#  Tripwire policy file $$version
#  $$title
#  Security level: $$security
#  by $$author, $$date
#
#  Policy file for Rock Linux generated by:
#    $$progn
#
#  This file should contain all the file rules you want Tripwire
#  to enforce. Variables with the syntax '\$\$example' are expanded
#  by the mktrippol.pl script for your live Linux setup.
#
#  For more info see Tripwire's share/policyguide.txt. 
#
#  20010506  Initial scripted version by Pjotr - based on policy 
#            file by Chris Hamilton.
#
#  $Id: rockbasepolicy.txt,v 1.5 2001/05/16 09:28:16 wrk Exp $

#
# Global Variable Definitions
#

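@@section GLOBAL
# Installation paths, filled in by mktrippol.pl from the live system.
# Every path value is quoted the same way so that a directory containing
# unusual characters still parses as a single token (TWSKEY/TWLKEY were
# previously the only unquoted paths).
TWDOCS="$$twdocs";
TWBIN="$$twbin";
TWPOL="$$twetc";
TWDB="$$twdb";
# Site and local keys are kept next to the policy/config files ($$twetc).
TWSKEY="$$twetc";
TWLKEY="$$twetc";
TWREPORT="$$twreport";
HOSTNAME=$$hostname;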

@@section FS
# Property masks used by every rule below.  $(IgnoreNone), $(ReadOnly),
# $(Dynamic), $(Growing) and $(Device) are Tripwire's predefined masks;
# a "-XYZ" suffix subtracts the named properties from the mask in front of it.
# NOTE(review): by Tripwire's mask letters, "-SHa" drops the SHA and HAVAL
# hashes and the access timestamp, so SEC_CRIT/SEC_SUID objects are compared
# on the remaining hashes (CRC32/MD5) plus the stat() attributes -- presumably
# a speed trade-off; confirm against share/policyguide.txt before relying on
# the hash strength.  SEC_CRIT and SEC_SUID are deliberately identical masks
# under separate names so the two rule sets can be tuned independently later.
SEC_CRIT      = $(IgnoreNone)-SHa ;  # Critical files that cannot change
SEC_SUID      = $(IgnoreNone)-SHa ;  # Binaries with the SUID or SGID flags set
SEC_BIN       = $(ReadOnly) ;        # Binaries that should not change
SEC_CONFIG    = $(Dynamic) ;         # Config files that are changed infrequently but accessed often
SEC_LOG       = $(Growing) ;         # Files that grow, but that should never change ownership
# "+tpug" with no base mask appears to watch only type, permissions, owner
# and group -- contents and timestamps of these directories are not tracked.
SEC_INVARIANT = +tpug ;              # Directories that should never change permission or ownership
# Severity levels: higher numbers mark rules whose violations matter most.
# NOTE(review): these only affect filtering by Tripwire's severity threshold
# at check/report time -- confirm how reports are filtered before changing them.
SIG_LOW       = 33 ;                 # Non-critical files that are of minimal security impact
SIG_MED       = 66 ;                 # Non-critical files that are of significant security impact
SIG_HI        = 100 ;                # Critical files that are significant points of vulnerability

# ---- Tripwire related files ----------------------------------------

# Tripwire Binaries
(
  rulename = "Tripwire Binaries",
  severity = $(SIG_HI)
)
{
  # $$list_tripwire is filled in by mktrippol.pl with the installed Tripwire
  # executables.  ReadOnly, highest severity: a replaced checker binary is the
  # first thing an integrity check must be able to report.
  $$list_tripwire                      -> $(SEC_BIN) ;
}

# Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases
(
  rulename = "Tripwire Data Files",
  severity = $(SIG_HI)
)
{
  # NOTE: We remove the inode attribute because when Tripwire creates a backup,
  # it does so by renaming the old file and creating a new one (which will
  # have a new inode number).  Inode is left turned on for keys, which shouldn't
  # ever change.

  # NOTE: The first integrity check triggers this rule and each integrity check
  # afterward triggers this rule until a database update is run, since the
  # database file does not exist before that point.
 
  $(TWDB)                              -> $(SEC_CONFIG) -i ;
  $(TWPOL)/tw.pol                      -> $(SEC_BIN) -i ;
  $(TWPOL)/tw.cfg                      -> $(SEC_BIN) -i ;
  # Keys keep the full ReadOnly mask (inode included): they are never
  # rewritten in place, so any change at all is suspicious.
  $(TWLKEY)/$(HOSTNAME)-local.key      -> $(SEC_BIN) ;
  $(TWSKEY)/site.key                   -> $(SEC_BIN) ;
    
  # Don't scan the individual reports: every check writes a new one there.
  # NOTE(review): with this entry commented out nothing in this policy watches
  # $(TWREPORT), so tampering with already-stored reports is not detected by
  # Tripwire itself -- keep that directory protected by other means.
  # $(TWREPORT)                          -> $(SEC_CONFIG) (recurse=0) ;
} 
 
# Tripwire HQ Connector Binaries
#(
#  rulename = "Tripwire HQ Connector Binaries",
#  severity = $(SIG_HI)
#)
#{
#  $(TWBIN)/hqagent                     -> $(SEC_BIN) ;
#}
#

# ---- Directories ---------------------------------------------------

# Commonly accessed directories that should remain static with regards 
# to owner and group
(
  rulename = "Invariant Directories",
  severity = $(SIG_MED)
)
{
  # (recurse = 0) checks only the directory entry itself, not its contents;
  # combined with SEC_INVARIANT this reports a change of type, mode, owner
  # or group on the directory -- nothing about the files inside it.
  /                                    -> $(SEC_INVARIANT) (recurse = 0) ;
  /home                                -> $(SEC_INVARIANT) (recurse = 0) ;
  /etc                                 -> $(SEC_INVARIANT) (recurse = 0) ;
}

# ---- Critical system files -----------------------------------------

(
  rulename = "Suid files",
  severity = $(SIG_HI)
) 
{ 
  # $$list_suid is the set of setuid/setgid binaries found when mktrippol.pl
  # ran, checked with the strictest mask.
  # NOTE(review): the list is fixed at policy-generation time; a setuid file
  # created afterwards is only caught if its directory falls under another
  # recursive rule -- regenerate the policy after installing packages.
  $$list_suid                          -> $(SEC_SUID) ;
} 

(
  rulename = "File System and Disk Administration Programs",
  severity = $(SIG_HI)
) 
{
  # Filesystem/disk tools (list produced by mktrippol.pl); any change to
  # contents, ownership or mode is reported at the highest severity.
  $$list_filesysadmin                   -> $(SEC_CRIT) ;
}

# ---- Kernel files --------------------------------------------------

(
  rulename = "Kernel Administration Programs",
  severity = $(SIG_HI)
) 
{
  # Module/kernel management tools (list produced by mktrippol.pl).
  $$list_kerneladmin                   -> $(SEC_CRIT) ;
}

# ---- Networking ----------------------------------------------------

(
  rulename = "Networking Programs",
  severity = $(SIG_HI)
) 
{
  # Network configuration and daemon binaries (list produced by mktrippol.pl).
  $$list_networkadmin                  -> $(SEC_CRIT) ;
}

# ---- Devices -------------------------------------------------------

(
  rulename = "Hardware and Device control",
  severity = $(SIG_HI)
) 
{
  # Hardware/device control programs (list produced by mktrippol.pl).
  $$list_deviceadmin                   -> $(SEC_CRIT) ;
}

# ---- System administration -----------------------------------------

( 
  rulename = "System Administration Programs",
  severity = $(SIG_HI)
) 
{ 
  # Remaining sbin programs not claimed by a more specific list above
  # (list produced by mktrippol.pl).
  $$list_sbin_other                    -> $(SEC_CRIT) ;
}

# ---- Very important files ------------------------------------------
(
  rulename = "Important files",
  severity = $(SIG_HI)
) 
{ 
  # Hand-picked critical files (list produced by mktrippol.pl); strictest mask.
  $$list_important                     -> $(SEC_CRIT) ;
} 

(
  rulename = "Critical system boot files",
  severity = $(SIG_HI)
)
{
  # Boot-time objects (list produced by mktrippol.pl).  Expect a report after
  # a deliberate kernel or bootloader update; run a database update then.
  $$list_boot                          -> $(SEC_CRIT) ;
}

(
  rulename = "Important configuration files",
  severity = $(SIG_HI)
)
{
  # Stop points ("!") for two frequently rewritten files are left commented
  # out, so changes to them are still reported if they appear in $$list_config.
  # Uncomment to silence that noise, accepting that they then go unmonitored.
  # !/etc/mtab ;
  # !/etc/ld.so.cache ;
  # SEC_CONFIG (Dynamic) tolerates content edits; it is meant to catch
  # ownership, mode and inode changes on config files.
  $$list_config                        -> $(SEC_CONFIG) ;
}


# ---- Rest ----------------------------------------------------------

( 
  rulename = "Operating System Utilities",
  severity = $(SIG_HI)
) 
{ 
  # Core user-land utilities (list produced by mktrippol.pl); strictest mask.
  $$list_bin                           -> $(SEC_CRIT) ;
}

(
  rulename = "Temporary directories",
  recurse = false,
  severity = $(SIG_LOW)
) 
{ 
  # Contents of temp directories churn constantly, so only the directory
  # entries themselves are watched (recurse = false) for type, mode, owner
  # and group changes -- e.g. a permission change on the directory.
  $$list_tmp                           -> $(SEC_INVARIANT) ;
} 

(
  rulename = "User binaries",
  severity = $(SIG_MED)
) 
{ 
  # User-level programs (list produced by mktrippol.pl); ReadOnly at medium
  # severity since they are less often a privilege boundary than the sbin sets.
  $$list_usr                           -> $(SEC_BIN) ;
} 


# Rest of critical system binaries
(
  rulename = "OS executables and libraries",
  severity = $(SIG_HI)
)
{
  # Whole library trees, recursed (no recurse attribute given, so Tripwire's
  # default recursion applies).  These two paths are also referenced, commented
  # out, in the "All other libraries" rule below -- keep them in one place only.
  /lib                                 -> $(SEC_BIN) ;
  /usr/lib                             -> $(SEC_BIN) ;
}

(
  rulename = "ROCK base",
  severity = $(SIG_MED)
) 
{ 
  # ROCK Linux base packages (lists produced by mktrippol.pl): binaries and
  # libraries ReadOnly, config files with the tolerant Dynamic mask.
  $$list_rock_base_bin                 -> $(SEC_BIN) ;
  $$list_rock_base_lib                 -> $(SEC_BIN) ;
  $$list_rock_base_etc                 -> $(SEC_CONFIG) ;
} 

(
  rulename = "ROCK ext",
  severity = $(SIG_MED)
) 
{ 
  # ROCK Linux extension packages; same split as "ROCK base".
  $$list_rock_ext_bin                  -> $(SEC_BIN) ;
  $$list_rock_ext_lib                  -> $(SEC_BIN) ;
  $$list_rock_ext_etc                  -> $(SEC_CONFIG) ;
} 

(
  rulename = "Opt (ext)",
  severity = $(SIG_MED)
) 
{ 
  # Software installed under /opt; same split as the ROCK rules above.
  $$list_opt_bin                       -> $(SEC_BIN) ;
  $$list_opt_lib                       -> $(SEC_BIN) ;
  $$list_opt_etc                       -> $(SEC_CONFIG) ;
} 

(
  rulename = "Root config files",
  severity = $(SIG_HI)
)
{
  # Stop points for root's shell history and editor state are left commented
  # out, so those files still generate reports under the recursive /root
  # entry below.  That is noisier, but keeps a record of activity in root's
  # home; uncomment only if you accept losing that visibility.
  # !/root/.bash_history ;
  # !/root/.vim_info ;
  # NOTE(review): Tripwire applies the more specific rule to an object, so
  # files named in $$list_root get SEC_CONFIG rather than the recursive
  # SEC_CRIT from /root -- confirm against share/policyguide.txt.
  /root                                -> $(SEC_CRIT) ; # Catch all additions to /root
  $$list_root                          -> $(SEC_CONFIG) ;
}

(
  rulename = "Critical devices",
  severity = $(SIG_HI),
  recurse = false
) 
{ 
  # $(Device) is Tripwire's predefined mask for device nodes.
  # NOTE(review): the variable is named $$list_proc while the rule is named
  # "Critical devices" -- presumably mktrippol.pl fills it with device/proc
  # entries; check the generator so the rule name does not mislead.
  $$list_proc                          -> $(Device) ;
}

(
  rulename = "All other libraries",
  severity = $(SIG_LOW),
  recurse  = true
)
{
  # /lib and /usr/lib are already covered at SIG_HI by "OS executables and
  # libraries" above; they stay commented out here so the same object is not
  # listed in two rules (Tripwire is expected to reject that -- verify before
  # re-enabling either line).
  # /lib				       -> $(SEC_BIN) ; 
  # /lib/modules			       -> $(SEC_BIN) ; 
  # /usr/lib			       -> $(SEC_BIN) ; 
  /usr/X11/lib			       -> $(SEC_BIN) ;
}

(
  rulename = "All other significant files",
  severity = $(SIG_LOW),
  recurse  = true
)
{
  # Remaining binaries are ReadOnly; log files use the Growing mask, which
  # tolerates appends but is expected to report a log that shrinks or changes
  # owner -- i.e. the truncation pattern of log tampering.
  $$list_significant_bin               -> $(SEC_BIN) ;
  $$list_significant_log               -> $(SEC_LOG) ;
}


# --- EOF