[1] | 1 | #####################################################################
|
---|
| 2 | #
|
---|
| 3 | # Configuration file template for yule.
|
---|
| 4 | #
|
---|
| 5 | #####################################################################
|
---|
| 6 | #
|
---|
| 7 | # NOTE: This is a log server-only configuration file TEMPLATE.
|
---|
| 8 | #
|
---|
| 9 | # NOTE: The log server ('yule') will look for THAT configuration file
|
---|
| 10 | # that has been defined at compile time with the configure option
|
---|
| 11 | # ./configure --with-config-file=FILE
|
---|
| 12 | # The default is "/usr/local/etc/.samhainrc" (NOT "yulerc").
|
---|
| 13 | #
|
---|
| 14 | #####################################################################
|
---|
| 15 | #
|
---|
| 16 | # -- empty lines and lines starting with '#', ';' or '//' are ignored
|
---|
| 17 | # -- you can PGP clearsign this file -- samhain will check (if compiled
|
---|
| 18 | # with support) or otherwise ignore the signature
|
---|
| 19 | # -- CHECK mail address
|
---|
| 20 | #
|
---|
| 21 | # To each log facility, you can assign a threshold severity. Only
|
---|
| 22 | # reports with at least the threshold severity will be logged
|
---|
| 23 | # to the respective facility (even further below).
|
---|
| 24 | #
|
---|
| 25 | #####################################################################
|
---|
| 26 |
|
---|
| 27 |
|
---|
| 28 | [Log]
|
---|
| 29 | ##
|
---|
| 30 | ## Switch on/OFF log facilities and set their threshold severity
|
---|
| 31 | ##
|
---|
| 32 | ## Values: debug, info, notice, warn, mark, err, crit, alert, none.
|
---|
| 33 | ## 'mark' is used for timestamps.
|
---|
| 34 | ##
|
---|
| 35 | ##
|
---|
| 36 | ## Use 'none' to SWITCH OFF a log facility
|
---|
| 37 | ##
|
---|
| 38 | ## By default, everything equal to and above the threshold is logged.
|
---|
| 39 | ## The specifiers '*', '!', and '=' are interpreted as
|
---|
| 40 | ## 'all', 'all but', and 'only', respectively (like syslogd(8) does,
|
---|
| 41 | ## at least on Linux). Examples:
|
---|
| 42 | ## MailSeverity=*
|
---|
| 43 | ## MailSeverity=!warn
|
---|
| 44 | ## MailSeverity==crit
|
---|
| 45 |
|
---|
| 46 | ## E-mail
|
---|
| 47 | ##
|
---|
| 48 | # MailSeverity=none
|
---|
| 49 | MailSeverity=crit
|
---|
| 50 |
|
---|
| 51 | ## Console
|
---|
| 52 | ##
|
---|
| 53 | # PrintSeverity=info
|
---|
| 54 |
|
---|
| 55 | ## Logfile
|
---|
| 56 | ##
|
---|
| 57 | # LogSeverity=none
|
---|
| 58 |
|
---|
| 59 | ## Syslog
|
---|
| 60 | ##
|
---|
| 61 | # SyslogSeverity=none
|
---|
| 62 |
|
---|
| 63 | ## External script or program
|
---|
| 64 | ##
|
---|
| 65 | # ExternalSeverity = none
|
---|
| 66 |
|
---|
| 67 | ## Logging to a database
|
---|
| 68 | ##
|
---|
| 69 | # DatabaseSeverity = none
|
---|
| 70 |
|
---|
| 71 |
|
---|
| 72 | # [Database]
|
---|
| 73 | ##
|
---|
| 74 | ## --- Logging to a relational database
|
---|
| 75 | ##
|
---|
| 76 |
|
---|
| 77 | ## Database name
|
---|
| 78 | #
|
---|
| 79 | # SetDBName = samhain
|
---|
| 80 |
|
---|
| 81 | ## Database table
|
---|
| 82 | #
|
---|
| 83 | # SetDBTable = log
|
---|
| 84 |
|
---|
| 85 | ## Database user
|
---|
| 86 | #
|
---|
| 87 | # SetDBUser = samhain
|
---|
| 88 |
|
---|
| 89 | ## Database password
|
---|
| 90 | #
|
---|
| 91 | # SetDBPassword = (default: none)
|
---|
| 92 |
|
---|
| 93 | ## Database host
|
---|
| 94 | #
|
---|
| 95 | # SetDBHost = localhost
|
---|
| 96 |
|
---|
| 97 | ## Log the server timestamp for received messages
|
---|
| 98 | #
|
---|
| 99 | SetDBServerTstamp = True
|
---|
| 100 |
|
---|
| 101 | ## Use a persistent connection
|
---|
| 102 | #
|
---|
| 103 | UsePersistent = True
|
---|
| 104 |
|
---|
| 105 |
|
---|
| 106 |
|
---|
| 107 | # [External]
|
---|
| 108 | ##
|
---|
| 109 | ## Interface to call external scripts/programs for logging
|
---|
| 110 | ##
|
---|
| 111 |
|
---|
| 112 | ## The absolute path to the command
|
---|
| 113 | ## - Each invocation of this directive will end the definition of the
|
---|
| 114 | ## preceding command, and start the definition of
|
---|
| 115 | ## an additional, new command
|
---|
| 116 | #
|
---|
| 117 | # OpenCommand = (no default)
|
---|
| 118 |
|
---|
| 119 | ## Type (log or rv)
|
---|
| 120 | ## - log for log messages, srv for messages received by the server
|
---|
| 121 | #
|
---|
| 122 | # SetType = log
|
---|
| 123 |
|
---|
| 124 | ## The command (full command line) to execute
|
---|
| 125 | #
|
---|
| 126 | # SetCommandLine = (no default)
|
---|
| 127 |
|
---|
| 128 | ## The environment (KEY=value; repeat for more)
|
---|
| 129 | #
|
---|
| 130 | # SetEnviron = TZ=(your timezone)
|
---|
| 131 |
|
---|
| 132 | ## The TIGER192 checksum (optional)
|
---|
| 133 | #
|
---|
| 134 | # SetChecksum = (no default)
|
---|
| 135 |
|
---|
| 136 | ## User who runs the command
|
---|
| 137 | #
|
---|
| 138 | # SetCredentials = (default: samhain process uid)
|
---|
| 139 |
|
---|
| 140 | ## Words not allowed in message
|
---|
| 141 | #
|
---|
| 142 | # SetFilterNot = (none)
|
---|
| 143 |
|
---|
| 144 | ## Words required (ALL of them)
|
---|
| 145 | #
|
---|
| 146 | # SetFilterAnd = (none)
|
---|
| 147 |
|
---|
| 148 | ## Words required (at least one)
|
---|
| 149 | #
|
---|
| 150 | # SetFilterOr = (none)
|
---|
| 151 |
|
---|
| 152 | ## Deadtime between consecutive calls
|
---|
| 153 | #
|
---|
| 154 | # SetDeadtime = 0
|
---|
| 155 |
|
---|
| 156 | ## Add default environment (HOME, PATH, SHELL)
|
---|
| 157 | #
|
---|
| 158 | # SetDefault = no
|
---|
| 159 |
|
---|
| 160 |
|
---|
| 161 | #####################################################
|
---|
| 162 | #
|
---|
| 163 | # Miscellaneous configuration options
|
---|
| 164 | #
|
---|
| 165 | #####################################################
|
---|
| 166 |
|
---|
| 167 | [Misc]
|
---|
| 168 |
|
---|
| 169 | ## whether to become a daemon process
|
---|
| 170 | ## (this is not honoured on database initialisation)
|
---|
| 171 | #
|
---|
| 172 | # Daemon = no
|
---|
| 173 | Daemon = yes
|
---|
| 174 |
|
---|
| 175 |
|
---|
| 176 |
|
---|
| 177 | [Misc]
|
---|
| 178 | # whether to become a daemon process
|
---|
| 179 | Daemon=yes
|
---|
| 180 |
|
---|
| 181 | ## Interval between time stamp messages
|
---|
| 182 | #
|
---|
| 183 | # SetLoopTime = 60
|
---|
| 184 | SetLoopTime = 600
|
---|
| 185 |
|
---|
| 186 | ## The maximum time between client messages (seconds)
|
---|
| 187 | ## This allows the server to flag clients that have exceeded
|
---|
| 188 | ## the timeout limits; i.e. might have died for some reason.
|
---|
| 189 | #
|
---|
| 190 | # SetClientTimeLimit = 86400
|
---|
| 191 |
|
---|
| 192 | ## Use client address as known to the communication layer (might be
|
---|
| 193 | ## incorrect if the client is behind NAT). The default is to use
|
---|
| 194 | ## the client name as claimed by the client, and verify it against
|
---|
| 195 | ## the former (might be incorrect if the client has several
|
---|
| 196 | ## interfaces, and its hostname resolves to the wrong interface).
|
---|
| 197 | #
|
---|
| 198 | # SetClientFromAccept = False
|
---|
| 199 |
|
---|
| 200 | ## If SetClientFromAccept is False (default), severity of a
|
---|
| 201 | ## failure to resolve the hostname claimed by the client
|
---|
| 202 | ## to the IP address of the socket peer.
|
---|
| 203 | #
|
---|
| 204 | # SeverityLookup = crit
|
---|
| 205 |
|
---|
| 206 | ## The console device (can also be a file or named pipe)
|
---|
| 207 | ## - There are two console devices. Accordingly, you can use
|
---|
| 208 | ## this directive a second time to set the second console device.
|
---|
| 209 | ## If you have not defined the second device at compile time,
|
---|
| 210 | ## and you don't want to use it, then:
|
---|
| 211 | ## setting it to /dev/null is less effective than just leaving
|
---|
| 212 | ## it alone (setting to /dev/null will waste time by opening
|
---|
| 213 | ## /dev/null and writing to it)
|
---|
| 214 | #
|
---|
| 215 | # SetConsole = /dev/console
|
---|
| 216 |
|
---|
| 217 | ## Use separate logfiles for individual clients
|
---|
| 218 | #
|
---|
| 219 | # UseSeparateLogs = False
|
---|
| 220 |
|
---|
| 221 | ## Enable listening on port 514/udp for logging of remote syslog
|
---|
| 222 | ## messages (if optionally compiled with support for this)
|
---|
| 223 | #
|
---|
| 224 | # SetUDPActive = False
|
---|
| 225 |
|
---|
| 226 |
|
---|
| 227 | ## Activate the SysV IPC message queue
|
---|
| 228 | #
|
---|
| 229 | # MessageQueueActive = False
|
---|
| 230 |
|
---|
| 231 |
|
---|
| 232 | ## If false, skip reverse lookup when connecting to a host known
|
---|
| 233 | ## by name rather than IP address (i.e. trust the DNS)
|
---|
| 234 | #
|
---|
| 235 | # SetReverseLookup = True
|
---|
| 236 |
|
---|
| 237 | ## If true, open a Unix domain socket to listen for commands that should
|
---|
| 238 | ## be passed to clients upon next connection. Only works on systems
|
---|
| 239 | ## that support passing of peer credentials (for authentication) via sockets.
|
---|
| 240 | ## Use yulectl to access the socket.
|
---|
| 241 | #
|
---|
| 242 | # SetUseSocket = False
|
---|
| 243 |
|
---|
| 244 | ## The UID of the user that is allowed to pass commands to the server
|
---|
| 245 | ## via the Unix domain socket.
|
---|
| 246 | #
|
---|
| 247 | # SetSocketAllowUid = 0
|
---|
| 248 |
|
---|
| 249 | ## --- E-Mail ---
|
---|
| 250 |
|
---|
| 251 | # Only highest-level (alert) reports will be mailed immediately,
|
---|
| 252 | # others will be queued. Here you can define, when the queue will
|
---|
| 253 | # be flushed (Note: the queue is automatically flushed after
|
---|
| 254 | # completing a file check).
|
---|
| 255 | #
|
---|
| 256 | # SetMailTime = 86400
|
---|
| 257 |
|
---|
| 258 | ## Maximum number of mails to queue
|
---|
| 259 | #
|
---|
| 260 | # SetMailNum = 10
|
---|
| 261 |
|
---|
| 262 | ## Recipient (max. 8)
|
---|
| 263 | #
|
---|
| 264 | # SetMailAddress=root@localhost
|
---|
| 265 |
|
---|
| 266 | ## Mail relay (IP address)
|
---|
| 267 | #
|
---|
| 268 | # SetMailRelay = NULL
|
---|
| 269 |
|
---|
| 270 | ## Custom subject format
|
---|
| 271 | #
|
---|
| 272 | # MailSubject = NULL
|
---|
| 273 |
|
---|
| 274 | ## --- end E-Mail ---
|
---|
| 275 |
|
---|
| 276 | # The binary. Setting the path will allow
|
---|
| 277 | # samhain to check for modifications between
|
---|
| 278 | # startup and exit.
|
---|
| 279 | #
|
---|
| 280 | # SamhainPath=/usr/local/bin/yule
|
---|
| 281 |
|
---|
| 282 | ## The IP address of the time server
|
---|
| 283 | #
|
---|
| 284 | # SetTimeServer = (default: compiled-in)
|
---|
| 285 |
|
---|
| 286 | ## Trusted Users (comma delimited list of user names)
|
---|
| 287 | #
|
---|
| 288 | # TrustedUser = (no default; this adds to the compiled-in list)
|
---|
| 289 |
|
---|
| 290 | ## Custom format for message header.
|
---|
| 291 | ## CAREFUL if you use XML logfile format.
|
---|
| 292 | ##
|
---|
| 293 | ## %S severity
|
---|
| 294 | ## %T timestamp
|
---|
| 295 | ## %C class
|
---|
| 296 | ##
|
---|
| 297 | ## %F source file
|
---|
| 298 | ## %L source line
|
---|
| 299 | #
|
---|
| 300 | # MessageHeader="%S %T "
|
---|
| 301 |
|
---|
| 302 |
|
---|
| 303 | ## Don't log path to config/database file on startup
|
---|
| 304 | #
|
---|
| 305 | # HideSetup = False
|
---|
| 306 |
|
---|
| 307 | ## The syslog facility, if you log to syslog
|
---|
| 308 | #
|
---|
| 309 | # SyslogFacility = LOG_AUTHPRIV
|
---|
| 310 |
|
---|
| 311 |
|
---|
| 312 | ## The message authentication method
|
---|
| 313 | ## - If you change this, you *must* change it
|
---|
| 314 | ## on client *and* server
|
---|
| 315 | #
|
---|
| 316 | # MACType = HMAC-TIGER
|
---|
| 317 |
|
---|
| 318 |
|
---|
| 319 | [Clients]
|
---|
| 320 | ##
|
---|
| 321 | ## This is a sample registry entry for a client at host 'HOSTNAME'. This entry
|
---|
| 322 | ## is valid for the default password.
|
---|
| 323 | ## You are STRONGLY ADVISED to reset te password (see the README) and
|
---|
| 324 | ## compute your own entries using 'samhain -P <password>'
|
---|
| 325 | ##
|
---|
| 326 | ## Usually, HOSTNAME should be a fully qualified hostname,
|
---|
| 327 | ## no numerical address.
|
---|
| 328 | ## -- exception: if the client (samhain) cannot determine the
|
---|
| 329 | ## fully qualified hostname of its host,
|
---|
| 330 | ## the numerical address may be required.
|
---|
| 331 | ## You will know if you get a message like:
|
---|
| 332 | ## 'Invalid connection attempt: Not in
|
---|
| 333 | ## client list what.ever.it.is'
|
---|
| 334 | ##
|
---|
| 335 | ## First entry is for challenge/response, second one for SRP authentication.
|
---|
| 336 | #
|
---|
| 337 | # Client=HOSTNAME@00000000@C39F0EEFBC64E4A8BBF72349637CC07577F714B420B62882
|
---|
| 338 | # Client=HOSTNAME@8F81BA58956F8F42@8932D08C49CA76BD843C51EDD1D6640510FA032A7A2403E572BBDA2E5C6B753991CF7E091141D20A2499C5CD3E14C1639D17482E14E1548E5246ACF4E7193D524CDDAC9C9D6A9A36C596B4ECC68BEB0C5BB7082224946FC98E3ADE214EA1343E2DA8DF4229D4D8572AD8679228928A787B6E5390D3A713102FFCC9D0B2188C92
|
---|