Index: trunk/samhainrc.freebsd
===================================================================
--- trunk/samhainrc.freebsd	(revision 591)
+++ trunk/samhainrc.freebsd	(revision 1)
@@ -61,160 +61,50 @@
 # RedefUser1=(no default)
 
-#
-# --------- / --------------
-#
-
-[ReadOnly]
-dir = 0/
-
 [Attributes]
-file = /
-file = /proc
-file = /entropy
-file = /tmp
-file = /var
-
-#
-# --------- /dev -----------
-#
-
-[Attributes]
-dir = 99/dev
+##
+## for these files, only changes in permissions and ownership are checked
+##
+
+file=/usr/compat/linux/etc
+file=/usr/compat/linux/etc/ld.so.cache
+
+dir=/var/mail
+dir=/var/spool/lp/tmp
+dir=/var/tmp
+# dir=/var/dt/tmp
+dir=/tmp
+
+
+[LogFiles]
+##
+## for these files, changes in signature, timestamps, and size are ignored 
+##
+
+file=/var/run/utmp
+
+
+[GrowingLogFiles]
+##
+## for these files, changes in signature, timestamps, and increase in size
+##                  are ignored 
+##
+
+file=/var/log/wtmp
+file=/var/log/messages
+file=/var/log/maillog
+file=/var/log/lastlog
+file=/var/log/cron
+file=/var/log/auth.log
+
 
 [IgnoreAll]
-file = /dev/ttyp?
-
-[Misc]
-##
-## pseudo terminals are created/removed as needed
-##
-IgnoreAdded = /dev/(p|t)typ.*
-IgnoreMissing = /dev/(p|t)typ.*
-
-
-#
-# --------- /etc -----------
-#
-
-[ReadOnly]
-##
-## for these files, only access time is ignored
-##
-dir = 99/etc
-
-
-#
-# --------- /boot -----------
-#
-
-[ReadOnly]
-dir = 99/boot
-
-#
-# --------- /bin, /sbin -----------
-#
-
-[ReadOnly]
-dir = 99/bin
-dir = 99/sbin
-
-#
-# --------- /lib -----------
-#
-
-[ReadOnly]
-dir = 99/lib
-
-#
-# --------- /libexec -----------
-#
-
-[ReadOnly]
-dir = 99/libexec
-
-#
-# --------- /rescue -----------
-#
-
-[ReadOnly]
-dir = 99/rescue
-
-#
-# --------- /root -----------
-#
-
-[Attributes]
-##
-## for these files, only changes in permissions and ownership are checked
-##
-dir = 99/root
-
-#
-# --------- /stand -----------
-#
-
-[ReadOnly]
-dir = 99/stand
-
-#
-# --------- /usr -----------
-#
-
-[ReadOnly]
-dir = 99/usr
-
-[Attributes]
-dir = /usr/.snap
-dir = /usr/share/man/cat?
-file = /usr/compat/linux/etc
-file = /usr/compat/linux/etc/ld.so.cache
-
-[IgnoreAll]
-dir = -1/usr/home
-
-#
-# --------- /var -----------
-#
-
-[Attributes]
-
-dir = 0/var
-
-[LogFiles]
-##
-## for these files, changes in signature, timestamps, and size are ignored 
-##
-
-file=/var/run/utmp
-
-[GrowingLogFiles]
-##
-## For these files, changes in signature, timestamps, and increase in size
-## are ignored. Logfile rotation will cause a report because of shrinking
-## size and different inode. 
-##
-dir = 99/var/log
-
-[Attributes]
-#
-# rotated logs will change inode
-#
-file = /var/log/*.[0-9].bz2
-file = /var/log/*.[0-9].log
-file = /var/log/*.[0-9]
-file = /var/log/*.[0-9][0-9]
-file = /var/log/*.old
-
-file = /var/log/sendmail.st
-
-
-[Misc]
-#
-# Various naming schemes for rotated logs
-#
-IgnoreAdded = /var/log/.*\.[0-9]+$
-IgnoreAdded = /var/log/.*\.[0-9]+\.gz$
-IgnoreAdded = /var/log/.*\.[0-9]+\.bz2$
-IgnoreAdded = /var/log/.*\.[0-9]+\.log$
+##
+## for these files, no modifications are reported
+##
+
+dir=/usr/share/man
+dir=/usr/share/games
+dir=/usr/share/misc
+dir=/usr/X11R6/man
 
 
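Review bot: The `[IgnoreAll]` block at the end of this hunk places four whole directories (`/usr/share/man`, `/usr/share/games`, `/usr/share/misc`, `/usr/X11R6/man`) under a policy whose own comment says no modifications are reported. That leaves unmonitored locations inside `/usr`, which the `[ReadOnly]` block in the next hunk lists as `dir=/usr`. If the aim is only to silence content churn, listing them under `[Attributes]` would keep ownership and permission changes visible; otherwise add a comment such as `## exempt: regenerated by <tool>, reviewed <date>` above each entry. The file headers give revision 591 as the old side and revision 1 as the new side, so the added lines here are the earlier configuration and should be read with that direction in mind.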
@@ -227,4 +117,21 @@
 
 
+[ReadOnly]
+##
+## for these files, only access time is ignored
+##
+
+dir=/bin
+dir=/boot
+dir=3/etc
+dir=/sbin
+dir=1/stand
+dir=/stand/etc
+dir=/stand/modules
+dir=/usr
+dir=2/var/cron
+
+file=/kernel
+dir=/modules
 
 [User0]
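Review bot: `dir=/bin`, `dir=/boot`, `dir=/sbin`, `dir=/usr` and `dir=/modules` carry no depth prefix, unlike `dir=3/etc`, `dir=1/stand` and `dir=2/var/cron` in the same block. How far they are descended therefore depends on a default recursion depth that is set outside this hunk. For a tree as deep as `/usr`, put the depth on the line itself, for example `dir=99/usr`, so that a low default does not silently leave nested binaries and libraries unchecked. Also, `/lib`, `/libexec`, `/rescue` and `/root` do not appear on the new side of the visible hunks; confirm they are covered elsewhere in the file.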
@@ -370,4 +277,21 @@
 # SuidCheckQuarantineDelete = yes
 
+# [Kernel]
+##
+## --- Check for loadable kernel module rootkits (Linux/FreeBSD only) 
+##
+
+## Switch on/off
+#
+# KernelCheckActive = True
+
+## Check interval (seconds); btw., the check is VERY fast
+#
+# KernelCheckInterval = 300
+
+## Severity
+#
+# SeverityKernel = crit
+
 
 # [Utmp]
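Review bot: The `# [Kernel]` header is commented out with the same single `#` as the three options below it, and nothing tells the reader that the header has to be enabled along with them. If someone uncomments only `KernelCheckActive = True`, the key would presumably be read as part of whatever section precedes it (the suid-check options, judging by the context line) and the check would not run as intended. A line such as `## Uncomment the [Kernel] header together with the options below` at the top of the block would prevent that. It is also worth confirming that the installed samhain version still supports this check before relying on it.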
@@ -529,5 +453,5 @@
 # FileCheckScheduleTwo = NULL
 
-## Report only once on modified files 
+## Report only once on modified fles 
 ## Setting this to 'FALSE' will generate a report for any policy 
 ## violation (old and new ones) each time the daemon checks the file system.
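Review bot: The added comment line reads `modified fles`, a typo for `files` that the removed line did not have. It should stay as `## Report only once on modified files`, so that a text search for this option's description still finds it.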
@@ -621,5 +545,5 @@
 ## Path to the PID file
 #
-# SetLockfilePath = (default: compiled-in)
+# SetLockPath = (default: compiled-in)
 
 
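Review bot: The commented template on the added line names the option `SetLockPath`, while the removed line names it `SetLockfilePath`; only one spelling can match the option table of the samhain version in use. The line is inert while commented out, but an administrator who uncomments it with the wrong name gets either a configuration error or a PID file that stays at the compiled-in path, depending on how unknown keys are handled. Check the name against the installed version's documentation and keep the template line in step with it, e.g. `# SetLockfilePath = (default: compiled-in)` if that is the recognised form.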
