# sample nabourc
# see detailed instructions in the file README!

useshadow	1	# use /etc/shadow (readonly!)
usemail		1	# send the report via email
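# note: MD5 and MD2 have known collision attacks; SHA1 is the strongest of
# the three listed here, though it too has known collision attacks
use_algo	MD5	# also possible: SHA1 or MD2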
use_ls          1       # print also a ls -l alike line for matching files
use_temp_sum    0       # do not use a temporary dbm file for check results

passwd	/etc/passwd	# the location of the passwd file
shadow	/etc/shadow	# the location of the shadow file
shells	/etc/shells	# the location of the shells file

check_cron	1	# monitor cronjob changes
check_suid	1	# monitor setuid programs
check_files	1	# monitor files on a per directory basis
check_root	1	# report uid/gid root accounts
check_user	1	# monitor user account changes
check_diskusage 1	# monitor disk usage, per directory


# database configuration
<db>
	# the dir where the databases resides
	basedir		 /var/log/nabou/db
	protected	 1	# password protection, implies readonly=1
	readonly	 0 	# 1 = do not update db's from cronjob (already implied by protected=1)
	# note: DES (56-bit key) is considered too weak today; prefer one of the others
	cipher		 IDEA	# algorithm, also: Blowfish, DES or Twofish
	# filenames
	pwdDB   	 pwd	# user db	
	sugidDB 	 sugid	# setuid/setgid db
	csumDB  	 csum	# file checksum db
	cronDB  	 cron	# cron db
	miscDB  	 misc	# nabou internals
	diskusageDB	 du	# diskusage db
</db>


# mail configuration
<mail>
	rcpt		you@somewhere	    # default: root
	cc		you@anotherhost	    # one or more Cc., comma-separated
	alert		you@somewhere	    # email address for fatal alert mails
	from		root		    # who is nabou
	subject		report from nabou   # the subject line of the report mail
</mail>


# external programs used by nabou
<bin>
     	sendmail	/usr/sbin/sendmail  # if usemail == 1
	crontab		/usr/bin/crontab    # if check_cron == 1	
</bin>



# suid/sgid check block, defines which file properties of
# a suid/sgid file should be monitored besides additions/removals
<suid>
	chk_md5		1	# checksum
	chk_mode	1	# file mode, i.e. "4775"
	chk_size	1	# size in bytes
</suid>



# directory block, defines which file properties of a file should
# be monitored besides additions/removals
<directory /etc>
	exclude		sshd_random	# ignore this file under /etc
       	recursive	1	# watch also files within subdirs under /etc
	chk_size	1	# size in bytes
	chk_mtime	1	# modification time
	chk_md5		1	# checksum
	du_increase     5	# disk increase more than 5%
	du_decrease	5	# disk decrease less than 5%
	chk_custom	diff	# use the scriptlet "diff", which is defined below
</directory>



# another directory block
<directory /bin>
	<exclude>
		# exclude can also be used as block statement
		aaa
		bbb
	</exclude>
	recursive 	1
	chk_mode	1
	chk_md5		1
</directory>


# this block inherits all definitions from the /bin block
# above, thus, /sbin will be checked for the checksums, the
# file mode and it will be watched recursively.
<directory /sbin>
	inherit		/bin
</directory>



# you can also pre-define sets of checks which you can
# use on a couple of files/dirs within one config block:
<define chk_log>
       # a custom check definition for logfiles
       recursive 	1
       chk_decrease     1
       chk_mode         1
</define>

# here we use the above pre-defined check on some
# directories. This block cannot contain anything other
# than file or directory names.
<check chk_log>
       /var/log
       /var/adm
       /usr/local/apache/logs
</check>




# scriptlet sample, "diff" is used in the directory block "/etc"
<script>
   diff <<EOF
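        # Custom check "diff": report how a monitored file differs from the
        # copy kept from the previous run, then refresh that copy.
        # Arguments are supplied by nabou; only $file is used here.
        # Returns "diff:\n" . output . "\n" when diff printed something, else 1.
        my($file, $dir, $lastmatch) = @_;
        # Perl does not interpolate method calls inside backticks, so the
        # name is fetched first and handed over as a plain argument.
        my $name   = $file->filename;
        my $stored = "$config{db}->{basedir}/$DiffDir/$name";
        # The list forms of open() and system() start the program directly,
        # without a shell, so spaces or shell metacharacters in a monitored
        # file name are passed through as data and never interpreted.
        my $diff = '';
        if (open(my $pipe, '-|', 'diff', '-c', '--', $name, $stored)) {
            local $/;        # read the whole output at once
            my $out = <$pipe>;
            $diff = $out if defined $out;
            close($pipe);    # diff exits non-zero when the files differ
        }
        # Refresh the stored copy at the same path diff reads from, so the
        # next run compares against this version of the file.
        system('cp', '--', $name, $stored);
        # NOTE(review): when this scriptlet is attached to /etc, the stored
        # copies and the returned diff text can hold sensitive file contents
        # (password hashes, keys). Keep the storage directory readable by
        # root only and consider excluding such files; confirm where nabou
        # sends the returned text.
        return "diff:\n" . $diff . "\n" if($diff);
        1;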
   EOF

   BEGIN <<EOF
   	# this will be executed only once at startup
	# namespace main::
	# $DiffDir names the subdirectory of the db basedir in which the "diff"
	# scriptlet looks for the previous copy of each file; the scriptlet
	# itself does not create that directory.
	$DiffDir = "diff_storage"; # used in the scriptlet above.
   EOF

   END <<EOF
   	# this will be executed only once at end of run
	# namespace main::
	# unused in this example.
   EOF 
</script>



# some additional config feature demonstrations:
/*
 * this is a C-Style comment. everything between /* and the next */
 * will be ignored by nabou!
 *

You can define multiline options using here documents, like the
scriptlet does:
<myblock>
	signature <<END
		Carl Robert <carl@dev.null.net>
		Art Director, SigSeg Creations.
	END
</myblock>

You can also break long lines using the backslash notation:
<mail>
	subject this is a custom report of nabou \
		as of november 2000 which is sent \
		to you via email
</mail>
	

You can define one block in different files!

Assume the following file:

--- db.rc ---
<db>
	basedir	/var/log/nabou
</db>
-------------

and another one:
--- do.rc ---
<<include db.rc>>
<db>
	csumDB	blahblubber
</db>
-------------

in the above example the 2nd config includes the first one, db.rc.
The resulting config is the same as if you wrote:
<db>
	basedir	/var/log/nabou
	csumDB	blahblubber
</db>



 * this is the end of the C-Style comment
 *
 * Thank you for choosing nabou. keep the world secure!
 *
 */
