# Tripwire policy file $$version
# $$title
# Security level: $$security
# by $$author, $$date
#
# Policy file for Rock Linux generated by:
# $$progn
#
# This file should contain all the file instructions you want
# tripwire to follow. The variables with the syntax '\$\$example' are
# expanded by the mktrippol.pl script for your live Linux setup.
#
# For more info see Tripwire's share/policyguide.txt.
#
# 20010506 Initial scripted version by Pjotr - based on policy
# file by Chris Hamilton.
#
# $Id: rockbasepolicy.txt,v 1.5 2001/05/16 09:28:16 wrk Exp $
#
# Global Variable Definitions
#
@@section GLOBAL
TWDOCS="$$twdocs";
TWBIN="$$twbin";
TWPOL="$$twetc";
TWDB="$$twdb";
TWSKEY=$$twetc;
TWLKEY=$$twetc;
TWREPORT="$$twreport";
HOSTNAME=$$hostname;
@@section FS
SEC_CRIT = $(IgnoreNone)-SHa ; # Critical files that cannot change
SEC_SUID = $(IgnoreNone)-SHa ; # Binaries with the SUID or SGID flags set
SEC_BIN = $(ReadOnly) ; # Binaries that should not change
SEC_CONFIG = $(Dynamic) ; # Config files that are changed infrequently but accessed often
SEC_LOG = $(Growing) ; # Files that grow, but that should never change ownership
SEC_INVARIANT = +tpug ; # Directories that should never change permission or ownership
SIG_LOW = 33 ; # Non-critical files that are of minimal security impact
SIG_MED = 66 ; # Non-critical files that are of significant security impact
SIG_HI = 100 ; # Critical files that are significant points of vulnerability
# ---- Tripwire related files ----------------------------------------
# Tripwire Binaries
(
rulename = "Tripwire Binaries",
severity = $(SIG_HI)
)
{
$$list_tripwire -> $(SEC_BIN) ;
}
# Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases
(
rulename = "Tripwire Data Files",
severity = $(SIG_HI)
)
{
# NOTE: We remove the inode attribute because when Tripwire creates a backup,
# it does so by renaming the old file and creating a new one (which will
# have a new inode number). Inode is left turned on for keys, which shouldn't
# ever change.
# NOTE: The first integrity check triggers this rule and each integrity check
# afterward triggers this rule until a database update is run, since the
# database file does not exist before that point.
$(TWDB) -> $(SEC_CONFIG) -i ;
$(TWPOL)/tw.pol -> $(SEC_BIN) -i ;
$(TWPOL)/tw.cfg -> $(SEC_BIN) -i ;
$(TWLKEY)/$(HOSTNAME)-local.key -> $(SEC_BIN) ;
$(TWSKEY)/site.key -> $(SEC_BIN) ;
#don't scan the individual reports
# $(TWREPORT) -> $(SEC_CONFIG) (recurse=0) ;
}
# Tripwire HQ Connector Binaries
#(
# rulename = "Tripwire HQ Connector Binaries",
# severity = $(SIG_HI)
#)
#{
# $(TWBIN)/hqagent -> $(SEC_BIN) ;
#}
#
# ---- Directories ---------------------------------------------------
# Commonly accessed directories that should remain static with regards
# to owner and group
(
rulename = "Invariant Directories",
severity = $(SIG_MED)
)
{
/ -> $(SEC_INVARIANT) (recurse = 0) ;
/home -> $(SEC_INVARIANT) (recurse = 0) ;
/etc -> $(SEC_INVARIANT) (recurse = 0) ;
}
# ---- Critical system files -----------------------------------------
(
rulename = "Suid files",
severity = $(SIG_HI)
)
{
$$list_suid -> $(SEC_SUID) ;
}
(
rulename = "File System and Disk Administration Programs",
severity = $(SIG_HI)
)
{
$$list_filesysadmin -> $(SEC_CRIT) ;
}
# ---- Kernel files --------------------------------------------------
(
rulename = "Kernel Administration Programs",
severity = $(SIG_HI)
)
{
$$list_kerneladmin -> $(SEC_CRIT) ;
}
# ---- Networking ----------------------------------------------------
(
rulename = "Networking Programs",
severity = $(SIG_HI)
)
{
$$list_networkadmin -> $(SEC_CRIT) ;
}
# ---- Devices -------------------------------------------------------
(
rulename = "Hardware and Device control",
severity = $(SIG_HI)
)
{
$$list_deviceadmin -> $(SEC_CRIT) ;
}
# ---- System administration -----------------------------------------
(
rulename = "System Administration Programs",
severity = $(SIG_HI)
)
{
$$list_sbin_other -> $(SEC_CRIT) ;
}
# ---- Very important files ------------------------------------------
(
rulename = "Important files",
severity = $(SIG_HI)
)
{
$$list_important -> $(SEC_CRIT) ;
}
(
rulename = "Critical system boot files",
severity = $(SIG_HI)
)
{
$$list_boot -> $(SEC_CRIT) ;
}
(
rulename = "Important configuration files",
severity = $(SIG_HI)
)
{
# !/etc/mtab ;
# !/etc/ld.so.cache ;
$$list_config -> $(SEC_CONFIG) ;
}
# ---- Rest ----------------------------------------------------------
(
rulename = "Operating System Utilities",
severity = $(SIG_HI)
)
{
$$list_bin -> $(SEC_CRIT) ;
}
(
rulename = "Temporary directories",
recurse = false,
severity = $(SIG_LOW)
)
{
$$list_tmp -> $(SEC_INVARIANT) ;
}
(
rulename = "User binaries",
severity = $(SIG_MED)
)
{
$$list_usr -> $(SEC_BIN) ;
}
# Rest of critical system binaries
(
rulename = "OS executables and libraries",
severity = $(SIG_HI)
)
{
/lib -> $(SEC_BIN) ;
/usr/lib -> $(SEC_BIN) ;
}
(
rulename = "ROCK base",
severity = $(SIG_MED)
)
{
$$list_rock_base_bin -> $(SEC_BIN) ;
$$list_rock_base_lib -> $(SEC_BIN) ;
$$list_rock_base_etc -> $(SEC_CONFIG) ;
}
(
rulename = "ROCK ext",
severity = $(SIG_MED)
)
{
$$list_rock_ext_bin -> $(SEC_BIN) ;
$$list_rock_ext_lib -> $(SEC_BIN) ;
$$list_rock_ext_etc -> $(SEC_CONFIG) ;
}
(
rulename = "Opt (ext)",
severity = $(SIG_MED)
)
{
$$list_opt_bin -> $(SEC_BIN) ;
$$list_opt_lib -> $(SEC_BIN) ;
$$list_opt_etc -> $(SEC_CONFIG) ;
}
(
rulename = "Root config files",
severity = $(SIG_HI)
)
{
# !/root/.bash_history ;
# !/root/.vim_info ;
/root -> $(SEC_CRIT) ; # Catch all additions to
$$list_root -> $(SEC_CONFIG) ;
}
(
rulename = "Critical devices",
severity = $(SIG_HI),
recurse = false
)
{
$$list_proc -> $(Device) ;
}
(
rulename = "All other libraries",
severity = $(SIG_LOW),
recurse = true
)
{
# /lib -> $(SEC_BIN) ;
# /lib/modules -> $(SEC_BIN) ;
# /usr/lib -> $(SEC_BIN) ;
/usr/X11/lib -> $(SEC_BIN) ;
}
(
rulename = "All other significant files",
severity = $(SIG_LOW),
recurse = true
)
{
$$list_significant_bin -> $(SEC_BIN) ;
$$list_significant_log -> $(SEC_LOG) ;
}
# --- EOF