source: trunk/samhainrc.linux@ 250

Last change on this file since 250 was 101, checked in by rainer, 18 years ago

Fix compile bug with --with-kcheck

File size: 15.5 KB
Line 
1#####################################################################
2#
3# Configuration file template for samhain.
4#
5#####################################################################
6#
7# -- empty lines and lines starting with '#', ';' or '//' are ignored
8# -- boolean options can be Yes/No or True/False or 1/0
9# -- you can PGP clearsign this file -- samhain will check (if compiled
10# with support) or otherwise ignore the signature
11# -- CHECK mail address
12#
13# To each log facility, you can assign a threshold severity. Only
14# reports with at least the threshold severity will be logged
15# to the respective facility (even further below).
16#
17#####################################################################
18#
19# SETUP for file system checking:
20#
21# (i) There are several policies, each has its own section. Put files
22# into the section for the appropriate policy (see below).
23# (ii) Section [EventSeverity]:
24# To each policy, you can assign a severity (further below).
25# (iii) Section [Log]:
26# To each log facility, you can assign a threshold severity. Only
27# reports with at least the threshold severity will be logged
28# to the respective facility (even further below).
29#
30#####################################################################
31
32#####################################################################
33#
34# Files are defined with: file = /absolute/path
35#
36# Directories are defined with: dir = /absolute/path
37# or with an optional recursion depth (N <= 99): dir = N/absolute/path
38#
39# Directory inodes are checked. If you only want to check files
40# in a directory, but not the directory inode itself, use (e.g.):
41#
42# [ReadOnly]
43# dir = /some/directory
44# [IgnoreAll]
45# file = /some/directory
46#
47# You can use shell-style globbing patterns, like: file = /path/foo*
48#
49######################################################################
50
51[Misc]
52##
53## Add or subtract tests from the policies
54## - if you want to change their definitions,
55## you need to do that before using the policies
56##
57# RedefReadOnly = (no default)
58# RedefAttributes=(no default)
59# RedefLogFiles=(no default)
60# RedefGrowingLogFiles=(no default)
61# RedefIgnoreAll=(no default)
62# RedefIgnoreNone=(no default)
63
64# RedefUser0=(no default)
65# RedefUser1=(no default)
66
67#
68# --------- / --------------
69#
70
71[ReadOnly]
72dir = 0/
73
74[Attributes]
75file = /tmp
76file = /dev
77file = /media
78file = /proc
79file = /sys
80
81#
82# --------- /etc -----------
83#
84
85[ReadOnly]
86##
87## for these files, only access time is ignored
88##
89dir = 99/etc
90
91[Attributes]
92##
93## check permission and ownership
94##
95file = /etc/mtab
96file = /etc/adjtime
97file = /etc/motd
98file = /etc/lvm/.cache
99
100# On Ubuntu, these are in /var/lib rather than /etc
101file = /etc/cups/certs
102file = /etc/cups/certs/0
103
104# managed by fstab-sync on Fedora Core
105file = /etc/fstab
106
107# modified when booting
108file = /etc/sysconfig/hwconf
109
110# There are files in /etc that might change, thus changing the directory
111# timestamps. Put it here as 'file', and in the ReadOnly section as 'dir'.
112
113file = /etc
114
115#
116# --------- /boot -----------
117#
118
119[ReadOnly]
120dir = 99/boot
121
122#
123# --------- /bin, /sbin -----------
124#
125
126[ReadOnly]
127dir = 99/bin
128dir = 99/sbin
129
130#
131# --------- /lib -----------
132#
133
134[ReadOnly]
135dir = 99/lib
136
137#
138# --------- /dev -----------
139#
140
141[Attributes]
142dir = 99/dev
143
144[IgnoreAll]
145##
146## pseudo terminals are created/removed as needed
147##
148dir = -1/dev/pts
149
150# dir = -1/dev/.udevdb
151
152file = /dev/ppp
153
154#
155# --------- /usr -----------
156#
157
158[ReadOnly]
159dir = 99/usr
160
161#
162# --------- /var -----------
163#
164
165[ReadOnly]
166dir = 99/var
167
168[IgnoreAll]
169dir = -1/var/cache
170dir = -1/var/backups
171dir = -1/var/games
172dir = -1/var/gdm
173dir = -1/var/lock
174dir = -1/var/mail
175dir = -1/var/run
176dir = -1/var/spool
177dir = -1/var/tmp
178dir = -1/var/lib/texmf
179dir = -1/var/lib/scrollkeeper
180
181
182[Attributes]
183
184dir = /var/lib/nfs
185dir = /var/lib/pcmcia
186
187# /var/lib/rpm changes if packets are installed;
188# /var/lib/rpm/__db.00[123] even more frequently
189file = /var/lib/rpm/__db.00?
190
191file = /var/lib/acpi-support/vbestate
192file = /var/lib/alsa/asound.state
193file = /var/lib/apt/lists/lock
194file = /var/lib/apt/lists/partial
195file = /var/lib/cups/certs
196file = /var/lib/cups/certs/0
197file = /var/lib/dpkg/lock
198file = /var/lib/gdm
199file = /var/lib/gdm/.cookie
200file = /var/lib/gdm/.gdmfifo
201file = /var/lib/gdm/:0.Xauth
202file = /var/lib/gdm/:0.Xservers
203file = /var/lib/logrotate/status
204file = /var/lib/mysql
205file = /var/lib/mysql/ib_logfile0
206file = /var/lib/mysql/ibdata1
207file = /var/lib/slocate
208file = /var/lib/slocate/slocate.db
209file = /var/lib/slocate/slocate.db.tmp
210file = /var/lib/urandom
211file = /var/lib/urandom/random-seed
212file = /var/lib/random-seed
213file = /var/lib/xkb
214
215
216[GrowingLogFiles]
217##
218## For these files, changes in signature, timestamps, and increase in size
219## are ignored. Logfile rotation will cause a report because of shrinking
220## size and different inode.
221##
222dir = 99/var/log
223
224[Attributes]
225#
226# rotated logs will change inode
227#
228file = /var/log/*.[0-9].gz
229file = /var/log/*.[0-9].log
230file = /var/log/*.[0-9]
231file = /var/log/*.old
232file = /var/log/*/*.[0-9].gz
233file = /var/log/*/*.[0-9][0-9].gz
234file = /var/log/*/*.log.[0-9]
235
236[Misc]
237#
238# Various naming schemes for rotated logs
239#
240IgnoreAdded = /var/log/.*\.[0-9]+$
241IgnoreAdded = /var/log/.*\.[0-9]+\.gz$
242IgnoreAdded = /var/log/.*\.[0-9]+\.log$
243#
244# Subdirectories
245#
246IgnoreAdded = /var/log/[[:alnum:]]+/.*\.[0-9]+$
247IgnoreAdded = /var/log/[[:alnum:]]+/.*\.[0-9]+\.gz$
248IgnoreAdded = /var/log/[[:alnum:]]+/.*\.[0-9]+\.log$
249#
250IgnoreAdded = /var/lib/slocate/slocate.db.tmp
251IgnoreMissing = /var/lib/slocate/slocate.db.tmp
252
253#
254# --------- other policies -----------
255#
256
257[IgnoreNone]
258##
259## for these files, all modifications (even access time) are reported
260## - you may create some interesting-looking file (like /etc/safe_passwd),
261## just to watch whether someone will access it ...
262##
263
264[Prelink]
265##
266## Use for prelinked files or directories holding them
267##
268
269
270[User0]
271[User1]
272## User0 and User1 are sections for files/dirs with user-definable checking
273## (see the manual)
274
275
276
277[EventSeverity]
278##
279## Here you can assign severities to policy violations.
280## If this severity exceeds the treshold of a log facility (see below),
281## a policy violation will be logged to that facility.
282##
283## Severity for verification failures.
284##
285# SeverityReadOnly=crit
286# SeverityLogFiles=crit
287# SeverityGrowingLogs=crit
288# SeverityIgnoreNone=crit
289# SeverityAttributes=crit
290# SeverityUser0=crit
291# SeverityUser1=crit
292# SeverityIgnoreAll=crit
293
294
295## Files : file access problems
296# SeverityFiles=crit
297
298## Dirs : directory access problems
299# SeverityDirs=crit
300
301## Names : suspect (non-printable) characters in a pathname
302# SeverityNames=crit
303
304[Log]
305##
306## Switch on/OFF log facilities and set their threshold severity
307##
308## Values: debug, info, notice, warn, mark, err, crit, alert, none.
309## 'mark' is used for timestamps.
310##
311##
312## Use 'none' to SWITCH OFF a log facility
313##
314## By default, everything equal to and above the threshold is logged.
315## The specifiers '*', '!', and '=' are interpreted as
316## 'all', 'all but', and 'only', respectively (like syslogd(8) does,
317## at least on Linux). Examples:
318## MailSeverity=*
319## MailSeverity=!warn
320## MailSeverity==crit
321
322## E-mail
323##
324# MailSeverity=none
325
326## Console
327##
328# PrintSeverity=info
329
330## Logfile
331##
332# LogSeverity=mark
333
334## Syslog
335##
336# SyslogSeverity=none
337
338## Remote server (yule)
339##
340# ExportSeverity=none
341
342## External script or program
343##
344# ExternalSeverity = none
345
346## Logging to a database
347##
348# DatabaseSeverity = none
349
350## Logging to a Prelude-IDS
351##
352# PreludeSeverity = crit
353
354
355
356#####################################################
357#
358# Optional modules
359#
360#####################################################
361
362# [SuidCheck]
363##
364## --- Check the filesystem for SUID/SGID binaries
365##
366
367## Switch on
368#
369# SuidCheckActive = yes
370
371## Interval for check (seconds)
372#
373# SuidCheckInterval = 7200
374
375## Alternative: crontab-like schedule
376#
377# SuidCheckSchedule = NULL
378
379## Directory to exclude
380#
381# SuidCheckExclude = NULL
382
383## Limit on files per second (0 == no limit)
384#
385# SuidCheckFps = 0
386
387## Alternative: yield after every file
388#
389# SuidCheckYield = no
390
391## Severity of a detection
392#
393# SeveritySuidCheck = crit
394
395## Quarantine SUID/SGID files if found
396#
397# SuidCheckQuarantineFiles = yes
398
399## Method for Quarantining files:
400# 0 - Delete or truncate the file.
401# 1 - Remove SUID/SGID permissions from file.
402# 2 - Move SUID/SGID file to quarantine dir.
403#
404# SuidCheckQuarantineMethod = 0
405
406## For method 1 and 3, really delete instead of truncating
407#
408# SuidCheckQuarantineDelete = yes
409
410#[Kernel]
411##
412## --- Check for loadable kernel module rootkits (Linux/FreeBSD only)
413##
414
415## Switch on/off
416#
417# KernelCheckActive = True
418
419## Check interval (seconds); btw., the check is VERY fast
420#
421# KernelCheckInterval = 300
422
423## Severity
424#
425# SeverityKernel = crit
426
427
428# [Utmp]
429##
430## --- Logging of login/logout events
431##
432
433## Switch on/off
434#
435# LoginCheckActive = True
436
437## Severity for logins, multiple logins, logouts
438#
439# SeverityLogin=info
440# SeverityLoginMulti=warn
441# SeverityLogout=info
442
443## Interval for login/logout checks
444#
445# LoginCheckInterval = 300
446
447
448# [Database]
449##
450## --- Logging to a relational database
451##
452
453## Database name
454#
455# SetDBName = samhain
456
457## Database table
458#
459# SetDBTable = log
460
461## Database user
462#
463# SetDBUser = samhain
464
465## Database password
466#
467# SetDBPassword = (default: none)
468
469## Database host
470#
471# SetDBHost = localhost
472
473## Log the server timestamp for received messages
474#
475# SetDBServerTstamp = True
476
477## Use a persistent connection
478#
479# UsePersistent = True
480
481# [External]
482##
483## Interface to call external scripts/programs for logging
484##
485
486## The absolute path to the command
487## - Each invocation of this directive will end the definition of the
488## preceding command, and start the definition of
489## an additional, new command
490#
491# OpenCommand = (no default)
492
493## Type (log or rv)
494## - log for log messages, srv for messages received by the server
495#
496# SetType = log
497
498## The command (full command line) to execute
499#
500# SetCommandLine = (no default)
501
502## The environment (KEY=value; repeat for more)
503#
504# SetEnviron = TZ=(your timezone)
505
506## The TIGER192 checksum (optional)
507#
508# SetChecksum = (no default)
509
510## User who runs the command
511#
512# SetCredentials = (default: samhain process uid)
513
514## Words not allowed in message
515#
516# SetFilterNot = (none)
517
518## Words required (ALL of them)
519#
520# SetFilterAnd = (none)
521
522## Words required (at least one)
523#
524# SetFilterOr = (none)
525
526## Deadtime between consecutive calls
527#
528# SetDeadtime = 0
529
530## Add default environment (HOME, PATH, SHELL)
531#
532# SetDefault = no
533
534
535#####################################################
536#
537# Miscellaneous configuration options
538#
539#####################################################
540
541[Misc]
542
543## whether to become a daemon process
544## (this is not honoured on database initialisation)
545#
546# Daemon = no
547Daemon = yes
548
549## whether to test signature of files (init/check/none)
550## - if 'none', then we have to decide this on the command line -
551#
552# ChecksumTest = none
553ChecksumTest=check
554
555## Set nice level (-19 to 19, see 'man nice'),
556## and I/O limit (kilobytes per second; 0 == off)
557## to reduce load on host.
558#
559# SetNiceLevel = 0
560# SetIOLimit = 0
561
562## The version string to embed in file signature databases
563#
564# VersionString = NULL
565
566## Interval between time stamp messages
567#
568# SetLoopTime = 60
569SetLoopTime = 600
570
571## Interval between file checks
572#
573# SetFileCheckTime = 600
574SetFileCheckTime = 7200
575
576## Alternative: crontab-like schedule
577#
578# FileCheckScheduleOne = NULL
579
580## Alternative: crontab-like schedule(2)
581#
582# FileCheckScheduleTwo = NULL
583
584## Report only once on modified files
585## Setting this to 'FALSE' will generate a report for any policy
586## violation (old and new ones) each time the daemon checks the file system.
587#
588# ReportOnlyOnce = True
589
590## Report in full detail
591#
592# ReportFullDetail = False
593
594## Report file timestamps in local time rather than GMT
595#
596# UseLocalTime = No
597
598## The console device (can also be a file or named pipe)
599## - There are two console devices. Accordingly, you can use
600## this directive a second time to set the second console device.
601## If you have not defined the second device at compile time,
602## and you don't want to use it, then:
603## setting it to /dev/null is less effective than just leaving
604## it alone (setting to /dev/null will waste time by opening
605## /dev/null and writing to it)
606#
607# SetConsole = /dev/console
608
609## Activate the SysV IPC message queue
610#
611# MessageQueueActive = False
612
613
614## If false, skip reverse lookup when connecting to a host known
615## by name rather than IP address (i.e. trust the DNS)
616#
617# SetReverseLookup = True
618
619## --- E-Mail ---
620
621# Only highest-level (alert) reports will be mailed immediately,
622# others will be queued. Here you can define, when the queue will
623# be flushed (Note: the queue is automatically flushed after
624# completing a file check).
625#
626# SetMailTime = 86400
627
628## Maximum number of mails to queue
629#
630# SetMailNum = 10
631
632## Recipient (max. 8)
633#
634# SetMailAddress=root@localhost
635
636## Mail relay (IP address)
637#
638# SetMailRelay = NULL
639
640## Custom subject format
641#
642# MailSubject = NULL
643
644## --- end E-Mail ---
645
646## Path to the prelink executable
647#
648# SetPrelinkPath = /usr/sbin/prelink
649
650## TIGER192 checksum of the prelink executable
651#
652# SetPrelinkChecksum = (no default)
653
654
655## Path to the executable. If set, will be checksummed after startup
656## and before exit.
657#
658# SamhainPath = (no default)
659
660
661## The IP address of the log server
662#
663# SetLogServer = (default: compiled-in)
664
665## The IP address of the time server
666#
667# SetTimeServer = (default: compiled-in)
668
669## Trusted Users (comma delimited list of user names)
670#
671# TrustedUser = (no default; this adds to the compiled-in list)
672
673## Path to the file signature database
674#
675# SetDatabasePath = (default: compiled-in)
676
677## Path to the log file
678#
679# SetLogfilePath = (default: compiled-in)
680
681## Path to the PID file
682#
683# SetLockPath = (default: compiled-in)
684
685
686## The digest/checksum/hash algorithm
687#
688# DigestAlgo = TIGER192
689
690
691## Custom format for message header.
692## CAREFUL if you use XML logfile format.
693##
694## %S severity
695## %T timestamp
696## %C class
697##
698## %F source file
699## %L source line
700#
701# MessageHeader="%S %T "
702
703
704## Don't log path to config/database file on startup
705#
706# HideSetup = False
707
708## The syslog facility, if you log to syslog
709#
710# SyslogFacility = LOG_AUTHPRIV
711SyslogFacility=LOG_LOCAL2
712
713## The message authentication method
714## - If you change this, you *must* change it
715## on client *and* server
716#
717# MACType = HMAC-TIGER
718
719
720## The Prelude-IDS profile to use for reporting
721## default value is "samhain"
722#
723# PreludeProfile = samhain
724
725## Map these samhain severities to impact severity 'info' severity
726#
727# PreludeMapToInfo =
728
729## Map these samhain severities to impact severity 'low' severity
730#
731# PreludeMapToLow = debug info
732
733## Map these samhain severities to impact severity 'medium' severity
734#
735# PreludeMapToMedium = notice warn err
736
737## Map these samhain severities to impact severity 'high' severity
738#
739# PreludeMapToHigh = crit alert
740
741
742## everything below is ignored
743[EOF]
744
745#####################################################################
746# This would be the proper syntax for parts that should only be
747# included for certain hosts.
748# You may enclose anything in a @HOSTNAME/@end bracket, as long as the
749# result still has the proper syntax for the config file.
750# You may have any number of @HOSTNAME/@end brackets.
751# HOSTNAME should be the fully qualified 'official' name
752# (e.g. 'nixon.watergate.com', not 'nixon'), no aliases.
753# No IP number - except if samhain cannot determine the
754# fully qualified hostname.
755#
756# @HOSTNAME
757# file=/foo/bar
758# @end
759#
760# These are two examples for conditional inclusion/exclusion
761# of a machine based on the output from 'uname -srm'
762# $Linux:2.*.7:i666
763# file=/foo/bar3
764# $end
765#
766# !$Linux:2.*.7:i686
767# file=/foo/bar2
768# $end
769#
770#####################################################################
Note: See TracBrowser for help on using the repository browser.