# sample nabourc
# see detailed instructions in the file README!

use_shadow	1	# use /etc/shadow (readonly!)
use_mail		1	# send the report via email
use_algo	MD5	# also possible: SHA1 or MD2
use_ls          1       # print also a ls -l alike line for matching files
use_temp_sum    0       # do not use a temporary dbm file for check results

passwd	/etc/passwd	# the location of the passwd file
shadow	/etc/shadow	# ditto
shells	/etc/shells	# ditto

check_cron	1	# monitor cronjob changes
check_suid	1	# monitor setuid programs
check_files	1	# monitor files on a per directory basis
check_root	1	# report uid/gid root accounts
check_user	1	# monitor user account changes
check_diskusage 1	# monitor disk usage, per directory
check_ports     1       # monitor listening internet ports (set to "all" for a listing of all listeners)
check_symlinks  0       # ignore symlinks

# database configuration
<db>
	# the dir where the databases resides
	basedir		 /var/nabou
	sign		 0		# database protection, implies readonly=1
	readonly	 0 		# do not update db's from cronjob
	cipher           Blowfish       # cipher algorithm for database protection: Blowfish, DES or Twofish
</db>


# mail configuration
<mail>
	rcpt		you@somewhere	    # default: root
	cc		you@anotherhost	    # one or more Cc., comma-separated
	alert		you@somewhere	    # email address for fatal alert mails
	from		root		    # the sender (From:) address of the report mail
	subject		report from nabou   # the subject line of the report mail
</mail>


# external programs used by nabou
<bin>
     	sendmail	/usr/sbin/sendmail  # if use_mail == 1
	crontab		/usr/bin/crontab    # if check_cron == 1	
	who             /usr/bin/who
	lsof            /usr/sbin/lsof      # for check_ports
</bin>



# suid/sgid check block, defines which file properties of
# a suid/sgid file should be monitored besides additions/removals
<suid>
	chk_md5		1	# checksum
	chk_mode	1	# file mode, e.g. "4775"
	chk_size	1	# size in bytes
</suid>



# directory block, defines which file properties of a file should
# be monitored besides additions/removals
<directory /etc>
	exclude		sshd_random	# ignore this file under /etc
       	recursive	1	# watch also files within subdirs under /etc
	chk_size	1	# size in bytes
	chk_mtime	1	# modification time
	chk_md5		1	# checksum
	du_increase     5	# disk increase more than 5%
	du_decrease	5	# disk decrease less than 5%
	chk_custom	diff	# use the scriptlet "diff", which is defined below
</directory>



# another directory block
<directory /bin>
	<exclude>
		# exclude can also be used as block statement
		aaa
		bbb
	</exclude>
	recursive 	1
	chk_mode	1
	chk_md5		1
</directory>


# this block inherits all definitions from the /bin block
# above, thus, /sbin will be checked for the checksums, the
# file mode and it will be watched recursively.
<directory /sbin>
	inherit		/bin
</directory>



# you can also pre-define sets of checks which you can
# use on a couple of files/dirs within one config block:
<define chk_log>
       # a custom check definition for logfiles
       recursive 	1
       chk_decrease     1
       chk_mode         1
</define>

# here we use the above pre-defined check on some
# directories. This block cannot contain anything other
# than file or directory names.
<check chk_log>
       /var/log
       /var/adm
       /usr/local/apache/logs
</check>




# scriptlet sample: "diff" is used in the directory block "/etc".
# The scriptlets in this block are executed as Perl code by nabou, so keep
# this file writable only by the account that runs nabou.
<script>
   diff <<EOFdiff
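        my($file, $dir, $lastmatch) = @_;
	# chk_custom "diff" for the /etc directory block: keeps a copy of every
	# matching file under $my{DiffDir} (set in the BEGIN scriptlet below) and
	# reports a context diff against that copy when the file has changed.
	# Arguments: $file (nabou file object, only ->filename is used),
	# $dir and $lastmatch. Returns the report text, or nothing when there
	# is nothing to report.
	my $filename   = $file->filename;
	my $filesingle = $filename;
	$filesingle =~ s/.*\///; # remove the directory part
	# NOTE: only the basename is kept, so with "recursive 1" two files of the
	# same name in different subdirectories share one repository entry.
	$filesingle = "$my{DiffDir}/$filesingle";
	if(-e $filesingle) {
	  # The names come from the monitored filesystem, so they must never be
	  # handed to a shell: list-form open runs diff directly with its argv,
	  # a name containing shell metacharacters is passed through literally.
	  open(my $diff_fh, '-|', 'diff', '-c', $filename, $filesingle)
	    or die "Could not run diff on $filename: $!\n";
	  my $diff = do { local $/; <$diff_fh> };
	  close($diff_fh); # diff exits 1 when the files differ; not an error here
	  return "diff:\n" . $diff . "\n" if($diff);
	}
	else {
	  # list-form system() for the same reason: no shell involved
	  system("cp", $filename, $filesingle) and die "Could not copy $filename to $filesingle!\n";
	  if($lastmatch) {
	    return "file $filesingle added to diff repository\n";
	  }
	}
        ;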
   EOFdiff

   BEGIN <<EOFbegin
   	# Executed once at startup. Defines, as an entry in the global %my hash,
   	# the directory in which the "diff" scriptlet above keeps its copies.
	# NOTE(review): nothing in this file creates that directory; confirm
	# nabou does, otherwise the cp in the "diff" scriptlet dies.
	$my{DiffDir} = join('/', $config{db}->{basedir}, 'diff_storage');
   EOFbegin

   END <<EOFend
   	# this will be executed only once at the end of the run
	# namespace main::
	# unused in the example.
   EOFend
</script>



# some additional config feature demonstrations:
/*
 * this is a C-Style comment.
 *

You can define multiline options using here documents, like the
scriptlet does:
<myblock>
	signature <<END
		Carl Robert <carl@dev.null.net>
		Art Director, SigSeg Creations.
	END
</myblock>

You can also break long lines using the backslash notation:
<mail>
	subject this is a custom report of nabou \
		as of november 2000 which is sent \
		to you via email
</mail>
	

You can define one block in different files!

Assume the following file:

--- db.rc ---
<db>
	basedir	/var/log/nabou
</db>
-------------

and another one:
--- do.rc ---
<<include db.rc>>
<db>
	csumDB	blahblubber
</db>
-------------

In the above example the second config includes the first one, db.rc.
The resulting config is the same as if you had written:
<db>
	basedir	/var/log/nabou
	csumDB	blahblubber
</db>



 * this is the end of the C-Style comment
 *
 * Thank you for choosing nabou. keep the world secure!
 *
 */
