#####################################################################
#
# Configuration file template for samhain.
#
#####################################################################
# 
# -- empty lines and lines starting with '#' are ignored 
# -- you can PGP clearsign this file -- samhain will check (if compiled
#    with support) or otherwise ignore the signature
# -- CHECK mail address
#
# To each log facility, you can assign a threshold severity. Only
# reports with at least the threshold severity will be logged
# to the respective facility (even further below).
#
#####################################################################
#
# SETUP for file system checking:
# 
# (i)   There are several policies, each has its own section. Put files
#       into the section for the appropriate policy (see below).
# (ii)  To each policy, you can assign a severity (further below).
# (iii) To each log facility, you can assign a threshold severity. Only
#       reports with at least the threshold severity will be logged
#       to the respective facility (even further below).
#
#####################################################################


[Misc]
RedefUser0=-ATM

[Attributes]
#
# for these files, only changes in permissions and ownership are checked
#
#file=/etc/mtab
#file=/etc/ssh_random_seed
#file=/etc/asound.conf
#file=/etc/resolv.conf
#file=/etc/localtime
#file=/etc/ioctl.save
#file=/etc/passwd.backup
#file=/etc/shadow.backup


#
# There are files in /etc that might change (see above), 
# thus changing the timestamps on the directory special file.
# Put it here as 'file', and in the ReadOnly section as 'dir'.
#
file=/etc

[GrowingLogFiles]
#
# for these files, changes in signature, timestamps, and increase in size
#                  are ignored 
#
# Example for shell-style wildcard pattern
#
#file=/var/log/n*

[IgnoreAll]
#dir=-1/etc

[IgnoreNone]
#dir=-1/etc

[Attributes]
# dir=/opt/gnome/bin/
# file=/usr/bin/ssh


[ReadOnly]
#
# for these files, only access time is ignored
#
#dir=/dev
# dir=/usr/bin

#dir=/usr/bin
#dir=/lib
#dir=/usr/lib

#dir=/lib
#dir=3/etc
#dir=/tmp
# file=/usr/bin/ssh
# dir=1/home/rainer

[SuidCheck]
SuidCheckActive=false
#SuidCheckExclude=/home

[ProcessCheck]
#
# Activate (default is on)
#
ProcessCheckActive = no
	  
[PortCheck]
#
# Activate (default is on)
#
PortCheckActive = no


[Logmon]
	  
#
# Switch on the module
#
LogmonActive = yes

# Check every second
#
LogmonInterval = 1

# Strip PIDs from syslog messages
#
Logmonhidepid = true

# Define a queue with severity 'crit'.
# This is a 'report' queue, hence 'interval' (10)
# will be ignored.
#
LogmonQueue = q1:10:report:crit

# Monitor disks to check for full /dev/sda1
#
LogmonWatch = SHELL:df -h

# Warn about disk /dev/sda1 nearly full (80% or more. Use a 
# non-capturing subexpression [the (?:8|9)] for the percentage full.
#
LogmonRule = q1:/dev/nvme1n1p4\s+[0-9GM.]+\s+[0-9GM.]+\s+[0-9GM.]+\s+(?:8|9).%.*

LogmonDeadtime = 120
LogmonRule = trash:.*


[EventSeverity]
#
# Here you can assign severities to policy violations.
# If this severity exceeds the treshold of a log facility (see below),
# a policy violation will be logged to that facility.
#
# Severity for verification failures.
#
SeverityUser0=crit
SeverityUser1=crit
SeverityReadOnly=crit
SeverityLogFiles=crit
SeverityGrowingLogs=crit
SeverityIgnoreNone=crit
SeverityAttributes=crit
#
# We have a file in IgnoreAll that might or might not be present.
# Setting the severity to 'info' prevents messages about deleted/new file.
#
SeverityIgnoreAll=warn

#
# Files : file access problems
# Dirs  : directory access problems
# Names : suspect (non-printable) characters in a pathname
#
SeverityFiles=notice
SeverityDirs=info
SeverityNames=warn

[Log]
#
# Set threshold severity for log facilities
# Values: debug, info, notice, warn, mark, err, crit, alert, none.
# 'mark' is used for timestamps.
#
# By default, everything equal to and above the threshold is logged.
# The specifiers '*', '!', and '=' are interpreted as  
# 'all', 'all but', and 'only', respectively (like syslogd(8) does, 
# at least on Linux). 
# 
# MailSeverity=*
# MailSeverity=!warn
# MailSeverity==crit
#
MailSeverity=none
LogSeverity=warn
SyslogSeverity=none
#ExportSeverity=none
PrintSeverity=info
# Restrict to certain classes of messages
# MailClass = RUN
#PreludeSeverity = err

# Which system calls to log (execve, utime, unlink, dup, chdir, open, kill,
#  exit, fork, setuid, setgid, pipe)
#
# LogCalls = open


#[Kernel]
#
# Setings this to 1/true/yes will activate the check for loadable
# kernel module rootkits (Linux only) 
#
#KernelCheckActive=1
#KernelCheckInterval = 20

#[Utmp]
#
# 0 to switch off, 1 to activate
#
#LoginCheckActive=1

# Severity for logins, multiple logins, logouts
# 
#SeverityLogin=info
#SeverityLoginMulti=warn
#SeverityLogout=info

# interval for login/logout checks
#
#LoginCheckInterval=60

[Misc]
#
# whether to become a daemon process
Daemon=no

# Custom format for message header
#
# %S severity
# %T timestamp
# %C class
#
# %F source file
# %L source line
#
# MessageHeader="%S %T - %F - %L  "
# MessageHeader="<log sev="%S" time="%T" "

# the maximum time between client messages (seconds)
# (this is a log server-only option; the default is 86400 sec = 1 day
#
# SetClientTimeLimit=1800

# time till next file check (seconds)
SetFilecheckTime=120

# DigestAlgo=MD5

# Only highest-level (alert) reports will be mailed immediately,
# others will be queued. Here you can define, when the queue will
# be flushed (Note: the queue is automatically flushed after
# completing a file check).
#
# maximum time till next mail (seconds)
SetMailTime=86400

# maximum number of queued mails
SetMailNum=10

# where to send mail to
SetMailAddress=root@localhost
# MailSubject=* body %H # %M

#TrustedUser=uucp,fax,fnet

# Watch syslog port
#
# SetUDPActive = yes

# mail relay host
# SetMailRelay=localhost

# The binary. Setting the path will allow
# samhain to check for modifications between
# startup and exit.
#
# SamhainPath=/usr/local/bin/samhain

# where to get time from
# SetTimeServer=www.yourdomain.de

# where to export logs to
# SetLogServer=localhost

SetRecursionLevel=10

#setdatabasepath=AUTO
#setlogfilepath=AUTO
#setlockfilepath=AUTO

# timer for time stamps
SetLoopTime=60

# report in full detail on modified files
#
ReportFullDetail = no

# trusted users (root and the effective user are always trusted)
# TrustedUser=bin

# whether to test signature of files (init/check/none)
# - if 'none', then we have to decide this on the command line -
#
ChecksumTest=check

# Set the facility for syslog
#
# SyslogFacility=LOG_MAIL

# Don't log names of configuration/database files on startup
#
# HideSetup=yes


# everything below is ignored
[EOF]
