Ticket #42535: samhainrc

File samhainrc, 21.3 KB (added by jul_bsd@…, 11 years ago)
1#####################################################################
2#
3# Configuration file template for samhain.
4#
5#####################################################################
6#
7# -- empty lines and lines starting with '#', ';' or '//' are ignored
8# -- boolean options can be Yes/No or True/False or 1/0
9# -- you can PGP clearsign this file -- samhain will check (if compiled
10#    with support) or otherwise ignore the signature
11# -- CHECK mail address
12#
13# To each log facility, you can assign a threshold severity. Only
14# reports with at least the threshold severity will be logged
15# to the respective facility (even further below).
16#
17#####################################################################
18#
19# SETUP for file system checking:
20#
21# (i)   There are several policies, each has its own section. Put files
22#       into the section for the appropriate policy (see below).
23# (ii)  Section [EventSeverity]:
24#       To each policy, you can assign a severity (further below).
25# (iii) Section [Log]:
26#       To each log facility, you can assign a threshold severity. Only
27#       reports with at least the threshold severity will be logged
28#       to the respective facility (even further below).
29#
30#####################################################################
31
32#####################################################################
33#
34# Files are defined with: file = /absolute/path
35#
36# Directories are defined with:                  dir = /absolute/path
37# or with an optional recursion depth (N <= 99): dir = N/absolute/path
38#
39# Directory inodes are checked. If you only want to check files
40# in a directory, but not the directory inode itself, use (e.g.):
41#
42# [ReadOnly]
43# dir = /some/directory
44# [IgnoreAll]
45# file = /some/directory
46#
47# You can use shell-style globbing patterns, like: file = /path/foo*
48#
49######################################################################
50
51[Misc]
52##
53## Add or subtract tests from the policies
54## - if you want to change their definitions,
55##   you need to do that before using the policies
56##
57# RedefReadOnly = (no default)
58# RedefAttributes=(no default)
59# RedefLogFiles=(no default)
60# RedefGrowingLogFiles=(no default)
61# RedefIgnoreAll=(no default)
62# RedefIgnoreNone=(no default)
63
64# RedefUser0=(no default)
65# RedefUser1=(no default)
66
67#
68# --------- / --------------
69#
70
[ReadOnly]
## The root directory itself, recursion depth 0 (see the header comment on
## 'dir = N/path'); every subtree gets its own policy further below.
dir = 0/

[Attributes]
## Top-level directories and mount points whose contents churn: only the
## permissions and ownership of these inodes are verified here.
## (/home is presumably the autofs mount point on macOS -- hence 'file'.)
file = /home
dir = /tmp
dir = /private
## NOTE(review): root's home is listed under [Attributes] here, while its
## parent /private/var is ReadOnly at depth 99 in the /var section below.
## Which entry governs the files inside /private/var/root (e.g. root's
## .ssh/authorized_keys) depends on samhain's precedence rules -- confirm
## that they end up under ReadOnly, not Attributes.
dir = /private/var/root
dir = /private/tftpboot
dir = /private/tmp
dir = /Library
dir = /Network
dir = /System
dir = /Trash
dir = /Users
dir = /Users/Shared
dir = /net
dir = /opt
dir = /cores

91#
92# --------- /etc -----------
93#
94
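[ReadOnly]
##
## Configuration trees: content, inode, permissions and ownership are all
## verified; only the access time is ignored.
##
#dir = 99/etc
dir = 99/private/etc
dir = 99/opt/local/etc
dir = 99/Library/Preferences

## Startup / persistence points. Anything that launchd, loginwindow or the
## kernel loads at boot or login belongs here: these are the usual places
## an intruder drops a payload to survive a reboot.
dir = /System/Library/LaunchDaemons
dir = /System/Library/LaunchAgents
dir = /Library/LaunchDaemons
dir = /Library/LaunchAgents
file = /Library/Preferences/com.apple.loginwindow.plist
#dir = /Users/*/Library/LaunchDaemons
dir = /Users/*/Library/LaunchAgents
## Legacy SystemStarter items (deprecated, but still executed on older
## OS X releases; harmless if the directories do not exist).
dir = /Library/StartupItems
dir = /System/Library/StartupItems
## Kernel extensions: a modified or added kext is the classic OS X rootkit
## vector, so check the whole trees rather than just the /System inode
## listed under [Attributes] above. (/Library/Extensions only exists on
## newer releases; samhain merely reports a missing directory otherwise.)
dir = 99/System/Library/Extensions
dir = 99/Library/Extensions

[Attributes]
##
## check permission and ownership only (contents are expected to change)
##
#file = /etc/mtab
#file = /etc/adjtime
#file = /etc/motd

file = /private/etc/cups/certs
#file = /etc/cups/certs/0

file = /private/etc/fstab.hd

# modified when booting
#file = /etc/sysconfig/hwconf

# There are files in /etc that might change, thus changing the directory
# timestamps. Put it here as 'file', and in the ReadOnly section as 'dir'.
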
132#
133# --------- /bin, /sbin -----------
134#
135
[ReadOnly]
## System and third-party (MacPorts, /usr/local) binaries, recursively.
## /usr/bin, /usr/sbin and /usr/local/* are also covered by the
## 'dir = 99/usr' entry in the /usr section below; the explicit entries
## are kept so the policy for binaries is visible in one place.
dir = 99/bin
dir = 99/sbin
dir = 99/usr/bin
dir = 99/usr/sbin
dir = 99/usr/local/bin
dir = 99/usr/local/sbin
dir = 99/opt/local/bin
dir = 99/opt/local/sbin
## Application bundles and developer tools: large trees -- expect a burst
## of reports after every App Store / Xcode update.
dir = 99/Applications
dir = 99/Developer

148#
149# --------- /dev -----------
150#
151
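[Attributes]
## Device nodes: verify permissions and ownership of everything under /dev
## (depth 99). Content checksums are meaningless for devices.
dir = 99/dev

[IgnoreAll]
##
## pseudo terminals are created/removed as needed
##
dir = -1/dev/pt*
dir = -1/dev/fd
## On Darwin the pty slave nodes are /dev/ttysNNN (there is no /dev/pts),
## and each one is chown'ed to the logging-in user for the duration of the
## session. Leaving them under the [Attributes] entry above would report an
## ownership change for every terminal login, so exclude them as well.
file = /dev/ttys*
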
162#
163# --------- /usr -----------
164#
165
[ReadOnly]
## Whole /usr tree at depth 99. Besides the /usr/bin and /usr/sbin entries
## listed in the /bin, /sbin section above this covers /usr/libexec,
## /usr/local and (on macOS) the user crontabs under /usr/lib/cron/tabs.
dir = 99/usr

169#
170# --------- /var -----------
171#
172
[ReadOnly]
## Whole /private/var tree (depth 99), minus the subtrees excluded under
## [IgnoreAll] below. This keeps /private/var/db -- including the local
## directory service data under /private/var/db/dslocal -- under full
## checking, which is intended: account changes are exactly what should
## be reported. (/private/var/root is additionally listed under
## [Attributes] near the top of the file; which entry governs its
## contents depends on samhain's precedence rules -- verify.)
dir = 99/private/var

## Web server document roots (content changes are reported)
dir = /Library/WebServer/Documents
dir = /opt/local/www

[IgnoreAll]
## Spool, cache and runtime state. Entries use depth -1, the convention
## used throughout this file for "leave this subtree alone entirely".
## Be conservative about extending this list: anything here is invisible
## to the integrity check, which makes it the obvious place to hide things.
dir = -1/private/var/cache
dir = -1/private/var/backups
dir = -1/private/var/games
dir = -1/private/var/gdm
#dir = -1/private/var/lock
dir = -1/private/var/mail
dir = -1/private/var/run
dir = -1/private/var/spool
dir = -1/private/var/tmp
#dir = -1/private/var/lib/texmf
#dir = -1/private/var/lib/scrollkeeper
#
## macOS-specific churn: per-user temp dirs, caches and mounted volumes
dir = -1/private/var/folders
dir = -1/System/Library/Caches
dir = -1/Library/Caches
dir = -1/Users/*/Library/Caches
dir = -1/Volumes



[Attributes]

## The entries below are Linux paths inherited from the upstream template
## (/var/lib does not exist on macOS); kept commented out for reference.
#dir = /private/var/lib/nfs
#dir = /private/var/lib/pcmcia

#file = /private/var/lib/acpi-support/vbestate
#file = /private/var/lib/alsa/asound.state
#file = /private/var/lib/apt/lists/lock
#file = /private/var/lib/apt/lists/partial
#file = /private/var/lib/cups/certs
#file = /private/var/lib/cups/certs/0
#file = /private/var/lib/dpkg/lock
#file = /private/var/lib/gdm
#file = /private/var/lib/gdm/.cookie
#file = /private/var/lib/gdm/.gdmfifo
#file = /private/var/lib/gdm/:0.Xauth
#file = /private/var/lib/gdm/:0.Xservers
#file = /private/var/lib/logrotate/status
#file = /private/var/lib/mysql
#file = /private/var/lib/mysql/ib_logfile0
#file = /private/var/lib/mysql/ibdata1
#file = /private/var/lib/slocate
#file = /private/var/lib/slocate/slocate.db
#file = /private/var/lib/slocate/slocate.db.tmp
#file = /private/var/lib/urandom
#file = /private/var/lib/urandom/random-seed
#file = /private/var/lib/random-seed
#file = /private/var/lib/xkb


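[GrowingLogFiles]
##
## For these files, changes in signature, timestamps, and increase in size
## are ignored. Logfile rotation will cause a report because of shrinking
## size and different inode.
##
dir = 99/private/var/log

[Attributes]
#
# rotated logs will change inode, so only check ownership/permissions
#
file = /private/var/log/*.log.[0-9].gz
file = /private/var/log/*.log.[0-9]
# newsyslog on macOS compresses rotated logs with bzip2 (system.log.0.bz2,
# mail.log.0.bz2, ...), so the gzip-only pattern above never matches them
# and every rotation would otherwise be reported as a new file.
file = /private/var/log/*.log.[0-9].bz2
#file = /private/var/log/*.[0-9]
#file = /private/var/log/*.old
file = /private/var/log/*/*.log.[0-9]
file = /private/var/log/*/*.log.[0-9].bz2
## Doesn't seem to have gz in those subdirs
#file = /private/var/log/*/*.[0-9].gz
#file = /private/var/log/*/*.[0-9][0-9].gz
# NOTE(review): /private/var/log/asl/ receives a new binary .asl file each
# day. If that produces unwanted "new file" reports, add a matching
# IgnoreAdded pattern in the [Misc] section below rather than excluding
# the directory from checking.
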
252[Misc]
253#
254# Various naming schemes for rotated logs
255#
256#IgnoreAdded = /private/var/log/.*\.[0-9]+$
257#IgnoreAdded = /private/var/log/.*\.log\.[0-9]+\.gz$
258#IgnoreAdded = /private/var/log/.*\.log\.[0-9]+$
259#
260# Subdirectories
261#
262#IgnoreAdded = /private/var/log/[[:alnum:]]+/.*\.[0-9]+$
263#IgnoreAdded = /private/var/log/[[:alnum:]]+/.*\.[0-9]+\.gz$
264#IgnoreAdded = /private/var/log/[[:alnum:]]+/.*\.[0-9]+\.log$
265#
266
267#
268# --------- other policies -----------
269#
270
271[IgnoreNone]
272##
273## for these files, all modifications (even access time) are reported
274##    - you may create some interesting-looking file (like /etc/safe_passwd),
275##      just to watch whether someone will access it ...
276##
277
278[Prelink]
279##
280## Use for prelinked files or directories holding them
281##
282
283
284[User0]
285[User1]
286## User0 and User1 are sections for files/dirs with user-definable checking
287## (see the manual)
288
289
290
291[EventSeverity]
292##
293## Here you can assign severities to policy violations.
## If this severity meets or exceeds the threshold of a log facility (see below),
295## a policy violation will be logged to that facility.
296##
297## Severity for verification failures.
298##
299# SeverityReadOnly=crit
300# SeverityLogFiles=crit
301# SeverityGrowingLogs=crit
302# SeverityIgnoreNone=crit
303# SeverityAttributes=crit
304# SeverityUser0=crit
305# SeverityUser1=crit
306# SeverityIgnoreAll=crit
307
308
309## Files : file access problems
310# SeverityFiles=crit
311
312## Dirs  : directory access problems
313# SeverityDirs=crit
314
315## Names : suspect (non-printable) characters in a pathname
316# SeverityNames=crit
317
318[Log]
319##
320## Switch on/OFF log facilities and set their threshold severity
321##
322## Values: debug, info, notice, warn, mark, err, crit, alert, none.
323## 'mark' is used for timestamps.
324##
325##
326## Use 'none' to SWITCH OFF a log facility
327##
328## By default, everything equal to and above the threshold is logged.
329## The specifiers '*', '!', and '=' are interpreted as 
330## 'all', 'all but', and 'only', respectively (like syslogd(8) does,
331## at least on Linux). Examples:
332## MailSeverity=*
333## MailSeverity=!warn
334## MailSeverity==crit
335
336## E-mail
337##
338# MailSeverity=none
339
340## Console
341##
342# PrintSeverity=info
343
344## Logfile
345##
346# LogSeverity=mark
347
348## Syslog
349##
350# SyslogSeverity=none
351
352## Remote server (yule)
353##
354# ExportSeverity=none
355
356## External script or program
357##
358# ExternalSeverity = none
359
360## Logging to a database
361##
362# DatabaseSeverity = none
363
364## Logging to a Prelude-IDS
365##
366# PreludeSeverity = crit
367
368
369
370#####################################################
371#
372# Optional modules
373#
374#####################################################
375
376# [SuidCheck]
377## Note: NEED a configure/build option
378##
379## --- Check the filesystem for SUID/SGID binaries
380##
381
382## Switch on
383#
384# SuidCheckActive = yes
385
386## Interval for check (seconds)
387#
388# SuidCheckInterval = 7200
389
390## Alternative: crontab-like schedule
391#
392# SuidCheckSchedule = NULL
393 
394## Directory to exclude
395#
396# SuidCheckExclude = NULL
397
398## Limit on files per second (0 == no limit)
399#
400# SuidCheckFps = 0
401
402## Alternative: yield after every file
403#
404# SuidCheckYield = no
405
406## Severity of a detection
407#
408# SeveritySuidCheck = crit
409
410## Quarantine SUID/SGID files if found
411#
412# SuidCheckQuarantineFiles = yes
413
414## Method for Quarantining files:
415#  0 - Delete or truncate the file.
416#  1 - Remove SUID/SGID permissions from file.
417#  2 - Move SUID/SGID file to quarantine dir.
418#
419# SuidCheckQuarantineMethod = 0
420
## For the methods that remove the file (0 and 2 in the numbering above;
## the upstream text says "method 1 and 3", apparently counting from 1),
## really delete instead of truncating
422#
423# SuidCheckQuarantineDelete = yes
424
425#[Kernel]
426##
427## --- Check for loadable kernel module rootkits (Linux/FreeBSD only)
428##
429
430## Switch on/off
431#
432# KernelCheckActive = True
433
434## Check interval (seconds); btw., the check is VERY fast
435#
436# KernelCheckInterval = 300
437
438## Severity
439#
440# SeverityKernel = crit
441
442
443# [Utmp]
444##
445## --- Logging of login/logout events
446##
447
448## Switch on/off
449#
450# LoginCheckActive = True
451
452## Severity for logins, multiple logins, logouts
453#
454# SeverityLogin=info
455# SeverityLoginMulti=warn
456# SeverityLogout=info
457
458## Interval for login/logout checks
459#
460# LoginCheckInterval = 300
461
462
463# [Database]
464##
465## --- Logging to a relational database
466##
467
468## Database name
469#
470# SetDBName = samhain
471
472## Database table
473#
474# SetDBTable = log
475
476## Database user
477#
478# SetDBUser = samhain
479
## Database password (stored in clear text here -- keep this file
## readable by root only)
481#
482# SetDBPassword = (default: none)
483
484## Database host
485#
486# SetDBHost = localhost
487
488## Log the server timestamp for received messages
489#
490# SetDBServerTstamp = True
491
492## Use a persistent connection
493#
494# UsePersistent = True
495
496# [External]
497##
498## Interface to call external scripts/programs for logging
499##
500
501## The absolute path to the command
502## - Each invocation of this directive will end the definition of the
503##   preceding command, and start the definition of
504##   an additional, new command
505#
506# OpenCommand = (no default)
507
## Type (log or srv)
## - log for log messages, srv for messages received by the server
510#
511# SetType = log
512
513## The command (full command line) to execute
514#
515# SetCommandLine = (no default)
516
517## The environment (KEY=value; repeat for more)
518#
519# SetEnviron = TZ=(your timezone)
520
## The TIGER192 checksum of the command (optional, but strongly
## recommended: the command is executed with samhain's privileges unless
## SetCredentials says otherwise, and the checksum prevents a replaced
## script from being run)
522#
523# SetChecksum = (no default)
524
525## User who runs the command
526#
527# SetCredentials = (default: samhain process uid)
528
529## Words not allowed in message
530#
531# SetFilterNot = (none)
532
533## Words required (ALL of them)
534#
535# SetFilterAnd = (none)
536
537## Words required (at least one)
538#
539# SetFilterOr = (none)
540
541## Deadtime between consecutive calls
542#
543# SetDeadtime = 0
544
545## Add default environment (HOME, PATH, SHELL)
546#
547# SetDefault = no
548
549
550#####################################################
551#
552# Miscellaneous configuration options
553#
554#####################################################
555
[Misc]

## Run in the background as a daemon process.
## (Not honoured when the database is being initialised.)
#
# Daemon = no
Daemon = yes

## What to do with file signatures: init (build the database),
## check (verify against the database) or none (decide on the
## command line).
#
# ChecksumTest = none
ChecksumTest = check

## Nice level (-19 .. 19, see 'man nice') and I/O limit in kilobytes
## per second (0 = off); both exist to reduce the load on the host.
#
# SetNiceLevel = 0
# SetIOLimit = 0

## Version string embedded in file signature databases
#
# VersionString = NULL

## Seconds between 'mark' time stamp messages (default 60)
#
# SetLoopTime = 60
SetLoopTime = 600

## Seconds between full file system checks (default 600)
#
# SetFileCheckTime = 600
SetFileCheckTime = 7200

591## Alternative: crontab-like schedule
592#
593# FileCheckScheduleOne = NULL
594
595## Alternative: crontab-like schedule(2)
596#
597# FileCheckScheduleTwo = NULL
598
599## Report only once on modified files
600## Setting this to 'FALSE' will generate a report for any policy
601## violation (old and new ones) each time the daemon checks the file system.
602#
603# ReportOnlyOnce = True
604
605## Report in full detail
606#
607# ReportFullDetail = False
608
609## Report file timestamps in local time rather than GMT
610#
611# UseLocalTime = No
612
613## The console device (can also be a file or named pipe)
614## - There are two console devices. Accordingly, you can use
615##   this directive a second time to set the second console device.
616##   If you have not defined the second device at compile time,
617##   and you don't want to use it, then:
618##   setting it to /dev/null is less effective than just leaving
619##   it alone (setting to /dev/null will waste time by opening
620##   /dev/null and writing to it)
621#
622# SetConsole = /dev/console
623
624## Activate the SysV IPC message queue
625#
626# MessageQueueActive = False
627
628
629## If false, skip reverse lookup when connecting to a host known
630## by name rather than IP address (i.e. trust the DNS)
631#
632# SetReverseLookup = True
633
634## --- E-Mail ---
635
636# Only highest-level (alert) reports will be mailed immediately,
637# others will be queued. Here you can define, when the queue will
638# be flushed (Note: the queue is automatically flushed after
639# completing a file check).
640#
641# SetMailTime = 86400
642
643## Maximum number of mails to queue
644#
645# SetMailNum = 10
646
647## Recipient (max. 8)
648#
649# SetMailAddress=root@localhost
650
651## Mail relay (IP address)
652#
653# SetMailRelay = NULL
654
655## Custom subject format
656#
657# MailSubject = NULL
658
659## --- end E-Mail ---
660
661## Path to the prelink executable
662#
663# SetPrelinkPath = /usr/sbin/prelink
664
665## TIGER192 checksum of the prelink executable
666#
667# SetPrelinkChecksum = (no default)
668
669
670## Path to the executable. If set, will be checksummed after startup
671## and before exit.
672#
673# SamhainPath = (no default)
674
675
676## The IP address of the log server
677#
678# SetLogServer = (default: compiled-in)
679
680## The IP address of the time server
681#
682# SetTimeServer = (default: compiled-in)
683
## Trusted Users (comma delimited list of user names). A trusted user may
## own, or have write access to, the configuration file and the
## directories on its path without samhain refusing to use it -- keep
## this list minimal.
685#
686# TrustedUser = (no default; this adds to the compiled-in list)
687
688## Path to the file signature database
689#
690# SetDatabasePath = (default: compiled-in)
691
692## Path to the log file
693#
694# SetLogfilePath = (default: compiled-in)
695
696## Path to the PID file
697#
698# SetLockfilePath = (default: compiled-in)
699
700
701## The digest/checksum/hash algorithm
702#
703# DigestAlgo = TIGER192
704
705
706## Custom format for message header.
707## CAREFUL if you use XML logfile format.
708##
709## %S severity
710## %T timestamp
711## %C class
712##
713## %F source file
714## %L source line
715#
716# MessageHeader="%S %T "
717
718
719## Don't log path to config/database file on startup
720#
721# HideSetup = False
722
723## The syslog facility, if you log to syslog
724#
725# SyslogFacility = LOG_AUTHPRIV
726SyslogFacility=LOG_LOCAL2
727
728## The message authentication method
729## - If you change this, you *must* change it
730##   on client *and* server
731#
732# MACType = HMAC-TIGER
733
734
735## The Prelude-IDS profile to use for reporting
736## default value is "samhain"
737#
738# PreludeProfile = samhain
739
740## Map these samhain severities to impact severity 'info' severity
741#
742# PreludeMapToInfo =
743
744## Map these samhain severities to impact severity 'low' severity
745#
746# PreludeMapToLow = debug info
747
748## Map these samhain severities to impact severity 'medium' severity
749#
750# PreludeMapToMedium = notice warn err
751
752## Map these samhain severities to impact severity 'high' severity
753#
754# PreludeMapToHigh = crit alert
755
756## --- UserFiles --- (need configure option)
757
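[UserFiles]
#
# Activate (0 is off).
#
UserfilesActive=1

#
# Files to check for under each $HOME
# A specific level can be specified.
# The allowed values are:
# allignore
# attributes
# logfiles
# loggrow
# noignore
# readonly
# user0
# user1
# user2
# user3
# user4
#
# The default is noignore
#
UserfilesName=.login noignore
UserfilesName=.profile readonly
# Shell start-up files are the usual per-user persistence hook; treat them
# like .profile.
UserfilesName=.bash_profile readonly
UserfilesName=.bashrc readonly
# 'readonly' rather than the 'noignore' default: sshd reads
# authorized_keys on every key-based login, and 'noignore' would report
# each of those access-time updates. Content, ownership and permission
# changes are still reported.
UserfilesName=.ssh/authorized_keys readonly
# ssh client config can run commands (ProxyCommand, LocalCommand).
UserfilesName=.ssh/config readonly
#
# A list of UIDs where we want to check.
# The default is all.
# IF THERE IS AN OPEN RANGE, IT MUST BE LAST
#
# macOS allocates local user accounts from UID 501 upwards (Linux starts
# at 1000), so the upstream '0,100-500,1000-' would skip exactly the
# interactive users on this platform.
#
UserfilesCheckUids=0,100-
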
792### --- ProcessCheck --- (need configure option)
793#
794#[ProcessCheck]
795##
796## Activate (default is on)
797##
798#ProcessCheckActive = no
799#
800## The severity of reports: debug/info/notice/warn/err/crit/alert
801## (default is crit)
802##
803#SeverityProcessCheck = crit
804#
805## The PID range (default is 0 to 32767)
806##
807#ProcessCheckMinPID = 0
808#ProcessCheckMaxPID = 32767
809#
810## The interval (in seconds) for process checks (default is 300 sec)
811##
812#ProcessCheckInterval = 360
813#
814## Specify a process that is required to run. The argument
815## must be a POSIX regular expression that matches the
816## output of ps (samhain will check whether the PID in the
817## output of 'ps' actually runs). You can use this option
818## multiple times. Note that each matching substring in a line
819## from the 'ps' output is considered a successful match.
820##
821#ProcessCheckExists = syslogd
822#
823## The 'configure' script determines automatically
824## the location of 'ps' as well as whether it is
825## Posix or BSD style. Therefore, these options may
826## not be required. For 'ProcesscheckPSArg', note
827## that the first column must be the PID, except on
828## Linux, where the format 'PID SPID ...' is expected
829## (spid = thread id), as shown by 'ps -eT'
830##
831## ProcessCheckPSPath = /usr/bin/ps
832## ProcessCheckPSArg = -e
833#
834## --- PortCheck --- (need configure option)
835
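[PortCheck]
#
# Activate (default is on)
#
PortCheckActive = yes

# The severity of reports: debug/info/notice/warn/err/crit/alert
# (default is crit)
#
SeverityPortCheck = crit

# These are the defaults
#
PortCheckMinPort = 0
PortCheckMaxPort = 65535

# Services that are required: a listed port that is NOT open is reported.
# Any open port that appears in neither list is reported as well, so the
# two lists together form a whitelist of what may listen on this host.
# This example (from the upstream template) specifies ssh (22/tcp),
# smtp (25/tcp), http (80/tcp) and portmapper -- adjust it to what this
# machine actually runs, or every check interval will raise a report for
# each missing service.
#
PortCheckRequired = 22/tcp,25/tcp,80/tcp,portmapper/tcp,portmapper/udp

# Services that are optional (may or may not be open). This example
# specifies mysql (3306/tcp).
#
PortCheckOptional = 3306/tcp

# Additional interfaces to scan, as a comma-separated list of IP
# addresses. samhain reads this value literally: there is NO shell
# expansion in samhainrc (the only conditional constructs are the
# @HOSTNAME/@end and $uname/$end blocks described at the end of this
# file), so a "$( ifconfig ... )" construct here reaches the parser as an
# invalid address and no additional interface is scanned at all.
# The address of the 'official hostname' is always scanned;
# 127.0.0.1 (localhost) is not, unless listed here.
# Example for a machine with two extra interfaces:
#
# PortCheckInterface = 192.168.1.129, 192.168.1.130

# The interval (in seconds) for port checks (default is 300 sec)
#
PortCheckInterval = 300

# By default, UDP ports are checked as well as TCP ports.
#
PortCheckUDP = yes
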
877## --- LogMon --- (need configure option)
878
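[Logmon]

#
# Switch on the module
#
LogmonActive = yes

# Poll interval in seconds. Note that every SHELL: watch below is
# re-executed (a fork/exec) once per interval, so keep the number of
# SHELL watches small while this is 1.
#
LogmonInterval = 1

# Strip PIDs from syslog messages, so that rules can match 'sshd: ...'
# instead of 'sshd[1234]: ...'
#
Logmonhidepid = true

# Define a queue with severity 'crit'.
# This is a 'report' queue, hence 'interval' (10)
# will be ignored.
#
LogmonQueue = q1:10:report:crit

# Define a second queue with severity 'alert'
#
LogmonQueue = q2:10:report:alert

# Monitor /var/log/system.log, the macOS syslog file
# (the upstream example uses /var/log/messages).
#
LogmonWatch = SYSLOG:/var/log/system.log

# Monitor /var/log/samba/log.nmbd, which is a samba
# logfile
#
#LogmonWatch = SAMBA:/var/log/samba/log.nmbd

# Monitor /var/log/apache2/access.log, which is
# an Apache logfile in 'combined' format
#
#LogmonWatch = APACHE:/var/log/apache2/access.log:combined

# Monitor disk usage. The command runs with samhain's (root) privileges,
# so give it by absolute path instead of relying on a PATH lookup.
#
LogmonWatch = SHELL:/bin/df -h

# Syslog messages for the pppd daemon
#
LogmonGroup = g1:pppd.*
#
# Rules in this group
#
LogmonRule     = q1:pppd:\s+primary.*
LogmonRule     = q1:pppd:\s+secondary.*
#
LogmonEndGroup

# Warn about any mounted disk nearly full (80% or more, including 100%).
# macOS device nodes are /dev/diskNsM (the upstream example's /dev/sda1 is
# a Linux name), and df -h prints sizes with Bi/Ki/Mi/Gi/Ti suffixes, so
# the upstream character class [0-9GM.] never matched here.
# Columns matched: Filesystem Size Used Avail Capacity ...
#
LogmonRule     = q1:/dev/disk[0-9]+s[0-9]+\s+[0-9BKMGTi.]+\s+[0-9BKMGTi.]+\s+[0-9BKMGTi.]+\s+(?:[89][0-9]|100)%.*

# Messages starting with WARNING (some samba stuff)
#
LogmonGroup = g2:WARNING.*
LogmonRule     = q2:.*interfaces.*
LogmonEndGroup

# Report every ssh login as root. The upstream example correlated an
# 'Accepted publickey for root' line with a 'pam_unix(sshd:session)' line
# via KEEP/CORRELATE; pam_unix is the Linux PAM module and does not appear
# in a macOS system.log, so that correlation could never fire here. A
# direct rule catches key, password and keyboard-interactive logins alike.
# (Verify on your release that sshd messages actually reach system.log.)
#
LogmonRule = q1:sshd: Accepted \S+ for root from .*

# Suppress repeated reports of the same event within 120 seconds.
#
LogmonDeadtime = 120

# Throw away all non-matching entries. This amounts
# to a blacklist policy (only report known bad).
#
# Usually considered bad practice!!! Use whitelisting!
#
# 'trash' is a built in queue, no definition needed.
# Keep this as the LAST rule: everything that should be reported has to
# be matched before it.
#
LogmonRule = trash:.*
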
964
965## everything below is ignored
966[EOF]
967
968#####################################################################
969# This would be the proper syntax for parts that should only be
970#    included for certain hosts.
971# You may enclose anything in a @HOSTNAME/@end bracket, as long as the
972#    result still has the proper syntax for the config file.
973# You may have any number of @HOSTNAME/@end brackets.
974# HOSTNAME should be the fully qualified 'official' name
975#    (e.g. 'nixon.watergate.com', not 'nixon'), no aliases.
976#    No IP number - except if samhain cannot determine the
977#    fully qualified hostname.
978#
979# @HOSTNAME
980# file=/foo/bar
981# @end
982#
983# These are two examples for conditional inclusion/exclusion
984# of a machine based on the output from 'uname -srm'
985# $Linux:2.*.7:i666
986# file=/foo/bar3
987# $end
988#
989# !$Linux:2.*.7:i686
990# file=/foo/bar2
991# $end
992#
993#####################################################################