#
# nabou config for a linux system
#
# short installation instructions:
# 1. copy this file to /etc/nabourc
# 2. review/edit the file if necessary
# 3. create the db-directory:
#      root@host # mkdir -p /var/nabou/db
#      root@host # chmod 700 /var/nabou/db
# 4. initialize the database (may take a LONG time!)
#      root@host # script /var/nabou/init.log
#      root@host # nabou --config /etc/nabourc --init
#      root@host # exit
# 5. review the log created by script(1)
#      root@host # less /var/nabou/init.log
# 6. install the following cronjob in /etc/crontab
#      30 01 * * * root /usr/local/sbin/nabou > /var/nabou/syslog.log 2>&1
# 7. Reload crond
#      root@host # /etc/init.d/crond restart
# 8. Read your mails every day from now on
#      
# Read the manual page nabou(1) or visit the nabou homepage
# at http://www.nabou.org/ for more details.
#
#
# NABOU INTRUSION DETECTION SYSTEM
#
# Copyright (c) 2000-2001 by Thomas Linden <tom@daemon.de>
#
# NABOU may be used and distributed under the terms of the
# GNU General Public License. All other brand and product
# names are trademarks, registered trademarks or service
# marks of their respective holders.
#


#
# turn on/off the features we want to use
#
# NOTE(review): everything below is a 1/0 switch except use_algo
useshadow	1       # check the shadow file too
usemail		1	# send the report via email
use_algo	MD5     # presumably the digest behind chk_md5; MD5 is collision-weak, prefer a stronger digest if this nabou version offers one (see nabou(1))
use_ls          1       # print also a ls -l alike line for matching files
use_temp_sum    0       # do not use a temporary dbm file for check results

#
# file locations
#
# account database files read by the account monitors (check_user/check_root,
# and shadow only when useshadow is 1); shells presumably lists the valid
# login shells -- confirm in nabou(1)
passwd	/etc/passwd
shadow	/etc/shadow
shells	/etc/shells


#
# turn on/off monitors
#
# each monitor is a 1/0 switch; check_ports additionally accepts "all"
check_cron	1	# monitor cronjob changes
check_suid	1	# monitor setuid programs
check_files	1	# monitor files on a per directory basis (the <check>/<directory> blocks below)
check_root	1	# report uid/gid root accounts
check_user	1	# monitor user account changes
check_diskusage 1	# monitor disk usage, per directory
check_ports     1       # monitor listening internet ports (set to "all" for listing of all listeners, not only new ones)
check_symlinks  0       # ignore symlinks

#
# database configuration
#
<db>
	# the dir where the databases resides; this must be the directory that is
	# created and chmod 700'ed in install step 3 at the top of this file
	# (that step says /var/nabou/db while this value is /var/lib/nabou -- reconcile
	# one of the two, otherwise --init and the cronjob use different databases)
	basedir		 /var/lib/nabou   # the dir where the databases resides
	# NOTE(review): presumably opens the database read-only during a normal
	# (non --init) run so a check cannot alter the baseline -- confirm in nabou(1)
	readonly	 1
</db>

#
# mail configuration
#
<mail>
	# report recipient and alert recipient; both go to the local root mailbox
	rcpt		root
	alert		root
	# values below contain spaces and are taken as the whole rest of the line
	from		root ids monitor
	subject		report from nabou
</mail>

#
# external programs used by nabou
#
<bin>
	# absolute paths only: nabou runs from root's crontab (install step 6), so
	# these binaries should be root-owned and not writable by other users
     	sendmail	/usr/sbin/sendmail
	crontab		/usr/bin/crontab
	who	 	/usr/bin/who
	lsof            /usr/sbin/lsof
</bin>





# check blocks, the following list of checks is available:
#
# chk_md5       checksum
# chk_size      size
# chk_shrink	file shrink
# chk_grow      file grow
# chk_mtime	modification time
# chk_atime	access time
# chk_ctime	inode change time
# chk_uid       owner
# chk_gid	group
# chk_nlinks	number of links
# chk_mode      file mode (i.e: 0755)
# chk_ino       inode
# chk_dev	device number
# chk_blocks	block number allocated on filesystem
# du_increase   disk usage increases (percent declaration)
# du_decrease   disk usage decreases (percent declaration)
#
# special flags:
#
# recursive     recurse in directories
# exclude       exclude this file (relative or absolute file/dir-name allowed)
# include	include this file
#
# you may also define your own ones "chk_custom NAME" see nabou(1).



#
# suid/sgid check block, defines which file properties of
# a suid/sgid file should be monitored besides additions/removals
#
<suid>
	# only used when check_suid is 1; a changed checksum, mode or owner of a
	# setuid/setgid binary is reported, not only a new or removed one
	chk_md5		1
	chk_mode	1
	chk_size	1
	chk_uid         1
	chk_gid         1
</suid>



#
# definitions of custom check templates, we will use them later
#

# definition for single logfiles
# alert if mode/uid/gid changes or the file size shrinks
<define chk_logfile>
       # a log that got smaller is a typical sign of log truncation/tampering,
       # so shrinking is reported while normal growth is not
       chk_shrink       1
       chk_mode         1
       chk_uid          1
       chk_gid          1
</define>

# definition for log directories
# alert if mode/uid/gid changes, or disk usage increases >= 30%, recursive
<define chk_logdir>
       recursive        1
       chk_mode         1
       chk_uid          1
       chk_gid          1
       # percent; needs check_diskusage 1 above
       du_increase	30
       # absolute paths only in this <exclude> (see the comment on the first entry)
       <exclude>
                /var/log/XFree86.0.log  # relative paths are not allowed here
       		/var/log/boot.log
       		/var/log/dmesg
       		/var/log/xdm-errors
       		/var/log/xfs.errors
       </exclude>
</define>

# definition for system binaries
# alert if most attributes change, recursive
<define chk_sysbin>
       recursive        1
       # mode/checksum/size/mtime/owner: any in-place modification of a binary
       # is reported; chk_mtime alone can be defeated by resetting the timestamp,
       # which is why chk_md5 is on as well
       chk_mode		1
       chk_md5          1
       chk_size		1
       chk_mtime	1
       chk_uid          1
       chk_gid		1
</define>

# definition for subdirs
# alert if mode/uid/gid changes (and new files/dirs are created)
<define chk_subdir>
       # no recursive flag here: only the directory itself and its direct
       # entries are watched, not the files further down
       chk_mode         1
       chk_uid		1
       chk_gid		1
</define>

#
# here we use the above pre-defined checks on some directories.
#
# whole log tree, recursive (see chk_logdir above for the excluded files)
<check chk_logdir>
       /var/log
</check>

# individual logs that must never shrink or change owner/mode
# (wtmp/lastlog/faillog/secure are the login-audit files an intruder would
# want to clean up first)
<check chk_logfile>
       /var/log/messages
       /var/log/maillog
       /var/log/wtmp
       /var/log/faillog
       /var/log/lastlog
       /var/log/kernel
       /var/log/firewall
       /var/log/secure
</check>

# system binaries and libraries, recursive with checksums
# NOTE(review): /var/lib contains the <db> basedir /var/lib/nabou from above;
# if the database files get rewritten on a run they will show up in this
# report -- confirm, or add an <exclude> for the basedir
<check chk_sysbin>
       /usr
       /boot
       /lib
       /opt
       /root
       /bin
       /sbin
       /var/lib
       /var/yp
</check>

# chk_subdir is not recursive, so for / and the home directories only the
# top-level entries (new/removed dirs, owner or mode changes) are watched
<check chk_subdir>
       /home
       /home/users
       /
</check>


#
# handle /etc in a special way
#
<directory /etc>
        # ignore these files (paths are relative to /etc here):
	<exclude>
		sshd_random   # this means /etc/sshd_random
		ntp.drift
		mtab
		passwd  # check_user is turned on anyway!
		shadow  # covered by useshadow 1 above
		motd
	</exclude>
       	recursive	1	# watch also files within subdirs under /etc
	chk_size	1	# size in bytes
	chk_mtime	1	# modification time
	chk_md5		1	# checksum
	# NOTE(review): no chk_mode/chk_uid/chk_gid here, so a permission or owner
	# change of a file under /etc (with unchanged content) is not reported
</directory>




# end of config file
#
# thanks for choosing nabou. may the source be with you, luke!
#
# Thomas Linden <tom@daemon.de> 2001
