1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
|
#####################################################################
#
# Configuration file template for samhain.
#
#####################################################################
#
# -- empty lines and lines starting with '#', ';' or '//' are ignored
# -- boolean options can be Yes/No or True/False or 1/0
# -- you can PGP clearsign this file -- samhain will check (if compiled
# with support) or otherwise ignore the signature
# -- CHECK mail address
#
# To each log facility, you can assign a threshold severity. Only
# reports with at least the threshold severity will be logged
# to the respective facility (even further below).
#
#####################################################################
#
# SETUP for file system checking:
#
# (i) There are several policies, each has its own section. Put files
# into the section for the appropriate policy (see below).
# (ii) Section [EventSeverity]:
# To each policy, you can assign a severity (further below).
# (iii) Section [Log]:
# To each log facility, you can assign a threshold severity. Only
# reports with at least the threshold severity will be logged
# to the respective facility (even further below).
#
#####################################################################
#####################################################################
#
# Files are defined with: file = /absolute/path
#
# Directories are defined with: dir = /absolute/path
# or with an optional recursion depth (N <= 99): dir = N/absolute/path
#
# Directory inodes are checked. If you only want to check files
# in a directory, but not the directory inode itself, use (e.g.):
#
# [ReadOnly]
# dir = /some/directory
# [IgnoreAll]
# file = /some/directory
#
# You can use shell-style globbing patterns, like: file = /path/foo*
#
######################################################################
[Misc]
##
## Add or subtract tests from the policies
## - if you want to change their definitions,
## you need to do that before using the policies
##
# RedefReadOnly = (no default)
# RedefAttributes=(no default)
# RedefLogFiles=(no default)
# RedefGrowingLogFiles=(no default)
# RedefIgnoreAll=(no default)
# RedefIgnoreNone=(no default)
# RedefUser0=(no default)
# RedefUser1=(no default)
FileNamesAreUTF8 = yes
[Attributes]
##
## for these files, only changes in permissions and ownership are checked
##
file=/etc/mtab
#file=/etc/ssh_random_seed
#file=/etc/asound.conf
file=/etc/resolv.conf
file=/etc/localtime
#file=/etc/ioctl.save
#file=/etc/passwd.backup
#file=/etc/shadow.backup
#file=/etc/postfix/prng_exch
#file=/etc/adjtime
file=/etc/network/run/ifstate
#file=/etc/lvm/.cache
file=/etc/ld.so.cache
#
# There are files in /etc that might change, thus changing the directory
# timestamps. Put it here as 'file', and in the ReadOnly section as 'dir'.
#
file=/etc
[LogFiles]
##
## for these files, changes in signature, timestamps, and size are ignored
##
file=/var/run/utmp
file=/etc/motd
#####################################################################
#
# This would be the proper syntax for parts that should only be
# included for certain hosts.
# You may enclose anything in a @HOSTNAME/@end bracket, as long as the
# result still has the proper syntax for the config file.
# You may have any number of @HOSTNAME/@end brackets.
# HOSTNAME should be the fully qualified 'official' name
# (e.g. 'nixon.watergate.com', not 'nixon'), no aliases.
# No IP number - except if samhain cannot determine the
# fully qualified hostname.
#
# @HOSTNAME
# file=/foo/bar
# @end
#
# These are two examples for conditional inclusion/exclusion
# of a machine based on the output from 'uname -srm'
#
# $Linux:2.*.7:i666
# file=/foo/bar3
# $end
#
# !$Linux:2.*.7:i686
# file=/foo/bar2
# $end
#
#####################################################################
[GrowingLogFiles]
##
## for these files, changes in signature, timestamps, and increase in size
## are ignored
##
file=/var/log/warn
file=/var/log/messages
file=/var/log/wtmp
file=/var/log/faillog
file=/var/log/auth.log
file=/var/log/daemon.log
file=/var/log/user.log
file=/var/log/kern.log
file=/var/log/syslog
[IgnoreAll]
##
## for these files, no modifications are reported
##
## This file might be created or removed by the system sometimes.
##
file=/etc/resolv.conf.pcmcia.save
file=/etc/nologin
file=/etc/network/run
file=/etc/.etckeeper
dir=-1/etc/.git
[IgnoreNone]
##
## for these files, all modifications (even access time) are reported
## - you may create some interesting-looking file (like /etc/safe_passwd),
## just to watch whether someone will access it ...
##
[Prelink]
##
## Use for prelinked files or directories holding them
##
[ReadOnly]
##
## for these files, only access time is ignored
##
dir=/usr/bin
dir=/bin
dir=/boot
#
# SuSE (old) has the boot init scripts in /sbin/init.d/*,
# so we go 3 levels deep
#
dir=3/sbin
dir=/usr/sbin
dir=/lib
#
# RedHat and Debian have the bootinit scripts in /etc/init.d/* or /etc/rc.d/*,
# so we go 3 levels deep there too
#
dir=3/etc
# Various directories / files that may include / be SUID/SGID binaries
#
#
file=/usr/lib/pt_chown
# X11, in Debian X7 this is now a symlink
#dir=/usr/X11R6/bin
#dir=/usr/X11R6/lib/X11/xmcd/bin
# Apache:
#file=/usr/lib/apache/suexec
#file=/usr/lib/apache/suexec.disabled
# Extra directories:
#dir=/opt/gnome/bin
#dir=/opt/kde/bin
[User0]
[User1]
## User0 and User1 are sections for files/dirs with user-definable checking
## (see the manual)
[EventSeverity]
##
## Here you can assign severities to policy violations.
## If this severity exceeds the treshold of a log facility (see below),
## a policy violation will be logged to that facility.
##
## Severity for verification failures.
##
# SeverityReadOnly=crit
# SeverityLogFiles=crit
# SeverityGrowingLogs=crit
# SeverityIgnoreNone=crit
# SeverityAttributes=crit
# SeverityUser0=crit
# SeverityUser1=crit
# Default behaviour
SeverityReadOnly=crit
SeverityLogFiles=crit
SeverityGrowingLogs=warn
SeverityIgnoreNone=crit
SeverityAttributes=crit
##
## We have a file in IgnoreAll that might or might not be present.
## Setting the severity to 'info' prevents messages about deleted/new file.
##
# SeverityIgnoreAll=crit
SeverityIgnoreAll=info
## Files : file access problems
# SeverityFiles=crit
## Dirs : directory access problems
# SeverityDirs=crit
## Names : suspect (non-printable) characters in a pathname
# SeverityNames=crit
# Default behaviour
SeverityFiles=crit
SeverityDirs=crit
SeverityNames=warn
[Log]
##
## Switch on/OFF log facilities and set their threshold severity
##
## Values: debug, info, notice, warn, mark, err, crit, alert, none.
## 'mark' is used for timestamps.
##
##
## Use 'none' to SWITCH OFF a log facility
##
## By default, everything equal to and above the threshold is logged.
## The specifiers '*', '!', and '=' are interpreted as
## 'all', 'all but', and 'only', respectively (like syslogd(8) does,
## at least on Linux). Examples:
## MailSeverity=*
## MailSeverity=!warn
## MailSeverity==crit
## E-mail
##
MailSeverity=crit
## Console
##
PrintSeverity=none
## Logfile
##
LogSeverity=warn
## Syslog
##
SyslogSeverity=alert
## Remote server (yule)
##
# ExportSeverity=none
## External script or program
##
# ExternalSeverity = none
## Logging to a database
##
# DatabaseSeverity = none
#####################################################
#
# Optional modules
#
#####################################################
# [SuidCheck]
##
## --- Check the filesystem for SUID/SGID binaries
##
## Switch on
#
# SuidCheckActive = yes
## Interval for check (seconds)
#
# SuidCheckInterval = 7200
## Alternative: crontab-like schedule
#
# SuidCheckSchedule = NULL
## Directory to exclude
#
# SuidCheckExclude = NULL
## Limit on files per second (0 == no limit)
#
# SuidCheckFps = 0
## Alternative: yield after every file
#
# SuidCheckYield = no
## Severity of a detection
#
# SeveritySuidCheck = crit
## Quarantine SUID/SGID files if found
#
# SuidCheckQuarantineFiles = yes
## Method for Quarantining files:
# 0 - Delete or truncate the file.
# 1 - Remove SUID/SGID permissions from file.
# 2 - Move SUID/SGID file to quarantine dir.
#
# SuidCheckQuarantineMethod = 0
## For method 1 and 3, really delete instead of truncating
#
# SuidCheckQuarantineDelete = yes
# [Kernel]
##
## --- Check for loadable kernel module rootkits (Linux/FreeBSD only)
##
## Switch on/off
#
# KernelCheckActive = True
## Check interval (seconds); btw., the check is VERY fast
#
# KernelCheckInterval = 300
## Severity
#
# SeverityKernel = crit
# [Utmp]
##
## --- Logging of login/logout events
##
## Switch on/off
#
# LoginCheckActive = True
## Severity for logins, multiple logins, logouts
#
# SeverityLogin=info
# SeverityLoginMulti=warn
# SeverityLogout=info
## Interval for login/logout checks
#
# LoginCheckInterval = 300
# [Database]
##
## --- Logging to a relational database
##
## Database name
#
# SetDBName = samhain
## Database table
#
# SetDBTable = log
## Database user
#
# SetDBUser = samhain
## Database password
#
# SetDBPassword = (default: none)
## Database host
#
# SetDBHost = localhost
## Log the server timestamp for received messages
#
# SetDBServerTstamp = True
## Use a persistent connection
#
# UsePersistent = True
# [External]
##
## Interface to call external scripts/programs for logging
##
## The absolute path to the command
## - Each invocation of this directive will end the definition of the
## preceding command, and start the definition of
## an additional, new command
#
# OpenCommand = (no default)
## Type (log or rv)
## - log for log messages, srv for messages received by the server
#
# SetType = log
## The command (full command line) to execute
#
# SetCommandLine = (no default)
## The environment (KEY=value; repeat for more)
#
# SetEnviron = TZ=(your timezone)
## The TIGER192 checksum (optional)
#
# SetChecksum = (no default)
## User who runs the command
#
# SetCredentials = (default: samhain process uid)
## Words not allowed in message
#
# SetFilterNot = (none)
## Words required (ALL of them)
#
# SetFilterAnd = (none)
## Words required (at least one)
#
# SetFilterOr = (none)
## Deadtime between consecutive calls
#
# SetDeadtime = 0
## Add default environment (HOME, PATH, SHELL)
#
# SetDefault = no
#####################################################
#
# Miscellaneous configuration options
#
#####################################################
[Misc]
## whether to become a daemon process
## (this is not honoured on database initialisation)
#
# Daemon = no
Daemon = yes
## whether to test signature of files (init/check/none)
## - if 'none', then we have to decide this on the command line -
#
# ChecksumTest = none
ChecksumTest=check
## whether to drop linux capabilities that are not required
## - will make a root process a 'mere mortal' in many respects
#
# UseCaps = yes
## Set nice level (-19 to 19, see 'man nice'),
## and I/O limit (kilobytes per second; 0 == off)
## to reduce load on host.
#
# SetNiceLevel = 0
# SetIOLimit = 0
## The version string to embed in file signature databases
#
# VersionString = NULL
## Interval between time stamp messages
#
# SetLoopTime = 60
SetLoopTime = 600
## Interval between file checks
#
# SetFileCheckTime = 600
SetFileCheckTime = 7200
## Alternative: crontab-like schedule
#
# FileCheckScheduleOne = NULL
## Alternative: crontab-like schedule(2)
#
# FileCheckScheduleTwo = NULL
## Report only once on modified fles
## Setting this to 'FALSE' will generate a report for any policy
## violation (old and new ones) each time the daemon checks the file system.
#
# ReportOnlyOnce = True
## Report in full detail
#
# ReportFullDetail = False
## Report file timestamps in local time rather than GMT
#
# UseLocalTime = No
## The console device (can also be a file or named pipe)
## - There are two console devices. Accordingly, you can use
## this directive a second time to set the second console device.
## If you have not defined the second device at compile time,
## and you don't want to use it, then:
## setting it to /dev/null is less effective than just leaving
## it alone (setting to /dev/null will waste time by opening
## /dev/null and writing to it)
#
# SetConsole = /dev/console
## Activate the SysV IPC message queue
#
# MessageQueueActive = False
## If false, skip reverse lookup when connecting to a host known
## by name rather than IP address (i.e. trust the DNS)
#
# SetReverseLookup = True
## --- E-Mail ---
# Only highest-level (alert) reports will be mailed immediately,
# others will be queued. Here you can define, when the queue will
# be flushed (Note: the queue is automatically flushed after
# completing a file check).
#
SetMailTime = 86400
## Maximum number of mails to queue
#
SetMailNum = 10
## Recipient (max. 8)
#
SetMailAddress = admin@fripost.org
## Mail relay (IP address)
#
SetMailRelay = 127.0.0.1
## Custom subject format
#
MailSubject = [Samhain at %H] %T: %S
## --- end E-Mail ---
## Path to the prelink executable
#
# SetPrelinkPath = /usr/sbin/prelink
## TIGER192 checksum of the prelink executable
#
# SetPrelinkChecksum = (no default)
## Path to the executable. If set, will be checksummed after startup
## and before exit.
#
# SamhainPath = (no default)
## The IP address of the log server
#
# SetLogServer = (default: compiled-in)
## The IP address of the time server
#
# SetTimeServer = (default: compiled-in)
## Trusted Users (comma delimited list of user names)
#
# TrustedUser = (no default; this adds to the compiled-in list)
## Path to the file signature database
#
# SetDatabasePath = (default: compiled-in)
## Path to the log file
#
# SetLogfilePath = (default: compiled-in)
## Path to the PID file
#
# SetLockPath = (default: compiled-in)
## The digest/checksum/hash algorithm
#
# DigestAlgo = TIGER192
## Custom format for message header.
## CAREFUL if you use XML logfile format.
##
## %S severity
## %T timestamp
## %C class
##
## %F source file
## %L source line
#
# MessageHeader="%S %T "
## Don't log path to config/database file on startup
#
# HideSetup = False
## The syslog facility, if you log to syslog
#
# SyslogFacility = LOG_AUTHPRIV
SyslogFacility=LOG_LOCAL2
## The message authentication method
## - If you change this, you *must* change it
## on client *and* server
#
# MACType = HMAC-TIGER
## everything below is ignored
[EOF]
#####################################################################
# This would be the proper syntax for parts that should only be
# included for certain hosts.
# You may enclose anything in a @HOSTNAME/@end bracket, as long as the
# result still has the proper syntax for the config file.
# You may have any number of @HOSTNAME/@end brackets.
# HOSTNAME should be the fully qualified 'official' name
# (e.g. 'nixon.watergate.com', not 'nixon'), no aliases.
# No IP number - except if samhain cannot determine the
# fully qualified hostname.
#
# @HOSTNAME
# file=/foo/bar
# @end
#
# These are two examples for conditional inclusion/exclusion
# of a machine based on the output from 'uname -srm'
# $Linux:2.*.7:i666
# file=/foo/bar3
# $end
#
# !$Linux:2.*.7:i686
# file=/foo/bar2
# $end
#
#####################################################################
|