Default policy for GNU/Hurd

2018-02-22 01:34:23 -08:00 · 2018-02-22 01:34:23 -08:00 · 0912e56ffe
parent 07ffc89e24
commit 0912e56ffe
1 changed files with 160 additions and 0 deletions
--- a/policy/twpol-GNU.txt
+++ b/policy/twpol-GNU.txt
@ -0,0 +1,160 @@
+###############################################################################
+#                                                                            ##
+#    Default Tripwire 2.4 Policy file for GNU/Hurd                           ##
+#                                                                            ##
+###############################################################################
+
+
+###############################################################################
+#                                                                            ##
+# Global Variable Definitions                                                ##
+#                                                                            ##
+# These are defined at install time by the installation script.  You may     ##
+# Manually edit these if you are using this file directly and not from the   ##
+# installation script itself.                                                ##
+#                                                                            ##
+###############################################################################
+
+@@section GLOBAL
+TWROOT=;
+TWBIN=;
+TWPOL=;
+TWDB=;
+TWSKEY=;
+TWLKEY=;
+TWREPORT=;
+HOSTNAME=;
+
+##############################################################################
+#  Predefined Variables                                                      #
+##############################################################################
+#
+#  Property Masks
+#
+#  -  ignore the following properties
+#  +  check the following properties
+#
+#  a  access timestamp (mutually exclusive with +CMSH)
+#  b  number of blocks allocated
+#  c  inode creation/modification timestamp
+#  d  ID of device on which inode resides
+#  g  group id of owner
+#  i  inode number
+#  l  growing files (logfiles for example)
+#  m  modification timestamp
+#  n  number of links
+#  p  permission and file mode bits
+#  r  ID of device pointed to by inode (valid only for device objects)
+#  s  file size
+#  t  file type
+#  u  user id of owner
+#
+#  C  CRC-32 hash
+#  H  HAVAL hash
+#  M  MD5 hash
+#  S  SHA hash
+#
+##############################################################################
+
+#Device        = +pugsdr-intlbamcCMSH ;
+#Dynamic       = +pinugtd-srlbamcCMSH ;
+#Growing       = +pinugtdl-srbamcCMSH ;
+#IgnoreAll     = -pinugtsdrlbamcCMSH ;
+#IgnoreNone    = +pinugtsdrbamcCMSH-l ;
+#ReadOnly      = +pinugtsdbmCM-rlacSH ;
+Temporary     = +pugt ;
+
+@@section FS 
+
+#########################################
+#                                      ##
+#  Tripwire Binaries and Data Files    ##
+#                                      ##
+#########################################
+
+# Tripwire Binaries
+(
+  rulename = "Tripwire Binaries",
+)
+{
+  $(TWBIN)/siggen                      -> $(ReadOnly) ;
+  $(TWBIN)/tripwire                    -> $(ReadOnly) ;
+  $(TWBIN)/twadmin                     -> $(ReadOnly) ;
+  $(TWBIN)/twprint                     -> $(ReadOnly) ;
+}
+
+# Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases
+(
+  rulename = "Tripwire Data Files",
+)
+{
+  # NOTE: We remove the inode attribute because when Tripwire creates a backup,
+  # it does so by renaming the old file and creating a new one (which will
+  # have a new inode number).  Inode is left turned on for keys, which shouldn't
+  # ever change.
+
+  # NOTE: The first integrity check triggers this rule and each integrity check
+  # afterward triggers this rule until a database update is run, since the
+  # database file does not exist before that point.
+
+  $(TWDB)                              -> $(Dynamic) -i ;
+  $(TWPOL)/tw.pol                      -> $(ReadOnly) -i ;
+  $(TWPOL)/tw.cfg                      -> $(ReadOnly) -i ;
+  $(TWLKEY)/$(HOSTNAME)-local.key      -> $(ReadOnly) ;
+  $(TWSKEY)/site.key                   -> $(ReadOnly) ;
+
+  # don't scan the individual reports
+  $(TWREPORT)                          -> $(Dynamic) (recurse=0) ;
+}
+
+##############################################################################
+
+(rulename="Boot files",)
+{
+  /boot -> $(IgnoreNone) -a;
+}
+
+(rulename="Binary files",)
+{
+  /bin -> $(IgnoreNone) -a;
+  /usr/bin -> $(IgnoreNone) -a;
+  /usr/local/bin -> $(IgnoreNone) -a;
+}
+
+(rulename="Admin binaries",)
+{
+  /servers -> $(IgnoreNone) -a;
+  /sbin -> $(IgnoreNone) -a;
+  /usr/sbin -> $(IgnoreNone) -a;
+  /hurd -> $(IgnoreNone) -a;
+}
+
+(rulename="Libraries",)
+{
+  /lib -> $(IgnoreNone) -a;
+  /usr/lib -> $(IgnoreNone) -a;
+  /usr/local/lib -> $(IgnoreNone) -a;
+}
+
+(rulename="Etc",)
+{
+  /etc -> $(IgnoreNone) -a;
+  /usr/etc -> $(IgnoreNone) -a;
+  /usr/local/etc -> $(IgnoreNone) -a;
+}
+
+(rulename="Dev",)
+{
+  /dev -> $(Device);
+}
+
+(rulename="Tmp",)
+{
+  /tmp -> $(Temporary);
+  /var/tmp -> $(Temporary);
+}
+
+(rulename="Log",)
+{
+  /var/log -> $(Growing);
+}