=/var/dt/tmp
75dir=/tmp
76
77
78[LogFiles]
79##
80## for these files, changes in signature, timestamps, and size are ignored
81##
82
83file=/var/run/utmp
84
85
86[GrowingLogFiles]
87##
88## for these files, changes in signature, timestamps, and increase in size
89## are ignored
90##
91
92file=/var/log/wtmp
93file=/var/log/messages
94file=/var/log/maillog
95file=/var/log/lastlog
96file=/var/log/cron
97file=/var/log/auth.log
98
99
100[IgnoreAll]
101##
102## for these files, no modifications are reported
103##
104
105dir=/usr/share/man
106dir=/usr/share/games
107dir=/usr/share/misc
108dir=/usr/X11R6/man
109
110
111[IgnoreNone]
112##
113## for these files, all modifications (even access time) are reported
114## - you may create some interesting-looking file (like /etc/safe_passwd),
115## just to watch whether someone will access it ...
116##
117
118
119[ReadOnly]
120##
121## for these files, only access time is ignored
122##
123
124dir=/bin
125dir=/boot
126dir=3/etc
127dir=/sbin
128dir=1/stand
129dir=/stand/etc
130dir=/stand/modules
131dir=/usr
132dir=2/var/cron
133
134file=/kernel
135dir=/modules
136
137[User0]
138[User1]
139## User0 and User1 are sections for files/dirs with user-definable checking
140## (see the manual)
141
142[EventSeverity]
143##
144## Here you can assign severities to policy violations.
145## If this severity exceeds the treshold of a log facility (see below),
146## a policy violation will be logged to that facility.
147##
148
149#
150# Severity for verification failures.
151#
152# SeverityReadOnly=crit
153# SeverityLogFiles=crit
154# SeverityGrowingLogs=crit
155# SeverityIgnoreNone=crit
156# SeverityAttributes=crit
157# SeverityUser0=crit
158# SeverityUser1=crit
159
160## We have a file in IgnoreAll that might or might not be present.
161## Setting the severity to 'info' prevents messages about deleted/new file.
162##
163# SeverityIgnoreAll=crit
164SeverityIgnoreAll=info
165
166## Files : file access problems
167# SeverityFiles=crit
168
169## Dirs : directory access problems
170# SeverityDirs=crit
171
172## Names : suspect (non-printable) characters in a pathname
173# SeverityNames=crit
174
175[Log]
176##
177## Switch on/OFF log facilities and set their threshold severity
178##
179## Values: debug, info, notice, warn, mark, err, crit, alert, none.
180## 'mark' is used for timestamps.
181##
182## Use 'none' to SWITCH OFF a log facility
183##
184## By default, everything equal to and above the threshold is logged.
185## The specifiers '*', '!', and '=' are interpreted as
186## 'all', 'all but', and 'only', respectively (like syslogd(8) does,
187## at least on Linux). Examples:
188## MailSeverity=*
189## MailSeverity=!warn
190## MailSeverity==crit
191
192## E-mail
193##
194# MailSeverity=none
195
196## Console
197##
198# PrintSeverity=info
199
200## Logfile
201##
202# LogSeverity=mark
203
204## Syslog
205##
206# SyslogSeverity=none
207
208## Remote server (yule)
209##
210# ExportSeverity=none
211
212## External script or program
213##
214# ExternalSeverity = none
215
216## Logging to a database
217##
218# DatabaseSeverity = none
219
220## Logging to a Prelude-IDS
221##
222# PreludeSeverity = crit
223
224
225#####################################################
226#
227# Optional modules
228#
229#####################################################
230
231# [SuidCheck]
232##
233## --- Check the filesystem for SUID/SGID binaries
234##
235
236## Switch on
237#
238# SuidCheckActive = yes
239
240## Interval for check (seconds)
241#
242# SuidCheckInterval = 7200
243
244## Alternative: crontab-like schedule
245#
246# SuidCheckSchedule = NULL
247
248## Directory to exclude
249#
250# SuidCheckExclude = NULL
251
252## Limit on files per second (0 == no limit)
253#
254# SuidCheckFps = 0
255
256## Alternative: yield after every file
257#
258# SuidCheckYield = no
259
260## Severity of a detection
261#
262# SeveritySuidCheck = crit
263
264## Quarantine SUID/SGID files if found
265#
266# SuidCheckQuarantineFiles = yes
267
268## Method for Quarantining files:
269# 0 - Delete the file.
270# 1 - Remove SUID/SGID permissions from file.
271# 2 - Move SUID/SGID file to quarantine dir.
272#
273# SuidCheckQuarantineMethod = 0
274
275## For method 1 and 3, really delete instead of truncating
276#
277# SuidCheckQuarantineDelete = yes
278
279# [Kernel]
280##
281## --- Check for loadable kernel module rootkits (Linux/FreeBSD only)
282##
283
284## Switch on/off
285#
286# KernelCheckActive = True
287
288## Check interval (seconds); btw., the check is VERY fast
289#
290# KernelCheckInterval = 300
291
292## Severity
293#
294# SeverityKernel = crit
295
296
297# [Utmp]
298##
299## --- Logging of login/logout events
300##
301
302## Switch on/off
303#
304# LoginCheckActive = True
305
306## Severity for logins, multiple logins, logouts
307#
308# SeverityLogin=info
309# SeverityLoginMulti=warn
310# SeverityLogout=info
311
312## Interval for login/logout checks
313#
314# LoginCheckInterval = 300
315
316
317# [Database]
318##
319## --- Logging to a relational database
320##
321
322## Database name
323#
324# SetDBName = samhain
325
326## Database table
327#
328# SetDBTable = log
329
330## Database user
331#
332# SetDBUser = samhain
333
334## Database password
335#
336# SetDBPassword = (default: none)
337
338## Database host
339#
340# SetDBHost = localhost
341
342## Log the server timestamp for received messages
343#
344# SetDBServerTstamp = True
345
346## Use a persistent connection
347#
348# UsePersistent = True
349
350
351# [External]
352##
353## Interface to call external scripts/programs for logging
354##
355
356## The absolute path to the command
357## - Each invocation of this directive will end the definition of the
358## preceding command, and start the definition of
359## an additional, new command
360#
361# OpenCommand = (no default)
362
363## Type (log or srv)
364## - log for log messages, srv for messages received by the server
365#
366# SetType = log
367
368## The command (full command line) to execute
369#
370# SetCommandLine = (no default)
371
372## The environment (KEY=value; repeat for more)
373#
374# SetEnviron = TZ=(your timezone)
375
376## The TIGER192 checksum (optional)
377#
378# SetChecksum = (no default)
379
380## User who runs the command
381#
382# SetCredentials = (default: samhain process uid)
383
384## Words not allowed in message
385#
386# SetFilterNot = (none)
387
388## Words required (ALL of them)
389#
390# SetFilterAnd = (none)
391
392## Words required (at least one)
393#
394# SetFilterOr = (none)
395
396## Deadtime between consecutive calls
397#
398# SetDeadtime = 0
399
400## Add default environment (HOME, PATH, SHELL)
401#
402# SetDefault = no
403
404
405
406#####################################################
407#
408# Miscellaneous configuration options
409#
410#####################################################
411
412[Misc]
413
414## whether to become a daemon process
415## (this is not honoured on database initialisation)
416#
417# Daemon = no
418Daemon = yes
419
420# whether to test signature of files (init/check/none)
421# - if 'none', then we have to decide this on the command line -
422#
423# ChecksumTest = none
424ChecksumTest=check
425
426# Set nice level (-19 to 19, see 'man nice'),
427# and I/O limit (kilobytes per second; 0 == off)
428# to reduce load on host.
429#
430# SetNiceLevel = 0
431# SetIOLimit = 0
432
433## The version string to embed in file signature databases
434#
435# VersionString = NULL
436
437## Interval between time stamp messages
438#
439# SetLoopTime = 60
440SetLoopTime = 600
441
442## Interval between file checks
443#
444# SetFileCheckTime = 600
445SetFileCheckTime = 7200
446
447## Alternative: crontab-like schedule
448#
449# FileCheckScheduleOne = NULL
450
451## Alternative: crontab-like schedule(2)
452#
453# FileCheckScheduleTwo = NULL
454
455## Report only once on modified fles
456## Setting this to 'FALSE' will generate a report for any policy
457## violation (old and new ones) each time the daemon checks the file system.
458#
459# ReportOnlyOnce = True
460
461## Report in full detail
462#
463# ReportFullDetail = False
464
465## Report file timestamps in local time rather than GMT
466#
467# UseLocalTime = No
468
469## The console device (can also be a file or named pipe)
470## - There are two console devices. Accordingly, you can use
471## this directive a second time to set the second console device.
472## If you have not defined the second device at compile time,
473## and you don't want to use it, then:
474## setting it to /dev/null is less effective than just leaving
475## it alone (setting to /dev/null will waste time by opening
476## /dev/null and writing to it)
477#
478# SetConsole = /dev/console
479
480## Activate the SysV IPC message queue
481#
482# MessageQueueActive = False
483
484
485## If false, skip reverse lookup when connecting to a host known
486## by name rather than IP address (i.e. trust the DNS)
487#
488# SetReverseLookup = True
489
490
491## --- E-Mail ---
492
493# Only highest-level (alert) reports will be mailed immediately,
494# others will be queued. Here you can define, when the queue will
495# be flushed (Note: the queue is automatically flushed after
496# completing a file check).
497#
498# SetMailTime = 86400
499
500## Maximum number of mails to queue
501#
502# SetMailNum = 10
503
504## Recipient (max. 8)
505#
506# SetMailAddress=root@localhost
507
508## Mail relay (IP address)
509#
510# SetMailRelay = NULL
511
512## Custom subject format
513#
514# MailSubject = NULL
515
516## --- end E-Mail ---
517
518
519## Path to the executable. If set, will be checksummed after startup
520## and before exit.
521#
522# SamhainPath = (no default)
523
524
525## The IP address of the log server
526#
527# SetLogServer = (default: compiled-in)
528
529## The IP address of the time server
530#
531# SetTimeServer = (default: compiled-in)
532
533## Trusted Users (comma delimited list of user names)
534#
535# TrustedUser = (no default; this adds to the compiled-in list)
536
537## Path to the file signature database
538#
539# SetDatabasePath = (default: compiled-in)
540
541## Path to the log file
542#
543# SetLogfilePath = (default: compiled-in)
544
545## Path to the PID file
546#
547# SetLockPath = (default: compiled-in)
548
549
550## The digest/checksum/hash algorithm
551#
552# DigestAlgo = TIGER192
553
554
555## Custom format for message header.
556## CAREFUL if you use XML logfile format.
557##
558## %S severity
559## %T timestamp
560## %C class
561##
562## %F source file
563## %L source line
564#
565# MessageHeader="%S %T "
566
567
568## Don't log path to config/database file on startup
569#
570# HideSetup = False
571
572## The syslog facility, if you log to syslog
573#
574# SyslogFacility = LOG_AUTHPRIV
575SyslogFacility=LOG_LOCAL2
576
577## The message authentication method
578## - If you change this, you *must* change it
579## on client *and* server
580#
581# MACType = HMAC-TIGER
582
583
584## The Prelude-IDS profile to use for reporting
585## default value is "samhain"
586#
587# PreludeProfile = samhain
588
589## Map these samhain severities to impact severity 'info' severity
590#
591# PreludeMapToInfo =
592
593## Map these samhain severities to impact severity 'low' severity
594#
595# PreludeMapToLow = debug info
596
597## Map these samhain severities to impact severity 'medium' severity
598#
599# PreludeMapToMedium = notice warn err
600
601## Map these samhain severities to impact severity 'high' severity
602#
603# PreludeMapToHigh = crit alert
604
605# everything below is ignored
606[EOF]
607
608#####################################################################
609# This would be the proper syntax for parts that should only be
610# included for certain hosts.
611# You may enclose anything in a @HOSTNAME/@end bracket, as long as the
612# result still has the proper syntax for the config file.
613# You may have any number of @HOSTNAME/@end brackets.
614# HOSTNAME should be the fully qualified 'official' name
615# (e.g. 'nixon.watergate.com', not 'nixon'), no aliases.
616# No IP number - except if samhain cannot determine the
617# fully qualified hostname.
618#
619# @HOSTNAME
620# file=/foo/bar
621# @end
622#
623# These are two examples for conditional inclusion/exclusion
624# of a machine based on the output from 'uname -srm'
625# $Linux:2.*.7:i666
626# file=/foo/bar3
627# $end
628#
629# !$Linux:2.*.7:i686
630# file=/foo/bar2
631# $end
632#
633#####################################################################
Note: See TracBrowser for help on using the repository browser.