13. Checking sensitive files owned by users

13. Checking sensitive files owned by users
Prev	Chapter 5. Configuring samhain, the host integrity monitor	Next

13. Checking sensitive files owned by users

To compile with support for this option, use the configure option

./configure --enable-userfiles

samhain can be compiled to support checking of files that are specified as being relative to the a user's home directory. It is intended to detect interference with files that influence process behaviour such as .profile It simply adds the appropriate file entries to the main samhain list, at the specified alerting level.

	[UserFiles]
	#
	# Activate (0 is off).
	#
	UserfilesActive=1
	
	#
	# Files to check for under each $HOME
	# A specific level can be specified.
	# The allowed values are:
	# allignore
	# attributes
	# logfiles
	# loggrow
	# noignore
	# readonly
	# user0
	# user1
	# user2
	# user3
	# user4
	# 
	# The default is noignore
	#
	UserfilesName=.login noignore
	UserfilesName=.profile readonly
	UserfilesName=.ssh/authorized_keys
	#
	# A list of UIDs where we want to check. 
	# The default is all.
	# IF THERE IS AN OPEN RANGE, IT MUST BE LAST
	#
	UserfilesCheckUids=0,100-500,1000-

This module by the eircom.net Computer Incident Response Team.

Prev	Up	Next
12. Checking mounted filesystem policies	Home	14. Checking for hidden/fake/missing processes