source: trunk/samhainrc.netbsd@ 219

Last change on this file since 219 was 101, checked in by rainer, 18 years ago

Fix compile bug with --with-kcheck

File size: 18.3 KB
Line 
1#
2# From pkgsrc-wip, Author: Brian Seklecki
3#
4
5[Misc]
6RedefUser0=+INO, +SIZ, +RDEV, +CHK, -MOD, -MTM, -ATM, -CTM, -GRP, -USR
7
8# The new Samhain behavior is to check the checksum up the last-known size of
9# the file, but *yes*, the inode will change when it becomes rotated and the size
10# will get reset to a lesser value (in which case the check should know to passively
11# fail)
12RedefGrowingLogFiles=-INO, -SIZ, +CHK, -MTM, -ATM, -CTM
13
14#
15# --------- / --------------
16#
17
18[ReadOnly]
19dir = 99/
20
21# This covers the contents of / including: /boot, /bin, /sbin, /lib, /libexec,
22# /rescue, /root, /altroot, /usr, /var, /stand, /mnt, /tmp, /proc, /kern (Even
23# though /usr and /var will recieve overrides)
24
25[Attributes]
26file = /proc
27file = /kern
28
29[IgnoreAll]
30dir=-1/proc
31dir=-1/kern
32
33#
34# --------- /tmp -----------
35#
36[Attributes]
37file=/tmp
38[IgnoreAll]
39dir=-1/tmp
40
41
42
43#
44# --------- /root --------------
45#
46
47# Per section 5.4.2.1 of the manual, Rule #5, there are lock file written here
48# that changes the mtime/ctime of the dir, so we want to watch perms/ownership,
49# ignore ctime/mtime/size, etc., but still watch the critical files inside.
50# Note: in theory, /root should never change if you use sudo(8) w/o "-H"
51[ReadOnly]
52dir=/root/.gnupg
53[Attributes]
54file=/root/.gnupg
55file=/root/.gnupg/random_seed
56
57#
58# --------- /dev -----------
59#
60
61[Attributes]
62dir = 99/dev
63
64# User0 will be for /dev/tty* and other devices where Owner/Group/Mode can
65# change but the Inode/Size/Device/Checksum should not change.
66
67[User0]
68file=/dev/tty*
69file=/dev/pty*
70
71#
72# --------- /etc -----------
73#
74
75[ReadOnly]
76##
77## for these files, only access time is ignored
78##
79dir = 99/etc
80
81
82# If you're running dhclient(8), resolv.conf will get re-written at renewal
83# time so pray that he dhcpd(8) on your network doesn't get owned.
84# Crytpo-signed DHCP traffic would be too much to ask from ISC, but maybe
85# not from the OpenBSD hack
86
87[Attributes]
88file=/etc/dhclient.conf
89
90# If you run CUPS, /etc/printcap gets re-written if you have
91# "Browsing On" and "Printcap /etc/printcap" in cupsd.conf(5)
92[Attributes]
93file=/etc/printcap
94
95
96#
97# --------- /usr -----------
98#
99
100# note about the following two: this reduced the size
101# of the database greatly
102
103#
104# --------- /usr/pkgsrc -----------
105#
106
107# Leave this uncommented if you CVS update your pkgsrc
108# periodically/automatically. If you do not, comment it
109# out and you should be informed about any unauthorized
110# modifications to pkgsrc (which is an attack vector)
111
112[IgnoreAll]
113dir=-1/usr/pkgsrc
114
115#
116# --------- /usr/src -----------
117#
118
119# Leave this uncommented if you CVS update your src
120# periodically/automatically. If you do not, comment it
121# out and you should be informed about any unauthorized
122# modifications to src (which is an attack vector)
123
124
125[IgnoreAll]
126dir=-1/usr/src
127
128
129#
130# --------- /usr/home (/home) -----------
131#
132
133
134# /home may be a symlink to /usr/home on a stock system, but most admins cane
135# that shit. [Attributes] could be replaced here by [ReadOnly] if we wanted to
136# know about new users being added (on systems where there are no new users)
137
138[Attributes]
139file = /home
140[IgnoreAll]
141dir = -1/home
142
143#
144# --------- /usr/compat/linux/etc -----------
145#
146
147# You're basically compromising your system by enabling Linux emulation anyway
148
149[Attributes]
150file = /usr/compat/linux/etc
151file = /usr/compat/linux/etc/ld.so.cache
152
153#
154# --------- /usr/compat/linux/proc -----------
155#
156
157# Uncomment if you have Linux Emulation/Compat Installed/Setup/Mounted
158[Attributes]
159file=/emul/linux/proc
160[IgnoreAll]
161dir=-1/emul/linux/proc
162
163
164#
165# --------- /var/run -----------
166#
167
168# New PID files may come, and PID files may go (as services on a system change),
169# but then probably a database rebuild will occur. But at the time of the
170# database init, we should consider everything in here subject to change
171# (checksum, times, size) during a daemon restart, but everything else stays
172# the same.
173
174# If you have periodic scripts that HUP daemons, the PID should be unachanged.
175# However, force-restarts will be a new PID, so consider this
176
177[Attributes]
178dir=99/var/run
179
180[Misc]
181# Ignore sudo(8) TTY/PTY "Tickets" if you use sudo
182IgnoreMissing = /var/run/sudo/[[:alnum:]]{1,9}/(p|t)ty.*$
183IgnoreAdded = /var/run/sudo/[[:alnum:]]{1,9}/(p|t)ty.*$
184
185#
186# --------- /var/(spool|queue|etc.) -----------
187#
188
189[Attributes]
190file=/var/cron/tabs
191file=/var/spool/mqueue
192file=/var/spool/clientmqueue
193file=/var/mail
194file=/var/tmp
195
196#
197# --------- /var/at -----------
198#
199
200# As deep as /var/at/ will be watched by 99/
201
202[Attributes]
203file=/var/at/spool
204file=/var/at/jobs
205
206#
207# --------- /var/db -----------
208#
209
210# Some files are written directly into /var/db
211[Attributes]
212file=/var/db
213
214[Attributes]
215# Updatedb per /etc/periodic.d/weekly/310.locate (FreeBSD) or /etc/weekly (NetBSD)
216file=/var/db/locate.database
217
218[Misc]
219# this file comes and goes with portaudit(1)/portversion(1)/pkg_version(1)
220# Other is ISC DHCLIENT related
221IgnoreAdded=/var/db/(pkgdb.fixme|dhclient.leases.*)
222IgnoreMissing=/var/db/(pkgdb.fixme|dhclient.leases.*)
223
224
225#
226# --------- /var/db/mysql -----------
227#
228
229# The same for MySQL, except it's probably owned by the time you get done
230# installing it.
231
232[Attributes]
233file=/var/db/mysql
234[IgnoreAll]
235dir=-1/var/db/mysql
236
237####################################################################
238# The next three entries depend on your security paranoia policy about
239# SRC and PORTSs trees, etc. Remember, Ports is the only default attack
240# vector against FreeBSD machines.
241####################################################################
242
243
244#
245# --------- /var/db/pkg -----------
246#
247
248# This database directory gets updated if a cvsup(8)/cvs(8)/sup(8) update
249# occurs to a Pkgsrc source tree and then "pkgdb(8) -fu" is run.
250
251[Attributes]
252file=/var/db/pkg
253[IgnoreAll]
254dir=-1/var/db/pkg
255
256
257#
258# --------- /var/db/entropy -----------
259#
260[Attributes]
261file=/var/db/entropy
262[IgnoreAll]
263dir=-1/var/db/entropy
264
265#
266# --------- /var/msgs -----------
267#
268
269[Attributes]
270dir=-1/var/msgs
271
272#
273# --------- /var/backups -----------
274#
275
276# /etc/daily /etc/security write old revisions of system
277# critical files into here daily
278[Attributes]
279dir=-1/var/backups
280
281#
282# --------- /var/log -----------
283#
284
285# Keep this section in sync with:
286# * /etc/newsyslog.conf
287# * /etc/syslogd.conf OR:
288# * /usr/pkg/etc/syslog-ng/syslog-ng.conf
289
290# For these files, changes in signature, timestamps, and increase in size
291# are ignored, however:
292# Per discussion on the forum, this behavior change is needed due to the behavior
293# of newsyslog(8) rotation method File sizes will get smaller, inodes will change
294# as they rotate.
295
296# NOTES ON LOG ROTATION BEHAVIOR:
297# See comments about modifications to [GrowingLogFiles] to ignore INODE changes
298# As newsyslog(8)/newsyslog.conf(5) has the default behavior of:
299# - First move logfile.log to logfile.log.0
300# - then bzip2 -v9 logfile.log.0
301# - then touch(1) logfile.log
302# - then HUP if applicable & reopen the new file (new inode)
303# - Therefore, Ignore Singature, Size (if grow), and Inode changes
304# But also, there's [IgnoreMissing] regexp to account for log file pruing from
305# the filesystem, and [IgnoreAdded] for the first Nth rotations of the logfile
306# per newsyslog.conf(5)
307
308
309# NetBSD defaults
310[Misc]
311IgnoreAdded = /var/log/(cron|xferlog|messages|maillog|secure|pflog|sendmail\.st|kerberos\.log|authlog|aculog|wtmp|wtmpx)\.[0-9](\.bz2|\.gz)?$
312IgnoreMissing= /var/log/(cron|xferlog|messages|maillog|secure|pflog|sendmail\.st|kerberos\.log|authlog|aculog|wtmp|wtmpx)\.[0-9](\.bz2|\.gz)?$
313
314# Local services you may need to account for
315IgnoreAdded = /var/log/(snmpd\.log|postgresq\.log|samhain\.log|httpd-error\.log|httpd-access\.log|httpd-ssl_request\.log)\.[0-9](\.bz2|\.gz)?$
316IgnoreMissing = /var/log/(snmpd\.log|postgresq\.log|samhain\.log|httpd-error\.log|httpd-access\.log|httpd-ssl_request\.log)\.[0-9](\.bz2|\.gz)?$
317
318[Attributes]
319dir=99/var/log
320
321# NetBSD Stock Defaults
322[GrowingLogFiles]
323File = /var/log/aculog
324File = /var/log/authlog
325File = /var/log/cron
326File = /var/log/kerberos.log
327File = /var/log/lpd-errs
328File = /var/log/maillog
329File = /var/log/messages
330File = /var/log/secure
331File = /var/log/wtmp
332File = /var/log/wtmpx
333File = /var/log/xferlog
334File = /var/log/pflog
335
336[Attributes]
337# A binary-type logfile (Screw sendmail!)
338File = /var/log/sendmail.st
339
340# NetBSD gzip(1)'s by default but newsyslog.conf(5) has bzip2 support
341[Attributes]
342File = /var/log/*.[0-9].gz
343#File = /var/log/*.[0-9].bz2
344
345#
346# --------- makewhatis(8) -----------
347#
348
349# Account for updated whatis(8) database given manpath.conf(5)/man.conf(5)
350#and manpath(1)
351
352[Attributes]
353file=/usr/pkg/man/whatis.db
354file=/usr/pkg/man
355file=/usr/share/man/whatis.db
356file=/usr/share/man
357
358##############################################
359######## END FILE SECTION ####################
360##############################################
361
362[EventSeverity]
363
364SeverityReadOnly=crit
365SeverityLogFiles=crit
366SeverityGrowingLogs=crit
367SeverityIgnoreNone=crit
368SeverityAttributes=crit
369SeverityUser0=crit
370SeverityUser1=crit
371
372## We have a file in IgnoreAll that might or might not be present.
373## Setting the severity to 'info' prevents messages about deleted/new file.
374##
375# SeverityIgnoreAll=crit
376SeverityIgnoreAll=info
377
378## Files : file access problems
379SeverityFiles=info
380
381## Dirs : directory access problems
382SeverityDirs=info
383
384## Names : suspect (non-printable) characters in a pathname
385SeverityNames=crit
386
387[Log]
388## Values: debug, info, notice, warn, mark, err, crit, alert, none.
389## 'mark' is used for timestamps.
390##
391## Use 'none' to SWITCH OFF a log facility
392##
393## By default, everything equal to and above the threshold is logged.
394## The specifiers '*', '!', and '=' are interpreted as
395## 'all', 'all but', and 'only', respectively (like syslogd(8) does,
396## at least on Linux). Examples:
397## MailSeverity=*
398## MailSeverity=!warn
399## MailSeverity==crit
400
401## E-mail
402##
403MailSeverity=warn
404
405## Console
406##
407PrintSeverity=notice
408
409## Logfile
410##
411LogSeverity=info
412
413## Syslog
414##
415# Syslog logging is redundant at this time
416#
417#SyslogSeverity=notice
418
419## Remote server (yule)
420##
421# ExportSeverity=none
422
423## External script or program
424##
425# ExternalSeverity = none
426
427## Logging to a database
428##
429# DatabaseSeverity = none
430
431## Logging to a Prelude-IDS
432##
433# PreludeSeverity = crit
434
435
436#####################################################
437#
438# Optional modules
439#
440#####################################################
441
442#[SuidCheck]
443##
444## --- Check the filesystem for SUID/SGID binaries
445##
446
447## Switch on
448#
449#SuidCheckActive = yes
450
451## Interval for check (seconds)
452#
453#SuidCheckInterval = 5400
454
455## Alternative: crontab-like schedule
456#
457#SuidCheckSchedule = NULL
458
459## Directory to exclude
460#
461# SuidCheckExclude = NULL
462
463## Limit on files per second (0 == no limit)
464#
465# SuidCheckFps = 0
466
467## Alternative: yield after every file
468#
469# SuidCheckYield = no
470
471## Severity of a detection
472#
473# SeveritySuidCheck = crit
474
475## Quarantine SUID/SGID files if found
476#
477# SuidCheckQuarantineFiles = yes
478
479## Method for Quarantining files:
480# 0 - Delete the file.
481# 1 - Remove SUID/SGID permissions from file.
482# 2 - Move SUID/SGID file to quarantine dir.
483#
484# SuidCheckQuarantineMethod = 0
485
486## For method 1 and 3, really delete instead of truncating
487#
488# SuidCheckQuarantineDelete = yes
489
490#[Mounts]
491#MountCheckActive=1
492#MountCheckInterval=7200
493#SeverityMountMissing=crit
494#SeverityOptionMissing=crit
495#
496#checkmount=/
497#checkmount=/dev
498#checkmount=/usr
499#checkmount=/var
500#checkmount=/var/log
501#checkmount=/opt
502#checkmount=/export
503#checkmount=/tmp
504
505#[Kernel]
506##
507## --- Check for loadable kernel module rootkits (Linux/FreeBSD only)
508##
509
510## Switch on/off
511#
512#KernelCheckActive = True
513
514## Check interval (seconds); btw., the check is VERY fast
515#
516#KernelCheckInterval = 300
517
518## Severity
519#
520#SeverityKernel = crit
521
522
523 #[Utmp]
524##
525## --- Logging of login/logout events
526##
527
528## Switch on/off
529#
530#LoginCheckActive = True
531
532## Severity for logins, multiple logins, logouts
533#
534#SeverityLogin=info
535#SeverityLoginMulti=crit
536#SeverityLogout=info
537
538## Interval for login/logout checks
539#
540#LoginCheckInterval = 300
541
542
543# [Database]
544##
545## --- Logging to a relational database
546##
547
548## Database name
549#
550# SetDBName = samhain
551
552## Database table
553#
554# SetDBTable = log
555
556## Database user
557#
558# SetDBUser = samhain
559
560## Database password
561#
562# SetDBPassword = (default: none)
563
564## Database host
565#
566# SetDBHost = localhost
567
568## Log the server timestamp for received messages
569#
570# SetDBServerTstamp = True
571
572## Use a persistent connection
573#
574# UsePersistent = True
575
576
577# [External]
578##
579## Interface to call external scripts/programs for logging
580##
581
582## The absolute path to the command
583## - Each invocation of this directive will end the definition of the
584## preceding command, and start the definition of
585## an additional, new command
586#
587# OpenCommand = (no default)
588
589## Type (log or srv)
590## - log for log messages, srv for messages received by the server
591#
592# SetType = log
593
594## The command (full command line) to execute
595#
596# SetCommandLine = (no default)
597
598## The environment (KEY=value; repeat for more)
599#
600# SetEnviron = TZ=(your timezone)
601
602## The TIGERpkg checksum (optional)
603#
604# SetChecksum = (no default)
605
606## User who runs the command
607#
608# SetCredentials = (default: samhain process uid)
609
610## Words not allowed in message
611#
612# SetFilterNot = (none)
613
614## Words required (ALL of them)
615#
616# SetFilterAnd = (none)
617
618## Words required (at least one)
619#
620# SetFilterOr = (none)
621
622## Deadtime between consecutive calls
623#
624# SetDeadtime = 0
625
626## Add default environment (HOME, PATH, SHELL)
627#
628# SetDefault = no
629
630
631
632#####################################################
633#
634# Miscellaneous configuration options
635#
636#####################################################
637
638[Misc]
639
640## whether to become a daemon process
641## (this is not honoured on database initialisation)
642#
643# Daemon = no
644Daemon = yes
645
646# whether to test signature of files (init/check/none)
647# - if 'none', then we have to decide this on the command line -
648#
649# ChecksumTest = none
650ChecksumTest=check
651
652# Set nice level (-19 to 19, see 'man nice'),
653# and I/O limit (kilobytes per second; 0 == off)
654# to reduce load on host.
655#
656SetNiceLevel = 19
657# SetIOLimit = 0
658
659## The version string to embed in file signature databases
660#
661# VersionString = NULL
662
663## Interval between time stamp messages
664#
665# SetLoopTime = 60
666SetLoopTime = 7200
667
668## Interval between file checks
669#
670# SetFileCheckTime = 600
671SetFileCheckTime = 43200
672
673## Alternative: crontab-like schedule
674#
675# FileCheckScheduleOne = NULL
676
677## Alternative: crontab-like schedule(2)
678#
679# FileCheckScheduleTwo = NULL
680
681## Report only once on modified files
682## Setting this to 'FALSE' will generate a report for any policy
683## violation (old and new ones) each time the daemon checks the file system.
684#
685ReportOnlyOnce = True
686
687## Report in full detail
688#
689ReportFullDetail = True
690
691## Report file timestamps in local time rather than GMT
692#
693UseLocalTime = Yes
694
695## The console device (can also be a file or named pipe)
696## - There are two console devices. Accordingly, you can use
697## this directive a second time to set the second console device.
698## If you have not defined the second device at compile time,
699## and you don't want to use it, then:
700## setting it to /dev/null is less effective than just leaving
701## it alone (setting to /dev/null will waste time by opening
702## /dev/null and writing to it)
703#
704# SetConsole = /dev/console
705
706## Activate the SysV IPC message queue
707#
708# MessageQueueActive = False
709
710
711## If false, skip reverse lookup when connecting to a host known
712## by name rather than IP address (i.e. trust the DNS)
713#
714SetReverseLookup = True
715
716
717## --- E-Mail ---
718
719# Only highest-level (alert) reports will be mailed immediately,
720# others will be queued. Here you can define, when the queue will
721# be flushed (Note: the queue is automatically flushed after
722# completing a file check).
723#
724# SetMailTime = 86400
725
726## Maximum number of mails to queue
727#
728# SetMailNum = 10
729
730## Recipient (max. 8)
731#
732#SetMailAddress=infosec@noc.myorg.tld
733
734## Mail relay (IP address)
735#
736SetMailRelay = 127.0.0.1
737
738## Custom subject format
739#
740MailSubject = Synchrotone Samhain: %S
741SetMailSender = samhain@synchrotone.pgh.pub.collaborativefusion.com
742
743## --- end E-Mail ---
744
745
746## Path to the executable. If set, will be checksummed after startup
747## and before exit.
748#
749SamhainPath = /usr/pkg/sbin/samhain
750
751## The IP address of the log server
752#
753# SetLogServer = (default: compiled-in)
754
755## The IP address of the time server
756#
757# SetTimeServer = (default: compiled-in)
758
759## Trusted Users (comma delimited list of user names)
760#
761# TrustedUser = (no default; this adds to the compiled-in list)
762
763## Path to the file signature database
764#
765SetDatabasePath = /usr/pkg/var/samhain/samhain.db
766
767## Path to the log file
768#
769# SetLogfilePath = (default: compiled-in)
770
771## Path to the PID file
772#
773# SetLockPath = (default: compiled-in)
774
775
776## The digest/checksum/hash algorithm (default: TIGER192; others: MD5, SHA1)
777#
778# DigestAlgo = TIGER192
779
780
781## Custom format for message header.
782## CAREFUL if you use XML logfile format.
783##
784## %S severity
785## %T timestamp
786## %C class
787##
788## %F source file
789## %L source line
790#
791# MessageHeader="%S %T "
792
793
794## Don't log path to config/database file on startup
795#
796# HideSetup = False
797
798## The syslog facility, if you log to syslog
799#
800# SyslogFacility = LOG_AUTHPRIV
801SyslogFacility=LOG_LOCAL2
802
803## The message authentication method
804## - If you change this, you *must* change it
805## on client *and* server
806#
807# MACType = HMAC-TIGER
808
809
810## The Prelude-IDS profile to use for reporting
811## default value is "samhain"
812#
813# PreludeProfile = samhain
814
815## Map these samhain severities to impact severity 'info' severity
816#
817# PreludeMapToInfo =
818
819## Map these samhain severities to impact severity 'low' severity
820#
821# PreludeMapToLow = debug info
822
823## Map these samhain severities to impact severity 'medium' severity
824#
825# PreludeMapToMedium = notice warn err
826
827## Map these samhain severities to impact severity 'high' severity
828#
829# PreludeMapToHigh = crit alert
830
831# everything below is ignored
832[EOF]
833
834#####################################################################
835# This would be the proper syntax for parts that should only be
836# included for certain hosts.
837# You may enclose anything in a @HOSTNAME/@end bracket, as long as the
838# result still has the proper syntax for the config file.
839# You may have any number of @HOSTNAME/@end brackets.
840# HOSTNAME should be the fully qualified 'official' name
841# (e.g. 'nixon.watergate.com', not 'nixon'), no aliases.
842# No IP number - except if samhain cannot determine the
843# fully qualified hostname.
844#
845# @HOSTNAME
846# file=/foo/bar
847# @end
848#
849# These are two examples for conditional inclusion/exclusion
850# of a machine based on the output from 'uname -srm'
851# $Linux:2.*.7:i666
852# file=/foo/bar3
853# $end
854#
855# !$Linux:2.*.7:i686
856# file=/foo/bar2
857# $end
858#
859#####################################################################
Note: See TracBrowser for help on using the repository browser.