- Timestamp:
- Dec 31, 2005, 1:53:37 PM (19 years ago)
- File:
-
- 1 edited
trunk/samhainrc.linux
r1 r7 61 61 # RedefIgnoreAll=(no default) 62 62 # RedefIgnoreNone=(no default) 63 63 64 # RedefUser0=(no default) 64 65 # RedefUser1=(no default) 65 66 67 # 68 # --------- / -------------- 69 # 70 71 [ReadOnly] 72 dir = 0/ 73 74 # 75 # --------- /etc ----------- 76 # 77 78 [ReadOnly] 79 ## 80 ## for these files, only access time is ignored 81 ## 82 dir = 99/etc 83 66 84 [Attributes] 67 85 ## 68 ## for these files, only changes in permissions and ownership are checked 69 ## 70 file=/etc/mtab 71 file=/etc/ssh_random_seed 72 file=/etc/asound.conf 73 file=/etc/resolv.conf 74 file=/etc/localtime 75 file=/etc/ioctl.save 76 file=/etc/passwd.backup 77 file=/etc/shadow.backup 78 79 # 86 ## check permission and ownership 87 ## 88 file = /etc/mtab 89 file = /etc/adjtime 90 file = /etc/motd 91 file = /etc/lvm/.cache 92 93 # On Ubuntu, these are in /var/lib rather than /etc 94 file = /etc/cups/certs 95 file = /etc/cups/certs/0 96 97 # managed by fstab-sync on Fedora Core 98 file = /etc/fstab 99 100 # modified when booting 101 file = /etc/sysconfig/hwconf 102 80 103 # There are files in /etc that might change, thus changing the directory 81 104 # timestamps. Put it here as 'file', and in the ReadOnly section as 'dir'. 82 # 83 file=/etc 84 85 [LogFiles] 86 ## 87 ## for these files, changes in signature, timestamps, and size are ignored 88 ## 89 file=/var/run/utmp 90 file=/etc/motd 91 92 93 94 ##################################################################### 95 # 96 # This would be the proper syntax for parts that should only be 97 # included for certain hosts. 98 # You may enclose anything in a @HOSTNAME/@end bracket, as long as the 99 # result still has the proper syntax for the config file. 100 # You may have any number of @HOSTNAME/@end brackets. 101 # HOSTNAME should be the fully qualified 'official' name 102 # (e.g. 'nixon.watergate.com', not 'nixon'), no aliases. 103 # No IP number - except if samhain cannot determine the 104 # fully qualified hostname. 
105 # 106 # @HOSTNAME 107 # file=/foo/bar 108 # @end 109 # 110 # These are two examples for conditional inclusion/exclusion 111 # of a machine based on the output from 'uname -srm' 112 # 113 # $Linux:2.*.7:i666 114 # file=/foo/bar3 115 # $end 116 # 117 # !$Linux:2.*.7:i686 118 # file=/foo/bar2 119 # $end 120 # 121 ##################################################################### 105 106 file = /etc 107 108 # 109 # --------- /boot ----------- 110 # 111 112 [ReadOnly] 113 dir = 99/boot 114 115 # 116 # --------- /bin, /sbin ----------- 117 # 118 119 [ReadOnly] 120 dir = 99/bin 121 dir = 99/sbin 122 123 # 124 # --------- /lib ----------- 125 # 126 127 [ReadOnly] 128 dir = 99/lib 129 130 # 131 # --------- /dev ----------- 132 # 133 134 [Attributes] 135 dir = 99/dev 136 137 [IgnoreAll] 138 ## 139 ## pseudo terminals are created/removed as needed 140 ## 141 dir = -1/dev/pts 142 143 # dir = -1/dev/.udevdb 144 145 file = /dev/ppp 146 147 # 148 # --------- /usr ----------- 149 # 150 151 [ReadOnly] 152 dir = 99/usr 153 154 # 155 # --------- /var ----------- 156 # 157 158 [ReadOnly] 159 dir = 99/var 160 161 [IgnoreAll] 162 dir = -1/var/cache 163 dir = -1/var/backups 164 dir = -1/var/games 165 dir = -1/var/gdm 166 dir = -1/var/lock 167 dir = -1/var/mail 168 dir = -1/var/run 169 dir = -1/var/spool 170 dir = -1/var/tmp 171 dir = -1/var/lib/texmf 172 173 [Attributes] 174 175 dir = /var/lib/nfs 176 dir = /var/lib/pcmcia 177 178 # /var/lib/rpm changes if packets are installed; 179 # /var/lib/rpm/__db.00[123] even more frequently 180 file = /var/lib/rpm/__db.00? 
181 182 file = /var/lib/acpi-support/vbestate 183 file = /var/lib/alsa/asound.state 184 file = /var/lib/apt/lists/lock 185 file = /var/lib/apt/lists/partial 186 file = /var/lib/cups/certs 187 file = /var/lib/cups/certs/0 188 file = /var/lib/dpkg/lock 189 file = /var/lib/gdm 190 file = /var/lib/gdm/.cookie 191 file = /var/lib/gdm/.gdmfifo 192 file = /var/lib/gdm/:0.Xauth 193 file = /var/lib/gdm/:0.Xservers 194 file = /var/lib/logrotate/status 195 file = /var/lib/mysql 196 file = /var/lib/mysql/ib_logfile0 197 file = /var/lib/mysql/ibdata1 198 file = /var/lib/slocate 199 file = /var/lib/slocate/slocate.db 200 file = /var/lib/slocate/slocate.db.tmp 201 file = /var/lib/urandom 202 file = /var/lib/urandom/random-seed 203 file = /var/lib/random-seed 204 file = /var/lib/xkb 205 122 206 123 207 [GrowingLogFiles] 124 208 ## 125 ## for these files, changes in signature, timestamps, and increase in size 126 ## are ignored 127 ## 128 file=/var/log/warn 129 file=/var/log/messages 130 file=/var/log/wtmp 131 file=/var/log/faillog 132 133 [IgnoreAll] 134 ## 135 ## for these files, no modifications are reported 136 ## 137 ## This file might be created or removed by the system sometimes. 138 ## 139 file=/etc/resolv.conf.pcmcia.save 140 209 ## For these files, changes in signature, timestamps, and increase in size 210 ## are ignored. Logfile rotation will cause a report because of shrinking 211 ## size and different inode. 
212 ## 213 dir = 99/var/log 214 215 [Attributes] 216 # 217 # rotated logs will change inode 218 # 219 file = /var/log/*.[0-9].gz 220 file = /var/log/*.[0-9].log 221 file = /var/log/*.[0-9] 222 file = /var/log/*.old 223 file = /var/log/*/*.[0-9].gz 224 file = /var/log/*/*.log.[0-9] 225 226 [Misc] 227 # 228 # Various naming schemes for rotated logs 229 # 230 IgnoreAdded = /var/log/.*\.[0-9]+$ 231 IgnoreAdded = /var/log/.*\.[0-9]+\.gz$ 232 IgnoreAdded = /var/log/.*\.[0-9]+\.log$ 233 # 234 # Subdirectories 235 # 236 IgnoreAdded = /var/log/[[:alnum:]]+/.*\.[0-9]+$ 237 IgnoreAdded = /var/log/[[:alnum:]]+/.*\.[0-9]+\.gz$ 238 IgnoreAdded = /var/log/[[:alnum:]]+/.*\.[0-9]+\.log$ 239 # 240 IgnoreAdded = /var/lib/slocate/slocate.db.tmp 241 IgnoreMissing = /var/lib/slocate/slocate.db.tmp 242 243 # 244 # --------- other policies ----------- 245 # 141 246 142 247 [IgnoreNone] … … 152 257 ## 153 258 154 155 [ReadOnly]156 ##157 ## for these files, only access time is ignored158 ##159 dir=/usr/bin160 dir=/bin161 dir=/boot162 #163 # SuSE (old) has the boot init scripts in /sbin/init.d/*,164 # so we go 3 levels deep165 #166 dir=3/sbin167 dir=/usr/sbin168 dir=/lib169 #170 # RedHat and Debian have the bootinit scripts in /etc/init.d/* or /etc/rc.d/*,171 # so we go 3 levels deep there too172 #173 dir=3/etc174 175 # Various directories / files that may include / be SUID/SGID binaries176 #177 #178 dir=/usr/X11R6/bin179 dir=/usr/X11R6/lib/X11/xmcd/bin180 file=/usr/lib/pt_chown181 dir=/opt/gnome/bin182 dir=/opt/kde/bin183 259 184 260 [User0] … … 186 262 ## User0 and User1 are sections for files/dirs with user-definable checking 187 263 ## (see the manual) 264 188 265 189 266 … … 203 280 # SeverityUser0=crit 204 281 # SeverityUser1=crit 205 206 ##207 ## We have a file in IgnoreAll that might or might not be present.208 ## Setting the severity to 'info' prevents messages about deleted/new file.209 ##210 282 # SeverityIgnoreAll=crit 211 SeverityIgnoreAll=info 283 212 284 213 285 ## Files : 
file access problems … … 470 542 # ChecksumTest = none 471 543 ChecksumTest=check 472 473 ## whether to drop linux capabilities that are not required474 ## - will make a root process a 'mere mortal' in many respects475 #476 # UseCaps = yes477 544 478 545 ## Set nice level (-19 to 19, see 'man nice'),
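Review bot: The new `[IgnoreAll]` block for /var uses `dir = -1/var/spool` (and likewise `-1/var/tmp`, `-1/var/run`) with unlimited depth, so nothing beneath /var/spool is checked at all; on hosts that keep crontabs under /var/spool this leaves a common location for scheduled-task changes uncovered by the integrity check. Consider narrowing the exclusion to the genuinely volatile subtrees, or adding a more specific `[ReadOnly]` or `[Attributes]` entry for the cron spool, provided samhain gives the deeper path precedence over the parent `IgnoreAll` rule — that precedence cannot be confirmed from this page. Less important: the `IgnoreAdded = /var/lib/slocate/slocate.db.tmp` and matching `IgnoreMissing` lines sit among regexes that escape dots and anchor with `$`, so for consistency `IgnoreAdded = /var/lib/slocate/slocate\.db\.tmp$` (and the same for `IgnoreMissing`) would avoid matching unintended names. Parts of the section are collapsed behind the `…` markers, so the full policy list is not visible here.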