[1] | 1 | #####################################################################
|
---|
| 2 | #
|
---|
| 3 | # Configuration file template for samhain.
|
---|
| 4 | #
|
---|
| 5 | #####################################################################
|
---|
| 6 | #
|
---|
| 7 | # -- empty lines and lines starting with '#', ';' or '//' are ignored
|
---|
| 8 | # -- boolean options can be Yes/No or True/False or 1/0
|
---|
| 9 | # -- you can PGP clearsign this file -- samhain will check (if compiled
|
---|
| 10 | # with support) or otherwise ignore the signature
|
---|
| 11 | # -- CHECK mail address
|
---|
| 12 | #
|
---|
| 13 | # To each log facility, you can assign a threshold severity. Only
|
---|
| 14 | # reports with at least the threshold severity will be logged
|
---|
| 15 | # to the respective facility (even further below).
|
---|
| 16 | #
|
---|
| 17 | #####################################################################
|
---|
| 18 | #
|
---|
| 19 | # SETUP for file system checking:
|
---|
| 20 | #
|
---|
| 21 | # (i) There are several policies, each has its own section. Put files
|
---|
| 22 | # into the section for the appropriate policy (see below).
|
---|
| 23 | # (ii) Section [EventSeverity]:
|
---|
| 24 | # To each policy, you can assign a severity (further below).
|
---|
| 25 | # (iii) Section [Log]:
|
---|
| 26 | # To each log facility, you can assign a threshold severity. Only
|
---|
| 27 | # reports with at least the threshold severity will be logged
|
---|
| 28 | # to the respective facility (even further below).
|
---|
| 29 | #
|
---|
| 30 | #####################################################################
|
---|
| 31 |
|
---|
| 32 | #####################################################################
|
---|
| 33 | #
|
---|
| 34 | # Files are defined with: file = /absolute/path
|
---|
| 35 | #
|
---|
| 36 | # Directories are defined with: dir = /absolute/path
|
---|
| 37 | # or with an optional recursion depth (N <= 99): dir = N/absolute/path
|
---|
| 38 | #
|
---|
| 39 | # Directory inodes are checked. If you only want to check files
|
---|
| 40 | # in a directory, but not the directory inode itself, use (e.g.):
|
---|
| 41 | #
|
---|
| 42 | # [ReadOnly]
|
---|
| 43 | # dir = /some/directory
|
---|
| 44 | # [IgnoreAll]
|
---|
| 45 | # file = /some/directory
|
---|
| 46 | #
|
---|
| 47 | # You can use shell-style globbing patterns, like: file = /path/foo*
|
---|
| 48 | #
|
---|
| 49 | ######################################################################
|
---|
| 50 |
|
---|
| 51 | [Misc]
|
---|
| 52 | ##
|
---|
| 53 | ## Add or subtract tests from the policies
|
---|
| 54 | ## - if you want to change their definitions,
|
---|
| 55 | ## you need to do that before using the policies
|
---|
| 56 | ##
|
---|
| 57 | # RedefReadOnly = (no default)
|
---|
| 58 | # RedefAttributes=(no default)
|
---|
| 59 | # RedefLogFiles=(no default)
|
---|
| 60 | # RedefGrowingLogFiles=(no default)
|
---|
| 61 | # RedefIgnoreAll=(no default)
|
---|
| 62 | # RedefIgnoreNone=(no default)
|
---|
[7] | 63 |
|
---|
[1] | 64 | # RedefUser0=(no default)
|
---|
| 65 | # RedefUser1=(no default)
|
---|
| 66 |
|
---|
[7] | 67 | #
|
---|
| 68 | # --------- / --------------
|
---|
| 69 | #
|
---|
| 70 |
|
---|
| 71 | [ReadOnly]
|
---|
| 72 | dir = 0/
|
---|
| 73 |
|
---|
[14] | 74 | [Attributes]
|
---|
| 75 | file = /tmp
|
---|
| 76 | file = /dev
|
---|
| 77 | file = /media
|
---|
| 78 | file = /proc
|
---|
| 79 | file = /sys
|
---|
| 80 |
|
---|
[7] | 81 | #
|
---|
| 82 | # --------- /etc -----------
|
---|
| 83 | #
|
---|
| 84 |
|
---|
| 85 | [ReadOnly]
|
---|
| 86 | ##
|
---|
| 87 | ## for these files, only access time is ignored
|
---|
| 88 | ##
|
---|
| 89 | dir = 99/etc
|
---|
| 90 |
|
---|
[1] | 91 | [Attributes]
|
---|
| 92 | ##
|
---|
[7] | 93 | ## check permission and ownership
|
---|
[1] | 94 | ##
|
---|
[7] | 95 | file = /etc/mtab
|
---|
| 96 | file = /etc/adjtime
|
---|
| 97 | file = /etc/motd
|
---|
| 98 | file = /etc/lvm/.cache
|
---|
[1] | 99 |
|
---|
[7] | 100 | # On Ubuntu, these are in /var/lib rather than /etc
|
---|
| 101 | file = /etc/cups/certs
|
---|
| 102 | file = /etc/cups/certs/0
|
---|
| 103 |
|
---|
| 104 | # managed by fstab-sync on Fedora Core
|
---|
| 105 | file = /etc/fstab
|
---|
| 106 |
|
---|
| 107 | # modified when booting
|
---|
| 108 | file = /etc/sysconfig/hwconf
|
---|
| 109 |
|
---|
[1] | 110 | # There are files in /etc that might change, thus changing the directory
|
---|
| 111 | # timestamps. Put it here as 'file', and in the ReadOnly section as 'dir'.
|
---|
| 112 |
|
---|
[7] | 113 | file = /etc
|
---|
[1] | 114 |
|
---|
[7] | 115 | #
|
---|
| 116 | # --------- /boot -----------
|
---|
| 117 | #
|
---|
[1] | 118 |
|
---|
[7] | 119 | [ReadOnly]
|
---|
| 120 | dir = 99/boot
|
---|
[1] | 121 |
|
---|
| 122 | #
|
---|
[7] | 123 | # --------- /bin, /sbin -----------
|
---|
[1] | 124 | #
|
---|
[7] | 125 |
|
---|
| 126 | [ReadOnly]
|
---|
| 127 | dir = 99/bin
|
---|
| 128 | dir = 99/sbin
|
---|
| 129 |
|
---|
[1] | 130 | #
|
---|
[7] | 131 | # --------- /lib -----------
|
---|
[1] | 132 | #
|
---|
[7] | 133 |
|
---|
| 134 | [ReadOnly]
|
---|
| 135 | dir = 99/lib
|
---|
| 136 |
|
---|
[1] | 137 | #
|
---|
[7] | 138 | # --------- /dev -----------
|
---|
[1] | 139 | #
|
---|
| 140 |
|
---|
[7] | 141 | [Attributes]
|
---|
| 142 | dir = 99/dev
|
---|
| 143 |
|
---|
| 144 | [IgnoreAll]
|
---|
[1] | 145 | ##
|
---|
[7] | 146 | ## pseudo terminals are created/removed as needed
|
---|
[1] | 147 | ##
|
---|
[7] | 148 | dir = -1/dev/pts
|
---|
[1] | 149 |
|
---|
[7] | 150 | # dir = -1/dev/.udevdb
|
---|
| 151 |
|
---|
| 152 | file = /dev/ppp
|
---|
| 153 |
|
---|
| 154 | #
|
---|
| 155 | # --------- /usr -----------
|
---|
| 156 | #
|
---|
| 157 |
|
---|
| 158 | [ReadOnly]
|
---|
| 159 | dir = 99/usr
|
---|
| 160 |
|
---|
| 161 | #
|
---|
| 162 | # --------- /var -----------
|
---|
| 163 | #
|
---|
| 164 |
|
---|
| 165 | [ReadOnly]
|
---|
| 166 | dir = 99/var
|
---|
| 167 |
|
---|
[1] | 168 | [IgnoreAll]
|
---|
[7] | 169 | dir = -1/var/cache
|
---|
| 170 | dir = -1/var/backups
|
---|
| 171 | dir = -1/var/games
|
---|
| 172 | dir = -1/var/gdm
|
---|
| 173 | dir = -1/var/lock
|
---|
| 174 | dir = -1/var/mail
|
---|
| 175 | dir = -1/var/run
|
---|
| 176 | dir = -1/var/spool
|
---|
| 177 | dir = -1/var/tmp
|
---|
| 178 | dir = -1/var/lib/texmf
|
---|
[18] | 179 | dir = -1/var/lib/scrollkeeper
|
---|
[7] | 180 |
|
---|
[18] | 181 |
|
---|
[7] | 182 | [Attributes]
|
---|
| 183 |
|
---|
| 184 | dir = /var/lib/nfs
|
---|
| 185 | dir = /var/lib/pcmcia
|
---|
| 186 |
|
---|
| 187 | # /var/lib/rpm changes if packets are installed;
|
---|
| 188 | # /var/lib/rpm/__db.00[123] even more frequently
|
---|
| 189 | file = /var/lib/rpm/__db.00?
|
---|
| 190 |
|
---|
| 191 | file = /var/lib/acpi-support/vbestate
|
---|
| 192 | file = /var/lib/alsa/asound.state
|
---|
| 193 | file = /var/lib/apt/lists/lock
|
---|
| 194 | file = /var/lib/apt/lists/partial
|
---|
| 195 | file = /var/lib/cups/certs
|
---|
| 196 | file = /var/lib/cups/certs/0
|
---|
| 197 | file = /var/lib/dpkg/lock
|
---|
| 198 | file = /var/lib/gdm
|
---|
| 199 | file = /var/lib/gdm/.cookie
|
---|
| 200 | file = /var/lib/gdm/.gdmfifo
|
---|
| 201 | file = /var/lib/gdm/:0.Xauth
|
---|
| 202 | file = /var/lib/gdm/:0.Xservers
|
---|
| 203 | file = /var/lib/logrotate/status
|
---|
| 204 | file = /var/lib/mysql
|
---|
| 205 | file = /var/lib/mysql/ib_logfile0
|
---|
| 206 | file = /var/lib/mysql/ibdata1
|
---|
| 207 | file = /var/lib/slocate
|
---|
| 208 | file = /var/lib/slocate/slocate.db
|
---|
| 209 | file = /var/lib/slocate/slocate.db.tmp
|
---|
| 210 | file = /var/lib/urandom
|
---|
| 211 | file = /var/lib/urandom/random-seed
|
---|
| 212 | file = /var/lib/random-seed
|
---|
| 213 | file = /var/lib/xkb
|
---|
| 214 |
|
---|
| 215 |
|
---|
| 216 | [GrowingLogFiles]
|
---|
[1] | 217 | ##
|
---|
[7] | 218 | ## For these files, changes in signature, timestamps, and increase in size
|
---|
| 219 | ## are ignored. Logfile rotation will cause a report because of shrinking
|
---|
| 220 | ## size and different inode.
|
---|
[1] | 221 | ##
|
---|
[7] | 222 | dir = 99/var/log
|
---|
[1] | 223 |
|
---|
[7] | 224 | [Attributes]
|
---|
| 225 | #
|
---|
| 226 | # rotated logs will change inode
|
---|
| 227 | #
|
---|
| 228 | file = /var/log/*.[0-9].gz
|
---|
| 229 | file = /var/log/*.[0-9].log
|
---|
| 230 | file = /var/log/*.[0-9]
|
---|
| 231 | file = /var/log/*.old
|
---|
| 232 | file = /var/log/*/*.[0-9].gz
|
---|
[18] | 233 | file = /var/log/*/*.[0-9][0-9].gz
|
---|
[7] | 234 | file = /var/log/*/*.log.[0-9]
|
---|
[1] | 235 |
|
---|
[7] | 236 | [Misc]
|
---|
| 237 | #
|
---|
| 238 | # Various naming schemes for rotated logs
|
---|
| 239 | #
|
---|
| 240 | IgnoreAdded = /var/log/.*\.[0-9]+$
|
---|
| 241 | IgnoreAdded = /var/log/.*\.[0-9]+\.gz$
|
---|
| 242 | IgnoreAdded = /var/log/.*\.[0-9]+\.log$
|
---|
| 243 | #
|
---|
| 244 | # Subdirectories
|
---|
| 245 | #
|
---|
| 246 | IgnoreAdded = /var/log/[[:alnum:]]+/.*\.[0-9]+$
|
---|
| 247 | IgnoreAdded = /var/log/[[:alnum:]]+/.*\.[0-9]+\.gz$
|
---|
| 248 | IgnoreAdded = /var/log/[[:alnum:]]+/.*\.[0-9]+\.log$
|
---|
| 249 | #
|
---|
| 250 | IgnoreAdded = /var/lib/slocate/slocate.db.tmp
|
---|
| 251 | IgnoreMissing = /var/lib/slocate/slocate.db.tmp
|
---|
| 252 |
|
---|
| 253 | #
|
---|
| 254 | # --------- other policies -----------
|
---|
| 255 | #
|
---|
| 256 |
|
---|
[1] | 257 | [IgnoreNone]
|
---|
| 258 | ##
|
---|
| 259 | ## for these files, all modifications (even access time) are reported
|
---|
| 260 | ## - you may create some interesting-looking file (like /etc/safe_passwd),
|
---|
| 261 | ## just to watch whether someone will access it ...
|
---|
| 262 | ##
|
---|
| 263 |
|
---|
| 264 | [Prelink]
|
---|
| 265 | ##
|
---|
| 266 | ## Use for prelinked files or directories holding them
|
---|
| 267 | ##
|
---|
| 268 |
|
---|
| 269 |
|
---|
| 270 | [User0]
|
---|
| 271 | [User1]
|
---|
| 272 | ## User0 and User1 are sections for files/dirs with user-definable checking
|
---|
| 273 | ## (see the manual)
|
---|
| 274 |
|
---|
| 275 |
|
---|
[7] | 276 |
|
---|
[1] | 277 | [EventSeverity]
|
---|
| 278 | ##
|
---|
| 279 | ## Here you can assign severities to policy violations.
|
---|
| 280 | ## If this severity exceeds the treshold of a log facility (see below),
|
---|
| 281 | ## a policy violation will be logged to that facility.
|
---|
| 282 | ##
|
---|
| 283 | ## Severity for verification failures.
|
---|
| 284 | ##
|
---|
| 285 | # SeverityReadOnly=crit
|
---|
| 286 | # SeverityLogFiles=crit
|
---|
| 287 | # SeverityGrowingLogs=crit
|
---|
| 288 | # SeverityIgnoreNone=crit
|
---|
| 289 | # SeverityAttributes=crit
|
---|
| 290 | # SeverityUser0=crit
|
---|
| 291 | # SeverityUser1=crit
|
---|
| 292 | # SeverityIgnoreAll=crit
|
---|
| 293 |
|
---|
[7] | 294 |
|
---|
[1] | 295 | ## Files : file access problems
|
---|
| 296 | # SeverityFiles=crit
|
---|
| 297 |
|
---|
| 298 | ## Dirs : directory access problems
|
---|
| 299 | # SeverityDirs=crit
|
---|
| 300 |
|
---|
| 301 | ## Names : suspect (non-printable) characters in a pathname
|
---|
| 302 | # SeverityNames=crit
|
---|
| 303 |
|
---|
| 304 | [Log]
|
---|
| 305 | ##
|
---|
| 306 | ## Switch on/OFF log facilities and set their threshold severity
|
---|
| 307 | ##
|
---|
| 308 | ## Values: debug, info, notice, warn, mark, err, crit, alert, none.
|
---|
| 309 | ## 'mark' is used for timestamps.
|
---|
| 310 | ##
|
---|
| 311 | ##
|
---|
| 312 | ## Use 'none' to SWITCH OFF a log facility
|
---|
| 313 | ##
|
---|
| 314 | ## By default, everything equal to and above the threshold is logged.
|
---|
| 315 | ## The specifiers '*', '!', and '=' are interpreted as
|
---|
| 316 | ## 'all', 'all but', and 'only', respectively (like syslogd(8) does,
|
---|
| 317 | ## at least on Linux). Examples:
|
---|
| 318 | ## MailSeverity=*
|
---|
| 319 | ## MailSeverity=!warn
|
---|
| 320 | ## MailSeverity==crit
|
---|
| 321 |
|
---|
| 322 | ## E-mail
|
---|
| 323 | ##
|
---|
| 324 | # MailSeverity=none
|
---|
| 325 |
|
---|
| 326 | ## Console
|
---|
| 327 | ##
|
---|
| 328 | # PrintSeverity=info
|
---|
| 329 |
|
---|
| 330 | ## Logfile
|
---|
| 331 | ##
|
---|
| 332 | # LogSeverity=mark
|
---|
| 333 |
|
---|
| 334 | ## Syslog
|
---|
| 335 | ##
|
---|
| 336 | # SyslogSeverity=none
|
---|
| 337 |
|
---|
| 338 | ## Remote server (yule)
|
---|
| 339 | ##
|
---|
| 340 | # ExportSeverity=none
|
---|
| 341 |
|
---|
| 342 | ## External script or program
|
---|
| 343 | ##
|
---|
| 344 | # ExternalSeverity = none
|
---|
| 345 |
|
---|
| 346 | ## Logging to a database
|
---|
| 347 | ##
|
---|
| 348 | # DatabaseSeverity = none
|
---|
| 349 |
|
---|
| 350 | ## Logging to a Prelude-IDS
|
---|
| 351 | ##
|
---|
| 352 | # PreludeSeverity = crit
|
---|
| 353 |
|
---|
| 354 |
|
---|
| 355 |
|
---|
| 356 | #####################################################
|
---|
| 357 | #
|
---|
| 358 | # Optional modules
|
---|
| 359 | #
|
---|
| 360 | #####################################################
|
---|
| 361 |
|
---|
| 362 | # [SuidCheck]
|
---|
| 363 | ##
|
---|
| 364 | ## --- Check the filesystem for SUID/SGID binaries
|
---|
| 365 | ##
|
---|
| 366 |
|
---|
| 367 | ## Switch on
|
---|
| 368 | #
|
---|
| 369 | # SuidCheckActive = yes
|
---|
| 370 |
|
---|
| 371 | ## Interval for check (seconds)
|
---|
| 372 | #
|
---|
| 373 | # SuidCheckInterval = 7200
|
---|
| 374 |
|
---|
| 375 | ## Alternative: crontab-like schedule
|
---|
| 376 | #
|
---|
| 377 | # SuidCheckSchedule = NULL
|
---|
| 378 |
|
---|
| 379 | ## Directory to exclude
|
---|
| 380 | #
|
---|
| 381 | # SuidCheckExclude = NULL
|
---|
| 382 |
|
---|
| 383 | ## Limit on files per second (0 == no limit)
|
---|
| 384 | #
|
---|
| 385 | # SuidCheckFps = 0
|
---|
| 386 |
|
---|
| 387 | ## Alternative: yield after every file
|
---|
| 388 | #
|
---|
| 389 | # SuidCheckYield = no
|
---|
| 390 |
|
---|
| 391 | ## Severity of a detection
|
---|
| 392 | #
|
---|
| 393 | # SeveritySuidCheck = crit
|
---|
| 394 |
|
---|
| 395 | ## Quarantine SUID/SGID files if found
|
---|
| 396 | #
|
---|
| 397 | # SuidCheckQuarantineFiles = yes
|
---|
| 398 |
|
---|
| 399 | ## Method for Quarantining files:
|
---|
| 400 | # 0 - Delete or truncate the file.
|
---|
| 401 | # 1 - Remove SUID/SGID permissions from file.
|
---|
| 402 | # 2 - Move SUID/SGID file to quarantine dir.
|
---|
| 403 | #
|
---|
| 404 | # SuidCheckQuarantineMethod = 0
|
---|
| 405 |
|
---|
| 406 | ## For method 1 and 3, really delete instead of truncating
|
---|
| 407 | #
|
---|
| 408 | # SuidCheckQuarantineDelete = yes
|
---|
| 409 |
|
---|
| 410 | #[Kernel]
|
---|
| 411 | ##
|
---|
| 412 | ## --- Check for loadable kernel module rootkits (Linux/FreeBSD only)
|
---|
| 413 | ##
|
---|
| 414 |
|
---|
| 415 | ## Switch on/off
|
---|
| 416 | #
|
---|
| 417 | # KernelCheckActive = True
|
---|
| 418 |
|
---|
| 419 | ## Check interval (seconds); btw., the check is VERY fast
|
---|
| 420 | #
|
---|
| 421 | # KernelCheckInterval = 300
|
---|
| 422 |
|
---|
| 423 | ## Severity
|
---|
| 424 | #
|
---|
| 425 | # SeverityKernel = crit
|
---|
| 426 |
|
---|
| 427 |
|
---|
| 428 | # [Utmp]
|
---|
| 429 | ##
|
---|
| 430 | ## --- Logging of login/logout events
|
---|
| 431 | ##
|
---|
| 432 |
|
---|
| 433 | ## Switch on/off
|
---|
| 434 | #
|
---|
| 435 | # LoginCheckActive = True
|
---|
| 436 |
|
---|
| 437 | ## Severity for logins, multiple logins, logouts
|
---|
| 438 | #
|
---|
| 439 | # SeverityLogin=info
|
---|
| 440 | # SeverityLoginMulti=warn
|
---|
| 441 | # SeverityLogout=info
|
---|
| 442 |
|
---|
| 443 | ## Interval for login/logout checks
|
---|
| 444 | #
|
---|
| 445 | # LoginCheckInterval = 300
|
---|
| 446 |
|
---|
| 447 |
|
---|
| 448 | # [Database]
|
---|
| 449 | ##
|
---|
| 450 | ## --- Logging to a relational database
|
---|
| 451 | ##
|
---|
| 452 |
|
---|
| 453 | ## Database name
|
---|
| 454 | #
|
---|
| 455 | # SetDBName = samhain
|
---|
| 456 |
|
---|
| 457 | ## Database table
|
---|
| 458 | #
|
---|
| 459 | # SetDBTable = log
|
---|
| 460 |
|
---|
| 461 | ## Database user
|
---|
| 462 | #
|
---|
| 463 | # SetDBUser = samhain
|
---|
| 464 |
|
---|
| 465 | ## Database password
|
---|
| 466 | #
|
---|
| 467 | # SetDBPassword = (default: none)
|
---|
| 468 |
|
---|
| 469 | ## Database host
|
---|
| 470 | #
|
---|
| 471 | # SetDBHost = localhost
|
---|
| 472 |
|
---|
| 473 | ## Log the server timestamp for received messages
|
---|
| 474 | #
|
---|
| 475 | # SetDBServerTstamp = True
|
---|
| 476 |
|
---|
| 477 | ## Use a persistent connection
|
---|
| 478 | #
|
---|
| 479 | # UsePersistent = True
|
---|
| 480 |
|
---|
| 481 | # [External]
|
---|
| 482 | ##
|
---|
| 483 | ## Interface to call external scripts/programs for logging
|
---|
| 484 | ##
|
---|
| 485 |
|
---|
| 486 | ## The absolute path to the command
|
---|
| 487 | ## - Each invocation of this directive will end the definition of the
|
---|
| 488 | ## preceding command, and start the definition of
|
---|
| 489 | ## an additional, new command
|
---|
| 490 | #
|
---|
| 491 | # OpenCommand = (no default)
|
---|
| 492 |
|
---|
| 493 | ## Type (log or rv)
|
---|
| 494 | ## - log for log messages, srv for messages received by the server
|
---|
| 495 | #
|
---|
| 496 | # SetType = log
|
---|
| 497 |
|
---|
| 498 | ## The command (full command line) to execute
|
---|
| 499 | #
|
---|
| 500 | # SetCommandLine = (no default)
|
---|
| 501 |
|
---|
| 502 | ## The environment (KEY=value; repeat for more)
|
---|
| 503 | #
|
---|
| 504 | # SetEnviron = TZ=(your timezone)
|
---|
| 505 |
|
---|
| 506 | ## The TIGER192 checksum (optional)
|
---|
| 507 | #
|
---|
| 508 | # SetChecksum = (no default)
|
---|
| 509 |
|
---|
| 510 | ## User who runs the command
|
---|
| 511 | #
|
---|
| 512 | # SetCredentials = (default: samhain process uid)
|
---|
| 513 |
|
---|
| 514 | ## Words not allowed in message
|
---|
| 515 | #
|
---|
| 516 | # SetFilterNot = (none)
|
---|
| 517 |
|
---|
| 518 | ## Words required (ALL of them)
|
---|
| 519 | #
|
---|
| 520 | # SetFilterAnd = (none)
|
---|
| 521 |
|
---|
| 522 | ## Words required (at least one)
|
---|
| 523 | #
|
---|
| 524 | # SetFilterOr = (none)
|
---|
| 525 |
|
---|
| 526 | ## Deadtime between consecutive calls
|
---|
| 527 | #
|
---|
| 528 | # SetDeadtime = 0
|
---|
| 529 |
|
---|
| 530 | ## Add default environment (HOME, PATH, SHELL)
|
---|
| 531 | #
|
---|
| 532 | # SetDefault = no
|
---|
| 533 |
|
---|
| 534 |
|
---|
| 535 | #####################################################
|
---|
| 536 | #
|
---|
| 537 | # Miscellaneous configuration options
|
---|
| 538 | #
|
---|
| 539 | #####################################################
|
---|
| 540 |
|
---|
| 541 | [Misc]
|
---|
| 542 |
|
---|
| 543 | ## whether to become a daemon process
|
---|
| 544 | ## (this is not honoured on database initialisation)
|
---|
| 545 | #
|
---|
| 546 | # Daemon = no
|
---|
| 547 | Daemon = yes
|
---|
| 548 |
|
---|
| 549 | ## whether to test signature of files (init/check/none)
|
---|
| 550 | ## - if 'none', then we have to decide this on the command line -
|
---|
| 551 | #
|
---|
| 552 | # ChecksumTest = none
|
---|
| 553 | ChecksumTest=check
|
---|
| 554 |
|
---|
| 555 | ## Set nice level (-19 to 19, see 'man nice'),
|
---|
| 556 | ## and I/O limit (kilobytes per second; 0 == off)
|
---|
| 557 | ## to reduce load on host.
|
---|
| 558 | #
|
---|
| 559 | # SetNiceLevel = 0
|
---|
| 560 | # SetIOLimit = 0
|
---|
| 561 |
|
---|
| 562 | ## The version string to embed in file signature databases
|
---|
| 563 | #
|
---|
| 564 | # VersionString = NULL
|
---|
| 565 |
|
---|
| 566 | ## Interval between time stamp messages
|
---|
| 567 | #
|
---|
| 568 | # SetLoopTime = 60
|
---|
| 569 | SetLoopTime = 600
|
---|
| 570 |
|
---|
| 571 | ## Interval between file checks
|
---|
| 572 | #
|
---|
| 573 | # SetFileCheckTime = 600
|
---|
| 574 | SetFileCheckTime = 7200
|
---|
| 575 |
|
---|
| 576 | ## Alternative: crontab-like schedule
|
---|
| 577 | #
|
---|
| 578 | # FileCheckScheduleOne = NULL
|
---|
| 579 |
|
---|
| 580 | ## Alternative: crontab-like schedule(2)
|
---|
| 581 | #
|
---|
| 582 | # FileCheckScheduleTwo = NULL
|
---|
| 583 |
|
---|
[101] | 584 | ## Report only once on modified files
|
---|
[1] | 585 | ## Setting this to 'FALSE' will generate a report for any policy
|
---|
| 586 | ## violation (old and new ones) each time the daemon checks the file system.
|
---|
| 587 | #
|
---|
| 588 | # ReportOnlyOnce = True
|
---|
| 589 |
|
---|
| 590 | ## Report in full detail
|
---|
| 591 | #
|
---|
| 592 | # ReportFullDetail = False
|
---|
| 593 |
|
---|
| 594 | ## Report file timestamps in local time rather than GMT
|
---|
| 595 | #
|
---|
| 596 | # UseLocalTime = No
|
---|
| 597 |
|
---|
| 598 | ## The console device (can also be a file or named pipe)
|
---|
| 599 | ## - There are two console devices. Accordingly, you can use
|
---|
| 600 | ## this directive a second time to set the second console device.
|
---|
| 601 | ## If you have not defined the second device at compile time,
|
---|
| 602 | ## and you don't want to use it, then:
|
---|
| 603 | ## setting it to /dev/null is less effective than just leaving
|
---|
| 604 | ## it alone (setting to /dev/null will waste time by opening
|
---|
| 605 | ## /dev/null and writing to it)
|
---|
| 606 | #
|
---|
| 607 | # SetConsole = /dev/console
|
---|
| 608 |
|
---|
| 609 | ## Activate the SysV IPC message queue
|
---|
| 610 | #
|
---|
| 611 | # MessageQueueActive = False
|
---|
| 612 |
|
---|
| 613 |
|
---|
| 614 | ## If false, skip reverse lookup when connecting to a host known
|
---|
| 615 | ## by name rather than IP address (i.e. trust the DNS)
|
---|
| 616 | #
|
---|
| 617 | # SetReverseLookup = True
|
---|
| 618 |
|
---|
| 619 | ## --- E-Mail ---
|
---|
| 620 |
|
---|
| 621 | # Only highest-level (alert) reports will be mailed immediately,
|
---|
| 622 | # others will be queued. Here you can define, when the queue will
|
---|
| 623 | # be flushed (Note: the queue is automatically flushed after
|
---|
| 624 | # completing a file check).
|
---|
| 625 | #
|
---|
| 626 | # SetMailTime = 86400
|
---|
| 627 |
|
---|
| 628 | ## Maximum number of mails to queue
|
---|
| 629 | #
|
---|
| 630 | # SetMailNum = 10
|
---|
| 631 |
|
---|
| 632 | ## Recipient (max. 8)
|
---|
| 633 | #
|
---|
| 634 | # SetMailAddress=root@localhost
|
---|
| 635 |
|
---|
| 636 | ## Mail relay (IP address)
|
---|
| 637 | #
|
---|
| 638 | # SetMailRelay = NULL
|
---|
| 639 |
|
---|
| 640 | ## Custom subject format
|
---|
| 641 | #
|
---|
| 642 | # MailSubject = NULL
|
---|
| 643 |
|
---|
| 644 | ## --- end E-Mail ---
|
---|
| 645 |
|
---|
| 646 | ## Path to the prelink executable
|
---|
| 647 | #
|
---|
| 648 | # SetPrelinkPath = /usr/sbin/prelink
|
---|
| 649 |
|
---|
| 650 | ## TIGER192 checksum of the prelink executable
|
---|
| 651 | #
|
---|
| 652 | # SetPrelinkChecksum = (no default)
|
---|
| 653 |
|
---|
| 654 |
|
---|
| 655 | ## Path to the executable. If set, will be checksummed after startup
|
---|
| 656 | ## and before exit.
|
---|
| 657 | #
|
---|
| 658 | # SamhainPath = (no default)
|
---|
| 659 |
|
---|
| 660 |
|
---|
| 661 | ## The IP address of the log server
|
---|
| 662 | #
|
---|
| 663 | # SetLogServer = (default: compiled-in)
|
---|
| 664 |
|
---|
| 665 | ## The IP address of the time server
|
---|
| 666 | #
|
---|
| 667 | # SetTimeServer = (default: compiled-in)
|
---|
| 668 |
|
---|
| 669 | ## Trusted Users (comma delimited list of user names)
|
---|
| 670 | #
|
---|
| 671 | # TrustedUser = (no default; this adds to the compiled-in list)
|
---|
| 672 |
|
---|
| 673 | ## Path to the file signature database
|
---|
| 674 | #
|
---|
| 675 | # SetDatabasePath = (default: compiled-in)
|
---|
| 676 |
|
---|
| 677 | ## Path to the log file
|
---|
| 678 | #
|
---|
| 679 | # SetLogfilePath = (default: compiled-in)
|
---|
| 680 |
|
---|
| 681 | ## Path to the PID file
|
---|
| 682 | #
|
---|
| 683 | # SetLockPath = (default: compiled-in)
|
---|
| 684 |
|
---|
| 685 |
|
---|
| 686 | ## The digest/checksum/hash algorithm
|
---|
| 687 | #
|
---|
| 688 | # DigestAlgo = TIGER192
|
---|
| 689 |
|
---|
| 690 |
|
---|
| 691 | ## Custom format for message header.
|
---|
| 692 | ## CAREFUL if you use XML logfile format.
|
---|
| 693 | ##
|
---|
| 694 | ## %S severity
|
---|
| 695 | ## %T timestamp
|
---|
| 696 | ## %C class
|
---|
| 697 | ##
|
---|
| 698 | ## %F source file
|
---|
| 699 | ## %L source line
|
---|
| 700 | #
|
---|
| 701 | # MessageHeader="%S %T "
|
---|
| 702 |
|
---|
| 703 |
|
---|
| 704 | ## Don't log path to config/database file on startup
|
---|
| 705 | #
|
---|
| 706 | # HideSetup = False
|
---|
| 707 |
|
---|
| 708 | ## The syslog facility, if you log to syslog
|
---|
| 709 | #
|
---|
| 710 | # SyslogFacility = LOG_AUTHPRIV
|
---|
| 711 | SyslogFacility=LOG_LOCAL2
|
---|
| 712 |
|
---|
| 713 | ## The message authentication method
|
---|
| 714 | ## - If you change this, you *must* change it
|
---|
| 715 | ## on client *and* server
|
---|
| 716 | #
|
---|
| 717 | # MACType = HMAC-TIGER
|
---|
| 718 |
|
---|
| 719 |
|
---|
| 720 | ## The Prelude-IDS profile to use for reporting
|
---|
| 721 | ## default value is "samhain"
|
---|
| 722 | #
|
---|
| 723 | # PreludeProfile = samhain
|
---|
| 724 |
|
---|
| 725 | ## Map these samhain severities to impact severity 'info' severity
|
---|
| 726 | #
|
---|
| 727 | # PreludeMapToInfo =
|
---|
| 728 |
|
---|
| 729 | ## Map these samhain severities to impact severity 'low' severity
|
---|
| 730 | #
|
---|
| 731 | # PreludeMapToLow = debug info
|
---|
| 732 |
|
---|
| 733 | ## Map these samhain severities to impact severity 'medium' severity
|
---|
| 734 | #
|
---|
| 735 | # PreludeMapToMedium = notice warn err
|
---|
| 736 |
|
---|
| 737 | ## Map these samhain severities to impact severity 'high' severity
|
---|
| 738 | #
|
---|
| 739 | # PreludeMapToHigh = crit alert
|
---|
| 740 |
|
---|
| 741 |
|
---|
| 742 | ## everything below is ignored
|
---|
| 743 | [EOF]
|
---|
| 744 |
|
---|
| 745 | #####################################################################
|
---|
| 746 | # This would be the proper syntax for parts that should only be
|
---|
| 747 | # included for certain hosts.
|
---|
| 748 | # You may enclose anything in a @HOSTNAME/@end bracket, as long as the
|
---|
| 749 | # result still has the proper syntax for the config file.
|
---|
| 750 | # You may have any number of @HOSTNAME/@end brackets.
|
---|
| 751 | # HOSTNAME should be the fully qualified 'official' name
|
---|
| 752 | # (e.g. 'nixon.watergate.com', not 'nixon'), no aliases.
|
---|
| 753 | # No IP number - except if samhain cannot determine the
|
---|
| 754 | # fully qualified hostname.
|
---|
| 755 | #
|
---|
| 756 | # @HOSTNAME
|
---|
| 757 | # file=/foo/bar
|
---|
| 758 | # @end
|
---|
| 759 | #
|
---|
| 760 | # These are two examples for conditional inclusion/exclusion
|
---|
| 761 | # of a machine based on the output from 'uname -srm'
|
---|
| 762 | # $Linux:2.*.7:i666
|
---|
| 763 | # file=/foo/bar3
|
---|
| 764 | # $end
|
---|
| 765 | #
|
---|
| 766 | # !$Linux:2.*.7:i686
|
---|
| 767 | # file=/foo/bar2
|
---|
| 768 | # $end
|
---|
| 769 | #
|
---|
| 770 | #####################################################################
|
---|