Last change on this file since 16 was 14, checked in by rainer, 19 years ago

update for default config files

1#####################################################################
2#
3# Configuration file template for samhain.
4#
5#####################################################################
6#
7# -- empty lines and lines starting with '#', ';' or '//' are ignored
8# -- boolean options can be Yes/No or True/False or 1/0
9# -- you can PGP clearsign this file -- samhain will verify the signature
10# if compiled with support, and otherwise ignore it
11# -- CHECK the mail address (SetMailAddress, further below)
12#
13# To each log facility, you can assign a threshold severity. Only
14# reports with at least the threshold severity will be logged
15# to the respective facility (even further below).
16#
17#####################################################################
18#
19# SETUP for file system checking:
20#
21# (i) There are several policies, each has its own section. Put files
22# into the section for the appropriate policy (see below).
23# (ii) Section [EventSeverity]:
24# To each policy, you can assign a severity (further below).
25# (iii) Section [Log]:
26# To each log facility, you can assign a threshold severity. Only
27# reports with at least the threshold severity will be logged
28# to the respective facility (even further below).
29#
30#####################################################################
31
32#####################################################################
33#
34# Files are defined with: file = /absolute/path
35#
36# Directories are defined with: dir = /absolute/path
37# or with an optional recursion depth (N <= 99): dir = N/absolute/path
38#
39# Directory inodes are checked. If you only want to check files
40# in a directory, but not the directory inode itself, use (e.g.):
41#
42# [ReadOnly]
43# dir = /some/directory
44# [IgnoreAll]
45# file = /some/directory
46#
47# You can use shell-style globbing patterns, like: file = /path/foo*
48#
49######################################################################
50
51[Misc]
52##
53## Add or subtract tests from the policies
54## - if you want to change their definitions,
55## you need to do that before using the policies
56##
57# RedefReadOnly = (no default)
58# RedefAttributes=(no default)
59# RedefLogFiles=(no default)
60# RedefGrowingLogFiles=(no default)
61# RedefIgnoreAll=(no default)
62# RedefIgnoreNone=(no default)
63
64# RedefUser0=(no default)
65# RedefUser1=(no default)
66
67#
68# --------- / --------------
69#
70
71[ReadOnly]
72dir = 0/
73
74[Attributes]
75file = /tmp
76file = /dev
77file = /media
78file = /proc
79file = /sys
80
81#
82# --------- /etc -----------
83#
84
85[ReadOnly]
86##
87## for these files, only access time is ignored
88##
89dir = 99/etc
90
91[Attributes]
92##
93## check permission and ownership
94##
95file = /etc/mtab
96file = /etc/adjtime
97file = /etc/motd
98file = /etc/lvm/.cache
99
100# On Ubuntu, these are in /var/lib rather than /etc
101file = /etc/cups/certs
102file = /etc/cups/certs/0
103
104# managed by fstab-sync on Fedora Core
105file = /etc/fstab
106
107# modified when booting
108file = /etc/sysconfig/hwconf
109
110# There are files in /etc that might change, thus changing the directory
111# timestamps. Put it here as 'file', and in the ReadOnly section as 'dir'.
112
113file = /etc
114
115#
116# --------- /boot -----------
117#
118
119[ReadOnly]
120dir = 99/boot
121
122#
123# --------- /bin, /sbin -----------
124#
125
126[ReadOnly]
127dir = 99/bin
128dir = 99/sbin
129
130#
131# --------- /lib -----------
132#
133
134[ReadOnly]
135dir = 99/lib
136
137#
138# --------- /dev -----------
139#
140
141[Attributes]
142dir = 99/dev
143
144[IgnoreAll]
145##
146## pseudo terminals are created/removed as needed
147##
148dir = -1/dev/pts
149
150# dir = -1/dev/.udevdb
151
152file = /dev/ppp
153
154#
155# --------- /usr -----------
156#
157
158[ReadOnly]
159dir = 99/usr
160
161#
162# --------- /var -----------
163#
164
165[ReadOnly]
166dir = 99/var
167
168[IgnoreAll]
169dir = -1/var/cache
170dir = -1/var/backups
171dir = -1/var/games
172dir = -1/var/gdm
173dir = -1/var/lock
174dir = -1/var/mail
175dir = -1/var/run
176dir = -1/var/spool
177dir = -1/var/tmp
178dir = -1/var/lib/texmf
179
180[Attributes]
181
182dir = /var/lib/nfs
183dir = /var/lib/pcmcia
184
185# /var/lib/rpm changes if packages are installed;
186# /var/lib/rpm/__db.00[123] even more frequently
187file = /var/lib/rpm/__db.00?
188
189file = /var/lib/acpi-support/vbestate
190file = /var/lib/alsa/asound.state
191file = /var/lib/apt/lists/lock
192file = /var/lib/apt/lists/partial
193file = /var/lib/cups/certs
194file = /var/lib/cups/certs/0
195file = /var/lib/dpkg/lock
196file = /var/lib/gdm
197file = /var/lib/gdm/.cookie
198file = /var/lib/gdm/.gdmfifo
199file = /var/lib/gdm/:0.Xauth
200file = /var/lib/gdm/:0.Xservers
201file = /var/lib/logrotate/status
202file = /var/lib/mysql
203file = /var/lib/mysql/ib_logfile0
204file = /var/lib/mysql/ibdata1
205file = /var/lib/slocate
206file = /var/lib/slocate/slocate.db
207file = /var/lib/slocate/slocate.db.tmp
208file = /var/lib/urandom
209file = /var/lib/urandom/random-seed
210file = /var/lib/random-seed
211file = /var/lib/xkb
212
213
214[GrowingLogFiles]
215##
216## For these files, changes in signature, timestamps, and increase in size
217## are ignored. Logfile rotation will cause a report because of shrinking
218## size and different inode.
219##
220dir = 99/var/log
221
222[Attributes]
223#
224# rotated logs will change inode
225#
226file = /var/log/*.[0-9].gz
227file = /var/log/*.[0-9].log
228file = /var/log/*.[0-9]
229file = /var/log/*.old
230file = /var/log/*/*.[0-9].gz
231file = /var/log/*/*.log.[0-9]
232
233[Misc]
234#
235# Various naming schemes for rotated logs
236#
237IgnoreAdded = /var/log/.*\.[0-9]+$
238IgnoreAdded = /var/log/.*\.[0-9]+\.gz$
239IgnoreAdded = /var/log/.*\.[0-9]+\.log$
240#
241# Subdirectories
242#
243IgnoreAdded = /var/log/[[:alnum:]]+/.*\.[0-9]+$
244IgnoreAdded = /var/log/[[:alnum:]]+/.*\.[0-9]+\.gz$
245IgnoreAdded = /var/log/[[:alnum:]]+/.*\.[0-9]+\.log$
246#
247IgnoreAdded = /var/lib/slocate/slocate.db.tmp
248IgnoreMissing = /var/lib/slocate/slocate.db.tmp
249
250#
251# --------- other policies -----------
252#
253
254[IgnoreNone]
255##
256## for these files, all modifications (even access time) are reported
257## - you may create some interesting-looking file (like /etc/safe_passwd),
258## just to watch whether someone will access it ...
259##
260
261[Prelink]
262##
263## Use for prelinked files or directories holding them
264##
265
266
267[User0]
268[User1]
269## User0 and User1 are sections for files/dirs with user-definable checking
270## (see the manual)
271
272
273
274[EventSeverity]
275##
276## Here you can assign severities to policy violations.
277## If this severity equals or exceeds the threshold of a log facility (see below),
278## a policy violation will be logged to that facility.
279##
280## Severity for verification failures.
281##
282# SeverityReadOnly=crit
283# SeverityLogFiles=crit
284# SeverityGrowingLogs=crit
285# SeverityIgnoreNone=crit
286# SeverityAttributes=crit
287# SeverityUser0=crit
288# SeverityUser1=crit
289# SeverityIgnoreAll=crit
290
291
292## Files : file access problems
293# SeverityFiles=crit
294
295## Dirs : directory access problems
296# SeverityDirs=crit
297
298## Names : suspect (non-printable) characters in a pathname
299# SeverityNames=crit
300
301[Log]
302##
303## Switch log facilities on or off and set their threshold severity
304##
305## Values: debug, info, notice, warn, mark, err, crit, alert, none.
306## 'mark' is used for timestamps.
307##
308##
309## Use 'none' to SWITCH OFF a log facility
310##
311## By default, everything equal to and above the threshold is logged.
312## The specifiers '*', '!', and '=' are interpreted as
313## 'all', 'all but', and 'only', respectively (like syslogd(8) does,
314## at least on Linux). Examples:
315## MailSeverity=*
316## MailSeverity=!warn
317## MailSeverity==crit
318
319## E-mail
320##
321# MailSeverity=none
322
323## Console
324##
325# PrintSeverity=info
326
327## Logfile
328##
329# LogSeverity=mark
330
331## Syslog
332##
333# SyslogSeverity=none
334
335## Remote server (yule)
336##
337# ExportSeverity=none
338
339## External script or program
340##
341# ExternalSeverity = none
342
343## Logging to a database
344##
345# DatabaseSeverity = none
346
347## Logging to a Prelude-IDS
348##
349# PreludeSeverity = crit
350
351
352
353#####################################################
354#
355# Optional modules
356#
357#####################################################
358
359# [SuidCheck]
360##
361## --- Check the filesystem for SUID/SGID binaries
362##
363
364## Switch on
365#
366# SuidCheckActive = yes
367
368## Interval for check (seconds)
369#
370# SuidCheckInterval = 7200
371
372## Alternative: crontab-like schedule
373#
374# SuidCheckSchedule = NULL
375
376## Directory to exclude
377#
378# SuidCheckExclude = NULL
379
380## Limit on files per second (0 == no limit)
381#
382# SuidCheckFps = 0
383
384## Alternative: yield after every file
385#
386# SuidCheckYield = no
387
388## Severity of a detection
389#
390# SeveritySuidCheck = crit
391
392## Quarantine SUID/SGID files if found
393#
394# SuidCheckQuarantineFiles = yes
395
396## Method for Quarantining files:
397# 0 - Delete or truncate the file.
398# 1 - Remove SUID/SGID permissions from file.
399# 2 - Move SUID/SGID file to quarantine dir.
400#
401# SuidCheckQuarantineMethod = 0
402
403## For method 1 and 3, really delete instead of truncating
404#
405# SuidCheckQuarantineDelete = yes
406
407#[Kernel]
408##
409## --- Check for loadable kernel module rootkits (Linux/FreeBSD only)
410##
411
412## Switch on/off
413#
414# KernelCheckActive = True
415
416## Check interval (seconds); the check itself is very fast
417#
418# KernelCheckInterval = 300
419
420## Severity
421#
422# SeverityKernel = crit
423
424
425# [Utmp]
426##
427## --- Logging of login/logout events
428##
429
430## Switch on/off
431#
432# LoginCheckActive = True
433
434## Severity for logins, multiple logins, logouts
435#
436# SeverityLogin=info
437# SeverityLoginMulti=warn
438# SeverityLogout=info
439
440## Interval for login/logout checks
441#
442# LoginCheckInterval = 300
443
444
445# [Database]
446##
447## --- Logging to a relational database
448##
449
450## Database name
451#
452# SetDBName = samhain
453
454## Database table
455#
456# SetDBTable = log
457
458## Database user
459#
460# SetDBUser = samhain
461
462## Database password (stored in clear text in this file; keep the file unreadable to other users)
463#
464# SetDBPassword = (default: none)
465
466## Database host
467#
468# SetDBHost = localhost
469
470## Log the server timestamp for received messages
471#
472# SetDBServerTstamp = True
473
474## Use a persistent connection
475#
476# UsePersistent = True
477
478# [External]
479##
480## Interface to call external scripts/programs for logging
481##
482
483## The absolute path to the command
484## - Each invocation of this directive will end the definition of the
485## preceding command, and start the definition of
486## an additional, new command
487#
488# OpenCommand = (no default)
489
490## Type (log or srv)
491## - log for log messages, srv for messages received by the server
492#
493# SetType = log
494
495## The command (full command line) to execute
496#
497# SetCommandLine = (no default)
498
499## The environment (KEY=value; repeat for more)
500#
501# SetEnviron = TZ=(your timezone)
502
503## The TIGER192 checksum of the command (optional; lets samhain verify the executable before running it)
504#
505# SetChecksum = (no default)
506
507## User who runs the command
508#
509# SetCredentials = (default: samhain process uid)
510
511## Words not allowed in message
512#
513# SetFilterNot = (none)
514
515## Words required (ALL of them)
516#
517# SetFilterAnd = (none)
518
519## Words required (at least one)
520#
521# SetFilterOr = (none)
522
523## Deadtime between consecutive calls
524#
525# SetDeadtime = 0
526
527## Add default environment (HOME, PATH, SHELL)
528#
529# SetDefault = no
530
531
532#####################################################
533#
534# Miscellaneous configuration options
535#
536#####################################################
537
538[Misc]
539
540## whether to become a daemon process
541## (this is not honoured on database initialisation)
542#
543# Daemon = no
544Daemon = yes
545
546## whether to test the signature of files (init/check/none)
547## - if 'none', the mode must be chosen on the command line
548#
549# ChecksumTest = none
550ChecksumTest=check
551
552## Set nice level (-19 to 19, see 'man nice'),
553## and I/O limit (kilobytes per second; 0 == off)
554## to reduce load on host.
555#
556# SetNiceLevel = 0
557# SetIOLimit = 0
558
559## The version string to embed in file signature databases
560#
561# VersionString = NULL
562
563## Interval between time stamp messages
564#
565# SetLoopTime = 60
566SetLoopTime = 600
567
568## Interval between file checks
569#
570# SetFileCheckTime = 600
571SetFileCheckTime = 7200
572
573## Alternative: crontab-like schedule
574#
575# FileCheckScheduleOne = NULL
576
577## Alternative: crontab-like schedule(2)
578#
579# FileCheckScheduleTwo = NULL
580
581## Report only once on modified files
582## Setting this to 'FALSE' will generate a report for any policy
583## violation (old and new ones) each time the daemon checks the file system.
584#
585# ReportOnlyOnce = True
586
587## Report in full detail
588#
589# ReportFullDetail = False
590
591## Report file timestamps in local time rather than GMT
592#
593# UseLocalTime = No
594
595## The console device (can also be a file or named pipe)
596## - There are two console devices; use this directive a second
597## time to set the second one.
598## If you have not defined the second device at compile time
599## and don't want to use it, simply leave it alone:
600## setting it to /dev/null is less efficient, because samhain
601## would still waste time opening /dev/null and writing to it.
602##
603#
604# SetConsole = /dev/console
605
606## Activate the SysV IPC message queue
607#
608# MessageQueueActive = False
609
610
611## If false, skip reverse lookup when connecting to a host known
612## by name rather than IP address (i.e. trust the DNS)
613#
614# SetReverseLookup = True
615
616## --- E-Mail ---
617
618# Only highest-level (alert) reports will be mailed immediately;
619# all others are queued. Here you can define when the queue will
620# be flushed (note: the queue is also flushed automatically after
621# completing a file check).
622#
623# SetMailTime = 86400
624
625## Maximum number of mails to queue
626#
627# SetMailNum = 10
628
629## Recipient (max. 8)
630#
631# SetMailAddress=root@localhost
632
633## Mail relay (IP address)
634#
635# SetMailRelay = NULL
636
637## Custom subject format
638#
639# MailSubject = NULL
640
641## --- end E-Mail ---
642
643## Path to the prelink executable
644#
645# SetPrelinkPath = /usr/sbin/prelink
646
647## TIGER192 checksum of the prelink executable
648#
649# SetPrelinkChecksum = (no default)
650
651
652## Path to the executable. If set, will be checksummed after startup
653## and before exit.
654#
655# SamhainPath = (no default)
656
657
658## The IP address of the log server
659#
660# SetLogServer = (default: compiled-in)
661
662## The IP address of the time server
663#
664# SetTimeServer = (default: compiled-in)
665
666## Trusted Users (comma-delimited list of user names; keep this list minimal)
667#
668# TrustedUser = (no default; this adds to the compiled-in list)
669
670## Path to the file signature database
671#
672# SetDatabasePath = (default: compiled-in)
673
674## Path to the log file
675#
676# SetLogfilePath = (default: compiled-in)
677
678## Path to the PID file
679#
680# SetLockPath = (default: compiled-in)
681
682
683## The digest/checksum/hash algorithm
684#
685# DigestAlgo = TIGER192
686
687
688## Custom format for message header.
689## CAREFUL if you use XML logfile format.
690##
691## %S severity
692## %T timestamp
693## %C class
694##
695## %F source file
696## %L source line
697#
698# MessageHeader="%S %T "
699
700
701## Don't log path to config/database file on startup
702#
703# HideSetup = False
704
705## The syslog facility, if you log to syslog
706#
707# SyslogFacility = LOG_AUTHPRIV
708SyslogFacility=LOG_LOCAL2
709
710## The message authentication method
711## - If you change this, you *must* change it
712## on client *and* server
713#
714# MACType = HMAC-TIGER
715
716
717## The Prelude-IDS profile to use for reporting
718## default value is "samhain"
719#
720# PreludeProfile = samhain
721
722## Map these samhain severities to Prelude impact severity 'info'
723#
724# PreludeMapToInfo =
725
726## Map these samhain severities to Prelude impact severity 'low'
727#
728# PreludeMapToLow = debug info
729
730## Map these samhain severities to Prelude impact severity 'medium'
731#
732# PreludeMapToMedium = notice warn err
733
734## Map these samhain severities to Prelude impact severity 'high'
735#
736# PreludeMapToHigh = crit alert
737
738
739## everything below is ignored
740[EOF]
741
742#####################################################################
743# This would be the proper syntax for parts that should only be
744# included for certain hosts.
745# You may enclose anything in a @HOSTNAME/@end bracket, as long as the
746# result still has the proper syntax for the config file.
747# You may have any number of @HOSTNAME/@end brackets.
748# HOSTNAME should be the fully qualified 'official' name
749# (e.g. 'nixon.watergate.com', not 'nixon'), no aliases.
750# No IP number - except if samhain cannot determine the
751# fully qualified hostname.
752#
753# @HOSTNAME
754# file=/foo/bar
755# @end
756#
757# These are two examples for conditional inclusion/exclusion
758# of a machine based on the output from 'uname -srm'
759# $Linux:2.*.7:i666
760# file=/foo/bar3
761# $end
762#
763# !$Linux:2.*.7:i686
764# file=/foo/bar2
765# $end
766#
767#####################################################################