######### example of /etc/samhainrc file for an openSUSE system ########

[Misc]
# Inscrire ici les Redef* si besoin

# RedefUser0=(no default)
# RedefUser1=(no default)

# --------- / --------------
[ReadOnly]
dir = 0/

[Attributes]
file = /tmp
file = /dev
file = /media
file = /proc
file = /root
file = /sys

# --------- /etc -----------
[ReadOnly]
## for these files, only access time is ignored
dir = 99/etc

[Attributes]
## check permission and ownership
file = /etc/mtab
file = /etc/adjtime
file = /etc/motd
file = /etc/lvm/.cache

# On Ubuntu, these are in /var/lib rather than /etc
file = /etc/cups/certs
file = /etc/cups/certs/0

# managed by fstab-sync on Fedora Core
file = /etc/fstab

# There are files in /etc that might change, thus changing the directory
# timestamps. Put it here as 'file', and in the ReadOnly section as 'dir'.

file = /etc

# --------- /boot -----------
[ReadOnly]
dir = 99/boot

# --------- /bin, /sbin -----------
[ReadOnly]
dir = 99/bin
dir = 99/sbin

# --------- /lib -----------
[ReadOnly]
dir = 99/lib

# --------- /dev -----------
[Attributes]
dir = 99/dev

[IgnoreAll]
## pseudo terminals are created/removed as needed
dir = -1/dev/pts

# dir = -1/dev/.udevdb

file = /dev/ppp

# --------- /usr -----------
[ReadOnly]
dir = 99/usr

# --------- /var -----------
[ReadOnly]
dir = 99/var

[IgnoreAll]
dir = -1/var/adm/backup
dir = -1/var/cache
dir = -1/var/games
dir = -1/var/lock
dir = -1/var/mail
dir = -1/var/run
dir = -1/var/spool
dir = -1/var/tmp
# quand ntp est actif il a un dossier similaire a /proc
# qui change en permenance
dir = -1/var/lib/ntp/proc
file = /var/adm/mount

[Attributes]

dir = /var/lib/nfs
# pour les pcs portables ?
# dir = /var/lib/pcmcia

# /var/lib/rpm changes if packets are installed;
file = /var/lib/rpm/*

# file = /var/lib/acpi-support/vbestate
file = /var/lib/alsa/asound.state
# Je n'utilise pas CUPS
# file = /var/lib/cups/certs
# file = /var/lib/cups/certs/0
file = /var/lib/logrotate.status
file = /var/lib/mysql
file = /var/lib/mysql/ib_logfile0
file = /var/lib/mysql/ibdata1
file = /var/lib/PackageKit
file = /var/lib/PackageKit/*.db
file = /var/lib/locatedb
file = /var/lib/smartmontools
file = /var/lib/smartmontools/attrlog.*.csv
file = /var/lib/smartmontools/smartd.*.state*
file = /var/lib/xkb
file = /var/lib/zypp/*
file = /var/lib
# bases de signature de ClamAV
file = /var/lib/clamav/mirrors.dat
file = /var/lib/clamav/daily.cld
file = /var/lib/clamav
# fichier pour ntp qui change regulirement aussi
file = /var/lib/ntp/drift/ntp.drift
file = /var/lib/ntp/drift


[GrowingLogFiles]
## For these files, changes in signature, timestamps, and increase in size
## are ignored. Logfile rotation will cause a report because of shrinking
## size and different inode. 
dir = 99/var/log

[Attributes]
# rotated logs will change inode
file = /var/log/*.old
file = /var/log/YaST2/y2log-[0-9].gz

[Misc]
# Various naming schemes for rotated logs
# Sous openSUSE les anciens logs sont compresses avec bzip2
IgnoreAdded = /var/log/.*\.[0-9]+$
IgnoreAdded = /var/log/[a-z\.]+-[0-9]+\.bz2$
IgnoreAdded = /var/log/.*\.[0-9]+\.log$
#
# Subdirectories
IgnoreAdded = /var/log/[[:alnum:]]+/.*\.[0-9]+$
IgnoreAdded = /var/log/[[:alnum:]]+/.*\.[0-9]+\.gz$
IgnoreAdded = /var/log/[[:alnum:]]+/.*\.[0-9]+\.log$

# --------- other policies -----------

[IgnoreNone]
## for these files, all modifications (even access time) are reported

[Prelink]
## Use for prelinked files or directories holding them

[User0]
[User1]
## User0 and User1 are sections for files/dirs with user-definable checking

[EventSeverity]
# SeverityReadOnly=crit
# SeverityLogFiles=crit
# SeverityGrowingLogs=crit
# SeverityIgnoreNone=crit
# SeverityAttributes=crit
# SeverityUser0=crit
# SeverityUser1=crit
# SeverityIgnoreAll=crit

## Files : file access problems
# SeverityFiles=crit

## Dirs  : directory access problems
# SeverityDirs=crit

## Names : suspect (non-printable) characters in a pathname
# SeverityNames=crit

[Log]
## Values: debug, info, notice, warn, mark, err, crit, alert, none.
## 'mark' is used for timestamps.
##
## Use 'none' to SWITCH OFF a log facility
## 
## By default, everything equal to and above the threshold is logged.
## The specifiers '*', '!', and '=' are interpreted as  
## 'all', 'all but', and 'only', respectively (like syslogd(8) does, 
## at least on Linux). Examples:
## MailSeverity=*
## MailSeverity=!warn
## MailSeverity==crit

## E-mail
# MailSeverity=none

## Console
# On desactive car sinon impossible d'utiliser correctement le mode terminal
PrintSeverity=none

## Logfile
# LogSeverity=mark

## Syslog
# SyslogSeverity=none

## Remote server (yule)
# ExportSeverity=none

## External script or program
# ExternalSeverity = none

## Logging to a database
# DatabaseSeverity = none

## Logging to a Prelude-IDS
# PreludeSeverity = crit

#####################################################
# Optional modules
#####################################################

[SuidCheck]
SuidCheckActive = yes

## Interval for check (seconds)
# SuidCheckInterval = 7200

## Alternative: crontab-like schedule
# SuidCheckSchedule = NULL
 
## Directory to exclude 
# SuidCheckExclude = NULL

## Limit on files per second (0 == no limit)
# SuidCheckFps = 100

## Alternative: yield after every file
# SuidCheckYield = no

## Severity of a detection
# SeveritySuidCheck = crit

## Quarantine SUID/SGID files if found
# SuidCheckQuarantineFiles = yes

## Method for Quarantining files:
#  0 - Delete or truncate the file.
#  1 - Remove SUID/SGID permissions from file.
#  2 - Move SUID/SGID file to quarantine dir.
# SuidCheckQuarantineMethod = 0

## For method 1 and 3, really delete instead of truncating
# SuidCheckQuarantineDelete = yes

#[Kernel]
# KernelCheckActive = True
# KernelCheckInterval = 300
# SeverityKernel = crit

[PortCheck]
PortCheckActive = yes
# ports NTP
PortCheckRequired=192.168.1.3:123/udp
PortCheckRequired=127.0.0.1:123/udp
# Kippo configure sur le port 2222 TCP
# Tor Controller ecoute sur le port 9050
PortCheckSkip=192.168.1.3:2222/tcp,9050/tcp
# Je recommande la desactivation du demon avahi qui
# ouvre des ports aleatoires non configurables

[Utmp]
LoginCheckActive = True

## Severity for logins, multiple logins, logouts
# SeverityLogin=info
# SeverityLoginMulti=warn
# SeverityLogout=info

## Interval for login/logout checks
# LoginCheckInterval = 300

[ProcessCheck]
ProcessCheckActive = yes

#####################################################
# Miscellaneous configuration options
#####################################################

[Misc]
Daemon = yes

FileNamesAreUTF8=yes
## whether to test signature of files (init/check/none)
## - if 'none', then we have to decide this on the command line -
ChecksumTest=check

## Set nice level (-19 to 19, see 'man nice'),
## and I/O limit (kilobytes per second; 0 == off)
SetNiceLevel = 10
SetIOLimit = 10000

## The version string to embed in file signature databases
# VersionString = NULL

## Interval between time stamp messages
SetLoopTime = 600

## Interval between file checks 
SetFileCheckTime = 7200

## Alternative: crontab-like schedule
# FileCheckScheduleOne = NULL

## Alternative: crontab-like schedule(2)
# FileCheckScheduleTwo = NULL

## Report only once on modified files 
## Setting this to 'FALSE' will generate a report for any policy 
## violation (old and new ones) each time the daemon checks the file system.
# ReportOnlyOnce = True

## Report in full detail
# ReportFullDetail = False

## Report file timestamps in local time rather than GMT
# UseLocalTime = No

## The console device (can also be a file or named pipe)
# SetConsole = /dev/console

## Activate the SysV IPC message queue
# MessageQueueActive = False

## If false, skip reverse lookup when connecting to a host known 
## by name rather than IP address (i.e. trust the DNS)
# SetReverseLookup = True

## Path to the prelink executable
# SetPrelinkPath = /usr/sbin/prelink

## TIGER192 checksum of the prelink executable
# SetPrelinkChecksum = (no default)


## Path to the executable. If set, will be checksummed after startup
## and before exit.
# SamhainPath = (no default)

## The IP address of the log server
# SetLogServer = (default: compiled-in)

## The IP address of the time server
# SetTimeServer = (default: compiled-in)

## Trusted Users (comma delimited list of user names) 
# TrustedUser = (no default; this adds to the compiled-in list)

## Path to the file signature database
# SetDatabasePath = (default: compiled-in)

## Path to the log file
# SetLogfilePath = (default: compiled-in)

## Path to the PID file
# SetLockPath = (default: compiled-in)

## The digest/checksum/hash algorithm
# DigestAlgo = TIGER192


## Custom format for message header. 
## CAREFUL if you use XML logfile format.
##
## %S severity
## %T timestamp
## %C class
##
## %F source file
## %L source line
#
# MessageHeader="%S %T "

## Don't log path to config/database file on startup
# HideSetup = False

## The syslog facility, if you log to syslog
# SyslogFacility = LOG_AUTHPRIV
SyslogFacility=LOG_LOCAL2

## The message authentication method
# MACType = HMAC-TIGER

## everything below is ignored
[EOF]