
[ReadOnly]
## Policy: for these files only a change of the access time is ignored;
## any other change (content, size, owner, mode, ...) is reported.
## NOTE(review): /usr/bin/dca is listed again under [IgnoreAll] later in
## this file. Which policy applies to a path listed twice depends on
## samhain's precedence rules; if IgnoreAll wins, this binary is not
## integrity-checked at all. Confirm the intended policy.
    file = /usr/bin/dca
    
[Inotify]
# Use inotify to learn about file changes between full scans.
    InotifyActive = yes
# Number of inotify watches samhain may use; presumably must stay within
# the kernel limit (fs.inotify.max_user_watches) on the target -- confirm.
    InotifyWatches = 1048576

[ProcessCheck]
# Hidden / fake process detection.
    ProcessCheckActive = yes
# Severity of reports raised by this module.
    SeverityProcessCheck = crit
# NOTE(review): only PIDs 1..25 are inspected. Processes with higher PIDs
# fall outside the hidden-process scan; confirm this narrow range is
# intentional and not a leftover from testing.
    ProcessCheckMinPID = 1
    ProcessCheckMaxPID = 25
# Seconds between scans.
    ProcessCheckInterval = 900

# Process names that are never reported by this check (one name per line;
# repeated key is the list convention of this file). Generic names such as
# sh, cat, sleep, curl and tcpdump suppress reports for ANY process using
# that name, so every entry widens the blind spot -- review periodically.
    ProcessCheckWhiteList = agetty
    ProcessCheckWhiteList = ata_sff
    ProcessCheckWhiteList = authservice
    ProcessCheckWhiteList = bdi-default
    ProcessCheckWhiteList = cat
    ProcessCheckWhiteList = crond
    ProcessCheckWhiteList = crypto
    ProcessCheckWhiteList = curl
    ProcessCheckWhiteList = dbus-daemon
    ProcessCheckWhiteList = dbus-daemon-launch-helper
    ProcessCheckWhiteList = deviceUpdateMgrMain
    ProcessCheckWhiteList = dnsmasq
    ProcessCheckWhiteList = dropbear
    ProcessCheckWhiteList = dsMgrMain
    ProcessCheckWhiteList = flush
    ProcessCheckWhiteList = fsnotify
    ProcessCheckWhiteList = IARMDaemonMain
    ProcessCheckWhiteList = ipMgrMain
    ProcessCheckWhiteList = irMgrMain
    ProcessCheckWhiteList = kblockd
    ProcessCheckWhiteList = kdevtmpfs
    ProcessCheckWhiteList = khelper
    ProcessCheckWhiteList = khubd
    ProcessCheckWhiteList = klogd
    ProcessCheckWhiteList = ksoftirqd
    ProcessCheckWhiteList = kswapd
    ProcessCheckWhiteList = kthreadd
    ProcessCheckWhiteList = kworker
    ProcessCheckWhiteList = lighttpd
    ProcessCheckWhiteList = login
    ProcessCheckWhiteList = netns
    ProcessCheckWhiteList = nfsiod
    ProcessCheckWhiteList = ps
    ProcessCheckWhiteList = pwr-state-monitor
    ProcessCheckWhiteList = pwrMgrMain
    ProcessCheckWhiteList = Receiver
    ProcessCheckWhiteList = rf4ceMgr
    ProcessCheckWhiteList = rmfStreamer
    ProcessCheckWhiteList = rpciod
    ProcessCheckWhiteList = runPod
    ProcessCheckWhiteList = runSnmp
    ProcessCheckWhiteList = runXRE
    ProcessCheckWhiteList = samhain
    ProcessCheckWhiteList = scsi_eh
    ProcessCheckWhiteList = sh
    ProcessCheckWhiteList = sleep
    ProcessCheckWhiteList = snmpd
    ProcessCheckWhiteList = srv
    ProcessCheckWhiteList = storageMgrMain
    ProcessCheckWhiteList = syslogd
    ProcessCheckWhiteList = sysMgrMain
    ProcessCheckWhiteList = syssnmpagent
    ProcessCheckWhiteList = systemd
    ProcessCheckWhiteList = systemd-journald
    ProcessCheckWhiteList = systemd-logind
    ProcessCheckWhiteList = systemd-udevd
    ProcessCheckWhiteList = tr69BusMain
    ProcessCheckWhiteList = TRMMgr
    ProcessCheckWhiteList = udhcpc
    ProcessCheckWhiteList = udpsvd
    ProcessCheckWhiteList = upload2splunk
    ProcessCheckWhiteList = vodClientApp
    ProcessCheckWhiteList = websocket-trm-proxy
    ProcessCheckWhiteList = xcal-device
    ProcessCheckWhiteList = xdiscovery
    ProcessCheckWhiteList = xfs_mru_cache
    ProcessCheckWhiteList = xfslogd
    ProcessCheckWhiteList = fogcli
    ProcessCheckWhiteList = tenableHDCP
    ProcessCheckWhiteList = busybox.nosuid
    ProcessCheckWhiteList = busybox.suid
    ProcessCheckWhiteList = mke2fs
    ProcessCheckWhiteList = journalctl
    ProcessCheckWhiteList = mfrMgrMain
    ProcessCheckWhiteList = nxserver
    ProcessCheckWhiteList = socprovisioning
    ProcessCheckWhiteList = mocad
    ProcessCheckWhiteList = lxc-autostart
    ProcessCheckWhiteList = dibbler-client
    ProcessCheckWhiteList = ntpd
    ProcessCheckWhiteList = rbiDaemon
    ProcessCheckWhiteList = arping
    ProcessCheckWhiteList = tcpdump
    ProcessCheckWhiteList = nrdPluginApp
    ProcessCheckWhiteList = sdvAgent
    ProcessCheckWhiteList = ecryptfsd
    ProcessCheckWhiteList = tr69hostif
    ProcessCheckWhiteList = webpavideo
    ProcessCheckWhiteList = audiocapturemgr
    ProcessCheckWhiteList = rtrmfplayer
    ProcessCheckWhiteList = rdkbrowser2
    ProcessCheckWhiteList = hwselftest
    ProcessCheckWhiteList = wpa_supplicant
    ProcessCheckWhiteList = stunnel
    ProcessCheckWhiteList = controlMgr
    ProcessCheckWhiteList = parodus
    ProcessCheckWhiteList = rpcbind
    ProcessCheckWhiteList = playreadyCDMiService
    ProcessCheckWhiteList = WPEWebProcess
    ProcessCheckWhiteList = WPENetworkProcess
    ProcessCheckWhiteList = nlmon
    ProcessCheckWhiteList = rdnssd
    ProcessCheckWhiteList = logbackup
    ProcessCheckWhiteList = TTSEngine

[PortCheck]
# Scan for listening ports that are not expected / have no visible owner.
    PortCheckActive = yes
    SeverityPortCheck = crit
# Seconds between scans.
    PortCheckInterval = 1024

# Port range that is scanned. NOTE(review): ports above 40 are not covered
# by this check at all; confirm the upper bound is intentional.
    PortCheckMinPort = 1
    PortCheckMaxPort = 40

# Interface to scan (0.0.0.0 = all) and ports excluded from reporting.
# 22/tcp (the dropbear SSH listener) is deliberately exempt; any other
# exemption should be added here with a justification.
    PortCheckInterface = 0.0.0.0
    PortCheckSkip = 0.0.0.0:22/tcp

[Mounts]
# Verify that expected mount points are present.
    MountCheckActive=1
# Seconds between checks.
    MountCheckInterval=1024

# Severity when a listed mount point is absent, and when a required mount
# option is absent (no options are listed below, so the second one is
# presumably unused here -- confirm).
    SeverityMountMissing=crit
    SeverityOptionMissing=crit

# One mount point per line; repeated key is the list convention of this file.
# The comma in /sys/fs/cgroup/cpu,cpuacct is part of the path (cgroup v1
# controller name) -- confirm samhain keeps it as a single path.
    checkmount=/
    checkmount=/dev
    checkmount=/sys
    checkmount=/proc
    checkmount=/mnt/memory
    checkmount=/etc/xupnp
    checkmount=/etc/hosts
    checkmount=/etc/resolv.dnsmasq
    checkmount=/etc/resolv.conf
    checkmount=/var/spool/cron
    checkmount=/etc/hostname
    checkmount=/var/volatile
    checkmount=/sys/fs/fuse/connections
    checkmount=/etc/snmp/snmpd.conf
    checkmount=/etc/udhcpc.vendor_specific
    checkmount=/tmp
    checkmount=/etc/samhainrc
    checkmount=/var/samhain
    checkmount=/sys/kernel/debug
    checkmount=/dev/mqueue
    checkmount=/etc/machine-id
    checkmount=/sys/fs/cgroup/blkio
    checkmount=/sys/fs/cgroup/freezer
    checkmount=/sys/fs/cgroup/memory
    checkmount=/sys/fs/cgroup/devices
    checkmount=/sys/fs/cgroup/cpu,cpuacct
    checkmount=/sys/fs/cgroup/debug
    checkmount=/sys/fs/cgroup/cpuset
    checkmount=/sys/fs/cgroup/systemd
    checkmount=/run
    checkmount=/sys/fs/cgroup
    checkmount=/dev/shm
    checkmount=/dev/pts
    checkmount=/www


[EventSeverity]
# Severity assigned to violations of each file policy.
# Only a [ReadOnly] and an [IgnoreAll] policy are defined in this file;
# the LogFiles / GrowingLogs / IgnoreNone / Attributes severities are
# presumably unused unless those policies are defined elsewhere.
    SeverityReadOnly=crit
    SeverityLogFiles=warn
    SeverityGrowingLogs=info
    SeverityIgnoreNone=crit
    SeverityAttributes=crit

 [IgnoreAll]                            
    file = /usr/bin/dca
    
[Log]

# Per-channel severity thresholds: only events at or above the threshold
# reach the console (Print), the log file (Log) and the [External] command.
# Note that [Misc] sets SetLogfilePath = /dev/null, so the log-file channel
# discards everything; the external upload is the only persistent record.
PrintSeverity=crit
LogSeverity=crit
ExternalSeverity=crit

[Logmon]
# Log-file monitoring: each LogmonWatch names a file to follow, the
# LogmonRule lines give queue:regex pairs matched against its lines.
LogmonActive = yes
LogmonSaveDir = /tmp/samhain
# Queue q1: every match is reported individually at severity crit
# (the 10 is presumably the reporting interval in seconds -- confirm).
LogmonQueue = q1:10:report:crit
LogmonInterval = 60
LogmonBurstThreshold = 2

# SSH (dropbear): successful public-key logins and server start/stop.
# RE{...} after the path is the format used to split the timestamp off the line.
LogmonWatch = APACHE:/opt/logs/dropbear.log:RE{^(\S+\s*\S+)*}
LogmonRule = q1:.*Pubkey auth succeeded.*
LogmonRule = q1:Started SSH Per-Connection Server
LogmonRule = q1:Stopped SSH Per-Connection Server

# System messages: SNMP connection accepts and any firewall DROP line.
LogmonWatch = APACHE:/opt/logs/messages.txt:RE{^(\S+\s*\S+)*}
LogmonRule = q1:.*SNMP ACCEPT CONNECTION.*|.*DROP.*

# snmpd: received packets whose line does not mention 127.0.0.1, i.e.
# SNMP traffic from non-loopback sources, plus daemon start/stop.
LogmonWatch = APACHE:/opt/logs/snmpd.log:RE{^(\S+\s*\S+)*}
LogmonRule = q1:^(?=.*Received SNMP packet.*)(?!.*127\.0\.0\.1).*
LogmonRule = q1:Started Simple Network Management Protocol (SNMP) Daemon
LogmonRule = q1:Stopped Simple Network Management Protocol (SNMP) Daemon

# TR-069 host interface: every request line and webpa video daemon start/stop.
LogmonWatch = APACHE:/opt/logs/tr69hostif.log:RE{^(\S+\s*\S+)*}
LogmonRule = q1:.*Request:.*
LogmonRule = q1:Started webpa video Daemon
LogmonRule = q1:Stopped webpa video Daemon

# TR-069 SOAP debug log: accepted sockets and daemon start/stop.
# The final rule sends everything else to the trash queue so unmatched
# lines are discarded rather than reported.
LogmonWatch = APACHE:/opt/logs/tr69agent_SoapDebug.log:RE{^(\S+\s*\S+)*}
LogmonRule = q1:.*Accept socket.*
LogmonRule = q1:Started TR69 Host Interface Daemon
LogmonRule = q1:Stopped TR69 Host Interface Daemon
LogmonRule = trash:.*

[External]
# External log handler: events at or above ExternalSeverity are handed to
# this script. It runs with samhain's privileges, so the script and its
# directory must not be writable by anyone but root -- confirm on the target.
OpenCommand = /usr/sbin/upload2splunk.sh
# Type "log": the command receives log messages.
SetType = log
# Explicit PATH for the child process instead of inheriting the environment.
SetEnviron = PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin
# Bare keyword (no "=") that terminates this command definition.
CloseCommand

[Misc]
# Run as a one-shot check rather than a background daemon.
Daemon = no

## whether to test signature of files (init/check/none)
ChecksumTest=check
# Lowest CPU priority.
SetNiceLevel = 19
# Seconds between check cycles; presumably only relevant in daemon mode -- confirm.
SetLoopTime = 600
#SetFileCheckTime = 3600
# kilobytes per second
#SetIOLimit=1000
# Booleans below mix "True" and "true"; keep lowercase for new entries.
LooseDirCheck = True
AvoidBlock=true
# Report a changed file once rather than on every cycle.
ReportOnlyOnce = true
# No reverse DNS lookups for reported addresses.
SetReverseLookup = false
ReportCheckflags = false
UseHardlinkCheck = false

# Baseline database. Its integrity is the root of every file check:
# keep it where an attacker with write access to the checked files cannot
# also alter it -- confirm protection on the target.
SetDatabasePath = /opt/samhain_file
# Local log file is discarded; only the [External] upload and syslog remain.
SetLogfilePath = /dev/null

# Message header format; the value is quoted as in samhain's documentation.
MessageHeader="%F"

SyslogFacility=LOG_LOCAL2

# NOTE(review): confirm this value is accepted by the samhain build in use.
MACType = SHA-256


# End-of-configuration marker; samhain presumably stops parsing here -- confirm.
[EOF]
