samhain: disable SUID/SGID checks

[mirror/dsa-puppet.git] / modules / samhain / templates / samhainrc.erb

##
## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
##

#####################################################################
#
# Configuration file template for samhain.
#
#####################################################################
# 
# -- empty lines and lines starting with '#', ';' or '//' are ignored
# -- boolean options can be Yes/No or True/False or 1/0 
# -- you can PGP clearsign this file -- samhain will check (if compiled
#    with support) or otherwise ignore the signature
# -- CHECK mail address
#
# To each log facility, you can assign a threshold severity. Only
# reports with at least the threshold severity will be logged
# to the respective facility (even further below).
#
#####################################################################
#
# SETUP for file system checking:
# 
# (i)   There are several policies, each has its own section. Put files
#       into the section for the appropriate policy (see below).
# (ii)  Section [EventSeverity]: 
#       To each policy, you can assign a severity (further below).
# (iii) Section [Log]: 
#       To each log facility, you can assign a threshold severity. Only
#       reports with at least the threshold severity will be logged
#       to the respective facility (even further below).
#
#####################################################################

#####################################################################
#
# Files are defined with: file = /absolute/path
#
# Directories are defined with:                  dir = /absolute/path
# or with an optional recursion depth (N <= 99): dir = N/absolute/path
#
# Directory inodes are checked. If you only want to check files
# in a directory, but not the directory inode itself, use (e.g.):
#
# [ReadOnly]
# dir = /some/directory
# [IgnoreAll]
# file = /some/directory
#
# You can use shell-style globbing patterns, like: file = /path/foo*
# 
######################################################################

[Misc]
##
## Add or subtract tests from the policies
## - if you want to change their definitions,
##   you need to do that before using the policies
##
# RedefReadOnly = (no default)
# RedefAttributes=(no default)
# RedefLogFiles=(no default)
# RedefGrowingLogFiles=(no default)
# RedefIgnoreAll=(no default)
# RedefIgnoreNone=(no default)
# RedefUser0=(no default)
# RedefUser1=(no default)
IgnoreMissing=/etc/lvm/archive/.*.vg

[Attributes]
##
## for these files, only changes in permissions and ownership are checked
##
file=/etc/mtab
file=/etc/ssh_random_seed
file=/etc/asound.conf
file=/etc/bacula/bacula-fd.conf
file=/etc/localtime
file=/etc/ioctl.save
file=/etc/passwd.backup
file=/etc/shadow.backup
file=/etc/postfix/prng_exch
file=/etc/adjtime
file=/etc/lvm/.cache
file=/etc/lvm/cache
file=/etc/lvm/cache/.cache
file=/etc/network/run/ifstate
file=/var/state/samhain/samhain_file
file=/etc/bind/zones/db.debian.net
file=/etc/exim4/bsmtp
file=/etc/fake-hwclock.data
<% if classes.include?("named::geodns") -%>
file=/etc/bind
file=/etc/bind/named.conf.acl
file=/etc/bind/named.conf.local
file=/etc/bind/geodns/named.conf.geo
file=/etc/bind/geodns/recvconf.files
<% end -%>
<% if classes.include?("named") -%>
file=/etc/bind/named.conf.options
<% end -%>
file=/etc/apache2/conf.d/puppet-builddlist
<% if classes.include?("roles::static_mirror") -%>
file=/etc/apache2/sites-available/static-vhosts-simple
file=/etc/static-clients.conf
<% elsif classes.include?("roles::static_master") -%>
file=/etc/static-clients.conf
<% elsif classes.include?("roles::static_source") -%>
file=/etc/static-clients.conf
<% end -%>
<% if classes.include?("apache2") -%>
file=/etc/apache2/conf-available/puppet-ssl-key-pins.conf
<% end -%>
file=/etc/multipath/wwids

#
# There are files in /etc that might change, thus changing the directory
# timestamps. Put it here as 'file', and in the ReadOnly section as 'dir'.
#
file=/etc
file=/etc/ssh
file=/etc/network/run
file=/etc/bind/zones
file=/etc/spamassassin/sa-update-keys
file=/etc/init.d/.depend.boot
file=/etc/init.d/.depend.start
file=/etc/init.d/.depend.stop

# These are the directories for the files we handle with puppet
<% if classes.include?("apache2") -%>
file=/etc/apache2/conf-available
files=/etc/apache2/mods-enabled
files=/etc/apache2/sites-available
<% end -%>
file=/etc/bacula
file=/etc/samhain
file=/etc/munin
file=/etc/munin/plugins
file=/etc/munin/plugin-conf.d
file=/etc/munin/munin-conf.d
file=/etc/exim4
file=/etc/exim4/ssl
file=/etc/apt
file=/etc/apt/apt.conf.d
file=/etc/apt/sources.list.d
file=/etc/apt/preferences.d
file=/etc/default
file=/etc/logrotate.d
file=/etc/nagios
file=/etc/nagios/nrpe.d
file=/etc/nagios/obsolete-packages-ignore.d
file=/etc/bind/geodns
<% if scope.function_has_role(['nagiosmaster']) -%>
file=/etc/nagios3/puppetconf.d
<% end -%>
file=/etc/puppet
file=/etc/cron.d
file=/etc/cron.weekly
file=/usr/lib/nagios/plugins
file=/usr/sbin
file=/etc/monit
file=/etc/monit/monit.d
file=/etc/pam.d
file=/etc/schroot/default
file=/etc/schroot/setup.d
file=/etc/sysctl.d
file=/etc/syslog-ng
file=/etc/stunnel
file=/etc/ferm/
file=/etc/ferm/conf.d
file=/etc/ferm/dsa.d
file=/etc/rc.local
file=/etc/unbound
file=/etc/dsa
file=/etc/rabbitmq
<% if scope.function_has_role(['static_mirror']) or scope.function_has_role(['static_source']) or scope.function_has_role(['static_master']) -%>
file=/etc/ssh/userkeys
file=/etc/ssh/userkeys/staticsync
<% end -%>
file=/etc/rsyncd
<%- if @hostname == "sibelius" then -%>
file=/etc/tsm
file=/etc/tsm/TSM.PWD
<% end -%>
file=/etc/ssl/private


[LogFiles]
##
## for these files, changes in signature, timestamps, and size are ignored 
##
file=/etc/motd

# is on tmpfs, ignore.
#file=/var/run/utmp


#####################################################################
#
# This would be the proper syntax for parts that should only be
#    included for certain hosts.
# You may enclose anything in a @HOSTNAME/@end bracket, as long as the
#    result still has the proper syntax for the config file.
# You may have any number of @HOSTNAME/@end brackets.
# HOSTNAME should be the fully qualified 'official' name 
#    (e.g. 'nixon.watergate.com', not 'nixon'), no aliases. 
#    No IP number - except if samhain cannot determine the 
#    fully qualified hostname.
#
# @HOSTNAME
# file=/foo/bar
# @end
#
# These are two examples for conditional inclusion/exclusion
# of a machine based on the output from 'uname -srm'
#
# $Linux:2.*.7:i666
# file=/foo/bar3
# $end
#
# !$Linux:2.*.7:i686
# file=/foo/bar2
# $end
#
#####################################################################

[GrowingLogFiles]
##
## for these files, changes in signature, timestamps, and increase in size
##                  are ignored 
##
file=/var/log/warn
file=/var/log/messages
file=/var/log/wtmp
file=/var/log/faillog
file=/var/log/auth.log
file=/var/log/daemon.log
file=/var/log/user.log
file=/var/log/kern.log
file=/var/log/syslog


[IgnoreAll]
dir=-1/srv
##
## for these files, no modifications are reported
##
## This file might be created or removed by the system sometimes.
##
file=/etc/resolv.conf
<% if scope.lookupvar('site::nodeinfo')['buildd'] -%>
file=/etc/dupload.conf
file=/etc/buildd/buildd.conf
file=/etc/sbuild/sbuild.conf
<% end -%>
file=/etc/resolv.conf.pcmcia.save
file=/etc/nologin
file=/etc/postfix/debian.db
file=/etc/postfix/debian
file=/etc/ssh/ssh_known_hosts
file=/etc/ssh/ssh-rsa-shadow
file=/var/lib/misc/ssh-rsa-shadow
file=/etc/.da-backup.trace
file=/etc/postfix/debianhosts
file=/etc/postfix/debianhosts.db
file=/etc/blkid.tab
file=/etc/blkid.tab.old
file=/etc/resolv.conf.dhclient-new

# We handle these files with puppet - please to not be bothering us
file=/etc/dsa/pubsub.conf
file=/etc/nsswitch.conf
file=/etc/timezone
file=/etc/motd.tail
file=/etc/update-motd.d/
file=/etc/update-motd.d/puppet-motd
file=/etc/ntp.conf
file=/etc/samhain/samhainrc
file=/etc/munin/munin-node.conf
file=/etc/munin/plugin-conf.d/munin-node
dir=2/etc/munin/munin-conf.d
file=/etc/userdir-ldap.confc
file=/etc/exim4/blacklist
file=/etc/exim4/host_blacklist
file=/etc/exim4/callout_users
file=/etc/exim4/exim4.conf
file=/etc/exim4/grey_users
file=/etc/exim4/helo-check
file=/etc/exim4/locals
file=/etc/exim4/localusers
file=/etc/exim4/manualroute
file=/etc/exim4/rbllist
file=/etc/exim4/rhsbllist
file=/etc/exim4/submission-domains
file=/etc/exim4/virtualdomains
file=/etc/exim4/email-virtualdomains
file=/etc/exim4/whitelist
file=/etc/exim4/local-settings.conf
file=/etc/exim4/ssl/ca.crt
file=/etc/exim4/ssl/ca.crl
file=/etc/exim4/ssl/thishost.crt
file=/etc/exim4/ssl/thishost.key
dir=3/etc/exim4/email-virtualdomains
file=/etc/ssh/ssh_config
file=/etc/ssh/sshd_config
file=/etc/dsa/cron.ignore.dsa-puppet-stuff
file=/etc/vsftpd.conf
file=/etc/aliases
file=/etc/multipath.conf
file=/etc/static-components.conf
file=/etc/rabbitmq/rabbitmq.config
file=/etc/rabbitmq/enabled_plugins
dir=/etc/bacula/storages-list.d
dir=/etc/bacula/storage-conf.d
dir=/etc/bacula/conf.d
<%=
out=""
if scope.lookupvar('site::nodeinfo')['heavy_exim']
  out = '
file=/etc/exim4/surbl_whitelist.txt
file=/etc/exim4/exim_surbl.pl
file=/etc/exim4/ccTLD.txt
file=/etc/clamav-unofficial-sigs.conf
file=/etc/clamav-unofficial-sigs.dsa.conf
'
end
out
%>
file=/etc/munin/plugins/bind
file=/etc/munin/plugins/bind_views
file=/etc/munin/plugins/cpu
file=/etc/munin/plugins/df
file=/etc/munin/plugins/df_abs
file=/etc/munin/plugins/df_inode
file=/etc/munin/plugins/entropy
file=/etc/munin/plugins/forks
file=/etc/munin/plugins/interrupts
file=/etc/munin/plugins/iostat
file=/etc/munin/plugins/irqstats
file=/etc/munin/plugins/load
file=/etc/munin/plugins/memory
file=/etc/munin/plugins/ntp_offset
file=/etc/munin/plugins/ntp_states
file=/etc/munin/plugins/open_files
file=/etc/munin/plugins/open_inodes
file=/etc/munin/plugins/processes
file=/etc/munin/plugins/ps_apache2
file=/etc/munin/plugins/ps_exim4
file=/etc/munin/plugins/ps_vsftpd
file=/etc/munin/plugins/spamassassin
file=/etc/munin/plugins/swap
file=/etc/munin/plugins/uptime
file=/etc/munin/plugins/vmstat
file=/etc/munin/plugins/vfstpd
file=/etc/munin/plugins/apache_accesses
file=/etc/munin/plugins/apache_processes
file=/etc/munin/plugins/apache_volume
file=/etc/munin/plugins/apache_servers
file=/etc/munin/plugins/exim_mailqueue
file=/etc/munin/plugins/exim_mailstats
file=/etc/munin/plugins/postfix_mailqueue
file=/etc/munin/plugins/postfix_mailvolume
file=/etc/apache2/conf.d/resource-limits
file=/etc/apache2/mods-enabled/info.conf
file=/etc/apache2/mods-enabled/info.load
file=/etc/apache2/mods-enabled/server.conf
file=/etc/apache2/mods-enabled/server.load
file=/etc/apache2/conf.d/server-status
file=/etc/apache2/conf.d/local-serverinfo
file=/etc/apache2/sites-available/www.debian.org
file=/etc/apt/preferences
file=/etc/apt/sources.list.d/volatile.list
file=/etc/apt/sources.list.d/security.list
file=/etc/apt/sources.list.d/buildd.list
file=/etc/apt/sources.list.d/buildd.debian.org.list
file=/etc/apt/sources.list.d/buildd.debian.org-proposed.list
file=/etc/apt/sources.list.d/buildd.debian.org-experimental.list
file=/etc/apt/sources.list.d/geoip.list
file=/etc/apt/sources.list.d/backports.debian.org.list
file=/etc/apt/sources.list.d/debian.org.list
file=/etc/apt/sources.list.d/db.debian.org.list
file=/etc/apt/sources.list.d/debian.restricted.list
file=/etc/apt/sources.list.d/debian.list
file=/etc/apt/sources.list.d/backports.org.list
file=/etc/apt/apt.conf.d/local-compression
file=/etc/apt/apt.conf.d/local-recommends
file=/etc/apt/apt.conf.d/local-pdiffs
file=/etc/apt/apt.conf.d/local-ssl-ca-global
file=/etc/apt/preferences.d/buildd
file=/etc/puppet/puppet.conf
file=/etc/default/puppet
file=/etc/default/postgrey
file=/etc/default/syslog-ng
file=/etc/logrotate.d/exim4-paniclog
file=/etc/logrotate.d/exim4-base
file=/etc/logrotate.d/syslog-ng
file=/etc/syslog-ng/syslog-ng.conf
file=/usr/sbin/dsa-update-apt-status
file=/usr/sbin/dsa-update-samhain-status
file=/etc/nagios/nrpe.d/nrpe_dsa.cfg
file=/etc/nagios/nrpe.d/debianorg.cfg
file=/etc/nagios/obsolete-packages-ignore
file=/etc/nagios/obsolete-packages-ignore.d/hostspecific
file=/etc/nagios/check-libs.conf
file=/usr/lib/nagios/plugins/dsa-check-packages
file=/usr/lib/nagios/plugins/dsa-check-soas
file=/usr/lib/nagios/plugins/dsa-check-mirrorsync
file=/usr/lib/nagios/plugins/dsa-check-samhain
file=/usr/lib/nagios/plugins/dsa-check-statusfile
file=/usr/lib/nagios/plugins/dsa-check-dabackup-server
file=/usr/lib/nagios/plugins/dsa-check-config
file=/usr/lib/nagios/plugins/dsa-check-hpacucli
file=/usr/lib/nagios/plugins/dsa-check-raid-mpt
file=/usr/lib/nagios/plugins/dsa-check-puppet
file=/usr/lib/nagios/plugins/dsa-check-running-kernel
file=/usr/lib/nagios/plugins/dsa-check-raid-3ware
file=/usr/lib/nagios/plugins/dsa-check-dabackup
file=/usr/lib/nagios/plugins/dsa-check-raid-dac960
file=/usr/lib/nagios/plugins/dsa-check-udldap-freshness
file=/usr/lib/nagios/plugins/dsa-check-raid-areca
file=/usr/lib/nagios/plugins/dsa-check-raid-sw
file=/usr/lib/nagios/plugins/dsa-update-samhain-status
file=/etc/sudoers
file=/etc/stunnel/puppet-ekeyd-peer.pem
file=/etc/stunnel/puppet-ekeyd.conf
file=/etc/pam.d/sudo
file=/etc/monit/monitrc
file=/etc/monit/monit.d/01puppet
file=/etc/monit/monit.d/00debian.org
file=/etc/cron.d/dsa-puppet-stuff
file=/etc/cron.d/dsa-buildd
file=/etc/cron.d/puppet-nagios-wraps
file=/etc/cron.weekly/stunnel-ekey-restart
file=/etc/default/schroot
file=/etc/schroot/default/nssdatabases
file=/etc/schroot/setup.d/99builddsourceslist
file=/etc/schroot/setup.d/99porterbox-extra-sources
file=/etc/schroot/setup.d/99porterbox-extra-apt-options
file=/etc/openvswitch/conf.db

<% if scope.function_has_role(['nagiosmaster']) -%>
file=/etc/nagios3/puppetconf.d/auto-hostgroups.cfg
file=/etc/nagios3/puppetconf.d/auto-hosts.cfg
file=/etc/nagios3/puppetconf.d/auto-services.cfg
file=/etc/nagios3/puppetconf.d/auto-dependencies.cfg
file=/etc/nagios3/puppetconf.d/auto-hostextinfo.cfg
file=/etc/nagios3/puppetconf.d/auto-serviceextinfo.cfg
file=/etc/nagios3/puppetconf.d/auto-servicegroups.cfg
file=/etc/nagios3/puppetconf.d/contacts.cfg
<% end -%>
<% if scope.function_has_role(['muninmaster']) -%>
file=/etc/munin/munin.conf
<% end -%>
<% if scope.function_has_role(['puppetmaster']) -%>
dir=8/etc/puppet
<% end -%>  
<% if classes.include?('named::geodns') -%>
dir=1/etc/bind/geodns
<% end -%>
<% if classes.include?('named::authoritative') -%>
dir=1/etc/bind
file=/etc/bind/named.conf.debian-zones
<% end -%>
dir=3/etc/lvm/archive
dir=3/etc/lvm/backup
dir=1/etc/ferm/dsa.d
dir=1/etc/ferm/conf.d
dir=3/etc/facter
file=/etc/ferm/conf.d/me.conf
file=/etc/ferm/conf.d/defs.conf
file=/etc/ferm/ferm.conf
file=/etc/ssl/README
dir=2/etc/ssl/debian
dir=1/etc/ssl/certs
dir=1/etc/ssl/ca-debian
dir=1/etc/ssl/ca-global
file=/etc/ca-certificates.conf
file=/etc/ca-certificates-debian.conf
file=/etc/ca-certificates-global.conf
file=/etc/ssl/private/ssl-cert-snakeoil.key
file=/etc/unbound/unbound.conf
<% if scope.lookupvar('::fqdn') == "draghi.debian.org" -%>
file=/etc/openvpn/deb-mgmt-clients.pool
<% end -%>
file=/etc/rsyncd/debian.secrets


<% if scope.function_has_role(['puppetmaster']) %>

# Damn you rails apps and your shoddy packaging
file=/usr/share/puppet-dashboard/public/stylesheets
file=/usr/share/puppet-dashboard/public/javascripts
file=/usr/share/puppet-dashboard/public/stylesheets/all.css
file=/usr/share/puppet-dashboard/public/javascripts/all.js
dir=1/usr/share/puppet-dashboard/tmp/pids
<% end -%>

<% if classes.include?("porterbox") %>
file=/etc/cron.weekly/puppet-mail-big-homedirs
<% end -%>
file=/etc/ssl/private/*.key-certchain

[IgnoreNone]
##
## for these files, all modifications (even access time) are reported
##    - you may create some interesting-looking file (like /etc/safe_passwd),
##      just to watch whether someone will access it ...
##

[Prelink]
##
## Use for prelinked files or directories holding them
##


[ReadOnly]
##
## for these files, only access time is ignored
##
dir=/usr/bin
dir=/bin
dir=/boot
#
# SuSE (old) has the boot init scripts in /sbin/init.d/*, 
# so we go 3 levels deep
#
dir=3/sbin
dir=/usr/sbin
dir=/lib
dir=3/usr/lib
dir=3/usr/share
#
# RedHat and Debian have the bootinit scripts in /etc/init.d/* or /etc/rc.d/*, 
#        so we go 3 levels deep there too
#
dir=3/etc

# Various directories / files that may include / be SUID/SGID binaries
#
#
file=/usr/lib/pt_chown
# X11, in Debian X7 this is now a symlink
#dir=/usr/X11R6/bin
#dir=/usr/X11R6/lib/X11/xmcd/bin
# Apache:
#file=/usr/lib/apache/suexec
#file=/usr/lib/apache/suexec.disabled
# Extra directories:
#dir=/opt/gnome/bin
#dir=/opt/kde/bin

[User0]
[User1]
## User0 and User1 are sections for files/dirs with user-definable checking
## (see the manual) 


[EventSeverity]
##
## Here you can assign severities to policy violations.
## If this severity exceeds the treshold of a log facility (see below),
## a policy violation will be logged to that facility.
##
## Severity for verification failures.
##
# SeverityReadOnly=crit
# SeverityLogFiles=crit
# SeverityGrowingLogs=crit
# SeverityIgnoreNone=crit
# SeverityAttributes=crit
# SeverityUser0=crit
# SeverityUser1=crit

# Default behaviour
SeverityReadOnly=crit
SeverityLogFiles=crit
SeverityGrowingLogs=warn
SeverityIgnoreNone=crit
SeverityAttributes=crit


##
## We have a file in IgnoreAll that might or might not be present.
## Setting the severity to 'info' prevents messages about deleted/new file.
##
# SeverityIgnoreAll=crit
SeverityIgnoreAll=info

## Files : file access problems
# SeverityFiles=crit

## Dirs  : directory access problems
# SeverityDirs=crit

## Names : suspect (non-printable) characters in a pathname
# SeverityNames=crit

# Default behaviour
SeverityFiles=crit
SeverityDirs=crit
SeverityNames=warn


[Log]
##
## Switch on/OFF log facilities and set their threshold severity
##
## Values: debug, info, notice, warn, mark, err, crit, alert, none.
## 'mark' is used for timestamps.
##
##
## Use 'none' to SWITCH OFF a log facility
## 
## By default, everything equal to and above the threshold is logged.
## The specifiers '*', '!', and '=' are interpreted as  
## 'all', 'all but', and 'only', respectively (like syslogd(8) does, 
## at least on Linux). Examples:
## MailSeverity=*
## MailSeverity=!warn
## MailSeverity==crit

## E-mail
##
# MailSeverity=none

## Console
##
# PrintSeverity=info

## Logfile
##
# LogSeverity=mark

## Syslog
##
# SyslogSeverity=none

## Remote server (yule)
##
# ExportSeverity=none

## External script or program
##
# ExternalSeverity = none

## Logging to a database
##
# DatabaseSeverity = none

# Default behaviour
MailSeverity=crit
PrintSeverity=none
LogSeverity=info
SyslogSeverity=alert
#ExportSeverity=none





#####################################################
#
# Optional modules
#
#####################################################

[SuidCheck]
##
## --- Check the filesystem for SUID/SGID binaries
## 

## Switch off
#
SuidCheckActive = 0

## Interval for check (seconds)
#
# SuidCheckInterval = 7200

## Alternative: crontab-like schedule
#
# SuidCheckSchedule = NULL
 
## Directory to exclude 
#
# SuidCheckExclude = NULL

## Limit on files per second (0 == no limit)
#
# SuidCheckFps = 0

## Alternative: yield after every file
#
# SuidCheckYield = no

## Severity of a detection
#
# SeveritySuidCheck = crit

## Quarantine SUID/SGID files if found
#
# SuidCheckQuarantineFiles = yes

## Method for Quarantining files:
#  0 - Delete or truncate the file.
#  1 - Remove SUID/SGID permissions from file.
#  2 - Move SUID/SGID file to quarantine dir.
#
# SuidCheckQuarantineMethod = 0

## For method 1 and 3, really delete instead of truncating
# 
# SuidCheckQuarantineDelete = yes

# [Kernel]
##
## --- Check for loadable kernel module rootkits (Linux/FreeBSD only) 
##

## Switch on/off
#
#KernelCheckActive = True

## Check interval (seconds); btw., the check is VERY fast
#
# KernelCheckInterval = 300

## Severity
#
# SeverityKernel = crit


# [Utmp]
##
## --- Logging of login/logout events
##

## Switch on/off
#
# LoginCheckActive = True

## Severity for logins, multiple logins, logouts
# 
# SeverityLogin=info
# SeverityLoginMulti=warn
# SeverityLogout=info

## Interval for login/logout checks
#
# LoginCheckInterval = 300


# [Database]
##
## --- Logging to a relational database
##

## Database name
#
# SetDBName = samhain

## Database table
#
# SetDBTable = log

## Database user
#
# SetDBUser = samhain

## Database password
#
# SetDBPassword = (default: none)

## Database host
#
# SetDBHost = localhost

## Log the server timestamp for received messages
#
# SetDBServerTstamp = True

## Use a persistent connection
#
# UsePersistent = True

# [External]
##
## Interface to call external scripts/programs for logging
##

## The absolute path to the command
## - Each invocation of this directive will end the definition of the
##   preceding command, and start the definition of 
##   an additional, new command
#
# OpenCommand = (no default)

## Type (log or rv)
## - log for log messages, srv for messages received by the server
#
# SetType = log

## The command (full command line) to execute
#
# SetCommandLine = (no default)

## The environment (KEY=value; repeat for more)
#
# SetEnviron = TZ=(your timezone)

## The TIGER192 checksum (optional)
#
# SetChecksum = (no default)

## User who runs the command
#
# SetCredentials = (default: samhain process uid)

## Words not allowed in message
#
# SetFilterNot = (none)

## Words required (ALL of them)
#
# SetFilterAnd = (none)

## Words required (at least one)
#
# SetFilterOr = (none)

## Deadtime between consecutive calls
#
# SetDeadtime = 0

## Add default environment (HOME, PATH, SHELL)
#
# SetDefault = no

<% if scope.call_function('versioncmp', [@lsbmajdistrelease, '9']) >= 0 -%>
[PortCheck]
PortCheckActive=0
<% end -%>


#####################################################
#
# Miscellaneous configuration options
#
#####################################################

[Misc]

## whether to become a daemon process
## (this is not honoured on database initialisation)
#
# Daemon = no
Daemon = yes

## whether to test signature of files (init/check/none)
## - if 'none', then we have to decide this on the command line -
#
# ChecksumTest = none
ChecksumTest=check

## whether to drop linux capabilities that are not required
## - will make a root process a 'mere mortal' in many respects
#
# UseCaps = yes

## Set nice level (-19 to 19, see 'man nice'),
## and I/O limit (kilobytes per second; 0 == off)
## to reduce load on host.
#
# SetNiceLevel = 0
# SetIOLimit = 0

## The version string to embed in file signature databases
#
# VersionString = NULL

## Interval between time stamp messages
#
# SetLoopTime = 60
SetLoopTime = 600

## Interval between file checks 
#
# SetFileCheckTime = 600
SetFileCheckTime = 7200

## Alternative: crontab-like schedule
#
# FileCheckScheduleOne = NULL

## Alternative: crontab-like schedule(2)
#
# FileCheckScheduleTwo = NULL

## Report only once on modified fles 
## Setting this to 'FALSE' will generate a report for any policy 
## violation (old and new ones) each time the daemon checks the file system.
#
# ReportOnlyOnce = True

## Report in full detail
#
# ReportFullDetail = False

## Report file timestamps in local time rather than GMT
#
# UseLocalTime = No

## The console device (can also be a file or named pipe)
## - There are two console devices. Accordingly, you can use
##   this directive a second time to set the second console device.
##   If you have not defined the second device at compile time,
##   and you don't want to use it, then:
##   setting it to /dev/null is less effective than just leaving
##   it alone (setting to /dev/null will waste time by opening
##   /dev/null and writing to it)
#
# SetConsole = /dev/console

## Activate the SysV IPC message queue
#
# MessageQueueActive = False


## If false, skip reverse lookup when connecting to a host known 
## by name rather than IP address (i.e. trust the DNS)
#
# SetReverseLookup = True

## --- E-Mail ---

# Only highest-level (alert) reports will be mailed immediately,
# others will be queued. Here you can define, when the queue will
# be flushed (Note: the queue is automatically flushed after
# completing a file check).
#
SetMailTime = 86400

## Maximum number of mails to queue
#
SetMailNum = 10

## Recipient (max. 8)
#
SetMailAddress=samhain-reports@<%= @fqdn -%>

SetMailRelay = localhost

## Custom subject format
#
MailSubject = [Samhain at %H] %T: %S

## --- end E-Mail ---

## Path to the prelink executable
#
# SetPrelinkPath = /usr/sbin/prelink

## TIGER192 checksum of the prelink executable
#
# SetPrelinkChecksum = (no default)


## Path to the executable. If set, will be checksummed after startup
## and before exit.
#
# SamhainPath = (no default)


## The IP address of the log server
#
# SetLogServer = (default: compiled-in)

## The IP address of the time server
#
# SetTimeServer = (default: compiled-in)

## Trusted Users (comma delimited list of user names) 
#
# TrustedUser = (no default; this adds to the compiled-in list)

## Path to the file signature database
#
# SetDatabasePath = (default: compiled-in)

## Path to the log file
#
# SetLogfilePath = (default: compiled-in)

## Path to the PID file
#
# SetLockPath = (default: compiled-in)


## The digest/checksum/hash algorithm
#
# DigestAlgo = TIGER192


## Custom format for message header. 
## CAREFUL if you use XML logfile format.
##
## %S severity
## %T timestamp
## %C class
##
## %F source file
## %L source line
#
# MessageHeader="%S %T "


## Don't log path to config/database file on startup
#
# HideSetup = False

## The syslog facility, if you log to syslog
#
# SyslogFacility = LOG_AUTHPRIV
SyslogFacility=LOG_LOCAL2

## The message authentication method
## - If you change this, you *must* change it
##   on client *and* server
#
# MACType = HMAC-TIGER


## everything below is ignored
[EOF]

#####################################################################
# This would be the proper syntax for parts that should only be
#    included for certain hosts.
# You may enclose anything in a @HOSTNAME/@end bracket, as long as the
#    result still has the proper syntax for the config file.
# You may have any number of @HOSTNAME/@end brackets.
# HOSTNAME should be the fully qualified 'official' name 
#    (e.g. 'nixon.watergate.com', not 'nixon'), no aliases. 
#    No IP number - except if samhain cannot determine the 
#    fully qualified hostname.
#
# @HOSTNAME
# file=/foo/bar
# @end
#
# These are two examples for conditional inclusion/exclusion
# of a machine based on the output from 'uname -srm'
# $Linux:2.*.7:i666
# file=/foo/bar3
# $end
#
# !$Linux:2.*.7:i686
# file=/foo/bar2
# $end
#
#####################################################################