source: trunk/samhainrc.linux@ 12

Last change on this file since 12 was 7, checked in by rainer, 19 years ago

update for default linux rc file

1#####################################################################
2#
3# Configuration file template for samhain.
4#
5#####################################################################
6#
7# -- empty lines and lines starting with '#', ';' or '//' are ignored
8# -- boolean options can be Yes/No or True/False or 1/0
9# -- you can PGP clearsign this file -- samhain will check (if compiled
10# with support) or otherwise ignore the signature
11# -- CHECK the mail address (SetMailAddress, in [Misc] below)
12#
13# To each log facility, you can assign a threshold severity. Only
14# reports with at least the threshold severity will be logged
15# to the respective facility (even further below).
16#
17#####################################################################
18#
19# SETUP for file system checking:
20#
21# (i) There are several policies, each has its own section. Put files
22# into the section for the appropriate policy (see below).
23# (ii) Section [EventSeverity]:
24# To each policy, you can assign a severity (further below).
25# (iii) Section [Log]:
26# To each log facility, you can assign a threshold severity. Only
27# reports with at least the threshold severity will be logged
28# to the respective facility (even further below).
29#
30#####################################################################
31
32#####################################################################
33#
34# Files are defined with: file = /absolute/path
35#
36# Directories are defined with: dir = /absolute/path
37# or with an optional recursion depth (N <= 99): dir = N/absolute/path
38#
39# Directory inodes are checked. If you only want to check files
40# in a directory, but not the directory inode itself, use (e.g.):
41#
42# [ReadOnly]
43# dir = /some/directory
44# [IgnoreAll]
45# file = /some/directory
46#
47# You can use shell-style globbing patterns, like: file = /path/foo*
48#
49######################################################################
50
51[Misc]
52##
53## Add or subtract tests from the policies
54## - if you want to change their definitions,
55## you need to do that before using the policies
56##
57# RedefReadOnly = (no default)
58# RedefAttributes=(no default)
59# RedefLogFiles=(no default)
60# RedefGrowingLogFiles=(no default)
61# RedefIgnoreAll=(no default)
62# RedefIgnoreNone=(no default)
63
64# RedefUser0=(no default)
65# RedefUser1=(no default)
66
67#
68# --------- / --------------
69#
70
71[ReadOnly]
72dir = 0/
73
74#
75# --------- /etc -----------
76#
77
78[ReadOnly]
79##
80## for these files, only access time is ignored
81##
82dir = 99/etc
83
84[Attributes]
85##
86## check permission and ownership
87##
88file = /etc/mtab
89file = /etc/adjtime
90file = /etc/motd
91file = /etc/lvm/.cache
92
93# On Ubuntu, these are in /var/lib rather than /etc
94file = /etc/cups/certs
95file = /etc/cups/certs/0
96
97# managed by fstab-sync on Fedora Core
98file = /etc/fstab
99
100# modified when booting
101file = /etc/sysconfig/hwconf
102
103# There are files in /etc that might change, thus changing the directory
104# timestamps. Put it here as 'file', and in the ReadOnly section as 'dir'.
105
106file = /etc
107
108#
109# --------- /boot -----------
110#
111
112[ReadOnly]
113dir = 99/boot
114
115#
116# --------- /bin, /sbin -----------
117#
118
119[ReadOnly]
120dir = 99/bin
121dir = 99/sbin
122
123#
124# --------- /lib -----------
125#
126
127[ReadOnly]
128dir = 99/lib
129
130#
131# --------- /dev -----------
132#
133
134[Attributes]
135dir = 99/dev
136
137[IgnoreAll]
138##
139## pseudo terminals are created/removed as needed
140##
141dir = -1/dev/pts
142
143# dir = -1/dev/.udevdb
144
145file = /dev/ppp
146
147#
148# --------- /usr -----------
149#
150
151[ReadOnly]
152dir = 99/usr
153
154#
155# --------- /var -----------
156#
157
158[ReadOnly]
159dir = 99/var
160
161[IgnoreAll]
162dir = -1/var/cache
163dir = -1/var/backups
164dir = -1/var/games
165dir = -1/var/gdm
166dir = -1/var/lock
167dir = -1/var/mail
168dir = -1/var/run
169dir = -1/var/spool
170dir = -1/var/tmp
171dir = -1/var/lib/texmf
172
173[Attributes]
174
175dir = /var/lib/nfs
176dir = /var/lib/pcmcia
177
178# /var/lib/rpm changes if packages are installed;
179# /var/lib/rpm/__db.00[123] even more frequently
180file = /var/lib/rpm/__db.00?
181
182file = /var/lib/acpi-support/vbestate
183file = /var/lib/alsa/asound.state
184file = /var/lib/apt/lists/lock
185file = /var/lib/apt/lists/partial
186file = /var/lib/cups/certs
187file = /var/lib/cups/certs/0
188file = /var/lib/dpkg/lock
189file = /var/lib/gdm
190file = /var/lib/gdm/.cookie
191file = /var/lib/gdm/.gdmfifo
192file = /var/lib/gdm/:0.Xauth
193file = /var/lib/gdm/:0.Xservers
194file = /var/lib/logrotate/status
195file = /var/lib/mysql
196file = /var/lib/mysql/ib_logfile0
197file = /var/lib/mysql/ibdata1
198file = /var/lib/slocate
199file = /var/lib/slocate/slocate.db
200file = /var/lib/slocate/slocate.db.tmp
201file = /var/lib/urandom
202file = /var/lib/urandom/random-seed
203file = /var/lib/random-seed
204file = /var/lib/xkb
205
206
207[GrowingLogFiles]
208##
209## For these files, changes in signature, timestamps, and increase in size
210## are ignored. Logfile rotation will cause a report because of shrinking
211## size and different inode.
212##
213dir = 99/var/log
214
215[Attributes]
216#
217# rotated logs will change inode
218#
219file = /var/log/*.[0-9].gz
220file = /var/log/*.[0-9].log
221file = /var/log/*.[0-9]
222file = /var/log/*.old
223file = /var/log/*/*.[0-9].gz
224file = /var/log/*/*.log.[0-9]
225
226[Misc]
227#
228# Various naming schemes for rotated logs
229#
230IgnoreAdded = /var/log/.*\.[0-9]+$
231IgnoreAdded = /var/log/.*\.[0-9]+\.gz$
232IgnoreAdded = /var/log/.*\.[0-9]+\.log$
233#
234# Subdirectories
235#
236IgnoreAdded = /var/log/[[:alnum:]]+/.*\.[0-9]+$
237IgnoreAdded = /var/log/[[:alnum:]]+/.*\.[0-9]+\.gz$
238IgnoreAdded = /var/log/[[:alnum:]]+/.*\.[0-9]+\.log$
239#
240IgnoreAdded = /var/lib/slocate/slocate.db.tmp
241IgnoreMissing = /var/lib/slocate/slocate.db.tmp
242
243#
244# --------- other policies -----------
245#
246
247[IgnoreNone]
248##
249## for these files, all modifications (even access time) are reported
250## - you may create some interesting-looking file (like /etc/safe_passwd),
251## just to watch whether someone will access it ...
252##
253
254[Prelink]
255##
256## Use for prelinked files or directories holding them
257##
258
259
260[User0]
261[User1]
262## User0 and User1 are sections for files/dirs with user-definable checking
263## (see the manual)
264
265
266
267[EventSeverity]
268##
269## Here you can assign severities to policy violations.
270## If this severity exceeds the threshold of a log facility (see below),
271## a policy violation will be logged to that facility.
272##
273## Severity for verification failures.
274##
275# SeverityReadOnly=crit
276# SeverityLogFiles=crit
277# SeverityGrowingLogs=crit
278# SeverityIgnoreNone=crit
279# SeverityAttributes=crit
280# SeverityUser0=crit
281# SeverityUser1=crit
282# SeverityIgnoreAll=crit
283
284
285## Files : file access problems
286# SeverityFiles=crit
287
288## Dirs : directory access problems
289# SeverityDirs=crit
290
291## Names : suspect (non-printable) characters in a pathname
292# SeverityNames=crit
293
294[Log]
295##
296## Switch on/OFF log facilities and set their threshold severity
297##
298## Values: debug, info, notice, warn, mark, err, crit, alert, none.
299## 'mark' is used for timestamps.
300##
301##
302## Use 'none' to SWITCH OFF a log facility
303##
304## By default, everything equal to and above the threshold is logged.
305## The specifiers '*', '!', and '=' are interpreted as
306## 'all', 'all but', and 'only', respectively (like syslogd(8) does,
307## at least on Linux). Examples:
308## MailSeverity=*
309## MailSeverity=!warn
310## MailSeverity==crit
311
312## E-mail
313##
314# MailSeverity=none
315
316## Console
317##
318# PrintSeverity=info
319
320## Logfile
321##
322# LogSeverity=mark
323
324## Syslog
325##
326# SyslogSeverity=none
327
328## Remote server (yule)
329##
330# ExportSeverity=none
331
332## External script or program
333##
334# ExternalSeverity = none
335
336## Logging to a database
337##
338# DatabaseSeverity = none
339
340## Logging to a Prelude-IDS
341##
342# PreludeSeverity = crit
343
344
345
346#####################################################
347#
348# Optional modules
349#
350#####################################################
351
352# [SuidCheck]
353##
354## --- Check the filesystem for SUID/SGID binaries
355##
356
357## Switch on
358#
359# SuidCheckActive = yes
360
361## Interval for check (seconds)
362#
363# SuidCheckInterval = 7200
364
365## Alternative: crontab-like schedule
366#
367# SuidCheckSchedule = NULL
368
369## Directory to exclude
370#
371# SuidCheckExclude = NULL
372
373## Limit on files per second (0 == no limit)
374#
375# SuidCheckFps = 0
376
377## Alternative: yield after every file
378#
379# SuidCheckYield = no
380
381## Severity of a detection
382#
383# SeveritySuidCheck = crit
384
385## Quarantine SUID/SGID files if found
386#
387# SuidCheckQuarantineFiles = yes
388
389## Method for Quarantining files:
390# 0 - Delete or truncate the file.
391# 1 - Remove SUID/SGID permissions from file.
392# 2 - Move SUID/SGID file to quarantine dir.
393#
394# SuidCheckQuarantineMethod = 0
395
396## For method 1 and 3, really delete instead of truncating
397#
398# SuidCheckQuarantineDelete = yes
399
400#[Kernel]
401##
402## --- Check for loadable kernel module rootkits (Linux/FreeBSD only)
403##
404
405## Switch on/off
406#
407# KernelCheckActive = True
408
409## Check interval (seconds); btw., the check is VERY fast
410#
411# KernelCheckInterval = 300
412
413## Severity
414#
415# SeverityKernel = crit
416
417
418# [Utmp]
419##
420## --- Logging of login/logout events
421##
422
423## Switch on/off
424#
425# LoginCheckActive = True
426
427## Severity for logins, multiple logins, logouts
428#
429# SeverityLogin=info
430# SeverityLoginMulti=warn
431# SeverityLogout=info
432
433## Interval for login/logout checks
434#
435# LoginCheckInterval = 300
436
437
438# [Database]
439##
440## --- Logging to a relational database
441##
442
443## Database name
444#
445# SetDBName = samhain
446
447## Database table
448#
449# SetDBTable = log
450
451## Database user
452#
453# SetDBUser = samhain
454
455## Database password (stored here in clear text; restrict read access to this file)
456#
457# SetDBPassword = (default: none)
458
459## Database host
460#
461# SetDBHost = localhost
462
463## Log the server timestamp for received messages
464#
465# SetDBServerTstamp = True
466
467## Use a persistent connection
468#
469# UsePersistent = True
470
471# [External]
472##
473## Interface to call external scripts/programs for logging
474##
475
476## The absolute path to the command
477## - Each invocation of this directive will end the definition of the
478## preceding command, and start the definition of
479## an additional, new command
480#
481# OpenCommand = (no default)
482
483## Type (log or srv)
484## - log for log messages, srv for messages received by the server
485#
486# SetType = log
487
488## The command (full command line) to execute
489#
490# SetCommandLine = (no default)
491
492## The environment (KEY=value; repeat for more)
493#
494# SetEnviron = TZ=(your timezone)
495
496## The TIGER192 checksum (optional)
497#
498# SetChecksum = (no default)
499
500## User who runs the command
501#
502# SetCredentials = (default: samhain process uid)
503
504## Words not allowed in message
505#
506# SetFilterNot = (none)
507
508## Words required (ALL of them)
509#
510# SetFilterAnd = (none)
511
512## Words required (at least one)
513#
514# SetFilterOr = (none)
515
516## Deadtime between consecutive calls
517#
518# SetDeadtime = 0
519
520## Add default environment (HOME, PATH, SHELL)
521#
522# SetDefault = no
523
524
525#####################################################
526#
527# Miscellaneous configuration options
528#
529#####################################################
530
531[Misc]
532
533## whether to become a daemon process
534## (this is not honoured on database initialisation)
535#
536# Daemon = no
537Daemon = yes
538
539## whether to test signature of files (init/check/none)
540## - if 'none', then we have to decide this on the command line -
541#
542# ChecksumTest = none
543ChecksumTest=check
544
545## Set nice level (-19 to 19, see 'man nice'),
546## and I/O limit (kilobytes per second; 0 == off)
547## to reduce load on host.
548#
549# SetNiceLevel = 0
550# SetIOLimit = 0
551
552## The version string to embed in file signature databases
553#
554# VersionString = NULL
555
556## Interval between time stamp messages
557#
558# SetLoopTime = 60
559SetLoopTime = 600
560
561## Interval between file checks
562#
563# SetFileCheckTime = 600
564SetFileCheckTime = 7200
565
566## Alternative: crontab-like schedule
567#
568# FileCheckScheduleOne = NULL
569
570## Alternative: crontab-like schedule(2)
571#
572# FileCheckScheduleTwo = NULL
573
574## Report only once on modified files
575## Setting this to 'FALSE' will generate a report for any policy
576## violation (old and new ones) each time the daemon checks the file system.
577#
578# ReportOnlyOnce = True
579
580## Report in full detail
581#
582# ReportFullDetail = False
583
584## Report file timestamps in local time rather than GMT
585#
586# UseLocalTime = No
587
588## The console device (can also be a file or named pipe)
589## - There are two console devices. Accordingly, you can use
590## this directive a second time to set the second console device.
591## If you have not defined the second device at compile time,
592## and you don't want to use it, then:
593## setting it to /dev/null is less effective than just leaving
594## it alone (setting to /dev/null will waste time by opening
595## /dev/null and writing to it)
596#
597# SetConsole = /dev/console
598
599## Activate the SysV IPC message queue
600#
601# MessageQueueActive = False
602
603
604## If false, skip reverse lookup when connecting to a host known
605## by name rather than IP address (i.e. trust the DNS)
606#
607# SetReverseLookup = True
608
609## --- E-Mail ---
610
611# Only highest-level (alert) reports will be mailed immediately,
612# others will be queued. Here you can define when the queue will
613# be flushed (Note: the queue is automatically flushed after
614# completing a file check).
615#
616# SetMailTime = 86400
617
618## Maximum number of mails to queue
619#
620# SetMailNum = 10
621
622## Recipient (max. 8)
623#
624# SetMailAddress=root@localhost
625
626## Mail relay (IP address)
627#
628# SetMailRelay = NULL
629
630## Custom subject format
631#
632# MailSubject = NULL
633
634## --- end E-Mail ---
635
636## Path to the prelink executable
637#
638# SetPrelinkPath = /usr/sbin/prelink
639
640## TIGER192 checksum of the prelink executable
641#
642# SetPrelinkChecksum = (no default)
643
644
645## Path to the executable. If set, will be checksummed after startup
646## and before exit.
647#
648# SamhainPath = (no default)
649
650
651## The IP address of the log server
652#
653# SetLogServer = (default: compiled-in)
654
655## The IP address of the time server
656#
657# SetTimeServer = (default: compiled-in)
658
659## Trusted Users (comma delimited list of user names)
660#
661# TrustedUser = (no default; this adds to the compiled-in list)
662
663## Path to the file signature database
664#
665# SetDatabasePath = (default: compiled-in)
666
667## Path to the log file
668#
669# SetLogfilePath = (default: compiled-in)
670
671## Path to the PID file
672#
673# SetLockPath = (default: compiled-in)
674
675
676## The digest/checksum/hash algorithm
677#
678# DigestAlgo = TIGER192
679
680
681## Custom format for message header.
682## CAREFUL if you use XML logfile format.
683##
684## %S severity
685## %T timestamp
686## %C class
687##
688## %F source file
689## %L source line
690#
691# MessageHeader="%S %T "
692
693
694## Don't log path to config/database file on startup
695#
696# HideSetup = False
697
698## The syslog facility, if you log to syslog
699#
700# SyslogFacility = LOG_AUTHPRIV
701SyslogFacility=LOG_LOCAL2
702
703## The message authentication method
704## - If you change this, you *must* change it
705## on client *and* server
706#
707# MACType = HMAC-TIGER
708
709
710## The Prelude-IDS profile to use for reporting
711## default value is "samhain"
712#
713# PreludeProfile = samhain
714
715## Map these samhain severities to the impact severity 'info'
716#
717# PreludeMapToInfo =
718
719## Map these samhain severities to the impact severity 'low'
720#
721# PreludeMapToLow = debug info
722
723## Map these samhain severities to the impact severity 'medium'
724#
725# PreludeMapToMedium = notice warn err
726
727## Map these samhain severities to the impact severity 'high'
728#
729# PreludeMapToHigh = crit alert
730
731
732## everything below is ignored
733[EOF]
734
735#####################################################################
736# This would be the proper syntax for parts that should only be
737# included for certain hosts.
738# You may enclose anything in a @HOSTNAME/@end bracket, as long as the
739# result still has the proper syntax for the config file.
740# You may have any number of @HOSTNAME/@end brackets.
741# HOSTNAME should be the fully qualified 'official' name
742# (e.g. 'nixon.watergate.com', not 'nixon'), no aliases.
743# No IP number - except if samhain cannot determine the
744# fully qualified hostname.
745#
746# @HOSTNAME
747# file=/foo/bar
748# @end
749#
750# These are two examples for conditional inclusion/exclusion
751# of a machine based on the output from 'uname -srm'
752# $Linux:2.*.7:i666
753# file=/foo/bar3
754# $end
755#
756# !$Linux:2.*.7:i686
757# file=/foo/bar2
758# $end
759#
760#####################################################################