# default config file for samhain
# signature checking with the setup below takes 110 seconds on a 500MHz Celeron
#
# -- empty lines and lines starting with '#' are ignored 
# -- you can PGP clearsign this file -- samhain will check (if compiled
#    with support) or otherwise ignore the signature
# -- CHECK mail address, log server IP address (if remote logging)
# 
# (i)   There are several policies, each has its own section. Put files
#       into the section for the appropriate policy (see below).
# (ii)  To each policy, you can assign a severity (further below).
# (iii) To each log facility, you can assign a threshold severity. Only
#       reports with at least the threshold severity will be logged
#       to the respective facility (even further below).

[Attributes]
#
# for these files, only changes in permissions and ownership are checked
#
file=/etc/mtab
file=/etc/ssh_random_seed
file=/etc/asound.conf
file=/etc/resolv.conf
file=/etc/localtime
file=/etc/ioctl.save
file=/etc

[LogFiles]
#
# for these files, changes in signature, timestamps, and size are ignored 
#
file=/var/run/utmp
file=/etc/motd

#
# This would be the proper syntax for parts that should only be
#    included for certain hosts.
# You may enclose anything in a @HOSTNAME/@end bracket, as long as the
#    result still has the proper syntax for the config file.
# You may have any number of @HOSTNAME/@end brackets.
# HOSTNAME should be the fully qualified 'official' name 
#    (e.g. 'nixon.watergate.com', not 'nixon'). No aliases. No IP number.
#
@HOSTNAME
file=/foo/bar
@end

[GrowingLogFiles]
#
# for these files, changes in signature, timestamps, and increase in size
#                  are ignored 
#
file=/var/log/warn
file=/var/log/messages
file=/var/log/wtmp
file=/var/log/faillog

[IgnoreAll]
#
# for these files, no modifications are reported
#
file=/etc/resolv.conf.pcmcia.save


[IgnoreNone]
#
# for these files, all modifications (even access time) are reported
#    - you may create some interesting-looking file (like /etc/safe_passwd),
#      just to watch whether someone will access it ...
#

[ReadOnly]
#
# for these files, only access time is ignored
# (a number in front of the path, as in dir=3/etc, limits the recursion depth)
#
dir=/usr/bin
dir=/bin
dir=/sbin
dir=/usr/sbin
dir=/lib
dir=3/etc
dir=/boot

[EventSeverity]
#
# Here you can assign severities to policy violations.
# If this severity exceeds the threshold of a log facility (see below),
# a policy violation will be logged to that facility.
#
# severity for verification failures
#
SeverityReadOnly=crit
SeverityLogFiles=crit
SeverityGrowingLogs=crit
SeverityIgnoreNone=crit
SeverityAttributes=crit
#
#
SeverityIgnoreAll=info
#
# Files : file access problems
# Dirs  : directory access problems
# Names : suspect (non-printable) characters in a pathname
#
SeverityFiles=crit
SeverityDirs=crit
SeverityNames=warn

[Log]
# set threshold severity for log facilities
# values: debug, info, notice, warn, mark, err, crit, alert, none.
# 'mark' is used for timestamps.
#
# By default, everything equal to and above the threshold is logged.
# The specifiers '*', '!', and '=' are interpreted as
# 'all', 'all but', and 'only', respectively (like syslogd(8) does,
# at least on Linux).
#
# Note: with the four local facilities below set to 'none', reports are
# only delivered via ExportSeverity, which needs SetLogServer in [Misc]
# to be set; otherwise nothing is recorded anywhere.
#
# MailSeverity=*
# MailSeverity=!warn
# MailSeverity==crit
#
MailSeverity=none
PrintSeverity=none
LogSeverity=none
SyslogSeverity=none
ExportSeverity=warn


[Utmp]
# 0 to switch off, 1 to activate
#
LoginCheckActive=0

# Severity for logins, multiple logins, logouts
#
SeverityLogin=info
SeverityLoginMulti=warn
SeverityLogout=info

# interval for login/logout checks
#
LoginCheckInterval=60

[Misc]
# whether to become a daemon process
Daemon=yes

# the maximum time between client messages (seconds)
# (this is a log server-only option; the default is 86400 sec = 1 day)
#
# SetClientTimeLimit=1800

# time till next file check (seconds)
SetFilecheckTime=600

# Only highest-level (alert) reports will be mailed immediately,
# others will be queued. Here you can define when the queue will
# be flushed (Note: the queue is automatically flushed after
# completing a file check).
#
# maximum time till next mail (seconds)
SetMailTime=86400

# maximum number of pending mails
SetMailNum=10

# where to send mail to
SetMailAddress=root@localhost

# mail relay host
# SetMailRelay=relay.yourdomain.de

# The binary. Setting the path will allow
# samhain to check for modifications between
# startup and exit.
#
# SamhainPath=/usr/local/bin/samhain

# where to get time from
# SetTimeServer=localhost

# where to export logs to
# SetLogServer=localhost

# timer for time stamps
SetLoopTime=60

# trusted users (root and the effective user are always trusted)
# TrustedUser=bin

# whether to test signature of files
# - if 'none', then we have to decide this on the command line -
#
ChecksumTest=check


# everything below is ignored
[EOF]
