
# identifier:  tripwire IDS policy input file
# host:        Fedora Core release 1 (Yarrow)
# version:     2.3.1-19.fdr.1
# maintainer:  Keith G. Robertson-Turner <tripwire-devel[AT]genesis-x.nildram.co.uk>
# validator:   unvalidated
# date:        Tue Jun 15 17:09:21 BST 2004
#
##############################################################################
#
# description:
#
# This is an example Tripwire Policy input file. It is intended as the starting
# point for creating your own custom Tripwire Policy. Referring to it, as well
# as to the Tripwire Policy Guide, should give you enough information to make a
# good custom Tripwire Policy that better fits your configuration and security
# needs.
#
# This text version will be used by tripwire as input to create a proprietary
# type of file called a Tripwire Policy file, which will then be signed for
# further security. It is recommended that once you complete the creation of
# the Policy file, you move this plaintext version to a secure location
# (possibly on removable media) or encrypt the file using a tool such as GPG.
# You should also do this for the Tripwire plaintext configuration file
# (twcfg.txt) once you have finished setting up the Policy.
#
# Note that this file is tuned to an "everything" install of Fedora Linux. If
# run unmodified, this file should create no errors on database creation, or
# violations on a subsequent integrity check. However, it is impossible for
# there to be one policy file for all machines, so this existing one errs on
# the side of security. Your Linux configuration will most likely differ from
# the one our policy file was tuned to, and will therefore require some editing
# of the default Tripwire Policy file.
#
# The example policy file is best run with "Loose Directory Checking" enabled.
# Set LOOSEDIRECTORYCHECKING=TRUE in the Tripwire Configuration file.
#
# Note - legacy entries (which are commented out) are included for historical
# reasons only, and are overdue for removal. They will likely disappear from
# future releases.
#
# The following info is only really useful for non-RPM distributions:
# Email support is not included and must be added to this file. Add the
# "emailto=" to the rule directive section of each rule (add a comma after the
# "severity=" line and add an "emailto=" and include the email addresses you
# want the violation reports to go to). Addresses are semi-colon delimited.
#
# If you installed from the Fedora RPM, a cron job has already been set up for
# you. Tripwire will perform an integrity check once every day, and the
# generated report will be emailed to root. In this case, you do not need to
# perform the steps in the previous paragraph.

# policy:

# Global Variable Definitions

@@section GLOBAL
TWROOT=/usr/sbin;
TWBIN=/usr/sbin;
TWPOL="/etc/tripwire";
TWDB="/var/lib/tripwire";
TWSKEY="/etc/tripwire";
TWLKEY="/etc/tripwire";
TWREPORT="/var/lib/tripwire/report";
HOSTNAME=Fedora;

@@section FS
SEC_CRIT      = $(IgnoreNone)-SHa ;  # Critical files that cannot change
SEC_SUID      = $(IgnoreNone)-SHa ;  # Binaries with the SUID or SGID flags set
SEC_BIN       = $(ReadOnly) ;        # Binaries that should not change
SEC_CONFIG    = $(Dynamic) ;         # Config files that are changed infrequently but accessed often
SEC_LOG       = $(Growing) ;         # Files that grow, but that should never change ownership
SEC_INVARIANT = +tpug ;              # Directories that should never change permission or ownership
SIG_LOW       = 33 ;                 # Non-critical files that are of minimal security impact
SIG_MED       = 66 ;                 # Non-critical files that are of significant security impact
SIG_HI        = 100 ;                # Critical files that are significant points of vulnerability

# Tripwire Binaries
(
  rulename = "Tripwire Binaries",
  severity = $(SIG_HI)
)
{
  $(TWBIN)/siggen    -> $(SEC_BIN) ;
  $(TWBIN)/tripwire  -> $(SEC_BIN) ;
  $(TWBIN)/twadmin   -> $(SEC_BIN) ;
  $(TWBIN)/twprint   -> $(SEC_BIN) ;
}

# Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases
(
  rulename = "Tripwire Data Files",
  severity = $(SIG_HI)
)
{
  # NOTE: We remove the inode attribute because when Tripwire creates a backup,
  # it does so by renaming the old file and creating a new one (which will have
  # a new inode number). Inode is left turned on for keys, which shouldn't ever
  # change.

  # NOTE: The first integrity check triggers this rule and each integrity check
  # afterward triggers this rule until a database update is run, since the
  # database file does not exist before that point.
  $(TWDB)                          -> $(SEC_CONFIG) -i ;
  $(TWPOL)/tw.pol                  -> $(SEC_BIN) -i ;
  $(TWPOL)/tw.cfg                  -> $(SEC_BIN) -i ;
  $(TWLKEY)/$(HOSTNAME)-local.key  -> $(SEC_BIN) ;
  $(TWSKEY)/site.key               -> $(SEC_BIN) ;

  # don't scan the individual reports
  $(TWREPORT)                      -> $(SEC_CONFIG) (recurse=0) ;
}

# Tripwire HQ Connector Binaries
#
# This commercial product has been phased out and is no longer
# supported. This section will disappear from future releases.
#
#(
#  rulename = "Tripwire HQ Connector Binaries",
#  severity = $(SIG_HI)
#)
#{
#  $(TWBIN)/hqagent  -> $(SEC_BIN) ;
#}
#
# Tripwire HQ Connector - Configuration Files, Keys, and Logs
#
# Note: File locations here are different than in a stock HQ Connector
# installation. This is because Tripwire 2.3 uses a different path structure
# than Tripwire 2.2.1. You may need to update your HQ Agent configuration file
# (or this policy file) to correct the paths. We have attempted to support the
# FHS standard here by placing the HQ Agent files similarly to the way
# Tripwire 2.3 places them.
#
#(
#  rulename = "Tripwire HQ Connector Data Files",
#  severity = $(SIG_HI)
#)
#{
#  # NOTE: Removing the inode attribute because when Tripwire creates a
#  # backup it does so by renaming the old file and creating a new one
#  # (which will have a new inode number). Leaving inode turned on for
#  # keys, which shouldn't ever change.
#
#  $(TWBIN)/agent.cfg            -> $(SEC_BIN) -i ;   # legacy
#  $(TWLKEY)/authentication.key  -> $(SEC_BIN) ;      # legacy
#  $(TWDB)/tasks.dat             -> $(SEC_CONFIG) ;   # legacy
#  $(TWDB)/schedule.dat          -> $(SEC_CONFIG) ;   # legacy
#
#  # Uncomment if you have agent logging enabled.
#  #/var/log/tripwire/agent.log  -> $(SEC_LOG) ;      # legacy
#}

# Commonly accessed directories that should remain static with regards
# to owner and group.
(
  rulename = "Invariant Directories",
  severity = $(SIG_MED)
)
{
  /      -> $(SEC_INVARIANT) (recurse = 0) ;
  /home  -> $(SEC_INVARIANT) (recurse = 0) ;
  /etc   -> $(SEC_INVARIANT) (recurse = 0) ;
}

# File System and Disk Administration Programs.
(
  rulename = "File System and Disk Administration Programs",
  severity = $(SIG_HI)
)
{
  /var/www/html           -> $(SEC_CRIT) ;
  /sbin/badblocks         -> $(SEC_CRIT) ;
  /sbin/busybox           -> $(SEC_CRIT) ;
  /sbin/busybox.anaconda  -> $(SEC_CRIT) ;
  /sbin/convertquota      -> $(SEC_CRIT) ;
}

# Kernel Administration Programs.
(
  rulename = "Kernel Administration Programs",
  severity = $(SIG_HI)
)
{
  /sbin/adjtimex               -> $(SEC_CRIT) ;
  /sbin/ctrlaltdel             -> $(SEC_CRIT) ;
  /sbin/depmod                 -> $(SEC_CRIT) ;
  /sbin/insmod                 -> $(SEC_CRIT) ;
  /sbin/insmod.static          -> $(SEC_CRIT) ;
  /sbin/insmod_ksymoops_clean  -> $(SEC_CRIT) ;
  /sbin/klogd                  -> $(SEC_CRIT) ;
  /sbin/ldconfig               -> $(SEC_CRIT) ;
  /sbin/minilogd               -> $(SEC_CRIT) ;
  /sbin/modinfo                -> $(SEC_CRIT) ;
  #/sbin/nuactlun              -> $(SEC_CRIT) ;
  #/sbin/nuscsitcpd            -> $(SEC_CRIT) ;
  /sbin/pivot_root             -> $(SEC_CRIT) ;
  /sbin/sndconfig              -> $(SEC_CRIT) ;
  /sbin/sysctl                 -> $(SEC_CRIT) ;
}

# Networking Programs.
(
  rulename = "Networking Programs",
  severity = $(SIG_HI)
)
{
  /etc/sysconfig/network-scripts/ifdown                  -> $(SEC_CRIT) ;
  /etc/sysconfig/network-scripts/ifdown-cipcb            -> $(SEC_CRIT) ;
  /etc/sysconfig/network-scripts/ifdown-ippp             -> $(SEC_CRIT) ;
  /etc/sysconfig/network-scripts/ifdown-ipv6             -> $(SEC_CRIT) ;
  /etc/sysconfig/network-scripts/ifdown-isdn             -> $(SEC_CRIT) ;
  /etc/sysconfig/network-scripts/ifdown-post             -> $(SEC_CRIT) ;
  /etc/sysconfig/network-scripts/ifdown-ppp              -> $(SEC_CRIT) ;
  /etc/sysconfig/network-scripts/ifdown-sit              -> $(SEC_CRIT) ;
  /etc/sysconfig/network-scripts/ifdown-sl               -> $(SEC_CRIT) ;
  /etc/sysconfig/network-scripts/ifup                    -> $(SEC_CRIT) ;
  /etc/sysconfig/network-scripts/ifup-aliases            -> $(SEC_CRIT) ;
  /etc/sysconfig/network-scripts/ifup-cipcb              -> $(SEC_CRIT) ;
  /etc/sysconfig/network-scripts/ifup-ippp               -> $(SEC_CRIT) ;
  /etc/sysconfig/network-scripts/ifup-ipv6               -> $(SEC_CRIT) ;
  /etc/sysconfig/network-scripts/ifup-isdn               -> $(SEC_CRIT) ;
  /etc/sysconfig/network-scripts/ifup-plip               -> $(SEC_CRIT) ;
  /etc/sysconfig/network-scripts/ifup-plusb              -> $(SEC_CRIT) ;
  /etc/sysconfig/network-scripts/ifup-post               -> $(SEC_CRIT) ;
  /etc/sysconfig/network-scripts/ifup-ppp                -> $(SEC_CRIT) ;
  /etc/sysconfig/network-scripts/ifup-routes             -> $(SEC_CRIT) ;
  /etc/sysconfig/network-scripts/ifup-sit                -> $(SEC_CRIT) ;
  /etc/sysconfig/network-scripts/ifup-sl                 -> $(SEC_CRIT) ;
  /etc/sysconfig/network-scripts/ifup-wireless           -> $(SEC_CRIT) ;
  /etc/sysconfig/network-scripts/network-functions       -> $(SEC_CRIT) ;
  /etc/sysconfig/network-scripts/network-functions-ipv6  -> $(SEC_CRIT) ;
  /bin/ping                  -> $(SEC_CRIT) ;
  /sbin/agetty               -> $(SEC_CRIT) ;
  /sbin/arp                  -> $(SEC_CRIT) ;
  /sbin/arping               -> $(SEC_CRIT) ;
  /sbin/dhclient             -> $(SEC_CRIT) ;
  /sbin/ether-wake           -> $(SEC_CRIT) ;
  #/sbin/getty               -> $(SEC_CRIT) ;
  /sbin/ifcfg                -> $(SEC_CRIT) ;
  /sbin/ifconfig             -> $(SEC_CRIT) ;
  /sbin/ifdown               -> $(SEC_CRIT) ;
  /sbin/ifenslave            -> $(SEC_CRIT) ;
  /sbin/ifport               -> $(SEC_CRIT) ;
  /sbin/ifup                 -> $(SEC_CRIT) ;
  /sbin/ifuser               -> $(SEC_CRIT) ;
  /sbin/ip                   -> $(SEC_CRIT) ;
  /sbin/ip6tables            -> $(SEC_CRIT) ;
  #/sbin/ipchains            -> $(SEC_CRIT) ;   # legacy
  #/sbin/ipchains-restore    -> $(SEC_CRIT) ;   # legacy
  #/sbin/ipchains-save       -> $(SEC_CRIT) ;   # legacy
  #/sbin/ipfwadm             -> $(SEC_CRIT) ;
  /sbin/ipmaddr              -> $(SEC_CRIT) ;
  /sbin/iptables             -> $(SEC_CRIT) ;
  /sbin/iptables-restore     -> $(SEC_CRIT) ;
  /sbin/iptables-save        -> $(SEC_CRIT) ;
  /sbin/iptunnel             -> $(SEC_CRIT) ;
  #/sbin/ipvsadm             -> $(SEC_CRIT) ;
  #/sbin/ipvsadm-restore     -> $(SEC_CRIT) ;
  #/sbin/ipvsadm-save        -> $(SEC_CRIT) ;
  /sbin/ipx_configure        -> $(SEC_CRIT) ;
  /sbin/ipx_interface        -> $(SEC_CRIT) ;
  /sbin/ipx_internal_net     -> $(SEC_CRIT) ;
  /sbin/iwconfig             -> $(SEC_CRIT) ;
  /sbin/iwgetid              -> $(SEC_CRIT) ;
  /sbin/iwlist               -> $(SEC_CRIT) ;
  /sbin/iwpriv               -> $(SEC_CRIT) ;
  /sbin/iwspy                -> $(SEC_CRIT) ;
  /sbin/mgetty               -> $(SEC_CRIT) ;
  /sbin/mingetty             -> $(SEC_CRIT) ;
  /sbin/nameif               -> $(SEC_CRIT) ;
  /sbin/netreport            -> $(SEC_CRIT) ;
  /sbin/plipconfig           -> $(SEC_CRIT) ;
  /sbin/portmap              -> $(SEC_CRIT) ;
  /sbin/ppp-watch            -> $(SEC_CRIT) ;
  #/sbin/rarp                -> $(SEC_CRIT) ;
  /sbin/route                -> $(SEC_CRIT) ;
  /sbin/slattach             -> $(SEC_CRIT) ;
  /sbin/tc                   -> $(SEC_CRIT) ;
  #/sbin/uugetty             -> $(SEC_CRIT) ;
  /sbin/vgetty               -> $(SEC_CRIT) ;
  /sbin/ypbind               -> $(SEC_CRIT) ;
}

# System Administration Programs.
(

  rulename = "System Administration Programs",
  severity = $(SIG_HI)
)
{
  /sbin/chkconfig        -> $(SEC_CRIT) ;
  /sbin/fuser            -> $(SEC_CRIT) ;
  /sbin/halt             -> $(SEC_CRIT) ;
  /sbin/init             -> $(SEC_CRIT) ;
  /sbin/initlog          -> $(SEC_CRIT) ;
  /sbin/install-info     -> $(SEC_CRIT) ;
  /sbin/killall5         -> $(SEC_CRIT) ;
  #/sbin/linuxconf       -> $(SEC_CRIT) ;   # legacy
  #/sbin/linuxconf-auth  -> $(SEC_CRIT) ;   # legacy
  /sbin/pam_tally        -> $(SEC_CRIT) ;
  /sbin/pwdb_chkpwd      -> $(SEC_CRIT) ;
  #/sbin/remadmin        -> $(SEC_CRIT) ;
  /sbin/rescuept         -> $(SEC_CRIT) ;
  /sbin/rmt              -> $(SEC_CRIT) ;
  /sbin/rpc.lockd        -> $(SEC_CRIT) ;
  /sbin/rpc.statd        -> $(SEC_CRIT) ;
  /sbin/rpcdebug         -> $(SEC_CRIT) ;
  /sbin/service          -> $(SEC_CRIT) ;
  /sbin/setsysfont       -> $(SEC_CRIT) ;
  /sbin/shutdown         -> $(SEC_CRIT) ;
  /sbin/sulogin          -> $(SEC_CRIT) ;
  /sbin/swapon           -> $(SEC_CRIT) ;
  /sbin/syslogd          -> $(SEC_CRIT) ;
  /sbin/unix_chkpwd      -> $(SEC_CRIT) ;
  /bin/pwd               -> $(SEC_CRIT) ;
  /bin/uname             -> $(SEC_CRIT) ;
}

# Hardware and Device Control Programs.
(
  rulename = "Hardware and Device Control Programs",
  severity = $(SIG_HI)
)
{
  /bin/setserial   -> $(SEC_CRIT) ;
  /bin/sfxload     -> $(SEC_CRIT) ;
  /sbin/blockdev   -> $(SEC_CRIT) ;
  /sbin/cardctl    -> $(SEC_CRIT) ;
  /sbin/cardmgr    -> $(SEC_CRIT) ;
  /sbin/cbq        -> $(SEC_CRIT) ;
  /sbin/dump_cis   -> $(SEC_CRIT) ;
  /sbin/elvtune    -> $(SEC_CRIT) ;
  /sbin/hotplug    -> $(SEC_CRIT) ;
  /sbin/hwclock    -> $(SEC_CRIT) ;
  /sbin/ide_info   -> $(SEC_CRIT) ;
  #/sbin/isapnp    -> $(SEC_CRIT) ;
  #/sbin/kbdrate   -> $(SEC_CRIT) ;
  /sbin/losetup    -> $(SEC_CRIT) ;
  /sbin/lspci      -> $(SEC_CRIT) ;
  /sbin/lspnp      -> $(SEC_CRIT) ;
  /sbin/mii-tool   -> $(SEC_CRIT) ;
  /sbin/pack_cis   -> $(SEC_CRIT) ;
  #/sbin/pnpdump   -> $(SEC_CRIT) ;
  /sbin/probe      -> $(SEC_CRIT) ;
  #/sbin/pump      -> $(SEC_CRIT) ;
  /sbin/setpci     -> $(SEC_CRIT) ;
  /sbin/shapecfg   -> $(SEC_CRIT) ;
}

# System Information Programs.
(

  rulename = "System Information Programs",
  severity = $(SIG_HI)
)
{
  /sbin/consoletype    -> $(SEC_CRIT) ;
  /sbin/kernelversion  -> $(SEC_CRIT) ;
  /sbin/runlevel       -> $(SEC_CRIT) ;
}

# Application Information Programs.
(
  rulename = "Application Information Programs",
  severity = $(SIG_HI)
)
{
  /sbin/genksyms       -> $(SEC_CRIT) ;
  #/sbin/genksyms.old  -> $(SEC_CRIT) ;
  /sbin/rtmon          -> $(SEC_CRIT) ;
}

# Shell Related Programs.
(
  rulename = "Shell Related Programs",
  severity = $(SIG_HI)
)
{
  /sbin/getkey         -> $(SEC_CRIT) ;
  /sbin/nash           -> $(SEC_CRIT) ;
  /sbin/sash           -> $(SEC_CRIT) ;
}

# OS Utilities.
(
  rulename = "Operating System Utilities",
  severity = $(SIG_HI)
)
{
  /bin/arch            -> $(SEC_CRIT) ;
  /bin/ash             -> $(SEC_CRIT) ;
  /bin/ash.static      -> $(SEC_CRIT) ;
  /bin/aumix-minimal   -> $(SEC_CRIT) ;
  /bin/basename        -> $(SEC_CRIT) ;
  /bin/cat             -> $(SEC_CRIT) ;
  #/bin/consolechars   -> $(SEC_CRIT) ;
  /bin/cut             -> $(SEC_CRIT) ;
  /bin/date            -> $(SEC_CRIT) ;
  /bin/dd              -> $(SEC_CRIT) ;
  /bin/df              -> $(SEC_CRIT) ;
  /bin/dmesg           -> $(SEC_CRIT) ;
  /bin/doexec          -> $(SEC_CRIT) ;
  /bin/echo            -> $(SEC_CRIT) ;
  /bin/ed              -> $(SEC_CRIT) ;
  /bin/egrep           -> $(SEC_CRIT) ;
  /bin/false           -> $(SEC_CRIT) ;
  /bin/fgrep           -> $(SEC_CRIT) ;
  /bin/gawk            -> $(SEC_CRIT) ;
  #/bin/gawk-3.1.0     -> $(SEC_CRIT) ;   # legacy
  /bin/gettext         -> $(SEC_CRIT) ;
  /bin/grep            -> $(SEC_CRIT) ;
  /bin/gunzip          -> $(SEC_CRIT) ;
  /bin/gzip            -> $(SEC_CRIT) ;
  /bin/hostname        -> $(SEC_CRIT) ;
  /bin/igawk           -> $(SEC_CRIT) ;
  /bin/ipcalc          -> $(SEC_CRIT) ;
  /bin/kill            -> $(SEC_CRIT) ;
  /bin/ln              -> $(SEC_CRIT) ;
  /bin/loadkeys        -> $(SEC_CRIT) ;
  /bin/login           -> $(SEC_CRIT) ;
  /bin/ls              -> $(SEC_CRIT) ;
  /bin/mail            -> $(SEC_CRIT) ;
  /bin/more            -> $(SEC_CRIT) ;
  /bin/mt              -> $(SEC_CRIT) ;
  /bin/mv              -> $(SEC_CRIT) ;
  /bin/netstat         -> $(SEC_CRIT) ;
  /bin/nice            -> $(SEC_CRIT) ;
  /bin/pgawk           -> $(SEC_CRIT) ;
  /bin/ps              -> $(SEC_CRIT) ;
  /bin/rpm             -> $(SEC_CRIT) ;
  /bin/sed             -> $(SEC_CRIT) ;
  /bin/sleep           -> $(SEC_CRIT) ;
  /bin/sort            -> $(SEC_CRIT) ;
  /bin/stty            -> $(SEC_CRIT) ;
  /bin/su              -> $(SEC_CRIT) ;
  /bin/sync            -> $(SEC_CRIT) ;
  /bin/tar             -> $(SEC_CRIT) ;
  /bin/true            -> $(SEC_CRIT) ;
  /bin/usleep          -> $(SEC_CRIT) ;
  /bin/vi              -> $(SEC_CRIT) ;
  /bin/zcat            -> $(SEC_CRIT) ;
  /bin/zsh             -> $(SEC_CRIT) ;
  #/bin/zsh-4.0.2      -> $(SEC_CRIT) ;   # legacy
  /sbin/sln            -> $(SEC_CRIT) ;
  /usr/bin/vimtutor    -> $(SEC_CRIT) ;
}

# Critical Utility Sym-Links.
(
  rulename = "Critical Utility Sym-Links",
  severity = $(SIG_HI)
)
{
  #/sbin/askrunlevel           -> $(SEC_CRIT) ;
  /sbin/clock                  -> $(SEC_CRIT) ;
  #/sbin/fixperm               -> $(SEC_CRIT) ;
  /sbin/fsck.reiserfs          -> $(SEC_CRIT) ;
  #/sbin/fsconf                -> $(SEC_CRIT) ;
  #/sbin/ipfwadm-wrapper       -> $(SEC_CRIT) ;
  /sbin/kallsyms               -> $(SEC_CRIT) ;
  /sbin/ksyms                  -> $(SEC_CRIT) ;
  /sbin/lsmod                  -> $(SEC_CRIT) ;
  #/sbin/mailconf              -> $(SEC_CRIT) ;
  /sbin/mkfs.reiserfs          -> $(SEC_CRIT) ;
  #/sbin/modemconf             -> $(SEC_CRIT) ;   # legacy
  /sbin/modprobe               -> $(SEC_CRIT) ;
  /sbin/mount.ncp              -> $(SEC_CRIT) ;
  /sbin/mount.ncpfs            -> $(SEC_CRIT) ;
  /sbin/mount.smb              -> $(SEC_CRIT) ;
  /sbin/mount.smbfs            -> $(SEC_CRIT) ;
  #/sbin/netconf               -> $(SEC_CRIT) ;
  /sbin/pidof                  -> $(SEC_CRIT) ;
  /sbin/poweroff               -> $(SEC_CRIT) ;
  /sbin/quotaoff               -> $(SEC_CRIT) ;
  /sbin/raid0run               -> $(SEC_CRIT) ;
  /sbin/raidhotadd             -> $(SEC_CRIT) ;
  #/sbin/raidhotgenerateerror  -> $(SEC_CRIT) ;
  /sbin/raidhotremove          -> $(SEC_CRIT) ;
  /sbin/raidstop               -> $(SEC_CRIT) ;
  /sbin/rdump                  -> $(SEC_CRIT) ;
  /sbin/rdump.static           -> $(SEC_CRIT) ;
  /sbin/reboot                 -> $(SEC_CRIT) ;
  /sbin/rmmod                  -> $(SEC_CRIT) ;
  /sbin/rrestore               -> $(SEC_CRIT) ;
  /sbin/rrestore.static        -> $(SEC_CRIT) ;
  /sbin/swapoff                -> $(SEC_CRIT) ;
  /sbin/telinit                -> $(SEC_CRIT) ;
  #/sbin/userconf              -> $(SEC_CRIT) ;
  #/sbin/uucpconf              -> $(SEC_CRIT) ;
  #/sbin/vregistry             -> $(SEC_CRIT) ;
  /bin/awk                     -> $(SEC_CRIT) ;
  /bin/bash2                   -> $(SEC_CRIT) ;
  /bin/bsh                     -> $(SEC_CRIT) ;
  /bin/csh                     -> $(SEC_CRIT) ;
  /bin/dnsdomainname           -> $(SEC_CRIT) ;
  /bin/domainname              -> $(SEC_CRIT) ;
  /bin/ex                      -> $(SEC_CRIT) ;
  /bin/gtar                    -> $(SEC_CRIT) ;
  /bin/nisdomainname           -> $(SEC_CRIT) ;
  /bin/red                     -> $(SEC_CRIT) ;
  /bin/rvi                     -> $(SEC_CRIT) ;
  /bin/rview                   -> $(SEC_CRIT) ;
  /bin/view                    -> $(SEC_CRIT) ;
  /bin/ypdomainname            -> $(SEC_CRIT) ;
}

# Temporary directories.
(
  rulename = "Temporary directories",
  recurse = false,
  severity = $(SIG_LOW)
)
{
  /usr/tmp  -> $(SEC_INVARIANT) ;
  /var/tmp  -> $(SEC_INVARIANT) ;
  /tmp      -> $(SEC_INVARIANT) ;
}

# Local files.
(
  rulename = "User binaries",
  severity = $(SIG_MED)
)
{
  /sbin           -> $(SEC_BIN) (recurse = 1) ;
  /usr/bin        -> $(SEC_BIN) (recurse = 1) ;
  /usr/sbin       -> $(SEC_BIN) (recurse = 1) ;
  /usr/local/bin  -> $(SEC_BIN) (recurse = 1) ;
}

(
  rulename = "Shell Binaries",
  severity = $(SIG_HI)
)
{
  /bin/bash      -> $(SEC_BIN) ;
  /bin/ksh       -> $(SEC_BIN) ;
  #/bin/psh      -> $(SEC_BIN) ;    # legacy
  #/bin/Rsh      -> $(SEC_BIN) ;    # legacy
  /bin/sh        -> $(SEC_BIN) ;
  #/bin/shell    -> $(SEC_SUID) ;   # legacy
  #/bin/tsh      -> $(SEC_BIN) ;    # legacy
  /bin/tcsh      -> $(SEC_BIN) ;
  /sbin/nologin  -> $(SEC_BIN) ;
}

(
  rulename = "Security Control",
  severity = $(SIG_HI)
)
{
  /etc/group                  -> $(SEC_CRIT) ;
  /etc/security               -> $(SEC_CRIT) ;
  #/var/spool/cron/crontabs   -> $(SEC_CRIT) ;   # Uncomment when this file exists
}

#(
#  rulename = "Boot Scripts",
#  severity = $(SIG_HI)
#)
#{
#  /etc/rc             -> $(SEC_CONFIG) ;
#  /etc/rc.bsdnet      -> $(SEC_CONFIG) ;
#  /etc/rc.dt          -> $(SEC_CONFIG) ;
#  /etc/rc.net         -> $(SEC_CONFIG) ;
#  /etc/rc.net.serial  -> $(SEC_CONFIG) ;
#  /etc/rc.nfs         -> $(SEC_CONFIG) ;
#  /etc/rc.powerfail   -> $(SEC_CONFIG) ;
#  /etc/rc.tcpip       -> $(SEC_CONFIG) ;
#  /etc/trcfmt.Z       -> $(SEC_CONFIG) ;
#}

(
  rulename = "Login Scripts",
  severity = $(SIG_HI)
)
{
  /etc/bashrc        -> $(SEC_CONFIG) ;
  /etc/csh.cshrc     -> $(SEC_CONFIG) ;
  /etc/csh.login     -> $(SEC_CONFIG) ;
  /etc/inputrc       -> $(SEC_CONFIG) ;
  #/etc/tsh_profile  -> $(SEC_CONFIG) ;   # Uncomment when this file exists
  /etc/profile       -> $(SEC_CONFIG) ;
}

# Libraries
(
  rulename = "Libraries",
  severity = $(SIG_MED)
)
{
  /usr/lib          -> $(SEC_BIN) ;
  /usr/local/lib    -> $(SEC_BIN) ;
  /usr/lib64        -> $(SEC_BIN) ;
  /usr/local/lib64  -> $(SEC_BIN) ;
}

# Critical System Boot Files.
# These files are critical to a correct system boot.
(
  rulename = "Critical system boot files",
  severity = $(SIG_HI)
)
{
  /boot                                          -> $(SEC_CRIT) ;
  #/sbin/devfsd                                  -> $(SEC_CRIT) ;
  /sbin/grub                                     -> $(SEC_CRIT) ;
  /sbin/grub-install                             -> $(SEC_CRIT) ;
  /sbin/grub-md5-crypt                           -> $(SEC_CRIT) ;
  /sbin/installkernel                            -> $(SEC_CRIT) ;
  /sbin/lilo                                     -> $(SEC_CRIT) ;
  /sbin/mkkerneldoth                             -> $(SEC_CRIT) ;
  !/boot/System.map ;
  !/boot/module-info ;
  /usr/share/grub/i386-redhat/e2fs_stage1_5      -> $(SEC_CRIT) ;
  /usr/share/grub/i386-redhat/fat_stage1_5       -> $(SEC_CRIT) ;
  /usr/share/grub/i386-redhat/ffs_stage1_5       -> $(SEC_CRIT) ;
  /usr/share/grub/i386-redhat/minix_stage1_5     -> $(SEC_CRIT) ;
  /usr/share/grub/i386-redhat/reiserfs_stage1_5  -> $(SEC_CRIT) ;
  /usr/share/grub/i386-redhat/stage1             -> $(SEC_CRIT) ;
  /usr/share/grub/i386-redhat/stage2             -> $(SEC_CRIT) ;
  /usr/share/grub/i386-redhat/vstafs_stage1_5    -> $(SEC_CRIT) ;
  # other boot files may exist. Look for:
  #/ufsboot                                      -> $(SEC_CRIT) ;
}

# These files change every time the system boots.
(
  rulename = "System boot changes",
  severity = $(SIG_HI)
)
{
  !/var/run/ftp.pids-all ;   # Comes and goes on reboot.
  !/root/.enlightenment ;
  /dev/log                       -> $(SEC_CONFIG) ;
  /dev/cua0                      -> $(SEC_CONFIG) ;
  #/dev/printer                  -> $(SEC_CONFIG) ;      # legacy
  /dev/console                   -> $(SEC_CONFIG) -u ;   # User ID may change on console login/logout.
  /dev/tty1                      -> $(SEC_CONFIG) ;      # tty devices are extremely variable
  /dev/tty2                      -> $(SEC_CONFIG) ;
  /dev/tty3                      -> $(SEC_CONFIG) ;
  /dev/tty4                      -> $(SEC_CONFIG) ;
  /dev/tty5                      -> $(SEC_CONFIG) ;
  /dev/tty6                      -> $(SEC_CONFIG) ;
  /dev/urandom                   -> $(SEC_CONFIG) ;
  /dev/initctl                   -> $(SEC_CONFIG) ;
  /var/lock/subsys               -> $(SEC_CONFIG) ;
  #/var/lock/subsys/amd          -> $(SEC_CONFIG) ;
  #/var/lock/subsys/anacron      -> $(SEC_CONFIG) ;
  /var/lock/subsys/apmd          -> $(SEC_CONFIG) ;
  #/var/lock/subsys/arpwatch     -> $(SEC_CONFIG) ;
  /var/lock/subsys/atd           -> $(SEC_CONFIG) ;
  #/var/lock/subsys/autofs       -> $(SEC_CONFIG) ;
  #/var/lock/subsys/bcm5820      -> $(SEC_CONFIG) ;
  #/var/lock/subsys/bgpd         -> $(SEC_CONFIG) ;
  #/var/lock/subsys/bootparamd   -> $(SEC_CONFIG) ;
  /var/lock/subsys/canna         -> $(SEC_CONFIG) ;
  /var/lock/subsys/crond         -> $(SEC_CONFIG) ;
  #/var/lock/subsys/cWnn         -> $(SEC_CONFIG) ;
  #/var/lock/subsys/dhcpd        -> $(SEC_CONFIG) ;
  #/var/lock/subsys/firewall     -> $(SEC_CONFIG) ;
  #/var/lock/subsys/freeWnn      -> $(SEC_CONFIG) ;
  #/var/lock/subsys/gated        -> $(SEC_CONFIG) ;
  /var/lock/subsys/gpm           -> $(SEC_CONFIG) ;
  #/var/lock/subsys/httpd        -> $(SEC_CONFIG) ;
  #/var/lock/subsys/identd       -> $(SEC_CONFIG) ;
  #/var/lock/subsys/innd         -> $(SEC_CONFIG) ;
  #/var/lock/subsys/ipchains     -> $(SEC_CONFIG) ;      # legacy
  /var/lock/subsys/iptables      -> $(SEC_CONFIG) ;
  #/var/lock/subsys/ipvsadm      -> $(SEC_CONFIG) ;
  #/var/lock/subsys/irda         -> $(SEC_CONFIG) ;
  #/var/lock/subsys/iscsi        -> $(SEC_CONFIG) ;
  #/var/lock/subsys/isdn         -> $(SEC_CONFIG) ;
  #/var/lock/subsys/junkbuster   -> $(SEC_CONFIG) ;      # legacy
  #/var/lock/subsys/kadmin       -> $(SEC_CONFIG) ;
  #/var/lock/subsys/keytable     -> $(SEC_CONFIG) ;
  #/var/lock/subsys/kprop        -> $(SEC_CONFIG) ;
  #/var/lock/subsys/krb524       -> $(SEC_CONFIG) ;
  #/var/lock/subsys/krb5kdc      -> $(SEC_CONFIG) ;
  /var/lock/subsys/kudzu         -> $(SEC_CONFIG) ;
  #/var/lock/subsys/kWnn         -> $(SEC_CONFIG) ;
  #/var/lock/subsys/ldap         -> $(SEC_CONFIG) ;
  #/var/lock/subsys/linuxconf    -> $(SEC_CONFIG) ;      # legacy
  #/var/lock/subsys/lpd          -> $(SEC_CONFIG) ;
  #/var/lock/subsys/mars_nwe     -> $(SEC_CONFIG) ;
  #/var/lock/subsys/mcserv       -> $(SEC_CONFIG) ;
  #/var/lock/subsys/mysqld       -> $(SEC_CONFIG) ;
  #/var/lock/subsys/named        -> $(SEC_CONFIG) ;
  /var/lock/subsys/netfs         -> $(SEC_CONFIG) ;
  /var/lock/subsys/network       -> $(SEC_CONFIG) ;
  #/var/lock/subsys/nfs          -> $(SEC_CONFIG) ;
  /var/lock/subsys/nfslock       -> $(SEC_CONFIG) ;
  #/var/lock/subsys/nscd         -> $(SEC_CONFIG) ;
  /var/lock/subsys/ntpd          -> $(SEC_CONFIG) ;
  #/var/lock/subsys/ospf6d       -> $(SEC_CONFIG) ;
  #/var/lock/subsys/ospfd        -> $(SEC_CONFIG) ;
  #/var/lock/subsys/pcmcia       -> $(SEC_CONFIG) ;
  /var/lock/subsys/portmap       -> $(SEC_CONFIG) ;
  #/var/lock/subsys/postgresql   -> $(SEC_CONFIG) ;
  #/var/lock/subsys/pxe          -> $(SEC_CONFIG) ;
  #/var/lock/subsys/radvd        -> $(SEC_CONFIG) ;
  /var/lock/subsys/random        -> $(SEC_CONFIG) ;
  #/var/lock/subsys/rarpd        -> $(SEC_CONFIG) ;
  #/var/lock/subsys/reconfig     -> $(SEC_CONFIG) ;
  #/var/lock/subsys/rhnsd        -> $(SEC_CONFIG) ;
  #/var/lock/subsys/ripd         -> $(SEC_CONFIG) ;
  #/var/lock/subsys/ripngd       -> $(SEC_CONFIG) ;
  #/var/lock/subsys/routed       -> $(SEC_CONFIG) ;
  #/var/lock/subsys/rstatd       -> $(SEC_CONFIG) ;
  #/var/lock/subsys/rusersd      -> $(SEC_CONFIG) ;
  #/var/lock/subsys/rwalld       -> $(SEC_CONFIG) ;
  #/var/lock/subsys/rwhod        -> $(SEC_CONFIG) ;
  /var/lock/subsys/sendmail      -> $(SEC_CONFIG) ;
  #/var/lock/subsys/smb          -> $(SEC_CONFIG) ;
  #/var/lock/subsys/snmpd        -> $(SEC_CONFIG) ;
  #/var/lock/subsys/squid        -> $(SEC_CONFIG) ;
  /var/lock/subsys/sshd          -> $(SEC_CONFIG) ;
  /var/lock/subsys/syslog        -> $(SEC_CONFIG) ;
  #/var/lock/subsys/tux          -> $(SEC_CONFIG) ;
  #/var/lock/subsys/tWnn         -> $(SEC_CONFIG) ;
  #/var/lock/subsys/ups          -> $(SEC_CONFIG) ;
  #/var/lock/subsys/vncserver    -> $(SEC_CONFIG) ;
  #/var/lock/subsys/wine         -> $(SEC_CONFIG) ;
  /var/lock/subsys/xfs           -> $(SEC_CONFIG) ;
  /var/lock/subsys/xinetd        -> $(SEC_CONFIG) ;
  #/var/lock/subsys/ypbind       -> $(SEC_CONFIG) ;
  #/var/lock/subsys/yppasswdd    -> $(SEC_CONFIG) ;
  #/var/lock/subsys/ypserv       -> $(SEC_CONFIG) ;
  #/var/lock/subsys/ypxfrd       -> $(SEC_CONFIG) ;
  #/var/lock/subsys/zebra        -> $(SEC_CONFIG) ;
  /var/run                       -> $(SEC_CONFIG) ;
  /var/log                       -> $(SEC_CONFIG) ;
  #/etc/ioctl.save               -> $(SEC_CONFIG) ;
  /etc/issue.net                 -> $(SEC_CONFIG) -i ;   # Inode number changes
  /etc/issue                     -> $(SEC_CONFIG) ;
  /etc/mtab                      -> $(SEC_CONFIG) -i ;   # Inode number changes on any mount/unmount
  /lib/modules                   -> $(SEC_CONFIG) ;
  /etc/.pwd.lock                 -> $(SEC_CONFIG) ;
  #/lib/modules/preferred        -> $(SEC_CONFIG) ;      # Uncomment when this file exists
}

# These files change the behavior of the root account
(
  rulename = "Root config files",
  severity = 100
)
{
  /root                    -> $(SEC_CRIT) ;       # Catch all additions to /root
  /root/.Xresources        -> $(SEC_CONFIG) ;
  /root/.bashrc            -> $(SEC_CONFIG) ;
  /root/.bash_profile      -> $(SEC_CONFIG) ;
  /root/.bash_logout       -> $(SEC_CONFIG) ;
  /root/.cshrc             -> $(SEC_CONFIG) ;
  /root/.tcshrc            -> $(SEC_CONFIG) ;
  #/root/Mail              -> $(SEC_CONFIG) ;
  #/root/mail              -> $(SEC_CONFIG) ;
  #/root/.amandahosts      -> $(SEC_CONFIG) ;
  #/root/.addressbook.lu   -> $(SEC_CONFIG) ;
  #/root/.addressbook      -> $(SEC_CONFIG) ;
  /root/.bash_history      -> $(SEC_CONFIG) ;
  #/root/.elm              -> $(SEC_CONFIG) ;
  /root/.esd_auth          -> $(SEC_CONFIG) ;
  #/root/.gnome_private    -> $(SEC_CONFIG) ;
  #/root/.gnome-desktop    -> $(SEC_CONFIG) ;
  /root/.gnome             -> $(SEC_CONFIG) ;
  /root/.ICEauthority      -> $(SEC_CONFIG) ;
  #/root/.mc               -> $(SEC_CONFIG) ;
  #/root/.pinerc           -> $(SEC_CONFIG) ;
  #/root/.sawfish          -> $(SEC_CONFIG) ;
  /root/.Xauthority        -> $(SEC_CONFIG) -i ;  # Changes Inode number on login
  #/root/.xauth            -> $(SEC_CONFIG) ;
  #/root/.xsession-errors  -> $(SEC_CONFIG) ;
}

# Critical configuration files.
(
  rulename = "Critical configuration files",
  severity = $(SIG_HI)
)
{
  #/etc/conf.linuxconf   -> $(SEC_BIN) ;      # legacy
  /etc/crontab           -> $(SEC_BIN) ;
  /etc/cron.hourly       -> $(SEC_BIN) ;
  /etc/cron.daily        -> $(SEC_BIN) ;
  /etc/cron.weekly       -> $(SEC_BIN) ;
  /etc/cron.monthly      -> $(SEC_BIN) ;
  /etc/default           -> $(SEC_BIN) ;
  /etc/fstab             -> $(SEC_BIN) ;
  /etc/exports           -> $(SEC_BIN) ;
  /etc/group-            -> $(SEC_BIN) ;      # changes should be infrequent
  /etc/host.conf         -> $(SEC_BIN) ;
  /etc/hosts.allow       -> $(SEC_BIN) ;
  /etc/hosts.deny        -> $(SEC_BIN) ;
  /etc/httpd/conf        -> $(SEC_BIN) ;      # changes should be infrequent
  /etc/protocols         -> $(SEC_BIN) ;
  /etc/services          -> $(SEC_BIN) ;
  /etc/rc.d/init.d       -> $(SEC_BIN) ;
  /etc/rc.d              -> $(SEC_BIN) ;
  /etc/mail.rc           -> $(SEC_BIN) ;
  /etc/modules.conf      -> $(SEC_BIN) ;      # post 2.6 legacy
  #/etc/modprobe.conf    -> $(SEC_BIN) ;      # include this for 2.6 kernels
  /etc/motd              -> $(SEC_BIN) ;
  /etc/named.conf        -> $(SEC_BIN) ;
  /etc/passwd            -> $(SEC_CONFIG) ;
  /etc/passwd-           -> $(SEC_CONFIG) ;
  /etc/profile.d         -> $(SEC_BIN) ;
  /var/lib/nfs/rmtab     -> $(SEC_BIN) ;
  /usr/sbin/fixrmtab     -> $(SEC_BIN) ;
  /etc/rpc               -> $(SEC_BIN) ;
  /etc/sysconfig         -> $(SEC_BIN) ;
  /etc/samba/smb.conf    -> $(SEC_CONFIG) ;
  #/etc/gettydefs        -> $(SEC_BIN) ;
  /etc/nsswitch.conf     -> $(SEC_BIN) ;
  /etc/yp.conf           -> $(SEC_BIN) ;
  /etc/hosts             -> $(SEC_CONFIG) ;
  /etc/xinetd.conf       -> $(SEC_CONFIG) ;
  /etc/inittab           -> $(SEC_CONFIG) ;
  /etc/resolv.conf       -> $(SEC_CONFIG) ;
  /etc/syslog.conf       -> $(SEC_CONFIG) ;
}

# Critical devices.
(
  rulename = "Critical devices",
  severity = $(SIG_HI),
  recurse = false
)
{
  /dev/kmem          -> $(Device) ;
  /dev/mem           -> $(Device) ;
  /dev/null          -> $(Device) ;
  /dev/zero          -> $(Device) ;
  /proc/devices      -> $(Device) ;
  /proc/net          -> $(Device) ;
  /proc/sys          -> $(Device) ;
  /proc/cpuinfo      -> $(Device) ;
  /proc/modules      -> $(Device) ;
  /proc/mounts       -> $(Device) ;
  /proc/dma          -> $(Device) ;
  /proc/filesystems  -> $(Device) ;
  /proc/pci          -> $(Device) ;
  /proc/interrupts   -> $(Device) ;
  /proc/driver/rtc   -> $(Device) ;
  /proc/ioports      -> $(Device) ;
  /proc/scsi         -> $(Device) ;
  /proc/kcore        -> $(Device) ;
  /proc/self         -> $(Device) ;
  /proc/kmsg         -> $(Device) ;
  /proc/stat         -> $(Device) ;
  /proc/ksyms        -> $(Device) ;
  /proc/loadavg      -> $(Device) ;
  /proc/uptime       -> $(Device) ;
  /proc/locks        -> $(Device) ;
  /proc/version      -> $(Device) ;
  /proc/mdstat       -> $(Device) ;
  /proc/meminfo      -> $(Device) ;
  /proc/cmdline      -> $(Device) ;
  /proc/misc         -> $(Device) ;
}

# Rest of critical system binaries
(
  rulename = "OS executables and libraries",
  severity = $(SIG_HI)
)
{
  /bin  -> $(SEC_BIN) ;
  /lib  -> $(SEC_BIN) ;
}

# disabled-entries: 184

# license:
#=============================================================================
#
# Copyright 2000 Tripwire, Inc. Tripwire is a registered trademark of Tripwire,
# Inc. in the United States and other countries. All rights reserved.
#
# Linux is a registered trademark of Linus Torvalds.
#
# UNIX is a registered trademark of The Open Group.
#
#=============================================================================
#
# Permission is granted to make and distribute verbatim copies of this document
# provided the copyright notice and this permission notice are preserved on all
# copies.
#
# Permission is granted to copy and distribute modified versions of this
# document under the conditions for verbatim copying, provided that the entire
# resulting derived work is distributed under the terms of a permission notice
# identical to this one.
#
# Permission is granted to copy and distribute translations of this document
# into another language, under the above conditions for modified versions,
# except that this permission notice may be stated in a translation approved by
# Tripwire, Inc.
#
# DCM
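Added example, not code from the Tripwire project or from this Fedora policy: a Python parser and linter for the plaintext policy grammar used above (sections, variable definitions, rule attribute blocks, `path -> mask (options) ;` entries and `!` stop points). It reports the things the description asks an administrator to handle by hand before the policy is compiled and signed: variables that are never defined, an object listed in two rules, and high-severity rules that still carry no emailto address. The sample policy embedded in it is constructed for the demonstration, and the built-in mask names are Tripwire's six predefined property masks.

```python
# Added example (not Tripwire's or the Fedora policy's code): lint twpol.txt before twadmin --create-polfile.
import re

BUILTIN_MASKS = {"ReadOnly", "Dynamic", "Growing", "Device", "IgnoreAll", "IgnoreNone"}  # predefined by Tripwire
VAR_RE = re.compile(r"\$\((\w+)\)")
STMT_RE = re.compile(
    r"@@section\s+(?P<section>\w+)"                                      # @@section FS
    r"|(?P<var>\w+)\s*=\s*(?P<val>[^;]*);"                                # NAME = value ;
    r"|\(\s*(?P<attrs>(?:[^()]|\$\(\w+\))*)\)\s*\{(?P<entries>[^}]*)\}"  # ( attrs ) { entries }
    r"|(?P<junk>\S+)")                                                    # anything else is an error
# "path -> mask (options)"; the lookbehind keeps a $(VAR) mask out of the options group.
ENTRY_RE = re.compile(r"^(?P<path>\S+)\s*->\s*(?P<mask>.*?)\s*(?:(?<!\$)\((?P<opts>[^)]*)\))?$")


def _expand(text, variables, errors, where):
    """Substitute $(NAME); report names that are neither defined nor built in."""
    def sub(m):
        name = m.group(1)
        if name not in variables and name not in BUILTIN_MASKS:
            errors.append(f"{where}: undefined variable $({name})")
        return variables.get(name, m.group(0))
    return VAR_RE.sub(sub, text)


def parse_policy(text):
    """Return (rules, errors); each rule is {'attrs': {...}, 'objects': [...]}."""
    body = "\n".join(line.split("#", 1)[0] for line in text.splitlines())  # drop comments
    variables, rules, errors = {}, [], []
    for m in STMT_RE.finditer(body):
        if m.group("junk"):
            errors.append(f"unparsed text {m.group('junk')!r}")
        elif m.group("var"):
            variables[m.group("var")] = _expand(m.group("val").strip(), variables, errors, m.group("var"))
        elif m.group("attrs") is not None:  # a rule block; @@section lines need no action
            attrs = {}
            for item in m.group("attrs").split(","):
                key, _, val = item.partition("=")
                if key.strip():
                    attrs[key.strip()] = _expand(val.strip().strip('"'), variables, errors, key.strip())
            name, objects = attrs.get("rulename", "<unnamed rule>"), []
            for chunk in (" ".join(c.split()) for c in m.group("entries").split(";")):
                e = ENTRY_RE.match(chunk)
                if chunk.startswith("!"):  # stop point: the object is never scanned
                    objects.append({"path": _expand(chunk[1:].strip(), variables, errors, name), "stop": True})
                elif e:
                    objects.append({"path": _expand(e.group("path"), variables, errors, name),
                                    "mask": _expand(e.group("mask"), variables, errors, name),
                                    "opts": e.group("opts") or "", "stop": False})
                elif chunk:
                    errors.append(f"{name}: cannot parse entry {chunk!r}")
            rules.append({"attrs": attrs, "objects": objects})
    return rules, errors


def lint_policy(text, mail_threshold=100):
    """Findings to fix before signing: parse errors, duplicate objects, unmailed rules."""
    rules, findings = parse_policy(text)
    seen = {}
    for rule in rules:
        name = rule["attrs"].get("rulename", "<unnamed rule>")
        sev = rule["attrs"].get("severity", "0")
        if sev.isdigit() and int(sev) >= mail_threshold and "emailto" not in rule["attrs"]:
            findings.append(f"{name}: severity {sev} but no emailto address")
        for obj in rule["objects"]:
            if obj["path"] in seen:  # Tripwire rejects an object listed twice
                findings.append(f"{name}: {obj['path']} already listed in rule {seen[obj['path']]}")
            seen[obj["path"]] = name
    return sorted(findings)


# Constructed sample (not the Fedora policy): one rule with emailto, one without,
# plus an undefined variable and a duplicate object for the linter to report.
SAMPLE_POLICY = """
@@section FS
TWBIN=/usr/sbin;
SEC_CRIT = $(IgnoreNone)-SHa ;   # critical files that cannot change
SIG_HI   = 100 ;
( rulename = "Tripwire Binaries", severity = $(SIG_HI),
  emailto = root@localhost;security@example.com )
{
  $(TWBIN)/tripwire   -> $(SEC_CRIT) ;
}
( rulename = "System boot changes", severity = $(SIG_HI) )
{
  !/var/run/ftp.pids-all ;                            # stop point, never scanned
  /etc/mtab           -> $(Dynamic) -i (recurse=0) ;  # inode changes on mount
  $(TWREPORT)         -> $(Dynamic) ;                 # TWREPORT is never defined
  $(TWBIN)/tripwire   -> $(SEC_CRIT) ;                # already listed above
}
"""
```

Calling `lint_policy(SAMPLE_POLICY)` returns the three findings for the second rule (duplicate object, missing emailto, undefined variable) and nothing for the first.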
