samhainrc.aix5.2.0
#####################################################################
#
# AIX 5.2.0 configuration file for Samhain.
#
####################################################################
#
# Date : 23.10.2003
# Author : Christoph Kiefer ([email protected])
# Comment : Samhain client configuration file. Should work
# for AIX 5.1.0 as well. The Samhain version is 1.7.12.
# This configuration fits MY needs; YOU will
# probably have to modify it.
#
# Changes : Date Name Remarks
# 23.10.2003 Christoph Kiefer Initial Version
#
#####################################################################
#
# -- empty lines and lines starting with '#', ';' or '//' are ignored
# -- boolean options can be Yes/No or True/False or 1/0
# -- you can PGP clearsign this file -- samhain will check (if compiled
# with support) or otherwise ignore the signature
# -- CHECK mail address
#
# To each log facility, you can assign a threshold severity. Only
# reports with at least the threshold severity will be logged
# to the respective facility (even further below).
#
#####################################################################
# SETUP for file system checking:
# (i) There are several policies, each has its own section. Put files
# into the section for the appropriate policy (see below).
# (ii) Section [EventSeverity]:
# To each policy, you can assign a severity (further below).
# (iii) Section [Log]:
# To each log facility, you can assign a threshold severity. Only
# reports with at least the threshold severity will be logged
# to the respective facility (even further below).
#####################################################################
#####################################################################
#
# Files are defined with: file = /absolute/path
#
# Directories are defined with: dir = /absolute/path
# or with an optional recursion depth (N <= 99): dir = N/absolute/path
#
# Directory inodes are checked. If you only want to check files
# in a directory, but not the directory inode itself, use (e.g.):
#
# [ReadOnly]
# dir = /some/directory
# [IgnoreAll]
# file = /some/directory
#
# You can use shell-style globbing patterns, like: file = /path/foo*
#
######################################################################
[Misc]
# Global daemon settings. The interval values below are presumably in
# seconds (samhain convention) - confirm against the manual for 1.7.12.
# Empty log-message header. The surrounding quotes are presumably stripped
# by samhain's parser (the manual writes this value quoted) - confirm.
MessageHeader=""
# Adjusts the LogFiles policy: "-INO" presumably drops the inode check, so
# that rotated logs listed under [LogFiles] do not alert - confirm.
RedefLogFiles=-INO
# Interval between file-system checks.
SetFilecheckTime=3600
# Interval of the daemon's main loop (presumably; see manual).
SetLoopTime=3600
# Default recursion depth for dir= entries given without an explicit N
# (the header states N <= 99).
SetRecursionLevel=99
# NOTE(review): SHA1 is the weakest of samhain's digest choices; TIGER192
# (the default) is preferable. Switching presumably requires re-initialising
# the baseline database, since stored checksums would no longer compare -
# verify before changing.
DigestAlgo=SHA1
# Run in check mode, i.e. compare the file system against the existing
# baseline rather than (re)initialising it.
ChecksumTest=check
# NOTE(review): expects a time service on localhost (presumably the RFC 868
# "time" protocol); confirm one is actually running there, otherwise the
# daemon falls back to whatever its own clock handling is.
SetTimeServer=localhost
ReportFullDetail=no
Daemon=yes
# Do not reveal the config file / baseline database paths in log messages.
HideSetup=yes
# Report a changed file once, not again on every subsequent check.
ReportOnlyOnce=yes
UseLocalTime=yes
## The Prelude-IDS profile to use for reporting
## default value is "samhain"
#
# PreludeProfile = samhain
## Map these samhain severities to impact severity 'info' severity
#
# PreludeMapToInfo =
## Map these samhain severities to impact severity 'low' severity
#
# PreludeMapToLow = debug info
## Map these samhain severities to impact severity 'medium' severity
#
# PreludeMapToMedium = notice warn err
## Map these samhain severities to impact severity 'high' severity
#
# PreludeMapToHigh = crit alert
[IgnoreAll]
# Policy: entries listed here are not checked at all.
# NOTE(review): every dir= entry uses a recursion depth of -1, which the
# header does not explain (it only states N <= 99). Confirm in the samhain
# manual whether -1 means "directory inode only" or "entire subtree": this
# decides whether e.g. /usr/share/man is really excluded from the recursive
# [ReadOnly] check of /usr/share further below.
# ODM object repositories - presumably excluded because they change often.
dir=-1/etc/objrepos
dir=-1/etc/vg
dir=-1/dev/.SRC-unix
dir=-1/dev/pts
# NOTE(review): /opt commonly holds installed third-party software; excluding
# it entirely leaves any modification there unmonitored - confirm intended.
dir=-1/opt
# Scratch space, world-writable and constantly changing.
dir=-1/tmp
dir=-1/usr/share/lib/objrepos
dir=-1/usr/share/man
# NOTE(review): on AIX this directory presumably also holds cron.allow /
# cron.deny; changes to those lists would go unnoticed - confirm intended.
dir=-1/var/adm/cron
dir=-1/var/tmp
# Presumably the syslog socket; /dev itself is covered under [Attributes].
file=/dev/log*
[Attributes]
# Policy: presumably only ownership and permission changes are reported
# (samhain "Attributes" policy) - confirm for this version. Suitable for
# files whose content or timestamps change legitimately.
file=/etc/lpp/diagnostics/data/*
# AIX audit bin file (presumably grows as audit records are written).
file=/audit/auditb
# NOTE(review): redundant with dir=/dev below - the header states that a
# dir= entry checks the directory inode as well.
file=/dev
# file=/etc/bootpd.dump
file=/etc/bootptab
file=/etc/inittab
file=/etc/xtab
# Walked recursively (SetRecursionLevel=99); device nodes are attribute-only
# since their other metadata changes with use.
dir=/dev
dir=/usr/dt
dir=/usr/lib/instl
dir=/usr/lib/lpd
dir=/usr/lib/mh
dir=/usr/lib/sa
dir=/usr/lpp
[LogFiles]
# Policy for logs that grow and are rotated. With RedefLogFiles=-INO in
# [Misc] the inode check is presumably dropped too, so only ownership and
# permissions remain under watch here - confirm against the manual.
# NOTE(review): the login-accounting files (failedlogin, lastlog, utmp,
# wtmp) are consequently not checked for content tampering by this policy.
file=/etc/rmtab
file=/etc/security/failedlogin
file=/etc/security/lastlog
file=/etc/security/portlog
file=/etc/utmp
# file=/smit.log
file=/var/adm/*log*
file=/var/adm/ras/*log*
file=/var/adm/wtmp
file=/var/log/*log*
[IgnoreNone]
# Policy: every attribute is checked, presumably including access time, so
# even a read of the trusted-shell profile is reported (SeverityIgnoreNone
# is crit, see [EventSeverity]).
file=/etc/tsh_profile
[ReadOnly]
# Policy for files that are expected never to change (samhain ReadOnly:
# presumably everything except access time - confirm). Covers the
# authentication data (passwd, group, /etc/security/*), service
# configuration and the system binary trees.
dir=/etc/security/ldap
file=/etc/*.cnf
file=/etc/*conf*
file=/etc/aliases
file=/etc/dumpdates
file=/etc/environment
file=/etc/exports
file=/etc/filesystems
file=/etc/ftpusers
file=/etc/group
file=/etc/hosts*
file=/etc/motd
file=/etc/passwd
file=/etc/profile
file=/etc/protocols
file=/etc/publickey
file=/etc/rc.*
file=/etc/rpc
file=/etc/security/acl
file=/etc/security/environ
file=/etc/security/group
file=/etc/security/limits
file=/etc/security/login.cfg
file=/etc/security/passwd
file=/etc/security/roles
file=/etc/security/smitacl.*
file=/etc/security/user*
file=/etc/sendmail.cf
file=/etc/services
# Only present if sudo is installed; a missing file is presumably reported
# at SeverityFiles (err) on every check - confirm.
file=/etc/sudoers
file=/etc/swapspaces
file=/etc/vfs
# file=/smit.script
dir=/etc/mail
dir=/etc/rc.d
dir=/etc/security/audit
dir=/home/root
dir=/sbin
dir=/usr/X11R6
dir=/usr/bin
dir=/usr/ccs
dir=/usr/etc
dir=/usr/include
dir=/usr/lib/boot
dir=/usr/lib/methods
dir=/usr/lib/microcode
dir=/usr/lib/security
dir=/usr/lib/smit
dir=/usr/local/bin
dir=/usr/sbin
# Sub-trees /usr/share/man and /usr/share/lib/objrepos are listed under
# [IgnoreAll]; see the note there about the -1 depth.
dir=/usr/share
dir=/usr/ucb
[EventSeverity]
# Severity assigned to a change detected under each policy (see header,
# item (ii)). The [Log] thresholds below decide where each severity goes.
SeverityAttributes=crit
# Presumably the severity for directory / file access problems (not found,
# unreadable) rather than for content changes - confirm.
SeverityDirs=err
SeverityFiles=err
# No corresponding policy section is defined in this file.
SeverityGrowingLogs=warn
SeverityIgnoreNone=crit
SeverityLogFiles=crit
SeverityReadOnly=crit
SeverityIgnoreAll=info
SeverityNames=info
[Log]
# Per-facility thresholds: only reports at or above the threshold reach the
# facility (see header). Log file, mail and console are all switched off
# (none), so detection relies solely on syslog and on export to the central
# samhain server.
# NOTE(review): the export target is not configured on this page (presumably
# compile-time or a SetLogServer entry elsewhere) - confirm it exists. If
# export fails, local syslog is the only record, and that can be altered on
# a compromised host.
# Message classes forwarded to the server (presumably).
ExportClass=RUN FIL PANIC ERR ENET EINPUT
LogSeverity=none
MailSeverity=none
PrintSeverity=none
ExportSeverity=warn
SyslogSeverity=warn
## Logging to a Prelude-IDS
##
# PreludeSeverity = crit
[SuidCheck]
# Periodic scan of the file system for SUID/SGID files.
SuidCheckExclude=/proc
SuidCheckActive=1
# Interval between scans, presumably in seconds.
SuidCheckInterval=1800
# Throttle: presumably the maximum number of files examined per second.
SuidCheckFps=250
#SuidCheckYield=no
# A newly found SUID/SGID file is reported at "alert".
SeveritySuidCheck=alert
# Quarantining of newly found SUID/SGID files is left commented out.
# NOTE(review): if it is ever enabled, a false positive could render a
# legitimate binary unusable; keep it off unless the exclusions are tested.
#SuidCheckQuarantineFiles=yes
#SuidCheckQuarantineMethod=0
# SuidCheckQuarantineDelete = yes
[Utmp]
# Login / logout monitoring based on the utmp records.
LoginCheckActive=1
# Polling interval, presumably in seconds.
LoginCheckInterval=30
SeverityLogin=info
SeverityLogout=info
# Presumably raised when the same user is logged in more than once.
SeverityLoginMulti=warn
# End of configuration; anything after this line (e.g. a PGP clearsign
# signature, see header) is presumably not parsed - confirm.
[EOF]