# sample rc for process monitoring using nabou.
# run with "nabou -D -c psrc"

usemail	1

check_nabou	0
check_proc	1

pidfile		/var/run/nabou.pid

<mail>
        rcpt            you@somewhere
        cc              you@anotherhost
        alert           you@somewhere
        from            root
        subject         process report from nabou
</mail>

<bin>
	sendmail	/usr/sbin/sendmail
</bin>

<proc>
	# the name nabou shows under in a "ps" listing (a bit of hiding :)
	argv		(kfsiod)
	
	chk_uid		1	# different ruid/euid
	chk_gid		1	# different rgid/egid
	chk_argv	1	# not matching argv/exe
	chk_rundet	1	# running detached process
	
	chk_custom	test    # a scriptlet usage sample, see <script> below!

	report_old	15	# repeat the report if still running after this many minutes
	refresh		20	# scan /proc every this many seconds
	
	# kind of information to be reported
	#report		pid, uid, euid, tty, exe, cmdline, cwd, fd
	report		pid, exe, cmdline, fd
	#report		ps	# report a "ps" like output
	#noreason	1	# don't print the reason why it's matched
	

	# dump process tables to this directory. Be warned: this can grow huge!
	# dumps can be analyzed with nabou --inspect
	dump_proc       /var/log/psdumps


	# sample processes that should be ignored (the ones you trust)
	# create the necessary MD5 checksums of the executables using md5sum(1).
	<exclude /usr/local/quake/q3ded>
		# our quake server
		cmdline	/usr/local/quake/q3ded +set dedicated 2 \
				        +set net_ip 192.168.2.5 \
					+set net_port 27960
		md5	61d6d3f62a14c27db8d62e3555a1907c
		uid	550
	</exclude>
	
	<exclude /usr/local/bin/snort>
		# intrusion detection daemon
		cmdline	/usr/local/bin/snort -i eth0 -c /etc/snort.conf -D -v
		md5	d65460b7f00877d3d8e4be131764f458
		uid	0
	</exclude>
	
	<exclude /bin/bash>
		# login shells
		cmdline	-bash
		# a shell script we trust
		cmdline /root/bin/oracle_mon.sh
		md5	c36b467680f96a6c63053df2c0df379e
	</exclude>
	
	<exclude /usr/X11R6/bin/xterm>
		# xterms
		cmdline	xterm -vb
		# or anything which begins with "xterm"
		cmdline ^xterm.*
		md5	0ad97e3b78a37bffa09d21b129c44544
	</exclude>
	
	# special case: if no value for the executable is known, it is
	# probably a kernel process. But you may also lack permission to
	# read the link /proc/PID/exe. Note that this entry then ignores
	# any such process, whatever its command line.
	<exclude "">
		# ignore any commandline
		cmdline .*
	</exclude>
</proc>


<script>
	test <<EOF
		# scriptlet for chk_custom: gets the process object and the match,
		# returns a non-empty reason string when the process should be reported
		my($prc, $match) = @_;
		return "irc bot running!\n" if $prc->cmdline =~ /(eggdrop|bitchx)/;
		return "";
	EOF
</script>






