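#####################################################################
#
# FreeBSD Configuration file for samhain.
#
#####################################################################
#
# -- empty lines and lines starting with '#', ';' or '//' are ignored
# -- boolean options can be Yes/No or True/False or 1/0
# -- you can PGP clearsign this file -- samhain will check (if compiled
# with support) or otherwise ignore the signature
# -- CHECK mail address
#
# To each log facility, you can assign a threshold severity. Only
# reports with at least the threshold severity will be logged
# to the respective facility (even further below).
#
#####################################################################
# SETUP for file system checking:
# (i) There are several policies, each has its own section. Put files
# into the section for the appropriate policy (see below).
# (ii) Section [EventSeverity]:
# To each policy, you can assign a severity (further below).
# (iii) Section [Log]:
# To each log facility, you can assign a threshold severity. Only
# reports with at least the threshold severity will be logged
# to the respective facility (even further below).
#####################################################################

#####################################################################
#
# Files are defined with: file = /absolute/path
#
# Directories are defined with: dir = /absolute/path
# or with an optional recursion depth (N <= 99): dir = N/absolute/path
#
# Directory inodes are checked. If you only want to check files
# in a directory, but not the directory inode itself, use (e.g.):
#
# [ReadOnly]
# dir = /some/directory
# [IgnoreAll]
# file = /some/directory
#
# You can use shell-style globbing patterns, like: file = /path/foo*
#
######################################################################

[Misc]
##
## Add or subtract tests from the policies
## - if you want to change their definitions,
## you need to do that before using the policies
##
# RedefReadOnly = (no default)
# RedefAttributes = (no default)
# RedefLogFiles = (no default)
# RedefGrowingLogFiles = (no default)
# RedefIgnoreAll = (no default)
# RedefIgnoreNone = (no default)
# RedefUser0 = (no default)
# RedefUser1 = (no default)

#
# --------- / --------------
#

[ReadOnly]
## depth 0: the entries directly under / are checked read-only,
## without descending (see "dir = N/absolute/path" in the header)
dir = 0/

[Attributes]
## the directory inodes themselves: only permissions and ownership
## are checked here (see the /root note further below), because
## their timestamps change in normal operation
file = /
file = /proc
file = /entropy
file = /tmp
file = /var

#
# --------- /dev -----------
#

[Attributes]
dir = 99/dev

[IgnoreAll]
## pseudo-terminal device nodes are created and removed on demand;
## the matching IgnoreAdded/IgnoreMissing patterns are in the next
## [Misc] section
file = /dev/ttyp?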
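
[Misc]
##
## pseudo terminals are created/removed as needed
## - note: unlike file/dir, these patterns are regular expressions
## (see the "(p|t)" alternation and ".*"), not shell-style globs
##
IgnoreAdded = /dev/(p|t)typ.*
IgnoreMissing = /dev/(p|t)typ.*


#
# --------- /etc -----------
#

[ReadOnly]
##
## for these files, only access time is ignored
##
dir = 99/etc


#
# --------- /boot -----------
#

[ReadOnly]
dir = 99/boot

#
# --------- /bin, /sbin -----------
#

[ReadOnly]
dir = 99/bin
dir = 99/sbin

#
# --------- /lib -----------
#

[ReadOnly]
dir = 99/lib

#
# --------- /libexec -----------
#

[ReadOnly]
dir = 99/libexec

#
# --------- /rescue -----------
#

[ReadOnly]
dir = 99/rescue

#
# --------- /root -----------
#

[Attributes]
##
## for these files, only changes in permissions and ownership are checked
##
dir = 99/root

#
# --------- /stand -----------
#

[ReadOnly]
dir = 99/stand

#
# --------- /usr -----------
#

[ReadOnly]
dir = 99/usr

[Attributes]
dir = /usr/.snap
dir = /usr/share/man/cat?
file = /usr/compat/linux/etc
file = /usr/compat/linux/etc/ld.so.cache

[IgnoreAll]
## nothing under /usr/home is monitored, so changes to per-user login
## files there go unreported; decide whether that is acceptable here.
## NOTE(review): a negative depth is not covered by the "N <= 99" rule
## in the header -- confirm its meaning in the samhain manual
dir = -1/usr/home

#
# --------- /var -----------
#

[Attributes]

dir = 0/var

[LogFiles]
##
## for these files, changes in signature, timestamps, and size are ignored
##

file = /var/run/utmp

[GrowingLogFiles]
##
## For these files, changes in signature, timestamps, and increase in size
## are ignored. Logfile rotation will cause a report because of shrinking
## size and different inode.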
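##
dir = 99/var/log

[Attributes]
#
# rotated logs will change inode
#
file = /var/log/*.[0-9].bz2
file = /var/log/*.[0-9].log
file = /var/log/*.[0-9]
file = /var/log/*.[0-9][0-9]
file = /var/log/*.old

file = /var/log/sendmail.st


[Misc]
#
# Various naming schemes for rotated logs
#
# NOTE(review): these regular expressions accept ANY new file under
# /var/log whose name ends in a digit sequence (optionally followed by
# .gz/.bz2/.log), not only rotated logs -- an unexpected file with such
# a name would not be reported as added.
#
IgnoreAdded = /var/log/.*\.[0-9]+$
IgnoreAdded = /var/log/.*\.[0-9]+\.gz$
IgnoreAdded = /var/log/.*\.[0-9]+\.bz2$
IgnoreAdded = /var/log/.*\.[0-9]+\.log$


[IgnoreNone]
##
## for these files, all modifications (even access time) are reported
## - you may create some interesting-looking file (like /etc/safe_passwd),
## just to watch whether someone will access it ...
##



[User0]
[User1]
## User0 and User1 are sections for files/dirs with user-definable checking
## (see the manual)

[EventSeverity]
##
## Here you can assign severities to policy violations.
## If this severity exceeds the threshold of a log facility (see below),
## a policy violation will be logged to that facility.
##

#
# Severity for verification failures.
#
# SeverityReadOnly=crit
# SeverityLogFiles=crit
# SeverityGrowingLogs=crit
# SeverityIgnoreNone=crit
# SeverityAttributes=crit
# SeverityUser0=crit
# SeverityUser1=crit

## We have a file in IgnoreAll that might or might not be present.
## Setting the severity to 'info' prevents messages about deleted/new file.
## - this lowers the severity for every IgnoreAll entry, i.e. also for
## files appearing or vanishing under /usr/home (see above)
##
# SeverityIgnoreAll=crit
SeverityIgnoreAll=info

## Files : file access problems
# SeverityFiles=crit

## Dirs : directory access problems
# SeverityDirs=crit

## Names : suspect (non-printable) characters in a pathname
# SeverityNames=crit

[Log]
##
## Switch on/OFF log facilities and set their threshold severity
##
## Values: debug, info, notice, warn, mark, err, crit, alert, none.
## 'mark' is used for timestamps.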
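##
## Use 'none' to SWITCH OFF a log facility
##
## By default, everything equal to and above the threshold is logged.
## The specifiers '*', '!', and '=' are interpreted as
## 'all', 'all but', and 'only', respectively (like syslogd(8) does,
## at least on Linux). Examples:
## MailSeverity=*
## MailSeverity=!warn
## MailSeverity==crit
## (the doubled '=' in the last example is intentional: the second
## '=' is the 'only' specifier)

## E-mail
##
# MailSeverity=none

## Console
##
# PrintSeverity=info

## Logfile
##
# LogSeverity=mark

## Syslog
##
# SyslogSeverity=none

## Remote server (yule)
##
# ExportSeverity=none

## External script or program
##
# ExternalSeverity = none

## Logging to a database
##
# DatabaseSeverity = none

## Logging to a Prelude-IDS
##
# PreludeSeverity = crit

## NOTE(review): no facility is set explicitly above, so each one
## presumably runs at its compiled-in threshold. Make sure at least one
## facility that leaves the host (mail, syslog, yule) is actually active,
## otherwise reports only exist on the machine being checked.


#####################################################
#
# Optional modules
#
#####################################################

# [SuidCheck]
##
## --- Check the filesystem for SUID/SGID binaries
##

## Switch on
#
# SuidCheckActive = yes

## Interval for check (seconds)
#
# SuidCheckInterval = 7200

## Alternative: crontab-like schedule
#
# SuidCheckSchedule = NULL

## Directory to exclude
#
# SuidCheckExclude = NULL

## Limit on files per second (0 == no limit)
#
# SuidCheckFps = 0

## Alternative: yield after every file
#
# SuidCheckYield = no

## Severity of a detection
#
# SeveritySuidCheck = crit

## Quarantine SUID/SGID files if found
## - quarantining modifies or removes binaries on the host; test the
## chosen method on a non-production system before enabling it
#
# SuidCheckQuarantineFiles = yes

## Method for Quarantining files:
# 0 - Delete the file.
# 1 - Remove SUID/SGID permissions from file.
# 2 - Move SUID/SGID file to quarantine dir.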
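#
# SuidCheckQuarantineMethod = 0

## For method 1 and 3, really delete instead of truncating
## NOTE(review): the methods listed above are numbered 0-2, so
## "1 and 3" looks off -- confirm against the samhain manual which
## methods this setting applies to before relying on it
#
# SuidCheckQuarantineDelete = yes


# [Utmp]
##
## --- Logging of login/logout events
##

## Switch on/off
#
# LoginCheckActive = True

## Severity for logins, multiple logins, logouts
#
# SeverityLogin=info
# SeverityLoginMulti=warn
# SeverityLogout=info

## Interval for login/logout checks
#
# LoginCheckInterval = 300


# [Database]
##
## --- Logging to a relational database
##

## Database name
#
# SetDBName = samhain

## Database table
#
# SetDBTable = log

## Database user
#
# SetDBUser = samhain

## Database password
## - stored in clear text if set: restrict read access to this file
#
# SetDBPassword = (default: none)

## Database host
#
# SetDBHost = localhost

## Log the server timestamp for received messages
#
# SetDBServerTstamp = True

## Use a persistent connection
#
# UsePersistent = True


# [External]
##
## Interface to call external scripts/programs for logging
##

## The absolute path to the command
## - Each invocation of this directive will end the definition of the
## preceding command, and start the definition of
## an additional, new command
#
# OpenCommand = (no default)

## Type (log or srv)
## - log for log messages, srv for messages received by the server
#
# SetType = log

## The command (full command line) to execute
#
# SetCommandLine = (no default)

## The environment (KEY=value; repeat for more)
#
# SetEnviron = TZ=(your timezone)

## The TIGER192 checksum (optional)
## - presumably used to verify the command binary before it is
## executed; confirm in the manual. Setting it is recommended so a
## replaced script is not run with the daemon's privileges.
#
# SetChecksum = (no default)

## User who runs the command
## - prefer a dedicated unprivileged user; the default runs the
## command with the daemon's own uid
#
# SetCredentials = (default: samhain process uid)

## Words not allowed in message
#
# SetFilterNot = (none)

## Words required (ALL of them)
#
# SetFilterAnd = (none)

## Words required (at least one)
#
# SetFilterOr = (none)

## Deadtime between consecutive calls
#
# SetDeadtime = 0

## Add default environment (HOME, PATH, SHELL)
## - an inherited PATH affects which helper binaries the command
## resolves; leave at 'no' unless the command needs these variables
#
# SetDefault = no



#####################################################
#
# Miscellaneous configuration options
#
#####################################################

[Misc]

## whether to become a daemon process
## (this is not honoured on database initialisation)
#
# Daemon = no
Daemon = yes

# whether to test signature of files (init/check/none)
# - if 'none', then we have to decide this on the command line -
#
# ChecksumTest = none
ChecksumTest = check

# Set nice level (-19 to 19, see 'man nice'),
# and I/O limit (kilobytes per second; 0 == off)
# to reduce load on host.
#
# SetNiceLevel = 0
# SetIOLimit = 0

## The version string to embed in file signature databases
#
# VersionString = NULL

## Interval between time stamp messages
#
# SetLoopTime = 60
SetLoopTime = 600

## Interval between file checks
## - 7200 s: a modification may stay undetected for up to two hours
#
# SetFileCheckTime = 600
SetFileCheckTime = 7200

## Alternative: crontab-like schedule
#
# FileCheckScheduleOne = NULL

## Alternative: crontab-like schedule(2)
#
# FileCheckScheduleTwo = NULL

## Report only once on modified files
## Setting this to 'FALSE' will generate a report for any policy
## violation (old and new ones) each time the daemon checks the file system.
#
# ReportOnlyOnce = True

## Report in full detail
#
# ReportFullDetail = False

## Report file timestamps in local time rather than GMT
#
# UseLocalTime = No

## The console device (can also be a file or named pipe)
## - There are two console devices. Accordingly, you can use
## this directive a second time to set the second console device.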
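## If you have not defined the second device at compile time,
## and you don't want to use it, then:
## setting it to /dev/null is less effective than just leaving
## it alone (setting to /dev/null will waste time by opening
## /dev/null and writing to it)
#
# SetConsole = /dev/console

## Activate the SysV IPC message queue
#
# MessageQueueActive = False


## If false, skip reverse lookup when connecting to a host known
## by name rather than IP address (i.e. trust the DNS)
## - keep the default (True): with False a peer is accepted on the
## strength of the forward DNS lookup alone
#
# SetReverseLookup = True


## --- E-Mail ---

# Only highest-level (alert) reports will be mailed immediately,
# others will be queued. Here you can define, when the queue will
# be flushed (Note: the queue is automatically flushed after
# completing a file check).
#
# SetMailTime = 86400

## Maximum number of mails to queue
#
# SetMailNum = 10

## Recipient (max. 8)
## - CHECK this before deployment (see the file header); reports to a
## non-existent mailbox are lost
#
# SetMailAddress=root@localhost

## Mail relay (IP address)
#
# SetMailRelay = NULL

## Custom subject format
#
# MailSubject = NULL

## --- end E-Mail ---


## Path to the executable. If set, will be checksummed after startup
## and before exit.
## - setting this lets the daemon verify its own binary, which is
## otherwise only covered by the [ReadOnly] policy on its directory
#
# SamhainPath = (no default)


## The IP address of the log server
#
# SetLogServer = (default: compiled-in)

## The IP address of the time server
#
# SetTimeServer = (default: compiled-in)

## Trusted Users (comma delimited list of user names)
## - keep this list minimal. NOTE(review): the manual defines what
## "trusted" grants; confirm before adding users here
#
# TrustedUser = (no default; this adds to the compiled-in list)

## Path to the file signature database
#
# SetDatabasePath = (default: compiled-in)

## Path to the log file
#
# SetLogfilePath = (default: compiled-in)

## Path to the PID file
#
# SetLockfilePath = (default: compiled-in)


## The digest/checksum/hash algorithm
#
# DigestAlgo = TIGER192


## Custom format for message header.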
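## CAREFUL if you use XML logfile format.
##
## %S severity
## %T timestamp
## %C class
##
## %F source file
## %L source line
#
# MessageHeader="%S %T "


## Don't log path to config/database file on startup
## - set to True if the config/database locations should not appear
## in the startup log lines
#
# HideSetup = False

## The syslog facility, if you log to syslog
#
# SyslogFacility = LOG_AUTHPRIV
SyslogFacility = LOG_LOCAL2

## The message authentication method
## - If you change this, you *must* change it
## on client *and* server
#
# MACType = HMAC-TIGER


## The Prelude-IDS profile to use for reporting
## default value is "samhain"
#
# PreludeProfile = samhain

## Map these samhain severities to Prelude impact severity 'info'
#
# PreludeMapToInfo =

## Map these samhain severities to Prelude impact severity 'low'
#
# PreludeMapToLow = debug info

## Map these samhain severities to Prelude impact severity 'medium'
#
# PreludeMapToMedium = notice warn err

## Map these samhain severities to Prelude impact severity 'high'
#
# PreludeMapToHigh = crit alert

# everything below is ignored
[EOF]

#####################################################################
# This would be the proper syntax for parts that should only be
# included for certain hosts.
# You may enclose anything in a @HOSTNAME/@end bracket, as long as the
# result still has the proper syntax for the config file.
# You may have any number of @HOSTNAME/@end brackets.
# HOSTNAME should be the fully qualified 'official' name
# (e.g. 'nixon.watergate.com', not 'nixon'), no aliases.
# No IP number - except if samhain cannot determine the
# fully qualified hostname.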
#
# @HOSTNAME
# file=/foo/bar
# @end
#
# These are two examples for conditional inclusion/exclusion
# of a machine based on the output from 'uname -srm'
# $Linux:2.*.7:i666
# file=/foo/bar3
# $end
#
# !$Linux:2.*.7:i686
# file=/foo/bar2
# $end
#
#####################################################################
