1 | #
|
---|
2 | # From pkgsrc-wip, Author: Brian Seklecki
|
---|
3 | #
|
---|
4 |
|
---|
5 | [Misc]
|
---|
6 | RedefUser0=+INO, +SIZ, +RDEV, +CHK, -MOD, -MTM, -ATM, -CTM, -GRP, -USR
|
---|
7 |
|
---|
8 | # The new Samhain behavior is to check the checksum up the last-known size of
|
---|
9 | # the file, but *yes*, the inode will change when it becomes rotated and the size
|
---|
10 | # will get reset to a lesser value (in which case the check should know to passively
|
---|
11 | # fail)
|
---|
12 | RedefGrowingLogFiles=-INO, -SIZ, +CHK, -MTM, -ATM, -CTM
|
---|
13 |
|
---|
14 | #
|
---|
15 | # --------- / --------------
|
---|
16 | #
|
---|
17 |
|
---|
18 | [ReadOnly]
|
---|
19 | dir = 99/
|
---|
20 |
|
---|
21 | # This covers the contents of / including: /boot, /bin, /sbin, /lib, /libexec,
|
---|
22 | # /rescue, /root, /altroot, /usr, /var, /stand, /mnt, /tmp, /proc, /kern (Even
|
---|
23 | # though /usr and /var will recieve overrides)
|
---|
24 |
|
---|
25 | [Attributes]
|
---|
26 | file = /proc
|
---|
27 | file = /kern
|
---|
28 |
|
---|
29 | [IgnoreAll]
|
---|
30 | dir=-1/proc
|
---|
31 | dir=-1/kern
|
---|
32 |
|
---|
33 | #
|
---|
34 | # --------- /tmp -----------
|
---|
35 | #
|
---|
36 | [Attributes]
|
---|
37 | file=/tmp
|
---|
38 | [IgnoreAll]
|
---|
39 | dir=-1/tmp
|
---|
40 |
|
---|
41 |
|
---|
42 |
|
---|
43 | #
|
---|
44 | # --------- /root --------------
|
---|
45 | #
|
---|
46 |
|
---|
47 | # Per section 5.4.2.1 of the manual, Rule #5, there are lock file written here
|
---|
48 | # that changes the mtime/ctime of the dir, so we want to watch perms/ownership,
|
---|
49 | # ignore ctime/mtime/size, etc., but still watch the critical files inside.
|
---|
50 | # Note: in theory, /root should never change if you use sudo(8) w/o "-H"
|
---|
51 | [ReadOnly]
|
---|
52 | dir=/root/.gnupg
|
---|
53 | [Attributes]
|
---|
54 | file=/root/.gnupg
|
---|
55 | file=/root/.gnupg/random_seed
|
---|
56 |
|
---|
57 | #
|
---|
58 | # --------- /dev -----------
|
---|
59 | #
|
---|
60 |
|
---|
61 | [Attributes]
|
---|
62 | dir = 99/dev
|
---|
63 |
|
---|
64 | # User0 will be for /dev/tty* and other devices where Owner/Group/Mode can
|
---|
65 | # change but the Inode/Size/Device/Checksum should not change.
|
---|
66 |
|
---|
67 | [User0]
|
---|
68 | file=/dev/tty*
|
---|
69 | file=/dev/pty*
|
---|
70 |
|
---|
71 | #
|
---|
72 | # --------- /etc -----------
|
---|
73 | #
|
---|
74 |
|
---|
75 | [ReadOnly]
|
---|
76 | ##
|
---|
77 | ## for these files, only access time is ignored
|
---|
78 | ##
|
---|
79 | dir = 99/etc
|
---|
80 |
|
---|
81 |
|
---|
82 | # If you're running dhclient(8), resolv.conf will get re-written at renewal
|
---|
83 | # time so pray that he dhcpd(8) on your network doesn't get owned.
|
---|
84 | # Crytpo-signed DHCP traffic would be too much to ask from ISC, but maybe
|
---|
85 | # not from the OpenBSD hack
|
---|
86 |
|
---|
87 | [Attributes]
|
---|
88 | file=/etc/dhclient.conf
|
---|
89 |
|
---|
90 | # If you run CUPS, /etc/printcap gets re-written if you have
|
---|
91 | # "Browsing On" and "Printcap /etc/printcap" in cupsd.conf(5)
|
---|
92 | [Attributes]
|
---|
93 | file=/etc/printcap
|
---|
94 |
|
---|
95 |
|
---|
96 | #
|
---|
97 | # --------- /usr -----------
|
---|
98 | #
|
---|
99 |
|
---|
100 | # note about the following two: this reduced the size
|
---|
101 | # of the database greatly
|
---|
102 |
|
---|
103 | #
|
---|
104 | # --------- /usr/pkgsrc -----------
|
---|
105 | #
|
---|
106 |
|
---|
107 | # Leave this uncommented if you CVS update your pkgsrc
|
---|
108 | # periodically/automatically. If you do not, comment it
|
---|
109 | # out and you should be informed about any unauthorized
|
---|
110 | # modifications to pkgsrc (which is an attack vector)
|
---|
111 |
|
---|
112 | [IgnoreAll]
|
---|
113 | dir=-1/usr/pkgsrc
|
---|
114 |
|
---|
115 | #
|
---|
116 | # --------- /usr/src -----------
|
---|
117 | #
|
---|
118 |
|
---|
119 | # Leave this uncommented if you CVS update your src
|
---|
120 | # periodically/automatically. If you do not, comment it
|
---|
121 | # out and you should be informed about any unauthorized
|
---|
122 | # modifications to src (which is an attack vector)
|
---|
123 |
|
---|
124 |
|
---|
125 | [IgnoreAll]
|
---|
126 | dir=-1/usr/src
|
---|
127 |
|
---|
128 |
|
---|
129 | #
|
---|
130 | # --------- /usr/home (/home) -----------
|
---|
131 | #
|
---|
132 |
|
---|
133 |
|
---|
134 | # /home may be a symlink to /usr/home on a stock system, but most admins cane
|
---|
135 | # that shit. [Attributes] could be replaced here by [ReadOnly] if we wanted to
|
---|
136 | # know about new users being added (on systems where there are no new users)
|
---|
137 |
|
---|
138 | [Attributes]
|
---|
139 | file = /home
|
---|
140 | [IgnoreAll]
|
---|
141 | dir = -1/home
|
---|
142 |
|
---|
143 | #
|
---|
144 | # --------- /usr/compat/linux/etc -----------
|
---|
145 | #
|
---|
146 |
|
---|
147 | # You're basically compromising your system by enabling Linux emulation anyway
|
---|
148 |
|
---|
149 | [Attributes]
|
---|
150 | file = /usr/compat/linux/etc
|
---|
151 | file = /usr/compat/linux/etc/ld.so.cache
|
---|
152 |
|
---|
153 | #
|
---|
154 | # --------- /usr/compat/linux/proc -----------
|
---|
155 | #
|
---|
156 |
|
---|
157 | # Uncomment if you have Linux Emulation/Compat Installed/Setup/Mounted
|
---|
158 | [Attributes]
|
---|
159 | file=/emul/linux/proc
|
---|
160 | [IgnoreAll]
|
---|
161 | dir=-1/emul/linux/proc
|
---|
162 |
|
---|
163 |
|
---|
164 | #
|
---|
165 | # --------- /var/run -----------
|
---|
166 | #
|
---|
167 |
|
---|
168 | # New PID files may come, and PID files may go (as services on a system change),
|
---|
169 | # but then probably a database rebuild will occur. But at the time of the
|
---|
170 | # database init, we should consider everything in here subject to change
|
---|
171 | # (checksum, times, size) during a daemon restart, but everything else stays
|
---|
172 | # the same.
|
---|
173 |
|
---|
174 | # If you have periodic scripts that HUP daemons, the PID should be unachanged.
|
---|
175 | # However, force-restarts will be a new PID, so consider this
|
---|
176 |
|
---|
177 | [Attributes]
|
---|
178 | dir=99/var/run
|
---|
179 |
|
---|
180 | [Misc]
|
---|
181 | # Ignore sudo(8) TTY/PTY "Tickets" if you use sudo
|
---|
182 | IgnoreMissing = /var/run/sudo/[[:alnum:]]{1,9}/(p|t)ty.*$
|
---|
183 | IgnoreAdded = /var/run/sudo/[[:alnum:]]{1,9}/(p|t)ty.*$
|
---|
184 |
|
---|
185 | #
|
---|
186 | # --------- /var/(spool|queue|etc.) -----------
|
---|
187 | #
|
---|
188 |
|
---|
189 | [Attributes]
|
---|
190 | file=/var/cron/tabs
|
---|
191 | file=/var/spool/mqueue
|
---|
192 | file=/var/spool/clientmqueue
|
---|
193 | file=/var/mail
|
---|
194 | file=/var/tmp
|
---|
195 |
|
---|
196 | #
|
---|
197 | # --------- /var/at -----------
|
---|
198 | #
|
---|
199 |
|
---|
200 | # As deep as /var/at/ will be watched by 99/
|
---|
201 |
|
---|
202 | [Attributes]
|
---|
203 | file=/var/at/spool
|
---|
204 | file=/var/at/jobs
|
---|
205 |
|
---|
206 | #
|
---|
207 | # --------- /var/db -----------
|
---|
208 | #
|
---|
209 |
|
---|
210 | # Some files are written directly into /var/db
|
---|
211 | [Attributes]
|
---|
212 | file=/var/db
|
---|
213 |
|
---|
214 | [Attributes]
|
---|
215 | # Updatedb per /etc/periodic.d/weekly/310.locate (FreeBSD) or /etc/weekly (NetBSD)
|
---|
216 | file=/var/db/locate.database
|
---|
217 |
|
---|
218 | [Misc]
|
---|
219 | # this file comes and goes with portaudit(1)/portversion(1)/pkg_version(1)
|
---|
220 | # Other is ISC DHCLIENT related
|
---|
221 | IgnoreAdded=/var/db/(pkgdb.fixme|dhclient.leases.*)
|
---|
222 | IgnoreMissing=/var/db/(pkgdb.fixme|dhclient.leases.*)
|
---|
223 |
|
---|
224 |
|
---|
225 | #
|
---|
226 | # --------- /var/db/mysql -----------
|
---|
227 | #
|
---|
228 |
|
---|
229 | # The same for MySQL, except it's probably owned by the time you get done
|
---|
230 | # installing it.
|
---|
231 |
|
---|
232 | [Attributes]
|
---|
233 | file=/var/db/mysql
|
---|
234 | [IgnoreAll]
|
---|
235 | dir=-1/var/db/mysql
|
---|
236 |
|
---|
237 | ####################################################################
|
---|
238 | # The next three entries depend on your security paranoia policy about
|
---|
239 | # SRC and PORTSs trees, etc. Remember, Ports is the only default attack
|
---|
240 | # vector against FreeBSD machines.
|
---|
241 | ####################################################################
|
---|
242 |
|
---|
243 |
|
---|
244 | #
|
---|
245 | # --------- /var/db/pkg -----------
|
---|
246 | #
|
---|
247 |
|
---|
248 | # This database directory gets updated if a cvsup(8)/cvs(8)/sup(8) update
|
---|
249 | # occurs to a Pkgsrc source tree and then "pkgdb(8) -fu" is run.
|
---|
250 |
|
---|
251 | [Attributes]
|
---|
252 | file=/var/db/pkg
|
---|
253 | [IgnoreAll]
|
---|
254 | dir=-1/var/db/pkg
|
---|
255 |
|
---|
256 |
|
---|
257 | #
|
---|
258 | # --------- /var/db/entropy -----------
|
---|
259 | #
|
---|
260 | [Attributes]
|
---|
261 | file=/var/db/entropy
|
---|
262 | [IgnoreAll]
|
---|
263 | dir=-1/var/db/entropy
|
---|
264 |
|
---|
265 | #
|
---|
266 | # --------- /var/msgs -----------
|
---|
267 | #
|
---|
268 |
|
---|
269 | [Attributes]
|
---|
270 | dir=-1/var/msgs
|
---|
271 |
|
---|
272 | #
|
---|
273 | # --------- /var/backups -----------
|
---|
274 | #
|
---|
275 |
|
---|
276 | # /etc/daily /etc/security write old revisions of system
|
---|
277 | # critical files into here daily
|
---|
278 | [Attributes]
|
---|
279 | dir=-1/var/backups
|
---|
280 |
|
---|
281 | #
|
---|
282 | # --------- /var/log -----------
|
---|
283 | #
|
---|
284 |
|
---|
285 | # Keep this section in sync with:
|
---|
286 | # * /etc/newsyslog.conf
|
---|
287 | # * /etc/syslogd.conf OR:
|
---|
288 | # * /usr/pkg/etc/syslog-ng/syslog-ng.conf
|
---|
289 |
|
---|
290 | # For these files, changes in signature, timestamps, and increase in size
|
---|
291 | # are ignored, however:
|
---|
292 | # Per discussion on the forum, this behavior change is needed due to the behavior
|
---|
293 | # of newsyslog(8) rotation method File sizes will get smaller, inodes will change
|
---|
294 | # as they rotate.
|
---|
295 |
|
---|
296 | # NOTES ON LOG ROTATION BEHAVIOR:
|
---|
297 | # See comments about modifications to [GrowingLogFiles] to ignore INODE changes
|
---|
298 | # As newsyslog(8)/newsyslog.conf(5) has the default behavior of:
|
---|
299 | # - First move logfile.log to logfile.log.0
|
---|
300 | # - then bzip2 -v9 logfile.log.0
|
---|
301 | # - then touch(1) logfile.log
|
---|
302 | # - then HUP if applicable & reopen the new file (new inode)
|
---|
303 | # - Therefore, Ignore Singature, Size (if grow), and Inode changes
|
---|
304 | # But also, there's [IgnoreMissing] regexp to account for log file pruing from
|
---|
305 | # the filesystem, and [IgnoreAdded] for the first Nth rotations of the logfile
|
---|
306 | # per newsyslog.conf(5)
|
---|
307 |
|
---|
308 |
|
---|
309 | # NetBSD defaults
|
---|
310 | [Misc]
|
---|
311 | IgnoreAdded = /var/log/(cron|xferlog|messages|maillog|secure|pflog|sendmail\.st|kerberos\.log|authlog|aculog|wtmp|wtmpx)\.[0-9](\.bz2|\.gz)?$
|
---|
312 | IgnoreMissing= /var/log/(cron|xferlog|messages|maillog|secure|pflog|sendmail\.st|kerberos\.log|authlog|aculog|wtmp|wtmpx)\.[0-9](\.bz2|\.gz)?$
|
---|
313 |
|
---|
314 | # Local services you may need to account for
|
---|
315 | IgnoreAdded = /var/log/(snmpd\.log|postgresq\.log|samhain\.log|httpd-error\.log|httpd-access\.log|httpd-ssl_request\.log)\.[0-9](\.bz2|\.gz)?$
|
---|
316 | IgnoreMissing = /var/log/(snmpd\.log|postgresq\.log|samhain\.log|httpd-error\.log|httpd-access\.log|httpd-ssl_request\.log)\.[0-9](\.bz2|\.gz)?$
|
---|
317 |
|
---|
318 | [Attributes]
|
---|
319 | dir=99/var/log
|
---|
320 |
|
---|
321 | # NetBSD Stock Defaults
|
---|
322 | [GrowingLogFiles]
|
---|
323 | File = /var/log/aculog
|
---|
324 | File = /var/log/authlog
|
---|
325 | File = /var/log/cron
|
---|
326 | File = /var/log/kerberos.log
|
---|
327 | File = /var/log/lpd-errs
|
---|
328 | File = /var/log/maillog
|
---|
329 | File = /var/log/messages
|
---|
330 | File = /var/log/secure
|
---|
331 | File = /var/log/wtmp
|
---|
332 | File = /var/log/wtmpx
|
---|
333 | File = /var/log/xferlog
|
---|
334 | File = /var/log/pflog
|
---|
335 |
|
---|
336 | [Attributes]
|
---|
337 | # A binary-type logfile (Screw sendmail!)
|
---|
338 | File = /var/log/sendmail.st
|
---|
339 |
|
---|
340 | # NetBSD gzip(1)'s by default but newsyslog.conf(5) has bzip2 support
|
---|
341 | [Attributes]
|
---|
342 | File = /var/log/*.[0-9].gz
|
---|
343 | #File = /var/log/*.[0-9].bz2
|
---|
344 |
|
---|
345 | #
|
---|
346 | # --------- makewhatis(8) -----------
|
---|
347 | #
|
---|
348 |
|
---|
349 | # Account for updated whatis(8) database given manpath.conf(5)/man.conf(5)
|
---|
350 | #and manpath(1)
|
---|
351 |
|
---|
352 | [Attributes]
|
---|
353 | file=/usr/pkg/man/whatis.db
|
---|
354 | file=/usr/pkg/man
|
---|
355 | file=/usr/share/man/whatis.db
|
---|
356 | file=/usr/share/man
|
---|
357 |
|
---|
358 | ##############################################
|
---|
359 | ######## END FILE SECTION ####################
|
---|
360 | ##############################################
|
---|
361 |
|
---|
362 | [EventSeverity]
|
---|
363 |
|
---|
364 | SeverityReadOnly=crit
|
---|
365 | SeverityLogFiles=crit
|
---|
366 | SeverityGrowingLogs=crit
|
---|
367 | SeverityIgnoreNone=crit
|
---|
368 | SeverityAttributes=crit
|
---|
369 | SeverityUser0=crit
|
---|
370 | SeverityUser1=crit
|
---|
371 |
|
---|
372 | ## We have a file in IgnoreAll that might or might not be present.
|
---|
373 | ## Setting the severity to 'info' prevents messages about deleted/new file.
|
---|
374 | ##
|
---|
375 | # SeverityIgnoreAll=crit
|
---|
376 | SeverityIgnoreAll=info
|
---|
377 |
|
---|
378 | ## Files : file access problems
|
---|
379 | SeverityFiles=info
|
---|
380 |
|
---|
381 | ## Dirs : directory access problems
|
---|
382 | SeverityDirs=info
|
---|
383 |
|
---|
384 | ## Names : suspect (non-printable) characters in a pathname
|
---|
385 | SeverityNames=crit
|
---|
386 |
|
---|
387 | [Log]
|
---|
388 | ## Values: debug, info, notice, warn, mark, err, crit, alert, none.
|
---|
389 | ## 'mark' is used for timestamps.
|
---|
390 | ##
|
---|
391 | ## Use 'none' to SWITCH OFF a log facility
|
---|
392 | ##
|
---|
393 | ## By default, everything equal to and above the threshold is logged.
|
---|
394 | ## The specifiers '*', '!', and '=' are interpreted as
|
---|
395 | ## 'all', 'all but', and 'only', respectively (like syslogd(8) does,
|
---|
396 | ## at least on Linux). Examples:
|
---|
397 | ## MailSeverity=*
|
---|
398 | ## MailSeverity=!warn
|
---|
399 | ## MailSeverity==crit
|
---|
400 |
|
---|
401 | ## E-mail
|
---|
402 | ##
|
---|
403 | MailSeverity=warn
|
---|
404 |
|
---|
405 | ## Console
|
---|
406 | ##
|
---|
407 | PrintSeverity=notice
|
---|
408 |
|
---|
409 | ## Logfile
|
---|
410 | ##
|
---|
411 | LogSeverity=info
|
---|
412 |
|
---|
413 | ## Syslog
|
---|
414 | ##
|
---|
415 | # Syslog logging is redundant at this time
|
---|
416 | #
|
---|
417 | #SyslogSeverity=notice
|
---|
418 |
|
---|
419 | ## Remote server (yule)
|
---|
420 | ##
|
---|
421 | # ExportSeverity=none
|
---|
422 |
|
---|
423 | ## External script or program
|
---|
424 | ##
|
---|
425 | # ExternalSeverity = none
|
---|
426 |
|
---|
427 | ## Logging to a database
|
---|
428 | ##
|
---|
429 | # DatabaseSeverity = none
|
---|
430 |
|
---|
431 | ## Logging to a Prelude-IDS
|
---|
432 | ##
|
---|
433 | # PreludeSeverity = crit
|
---|
434 |
|
---|
435 |
|
---|
436 | #####################################################
|
---|
437 | #
|
---|
438 | # Optional modules
|
---|
439 | #
|
---|
440 | #####################################################
|
---|
441 |
|
---|
442 | #[SuidCheck]
|
---|
443 | ##
|
---|
444 | ## --- Check the filesystem for SUID/SGID binaries
|
---|
445 | ##
|
---|
446 |
|
---|
447 | ## Switch on
|
---|
448 | #
|
---|
449 | #SuidCheckActive = yes
|
---|
450 |
|
---|
451 | ## Interval for check (seconds)
|
---|
452 | #
|
---|
453 | #SuidCheckInterval = 5400
|
---|
454 |
|
---|
455 | ## Alternative: crontab-like schedule
|
---|
456 | #
|
---|
457 | #SuidCheckSchedule = NULL
|
---|
458 |
|
---|
459 | ## Directory to exclude
|
---|
460 | #
|
---|
461 | # SuidCheckExclude = NULL
|
---|
462 |
|
---|
463 | ## Limit on files per second (0 == no limit)
|
---|
464 | #
|
---|
465 | # SuidCheckFps = 0
|
---|
466 |
|
---|
467 | ## Alternative: yield after every file
|
---|
468 | #
|
---|
469 | # SuidCheckYield = no
|
---|
470 |
|
---|
471 | ## Severity of a detection
|
---|
472 | #
|
---|
473 | # SeveritySuidCheck = crit
|
---|
474 |
|
---|
475 | ## Quarantine SUID/SGID files if found
|
---|
476 | #
|
---|
477 | # SuidCheckQuarantineFiles = yes
|
---|
478 |
|
---|
479 | ## Method for Quarantining files:
|
---|
480 | # 0 - Delete the file.
|
---|
481 | # 1 - Remove SUID/SGID permissions from file.
|
---|
482 | # 2 - Move SUID/SGID file to quarantine dir.
|
---|
483 | #
|
---|
484 | # SuidCheckQuarantineMethod = 0
|
---|
485 |
|
---|
486 | ## For method 1 and 3, really delete instead of truncating
|
---|
487 | #
|
---|
488 | # SuidCheckQuarantineDelete = yes
|
---|
489 |
|
---|
490 | #[Mounts]
|
---|
491 | #MountCheckActive=1
|
---|
492 | #MountCheckInterval=7200
|
---|
493 | #SeverityMountMissing=crit
|
---|
494 | #SeverityOptionMissing=crit
|
---|
495 | #
|
---|
496 | #checkmount=/
|
---|
497 | #checkmount=/dev
|
---|
498 | #checkmount=/usr
|
---|
499 | #checkmount=/var
|
---|
500 | #checkmount=/var/log
|
---|
501 | #checkmount=/opt
|
---|
502 | #checkmount=/export
|
---|
503 | #checkmount=/tmp
|
---|
504 |
|
---|
505 | #[Kernel]
|
---|
506 | ##
|
---|
507 | ## --- Check for loadable kernel module rootkits (Linux/FreeBSD only)
|
---|
508 | ##
|
---|
509 |
|
---|
510 | ## Switch on/off
|
---|
511 | #
|
---|
512 | #KernelCheckActive = True
|
---|
513 |
|
---|
514 | ## Check interval (seconds); btw., the check is VERY fast
|
---|
515 | #
|
---|
516 | #KernelCheckInterval = 300
|
---|
517 |
|
---|
518 | ## Severity
|
---|
519 | #
|
---|
520 | #SeverityKernel = crit
|
---|
521 |
|
---|
522 |
|
---|
523 | #[Utmp]
|
---|
524 | ##
|
---|
525 | ## --- Logging of login/logout events
|
---|
526 | ##
|
---|
527 |
|
---|
528 | ## Switch on/off
|
---|
529 | #
|
---|
530 | #LoginCheckActive = True
|
---|
531 |
|
---|
532 | ## Severity for logins, multiple logins, logouts
|
---|
533 | #
|
---|
534 | #SeverityLogin=info
|
---|
535 | #SeverityLoginMulti=crit
|
---|
536 | #SeverityLogout=info
|
---|
537 |
|
---|
538 | ## Interval for login/logout checks
|
---|
539 | #
|
---|
540 | #LoginCheckInterval = 300
|
---|
541 |
|
---|
542 |
|
---|
543 | # [Database]
|
---|
544 | ##
|
---|
545 | ## --- Logging to a relational database
|
---|
546 | ##
|
---|
547 |
|
---|
548 | ## Database name
|
---|
549 | #
|
---|
550 | # SetDBName = samhain
|
---|
551 |
|
---|
552 | ## Database table
|
---|
553 | #
|
---|
554 | # SetDBTable = log
|
---|
555 |
|
---|
556 | ## Database user
|
---|
557 | #
|
---|
558 | # SetDBUser = samhain
|
---|
559 |
|
---|
560 | ## Database password
|
---|
561 | #
|
---|
562 | # SetDBPassword = (default: none)
|
---|
563 |
|
---|
564 | ## Database host
|
---|
565 | #
|
---|
566 | # SetDBHost = localhost
|
---|
567 |
|
---|
568 | ## Log the server timestamp for received messages
|
---|
569 | #
|
---|
570 | # SetDBServerTstamp = True
|
---|
571 |
|
---|
572 | ## Use a persistent connection
|
---|
573 | #
|
---|
574 | # UsePersistent = True
|
---|
575 |
|
---|
576 |
|
---|
577 | # [External]
|
---|
578 | ##
|
---|
579 | ## Interface to call external scripts/programs for logging
|
---|
580 | ##
|
---|
581 |
|
---|
582 | ## The absolute path to the command
|
---|
583 | ## - Each invocation of this directive will end the definition of the
|
---|
584 | ## preceding command, and start the definition of
|
---|
585 | ## an additional, new command
|
---|
586 | #
|
---|
587 | # OpenCommand = (no default)
|
---|
588 |
|
---|
589 | ## Type (log or srv)
|
---|
590 | ## - log for log messages, srv for messages received by the server
|
---|
591 | #
|
---|
592 | # SetType = log
|
---|
593 |
|
---|
594 | ## The command (full command line) to execute
|
---|
595 | #
|
---|
596 | # SetCommandLine = (no default)
|
---|
597 |
|
---|
598 | ## The environment (KEY=value; repeat for more)
|
---|
599 | #
|
---|
600 | # SetEnviron = TZ=(your timezone)
|
---|
601 |
|
---|
602 | ## The TIGERpkg checksum (optional)
|
---|
603 | #
|
---|
604 | # SetChecksum = (no default)
|
---|
605 |
|
---|
606 | ## User who runs the command
|
---|
607 | #
|
---|
608 | # SetCredentials = (default: samhain process uid)
|
---|
609 |
|
---|
610 | ## Words not allowed in message
|
---|
611 | #
|
---|
612 | # SetFilterNot = (none)
|
---|
613 |
|
---|
614 | ## Words required (ALL of them)
|
---|
615 | #
|
---|
616 | # SetFilterAnd = (none)
|
---|
617 |
|
---|
618 | ## Words required (at least one)
|
---|
619 | #
|
---|
620 | # SetFilterOr = (none)
|
---|
621 |
|
---|
622 | ## Deadtime between consecutive calls
|
---|
623 | #
|
---|
624 | # SetDeadtime = 0
|
---|
625 |
|
---|
626 | ## Add default environment (HOME, PATH, SHELL)
|
---|
627 | #
|
---|
628 | # SetDefault = no
|
---|
629 |
|
---|
630 |
|
---|
631 |
|
---|
632 | #####################################################
|
---|
633 | #
|
---|
634 | # Miscellaneous configuration options
|
---|
635 | #
|
---|
636 | #####################################################
|
---|
637 |
|
---|
638 | [Misc]
|
---|
639 |
|
---|
640 | ## whether to become a daemon process
|
---|
641 | ## (this is not honoured on database initialisation)
|
---|
642 | #
|
---|
643 | # Daemon = no
|
---|
644 | Daemon = yes
|
---|
645 |
|
---|
646 | # whether to test signature of files (init/check/none)
|
---|
647 | # - if 'none', then we have to decide this on the command line -
|
---|
648 | #
|
---|
649 | # ChecksumTest = none
|
---|
650 | ChecksumTest=check
|
---|
651 |
|
---|
652 | # Set nice level (-19 to 19, see 'man nice'),
|
---|
653 | # and I/O limit (kilobytes per second; 0 == off)
|
---|
654 | # to reduce load on host.
|
---|
655 | #
|
---|
656 | SetNiceLevel = 19
|
---|
657 | # SetIOLimit = 0
|
---|
658 |
|
---|
659 | ## The version string to embed in file signature databases
|
---|
660 | #
|
---|
661 | # VersionString = NULL
|
---|
662 |
|
---|
663 | ## Interval between time stamp messages
|
---|
664 | #
|
---|
665 | # SetLoopTime = 60
|
---|
666 | SetLoopTime = 7200
|
---|
667 |
|
---|
668 | ## Interval between file checks
|
---|
669 | #
|
---|
670 | # SetFileCheckTime = 600
|
---|
671 | SetFileCheckTime = 43200
|
---|
672 |
|
---|
673 | ## Alternative: crontab-like schedule
|
---|
674 | #
|
---|
675 | # FileCheckScheduleOne = NULL
|
---|
676 |
|
---|
677 | ## Alternative: crontab-like schedule(2)
|
---|
678 | #
|
---|
679 | # FileCheckScheduleTwo = NULL
|
---|
680 |
|
---|
681 | ## Report only once on modified fles
|
---|
682 | ## Setting this to 'FALSE' will generate a report for any policy
|
---|
683 | ## violation (old and new ones) each time the daemon checks the file system.
|
---|
684 | #
|
---|
685 | ReportOnlyOnce = True
|
---|
686 |
|
---|
687 | ## Report in full detail
|
---|
688 | #
|
---|
689 | ReportFullDetail = True
|
---|
690 |
|
---|
691 | ## Report file timestamps in local time rather than GMT
|
---|
692 | #
|
---|
693 | UseLocalTime = Yes
|
---|
694 |
|
---|
695 | ## The console device (can also be a file or named pipe)
|
---|
696 | ## - There are two console devices. Accordingly, you can use
|
---|
697 | ## this directive a second time to set the second console device.
|
---|
698 | ## If you have not defined the second device at compile time,
|
---|
699 | ## and you don't want to use it, then:
|
---|
700 | ## setting it to /dev/null is less effective than just leaving
|
---|
701 | ## it alone (setting to /dev/null will waste time by opening
|
---|
702 | ## /dev/null and writing to it)
|
---|
703 | #
|
---|
704 | # SetConsole = /dev/console
|
---|
705 |
|
---|
706 | ## Activate the SysV IPC message queue
|
---|
707 | #
|
---|
708 | # MessageQueueActive = False
|
---|
709 |
|
---|
710 |
|
---|
711 | ## If false, skip reverse lookup when connecting to a host known
|
---|
712 | ## by name rather than IP address (i.e. trust the DNS)
|
---|
713 | #
|
---|
714 | SetReverseLookup = True
|
---|
715 |
|
---|
716 |
|
---|
717 | ## --- E-Mail ---
|
---|
718 |
|
---|
719 | # Only highest-level (alert) reports will be mailed immediately,
|
---|
720 | # others will be queued. Here you can define, when the queue will
|
---|
721 | # be flushed (Note: the queue is automatically flushed after
|
---|
722 | # completing a file check).
|
---|
723 | #
|
---|
724 | # SetMailTime = 86400
|
---|
725 |
|
---|
726 | ## Maximum number of mails to queue
|
---|
727 | #
|
---|
728 | # SetMailNum = 10
|
---|
729 |
|
---|
730 | ## Recipient (max. 8)
|
---|
731 | #
|
---|
732 | #SetMailAddress=infosec@noc.myorg.tld
|
---|
733 |
|
---|
734 | ## Mail relay (IP address)
|
---|
735 | #
|
---|
736 | SetMailRelay = 127.0.0.1
|
---|
737 |
|
---|
738 | ## Custom subject format
|
---|
739 | #
|
---|
740 | MailSubject = Synchrotone Samhain: %S
|
---|
741 | SetMailSender = samhain@synchrotone.pgh.pub.collaborativefusion.com
|
---|
742 |
|
---|
743 | ## --- end E-Mail ---
|
---|
744 |
|
---|
745 |
|
---|
746 | ## Path to the executable. If set, will be checksummed after startup
|
---|
747 | ## and before exit.
|
---|
748 | #
|
---|
749 | SamhainPath = /usr/pkg/sbin/samhain
|
---|
750 |
|
---|
751 | ## The IP address of the log server
|
---|
752 | #
|
---|
753 | # SetLogServer = (default: compiled-in)
|
---|
754 |
|
---|
755 | ## The IP address of the time server
|
---|
756 | #
|
---|
757 | # SetTimeServer = (default: compiled-in)
|
---|
758 |
|
---|
759 | ## Trusted Users (comma delimited list of user names)
|
---|
760 | #
|
---|
761 | # TrustedUser = (no default; this adds to the compiled-in list)
|
---|
762 |
|
---|
763 | ## Path to the file signature database
|
---|
764 | #
|
---|
765 | SetDatabasePath = /usr/pkg/var/samhain/samhain.db
|
---|
766 |
|
---|
767 | ## Path to the log file
|
---|
768 | #
|
---|
769 | # SetLogfilePath = (default: compiled-in)
|
---|
770 |
|
---|
771 | ## Path to the PID file
|
---|
772 | #
|
---|
773 | # SetLockPath = (default: compiled-in)
|
---|
774 |
|
---|
775 |
|
---|
776 | ## The digest/checksum/hash algorithm
|
---|
777 | #
|
---|
778 | DigestAlgo = MD5
|
---|
779 |
|
---|
780 |
|
---|
781 | ## Custom format for message header.
|
---|
782 | ## CAREFUL if you use XML logfile format.
|
---|
783 | ##
|
---|
784 | ## %S severity
|
---|
785 | ## %T timestamp
|
---|
786 | ## %C class
|
---|
787 | ##
|
---|
788 | ## %F source file
|
---|
789 | ## %L source line
|
---|
790 | #
|
---|
791 | # MessageHeader="%S %T "
|
---|
792 |
|
---|
793 |
|
---|
794 | ## Don't log path to config/database file on startup
|
---|
795 | #
|
---|
796 | # HideSetup = False
|
---|
797 |
|
---|
798 | ## The syslog facility, if you log to syslog
|
---|
799 | #
|
---|
800 | # SyslogFacility = LOG_AUTHPRIV
|
---|
801 | SyslogFacility=LOG_LOCAL2
|
---|
802 |
|
---|
803 | ## The message authentication method
|
---|
804 | ## - If you change this, you *must* change it
|
---|
805 | ## on client *and* server
|
---|
806 | #
|
---|
807 | # MACType = HMAC-TIGER
|
---|
808 |
|
---|
809 |
|
---|
810 | ## The Prelude-IDS profile to use for reporting
|
---|
811 | ## default value is "samhain"
|
---|
812 | #
|
---|
813 | # PreludeProfile = samhain
|
---|
814 |
|
---|
815 | ## Map these samhain severities to impact severity 'info' severity
|
---|
816 | #
|
---|
817 | # PreludeMapToInfo =
|
---|
818 |
|
---|
819 | ## Map these samhain severities to impact severity 'low' severity
|
---|
820 | #
|
---|
821 | # PreludeMapToLow = debug info
|
---|
822 |
|
---|
823 | ## Map these samhain severities to impact severity 'medium' severity
|
---|
824 | #
|
---|
825 | # PreludeMapToMedium = notice warn err
|
---|
826 |
|
---|
827 | ## Map these samhain severities to impact severity 'high' severity
|
---|
828 | #
|
---|
829 | # PreludeMapToHigh = crit alert
|
---|
830 |
|
---|
831 | # everything below is ignored
|
---|
832 | [EOF]
|
---|
833 |
|
---|
834 | #####################################################################
|
---|
835 | # This would be the proper syntax for parts that should only be
|
---|
836 | # included for certain hosts.
|
---|
837 | # You may enclose anything in a @HOSTNAME/@end bracket, as long as the
|
---|
838 | # result still has the proper syntax for the config file.
|
---|
839 | # You may have any number of @HOSTNAME/@end brackets.
|
---|
840 | # HOSTNAME should be the fully qualified 'official' name
|
---|
841 | # (e.g. 'nixon.watergate.com', not 'nixon'), no aliases.
|
---|
842 | # No IP number - except if samhain cannot determine the
|
---|
843 | # fully qualified hostname.
|
---|
844 | #
|
---|
845 | # @HOSTNAME
|
---|
846 | # file=/foo/bar
|
---|
847 | # @end
|
---|
848 | #
|
---|
849 | # These are two examples for conditional inclusion/exclusion
|
---|
850 | # of a machine based on the output from 'uname -srm'
|
---|
851 | # $Linux:2.*.7:i666
|
---|
852 | # file=/foo/bar3
|
---|
853 | # $end
|
---|
854 | #
|
---|
855 | # !$Linux:2.*.7:i686
|
---|
856 | # file=/foo/bar2
|
---|
857 | # $end
|
---|
858 | #
|
---|
859 | #####################################################################
|
---|