# sample rc for process monitoring using nabou.
# run with "nabou -D -c psrc"

# Send reports by mail to the addresses in <mail> below (1 = on).
use_mail	1

# check_nabou presumably toggles nabou's checks on its own process; it is
# off here.  NOTE(review): with chk_argv enabled in <proc> and nabou's argv
# disguised as "(kfsiod)", its own argv/exe would not match, which looks
# like the reason for disabling it -- confirm, rather than treating it as
# an oversight.
check_nabou	0
# Process monitoring (the <proc> section) is on.
check_proc	1

# PID file written when running as a daemon (-D).  /var/run should be
# writable by root only, otherwise a local user could point "kill" at
# a different pid.
pidfile		/var/run/nabou.pid

<mail>
        # All addresses below are placeholders -- replace them before use.
        # rcpt/cc receive the regular report; "alert" is presumably the
        # address for urgent notices (see the nabou docs to confirm).
        rcpt            you@somewhere
        cc              you@anotherhost
        alert           you@somewhere
        # Envelope sender.  Reports contain pid/uid/exe/cmdline/cwd of the
        # flagged processes (see "report" in <proc>), i.e. host-internal
        # detail an attacker would like to read: deliver them only over a
        # path you trust (local MTA or an authenticated/TLS relay).
        from            root
        subject         process report from nabou
</mail>


<proc>
	# how nabou appears in "ps" listing as, kind of hiding :)
	# NOTE(review): this disguises argv only; the real binary is presumably
	# still visible through /proc/<pid>/exe, so do not count on it to hide
	# nabou from someone who already has a shell on the box.
	argv		(kfsiod)
	
	# Anomaly checks, all enabled (1 = on).
	chk_uid		1	# different ruid/euid
	chk_gid		1	# different rgid/egid
	chk_argv	1	# not matching argv/exe
	chk_rundet	1	# running detached process
	
	# Custom check implemented by the Perl scriptlet named "test" in <script>
	# below.  Because such scriptlets are executed by nabou, this file must
	# be owned by root and not group/world-writable: whoever can edit it can
	# run code with nabou's privileges.
	chk_custom	test    # a scriptlet usage sample, see <script> below!

	# re-report a flagged process that is still running after this many minutes
	report_old	15	# repeat report if still running after minutes
	# rescan /proc every this many seconds; processes that live shorter than
	# one interval can be missed entirely
	refresh		20	# seek /proc every seconds
	
	# kind of information to be reported
	report		pid, uid, euid, tty, exe, cmdline, cwd
	
        # sample processes that should be ignored (which you trust)
	# create the necessary MD5 checksums using md5sum(1).
	# NOTE(review): an <exclude> presumably whitelists every process whose
	# exe, cmdline, md5 and (where given) uid match.  Keep the uid line
	# wherever possible, and regenerate the md5 after every upgrade of the
	# binary -- a stale checksum silently turns the entry into a report of
	# the legitimate program, a too-broad entry hides a trojaned one.
	<exclude /usr/local/quake/q3ded>
		# our quake server
		cmdline	/usr/local/quake/q3ded +set dedicated 2 \
				        +set net_ip 192.168.2.5 \
					+set net_port 27960
		md5	61d6d3f62a14c27db8d62e3555a1907c
		uid	550
	</exclude>
	
	<exclude /usr/local/bin/snort>
		# intrusion detection daemon (runs as root: uid 0)
		cmdline	/usr/local/bin/snort -i eth0 -c /etc/snort.conf -D -v
		md5	d65460b7f00877d3d8e4be131764f458
		uid	0
	</exclude>
	
	<exclude /bin/bash>
		# login shells
		# NOTE(review): no uid line, so login shells of *every* user
		# presumably match -- list the trusted uids explicitly if you
		# want shells of other accounts to be reported.
		cmdline	-bash
		md5	c36b467680f96a6c63053df2c0df379e
	</exclude>
	
	<exclude /usr/X11R6/bin/xterm>
		# xterm's (likewise matched for any uid, see the bash entry)
		cmdline	xterm -vb
		md5	0ad97e3b78a37bffa09d21b129c44544
	</exclude>
</proc>


<script>
	# Scriptlet "test", referenced by "chk_custom test" in <proc>.  It is
	# Perl: nabou presumably calls it with the process object as its only
	# argument and puts the returned string into the report ("ist" is
	# German for "is").  NOTE(review): since this is code executed by
	# nabou, keep the config file root-owned and not group/world-writable.
	test <<EOF
		my($prc) = @_;
		return "PID ist: " . $prc->pid . "\n";
	EOF
</script>