{"id":1496,"date":"2018-10-12T12:09:57","date_gmt":"2018-10-12T10:09:57","guid":{"rendered":"http:\/\/clark.tipistrani.it\/?p=1496"},"modified":"2018-10-16T12:16:09","modified_gmt":"2018-10-16T10:16:09","slug":"samhainrc","status":"publish","type":"post","link":"http:\/\/clark.tipistrani.it\/?p=1496","title":{"rendered":"samhainrc"},"content":{"rendered":"

Questo e il file di configurazione di samhain nella nuova versione e fa riferimento a questo vecchio articolo<\/a><\/p>\n

#####################################################################
\n#
\n# Configuration file template for samhain.
\n#
\n#####################################################################
\n#
\n# — empty lines and lines starting with ‘#’, ‘;’ or ‘\/\/’ are ignored
\n# — boolean options can be Yes\/No or True\/False or 1\/0
\n# — you can PGP clearsign this file — samhain will check (if compiled
\n# with support) or otherwise ignore the signature
\n# — CHECK mail address
\n#
\n# To each log facility, you can assign a threshold severity. Only
\n# reports with at least the threshold severity will be logged
\n# to the respective facility (even further below).
\n#
\n#####################################################################
\n#
\n# SETUP for file system checking:
\n#
\n# (i) There are several policies, each has its own section. Put files
\n# into the section for the appropriate policy (see below).
\n# (ii) Section [EventSeverity]:
\n# To each policy, you can assign a severity (further below).
\n# (iii) Section [Log]:
\n# To each log facility, you can assign a threshold severity. Only
\n# reports with at least the threshold severity will be logged
\n# to the respective facility (even further below).
\n#
\n#####################################################################<\/p>\n

#####################################################################
\n#
\n# Files are defined with: file = \/absolute\/path
\n#
\n# Directories are defined with: dir = \/absolute\/path
\n# or with an optional recursion depth (N <= 99): dir = N\/absolute\/path
\n#
\n# Directory inodes are checked. If you only want to check files
\n# in a directory, but not the directory inode itself, use (e.g.):
\n#
\n# [ReadOnly]
\n# dir = \/some\/directory
\n# [IgnoreAll]
\n# file = \/some\/directory
\n#
\n# You can use shell-style globbing patterns, like: file = \/path\/foo*
\n#
\n######################################################################<\/p>\n

[Misc]
\n##
\n## Add or subtract tests from the policies
\n## – if you want to change their definitions,
\n## you need to do that before using the policies
\n##
\n# RedefReadOnly = (no default)
\n# RedefAttributes=(no default)
\n# RedefLogFiles=(no default)
\n# RedefGrowingLogFiles=(no default)
\n# RedefIgnoreAll=(no default)
\n# RedefIgnoreNone=(no default)
\n# RedefUser0=(no default)
\n# RedefUser1=(no default)<\/p>\n

[Attributes]
\n##
\n## for these files, only changes in permissions and ownership are checked
\n##
\nfile=\/etc\/mtab
\nfile=\/etc\/ssh_random_seed
\n#file=\/etc\/asound.conf
\nfile=\/etc\/resolv.conf
\nfile=\/etc\/localtime
\n#file=\/etc\/ioctl.save
\nfile=\/etc\/passwd.backup
\nfile=\/etc\/shadow.backup
\n#file=\/etc\/postfix\/prng_exch
\nfile=\/etc\/adjtime
\nfile=\/etc\/network\/run\/ifstate
\n#file=\/etc\/lvm\/.cache
\nfile=\/etc\/ld.so.cache<\/p>\n

#
\n# There are files in \/etc that might change, thus changing the directory
\n# timestamps. Put it here as ‘file’, and in the ReadOnly section as ‘dir’.
\n#
\nfile=\/etc<\/p>\n

[LogFiles]
\n##
\n## for these files, changes in signature, timestamps, and size are ignored
\n##
\nfile=\/var\/run\/utmp
\nfile=\/etc\/motd<\/p>\n

#####################################################################
\n#
\n# This would be the proper syntax for parts that should only be
\n# included for certain hosts.
\n# You may enclose anything in a @HOSTNAME\/@end bracket, as long as the
\n# result still has the proper syntax for the config file.
\n# You may have any number of @HOSTNAME\/@end brackets.
\n# HOSTNAME should be the fully qualified ‘official’ name
\n# (e.g. ‘nixon.watergate.com’, not ‘nixon’), no aliases.
\n# No IP number – except if samhain cannot determine the
\n# fully qualified hostname.
\n#
\n# @HOSTNAME
\n# file=\/foo\/bar
\n# @end
\n#
\n# These are two examples for conditional inclusion\/exclusion
\n# of a machine based on the output from ‘uname -srm’
\n#
\n# $Linux:2.*.7:i666
\n# file=\/foo\/bar3
\n# $end
\n#
\n# !$Linux:2.*.7:i686
\n# file=\/foo\/bar2
\n# $end
\n#
\n#####################################################################<\/p>\n

[GrowingLogFiles]
\n##
\n## for these files, changes in signature, timestamps, and increase in size
\n## are ignored
\n##
\n#file=\/var\/log\/warn
\nfile=\/var\/log\/messages
\nfile=\/var\/log\/wtmp
\nfile=\/var\/log\/faillog
\nfile=\/var\/log\/auth.log
\nfile=\/var\/log\/daemon.log
\nfile=\/var\/log\/user.log
\nfile=\/var\/log\/kern.log
\nfile=\/var\/log\/syslog<\/p>\n

[IgnoreAll]
\n##
\n## for these files, no modifications are reported
\n##
\n## This file might be created or removed by the system sometimes.
\n##
\nfile=\/etc\/resolv.conf.pcmcia.save
\nfile=\/etc\/nologin
\nfile=\/etc\/network\/run<\/p>\n

[IgnoreNone]
\n##
\n## for these files, all modifications (even access time) are reported
\n## – you may create some interesting-looking file (like \/etc\/safe_passwd),
\n## just to watch whether someone will access it …
\n##<\/p>\n

[Prelink]
\n##
\n## Use for prelinked files or directories holding them
\n##<\/p>\n

[ReadOnly]
\n##
\n## for these files, only access time is ignored
\n##
\ndir=\/usr\/bin
\ndir=\/bin
\ndir=\/boot
\n#
\n# SuSE (old) has the boot init scripts in \/sbin\/init.d\/*,
\n# so we go 3 levels deep
\n#
\ndir=3\/sbin
\ndir=\/usr\/sbin
\ndir=\/lib
\n#
\n# RedHat and Debian have the bootinit scripts in \/etc\/init.d\/* or \/etc\/rc.d\/*,
\n# so we go 3 levels deep there too
\n#
\ndir=3\/etc<\/p>\n

# Various directories \/ files that may include \/ be SUID\/SGID binaries
\n#
\n#
\n#file=\/usr\/lib\/pt_chown
\n# X11, in Debian X7 this is now a symlink
\n#dir=\/usr\/X11R6\/bin
\n#dir=\/usr\/X11R6\/lib\/X11\/xmcd\/bin
\n# Apache:
\n#file=\/usr\/lib\/apache\/suexec
\n#file=\/usr\/lib\/apache\/suexec.disabled
\n# Extra directories:
\n#dir=\/opt\/gnome\/bin
\n#dir=\/opt\/kde\/bin<\/p>\n

[User0]
\n[User1]
\n## User0 and User1 are sections for files\/dirs with user-definable checking
\n## (see the manual)<\/p>\n

[EventSeverity]
\n##
\n## Here you can assign severities to policy violations.
\n## If this severity exceeds the treshold of a log facility (see below),
\n## a policy violation will be logged to that facility.
\n##
\n## Severity for verification failures.
\n##
\n# SeverityReadOnly=crit
\n# SeverityLogFiles=crit
\n# SeverityGrowingLogs=crit
\n# SeverityIgnoreNone=crit
\n# SeverityAttributes=crit
\n# SeverityUser0=crit
\n# SeverityUser1=crit<\/p>\n

# Default behaviour
\nSeverityReadOnly=crit
\nSeverityLogFiles=crit
\nSeverityGrowingLogs=warn
\nSeverityIgnoreNone=crit
\nSeverityAttributes=crit<\/p>\n

##
\n## We have a file in IgnoreAll that might or might not be present.
\n## Setting the severity to ‘info’ prevents messages about deleted\/new file.
\n##
\n# SeverityIgnoreAll=crit
\nSeverityIgnoreAll=info<\/p>\n

## Files : file access problems
\n# SeverityFiles=crit<\/p>\n

## Dirs : directory access problems
\n# SeverityDirs=crit<\/p>\n

## Names : suspect (non-printable) characters in a pathname
\n# SeverityNames=crit<\/p>\n

# Default behaviour
\nSeverityFiles=crit
\nSeverityDirs=crit
\nSeverityNames=warn<\/p>\n

[Log]
\n##
\n## Switch on\/OFF log facilities and set their threshold severity
\n##
\n## Values: debug, info, notice, warn, mark, err, crit, alert, none.
\n## ‘mark’ is used for timestamps.
\n##
\n##
\n## Use ‘none’ to SWITCH OFF a log facility
\n##
\n## By default, everything equal to and above the threshold is logged.
\n## The specifiers ‘*’, ‘!’, and ‘=’ are interpreted as
\n## ‘all’, ‘all but’, and ‘only’, respectively (like syslogd(8) does,
\n## at least on Linux). Examples:
\n## MailSeverity=*
\n## MailSeverity=!warn
\n## MailSeverity==crit<\/p>\n

## E-mail
\n##
\n# MailSeverity=none<\/p>\n

## Console
\n##
\n# PrintSeverity=info<\/p>\n

## Logfile
\n##
\n# LogSeverity=mark<\/p>\n

## Syslog
\n##
\n# SyslogSeverity=none<\/p>\n

## Remote server (yule)
\n##
\n# ExportSeverity=none<\/p>\n

## External script or program
\n##
\n# ExternalSeverity = none<\/p>\n

## Logging to a database
\n##
\n# DatabaseSeverity = none<\/p>\n

# Default behaviour
\nMailSeverity=crit
\nPrintSeverity=none
\nLogSeverity=info
\nSyslogSeverity=alert
\nExportSeverity=none<\/p>\n

#####################################################
\n#
\n# Optional modules
\n#
\n#####################################################<\/p>\n

# [SuidCheck]
\n##
\n## — Check the filesystem for SUID\/SGID binaries
\n##<\/p>\n

## Switch on
\n#
\n# SuidCheckActive = yes<\/p>\n

## Interval for check (seconds)
\n#
\n# SuidCheckInterval = 7200<\/p>\n

## Alternative: crontab-like schedule
\n#
\n# SuidCheckSchedule = NULL<\/p>\n

## Directory to exclude
\n#
\n# SuidCheckExclude = NULL<\/p>\n

## Limit on files per second (0 == no limit)
\n#
\n# SuidCheckFps = 0<\/p>\n

## Alternative: yield after every file
\n#
\n# SuidCheckYield = no<\/p>\n

## Severity of a detection
\n#
\n# SeveritySuidCheck = crit<\/p>\n

## Quarantine SUID\/SGID files if found
\n#
\n# SuidCheckQuarantineFiles = yes<\/p>\n

## Method for Quarantining files:
\n# 0 – Delete or truncate the file.
\n# 1 – Remove SUID\/SGID permissions from file.
\n# 2 – Move SUID\/SGID file to quarantine dir.
\n#
\n# SuidCheckQuarantineMethod = 0<\/p>\n

## For method 1 and 3, really delete instead of truncating
\n#
\n# SuidCheckQuarantineDelete = yes<\/p>\n

# [Kernel]
\n##
\n## — Check for loadable kernel module rootkits (Linux\/FreeBSD only)
\n##<\/p>\n

## Switch on\/off
\n#
\n# KernelCheckActive = True<\/p>\n

## Check interval (seconds); btw., the check is VERY fast
\n#
\n# KernelCheckInterval = 300<\/p>\n

## Severity
\n#
\n# SeverityKernel = crit<\/p>\n

# [Utmp]
\n##
\n## — Logging of login\/logout events
\n##<\/p>\n

## Switch on\/off
\n#
\n# LoginCheckActive = True<\/p>\n

## Severity for logins, multiple logins, logouts
\n#
\n# SeverityLogin=info
\n# SeverityLoginMulti=warn
\n# SeverityLogout=info<\/p>\n

## Interval for login\/logout checks
\n#
\n# LoginCheckInterval = 300<\/p>\n

# [Database]
\n##
\n## — Logging to a relational database
\n##<\/p>\n

## Database name
\n#
\n# SetDBName = samhain<\/p>\n

## Database table
\n#
\n# SetDBTable = log<\/p>\n

## Database user
\n#
\n# SetDBUser = samhain<\/p>\n

## Database password
\n#
\n# SetDBPassword = (default: none)<\/p>\n

## Database host
\n#
\n# SetDBHost = localhost<\/p>\n

## Log the server timestamp for received messages
\n#
\n# SetDBServerTstamp = True<\/p>\n

## Use a persistent connection
\n#
\n# UsePersistent = True<\/p>\n

# [External]
\n##
\n## Interface to call external scripts\/programs for logging
\n##<\/p>\n

## The absolute path to the command
\n## – Each invocation of this directive will end the definition of the
\n## preceding command, and start the definition of
\n## an additional, new command
\n#
\n# OpenCommand = (no default)<\/p>\n

## Type (log or rv)
\n## – log for log messages, srv for messages received by the server
\n#
\n# SetType = log<\/p>\n

## The command (full command line) to execute
\n#
\n# SetCommandLine = (no default)<\/p>\n

## The environment (KEY=value; repeat for more)
\n#
\n# SetEnviron = TZ=(your timezone)<\/p>\n

## The TIGER192 checksum (optional)
\n#
\n# SetChecksum = (no default)<\/p>\n

## User who runs the command
\n#
\n# SetCredentials = (default: samhain process uid)<\/p>\n

## Words not allowed in message
\n#
\n# SetFilterNot = (none)<\/p>\n

## Words required (ALL of them)
\n#
\n# SetFilterAnd = (none)<\/p>\n

## Words required (at least one)
\n#
\n# SetFilterOr = (none)<\/p>\n

## Deadtime between consecutive calls
\n#
\n# SetDeadtime = 0<\/p>\n

## Add default environment (HOME, PATH, SHELL)
\n#
\n# SetDefault = no<\/p>\n

#####################################################
\n#
\n# Miscellaneous configuration options
\n#
\n#####################################################<\/p>\n

[Misc]<\/p>\n

## whether to become a daemon process
\n## (this is not honoured on database initialisation)
\n#
\n# Daemon = no
\nDaemon = yes<\/p>\n

## whether to test signature of files (init\/check\/none)
\n## – if ‘none’, then we have to decide this on the command line –
\n#
\n# ChecksumTest = none
\nChecksumTest=check<\/p>\n

## whether to drop linux capabilities that are not required
\n## – will make a root process a ‘mere mortal’ in many respects
\n#
\n# UseCaps = yes<\/p>\n

## Set nice level (-19 to 19, see ‘man nice’),
\n## and I\/O limit (kilobytes per second; 0 == off)
\n## to reduce load on host.
\n#
\n# SetNiceLevel = 0
\n# SetIOLimit = 0<\/p>\n

## The version string to embed in file signature databases
\n#
\n# VersionString = NULL<\/p>\n

## Interval between time stamp messages
\n#
\n# SetLoopTime = 60
\nSetLoopTime = 600<\/p>\n

## Interval between file checks
\n#
\n# SetFileCheckTime = 600
\nSetFileCheckTime = 7200<\/p>\n

## Alternative: crontab-like schedule
\n#
\n# FileCheckScheduleOne = NULL<\/p>\n

## Alternative: crontab-like schedule(2)
\n#
\n# FileCheckScheduleTwo = NULL<\/p>\n

## Report only once on modified fles
\n## Setting this to ‘FALSE’ will generate a report for any policy
\n## violation (old and new ones) each time the daemon checks the file system.
\n#
\n# ReportOnlyOnce = True<\/p>\n

## Report in full detail
\n#
\n# ReportFullDetail = False<\/p>\n

## Report file timestamps in local time rather than GMT
\n#
\n# UseLocalTime = No<\/p>\n

## The console device (can also be a file or named pipe)
\n## – There are two console devices. Accordingly, you can use
\n## this directive a second time to set the second console device.
\n## If you have not defined the second device at compile time,
\n## and you don’t want to use it, then:
\n## setting it to \/dev\/null is less effective than just leaving
\n## it alone (setting to \/dev\/null will waste time by opening
\n## \/dev\/null and writing to it)
\n#
\n# SetConsole = \/dev\/console<\/p>\n

## Activate the SysV IPC message queue
\n#
\n# MessageQueueActive = False<\/p>\n

## If false, skip reverse lookup when connecting to a host known
\n## by name rather than IP address (i.e. trust the DNS)
\n#
\n# SetReverseLookup = True<\/p>\n

## — E-Mail —<\/p>\n

# Only highest-level (alert) reports will be mailed immediately,
\n# others will be queued. Here you can define, when the queue will
\n# be flushed (Note: the queue is automatically flushed after
\n# completing a file check).
\n#
\nSetMailTime = 86400<\/p>\n

## Maximum number of mails to queue
\n#
\nSetMailNum = 10<\/p>\n

## Recipient (max. 8)
\n#
\nSetMailAddress=root@localhost<\/p>\n

## Mail relay (IP address)
\n#
\nSetMailRelay = localhost<\/p>\n

## Custom subject format
\n#
\nMailSubject = [Samhain at %H] %T: %S<\/p>\n

## — end E-Mail —<\/p>\n

## Path to the prelink executable
\n#
\n# SetPrelinkPath = \/usr\/sbin\/prelink<\/p>\n

## TIGER192 checksum of the prelink executable
\n#
\n# SetPrelinkChecksum = (no default)<\/p>\n

## Path to the executable. If set, will be checksummed after startup
\n## and before exit.
\n#
\n# SamhainPath = (no default)<\/p>\n

## The IP address of the log server
\n#
\n# SetLogServer = (default: compiled-in)<\/p>\n

## The IP address of the time server
\n#
\n# SetTimeServer = (default: compiled-in)<\/p>\n

## Trusted Users (comma delimited list of user names)
\n#
\n# TrustedUser = (no default; this adds to the compiled-in list)<\/p>\n

## Path to the file signature database
\n#
\n# SetDatabasePath = (default: compiled-in)<\/p>\n

## Path to the log file
\n#
\n# SetLogfilePath = (default: compiled-in)<\/p>\n

## Path to the PID file
\n#
\n# SetLockPath = (default: compiled-in)<\/p>\n

## The digest\/checksum\/hash algorithm
\n#
\n# DigestAlgo = TIGER192<\/p>\n

## Custom format for message header.
\n## CAREFUL if you use XML logfile format.
\n##
\n## %S severity
\n## %T timestamp
\n## %C class
\n##
\n## %F source file
\n## %L source line
\n#
\n# MessageHeader=”%S %T ”<\/p>\n

## Don’t log path to config\/database file on startup
\n#
\n# HideSetup = False<\/p>\n

## The syslog facility, if you log to syslog
\n#
\n# SyslogFacility = LOG_AUTHPRIV
\nSyslogFacility=LOG_LOCAL2<\/p>\n

## The message authentication method
\n## – If you change this, you *must* change it
\n## on client *and* server
\n#
\n# MACType = HMAC-TIGER<\/p>\n

## everything below is ignored
\n[EOF]<\/p>\n

#####################################################################
\n# This would be the proper syntax for parts that should only be
\n# included for certain hosts.
\n# You may enclose anything in a @HOSTNAME\/@end bracket, as long as the
\n# result still has the proper syntax for the config file.
\n# You may have any number of @HOSTNAME\/@end brackets.
\n# HOSTNAME should be the fully qualified ‘official’ name
\n# (e.g. ‘nixon.watergate.com’, not ‘nixon’), no aliases.
\n# No IP number – except if samhain cannot determine the
\n# fully qualified hostname.
\n#
\n# @HOSTNAME
\n# file=\/foo\/bar
\n# @end
\n#
\n# These are two examples for conditional inclusion\/exclusion
\n# of a machine based on the output from ‘uname -srm’
\n# $Linux:2.*.7:i666
\n# file=\/foo\/bar3
\n# $end
\n#
\n# !$Linux:2.*.7:i686
\n# file=\/foo\/bar2
\n# $end
\n#
\n#####################################################################<\/p>\n","protected":false},"excerpt":{"rendered":"

Questo e il file di configurazione di samhain nella nuova versione e fa riferimento a questo vecchio articolo ##################################################################### # # Configuration file template for samhain. # ##################################################################### # # — empty lines and lines starting with ‘#’, ‘;’ or ‘\/\/’ are ignored # — boolean options can be Yes\/No or True\/False or 1\/0 # […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[110,8,14,7,6],"tags":[112,137],"class_list":["post-1496","post","type-post","status-publish","format-standard","hentry","category-ids","category-linux","category-networking","category-sistemi-operativi","category-work","tag-ids","tag-samahin"],"_links":{"self":[{"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=\/wp\/v2\/posts\/1496","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1496"}],"version-history":[{"count":4,"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=\/wp\/v2\/posts\/1496\/revisions"}],"predecessor-version":[{"id":1499,"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=\/wp\/v2\/posts\/1496\/revisions\/1499"}],"wp:attachment":[{"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1496"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1496"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1496"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}