source: trunk/samhainrc.freebsd@ 50

Last change on this file since 50 was 14, checked in by rainer, 19 years ago

update for default config files

File size: 14.2 KB
Line 
1#####################################################################
2#
3# FreeBSD Configuration file for samhain.
4#
5#####################################################################
6#
7# -- empty lines and lines starting with '#', ';' or '//' are ignored
8# -- boolean options can be Yes/No or True/False or 1/0
9# -- you can PGP clearsign this file -- samhain will check (if compiled
10# with support) or otherwise ignore the signature
11# -- CHECK mail address
12#
13# To each log facility, you can assign a threshold severity. Only
14# reports with at least the threshold severity will be logged
15# to the respective facility (even further below).
16#
17#####################################################################
18# SETUP for file system checking:
19# (i) There are several policies, each has its own section. Put files
20# into the section for the appropriate policy (see below).
21# (ii) Section [EventSeverity]:
22# To each policy, you can assign a severity (further below).
23# (iii) Section [Log]:
24# To each log facility, you can assign a threshold severity. Only
25# reports with at least the threshold severity will be logged
26# to the respective facility (even further below).
27#####################################################################
28
29#####################################################################
30#
31# Files are defined with: file = /absolute/path
32#
33# Directories are defined with: dir = /absolute/path
34# or with an optional recursion depth (N <= 99): dir = N/absolute/path
35#
36# Directory inodes are checked. If you only want to check files
37# in a directory, but not the directory inode itself, use (e.g.):
38#
39# [ReadOnly]
40# dir = /some/directory
41# [IgnoreAll]
42# file = /some/directory
43#
44# You can use shell-style globbing patterns, like: file = /path/foo*
45#
46######################################################################
47
48[Misc]
49##
50## Add or subtract tests from the policies
51## - if you want to change their definitions,
52## you need to do that before using the policies
53##
54# RedefReadOnly = (no default)
55# RedefAttributes=(no default)
56# RedefLogFiles=(no default)
57# RedefGrowingLogFiles=(no default)
58# RedefIgnoreAll=(no default)
59# RedefIgnoreNone=(no default)
60# RedefUser0=(no default)
61# RedefUser1=(no default)
62
63#
64# --------- / --------------
65#
66
67[ReadOnly]
68dir = 0/
69
70[Attributes]
71file = /
72file = /proc
73file = /entropy
74file = /tmp
75file = /var
76
77#
78# --------- /dev -----------
79#
80
81[Attributes]
82dir = 99/dev
83
84[IgnoreAll]
85file = /dev/ttyp?
86
87[Misc]
88##
89## pseudo terminals are created/removed as needed
90##
91IgnoreAdded = /dev/(p|t)typ.*
92IgnoreMissing = /dev/(p|t)typ.*
93
94
95#
96# --------- /etc -----------
97#
98
99[ReadOnly]
100##
101## for these files, only access time is ignored
102##
103dir = 99/etc
104
105
106#
107# --------- /boot -----------
108#
109
110[ReadOnly]
111dir = 99/boot
112
113#
114# --------- /bin, /sbin -----------
115#
116
117[ReadOnly]
118dir = 99/bin
119dir = 99/sbin
120
121#
122# --------- /lib -----------
123#
124
125[ReadOnly]
126dir = 99/lib
127
128#
129# --------- /libexec -----------
130#
131
132[ReadOnly]
133dir = 99/libexec
134
135#
136# --------- /rescue -----------
137#
138
139[ReadOnly]
140dir = 99/rescue
141
142#
143# --------- /root -----------
144#
145
146[Attributes]
147##
148## for these files, only changes in permissions and ownership are checked
149##
150dir = 99/root
151
152#
153# --------- /stand -----------
154#
155
156[ReadOnly]
157dir = 99/stand
158
159#
160# --------- /usr -----------
161#
162
163[ReadOnly]
164dir = 99/usr
165
166[Attributes]
167dir = /usr/.snap
168dir = /usr/share/man/cat?
169file = /usr/compat/linux/etc
170file = /usr/compat/linux/etc/ld.so.cache
171
172[IgnoreAll]
173dir = -1/usr/home
174
175#
176# --------- /var -----------
177#
178
179[ReadOnly]
180file = /var
181
182[Attributes]
183
184dir = 0/var
185
186[LogFiles]
187##
188## for these files, changes in signature, timestamps, and size are ignored
189##
190
191file=/var/run/utmp
192
193[GrowingLogFiles]
194##
195## For these files, changes in signature, timestamps, and increase in size
196## are ignored. Logfile rotation will cause a report because of shrinking
197## size and different inode.
198##
199dir = 99/var/log
200
201[Attributes]
202#
203# rotated logs will change inode
204#
205file = /var/log/*.[0-9].bz2
206file = /var/log/*.[0-9].log
207file = /var/log/*.[0-9]
208file = /var/log/*.[0-9][0-9]
209file = /var/log/*.old
210
211file = /var/log/sendmail.st
212
213
214[Misc]
215#
216# Various naming schemes for rotated logs
217#
218IgnoreAdded = /var/log/.*\.[0-9]+$
219IgnoreAdded = /var/log/.*\.[0-9]+\.gz$
220IgnoreAdded = /var/log/.*\.[0-9]+\.bz2$
221IgnoreAdded = /var/log/.*\.[0-9]+\.log$
222
223
224[IgnoreNone]
225##
226## for these files, all modifications (even access time) are reported
227## - you may create some interesting-looking file (like /etc/safe_passwd),
228## just to watch whether someone will access it ...
229##
230
231
232
233[User0]
234[User1]
235## User0 and User1 are sections for files/dirs with user-definable checking
236## (see the manual)
237
238[EventSeverity]
239##
240## Here you can assign severities to policy violations.
241## If this severity exceeds the treshold of a log facility (see below),
242## a policy violation will be logged to that facility.
243##
244
245#
246# Severity for verification failures.
247#
248# SeverityReadOnly=crit
249# SeverityLogFiles=crit
250# SeverityGrowingLogs=crit
251# SeverityIgnoreNone=crit
252# SeverityAttributes=crit
253# SeverityUser0=crit
254# SeverityUser1=crit
255
256## We have a file in IgnoreAll that might or might not be present.
257## Setting the severity to 'info' prevents messages about deleted/new file.
258##
259# SeverityIgnoreAll=crit
260SeverityIgnoreAll=info
261
262## Files : file access problems
263# SeverityFiles=crit
264
265## Dirs : directory access problems
266# SeverityDirs=crit
267
268## Names : suspect (non-printable) characters in a pathname
269# SeverityNames=crit
270
271[Log]
272##
273## Switch on/OFF log facilities and set their threshold severity
274##
275## Values: debug, info, notice, warn, mark, err, crit, alert, none.
276## 'mark' is used for timestamps.
277##
278## Use 'none' to SWITCH OFF a log facility
279##
280## By default, everything equal to and above the threshold is logged.
281## The specifiers '*', '!', and '=' are interpreted as
282## 'all', 'all but', and 'only', respectively (like syslogd(8) does,
283## at least on Linux). Examples:
284## MailSeverity=*
285## MailSeverity=!warn
286## MailSeverity==crit
287
288## E-mail
289##
290# MailSeverity=none
291
292## Console
293##
294# PrintSeverity=info
295
296## Logfile
297##
298# LogSeverity=mark
299
300## Syslog
301##
302# SyslogSeverity=none
303
304## Remote server (yule)
305##
306# ExportSeverity=none
307
308## External script or program
309##
310# ExternalSeverity = none
311
312## Logging to a database
313##
314# DatabaseSeverity = none
315
316## Logging to a Prelude-IDS
317##
318# PreludeSeverity = crit
319
320
321#####################################################
322#
323# Optional modules
324#
325#####################################################
326
327# [SuidCheck]
328##
329## --- Check the filesystem for SUID/SGID binaries
330##
331
332## Switch on
333#
334# SuidCheckActive = yes
335
336## Interval for check (seconds)
337#
338# SuidCheckInterval = 7200
339
340## Alternative: crontab-like schedule
341#
342# SuidCheckSchedule = NULL
343
344## Directory to exclude
345#
346# SuidCheckExclude = NULL
347
348## Limit on files per second (0 == no limit)
349#
350# SuidCheckFps = 0
351
352## Alternative: yield after every file
353#
354# SuidCheckYield = no
355
356## Severity of a detection
357#
358# SeveritySuidCheck = crit
359
360## Quarantine SUID/SGID files if found
361#
362# SuidCheckQuarantineFiles = yes
363
364## Method for Quarantining files:
365# 0 - Delete the file.
366# 1 - Remove SUID/SGID permissions from file.
367# 2 - Move SUID/SGID file to quarantine dir.
368#
369# SuidCheckQuarantineMethod = 0
370
371## For method 1 and 3, really delete instead of truncating
372#
373# SuidCheckQuarantineDelete = yes
374
375# [Kernel]
376##
377## --- Check for loadable kernel module rootkits (Linux/FreeBSD only)
378##
379
380## Switch on/off
381#
382# KernelCheckActive = True
383
384## Check interval (seconds); btw., the check is VERY fast
385#
386# KernelCheckInterval = 300
387
388## Severity
389#
390# SeverityKernel = crit
391
392
393# [Utmp]
394##
395## --- Logging of login/logout events
396##
397
398## Switch on/off
399#
400# LoginCheckActive = True
401
402## Severity for logins, multiple logins, logouts
403#
404# SeverityLogin=info
405# SeverityLoginMulti=warn
406# SeverityLogout=info
407
408## Interval for login/logout checks
409#
410# LoginCheckInterval = 300
411
412
413# [Database]
414##
415## --- Logging to a relational database
416##
417
418## Database name
419#
420# SetDBName = samhain
421
422## Database table
423#
424# SetDBTable = log
425
426## Database user
427#
428# SetDBUser = samhain
429
430## Database password
431#
432# SetDBPassword = (default: none)
433
434## Database host
435#
436# SetDBHost = localhost
437
438## Log the server timestamp for received messages
439#
440# SetDBServerTstamp = True
441
442## Use a persistent connection
443#
444# UsePersistent = True
445
446
447# [External]
448##
449## Interface to call external scripts/programs for logging
450##
451
452## The absolute path to the command
453## - Each invocation of this directive will end the definition of the
454## preceding command, and start the definition of
455## an additional, new command
456#
457# OpenCommand = (no default)
458
459## Type (log or srv)
460## - log for log messages, srv for messages received by the server
461#
462# SetType = log
463
464## The command (full command line) to execute
465#
466# SetCommandLine = (no default)
467
468## The environment (KEY=value; repeat for more)
469#
470# SetEnviron = TZ=(your timezone)
471
472## The TIGER192 checksum (optional)
473#
474# SetChecksum = (no default)
475
476## User who runs the command
477#
478# SetCredentials = (default: samhain process uid)
479
480## Words not allowed in message
481#
482# SetFilterNot = (none)
483
484## Words required (ALL of them)
485#
486# SetFilterAnd = (none)
487
488## Words required (at least one)
489#
490# SetFilterOr = (none)
491
492## Deadtime between consecutive calls
493#
494# SetDeadtime = 0
495
496## Add default environment (HOME, PATH, SHELL)
497#
498# SetDefault = no
499
500
501
502#####################################################
503#
504# Miscellaneous configuration options
505#
506#####################################################
507
508[Misc]
509
510## whether to become a daemon process
511## (this is not honoured on database initialisation)
512#
513# Daemon = no
514Daemon = yes
515
516# whether to test signature of files (init/check/none)
517# - if 'none', then we have to decide this on the command line -
518#
519# ChecksumTest = none
520ChecksumTest=check
521
522# Set nice level (-19 to 19, see 'man nice'),
523# and I/O limit (kilobytes per second; 0 == off)
524# to reduce load on host.
525#
526# SetNiceLevel = 0
527# SetIOLimit = 0
528
529## The version string to embed in file signature databases
530#
531# VersionString = NULL
532
533## Interval between time stamp messages
534#
535# SetLoopTime = 60
536SetLoopTime = 600
537
538## Interval between file checks
539#
540# SetFileCheckTime = 600
541SetFileCheckTime = 7200
542
543## Alternative: crontab-like schedule
544#
545# FileCheckScheduleOne = NULL
546
547## Alternative: crontab-like schedule(2)
548#
549# FileCheckScheduleTwo = NULL
550
551## Report only once on modified fles
552## Setting this to 'FALSE' will generate a report for any policy
553## violation (old and new ones) each time the daemon checks the file system.
554#
555# ReportOnlyOnce = True
556
557## Report in full detail
558#
559# ReportFullDetail = False
560
561## Report file timestamps in local time rather than GMT
562#
563# UseLocalTime = No
564
565## The console device (can also be a file or named pipe)
566## - There are two console devices. Accordingly, you can use
567## this directive a second time to set the second console device.
568## If you have not defined the second device at compile time,
569## and you don't want to use it, then:
570## setting it to /dev/null is less effective than just leaving
571## it alone (setting to /dev/null will waste time by opening
572## /dev/null and writing to it)
573#
574# SetConsole = /dev/console
575
576## Activate the SysV IPC message queue
577#
578# MessageQueueActive = False
579
580
581## If false, skip reverse lookup when connecting to a host known
582## by name rather than IP address (i.e. trust the DNS)
583#
584# SetReverseLookup = True
585
586
587## --- E-Mail ---
588
589# Only highest-level (alert) reports will be mailed immediately,
590# others will be queued. Here you can define, when the queue will
591# be flushed (Note: the queue is automatically flushed after
592# completing a file check).
593#
594# SetMailTime = 86400
595
596## Maximum number of mails to queue
597#
598# SetMailNum = 10
599
600## Recipient (max. 8)
601#
602# SetMailAddress=root@localhost
603
604## Mail relay (IP address)
605#
606# SetMailRelay = NULL
607
608## Custom subject format
609#
610# MailSubject = NULL
611
612## --- end E-Mail ---
613
614
615## Path to the executable. If set, will be checksummed after startup
616## and before exit.
617#
618# SamhainPath = (no default)
619
620
621## The IP address of the log server
622#
623# SetLogServer = (default: compiled-in)
624
625## The IP address of the time server
626#
627# SetTimeServer = (default: compiled-in)
628
629## Trusted Users (comma delimited list of user names)
630#
631# TrustedUser = (no default; this adds to the compiled-in list)
632
633## Path to the file signature database
634#
635# SetDatabasePath = (default: compiled-in)
636
637## Path to the log file
638#
639# SetLogfilePath = (default: compiled-in)
640
641## Path to the PID file
642#
643# SetLockPath = (default: compiled-in)
644
645
646## The digest/checksum/hash algorithm
647#
648# DigestAlgo = TIGER192
649
650
651## Custom format for message header.
652## CAREFUL if you use XML logfile format.
653##
654## %S severity
655## %T timestamp
656## %C class
657##
658## %F source file
659## %L source line
660#
661# MessageHeader="%S %T "
662
663
664## Don't log path to config/database file on startup
665#
666# HideSetup = False
667
668## The syslog facility, if you log to syslog
669#
670# SyslogFacility = LOG_AUTHPRIV
671SyslogFacility=LOG_LOCAL2
672
673## The message authentication method
674## - If you change this, you *must* change it
675## on client *and* server
676#
677# MACType = HMAC-TIGER
678
679
680## The Prelude-IDS profile to use for reporting
681## default value is "samhain"
682#
683# PreludeProfile = samhain
684
685## Map these samhain severities to impact severity 'info' severity
686#
687# PreludeMapToInfo =
688
689## Map these samhain severities to impact severity 'low' severity
690#
691# PreludeMapToLow = debug info
692
693## Map these samhain severities to impact severity 'medium' severity
694#
695# PreludeMapToMedium = notice warn err
696
697## Map these samhain severities to impact severity 'high' severity
698#
699# PreludeMapToHigh = crit alert
700
701# everything below is ignored
702[EOF]
703
704#####################################################################
705# This would be the proper syntax for parts that should only be
706# included for certain hosts.
707# You may enclose anything in a @HOSTNAME/@end bracket, as long as the
708# result still has the proper syntax for the config file.
709# You may have any number of @HOSTNAME/@end brackets.
710# HOSTNAME should be the fully qualified 'official' name
711# (e.g. 'nixon.watergate.com', not 'nixon'), no aliases.
712# No IP number - except if samhain cannot determine the
713# fully qualified hostname.
714#
715# @HOSTNAME
716# file=/foo/bar
717# @end
718#
719# These are two examples for conditional inclusion/exclusion
720# of a machine based on the output from 'uname -srm'
721# $Linux:2.*.7:i666
722# file=/foo/bar3
723# $end
724#
725# !$Linux:2.*.7:i686
726# file=/foo/bar2
727# $end
728#
729#####################################################################
Note: See TracBrowser for help on using the repository browser.