source: trunk/samhainrc.freebsd@ 273

Last change on this file since 273 was 101, checked in by rainer, 18 years ago

Fix compile bug with --with-kcheck

File size: 14.2 KB
Line 
1#####################################################################
2#
3# FreeBSD Configuration file for samhain.
4#
5#####################################################################
6#
7# -- empty lines and lines starting with '#', ';' or '//' are ignored
8# -- boolean options can be Yes/No or True/False or 1/0
9# -- you can PGP clearsign this file -- samhain will check (if compiled
10# with support) or otherwise ignore the signature
11# -- CHECK mail address
12#
13# To each log facility, you can assign a threshold severity. Only
14# reports with at least the threshold severity will be logged
15# to the respective facility (even further below).
16#
17#####################################################################
18# SETUP for file system checking:
19# (i) There are several policies, each has its own section. Put files
20# into the section for the appropriate policy (see below).
21# (ii) Section [EventSeverity]:
22# To each policy, you can assign a severity (further below).
23# (iii) Section [Log]:
24# To each log facility, you can assign a threshold severity. Only
25# reports with at least the threshold severity will be logged
26# to the respective facility (even further below).
27#####################################################################
28
29#####################################################################
30#
31# Files are defined with: file = /absolute/path
32#
33# Directories are defined with: dir = /absolute/path
34# or with an optional recursion depth (N <= 99): dir = N/absolute/path
35#
36# Directory inodes are checked. If you only want to check files
37# in a directory, but not the directory inode itself, use (e.g.):
38#
39# [ReadOnly]
40# dir = /some/directory
41# [IgnoreAll]
42# file = /some/directory
43#
44# You can use shell-style globbing patterns, like: file = /path/foo*
45#
46######################################################################
47
48[Misc]
49##
50## Add or subtract tests from the policies
51## - if you want to change their definitions,
52## you need to do that before using the policies
53##
54# RedefReadOnly = (no default)
55# RedefAttributes=(no default)
56# RedefLogFiles=(no default)
57# RedefGrowingLogFiles=(no default)
58# RedefIgnoreAll=(no default)
59# RedefIgnoreNone=(no default)
60# RedefUser0=(no default)
61# RedefUser1=(no default)
62
63#
64# --------- / --------------
65#
66
67[ReadOnly]
68dir = 0/
69
70[Attributes]
71file = /
72file = /proc
73file = /entropy
74file = /tmp
75file = /var
76
77#
78# --------- /dev -----------
79#
80
81[Attributes]
82dir = 99/dev
83
84[IgnoreAll]
85file = /dev/ttyp?
86
87[Misc]
88##
89## pseudo terminals are created/removed as needed
90##
91IgnoreAdded = /dev/(p|t)typ.*
92IgnoreMissing = /dev/(p|t)typ.*
93
94
95#
96# --------- /etc -----------
97#
98
99[ReadOnly]
100##
101## for these files, only access time is ignored
102##
103dir = 99/etc
104
105
106#
107# --------- /boot -----------
108#
109
110[ReadOnly]
111dir = 99/boot
112
113#
114# --------- /bin, /sbin -----------
115#
116
117[ReadOnly]
118dir = 99/bin
119dir = 99/sbin
120
121#
122# --------- /lib -----------
123#
124
125[ReadOnly]
126dir = 99/lib
127
128#
129# --------- /libexec -----------
130#
131
132[ReadOnly]
133dir = 99/libexec
134
135#
136# --------- /rescue -----------
137#
138
139[ReadOnly]
140dir = 99/rescue
141
142#
143# --------- /root -----------
144#
145
146[Attributes]
147##
148## for these files, only changes in permissions and ownership are checked
149##
150dir = 99/root
151
152#
153# --------- /stand -----------
154#
155
156[ReadOnly]
157dir = 99/stand
158
159#
160# --------- /usr -----------
161#
162
163[ReadOnly]
164dir = 99/usr
165
166[Attributes]
167dir = /usr/.snap
168dir = /usr/share/man/cat?
169file = /usr/compat/linux/etc
170file = /usr/compat/linux/etc/ld.so.cache
171
172[IgnoreAll]
173dir = -1/usr/home
174
175#
176# --------- /var -----------
177#
178
179[Attributes]
180
181dir = 0/var
182
183[LogFiles]
184##
185## for these files, changes in signature, timestamps, and size are ignored
186##
187
188file=/var/run/utmp
189
190[GrowingLogFiles]
191##
192## For these files, changes in signature, timestamps, and increase in size
193## are ignored. Logfile rotation will cause a report because of shrinking
194## size and different inode.
195##
196dir = 99/var/log
197
198[Attributes]
199#
200# rotated logs will change inode
201#
202file = /var/log/*.[0-9].bz2
203file = /var/log/*.[0-9].log
204file = /var/log/*.[0-9]
205file = /var/log/*.[0-9][0-9]
206file = /var/log/*.old
207
208file = /var/log/sendmail.st
209
210
211[Misc]
212#
213# Various naming schemes for rotated logs
214#
215IgnoreAdded = /var/log/.*\.[0-9]+$
216IgnoreAdded = /var/log/.*\.[0-9]+\.gz$
217IgnoreAdded = /var/log/.*\.[0-9]+\.bz2$
218IgnoreAdded = /var/log/.*\.[0-9]+\.log$
219
220
221[IgnoreNone]
222##
223## for these files, all modifications (even access time) are reported
224## - you may create some interesting-looking file (like /etc/safe_passwd),
225## just to watch whether someone will access it ...
226##
227
228
229
230[User0]
231[User1]
232## User0 and User1 are sections for files/dirs with user-definable checking
233## (see the manual)
234
235[EventSeverity]
236##
237## Here you can assign severities to policy violations.
238## If this severity exceeds the treshold of a log facility (see below),
239## a policy violation will be logged to that facility.
240##
241
242#
243# Severity for verification failures.
244#
245# SeverityReadOnly=crit
246# SeverityLogFiles=crit
247# SeverityGrowingLogs=crit
248# SeverityIgnoreNone=crit
249# SeverityAttributes=crit
250# SeverityUser0=crit
251# SeverityUser1=crit
252
253## We have a file in IgnoreAll that might or might not be present.
254## Setting the severity to 'info' prevents messages about deleted/new file.
255##
256# SeverityIgnoreAll=crit
257SeverityIgnoreAll=info
258
259## Files : file access problems
260# SeverityFiles=crit
261
262## Dirs : directory access problems
263# SeverityDirs=crit
264
265## Names : suspect (non-printable) characters in a pathname
266# SeverityNames=crit
267
268[Log]
269##
270## Switch on/OFF log facilities and set their threshold severity
271##
272## Values: debug, info, notice, warn, mark, err, crit, alert, none.
273## 'mark' is used for timestamps.
274##
275## Use 'none' to SWITCH OFF a log facility
276##
277## By default, everything equal to and above the threshold is logged.
278## The specifiers '*', '!', and '=' are interpreted as
279## 'all', 'all but', and 'only', respectively (like syslogd(8) does,
280## at least on Linux). Examples:
281## MailSeverity=*
282## MailSeverity=!warn
283## MailSeverity==crit
284
285## E-mail
286##
287# MailSeverity=none
288
289## Console
290##
291# PrintSeverity=info
292
293## Logfile
294##
295# LogSeverity=mark
296
297## Syslog
298##
299# SyslogSeverity=none
300
301## Remote server (yule)
302##
303# ExportSeverity=none
304
305## External script or program
306##
307# ExternalSeverity = none
308
309## Logging to a database
310##
311# DatabaseSeverity = none
312
313## Logging to a Prelude-IDS
314##
315# PreludeSeverity = crit
316
317
318#####################################################
319#
320# Optional modules
321#
322#####################################################
323
324# [SuidCheck]
325##
326## --- Check the filesystem for SUID/SGID binaries
327##
328
329## Switch on
330#
331# SuidCheckActive = yes
332
333## Interval for check (seconds)
334#
335# SuidCheckInterval = 7200
336
337## Alternative: crontab-like schedule
338#
339# SuidCheckSchedule = NULL
340
341## Directory to exclude
342#
343# SuidCheckExclude = NULL
344
345## Limit on files per second (0 == no limit)
346#
347# SuidCheckFps = 0
348
349## Alternative: yield after every file
350#
351# SuidCheckYield = no
352
353## Severity of a detection
354#
355# SeveritySuidCheck = crit
356
357## Quarantine SUID/SGID files if found
358#
359# SuidCheckQuarantineFiles = yes
360
361## Method for Quarantining files:
362# 0 - Delete the file.
363# 1 - Remove SUID/SGID permissions from file.
364# 2 - Move SUID/SGID file to quarantine dir.
365#
366# SuidCheckQuarantineMethod = 0
367
368## For method 1 and 3, really delete instead of truncating
369#
370# SuidCheckQuarantineDelete = yes
371
372# [Kernel]
373##
374## --- Check for loadable kernel module rootkits (Linux/FreeBSD only)
375##
376
377## Switch on/off
378#
379# KernelCheckActive = True
380
381## Check interval (seconds); btw., the check is VERY fast
382#
383# KernelCheckInterval = 300
384
385## Severity
386#
387# SeverityKernel = crit
388
389
390# [Utmp]
391##
392## --- Logging of login/logout events
393##
394
395## Switch on/off
396#
397# LoginCheckActive = True
398
399## Severity for logins, multiple logins, logouts
400#
401# SeverityLogin=info
402# SeverityLoginMulti=warn
403# SeverityLogout=info
404
405## Interval for login/logout checks
406#
407# LoginCheckInterval = 300
408
409
410# [Database]
411##
412## --- Logging to a relational database
413##
414
415## Database name
416#
417# SetDBName = samhain
418
419## Database table
420#
421# SetDBTable = log
422
423## Database user
424#
425# SetDBUser = samhain
426
427## Database password
428#
429# SetDBPassword = (default: none)
430
431## Database host
432#
433# SetDBHost = localhost
434
435## Log the server timestamp for received messages
436#
437# SetDBServerTstamp = True
438
439## Use a persistent connection
440#
441# UsePersistent = True
442
443
444# [External]
445##
446## Interface to call external scripts/programs for logging
447##
448
449## The absolute path to the command
450## - Each invocation of this directive will end the definition of the
451## preceding command, and start the definition of
452## an additional, new command
453#
454# OpenCommand = (no default)
455
456## Type (log or srv)
457## - log for log messages, srv for messages received by the server
458#
459# SetType = log
460
461## The command (full command line) to execute
462#
463# SetCommandLine = (no default)
464
465## The environment (KEY=value; repeat for more)
466#
467# SetEnviron = TZ=(your timezone)
468
469## The TIGER192 checksum (optional)
470#
471# SetChecksum = (no default)
472
473## User who runs the command
474#
475# SetCredentials = (default: samhain process uid)
476
477## Words not allowed in message
478#
479# SetFilterNot = (none)
480
481## Words required (ALL of them)
482#
483# SetFilterAnd = (none)
484
485## Words required (at least one)
486#
487# SetFilterOr = (none)
488
489## Deadtime between consecutive calls
490#
491# SetDeadtime = 0
492
493## Add default environment (HOME, PATH, SHELL)
494#
495# SetDefault = no
496
497
498
499#####################################################
500#
501# Miscellaneous configuration options
502#
503#####################################################
504
505[Misc]
506
507## whether to become a daemon process
508## (this is not honoured on database initialisation)
509#
510# Daemon = no
511Daemon = yes
512
513# whether to test signature of files (init/check/none)
514# - if 'none', then we have to decide this on the command line -
515#
516# ChecksumTest = none
517ChecksumTest=check
518
519# Set nice level (-19 to 19, see 'man nice'),
520# and I/O limit (kilobytes per second; 0 == off)
521# to reduce load on host.
522#
523# SetNiceLevel = 0
524# SetIOLimit = 0
525
526## The version string to embed in file signature databases
527#
528# VersionString = NULL
529
530## Interval between time stamp messages
531#
532# SetLoopTime = 60
533SetLoopTime = 600
534
535## Interval between file checks
536#
537# SetFileCheckTime = 600
538SetFileCheckTime = 7200
539
540## Alternative: crontab-like schedule
541#
542# FileCheckScheduleOne = NULL
543
544## Alternative: crontab-like schedule(2)
545#
546# FileCheckScheduleTwo = NULL
547
548## Report only once on modified files
549## Setting this to 'FALSE' will generate a report for any policy
550## violation (old and new ones) each time the daemon checks the file system.
551#
552# ReportOnlyOnce = True
553
554## Report in full detail
555#
556# ReportFullDetail = False
557
558## Report file timestamps in local time rather than GMT
559#
560# UseLocalTime = No
561
562## The console device (can also be a file or named pipe)
563## - There are two console devices. Accordingly, you can use
564## this directive a second time to set the second console device.
565## If you have not defined the second device at compile time,
566## and you don't want to use it, then:
567## setting it to /dev/null is less effective than just leaving
568## it alone (setting to /dev/null will waste time by opening
569## /dev/null and writing to it)
570#
571# SetConsole = /dev/console
572
573## Activate the SysV IPC message queue
574#
575# MessageQueueActive = False
576
577
578## If false, skip reverse lookup when connecting to a host known
579## by name rather than IP address (i.e. trust the DNS)
580#
581# SetReverseLookup = True
582
583
584## --- E-Mail ---
585
586# Only highest-level (alert) reports will be mailed immediately,
587# others will be queued. Here you can define, when the queue will
588# be flushed (Note: the queue is automatically flushed after
589# completing a file check).
590#
591# SetMailTime = 86400
592
593## Maximum number of mails to queue
594#
595# SetMailNum = 10
596
597## Recipient (max. 8)
598#
599# SetMailAddress=root@localhost
600
601## Mail relay (IP address)
602#
603# SetMailRelay = NULL
604
605## Custom subject format
606#
607# MailSubject = NULL
608
609## --- end E-Mail ---
610
611
612## Path to the executable. If set, will be checksummed after startup
613## and before exit.
614#
615# SamhainPath = (no default)
616
617
618## The IP address of the log server
619#
620# SetLogServer = (default: compiled-in)
621
622## The IP address of the time server
623#
624# SetTimeServer = (default: compiled-in)
625
626## Trusted Users (comma delimited list of user names)
627#
628# TrustedUser = (no default; this adds to the compiled-in list)
629
630## Path to the file signature database
631#
632# SetDatabasePath = (default: compiled-in)
633
634## Path to the log file
635#
636# SetLogfilePath = (default: compiled-in)
637
638## Path to the PID file
639#
640# SetLockPath = (default: compiled-in)
641
642
643## The digest/checksum/hash algorithm
644#
645# DigestAlgo = TIGER192
646
647
648## Custom format for message header.
649## CAREFUL if you use XML logfile format.
650##
651## %S severity
652## %T timestamp
653## %C class
654##
655## %F source file
656## %L source line
657#
658# MessageHeader="%S %T "
659
660
661## Don't log path to config/database file on startup
662#
663# HideSetup = False
664
665## The syslog facility, if you log to syslog
666#
667# SyslogFacility = LOG_AUTHPRIV
668SyslogFacility=LOG_LOCAL2
669
670## The message authentication method
671## - If you change this, you *must* change it
672## on client *and* server
673#
674# MACType = HMAC-TIGER
675
676
677## The Prelude-IDS profile to use for reporting
678## default value is "samhain"
679#
680# PreludeProfile = samhain
681
682## Map these samhain severities to impact severity 'info' severity
683#
684# PreludeMapToInfo =
685
686## Map these samhain severities to impact severity 'low' severity
687#
688# PreludeMapToLow = debug info
689
690## Map these samhain severities to impact severity 'medium' severity
691#
692# PreludeMapToMedium = notice warn err
693
694## Map these samhain severities to impact severity 'high' severity
695#
696# PreludeMapToHigh = crit alert
697
698# everything below is ignored
699[EOF]
700
701#####################################################################
702# This would be the proper syntax for parts that should only be
703# included for certain hosts.
704# You may enclose anything in a @HOSTNAME/@end bracket, as long as the
705# result still has the proper syntax for the config file.
706# You may have any number of @HOSTNAME/@end brackets.
707# HOSTNAME should be the fully qualified 'official' name
708# (e.g. 'nixon.watergate.com', not 'nixon'), no aliases.
709# No IP number - except if samhain cannot determine the
710# fully qualified hostname.
711#
712# @HOSTNAME
713# file=/foo/bar
714# @end
715#
716# These are two examples for conditional inclusion/exclusion
717# of a machine based on the output from 'uname -srm'
718# $Linux:2.*.7:i666
719# file=/foo/bar3
720# $end
721#
722# !$Linux:2.*.7:i686
723# file=/foo/bar2
724# $end
725#
726#####################################################################
Note: See TracBrowser for help on using the repository browser.