source: trunk/test/testrc_1@ 581

Last change on this file since 581 was 581, checked in by katerina, 3 months ago

Fix for ticket #469 (regression in log monitoring code).

File size: 6.6 KB
RevLine 
[1]1#####################################################################
2#
3# Configuration file template for samhain.
4#
5#####################################################################
6#
7# -- empty lines and lines starting with '#' are ignored
8# -- you can PGP clearsign this file -- samhain will check (if compiled
9# with support) or otherwise ignore the signature
10# -- CHECK mail address
11#
12# To each log facility, you can assign a threshold severity. Only
13# reports with at least the threshold severity will be logged
14# to the respective facility (even further below).
15#
16#####################################################################
17#
18# SETUP for file system checking:
19#
20# (i) There are several policies, each has its own section. Put files
21# into the section for the appropriate policy (see below).
22# (ii) To each policy, you can assign a severity (further below).
23# (iii) To each log facility, you can assign a threshold severity. Only
24# reports with at least the threshold severity will be logged
25# to the respective facility (even further below).
26#
27#####################################################################
28
29
30[Misc]
31RedefUser0=-ATM
32
33[Attributes]
34#
35# for these files, only changes in permissions and ownership are checked
36#
[19]37#file=/etc/mtab
[1]38#file=/etc/ssh_random_seed
39#file=/etc/asound.conf
40#file=/etc/resolv.conf
41#file=/etc/localtime
42#file=/etc/ioctl.save
43#file=/etc/passwd.backup
44#file=/etc/shadow.backup
45
46
47#
48# There are files in /etc that might change (see above),
49# thus changing the timestamps on the directory special file.
50# Put it here as 'file', and in the ReadOnly section as 'dir'.
51#
52file=/etc
53
54[GrowingLogFiles]
55#
56# for these files, changes in signature, timestamps, and increase in size
57# are ignored
58#
59# Example for shell-style wildcard pattern
60#
61#file=/var/log/n*
62
63[IgnoreAll]
64#dir=-1/etc
65
66[IgnoreNone]
67#dir=-1/etc
68
69[Attributes]
70# dir=/opt/gnome/bin/
71# file=/usr/bin/ssh
72
73
74[ReadOnly]
75#
76# for these files, only access time is ignored
77#
78#dir=/dev
79# dir=/usr/bin
80
[19]81#dir=/usr/bin
[1]82#dir=/lib
83#dir=/usr/lib
84
85#dir=/lib
86#dir=3/etc
87#dir=/tmp
88# file=/usr/bin/ssh
89# dir=1/home/rainer
90
[581]91[SuidCheck]
92SuidCheckActive=false
[19]93#SuidCheckExclude=/home
[1]94
[581]95[ProcessCheck]
96#
97# Activate (default is on)
98#
99ProcessCheckActive = no
100
101[PortCheck]
102#
103# Activate (default is on)
104#
105PortCheckActive = no
106
107
108[Logmon]
109
110#
111# Switch on the module
112#
113LogmonActive = yes
114
115# Check every second
116#
117LogmonInterval = 1
118
119# Strip PIDs from syslog messages
120#
121Logmonhidepid = true
122
123# Define a queue with severity 'crit'.
124# This is a 'report' queue, hence 'interval' (10)
125# will be ignored.
126#
127LogmonQueue = q1:10:report:crit
128
129# Monitor disks to check for full /dev/sda1
130#
131LogmonWatch = SHELL:df -h
132
133# Warn about disk /dev/sda1 nearly full (80% or more. Use a
134# non-capturing subexpression [the (?:8|9)] for the percentage full.
135#
136LogmonRule = q1:/dev/nvme1n1p4\s+[0-9GM.]+\s+[0-9GM.]+\s+[0-9GM.]+\s+(?:8|9).%.*
137
138LogmonDeadtime = 120
139LogmonRule = trash:.*
140
141
[1]142[EventSeverity]
143#
144# Here you can assign severities to policy violations.
145# If this severity exceeds the treshold of a log facility (see below),
146# a policy violation will be logged to that facility.
147#
148# Severity for verification failures.
149#
150SeverityUser0=crit
151SeverityUser1=crit
152SeverityReadOnly=crit
153SeverityLogFiles=crit
154SeverityGrowingLogs=crit
155SeverityIgnoreNone=crit
156SeverityAttributes=crit
157#
158# We have a file in IgnoreAll that might or might not be present.
159# Setting the severity to 'info' prevents messages about deleted/new file.
160#
161SeverityIgnoreAll=warn
162
163#
164# Files : file access problems
165# Dirs : directory access problems
166# Names : suspect (non-printable) characters in a pathname
167#
168SeverityFiles=notice
169SeverityDirs=info
170SeverityNames=warn
171
172[Log]
173#
174# Set threshold severity for log facilities
175# Values: debug, info, notice, warn, mark, err, crit, alert, none.
176# 'mark' is used for timestamps.
177#
178# By default, everything equal to and above the threshold is logged.
179# The specifiers '*', '!', and '=' are interpreted as
180# 'all', 'all but', and 'only', respectively (like syslogd(8) does,
181# at least on Linux).
182#
183# MailSeverity=*
184# MailSeverity=!warn
185# MailSeverity==crit
186#
187MailSeverity=none
188LogSeverity=warn
189SyslogSeverity=none
190#ExportSeverity=none
191PrintSeverity=info
192# Restrict to certain classes of messages
193# MailClass = RUN
[19]194#PreludeSeverity = err
[1]195
196# Which system calls to log (execve, utime, unlink, dup, chdir, open, kill,
197# exit, fork, setuid, setgid, pipe)
198#
199# LogCalls = open
200
201
202#[Kernel]
203#
204# Setings this to 1/true/yes will activate the check for loadable
205# kernel module rootkits (Linux only)
206#
207#KernelCheckActive=1
208#KernelCheckInterval = 20
209
[19]210#[Utmp]
[1]211#
212# 0 to switch off, 1 to activate
213#
[19]214#LoginCheckActive=1
[1]215
216# Severity for logins, multiple logins, logouts
217#
[19]218#SeverityLogin=info
219#SeverityLoginMulti=warn
220#SeverityLogout=info
[1]221
222# interval for login/logout checks
223#
[19]224#LoginCheckInterval=60
[1]225
226[Misc]
227#
228# whether to become a daemon process
229Daemon=no
230
231# Custom format for message header
232#
233# %S severity
234# %T timestamp
235# %C class
236#
237# %F source file
238# %L source line
239#
240# MessageHeader="%S %T - %F - %L "
241# MessageHeader="<log sev="%S" time="%T" "
242
243# the maximum time between client messages (seconds)
244# (this is a log server-only option; the default is 86400 sec = 1 day
245#
246# SetClientTimeLimit=1800
247
248# time till next file check (seconds)
249SetFilecheckTime=120
250
251# DigestAlgo=MD5
252
253# Only highest-level (alert) reports will be mailed immediately,
254# others will be queued. Here you can define, when the queue will
255# be flushed (Note: the queue is automatically flushed after
256# completing a file check).
257#
258# maximum time till next mail (seconds)
259SetMailTime=86400
260
261# maximum number of queued mails
262SetMailNum=10
263
264# where to send mail to
265SetMailAddress=root@localhost
266# MailSubject=* body %H # %M
267
[19]268#TrustedUser=uucp,fax,fnet
[1]269
270# Watch syslog port
271#
272# SetUDPActive = yes
273
274# mail relay host
275# SetMailRelay=localhost
276
277# The binary. Setting the path will allow
278# samhain to check for modifications between
279# startup and exit.
280#
281# SamhainPath=/usr/local/bin/samhain
282
283# where to get time from
284# SetTimeServer=www.yourdomain.de
285
286# where to export logs to
287# SetLogServer=localhost
288
289SetRecursionLevel=10
290
291#setdatabasepath=AUTO
292#setlogfilepath=AUTO
293#setlockfilepath=AUTO
294
295# timer for time stamps
296SetLoopTime=60
297
298# report in full detail on modified files
299#
300ReportFullDetail = no
301
302# trusted users (root and the effective user are always trusted)
303# TrustedUser=bin
304
305# whether to test signature of files (init/check/none)
306# - if 'none', then we have to decide this on the command line -
307#
308ChecksumTest=check
309
310# Set the facility for syslog
311#
312# SyslogFacility=LOG_MAIL
313
314# Don't log names of configuration/database files on startup
315#
316# HideSetup=yes
317
318
319# everything below is ignored
320[EOF]
Note: See TracBrowser for help on using the repository browser.