source: trunk/samhainrc.solaris@ 511

Last change on this file since 511 was 387, checked in by katerina, 13 years ago

Fix for ticket #284 (Non-existent directive in config file template).

File size: 14.8 KB
RevLine 
[1]1#####################################################################
2#
3# SOLARIS Configuration file for samhain.
4#
5# Based on a contribution by Sean Boran (sean [at] boran d.o.t com)
6#
7# HISTORY:
8# 16.Aug.03 rw add plenty of comments
9# 24.Jun.02 rw remove linux stuff, clean up a bit
10# 06.Jun.02 sb <3>, add LOTS more Solaris stuff. Also and comment at bottom
11# of this file.
12# 03.Jun.02 sb Separate Linux & Solaris
13# 24.Apr.02 sb Use Samhain v.15 template and tune for Solaris.
14#
15# To do: logs /var/adm/messages and /var/cron/log are
16# pruned weekly.
17#####################################################################
18#
19# -- empty lines and lines starting with '#', ';' or '//' are ignored
20# -- boolean options can be Yes/No or True/False or 1/0
21# -- you can PGP clearsign this file -- samhain will check (if compiled
22# with support) or otherwise ignore the signature
23# -- CHECK mail address
24#
25# To each log facility, you can assign a threshold severity. Only
26# reports with at least the threshold severity will be logged
27# to the respective facility (even further below).
28#
29#####################################################################
30# SETUP for file system checking:
31# (i) There are several policies, each has its own section. Put files
32# into the section for the appropriate policy (see below).
33# (ii) Section [EventSeverity]:
34# To each policy, you can assign a severity (further below).
35# (iii) Section [Log]:
36# To each log facility, you can assign a threshold severity. Only
37# reports with at least the threshold severity will be logged
38# to the respective facility (even further below).
39#####################################################################
40
41#####################################################################
42#
43# Files are defined with: file = /absolute/path
44#
45# Directories are defined with: dir = /absolute/path
46# or with an optional recursion depth (N <= 99): dir = N/absolute/path
47#
48# Directory inodes are checked. If you only want to check files
49# in a directory, but not the directory inode itself, use (e.g.):
50#
51# [ReadOnly]
52# dir = /some/directory
53# [IgnoreAll]
54# file = /some/directory
55#
56# You can use shell-style globbing patterns, like: file = /path/foo*
57#
58######################################################################
59
60[Misc]
61##
62## Add or subtract tests from the policies
63## - if you want to change their definitions,
64## you need to do that before using the policies
65##
66# RedefReadOnly = (no default)
67# RedefAttributes=(no default)
68# RedefLogFiles=(no default)
69# RedefGrowingLogFiles=(no default)
70# RedefIgnoreAll=(no default)
71# RedefIgnoreNone=(no default)
72# RedefUser0=(no default)
73# RedefUser1=(no default)
74
75
76[Attributes]
77##
78## for these files, only changes in permissions and ownership are checked
79##
80
81file=/etc/ssh/ssh_random_seed
82file=/etc/resolv.conf
83# There are files in /etc that might change, thus changing the directory
84# timestamps. Put it here as 'file', and in the ReadOnly section as 'dir'.
85file=/etc
86
87file=/etc/skip/randseed
88file=/etc/cron.d/FIFO
89file=/etc/devlink.tab
90file=/etc/.syslog_door
91file=/etc/syslog.pid
92file=/etc/.name_service_door
93file=/etc/mnttab
94file=/etc/cron.d
95file=/etc/mail
96file=/etc/inet
97dir=/secure/tmp
98dir=/etc/sysevent
99dir=/usr/local/imap/spool/user
100dir=/usr/local/imap/proc
101dir=/usr/local/imap/quota
102dir=/usr/local/qmail/queue
103dir=/usr/local/qmail/alias/Mailbox
104dir=/usr/tmp
105dir=/usr/aset/tmp
106dir=/usr/oasys/tmp
107dir=/var/spool/lp/tmp
108dir=/var/tmp
109dir=/var/dt/tmp
110dir=/tmp
111dir=/etc/osa
112
113[LogFiles]
114##
115## for these files, changes in signature, timestamps, and size are ignored
116##
117#file=/var/run/utmp
118file=/etc/motd
119file=/var/cron/log
120file=/var/adm/wtmpx
121file=/var/adm/wtmp
122file=/var/adm/utmpx
123file=/var/adm/lastlog
124
125[GrowingLogFiles]
126##
127## for these files, changes in signature, timestamps, and increase in size
128## are ignored
129##
130
131file=/var/adm/messages
132
133
134
135[IgnoreAll]
136##
137## for these files, no modifications are reported
138##
139
140file=/etc/utmppipe
141file=/usr/dt/bin/ttsnoop
142file=/dev/mem
143dir=/etc/saf
144# dir=/secure/tmp
145dir=/usr/share/man
146dir=/usr/share/lib/terminfo
147dir=/usr/demo
148dir=/usr/lib/adb
149dir=/usr/local/man
150dir=/usr/local/doc
151dir=/usr/dt/share/man
152dir=/usr/openwin/lib/locale
153dir=/usr/openwin/share/man
154dir=/usr/openwin/share/src
155dir=/usr/openwin/lib/X11/fonts
156dir=/var/snort
157dir=/var/log/snort
158dir=/etc/snort/rules
159dir=/opt/oracle/doc
160dir=/usr/dt/share/examples
161dir=/opt/SUNWebnfs/javadoc
162dir=/usr/local/mysql/var
163dir=/jumpstart/Flash
164dir=/jumpstart/OS
165dir=/jumpstart/Patches
166dir=/etc/opt/SUNWicg/SunScreen/.active
167dir=/etc/opt/SUNWicg/SunScreen/.old
168
169
170[IgnoreNone]
171##
172## for these files, all modifications (even access time) are reported
173## - you may create some interesting-looking file (like /etc/safe_passwd),
174## just to watch whether someone will access it ...
175##
176
177
178[ReadOnly]
179##
180## for these files, only access time is ignored
181##
182dir=/usr/bin
183dir=/usr/sbin
184dir=/usr/lib
185
186# SuSE (old) has the boot init scripts in /sbin/init.d/*,
187# so we go 3 levels deep
188dir=3/sbin
189
190# RedHat and Debian have the bootinit scripts in /etc/init.d/* or /etc/rc.d/*,
191# so we go 3 levels deep there too
192dir=3/etc
193
194# Various directories / files that may include / be SUID/SGID binaries
195#
196dir=/usr/openwin/bin
197dir=/usr/dt/bin
198#dir=/opt/install
199dir=/opt/OBSDssh
200
201
202dir=/root
203
204# Critical devices
205
206file=/dev/dsk
207file=/dev/rdsk
208file=/dev/null
209file=/dev/zero
210
211[User0]
212[User1]
213## User0 and User1 are sections for files/dirs with user-definable checking
214## (see the manual)
215
216[EventSeverity]
217##
218## Here you can assign severities to policy violations.
219## If this severity exceeds the treshold of a log facility (see below),
220## a policy violation will be logged to that facility.
221
222# Severity for verification failures.
223#
224# SeverityReadOnly=crit
225# SeverityLogFiles=crit
226# SeverityGrowingLogs=crit
227# SeverityIgnoreNone=crit
228# SeverityAttributes=crit
229# SeverityUser0=crit
230# SeverityUser1=crit
231
232# We have a file in IgnoreAll that might or might not be present.
233# Setting the severity to 'info' prevents messages about deleted/new file.
234#
235# SeverityIgnoreAll=crit
236SeverityIgnoreAll=info
237
238# Files : file access problems
239# SeverityFiles=crit
240
241# Dirs : directory access problems
242# SeverityDirs=crit
243
244# Names : suspect (non-printable) characters in a pathname
245# SeverityNames=crit
246
247[Log]
248##
249## Switch on/OFF log facilities and set their threshold severity
250##
251## Values: debug, info, notice, warn, mark, err, crit, alert, none.
252## 'mark' is used for timestamps.
253##
254## Use 'none' to SWITCH OFF a log facility
255##
256## By default, everything equal to and above the threshold is logged.
257## The specifiers '*', '!', and '=' are interpreted as
258## 'all', 'all but', and 'only', respectively (like syslogd(8) does,
259## at least on Linux). Examples:
260## MailSeverity=*
261## MailSeverity=!warn
262## MailSeverity==crit
263
264## E-mail
265##
266# MailSeverity=none
267
268## Console
269##
270# PrintSeverity=info
271
272## Logfile
273##
274# LogSeverity=mark
275
276## Syslog
277##
278# SyslogSeverity=none
279
280## Remote server (yule)
281##
282# ExportSeverity=none
283
284## External script or program
285##
286# ExternalSeverity = none
287
288## Logging to a database
289##
290# DatabaseSeverity = none
291
292## Logging to a Prelude-IDS
293##
294# PreludeSeverity = crit
295
296
297#####################################################
298#
299# Optional modules
300#
301#####################################################
302
303# [SuidCheck]
304##
305## --- Check the filesystem for SUID/SGID binaries
306##
307
308## Switch on
309#
310# SuidCheckActive = yes
311
312## Interval for check (seconds)
313#
314# SuidCheckInterval = 7200
315
316## Alternative: crontab-like schedule
317#
318# SuidCheckSchedule = NULL
319
320## Directory to exclude
321#
322# SuidCheckExclude = NULL
323
324## Limit on files per second (0 == no limit)
325#
326# SuidCheckFps = 0
327
328## Alternative: yield after every file
329#
330# SuidCheckYield = no
331
332## Severity of a detection
333#
334# SeveritySuidCheck = crit
335
336## Quarantine SUID/SGID files if found
337#
338# SuidCheckQuarantineFiles = yes
339
340## Method for Quarantining files:
341# 0 - Delete the file.
342# 1 - Remove SUID/SGID permissions from file.
343# 2 - Move SUID/SGID file to quarantine dir.
344#
345# SuidCheckQuarantineMethod = 0
346
347## For method 1 and 3, really delete instead of truncating
348#
349
350# [Utmp]
351##
352## --- Logging of login/logout events
353##
354
355## Switch on/off
356#
357# LoginCheckActive = True
358
359## Severity for logins, multiple logins, logouts
360#
361# SeverityLogin=info
362# SeverityLoginMulti=warn
363# SeverityLogout=info
364
365## Interval for login/logout checks
366#
367# LoginCheckInterval = 300
368
369
370# [Database]
371##
372## --- Logging to a relational database
373##
374
375## Database name
376#
377# SetDBName = samhain
378
379## Database table
380#
381# SetDBTable = log
382
383## Database user
384#
385# SetDBUser = samhain
386
387## Database password
388#
389# SetDBPassword = (default: none)
390
391## Database host
392#
393# SetDBHost = localhost
394
395## Log the server timestamp for received messages
396#
397# SetDBServerTstamp = True
398
399## Use a persistent connection
400#
401# UsePersistent = True
402
403# [External]
404##
405## Interface to call external scripts/programs for logging
406##
407
408## The absolute path to the command
409## - Each invocation of this directive will end the definition of the
410## preceding command, and start the definition of
411## an additional, new command
412#
413# OpenCommand = (no default)
414
415## Type (log or rv)
416## - log for log messages, srv for messages received by the server
417#
418# SetType = log
419
420## The command (full command line) to execute
421#
422# SetCommandLine = (no default)
423
424## The environment (KEY=value; repeat for more)
425#
426# SetEnviron = TZ=(your timezone)
427
428## The TIGER192 checksum (optional)
429#
430# SetChecksum = (no default)
431
432## User who runs the command
433#
434# SetCredentials = (default: samhain process uid)
435
436## Words not allowed in message
437#
438# SetFilterNot = (none)
439
440## Words required (ALL of them)
441#
442# SetFilterAnd = (none)
443
444## Words required (at least one)
445#
446# SetFilterOr = (none)
447
448## Deadtime between consecutive calls
449#
450# SetDeadtime = 0
451
452## Add default environment (HOME, PATH, SHELL)
453#
454# SetDefault = no
455
456
457
458
459#####################################################
460#
461# Miscellaneous configuration options
462#
463#####################################################
464
465[Misc]
466
467## whether to become a daemon process
468## (this is not honoured on database initialisation)
469#
470# Daemon = no
471Daemon = yes
472
473## whether to test signature of files (init/check/none)
474## - if 'none', then we have to decide this on the command line -
475#
476# ChecksumTest = none
477ChecksumTest=check
478
479## Set nice level (-19 to 19, see 'man nice'),
480## and I/O limit (kilobytes per second; 0 == off)
481## to reduce load on host.
482#
483# SetNiceLevel = 0
484# SetIOLimit = 0
485
486## The version string to embed in file signature databases
487#
488# VersionString = NULL
489
490## Interval between time stamp messages
491#
492# SetLoopTime = 60
493SetLoopTime = 600
494
495## Interval between file checks
496#
497# SetFileCheckTime = 600
498SetFileCheckTime = 7200
499
500## Alternative: crontab-like schedule
501#
502# FileCheckScheduleOne = NULL
503
504## Alternative: crontab-like schedule(2)
505#
506# FileCheckScheduleTwo = NULL
507
[101]508## Report only once on modified files
[1]509## Setting this to 'FALSE' will generate a report for any policy
510## violation (old and new ones) each time the daemon checks the file system.
511#
512# ReportOnlyOnce = True
513
514## Report in full detail
515#
516# ReportFullDetail = False
517
518## Report file timestamps in local time rather than GMT
519#
520# UseLocalTime = No
521
522## The console device (can also be a file or named pipe)
523## - There are two console devices. Accordingly, you can use
524## this directive a second time to set the second console device.
525## If you have not defined the second device at compile time,
526## and you don't want to use it, then:
527## setting it to /dev/null is less effective than just leaving
528## it alone (setting to /dev/null will waste time by opening
529## /dev/null and writing to it)
530#
531# SetConsole = /dev/console
532
533## Activate the SysV IPC message queue
534#
535# MessageQueueActive = False
536
537
538## If false, skip reverse lookup when connecting to a host known
539## by name rather than IP address (i.e. trust the DNS)
540#
541# SetReverseLookup = True
542
543## --- E-Mail ---
544
545# Only highest-level (alert) reports will be mailed immediately,
546# others will be queued. Here you can define, when the queue will
547# be flushed (Note: the queue is automatically flushed after
548# completing a file check).
549#
550# SetMailTime = 86400
551
552## Maximum number of mails to queue
553#
554# SetMailNum = 10
555
556## Recipient (max. 8)
557#
558# SetMailAddress=root@localhost
559
560## Mail relay (IP address)
561#
562# SetMailRelay = NULL
563
564## Custom subject format
565#
566# MailSubject = NULL
567
568## --- end E-Mail ---
569
570
571## Path to the executable. If set, will be checksummed after startup
572## and before exit.
573#
574# SamhainPath = (no default)
575
576
577## The IP address of the log server
578#
579# SetLogServer = (default: compiled-in)
580
581## The IP address of the time server
582#
583# SetTimeServer = (default: compiled-in)
584
585## Trusted Users (comma delimited list of user names)
586#
587# TrustedUser = (no default; this adds to the compiled-in list)
588
589## Path to the file signature database
590#
591# SetDatabasePath = (default: compiled-in)
592
593## Path to the log file
594#
595# SetLogfilePath = (default: compiled-in)
596
597## Path to the PID file
598#
[387]599# SetLockfilePath = (default: compiled-in)
[1]600
601
602## The digest/checksum/hash algorithm
603#
604# DigestAlgo = TIGER192
605
606
607## Custom format for message header.
608## CAREFUL if you use XML logfile format.
609##
610## %S severity
611## %T timestamp
612## %C class
613##
614## %F source file
615## %L source line
616#
617# MessageHeader="%S %T "
618
619
620## Don't log path to config/database file on startup
621#
622# HideSetup = False
623
624## The syslog facility, if you log to syslog
625#
626# SyslogFacility = LOG_AUTHPRIV
627SyslogFacility=LOG_LOCAL2
628
629## The message authentication method
630## - If you change this, you *must* change it
631## on client *and* server
632#
633# MACType = HMAC-TIGER
634
635## The Prelude-IDS profile to use for reporting
636## default value is "samhain"
637#
638# PreludeProfile = samhain
639
640## Map these samhain severities to impact severity 'info' severity
641#
642# PreludeMapToInfo =
643
644## Map these samhain severities to impact severity 'low' severity
645#
646# PreludeMapToLow = debug info
647
648## Map these samhain severities to impact severity 'medium' severity
649#
650# PreludeMapToMedium = notice warn err
651
652## Map these samhain severities to impact severity 'high' severity
653#
654# PreludeMapToHigh = crit alert
655
656# everything below is ignored
657[EOF]
658
659#####################################################################
660# This would be the proper syntax for parts that should only be
661# included for certain hosts.
662# You may enclose anything in a @HOSTNAME/@end bracket, as long as the
663# result still has the proper syntax for the config file.
664# You may have any number of @HOSTNAME/@end brackets.
665# HOSTNAME should be the fully qualified 'official' name
666# (e.g. 'nixon.watergate.com', not 'nixon'), no aliases.
667# No IP number - except if samhain cannot determine the
668# fully qualified hostname.
669#
670# @HOSTNAME
671# file=/foo/bar
672# @end
673#
674# These are two examples for conditional inclusion/exclusion
675# of a machine based on the output from 'uname -srm'
676# $Linux:2.*.7:i666
677# file=/foo/bar3
678# $end
679#
680# !$Linux:2.*.7:i686
681# file=/foo/bar2
682# $end
683#
684#####################################################################
Note: See TracBrowser for help on using the repository browser.