View previous topic :: View next topic |
Author |
Message |
squirrel n00b
Joined: 26 Jul 2002 Posts: 20
|
Posted: Sat Nov 29, 2003 12:02 am Post subject: lazy tripwire user |
|
|
I recently emerged tripwire for use on my internet facing server at home. Using the sample policy file, I came up with 298 File system errors (cases of the policy specifying files that don't exist on my sytem, or exist in a different place)
Now of course, being lazy, I really don't want to verify / change 298 things in my twpol.txt. Soo.... I was wondering if anyone would be willing to post a twpol.txt that had been tailored to a base Gentoo system, to which I could add things later.
Am I too lazy? Should I suck it up and start going through my twpol.txt ? |
|
Back to top |
|
|
jesterspet Apprentice
Joined: 05 Feb 2003 Posts: 215 Location: Atlanta
|
Posted: Fri Jan 09, 2004 2:10 am Post subject: |
|
|
I just installed Tripwire as well, however, I used the output & sed to edit my policy to remove the file entrys that don't exist.
However, I have not updated it to include the packages I have installed.
I would suggest you:
- copy your output into a file.
- grep the file for Filename: and output that to a file. e.g.$grep 'Filename:' $FILENAME >> results
- run $sed -e 's/Filename: //' $FILENAME to get a listing of the paths & files that the current policy could not find.
Since the sample file is based on RedHat, it will look for files in different places, than Gentoo stores them.- Correct any paths to files that do exist on your computer.
- Remove or comment out the entries for files that do not exist on your computer, in the /etc/tripwire/twpol.txt file.
- Double check your work in the previous two steps.
- Run $tripwire -m p -Z low /etc/tripwire/twpol.txt to update your policy.
- Run $tripwire --check to ensure that your changes have had the desired effect.
You should now have a base policy for your Gentoo instalation.
Now the really hard part comes. Look at the policy file you just edited, add the missing files that do exist on your system to the policy with the appropiate codes. This is the part I am currently performing. _________________ (X) Yes! I am a brain damaged lemur on crack, and would like to buy your software package for $499.95 |
|
Back to top |
|
|
squirrel n00b
Joined: 26 Jul 2002 Posts: 20
|
Posted: Wed Jan 28, 2004 2:05 pm Post subject: |
|
|
Thanks, using sed is a much better way of resolving this than my method (manual edit). I have much to learn |
|
Back to top |
|
|
mbjr Guru
Joined: 17 Jan 2004 Posts: 531 Location: Budapest/Hungary
|
Posted: Mon Mar 22, 2004 9:41 pm Post subject: |
|
|
Hi,
Come on guys, would you make the results available for the public? I'm another lazy one I'd suggest to send the results to tripwire.org as well to make them able to share it with whoever. Please ;P That's what opensource is about _________________ mb |
|
Back to top |
|
|
squirrel n00b
Joined: 26 Jul 2002 Posts: 20
|
Posted: Tue Mar 23, 2004 5:58 pm Post subject: |
|
|
I did post an edited twpol.txt on the bug report I did, but neglected to post in forum. Oops.
Bug report:
https://bugs.gentoo.org/show_bug.cgi?id=34662
Here's my edited file.
Code: |
##############################################################################
# ##
############################################################################## #
# # #
# Policy file for Red Hat Linux # #
# V1.2.0rh # #
# August 9, 2001 # #
# ##
##############################################################################
##############################################################################
# ##
############################################################################## #
# # #
# This is the example Tripwire Policy file. It is intended as a place to # #
# start creating your own custom Tripwire Policy file. Referring to it as # #
# well as the Tripwire Policy Guide should give you enough information to # #
# make a good custom Tripwire Policy file that better covers your # #
# configuration and security needs. A text version of this policy file is # #
# called twpol.txt. # #
# # #
# Note that this file is tuned to an 'everything' install of Red Hat Linux. # #
# If run unmodified, this file should create no errors on database # #
# creation, or violations on a subsiquent integrity check. However, it is # #
# impossible for there to be one policy file for all machines, so this # #
# existing one errs on the side of security. Your Linux configuration will # #
# most likey differ from the one our policy file was tuned to, and will # #
# therefore require some editing of the default Tripwire Policy file. # #
# # #
# The example policy file is best run with 'Loose Directory Checking' # #
# enabled. Set LOOSEDIRECTORYCHECKING=TRUE in the Tripwire Configuration # #
# file. # #
# # #
# Email support is not included and must be added to this file. # #
# Add the 'emailto=' to the rule directive section of each rule (add a comma # #
# after the 'severity=' line and add an 'emailto=' and include the email # #
# addresses you want the violation reports to go to). Addresses are # #
# semi-colon delimited. # #
# ##
##############################################################################
##############################################################################
# ##
############################################################################## #
# # #
# Global Variable Definitions # #
# # #
# These are defined at install time by the installation script. You may # #
# Manually edit these if you are using this file directly and not from the # #
# installation script itself. # #
# ##
##############################################################################
@@section GLOBAL
TWROOT=/usr/sbin;
TWBIN=/usr/sbin;
TWPOL="/etc/tripwire";
TWDB="/var/lib/tripwire";
TWSKEY="/etc/tripwire";
TWLKEY="/etc/tripwire";
TWREPORT="/var/lib/tripwire/report";
HOSTNAME=localhost;
@@section FS
SEC_CRIT = $(IgnoreNone)-SHa ; # Critical files that cannot change
SEC_SUID = $(IgnoreNone)-SHa ; # Binaries with the SUID or SGID flags set
SEC_BIN = $(ReadOnly) ; # Binaries that should not change
SEC_CONFIG = $(Dynamic) ; # Config files that are changed infrequently but accessed often
SEC_LOG = $(Growing) ; # Files that grow, but that should never change ownership
SEC_INVARIANT = +tpug ; # Directories that should never change permission or ownership
SIG_LOW = 33 ; # Non-critical files that are of minimal security impact
SIG_MED = 66 ; # Non-critical files that are of significant security impact
SIG_HI = 100 ; # Critical files that are significant points of vulnerability
# Tripwire Binaries
(
rulename = "Tripwire Binaries",
severity = $(SIG_HI)
)
{
$(TWBIN)/siggen -> $(SEC_BIN) ;
$(TWBIN)/tripwire -> $(SEC_BIN) ;
$(TWBIN)/twadmin -> $(SEC_BIN) ;
$(TWBIN)/twprint -> $(SEC_BIN) ;
}
# Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases
(
rulename = "Tripwire Data Files",
severity = $(SIG_HI)
)
{
# NOTE: We remove the inode attribute because when Tripwire creates a backup,
# it does so by renaming the old file and creating a new one (which will
# have a new inode number). Inode is left turned on for keys, which shouldn't
# ever change.
# NOTE: The first integrity check triggers this rule and each integrity check
# afterward triggers this rule until a database update is run, since the
# database file does not exist before that point.
$(TWDB) -> $(SEC_CONFIG) -i ;
$(TWPOL)/tw.pol -> $(SEC_BIN) -i ;
$(TWPOL)/tw.cfg -> $(SEC_BIN) -i ;
$(TWLKEY)/$(HOSTNAME)-local.key -> $(SEC_BIN) ;
$(TWSKEY)/site.key -> $(SEC_BIN) ;
#don't scan the individual reports
$(TWREPORT) -> $(SEC_CONFIG) (recurse=0) ;
}
# Tripwire HQ Connector Binaries
#(
# rulename = "Tripwire HQ Connector Binaries",
# severity = $(SIG_HI)
#)
#{
# $(TWBIN)/hqagent -> $(SEC_BIN) ;
#}
#
# Tripwire HQ Connector - Configuration Files, Keys, and Logs
##############################################################################
# ##
############################################################################## #
# # #
# Note: File locations here are different than in a stock HQ Connector # #
# installation. This is because Tripwire 2.3 uses a different path # #
# structure than Tripwire 2.2.1. # #
# # #
# You may need to update your HQ Agent configuation file (or this policy # #
# file) to correct the paths. We have attempted to support the FHS standard # #
# here by placing the HQ Agent files similarly to the way Tripwire 2.3 # #
# places them. # #
# ##
##############################################################################
#(
# rulename = "Tripwire HQ Connector Data Files",
# severity = $(SIG_HI)
#)
#{
# #############################################################################
# ##############################################################################
# # NOTE: Removing the inode attribute because when Tripwire creates a backup ##
# # it does so by renaming the old file and creating a new one (which will ##
# # have a new inode number). Leaving inode turned on for keys, which ##
# # shouldn't ever change. ##
# #############################################################################
#
# $(TWBIN)/agent.cfg -> $(SEC_BIN) -i ;
# $(TWLKEY)/authentication.key -> $(SEC_BIN) ;
# $(TWDB)/tasks.dat -> $(SEC_CONFIG) ;
# $(TWDB)/schedule.dat -> $(SEC_CONFIG) ;
#
# # Uncomment if you have agent logging enabled.
# #/var/log/tripwire/agent.log -> $(SEC_LOG) ;
#}
# Commonly accessed directories that should remain static with regards to owner and group
(
rulename = "Invariant Directories",
severity = $(SIG_MED)
)
{
/ -> $(SEC_INVARIANT) (recurse = 0) ;
/home -> $(SEC_INVARIANT) (recurse = 0) ;
/etc -> $(SEC_INVARIANT) (recurse = 0) ;
}
################################################
# ##
################################################ #
# # #
# File System and Disk Administration Programs # #
# ##
################################################
(
rulename = "File System and Disk Administraton Programs",
severity = $(SIG_HI)
)
{
# /sbin/accton -> $(SEC_CRIT) ;
/sbin/badblocks -> $(SEC_CRIT) ;
# /sbin/busybox -> $(SEC_CRIT) ;
# /sbin/busybox.anaconda -> $(SEC_CRIT) ;
# /sbin/convertquota -> $(SEC_CRIT) ;
# /sbin/dosfsck -> $(SEC_CRIT) ;
/sbin/debugfs -> $(SEC_CRIT) ;
# /sbin/debugreiserfs -> $(SEC_CRIT) ;
/sbin/dumpe2fs -> $(SEC_CRIT) ;
# /sbin/dump -> $(SEC_CRIT) ;
# /sbin/dump.static -> $(SEC_CRIT) ;
# /sbin/e2fsadm -> $(SEC_CRIT) ; tune2fs?
/sbin/e2fsck -> $(SEC_CRIT) ;
/sbin/e2label -> $(SEC_CRIT) ;
/sbin/fdisk -> $(SEC_CRIT) ;
/sbin/fsck -> $(SEC_CRIT) ;
/sbin/fsck.ext2 -> $(SEC_CRIT) ;
/sbin/fsck.ext3 -> $(SEC_CRIT) ;
/sbin/fsck.minix -> $(SEC_CRIT) ;
# /sbin/fsck.msdos -> $(SEC_CRIT) ;
# /sbin/fsck.vfat -> $(SEC_CRIT) ;
# /sbin/ftl_check -> $(SEC_CRIT) ;
# /sbin/ftl_format -> $(SEC_CRIT) ;
/sbin/hdparm -> $(SEC_CRIT) ;
#/sbin/lvchange -> $(SEC_CRIT) ;
#/sbin/lvcreate -> $(SEC_CRIT) ;
#/sbin/lvdisplay -> $(SEC_CRIT) ;
#/sbin/lvextend -> $(SEC_CRIT) ;
#/sbin/lvmchange -> $(SEC_CRIT) ;
#/sbin/lvmcreate_initrd -> $(SEC_CRIT) ;
#/sbin/lvmdiskscan -> $(SEC_CRIT) ;
#/sbin/lvmsadc -> $(SEC_CRIT) ;
#/sbin/lvmsar -> $(SEC_CRIT) ;
#/sbin/lvreduce -> $(SEC_CRIT) ;
#/sbin/lvremove -> $(SEC_CRIT) ;
#/sbin/lvrename -> $(SEC_CRIT) ;
#/sbin/lvscan -> $(SEC_CRIT) ;
# /sbin/mkbootdisk -> $(SEC_CRIT) ;
# /sbin/mkdosfs -> $(SEC_CRIT) ;
/sbin/mke2fs -> $(SEC_CRIT) ;
/sbin/mkfs -> $(SEC_CRIT) ;
/sbin/mkfs.bfs -> $(SEC_CRIT) ;
/sbin/mkfs.ext2 -> $(SEC_CRIT) ;
/sbin/mkfs.minix -> $(SEC_CRIT) ;
# /sbin/mkfs.msdos -> $(SEC_CRIT) ;
# /sbin/mkfs.vfat -> $(SEC_CRIT) ;
# /sbin/mkinitrd -> $(SEC_CRIT) ;
#/sbin/mkpv -> $(SEC_CRIT) ;
# /sbin/mkraid -> $(SEC_CRIT) ;
# /sbin/mkreiserfs -> $(SEC_CRIT) ;
/sbin/mkswap -> $(SEC_CRIT) ;
#/sbin/mtx -> $(SEC_CRIT) ;
# /sbin/pam_console_apply -> $(SEC_CRIT) ;
# /sbin/parted -> $(SEC_CRIT) ;
# /sbin/pcinitrd -> $(SEC_CRIT) ;
#/sbin/pvchange -> $(SEC_CRIT) ;
#/sbin/pvcreate -> $(SEC_CRIT) ;
#/sbin/pvdata -> $(SEC_CRIT) ;
#/sbin/pvdisplay -> $(SEC_CRIT) ;
#/sbin/pvmove -> $(SEC_CRIT) ;
#/sbin/pvscan -> $(SEC_CRIT) ;
# /sbin/quotacheck -> $(SEC_CRIT) ;
# /sbin/quotaon -> $(SEC_CRIT) ;
# /sbin/raidstart -> $(SEC_CRIT) ;
# /sbin/reiserfsck -> $(SEC_CRIT) ;
/sbin/resize2fs -> $(SEC_CRIT) ;
# /sbin/resize_reiserfs -> $(SEC_CRIT) ;
# /sbin/restore -> $(SEC_CRIT) ;
# /sbin/restore.static -> $(SEC_CRIT) ;
# /sbin/scsi_info -> $(SEC_CRIT) ;
/sbin/sfdisk -> $(SEC_CRIT) ;
/usr/sbin/stinit -> $(SEC_CRIT) ;
#/sbin/tapeinfo -> $(SEC_CRIT) ;
/sbin/tune2fs -> $(SEC_CRIT) ;
# /sbin/unpack -> $(SEC_CRIT) ;
# /sbin/update -> $(SEC_CRIT) ;
#/sbin/vgcfgbackup -> $(SEC_CRIT) ;
#/sbin/vgcfgrestore -> $(SEC_CRIT) ;
#/sbin/vgchange -> $(SEC_CRIT) ;
#/sbin/vgck -> $(SEC_CRIT) ;
#/sbin/vgcreate -> $(SEC_CRIT) ;
#/sbin/vgdisplay -> $(SEC_CRIT) ;
#/sbin/vgexport -> $(SEC_CRIT) ;
#/sbin/vgextend -> $(SEC_CRIT) ;
#/sbin/vgimport -> $(SEC_CRIT) ;
#/sbin/vgmerge -> $(SEC_CRIT) ;
#/sbin/vgmknodes -> $(SEC_CRIT) ;
#/sbin/vgreduce -> $(SEC_CRIT) ;
#/sbin/vgremove -> $(SEC_CRIT) ;
#/sbin/vgrename -> $(SEC_CRIT) ;
#/sbin/vgscan -> $(SEC_CRIT) ;
#/sbin/vgsplit -> $(SEC_CRIT) ;
/bin/chgrp -> $(SEC_CRIT) ;
/bin/chmod -> $(SEC_CRIT) ;
/bin/chown -> $(SEC_CRIT) ;
/bin/cp -> $(SEC_CRIT) ;
# /bin/cpio -> $(SEC_CRIT) ;
/bin/mount -> $(SEC_CRIT) ;
/bin/umount -> $(SEC_CRIT) ;
/bin/mkdir -> $(SEC_CRIT) ;
/bin/mknod -> $(SEC_CRIT) ;
/bin/mktemp -> $(SEC_CRIT) ;
/bin/rm -> $(SEC_CRIT) ;
/bin/rmdir -> $(SEC_CRIT) ;
/bin/touch -> $(SEC_CRIT) ;
}
##################################
# ##
################################## #
# # #
# Kernel Administration Programs # #
# ##
##################################
(
rulename = "Kernel Administration Programs",
severity = $(SIG_HI)
)
{
# /sbin/adjtimex -> $(SEC_CRIT) ;
/sbin/ctrlaltdel -> $(SEC_CRIT) ;
/sbin/depmod -> $(SEC_CRIT) ;
/sbin/insmod -> $(SEC_CRIT) ;
/sbin/insmod.static -> $(SEC_CRIT) ;
/sbin/insmod_ksymoops_clean -> $(SEC_CRIT) ;
# /sbin/klogd -> $(SEC_CRIT) ;
/sbin/ldconfig -> $(SEC_CRIT) ;
# /sbin/minilogd -> $(SEC_CRIT) ;
/sbin/modinfo -> $(SEC_CRIT) ;
#/sbin/nuactlun -> $(SEC_CRIT) ;
#/sbin/nuscsitcpd -> $(SEC_CRIT) ;
/sbin/pivot_root -> $(SEC_CRIT) ;
# /sbin/sndconfig -> $(SEC_CRIT) ;
/sbin/sysctl -> $(SEC_CRIT) ;
}
#######################
# ##
####################### #
# # #
# Networking Programs # #
# ##
#######################
(
rulename = "Networking Programs",
severity = $(SIG_HI)
)
{
# /etc/sysconfig/network-scripts/ifdown -> $(SEC_CRIT) ;
# /etc/sysconfig/network-scripts/ifdown-cipcb -> $(SEC_CRIT) ;
# /etc/sysconfig/network-scripts/ifdown-ippp -> $(SEC_CRIT) ;
# /etc/sysconfig/network-scripts/ifdown-ipv6 -> $(SEC_CRIT) ;
# /etc/sysconfig/network-scripts/ifdown-isdn -> $(SEC_CRIT) ;
# /etc/sysconfig/network-scripts/ifdown-post -> $(SEC_CRIT) ;
# /etc/sysconfig/network-scripts/ifdown-ppp -> $(SEC_CRIT) ;
# /etc/sysconfig/network-scripts/ifdown-sit -> $(SEC_CRIT) ;
# /etc/sysconfig/network-scripts/ifdown-sl -> $(SEC_CRIT) ;
# /etc/sysconfig/network-scripts/ifup -> $(SEC_CRIT) ;
# /etc/sysconfig/network-scripts/ifup-aliases -> $(SEC_CRIT) ;
# /etc/sysconfig/network-scripts/ifup-cipcb -> $(SEC_CRIT) ;
# /etc/sysconfig/network-scripts/ifup-ippp -> $(SEC_CRIT) ;
# /etc/sysconfig/network-scripts/ifup-ipv6 -> $(SEC_CRIT) ;
# /etc/sysconfig/network-scripts/ifup-isdn -> $(SEC_CRIT) ;
# /etc/sysconfig/network-scripts/ifup-plip -> $(SEC_CRIT) ;
# /etc/sysconfig/network-scripts/ifup-plusb -> $(SEC_CRIT) ;
# /etc/sysconfig/network-scripts/ifup-post -> $(SEC_CRIT) ;
# /etc/sysconfig/network-scripts/ifup-ppp -> $(SEC_CRIT) ;
# /etc/sysconfig/network-scripts/ifup-routes -> $(SEC_CRIT) ;
# /etc/sysconfig/network-scripts/ifup-sit -> $(SEC_CRIT) ;
# /etc/sysconfig/network-scripts/ifup-sl -> $(SEC_CRIT) ;
# /etc/sysconfig/network-scripts/ifup-wireless -> $(SEC_CRIT) ;
# /etc/sysconfig/network-scripts/network-functions -> $(SEC_CRIT) ;
# /etc/sysconfig/network-scripts/network-functions-ipv6 -> $(SEC_CRIT) ;
/bin/ping -> $(SEC_CRIT) ;
/sbin/agetty -> $(SEC_CRIT) ;
/sbin/arp -> $(SEC_CRIT) ;
/sbin/arping -> $(SEC_CRIT) ;
/sbin/dhcpcd -> $(SEC_CRIT) ;
/usr/sbin/ether-wake -> $(SEC_CRIT) ;
#/sbin/getty -> $(SEC_CRIT) ;
# /sbin/ifcfg -> $(SEC_CRIT) ;
/sbin/ifconfig -> $(SEC_CRIT) ;
# /sbin/ifdown -> $(SEC_CRIT) ;
# /sbin/ifenslave -> $(SEC_CRIT) ;
# /sbin/ifport -> $(SEC_CRIT) ;
# /sbin/ifup -> $(SEC_CRIT) ;
# /sbin/ifuser -> $(SEC_CRIT) ;
# /sbin/ip -> $(SEC_CRIT) ;
/sbin/ip6tables -> $(SEC_CRIT) ;
# /sbin/ipchains -> $(SEC_CRIT) ;
# /sbin/ipchains-restore -> $(SEC_CRIT) ;
# /sbin/ipchains-save -> $(SEC_CRIT) ;
# /sbin/ipfwadm -> $(SEC_CRIT) ;
/sbin/ipmaddr -> $(SEC_CRIT) ;
/sbin/iptables -> $(SEC_CRIT) ;
/sbin/iptables-restore -> $(SEC_CRIT) ;
/sbin/iptables-save -> $(SEC_CRIT) ;
/sbin/iptunnel -> $(SEC_CRIT) ;
# /sbin/ipvsadm -> $(SEC_CRIT) ;
# /sbin/ipvsadm-restore -> $(SEC_CRIT) ;
# /sbin/ipvsadm-save -> $(SEC_CRIT) ;
# /sbin/ipx_configure -> $(SEC_CRIT) ;
# /sbin/ipx_interface -> $(SEC_CRIT) ;
# /sbin/ipx_internal_net -> $(SEC_CRIT) ;
# /sbin/iwconfig -> $(SEC_CRIT) ;
# /sbin/iwgetid -> $(SEC_CRIT) ;
# /sbin/iwlist -> $(SEC_CRIT) ;
# /sbin/iwpriv -> $(SEC_CRIT) ;
# /sbin/iwspy -> $(SEC_CRIT) ;
# /sbin/mgetty -> $(SEC_CRIT) ;
# /sbin/mingetty -> $(SEC_CRIT) ;
/sbin/nameif -> $(SEC_CRIT) ;
# /sbin/netreport -> $(SEC_CRIT) ;
/sbin/plipconfig -> $(SEC_CRIT) ;
# /sbin/portmap -> $(SEC_CRIT) ;
# /sbin/ppp-watch -> $(SEC_CRIT) ;
#/sbin/rarp -> $(SEC_CRIT) ;
/sbin/route -> $(SEC_CRIT) ;
/sbin/slattach -> $(SEC_CRIT) ;
# /sbin/tc -> $(SEC_CRIT) ;
#/sbin/uugetty -> $(SEC_CRIT) ;
# /sbin/vgetty -> $(SEC_CRIT) ;
# /sbin/ypbind -> $(SEC_CRIT) ;
}
##################################
# ##
################################## #
# # #
# System Administration Programs # #
# ##
##################################
(
rulename = "System Administration Programs",
severity = $(SIG_HI)
)
{
# /sbin/chkconfig -> $(SEC_CRIT) ;
/bin/fuser -> $(SEC_CRIT) ;
/sbin/halt -> $(SEC_CRIT) ;
/sbin/init -> $(SEC_CRIT) ;
# /sbin/initlog -> $(SEC_CRIT) ;
/usr/bin/install-info -> $(SEC_CRIT) ;
/sbin/killall5 -> $(SEC_CRIT) ;
#/sbin/linuxconf -> $(SEC_CRIT) ;
#/sbin/linuxconf-auth -> $(SEC_CRIT) ;
/usr/sbin/pam_tally -> $(SEC_CRIT) ;
/usr/sbin/pwdb_chkpwd -> $(SEC_CRIT) ;
#/sbin/remadmin -> $(SEC_CRIT) ;
# /sbin/rescuept -> $(SEC_CRIT) ;
/usr/sbin/rmt -> $(SEC_CRIT) ;
# /sbin/rpc.lockd -> $(SEC_CRIT) ;
# /sbin/rpc.statd -> $(SEC_CRIT) ;
# /sbin/rpcdebug -> $(SEC_CRIT) ;
# /sbin/service -> $(SEC_CRIT) ;
# /sbin/setsysfont -> $(SEC_CRIT) ;
/sbin/shutdown -> $(SEC_CRIT) ;
/sbin/sulogin -> $(SEC_CRIT) ;
/sbin/swapon -> $(SEC_CRIT) ;
# /sbin/syslogd -> $(SEC_CRIT) ;
# /sbin/unix_chkpwd -> $(SEC_CRIT) ;
/bin/pwd -> $(SEC_CRIT) ;
/bin/uname -> $(SEC_CRIT) ;
}
########################################
# ##
######################################## #
# # #
# Hardware and Device Control Programs # #
# ##
########################################
(
rulename = "Hardware and Device Control Programs",
severity = $(SIG_HI)
)
{
/bin/setserial -> $(SEC_CRIT) ;
# /bin/sfxload -> $(SEC_CRIT) ;
/sbin/blockdev -> $(SEC_CRIT) ;
# /sbin/cardctl -> $(SEC_CRIT) ;
# /sbin/cardmgr -> $(SEC_CRIT) ;
# /sbin/cbq -> $(SEC_CRIT) ;
# /sbin/dump_cis -> $(SEC_CRIT) ;
/sbin/elvtune -> $(SEC_CRIT) ;
# /sbin/hotplug -> $(SEC_CRIT) ;
/sbin/hwclock -> $(SEC_CRIT) ;
# /sbin/ide_info -> $(SEC_CRIT) ;
#/sbin/isapnp -> $(SEC_CRIT) ;
#/sbin/kbdrate -> $(SEC_CRIT) ;
/sbin/losetup -> $(SEC_CRIT) ;
# /sbin/lspci -> $(SEC_CRIT) ;
# /sbin/lspnp -> $(SEC_CRIT) ;
/sbin/mii-tool -> $(SEC_CRIT) ;
# /sbin/pack_cis -> $(SEC_CRIT) ;
#/sbin/pnpdump -> $(SEC_CRIT) ;
# /sbin/probe -> $(SEC_CRIT) ;
#/sbin/pump -> $(SEC_CRIT) ;
# /sbin/setpci -> $(SEC_CRIT) ;
# /sbin/shapecfg -> $(SEC_CRIT) ;
}
###############################
# ##
############################### #
# # #
# System Information Programs # #
# ##
###############################
(
rulename = "System Information Programs",
severity = $(SIG_HI)
)
{
/sbin/consoletype -> $(SEC_CRIT) ;
/sbin/kernelversion -> $(SEC_CRIT) ;
/sbin/runlevel -> $(SEC_CRIT) ;
}
####################################
# ##
#################################### #
# # #
# Application Information Programs # #
# ##
####################################
(
rulename = "Application Information Programs",
severity = $(SIG_HI)
)
{
/sbin/genksyms -> $(SEC_CRIT) ;
#/sbin/genksyms.old -> $(SEC_CRIT) ;
# /sbin/rtmon -> $(SEC_CRIT) ;
}
##########################
# ##
########################## #
# # #
# Shell Related Programs # #
# ##
##########################
(
rulename = "Shell Related Programs",
severity = $(SIG_HI)
)
{
# /sbin/getkey -> $(SEC_CRIT) ;
# /sbin/nash -> $(SEC_CRIT) ;
/bin/sash -> $(SEC_CRIT) ;
}
################
# ##
################ #
# # #
# OS Utilities # #
# ##
################
(
rulename = "Operating System Utilities",
severity = $(SIG_HI)
)
{
/bin/arch -> $(SEC_CRIT) ;
# /bin/ash -> $(SEC_CRIT) ;
# /bin/ash.static -> $(SEC_CRIT) ;
# /bin/aumix-minimal -> $(SEC_CRIT) ;
/bin/basename -> $(SEC_CRIT) ;
/bin/cat -> $(SEC_CRIT) ;
#/bin/consolechars -> $(SEC_CRIT) ;
/bin/cut -> $(SEC_CRIT) ;
/bin/date -> $(SEC_CRIT) ;
/bin/dd -> $(SEC_CRIT) ;
/bin/df -> $(SEC_CRIT) ;
/bin/dmesg -> $(SEC_CRIT) ;
# /bin/doexec -> $(SEC_CRIT) ;
/bin/echo -> $(SEC_CRIT) ;
/bin/ed -> $(SEC_CRIT) ;
/bin/egrep -> $(SEC_CRIT) ;
/bin/false -> $(SEC_CRIT) ;
/bin/fgrep -> $(SEC_CRIT) ;
/bin/gawk -> $(SEC_CRIT) ;
# /bin/gawk-3.1.0 -> $(SEC_CRIT) ;
# /bin/gettext -> $(SEC_CRIT) ;
/bin/grep -> $(SEC_CRIT) ;
/bin/gunzip -> $(SEC_CRIT) ;
/bin/gzip -> $(SEC_CRIT) ;
/bin/hostname -> $(SEC_CRIT) ;
/bin/igawk -> $(SEC_CRIT) ;
# /bin/ipcalc -> $(SEC_CRIT) ;
/bin/kill -> $(SEC_CRIT) ;
/bin/ln -> $(SEC_CRIT) ;
/bin/loadkeys -> $(SEC_CRIT) ;
/bin/login -> $(SEC_CRIT) ;
/bin/ls -> $(SEC_CRIT) ;
# /bin/mail -> $(SEC_CRIT) ;
/bin/more -> $(SEC_CRIT) ;
# /bin/mt -> $(SEC_CRIT) ;
/bin/mv -> $(SEC_CRIT) ;
/bin/netstat -> $(SEC_CRIT) ;
/bin/nice -> $(SEC_CRIT) ;
/bin/pgawk -> $(SEC_CRIT) ;
/bin/ps -> $(SEC_CRIT) ;
# /bin/rpm -> $(SEC_CRIT) ;
/bin/sed -> $(SEC_CRIT) ;
/bin/sleep -> $(SEC_CRIT) ;
/bin/sort -> $(SEC_CRIT) ;
/bin/stty -> $(SEC_CRIT) ;
/bin/su -> $(SEC_CRIT) ;
/bin/sync -> $(SEC_CRIT) ;
/bin/tar -> $(SEC_CRIT) ;
/bin/true -> $(SEC_CRIT) ;
# /bin/usleep -> $(SEC_CRIT) ;
# /bin/vi -> $(SEC_CRIT) ;
/bin/zcat -> $(SEC_CRIT) ;
# /bin/zsh -> $(SEC_CRIT) ;
# /bin/zsh-4.0.2 -> $(SEC_CRIT) ;
/sbin/sln -> $(SEC_CRIT) ;
# /usr/bin/vimtutor -> $(SEC_CRIT) ;
}
##############################
# ##
############################## #
# # #
# Critical Utility Sym-Links # #
# ##
##############################
(
rulename = "Critical Utility Sym-Links",
severity = $(SIG_HI)
)
{
#/sbin/askrunlevel -> $(SEC_CRIT) ;
# /sbin/clock -> $(SEC_CRIT) ;
#/sbin/fixperm -> $(SEC_CRIT) ;
# /sbin/fsck.reiserfs -> $(SEC_CRIT) ;
#/sbin/fsconf -> $(SEC_CRIT) ;
# /sbin/ipfwadm-wrapper -> $(SEC_CRIT) ;
/sbin/kallsyms -> $(SEC_CRIT) ;
/sbin/ksyms -> $(SEC_CRIT) ;
/sbin/lsmod -> $(SEC_CRIT) ;
#/sbin/mailconf -> $(SEC_CRIT) ;
# /sbin/mkfs.reiserfs -> $(SEC_CRIT) ;
#/sbin/modemconf -> $(SEC_CRIT) ;
/sbin/modprobe -> $(SEC_CRIT) ;
# /sbin/mount.ncp -> $(SEC_CRIT) ;
# /sbin/mount.ncpfs -> $(SEC_CRIT) ;
# /sbin/mount.smb -> $(SEC_CRIT) ;
# /sbin/mount.smbfs -> $(SEC_CRIT) ;
#/sbin/netconf -> $(SEC_CRIT) ;
/sbin/pidof -> $(SEC_CRIT) ;
/sbin/poweroff -> $(SEC_CRIT) ;
# /sbin/quotaoff -> $(SEC_CRIT) ;
# /sbin/raid0run -> $(SEC_CRIT) ;
# /sbin/raidhotadd -> $(SEC_CRIT) ;
# /sbin/raidhotgenerateerror -> $(SEC_CRIT) ;
# /sbin/raidhotremove -> $(SEC_CRIT) ;
# /sbin/raidstop -> $(SEC_CRIT) ;
# /sbin/rdump -> $(SEC_CRIT) ;
# /sbin/rdump.static -> $(SEC_CRIT) ;
/sbin/reboot -> $(SEC_CRIT) ;
/sbin/rmmod -> $(SEC_CRIT) ;
# /sbin/rrestore -> $(SEC_CRIT) ;
# /sbin/rrestore.static -> $(SEC_CRIT) ;
/sbin/swapoff -> $(SEC_CRIT) ;
/sbin/telinit -> $(SEC_CRIT) ;
#/sbin/userconf -> $(SEC_CRIT) ;
#/sbin/uucpconf -> $(SEC_CRIT) ;
#/sbin/vregistry -> $(SEC_CRIT) ;
/bin/awk -> $(SEC_CRIT) ;
# /bin/bash2 -> $(SEC_CRIT) ;
# /bin/bsh -> $(SEC_CRIT) ;
# /bin/csh -> $(SEC_CRIT) ;
/bin/dnsdomainname -> $(SEC_CRIT) ;
/bin/domainname -> $(SEC_CRIT) ;
# /bin/ex -> $(SEC_CRIT) ;
# /bin/gtar -> $(SEC_CRIT) ;
/bin/nisdomainname -> $(SEC_CRIT) ;
/bin/red -> $(SEC_CRIT) ;
# /bin/rvi -> $(SEC_CRIT) ;
# /bin/rview -> $(SEC_CRIT) ;
# /bin/view -> $(SEC_CRIT) ;
/bin/ypdomainname -> $(SEC_CRIT) ;
}
#########################
# ##
######################### #
# # #
# Temporary directories # #
# ##
#########################
(
rulename = "Temporary directories",
recurse = false,
severity = $(SIG_LOW)
)
{
/usr/tmp -> $(SEC_INVARIANT) ;
/var/tmp -> $(SEC_INVARIANT) ;
/tmp -> $(SEC_INVARIANT) ;
}
###############
# ##
############### #
# # #
# Local files # #
# ##
###############
(
rulename = "User binaries",
severity = $(SIG_MED)
)
{
/sbin -> $(SEC_BIN) (recurse = 1) ;
/usr/bin -> $(SEC_BIN) (recurse = 1) ;
/usr/sbin -> $(SEC_BIN) (recurse = 1) ;
/usr/local/bin -> $(SEC_BIN) (recurse = 1) ;
}
(
rulename = "Shell Binaries",
severity = $(SIG_HI)
)
{
/bin/bash -> $(SEC_BIN) ;
# /bin/ksh -> $(SEC_BIN) ;
# /bin/psh -> $(SEC_BIN) ; # No longer used?
# /bin/Rsh -> $(SEC_BIN) ; # No longer used?
/bin/sh -> $(SEC_BIN) ;
# /bin/shell -> $(SEC_SUID) ; # No longer used?
# /bin/tsh -> $(SEC_BIN) ; # No longer used?
# /bin/tcsh -> $(SEC_BIN) ;
# /sbin/nologin -> $(SEC_BIN) ;
}
(
rulename = "Security Control",
severity = $(SIG_HI)
)
{
/etc/group -> $(SEC_CRIT) ;
/etc/security -> $(SEC_CRIT) ;
#/var/spool/cron/crontabs -> $(SEC_CRIT) ; # Uncomment when this file exists
}
#(
# rulename = "Boot Scripts",
# severity = $(SIG_HI)
#)
#{
# /etc/rc -> $(SEC_CONFIG) ;
# /etc/rc.bsdnet -> $(SEC_CONFIG) ;
# /etc/rc.dt -> $(SEC_CONFIG) ;
# /etc/rc.net -> $(SEC_CONFIG) ;
# /etc/rc.net.serial -> $(SEC_CONFIG) ;
# /etc/rc.nfs -> $(SEC_CONFIG) ;
# /etc/rc.powerfail -> $(SEC_CONFIG) ;
# /etc/rc.tcpip -> $(SEC_CONFIG) ;
# /etc/trcfmt.Z -> $(SEC_CONFIG) ;
#}
(
rulename = "Login Scripts",
severity = $(SIG_HI)
)
{
# /etc/bashrc -> $(SEC_CONFIG) ;
# /etc/csh.cshrc -> $(SEC_CONFIG) ;
# /etc/csh.login -> $(SEC_CONFIG) ;
/etc/inputrc -> $(SEC_CONFIG) ;
# /etc/tsh_profile -> $(SEC_CONFIG) ; #Uncomment when this file exists
/etc/profile -> $(SEC_CONFIG) ;
}
# Libraries
(
rulename = "Libraries",
severity = $(SIG_MED)
)
{
/usr/lib -> $(SEC_BIN) ;
/usr/local/lib -> $(SEC_BIN) ;
}
######################################################
# ##
###################################################### #
# # #
# Critical System Boot Files # #
# These files are critical to a correct system boot. # #
# ##
######################################################
(
rulename = "Critical system boot files",
severity = $(SIG_HI)
)
{
/boot -> $(SEC_CRIT) ;
#/sbin/devfsd -> $(SEC_CRIT) ;
/sbin/grub -> $(SEC_CRIT) ;
/sbin/grub-install -> $(SEC_CRIT) ;
/sbin/grub-md5-crypt -> $(SEC_CRIT) ;
/sbin/installkernel -> $(SEC_CRIT) ;
# /sbin/lilo -> $(SEC_CRIT) ;
# /sbin/mkkerneldoth -> $(SEC_CRIT) ;
!/boot/System.map ;
!/boot/module-info ;
/usr/share/grub/i386-pc/e2fs_stage1_5 -> $(SEC_CRIT) ;
/usr/share/grub/i386-pc/fat_stage1_5 -> $(SEC_CRIT) ;
/usr/share/grub/i386-pc/ffs_stage1_5 -> $(SEC_CRIT) ;
/usr/share/grub/i386-pc/minix_stage1_5 -> $(SEC_CRIT) ;
/usr/share/grub/i386-pc/reiserfs_stage1_5 -> $(SEC_CRIT) ;
/usr/share/grub/i386-pc/stage1 -> $(SEC_CRIT) ;
/usr/share/grub/i386-pc/stage2 -> $(SEC_CRIT) ;
/usr/share/grub/i386-pc/vstafs_stage1_5 -> $(SEC_CRIT) ;
# other boot files may exist. Look for:
#/ufsboot -> $(SEC_CRIT) ;
}
##################################################
###################################################
# These files change every time the system boots ##
##################################################
(
rulename = "System boot changes",
severity = $(SIG_HI)
)
{
!/var/run/ftp.pids-all ; # Comes and goes on reboot.
!/root/.enlightenment ;
/dev/log -> $(SEC_CONFIG) ;
/dev/cua0 -> $(SEC_CONFIG) ;
# /dev/printer -> $(SEC_CONFIG) ; # Uncomment if you have a printer device
/dev/console -> $(SEC_CONFIG) -u ; # User ID may change on console login/logout.
/dev/tty1 -> $(SEC_CONFIG) ; # tty devices
/dev/tty2 -> $(SEC_CONFIG) ; # tty devices
/dev/tty3 -> $(SEC_CONFIG) ; # are extremely
/dev/tty4 -> $(SEC_CONFIG) ; # variable
/dev/tty5 -> $(SEC_CONFIG) ;
/dev/tty6 -> $(SEC_CONFIG) ;
/dev/urandom -> $(SEC_CONFIG) ;
/dev/initctl -> $(SEC_CONFIG) ;
/var/lock/subsys -> $(SEC_CONFIG) ;
# /var/lock/subsys/amd -> $(SEC_CONFIG) ;
# /var/lock/subsys/anacron -> $(SEC_CONFIG) ;
# /var/lock/subsys/apmd -> $(SEC_CONFIG) ;
# /var/lock/subsys/arpwatch -> $(SEC_CONFIG) ;
# /var/lock/subsys/atd -> $(SEC_CONFIG) ;
# /var/lock/subsys/autofs -> $(SEC_CONFIG) ;
# /var/lock/subsys/bcm5820 -> $(SEC_CONFIG) ;
# /var/lock/subsys/bgpd -> $(SEC_CONFIG) ;
# /var/lock/subsys/bootparamd -> $(SEC_CONFIG) ;
# /var/lock/subsys/canna -> $(SEC_CONFIG) ;
# /var/lock/subsys/crond -> $(SEC_CONFIG) ;
# /var/lock/subsys/cWnn -> $(SEC_CONFIG) ;
# /var/lock/subsys/dhcpd -> $(SEC_CONFIG) ;
# /var/lock/subsys/firewall -> $(SEC_CONFIG) ;
# /var/lock/subsys/freeWnn -> $(SEC_CONFIG) ;
# /var/lock/subsys/gated -> $(SEC_CONFIG) ;
# /var/lock/subsys/gpm -> $(SEC_CONFIG) ;
# /var/lock/subsys/httpd -> $(SEC_CONFIG) ;
# /var/lock/subsys/identd -> $(SEC_CONFIG) ;
# /var/lock/subsys/innd -> $(SEC_CONFIG) ;
# /var/lock/subsys/ipchains -> $(SEC_CONFIG) ;
# /var/lock/subsys/iptables -> $(SEC_CONFIG) ;
# /var/lock/subsys/ipvsadm -> $(SEC_CONFIG) ;
# /var/lock/subsys/irda -> $(SEC_CONFIG) ;
# /var/lock/subsys/iscsi -> $(SEC_CONFIG) ;
# /var/lock/subsys/isdn -> $(SEC_CONFIG) ;
# /var/lock/subsys/junkbuster -> $(SEC_CONFIG) ;
# /var/lock/subsys/kadmin -> $(SEC_CONFIG) ;
# /var/lock/subsys/keytable -> $(SEC_CONFIG) ;
# /var/lock/subsys/kprop -> $(SEC_CONFIG) ;
# /var/lock/subsys/krb524 -> $(SEC_CONFIG) ;
# /var/lock/subsys/krb5kdc -> $(SEC_CONFIG) ;
# /var/lock/subsys/kudzu -> $(SEC_CONFIG) ;
# /var/lock/subsys/kWnn -> $(SEC_CONFIG) ;
# /var/lock/subsys/ldap -> $(SEC_CONFIG) ;
# /var/lock/subsys/linuxconf -> $(SEC_CONFIG) ;
# /var/lock/subsys/lpd -> $(SEC_CONFIG) ;
# /var/lock/subsys/mars_nwe -> $(SEC_CONFIG) ;
# /var/lock/subsys/mcserv -> $(SEC_CONFIG) ;
# /var/lock/subsys/mysqld -> $(SEC_CONFIG) ;
# /var/lock/subsys/named -> $(SEC_CONFIG) ;
# /var/lock/subsys/netfs -> $(SEC_CONFIG) ;
# /var/lock/subsys/network -> $(SEC_CONFIG) ;
# /var/lock/subsys/nfs -> $(SEC_CONFIG) ;
# /var/lock/subsys/nfslock -> $(SEC_CONFIG) ;
# /var/lock/subsys/nscd -> $(SEC_CONFIG) ;
# /var/lock/subsys/ntpd -> $(SEC_CONFIG) ;
# /var/lock/subsys/ospf6d -> $(SEC_CONFIG) ;
# /var/lock/subsys/ospfd -> $(SEC_CONFIG) ;
# /var/lock/subsys/pcmcia -> $(SEC_CONFIG) ;
# /var/lock/subsys/portmap -> $(SEC_CONFIG) ;
# /var/lock/subsys/postgresql -> $(SEC_CONFIG) ;
# /var/lock/subsys/pxe -> $(SEC_CONFIG) ;
# /var/lock/subsys/radvd -> $(SEC_CONFIG) ;
# /var/lock/subsys/random -> $(SEC_CONFIG) ;
# /var/lock/subsys/rarpd -> $(SEC_CONFIG) ;
# /var/lock/subsys/reconfig -> $(SEC_CONFIG) ;
# /var/lock/subsys/rhnsd -> $(SEC_CONFIG) ;
# /var/lock/subsys/ripd -> $(SEC_CONFIG) ;
# /var/lock/subsys/ripngd -> $(SEC_CONFIG) ;
# /var/lock/subsys/routed -> $(SEC_CONFIG) ;
# /var/lock/subsys/rstatd -> $(SEC_CONFIG) ;
# /var/lock/subsys/rusersd -> $(SEC_CONFIG) ;
# /var/lock/subsys/rwalld -> $(SEC_CONFIG) ;
# /var/lock/subsys/rwhod -> $(SEC_CONFIG) ;
# /var/lock/subsys/sendmail -> $(SEC_CONFIG) ;
# /var/lock/subsys/smb -> $(SEC_CONFIG) ;
# /var/lock/subsys/snmpd -> $(SEC_CONFIG) ;
# /var/lock/subsys/squid -> $(SEC_CONFIG) ;
# /var/lock/subsys/sshd -> $(SEC_CONFIG) ;
# /var/lock/subsys/syslog -> $(SEC_CONFIG) ;
# /var/lock/subsys/tux -> $(SEC_CONFIG) ;
# /var/lock/subsys/tWnn -> $(SEC_CONFIG) ;
# /var/lock/subsys/ups -> $(SEC_CONFIG) ;
# /var/lock/subsys/vncserver -> $(SEC_CONFIG) ;
# /var/lock/subsys/wine -> $(SEC_CONFIG) ;
# /var/lock/subsys/xfs -> $(SEC_CONFIG) ;
# /var/lock/subsys/xinetd -> $(SEC_CONFIG) ;
# /var/lock/subsys/ypbind -> $(SEC_CONFIG) ;
# /var/lock/subsys/yppasswdd -> $(SEC_CONFIG) ;
# /var/lock/subsys/ypserv -> $(SEC_CONFIG) ;
# /var/lock/subsys/ypxfrd -> $(SEC_CONFIG) ;
# /var/lock/subsys/zebra -> $(SEC_CONFIG) ;
/var/run -> $(SEC_CONFIG) ;
/var/log -> $(SEC_CONFIG) ;
/etc/ioctl.save -> $(SEC_CONFIG) ;
# /etc/issue.net -> $(SEC_CONFIG) -i ; # Inode number changes
/etc/issue -> $(SEC_CONFIG) ;
/etc/mtab -> $(SEC_CONFIG) -i ; # Inode number changes on any mount/unmount
/lib/modules -> $(SEC_CONFIG) ;
/etc/.pwd.lock -> $(SEC_CONFIG) ;
# /lib/modules/preferred -> $(SEC_CONFIG) ; #Uncomment when this file exists
}
# These files change the behavior of the root account
(
rulename = "Root config files",
severity = 100
)
{
/root -> $(SEC_CRIT) ; # Catch all additions to /root
# /root/.Xresources -> $(SEC_CONFIG) ;
# /root/.bashrc -> $(SEC_CONFIG) ;
# /root/.bash_profile -> $(SEC_CONFIG) ;
# /root/.bash_logout -> $(SEC_CONFIG) ;
# /root/.cshrc -> $(SEC_CONFIG) ;
# /root/.tcshrc -> $(SEC_CONFIG) ;
#/root/Mail -> $(SEC_CONFIG) ;
#/root/mail -> $(SEC_CONFIG) ;
#/root/.amandahosts -> $(SEC_CONFIG) ;
#/root/.addressbook.lu -> $(SEC_CONFIG) ;
#/root/.addressbook -> $(SEC_CONFIG) ;
/root/.bash_history -> $(SEC_CONFIG) ;
#/root/.elm -> $(SEC_CONFIG) ;
# /root/.esd_auth -> $(SEC_CONFIG) ;
# /root/.gnome_private -> $(SEC_CONFIG) ;
# /root/.gnome-desktop -> $(SEC_CONFIG) ;
# /root/.gnome -> $(SEC_CONFIG) ;
# /root/.ICEauthority -> $(SEC_CONFIG) ;
#/root/.mc -> $(SEC_CONFIG) ;
#/root/.pinerc -> $(SEC_CONFIG) ;
#/root/.sawfish -> $(SEC_CONFIG) ;
# /root/.Xauthority -> $(SEC_CONFIG) -i ; # Changes Inode number on login
#/root/.xauth -> $(SEC_CONFIG) ;
#/root/.xsession-errors -> $(SEC_CONFIG) ;
}
################################
# ##
################################ #
# # #
# Critical configuration files # #
# ##
################################
(
rulename = "Critical configuration files",
severity = $(SIG_HI)
)
{
#/etc/conf.linuxconf -> $(SEC_BIN) ;
/etc/crontab -> $(SEC_BIN) ;
/etc/cron.hourly -> $(SEC_BIN) ;
/etc/cron.daily -> $(SEC_BIN) ;
/etc/cron.weekly -> $(SEC_BIN) ;
/etc/cron.monthly -> $(SEC_BIN) ;
/etc/default -> $(SEC_BIN) ;
/etc/fstab -> $(SEC_BIN) ;
# /etc/exports -> $(SEC_BIN) ;
/etc/group- -> $(SEC_BIN) ; # changes should be infrequent
# /etc/host.conf -> $(SEC_BIN) ;
# /etc/hosts.allow -> $(SEC_BIN) ;
# /etc/hosts.deny -> $(SEC_BIN) ;
# /etc/httpd/conf -> $(SEC_BIN) ; # changes should be infrequent
/etc/protocols -> $(SEC_BIN) ;
/etc/services -> $(SEC_BIN) ;
/etc/init.d -> $(SEC_BIN) ;
# /etc/rc.d -> $(SEC_BIN) ;
# /etc/mail.rc -> $(SEC_BIN) ;
/etc/modules.conf -> $(SEC_BIN) ;
# /etc/motd -> $(SEC_BIN) ;
# /etc/named.conf -> $(SEC_BIN) ;
/etc/passwd -> $(SEC_CONFIG) ;
/etc/passwd- -> $(SEC_CONFIG) ;
# /etc/profile.d -> $(SEC_BIN) ;
# /var/lib/nfs/rmtab -> $(SEC_BIN) ;
# /usr/sbin/fixrmtab -> $(SEC_BIN) ;
/etc/rpc -> $(SEC_BIN) ;
# /etc/sysconfig -> $(SEC_BIN) ;
# /etc/samba/smb.conf -> $(SEC_CONFIG) ;
#/etc/gettydefs -> $(SEC_BIN) ;
/etc/nsswitch.conf -> $(SEC_BIN) ;
/etc/yp.conf -> $(SEC_BIN) ;
/etc/hosts -> $(SEC_CONFIG) ;
/etc/xinetd.conf -> $(SEC_CONFIG) ;
/etc/inittab -> $(SEC_CONFIG) ;
/etc/resolv.conf -> $(SEC_CONFIG) ;
# /etc/syslog.conf -> $(SEC_CONFIG) ;
}
####################
# ##
#################### #
# # #
# Critical devices # #
# ##
####################
(
rulename = "Critical devices",
severity = $(SIG_HI),
recurse = false
)
{
/dev/kmem -> $(Device) ;
/dev/mem -> $(Device) ;
/dev/null -> $(Device) ;
/dev/zero -> $(Device) ;
/proc/devices -> $(Device) ;
/proc/net -> $(Device) ;
/proc/sys -> $(Device) ;
/proc/cpuinfo -> $(Device) ;
/proc/modules -> $(Device) ;
/proc/mounts -> $(Device) ;
/proc/dma -> $(Device) ;
/proc/filesystems -> $(Device) ;
/proc/pci -> $(Device) ;
/proc/interrupts -> $(Device) ;
# /proc/driver/rtc -> $(Device) ;
/proc/ioports -> $(Device) ;
/proc/scsi -> $(Device) ;
/proc/kcore -> $(Device) ;
/proc/self -> $(Device) ;
/proc/kmsg -> $(Device) ;
/proc/stat -> $(Device) ;
/proc/ksyms -> $(Device) ;
/proc/loadavg -> $(Device) ;
/proc/uptime -> $(Device) ;
/proc/locks -> $(Device) ;
/proc/version -> $(Device) ;
# /proc/mdstat -> $(Device) ;
/proc/meminfo -> $(Device) ;
/proc/cmdline -> $(Device) ;
/proc/misc -> $(Device) ;
}
# Rest of critical system binaries
(
rulename = "OS executables and libraries",
severity = $(SIG_HI)
)
{
/bin -> $(SEC_BIN) ;
/lib -> $(SEC_BIN) ;
}
#=============================================================================
#
# Copyright 2000 Tripwire, Inc. Tripwire is a registered trademark of Tripwire,
# Inc. in the United States and other countries. All rights reserved.
#
# Linux is a registered trademark of Linus Torvalds.
#
# UNIX is a registered trademark of The Open Group.
#
#=============================================================================
#
# Permission is granted to make and distribute verbatim copies of this document
# provided the copyright notice and this permission notice are preserved on all
# copies.
#
# Permission is granted to copy and distribute modified versions of this
# document under the conditions for verbatim copying, provided that the entire
# resulting derived work is distributed under the terms of a permission notice
# identical to this one.
#
# Permission is granted to copy and distribute translations of this document
# into another language, under the above conditions for modified versions,
# except that this permission notice may be stated in a translation approved by
# Tripwire, Inc.
#
# DCM
|
This config file runs tripwire without errors on my system, but I may very well have neglected some important things. Your mileage may vary, no guarantees expressed or implied, bla-bla-bla |
|
Back to top |
|
|
mbjr Guru
Joined: 17 Jan 2004 Posts: 531 Location: Budapest/Hungary
|
Posted: Tue Mar 23, 2004 9:10 pm Post subject: |
|
|
Thankyou Well, I'm not that lazy though, so I'm spending time with writing a shell script that generates your twpol from the system it runs on. I'll post it here when I'll have time to finish it _________________ mb |
|
Back to top |
|
|
puke Tux's lil' helper
Joined: 05 Oct 2002 Posts: 128
|
Posted: Sat Apr 03, 2004 3:09 pm Post subject: |
|
|
mbjr wrote: | Thankyou Well, I'm not that lazy though, so I'm spending time with writing a shell script that generates your twpol from the system it runs on. I'll post it here when I'll have time to finish it |
Is this based on output from qpkg? Please post your script!
PS Nice avatar |
|
Back to top |
|
|
mbjr Guru
Joined: 17 Jan 2004 Posts: 531 Location: Budapest/Hungary
|
Posted: Sat Apr 03, 2004 11:10 pm Post subject: |
|
|
it is. not done yet, didn't have time to finish it up I'm sorry. I'll post it as soon as it gets done _________________ mb |
|
Back to top |
|
|
mbjr Guru
Joined: 17 Jan 2004 Posts: 531 Location: Budapest/Hungary
|
Posted: Fri Aug 27, 2004 7:10 am Post subject: |
|
|
Guys,
This is a much biger project than I've ever thought. I think I better do a feature req to the tripwire team, since there're some issues can't be determined and completed by a "small shell script".
This means I'll not be able to do the "confmaker" for you I'm sorry. _________________ mb |
|
Back to top |
|
|
nielchiano Veteran
Joined: 11 Nov 2003 Posts: 1287 Location: 50N 3E
|
Posted: Mon Jan 10, 2005 11:01 am Post subject: |
|
|
I just imported your policy, but have this strange result:
Tripwire complains about /usr/sbin/siggen not existing. I just remerged the tripwire-ebuild and, yes, there is no siggen file merged. IS THIS NORMAL? or is someone already on my machine (unlikely, but possible)
strange thing is: the siggen.8 man page IS installed, but no binary
PS: I emerged app-admin/tripwire-2.3.1.2-r1 |
|
Back to top |
|
|
eldo21 n00b
Joined: 20 Oct 2004 Posts: 6
|
Posted: Tue Apr 19, 2005 9:41 pm Post subject: |
|
|
I too am missing the siggen app... Anyone know why? Do I need to install it seperate from tripwire?
Thanks Chad |
|
Back to top |
|
|
andrewchou n00b
Joined: 12 Dec 2004 Posts: 1
|
|
Back to top |
|
|
anoland Tux's lil' helper
Joined: 27 May 2003 Posts: 86
|
Posted: Sat Jun 11, 2005 12:30 am Post subject: This should have more exposure |
|
|
I found a script at Red Hat forums which comments out the missing files. I just exported the mail message from pine to tw-list.txt and ran this script which I modified to put the comments in a sensible place.
Code: |
#! /bin/bash
#
# twhelp.sh
#
#############################################################
# #
# Christopher Cuevas #
# fclcac nersp nerdc ufl edu #
# Nov. 13th 2002 #
# Florida Center for Library Automation #
# http://www.fcla.edu #
# #
# twhelp will comment out lines from a twpol.txt file when #
# supplied with a twreport_file and the path to twpol.txt #
# and create a twpol.txt.fixed file #
# #
# usage: twhelp twreport_file path_to_twpol.txt #
# #
#############################################################
E_NOARGS=65
E_ARGERROR=66
if [ $# -eq 0 ]
then
echo "Usage: `basename $0` twreport_file path/to/twpol.txt" >&2
# Error message to stderr
exit $E_ARGERROR
fi
# Test for correct file type
type=`eval file $1 | awk '{ print $2 }'`
# "file $1" echos file type...
# then awk removes all but the second field
# the result is fed into the variable "type" and compared to "correct_type"
correct_type="ASCII"
if [ "$type" != "$correct_type" ]
then
echo
echo "This script only works on non executable ascii files."
echo
fi
# awk through the twreport file and create a tmp.fix1 file
# with all paths to files that are not on the system
cat "$1" | grep Filename: | awk -F: '{ print $2 }' > tmp.fix1
# add a \ in front of the path so sed will comment it out correctly
# output this to tmp.fix2
sed 's/\//\\\//g' tmp.fix1 > tmp.fix2
# create a list of substitutions for sed to perform
for line in `cat tmp.fix2`
do
echo "s/.*$line/# &/" >> tmp.fix3
done
# comment out lines from twpol.txt and create twpol.txt.fixed
sed -f tmp.fix3 "$2" > twpol.txt.fixed
# clean up the tmp.fix files
rm -rf tmp.fix*
exit 0
|
I still had to comment out siggen and changed my host name to the correct name instead of localhost for the key. Now all is well and everything checks out ok. |
|
Back to top |
|
|
Skyr n00b
Joined: 16 Mar 2005 Posts: 8
|
Posted: Thu Nov 10, 2005 1:18 pm Post subject: Re: Maybe this one is what yours want. |
|
|
I suppose the tripwire siggen is a tool for creating a signature (i.e. hash) of files for later comparison.
The script mentioned above creates signatures for emails - I'm pretty sure tripwire doesn't need that one |
|
Back to top |
|
|
cboldt Veteran
Joined: 24 Aug 2005 Posts: 1046
|
Posted: Fri Oct 18, 2013 12:16 pm Post subject: |
|
|
mbjr wrote: | Guys,
This is a much biger project than I've ever thought. I think I better do a feature req to the tripwire team, since there're some issues can't be determined and completed by a "small shell script".
This means I'll not be able to do the "confmaker" for you I'm sorry. |
A bash script for generating tripwire policy from installed packages is now available in the "mktwpol" package. It is masked (~x86, etc.), but has been around for a few years.
mktwpol is pulled in by emerging tripwire, if the user hasn't set "-tools" as a USE flag for tripwire. |
|
Back to top |
|
|
|
|
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
|
|