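# ConfigMap holding the samhainrc for the samhain file integrity checker.
# Key `samhainrc` is the complete samhain configuration (samhain's INI-like
# dialect: `[Section]` headers, `key = value`, `#` full-line comments).
apiVersion: v1
kind: ConfigMap
metadata:
  name: samhain-config
  namespace: fim
  labels:
    app.kubernetes.io/instance: samhain-config-map
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: samhain-config
data:
  samhainrc: |
    ## samhainrc -- read by samhain (file integrity monitor).
    ## Conventions used in this file:
    ##   - one `key = value` per line, full-line `#` comments only
    ##   - boolean options are written yes/no
    ##   - directory entries use samhain's `dir = <depth>/<path>` form,
    ##     where <depth> is the recursion depth for that path
    ##   - every policy section appears once; all paths for a policy
    ##     are listed under that single header
    ##
    ## ----- General Settings -----
    ##
    [Misc]
    UseHardlinkCheck = no
    SyslogFacility = LOG_LOCAL2
    # Make samhain require setting the action at the command line,
    # e.g. `samhain -t check`.
    # Effectively stops the scan at host reboot.
    ChecksumTest = none
    # Has caused issues in the past if not added, as syslog is
    # set as group owner for the /var/log directory.
    TrustedUser = syslog
    # Redefine policies to ignore unnecessary attributes
    # (inode, mtime, atime, hardlink count; User0 also ctime, mode, owner, group).
    RedefIgnoreNone = -INO,-MTM,-ATM,-HLN
    RedefUser0 = -INO,-MTM,-ATM,-CTM,-HLN,-MOD,-USR,-GRP
    # Ignore modified directory inode size and timestamps.
    # Reduces large amounts of false positives after mounting squashfs.
    LooseDirCheck = yes
    # Drop checksummed files from the page cache (disabled).
    # SetDropCache = yes
    # Low scheduling priority for the checker process.
    SetNiceLevel = 19
    # Crontab-style schedule for the file check (daily at 19:00).
    FileCheckScheduleOne = 0 19 * * *
    # Report only once on modified files.
    # Setting this to 'no' reports modifications each time the scan runs
    # in daemon mode.
    # ReportOnlyOnce = no
    # Report full detail (disabled).
    # ReportFullDetail = no

    [Inotify]
    InotifyActive = yes

    [EventSeverity]
    # Any violation of the IgnoreNone policy is raised at 'crit'.
    SeverityIgnoreNone = crit
    # Lower level for unknown usr/grp ids.
    # This will cause many false positives if left on the default setting,
    # and does not give us much benefit to keep.
    SeverityNames = info

    [Log]
    LogSeverity = mark

    ##
    ## ----- Directories To Monitor -----
    ##
    ## IgnoreNone: report every change (minus the attributes removed by
    ## RedefIgnoreNone above). Depth 99 recurses through the whole tree.
    [IgnoreNone]
    # /ien_fs/usr/bin/
    dir = 99/ien_fs/usr/bin/
    # /ien_fs/usr/lib/
    dir = 99/ien_fs/usr/lib/
    # /ien_fs/usr/sbin/
    dir = 99/ien_fs/usr/sbin/

    ## IgnoreAll: content changes under firmware/ are not reported even
    ## though the tree sits inside the IgnoreNone /usr/lib entry above.
    ## NOTE(review): depth -1 rather than 0 -- confirm the intended
    ## recursion-depth semantics against the samhain manual.
    [IgnoreAll]
    dir = -1/ien_fs/usr/lib/firmware/

    ## ----- /build/image -----
    ## User0: policy as redefined by RedefUser0 above.
    [User0]
    file = /ien_fs/boot/live/vmlinuz
    file = /ien_fs/boot/live/initrd

    [EOF]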