source: trunk/samhainrc.netbsd@ 576

Last change on this file since 576 was 481, checked in by katerina, 9 years ago

Enhancements and fixes for tickets #374, #375, #376, #377, #378, and #379.

File size: 18.0 KB
RevLine 
[56]1#
2# From pkgsrc-wip, Author: Brian Seklecki
3#
4
5[Misc]
6RedefUser0=+INO, +SIZ, +RDEV, +CHK, -MOD, -MTM, -ATM, -CTM, -GRP, -USR
7
8# The new Samhain behavior is to check the checksum up the last-known size of
9# the file, but *yes*, the inode will change when it becomes rotated and the size
10# will get reset to a lesser value (in which case the check should know to passively
11# fail)
12RedefGrowingLogFiles=-INO, -SIZ, +CHK, -MTM, -ATM, -CTM
13
14#
15# --------- / --------------
16#
17
18[ReadOnly]
19dir = 99/
20
21# This covers the contents of / including: /boot, /bin, /sbin, /lib, /libexec,
22# /rescue, /root, /altroot, /usr, /var, /stand, /mnt, /tmp, /proc, /kern (Even
23# though /usr and /var will recieve overrides)
24
25[Attributes]
26file = /proc
27file = /kern
28
29[IgnoreAll]
30dir=-1/proc
31dir=-1/kern
32
33#
34# --------- /tmp -----------
35#
36[Attributes]
37file=/tmp
38[IgnoreAll]
39dir=-1/tmp
40
41
42
43#
44# --------- /root --------------
45#
46
47# Per section 5.4.2.1 of the manual, Rule #5, there are lock file written here
48# that changes the mtime/ctime of the dir, so we want to watch perms/ownership,
49# ignore ctime/mtime/size, etc., but still watch the critical files inside.
50# Note: in theory, /root should never change if you use sudo(8) w/o "-H"
51[ReadOnly]
52dir=/root/.gnupg
53[Attributes]
54file=/root/.gnupg
55file=/root/.gnupg/random_seed
56
57#
58# --------- /dev -----------
59#
60
61[Attributes]
62dir = 99/dev
63
64# User0 will be for /dev/tty* and other devices where Owner/Group/Mode can
65# change but the Inode/Size/Device/Checksum should not change.
66
67[User0]
68file=/dev/tty*
69file=/dev/pty*
70
71#
72# --------- /etc -----------
73#
74
75[ReadOnly]
76##
77## for these files, only access time is ignored
78##
79dir = 99/etc
80
81
82# If you're running dhclient(8), resolv.conf will get re-written at renewal
83# time so pray that he dhcpd(8) on your network doesn't get owned.
84# Crytpo-signed DHCP traffic would be too much to ask from ISC, but maybe
85# not from the OpenBSD hack
86
87[Attributes]
88file=/etc/dhclient.conf
89
90# If you run CUPS, /etc/printcap gets re-written if you have
91# "Browsing On" and "Printcap /etc/printcap" in cupsd.conf(5)
92[Attributes]
93file=/etc/printcap
94
95
96#
97# --------- /usr -----------
98#
99
100# note about the following two: this reduced the size
101# of the database greatly
102
103#
104# --------- /usr/pkgsrc -----------
105#
106
107# Leave this uncommented if you CVS update your pkgsrc
108# periodically/automatically. If you do not, comment it
109# out and you should be informed about any unauthorized
110# modifications to pkgsrc (which is an attack vector)
111
112[IgnoreAll]
113dir=-1/usr/pkgsrc
114
115#
116# --------- /usr/src -----------
117#
118
119# Leave this uncommented if you CVS update your src
120# periodically/automatically. If you do not, comment it
121# out and you should be informed about any unauthorized
122# modifications to src (which is an attack vector)
123
124
125[IgnoreAll]
126dir=-1/usr/src
127
128
129#
130# --------- /usr/home (/home) -----------
131#
132
133
134# /home may be a symlink to /usr/home on a stock system, but most admins cane
135# that shit. [Attributes] could be replaced here by [ReadOnly] if we wanted to
136# know about new users being added (on systems where there are no new users)
137
138[Attributes]
139file = /home
140[IgnoreAll]
141dir = -1/home
142
143#
144# --------- /usr/compat/linux/etc -----------
145#
146
147# You're basically compromising your system by enabling Linux emulation anyway
148
149[Attributes]
150file = /usr/compat/linux/etc
151file = /usr/compat/linux/etc/ld.so.cache
152
153#
154# --------- /usr/compat/linux/proc -----------
155#
156
157# Uncomment if you have Linux Emulation/Compat Installed/Setup/Mounted
158[Attributes]
159file=/emul/linux/proc
160[IgnoreAll]
161dir=-1/emul/linux/proc
162
163
164#
165# --------- /var/run -----------
166#
167
168# New PID files may come, and PID files may go (as services on a system change),
169# but then probably a database rebuild will occur. But at the time of the
170# database init, we should consider everything in here subject to change
171# (checksum, times, size) during a daemon restart, but everything else stays
172# the same.
173
174# If you have periodic scripts that HUP daemons, the PID should be unachanged.
175# However, force-restarts will be a new PID, so consider this
176
177[Attributes]
178dir=99/var/run
179
180[Misc]
181# Ignore sudo(8) TTY/PTY "Tickets" if you use sudo
182IgnoreMissing = /var/run/sudo/[[:alnum:]]{1,9}/(p|t)ty.*$
183IgnoreAdded = /var/run/sudo/[[:alnum:]]{1,9}/(p|t)ty.*$
184
185#
186# --------- /var/(spool|queue|etc.) -----------
187#
188
189[Attributes]
190file=/var/cron/tabs
191file=/var/spool/mqueue
192file=/var/spool/clientmqueue
193file=/var/mail
194file=/var/tmp
195
196#
197# --------- /var/at -----------
198#
199
200# As deep as /var/at/ will be watched by 99/
201
202[Attributes]
203file=/var/at/spool
204file=/var/at/jobs
205
206#
207# --------- /var/db -----------
208#
209
210# Some files are written directly into /var/db
211[Attributes]
212file=/var/db
213
214[Attributes]
215# Updatedb per /etc/periodic.d/weekly/310.locate (FreeBSD) or /etc/weekly (NetBSD)
216file=/var/db/locate.database
217
218[Misc]
219# this file comes and goes with portaudit(1)/portversion(1)/pkg_version(1)
220# Other is ISC DHCLIENT related
221IgnoreAdded=/var/db/(pkgdb.fixme|dhclient.leases.*)
222IgnoreMissing=/var/db/(pkgdb.fixme|dhclient.leases.*)
223
224
225#
226# --------- /var/db/mysql -----------
227#
228
229# The same for MySQL, except it's probably owned by the time you get done
230# installing it.
231
232[Attributes]
233file=/var/db/mysql
234[IgnoreAll]
235dir=-1/var/db/mysql
236
237####################################################################
238# The next three entries depend on your security paranoia policy about
239# SRC and PORTSs trees, etc. Remember, Ports is the only default attack
240# vector against FreeBSD machines.
241####################################################################
242
243
244#
245# --------- /var/db/pkg -----------
246#
247
248# This database directory gets updated if a cvsup(8)/cvs(8)/sup(8) update
249# occurs to a Pkgsrc source tree and then "pkgdb(8) -fu" is run.
250
251[Attributes]
252file=/var/db/pkg
253[IgnoreAll]
254dir=-1/var/db/pkg
255
256
257#
258# --------- /var/db/entropy -----------
259#
260[Attributes]
261file=/var/db/entropy
262[IgnoreAll]
263dir=-1/var/db/entropy
264
265#
266# --------- /var/msgs -----------
267#
268
269[Attributes]
270dir=-1/var/msgs
271
272#
273# --------- /var/backups -----------
274#
275
276# /etc/daily /etc/security write old revisions of system
277# critical files into here daily
278[Attributes]
279dir=-1/var/backups
280
281#
282# --------- /var/log -----------
283#
284
285# Keep this section in sync with:
286# * /etc/newsyslog.conf
287# * /etc/syslogd.conf OR:
288# * /usr/pkg/etc/syslog-ng/syslog-ng.conf
289
290# For these files, changes in signature, timestamps, and increase in size
291# are ignored, however:
292# Per discussion on the forum, this behavior change is needed due to the behavior
293# of newsyslog(8) rotation method File sizes will get smaller, inodes will change
294# as they rotate.
295
296# NOTES ON LOG ROTATION BEHAVIOR:
297# See comments about modifications to [GrowingLogFiles] to ignore INODE changes
298# As newsyslog(8)/newsyslog.conf(5) has the default behavior of:
299# - First move logfile.log to logfile.log.0
300# - then bzip2 -v9 logfile.log.0
301# - then touch(1) logfile.log
302# - then HUP if applicable & reopen the new file (new inode)
303# - Therefore, Ignore Singature, Size (if grow), and Inode changes
304# But also, there's [IgnoreMissing] regexp to account for log file pruing from
305# the filesystem, and [IgnoreAdded] for the first Nth rotations of the logfile
306# per newsyslog.conf(5)
307
308
309# NetBSD defaults
310[Misc]
311IgnoreAdded = /var/log/(cron|xferlog|messages|maillog|secure|pflog|sendmail\.st|kerberos\.log|authlog|aculog|wtmp|wtmpx)\.[0-9](\.bz2|\.gz)?$
312IgnoreMissing= /var/log/(cron|xferlog|messages|maillog|secure|pflog|sendmail\.st|kerberos\.log|authlog|aculog|wtmp|wtmpx)\.[0-9](\.bz2|\.gz)?$
313
314# Local services you may need to account for
315IgnoreAdded = /var/log/(snmpd\.log|postgresq\.log|samhain\.log|httpd-error\.log|httpd-access\.log|httpd-ssl_request\.log)\.[0-9](\.bz2|\.gz)?$
316IgnoreMissing = /var/log/(snmpd\.log|postgresq\.log|samhain\.log|httpd-error\.log|httpd-access\.log|httpd-ssl_request\.log)\.[0-9](\.bz2|\.gz)?$
317
318[Attributes]
319dir=99/var/log
320
321# NetBSD Stock Defaults
322[GrowingLogFiles]
323File = /var/log/aculog
324File = /var/log/authlog
325File = /var/log/cron
326File = /var/log/kerberos.log
327File = /var/log/lpd-errs
328File = /var/log/maillog
329File = /var/log/messages
330File = /var/log/secure
331File = /var/log/wtmp
332File = /var/log/wtmpx
333File = /var/log/xferlog
334File = /var/log/pflog
335
336[Attributes]
337# A binary-type logfile (Screw sendmail!)
338File = /var/log/sendmail.st
339
340# NetBSD gzip(1)'s by default but newsyslog.conf(5) has bzip2 support
341[Attributes]
342File = /var/log/*.[0-9].gz
343#File = /var/log/*.[0-9].bz2
344
345#
346# --------- makewhatis(8) -----------
347#
348
349# Account for updated whatis(8) database given manpath.conf(5)/man.conf(5)
350#and manpath(1)
351
352[Attributes]
353file=/usr/pkg/man/whatis.db
354file=/usr/pkg/man
355file=/usr/share/man/whatis.db
356file=/usr/share/man
357
358##############################################
359######## END FILE SECTION ####################
360##############################################
361
362[EventSeverity]
363
364SeverityReadOnly=crit
365SeverityLogFiles=crit
366SeverityGrowingLogs=crit
367SeverityIgnoreNone=crit
368SeverityAttributes=crit
369SeverityUser0=crit
370SeverityUser1=crit
371
372## We have a file in IgnoreAll that might or might not be present.
373## Setting the severity to 'info' prevents messages about deleted/new file.
374##
375# SeverityIgnoreAll=crit
376SeverityIgnoreAll=info
377
378## Files : file access problems
379SeverityFiles=info
380
381## Dirs : directory access problems
382SeverityDirs=info
383
384## Names : suspect (non-printable) characters in a pathname
385SeverityNames=crit
386
387[Log]
388## Values: debug, info, notice, warn, mark, err, crit, alert, none.
389## 'mark' is used for timestamps.
390##
391## Use 'none' to SWITCH OFF a log facility
392##
393## By default, everything equal to and above the threshold is logged.
394## The specifiers '*', '!', and '=' are interpreted as
395## 'all', 'all but', and 'only', respectively (like syslogd(8) does,
396## at least on Linux). Examples:
397## MailSeverity=*
398## MailSeverity=!warn
399## MailSeverity==crit
400
401## E-mail
402##
403MailSeverity=warn
404
405## Console
406##
407PrintSeverity=notice
408
409## Logfile
410##
411LogSeverity=info
412
413## Syslog
414##
415# Syslog logging is redundant at this time
416#
417#SyslogSeverity=notice
418
419## Remote server (yule)
420##
421# ExportSeverity=none
422
423## External script or program
424##
425# ExternalSeverity = none
426
427## Logging to a database
428##
429# DatabaseSeverity = none
430
431## Logging to a Prelude-IDS
432##
433# PreludeSeverity = crit
434
435
436#####################################################
437#
438# Optional modules
439#
440#####################################################
441
442#[SuidCheck]
443##
444## --- Check the filesystem for SUID/SGID binaries
445##
446
447## Switch on
448#
449#SuidCheckActive = yes
450
451## Interval for check (seconds)
452#
453#SuidCheckInterval = 5400
454
455## Alternative: crontab-like schedule
456#
457#SuidCheckSchedule = NULL
458
459## Directory to exclude
460#
461# SuidCheckExclude = NULL
462
463## Limit on files per second (0 == no limit)
464#
465# SuidCheckFps = 0
466
467## Alternative: yield after every file
468#
469# SuidCheckYield = no
470
471## Severity of a detection
472#
473# SeveritySuidCheck = crit
474
475## Quarantine SUID/SGID files if found
476#
477# SuidCheckQuarantineFiles = yes
478
479## Method for Quarantining files:
480# 0 - Delete the file.
481# 1 - Remove SUID/SGID permissions from file.
482# 2 - Move SUID/SGID file to quarantine dir.
483#
484# SuidCheckQuarantineMethod = 0
485
486## For method 1 and 3, really delete instead of truncating
487#
488# SuidCheckQuarantineDelete = yes
489
490#[Mounts]
491#MountCheckActive=1
492#MountCheckInterval=7200
493#SeverityMountMissing=crit
494#SeverityOptionMissing=crit
495#
496#checkmount=/
497#checkmount=/dev
498#checkmount=/usr
499#checkmount=/var
500#checkmount=/var/log
501#checkmount=/opt
502#checkmount=/export
503#checkmount=/tmp
504
505
506
507 #[Utmp]
508##
509## --- Logging of login/logout events
510##
511
512## Switch on/off
513#
514#LoginCheckActive = True
515
516## Severity for logins, multiple logins, logouts
517#
518#SeverityLogin=info
519#SeverityLoginMulti=crit
520#SeverityLogout=info
521
522## Interval for login/logout checks
523#
524#LoginCheckInterval = 300
525
526
527# [Database]
528##
529## --- Logging to a relational database
530##
531
532## Database name
533#
534# SetDBName = samhain
535
536## Database table
537#
538# SetDBTable = log
539
540## Database user
541#
542# SetDBUser = samhain
543
544## Database password
545#
546# SetDBPassword = (default: none)
547
548## Database host
549#
550# SetDBHost = localhost
551
552## Log the server timestamp for received messages
553#
554# SetDBServerTstamp = True
555
556## Use a persistent connection
557#
558# UsePersistent = True
559
560
561# [External]
562##
563## Interface to call external scripts/programs for logging
564##
565
566## The absolute path to the command
567## - Each invocation of this directive will end the definition of the
568## preceding command, and start the definition of
569## an additional, new command
570#
571# OpenCommand = (no default)
572
573## Type (log or srv)
574## - log for log messages, srv for messages received by the server
575#
576# SetType = log
577
578## The command (full command line) to execute
579#
580# SetCommandLine = (no default)
581
582## The environment (KEY=value; repeat for more)
583#
584# SetEnviron = TZ=(your timezone)
585
586## The TIGERpkg checksum (optional)
587#
588# SetChecksum = (no default)
589
590## User who runs the command
591#
592# SetCredentials = (default: samhain process uid)
593
594## Words not allowed in message
595#
596# SetFilterNot = (none)
597
598## Words required (ALL of them)
599#
600# SetFilterAnd = (none)
601
602## Words required (at least one)
603#
604# SetFilterOr = (none)
605
606## Deadtime between consecutive calls
607#
608# SetDeadtime = 0
609
610## Add default environment (HOME, PATH, SHELL)
611#
612# SetDefault = no
613
614
615
616#####################################################
617#
618# Miscellaneous configuration options
619#
620#####################################################
621
622[Misc]
623
624## whether to become a daemon process
625## (this is not honoured on database initialisation)
626#
627# Daemon = no
628Daemon = yes
629
630# whether to test signature of files (init/check/none)
631# - if 'none', then we have to decide this on the command line -
632#
633# ChecksumTest = none
634ChecksumTest=check
635
636# Set nice level (-19 to 19, see 'man nice'),
637# and I/O limit (kilobytes per second; 0 == off)
638# to reduce load on host.
639#
640SetNiceLevel = 19
641# SetIOLimit = 0
642
643## The version string to embed in file signature databases
644#
645# VersionString = NULL
646
647## Interval between time stamp messages
648#
649# SetLoopTime = 60
650SetLoopTime = 7200
651
652## Interval between file checks
653#
654# SetFileCheckTime = 600
655SetFileCheckTime = 43200
656
657## Alternative: crontab-like schedule
658#
659# FileCheckScheduleOne = NULL
660
661## Alternative: crontab-like schedule(2)
662#
663# FileCheckScheduleTwo = NULL
664
[101]665## Report only once on modified files
[56]666## Setting this to 'FALSE' will generate a report for any policy
667## violation (old and new ones) each time the daemon checks the file system.
668#
669ReportOnlyOnce = True
670
671## Report in full detail
672#
673ReportFullDetail = True
674
675## Report file timestamps in local time rather than GMT
676#
677UseLocalTime = Yes
678
679## The console device (can also be a file or named pipe)
680## - There are two console devices. Accordingly, you can use
681## this directive a second time to set the second console device.
682## If you have not defined the second device at compile time,
683## and you don't want to use it, then:
684## setting it to /dev/null is less effective than just leaving
685## it alone (setting to /dev/null will waste time by opening
686## /dev/null and writing to it)
687#
688# SetConsole = /dev/console
689
690## Activate the SysV IPC message queue
691#
692# MessageQueueActive = False
693
694
695## If false, skip reverse lookup when connecting to a host known
696## by name rather than IP address (i.e. trust the DNS)
697#
698SetReverseLookup = True
699
700
701## --- E-Mail ---
702
703# Only highest-level (alert) reports will be mailed immediately,
704# others will be queued. Here you can define, when the queue will
705# be flushed (Note: the queue is automatically flushed after
706# completing a file check).
707#
708# SetMailTime = 86400
709
710## Maximum number of mails to queue
711#
712# SetMailNum = 10
713
714## Recipient (max. 8)
715#
716#SetMailAddress=infosec@noc.myorg.tld
717
718## Mail relay (IP address)
719#
720SetMailRelay = 127.0.0.1
721
722## Custom subject format
723#
724MailSubject = Synchrotone Samhain: %S
725SetMailSender = samhain@synchrotone.pgh.pub.collaborativefusion.com
726
727## --- end E-Mail ---
728
729
730## Path to the executable. If set, will be checksummed after startup
731## and before exit.
732#
733SamhainPath = /usr/pkg/sbin/samhain
734
735## The IP address of the log server
736#
737# SetLogServer = (default: compiled-in)
738
739## The IP address of the time server
740#
741# SetTimeServer = (default: compiled-in)
742
743## Trusted Users (comma delimited list of user names)
744#
745# TrustedUser = (no default; this adds to the compiled-in list)
746
747## Path to the file signature database
748#
749SetDatabasePath = /usr/pkg/var/samhain/samhain.db
750
751## Path to the log file
752#
753# SetLogfilePath = (default: compiled-in)
754
755## Path to the PID file
756#
[387]757# SetLockfilePath = (default: compiled-in)
[56]758
759
[59]760## The digest/checksum/hash algorithm (default: TIGER192; others: MD5, SHA1)
[56]761#
[59]762# DigestAlgo = TIGER192
[56]763
764
765## Custom format for message header.
766## CAREFUL if you use XML logfile format.
767##
768## %S severity
769## %T timestamp
770## %C class
771##
772## %F source file
773## %L source line
774#
775# MessageHeader="%S %T "
776
777
778## Don't log path to config/database file on startup
779#
780# HideSetup = False
781
782## The syslog facility, if you log to syslog
783#
784# SyslogFacility = LOG_AUTHPRIV
785SyslogFacility=LOG_LOCAL2
786
787## The message authentication method
788## - If you change this, you *must* change it
789## on client *and* server
790#
791# MACType = HMAC-TIGER
792
793
794## The Prelude-IDS profile to use for reporting
795## default value is "samhain"
796#
797# PreludeProfile = samhain
798
799## Map these samhain severities to impact severity 'info' severity
800#
801# PreludeMapToInfo =
802
803## Map these samhain severities to impact severity 'low' severity
804#
805# PreludeMapToLow = debug info
806
807## Map these samhain severities to impact severity 'medium' severity
808#
809# PreludeMapToMedium = notice warn err
810
811## Map these samhain severities to impact severity 'high' severity
812#
813# PreludeMapToHigh = crit alert
814
815# everything below is ignored
816[EOF]
817
818#####################################################################
819# This would be the proper syntax for parts that should only be
820# included for certain hosts.
821# You may enclose anything in a @HOSTNAME/@end bracket, as long as the
822# result still has the proper syntax for the config file.
823# You may have any number of @HOSTNAME/@end brackets.
824# HOSTNAME should be the fully qualified 'official' name
825# (e.g. 'nixon.watergate.com', not 'nixon'), no aliases.
826# No IP number - except if samhain cannot determine the
827# fully qualified hostname.
828#
829# @HOSTNAME
830# file=/foo/bar
831# @end
832#
833# These are two examples for conditional inclusion/exclusion
834# of a machine based on the output from 'uname -srm'
835# $Linux:2.*.7:i666
836# file=/foo/bar3
837# $end
838#
839# !$Linux:2.*.7:i686
840# file=/foo/bar2
841# $end
842#
843#####################################################################
Note: See TracBrowser for help on using the repository browser.