##################################################################### # # Configuration file template for samhain. # ##################################################################### # # -- empty lines and lines starting with '#' are ignored # -- you can PGP clearsign this file -- samhain will check (if compiled # with support) or otherwise ignore the signature # -- CHECK mail address # # To each log facility, you can assign a threshold severity. Only # reports with at least the threshold severity will be logged # to the respective facility (even further below). # ##################################################################### # # SETUP for file system checking: # # (i) There are several policies, each has its own section. Put files # into the section for the appropriate policy (see below). # (ii) To each policy, you can assign a severity (further below). # (iii) To each log facility, you can assign a threshold severity. Only # reports with at least the threshold severity will be logged # to the respective facility (even further below). # ##################################################################### [Attributes] # # for these files, only changes in permissions and ownership are checked # file=/etc/mtab #file=/etc/ssh_random_seed #file=/etc/asound.conf #file=/etc/resolv.conf file=/etc/localtime #file=/etc/ioctl.save #file=/etc/passwd.backup #file=/etc/shadow.backup # # There are files in /etc that might change, thus changing the directory # timestamps. Put it here as 'file', and in the ReadOnly section as 'dir'. # file=/etc [GrowingLogFiles] # # for these files, changes in signature, timestamps, and increase in size # are ignored # file=/var/log/messages [ReadOnly] # # for these files, only access time is ignored # dir=/usr/bin #dir=/bin [EventSeverity] # # Here you can assign severities to policy violations. # If this severity exceeds the treshold of a log facility (see below), # a policy violation will be logged to that facility. # # Severity for verification failures. # SeverityReadOnly=crit SeverityLogFiles=crit SeverityGrowingLogs=crit SeverityIgnoreNone=crit SeverityAttributes=crit # # We have a file in IgnoreAll that might or might not be present. # Setting the severity to 'info' prevents messages about deleted/new file. # SeverityIgnoreAll=info # # Files : file access problems # Dirs : directory access problems # Names : suspect (non-printable) characters in a pathname # SeverityFiles=crit SeverityDirs=crit SeverityNames=warn [Log] # # Set threshold severity for log facilities # Values: debug, info, notice, warn, mark, err, crit, alert, none. # 'mark' is used for timestamps. # # By default, everything equal to and above the threshold is logged. # The specifiers '*', '!', and '=' are interpreted as # 'all', 'all but', and 'only', respectively (like syslogd(8) does, # at least on Linux). # # MailSeverity=* # MailSeverity=!warn # MailSeverity==crit # MailSeverity=none PrintSeverity=info #PRINTClass = "RUN FIL STAMP" LogSeverity=none SyslogSeverity=none ExportSeverity=none DatabaseSeverity=info #databaseseverity=info [Database] # setdbname=samhain # setdbtable=log setdbuser=samhain setdbpassword=samhain #AddToDBHash=log_msg # AddToDBHash=log_host [Utmp] # # 0 to switch off, 1 to activate # LoginCheckActive=1 # Severity for logins, multiple logins, logouts # SeverityLogin=info SeverityLoginMulti=warn SeverityLogout=info # interval for login/logout checks # LoginCheckInterval=60 [Misc] # # whether to become a daemon process Daemon=no SetOutgoingIP=127.0.0.1 UseSeparateLogs=yes SetUseSocket = yes #SetClientFromAccept = yes SetUdpActive=no # the maximum time between client messages (seconds) # (this is a log server-only option; the default is 86400 sec = 1 day # # SetClientTimeLimit=1800 UseClientSeverity = yes UseClientClass = yes # Format for message headers # # MessageHeader="%S %T %F %L " # priority for peer != address as notified by client # (lookup may fail on firewalled client) # # SeverityLookup = warn # time till next file check (seconds) SetFilecheckTime=600 # Only highest-level (alert) reports will be mailed immediately, # others will be queued. Here you can define, when the queue will # be flushed (Note: the queue is automatically flushed after # completing a file check). # # maximum time till next mail (seconds) SetMailTime=86400 # maximum number of queued mails SetMailNum=10 # where to send mail to SetMailAddress=root@localhost # mail relay host # SetMailRelay=relay.yourdomain.de # The binary. Setting the path will allow # samhain to check for modifications between # startup and exit. # # SamhainPath=/usr/local/bin/samhain # where to get time from # SetTimeServer=www.yourdomain.de # where to export logs to SetLogServer=localhost # timer for time stamps SetLoopTime=30 # trusted users (root and the effective user are always trusted) # TrustedUser=bin # whether to test signature of files (init/check/none) # - if 'none', then we have to decide this on the command line - # ChecksumTest=check [Clients]