source: trunk/samhainrc.linux@ 521

Last change on this file since 521 was 481, checked in by katerina, 9 years ago

Enhancements and fixes for tickets #374, #375, #376, #377, #378, and #379.

File size: 15.3 KB
RevLine 
[1]1#####################################################################
2#
3# Configuration file template for samhain.
4#
5#####################################################################
6#
7# -- empty lines and lines starting with '#', ';' or '//' are ignored
8# -- boolean options can be Yes/No or True/False or 1/0
9# -- you can PGP clearsign this file -- samhain will check (if compiled
10# with support) or otherwise ignore the signature
11# -- CHECK mail address
12#
13# To each log facility, you can assign a threshold severity. Only
14# reports with at least the threshold severity will be logged
15# to the respective facility (even further below).
16#
17#####################################################################
18#
19# SETUP for file system checking:
20#
21# (i) There are several policies, each has its own section. Put files
22# into the section for the appropriate policy (see below).
23# (ii) Section [EventSeverity]:
24# To each policy, you can assign a severity (further below).
25# (iii) Section [Log]:
26# To each log facility, you can assign a threshold severity. Only
27# reports with at least the threshold severity will be logged
28# to the respective facility (even further below).
29#
30#####################################################################
31
32#####################################################################
33#
34# Files are defined with: file = /absolute/path
35#
36# Directories are defined with: dir = /absolute/path
37# or with an optional recursion depth (N <= 99): dir = N/absolute/path
38#
39# Directory inodes are checked. If you only want to check files
40# in a directory, but not the directory inode itself, use (e.g.):
41#
42# [ReadOnly]
43# dir = /some/directory
44# [IgnoreAll]
45# file = /some/directory
46#
47# You can use shell-style globbing patterns, like: file = /path/foo*
48#
49######################################################################
50
51[Misc]
52##
53## Add or subtract tests from the policies
54## - if you want to change their definitions,
55## you need to do that before using the policies
56##
57# RedefReadOnly = (no default)
58# RedefAttributes=(no default)
59# RedefLogFiles=(no default)
60# RedefGrowingLogFiles=(no default)
61# RedefIgnoreAll=(no default)
62# RedefIgnoreNone=(no default)
[7]63
[1]64# RedefUser0=(no default)
65# RedefUser1=(no default)
66
[7]67#
68# --------- / --------------
69#
70
71[ReadOnly]
72dir = 0/
73
[14]74[Attributes]
75file = /tmp
76file = /dev
77file = /media
78file = /proc
79file = /sys
80
[7]81#
82# --------- /etc -----------
83#
84
85[ReadOnly]
86##
87## for these files, only access time is ignored
88##
89dir = 99/etc
90
[1]91[Attributes]
92##
[7]93## check permission and ownership
[1]94##
[7]95file = /etc/mtab
96file = /etc/adjtime
97file = /etc/motd
98file = /etc/lvm/.cache
[1]99
[7]100# On Ubuntu, these are in /var/lib rather than /etc
101file = /etc/cups/certs
102file = /etc/cups/certs/0
103
104# managed by fstab-sync on Fedora Core
105file = /etc/fstab
106
107# modified when booting
108file = /etc/sysconfig/hwconf
109
[1]110# There are files in /etc that might change, thus changing the directory
111# timestamps. Put it here as 'file', and in the ReadOnly section as 'dir'.
112
[7]113file = /etc
[1]114
[7]115#
116# --------- /boot -----------
117#
[1]118
[7]119[ReadOnly]
120dir = 99/boot
[1]121
122#
[7]123# --------- /bin, /sbin -----------
[1]124#
[7]125
126[ReadOnly]
127dir = 99/bin
128dir = 99/sbin
129
[1]130#
[7]131# --------- /lib -----------
[1]132#
[7]133
134[ReadOnly]
135dir = 99/lib
136
[1]137#
[7]138# --------- /dev -----------
[1]139#
140
[7]141[Attributes]
142dir = 99/dev
143
144[IgnoreAll]
[1]145##
[7]146## pseudo terminals are created/removed as needed
[1]147##
[7]148dir = -1/dev/pts
[1]149
[7]150# dir = -1/dev/.udevdb
151
152file = /dev/ppp
153
154#
155# --------- /usr -----------
156#
157
158[ReadOnly]
159dir = 99/usr
160
161#
162# --------- /var -----------
163#
164
165[ReadOnly]
166dir = 99/var
167
[1]168[IgnoreAll]
[7]169dir = -1/var/cache
170dir = -1/var/backups
171dir = -1/var/games
172dir = -1/var/gdm
173dir = -1/var/lock
174dir = -1/var/mail
175dir = -1/var/run
176dir = -1/var/spool
177dir = -1/var/tmp
178dir = -1/var/lib/texmf
[18]179dir = -1/var/lib/scrollkeeper
[7]180
[18]181
[7]182[Attributes]
183
184dir = /var/lib/nfs
185dir = /var/lib/pcmcia
186
187# /var/lib/rpm changes if packets are installed;
188# /var/lib/rpm/__db.00[123] even more frequently
189file = /var/lib/rpm/__db.00?
190
191file = /var/lib/acpi-support/vbestate
192file = /var/lib/alsa/asound.state
193file = /var/lib/apt/lists/lock
194file = /var/lib/apt/lists/partial
195file = /var/lib/cups/certs
196file = /var/lib/cups/certs/0
197file = /var/lib/dpkg/lock
198file = /var/lib/gdm
199file = /var/lib/gdm/.cookie
200file = /var/lib/gdm/.gdmfifo
201file = /var/lib/gdm/:0.Xauth
202file = /var/lib/gdm/:0.Xservers
203file = /var/lib/logrotate/status
204file = /var/lib/mysql
205file = /var/lib/mysql/ib_logfile0
206file = /var/lib/mysql/ibdata1
207file = /var/lib/slocate
208file = /var/lib/slocate/slocate.db
209file = /var/lib/slocate/slocate.db.tmp
210file = /var/lib/urandom
211file = /var/lib/urandom/random-seed
212file = /var/lib/random-seed
213file = /var/lib/xkb
214
215
216[GrowingLogFiles]
[1]217##
[7]218## For these files, changes in signature, timestamps, and increase in size
219## are ignored. Logfile rotation will cause a report because of shrinking
220## size and different inode.
[1]221##
[7]222dir = 99/var/log
[1]223
[7]224[Attributes]
225#
226# rotated logs will change inode
227#
228file = /var/log/*.[0-9].gz
229file = /var/log/*.[0-9].log
230file = /var/log/*.[0-9]
231file = /var/log/*.old
232file = /var/log/*/*.[0-9].gz
[18]233file = /var/log/*/*.[0-9][0-9].gz
[7]234file = /var/log/*/*.log.[0-9]
[1]235
[7]236[Misc]
237#
238# Various naming schemes for rotated logs
239#
240IgnoreAdded = /var/log/.*\.[0-9]+$
241IgnoreAdded = /var/log/.*\.[0-9]+\.gz$
242IgnoreAdded = /var/log/.*\.[0-9]+\.log$
243#
244# Subdirectories
245#
246IgnoreAdded = /var/log/[[:alnum:]]+/.*\.[0-9]+$
247IgnoreAdded = /var/log/[[:alnum:]]+/.*\.[0-9]+\.gz$
248IgnoreAdded = /var/log/[[:alnum:]]+/.*\.[0-9]+\.log$
249#
250IgnoreAdded = /var/lib/slocate/slocate.db.tmp
251IgnoreMissing = /var/lib/slocate/slocate.db.tmp
252
253#
254# --------- other policies -----------
255#
256
[1]257[IgnoreNone]
258##
259## for these files, all modifications (even access time) are reported
260## - you may create some interesting-looking file (like /etc/safe_passwd),
261## just to watch whether someone will access it ...
262##
263
264[Prelink]
265##
266## Use for prelinked files or directories holding them
267##
268
269
270[User0]
271[User1]
272## User0 and User1 are sections for files/dirs with user-definable checking
273## (see the manual)
274
275
[7]276
[1]277[EventSeverity]
278##
279## Here you can assign severities to policy violations.
280## If this severity exceeds the treshold of a log facility (see below),
281## a policy violation will be logged to that facility.
282##
283## Severity for verification failures.
284##
285# SeverityReadOnly=crit
286# SeverityLogFiles=crit
287# SeverityGrowingLogs=crit
288# SeverityIgnoreNone=crit
289# SeverityAttributes=crit
290# SeverityUser0=crit
291# SeverityUser1=crit
292# SeverityIgnoreAll=crit
293
[7]294
[1]295## Files : file access problems
296# SeverityFiles=crit
297
298## Dirs : directory access problems
299# SeverityDirs=crit
300
301## Names : suspect (non-printable) characters in a pathname
302# SeverityNames=crit
303
304[Log]
305##
306## Switch on/OFF log facilities and set their threshold severity
307##
308## Values: debug, info, notice, warn, mark, err, crit, alert, none.
309## 'mark' is used for timestamps.
310##
311##
312## Use 'none' to SWITCH OFF a log facility
313##
314## By default, everything equal to and above the threshold is logged.
315## The specifiers '*', '!', and '=' are interpreted as
316## 'all', 'all but', and 'only', respectively (like syslogd(8) does,
317## at least on Linux). Examples:
318## MailSeverity=*
319## MailSeverity=!warn
320## MailSeverity==crit
321
322## E-mail
323##
324# MailSeverity=none
325
326## Console
327##
328# PrintSeverity=info
329
330## Logfile
331##
332# LogSeverity=mark
333
334## Syslog
335##
336# SyslogSeverity=none
337
338## Remote server (yule)
339##
340# ExportSeverity=none
341
342## External script or program
343##
344# ExternalSeverity = none
345
346## Logging to a database
347##
348# DatabaseSeverity = none
349
350## Logging to a Prelude-IDS
351##
352# PreludeSeverity = crit
353
354
355
356#####################################################
357#
358# Optional modules
359#
360#####################################################
361
362# [SuidCheck]
363##
364## --- Check the filesystem for SUID/SGID binaries
365##
366
367## Switch on
368#
369# SuidCheckActive = yes
370
371## Interval for check (seconds)
372#
373# SuidCheckInterval = 7200
374
375## Alternative: crontab-like schedule
376#
377# SuidCheckSchedule = NULL
378
379## Directory to exclude
380#
381# SuidCheckExclude = NULL
382
383## Limit on files per second (0 == no limit)
384#
385# SuidCheckFps = 0
386
387## Alternative: yield after every file
388#
389# SuidCheckYield = no
390
391## Severity of a detection
392#
393# SeveritySuidCheck = crit
394
395## Quarantine SUID/SGID files if found
396#
397# SuidCheckQuarantineFiles = yes
398
399## Method for Quarantining files:
400# 0 - Delete or truncate the file.
401# 1 - Remove SUID/SGID permissions from file.
402# 2 - Move SUID/SGID file to quarantine dir.
403#
404# SuidCheckQuarantineMethod = 0
405
406## For method 1 and 3, really delete instead of truncating
407#
408# SuidCheckQuarantineDelete = yes
409
410
411# [Utmp]
412##
413## --- Logging of login/logout events
414##
415
416## Switch on/off
417#
418# LoginCheckActive = True
419
420## Severity for logins, multiple logins, logouts
421#
422# SeverityLogin=info
423# SeverityLoginMulti=warn
424# SeverityLogout=info
425
426## Interval for login/logout checks
427#
428# LoginCheckInterval = 300
429
430
431# [Database]
432##
433## --- Logging to a relational database
434##
435
436## Database name
437#
438# SetDBName = samhain
439
440## Database table
441#
442# SetDBTable = log
443
444## Database user
445#
446# SetDBUser = samhain
447
448## Database password
449#
450# SetDBPassword = (default: none)
451
452## Database host
453#
454# SetDBHost = localhost
455
456## Log the server timestamp for received messages
457#
458# SetDBServerTstamp = True
459
460## Use a persistent connection
461#
462# UsePersistent = True
463
464# [External]
465##
466## Interface to call external scripts/programs for logging
467##
468
469## The absolute path to the command
470## - Each invocation of this directive will end the definition of the
471## preceding command, and start the definition of
472## an additional, new command
473#
474# OpenCommand = (no default)
475
476## Type (log or rv)
477## - log for log messages, srv for messages received by the server
478#
479# SetType = log
480
481## The command (full command line) to execute
482#
483# SetCommandLine = (no default)
484
485## The environment (KEY=value; repeat for more)
486#
487# SetEnviron = TZ=(your timezone)
488
489## The TIGER192 checksum (optional)
490#
491# SetChecksum = (no default)
492
493## User who runs the command
494#
495# SetCredentials = (default: samhain process uid)
496
497## Words not allowed in message
498#
499# SetFilterNot = (none)
500
501## Words required (ALL of them)
502#
503# SetFilterAnd = (none)
504
505## Words required (at least one)
506#
507# SetFilterOr = (none)
508
509## Deadtime between consecutive calls
510#
511# SetDeadtime = 0
512
513## Add default environment (HOME, PATH, SHELL)
514#
515# SetDefault = no
516
517
518#####################################################
519#
520# Miscellaneous configuration options
521#
522#####################################################
523
524[Misc]
525
526## whether to become a daemon process
527## (this is not honoured on database initialisation)
528#
529# Daemon = no
530Daemon = yes
531
532## whether to test signature of files (init/check/none)
533## - if 'none', then we have to decide this on the command line -
534#
535# ChecksumTest = none
536ChecksumTest=check
537
538## Set nice level (-19 to 19, see 'man nice'),
539## and I/O limit (kilobytes per second; 0 == off)
540## to reduce load on host.
541#
542# SetNiceLevel = 0
543# SetIOLimit = 0
544
545## The version string to embed in file signature databases
546#
547# VersionString = NULL
548
549## Interval between time stamp messages
550#
551# SetLoopTime = 60
552SetLoopTime = 600
553
554## Interval between file checks
555#
556# SetFileCheckTime = 600
557SetFileCheckTime = 7200
558
559## Alternative: crontab-like schedule
560#
561# FileCheckScheduleOne = NULL
562
563## Alternative: crontab-like schedule(2)
564#
565# FileCheckScheduleTwo = NULL
566
[101]567## Report only once on modified files
[1]568## Setting this to 'FALSE' will generate a report for any policy
569## violation (old and new ones) each time the daemon checks the file system.
570#
571# ReportOnlyOnce = True
572
573## Report in full detail
574#
575# ReportFullDetail = False
576
577## Report file timestamps in local time rather than GMT
578#
579# UseLocalTime = No
580
581## The console device (can also be a file or named pipe)
582## - There are two console devices. Accordingly, you can use
583## this directive a second time to set the second console device.
584## If you have not defined the second device at compile time,
585## and you don't want to use it, then:
586## setting it to /dev/null is less effective than just leaving
587## it alone (setting to /dev/null will waste time by opening
588## /dev/null and writing to it)
589#
590# SetConsole = /dev/console
591
592## Activate the SysV IPC message queue
593#
594# MessageQueueActive = False
595
596
597## If false, skip reverse lookup when connecting to a host known
598## by name rather than IP address (i.e. trust the DNS)
599#
600# SetReverseLookup = True
601
602## --- E-Mail ---
603
604# Only highest-level (alert) reports will be mailed immediately,
605# others will be queued. Here you can define, when the queue will
606# be flushed (Note: the queue is automatically flushed after
607# completing a file check).
608#
609# SetMailTime = 86400
610
611## Maximum number of mails to queue
612#
613# SetMailNum = 10
614
615## Recipient (max. 8)
616#
617# SetMailAddress=root@localhost
618
619## Mail relay (IP address)
620#
621# SetMailRelay = NULL
622
623## Custom subject format
624#
625# MailSubject = NULL
626
627## --- end E-Mail ---
628
629## Path to the prelink executable
630#
631# SetPrelinkPath = /usr/sbin/prelink
632
633## TIGER192 checksum of the prelink executable
634#
635# SetPrelinkChecksum = (no default)
636
637
638## Path to the executable. If set, will be checksummed after startup
639## and before exit.
640#
641# SamhainPath = (no default)
642
643
644## The IP address of the log server
645#
646# SetLogServer = (default: compiled-in)
647
648## The IP address of the time server
649#
650# SetTimeServer = (default: compiled-in)
651
652## Trusted Users (comma delimited list of user names)
653#
654# TrustedUser = (no default; this adds to the compiled-in list)
655
656## Path to the file signature database
657#
658# SetDatabasePath = (default: compiled-in)
659
660## Path to the log file
661#
662# SetLogfilePath = (default: compiled-in)
663
664## Path to the PID file
665#
[387]666# SetLockfilePath = (default: compiled-in)
[1]667
668
669## The digest/checksum/hash algorithm
670#
671# DigestAlgo = TIGER192
672
673
674## Custom format for message header.
675## CAREFUL if you use XML logfile format.
676##
677## %S severity
678## %T timestamp
679## %C class
680##
681## %F source file
682## %L source line
683#
684# MessageHeader="%S %T "
685
686
687## Don't log path to config/database file on startup
688#
689# HideSetup = False
690
691## The syslog facility, if you log to syslog
692#
693# SyslogFacility = LOG_AUTHPRIV
694SyslogFacility=LOG_LOCAL2
695
696## The message authentication method
697## - If you change this, you *must* change it
698## on client *and* server
699#
700# MACType = HMAC-TIGER
701
702
703## The Prelude-IDS profile to use for reporting
704## default value is "samhain"
705#
706# PreludeProfile = samhain
707
708## Map these samhain severities to impact severity 'info' severity
709#
710# PreludeMapToInfo =
711
712## Map these samhain severities to impact severity 'low' severity
713#
714# PreludeMapToLow = debug info
715
716## Map these samhain severities to impact severity 'medium' severity
717#
718# PreludeMapToMedium = notice warn err
719
720## Map these samhain severities to impact severity 'high' severity
721#
722# PreludeMapToHigh = crit alert
723
724
725## everything below is ignored
726[EOF]
727
728#####################################################################
729# This would be the proper syntax for parts that should only be
730# included for certain hosts.
731# You may enclose anything in a @HOSTNAME/@end bracket, as long as the
732# result still has the proper syntax for the config file.
733# You may have any number of @HOSTNAME/@end brackets.
734# HOSTNAME should be the fully qualified 'official' name
735# (e.g. 'nixon.watergate.com', not 'nixon'), no aliases.
736# No IP number - except if samhain cannot determine the
737# fully qualified hostname.
738#
739# @HOSTNAME
740# file=/foo/bar
741# @end
742#
743# These are two examples for conditional inclusion/exclusion
744# of a machine based on the output from 'uname -srm'
745# $Linux:2.*.7:i666
746# file=/foo/bar3
747# $end
748#
749# !$Linux:2.*.7:i686
750# file=/foo/bar2
751# $end
752#
753#####################################################################
Note: See TracBrowser for help on using the repository browser.