source: trunk/samhainrc.linux@ 6

Last change on this file since 6 was 1, checked in by katerina, 19 years ago

Initial import

File size: 14.9 KB
Line 
1#####################################################################
2#
3# Configuration file template for samhain.
4#
5#####################################################################
6#
7# -- empty lines and lines starting with '#', ';' or '//' are ignored
8# -- boolean options can be Yes/No or True/False or 1/0
9# -- you can PGP clearsign this file -- samhain will check (if compiled
10# with support) or otherwise ignore the signature
11# -- CHECK mail address
12#
13# To each log facility, you can assign a threshold severity. Only
14# reports with at least the threshold severity will be logged
15# to the respective facility (even further below).
16#
17#####################################################################
18#
19# SETUP for file system checking:
20#
21# (i) There are several policies, each has its own section. Put files
22# into the section for the appropriate policy (see below).
23# (ii) Section [EventSeverity]:
24# To each policy, you can assign a severity (further below).
25# (iii) Section [Log]:
26# To each log facility, you can assign a threshold severity. Only
27# reports with at least the threshold severity will be logged
28# to the respective facility (even further below).
29#
30#####################################################################
31
32#####################################################################
33#
34# Files are defined with: file = /absolute/path
35#
36# Directories are defined with: dir = /absolute/path
37# or with an optional recursion depth (N <= 99): dir = N/absolute/path
38#
39# Directory inodes are checked. If you only want to check files
40# in a directory, but not the directory inode itself, use (e.g.):
41#
42# [ReadOnly]
43# dir = /some/directory
44# [IgnoreAll]
45# file = /some/directory
46#
47# You can use shell-style globbing patterns, like: file = /path/foo*
48#
49######################################################################
50
51[Misc]
52##
53## Add or subtract tests from the policies
54## - if you want to change their definitions,
55## you need to do that before using the policies
56##
57# RedefReadOnly = (no default)
58# RedefAttributes=(no default)
59# RedefLogFiles=(no default)
60# RedefGrowingLogFiles=(no default)
61# RedefIgnoreAll=(no default)
62# RedefIgnoreNone=(no default)
63# RedefUser0=(no default)
64# RedefUser1=(no default)
65
66[Attributes]
67##
68## for these files, only changes in permissions and ownership are checked
69##
70file=/etc/mtab
71file=/etc/ssh_random_seed
72file=/etc/asound.conf
73file=/etc/resolv.conf
74file=/etc/localtime
75file=/etc/ioctl.save
76file=/etc/passwd.backup
77file=/etc/shadow.backup
78
79#
80# There are files in /etc that might change, thus changing the directory
81# timestamps. Put it here as 'file', and in the ReadOnly section as 'dir'.
82#
83file=/etc
84
85[LogFiles]
86##
87## for these files, changes in signature, timestamps, and size are ignored
88##
89file=/var/run/utmp
90file=/etc/motd
91
92
93
94#####################################################################
95#
96# This would be the proper syntax for parts that should only be
97# included for certain hosts.
98# You may enclose anything in a @HOSTNAME/@end bracket, as long as the
99# result still has the proper syntax for the config file.
100# You may have any number of @HOSTNAME/@end brackets.
101# HOSTNAME should be the fully qualified 'official' name
102# (e.g. 'nixon.watergate.com', not 'nixon'), no aliases.
103# No IP number - except if samhain cannot determine the
104# fully qualified hostname.
105#
106# @HOSTNAME
107# file=/foo/bar
108# @end
109#
110# These are two examples for conditional inclusion/exclusion
111# of a machine based on the output from 'uname -srm'
112#
113# $Linux:2.*.7:i666
114# file=/foo/bar3
115# $end
116#
117# !$Linux:2.*.7:i686
118# file=/foo/bar2
119# $end
120#
121#####################################################################
122
123[GrowingLogFiles]
124##
125## for these files, changes in signature, timestamps, and increase in size
126## are ignored
127##
128file=/var/log/warn
129file=/var/log/messages
130file=/var/log/wtmp
131file=/var/log/faillog
132
133[IgnoreAll]
134##
135## for these files, no modifications are reported
136##
137## This file might be created or removed by the system sometimes.
138##
139file=/etc/resolv.conf.pcmcia.save
140
141
142[IgnoreNone]
143##
144## for these files, all modifications (even access time) are reported
145## - you may create some interesting-looking file (like /etc/safe_passwd),
146## just to watch whether someone will access it ...
147##
148
149[Prelink]
150##
151## Use for prelinked files or directories holding them
152##
153
154
155[ReadOnly]
156##
157## for these files, only access time is ignored
158##
159dir=/usr/bin
160dir=/bin
161dir=/boot
162#
163# SuSE (old) has the boot init scripts in /sbin/init.d/*,
164# so we go 3 levels deep
165#
166dir=3/sbin
167dir=/usr/sbin
168dir=/lib
169#
170# RedHat and Debian have the bootinit scripts in /etc/init.d/* or /etc/rc.d/*,
171# so we go 3 levels deep there too
172#
173dir=3/etc
174
175# Various directories / files that may include / be SUID/SGID binaries
176#
177#
178dir=/usr/X11R6/bin
179dir=/usr/X11R6/lib/X11/xmcd/bin
180file=/usr/lib/pt_chown
181dir=/opt/gnome/bin
182dir=/opt/kde/bin
183
184[User0]
185[User1]
186## User0 and User1 are sections for files/dirs with user-definable checking
187## (see the manual)
188
189
190[EventSeverity]
191##
192## Here you can assign severities to policy violations.
193## If this severity exceeds the treshold of a log facility (see below),
194## a policy violation will be logged to that facility.
195##
196## Severity for verification failures.
197##
198# SeverityReadOnly=crit
199# SeverityLogFiles=crit
200# SeverityGrowingLogs=crit
201# SeverityIgnoreNone=crit
202# SeverityAttributes=crit
203# SeverityUser0=crit
204# SeverityUser1=crit
205
206##
207## We have a file in IgnoreAll that might or might not be present.
208## Setting the severity to 'info' prevents messages about deleted/new file.
209##
210# SeverityIgnoreAll=crit
211SeverityIgnoreAll=info
212
213## Files : file access problems
214# SeverityFiles=crit
215
216## Dirs : directory access problems
217# SeverityDirs=crit
218
219## Names : suspect (non-printable) characters in a pathname
220# SeverityNames=crit
221
222[Log]
223##
224## Switch on/OFF log facilities and set their threshold severity
225##
226## Values: debug, info, notice, warn, mark, err, crit, alert, none.
227## 'mark' is used for timestamps.
228##
229##
230## Use 'none' to SWITCH OFF a log facility
231##
232## By default, everything equal to and above the threshold is logged.
233## The specifiers '*', '!', and '=' are interpreted as
234## 'all', 'all but', and 'only', respectively (like syslogd(8) does,
235## at least on Linux). Examples:
236## MailSeverity=*
237## MailSeverity=!warn
238## MailSeverity==crit
239
240## E-mail
241##
242# MailSeverity=none
243
244## Console
245##
246# PrintSeverity=info
247
248## Logfile
249##
250# LogSeverity=mark
251
252## Syslog
253##
254# SyslogSeverity=none
255
256## Remote server (yule)
257##
258# ExportSeverity=none
259
260## External script or program
261##
262# ExternalSeverity = none
263
264## Logging to a database
265##
266# DatabaseSeverity = none
267
268## Logging to a Prelude-IDS
269##
270# PreludeSeverity = crit
271
272
273
274#####################################################
275#
276# Optional modules
277#
278#####################################################
279
280# [SuidCheck]
281##
282## --- Check the filesystem for SUID/SGID binaries
283##
284
285## Switch on
286#
287# SuidCheckActive = yes
288
289## Interval for check (seconds)
290#
291# SuidCheckInterval = 7200
292
293## Alternative: crontab-like schedule
294#
295# SuidCheckSchedule = NULL
296
297## Directory to exclude
298#
299# SuidCheckExclude = NULL
300
301## Limit on files per second (0 == no limit)
302#
303# SuidCheckFps = 0
304
305## Alternative: yield after every file
306#
307# SuidCheckYield = no
308
309## Severity of a detection
310#
311# SeveritySuidCheck = crit
312
313## Quarantine SUID/SGID files if found
314#
315# SuidCheckQuarantineFiles = yes
316
317## Method for Quarantining files:
318# 0 - Delete or truncate the file.
319# 1 - Remove SUID/SGID permissions from file.
320# 2 - Move SUID/SGID file to quarantine dir.
321#
322# SuidCheckQuarantineMethod = 0
323
324## For method 1 and 3, really delete instead of truncating
325#
326# SuidCheckQuarantineDelete = yes
327
328#[Kernel]
329##
330## --- Check for loadable kernel module rootkits (Linux/FreeBSD only)
331##
332
333## Switch on/off
334#
335# KernelCheckActive = True
336
337## Check interval (seconds); btw., the check is VERY fast
338#
339# KernelCheckInterval = 300
340
341## Severity
342#
343# SeverityKernel = crit
344
345
346# [Utmp]
347##
348## --- Logging of login/logout events
349##
350
351## Switch on/off
352#
353# LoginCheckActive = True
354
355## Severity for logins, multiple logins, logouts
356#
357# SeverityLogin=info
358# SeverityLoginMulti=warn
359# SeverityLogout=info
360
361## Interval for login/logout checks
362#
363# LoginCheckInterval = 300
364
365
366# [Database]
367##
368## --- Logging to a relational database
369##
370
371## Database name
372#
373# SetDBName = samhain
374
375## Database table
376#
377# SetDBTable = log
378
379## Database user
380#
381# SetDBUser = samhain
382
383## Database password
384#
385# SetDBPassword = (default: none)
386
387## Database host
388#
389# SetDBHost = localhost
390
391## Log the server timestamp for received messages
392#
393# SetDBServerTstamp = True
394
395## Use a persistent connection
396#
397# UsePersistent = True
398
399# [External]
400##
401## Interface to call external scripts/programs for logging
402##
403
404## The absolute path to the command
405## - Each invocation of this directive will end the definition of the
406## preceding command, and start the definition of
407## an additional, new command
408#
409# OpenCommand = (no default)
410
411## Type (log or rv)
412## - log for log messages, srv for messages received by the server
413#
414# SetType = log
415
416## The command (full command line) to execute
417#
418# SetCommandLine = (no default)
419
420## The environment (KEY=value; repeat for more)
421#
422# SetEnviron = TZ=(your timezone)
423
424## The TIGER192 checksum (optional)
425#
426# SetChecksum = (no default)
427
428## User who runs the command
429#
430# SetCredentials = (default: samhain process uid)
431
432## Words not allowed in message
433#
434# SetFilterNot = (none)
435
436## Words required (ALL of them)
437#
438# SetFilterAnd = (none)
439
440## Words required (at least one)
441#
442# SetFilterOr = (none)
443
444## Deadtime between consecutive calls
445#
446# SetDeadtime = 0
447
448## Add default environment (HOME, PATH, SHELL)
449#
450# SetDefault = no
451
452
453#####################################################
454#
455# Miscellaneous configuration options
456#
457#####################################################
458
459[Misc]
460
461## whether to become a daemon process
462## (this is not honoured on database initialisation)
463#
464# Daemon = no
465Daemon = yes
466
467## whether to test signature of files (init/check/none)
468## - if 'none', then we have to decide this on the command line -
469#
470# ChecksumTest = none
471ChecksumTest=check
472
473## whether to drop linux capabilities that are not required
474## - will make a root process a 'mere mortal' in many respects
475#
476# UseCaps = yes
477
478## Set nice level (-19 to 19, see 'man nice'),
479## and I/O limit (kilobytes per second; 0 == off)
480## to reduce load on host.
481#
482# SetNiceLevel = 0
483# SetIOLimit = 0
484
485## The version string to embed in file signature databases
486#
487# VersionString = NULL
488
489## Interval between time stamp messages
490#
491# SetLoopTime = 60
492SetLoopTime = 600
493
494## Interval between file checks
495#
496# SetFileCheckTime = 600
497SetFileCheckTime = 7200
498
499## Alternative: crontab-like schedule
500#
501# FileCheckScheduleOne = NULL
502
503## Alternative: crontab-like schedule(2)
504#
505# FileCheckScheduleTwo = NULL
506
507## Report only once on modified fles
508## Setting this to 'FALSE' will generate a report for any policy
509## violation (old and new ones) each time the daemon checks the file system.
510#
511# ReportOnlyOnce = True
512
513## Report in full detail
514#
515# ReportFullDetail = False
516
517## Report file timestamps in local time rather than GMT
518#
519# UseLocalTime = No
520
521## The console device (can also be a file or named pipe)
522## - There are two console devices. Accordingly, you can use
523## this directive a second time to set the second console device.
524## If you have not defined the second device at compile time,
525## and you don't want to use it, then:
526## setting it to /dev/null is less effective than just leaving
527## it alone (setting to /dev/null will waste time by opening
528## /dev/null and writing to it)
529#
530# SetConsole = /dev/console
531
532## Activate the SysV IPC message queue
533#
534# MessageQueueActive = False
535
536
537## If false, skip reverse lookup when connecting to a host known
538## by name rather than IP address (i.e. trust the DNS)
539#
540# SetReverseLookup = True
541
542## --- E-Mail ---
543
544# Only highest-level (alert) reports will be mailed immediately,
545# others will be queued. Here you can define, when the queue will
546# be flushed (Note: the queue is automatically flushed after
547# completing a file check).
548#
549# SetMailTime = 86400
550
551## Maximum number of mails to queue
552#
553# SetMailNum = 10
554
555## Recipient (max. 8)
556#
557# SetMailAddress=root@localhost
558
559## Mail relay (IP address)
560#
561# SetMailRelay = NULL
562
563## Custom subject format
564#
565# MailSubject = NULL
566
567## --- end E-Mail ---
568
569## Path to the prelink executable
570#
571# SetPrelinkPath = /usr/sbin/prelink
572
573## TIGER192 checksum of the prelink executable
574#
575# SetPrelinkChecksum = (no default)
576
577
578## Path to the executable. If set, will be checksummed after startup
579## and before exit.
580#
581# SamhainPath = (no default)
582
583
584## The IP address of the log server
585#
586# SetLogServer = (default: compiled-in)
587
588## The IP address of the time server
589#
590# SetTimeServer = (default: compiled-in)
591
592## Trusted Users (comma delimited list of user names)
593#
594# TrustedUser = (no default; this adds to the compiled-in list)
595
596## Path to the file signature database
597#
598# SetDatabasePath = (default: compiled-in)
599
600## Path to the log file
601#
602# SetLogfilePath = (default: compiled-in)
603
604## Path to the PID file
605#
606# SetLockPath = (default: compiled-in)
607
608
609## The digest/checksum/hash algorithm
610#
611# DigestAlgo = TIGER192
612
613
614## Custom format for message header.
615## CAREFUL if you use XML logfile format.
616##
617## %S severity
618## %T timestamp
619## %C class
620##
621## %F source file
622## %L source line
623#
624# MessageHeader="%S %T "
625
626
627## Don't log path to config/database file on startup
628#
629# HideSetup = False
630
631## The syslog facility, if you log to syslog
632#
633# SyslogFacility = LOG_AUTHPRIV
634SyslogFacility=LOG_LOCAL2
635
636## The message authentication method
637## - If you change this, you *must* change it
638## on client *and* server
639#
640# MACType = HMAC-TIGER
641
642
643## The Prelude-IDS profile to use for reporting
644## default value is "samhain"
645#
646# PreludeProfile = samhain
647
648## Map these samhain severities to impact severity 'info' severity
649#
650# PreludeMapToInfo =
651
652## Map these samhain severities to impact severity 'low' severity
653#
654# PreludeMapToLow = debug info
655
656## Map these samhain severities to impact severity 'medium' severity
657#
658# PreludeMapToMedium = notice warn err
659
660## Map these samhain severities to impact severity 'high' severity
661#
662# PreludeMapToHigh = crit alert
663
664
665## everything below is ignored
666[EOF]
667
668#####################################################################
669# This would be the proper syntax for parts that should only be
670# included for certain hosts.
671# You may enclose anything in a @HOSTNAME/@end bracket, as long as the
672# result still has the proper syntax for the config file.
673# You may have any number of @HOSTNAME/@end brackets.
674# HOSTNAME should be the fully qualified 'official' name
675# (e.g. 'nixon.watergate.com', not 'nixon'), no aliases.
676# No IP number - except if samhain cannot determine the
677# fully qualified hostname.
678#
679# @HOSTNAME
680# file=/foo/bar
681# @end
682#
683# These are two examples for conditional inclusion/exclusion
684# of a machine based on the output from 'uname -srm'
685# $Linux:2.*.7:i666
686# file=/foo/bar3
687# $end
688#
689# !$Linux:2.*.7:i686
690# file=/foo/bar2
691# $end
692#
693#####################################################################
Note: See TracBrowser for help on using the repository browser.