diff --git a/policy/twpol-AIX.txt b/policy/twpol-AIX.txt
index 7d4f37c..b2be119 100644
--- a/policy/twpol-AIX.txt
+++ b/policy/twpol-AIX.txt
@@ -60,13 +60,14 @@ HOSTNAME=;
 #
 ##############################################################################
-Device = +pugsdr-intlbamcCMSH ;
-Dynamic = +pinugtd-srlbamcCMSH ;
-Growing = +pinugtdl-srbamcCMSH ;
-IgnoreAll = -pinugtsdrlbamcCMSH ;
-IgnoreNone = +pinugtsdrbamcCMSH-l ;
-ReadOnly = +pinugtsdbmCM-rlacSH ;
-Temporary = +pugt ;
+SEC_DEVICE = +pugsdr-intlbamcCMSH ;
+SEC_DYNAMIC = +pinugtd-srlbamcCMSH ;
+SEC_GROWING = +pinugtdl-srbamcCMSH ;
+SEC_IGNORE_ALL = -pinugtsdrlbamcCMSH ;
+SEC_IGNORE_NONE = +pinugtsdrbamcCMSH-l ;
+SEC_READONLY = +pinugtsdbmCM-rlacSH ;
+SEC_TEMPORARY = +pugt ;
+
 @@section FS
@@ -83,10 +84,10 @@ Temporary = +pugt ;
 rulename = "Tripwire Binaries",
 )
 {
- $(TWBIN)/siggen -> $(ReadOnly) ;
- $(TWBIN)/tripwire -> $(ReadOnly) ;
- $(TWBIN)/twadmin -> $(ReadOnly) ;
- $(TWBIN)/twprint -> $(ReadOnly) ;
+ $(TWBIN)/siggen -> $(SEC_READONLY) ;
+ $(TWBIN)/tripwire -> $(SEC_READONLY) ;
+ $(TWBIN)/twadmin -> $(SEC_READONLY) ;
+ $(TWBIN)/twprint -> $(SEC_READONLY) ;
 }
 # Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases
@@ -103,14 +104,14 @@ Temporary = +pugt ;
 # afterward triggers this rule until a database update is run, since the
 # database file does not exist before that point.
- $(TWDB) -> $(Dynamic) -i ;
- $(TWPOL)/tw.pol -> $(ReadOnly) -i ;
- $(TWPOL)/tw.cfg -> $(ReadOnly) -i ;
- $(TWLKEY)/$(HOSTNAME)-local.key -> $(ReadOnly) ;
- $(TWSKEY)/site.key -> $(ReadOnly) ;
+ $(TWDB) -> $(SEC_DYNAMIC) -i ;
+ $(TWPOL)/tw.pol -> $(SEC_READONLY) -i ;
+ $(TWPOL)/tw.cfg -> $(SEC_READONLY) -i ;
+ $(TWLKEY)/$(HOSTNAME)-local.key -> $(SEC_READONLY) ;
+ $(TWSKEY)/site.key -> $(SEC_READONLY) ;
 # don't scan the individual reports
- $(TWREPORT) -> $(Dynamic) (recurse=0) ;
+ $(TWREPORT) -> $(SEC_DYNAMIC) (recurse=0) ;
 }
 ################################################
@@ -124,7 +125,7 @@ Temporary = +pugt ;
 rulename = "OS Boot and Configuration Files",
 )
 {
- /etc -> $(IgnoreNone) -SHa ;
+ /etc -> $(SEC_IGNORE_NONE) -SHa ;
 }
 ###################################################
@@ -138,9 +139,9 @@ Temporary = +pugt ;
 rulename = "Mount Points",
 )
 {
- / -> $(ReadOnly) ;
- /usr -> $(ReadOnly) ;
- /var -> $(ReadOnly) ;
+ / -> $(SEC_READONLY) ;
+ /usr -> $(SEC_READONLY) ;
+ /var -> $(SEC_READONLY) ;
 }
 ###################################################
@@ -154,10 +155,10 @@ Temporary = +pugt ;
 rulename = "Misc Top-Level Directories",
 )
 {
- /lost+found -> $(ReadOnly) ;
- /hacmplocal -> $(ReadOnly) ;
- /homelocal -> $(ReadOnly) ;
- /opt -> $(ReadOnly) ;
+ /lost+found -> $(SEC_READONLY) ;
+ /hacmplocal -> $(SEC_READONLY) ;
+ /homelocal -> $(SEC_READONLY) ;
+ /opt -> $(SEC_READONLY) ;
 !/var/adm/csd ;
 }
@@ -172,7 +173,7 @@ Temporary = +pugt ;
 rulename = "System Devices",
 )
 {
- /dev -> $(Device) ;
+ /dev -> $(SEC_DEVICE) ;
 }
 ################################################
@@ -186,10 +187,10 @@ Temporary = +pugt ;
 rulename = "OS Binaries and Libraries",
 )
 {
- /sbin -> $(ReadOnly) ;
- /usr/bin -> $(ReadOnly) ;
- /usr/lib -> $(ReadOnly) ;
- /usr/sbin -> $(ReadOnly) ;
+ /sbin -> $(SEC_READONLY) ;
+ /usr/bin -> $(SEC_READONLY) ;
+ /usr/lib -> $(SEC_READONLY) ;
+ /usr/sbin -> $(SEC_READONLY) ;
 }
 ################################################
@@ -203,11 +204,11 @@ Temporary = +pugt ;
 rulename = "Root Directory and Files",
 )
 {
- #/.dtprofile -> $(Dynamic) ;
+ #/.dtprofile -> $(SEC_DYNAMIC) ;
 ! /.netscape/cache ;
- /.netscape/history.dat -> $(Dynamic) ;
- /.sh_history -> $(Dynamic) ;
- #/.Xauthority -> $(ReadOnly) ;
+ /.netscape/history.dat -> $(SEC_DYNAMIC) ;
+ /.sh_history -> $(SEC_DYNAMIC) ;
+ #/.Xauthority -> $(SEC_READONLY) ;
 }
 ################################################
@@ -221,8 +222,8 @@ Temporary = +pugt ;
 rulename = "Temporary Directories",
 )
 {
- /tmp -> $(Temporary) ;
- /var/tmp -> $(Temporary) ;
+ /tmp -> $(SEC_TEMPORARY) ;
+ /var/tmp -> $(SEC_TEMPORARY) ;
 }
 ################################################
@@ -251,31 +252,31 @@ Temporary = +pugt ;
 rulename = "System and Boot Changes",
 )
 {
- /etc/es/objrepos -> $(ReadOnly) -SHacm ;
- /etc/es/objrepos/HACMPresource -> $(ReadOnly) -SHCMcm ;
- /etc/lpp/diagnostics/data -> $(ReadOnly) -SHCMacm ;
- /etc/ntp.drift -> $(ReadOnly) -SHiacm ;
+ /etc/es/objrepos -> $(SEC_READONLY) -SHacm ;
+ /etc/es/objrepos/HACMPresource -> $(SEC_READONLY) -SHCMcm ;
+ /etc/lpp/diagnostics/data -> $(SEC_READONLY) -SHCMacm ;
+ /etc/ntp.drift -> $(SEC_READONLY) -SHiacm ;
 !/etc/objrepos ;
- /etc/security -> $(ReadOnly) -SHacm ;
- /usr/es/adm/cluster.log -> $(ReadOnly) -SHCMsbm ;
- /usr/es/sbin/cluster/etc/objrepos/active -> $(ReadOnly) -SHim ;
+ /etc/security -> $(SEC_READONLY) -SHacm ;
+ /usr/es/adm/cluster.log -> $(SEC_READONLY) -SHCMsbm ;
+ /usr/es/sbin/cluster/etc/objrepos/active -> $(SEC_READONLY) -SHim ;
 !/usr/etc/sbin/cluster/history ;
- /usr/share/lib/objrepos -> $(ReadOnly) -m ;
- /usr/lib/objrepos -> $(ReadOnly) -m ;
+ /usr/share/lib/objrepos -> $(SEC_READONLY) -m ;
+ /usr/lib/objrepos -> $(SEC_READONLY) -m ;
 !/var/adm/SPlogs ;
- /var/ha/log -> $(Growing) -i ;
+ /var/ha/log -> $(SEC_GROWING) -i ;
 !/var/adm ;
 !/var/ct ;
- #/var/backups -> $(Dynamic) -i ;
- #/var/db/host.random -> $(ReadOnly) -mCM ;
- #/var/db/locate.database -> $(ReadOnly) -misCM ;
- #/var/cron -> $(Growing) -i ;
- #/var/log -> $(Growing) -i ;
- #/var/run -> $(Dynamic) -i ;
- #/var/mail -> $(Growing) ;
- #/var/msgs/bounds -> $(ReadOnly) -smbCM ;
- #/var/spool/clientmqueue -> $(Temporary) ;
- #/var/spool/mqueue -> $(Temporary) ;
+ #/var/backups -> $(SEC_DYNAMIC) -i ;
+ #/var/db/host.random -> $(SEC_READONLY) -mCM ;
+ #/var/db/locate.database -> $(SEC_READONLY) -misCM ;
+ #/var/cron -> $(SEC_GROWING) -i ;
+ #/var/log -> $(SEC_GROWING) -i ;
+ #/var/run -> $(SEC_DYNAMIC) -i ;
+ #/var/mail -> $(SEC_GROWING) ;
+ #/var/msgs/bounds -> $(SEC_READONLY) -smbCM ;
+ #/var/spool/clientmqueue -> $(SEC_TEMPORARY) ;
+ #/var/spool/mqueue -> $(SEC_TEMPORARY) ;
 #!/var/tmp/vi.recover ; # perl
script periodically removes this
 }
diff --git a/policy/twpol-Cygwin.txt b/policy/twpol-Cygwin.txt
old mode 100755
new mode 100644
index d80f56d..df6682c
--- a/policy/twpol-Cygwin.txt
+++ b/policy/twpol-Cygwin.txt
@@ -56,13 +56,13 @@ HOSTNAME=;
 #
 ##############################################################################
-#Device = +pugsdr-intlbamcCMSH ;
-#Dynamic = +pinugtd-srlbamcCMSH ;
-#Growing = +pinugtdl-srbamcCMSH ;
-#IgnoreAll = -pinugtsdrlbamcCMSH ;
-#IgnoreNone = +pinugtsdrbamcCMSH-l ;
-#ReadOnly = +pinugtsdbmCM-rlacSH ;
-Temporary = +pugt ;
+SEC_DEVICE = +pugsdr-intlbamcCMSH ;
+SEC_DYNAMIC = +pinugtd-srlbamcCMSH ;
+SEC_GROWING = +pinugtdl-srbamcCMSH ;
+SEC_IGNORE_ALL = -pinugtsdrlbamcCMSH ;
+SEC_IGNORE_NONE = +pinugtsdrbamcCMSH-l ;
+SEC_READONLY = +pinugtsdbmCM-rlacSH ;
+SEC_TEMPORARY = +pugt ;
 @@section FS
@@ -77,10 +77,10 @@ Temporary = +pugt ;
 rulename = "Tripwire Binaries",
 )
 {
- $(TWBIN)/siggen -> $(ReadOnly) ;
- $(TWBIN)/tripwire -> $(ReadOnly) ;
- $(TWBIN)/twadmin -> $(ReadOnly) ;
- $(TWBIN)/twprint -> $(ReadOnly) ;
+ $(TWBIN)/siggen -> $(SEC_READONLY) ;
+ $(TWBIN)/tripwire -> $(SEC_READONLY) ;
+ $(TWBIN)/twadmin -> $(SEC_READONLY) ;
+ $(TWBIN)/twprint -> $(SEC_READONLY) ;
 }
 # Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases
@@ -97,67 +97,67 @@ Temporary = +pugt ;
 # afterward triggers this rule until a database update is run, since the
 # database file does not exist before that point.
- $(TWDB) -> $(Dynamic) -i ;
- $(TWPOL)/tw.pol -> $(ReadOnly) -i ;
- $(TWPOL)/tw.cfg -> $(ReadOnly) -i ;
- $(TWLKEY)/$(HOSTNAME)-local.key -> $(ReadOnly) ;
- $(TWSKEY)/site.key -> $(ReadOnly) ;
+ $(TWDB) -> $(SEC_DYNAMIC) -i ;
+ $(TWPOL)/tw.pol -> $(SEC_READONLY) -i ;
+ $(TWPOL)/tw.cfg -> $(SEC_READONLY) -i ;
+ $(TWLKEY)/$(HOSTNAME)-local.key -> $(SEC_READONLY) ;
+ $(TWSKEY)/site.key -> $(SEC_READONLY) ;
 # don't scan the individual reports
- $(TWREPORT) -> $(Dynamic) (recurse=0) ;
+ $(TWREPORT) -> $(SEC_DYNAMIC) (recurse=0) ;
 }
 ##############################################################################
 (rulename="Binary files",) {
- /bin -> $(IgnoreNone) -a;
- /usr/bin -> $(IgnoreNone) -a;
- /usr/local/bin -> $(IgnoreNone) -a;
+ /bin -> $(SEC_READONLY) -a;
+ /usr/bin -> $(SEC_READONLY) -a;
+ /usr/local/bin -> $(SEC_READONLY) -a;
 }
 (rulename="Development",) {
- /usr/x86_64-pc-cygwin -> $(IgnoreNone) -a;
+ /usr/x86_64-pc-cygwin -> $(SEC_READONLY) -a;
 }
 (rulename="Libexec",) {
- /usr/libexec -> $(IgnoreNone) -a;
+ /usr/libexec -> $(SEC_READONLY) -a;
 }
 (rulename="Admin binaries",) {
- /sbin -> $(IgnoreNone) -a;
- /usr/sbin -> $(IgnoreNone) -a;
+ /sbin -> $(SEC_READONLY) -a;
+ /usr/sbin -> $(SEC_READONLY) -a;
 }
 (rulename="Libraries",) {
- /lib -> $(IgnoreNone) -a;
- /usr/lib -> $(IgnoreNone) -a;
- /usr/local/lib -> $(IgnoreNone) -a;
+ /lib -> $(SEC_READONLY) -a;
+ /usr/lib -> $(SEC_READONLY) -a;
+ /usr/local/lib -> $(SEC_READONLY) -a;
 }
 (rulename="Etc",) {
- /etc -> $(IgnoreNone) -a;
- /usr/local/etc -> $(IgnoreNone) -a;
+ /etc -> $(SEC_READONLY) -a;
+ /usr/local/etc -> $(SEC_READONLY) -a;
 }
 (rulename="Dev",) {
- /dev -> $(Device);
+ /dev -> $(SEC_DEVICE);
 }
 (rulename="Tmp",) {
- /tmp -> $(Temporary);
- /var/tmp -> $(Temporary);
- /usr/tmp -> $(Temporary);
+ /tmp -> $(SEC_TEMPORARY);
+ /var/tmp ->
$(SEC_TEMPORARY);
+ /usr/tmp -> $(SEC_TEMPORARY);
 }
 (rulename="Log",) {
- /var/log -> $(Growing);
+ /var/log -> $(SEC_GROWING);
 }
diff --git a/policy/twpol-Darwin.txt b/policy/twpol-Darwin.txt
index 9443209..eb73510 100644
--- a/policy/twpol-Darwin.txt
+++ b/policy/twpol-Darwin.txt
@@ -2,8 +2,8 @@
 # ##
 ##############################################################################
 # # # #
-# Policy file for Mac OS X # #
-# September 3, 2003 # #
+# Tripwire 2.4 policy for Mac OS X # #
+# updated March 2018 # #
 # ##
 ##############################################################################
@@ -28,7 +28,7 @@ TWDB=;
 TWSKEY=;
 TWLKEY=;
 TWREPORT=;
-#USER1=frodo ;
+HOSTNAME=;
 ##############################################################################
@@ -67,9 +67,10 @@ SEC_DYNAMIC = +pinugt-dsrlbamcCMSH ;
 SEC_READONLY = +pinugtsbmCM-drlacSH ;
 SEC_GROWING = +pinugtl-dsrbamcCMSH ;
-IgnoreAll = -pinugtsdrlbamcCMSH ;
-IgnoreNone = +pinugtsdrbamcCMSH-l ;
-Temporary = +pugt ;
+SEC_IGNORE_ALL = -pinugtsdrlbamcCMSH ;
+SEC_IGNORE_NONE = +pinugtsdrbamcCMSH-l ;
+SEC_TEMPORARY = +pugt ;
+
 @@section FS
@@ -109,7 +110,7 @@ Temporary = +pugt ;
 $(TWDB) -> $(SEC_DYNAMIC) -i ;
 $(TWPOL)/tw.pol -> $(SEC_READONLY) -i ;
 $(TWPOL)/tw.cfg -> $(SEC_READONLY) -i ;
- $(TWLKEY)/local.key -> $(SEC_READONLY) ;
+ $(TWLKEY)/$(HOSTNAME)-local.key -> $(SEC_READONLY) ;
 $(TWSKEY)/site.key -> $(SEC_READONLY) ;
 # don't scan the individual reports
@@ -129,14 +130,14 @@ Temporary = +pugt ;
 rulename = "OS Boot and Configuration Files", severity=100
 )
 {
- /mach.sym -> $(SEC_READONLY)-im ;
+ #/mach.sym -> $(SEC_READONLY)-im ;
 /mach_kernel -> $(SEC_READONLY) ;
 /private/etc -> $(SEC_READONLY)-m ;
 #/private/etc/appletalk.cfg -> $(SEC_READONLY)-im ;
 #/private/etc/appletalk.nvram.en0 -> $(SEC_DYNAMIC) ;
 /private/etc/cups/certs -> $(SEC_DYNAMIC) -i(recurse=0) ;
- /private/etc/smb.conf -> $(SEC_READONLY)-im ;
+ #/private/etc/smb.conf -> $(SEC_READONLY)-im ;
 /Library -> $(SEC_READONLY) ;
 /System -> $(SEC_READONLY) ;
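Review bot: The Cygwin rules for /bin, /etc, /lib and the other system trees now read `$(SEC_READONLY) -a`, which is not a pure rename: SEC_READONLY already drops `a` (its mask ends `-rlacSH`), so the `-a` is redundant, and relative to the old `$(IgnoreNone) -a` intent the rules no longer check ctime, the referenced device number, SHA or HAVAL on those trees, leaving CRC32 and MD5 as the only digests. Pointing at a defined variable is the right fix, since IgnoreNone was commented out in the old file and `$(IgnoreNone)` could not have resolved, but if "everything except access time" is still the intent the lines should read `/bin -> $(SEC_IGNORE_NONE) -a;` and likewise for the other `-a` entries in this hunk; otherwise drop the redundant `-a`. The Tripwire Data Files rule this hunk opens inside starts above the hunk.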
@@ -182,8 +183,6 @@ Temporary = +pugt ;
 )
 {
 /dev -> $(SEC_DEVICE)(recurse=0) ;
- #/private/var/cron/tabs/.sock -> $(SEC_DEVICE) ;
-
 }
 ################################################
@@ -203,8 +202,8 @@ Temporary = +pugt ;
 /usr/lib -> $(SEC_READONLY) ;
 /usr/libexec -> $(SEC_READONLY) ;
 /usr/sbin -> $(SEC_READONLY) ;
- #/usr/X11R6 -> $(SEC_READONLY)(recurse=2) ; # May not be present
- #/usr/X11R6/man -> $(SEC_DYNAMIC)-i(recurse=1) ; # May not be present
+ /usr/X11 -> $(SEC_READONLY)(recurse=2) ; # May not be present
+ #/usr/X11/man -> $(SEC_DYNAMIC)-i(recurse=1) ; # May not be present
 /usr/share -> $(SEC_READONLY) ;
 /usr/share/man -> $(SEC_DYNAMIC)-i(recurse=1) ;
@@ -223,12 +222,6 @@ Temporary = +pugt ;
 )
 {
 /Applications -> $(SEC_READONLY)-im(recurse=2) ;
- "/Applications (Mac OS 9)" -> $(SEC_READONLY) ;
-
-
- !/Applications/Internet/P2P/Downloads ;
- !/Applications/Games/"Warcraft III Folder"/Save ;
-
 }
 ################################################
@@ -243,10 +236,19 @@ Temporary = +pugt ;
 )
 {
 /usr/local -> $(SEC_READONLY) ;
- #/usr/local/bin -> $(SEC_READONLY) ;
+ /usr/local/sbin -> $(SEC_READONLY) ;
+ /usr/local/bin -> $(SEC_READONLY) ;
+ /usr/local/include -> $(SEC_READONLY) ;
+ /usr/local/opt -> $(SEC_READONLY) ;
+ /usr/local/libexec -> $(SEC_READONLY) ;
+ /usr/local/lib -> $(SEC_READONLY) ;
 /usr/local/etc -> $(SEC_READONLY) ;
- #/usr/local/sbin -> $(SEC_READONLY) ;
- #/usr/local/share -> $(SEC_READONLY) ;
+ /usr/local/share -> $(SEC_READONLY) ;
+ /usr/local/man -> $(SEC_READONLY) ;
+ /usr/local/Frameworks -> $(SEC_READONLY) ;
+ # Homebrew
+ /usr/local/.git -> $(SEC_READONLY) ;
+ /usr/local/Cellar -> $(SEC_READONLY) ;
 }
@@ -263,24 +265,26 @@ Temporary = +pugt ;
 {
 /private/tmp -> $(SEC_DYNAMIC)-in(recurse=0) ;
+ /private/tftpboot -> $(SEC_READONLY)-i ;
+ /private/var -> $(SEC_READONLY)-i ;
 /private/var/backups -> $(SEC_READONLY)-imc(severity=100) ;
 #/private/var/backups/local.nidump -> $(SEC_DYNAMIC) -i(severity=100) ;
 #/private/var/cron -> $(SEC_DYNAMIC) -i ;
 /private/var/db -> $(SEC_READONLY)-im ;
 /private/var/db/BootCache.playlist -> $(SEC_DYNAMIC) -i ;
- /private/var/db/netinfo/local.nidb/Store.384 -> $(SEC_READONLY)-imc(severity=100) ;
+ #/private/var/db/netinfo/local.nidb/Store.384 -> $(SEC_READONLY)-imc(severity=100) ;
 #/private/var/db/netinfo/local.nidb/Store.672 -> $(SEC_READONLY)-imc(severity=100) ;
- /private/var/db/prebindOnDemandBadFiles -> $(SEC_DYNAMIC) -i ;
+ #/private/var/db/prebindOnDemandBadFiles -> $(SEC_DYNAMIC) -i ;
 /private/var/log -> $(SEC_DYNAMIC) -i ;
 #/private/var/mail -> $(SEC_DYNAMIC) ;
 /private/var/msgs/bounds -> $(SEC_READONLY)-smbCM ;
 /private/var/root/Library/Caches -> $(SEC_DYNAMIC) -i ;
 /private/var/run -> $(SEC_DYNAMIC) -i(rulename="Running Services") ;
 #/private/var/slp.regfile -> $(SEC_READONLY)-im ;
- /private/var/spool/clientmqueue -> $(SEC_DYNAMIC)(recurse=0) ;
+ #/private/var/spool/clientmqueue -> $(SEC_DYNAMIC)(recurse=0) ;
 /private/var/spool/mqueue -> $(SEC_DYNAMIC)(recurse=0) ;
- /private/var/spool/lock -> $(SEC_DYNAMIC) -i(recurse=1) ;
+ #/private/var/spool/lock -> $(SEC_DYNAMIC) -i(recurse=1) ;
 /private/var/spool/cups -> $(SEC_DYNAMIC) -i(recurse=0) ;
 /private/var/tmp -> $(SEC_DYNAMIC) -i(recurse=0) ;
 /private/var/vm -> $(SEC_DYNAMIC)(recurse=0) ;
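Review bot: The new `/private/var -> $(SEC_READONLY)-i ;` line carries no recurse limit, so unlike the `/private/tmp ... (recurse=0)` line above it, it appears to descend into every subtree of /private/var that no more specific rule claims and to report any change there as a read-only violation; on a live macOS host that is likely to be noisy, and the next hunk already has to add a `!/private/var/folders` stop point for one such subtree. If the aim is only to notice new or changed entries directly under /private/var, `/private/var -> $(SEC_READONLY)-i(recurse=0) ;` matches the style of the neighbouring rules; if the deep coverage is deliberate, a one-line comment saying so would save the next editor from "fixing" it. The rule's header sits above the hunk.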
@@ -294,37 +298,19 @@ Temporary = +pugt ;
 !/private/var/db/dhcpd_leases ;
 !/private/var/db/locate.database ;
 !/private/var/db/SystemEntropyCache ;
+ !/private/var/db/mds/messages/se_SecurityMessages ;
 !/private/var/db/samba/secrets.tdb ;
-
+ !/private/var/db/ntp.drift ;
+ !/private/var/folders ;
+ !/private/var/vm/sleepimage ;
+ !/private/var/vm/swap0 ;
+ !/private/var/vm/swap[1-9][0-9]* ;
+ # Sophos
+ !/Library/Caches/com.sophos.sau ;
+ !/Library/Caches/com.sophos.sxld ;
 }
- - ################################################ - # ## -################################################ # -# # # -# Classic Environment # # -# ## -################################################
-(
- rulename = "Classic Environment", severity=100
-)
-{
-
- /"System Folder" -> $(SEC_READONLY) ;
- /"System Folder"/Preferences -> $(SEC_DYNAMIC)-i(recurse=0) ;
- /"System Folder"/Extensions -> $(SEC_READONLY)-im ;
- /"System Folder/Apple Menu Items" -> $(SEC_READONLY)-im(recurse=0) ;
- /"System Folder"/Clipboard -> $(SEC_DYNAMIC) ;
-
- !/"System Folder"/VolumeNameIconPict ;
-
-}
- - - - ################################################### # ## ################################################### #
@@ -375,7 +361,3 @@ Temporary = +pugt ;
 #!"/Users/$(USER1)/.lpoptions" ;
 #!"/Users/$(USER1)/.Trash" ;
 }
-
-#
-# JTI
-#
diff --git a/policy/twpol-Linux.txt b/policy/twpol-Linux.txt
index 832e86f..ece0e34 100644
--- a/policy/twpol-Linux.txt
+++ b/policy/twpol-Linux.txt
@@ -2,7 +2,8 @@
 # ##
 ##############################################################################
 # # # #
-# Tripwire 2.4 policy for Linux # #
+# Tripwire 2.4 policy for Linux (RPM) # #
+# updated March 2018 # #
 # ##
 ##############################################################################
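Review bot: `!/private/var/vm/swap[1-9][0-9]* ;` reads as a glob, but as far as I know the Tripwire policy language has no wildcard support and takes object names literally, so this stop point would only match a file actually named `swap[1-9][0-9]*` and swap1, swap2 and so on would not be excluded. Either list the expected swap files explicitly (`!/private/var/vm/swap1 ;` and siblings) or rely on the existing `/private/var/vm -> $(SEC_DYNAMIC)(recurse=0) ;` rule, which, if recurse=0 keeps that directory's contents out of the scan as documented, already covers them and would make the sleepimage and swap0 stop points unnecessary too. The enclosing rule starts above the hunk.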
@@ -59,13 +60,13 @@ HOSTNAME=;
 #
 ##############################################################################
-Device = +pugsdr-intlbamcCMSH ;
-Dynamic = +pinugtd-srlbamcCMSH ;
-Growing = +pinugtdl-srbamcCMSH ;
-IgnoreAll = -pinugtsdrlbamcCMSH ;
-IgnoreNone = +pinugtsdrbamcCMSH-l ;
-ReadOnly = +pinugtsdbmCM-rlacSH ;
-Temporary = +pugt ;
+SEC_DEVICE = +pugsdr-intlbamcCMSH ;
+SEC_DYNAMIC = +pinugtd-srlbamcCMSH ;
+SEC_GROWING = +pinugtdl-srbamcCMSH ;
+SEC_IGNORE_ALL = -pinugtsdrlbamcCMSH ;
+SEC_IGNORE_NONE = +pinugtsdrbamcCMSH-l ;
+SEC_READONLY = +pinugtsdbmCM-rlacSH ;
+SEC_TEMPORARY = +pugt ;
 @@section FS
@@ -82,10 +83,10 @@ Temporary = +pugt ;
 rulename = "Tripwire Binaries",
 )
 {
- $(TWBIN)/siggen -> $(ReadOnly) ;
- $(TWBIN)/tripwire -> $(ReadOnly) ;
- $(TWBIN)/twadmin -> $(ReadOnly) ;
- $(TWBIN)/twprint -> $(ReadOnly) ;
+ $(TWBIN)/siggen -> $(SEC_READONLY) ;
+ $(TWBIN)/tripwire -> $(SEC_READONLY) ;
+ $(TWBIN)/twadmin -> $(SEC_READONLY) ;
+ $(TWBIN)/twprint -> $(SEC_READONLY) ;
 }
 # Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases
@@ -102,14 +103,14 @@ Temporary = +pugt ;
 # afterward triggers this rule until a database update is run, since the
 # database file does not exist before that point.
- $(TWDB) -> $(Dynamic) -i ;
- $(TWPOL)/tw.pol -> $(ReadOnly) -i ;
- $(TWPOL)/tw.cfg -> $(ReadOnly) -i ;
- $(TWLKEY)/$(HOSTNAME)-local.key -> $(ReadOnly) ;
- $(TWSKEY)/site.key -> $(ReadOnly) ;
+ $(TWDB) -> $(SEC_DYNAMIC) -i ;
+ $(TWPOL)/tw.pol -> $(SEC_READONLY) -i ;
+ $(TWPOL)/tw.cfg -> $(SEC_READONLY) -i ;
+ $(TWLKEY)/$(HOSTNAME)-local.key -> $(SEC_READONLY) ;
+ $(TWSKEY)/site.key -> $(SEC_READONLY) ;
 # don't scan the individual reports
- $(TWREPORT) -> $(Dynamic) (recurse=0) ;
+ $(TWREPORT) -> $(SEC_DYNAMIC) (recurse=0) ;
 }
 ################################################
@@ -123,10 +124,10 @@ Temporary = +pugt ;
 rulename = "RPM Checksum Files",
 )
 {
- /var/lib/rpm -> $(ReadOnly);
- /var/lib/rpm/__db.001 -> $(Dynamic) ;
- /var/lib/rpm/__db.002 -> $(Dynamic) ;
- /var/lib/rpm/__db.003 -> $(Dynamic) ;
+ /var/lib/rpm -> $(SEC_READONLY);
+ /var/lib/rpm/__db.001 -> $(SEC_DYNAMIC) ;
+ /var/lib/rpm/__db.002 -> $(SEC_DYNAMIC) ;
+ /var/lib/rpm/__db.003 -> $(SEC_DYNAMIC) ;
 }
 ################################################
@@ -140,18 +141,18 @@ Temporary = +pugt ;
 rulename = "Global Configuration Files",
 )
 {
- /etc -> $(IgnoreNone) -SHa ;
- /etc/adjtime -> $(Dynamic) ;
- /etc/aliases.db -> $(Dynamic) ;
- /etc/bashrc -> $(Dynamic) ;
- /etc/csh.cshrc -> $(Dynamic) ;
- /etc/csh.login -> $(Dynamic) ;
- /etc/mail/statistics -> $(Growing) ;
- /etc/profile -> $(Dynamic) -i ;
- /etc/mtab -> $(Dynamic) -i ;
- /etc/rc.d -> $(IgnoreNone) -SHa ;
- /etc/sysconfig -> $(IgnoreNone) -SHa ;
- /etc/sysconfig/hwconf -> $(Dynamic) -m ;
+ /etc -> $(SEC_IGNORE_NONE) -SHa ;
+ /etc/adjtime -> $(SEC_DYNAMIC) ;
+ /etc/aliases.db -> $(SEC_DYNAMIC) ;
+ /etc/bashrc -> $(SEC_DYNAMIC) ;
+ /etc/csh.cshrc -> $(SEC_DYNAMIC) ;
+ /etc/csh.login -> $(SEC_DYNAMIC) ;
+ /etc/mail/statistics -> $(SEC_GROWING) ;
+ /etc/profile -> $(SEC_DYNAMIC) -i ;
+ /etc/mtab -> $(SEC_DYNAMIC) -i ;
+ /etc/rc.d -> $(SEC_IGNORE_NONE) -SHa ;
+ /etc/sysconfig -> $(SEC_IGNORE_NONE) -SHa ;
+ /etc/sysconfig/hwconf -> $(SEC_DYNAMIC) -m ;
 }
 ################################################
@@ -165,10 +166,10 @@ Temporary = +pugt ;
 rulename = "OS Boot Files and Mount Points",
 )
 {
- /boot -> $(ReadOnly) ;
- /cdrom -> $(Dynamic) ;
- /floppy -> $(Dynamic) ;
- /mnt -> $(Dynamic) ;
+ /boot -> $(SEC_READONLY) ;
+ /cdrom -> $(SEC_DYNAMIC) ;
+ /floppy -> $(SEC_DYNAMIC) ;
+ /mnt -> $(SEC_DYNAMIC) ;
 }
 ################################################
@@ -182,12 +183,12 @@ Temporary = +pugt ;
 rulename = "OS Devices and Misc Directories",
 )
 {
- /dev -> $(Device) ;
- /initrd -> $(Dynamic) ;
- /opt -> $(Dynamic) ;
- /lost+found -> $(Dynamic) ;
- /var/lost+found -> $(Dynamic) ;
- /home/lost+found -> $(Dynamic) ;
+ /dev -> $(SEC_DEVICE) ;
+ /initrd -> $(SEC_DYNAMIC) ;
+ /opt -> $(SEC_DYNAMIC) ;
+ /lost+found -> $(SEC_DYNAMIC) ;
+ /var/lost+found -> $(SEC_DYNAMIC) ;
+ /home/lost+found -> $(SEC_DYNAMIC) ;
 !/dev/pts ; # Ignore this file
 !/dev/shm ; # Ignore this file
 }
@@ -203,14 +204,14 @@ Temporary = +pugt ;
 rulename = "OS Binaries and Libraries",
 )
 {
- /bin -> $(ReadOnly) ;
- /lib -> $(ReadOnly) ;
- /sbin -> $(ReadOnly) ;
- /usr/bin -> $(ReadOnly) ;
- /usr/lib -> $(ReadOnly) ;
- /usr/libexec -> $(ReadOnly) ;
- /usr/sbin -> $(ReadOnly) ;
- /usr/X11R6/lib -> $(ReadOnly) ;
+ /bin -> $(SEC_READONLY) ;
+ /lib -> $(SEC_READONLY) ;
+ /sbin -> $(SEC_READONLY) ;
+ /usr/bin -> $(SEC_READONLY) ;
+ /usr/lib -> $(SEC_READONLY) ;
+ /usr/libexec -> $(SEC_READONLY) ;
+ /usr/sbin -> $(SEC_READONLY) ;
+ /usr/X11R6/lib -> $(SEC_READONLY) ;
 }
 ################################################
 # ##
@@ -224,19 +225,19 @@ Temporary = +pugt ;
 )
 {
 !/home/local;
- /usr/local -> $(ReadOnly) ;
- /usr/local/bin -> $(ReadOnly) ;
- /usr/local/doc -> $(ReadOnly) ;
- /usr/local/etc -> $(ReadOnly) ;
- /usr/local/games -> $(ReadOnly) ;
- /usr/local/include -> $(ReadOnly) ;
- /usr/local/lib -> $(ReadOnly) ;
- /usr/local/libexec -> $(ReadOnly) ;
- /usr/local/man -> $(ReadOnly) ;
- /usr/local/sbin -> $(ReadOnly) ;
- /usr/local/share -> $(ReadOnly) ;
- /usr/local/src -> $(ReadOnly) ;
- /usr/local/sysinfo -> $(ReadOnly) ;
+ /usr/local -> $(SEC_READONLY) ;
+ /usr/local/bin -> $(SEC_READONLY) ;
+ /usr/local/doc -> $(SEC_READONLY) ;
+ /usr/local/etc -> $(SEC_READONLY) ;
+ /usr/local/games -> $(SEC_READONLY) ;
+ /usr/local/include -> $(SEC_READONLY) ;
+ /usr/local/lib -> $(SEC_READONLY) ;
+ /usr/local/libexec -> $(SEC_READONLY) ;
+ /usr/local/man -> $(SEC_READONLY) ;
+ /usr/local/sbin -> $(SEC_READONLY) ;
+ /usr/local/share -> $(SEC_READONLY) ;
+ /usr/local/src -> $(SEC_READONLY) ;
+ /usr/local/sysinfo -> $(SEC_READONLY) ;
 }
 ################################################
@@ -250,29 +251,29 @@ Temporary = +pugt ;
 rulename = "Root Directory and Files",
 )
 {
- /root -> $(IgnoreNone) -SHa ;
- /root/.bashrc -> $(Dynamic) ;
- /root/.bash_history -> $(Dynamic) ;
- #/root/.bash_logout -> $(Dynamic) ;
- /root/.bash_profile -> $(Dynamic) ;
- /root/.cshrc -> $(Dynamic) ;
- #/root/.enlightenment -> $(Dynamic) ;
- #/root/.esd-auth -> $(Dynamic) ;
+ /root -> $(SEC_IGNORE_NONE) -SHa ;
+ /root/.bashrc -> $(SEC_DYNAMIC) ;
+ /root/.bash_history -> $(SEC_DYNAMIC) ;
+ #/root/.bash_logout -> $(SEC_DYNAMIC) ;
+ /root/.bash_profile -> $(SEC_DYNAMIC) ;
+ /root/.cshrc -> $(SEC_DYNAMIC) ;
+ #/root/.enlightenment -> $(SEC_DYNAMIC) ;
+ #/root/.esd-auth -> $(SEC_DYNAMIC) ;
 !/root/.gconf ;
 !/root/.gconfd ;
- #/root/.gnome -> $(Dynamic) ;
- #/root/.gnome-desktop -> $(Dynamic) ;
- #/root/.gnome2 -> $(Dynamic) ;
- #/root/.gtkrc -> $(Dynamic) ;
- #/root/.gtkrc-1.2-gnome2 -> $(Dynamic) ;
- #/root/.metacity -> $(Dynamic) ;
- #/root/.nautilus -> $(Dynamic) ;
- #/root/.rhn-applet.conf -> $(Dynamic) ;
- #/root/.tcshrc -> $(Dynamic) ;
- #/root/.xauth -> $(Dynamic) ;
- #/root/.ICEauthority -> $(Dynamic) ;
- #/root/.Xauthority -> $(Dynamic) -i ;
- #/root/.Xresources -> $(Dynamic) ;
+ #/root/.gnome -> $(SEC_DYNAMIC) ;
+ #/root/.gnome-desktop -> $(SEC_DYNAMIC) ;
+ #/root/.gnome2 -> $(SEC_DYNAMIC) ;
+ #/root/.gtkrc -> $(SEC_DYNAMIC) ;
+ #/root/.gtkrc-1.2-gnome2 -> $(SEC_DYNAMIC) ;
+ #/root/.metacity -> $(SEC_DYNAMIC) ;
+ #/root/.nautilus -> $(SEC_DYNAMIC) ;
+ #/root/.rhn-applet.conf -> $(SEC_DYNAMIC) ;
+ #/root/.tcshrc -> $(SEC_DYNAMIC) ;
+ #/root/.xauth -> $(SEC_DYNAMIC) ;
+ #/root/.ICEauthority -> $(SEC_DYNAMIC) ;
+ #/root/.Xauthority -> $(SEC_DYNAMIC) -i ;
+ #/root/.Xresources -> $(SEC_DYNAMIC) ;
 }
 ################################################
@@ -286,12 +287,12 @@ Temporary = +pugt ;
 rulename = "Temporary Directories",
 )
 {
- /usr/tmp -> $(Temporary) ;
- /var/tmp -> $(Temporary) ;
- /tmp -> $(Temporary) ;
- #/tmp/.fam-socket -> $(Temporary) ;
- #/tmp/.ICE-unix -> $(Temporary) ;
- #/tmp/.X11-unix -> $(Temporary) ;
+ /usr/tmp -> $(SEC_TEMPORARY) ;
+ /var/tmp -> $(SEC_TEMPORARY) ;
+ /tmp -> $(SEC_TEMPORARY) ;
+ #/tmp/.fam-socket -> $(SEC_TEMPORARY) ;
+ #/tmp/.ICE-unix -> $(SEC_TEMPORARY) ;
+ #/tmp/.X11-unix -> $(SEC_TEMPORARY) ;
 !/tmp/orbit-root ;
 }
@@ -306,21 +307,21 @@ Temporary = +pugt ;
 rulename = "System Boot Changes",
 )
 {
- /.autofsck -> $(Dynamic) -m ;
- /var/cache/man/whatis -> $(Growing) ;
- /var/lib/logrotate.status -> $(Growing) ;
- #/var/lib/nfs/statd -> $(Growing) ;
+ /.autofsck -> $(SEC_DYNAMIC) -m ;
+ /var/cache/man/whatis -> $(SEC_GROWING) ;
+ /var/lib/logrotate.status -> $(SEC_GROWING) ;
+ #/var/lib/nfs/statd -> $(SEC_GROWING) ;
 !/var/lib/random-seed ;
- #/var/lib/slocate/slocate.db -> $(Growing) -is ;
- /var/lock/subsys -> $(Dynamic) -i ;
- /var/log -> $(Growing) -i ;
+ #/var/lib/slocate/slocate.db -> $(SEC_GROWING) -is ;
+ /var/lock/subsys -> $(SEC_DYNAMIC) -i ;
+ /var/log -> $(SEC_GROWING) -i ;
 !/var/log/sa;
 !/var/log/cisco;
- /var/run -> $(Dynamic) -i ;
- /etc/cron.daily -> $(Growing);
- /etc/cron.weekly -> $(Growing);
- /etc/cron.monthly -> $(Growing);
- /var/spool/mail -> $(Growing);
+ /var/run -> $(SEC_DYNAMIC) -i ;
+ /etc/cron.daily -> $(SEC_GROWING);
+ /etc/cron.weekly -> $(SEC_GROWING);
+ /etc/cron.monthly -> $(SEC_GROWING);
+ /var/spool/mail -> $(SEC_GROWING);
 }
 ################################################
@@ -334,10 +335,10 @@ Temporary = +pugt ;
 rulename = "Monitor Filesystems",
 )
 {
- / -> $(ReadOnly) ;
- /home -> $(ReadOnly) ; # Modify as needed
- /usr -> $(ReadOnly) ;
- /var -> $(ReadOnly) ;
+ / -> $(SEC_READONLY) ;
+ /home -> $(SEC_READONLY) ; # Modify as needed
+ /usr -> $(SEC_READONLY) ;
+ /var -> $(SEC_READONLY) ;
 }
 ################################################