#####################################################################
#
# AIX 5.2.0 configuration file for Samhain.
#
#####################################################################
#
# Date    : 23.10.2003
# Author  : Christoph Kiefer (chkiefer@intergga.ch)
# Comment : Samhain client configuration file. Should also work
#           for AIX 5.1.0. Written for Samhain version 1.7.12.
#           This configuration fits MY needs; YOU will
#           probably have to modify it.
#
# Changes : Date        Name               Remarks
#           23.10.2003  Christoph Kiefer   Initial Version
#
#####################################################################
#
# -- empty lines and lines starting with '#', ';' or '//' are ignored
# -- boolean options can be Yes/No or True/False or 1/0
# -- you can PGP clearsign this file -- samhain will check (if compiled
#    with support) or otherwise ignore the signature. On a client this
#    is strongly recommended: without a verified signature, anyone who
#    can write this file can silence the checks it configures.
# -- CHECK the mail address: this file sets MailSeverity=none in [Log]
#    and defines no SetMailAddress, so e-mail reporting is off. If you
#    want it, add SetMailAddress to [Misc] and raise MailSeverity.
#
# To each log facility, you can assign a threshold severity. Only
# reports with at least the threshold severity will be logged
# to the respective facility (see section [Log] further below).
#
#####################################################################
# SETUP for file system checking:
# (i)   There are several policies, each has its own section. Put files
#       into the section for the appropriate policy (see below).
# (ii)  Section [EventSeverity]:
#       To each policy, you can assign a severity (further below).
# (iii) Section [Log]:
#       To each log facility, you can assign a threshold severity. Only
#       reports with at least the threshold severity will be logged
#       to the respective facility (even further below).
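#####################################################################

#####################################################################
#
# Files are defined with:          file = /absolute/path
#
# Directories are defined with:    dir = /absolute/path
# or with an optional recursion depth (N <= 99):  dir = N/absolute/path
#
# Directory inodes are checked. If you only want to check files
# in a directory, but not the directory inode itself, use (e.g.):
#
#   [ReadOnly]
#   dir = /some/directory
#   [IgnoreAll]
#   file = /some/directory
#
# You can use shell-style globbing patterns, like: file = /path/foo*
#
######################################################################

[Misc]
MessageHeader=""
# Let files under the [LogFiles] policy change their inode without a
# report (log rotation). Trade-off: replacing such a log with a fresh
# file is then not caught by the inode check either.
RedefLogFiles=-INO
# Seconds between file checks / daemon loop iterations (hourly).
SetFilecheckTime=3600
SetLoopTime=3600
SetRecursionLevel=99
# NOTE(review): SHA1 is the weaker of the digests this version offers
# (TIGER192 is samhain's default). Changing DigestAlgo invalidates the
# existing baseline database, so re-initialise it (samhain -t init)
# after any change here.
DigestAlgo=SHA1
ChecksumTest=check
# Samhain takes its timestamps from a TCP 'time' (port 37) server;
# 'localhost' presumes inetd offers that service on this host -- verify,
# and confirm what 1.7.12 does when the lookup fails.
SetTimeServer=localhost
ReportFullDetail=no
Daemon=yes
# Do not reveal config/database paths in log messages.
HideSetup=yes
ReportOnlyOnce=yes
UseLocalTime=yes

## The Prelude-IDS profile to use for reporting
## default value is "samhain"
#
# PreludeProfile = samhain

## Map these samhain severities to impact severity 'info' severity
#
# PreludeMapToInfo =

## Map these samhain severities to impact severity 'low' severity
#
# PreludeMapToLow = debug info

## Map these samhain severities to impact severity 'medium' severity
#
# PreludeMapToMedium = notice warn err

## Map these samhain severities to impact severity 'high' severity
#
# PreludeMapToHigh = crit alert

# IgnoreAll: no modifications are reported, only existence is checked --
# and that at SeverityIgnoreAll=info, which is below every facility
# threshold in [Log], so entries here are effectively unmonitored.
# /opt is excluded wholesale; if third-party software is installed
# there, consider moving it to [ReadOnly] instead.
[IgnoreAll]
dir=-1/etc/objrepos
dir=-1/etc/vg
dir=-1/dev/.SRC-unix
dir=-1/dev/pts
dir=-1/opt
dir=-1/tmp
dir=-1/usr/share/lib/objrepos
dir=-1/usr/share/man
dir=-1/var/adm/cron
dir=-1/var/tmp
file=/dev/log*

# Attributes: only ownership and permission changes are reported.
[Attributes]
file=/etc/lpp/diagnostics/data/*
file=/audit/auditb
file=/dev
# file=/etc/bootpd.dump
file=/etc/bootptab
file=/etc/inittab
file=/etc/xtab
dir=/dev
dir=/usr/dt
dir=/usr/lib/instl
dir=/usr/lib/lpd
dir=/usr/lib/mh
dir=/usr/lib/sa
dir=/usr/lpp

# LogFiles: timestamps, size and checksum are all ignored, so content
# tampering (including truncation) of these files is NOT detected.
# Keep only files here that are rewritten in place; append-only
# accounting files belong in [GrowingLogFiles] below.
[LogFiles]
file=/etc/rmtab
file=/etc/security/lastlog
file=/etc/security/portlog
file=/etc/utmp
# file=/smit.log
file=/var/adm/*log*
file=/var/adm/ras/*log*
file=/var/log/*log*

# GrowingLogFiles: timestamps and checksum are ignored, but a decrease
# in size is reported (SeverityGrowingLogs). wtmp and failedlogin are
# append-only login-accounting records; wiping or trimming them is the
# classic track-covering step, so a shrink must not go unnoticed.
# Expect one warning per legitimate rotation that truncates in place.
[GrowingLogFiles]
file=/etc/security/failedlogin
file=/var/adm/wtmp

# IgnoreNone: every change is reported, access time included.
[IgnoreNone]
file=/etc/tsh_profile

# ReadOnly: every change except access time is reported.
# /etc/*conf* also covers inetd.conf and the snmpd/syslog configs;
# /etc/rc.* covers rc.tcpip; /etc/hosts* covers hosts.equiv.
# /etc/security/passwd is here deliberately: password changes raise a
# crit report, which is the intended audit trail.
[ReadOnly]
dir=/etc/security/ldap
file=/etc/*.cnf
file=/etc/*conf*
file=/etc/aliases
file=/etc/dumpdates
file=/etc/environment
file=/etc/exports
file=/etc/filesystems
file=/etc/ftpusers
file=/etc/group
file=/etc/hosts*
file=/etc/motd
file=/etc/passwd
file=/etc/profile
file=/etc/protocols
file=/etc/publickey
file=/etc/rc.*
file=/etc/rpc
file=/etc/security/acl
file=/etc/security/environ
file=/etc/security/group
file=/etc/security/limits
file=/etc/security/login.cfg
file=/etc/security/passwd
file=/etc/security/roles
file=/etc/security/smitacl.*
file=/etc/security/user*
file=/etc/sendmail.cf
file=/etc/services
file=/etc/sudoers
file=/etc/swapspaces
file=/etc/vfs
# file=/smit.script
# If OpenSSH is installed, its host keys and sshd_config should be
# watched too; enable once the path exists (a missing path is reported
# as an error):
# dir=/etc/ssh
dir=/etc/mail
dir=/etc/rc.d
dir=/etc/security/audit
dir=/home/root
dir=/sbin
dir=/usr/X11R6
dir=/usr/bin
dir=/usr/ccs
dir=/usr/etc
dir=/usr/include
dir=/usr/lib/boot
dir=/usr/lib/methods
dir=/usr/lib/microcode
dir=/usr/lib/security
dir=/usr/lib/smit
dir=/usr/local/bin
dir=/usr/sbin
dir=/usr/share
dir=/usr/ucb

# Anything at 'info' here never leaves the client: every enabled
# facility in [Log] has a threshold of 'warn' or higher.
[EventSeverity]
SeverityAttributes=crit
SeverityDirs=err
SeverityFiles=err
SeverityGrowingLogs=warn
SeverityIgnoreNone=crit
SeverityLogFiles=crit
SeverityReadOnly=crit
SeverityIgnoreAll=info
SeverityNames=info

# Client-only logging: no local log file, no mail, no console; reports
# go to the log server (export) and to syslog. If the log server is
# unreachable, syslog is the only record of an alert -- make sure it
# is forwarded off-host. STAMP (samhain's periodic timestamp messages)
# is not in ExportClass, so the server presumably gets no heartbeat
# from this client; add STAMP if you rely on the server noticing a
# client that has gone silent.
[Log]
ExportClass=RUN FIL PANIC ERR ENET EINPUT
LogSeverity=none
MailSeverity=none
PrintSeverity=none
ExportSeverity=warn
SyslogSeverity=warn

## Logging to a Prelude-IDS
##
# PreludeSeverity = crit

# Full-filesystem scan for new/changed setuid/setgid files every 30 min,
# throttled to 250 files/sec. Quarantine is left off: a new suid file
# is reported at 'alert' but not neutralised.
[SuidCheck]
SuidCheckExclude=/proc
SuidCheckActive=yes
SuidCheckInterval=1800
SuidCheckFps=250
#SuidCheckYield=no
SeveritySuidCheck=alert
#SuidCheckQuarantineFiles=yes
#SuidCheckQuarantineMethod=0
# SuidCheckQuarantineDelete = yes

# utmp is polled every 30 s, but single login/logout events are rated
# 'info' and therefore dropped by every facility in [Log]; only
# multiple concurrent logins (warn) are actually reported. Raise
# SeverityLogin/SeverityLogout if per-login tracking is wanted.
[Utmp]
LoginCheckActive=yes
LoginCheckInterval=30
SeverityLogin=info
SeverityLogout=info
SeverityLoginMulti=warn

[EOF]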