Use SEC_ naming convention for OpenBSD (& variants) policies, including new one for LibertyBSD

This commit is contained in:
Brian Cox 2018-03-19 23:23:56 -07:00
parent ab4c9203da
commit 38fc87fa9a
4 changed files with 502 additions and 210 deletions


@ -2,8 +2,8 @@
# ## # ##
############################################################################## # ############################################################################## #
# # # # # #
# Policy file for Bitrig 1.x # # # Tripwire 2.4 policy for Bitrig # #
# (adapted from OpenBSD policy) # # # updated March 2018 # #
# ## # ##
############################################################################## ##############################################################################
@ -60,13 +60,13 @@ HOSTNAME=;
# #
############################################################################## ##############################################################################
Device = +pugsdr-intlbamcCMSH ; SEC_DEVICE = +pugsdr-intlbamcCMSH ;
Dynamic = +pinugtd-srlbamcCMSH ; SEC_DYNAMIC = +pinugtd-srlbamcCMSH ;
Growing = +pinugtdl-srbamcCMSH ; SEC_GROWING = +pinugtdl-srbamcCMSH ;
IgnoreAll = -pinugtsdrlbamcCMSH ; SEC_IGNORE_ALL = -pinugtsdrlbamcCMSH ;
IgnoreNone = +pinugtsdrbamcCMSH-l ; SEC_IGNORE_NONE = +pinugtsdrbamcCMSH-l ;
ReadOnly = +pinugtsdbmCM-rlacSH ; SEC_READONLY = +pinugtsdbmCM-rlacSH ;
Temporary = +pugt ; SEC_TEMPORARY = +pugt ;
@@section FS @@section FS
@ -83,10 +83,10 @@ Temporary = +pugt ;
rulename = "Tripwire Binaries", rulename = "Tripwire Binaries",
) )
{ {
$(TWBIN)/siggen -> $(ReadOnly) ; $(TWBIN)/siggen -> $(SEC_READONLY) ;
$(TWBIN)/tripwire -> $(ReadOnly) ; $(TWBIN)/tripwire -> $(SEC_READONLY) ;
$(TWBIN)/twadmin -> $(ReadOnly) ; $(TWBIN)/twadmin -> $(SEC_READONLY) ;
$(TWBIN)/twprint -> $(ReadOnly) ; $(TWBIN)/twprint -> $(SEC_READONLY) ;
} }
# Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases # Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases
@ -103,14 +103,14 @@ Temporary = +pugt ;
# afterward triggers this rule until a database update is run, since the # afterward triggers this rule until a database update is run, since the
# database file does not exist before that point. # database file does not exist before that point.
$(TWDB) -> $(Dynamic) -i ; $(TWDB) -> $(SEC_DYNAMIC) -i ;
$(TWPOL)/tw.pol -> $(ReadOnly) -i ; $(TWPOL)/tw.pol -> $(SEC_READONLY) -i ;
$(TWPOL)/tw.cfg -> $(ReadOnly) -i ; $(TWPOL)/tw.cfg -> $(SEC_READONLY) -i ;
$(TWLKEY)/$(HOSTNAME)-local.key -> $(ReadOnly) ; $(TWLKEY)/$(HOSTNAME)-local.key -> $(SEC_READONLY) ;
$(TWSKEY)/site.key -> $(ReadOnly) ; $(TWSKEY)/site.key -> $(SEC_READONLY) ;
# don't scan the individual reports # don't scan the individual reports
$(TWREPORT) -> $(Dynamic) (recurse=0) ; $(TWREPORT) -> $(SEC_DYNAMIC) (recurse=0) ;
# In this configuration /usr/local is a symbolic link to /home/local. # In this configuration /usr/local is a symbolic link to /home/local.
# We want to ignore the following directories since they are already # We want to ignore the following directories since they are already
@ -131,9 +131,9 @@ Temporary = +pugt ;
rulename = "OS Boot and Configuration Files", rulename = "OS Boot and Configuration Files",
) )
{ {
/boot -> $(ReadOnly) ; /boot -> $(SEC_READONLY) ;
/bsd -> $(ReadOnly) ; /bsd -> $(SEC_READONLY) ;
/etc -> $(IgnoreNone) -SHa ; /etc -> $(SEC_IGNORE_NONE) -SHa ;
} }
################################################### ###################################################
@ -147,13 +147,13 @@ Temporary = +pugt ;
rulename = "Mount Points", rulename = "Mount Points",
) )
{ {
/ -> $(ReadOnly) ; / -> $(SEC_READONLY) ;
/cdrom -> $(Dynamic) ; /cdrom -> $(SEC_DYNAMIC) ;
/floppy -> $(Dynamic) ; /floppy -> $(SEC_DYNAMIC) ;
/home -> $(ReadOnly) ; # Modify as needed /home -> $(SEC_READONLY) ; # Modify as needed
/mnt -> $(Dynamic) ; /mnt -> $(SEC_DYNAMIC) ;
/usr -> $(ReadOnly) ; /usr -> $(SEC_READONLY) ;
/var -> $(ReadOnly) ; /var -> $(SEC_READONLY) ;
} }
################################################### ###################################################
@ -167,8 +167,8 @@ Temporary = +pugt ;
rulename = "Misc Top-Level Directories", rulename = "Misc Top-Level Directories",
) )
{ {
/altroot -> $(Dynamic) ; /altroot -> $(SEC_DYNAMIC) ;
/stand -> $(Dynamic) ; /stand -> $(SEC_DYNAMIC) ;
} }
################################################ ################################################
@ -182,10 +182,10 @@ Temporary = +pugt ;
rulename = "System Devices", rulename = "System Devices",
) )
{ {
/dev -> $(Device) ; /dev -> $(SEC_DEVICE) ;
/dev/fd -> $(Device) ; /dev/fd -> $(SEC_DEVICE) ;
/var/cron/tabs/.sock -> $(Device) ; /var/cron/tabs/.sock -> $(SEC_DEVICE) ;
/var/empty/dev/log -> $(Device) ; /var/empty/dev/log -> $(SEC_DEVICE) ;
} }
################################################ ################################################
@ -199,14 +199,14 @@ Temporary = +pugt ;
rulename = "OS Binaries and Libraries", rulename = "OS Binaries and Libraries",
) )
{ {
/bin -> $(ReadOnly) ; /bin -> $(SEC_READONLY) ;
/sbin -> $(ReadOnly) ; /sbin -> $(SEC_READONLY) ;
/usr/bin -> $(ReadOnly) ; /usr/bin -> $(SEC_READONLY) ;
/usr/lib -> $(ReadOnly) ; /usr/lib -> $(SEC_READONLY) ;
/usr/libexec -> $(ReadOnly) ; /usr/libexec -> $(SEC_READONLY) ;
/usr/sbin -> $(ReadOnly) ; /usr/sbin -> $(SEC_READONLY) ;
/usr/X11R6/bin -> $(ReadOnly) ; /usr/X11R6/bin -> $(SEC_READONLY) ;
/usr/X11R6/lib -> $(ReadOnly) ; /usr/X11R6/lib -> $(SEC_READONLY) ;
} }
################################################ ################################################
# ## # ##
@ -219,19 +219,19 @@ Temporary = +pugt ;
#OKrulename = "Usr Local Files", #OKrulename = "Usr Local Files",
#OK) #OK)
#OK{ #OK{
#OK/usr/local -> $(ReadOnly) ; #OK/usr/local -> $(SEC_READONLY) ;
#OK/usr/local/bin -> $(ReadOnly) ; #OK/usr/local/bin -> $(SEC_READONLY) ;
#OK/usr/local/doc -> $(ReadOnly) ; #OK/usr/local/doc -> $(SEC_READONLY) ;
#OK/usr/local/etc -> $(ReadOnly) ; #OK/usr/local/etc -> $(SEC_READONLY) ;
#OK/usr/local/include -> $(ReadOnly) ; #OK/usr/local/include -> $(SEC_READONLY) ;
#OK/usr/local/info -> $(ReadOnly) ; #OK/usr/local/info -> $(SEC_READONLY) ;
#OK/usr/local/lib -> $(ReadOnly) ; #OK/usr/local/lib -> $(SEC_READONLY) ;
#OK/usr/local/libdata -> $(ReadOnly) ; #OK/usr/local/libdata -> $(SEC_READONLY) ;
#OK/usr/local/libexec -> $(ReadOnly) ; #OK/usr/local/libexec -> $(SEC_READONLY) ;
#OK/usr/local/man -> $(ReadOnly) ; #OK/usr/local/man -> $(SEC_READONLY) ;
#OK/usr/local/sbin -> $(ReadOnly) ; #OK/usr/local/sbin -> $(SEC_READONLY) ;
#OK/usr/local/share -> $(ReadOnly) ; #OK/usr/local/share -> $(SEC_READONLY) ;
#OK/usr/local/src -> $(ReadOnly) ; #OK/usr/local/src -> $(SEC_READONLY) ;
#OK} #OK}
################################################ ################################################
@ -245,9 +245,9 @@ Temporary = +pugt ;
rulename = "Root Directory and Files", rulename = "Root Directory and Files",
) )
{ {
/root -> $(IgnoreNone) -SHa ; /root -> $(SEC_IGNORE_NONE) -SHa ;
/root/.cshrc -> $(Dynamic) ; /root/.cshrc -> $(SEC_DYNAMIC) ;
/root/.profile -> $(Dynamic) ; /root/.profile -> $(SEC_DYNAMIC) ;
} }
################################################ ################################################
@ -261,8 +261,8 @@ Temporary = +pugt ;
rulename = "Temporary Directories", rulename = "Temporary Directories",
) )
{ {
/tmp -> $(Temporary) ; /tmp -> $(SEC_TEMPORARY) ;
/var/tmp -> $(Temporary) ; /var/tmp -> $(SEC_TEMPORARY) ;
} }
################################################ ################################################
@ -276,15 +276,15 @@ Temporary = +pugt ;
rulename = "System and Boot Changes", rulename = "System and Boot Changes",
) )
{ {
/var/backups -> $(Dynamic) -i ; /var/backups -> $(SEC_DYNAMIC) -i ;
/var/db/host.random -> $(ReadOnly) -mCM ; /var/db/host.random -> $(SEC_READONLY) -mCM ;
/var/cron -> $(Growing) -i ; /var/cron -> $(SEC_GROWING) -i ;
/var/log -> $(Growing) -i ; /var/log -> $(SEC_GROWING) -i ;
/var/run -> $(Dynamic) -i ; /var/run -> $(SEC_DYNAMIC) -i ;
/var/mail -> $(Growing) ; /var/mail -> $(SEC_GROWING) ;
/var/msgs/bounds -> $(ReadOnly) -smbCM ; /var/msgs/bounds -> $(SEC_READONLY) -smbCM ;
/var/spool/clientmqueue -> $(Temporary) ; /var/spool/clientmqueue -> $(SEC_TEMPORARY) ;
/var/spool/mqueue -> $(Temporary) ; /var/spool/mqueue -> $(SEC_TEMPORARY) ;
} }
# #

292
policy/twpol-LibertyBSD.txt Normal file

@ -0,0 +1,292 @@
##############################################################################
# ##
############################################################################## #
# # #
# Tripwire 2.4 policy for LibertyBSD # #
# updated March 2018 # #
# ##
##############################################################################
##############################################################################
# ##
############################################################################## #
# # #
# Global Variable Definitions # #
# # #
# These are defined at install time by the installation script. You may # #
# manually edit these if you are using this file directly and not from the # #
# installation script itself. # #
# ##
##############################################################################
@@section GLOBAL
TWROOT=;
TWBIN=;
TWPOL=;
TWDB=;
TWSKEY=;
TWLKEY=;
TWREPORT=;
HOSTNAME=;
##############################################################################
# Predefined Variables #
##############################################################################
#
# Property Masks
#
# - ignore the following properties
# + check the following properties
#
# a access timestamp (mutually exclusive with +CMSH)
# b number of blocks allocated
# c inode creation/modification timestamp
# d ID of device on which inode resides
# g group id of owner
# i inode number
# l growing files (logfiles for example)
# m modification timestamp
# n number of links
# p permission and file mode bits
# r ID of device pointed to by inode (valid only for device objects)
# s file size
# t file type
# u user id of owner
#
# C CRC-32 hash
# H HAVAL hash
# M MD5 hash
# S SHA hash
#
##############################################################################
SEC_DEVICE = +pugsdr-intlbamcCMSH ;
SEC_DYNAMIC = +pinugtd-srlbamcCMSH ;
SEC_GROWING = +pinugtdl-srbamcCMSH ;
SEC_IGNORE_ALL = -pinugtsdrlbamcCMSH ;
SEC_IGNORE_NONE = +pinugtsdrbamcCMSH-l ;
SEC_READONLY = +pinugtsdbmCM-rlacSH ;
SEC_TEMPORARY = +pugt ;
@@section FS
########################################
# ##
######################################## #
# # #
# Tripwire Binaries and Data Files # #
# ##
########################################
# Tripwire Binaries
(
rulename = "Tripwire Binaries",
)
{
$(TWBIN)/siggen -> $(SEC_READONLY) ;
$(TWBIN)/tripwire -> $(SEC_READONLY) ;
$(TWBIN)/twadmin -> $(SEC_READONLY) ;
$(TWBIN)/twprint -> $(SEC_READONLY) ;
}
# Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases
(
rulename = "Tripwire Data Files",
)
{
# NOTE: We remove the inode attribute because when Tripwire creates a backup,
# it does so by renaming the old file and creating a new one (which will
# have a new inode number). Inode is left turned on for keys, which shouldn't
# ever change.
# NOTE: The first integrity check triggers this rule and each integrity check
# afterward triggers this rule until a database update is run, since the
# database file does not exist before that point.
$(TWDB) -> $(SEC_DYNAMIC) -i ;
$(TWPOL)/tw.pol -> $(SEC_READONLY) -i ;
$(TWPOL)/tw.cfg -> $(SEC_READONLY) -i ;
$(TWLKEY)/$(HOSTNAME)-local.key -> $(SEC_READONLY) ;
$(TWSKEY)/site.key -> $(SEC_READONLY) ;
# don't scan the individual reports
$(TWREPORT) -> $(SEC_DYNAMIC) (recurse=0) ;
# In this configuration /usr/local is a symbolic link to /home/local.
# We want to ignore the following directories since they are already
# scanned using the real directory or mount point. Otherwise we see
# duplicates in the reports.
!/home/local ;
}
################################################
# ##
################################################ #
# # #
# OS Boot and Configuration Files # #
# ##
################################################
(
rulename = "OS Boot and Configuration Files",
)
{
/boot -> $(SEC_READONLY) ;
/bsd -> $(SEC_READONLY) ;
/etc -> $(SEC_IGNORE_NONE) -SHa ;
}
###################################################
# ##
################################################### #
# # #
# Mount Points # #
# ##
###################################################
(
rulename = "Mount Points",
)
{
/ -> $(SEC_READONLY) ;
/cdrom -> $(SEC_DYNAMIC) ;
/floppy -> $(SEC_DYNAMIC) ;
/home -> $(SEC_READONLY) ; # Modify as needed
/mnt -> $(SEC_DYNAMIC) ;
/usr -> $(SEC_READONLY) ;
/var -> $(SEC_READONLY) ;
}
###################################################
# ##
################################################### #
# # #
# Misc Top-Level Directories # #
# ##
###################################################
(
rulename = "Misc Top-Level Directories",
)
{
/altroot -> $(SEC_DYNAMIC) ;
/stand -> $(SEC_DYNAMIC) ;
}
################################################
# ##
################################################ #
# # #
# System Devices # #
# ##
################################################
(
rulename = "System Devices",
)
{
/dev -> $(SEC_DEVICE) ;
/dev/fd -> $(SEC_DEVICE) ;
/var/cron/tabs/.sock -> $(SEC_DEVICE) ;
/var/empty/dev/log -> $(SEC_DEVICE) ;
}
################################################
# ##
################################################ #
# # #
# OS Binaries and Libraries # #
# ##
################################################
(
rulename = "OS Binaries and Libraries",
)
{
/bin -> $(SEC_READONLY) ;
/sbin -> $(SEC_READONLY) ;
/usr/bin -> $(SEC_READONLY) ;
/usr/lib -> $(SEC_READONLY) ;
/usr/libexec -> $(SEC_READONLY) ;
/usr/sbin -> $(SEC_READONLY) ;
/usr/X11R6/bin -> $(SEC_READONLY) ;
/usr/X11R6/lib -> $(SEC_READONLY) ;
}
################################################
# ##
################################################ #
# # #
# Usr Local Files # #
# ##
################################################
#OK(
#OKrulename = "Usr Local Files",
#OK)
#OK{
#OK/usr/local -> $(SEC_READONLY) ;
#OK/usr/local/bin -> $(SEC_READONLY) ;
#OK/usr/local/doc -> $(SEC_READONLY) ;
#OK/usr/local/etc -> $(SEC_READONLY) ;
#OK/usr/local/include -> $(SEC_READONLY) ;
#OK/usr/local/info -> $(SEC_READONLY) ;
#OK/usr/local/lib -> $(SEC_READONLY) ;
#OK/usr/local/libdata -> $(SEC_READONLY) ;
#OK/usr/local/libexec -> $(SEC_READONLY) ;
#OK/usr/local/man -> $(SEC_READONLY) ;
#OK/usr/local/sbin -> $(SEC_READONLY) ;
#OK/usr/local/share -> $(SEC_READONLY) ;
#OK/usr/local/src -> $(SEC_READONLY) ;
#OK}
################################################
# ##
################################################ #
# # #
# Root Directory and Files # #
# ##
################################################
(
rulename = "Root Directory and Files",
)
{
/root -> $(SEC_IGNORE_NONE) -SHa ;
/root/.cshrc -> $(SEC_DYNAMIC) ;
/root/.profile -> $(SEC_DYNAMIC) ;
}
################################################
# ##
################################################ #
# # #
# Temporary Directories # #
# ##
################################################
(
rulename = "Temporary Directories",
)
{
/tmp -> $(SEC_TEMPORARY) ;
/var/tmp -> $(SEC_TEMPORARY) ;
}
################################################
# ##
################################################ #
# # #
# System and Boot Changes # #
# ##
################################################
(
rulename = "System and Boot Changes",
)
{
/var/backups -> $(SEC_DYNAMIC) -i ;
/var/db/host.random -> $(SEC_READONLY) -mCM ;
/var/cron -> $(SEC_GROWING) -i ;
/var/log -> $(SEC_GROWING) -i ;
/var/run -> $(SEC_DYNAMIC) -i ;
/var/mail -> $(SEC_GROWING) ;
/var/msgs/bounds -> $(SEC_READONLY) -smbCM ;
/var/spool/clientmqueue -> $(SEC_TEMPORARY) ;
/var/spool/mqueue -> $(SEC_TEMPORARY) ;
}
#
# $Id: twpol-OpenBSD.txt,v 1.2 2004/05/14 21:56:21 pherman Exp $
#
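Review bot: The `!/home/local ;` stop point under the "/usr/local is a symbolic link to /home/local" comment, together with the "Usr Local Files" rule being left commented out (`#OK` lines), leaves /usr/local with no rule covering its contents, while the comment says they are "already scanned using the real directory or mount point"; since Tripwire records the /usr/local symlink rather than recursing through it, the recursive `/usr -> $(SEC_READONLY)` rule does not help either, so either re-enable the Usr Local rule or drop the `!/home/local` exclusion so `/home -> $(SEC_READONLY)` picks it up, and fix the comment to match whichever is chosen. Separately, `SEC_READONLY = +pinugtsdbmCM-rlacSH` and `/etc -> $(SEC_IGNORE_NONE) -SHa` switch the SHA hash off and rely on CRC-32 plus MD5 only; for a policy headed "updated March 2018" it is worth enabling `+S` at least for OS binaries, Tripwire's own binaries and keys, and /etc, e.g. `SEC_READONLY = +pinugtsdbmCMS-rlacH ;`. The trailing `# $Id: twpol-OpenBSD.txt,v 1.2 2004/05/14 21:56:21 pherman Exp $` is a CVS keyword copied from the OpenBSD policy and should be removed or updated so the file does not misidentify itself.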


@ -2,8 +2,8 @@
# ## # ##
############################################################################## # ############################################################################## #
# # # # # #
# Policy file for MirOS BSD # # # Tripwire 2.4 policy for MirOS BSD # #
# (adapted from OpenBSD policy) # # # updated March 2018 # #
# ## # ##
############################################################################## ##############################################################################
@ -60,13 +60,13 @@ HOSTNAME=;
# #
############################################################################## ##############################################################################
Device = +pugsdr-intlbamcCMSH ; SEC_DEVICE = +pugsdr-intlbamcCMSH ;
Dynamic = +pinugtd-srlbamcCMSH ; SEC_DYNAMIC = +pinugtd-srlbamcCMSH ;
Growing = +pinugtdl-srbamcCMSH ; SEC_GROWING = +pinugtdl-srbamcCMSH ;
IgnoreAll = -pinugtsdrlbamcCMSH ; SEC_IGNORE_ALL = -pinugtsdrlbamcCMSH ;
IgnoreNone = +pinugtsdrbamcCMSH-l ; SEC_IGNORE_NONE = +pinugtsdrbamcCMSH-l ;
ReadOnly = +pinugtsdbmCM-rlacSH ; SEC_READONLY = +pinugtsdbmCM-rlacSH ;
Temporary = +pugt ; SEC_TEMPORARY = +pugt ;
@@section FS @@section FS
@ -83,10 +83,10 @@ Temporary = +pugt ;
rulename = "Tripwire Binaries", rulename = "Tripwire Binaries",
) )
{ {
$(TWBIN)/siggen -> $(ReadOnly) ; $(TWBIN)/siggen -> $(SEC_READONLY) ;
$(TWBIN)/tripwire -> $(ReadOnly) ; $(TWBIN)/tripwire -> $(SEC_READONLY) ;
$(TWBIN)/twadmin -> $(ReadOnly) ; $(TWBIN)/twadmin -> $(SEC_READONLY) ;
$(TWBIN)/twprint -> $(ReadOnly) ; $(TWBIN)/twprint -> $(SEC_READONLY) ;
} }
# Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases # Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases
@ -103,14 +103,14 @@ Temporary = +pugt ;
# afterward triggers this rule until a database update is run, since the # afterward triggers this rule until a database update is run, since the
# database file does not exist before that point. # database file does not exist before that point.
$(TWDB) -> $(Dynamic) -i ; $(TWDB) -> $(SEC_DYNAMIC) -i ;
$(TWPOL)/tw.pol -> $(ReadOnly) -i ; $(TWPOL)/tw.pol -> $(SEC_READONLY) -i ;
$(TWPOL)/tw.cfg -> $(ReadOnly) -i ; $(TWPOL)/tw.cfg -> $(SEC_READONLY) -i ;
$(TWLKEY)/$(HOSTNAME)-local.key -> $(ReadOnly) ; $(TWLKEY)/$(HOSTNAME)-local.key -> $(SEC_READONLY) ;
$(TWSKEY)/site.key -> $(ReadOnly) ; $(TWSKEY)/site.key -> $(SEC_READONLY) ;
# don't scan the individual reports # don't scan the individual reports
$(TWREPORT) -> $(Dynamic) (recurse=0) ; $(TWREPORT) -> $(SEC_DYNAMIC) (recurse=0) ;
# In this configuration /usr/local is a symbolic link to /home/local. # In this configuration /usr/local is a symbolic link to /home/local.
# We want to ignore the following directories since they are already # We want to ignore the following directories since they are already
@ -131,9 +131,9 @@ Temporary = +pugt ;
rulename = "OS Boot and Configuration Files", rulename = "OS Boot and Configuration Files",
) )
{ {
/boot -> $(ReadOnly) ; /boot -> $(SEC_READONLY) ;
/bsd -> $(ReadOnly) ; /bsd -> $(SEC_READONLY) ;
/etc -> $(IgnoreNone) -SHa ; /etc -> $(SEC_IGNORE_NONE) -SHa ;
} }
################################################### ###################################################
@ -147,13 +147,13 @@ Temporary = +pugt ;
rulename = "Mount Points", rulename = "Mount Points",
) )
{ {
/ -> $(ReadOnly) ; / -> $(SEC_READONLY) ;
/cdrom -> $(Dynamic) ; /cdrom -> $(SEC_DYNAMIC) ;
/floppy -> $(Dynamic) ; /floppy -> $(SEC_DYNAMIC) ;
/home -> $(ReadOnly) ; # Modify as needed /home -> $(SEC_READONLY) ; # Modify as needed
/mnt -> $(Dynamic) ; /mnt -> $(SEC_DYNAMIC) ;
/usr -> $(ReadOnly) ; /usr -> $(SEC_READONLY) ;
/var -> $(ReadOnly) ; /var -> $(SEC_READONLY) ;
} }
################################################### ###################################################
@ -167,8 +167,8 @@ Temporary = +pugt ;
rulename = "Misc Top-Level Directories", rulename = "Misc Top-Level Directories",
) )
{ {
/altroot -> $(Dynamic) ; /altroot -> $(SEC_DYNAMIC) ;
/stand -> $(Dynamic) ; /stand -> $(SEC_DYNAMIC) ;
} }
################################################ ################################################
@ -182,10 +182,10 @@ Temporary = +pugt ;
rulename = "System Devices", rulename = "System Devices",
) )
{ {
/dev -> $(Device) ; /dev -> $(SEC_DEVICE) ;
/dev/fd -> $(Device) ; /dev/fd -> $(SEC_DEVICE) ;
/var/cron/tabs/.sock -> $(Device) ; /var/cron/tabs/.sock -> $(SEC_DEVICE) ;
/var/empty/dev/log -> $(Device) ; /var/empty/dev/log -> $(SEC_DEVICE) ;
} }
################################################ ################################################
@ -199,14 +199,14 @@ Temporary = +pugt ;
rulename = "OS Binaries and Libraries", rulename = "OS Binaries and Libraries",
) )
{ {
/bin -> $(ReadOnly) ; /bin -> $(SEC_READONLY) ;
/sbin -> $(ReadOnly) ; /sbin -> $(SEC_READONLY) ;
/usr/bin -> $(ReadOnly) ; /usr/bin -> $(SEC_READONLY) ;
/usr/lib -> $(ReadOnly) ; /usr/lib -> $(SEC_READONLY) ;
/usr/libexec -> $(ReadOnly) ; /usr/libexec -> $(SEC_READONLY) ;
/usr/sbin -> $(ReadOnly) ; /usr/sbin -> $(SEC_READONLY) ;
/usr/X11R6/bin -> $(ReadOnly) ; /usr/X11R6/bin -> $(SEC_READONLY) ;
/usr/X11R6/lib -> $(ReadOnly) ; /usr/X11R6/lib -> $(SEC_READONLY) ;
} }
################################################ ################################################
# ## # ##
@ -219,19 +219,19 @@ Temporary = +pugt ;
#OKrulename = "Usr Local Files", #OKrulename = "Usr Local Files",
#OK) #OK)
#OK{ #OK{
#OK/usr/local -> $(ReadOnly) ; #OK/usr/local -> $(SEC_READONLY) ;
#OK/usr/local/bin -> $(ReadOnly) ; #OK/usr/local/bin -> $(SEC_READONLY) ;
#OK/usr/local/doc -> $(ReadOnly) ; #OK/usr/local/doc -> $(SEC_READONLY) ;
#OK/usr/local/etc -> $(ReadOnly) ; #OK/usr/local/etc -> $(SEC_READONLY) ;
#OK/usr/local/include -> $(ReadOnly) ; #OK/usr/local/include -> $(SEC_READONLY) ;
#OK/usr/local/info -> $(ReadOnly) ; #OK/usr/local/info -> $(SEC_READONLY) ;
#OK/usr/local/lib -> $(ReadOnly) ; #OK/usr/local/lib -> $(SEC_READONLY) ;
#OK/usr/local/libdata -> $(ReadOnly) ; #OK/usr/local/libdata -> $(SEC_READONLY) ;
#OK/usr/local/libexec -> $(ReadOnly) ; #OK/usr/local/libexec -> $(SEC_READONLY) ;
#OK/usr/local/man -> $(ReadOnly) ; #OK/usr/local/man -> $(SEC_READONLY) ;
#OK/usr/local/sbin -> $(ReadOnly) ; #OK/usr/local/sbin -> $(SEC_READONLY) ;
#OK/usr/local/share -> $(ReadOnly) ; #OK/usr/local/share -> $(SEC_READONLY) ;
#OK/usr/local/src -> $(ReadOnly) ; #OK/usr/local/src -> $(SEC_READONLY) ;
#OK} #OK}
################################################ ################################################
@ -245,9 +245,9 @@ Temporary = +pugt ;
rulename = "Root Directory and Files", rulename = "Root Directory and Files",
) )
{ {
/root -> $(IgnoreNone) -SHa ; /root -> $(SEC_IGNORE_NONE) -SHa ;
/root/.cshrc -> $(Dynamic) ; /root/.cshrc -> $(SEC_DYNAMIC) ;
/root/.profile -> $(Dynamic) ; /root/.profile -> $(SEC_DYNAMIC) ;
} }
################################################ ################################################
@ -261,8 +261,8 @@ Temporary = +pugt ;
rulename = "Temporary Directories", rulename = "Temporary Directories",
) )
{ {
/tmp -> $(Temporary) ; /tmp -> $(SEC_TEMPORARY) ;
/var/tmp -> $(Temporary) ; /var/tmp -> $(SEC_TEMPORARY) ;
} }
################################################ ################################################
@ -276,15 +276,15 @@ Temporary = +pugt ;
rulename = "System and Boot Changes", rulename = "System and Boot Changes",
) )
{ {
/var/backups -> $(Dynamic) -i ; /var/backups -> $(SEC_DYNAMIC) -i ;
/var/db/host.random -> $(ReadOnly) -mCM ; /var/db/host.random -> $(SEC_READONLY) -mCM ;
/var/cron -> $(Growing) -i ; /var/cron -> $(SEC_GROWING) -i ;
/var/log -> $(Growing) -i ; /var/log -> $(SEC_GROWING) -i ;
/var/run -> $(Dynamic) -i ; /var/run -> $(SEC_DYNAMIC) -i ;
/var/mail -> $(Growing) ; /var/mail -> $(SEC_GROWING) ;
/var/msgs/bounds -> $(ReadOnly) -smbCM ; /var/msgs/bounds -> $(SEC_READONLY) -smbCM ;
/var/spool/clientmqueue -> $(Temporary) ; /var/spool/clientmqueue -> $(SEC_TEMPORARY) ;
/var/spool/mqueue -> $(Temporary) ; /var/spool/mqueue -> $(SEC_TEMPORARY) ;
} }
# #


@ -2,8 +2,8 @@
# ## # ##
############################################################################## # ############################################################################## #
# # # # # #
# Policy file for OpenBSD 3.5 # # # Tripwire 2.4 policy for OpenBSD # #
# May 20, 2003 # # # updated March 2018 # #
# ## # ##
############################################################################## ##############################################################################
@ -60,13 +60,13 @@ HOSTNAME=;
# #
############################################################################## ##############################################################################
Device = +pugsdr-intlbamcCMSH ; SEC_DEVICE = +pugsdr-intlbamcCMSH ;
Dynamic = +pinugtd-srlbamcCMSH ; SEC_DYNAMIC = +pinugtd-srlbamcCMSH ;
Growing = +pinugtdl-srbamcCMSH ; SEC_GROWING = +pinugtdl-srbamcCMSH ;
IgnoreAll = -pinugtsdrlbamcCMSH ; SEC_IGNORE_ALL = -pinugtsdrlbamcCMSH ;
IgnoreNone = +pinugtsdrbamcCMSH-l ; SEC_IGNORE_NONE = +pinugtsdrbamcCMSH-l ;
ReadOnly = +pinugtsdbmCM-rlacSH ; SEC_READONLY = +pinugtsdbmCM-rlacSH ;
Temporary = +pugt ; SEC_TEMPORARY = +pugt ;
@@section FS @@section FS
@ -83,10 +83,10 @@ Temporary = +pugt ;
rulename = "Tripwire Binaries", rulename = "Tripwire Binaries",
) )
{ {
$(TWBIN)/siggen -> $(ReadOnly) ; $(TWBIN)/siggen -> $(SEC_READONLY) ;
$(TWBIN)/tripwire -> $(ReadOnly) ; $(TWBIN)/tripwire -> $(SEC_READONLY) ;
$(TWBIN)/twadmin -> $(ReadOnly) ; $(TWBIN)/twadmin -> $(SEC_READONLY) ;
$(TWBIN)/twprint -> $(ReadOnly) ; $(TWBIN)/twprint -> $(SEC_READONLY) ;
} }
# Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases # Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases
@ -103,14 +103,14 @@ Temporary = +pugt ;
# afterward triggers this rule until a database update is run, since the # afterward triggers this rule until a database update is run, since the
# database file does not exist before that point. # database file does not exist before that point.
$(TWDB) -> $(Dynamic) -i ; $(TWDB) -> $(SEC_DYNAMIC) -i ;
$(TWPOL)/tw.pol -> $(ReadOnly) -i ; $(TWPOL)/tw.pol -> $(SEC_READONLY) -i ;
$(TWPOL)/tw.cfg -> $(ReadOnly) -i ; $(TWPOL)/tw.cfg -> $(SEC_READONLY) -i ;
$(TWLKEY)/$(HOSTNAME)-local.key -> $(ReadOnly) ; $(TWLKEY)/$(HOSTNAME)-local.key -> $(SEC_READONLY) ;
$(TWSKEY)/site.key -> $(ReadOnly) ; $(TWSKEY)/site.key -> $(SEC_READONLY) ;
# don't scan the individual reports # don't scan the individual reports
$(TWREPORT) -> $(Dynamic) (recurse=0) ; $(TWREPORT) -> $(SEC_DYNAMIC) (recurse=0) ;
# In this configuration /usr/local is a symbolic link to /home/local. # In this configuration /usr/local is a symbolic link to /home/local.
# We want to ignore the following directories since they are already # We want to ignore the following directories since they are already
@ -131,9 +131,9 @@ Temporary = +pugt ;
rulename = "OS Boot and Configuration Files", rulename = "OS Boot and Configuration Files",
) )
{ {
/boot -> $(ReadOnly) ; /boot -> $(SEC_READONLY) ;
/bsd -> $(ReadOnly) ; /bsd -> $(SEC_READONLY) ;
/etc -> $(IgnoreNone) -SHa ; /etc -> $(SEC_IGNORE_NONE) -SHa ;
} }
################################################### ###################################################
@ -147,13 +147,13 @@ Temporary = +pugt ;
rulename = "Mount Points", rulename = "Mount Points",
) )
{ {
/ -> $(ReadOnly) ; / -> $(SEC_READONLY) ;
/cdrom -> $(Dynamic) ; /cdrom -> $(SEC_DYNAMIC) ;
/floppy -> $(Dynamic) ; /floppy -> $(SEC_DYNAMIC) ;
/home -> $(ReadOnly) ; # Modify as needed /home -> $(SEC_READONLY) ; # Modify as needed
/mnt -> $(Dynamic) ; /mnt -> $(SEC_DYNAMIC) ;
/usr -> $(ReadOnly) ; /usr -> $(SEC_READONLY) ;
/var -> $(ReadOnly) ; /var -> $(SEC_READONLY) ;
} }
################################################### ###################################################
@ -167,8 +167,8 @@ Temporary = +pugt ;
rulename = "Misc Top-Level Directories", rulename = "Misc Top-Level Directories",
) )
{ {
/altroot -> $(Dynamic) ; /altroot -> $(SEC_DYNAMIC) ;
/stand -> $(Dynamic) ; /stand -> $(SEC_DYNAMIC) ;
} }
################################################ ################################################
@ -182,10 +182,10 @@ Temporary = +pugt ;
rulename = "System Devices", rulename = "System Devices",
) )
{ {
/dev -> $(Device) ; /dev -> $(SEC_DEVICE) ;
/dev/fd -> $(Device) ; /dev/fd -> $(SEC_DEVICE) ;
/var/cron/tabs/.sock -> $(Device) ; /var/cron/tabs/.sock -> $(SEC_DEVICE) ;
/var/empty/dev/log -> $(Device) ; /var/empty/dev/log -> $(SEC_DEVICE) ;
} }
################################################ ################################################
@ -199,14 +199,14 @@ Temporary = +pugt ;
rulename = "OS Binaries and Libraries", rulename = "OS Binaries and Libraries",
) )
{ {
/bin -> $(ReadOnly) ; /bin -> $(SEC_READONLY) ;
/sbin -> $(ReadOnly) ; /sbin -> $(SEC_READONLY) ;
/usr/bin -> $(ReadOnly) ; /usr/bin -> $(SEC_READONLY) ;
/usr/lib -> $(ReadOnly) ; /usr/lib -> $(SEC_READONLY) ;
/usr/libexec -> $(ReadOnly) ; /usr/libexec -> $(SEC_READONLY) ;
/usr/sbin -> $(ReadOnly) ; /usr/sbin -> $(SEC_READONLY) ;
/usr/X11R6/bin -> $(ReadOnly) ; /usr/X11R6/bin -> $(SEC_READONLY) ;
/usr/X11R6/lib -> $(ReadOnly) ; /usr/X11R6/lib -> $(SEC_READONLY) ;
} }
################################################ ################################################
# ## # ##
@ -219,19 +219,19 @@ Temporary = +pugt ;
#OKrulename = "Usr Local Files", #OKrulename = "Usr Local Files",
#OK) #OK)
#OK{ #OK{
#OK/usr/local -> $(ReadOnly) ; #OK/usr/local -> $(SEC_READONLY) ;
#OK/usr/local/bin -> $(ReadOnly) ; #OK/usr/local/bin -> $(SEC_READONLY) ;
#OK/usr/local/doc -> $(ReadOnly) ; #OK/usr/local/doc -> $(SEC_READONLY) ;
#OK/usr/local/etc -> $(ReadOnly) ; #OK/usr/local/etc -> $(SEC_READONLY) ;
#OK/usr/local/include -> $(ReadOnly) ; #OK/usr/local/include -> $(SEC_READONLY) ;
#OK/usr/local/info -> $(ReadOnly) ; #OK/usr/local/info -> $(SEC_READONLY) ;
#OK/usr/local/lib -> $(ReadOnly) ; #OK/usr/local/lib -> $(SEC_READONLY) ;
#OK/usr/local/libdata -> $(ReadOnly) ; #OK/usr/local/libdata -> $(SEC_READONLY) ;
#OK/usr/local/libexec -> $(ReadOnly) ; #OK/usr/local/libexec -> $(SEC_READONLY) ;
#OK/usr/local/man -> $(ReadOnly) ; #OK/usr/local/man -> $(SEC_READONLY) ;
#OK/usr/local/sbin -> $(ReadOnly) ; #OK/usr/local/sbin -> $(SEC_READONLY) ;
#OK/usr/local/share -> $(ReadOnly) ; #OK/usr/local/share -> $(SEC_READONLY) ;
#OK/usr/local/src -> $(ReadOnly) ; #OK/usr/local/src -> $(SEC_READONLY) ;
#OK} #OK}
################################################ ################################################
@ -245,9 +245,9 @@ Temporary = +pugt ;
rulename = "Root Directory and Files", rulename = "Root Directory and Files",
) )
{ {
/root -> $(IgnoreNone) -SHa ; /root -> $(SEC_IGNORE_NONE) -SHa ;
/root/.cshrc -> $(Dynamic) ; /root/.cshrc -> $(SEC_DYNAMIC) ;
/root/.profile -> $(Dynamic) ; /root/.profile -> $(SEC_DYNAMIC) ;
} }
################################################ ################################################
@ -261,8 +261,8 @@ Temporary = +pugt ;
rulename = "Temporary Directories", rulename = "Temporary Directories",
) )
{ {
/tmp -> $(Temporary) ; /tmp -> $(SEC_TEMPORARY) ;
/var/tmp -> $(Temporary) ; /var/tmp -> $(SEC_TEMPORARY) ;
} }
################################################ ################################################
@ -276,15 +276,15 @@ Temporary = +pugt ;
rulename = "System and Boot Changes", rulename = "System and Boot Changes",
) )
{ {
/var/backups -> $(Dynamic) -i ; /var/backups -> $(SEC_DYNAMIC) -i ;
/var/db/host.random -> $(ReadOnly) -mCM ; /var/db/host.random -> $(SEC_READONLY) -mCM ;
/var/cron -> $(Growing) -i ; /var/cron -> $(SEC_GROWING) -i ;
/var/log -> $(Growing) -i ; /var/log -> $(SEC_GROWING) -i ;
/var/run -> $(Dynamic) -i ; /var/run -> $(SEC_DYNAMIC) -i ;
/var/mail -> $(Growing) ; /var/mail -> $(SEC_GROWING) ;
/var/msgs/bounds -> $(ReadOnly) -smbCM ; /var/msgs/bounds -> $(SEC_READONLY) -smbCM ;
/var/spool/clientmqueue -> $(Temporary) ; /var/spool/clientmqueue -> $(SEC_TEMPORARY) ;
/var/spool/mqueue -> $(Temporary) ; /var/spool/mqueue -> $(SEC_TEMPORARY) ;
} }
# #