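#
# samhainrc -- Samhain HIDS file-integrity policy (NetBSD/pkgsrc flavour)
# From pkgsrc-wip, Author: Brian Seklecki
#
# Read by samhain(8) only. The file already mixes "key=value" and
# "key = value" on live directives and repeats [Attributes], [IgnoreAll]
# and [Misc] headers, so it relies on Samhain's parser (whitespace-tolerant,
# repeated sections merged); do not feed it to a generic INI parser.
# Everything after the [EOF] marker near the end is ignored by Samhain.
#

[Misc]
RedefUser0 = +INO, +SIZ, +RDEV, +CHK, -MOD, -MTM, -ATM, -CTM, -GRP, -USR

# The new Samhain behavior is to check the checksum up to the last-known size of
# the file, but *yes*, the inode will change when it becomes rotated and the size
# will get reset to a lesser value (in which case the check should know to passively
# fail)
RedefGrowingLogFiles = -INO, -SIZ, +CHK, -MTM, -ATM, -CTM

#
# --------- / --------------
#

[ReadOnly]
dir = 99/

# This covers the contents of / including: /boot, /bin, /sbin, /lib, /libexec,
# /rescue, /root, /altroot, /usr, /var, /stand, /mnt, /tmp, /proc, /kern (Even
# though /usr and /var will receive overrides)

[Attributes]
file = /proc
file = /kern

[IgnoreAll]
dir = -1/proc
dir = -1/kern

#
# --------- /tmp -----------
#
[Attributes]
file = /tmp
[IgnoreAll]
dir = -1/tmp


#
# --------- /root --------------
#

# Per section 5.4.2.1 of the manual, Rule #5, there are lock files written here
# that change the mtime/ctime of the dir, so we want to watch perms/ownership,
# ignore ctime/mtime/size, etc., but still watch the critical files inside.
# Note: in theory, /root should never change if you use sudo(8) w/o "-H"
[ReadOnly]
dir = /root/.gnupg
[Attributes]
file = /root/.gnupg
file = /root/.gnupg/random_seed

#
# --------- /dev -----------
#

[Attributes]
dir = 99/dev

# User0 will be for /dev/tty* and other devices where Owner/Group/Mode can
# change but the Inode/Size/Device/Checksum should not change.
# (RedefUser0 at the top of this file is what gives User0 that meaning.)

[User0]
file = /dev/tty*
file = /dev/pty*

#
# --------- /etc -----------
#

[ReadOnly]
##
## for these files, only access time is ignored
##
dir = 99/etc


# If you're running dhclient(8), resolv.conf will get re-written at renewal
# time so pray that the dhcpd(8) on your network doesn't get owned.
# Crypto-signed DHCP traffic would be too much to ask from ISC, but maybe
# not from the OpenBSD hack

[Attributes]
file = /etc/dhclient.conf

# If you run CUPS, /etc/printcap gets re-written if you have
# "Browsing On" and "Printcap /etc/printcap" in cupsd.conf(5)
[Attributes]
file = /etc/printcap


#
# --------- /usr -----------
#

# note about the following two: this reduced the size
# of the database greatly

#
# --------- /usr/pkgsrc -----------
#

# Leave this uncommented if you CVS update your pkgsrc
# periodically/automatically. If you do not, comment it
# out and you should be informed about any unauthorized
# modifications to pkgsrc (which is an attack vector)

[IgnoreAll]
dir = -1/usr/pkgsrc

#
# --------- /usr/src -----------
#

# Leave this uncommented if you CVS update your src
# periodically/automatically. If you do not, comment it
# out and you should be informed about any unauthorized
# modifications to src (which is an attack vector)

[IgnoreAll]
dir = -1/usr/src


#
# --------- /usr/home (/home) -----------
#

# /home may be a symlink to /usr/home on a stock system, but most admins cane
# that shit. [Attributes] could be replaced here by [ReadOnly] if we wanted to
# know about new users being added (on systems where there are no new users)

[Attributes]
file = /home
[IgnoreAll]
dir = -1/home

#
# --------- /usr/compat/linux/etc -----------
#

# You're basically compromising your system by enabling Linux emulation anyway

[Attributes]
file = /usr/compat/linux/etc
file = /usr/compat/linux/etc/ld.so.cache

#
# --------- /usr/compat/linux/proc -----------
#

# Uncomment if you have Linux Emulation/Compat Installed/Setup/Mounted
[Attributes]
file = /emul/linux/proc
[IgnoreAll]
dir = -1/emul/linux/proc


#
# --------- /var/run -----------
#

# New PID files may come, and PID files may go (as services on a system change),
# but then probably a database rebuild will occur. But at the time of the
# database init, we should consider everything in here subject to change
# (checksum, times, size) during a daemon restart, but everything else stays
# the same.

# If you have periodic scripts that HUP daemons, the PID should be unchanged.
# However, force-restarts will be a new PID, so consider this

[Attributes]
dir = 99/var/run

[Misc]
# Ignore sudo(8) TTY/PTY "Tickets" if you use sudo
IgnoreMissing = /var/run/sudo/[[:alnum:]]{1,9}/(p|t)ty.*$
IgnoreAdded = /var/run/sudo/[[:alnum:]]{1,9}/(p|t)ty.*$

#
# --------- /var/(spool|queue|etc.) -----------
#

[Attributes]
file = /var/cron/tabs
file = /var/spool/mqueue
file = /var/spool/clientmqueue
file = /var/mail
file = /var/tmp

#
# --------- /var/at -----------
#

# As deep as /var/at/ will be watched by 99/

[Attributes]
file = /var/at/spool
file = /var/at/jobs

#
# --------- /var/db -----------
#

# Some files are written directly into /var/db
[Attributes]
file = /var/db

[Attributes]
# Updatedb per /etc/periodic.d/weekly/310.locate (FreeBSD) or /etc/weekly (NetBSD)
file = /var/db/locate.database

[Misc]
# this file comes and goes with portaudit(1)/portversion(1)/pkg_version(1)
# Other is ISC DHCLIENT related
IgnoreAdded = /var/db/(pkgdb.fixme|dhclient.leases.*)
IgnoreMissing = /var/db/(pkgdb.fixme|dhclient.leases.*)


#
# --------- /var/db/mysql -----------
#

# The same for MySQL, except it's probably owned by the time you get done
# installing it.

[Attributes]
file = /var/db/mysql
[IgnoreAll]
dir = -1/var/db/mysql

####################################################################
# The next three entries depend on your security paranoia policy about
# SRC and PORTS trees, etc. Remember, Ports is the only default attack
# vector against FreeBSD machines.
####################################################################


#
# --------- /var/db/pkg -----------
#

# This database directory gets updated if a cvsup(8)/cvs(8)/sup(8) update
# occurs to a Pkgsrc source tree and then "pkgdb(8) -fu" is run.

[Attributes]
file = /var/db/pkg
[IgnoreAll]
dir = -1/var/db/pkg


#
# --------- /var/db/entropy -----------
#
[Attributes]
file = /var/db/entropy
[IgnoreAll]
dir = -1/var/db/entropy

#
# --------- /var/msgs -----------
#

[Attributes]
dir = -1/var/msgs

#
# --------- /var/backups -----------
#

# /etc/daily /etc/security write old revisions of system
# critical files into here daily
[Attributes]
dir = -1/var/backups

#
# --------- /var/log -----------
#

# Keep this section in sync with:
# * /etc/newsyslog.conf
# * /etc/syslogd.conf OR:
# * /usr/pkg/etc/syslog-ng/syslog-ng.conf

# For these files, changes in signature, timestamps, and increase in size
# are ignored, however:
# Per discussion on the forum, this behavior change is needed due to the behavior
# of the newsyslog(8) rotation method: file sizes will get smaller, inodes will change
# as they rotate.

# NOTES ON LOG ROTATION BEHAVIOR:
# See comments about modifications to [GrowingLogFiles] to ignore INODE changes
# As newsyslog(8)/newsyslog.conf(5) has the default behavior of:
# - First move logfile.log to logfile.log.0
# - then bzip2 -v9 logfile.log.0
# - then touch(1) logfile.log
# - then HUP if applicable & reopen the new file (new inode)
# - Therefore, Ignore Signature, Size (if grow), and Inode changes
# But also, there's [IgnoreMissing] regexp to account for log file pruning from
# the filesystem, and [IgnoreAdded] for the first Nth rotations of the logfile
# per newsyslog.conf(5)


# NetBSD defaults
[Misc]
IgnoreAdded = /var/log/(cron|xferlog|messages|maillog|secure|pflog|sendmail\.st|kerberos\.log|authlog|aculog|wtmp|wtmpx)\.[0-9](\.bz2|\.gz)?$
IgnoreMissing = /var/log/(cron|xferlog|messages|maillog|secure|pflog|sendmail\.st|kerberos\.log|authlog|aculog|wtmp|wtmpx)\.[0-9](\.bz2|\.gz)?$

# Local services you may need to account for
# NOTE(review): "postgresq\.log" looks like a typo for "postgresql\.log"; left
# unchanged here because widening an Ignore* pattern silences alerts. Verify the
# real file name -- an unmatched rotation is merely reported, which is the safe
# failure mode.
IgnoreAdded = /var/log/(snmpd\.log|postgresq\.log|samhain\.log|httpd-error\.log|httpd-access\.log|httpd-ssl_request\.log)\.[0-9](\.bz2|\.gz)?$
IgnoreMissing = /var/log/(snmpd\.log|postgresq\.log|samhain\.log|httpd-error\.log|httpd-access\.log|httpd-ssl_request\.log)\.[0-9](\.bz2|\.gz)?$

[Attributes]
dir = 99/var/log

# NetBSD Stock Defaults
[GrowingLogFiles]
File = /var/log/aculog
File = /var/log/authlog
File = /var/log/cron
File = /var/log/kerberos.log
File = /var/log/lpd-errs
File = /var/log/maillog
File = /var/log/messages
File = /var/log/secure
File = /var/log/wtmp
File = /var/log/wtmpx
File = /var/log/xferlog
File = /var/log/pflog

[Attributes]
# A binary-type logfile (Screw sendmail!)
File = /var/log/sendmail.st

# NetBSD gzip(1)'s by default but newsyslog.conf(5) has bzip2 support
[Attributes]
File = /var/log/*.[0-9].gz
#File = /var/log/*.[0-9].bz2

#
# --------- makewhatis(8) -----------
#

# Account for updated whatis(8) database given manpath.conf(5)/man.conf(5)
# and manpath(1)

[Attributes]
file = /usr/pkg/man/whatis.db
file = /usr/pkg/man
file = /usr/share/man/whatis.db
file = /usr/share/man

##############################################
######## END FILE SECTION ####################
##############################################

[EventSeverity]

SeverityReadOnly = crit
SeverityLogFiles = crit
SeverityGrowingLogs = crit
SeverityIgnoreNone = crit
SeverityAttributes = crit
SeverityUser0 = crit
SeverityUser1 = crit

## We have a file in IgnoreAll that might or might not be present.
## Setting the severity to 'info' prevents messages about deleted/new file.
##
# SeverityIgnoreAll=crit
SeverityIgnoreAll = info

## Files : file access problems
SeverityFiles = info

## Dirs : directory access problems
SeverityDirs = info

## Names : suspect (non-printable) characters in a pathname
SeverityNames = crit

[Log]
## Values: debug, info, notice, warn, mark, err, crit, alert, none.
## 'mark' is used for timestamps.
##
## Use 'none' to SWITCH OFF a log facility
##
## By default, everything equal to and above the threshold is logged.
## The specifiers '*', '!', and '=' are interpreted as
## 'all', 'all but', and 'only', respectively (like syslogd(8) does,
## at least on Linux). Examples:
## MailSeverity=*
## MailSeverity=!warn
## MailSeverity==crit

## E-mail
## NOTE(review): no SetMailAddress is active in [Misc] below, so this
## threshold currently queues mail to nobody.
##
MailSeverity = warn

## Console
##
PrintSeverity = notice

## Logfile
##
LogSeverity = info

## Syslog
##
# Syslog logging is redundant at this time
#
#SyslogSeverity=notice

## Remote server (yule)
##
# ExportSeverity=none

## External script or program
##
# ExternalSeverity = none

## Logging to a database
##
# DatabaseSeverity = none

## Logging to a Prelude-IDS
##
# PreludeSeverity = crit


#####################################################
#
# Optional modules
#
#####################################################

#[SuidCheck]
##
## --- Check the filesystem for SUID/SGID binaries
##

## Switch on
#
#SuidCheckActive = yes

## Interval for check (seconds)
#
#SuidCheckInterval = 5400

## Alternative: crontab-like schedule
#
#SuidCheckSchedule = NULL

## Directory to exclude
#
# SuidCheckExclude = NULL

## Limit on files per second (0 == no limit)
#
# SuidCheckFps = 0

## Alternative: yield after every file
#
# SuidCheckYield = no

## Severity of a detection
#
# SeveritySuidCheck = crit

## Quarantine SUID/SGID files if found
#
# SuidCheckQuarantineFiles = yes

## Method for Quarantining files:
# 0 - Delete the file.
# 1 - Remove SUID/SGID permissions from file.
# 2 - Move SUID/SGID file to quarantine dir.
#
# SuidCheckQuarantineMethod = 0

## For method 1 and 3, really delete instead of truncating
#
# SuidCheckQuarantineDelete = yes

#[Mounts]
#MountCheckActive=1
#MountCheckInterval=7200
#SeverityMountMissing=crit
#SeverityOptionMissing=crit
#
#checkmount=/
#checkmount=/dev
#checkmount=/usr
#checkmount=/var
#checkmount=/var/log
#checkmount=/opt
#checkmount=/export
#checkmount=/tmp


#[Utmp]
##
## --- Logging of login/logout events
##

## Switch on/off
#
#LoginCheckActive = True

## Severity for logins, multiple logins, logouts
#
#SeverityLogin=info
#SeverityLoginMulti=crit
#SeverityLogout=info

## Interval for login/logout checks
#
#LoginCheckInterval = 300


# [Database]
##
## --- Logging to a relational database
##

## Database name
#
# SetDBName = samhain

## Database table
#
# SetDBTable = log

## Database user
#
# SetDBUser = samhain

## Database password
## (if ever enabled, this file must not be world-readable)
#
# SetDBPassword = (default: none)

## Database host
#
# SetDBHost = localhost

## Log the server timestamp for received messages
#
# SetDBServerTstamp = True

## Use a persistent connection
#
# UsePersistent = True


# [External]
##
## Interface to call external scripts/programs for logging
##

## The absolute path to the command
## - Each invocation of this directive will end the definition of the
## preceding command, and start the definition of
## an additional, new command
#
# OpenCommand = (no default)

## Type (log or srv)
## - log for log messages, srv for messages received by the server
#
# SetType = log

## The command (full command line) to execute
#
# SetCommandLine = (no default)

## The environment (KEY=value; repeat for more)
#
# SetEnviron = TZ=(your timezone)

## The TIGERpkg checksum (optional)
#
# SetChecksum = (no default)

## User who runs the command
#
# SetCredentials = (default: samhain process uid)

## Words not allowed in message
#
# SetFilterNot = (none)

## Words required (ALL of them)
#
# SetFilterAnd = (none)

## Words required (at least one)
#
# SetFilterOr = (none)

## Deadtime between consecutive calls
#
# SetDeadtime = 0

## Add default environment (HOME, PATH, SHELL)
#
# SetDefault = no


#####################################################
#
# Miscellaneous configuration options
#
#####################################################

[Misc]

## whether to become a daemon process
## (this is not honoured on database initialisation)
#
# Daemon = no
Daemon = yes

# whether to test signature of files (init/check/none)
# - if 'none', then we have to decide this on the command line -
#
# ChecksumTest = none
ChecksumTest = check

# Set nice level (-19 to 19, see 'man nice'),
# and I/O limit (kilobytes per second; 0 == off)
# to reduce load on host.
#
SetNiceLevel = 19
# SetIOLimit = 0

## The version string to embed in file signature databases
#
# VersionString = NULL

## Interval between time stamp messages
#
# SetLoopTime = 60
SetLoopTime = 7200

## Interval between file checks (seconds; 43200 == 12 hours)
#
# SetFileCheckTime = 600
SetFileCheckTime = 43200

## Alternative: crontab-like schedule
#
# FileCheckScheduleOne = NULL

## Alternative: crontab-like schedule(2)
#
# FileCheckScheduleTwo = NULL

## Report only once on modified files
## Setting this to 'FALSE' will generate a report for any policy
## violation (old and new ones) each time the daemon checks the file system.
#
ReportOnlyOnce = True

## Report in full detail
#
ReportFullDetail = True

## Report file timestamps in local time rather than GMT
#
UseLocalTime = Yes

## The console device (can also be a file or named pipe)
## - There are two console devices. Accordingly, you can use
## this directive a second time to set the second console device.
## If you have not defined the second device at compile time,
## and you don't want to use it, then:
## setting it to /dev/null is less effective than just leaving
## it alone (setting to /dev/null will waste time by opening
## /dev/null and writing to it)
#
# SetConsole = /dev/console

## Activate the SysV IPC message queue
#
# MessageQueueActive = False


## If false, skip reverse lookup when connecting to a host known
## by name rather than IP address (i.e. trust the DNS)
#
SetReverseLookup = True


## --- E-Mail ---

# Only highest-level (alert) reports will be mailed immediately,
# others will be queued. Here you can define, when the queue will
# be flushed (Note: the queue is automatically flushed after
# completing a file check).
#
# SetMailTime = 86400

## Maximum number of mails to queue
#
# SetMailNum = 10

## Recipient (max. 8)
## NOTE(review): commented out, while [Log] has MailSeverity=warn and the
## relay/sender below are configured -- no alert e-mail is actually sent.
## Either set a recipient or set MailSeverity=none so the intent is explicit.
#
#SetMailAddress=infosec@noc.myorg.tld

## Mail relay (IP address)
#
SetMailRelay = 127.0.0.1

## Custom subject format
#
MailSubject = Synchrotone Samhain: %S
SetMailSender = samhain@synchrotone.pgh.pub.collaborativefusion.com

## --- end E-Mail ---


## Path to the executable. If set, will be checksummed after startup
## and before exit.
#
SamhainPath = /usr/pkg/sbin/samhain

## The IP address of the log server
#
# SetLogServer = (default: compiled-in)

## The IP address of the time server
#
# SetTimeServer = (default: compiled-in)

## Trusted Users (comma delimited list of user names)
#
# TrustedUser = (no default; this adds to the compiled-in list)

## Path to the file signature database
## NOTE(review): the baseline lives on the monitored host itself; keep an
## off-host or read-only copy (or a signed database) so a compromise of this
## host cannot silently re-baseline the checks.
#
SetDatabasePath = /usr/pkg/var/samhain/samhain.db

## Path to the log file
#
# SetLogfilePath = (default: compiled-in)

## Path to the PID file
#
# SetLockfilePath = (default: compiled-in)


## The digest/checksum/hash algorithm (default: TIGER192; others: MD5, SHA1)
#
# DigestAlgo = TIGER192


## Custom format for message header.
## CAREFUL if you use XML logfile format.
##
## %S severity
## %T timestamp
## %C class
##
## %F source file
## %L source line
#
# MessageHeader="%S %T "


## Don't log path to config/database file on startup
#
# HideSetup = False

## The syslog facility, if you log to syslog
#
# SyslogFacility = LOG_AUTHPRIV
SyslogFacility = LOG_LOCAL2

## The message authentication method
## - If you change this, you *must* change it
## on client *and* server
#
# MACType = HMAC-TIGER


## The Prelude-IDS profile to use for reporting
## default value is "samhain"
#
# PreludeProfile = samhain

## Map these samhain severities to impact severity 'info' severity
#
# PreludeMapToInfo =

## Map these samhain severities to impact severity 'low' severity
#
# PreludeMapToLow = debug info

## Map these samhain severities to impact severity 'medium' severity
#
# PreludeMapToMedium = notice warn err

## Map these samhain severities to impact severity 'high' severity
#
# PreludeMapToHigh = crit alert

# everything below is ignored
[EOF]

#####################################################################
# This would be the proper syntax for parts that should only be
# included for certain hosts.
# You may enclose anything in a @HOSTNAME/@end bracket, as long as the
# result still has the proper syntax for the config file.
# You may have any number of @HOSTNAME/@end brackets.
# HOSTNAME should be the fully qualified 'official' name
# (e.g. 'nixon.watergate.com', not 'nixon'), no aliases.
# No IP number - except if samhain cannot determine the
# fully qualified hostname.
#
# @HOSTNAME
# file=/foo/bar
# @end
#
# These are two examples for conditional inclusion/exclusion
# of a machine based on the output from 'uname -srm'
# $Linux:2.*.7:i666
# file=/foo/bar3
# $end
#
# !$Linux:2.*.7:i686
# file=/foo/bar2
# $end
#
#####################################################################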