[1] | 1 | #####################################################################
|
---|
| 2 | #
|
---|
| 3 | # Configuration file template for yule.
|
---|
| 4 | #
|
---|
| 5 | #####################################################################
|
---|
| 6 | #
|
---|
| 7 | # NOTE: This is a log server-only configuration file TEMPLATE.
|
---|
| 8 | #
|
---|
| 9 | # NOTE: The log server ('yule') will look for THAT configuration file
|
---|
| 10 | # that has been defined at compile time with the configure option
|
---|
| 11 | # ./configure --with-config-file=FILE
|
---|
| 12 | # The default is "/usr/local/etc/.samhainrc" (NOT "yulerc").
|
---|
| 13 | #
|
---|
| 14 | #####################################################################
|
---|
| 15 | #
|
---|
| 16 | # -- empty lines and lines starting with '#', ';' or '//' are ignored
|
---|
| 17 | # -- you can PGP clearsign this file -- samhain will check (if compiled
|
---|
| 18 | # with support) or otherwise ignore the signature
|
---|
| 19 | # -- CHECK mail address
|
---|
| 20 | #
|
---|
| 21 | # To each log facility, you can assign a threshold severity. Only
|
---|
| 22 | # reports with at least the threshold severity will be logged
|
---|
| 23 | # to the respective facility (even further below).
|
---|
| 24 | #
|
---|
| 25 | #####################################################################
|
---|
| 26 |
|
---|
| 27 |
|
---|
| 28 | [Log]
|
---|
| 29 | ##
|
---|
| 30 | ## Switch on/OFF log facilities and set their threshold severity
|
---|
| 31 | ##
|
---|
| 32 | ## Values: debug, info, notice, warn, mark, err, crit, alert, none.
|
---|
| 33 | ## 'mark' is used for timestamps.
|
---|
| 34 | ##
|
---|
| 35 | ##
|
---|
| 36 | ## Use 'none' to SWITCH OFF a log facility
|
---|
| 37 | ##
|
---|
| 38 | ## By default, everything equal to and above the threshold is logged.
|
---|
| 39 | ## The specifiers '*', '!', and '=' are interpreted as
|
---|
| 40 | ## 'all', 'all but', and 'only', respectively (like syslogd(8) does,
|
---|
| 41 | ## at least on Linux). Examples:
|
---|
| 42 | ## MailSeverity=*
|
---|
| 43 | ## MailSeverity=!warn
|
---|
| 44 | ## MailSeverity==crit
|
---|
| 45 |
|
---|
| 46 | ## E-mail
|
---|
| 47 | ##
|
---|
| 48 | # MailSeverity=none
|
---|
| 49 |
|
---|
| 50 | ## Console
|
---|
| 51 | ##
|
---|
[415] | 52 | PrintSeverity=none
|
---|
[1] | 53 |
|
---|
| 54 | ## Logfile
|
---|
| 55 | ##
|
---|
[415] | 56 | LogSeverity = warn
|
---|
[1] | 57 |
|
---|
| 58 | ## Syslog
|
---|
| 59 | ##
|
---|
| 60 | # SyslogSeverity=none
|
---|
| 61 |
|
---|
| 62 | ## External script or program
|
---|
| 63 | ##
|
---|
| 64 | # ExternalSeverity = none
|
---|
| 65 |
|
---|
| 66 | ## Logging to a database
|
---|
| 67 | ##
|
---|
| 68 | # DatabaseSeverity = none
|
---|
| 69 |
|
---|
| 70 |
|
---|
| 71 | # [Database]
|
---|
| 72 | ##
|
---|
| 73 | ## --- Logging to a relational database
|
---|
| 74 | ##
|
---|
| 75 |
|
---|
| 76 | ## Database name
|
---|
| 77 | #
|
---|
| 78 | # SetDBName = samhain
|
---|
| 79 |
|
---|
| 80 | ## Database table
|
---|
| 81 | #
|
---|
| 82 | # SetDBTable = log
|
---|
| 83 |
|
---|
| 84 | ## Database user
|
---|
| 85 | #
|
---|
| 86 | # SetDBUser = samhain
|
---|
| 87 |
|
---|
| 88 | ## Database password
|
---|
| 89 | #
|
---|
| 90 | # SetDBPassword = (default: none)
|
---|
| 91 |
|
---|
| 92 | ## Database host
|
---|
| 93 | #
|
---|
| 94 | # SetDBHost = localhost
|
---|
| 95 |
|
---|
| 96 | ## Log the server timestamp for received messages
|
---|
| 97 | #
|
---|
[415] | 98 | # SetDBServerTstamp = True
|
---|
[1] | 99 |
|
---|
| 100 | ## Use a persistent connection
|
---|
| 101 | #
|
---|
[415] | 102 | # UsePersistent = True
|
---|
[1] | 103 |
|
---|
| 104 |
|
---|
| 105 |
|
---|
| 106 | # [External]
|
---|
| 107 | ##
|
---|
| 108 | ## Interface to call external scripts/programs for logging
|
---|
| 109 | ##
|
---|
| 110 |
|
---|
| 111 | ## The absolute path to the command
|
---|
| 112 | ## - Each invocation of this directive will end the definition of the
|
---|
| 113 | ## preceding command, and start the definition of
|
---|
| 114 | ## an additional, new command
|
---|
| 115 | #
|
---|
| 116 | # OpenCommand = (no default)
|
---|
| 117 |
|
---|
| 118 | ## Type (log or rv)
|
---|
| 119 | ## - log for log messages, srv for messages received by the server
|
---|
| 120 | #
|
---|
| 121 | # SetType = log
|
---|
| 122 |
|
---|
| 123 | ## The command (full command line) to execute
|
---|
| 124 | #
|
---|
| 125 | # SetCommandLine = (no default)
|
---|
| 126 |
|
---|
| 127 | ## The environment (KEY=value; repeat for more)
|
---|
| 128 | #
|
---|
| 129 | # SetEnviron = TZ=(your timezone)
|
---|
| 130 |
|
---|
| 131 | ## The TIGER192 checksum (optional)
|
---|
| 132 | #
|
---|
| 133 | # SetChecksum = (no default)
|
---|
| 134 |
|
---|
| 135 | ## User who runs the command
|
---|
| 136 | #
|
---|
| 137 | # SetCredentials = (default: samhain process uid)
|
---|
| 138 |
|
---|
| 139 | ## Words not allowed in message
|
---|
| 140 | #
|
---|
| 141 | # SetFilterNot = (none)
|
---|
| 142 |
|
---|
| 143 | ## Words required (ALL of them)
|
---|
| 144 | #
|
---|
| 145 | # SetFilterAnd = (none)
|
---|
| 146 |
|
---|
| 147 | ## Words required (at least one)
|
---|
| 148 | #
|
---|
| 149 | # SetFilterOr = (none)
|
---|
| 150 |
|
---|
| 151 | ## Deadtime between consecutive calls
|
---|
| 152 | #
|
---|
| 153 | # SetDeadtime = 0
|
---|
| 154 |
|
---|
| 155 | ## Add default environment (HOME, PATH, SHELL)
|
---|
| 156 | #
|
---|
| 157 | # SetDefault = no
|
---|
| 158 |
|
---|
| 159 |
|
---|
| 160 | #####################################################
|
---|
| 161 | #
|
---|
| 162 | # Miscellaneous configuration options
|
---|
| 163 | #
|
---|
| 164 | #####################################################
|
---|
| 165 |
|
---|
| 166 |
|
---|
| 167 | [Misc]
|
---|
| 168 | # whether to become a daemon process
|
---|
| 169 | Daemon=yes
|
---|
| 170 |
|
---|
| 171 | ## Interval between time stamp messages
|
---|
| 172 | #
|
---|
| 173 | # SetLoopTime = 60
|
---|
| 174 | SetLoopTime = 600
|
---|
| 175 |
|
---|
[30] | 176 | ## Normally, client messages are regarded as data within a
|
---|
| 177 | ## server message of fixed severity. The following two
|
---|
| 178 | ## options cause the server to use the original severity/class
|
---|
| 179 | ## of client messages for logging.
|
---|
| 180 | #
|
---|
| 181 | # UseClientSeverity = False
|
---|
| 182 | # UseClientClass = False
|
---|
| 183 |
|
---|
[1] | 184 | ## The maximum time between client messages (seconds)
|
---|
| 185 | ## This allows the server to flag clients that have exceeded
|
---|
| 186 | ## the timeout limits; i.e. might have died for some reason.
|
---|
| 187 | #
|
---|
| 188 | # SetClientTimeLimit = 86400
|
---|
| 189 |
|
---|
| 190 | ## Use client address as known to the communication layer (might be
|
---|
| 191 | ## incorrect if the client is behind NAT). The default is to use
|
---|
| 192 | ## the client name as claimed by the client, and verify it against
|
---|
| 193 | ## the former (might be incorrect if the client has several
|
---|
| 194 | ## interfaces, and its hostname resolves to the wrong interface).
|
---|
| 195 | #
|
---|
| 196 | # SetClientFromAccept = False
|
---|
| 197 |
|
---|
| 198 | ## If SetClientFromAccept is False (default), severity of a
|
---|
| 199 | ## failure to resolve the hostname claimed by the client
|
---|
| 200 | ## to the IP address of the socket peer.
|
---|
| 201 | #
|
---|
| 202 | # SeverityLookup = crit
|
---|
| 203 |
|
---|
| 204 | ## The console device (can also be a file or named pipe)
|
---|
| 205 | ## - There are two console devices. Accordingly, you can use
|
---|
| 206 | ## this directive a second time to set the second console device.
|
---|
| 207 | ## If you have not defined the second device at compile time,
|
---|
| 208 | ## and you don't want to use it, then:
|
---|
| 209 | ## setting it to /dev/null is less effective than just leaving
|
---|
| 210 | ## it alone (setting to /dev/null will waste time by opening
|
---|
| 211 | ## /dev/null and writing to it)
|
---|
| 212 | #
|
---|
| 213 | # SetConsole = /dev/console
|
---|
| 214 |
|
---|
| 215 | ## Use separate logfiles for individual clients
|
---|
| 216 | #
|
---|
| 217 | # UseSeparateLogs = False
|
---|
| 218 |
|
---|
| 219 | ## Enable listening on port 514/udp for logging of remote syslog
|
---|
| 220 | ## messages (if optionally compiled with support for this)
|
---|
| 221 | #
|
---|
| 222 | # SetUDPActive = False
|
---|
| 223 |
|
---|
| 224 |
|
---|
| 225 | ## Activate the SysV IPC message queue
|
---|
| 226 | #
|
---|
| 227 | # MessageQueueActive = False
|
---|
| 228 |
|
---|
| 229 |
|
---|
| 230 | ## If false, skip reverse lookup when connecting to a host known
|
---|
| 231 | ## by name rather than IP address (i.e. trust the DNS)
|
---|
| 232 | #
|
---|
| 233 | # SetReverseLookup = True
|
---|
| 234 |
|
---|
| 235 | ## If true, open a Unix domain socket to listen for commands that should
|
---|
| 236 | ## be passed to clients upon next connection. Only works on systems
|
---|
| 237 | ## that support passing of peer credentials (for authentication) via sockets.
|
---|
| 238 | ## Use yulectl to access the socket.
|
---|
| 239 | #
|
---|
| 240 | # SetUseSocket = False
|
---|
| 241 |
|
---|
| 242 | ## The UID of the user that is allowed to pass commands to the server
|
---|
| 243 | ## via the Unix domain socket.
|
---|
| 244 | #
|
---|
| 245 | # SetSocketAllowUid = 0
|
---|
| 246 |
|
---|
| 247 | ## --- E-Mail ---
|
---|
| 248 |
|
---|
| 249 | # Only highest-level (alert) reports will be mailed immediately,
|
---|
| 250 | # others will be queued. Here you can define, when the queue will
|
---|
| 251 | # be flushed (Note: the queue is automatically flushed after
|
---|
| 252 | # completing a file check).
|
---|
| 253 | #
|
---|
| 254 | # SetMailTime = 86400
|
---|
| 255 |
|
---|
| 256 | ## Maximum number of mails to queue
|
---|
| 257 | #
|
---|
| 258 | # SetMailNum = 10
|
---|
| 259 |
|
---|
| 260 | ## Recipient (max. 8)
|
---|
| 261 | #
|
---|
| 262 | # SetMailAddress=root@localhost
|
---|
| 263 |
|
---|
| 264 | ## Mail relay (IP address)
|
---|
| 265 | #
|
---|
| 266 | # SetMailRelay = NULL
|
---|
| 267 |
|
---|
| 268 | ## Custom subject format
|
---|
| 269 | #
|
---|
| 270 | # MailSubject = NULL
|
---|
| 271 |
|
---|
| 272 | ## --- end E-Mail ---
|
---|
| 273 |
|
---|
| 274 | # The binary. Setting the path will allow
|
---|
| 275 | # samhain to check for modifications between
|
---|
| 276 | # startup and exit.
|
---|
| 277 | #
|
---|
| 278 | # SamhainPath=/usr/local/bin/yule
|
---|
| 279 |
|
---|
| 280 | ## The IP address of the time server
|
---|
| 281 | #
|
---|
| 282 | # SetTimeServer = (default: compiled-in)
|
---|
| 283 |
|
---|
| 284 | ## Trusted Users (comma delimited list of user names)
|
---|
| 285 | #
|
---|
| 286 | # TrustedUser = (no default; this adds to the compiled-in list)
|
---|
| 287 |
|
---|
| 288 | ## Custom format for message header.
|
---|
| 289 | ## CAREFUL if you use XML logfile format.
|
---|
| 290 | ##
|
---|
| 291 | ## %S severity
|
---|
| 292 | ## %T timestamp
|
---|
| 293 | ## %C class
|
---|
| 294 | ##
|
---|
| 295 | ## %F source file
|
---|
| 296 | ## %L source line
|
---|
| 297 | #
|
---|
| 298 | # MessageHeader="%S %T "
|
---|
| 299 |
|
---|
| 300 |
|
---|
| 301 | ## Don't log path to config/database file on startup
|
---|
| 302 | #
|
---|
| 303 | # HideSetup = False
|
---|
| 304 |
|
---|
| 305 | ## The syslog facility, if you log to syslog
|
---|
| 306 | #
|
---|
| 307 | # SyslogFacility = LOG_AUTHPRIV
|
---|
| 308 |
|
---|
| 309 |
|
---|
| 310 | ## The message authentication method
|
---|
| 311 | ## - If you change this, you *must* change it
|
---|
| 312 | ## on client *and* server
|
---|
| 313 | #
|
---|
| 314 | # MACType = HMAC-TIGER
|
---|
| 315 |
|
---|
| 316 |
|
---|
| 317 | [Clients]
|
---|
| 318 | ##
|
---|
| 319 | ## This is a sample registry entry for a client at host 'HOSTNAME'. This entry
|
---|
| 320 | ## is valid for the default password.
|
---|
| 321 | ## You are STRONGLY ADVISED to reset te password (see the README) and
|
---|
| 322 | ## compute your own entries using 'samhain -P <password>'
|
---|
| 323 | ##
|
---|
| 324 | ## Usually, HOSTNAME should be a fully qualified hostname,
|
---|
| 325 | ## no numerical address.
|
---|
| 326 | ## -- exception: if the client (samhain) cannot determine the
|
---|
| 327 | ## fully qualified hostname of its host,
|
---|
| 328 | ## the numerical address may be required.
|
---|
| 329 | ## You will know if you get a message like:
|
---|
| 330 | ## 'Invalid connection attempt: Not in
|
---|
| 331 | ## client list what.ever.it.is'
|
---|
| 332 | ##
|
---|
| 333 | ## First entry is for challenge/response, second one for SRP authentication.
|
---|
| 334 | #
|
---|
| 335 | # Client=HOSTNAME@00000000@C39F0EEFBC64E4A8BBF72349637CC07577F714B420B62882
|
---|
| 336 | # Client=HOSTNAME@8F81BA58956F8F42@8932D08C49CA76BD843C51EDD1D6640510FA032A7A2403E572BBDA2E5C6B753991CF7E091141D20A2499C5CD3E14C1639D17482E14E1548E5246ACF4E7193D524CDDAC9C9D6A9A36C596B4ECC68BEB0C5BB7082224946FC98E3ADE214EA1343E2DA8DF4229D4D8572AD8679228928A787B6E5390D3A713102FFCC9D0B2188C92
|
---|