# Tripwire policy file $$version
# $$title
# Security level: $$security
# by $$author, $$date
#
# Policy file for Rock Linux generated by:
#   $$progn
#
# This file should contain all the file instructions you want
# tripwire to follow.  Every token written as '\$\$example' is a
# placeholder that the mktrippol.pl script expands for the live
# Linux setup; the expanded output is what tripwire actually reads.
#
# For more info see Tripwire's share/policyguide.txt.
#
# 20010506 Initial scripted version by Pjotr - based on the policy
#          file by Chris Hamilton.
#
# $Id: rockbasepolicy.txt,v 1.5 2001/05/16 09:28:16 wrk Exp $

# -------------------------------------------------------------------
# Global Variable Definitions
# -------------------------------------------------------------------

@@section GLOBAL

TWDOCS="$$twdocs";
TWBIN="$$twbin";
TWPOL="$$twetc";
TWDB="$$twdb";
TWSKEY=$$twetc;
TWLKEY=$$twetc;
TWREPORT="$$twreport";
HOSTNAME=$$hostname;

# -------------------------------------------------------------------
# File system rules
# -------------------------------------------------------------------

@@section FS

# Property masks.  Each one starts from a Tripwire predefined mask
# and then adds (+) or drops (-) single properties.  "-SHa" drops the
# SHA and HAVAL hashes and the access timestamp from IgnoreNone.
SEC_CRIT      = $(IgnoreNone)-SHa ; # Critical files that cannot change
SEC_SUID      = $(IgnoreNone)-SHa ; # Binaries with the SUID or SGID flags set
SEC_BIN       = $(ReadOnly) ;       # Binaries that should not change
SEC_CONFIG    = $(Dynamic) ;        # Config files that are changed infrequently but accessed often
SEC_LOG       = $(Growing) ;        # Files that grow, but that should never change ownership
SEC_INVARIANT = +tpug ;             # Directories that should never change permission or ownership

# Severity levels used in the rules below (higher = more important
# when reports are filtered by severity).
SIG_LOW = 33 ;  # Non-critical files that are of minimal security impact
SIG_MED = 66 ;  # Non-critical files that are of significant security impact
SIG_HI  = 100 ; # Critical files that are significant points of vulnerability

# ---- Tripwire related files ----------------------------------------

# Tripwire binaries: these must never change once installed.
(
    rulename = "Tripwire Binaries",
    severity = $(SIG_HI)
)
{
    $$list_tripwire -> $(SEC_BIN) ;
}

# Tripwire data files: configuration, policy, keys, reports, databases.
(
    rulename = "Tripwire Data Files",
    severity = $(SIG_HI)
)
{
    # NOTE: The inode property is dropped (-i) for the database, the
    # policy and the configuration file, because Tripwire makes a
    # backup by renaming the old file and writing a fresh one, which
    # gets a new inode number.  The keys keep the inode check, since
    # they are never expected to change at all.
    #
    # NOTE: The first integrity check triggers this rule, and every
    # check after it keeps doing so until a database update is run,
    # because the database file does not exist before that point.
    $(TWDB)                          -> $(SEC_CONFIG) -i ;
    $(TWPOL)/tw.pol                  -> $(SEC_BIN) -i ;
    $(TWPOL)/tw.cfg                  -> $(SEC_BIN) -i ;
    $(TWLKEY)/$(HOSTNAME)-local.key  -> $(SEC_BIN) ;
    $(TWSKEY)/site.key               -> $(SEC_BIN) ;

    # The individual reports are deliberately not scanned.
    # $(TWREPORT) -> $(SEC_CONFIG) (recurse=0) ;
}

# Tripwire HQ Connector binaries (not used on this setup).
#(
#    rulename = "Tripwire HQ Connector Binaries",
#    severity = $(SIG_HI)
#)
#{
#    $(TWBIN)/hqagent -> $(SEC_BIN) ;
#}

# ---- Directories ---------------------------------------------------

# Commonly accessed directories whose owner, group and permissions
# should stay fixed.  Only the directory entries themselves are
# checked (recurse = 0), not their contents.
(
    rulename = "Invariant Directories",
    severity = $(SIG_MED)
)
{
    /      -> $(SEC_INVARIANT) (recurse = 0) ;
    /home  -> $(SEC_INVARIANT) (recurse = 0) ;
    /etc   -> $(SEC_INVARIANT) (recurse = 0) ;
}

# ---- Critical system files -----------------------------------------

(
    rulename = "Suid files",
    severity = $(SIG_HI)
)
{
    $$list_suid -> $(SEC_SUID) ;
}

(
    rulename = "File System and Disk Administration Programs",
    severity = $(SIG_HI)
)
{
    $$list_filesysadmin -> $(SEC_CRIT) ;
}

# ---- Kernel files --------------------------------------------------

(
    rulename = "Kernel Administration Programs",
    severity = $(SIG_HI)
)
{
    $$list_kerneladmin -> $(SEC_CRIT) ;
}

# ---- Networking ----------------------------------------------------

(
    rulename = "Networking Programs",
    severity = $(SIG_HI)
)
{
    $$list_networkadmin -> $(SEC_CRIT) ;
}

# ---- Devices -------------------------------------------------------

(
    rulename = "Hardware and Device control",
    severity = $(SIG_HI)
)
{
    $$list_deviceadmin -> $(SEC_CRIT) ;
}

# ---- System administration -----------------------------------------

(
    rulename = "System Administration Programs",
    severity = $(SIG_HI)
)
{
    $$list_sbin_other -> $(SEC_CRIT) ;
}

# ---- Very important files ------------------------------------------

(
    rulename = "Important files",
    severity = $(SIG_HI)
)
{
    $$list_important -> $(SEC_CRIT) ;
}

(
    rulename = "Critical system boot files",
    severity = $(SIG_HI)
)
{
    $$list_boot -> $(SEC_CRIT) ;
}

(
    rulename = "Important configuration files",
    severity = $(SIG_HI)
)
{
    # Stop-points for files that are rewritten by normal operation are
    # kept here, commented out, for sites that find them too noisy.
    # !/etc/mtab ;
    # !/etc/ld.so.cache ;
    $$list_config -> $(SEC_CONFIG) ;
}

# ---- Rest ----------------------------------------------------------

(
    rulename = "Operating System Utilities",
    severity = $(SIG_HI)
)
{
    $$list_bin -> $(SEC_CRIT) ;
}

# Only the temp directory entries themselves are watched for
# ownership/permission changes; their ever-changing contents are not.
(
    rulename = "Temporary directories",
    recurse  = false,
    severity = $(SIG_LOW)
)
{
    $$list_tmp -> $(SEC_INVARIANT) ;
}

(
    rulename = "User binaries",
    severity = $(SIG_MED)
)
{
    $$list_usr -> $(SEC_BIN) ;
}

# Rest of the critical system binaries and shared libraries.
(
    rulename = "OS executables and libraries",
    severity = $(SIG_HI)
)
{
    /lib      -> $(SEC_BIN) ;
    /usr/lib  -> $(SEC_BIN) ;
}

(
    rulename = "ROCK base",
    severity = $(SIG_MED)
)
{
    $$list_rock_base_bin -> $(SEC_BIN) ;
    $$list_rock_base_lib -> $(SEC_BIN) ;
    $$list_rock_base_etc -> $(SEC_CONFIG) ;
}

(
    rulename = "ROCK ext",
    severity = $(SIG_MED)
)
{
    $$list_rock_ext_bin -> $(SEC_BIN) ;
    $$list_rock_ext_lib -> $(SEC_BIN) ;
    $$list_rock_ext_etc -> $(SEC_CONFIG) ;
}

(
    rulename = "Opt (ext)",
    severity = $(SIG_MED)
)
{
    $$list_opt_bin -> $(SEC_BIN) ;
    $$list_opt_lib -> $(SEC_BIN) ;
    $$list_opt_etc -> $(SEC_CONFIG) ;
}

(
    rulename = "Root config files",
    severity = $(SIG_HI)
)
{
    # The stop-points below are left commented out on purpose, so
    # edits to root's shell history and editor state are reported by
    # this rule as well; uncomment them if that turns out too noisy.
    # !/root/.bash_history ;
    # !/root/.vim_info ;
    /root -> $(SEC_CRIT) ;
    # Remaining root files from the generated list, tracked as config.
    $$list_root -> $(SEC_CONFIG) ;
}

(
    rulename = "Critical devices",
    severity = $(SIG_HI),
    recurse  = false
)
{
    $$list_proc -> $(Device) ;
}

# /lib, /lib/modules and /usr/lib are already covered at SIG_HI by
# "OS executables and libraries" above, so they are not repeated here.
(
    rulename = "All other libraries",
    severity = $(SIG_LOW),
    recurse  = true
)
{
    # /lib          -> $(SEC_BIN) ;
    # /lib/modules  -> $(SEC_BIN) ;
    # /usr/lib      -> $(SEC_BIN) ;
    /usr/X11/lib -> $(SEC_BIN) ;
}

(
    rulename = "All other significant files",
    severity = $(SIG_LOW),
    recurse  = true
)
{
    $$list_significant_bin -> $(SEC_BIN) ;
    $$list_significant_log -> $(SEC_LOG) ;
}

# --- EOF