1 ############################################################################## 2 # ## 3############################################################################## # 4# # # 5# Generic Policy file # # 6# V1.2.0rh # # 7# August 9, 2001 # # 8# ## 9############################################################################## 10 11 12 ############################################################################## 13 # ## 14############################################################################## # 15# # # 16# This is the example Tripwire Policy file. It is intended as a place to # # 17# start creating your own custom Tripwire Policy file. Referring to it as # # 18# well as the Tripwire Policy Guide should give you enough information to # # 19# make a good custom Tripwire Policy file that better covers your # # 20# configuration and security needs. A text version of this policy file is # # 21# called twpol.txt. # # 22# # # 23# Note that this file is tuned to an 'everything' install of Red Hat Linux. # # 24# If run unmodified, this file should create no errors on database # # 25# creation, or violations on a subsiquent integrity check. However, it is # # 26# impossible for there to be one policy file for all machines, so this # # 27# existing one errs on the side of security. Your Linux configuration will # # 28# most likey differ from the one our policy file was tuned to, and will # # 29# therefore require some editing of the default Tripwire Policy file. # # 30# # # 31# The example policy file is best run with 'Loose Directory Checking' # # 32# enabled. Set LOOSEDIRECTORYCHECKING=TRUE in the Tripwire Configuration # # 33# file. # # 34# # # 35# Email support is not included and must be added to this file. # # 36# Add the 'emailto=' to the rule directive section of each rule (add a comma # # 37# after the 'severity=' line and add an 'emailto=' and include the email # # 38# addresses you want the violation reports to go to). Addresses are # # 39# semi-colon delimited. # # 40# ## 41############################################################################## 42 43 44 45 ############################################################################## 46 # ## 47############################################################################## # 48# # # 49# Global Variable Definitions # # 50# # # 51# These are defined at install time by the installation script. You may # # 52# Manually edit these if you are using this file directly and not from the # # 53# installation script itself. # # 54# ## 55############################################################################## 56 57@@section GLOBAL 58TWROOT=/usr/sbin; 59TWBIN=/usr/sbin; 60TWPOL="/etc/tripwire"; 61TWDB="/var/lib/tripwire"; 62TWSKEY="/etc/tripwire"; 63TWLKEY="/etc/tripwire"; 64TWREPORT="/var/lib/tripwire/report"; 65HOSTNAME=localhost; 66 67@@section FS 68SEC_CRIT = $(IgnoreNone)-SHa ; # Critical files that cannot change 69SEC_SUID = $(IgnoreNone)-SHa ; # Binaries with the SUID or SGID flags set 70SEC_BIN = $(ReadOnly) ; # Binaries that should not change 71SEC_CONFIG = $(Dynamic) ; # Config files that are changed infrequently but accessed often 72SEC_LOG = $(Growing) ; # Files that grow, but that should never change ownership 73SEC_INVARIANT = +tpug ; # Directories that should never change permission or ownership 74SIG_LOW = 33 ; # Non-critical files that are of minimal security impact 75SIG_MED = 66 ; # Non-critical files that are of significant security impact 76SIG_HI = 100 ; # Critical files that are significant points of vulnerability 77 78 79# Tripwire Binaries 80( 81 rulename = "Tripwire Binaries", 82 severity = $(SIG_HI) 83) 84{ 85 $(TWBIN)/siggen -> $(SEC_BIN) ; 86 $(TWBIN)/tripwire -> $(SEC_BIN) ; 87 $(TWBIN)/twadmin -> $(SEC_BIN) ; 88 $(TWBIN)/twprint -> $(SEC_BIN) ; 89} 90 91# Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases 92( 93 rulename = "Tripwire Data Files", 94 severity = $(SIG_HI) 95) 96{ 97 # NOTE: We remove the inode attribute because when Tripwire creates a backup, 98 # it does so by renaming the old file and creating a new one (which will 99 # have a new inode number). Inode is left turned on for keys, which shouldn't 100 # ever change. 101 102 # NOTE: The first integrity check triggers this rule and each integrity check 103 # afterward triggers this rule until a database update is run, since the 104 # database file does not exist before that point. 105 106 $(TWDB) -> $(SEC_CONFIG) -i ; 107 $(TWPOL)/tw.pol -> $(SEC_BIN) -i ; 108 $(TWPOL)/tw.cfg -> $(SEC_BIN) -i ; 109 $(TWLKEY)/$(HOSTNAME)-local.key -> $(SEC_BIN) ; 110 $(TWSKEY)/site.key -> $(SEC_BIN) ; 111 112 #don't scan the individual reports 113 $(TWREPORT) -> $(SEC_CONFIG) (recurse=0) ; 114} 115 116 117# Tripwire HQ Connector Binaries 118#( 119# rulename = "Tripwire HQ Connector Binaries", 120# severity = $(SIG_HI) 121#) 122#{ 123# $(TWBIN)/hqagent -> $(SEC_BIN) ; 124#} 125# 126# Tripwire HQ Connector - Configuration Files, Keys, and Logs 127 128 ############################################################################## 129 # ## 130############################################################################## # 131# # # 132# Note: File locations here are different than in a stock HQ Connector # # 133# installation. This is because Tripwire 2.3 uses a different path # # 134# structure than Tripwire 2.2.1. # # 135# # # 136# You may need to update your HQ Agent configuation file (or this policy # # 137# file) to correct the paths. We have attempted to support the FHS standard # # 138# here by placing the HQ Agent files similarly to the way Tripwire 2.3 # # 139# places them. # # 140# ## 141############################################################################## 142 143#( 144# rulename = "Tripwire HQ Connector Data Files", 145# severity = $(SIG_HI) 146#) 147#{ 148# ############################################################################# 149# ############################################################################## 150# # NOTE: Removing the inode attribute because when Tripwire creates a backup ## 151# # it does so by renaming the old file and creating a new one (which will ## 152# # have a new inode number). Leaving inode turned on for keys, which ## 153# # shouldn't ever change. ## 154# ############################################################################# 155# 156# $(TWBIN)/agent.cfg -> $(SEC_BIN) -i ; 157# $(TWLKEY)/authentication.key -> $(SEC_BIN) ; 158# $(TWDB)/tasks.dat -> $(SEC_CONFIG) ; 159# $(TWDB)/schedule.dat -> $(SEC_CONFIG) ; 160# 161# # Uncomment if you have agent logging enabled. 162# #/var/log/tripwire/agent.log -> $(SEC_LOG) ; 163#} 164 165 166 167# Commonly accessed directories that should remain static with regards to owner and group 168( 169 rulename = "Invariant Directories", 170 severity = $(SIG_MED) 171) 172{ 173 / -> $(SEC_INVARIANT) (recurse = 0) ; 174 /home -> $(SEC_INVARIANT) (recurse = 0) ; 175 /etc -> $(SEC_INVARIANT) (recurse = 0) ; 176} 177 ################################################ 178 # ## 179################################################ # 180# # # 181# File System and Disk Administration Programs # # 182# ## 183################################################ 184 185( 186 rulename = "File System and Disk Administraton Programs", 187 severity = $(SIG_HI) 188) 189{ 190 /sbin/accton -> $(SEC_CRIT) ; 191 /sbin/badblocks -> $(SEC_CRIT) ; 192 /sbin/busybox -> $(SEC_CRIT) ; 193 /sbin/busybox.anaconda -> $(SEC_CRIT) ; 194 /sbin/convertquota -> $(SEC_CRIT) ; 195 /sbin/dosfsck -> $(SEC_CRIT) ; 196 /sbin/debugfs -> $(SEC_CRIT) ; 197 /sbin/debugreiserfs -> $(SEC_CRIT) ; 198 /sbin/dumpe2fs -> $(SEC_CRIT) ; 199 /sbin/dump -> $(SEC_CRIT) ; 200 /sbin/dump.static -> $(SEC_CRIT) ; 201 # /sbin/e2fsadm -> $(SEC_CRIT) ; tune2fs? 202 /sbin/e2fsck -> $(SEC_CRIT) ; 203 /sbin/e2label -> $(SEC_CRIT) ; 204 /sbin/fdisk -> $(SEC_CRIT) ; 205 /sbin/fsck -> $(SEC_CRIT) ; 206 /sbin/fsck.ext2 -> $(SEC_CRIT) ; 207 /sbin/fsck.ext3 -> $(SEC_CRIT) ; 208 /sbin/fsck.minix -> $(SEC_CRIT) ; 209 /sbin/fsck.msdos -> $(SEC_CRIT) ; 210 /sbin/fsck.vfat -> $(SEC_CRIT) ; 211 /sbin/ftl_check -> $(SEC_CRIT) ; 212 /sbin/ftl_format -> $(SEC_CRIT) ; 213 /sbin/hdparm -> $(SEC_CRIT) ; 214 #/sbin/lvchange -> $(SEC_CRIT) ; 215 #/sbin/lvcreate -> $(SEC_CRIT) ; 216 #/sbin/lvdisplay -> $(SEC_CRIT) ; 217 #/sbin/lvextend -> $(SEC_CRIT) ; 218 #/sbin/lvmchange -> $(SEC_CRIT) ; 219 #/sbin/lvmcreate_initrd -> $(SEC_CRIT) ; 220 #/sbin/lvmdiskscan -> $(SEC_CRIT) ; 221 #/sbin/lvmsadc -> $(SEC_CRIT) ; 222 #/sbin/lvmsar -> $(SEC_CRIT) ; 223 #/sbin/lvreduce -> $(SEC_CRIT) ; 224 #/sbin/lvremove -> $(SEC_CRIT) ; 225 #/sbin/lvrename -> $(SEC_CRIT) ; 226 #/sbin/lvscan -> $(SEC_CRIT) ; 227 /sbin/mkbootdisk -> $(SEC_CRIT) ; 228 /sbin/mkdosfs -> $(SEC_CRIT) ; 229 /sbin/mke2fs -> $(SEC_CRIT) ; 230 /sbin/mkfs -> $(SEC_CRIT) ; 231 /sbin/mkfs.bfs -> $(SEC_CRIT) ; 232 /sbin/mkfs.ext2 -> $(SEC_CRIT) ; 233 /sbin/mkfs.minix -> $(SEC_CRIT) ; 234 /sbin/mkfs.msdos -> $(SEC_CRIT) ; 235 /sbin/mkfs.vfat -> $(SEC_CRIT) ; 236 /sbin/mkinitrd -> $(SEC_CRIT) ; 237 #/sbin/mkpv -> $(SEC_CRIT) ; 238 /sbin/mkraid -> $(SEC_CRIT) ; 239 /sbin/mkreiserfs -> $(SEC_CRIT) ; 240 /sbin/mkswap -> $(SEC_CRIT) ; 241 #/sbin/mtx -> $(SEC_CRIT) ; 242 /sbin/pam_console_apply -> $(SEC_CRIT) ; 243 /sbin/parted -> $(SEC_CRIT) ; 244 /sbin/pcinitrd -> $(SEC_CRIT) ; 245 #/sbin/pvchange -> $(SEC_CRIT) ; 246 #/sbin/pvcreate -> $(SEC_CRIT) ; 247 #/sbin/pvdata -> $(SEC_CRIT) ; 248 #/sbin/pvdisplay -> $(SEC_CRIT) ; 249 #/sbin/pvmove -> $(SEC_CRIT) ; 250 #/sbin/pvscan -> $(SEC_CRIT) ; 251 /sbin/quotacheck -> $(SEC_CRIT) ; 252 /sbin/quotaon -> $(SEC_CRIT) ; 253 /sbin/raidstart -> $(SEC_CRIT) ; 254 /sbin/reiserfsck -> $(SEC_CRIT) ; 255 /sbin/resize2fs -> $(SEC_CRIT) ; 256 /sbin/resize_reiserfs -> $(SEC_CRIT) ; 257 /sbin/restore -> $(SEC_CRIT) ; 258 /sbin/restore.static -> $(SEC_CRIT) ; 259 /sbin/scsi_info -> $(SEC_CRIT) ; 260 /sbin/sfdisk -> $(SEC_CRIT) ; 261 /sbin/stinit -> $(SEC_CRIT) ; 262 #/sbin/tapeinfo -> $(SEC_CRIT) ; 263 /sbin/tune2fs -> $(SEC_CRIT) ; 264 /sbin/unpack -> $(SEC_CRIT) ; 265 /sbin/update -> $(SEC_CRIT) ; 266 #/sbin/vgcfgbackup -> $(SEC_CRIT) ; 267 #/sbin/vgcfgrestore -> $(SEC_CRIT) ; 268 #/sbin/vgchange -> $(SEC_CRIT) ; 269 #/sbin/vgck -> $(SEC_CRIT) ; 270 #/sbin/vgcreate -> $(SEC_CRIT) ; 271 #/sbin/vgdisplay -> $(SEC_CRIT) ; 272 #/sbin/vgexport -> $(SEC_CRIT) ; 273 #/sbin/vgextend -> $(SEC_CRIT) ; 274 #/sbin/vgimport -> $(SEC_CRIT) ; 275 #/sbin/vgmerge -> $(SEC_CRIT) ; 276 #/sbin/vgmknodes -> $(SEC_CRIT) ; 277 #/sbin/vgreduce -> $(SEC_CRIT) ; 278 #/sbin/vgremove -> $(SEC_CRIT) ; 279 #/sbin/vgrename -> $(SEC_CRIT) ; 280 #/sbin/vgscan -> $(SEC_CRIT) ; 281 #/sbin/vgsplit -> $(SEC_CRIT) ; 282 /bin/chgrp -> $(SEC_CRIT) ; 283 /bin/chmod -> $(SEC_CRIT) ; 284 /bin/chown -> $(SEC_CRIT) ; 285 /bin/cp -> $(SEC_CRIT) ; 286 /bin/cpio -> $(SEC_CRIT) ; 287 /bin/mount -> $(SEC_CRIT) ; 288 /bin/umount -> $(SEC_CRIT) ; 289 /bin/mkdir -> $(SEC_CRIT) ; 290 /bin/mknod -> $(SEC_CRIT) ; 291 /bin/mktemp -> $(SEC_CRIT) ; 292 /bin/rm -> $(SEC_CRIT) ; 293 /bin/rmdir -> $(SEC_CRIT) ; 294 /bin/touch -> $(SEC_CRIT) ; 295} 296 297 ################################## 298 # ## 299################################## # 300# # # 301# Kernel Administration Programs # # 302# ## 303################################## 304 305( 306 rulename = "Kernel Administration Programs", 307 severity = $(SIG_HI) 308) 309{ 310 /sbin/adjtimex -> $(SEC_CRIT) ; 311 /sbin/ctrlaltdel -> $(SEC_CRIT) ; 312 /sbin/depmod -> $(SEC_CRIT) ; 313 /sbin/insmod -> $(SEC_CRIT) ; 314 /sbin/insmod.static -> $(SEC_CRIT) ; 315 /sbin/insmod_ksymoops_clean -> $(SEC_CRIT) ; 316 /sbin/klogd -> $(SEC_CRIT) ; 317 /sbin/ldconfig -> $(SEC_CRIT) ; 318 /sbin/minilogd -> $(SEC_CRIT) ; 319 /sbin/modinfo -> $(SEC_CRIT) ; 320 #/sbin/nuactlun -> $(SEC_CRIT) ; 321 #/sbin/nuscsitcpd -> $(SEC_CRIT) ; 322 /sbin/pivot_root -> $(SEC_CRIT) ; 323 /sbin/sndconfig -> $(SEC_CRIT) ; 324 /sbin/sysctl -> $(SEC_CRIT) ; 325} 326 327 ####################### 328 # ## 329####################### # 330# # # 331# Networking Programs # # 332# ## 333####################### 334 335( 336 rulename = "Networking Programs", 337 severity = $(SIG_HI) 338) 339{ 340 /etc/sysconfig/network-scripts/ifdown -> $(SEC_CRIT) ; 341 /etc/sysconfig/network-scripts/ifdown-cipcb -> $(SEC_CRIT) ; 342 /etc/sysconfig/network-scripts/ifdown-ippp -> $(SEC_CRIT) ; 343 /etc/sysconfig/network-scripts/ifdown-ipv6 -> $(SEC_CRIT) ; 344 /etc/sysconfig/network-scripts/ifdown-isdn -> $(SEC_CRIT) ; 345 /etc/sysconfig/network-scripts/ifdown-post -> $(SEC_CRIT) ; 346 /etc/sysconfig/network-scripts/ifdown-ppp -> $(SEC_CRIT) ; 347 /etc/sysconfig/network-scripts/ifdown-sit -> $(SEC_CRIT) ; 348 /etc/sysconfig/network-scripts/ifdown-sl -> $(SEC_CRIT) ; 349 /etc/sysconfig/network-scripts/ifup -> $(SEC_CRIT) ; 350 /etc/sysconfig/network-scripts/ifup-aliases -> $(SEC_CRIT) ; 351 /etc/sysconfig/network-scripts/ifup-cipcb -> $(SEC_CRIT) ; 352 /etc/sysconfig/network-scripts/ifup-ippp -> $(SEC_CRIT) ; 353 /etc/sysconfig/network-scripts/ifup-ipv6 -> $(SEC_CRIT) ; 354 /etc/sysconfig/network-scripts/ifup-isdn -> $(SEC_CRIT) ; 355 /etc/sysconfig/network-scripts/ifup-plip -> $(SEC_CRIT) ; 356 /etc/sysconfig/network-scripts/ifup-plusb -> $(SEC_CRIT) ; 357 /etc/sysconfig/network-scripts/ifup-post -> $(SEC_CRIT) ; 358 /etc/sysconfig/network-scripts/ifup-ppp -> $(SEC_CRIT) ; 359 /etc/sysconfig/network-scripts/ifup-routes -> $(SEC_CRIT) ; 360 /etc/sysconfig/network-scripts/ifup-sit -> $(SEC_CRIT) ; 361 /etc/sysconfig/network-scripts/ifup-sl -> $(SEC_CRIT) ; 362 /etc/sysconfig/network-scripts/ifup-wireless -> $(SEC_CRIT) ; 363 /etc/sysconfig/network-scripts/network-functions -> $(SEC_CRIT) ; 364 /etc/sysconfig/network-scripts/network-functions-ipv6 -> $(SEC_CRIT) ; 365 /bin/ping -> $(SEC_CRIT) ; 366 /sbin/agetty -> $(SEC_CRIT) ; 367 /sbin/arp -> $(SEC_CRIT) ; 368 /sbin/arping -> $(SEC_CRIT) ; 369 /sbin/dhcpcd -> $(SEC_CRIT) ; 370 /sbin/ether-wake -> $(SEC_CRIT) ; 371 #/sbin/getty -> $(SEC_CRIT) ; 372 /sbin/ifcfg -> $(SEC_CRIT) ; 373 /sbin/ifconfig -> $(SEC_CRIT) ; 374 /sbin/ifdown -> $(SEC_CRIT) ; 375 /sbin/ifenslave -> $(SEC_CRIT) ; 376 /sbin/ifport -> $(SEC_CRIT) ; 377 /sbin/ifup -> $(SEC_CRIT) ; 378 /sbin/ifuser -> $(SEC_CRIT) ; 379 /sbin/ip -> $(SEC_CRIT) ; 380 /sbin/ip6tables -> $(SEC_CRIT) ; 381 /sbin/ipchains -> $(SEC_CRIT) ; 382 /sbin/ipchains-restore -> $(SEC_CRIT) ; 383 /sbin/ipchains-save -> $(SEC_CRIT) ; 384 /sbin/ipfwadm -> $(SEC_CRIT) ; 385 /sbin/ipmaddr -> $(SEC_CRIT) ; 386 /sbin/iptables -> $(SEC_CRIT) ; 387 /sbin/iptables-restore -> $(SEC_CRIT) ; 388 /sbin/iptables-save -> $(SEC_CRIT) ; 389 /sbin/iptunnel -> $(SEC_CRIT) ; 390 #/sbin/ipvsadm -> $(SEC_CRIT) ; 391 #/sbin/ipvsadm-restore -> $(SEC_CRIT) ; 392 #/sbin/ipvsadm-save -> $(SEC_CRIT) ; 393 /sbin/ipx_configure -> $(SEC_CRIT) ; 394 /sbin/ipx_interface -> $(SEC_CRIT) ; 395 /sbin/ipx_internal_net -> $(SEC_CRIT) ; 396 /sbin/iwconfig -> $(SEC_CRIT) ; 397 /sbin/iwgetid -> $(SEC_CRIT) ; 398 /sbin/iwlist -> $(SEC_CRIT) ; 399 /sbin/iwpriv -> $(SEC_CRIT) ; 400 /sbin/iwspy -> $(SEC_CRIT) ; 401 /sbin/mgetty -> $(SEC_CRIT) ; 402 /sbin/mingetty -> $(SEC_CRIT) ; 403 /sbin/nameif -> $(SEC_CRIT) ; 404 /sbin/netreport -> $(SEC_CRIT) ; 405 /sbin/plipconfig -> $(SEC_CRIT) ; 406 /sbin/portmap -> $(SEC_CRIT) ; 407 /sbin/ppp-watch -> $(SEC_CRIT) ; 408 #/sbin/rarp -> $(SEC_CRIT) ; 409 /sbin/route -> $(SEC_CRIT) ; 410 /sbin/slattach -> $(SEC_CRIT) ; 411 /sbin/tc -> $(SEC_CRIT) ; 412 #/sbin/uugetty -> $(SEC_CRIT) ; 413 /sbin/vgetty -> $(SEC_CRIT) ; 414 /sbin/ypbind -> $(SEC_CRIT) ; 415} 416 417 ################################## 418 # ## 419################################## # 420# # # 421# System Administration Programs # # 422# ## 423################################## 424 425( 426 rulename = "System Administration Programs", 427 severity = $(SIG_HI) 428) 429{ 430 /sbin/chkconfig -> $(SEC_CRIT) ; 431 /sbin/fuser -> $(SEC_CRIT) ; 432 /sbin/halt -> $(SEC_CRIT) ; 433 /sbin/init -> $(SEC_CRIT) ; 434 /sbin/initlog -> $(SEC_CRIT) ; 435 /sbin/install-info -> $(SEC_CRIT) ; 436 /sbin/killall5 -> $(SEC_CRIT) ; 437 #/sbin/linuxconf -> $(SEC_CRIT) ; 438 #/sbin/linuxconf-auth -> $(SEC_CRIT) ; 439 /sbin/pam_tally -> $(SEC_CRIT) ; 440 /sbin/pwdb_chkpwd -> $(SEC_CRIT) ; 441 #/sbin/remadmin -> $(SEC_CRIT) ; 442 /sbin/rescuept -> $(SEC_CRIT) ; 443 /sbin/rmt -> $(SEC_CRIT) ; 444 /sbin/rpc.lockd -> $(SEC_CRIT) ; 445 /sbin/rpc.statd -> $(SEC_CRIT) ; 446 /sbin/rpcdebug -> $(SEC_CRIT) ; 447 /sbin/service -> $(SEC_CRIT) ; 448 /sbin/setsysfont -> $(SEC_CRIT) ; 449 /sbin/shutdown -> $(SEC_CRIT) ; 450 /sbin/sulogin -> $(SEC_CRIT) ; 451 /sbin/swapon -> $(SEC_CRIT) ; 452 /sbin/syslogd -> $(SEC_CRIT) ; 453 /sbin/unix_chkpwd -> $(SEC_CRIT) ; 454 /bin/pwd -> $(SEC_CRIT) ; 455 /bin/uname -> $(SEC_CRIT) ; 456} 457 458 ######################################## 459 # ## 460######################################## # 461# # # 462# Hardware and Device Control Programs # # 463# ## 464######################################## 465( 466 rulename = "Hardware and Device Control Programs", 467 severity = $(SIG_HI) 468) 469{ 470 /bin/setserial -> $(SEC_CRIT) ; 471 /bin/sfxload -> $(SEC_CRIT) ; 472 /sbin/blockdev -> $(SEC_CRIT) ; 473 /sbin/cardctl -> $(SEC_CRIT) ; 474 /sbin/cardmgr -> $(SEC_CRIT) ; 475 /sbin/cbq -> $(SEC_CRIT) ; 476 /sbin/dump_cis -> $(SEC_CRIT) ; 477 /sbin/elvtune -> $(SEC_CRIT) ; 478 /sbin/hotplug -> $(SEC_CRIT) ; 479 /sbin/hwclock -> $(SEC_CRIT) ; 480 /sbin/ide_info -> $(SEC_CRIT) ; 481 #/sbin/isapnp -> $(SEC_CRIT) ; 482 /sbin/kbdrate -> $(SEC_CRIT) ; 483 /sbin/losetup -> $(SEC_CRIT) ; 484 /sbin/lspci -> $(SEC_CRIT) ; 485 /sbin/lspnp -> $(SEC_CRIT) ; 486 /sbin/mii-tool -> $(SEC_CRIT) ; 487 /sbin/pack_cis -> $(SEC_CRIT) ; 488 #/sbin/pnpdump -> $(SEC_CRIT) ; 489 /sbin/probe -> $(SEC_CRIT) ; 490 /sbin/pump -> $(SEC_CRIT) ; 491 /sbin/setpci -> $(SEC_CRIT) ; 492 /sbin/shapecfg -> $(SEC_CRIT) ; 493} 494 495 ############################### 496 # ## 497############################### # 498# # # 499# System Information Programs # # 500# ## 501############################### 502( 503 rulename = "System Information Programs", 504 severity = $(SIG_HI) 505) 506{ 507 /sbin/consoletype -> $(SEC_CRIT) ; 508 /sbin/kernelversion -> $(SEC_CRIT) ; 509 /sbin/runlevel -> $(SEC_CRIT) ; 510} 511 512 #################################### 513 # ## 514#################################### # 515# # # 516# Application Information Programs # # 517# ## 518#################################### 519 520( 521 rulename = "Application Information Programs", 522 severity = $(SIG_HI) 523) 524{ 525 /sbin/genksyms -> $(SEC_CRIT) ; 526 #/sbin/genksyms.old -> $(SEC_CRIT) ; 527 /sbin/rtmon -> $(SEC_CRIT) ; 528} 529 530 ########################## 531 # ## 532########################## # 533# # # 534# Shell Related Programs # # 535# ## 536########################## 537( 538 rulename = "Shell Related Programs", 539 severity = $(SIG_HI) 540) 541{ 542 /sbin/getkey -> $(SEC_CRIT) ; 543 /sbin/nash -> $(SEC_CRIT) ; 544 /sbin/sash -> $(SEC_CRIT) ; 545} 546 547 548 ################ 549 # ## 550################ # 551# # # 552# OS Utilities # # 553# ## 554################ 555( 556 rulename = "Operating System Utilities", 557 severity = $(SIG_HI) 558) 559{ 560 /bin/arch -> $(SEC_CRIT) ; 561 /bin/ash -> $(SEC_CRIT) ; 562 /bin/ash.static -> $(SEC_CRIT) ; 563 /bin/aumix-minimal -> $(SEC_CRIT) ; 564 /bin/basename -> $(SEC_CRIT) ; 565 /bin/cat -> $(SEC_CRIT) ; 566 /bin/consolechars -> $(SEC_CRIT) ; 567 /bin/cut -> $(SEC_CRIT) ; 568 /bin/date -> $(SEC_CRIT) ; 569 /bin/dd -> $(SEC_CRIT) ; 570 /bin/df -> $(SEC_CRIT) ; 571 /bin/dmesg -> $(SEC_CRIT) ; 572 /bin/doexec -> $(SEC_CRIT) ; 573 /bin/echo -> $(SEC_CRIT) ; 574 /bin/ed -> $(SEC_CRIT) ; 575 /bin/egrep -> $(SEC_CRIT) ; 576 /bin/false -> $(SEC_CRIT) ; 577 /bin/fgrep -> $(SEC_CRIT) ; 578 /bin/gawk -> $(SEC_CRIT) ; 579 /bin/gawk-3.1.0 -> $(SEC_CRIT) ; 580 /bin/gettext -> $(SEC_CRIT) ; 581 /bin/grep -> $(SEC_CRIT) ; 582 /bin/gunzip -> $(SEC_CRIT) ; 583 /bin/gzip -> $(SEC_CRIT) ; 584 /bin/hostname -> $(SEC_CRIT) ; 585 /bin/igawk -> $(SEC_CRIT) ; 586 /bin/ipcalc -> $(SEC_CRIT) ; 587 /bin/kill -> $(SEC_CRIT) ; 588 /bin/ln -> $(SEC_CRIT) ; 589 /bin/loadkeys -> $(SEC_CRIT) ; 590 /bin/login -> $(SEC_CRIT) ; 591 /bin/ls -> $(SEC_CRIT) ; 592 /bin/mail -> $(SEC_CRIT) ; 593 /bin/more -> $(SEC_CRIT) ; 594 /bin/mt -> $(SEC_CRIT) ; 595 /bin/mv -> $(SEC_CRIT) ; 596 /bin/netstat -> $(SEC_CRIT) ; 597 /bin/nice -> $(SEC_CRIT) ; 598 /bin/pgawk -> $(SEC_CRIT) ; 599 /bin/ps -> $(SEC_CRIT) ; 600 /bin/rpm -> $(SEC_CRIT) ; 601 /bin/sed -> $(SEC_CRIT) ; 602 /bin/sleep -> $(SEC_CRIT) ; 603 /bin/sort -> $(SEC_CRIT) ; 604 /bin/stty -> $(SEC_CRIT) ; 605 /bin/su -> $(SEC_CRIT) ; 606 /bin/sync -> $(SEC_CRIT) ; 607 /bin/tar -> $(SEC_CRIT) ; 608 /bin/true -> $(SEC_CRIT) ; 609 /bin/usleep -> $(SEC_CRIT) ; 610 /bin/vi -> $(SEC_CRIT) ; 611 /bin/zcat -> $(SEC_CRIT) ; 612 /bin/zsh -> $(SEC_CRIT) ; 613 #/bin/zsh-4.0.2 -> $(SEC_CRIT) ; 614 /sbin/sln -> $(SEC_CRIT) ; 615 /usr/bin/vimtutor -> $(SEC_CRIT) ; 616} 617 618 ############################## 619 # ## 620############################## # 621# # # 622# Critical Utility Sym-Links # # 623# ## 624############################## 625( 626 rulename = "Critical Utility Sym-Links", 627 severity = $(SIG_HI) 628) 629{ 630 #/sbin/askrunlevel -> $(SEC_CRIT) ; 631 /sbin/clock -> $(SEC_CRIT) ; 632 #/sbin/fixperm -> $(SEC_CRIT) ; 633 /sbin/fsck.reiserfs -> $(SEC_CRIT) ; 634 #/sbin/fsconf -> $(SEC_CRIT) ; 635 /sbin/ipfwadm-wrapper -> $(SEC_CRIT) ; 636 /sbin/kallsyms -> $(SEC_CRIT) ; 637 /sbin/ksyms -> $(SEC_CRIT) ; 638 /sbin/lsmod -> $(SEC_CRIT) ; 639 #/sbin/mailconf -> $(SEC_CRIT) ; 640 /sbin/mkfs.reiserfs -> $(SEC_CRIT) ; 641 #/sbin/modemconf -> $(SEC_CRIT) ; 642 /sbin/modprobe -> $(SEC_CRIT) ; 643 /sbin/mount.ncp -> $(SEC_CRIT) ; 644 /sbin/mount.ncpfs -> $(SEC_CRIT) ; 645 /sbin/mount.smb -> $(SEC_CRIT) ; 646 /sbin/mount.smbfs -> $(SEC_CRIT) ; 647 #/sbin/netconf -> $(SEC_CRIT) ; 648 /sbin/pidof -> $(SEC_CRIT) ; 649 /sbin/poweroff -> $(SEC_CRIT) ; 650 /sbin/quotaoff -> $(SEC_CRIT) ; 651 /sbin/raid0run -> $(SEC_CRIT) ; 652 /sbin/raidhotadd -> $(SEC_CRIT) ; 653 /sbin/raidhotgenerateerror -> $(SEC_CRIT) ; 654 /sbin/raidhotremove -> $(SEC_CRIT) ; 655 /sbin/raidstop -> $(SEC_CRIT) ; 656 /sbin/rdump -> $(SEC_CRIT) ; 657 /sbin/rdump.static -> $(SEC_CRIT) ; 658 /sbin/reboot -> $(SEC_CRIT) ; 659 /sbin/rmmod -> $(SEC_CRIT) ; 660 /sbin/rrestore -> $(SEC_CRIT) ; 661 /sbin/rrestore.static -> $(SEC_CRIT) ; 662 /sbin/swapoff -> $(SEC_CRIT) ; 663 /sbin/telinit -> $(SEC_CRIT) ; 664 #/sbin/userconf -> $(SEC_CRIT) ; 665 #/sbin/uucpconf -> $(SEC_CRIT) ; 666 #/sbin/vregistry -> $(SEC_CRIT) ; 667 /bin/awk -> $(SEC_CRIT) ; 668 /bin/bash2 -> $(SEC_CRIT) ; 669 /bin/bsh -> $(SEC_CRIT) ; 670 /bin/csh -> $(SEC_CRIT) ; 671 /bin/dnsdomainname -> $(SEC_CRIT) ; 672 /bin/domainname -> $(SEC_CRIT) ; 673 /bin/ex -> $(SEC_CRIT) ; 674 /bin/gtar -> $(SEC_CRIT) ; 675 /bin/nisdomainname -> $(SEC_CRIT) ; 676 /bin/red -> $(SEC_CRIT) ; 677 /bin/rvi -> $(SEC_CRIT) ; 678 /bin/rview -> $(SEC_CRIT) ; 679 /bin/view -> $(SEC_CRIT) ; 680 /bin/ypdomainname -> $(SEC_CRIT) ; 681} 682 683 684 ######################### 685 # ## 686######################### # 687# # # 688# Temporary directories # # 689# ## 690######################### 691( 692 rulename = "Temporary directories", 693 recurse = false, 694 severity = $(SIG_LOW) 695) 696{ 697 /usr/tmp -> $(SEC_INVARIANT) ; 698 /var/tmp -> $(SEC_INVARIANT) ; 699 /tmp -> $(SEC_INVARIANT) ; 700} 701 702 ############### 703 # ## 704############### # 705# # # 706# Local files # # 707# ## 708############### 709( 710 rulename = "User binaries", 711 severity = $(SIG_MED) 712) 713{ 714 /sbin -> $(SEC_BIN) (recurse = 1) ; 715 /usr/bin -> $(SEC_BIN) (recurse = 1) ; 716 /usr/sbin -> $(SEC_BIN) (recurse = 1) ; 717 /usr/local/bin -> $(SEC_BIN) (recurse = 1) ; 718} 719 720( 721 rulename = "Shell Binaries", 722 severity = $(SIG_HI) 723) 724{ 725 /bin/bash -> $(SEC_BIN) ; 726 /bin/ksh -> $(SEC_BIN) ; 727 # /bin/psh -> $(SEC_BIN) ; # No longer used? 728 # /bin/Rsh -> $(SEC_BIN) ; # No longer used? 729 /bin/sh -> $(SEC_BIN) ; 730 # /bin/shell -> $(SEC_SUID) ; # No longer used? 731 # /bin/tsh -> $(SEC_BIN) ; # No longer used? 732 /bin/tcsh -> $(SEC_BIN) ; 733 /sbin/nologin -> $(SEC_BIN) ; 734} 735 736( 737 rulename = "Security Control", 738 severity = $(SIG_HI) 739) 740{ 741 /etc/group -> $(SEC_CRIT) ; 742 /etc/security -> $(SEC_CRIT) ; 743 #/var/spool/cron/crontabs -> $(SEC_CRIT) ; # Uncomment when this file exists 744} 745 746#( 747# rulename = "Boot Scripts", 748# severity = $(SIG_HI) 749#) 750#{ 751# /etc/rc -> $(SEC_CONFIG) ; 752# /etc/rc.bsdnet -> $(SEC_CONFIG) ; 753# /etc/rc.dt -> $(SEC_CONFIG) ; 754# /etc/rc.net -> $(SEC_CONFIG) ; 755# /etc/rc.net.serial -> $(SEC_CONFIG) ; 756# /etc/rc.nfs -> $(SEC_CONFIG) ; 757# /etc/rc.powerfail -> $(SEC_CONFIG) ; 758# /etc/rc.tcpip -> $(SEC_CONFIG) ; 759# /etc/trcfmt.Z -> $(SEC_CONFIG) ; 760#} 761 762( 763 rulename = "Login Scripts", 764 severity = $(SIG_HI) 765) 766{ 767 /etc/bashrc -> $(SEC_CONFIG) ; 768 /etc/csh.cshrc -> $(SEC_CONFIG) ; 769 /etc/csh.login -> $(SEC_CONFIG) ; 770 /etc/inputrc -> $(SEC_CONFIG) ; 771 # /etc/tsh_profile -> $(SEC_CONFIG) ; #Uncomment when this file exists 772 /etc/profile -> $(SEC_CONFIG) ; 773} 774 775# Libraries 776( 777 rulename = "Libraries", 778 severity = $(SIG_MED) 779) 780{ 781 /usr/lib -> $(SEC_BIN) ; 782 /usr/local/lib -> $(SEC_BIN) ; 783} 784 785 786 ###################################################### 787 # ## 788###################################################### # 789# # # 790# Critical System Boot Files # # 791# These files are critical to a correct system boot. # # 792# ## 793###################################################### 794 795( 796 rulename = "Critical system boot files", 797 severity = $(SIG_HI) 798) 799{ 800 /boot -> $(SEC_CRIT) ; 801 #/sbin/devfsd -> $(SEC_CRIT) ; 802 /sbin/grub -> $(SEC_CRIT) ; 803 /sbin/grub-install -> $(SEC_CRIT) ; 804 /sbin/grub-md5-crypt -> $(SEC_CRIT) ; 805 /sbin/installkernel -> $(SEC_CRIT) ; 806 /sbin/lilo -> $(SEC_CRIT) ; 807 /sbin/mkkerneldoth -> $(SEC_CRIT) ; 808 !/boot/System.map ; 809 !/boot/module-info ; 810 /usr/share/grub/i386-redhat/e2fs_stage1_5 -> $(SEC_CRIT) ; 811 /usr/share/grub/i386-redhat/fat_stage1_5 -> $(SEC_CRIT) ; 812 /usr/share/grub/i386-redhat/ffs_stage1_5 -> $(SEC_CRIT) ; 813 /usr/share/grub/i386-redhat/minix_stage1_5 -> $(SEC_CRIT) ; 814 /usr/share/grub/i386-redhat/reiserfs_stage1_5 -> $(SEC_CRIT) ; 815 /usr/share/grub/i386-redhat/stage1 -> $(SEC_CRIT) ; 816 /usr/share/grub/i386-redhat/stage2 -> $(SEC_CRIT) ; 817 /usr/share/grub/i386-redhat/vstafs_stage1_5 -> $(SEC_CRIT) ; 818 # other boot files may exist. Look for: 819 #/ufsboot -> $(SEC_CRIT) ; 820} 821 ################################################## 822 ################################################### 823 # These files change every time the system boots ## 824 ################################################## 825( 826 rulename = "System boot changes", 827 severity = $(SIG_HI) 828) 829{ 830 !/var/run/ftp.pids-all ; # Comes and goes on reboot. 831 !/root/.enlightenment ; 832 /dev/log -> $(SEC_CONFIG) ; 833 /dev/cua0 -> $(SEC_CONFIG) ; 834 # /dev/printer -> $(SEC_CONFIG) ; # Uncomment if you have a printer device 835 /dev/console -> $(SEC_CONFIG) -u ; # User ID may change on console login/logout. 836 /dev/tty1 -> $(SEC_CONFIG) ; # tty devices 837 /dev/tty2 -> $(SEC_CONFIG) ; # tty devices 838 /dev/tty3 -> $(SEC_CONFIG) ; # are extremely 839 /dev/tty4 -> $(SEC_CONFIG) ; # variable 840 /dev/tty5 -> $(SEC_CONFIG) ; 841 /dev/tty6 -> $(SEC_CONFIG) ; 842 /dev/urandom -> $(SEC_CONFIG) ; 843 /dev/initctl -> $(SEC_CONFIG) ; 844 /var/lock/subsys -> $(SEC_CONFIG) ; 845 #/var/lock/subsys/amd -> $(SEC_CONFIG) ; 846 /var/lock/subsys/anacron -> $(SEC_CONFIG) ; 847 /var/lock/subsys/apmd -> $(SEC_CONFIG) ; 848 #/var/lock/subsys/arpwatch -> $(SEC_CONFIG) ; 849 /var/lock/subsys/atd -> $(SEC_CONFIG) ; 850 /var/lock/subsys/autofs -> $(SEC_CONFIG) ; 851 #/var/lock/subsys/bcm5820 -> $(SEC_CONFIG) ; 852 #/var/lock/subsys/bgpd -> $(SEC_CONFIG) ; 853 #/var/lock/subsys/bootparamd -> $(SEC_CONFIG) ; 854 #/var/lock/subsys/canna -> $(SEC_CONFIG) ; 855 /var/lock/subsys/crond -> $(SEC_CONFIG) ; 856 #/var/lock/subsys/cWnn -> $(SEC_CONFIG) ; 857 #/var/lock/subsys/dhcpd -> $(SEC_CONFIG) ; 858 #/var/lock/subsys/firewall -> $(SEC_CONFIG) ; 859 #/var/lock/subsys/freeWnn -> $(SEC_CONFIG) ; 860 #/var/lock/subsys/gated -> $(SEC_CONFIG) ; 861 /var/lock/subsys/gpm -> $(SEC_CONFIG) ; 862 #/var/lock/subsys/httpd -> $(SEC_CONFIG) ; 863 #/var/lock/subsys/identd -> $(SEC_CONFIG) ; 864 #/var/lock/subsys/innd -> $(SEC_CONFIG) ; 865 /var/lock/subsys/ipchains -> $(SEC_CONFIG) ; 866 #/var/lock/subsys/iptables -> $(SEC_CONFIG) ; 867 #/var/lock/subsys/ipvsadm -> $(SEC_CONFIG) ; 868 #/var/lock/subsys/irda -> $(SEC_CONFIG) ; 869 #/var/lock/subsys/iscsi -> $(SEC_CONFIG) ; 870 #/var/lock/subsys/isdn -> $(SEC_CONFIG) ; 871 #/var/lock/subsys/junkbuster -> $(SEC_CONFIG) ; 872 #/var/lock/subsys/kadmin -> $(SEC_CONFIG) ; 873 /var/lock/subsys/keytable -> $(SEC_CONFIG) ; 874 #/var/lock/subsys/kprop -> $(SEC_CONFIG) ; 875 #/var/lock/subsys/krb524 -> $(SEC_CONFIG) ; 876 #/var/lock/subsys/krb5kdc -> $(SEC_CONFIG) ; 877 /var/lock/subsys/kudzu -> $(SEC_CONFIG) ; 878 #/var/lock/subsys/kWnn -> $(SEC_CONFIG) ; 879 #/var/lock/subsys/ldap -> $(SEC_CONFIG) ; 880 #/var/lock/subsys/linuxconf -> $(SEC_CONFIG) ; 881 #/var/lock/subsys/lpd -> $(SEC_CONFIG) ; 882 #/var/lock/subsys/mars_nwe -> $(SEC_CONFIG) ; 883 #/var/lock/subsys/mcserv -> $(SEC_CONFIG) ; 884 #/var/lock/subsys/mysqld -> $(SEC_CONFIG) ; 885 #/var/lock/subsys/named -> $(SEC_CONFIG) ; 886 /var/lock/subsys/netfs -> $(SEC_CONFIG) ; 887 /var/lock/subsys/network -> $(SEC_CONFIG) ; 888 #/var/lock/subsys/nfs -> $(SEC_CONFIG) ; 889 /var/lock/subsys/nfslock -> $(SEC_CONFIG) ; 890 #/var/lock/subsys/nscd -> $(SEC_CONFIG) ; 891 #/var/lock/subsys/ntpd -> $(SEC_CONFIG) ; 892 #/var/lock/subsys/ospf6d -> $(SEC_CONFIG) ; 893 #/var/lock/subsys/ospfd -> $(SEC_CONFIG) ; 894 /var/lock/subsys/pcmcia -> $(SEC_CONFIG) ; 895 /var/lock/subsys/portmap -> $(SEC_CONFIG) ; 896 #/var/lock/subsys/postgresql -> $(SEC_CONFIG) ; 897 #/var/lock/subsys/pxe -> $(SEC_CONFIG) ; 898 #/var/lock/subsys/radvd -> $(SEC_CONFIG) ; 899 /var/lock/subsys/random -> $(SEC_CONFIG) ; 900 #/var/lock/subsys/rarpd -> $(SEC_CONFIG) ; 901 /var/lock/subsys/reconfig -> $(SEC_CONFIG) ; 902 /var/lock/subsys/rhnsd -> $(SEC_CONFIG) ; 903 #/var/lock/subsys/ripd -> $(SEC_CONFIG) ; 904 #/var/lock/subsys/ripngd -> $(SEC_CONFIG) ; 905 #/var/lock/subsys/routed -> $(SEC_CONFIG) ; 906 #/var/lock/subsys/rstatd -> $(SEC_CONFIG) ; 907 #/var/lock/subsys/rusersd -> $(SEC_CONFIG) ; 908 #/var/lock/subsys/rwalld -> $(SEC_CONFIG) ; 909 #/var/lock/subsys/rwhod -> $(SEC_CONFIG) ; 910 /var/lock/subsys/sendmail -> $(SEC_CONFIG) ; 911 #/var/lock/subsys/smb -> $(SEC_CONFIG) ; 912 #/var/lock/subsys/snmpd -> $(SEC_CONFIG) ; 913 #/var/lock/subsys/squid -> $(SEC_CONFIG) ; 914 /var/lock/subsys/sshd -> $(SEC_CONFIG) ; 915 /var/lock/subsys/syslog -> $(SEC_CONFIG) ; 916 #/var/lock/subsys/tux -> $(SEC_CONFIG) ; 917 #/var/lock/subsys/tWnn -> $(SEC_CONFIG) ; 918 #/var/lock/subsys/ups -> $(SEC_CONFIG) ; 919 #/var/lock/subsys/vncserver -> $(SEC_CONFIG) ; 920 #/var/lock/subsys/wine -> $(SEC_CONFIG) ; 921 /var/lock/subsys/xfs -> $(SEC_CONFIG) ; 922 /var/lock/subsys/xinetd -> $(SEC_CONFIG) ; 923 /var/lock/subsys/ypbind -> $(SEC_CONFIG) ; 924 #/var/lock/subsys/yppasswdd -> $(SEC_CONFIG) ; 925 #/var/lock/subsys/ypserv -> $(SEC_CONFIG) ; 926 #/var/lock/subsys/ypxfrd -> $(SEC_CONFIG) ; 927 #/var/lock/subsys/zebra -> $(SEC_CONFIG) ; 928 /var/run -> $(SEC_CONFIG) ; 929 /var/log -> $(SEC_CONFIG) ; 930 /etc/ioctl.save -> $(SEC_CONFIG) ; 931 /etc/issue.net -> $(SEC_CONFIG) -i ; # Inode number changes 932 /etc/issue -> $(SEC_CONFIG) ; 933 /etc/mtab -> $(SEC_CONFIG) -i ; # Inode number changes on any mount/unmount 934 /lib/modules -> $(SEC_CONFIG) ; 935 /etc/.pwd.lock -> $(SEC_CONFIG) ; 936 # /lib/modules/preferred -> $(SEC_CONFIG) ; #Uncomment when this file exists 937} 938 939# These files change the behavior of the root account 940( 941 rulename = "Root config files", 942 severity = 100 943) 944{ 945 /root -> $(SEC_CRIT) ; # Catch all additions to /root 946 #/root/.Xresources -> $(SEC_CONFIG) ; 947 /root/.bashrc -> $(SEC_CONFIG) ; 948 /root/.bash_profile -> $(SEC_CONFIG) ; 949 /root/.bash_logout -> $(SEC_CONFIG) ; 950 /root/.cshrc -> $(SEC_CONFIG) ; 951 /root/.tcshrc -> $(SEC_CONFIG) ; 952 /root/Mail -> $(SEC_CONFIG) ; 953 #/root/mail -> $(SEC_CONFIG) ; 954 #/root/.amandahosts -> $(SEC_CONFIG) ; 955 #/root/.addressbook.lu -> $(SEC_CONFIG) ; 956 #/root/.addressbook -> $(SEC_CONFIG) ; 957 /root/.bash_history -> $(SEC_CONFIG) ; 958 /root/.elm -> $(SEC_CONFIG) ; 959 #/root/.esd_auth -> $(SEC_CONFIG) ; 960 /root/.gnome_private -> $(SEC_CONFIG) ; 961 /root/.gnome-desktop -> $(SEC_CONFIG) ; 962 /root/.gnome -> $(SEC_CONFIG) ; 963 /root/.ICEauthority -> $(SEC_CONFIG) ; 964 #/root/.mc -> $(SEC_CONFIG) ; 965 #/root/.pinerc -> $(SEC_CONFIG) ; 966 /root/.sawfish -> $(SEC_CONFIG) ; 967 /root/.Xauthority -> $(SEC_CONFIG) -i ; # Changes Inode number on login 968 #/root/.xauth -> $(SEC_CONFIG) ; 969 /root/.xsession-errors -> $(SEC_CONFIG) ; 970} 971 972 ################################ 973 # ## 974################################ # 975# # # 976# Critical configuration files # # 977# ## 978################################ 979( 980 rulename = "Critical configuration files", 981 severity = $(SIG_HI) 982) 983{ 984 #/etc/conf.linuxconf -> $(SEC_BIN) ; 985 /etc/crontab -> $(SEC_BIN) ; 986 /etc/cron.hourly -> $(SEC_BIN) ; 987 /etc/cron.daily -> $(SEC_BIN) ; 988 /etc/cron.weekly -> $(SEC_BIN) ; 989 /etc/cron.monthly -> $(SEC_BIN) ; 990 /etc/default -> $(SEC_BIN) ; 991 /etc/fstab -> $(SEC_BIN) ; 992 /etc/exports -> $(SEC_BIN) ; 993 /etc/group- -> $(SEC_BIN) ; # changes should be infrequent 994 /etc/host.conf -> $(SEC_BIN) ; 995 /etc/hosts.allow -> $(SEC_BIN) ; 996 /etc/hosts.deny -> $(SEC_BIN) ; 997 /etc/httpd/conf -> $(SEC_BIN) ; # changes should be infrequent 998 /etc/protocols -> $(SEC_BIN) ; 999 /etc/services -> $(SEC_BIN) ; 1000 /etc/rc.d/init.d -> $(SEC_BIN) ; 1001 /etc/rc.d -> $(SEC_BIN) ; 1002 /etc/mail.rc -> $(SEC_BIN) ; 1003 /etc/modules.conf -> $(SEC_BIN) ; 1004 /etc/motd -> $(SEC_BIN) ; 1005 /etc/named.conf -> $(SEC_BIN) ; 1006 /etc/passwd -> $(SEC_CONFIG) ; 1007 /etc/passwd- -> $(SEC_CONFIG) ; 1008 /etc/profile.d -> $(SEC_BIN) ; 1009 /var/lib/nfs/rmtab -> $(SEC_BIN) ; 1010 /usr/sbin/fixrmtab -> $(SEC_BIN) ; 1011 /etc/rpc -> $(SEC_BIN) ; 1012 /etc/sysconfig -> $(SEC_BIN) ; 1013 /etc/samba/smb.conf -> $(SEC_CONFIG) ; 1014 #/etc/gettydefs -> $(SEC_BIN) ; 1015 /etc/nsswitch.conf -> $(SEC_BIN) ; 1016 /etc/yp.conf -> $(SEC_BIN) ; 1017 /etc/hosts -> $(SEC_CONFIG) ; 1018 /etc/xinetd.conf -> $(SEC_CONFIG) ; 1019 /etc/inittab -> $(SEC_CONFIG) ; 1020 /etc/resolv.conf -> $(SEC_CONFIG) ; 1021 /etc/syslog.conf -> $(SEC_CONFIG) ; 1022} 1023 1024 #################### 1025 # ## 1026#################### # 1027# # # 1028# Critical devices # # 1029# ## 1030#################### 1031( 1032 rulename = "Critical devices", 1033 severity = $(SIG_HI), 1034 recurse = false 1035) 1036{ 1037 /dev/kmem -> $(Device) ; 1038 /dev/mem -> $(Device) ; 1039 /dev/null -> $(Device) ; 1040 /dev/zero -> $(Device) ; 1041 /proc/devices -> $(Device) ; 1042 /proc/net -> $(Device) ; 1043 /proc/sys -> $(Device) ; 1044 /proc/cpuinfo -> $(Device) ; 1045 /proc/modules -> $(Device) ; 1046 /proc/mounts -> $(Device) ; 1047 /proc/dma -> $(Device) ; 1048 /proc/filesystems -> $(Device) ; 1049 /proc/pci -> $(Device) ; 1050 /proc/interrupts -> $(Device) ; 1051 /proc/driver/rtc -> $(Device) ; 1052 /proc/ioports -> $(Device) ; 1053 #/proc/scsi -> $(Device) ; 1054 /proc/kcore -> $(Device) ; 1055 /proc/self -> $(Device) ; 1056 /proc/kmsg -> $(Device) ; 1057 /proc/stat -> $(Device) ; 1058 /proc/ksyms -> $(Device) ; 1059 /proc/loadavg -> $(Device) ; 1060 /proc/uptime -> $(Device) ; 1061 /proc/locks -> $(Device) ; 1062 /proc/version -> $(Device) ; 1063 /proc/mdstat -> $(Device) ; 1064 /proc/meminfo -> $(Device) ; 1065 /proc/cmdline -> $(Device) ; 1066 /proc/misc -> $(Device) ; 1067} 1068 1069# Rest of critical system binaries 1070( 1071 rulename = "OS executables and libraries", 1072 severity = $(SIG_HI) 1073) 1074{ 1075 /bin -> $(SEC_BIN) ; 1076 /lib -> $(SEC_BIN) ; 1077} 1078 1079#============================================================================= 1080# 1081# Copyright 2000 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, 1082# Inc. in the United States and other countries. All rights reserved. 1083# 1084# Linux is a registered trademark of Linus Torvalds. 1085# 1086# UNIX is a registered trademark of The Open Group. 1087# 1088#============================================================================= 1089# 1090# Permission is granted to make and distribute verbatim copies of this document 1091# provided the copyright notice and this permission notice are preserved on all 1092# copies. 1093# 1094# Permission is granted to copy and distribute modified versions of this 1095# document under the conditions for verbatim copying, provided that the entire 1096# resulting derived work is distributed under the terms of a permission notice 1097# identical to this one. 1098# 1099# Permission is granted to copy and distribute translations of this document 1100# into another language, under the above conditions for modified versions, 1101# except that this permission notice may be stated in a translation approved by 1102# Tripwire, Inc. 1103# 1104# DCM 1105# 1106# $Id: twpol-GENERIC.txt,v 1.1 2003/06/08 02:00:06 pherman Exp $ 1107# 1108