Changeset 7 for trunk


Timestamp:
Dec 31, 2005, 1:53:37 PM (19 years ago)
Author:
rainer
Message:

update for default linux rc file

File:
1 edited

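--- a/trunk/samhainrc.linux
+++ b/trunk/samhainrc.linux
@@ -61,82 +61,187 @@
 # RedefIgnoreAll=(no default)
 # RedefIgnoreNone=(no default)
+
 # RedefUser0=(no default)
 # RedefUser1=(no default)
 
+#
+# --------- / --------------
+#
+
+[ReadOnly]
+dir = 0/
+
+#
+# --------- /etc -----------
+#
+
+[ReadOnly]
+##
+## for these files, only access time is ignored
+##
+dir = 99/etc
+
 [Attributes]
 ##
-## for these files, only changes in permissions and ownership are checked
-##
-file=/etc/mtab
-file=/etc/ssh_random_seed
-file=/etc/asound.conf
-file=/etc/resolv.conf
-file=/etc/localtime
-file=/etc/ioctl.save
-file=/etc/passwd.backup
-file=/etc/shadow.backup
-
-#
+## check permission and ownership
+##
+file = /etc/mtab
+file = /etc/adjtime
+file = /etc/motd
+file = /etc/lvm/.cache
+
+# On Ubuntu, these are in /var/lib rather than /etc
+file = /etc/cups/certs
+file = /etc/cups/certs/0
+
+# managed by fstab-sync on Fedora Core
+file = /etc/fstab
+
+# modified when booting
+file = /etc/sysconfig/hwconf
+
 # There are files in /etc that might change, thus changing the directory
 # timestamps. Put it here as 'file', and in the ReadOnly section as 'dir'.
-#
-file=/etc
-
-[LogFiles]
-##
-## for these files, changes in signature, timestamps, and size are ignored
-##
-file=/var/run/utmp
-file=/etc/motd
-
-
-
-#####################################################################
-#
-# This would be the proper syntax for parts that should only be
-#    included for certain hosts.
-# You may enclose anything in a @HOSTNAME/@end bracket, as long as the
-#    result still has the proper syntax for the config file.
-# You may have any number of @HOSTNAME/@end brackets.
-# HOSTNAME should be the fully qualified 'official' name
-#    (e.g. 'nixon.watergate.com', not 'nixon'), no aliases.
-#    No IP number - except if samhain cannot determine the
-#    fully qualified hostname.
-#
-# @HOSTNAME
-# file=/foo/bar
-# @end
-#
-# These are two examples for conditional inclusion/exclusion
-# of a machine based on the output from 'uname -srm'
-#
-# $Linux:2.*.7:i666
-# file=/foo/bar3
-# $end
-#
-# !$Linux:2.*.7:i686
-# file=/foo/bar2
-# $end
-#
-#####################################################################
+
+file = /etc
+
+#
+# --------- /boot -----------
+#
+
+[ReadOnly]
+dir = 99/boot
+
+#
+# --------- /bin, /sbin -----------
+#
+
+[ReadOnly]
+dir = 99/bin
+dir = 99/sbin
+
+#
+# --------- /lib -----------
+#
+
+[ReadOnly]
+dir = 99/lib
+
+#
+# --------- /dev -----------
+#
+
+[Attributes]
+dir = 99/dev
+
+[IgnoreAll]
+##
+## pseudo terminals are created/removed as needed
+##
+dir = -1/dev/pts
+
+# dir = -1/dev/.udevdb
+
+file = /dev/ppp
+
+#
+# --------- /usr -----------
+#
+
+[ReadOnly]
+dir = 99/usr
+
+#
+# --------- /var -----------
+#
+
+[ReadOnly]
+dir = 99/var
+
+[IgnoreAll]
+dir = -1/var/cache
+dir = -1/var/backups
+dir = -1/var/games
+dir = -1/var/gdm
+dir = -1/var/lock
+dir = -1/var/mail
+dir = -1/var/run
+dir = -1/var/spool
+dir = -1/var/tmp
+dir = -1/var/lib/texmf
+
+[Attributes]
+
+dir = /var/lib/nfs
+dir = /var/lib/pcmcia
+
+# /var/lib/rpm changes if packets are installed;
+# /var/lib/rpm/__db.00[123] even more frequently
+file = /var/lib/rpm/__db.00?
+
+file = /var/lib/acpi-support/vbestate
+file = /var/lib/alsa/asound.state
+file = /var/lib/apt/lists/lock
+file = /var/lib/apt/lists/partial
+file = /var/lib/cups/certs
+file = /var/lib/cups/certs/0
+file = /var/lib/dpkg/lock
+file = /var/lib/gdm
+file = /var/lib/gdm/.cookie
+file = /var/lib/gdm/.gdmfifo
+file = /var/lib/gdm/:0.Xauth
+file = /var/lib/gdm/:0.Xservers
+file = /var/lib/logrotate/status
+file = /var/lib/mysql
+file = /var/lib/mysql/ib_logfile0
+file = /var/lib/mysql/ibdata1
+file = /var/lib/slocate
+file = /var/lib/slocate/slocate.db
+file = /var/lib/slocate/slocate.db.tmp
+file = /var/lib/urandom
+file = /var/lib/urandom/random-seed
+file = /var/lib/random-seed
+file = /var/lib/xkb
+
 
 [GrowingLogFiles]
 ##
-## for these files, changes in signature, timestamps, and increase in size
-##                  are ignored
-##
-file=/var/log/warn
-file=/var/log/messages
-file=/var/log/wtmp
-file=/var/log/faillog
-
-[IgnoreAll]
-##
-## for these files, no modifications are reported
-##
-## This file might be created or removed by the system sometimes.
-##
-file=/etc/resolv.conf.pcmcia.save
-
+## For these files, changes in signature, timestamps, and increase in size
+## are ignored. Logfile rotation will cause a report because of shrinking
+## size and different inode.
+##
+dir = 99/var/log
+
+[Attributes]
+#
+# rotated logs will change inode
+#
+file = /var/log/*.[0-9].gz
+file = /var/log/*.[0-9].log
+file = /var/log/*.[0-9]
+file = /var/log/*.old
+file = /var/log/*/*.[0-9].gz
+file = /var/log/*/*.log.[0-9]
+
+[Misc]
+#
+# Various naming schemes for rotated logs
+#
+IgnoreAdded = /var/log/.*\.[0-9]+$
+IgnoreAdded = /var/log/.*\.[0-9]+\.gz$
+IgnoreAdded = /var/log/.*\.[0-9]+\.log$
+#
+# Subdirectories
+#
+IgnoreAdded = /var/log/[[:alnum:]]+/.*\.[0-9]+$
+IgnoreAdded = /var/log/[[:alnum:]]+/.*\.[0-9]+\.gz$
+IgnoreAdded = /var/log/[[:alnum:]]+/.*\.[0-9]+\.log$
+#
+IgnoreAdded = /var/lib/slocate/slocate.db.tmp
+IgnoreMissing = /var/lib/slocate/slocate.db.tmp
+
+#
+# --------- other policies -----------
+#
 
 [IgnoreNone]
@@ -152,33 +257,4 @@
 ##
 
-
-[ReadOnly]
-##
-## for these files, only access time is ignored
-##
-dir=/usr/bin
-dir=/bin
-dir=/boot
-#
-# SuSE (old) has the boot init scripts in /sbin/init.d/*,
-# so we go 3 levels deep
-#
-dir=3/sbin
-dir=/usr/sbin
-dir=/lib
-#
-# RedHat and Debian have the bootinit scripts in /etc/init.d/* or /etc/rc.d/*,
-#        so we go 3 levels deep there too
-#
-dir=3/etc
-
-# Various directories / files that may include / be SUID/SGID binaries
-#
-#
-dir=/usr/X11R6/bin
-dir=/usr/X11R6/lib/X11/xmcd/bin
-file=/usr/lib/pt_chown
-dir=/opt/gnome/bin
-dir=/opt/kde/bin
 
 [User0]
@@ -186,4 +262,5 @@
 ## User0 and User1 are sections for files/dirs with user-definable checking
 ## (see the manual)
+
 
 
@@ -203,11 +280,6 @@
 # SeverityUser0=crit
 # SeverityUser1=crit
-
-##
-## We have a file in IgnoreAll that might or might not be present.
-## Setting the severity to 'info' prevents messages about deleted/new file.
-##
 # SeverityIgnoreAll=crit
-SeverityIgnoreAll=info
+
 
 ## Files : file access problems
@@ -470,9 +542,4 @@
 # ChecksumTest = none
 ChecksumTest=check
-
-## whether to drop linux capabilities that are not required
-## - will make a root process a 'mere mortal' in many respects
-#
-# UseCaps = yes
 
 ## Set nice level (-19 to 19, see 'man nice'),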
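Review bot: `dir = -1/var/spool` in the new [IgnoreAll] block silences reporting for the whole spool tree, which on common distributions includes the cron and at spools under /var/spool/cron and /var/spool/at, so a changed or newly created crontab would not be reported. The file already relies on a more specific entry overriding a broader one (`file = /etc/mtab` in [Attributes] while `dir = 99/etc` is in [ReadOnly]); if samhain applies the same precedence for directories, adding `dir = 99/var/spool/cron` and `dir = 99/var/spool/at` next to `dir = 99/var` in the [ReadOnly] block would restore that coverage while still ignoring the rest of the spool — confirm against the manual. Relatedly, `file = /etc/fstab` under [Attributes] ("check permission and ownership") means content edits to fstab are unreported on every distribution, not only where fstab-sync rewrites it; a comment such as `# content changes are NOT checked; only needed where fstab-sync rewrites the file` would make the trade-off explicit. The comment `# On Ubuntu, these are in /var/lib rather than /etc` sits directly above `file = /etc/cups/certs`, while the /var/lib/cups/certs entries appear further down under the /var [Attributes] block; rewording it to `# Ubuntu keeps these under /var/lib/cups/certs instead (listed below)` would remove the apparent contradiction.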