[56] | 1 | #
|
---|
| 2 | # From pkgsrc-wip, Author: Brian Seklecki
|
---|
| 3 | #
|
---|
| 4 |
|
---|
| 5 | [Misc]
|
---|
| 6 | RedefUser0=+INO, +SIZ, +RDEV, +CHK, -MOD, -MTM, -ATM, -CTM, -GRP, -USR
|
---|
| 7 |
|
---|
| 8 | # The new Samhain behavior is to check the checksum up the last-known size of
|
---|
| 9 | # the file, but *yes*, the inode will change when it becomes rotated and the size
|
---|
| 10 | # will get reset to a lesser value (in which case the check should know to passively
|
---|
| 11 | # fail)
|
---|
| 12 | RedefGrowingLogFiles=-INO, -SIZ, +CHK, -MTM, -ATM, -CTM
|
---|
| 13 |
|
---|
| 14 | #
|
---|
| 15 | # --------- / --------------
|
---|
| 16 | #
|
---|
| 17 |
|
---|
| 18 | [ReadOnly]
|
---|
| 19 | dir = 99/
|
---|
| 20 |
|
---|
| 21 | # This covers the contents of / including: /boot, /bin, /sbin, /lib, /libexec,
|
---|
| 22 | # /rescue, /root, /altroot, /usr, /var, /stand, /mnt, /tmp, /proc, /kern (Even
|
---|
| 23 | # though /usr and /var will recieve overrides)
|
---|
| 24 |
|
---|
| 25 | [Attributes]
|
---|
| 26 | file = /proc
|
---|
| 27 | file = /kern
|
---|
| 28 |
|
---|
| 29 | [IgnoreAll]
|
---|
| 30 | dir=-1/proc
|
---|
| 31 | dir=-1/kern
|
---|
| 32 |
|
---|
| 33 | #
|
---|
| 34 | # --------- /tmp -----------
|
---|
| 35 | #
|
---|
| 36 | [Attributes]
|
---|
| 37 | file=/tmp
|
---|
| 38 | [IgnoreAll]
|
---|
| 39 | dir=-1/tmp
|
---|
| 40 |
|
---|
| 41 |
|
---|
| 42 |
|
---|
| 43 | #
|
---|
| 44 | # --------- /root --------------
|
---|
| 45 | #
|
---|
| 46 |
|
---|
| 47 | # Per section 5.4.2.1 of the manual, Rule #5, there are lock file written here
|
---|
| 48 | # that changes the mtime/ctime of the dir, so we want to watch perms/ownership,
|
---|
| 49 | # ignore ctime/mtime/size, etc., but still watch the critical files inside.
|
---|
| 50 | # Note: in theory, /root should never change if you use sudo(8) w/o "-H"
|
---|
| 51 | [ReadOnly]
|
---|
| 52 | dir=/root/.gnupg
|
---|
| 53 | [Attributes]
|
---|
| 54 | file=/root/.gnupg
|
---|
| 55 | file=/root/.gnupg/random_seed
|
---|
| 56 |
|
---|
| 57 | #
|
---|
| 58 | # --------- /dev -----------
|
---|
| 59 | #
|
---|
| 60 |
|
---|
| 61 | [Attributes]
|
---|
| 62 | dir = 99/dev
|
---|
| 63 |
|
---|
| 64 | # User0 will be for /dev/tty* and other devices where Owner/Group/Mode can
|
---|
| 65 | # change but the Inode/Size/Device/Checksum should not change.
|
---|
| 66 |
|
---|
| 67 | [User0]
|
---|
| 68 | file=/dev/tty*
|
---|
| 69 | file=/dev/pty*
|
---|
| 70 |
|
---|
| 71 | #
|
---|
| 72 | # --------- /etc -----------
|
---|
| 73 | #
|
---|
| 74 |
|
---|
| 75 | [ReadOnly]
|
---|
| 76 | ##
|
---|
| 77 | ## for these files, only access time is ignored
|
---|
| 78 | ##
|
---|
| 79 | dir = 99/etc
|
---|
| 80 |
|
---|
| 81 |
|
---|
| 82 | # If you're running dhclient(8), resolv.conf will get re-written at renewal
|
---|
| 83 | # time so pray that he dhcpd(8) on your network doesn't get owned.
|
---|
| 84 | # Crytpo-signed DHCP traffic would be too much to ask from ISC, but maybe
|
---|
| 85 | # not from the OpenBSD hack
|
---|
| 86 |
|
---|
| 87 | [Attributes]
|
---|
| 88 | file=/etc/dhclient.conf
|
---|
| 89 |
|
---|
| 90 | # If you run CUPS, /etc/printcap gets re-written if you have
|
---|
| 91 | # "Browsing On" and "Printcap /etc/printcap" in cupsd.conf(5)
|
---|
| 92 | [Attributes]
|
---|
| 93 | file=/etc/printcap
|
---|
| 94 |
|
---|
| 95 |
|
---|
| 96 | #
|
---|
| 97 | # --------- /usr -----------
|
---|
| 98 | #
|
---|
| 99 |
|
---|
| 100 | # note about the following two: this reduced the size
|
---|
| 101 | # of the database greatly
|
---|
| 102 |
|
---|
| 103 | #
|
---|
| 104 | # --------- /usr/pkgsrc -----------
|
---|
| 105 | #
|
---|
| 106 |
|
---|
| 107 | # Leave this uncommented if you CVS update your pkgsrc
|
---|
| 108 | # periodically/automatically. If you do not, comment it
|
---|
| 109 | # out and you should be informed about any unauthorized
|
---|
| 110 | # modifications to pkgsrc (which is an attack vector)
|
---|
| 111 |
|
---|
| 112 | [IgnoreAll]
|
---|
| 113 | dir=-1/usr/pkgsrc
|
---|
| 114 |
|
---|
| 115 | #
|
---|
| 116 | # --------- /usr/src -----------
|
---|
| 117 | #
|
---|
| 118 |
|
---|
| 119 | # Leave this uncommented if you CVS update your src
|
---|
| 120 | # periodically/automatically. If you do not, comment it
|
---|
| 121 | # out and you should be informed about any unauthorized
|
---|
| 122 | # modifications to src (which is an attack vector)
|
---|
| 123 |
|
---|
| 124 |
|
---|
| 125 | [IgnoreAll]
|
---|
| 126 | dir=-1/usr/src
|
---|
| 127 |
|
---|
| 128 |
|
---|
| 129 | #
|
---|
| 130 | # --------- /usr/home (/home) -----------
|
---|
| 131 | #
|
---|
| 132 |
|
---|
| 133 |
|
---|
| 134 | # /home may be a symlink to /usr/home on a stock system, but most admins cane
|
---|
| 135 | # that shit. [Attributes] could be replaced here by [ReadOnly] if we wanted to
|
---|
| 136 | # know about new users being added (on systems where there are no new users)
|
---|
| 137 |
|
---|
| 138 | [Attributes]
|
---|
| 139 | file = /home
|
---|
| 140 | [IgnoreAll]
|
---|
| 141 | dir = -1/home
|
---|
| 142 |
|
---|
| 143 | #
|
---|
| 144 | # --------- /usr/compat/linux/etc -----------
|
---|
| 145 | #
|
---|
| 146 |
|
---|
| 147 | # You're basically compromising your system by enabling Linux emulation anyway
|
---|
| 148 |
|
---|
| 149 | [Attributes]
|
---|
| 150 | file = /usr/compat/linux/etc
|
---|
| 151 | file = /usr/compat/linux/etc/ld.so.cache
|
---|
| 152 |
|
---|
| 153 | #
|
---|
| 154 | # --------- /usr/compat/linux/proc -----------
|
---|
| 155 | #
|
---|
| 156 |
|
---|
| 157 | # Uncomment if you have Linux Emulation/Compat Installed/Setup/Mounted
|
---|
| 158 | [Attributes]
|
---|
| 159 | file=/emul/linux/proc
|
---|
| 160 | [IgnoreAll]
|
---|
| 161 | dir=-1/emul/linux/proc
|
---|
| 162 |
|
---|
| 163 |
|
---|
| 164 | #
|
---|
| 165 | # --------- /var/run -----------
|
---|
| 166 | #
|
---|
| 167 |
|
---|
| 168 | # New PID files may come, and PID files may go (as services on a system change),
|
---|
| 169 | # but then probably a database rebuild will occur. But at the time of the
|
---|
| 170 | # database init, we should consider everything in here subject to change
|
---|
| 171 | # (checksum, times, size) during a daemon restart, but everything else stays
|
---|
| 172 | # the same.
|
---|
| 173 |
|
---|
| 174 | # If you have periodic scripts that HUP daemons, the PID should be unachanged.
|
---|
| 175 | # However, force-restarts will be a new PID, so consider this
|
---|
| 176 |
|
---|
| 177 | [Attributes]
|
---|
| 178 | dir=99/var/run
|
---|
| 179 |
|
---|
| 180 | [Misc]
|
---|
| 181 | # Ignore sudo(8) TTY/PTY "Tickets" if you use sudo
|
---|
| 182 | IgnoreMissing = /var/run/sudo/[[:alnum:]]{1,9}/(p|t)ty.*$
|
---|
| 183 | IgnoreAdded = /var/run/sudo/[[:alnum:]]{1,9}/(p|t)ty.*$
|
---|
| 184 |
|
---|
| 185 | #
|
---|
| 186 | # --------- /var/(spool|queue|etc.) -----------
|
---|
| 187 | #
|
---|
| 188 |
|
---|
| 189 | [Attributes]
|
---|
| 190 | file=/var/cron/tabs
|
---|
| 191 | file=/var/spool/mqueue
|
---|
| 192 | file=/var/spool/clientmqueue
|
---|
| 193 | file=/var/mail
|
---|
| 194 | file=/var/tmp
|
---|
| 195 |
|
---|
| 196 | #
|
---|
| 197 | # --------- /var/at -----------
|
---|
| 198 | #
|
---|
| 199 |
|
---|
| 200 | # As deep as /var/at/ will be watched by 99/
|
---|
| 201 |
|
---|
| 202 | [Attributes]
|
---|
| 203 | file=/var/at/spool
|
---|
| 204 | file=/var/at/jobs
|
---|
| 205 |
|
---|
| 206 | #
|
---|
| 207 | # --------- /var/db -----------
|
---|
| 208 | #
|
---|
| 209 |
|
---|
| 210 | # Some files are written directly into /var/db
|
---|
| 211 | [Attributes]
|
---|
| 212 | file=/var/db
|
---|
| 213 |
|
---|
| 214 | [Attributes]
|
---|
| 215 | # Updatedb per /etc/periodic.d/weekly/310.locate (FreeBSD) or /etc/weekly (NetBSD)
|
---|
| 216 | file=/var/db/locate.database
|
---|
| 217 |
|
---|
| 218 | [Misc]
|
---|
| 219 | # this file comes and goes with portaudit(1)/portversion(1)/pkg_version(1)
|
---|
| 220 | # Other is ISC DHCLIENT related
|
---|
| 221 | IgnoreAdded=/var/db/(pkgdb.fixme|dhclient.leases.*)
|
---|
| 222 | IgnoreMissing=/var/db/(pkgdb.fixme|dhclient.leases.*)
|
---|
| 223 |
|
---|
| 224 |
|
---|
| 225 | #
|
---|
| 226 | # --------- /var/db/mysql -----------
|
---|
| 227 | #
|
---|
| 228 |
|
---|
| 229 | # The same for MySQL, except it's probably owned by the time you get done
|
---|
| 230 | # installing it.
|
---|
| 231 |
|
---|
| 232 | [Attributes]
|
---|
| 233 | file=/var/db/mysql
|
---|
| 234 | [IgnoreAll]
|
---|
| 235 | dir=-1/var/db/mysql
|
---|
| 236 |
|
---|
| 237 | ####################################################################
|
---|
| 238 | # The next three entries depend on your security paranoia policy about
|
---|
| 239 | # SRC and PORTSs trees, etc. Remember, Ports is the only default attack
|
---|
| 240 | # vector against FreeBSD machines.
|
---|
| 241 | ####################################################################
|
---|
| 242 |
|
---|
| 243 |
|
---|
| 244 | #
|
---|
| 245 | # --------- /var/db/pkg -----------
|
---|
| 246 | #
|
---|
| 247 |
|
---|
| 248 | # This database directory gets updated if a cvsup(8)/cvs(8)/sup(8) update
|
---|
| 249 | # occurs to a Pkgsrc source tree and then "pkgdb(8) -fu" is run.
|
---|
| 250 |
|
---|
| 251 | [Attributes]
|
---|
| 252 | file=/var/db/pkg
|
---|
| 253 | [IgnoreAll]
|
---|
| 254 | dir=-1/var/db/pkg
|
---|
| 255 |
|
---|
| 256 |
|
---|
| 257 | #
|
---|
| 258 | # --------- /var/db/entropy -----------
|
---|
| 259 | #
|
---|
| 260 | [Attributes]
|
---|
| 261 | file=/var/db/entropy
|
---|
| 262 | [IgnoreAll]
|
---|
| 263 | dir=-1/var/db/entropy
|
---|
| 264 |
|
---|
| 265 | #
|
---|
| 266 | # --------- /var/msgs -----------
|
---|
| 267 | #
|
---|
| 268 |
|
---|
| 269 | [Attributes]
|
---|
| 270 | dir=-1/var/msgs
|
---|
| 271 |
|
---|
| 272 | #
|
---|
| 273 | # --------- /var/backups -----------
|
---|
| 274 | #
|
---|
| 275 |
|
---|
| 276 | # /etc/daily /etc/security write old revisions of system
|
---|
| 277 | # critical files into here daily
|
---|
| 278 | [Attributes]
|
---|
| 279 | dir=-1/var/backups
|
---|
| 280 |
|
---|
| 281 | #
|
---|
| 282 | # --------- /var/log -----------
|
---|
| 283 | #
|
---|
| 284 |
|
---|
| 285 | # Keep this section in sync with:
|
---|
| 286 | # * /etc/newsyslog.conf
|
---|
| 287 | # * /etc/syslogd.conf OR:
|
---|
| 288 | # * /usr/pkg/etc/syslog-ng/syslog-ng.conf
|
---|
| 289 |
|
---|
| 290 | # For these files, changes in signature, timestamps, and increase in size
|
---|
| 291 | # are ignored, however:
|
---|
| 292 | # Per discussion on the forum, this behavior change is needed due to the behavior
|
---|
| 293 | # of newsyslog(8) rotation method File sizes will get smaller, inodes will change
|
---|
| 294 | # as they rotate.
|
---|
| 295 |
|
---|
| 296 | # NOTES ON LOG ROTATION BEHAVIOR:
|
---|
| 297 | # See comments about modifications to [GrowingLogFiles] to ignore INODE changes
|
---|
| 298 | # As newsyslog(8)/newsyslog.conf(5) has the default behavior of:
|
---|
| 299 | # - First move logfile.log to logfile.log.0
|
---|
| 300 | # - then bzip2 -v9 logfile.log.0
|
---|
| 301 | # - then touch(1) logfile.log
|
---|
| 302 | # - then HUP if applicable & reopen the new file (new inode)
|
---|
| 303 | # - Therefore, Ignore Singature, Size (if grow), and Inode changes
|
---|
| 304 | # But also, there's [IgnoreMissing] regexp to account for log file pruing from
|
---|
| 305 | # the filesystem, and [IgnoreAdded] for the first Nth rotations of the logfile
|
---|
| 306 | # per newsyslog.conf(5)
|
---|
| 307 |
|
---|
| 308 |
|
---|
| 309 | # NetBSD defaults
|
---|
| 310 | [Misc]
|
---|
| 311 | IgnoreAdded = /var/log/(cron|xferlog|messages|maillog|secure|pflog|sendmail\.st|kerberos\.log|authlog|aculog|wtmp|wtmpx)\.[0-9](\.bz2|\.gz)?$
|
---|
| 312 | IgnoreMissing= /var/log/(cron|xferlog|messages|maillog|secure|pflog|sendmail\.st|kerberos\.log|authlog|aculog|wtmp|wtmpx)\.[0-9](\.bz2|\.gz)?$
|
---|
| 313 |
|
---|
| 314 | # Local services you may need to account for
|
---|
| 315 | IgnoreAdded = /var/log/(snmpd\.log|postgresq\.log|samhain\.log|httpd-error\.log|httpd-access\.log|httpd-ssl_request\.log)\.[0-9](\.bz2|\.gz)?$
|
---|
| 316 | IgnoreMissing = /var/log/(snmpd\.log|postgresq\.log|samhain\.log|httpd-error\.log|httpd-access\.log|httpd-ssl_request\.log)\.[0-9](\.bz2|\.gz)?$
|
---|
| 317 |
|
---|
| 318 | [Attributes]
|
---|
| 319 | dir=99/var/log
|
---|
| 320 |
|
---|
| 321 | # NetBSD Stock Defaults
|
---|
| 322 | [GrowingLogFiles]
|
---|
| 323 | File = /var/log/aculog
|
---|
| 324 | File = /var/log/authlog
|
---|
| 325 | File = /var/log/cron
|
---|
| 326 | File = /var/log/kerberos.log
|
---|
| 327 | File = /var/log/lpd-errs
|
---|
| 328 | File = /var/log/maillog
|
---|
| 329 | File = /var/log/messages
|
---|
| 330 | File = /var/log/secure
|
---|
| 331 | File = /var/log/wtmp
|
---|
| 332 | File = /var/log/wtmpx
|
---|
| 333 | File = /var/log/xferlog
|
---|
| 334 | File = /var/log/pflog
|
---|
| 335 |
|
---|
| 336 | [Attributes]
|
---|
| 337 | # A binary-type logfile (Screw sendmail!)
|
---|
| 338 | File = /var/log/sendmail.st
|
---|
| 339 |
|
---|
| 340 | # NetBSD gzip(1)'s by default but newsyslog.conf(5) has bzip2 support
|
---|
| 341 | [Attributes]
|
---|
| 342 | File = /var/log/*.[0-9].gz
|
---|
| 343 | #File = /var/log/*.[0-9].bz2
|
---|
| 344 |
|
---|
| 345 | #
|
---|
| 346 | # --------- makewhatis(8) -----------
|
---|
| 347 | #
|
---|
| 348 |
|
---|
| 349 | # Account for updated whatis(8) database given manpath.conf(5)/man.conf(5)
|
---|
| 350 | #and manpath(1)
|
---|
| 351 |
|
---|
| 352 | [Attributes]
|
---|
| 353 | file=/usr/pkg/man/whatis.db
|
---|
| 354 | file=/usr/pkg/man
|
---|
| 355 | file=/usr/share/man/whatis.db
|
---|
| 356 | file=/usr/share/man
|
---|
| 357 |
|
---|
| 358 | ##############################################
|
---|
| 359 | ######## END FILE SECTION ####################
|
---|
| 360 | ##############################################
|
---|
| 361 |
|
---|
| 362 | [EventSeverity]
|
---|
| 363 |
|
---|
| 364 | SeverityReadOnly=crit
|
---|
| 365 | SeverityLogFiles=crit
|
---|
| 366 | SeverityGrowingLogs=crit
|
---|
| 367 | SeverityIgnoreNone=crit
|
---|
| 368 | SeverityAttributes=crit
|
---|
| 369 | SeverityUser0=crit
|
---|
| 370 | SeverityUser1=crit
|
---|
| 371 |
|
---|
| 372 | ## We have a file in IgnoreAll that might or might not be present.
|
---|
| 373 | ## Setting the severity to 'info' prevents messages about deleted/new file.
|
---|
| 374 | ##
|
---|
| 375 | # SeverityIgnoreAll=crit
|
---|
| 376 | SeverityIgnoreAll=info
|
---|
| 377 |
|
---|
| 378 | ## Files : file access problems
|
---|
| 379 | SeverityFiles=info
|
---|
| 380 |
|
---|
| 381 | ## Dirs : directory access problems
|
---|
| 382 | SeverityDirs=info
|
---|
| 383 |
|
---|
| 384 | ## Names : suspect (non-printable) characters in a pathname
|
---|
| 385 | SeverityNames=crit
|
---|
| 386 |
|
---|
| 387 | [Log]
|
---|
| 388 | ## Values: debug, info, notice, warn, mark, err, crit, alert, none.
|
---|
| 389 | ## 'mark' is used for timestamps.
|
---|
| 390 | ##
|
---|
| 391 | ## Use 'none' to SWITCH OFF a log facility
|
---|
| 392 | ##
|
---|
| 393 | ## By default, everything equal to and above the threshold is logged.
|
---|
| 394 | ## The specifiers '*', '!', and '=' are interpreted as
|
---|
| 395 | ## 'all', 'all but', and 'only', respectively (like syslogd(8) does,
|
---|
| 396 | ## at least on Linux). Examples:
|
---|
| 397 | ## MailSeverity=*
|
---|
| 398 | ## MailSeverity=!warn
|
---|
| 399 | ## MailSeverity==crit
|
---|
| 400 |
|
---|
| 401 | ## E-mail
|
---|
| 402 | ##
|
---|
| 403 | MailSeverity=warn
|
---|
| 404 |
|
---|
| 405 | ## Console
|
---|
| 406 | ##
|
---|
| 407 | PrintSeverity=notice
|
---|
| 408 |
|
---|
| 409 | ## Logfile
|
---|
| 410 | ##
|
---|
| 411 | LogSeverity=info
|
---|
| 412 |
|
---|
| 413 | ## Syslog
|
---|
| 414 | ##
|
---|
| 415 | # Syslog logging is redundant at this time
|
---|
| 416 | #
|
---|
| 417 | #SyslogSeverity=notice
|
---|
| 418 |
|
---|
| 419 | ## Remote server (yule)
|
---|
| 420 | ##
|
---|
| 421 | # ExportSeverity=none
|
---|
| 422 |
|
---|
| 423 | ## External script or program
|
---|
| 424 | ##
|
---|
| 425 | # ExternalSeverity = none
|
---|
| 426 |
|
---|
| 427 | ## Logging to a database
|
---|
| 428 | ##
|
---|
| 429 | # DatabaseSeverity = none
|
---|
| 430 |
|
---|
| 431 | ## Logging to a Prelude-IDS
|
---|
| 432 | ##
|
---|
| 433 | # PreludeSeverity = crit
|
---|
| 434 |
|
---|
| 435 |
|
---|
| 436 | #####################################################
|
---|
| 437 | #
|
---|
| 438 | # Optional modules
|
---|
| 439 | #
|
---|
| 440 | #####################################################
|
---|
| 441 |
|
---|
| 442 | #[SuidCheck]
|
---|
| 443 | ##
|
---|
| 444 | ## --- Check the filesystem for SUID/SGID binaries
|
---|
| 445 | ##
|
---|
| 446 |
|
---|
| 447 | ## Switch on
|
---|
| 448 | #
|
---|
| 449 | #SuidCheckActive = yes
|
---|
| 450 |
|
---|
| 451 | ## Interval for check (seconds)
|
---|
| 452 | #
|
---|
| 453 | #SuidCheckInterval = 5400
|
---|
| 454 |
|
---|
| 455 | ## Alternative: crontab-like schedule
|
---|
| 456 | #
|
---|
| 457 | #SuidCheckSchedule = NULL
|
---|
| 458 |
|
---|
| 459 | ## Directory to exclude
|
---|
| 460 | #
|
---|
| 461 | # SuidCheckExclude = NULL
|
---|
| 462 |
|
---|
| 463 | ## Limit on files per second (0 == no limit)
|
---|
| 464 | #
|
---|
| 465 | # SuidCheckFps = 0
|
---|
| 466 |
|
---|
| 467 | ## Alternative: yield after every file
|
---|
| 468 | #
|
---|
| 469 | # SuidCheckYield = no
|
---|
| 470 |
|
---|
| 471 | ## Severity of a detection
|
---|
| 472 | #
|
---|
| 473 | # SeveritySuidCheck = crit
|
---|
| 474 |
|
---|
| 475 | ## Quarantine SUID/SGID files if found
|
---|
| 476 | #
|
---|
| 477 | # SuidCheckQuarantineFiles = yes
|
---|
| 478 |
|
---|
| 479 | ## Method for Quarantining files:
|
---|
| 480 | # 0 - Delete the file.
|
---|
| 481 | # 1 - Remove SUID/SGID permissions from file.
|
---|
| 482 | # 2 - Move SUID/SGID file to quarantine dir.
|
---|
| 483 | #
|
---|
| 484 | # SuidCheckQuarantineMethod = 0
|
---|
| 485 |
|
---|
| 486 | ## For method 1 and 3, really delete instead of truncating
|
---|
| 487 | #
|
---|
| 488 | # SuidCheckQuarantineDelete = yes
|
---|
| 489 |
|
---|
| 490 | #[Mounts]
|
---|
| 491 | #MountCheckActive=1
|
---|
| 492 | #MountCheckInterval=7200
|
---|
| 493 | #SeverityMountMissing=crit
|
---|
| 494 | #SeverityOptionMissing=crit
|
---|
| 495 | #
|
---|
| 496 | #checkmount=/
|
---|
| 497 | #checkmount=/dev
|
---|
| 498 | #checkmount=/usr
|
---|
| 499 | #checkmount=/var
|
---|
| 500 | #checkmount=/var/log
|
---|
| 501 | #checkmount=/opt
|
---|
| 502 | #checkmount=/export
|
---|
| 503 | #checkmount=/tmp
|
---|
| 504 |
|
---|
| 505 |
|
---|
| 506 |
|
---|
| 507 | #[Utmp]
|
---|
| 508 | ##
|
---|
| 509 | ## --- Logging of login/logout events
|
---|
| 510 | ##
|
---|
| 511 |
|
---|
| 512 | ## Switch on/off
|
---|
| 513 | #
|
---|
| 514 | #LoginCheckActive = True
|
---|
| 515 |
|
---|
| 516 | ## Severity for logins, multiple logins, logouts
|
---|
| 517 | #
|
---|
| 518 | #SeverityLogin=info
|
---|
| 519 | #SeverityLoginMulti=crit
|
---|
| 520 | #SeverityLogout=info
|
---|
| 521 |
|
---|
| 522 | ## Interval for login/logout checks
|
---|
| 523 | #
|
---|
| 524 | #LoginCheckInterval = 300
|
---|
| 525 |
|
---|
| 526 |
|
---|
| 527 | # [Database]
|
---|
| 528 | ##
|
---|
| 529 | ## --- Logging to a relational database
|
---|
| 530 | ##
|
---|
| 531 |
|
---|
| 532 | ## Database name
|
---|
| 533 | #
|
---|
| 534 | # SetDBName = samhain
|
---|
| 535 |
|
---|
| 536 | ## Database table
|
---|
| 537 | #
|
---|
| 538 | # SetDBTable = log
|
---|
| 539 |
|
---|
| 540 | ## Database user
|
---|
| 541 | #
|
---|
| 542 | # SetDBUser = samhain
|
---|
| 543 |
|
---|
| 544 | ## Database password
|
---|
| 545 | #
|
---|
| 546 | # SetDBPassword = (default: none)
|
---|
| 547 |
|
---|
| 548 | ## Database host
|
---|
| 549 | #
|
---|
| 550 | # SetDBHost = localhost
|
---|
| 551 |
|
---|
| 552 | ## Log the server timestamp for received messages
|
---|
| 553 | #
|
---|
| 554 | # SetDBServerTstamp = True
|
---|
| 555 |
|
---|
| 556 | ## Use a persistent connection
|
---|
| 557 | #
|
---|
| 558 | # UsePersistent = True
|
---|
| 559 |
|
---|
| 560 |
|
---|
| 561 | # [External]
|
---|
| 562 | ##
|
---|
| 563 | ## Interface to call external scripts/programs for logging
|
---|
| 564 | ##
|
---|
| 565 |
|
---|
| 566 | ## The absolute path to the command
|
---|
| 567 | ## - Each invocation of this directive will end the definition of the
|
---|
| 568 | ## preceding command, and start the definition of
|
---|
| 569 | ## an additional, new command
|
---|
| 570 | #
|
---|
| 571 | # OpenCommand = (no default)
|
---|
| 572 |
|
---|
| 573 | ## Type (log or srv)
|
---|
| 574 | ## - log for log messages, srv for messages received by the server
|
---|
| 575 | #
|
---|
| 576 | # SetType = log
|
---|
| 577 |
|
---|
| 578 | ## The command (full command line) to execute
|
---|
| 579 | #
|
---|
| 580 | # SetCommandLine = (no default)
|
---|
| 581 |
|
---|
| 582 | ## The environment (KEY=value; repeat for more)
|
---|
| 583 | #
|
---|
| 584 | # SetEnviron = TZ=(your timezone)
|
---|
| 585 |
|
---|
| 586 | ## The TIGERpkg checksum (optional)
|
---|
| 587 | #
|
---|
| 588 | # SetChecksum = (no default)
|
---|
| 589 |
|
---|
| 590 | ## User who runs the command
|
---|
| 591 | #
|
---|
| 592 | # SetCredentials = (default: samhain process uid)
|
---|
| 593 |
|
---|
| 594 | ## Words not allowed in message
|
---|
| 595 | #
|
---|
| 596 | # SetFilterNot = (none)
|
---|
| 597 |
|
---|
| 598 | ## Words required (ALL of them)
|
---|
| 599 | #
|
---|
| 600 | # SetFilterAnd = (none)
|
---|
| 601 |
|
---|
| 602 | ## Words required (at least one)
|
---|
| 603 | #
|
---|
| 604 | # SetFilterOr = (none)
|
---|
| 605 |
|
---|
| 606 | ## Deadtime between consecutive calls
|
---|
| 607 | #
|
---|
| 608 | # SetDeadtime = 0
|
---|
| 609 |
|
---|
| 610 | ## Add default environment (HOME, PATH, SHELL)
|
---|
| 611 | #
|
---|
| 612 | # SetDefault = no
|
---|
| 613 |
|
---|
| 614 |
|
---|
| 615 |
|
---|
| 616 | #####################################################
|
---|
| 617 | #
|
---|
| 618 | # Miscellaneous configuration options
|
---|
| 619 | #
|
---|
| 620 | #####################################################
|
---|
| 621 |
|
---|
| 622 | [Misc]
|
---|
| 623 |
|
---|
| 624 | ## whether to become a daemon process
|
---|
| 625 | ## (this is not honoured on database initialisation)
|
---|
| 626 | #
|
---|
| 627 | # Daemon = no
|
---|
| 628 | Daemon = yes
|
---|
| 629 |
|
---|
| 630 | # whether to test signature of files (init/check/none)
|
---|
| 631 | # - if 'none', then we have to decide this on the command line -
|
---|
| 632 | #
|
---|
| 633 | # ChecksumTest = none
|
---|
| 634 | ChecksumTest=check
|
---|
| 635 |
|
---|
| 636 | # Set nice level (-19 to 19, see 'man nice'),
|
---|
| 637 | # and I/O limit (kilobytes per second; 0 == off)
|
---|
| 638 | # to reduce load on host.
|
---|
| 639 | #
|
---|
| 640 | SetNiceLevel = 19
|
---|
| 641 | # SetIOLimit = 0
|
---|
| 642 |
|
---|
| 643 | ## The version string to embed in file signature databases
|
---|
| 644 | #
|
---|
| 645 | # VersionString = NULL
|
---|
| 646 |
|
---|
| 647 | ## Interval between time stamp messages
|
---|
| 648 | #
|
---|
| 649 | # SetLoopTime = 60
|
---|
| 650 | SetLoopTime = 7200
|
---|
| 651 |
|
---|
| 652 | ## Interval between file checks
|
---|
| 653 | #
|
---|
| 654 | # SetFileCheckTime = 600
|
---|
| 655 | SetFileCheckTime = 43200
|
---|
| 656 |
|
---|
| 657 | ## Alternative: crontab-like schedule
|
---|
| 658 | #
|
---|
| 659 | # FileCheckScheduleOne = NULL
|
---|
| 660 |
|
---|
| 661 | ## Alternative: crontab-like schedule(2)
|
---|
| 662 | #
|
---|
| 663 | # FileCheckScheduleTwo = NULL
|
---|
| 664 |
|
---|
[101] | 665 | ## Report only once on modified files
|
---|
[56] | 666 | ## Setting this to 'FALSE' will generate a report for any policy
|
---|
| 667 | ## violation (old and new ones) each time the daemon checks the file system.
|
---|
| 668 | #
|
---|
| 669 | ReportOnlyOnce = True
|
---|
| 670 |
|
---|
| 671 | ## Report in full detail
|
---|
| 672 | #
|
---|
| 673 | ReportFullDetail = True
|
---|
| 674 |
|
---|
| 675 | ## Report file timestamps in local time rather than GMT
|
---|
| 676 | #
|
---|
| 677 | UseLocalTime = Yes
|
---|
| 678 |
|
---|
| 679 | ## The console device (can also be a file or named pipe)
|
---|
| 680 | ## - There are two console devices. Accordingly, you can use
|
---|
| 681 | ## this directive a second time to set the second console device.
|
---|
| 682 | ## If you have not defined the second device at compile time,
|
---|
| 683 | ## and you don't want to use it, then:
|
---|
| 684 | ## setting it to /dev/null is less effective than just leaving
|
---|
| 685 | ## it alone (setting to /dev/null will waste time by opening
|
---|
| 686 | ## /dev/null and writing to it)
|
---|
| 687 | #
|
---|
| 688 | # SetConsole = /dev/console
|
---|
| 689 |
|
---|
| 690 | ## Activate the SysV IPC message queue
|
---|
| 691 | #
|
---|
| 692 | # MessageQueueActive = False
|
---|
| 693 |
|
---|
| 694 |
|
---|
| 695 | ## If false, skip reverse lookup when connecting to a host known
|
---|
| 696 | ## by name rather than IP address (i.e. trust the DNS)
|
---|
| 697 | #
|
---|
| 698 | SetReverseLookup = True
|
---|
| 699 |
|
---|
| 700 |
|
---|
| 701 | ## --- E-Mail ---
|
---|
| 702 |
|
---|
| 703 | # Only highest-level (alert) reports will be mailed immediately,
|
---|
| 704 | # others will be queued. Here you can define, when the queue will
|
---|
| 705 | # be flushed (Note: the queue is automatically flushed after
|
---|
| 706 | # completing a file check).
|
---|
| 707 | #
|
---|
| 708 | # SetMailTime = 86400
|
---|
| 709 |
|
---|
| 710 | ## Maximum number of mails to queue
|
---|
| 711 | #
|
---|
| 712 | # SetMailNum = 10
|
---|
| 713 |
|
---|
| 714 | ## Recipient (max. 8)
|
---|
| 715 | #
|
---|
| 716 | #SetMailAddress=infosec@noc.myorg.tld
|
---|
| 717 |
|
---|
| 718 | ## Mail relay (IP address)
|
---|
| 719 | #
|
---|
| 720 | SetMailRelay = 127.0.0.1
|
---|
| 721 |
|
---|
| 722 | ## Custom subject format
|
---|
| 723 | #
|
---|
| 724 | MailSubject = Synchrotone Samhain: %S
|
---|
| 725 | SetMailSender = samhain@synchrotone.pgh.pub.collaborativefusion.com
|
---|
| 726 |
|
---|
| 727 | ## --- end E-Mail ---
|
---|
| 728 |
|
---|
| 729 |
|
---|
| 730 | ## Path to the executable. If set, will be checksummed after startup
|
---|
| 731 | ## and before exit.
|
---|
| 732 | #
|
---|
| 733 | SamhainPath = /usr/pkg/sbin/samhain
|
---|
| 734 |
|
---|
| 735 | ## The IP address of the log server
|
---|
| 736 | #
|
---|
| 737 | # SetLogServer = (default: compiled-in)
|
---|
| 738 |
|
---|
| 739 | ## The IP address of the time server
|
---|
| 740 | #
|
---|
| 741 | # SetTimeServer = (default: compiled-in)
|
---|
| 742 |
|
---|
| 743 | ## Trusted Users (comma delimited list of user names)
|
---|
| 744 | #
|
---|
| 745 | # TrustedUser = (no default; this adds to the compiled-in list)
|
---|
| 746 |
|
---|
| 747 | ## Path to the file signature database
|
---|
| 748 | #
|
---|
| 749 | SetDatabasePath = /usr/pkg/var/samhain/samhain.db
|
---|
| 750 |
|
---|
| 751 | ## Path to the log file
|
---|
| 752 | #
|
---|
| 753 | # SetLogfilePath = (default: compiled-in)
|
---|
| 754 |
|
---|
| 755 | ## Path to the PID file
|
---|
| 756 | #
|
---|
[387] | 757 | # SetLockfilePath = (default: compiled-in)
|
---|
[56] | 758 |
|
---|
| 759 |
|
---|
[59] | 760 | ## The digest/checksum/hash algorithm (default: TIGER192; others: MD5, SHA1)
|
---|
[56] | 761 | #
|
---|
[59] | 762 | # DigestAlgo = TIGER192
|
---|
[56] | 763 |
|
---|
| 764 |
|
---|
| 765 | ## Custom format for message header.
|
---|
| 766 | ## CAREFUL if you use XML logfile format.
|
---|
| 767 | ##
|
---|
| 768 | ## %S severity
|
---|
| 769 | ## %T timestamp
|
---|
| 770 | ## %C class
|
---|
| 771 | ##
|
---|
| 772 | ## %F source file
|
---|
| 773 | ## %L source line
|
---|
| 774 | #
|
---|
| 775 | # MessageHeader="%S %T "
|
---|
| 776 |
|
---|
| 777 |
|
---|
| 778 | ## Don't log path to config/database file on startup
|
---|
| 779 | #
|
---|
| 780 | # HideSetup = False
|
---|
| 781 |
|
---|
| 782 | ## The syslog facility, if you log to syslog
|
---|
| 783 | #
|
---|
| 784 | # SyslogFacility = LOG_AUTHPRIV
|
---|
| 785 | SyslogFacility=LOG_LOCAL2
|
---|
| 786 |
|
---|
| 787 | ## The message authentication method
|
---|
| 788 | ## - If you change this, you *must* change it
|
---|
| 789 | ## on client *and* server
|
---|
| 790 | #
|
---|
| 791 | # MACType = HMAC-TIGER
|
---|
| 792 |
|
---|
| 793 |
|
---|
| 794 | ## The Prelude-IDS profile to use for reporting
|
---|
| 795 | ## default value is "samhain"
|
---|
| 796 | #
|
---|
| 797 | # PreludeProfile = samhain
|
---|
| 798 |
|
---|
| 799 | ## Map these samhain severities to impact severity 'info' severity
|
---|
| 800 | #
|
---|
| 801 | # PreludeMapToInfo =
|
---|
| 802 |
|
---|
| 803 | ## Map these samhain severities to impact severity 'low' severity
|
---|
| 804 | #
|
---|
| 805 | # PreludeMapToLow = debug info
|
---|
| 806 |
|
---|
| 807 | ## Map these samhain severities to impact severity 'medium' severity
|
---|
| 808 | #
|
---|
| 809 | # PreludeMapToMedium = notice warn err
|
---|
| 810 |
|
---|
| 811 | ## Map these samhain severities to impact severity 'high' severity
|
---|
| 812 | #
|
---|
| 813 | # PreludeMapToHigh = crit alert
|
---|
| 814 |
|
---|
| 815 | # everything below is ignored
|
---|
| 816 | [EOF]
|
---|
| 817 |
|
---|
| 818 | #####################################################################
|
---|
| 819 | # This would be the proper syntax for parts that should only be
|
---|
| 820 | # included for certain hosts.
|
---|
| 821 | # You may enclose anything in a @HOSTNAME/@end bracket, as long as the
|
---|
| 822 | # result still has the proper syntax for the config file.
|
---|
| 823 | # You may have any number of @HOSTNAME/@end brackets.
|
---|
| 824 | # HOSTNAME should be the fully qualified 'official' name
|
---|
| 825 | # (e.g. 'nixon.watergate.com', not 'nixon'), no aliases.
|
---|
| 826 | # No IP number - except if samhain cannot determine the
|
---|
| 827 | # fully qualified hostname.
|
---|
| 828 | #
|
---|
| 829 | # @HOSTNAME
|
---|
| 830 | # file=/foo/bar
|
---|
| 831 | # @end
|
---|
| 832 | #
|
---|
| 833 | # These are two examples for conditional inclusion/exclusion
|
---|
| 834 | # of a machine based on the output from 'uname -srm'
|
---|
| 835 | # $Linux:2.*.7:i666
|
---|
| 836 | # file=/foo/bar3
|
---|
| 837 | # $end
|
---|
| 838 | #
|
---|
| 839 | # !$Linux:2.*.7:i686
|
---|
| 840 | # file=/foo/bar2
|
---|
| 841 | # $end
|
---|
| 842 | #
|
---|
| 843 | #####################################################################
|
---|