Index: /trunk/samhainrc.linux
===================================================================
--- /trunk/samhainrc.linux	(revision 6)
+++ /trunk/samhainrc.linux	(revision 7)
@@ -61,82 +61,187 @@
 # RedefIgnoreAll=(no default)
 # RedefIgnoreNone=(no default)
+
 # RedefUser0=(no default)
 # RedefUser1=(no default)
 
+#
+# --------- / --------------
+#
+
+[ReadOnly]
+dir = 0/
+
+#
+# --------- /etc -----------
+#
+
+[ReadOnly]
+##
+## for these files, only access time is ignored
+##
+dir = 99/etc
+
 [Attributes]
 ##
-## for these files, only changes in permissions and ownership are checked
-##
-file=/etc/mtab
-file=/etc/ssh_random_seed
-file=/etc/asound.conf
-file=/etc/resolv.conf
-file=/etc/localtime
-file=/etc/ioctl.save
-file=/etc/passwd.backup
-file=/etc/shadow.backup
-
-#
+## check permission and ownership
+##
+file = /etc/mtab
+file = /etc/adjtime
+file = /etc/motd
+file = /etc/lvm/.cache
+
+# On Ubuntu, these are in /var/lib rather than /etc
+file = /etc/cups/certs
+file = /etc/cups/certs/0
+
+# managed by fstab-sync on Fedora Core
+file = /etc/fstab
+
+# modified when booting 
+file = /etc/sysconfig/hwconf
+
 # There are files in /etc that might change, thus changing the directory
 # timestamps. Put it here as 'file', and in the ReadOnly section as 'dir'.
-#
-file=/etc
-
-[LogFiles]
-##
-## for these files, changes in signature, timestamps, and size are ignored 
-##
-file=/var/run/utmp
-file=/etc/motd
-
-
-
-#####################################################################
-#
-# This would be the proper syntax for parts that should only be
-#    included for certain hosts.
-# You may enclose anything in a @HOSTNAME/@end bracket, as long as the
-#    result still has the proper syntax for the config file.
-# You may have any number of @HOSTNAME/@end brackets.
-# HOSTNAME should be the fully qualified 'official' name 
-#    (e.g. 'nixon.watergate.com', not 'nixon'), no aliases. 
-#    No IP number - except if samhain cannot determine the 
-#    fully qualified hostname.
-#
-# @HOSTNAME
-# file=/foo/bar
-# @end
-#
-# These are two examples for conditional inclusion/exclusion
-# of a machine based on the output from 'uname -srm'
-#
-# $Linux:2.*.7:i666
-# file=/foo/bar3
-# $end
-#
-# !$Linux:2.*.7:i686
-# file=/foo/bar2
-# $end
-#
-#####################################################################
+
+file = /etc
+
+#
+# --------- /boot -----------
+#
+
+[ReadOnly]
+dir = 99/boot
+
+#
+# --------- /bin, /sbin -----------
+#
+
+[ReadOnly]
+dir = 99/bin
+dir = 99/sbin
+
+#
+# --------- /lib -----------
+#
+
+[ReadOnly]
+dir = 99/lib
+
+#
+# --------- /dev -----------
+#
+
+[Attributes]
+dir = 99/dev
+
+[IgnoreAll]
+##
+## pseudo terminals are created/removed as needed
+##
+dir = -1/dev/pts
+
+# dir = -1/dev/.udevdb
+
+file = /dev/ppp
+
+#
+# --------- /usr -----------
+#
+
+[ReadOnly]
+dir = 99/usr
+
+#
+# --------- /var -----------
+#
+
+[ReadOnly]
+dir = 99/var
+
+[IgnoreAll]
+dir = -1/var/cache
+dir = -1/var/backups
+dir = -1/var/games
+dir = -1/var/gdm
+dir = -1/var/lock
+dir = -1/var/mail
+dir = -1/var/run
+dir = -1/var/spool
+dir = -1/var/tmp
+dir = -1/var/lib/texmf
+
+[Attributes]
+
+dir = /var/lib/nfs
+dir = /var/lib/pcmcia
+
+# /var/lib/rpm changes if packets are installed;
+# /var/lib/rpm/__db.00[123] even more frequently
+file = /var/lib/rpm/__db.00?
+
+file = /var/lib/acpi-support/vbestate
+file = /var/lib/alsa/asound.state
+file = /var/lib/apt/lists/lock
+file = /var/lib/apt/lists/partial
+file = /var/lib/cups/certs
+file = /var/lib/cups/certs/0
+file = /var/lib/dpkg/lock
+file = /var/lib/gdm
+file = /var/lib/gdm/.cookie
+file = /var/lib/gdm/.gdmfifo
+file = /var/lib/gdm/:0.Xauth
+file = /var/lib/gdm/:0.Xservers
+file = /var/lib/logrotate/status
+file = /var/lib/mysql
+file = /var/lib/mysql/ib_logfile0
+file = /var/lib/mysql/ibdata1
+file = /var/lib/slocate
+file = /var/lib/slocate/slocate.db
+file = /var/lib/slocate/slocate.db.tmp
+file = /var/lib/urandom
+file = /var/lib/urandom/random-seed
+file = /var/lib/random-seed
+file = /var/lib/xkb
+
 
 [GrowingLogFiles]
 ##
-## for these files, changes in signature, timestamps, and increase in size
-##                  are ignored 
-##
-file=/var/log/warn
-file=/var/log/messages
-file=/var/log/wtmp
-file=/var/log/faillog
-
-[IgnoreAll]
-##
-## for these files, no modifications are reported
-##
-## This file might be created or removed by the system sometimes.
-##
-file=/etc/resolv.conf.pcmcia.save
-
+## For these files, changes in signature, timestamps, and increase in size
+## are ignored. Logfile rotation will cause a report because of shrinking
+## size and different inode. 
+##
+dir = 99/var/log
+
+[Attributes]
+#
+# rotated logs will change inode
+#
+file = /var/log/*.[0-9].gz
+file = /var/log/*.[0-9].log
+file = /var/log/*.[0-9]
+file = /var/log/*.old
+file = /var/log/*/*.[0-9].gz
+file = /var/log/*/*.log.[0-9]
+
+[Misc]
+#
+# Various naming schemes for rotated logs
+#
+IgnoreAdded = /var/log/.*\.[0-9]+$
+IgnoreAdded = /var/log/.*\.[0-9]+\.gz$
+IgnoreAdded = /var/log/.*\.[0-9]+\.log$
+#
+# Subdirectories
+#
+IgnoreAdded = /var/log/[[:alnum:]]+/.*\.[0-9]+$
+IgnoreAdded = /var/log/[[:alnum:]]+/.*\.[0-9]+\.gz$
+IgnoreAdded = /var/log/[[:alnum:]]+/.*\.[0-9]+\.log$
+#
+IgnoreAdded = /var/lib/slocate/slocate.db.tmp
+IgnoreMissing = /var/lib/slocate/slocate.db.tmp
+
+#
+# --------- other policies -----------
+#
 
 [IgnoreNone]
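Review bot: `dir = -1/var/spool` under [IgnoreAll] (L166) also silences /var/spool/cron, so a crontab planted for persistence, or an edit to an existing one, would never be reported even though /var as a whole is placed under [ReadOnly] just above. I would carve the cron spool back out with `dir = 99/var/spool/cron` in the preceding [ReadOnly] block; the more specific path should take precedence over the enclosing entry, which is the same mechanism this revision already relies on for /var/cache and /var/lib/nfs inside /var, but confirm it against the samhain version in use. The same question applies to `file = /etc/fstab` under [Attributes] (L55): only permissions and ownership are checked there, so a change to mount options (dropping nosuid/noexec, adding a bind mount) goes unnoticed, and since the comment scopes the churn to Fedora Core's fstab-sync, hosts without it would be better served by leaving fstab under the [ReadOnly] /etc rule, e.g. via the `@HOSTNAME`/`$uname` conditionals whose documentation this hunk removes. Note also that the old [ReadOnly] entries for /opt/gnome/bin and /opt/kde/bin (deleted later in this diff) have no counterpart in the new layout, so /opt is now covered only to whatever extent `dir = 0/` reaches.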
@@ -152,33 +257,4 @@
 ##
 
-
-[ReadOnly]
-##
-## for these files, only access time is ignored
-##
-dir=/usr/bin
-dir=/bin
-dir=/boot
-#
-# SuSE (old) has the boot init scripts in /sbin/init.d/*, 
-# so we go 3 levels deep
-#
-dir=3/sbin
-dir=/usr/sbin
-dir=/lib
-#
-# RedHat and Debian have the bootinit scripts in /etc/init.d/* or /etc/rc.d/*, 
-#        so we go 3 levels deep there too
-#
-dir=3/etc
-
-# Various directories / files that may include / be SUID/SGID binaries
-#
-#
-dir=/usr/X11R6/bin
-dir=/usr/X11R6/lib/X11/xmcd/bin
-file=/usr/lib/pt_chown
-dir=/opt/gnome/bin
-dir=/opt/kde/bin
 
 [User0]
@@ -186,4 +262,5 @@
 ## User0 and User1 are sections for files/dirs with user-definable checking
 ## (see the manual) 
+
 
 
@@ -203,11 +280,6 @@
 # SeverityUser0=crit
 # SeverityUser1=crit
-
-##
-## We have a file in IgnoreAll that might or might not be present.
-## Setting the severity to 'info' prevents messages about deleted/new file.
-##
 # SeverityIgnoreAll=crit
-SeverityIgnoreAll=info
+
 
 ## Files : file access problems
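Review bot: Dropping `SeverityIgnoreAll=info` re-enables reporting at the default severity for [IgnoreAll] entries that appear or disappear, which the removed comment states was the whole reason for the override; `/dev/ppp`, listed under [IgnoreAll] in this same revision, is a device node that may well not exist on every boot. If samhain still reports presence changes for IgnoreAll entries (the removed comment implies it does), a per-file exemption is more targeted than lowering the severity of the entire policy: `IgnoreAdded = /dev/ppp` and `IgnoreMissing = /dev/ppp` in `[Misc]`, the way this revision already handles slocate.db.tmp. Otherwise a one-line comment such as `# IgnoreAll presence changes now handled per file via IgnoreAdded/IgnoreMissing` in place of the deleted block would tell the next reader why the override went away.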
@@ -470,9 +542,4 @@
 # ChecksumTest = none
 ChecksumTest=check
-
-## whether to drop linux capabilities that are not required
-## - will make a root process a 'mere mortal' in many respects
-#
-# UseCaps = yes
 
 ## Set nice level (-19 to 19, see 'man nice'),
