Assorted default policy updates
This commit is contained in:
parent
59947009d0
commit
392b533045
|
@ -60,13 +60,14 @@ HOSTNAME=;
|
|||
#
|
||||
##############################################################################
|
||||
|
||||
Device = +pugsdr-intlbamcCMSH ;
|
||||
Dynamic = +pinugtd-srlbamcCMSH ;
|
||||
Growing = +pinugtdl-srbamcCMSH ;
|
||||
IgnoreAll = -pinugtsdrlbamcCMSH ;
|
||||
IgnoreNone = +pinugtsdrbamcCMSH-l ;
|
||||
ReadOnly = +pinugtsdbmCM-rlacSH ;
|
||||
Temporary = +pugt ;
|
||||
SEC_DEVICE = +pugsdr-intlbamcCMSH ;
|
||||
SEC_DYNAMIC = +pinugtd-srlbamcCMSH ;
|
||||
SEC_GROWING = +pinugtdl-srbamcCMSH ;
|
||||
SEC_IGNORE_ALL = -pinugtsdrlbamcCMSH ;
|
||||
SEC_IGNORE_NONE = +pinugtsdrbamcCMSH-l ;
|
||||
SEC_READONLY = +pinugtsdbmCM-rlacSH ;
|
||||
SEC_TEMPORARY = +pugt ;
|
||||
|
||||
|
||||
@@section FS
|
||||
|
||||
|
@ -83,10 +84,10 @@ Temporary = +pugt ;
|
|||
rulename = "Tripwire Binaries",
|
||||
)
|
||||
{
|
||||
$(TWBIN)/siggen -> $(ReadOnly) ;
|
||||
$(TWBIN)/tripwire -> $(ReadOnly) ;
|
||||
$(TWBIN)/twadmin -> $(ReadOnly) ;
|
||||
$(TWBIN)/twprint -> $(ReadOnly) ;
|
||||
$(TWBIN)/siggen -> $(SEC_READONLY) ;
|
||||
$(TWBIN)/tripwire -> $(SEC_READONLY) ;
|
||||
$(TWBIN)/twadmin -> $(SEC_READONLY) ;
|
||||
$(TWBIN)/twprint -> $(SEC_READONLY) ;
|
||||
}
|
||||
|
||||
# Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases
|
||||
|
@ -103,14 +104,14 @@ Temporary = +pugt ;
|
|||
# afterward triggers this rule until a database update is run, since the
|
||||
# database file does not exist before that point.
|
||||
|
||||
$(TWDB) -> $(Dynamic) -i ;
|
||||
$(TWPOL)/tw.pol -> $(ReadOnly) -i ;
|
||||
$(TWPOL)/tw.cfg -> $(ReadOnly) -i ;
|
||||
$(TWLKEY)/$(HOSTNAME)-local.key -> $(ReadOnly) ;
|
||||
$(TWSKEY)/site.key -> $(ReadOnly) ;
|
||||
$(TWDB) -> $(SEC_DYNAMIC) -i ;
|
||||
$(TWPOL)/tw.pol -> $(SEC_READONLY) -i ;
|
||||
$(TWPOL)/tw.cfg -> $(SEC_READONLY) -i ;
|
||||
$(TWLKEY)/$(HOSTNAME)-local.key -> $(SEC_READONLY) ;
|
||||
$(TWSKEY)/site.key -> $(SEC_READONLY) ;
|
||||
|
||||
# don't scan the individual reports
|
||||
$(TWREPORT) -> $(Dynamic) (recurse=0) ;
|
||||
$(TWREPORT) -> $(SEC_DYNAMIC) (recurse=0) ;
|
||||
}
|
||||
|
||||
################################################
|
||||
|
@ -124,7 +125,7 @@ Temporary = +pugt ;
|
|||
rulename = "OS Boot and Configuration Files",
|
||||
)
|
||||
{
|
||||
/etc -> $(IgnoreNone) -SHa ;
|
||||
/etc -> $(SEC_IGNORE_NONE) -SHa ;
|
||||
}
|
||||
|
||||
###################################################
|
||||
|
@ -138,9 +139,9 @@ Temporary = +pugt ;
|
|||
rulename = "Mount Points",
|
||||
)
|
||||
{
|
||||
/ -> $(ReadOnly) ;
|
||||
/usr -> $(ReadOnly) ;
|
||||
/var -> $(ReadOnly) ;
|
||||
/ -> $(SEC_READONLY) ;
|
||||
/usr -> $(SEC_READONLY) ;
|
||||
/var -> $(SEC_READONLY) ;
|
||||
}
|
||||
|
||||
###################################################
|
||||
|
@ -154,10 +155,10 @@ Temporary = +pugt ;
|
|||
rulename = "Misc Top-Level Directories",
|
||||
)
|
||||
{
|
||||
/lost+found -> $(ReadOnly) ;
|
||||
/hacmplocal -> $(ReadOnly) ;
|
||||
/homelocal -> $(ReadOnly) ;
|
||||
/opt -> $(ReadOnly) ;
|
||||
/lost+found -> $(SEC_READONLY) ;
|
||||
/hacmplocal -> $(SEC_READONLY) ;
|
||||
/homelocal -> $(SEC_READONLY) ;
|
||||
/opt -> $(SEC_READONLY) ;
|
||||
!/var/adm/csd ;
|
||||
}
|
||||
|
||||
|
@ -172,7 +173,7 @@ Temporary = +pugt ;
|
|||
rulename = "System Devices",
|
||||
)
|
||||
{
|
||||
/dev -> $(Device) ;
|
||||
/dev -> $(SEC_DEVICE) ;
|
||||
}
|
||||
|
||||
################################################
|
||||
|
@ -186,10 +187,10 @@ Temporary = +pugt ;
|
|||
rulename = "OS Binaries and Libraries",
|
||||
)
|
||||
{
|
||||
/sbin -> $(ReadOnly) ;
|
||||
/usr/bin -> $(ReadOnly) ;
|
||||
/usr/lib -> $(ReadOnly) ;
|
||||
/usr/sbin -> $(ReadOnly) ;
|
||||
/sbin -> $(SEC_READONLY) ;
|
||||
/usr/bin -> $(SEC_READONLY) ;
|
||||
/usr/lib -> $(SEC_READONLY) ;
|
||||
/usr/sbin -> $(SEC_READONLY) ;
|
||||
}
|
||||
|
||||
################################################
|
||||
|
@ -203,11 +204,11 @@ Temporary = +pugt ;
|
|||
rulename = "Root Directory and Files",
|
||||
)
|
||||
{
|
||||
#/.dtprofile -> $(Dynamic) ;
|
||||
#/.dtprofile -> $(SEC_DYNAMIC) ;
|
||||
! /.netscape/cache ;
|
||||
/.netscape/history.dat -> $(Dynamic) ;
|
||||
/.sh_history -> $(Dynamic) ;
|
||||
#/.Xauthority -> $(ReadOnly) ;
|
||||
/.netscape/history.dat -> $(SEC_DYNAMIC) ;
|
||||
/.sh_history -> $(SEC_DYNAMIC) ;
|
||||
#/.Xauthority -> $(SEC_READONLY) ;
|
||||
}
|
||||
|
||||
################################################
|
||||
|
@ -221,8 +222,8 @@ Temporary = +pugt ;
|
|||
rulename = "Temporary Directories",
|
||||
)
|
||||
{
|
||||
/tmp -> $(Temporary) ;
|
||||
/var/tmp -> $(Temporary) ;
|
||||
/tmp -> $(SEC_TEMPORARY) ;
|
||||
/var/tmp -> $(SEC_TEMPORARY) ;
|
||||
}
|
||||
|
||||
################################################
|
||||
|
@ -251,31 +252,31 @@ Temporary = +pugt ;
|
|||
rulename = "System and Boot Changes",
|
||||
)
|
||||
{
|
||||
/etc/es/objrepos -> $(ReadOnly) -SHacm ;
|
||||
/etc/es/objrepos/HACMPresource -> $(ReadOnly) -SHCMcm ;
|
||||
/etc/lpp/diagnostics/data -> $(ReadOnly) -SHCMacm ;
|
||||
/etc/ntp.drift -> $(ReadOnly) -SHiacm ;
|
||||
/etc/es/objrepos -> $(SEC_READONLY) -SHacm ;
|
||||
/etc/es/objrepos/HACMPresource -> $(SEC_READONLY) -SHCMcm ;
|
||||
/etc/lpp/diagnostics/data -> $(SEC_READONLY) -SHCMacm ;
|
||||
/etc/ntp.drift -> $(SEC_READONLY) -SHiacm ;
|
||||
!/etc/objrepos ;
|
||||
/etc/security -> $(ReadOnly) -SHacm ;
|
||||
/usr/es/adm/cluster.log -> $(ReadOnly) -SHCMsbm ;
|
||||
/usr/es/sbin/cluster/etc/objrepos/active -> $(ReadOnly) -SHim ;
|
||||
/etc/security -> $(SEC_READONLY) -SHacm ;
|
||||
/usr/es/adm/cluster.log -> $(SEC_READONLY) -SHCMsbm ;
|
||||
/usr/es/sbin/cluster/etc/objrepos/active -> $(SEC_READONLY) -SHim ;
|
||||
!/usr/etc/sbin/cluster/history ;
|
||||
/usr/share/lib/objrepos -> $(ReadOnly) -m ;
|
||||
/usr/lib/objrepos -> $(ReadOnly) -m ;
|
||||
/usr/share/lib/objrepos -> $(SEC_READONLY) -m ;
|
||||
/usr/lib/objrepos -> $(SEC_READONLY) -m ;
|
||||
!/var/adm/SPlogs ;
|
||||
/var/ha/log -> $(Growing) -i ;
|
||||
/var/ha/log -> $(SEC_GROWING) -i ;
|
||||
!/var/adm ;
|
||||
!/var/ct ;
|
||||
|
||||
#/var/backups -> $(Dynamic) -i ;
|
||||
#/var/db/host.random -> $(ReadOnly) -mCM ;
|
||||
#/var/db/locate.database -> $(ReadOnly) -misCM ;
|
||||
#/var/cron -> $(Growing) -i ;
|
||||
#/var/log -> $(Growing) -i ;
|
||||
#/var/run -> $(Dynamic) -i ;
|
||||
#/var/mail -> $(Growing) ;
|
||||
#/var/msgs/bounds -> $(ReadOnly) -smbCM ;
|
||||
#/var/spool/clientmqueue -> $(Temporary) ;
|
||||
#/var/spool/mqueue -> $(Temporary) ;
|
||||
#/var/backups -> $(SEC_DYNAMIC) -i ;
|
||||
#/var/db/host.random -> $(SEC_READONLY) -mCM ;
|
||||
#/var/db/locate.database -> $(SEC_READONLY) -misCM ;
|
||||
#/var/cron -> $(SEC_GROWING) -i ;
|
||||
#/var/log -> $(SEC_GROWING) -i ;
|
||||
#/var/run -> $(SEC_DYNAMIC) -i ;
|
||||
#/var/mail -> $(SEC_GROWING) ;
|
||||
#/var/msgs/bounds -> $(SEC_READONLY) -smbCM ;
|
||||
#/var/spool/clientmqueue -> $(SEC_TEMPORARY) ;
|
||||
#/var/spool/mqueue -> $(SEC_TEMPORARY) ;
|
||||
#!/var/tmp/vi.recover ; # perl script periodically removes this
|
||||
}
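Review bot: The legacy template names (`ReadOnly`, `Dynamic`, `Growing`, `Device`, `IgnoreAll`, `IgnoreNone`, `Temporary`) are deleted outright in the first hunk rather than aliased, so any site-local policy fragment still written against `$(ReadOnly)` will now fail at `twadmin --create-polfile` with an undefined-variable error. Since the policy language lets one variable expand another, a one-line alias next to each new definition makes the rename backward-compatible at no cost, e.g. `ReadOnly = $(SEC_READONLY) ;`. Whether anything outside this file references the old names is not visible here, so this is a compatibility precaution rather than a known breakage.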
|
||||
|
|
|
@ -56,13 +56,13 @@ HOSTNAME=;
|
|||
#
|
||||
##############################################################################
|
||||
|
||||
#Device = +pugsdr-intlbamcCMSH ;
|
||||
#Dynamic = +pinugtd-srlbamcCMSH ;
|
||||
#Growing = +pinugtdl-srbamcCMSH ;
|
||||
#IgnoreAll = -pinugtsdrlbamcCMSH ;
|
||||
#IgnoreNone = +pinugtsdrbamcCMSH-l ;
|
||||
#ReadOnly = +pinugtsdbmCM-rlacSH ;
|
||||
Temporary = +pugt ;
|
||||
SEC_DEVICE = +pugsdr-intlbamcCMSH ;
|
||||
SEC_DYNAMIC = +pinugtd-srlbamcCMSH ;
|
||||
SEC_GROWING = +pinugtdl-srbamcCMSH ;
|
||||
SEC_IGNORE_ALL = -pinugtsdrlbamcCMSH ;
|
||||
SEC_IGNORE_NONE = +pinugtsdrbamcCMSH-l ;
|
||||
SEC_READONLY = +pinugtsdbmCM-rlacSH ;
|
||||
SEC_TEMPORARY = +pugt ;
|
||||
|
||||
@@section FS
|
||||
|
||||
|
@ -77,10 +77,10 @@ Temporary = +pugt ;
|
|||
rulename = "Tripwire Binaries",
|
||||
)
|
||||
{
|
||||
$(TWBIN)/siggen -> $(ReadOnly) ;
|
||||
$(TWBIN)/tripwire -> $(ReadOnly) ;
|
||||
$(TWBIN)/twadmin -> $(ReadOnly) ;
|
||||
$(TWBIN)/twprint -> $(ReadOnly) ;
|
||||
$(TWBIN)/siggen -> $(SEC_READONLY) ;
|
||||
$(TWBIN)/tripwire -> $(SEC_READONLY) ;
|
||||
$(TWBIN)/twadmin -> $(SEC_READONLY) ;
|
||||
$(TWBIN)/twprint -> $(SEC_READONLY) ;
|
||||
}
|
||||
|
||||
# Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases
|
||||
|
@ -97,67 +97,67 @@ Temporary = +pugt ;
|
|||
# afterward triggers this rule until a database update is run, since the
|
||||
# database file does not exist before that point.
|
||||
|
||||
$(TWDB) -> $(Dynamic) -i ;
|
||||
$(TWPOL)/tw.pol -> $(ReadOnly) -i ;
|
||||
$(TWPOL)/tw.cfg -> $(ReadOnly) -i ;
|
||||
$(TWLKEY)/$(HOSTNAME)-local.key -> $(ReadOnly) ;
|
||||
$(TWSKEY)/site.key -> $(ReadOnly) ;
|
||||
$(TWDB) -> $(SEC_DYNAMIC) -i ;
|
||||
$(TWPOL)/tw.pol -> $(SEC_READONLY) -i ;
|
||||
$(TWPOL)/tw.cfg -> $(SEC_READONLY) -i ;
|
||||
$(TWLKEY)/$(HOSTNAME)-local.key -> $(SEC_READONLY) ;
|
||||
$(TWSKEY)/site.key -> $(SEC_READONLY) ;
|
||||
|
||||
# don't scan the individual reports
|
||||
$(TWREPORT) -> $(Dynamic) (recurse=0) ;
|
||||
$(TWREPORT) -> $(SEC_DYNAMIC) (recurse=0) ;
|
||||
}
|
||||
|
||||
##############################################################################
|
||||
|
||||
(rulename="Binary files",)
|
||||
{
|
||||
/bin -> $(IgnoreNone) -a;
|
||||
/usr/bin -> $(IgnoreNone) -a;
|
||||
/usr/local/bin -> $(IgnoreNone) -a;
|
||||
/bin -> $(SEC_READONLY) -a;
|
||||
/usr/bin -> $(SEC_READONLY) -a;
|
||||
/usr/local/bin -> $(SEC_READONLY) -a;
|
||||
}
|
||||
|
||||
(rulename="Development",)
|
||||
{
|
||||
/usr/x86_64-pc-cygwin -> $(IgnoreNone) -a;
|
||||
/usr/x86_64-pc-cygwin -> $(SEC_READONLY) -a;
|
||||
}
|
||||
|
||||
(rulename="Libexec",)
|
||||
{
|
||||
/usr/libexec -> $(IgnoreNone) -a;
|
||||
/usr/libexec -> $(SEC_READONLY) -a;
|
||||
}
|
||||
|
||||
(rulename="Admin binaries",)
|
||||
{
|
||||
/sbin -> $(IgnoreNone) -a;
|
||||
/usr/sbin -> $(IgnoreNone) -a;
|
||||
/sbin -> $(SEC_READONLY) -a;
|
||||
/usr/sbin -> $(SEC_READONLY) -a;
|
||||
}
|
||||
|
||||
(rulename="Libraries",)
|
||||
{
|
||||
/lib -> $(IgnoreNone) -a;
|
||||
/usr/lib -> $(IgnoreNone) -a;
|
||||
/usr/local/lib -> $(IgnoreNone) -a;
|
||||
/lib -> $(SEC_READONLY) -a;
|
||||
/usr/lib -> $(SEC_READONLY) -a;
|
||||
/usr/local/lib -> $(SEC_READONLY) -a;
|
||||
}
|
||||
|
||||
(rulename="Etc",)
|
||||
{
|
||||
/etc -> $(IgnoreNone) -a;
|
||||
/usr/local/etc -> $(IgnoreNone) -a;
|
||||
/etc -> $(SEC_READONLY) -a;
|
||||
/usr/local/etc -> $(SEC_READONLY) -a;
|
||||
}
|
||||
|
||||
(rulename="Dev",)
|
||||
{
|
||||
/dev -> $(Device);
|
||||
/dev -> $(SEC_DEVICE);
|
||||
}
|
||||
|
||||
(rulename="Tmp",)
|
||||
{
|
||||
/tmp -> $(Temporary);
|
||||
/var/tmp -> $(Temporary);
|
||||
/usr/tmp -> $(Temporary);
|
||||
/tmp -> $(SEC_TEMPORARY);
|
||||
/var/tmp -> $(SEC_TEMPORARY);
|
||||
/usr/tmp -> $(SEC_TEMPORARY);
|
||||
}
|
||||
|
||||
(rulename="Log",)
|
||||
{
|
||||
/var/log -> $(Growing);
|
||||
/var/log -> $(SEC_GROWING);
|
||||
}
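Review bot: The `/bin`, `/usr/bin`, `/usr/local/bin`, `/sbin`, `/usr/sbin`, `/lib`, `/usr/lib`, `/usr/libexec`, `/etc` and `/usr/local/etc` rules are not merely renamed: they move from `$(IgnoreNone) -a` to `$(SEC_READONLY) -a`, and with `SEC_READONLY = +pinugtsdbmCM-rlacSH` that silently drops the SHA and HAVAL hashes and the ctime check on the most security-critical trees, leaving MD5 and CRC32 as the only content checks. If the intent was purely the rename, `$(SEC_READONLY)` should be `$(SEC_IGNORE_NONE)` on those lines to keep the previous coverage; if the weaker mask is deliberate for scan speed, a comment on the "Binary files" rule saying so would stop the next reader from reverting it. Separately, nothing on the new side of this hunk references `$(Temporary)` any more (the tmp rules now use `$(SEC_TEMPORARY)`), so the surviving `Temporary = +pugt ;` definition in the variable block is dead and should be commented out like the other legacy names.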
|
||||
|
|
|
@ -2,8 +2,8 @@
|
|||
# ##
|
||||
############################################################################## #
|
||||
# # #
|
||||
# Policy file for Mac OS X # #
|
||||
# September 3, 2003 # #
|
||||
# Tripwire 2.4 policy for Mac OS X # #
|
||||
# updated March 2018 # #
|
||||
# ##
|
||||
##############################################################################
|
||||
|
||||
|
@ -28,7 +28,7 @@ TWDB=;
|
|||
TWSKEY=;
|
||||
TWLKEY=;
|
||||
TWREPORT=;
|
||||
#USER1=frodo ;
|
||||
HOSTNAME=;
|
||||
|
||||
|
||||
##############################################################################
|
||||
|
@ -67,9 +67,10 @@ SEC_DYNAMIC = +pinugt-dsrlbamcCMSH ;
|
|||
SEC_READONLY = +pinugtsbmCM-drlacSH ;
|
||||
SEC_GROWING = +pinugtl-dsrbamcCMSH ;
|
||||
|
||||
IgnoreAll = -pinugtsdrlbamcCMSH ;
|
||||
IgnoreNone = +pinugtsdrbamcCMSH-l ;
|
||||
Temporary = +pugt ;
|
||||
SEC_IGNORE_ALL = -pinugtsdrlbamcCMSH ;
|
||||
SEC_IGNORE_NONE = +pinugtsdrbamcCMSH-l ;
|
||||
SEC_TEMPORARY = +pugt ;
|
||||
|
||||
|
||||
@@section FS
|
||||
|
||||
|
@ -109,7 +110,7 @@ Temporary = +pugt ;
|
|||
$(TWDB) -> $(SEC_DYNAMIC) -i ;
|
||||
$(TWPOL)/tw.pol -> $(SEC_READONLY) -i ;
|
||||
$(TWPOL)/tw.cfg -> $(SEC_READONLY) -i ;
|
||||
$(TWLKEY)/local.key -> $(SEC_READONLY) ;
|
||||
$(TWLKEY)/$(HOSTNAME)-local.key -> $(SEC_READONLY) ;
|
||||
$(TWSKEY)/site.key -> $(SEC_READONLY) ;
|
||||
|
||||
# don't scan the individual reports
|
||||
|
@ -129,14 +130,14 @@ Temporary = +pugt ;
|
|||
rulename = "OS Boot and Configuration Files", severity=100
|
||||
)
|
||||
{
|
||||
/mach.sym -> $(SEC_READONLY)-im ;
|
||||
#/mach.sym -> $(SEC_READONLY)-im ;
|
||||
/mach_kernel -> $(SEC_READONLY) ;
|
||||
/private/etc -> $(SEC_READONLY)-m ;
|
||||
|
||||
#/private/etc/appletalk.cfg -> $(SEC_READONLY)-im ;
|
||||
#/private/etc/appletalk.nvram.en0 -> $(SEC_DYNAMIC) ;
|
||||
/private/etc/cups/certs -> $(SEC_DYNAMIC) -i(recurse=0) ;
|
||||
/private/etc/smb.conf -> $(SEC_READONLY)-im ;
|
||||
#/private/etc/smb.conf -> $(SEC_READONLY)-im ;
|
||||
|
||||
/Library -> $(SEC_READONLY) ;
|
||||
/System -> $(SEC_READONLY) ;
|
||||
|
@ -182,8 +183,6 @@ Temporary = +pugt ;
|
|||
)
|
||||
{
|
||||
/dev -> $(SEC_DEVICE)(recurse=0) ;
|
||||
#/private/var/cron/tabs/.sock -> $(SEC_DEVICE) ;
|
||||
|
||||
}
|
||||
|
||||
################################################
|
||||
|
@ -203,8 +202,8 @@ Temporary = +pugt ;
|
|||
/usr/lib -> $(SEC_READONLY) ;
|
||||
/usr/libexec -> $(SEC_READONLY) ;
|
||||
/usr/sbin -> $(SEC_READONLY) ;
|
||||
#/usr/X11R6 -> $(SEC_READONLY)(recurse=2) ; # May not be present
|
||||
#/usr/X11R6/man -> $(SEC_DYNAMIC)-i(recurse=1) ; # May not be present
|
||||
/usr/X11 -> $(SEC_READONLY)(recurse=2) ; # May not be present
|
||||
#/usr/X11/man -> $(SEC_DYNAMIC)-i(recurse=1) ; # May not be present
|
||||
/usr/share -> $(SEC_READONLY) ;
|
||||
/usr/share/man -> $(SEC_DYNAMIC)-i(recurse=1) ;
|
||||
|
||||
|
@ -223,12 +222,6 @@ Temporary = +pugt ;
|
|||
)
|
||||
{
|
||||
/Applications -> $(SEC_READONLY)-im(recurse=2) ;
|
||||
"/Applications (Mac OS 9)" -> $(SEC_READONLY) ;
|
||||
|
||||
|
||||
!/Applications/Internet/P2P/Downloads ;
|
||||
!/Applications/Games/"Warcraft III Folder"/Save ;
|
||||
|
||||
}
|
||||
|
||||
################################################
|
||||
|
@ -243,10 +236,19 @@ Temporary = +pugt ;
|
|||
)
|
||||
{
|
||||
/usr/local -> $(SEC_READONLY) ;
|
||||
#/usr/local/bin -> $(SEC_READONLY) ;
|
||||
/usr/local/sbin -> $(SEC_READONLY) ;
|
||||
/usr/local/bin -> $(SEC_READONLY) ;
|
||||
/usr/local/include -> $(SEC_READONLY) ;
|
||||
/usr/local/opt -> $(SEC_READONLY) ;
|
||||
/usr/local/libexec -> $(SEC_READONLY) ;
|
||||
/usr/local/lib -> $(SEC_READONLY) ;
|
||||
/usr/local/etc -> $(SEC_READONLY) ;
|
||||
#/usr/local/sbin -> $(SEC_READONLY) ;
|
||||
#/usr/local/share -> $(SEC_READONLY) ;
|
||||
/usr/local/share -> $(SEC_READONLY) ;
|
||||
/usr/local/man -> $(SEC_READONLY) ;
|
||||
/usr/local/Frameworks -> $(SEC_READONLY) ;
|
||||
# Homebrew
|
||||
/usr/local/.git -> $(SEC_READONLY) ;
|
||||
/usr/local/Cellar -> $(SEC_READONLY) ;
|
||||
}
|
||||
|
||||
|
||||
|
@ -263,24 +265,26 @@ Temporary = +pugt ;
|
|||
{
|
||||
/private/tmp -> $(SEC_DYNAMIC)-in(recurse=0) ;
|
||||
|
||||
/private/tftpboot -> $(SEC_READONLY)-i ;
|
||||
|
||||
/private/var -> $(SEC_READONLY)-i ;
|
||||
/private/var/backups -> $(SEC_READONLY)-imc(severity=100) ;
|
||||
#/private/var/backups/local.nidump -> $(SEC_DYNAMIC) -i(severity=100) ;
|
||||
#/private/var/cron -> $(SEC_DYNAMIC) -i ;
|
||||
/private/var/db -> $(SEC_READONLY)-im ;
|
||||
/private/var/db/BootCache.playlist -> $(SEC_DYNAMIC) -i ;
|
||||
/private/var/db/netinfo/local.nidb/Store.384 -> $(SEC_READONLY)-imc(severity=100) ;
|
||||
#/private/var/db/netinfo/local.nidb/Store.384 -> $(SEC_READONLY)-imc(severity=100) ;
|
||||
#/private/var/db/netinfo/local.nidb/Store.672 -> $(SEC_READONLY)-imc(severity=100) ;
|
||||
/private/var/db/prebindOnDemandBadFiles -> $(SEC_DYNAMIC) -i ;
|
||||
#/private/var/db/prebindOnDemandBadFiles -> $(SEC_DYNAMIC) -i ;
|
||||
/private/var/log -> $(SEC_DYNAMIC) -i ;
|
||||
#/private/var/mail -> $(SEC_DYNAMIC) ;
|
||||
/private/var/msgs/bounds -> $(SEC_READONLY)-smbCM ;
|
||||
/private/var/root/Library/Caches -> $(SEC_DYNAMIC) -i ;
|
||||
/private/var/run -> $(SEC_DYNAMIC) -i(rulename="Running Services") ;
|
||||
#/private/var/slp.regfile -> $(SEC_READONLY)-im ;
|
||||
/private/var/spool/clientmqueue -> $(SEC_DYNAMIC)(recurse=0) ;
|
||||
#/private/var/spool/clientmqueue -> $(SEC_DYNAMIC)(recurse=0) ;
|
||||
/private/var/spool/mqueue -> $(SEC_DYNAMIC)(recurse=0) ;
|
||||
/private/var/spool/lock -> $(SEC_DYNAMIC) -i(recurse=1) ;
|
||||
#/private/var/spool/lock -> $(SEC_DYNAMIC) -i(recurse=1) ;
|
||||
/private/var/spool/cups -> $(SEC_DYNAMIC) -i(recurse=0) ;
|
||||
/private/var/tmp -> $(SEC_DYNAMIC) -i(recurse=0) ;
|
||||
/private/var/vm -> $(SEC_DYNAMIC)(recurse=0) ;
|
||||
|
@ -294,37 +298,19 @@ Temporary = +pugt ;
|
|||
!/private/var/db/dhcpd_leases ;
|
||||
!/private/var/db/locate.database ;
|
||||
!/private/var/db/SystemEntropyCache ;
|
||||
!/private/var/db/mds/messages/se_SecurityMessages ;
|
||||
!/private/var/db/samba/secrets.tdb ;
|
||||
|
||||
!/private/var/db/ntp.drift ;
|
||||
!/private/var/folders ;
|
||||
!/private/var/vm/sleepimage ;
|
||||
!/private/var/vm/swap0 ;
|
||||
!/private/var/vm/swap[1-9][0-9]* ;
|
||||
# Sophos
|
||||
!/Library/Caches/com.sophos.sau ;
|
||||
!/Library/Caches/com.sophos.sxld ;
|
||||
}
|
||||
|
||||
|
||||
|
||||
################################################
|
||||
# ##
|
||||
################################################ #
|
||||
# # #
|
||||
# Classic Environment # #
|
||||
# ##
|
||||
################################################
|
||||
(
|
||||
rulename = "Classic Environment", severity=100
|
||||
)
|
||||
{
|
||||
|
||||
/"System Folder" -> $(SEC_READONLY) ;
|
||||
/"System Folder"/Preferences -> $(SEC_DYNAMIC)-i(recurse=0) ;
|
||||
/"System Folder"/Extensions -> $(SEC_READONLY)-im ;
|
||||
/"System Folder/Apple Menu Items" -> $(SEC_READONLY)-im(recurse=0) ;
|
||||
/"System Folder"/Clipboard -> $(SEC_DYNAMIC) ;
|
||||
|
||||
!/"System Folder"/VolumeNameIconPict ;
|
||||
|
||||
}
|
||||
|
||||
|
||||
|
||||
|
||||
###################################################
|
||||
# ##
|
||||
################################################### #
|
||||
|
@ -375,7 +361,3 @@ Temporary = +pugt ;
|
|||
#!"/Users/$(USER1)/.lpoptions" ;
|
||||
#!"/Users/$(USER1)/.Trash" ;
|
||||
}
|
||||
|
||||
#
|
||||
# JTI
|
||||
#
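Review bot: The stop-point `!/private/var/db/samba/secrets.tdb` removes that file from the scan entirely, which also drops ownership and permission checks on the database holding Samba's machine and trust secrets; `/private/var/db/samba/secrets.tdb -> $(SEC_DYNAMIC) ;` would tolerate its content churn while still flagging a mode or owner change (the same reasoning applies to `se_SecurityMessages`). The key rule now reads `$(TWLKEY)/$(HOSTNAME)-local.key` while this file still carries `HOSTNAME=;` — presumably an install step fills it in as for the other platform policies, but if it stays empty the local key silently stops being monitored rather than producing an error. The Homebrew additions `/usr/local/.git` and `/usr/local/Cellar` under `$(SEC_READONLY)` are likely to report on every `brew update` or `brew install`, so consider whether a looser mask or a comment accepting that noise is wanted. The rule blocks enclosing the first two points start outside the hunks shown.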
|
||||
|
|
|
@ -2,7 +2,8 @@
|
|||
# ##
|
||||
############################################################################## #
|
||||
# # #
|
||||
# Tripwire 2.4 policy for Linux # #
|
||||
# Tripwire 2.4 policy for Linux (RPM) # #
|
||||
# updated March 2018 # #
|
||||
# ##
|
||||
##############################################################################
|
||||
|
||||
|
@ -59,13 +60,13 @@ HOSTNAME=;
|
|||
#
|
||||
##############################################################################
|
||||
|
||||
Device = +pugsdr-intlbamcCMSH ;
|
||||
Dynamic = +pinugtd-srlbamcCMSH ;
|
||||
Growing = +pinugtdl-srbamcCMSH ;
|
||||
IgnoreAll = -pinugtsdrlbamcCMSH ;
|
||||
IgnoreNone = +pinugtsdrbamcCMSH-l ;
|
||||
ReadOnly = +pinugtsdbmCM-rlacSH ;
|
||||
Temporary = +pugt ;
|
||||
SEC_DEVICE = +pugsdr-intlbamcCMSH ;
|
||||
SEC_DYNAMIC = +pinugtd-srlbamcCMSH ;
|
||||
SEC_GROWING = +pinugtdl-srbamcCMSH ;
|
||||
SEC_IGNORE_ALL = -pinugtsdrlbamcCMSH ;
|
||||
SEC_IGNORE_NONE = +pinugtsdrbamcCMSH-l ;
|
||||
SEC_READONLY = +pinugtsdbmCM-rlacSH ;
|
||||
SEC_TEMPORARY = +pugt ;
|
||||
|
||||
@@section FS
|
||||
|
||||
|
@ -82,10 +83,10 @@ Temporary = +pugt ;
|
|||
rulename = "Tripwire Binaries",
|
||||
)
|
||||
{
|
||||
$(TWBIN)/siggen -> $(ReadOnly) ;
|
||||
$(TWBIN)/tripwire -> $(ReadOnly) ;
|
||||
$(TWBIN)/twadmin -> $(ReadOnly) ;
|
||||
$(TWBIN)/twprint -> $(ReadOnly) ;
|
||||
$(TWBIN)/siggen -> $(SEC_READONLY) ;
|
||||
$(TWBIN)/tripwire -> $(SEC_READONLY) ;
|
||||
$(TWBIN)/twadmin -> $(SEC_READONLY) ;
|
||||
$(TWBIN)/twprint -> $(SEC_READONLY) ;
|
||||
}
|
||||
|
||||
# Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases
|
||||
|
@ -102,14 +103,14 @@ Temporary = +pugt ;
|
|||
# afterward triggers this rule until a database update is run, since the
|
||||
# database file does not exist before that point.
|
||||
|
||||
$(TWDB) -> $(Dynamic) -i ;
|
||||
$(TWPOL)/tw.pol -> $(ReadOnly) -i ;
|
||||
$(TWPOL)/tw.cfg -> $(ReadOnly) -i ;
|
||||
$(TWLKEY)/$(HOSTNAME)-local.key -> $(ReadOnly) ;
|
||||
$(TWSKEY)/site.key -> $(ReadOnly) ;
|
||||
$(TWDB) -> $(SEC_DYNAMIC) -i ;
|
||||
$(TWPOL)/tw.pol -> $(SEC_READONLY) -i ;
|
||||
$(TWPOL)/tw.cfg -> $(SEC_READONLY) -i ;
|
||||
$(TWLKEY)/$(HOSTNAME)-local.key -> $(SEC_READONLY) ;
|
||||
$(TWSKEY)/site.key -> $(SEC_READONLY) ;
|
||||
|
||||
# don't scan the individual reports
|
||||
$(TWREPORT) -> $(Dynamic) (recurse=0) ;
|
||||
$(TWREPORT) -> $(SEC_DYNAMIC) (recurse=0) ;
|
||||
}
|
||||
|
||||
################################################
|
||||
|
@ -123,10 +124,10 @@ Temporary = +pugt ;
|
|||
rulename = "RPM Checksum Files",
|
||||
)
|
||||
{
|
||||
/var/lib/rpm -> $(ReadOnly);
|
||||
/var/lib/rpm/__db.001 -> $(Dynamic) ;
|
||||
/var/lib/rpm/__db.002 -> $(Dynamic) ;
|
||||
/var/lib/rpm/__db.003 -> $(Dynamic) ;
|
||||
/var/lib/rpm -> $(SEC_READONLY);
|
||||
/var/lib/rpm/__db.001 -> $(SEC_DYNAMIC) ;
|
||||
/var/lib/rpm/__db.002 -> $(SEC_DYNAMIC) ;
|
||||
/var/lib/rpm/__db.003 -> $(SEC_DYNAMIC) ;
|
||||
}
|
||||
|
||||
################################################
|
||||
|
@ -140,18 +141,18 @@ Temporary = +pugt ;
|
|||
rulename = "Global Configuration Files",
|
||||
)
|
||||
{
|
||||
/etc -> $(IgnoreNone) -SHa ;
|
||||
/etc/adjtime -> $(Dynamic) ;
|
||||
/etc/aliases.db -> $(Dynamic) ;
|
||||
/etc/bashrc -> $(Dynamic) ;
|
||||
/etc/csh.cshrc -> $(Dynamic) ;
|
||||
/etc/csh.login -> $(Dynamic) ;
|
||||
/etc/mail/statistics -> $(Growing) ;
|
||||
/etc/profile -> $(Dynamic) -i ;
|
||||
/etc/mtab -> $(Dynamic) -i ;
|
||||
/etc/rc.d -> $(IgnoreNone) -SHa ;
|
||||
/etc/sysconfig -> $(IgnoreNone) -SHa ;
|
||||
/etc/sysconfig/hwconf -> $(Dynamic) -m ;
|
||||
/etc -> $(SEC_IGNORE_NONE) -SHa ;
|
||||
/etc/adjtime -> $(SEC_DYNAMIC) ;
|
||||
/etc/aliases.db -> $(SEC_DYNAMIC) ;
|
||||
/etc/bashrc -> $(SEC_DYNAMIC) ;
|
||||
/etc/csh.cshrc -> $(SEC_DYNAMIC) ;
|
||||
/etc/csh.login -> $(SEC_DYNAMIC) ;
|
||||
/etc/mail/statistics -> $(SEC_GROWING) ;
|
||||
/etc/profile -> $(SEC_DYNAMIC) -i ;
|
||||
/etc/mtab -> $(SEC_DYNAMIC) -i ;
|
||||
/etc/rc.d -> $(SEC_IGNORE_NONE) -SHa ;
|
||||
/etc/sysconfig -> $(SEC_IGNORE_NONE) -SHa ;
|
||||
/etc/sysconfig/hwconf -> $(SEC_DYNAMIC) -m ;
|
||||
}
|
||||
|
||||
################################################
|
||||
|
@ -165,10 +166,10 @@ Temporary = +pugt ;
|
|||
rulename = "OS Boot Files and Mount Points",
|
||||
)
|
||||
{
|
||||
/boot -> $(ReadOnly) ;
|
||||
/cdrom -> $(Dynamic) ;
|
||||
/floppy -> $(Dynamic) ;
|
||||
/mnt -> $(Dynamic) ;
|
||||
/boot -> $(SEC_READONLY) ;
|
||||
/cdrom -> $(SEC_DYNAMIC) ;
|
||||
/floppy -> $(SEC_DYNAMIC) ;
|
||||
/mnt -> $(SEC_DYNAMIC) ;
|
||||
}
|
||||
|
||||
################################################
|
||||
|
@ -182,12 +183,12 @@ Temporary = +pugt ;
|
|||
rulename = "OS Devices and Misc Directories",
|
||||
)
|
||||
{
|
||||
/dev -> $(Device) ;
|
||||
/initrd -> $(Dynamic) ;
|
||||
/opt -> $(Dynamic) ;
|
||||
/lost+found -> $(Dynamic) ;
|
||||
/var/lost+found -> $(Dynamic) ;
|
||||
/home/lost+found -> $(Dynamic) ;
|
||||
/dev -> $(SEC_DEVICE) ;
|
||||
/initrd -> $(SEC_DYNAMIC) ;
|
||||
/opt -> $(SEC_DYNAMIC) ;
|
||||
/lost+found -> $(SEC_DYNAMIC) ;
|
||||
/var/lost+found -> $(SEC_DYNAMIC) ;
|
||||
/home/lost+found -> $(SEC_DYNAMIC) ;
|
||||
!/dev/pts ; # Ignore this file
|
||||
!/dev/shm ; # Ignore this file
|
||||
}
|
||||
|
@ -203,14 +204,14 @@ Temporary = +pugt ;
|
|||
rulename = "OS Binaries and Libraries",
|
||||
)
|
||||
{
|
||||
/bin -> $(ReadOnly) ;
|
||||
/lib -> $(ReadOnly) ;
|
||||
/sbin -> $(ReadOnly) ;
|
||||
/usr/bin -> $(ReadOnly) ;
|
||||
/usr/lib -> $(ReadOnly) ;
|
||||
/usr/libexec -> $(ReadOnly) ;
|
||||
/usr/sbin -> $(ReadOnly) ;
|
||||
/usr/X11R6/lib -> $(ReadOnly) ;
|
||||
/bin -> $(SEC_READONLY) ;
|
||||
/lib -> $(SEC_READONLY) ;
|
||||
/sbin -> $(SEC_READONLY) ;
|
||||
/usr/bin -> $(SEC_READONLY) ;
|
||||
/usr/lib -> $(SEC_READONLY) ;
|
||||
/usr/libexec -> $(SEC_READONLY) ;
|
||||
/usr/sbin -> $(SEC_READONLY) ;
|
||||
/usr/X11R6/lib -> $(SEC_READONLY) ;
|
||||
}
|
||||
################################################
|
||||
# ##
|
||||
|
@ -224,19 +225,19 @@ Temporary = +pugt ;
|
|||
)
|
||||
{
|
||||
!/home/local;
|
||||
/usr/local -> $(ReadOnly) ;
|
||||
/usr/local/bin -> $(ReadOnly) ;
|
||||
/usr/local/doc -> $(ReadOnly) ;
|
||||
/usr/local/etc -> $(ReadOnly) ;
|
||||
/usr/local/games -> $(ReadOnly) ;
|
||||
/usr/local/include -> $(ReadOnly) ;
|
||||
/usr/local/lib -> $(ReadOnly) ;
|
||||
/usr/local/libexec -> $(ReadOnly) ;
|
||||
/usr/local/man -> $(ReadOnly) ;
|
||||
/usr/local/sbin -> $(ReadOnly) ;
|
||||
/usr/local/share -> $(ReadOnly) ;
|
||||
/usr/local/src -> $(ReadOnly) ;
|
||||
/usr/local/sysinfo -> $(ReadOnly) ;
|
||||
/usr/local -> $(SEC_READONLY) ;
|
||||
/usr/local/bin -> $(SEC_READONLY) ;
|
||||
/usr/local/doc -> $(SEC_READONLY) ;
|
||||
/usr/local/etc -> $(SEC_READONLY) ;
|
||||
/usr/local/games -> $(SEC_READONLY) ;
|
||||
/usr/local/include -> $(SEC_READONLY) ;
|
||||
/usr/local/lib -> $(SEC_READONLY) ;
|
||||
/usr/local/libexec -> $(SEC_READONLY) ;
|
||||
/usr/local/man -> $(SEC_READONLY) ;
|
||||
/usr/local/sbin -> $(SEC_READONLY) ;
|
||||
/usr/local/share -> $(SEC_READONLY) ;
|
||||
/usr/local/src -> $(SEC_READONLY) ;
|
||||
/usr/local/sysinfo -> $(SEC_READONLY) ;
|
||||
}
|
||||
|
||||
################################################
|
||||
|
@ -250,29 +251,29 @@ Temporary = +pugt ;
|
|||
rulename = "Root Directory and Files",
|
||||
)
|
||||
{
|
||||
/root -> $(IgnoreNone) -SHa ;
|
||||
/root/.bashrc -> $(Dynamic) ;
|
||||
/root/.bash_history -> $(Dynamic) ;
|
||||
#/root/.bash_logout -> $(Dynamic) ;
|
||||
/root/.bash_profile -> $(Dynamic) ;
|
||||
/root/.cshrc -> $(Dynamic) ;
|
||||
#/root/.enlightenment -> $(Dynamic) ;
|
||||
#/root/.esd-auth -> $(Dynamic) ;
|
||||
/root -> $(SEC_IGNORE_NONE) -SHa ;
|
||||
/root/.bashrc -> $(SEC_DYNAMIC) ;
|
||||
/root/.bash_history -> $(SEC_DYNAMIC) ;
|
||||
#/root/.bash_logout -> $(SEC_DYNAMIC) ;
|
||||
/root/.bash_profile -> $(SEC_DYNAMIC) ;
|
||||
/root/.cshrc -> $(SEC_DYNAMIC) ;
|
||||
#/root/.enlightenment -> $(SEC_DYNAMIC) ;
|
||||
#/root/.esd-auth -> $(SEC_DYNAMIC) ;
|
||||
!/root/.gconf ;
|
||||
!/root/.gconfd ;
|
||||
#/root/.gnome -> $(Dynamic) ;
|
||||
#/root/.gnome-desktop -> $(Dynamic) ;
|
||||
#/root/.gnome2 -> $(Dynamic) ;
|
||||
#/root/.gtkrc -> $(Dynamic) ;
|
||||
#/root/.gtkrc-1.2-gnome2 -> $(Dynamic) ;
|
||||
#/root/.metacity -> $(Dynamic) ;
|
||||
#/root/.nautilus -> $(Dynamic) ;
|
||||
#/root/.rhn-applet.conf -> $(Dynamic) ;
|
||||
#/root/.tcshrc -> $(Dynamic) ;
|
||||
#/root/.xauth -> $(Dynamic) ;
|
||||
#/root/.ICEauthority -> $(Dynamic) ;
|
||||
#/root/.Xauthority -> $(Dynamic) -i ;
|
||||
#/root/.Xresources -> $(Dynamic) ;
|
||||
#/root/.gnome -> $(SEC_DYNAMIC) ;
|
||||
#/root/.gnome-desktop -> $(SEC_DYNAMIC) ;
|
||||
#/root/.gnome2 -> $(SEC_DYNAMIC) ;
|
||||
#/root/.gtkrc -> $(SEC_DYNAMIC) ;
|
||||
#/root/.gtkrc-1.2-gnome2 -> $(SEC_DYNAMIC) ;
|
||||
#/root/.metacity -> $(SEC_DYNAMIC) ;
|
||||
#/root/.nautilus -> $(SEC_DYNAMIC) ;
|
||||
#/root/.rhn-applet.conf -> $(SEC_DYNAMIC) ;
|
||||
#/root/.tcshrc -> $(SEC_DYNAMIC) ;
|
||||
#/root/.xauth -> $(SEC_DYNAMIC) ;
|
||||
#/root/.ICEauthority -> $(SEC_DYNAMIC) ;
|
||||
#/root/.Xauthority -> $(SEC_DYNAMIC) -i ;
|
||||
#/root/.Xresources -> $(SEC_DYNAMIC) ;
|
||||
}
|
||||
|
||||
################################################
|
||||
|
@ -286,12 +287,12 @@ Temporary = +pugt ;
|
|||
rulename = "Temporary Directories",
|
||||
)
|
||||
{
|
||||
/usr/tmp -> $(Temporary) ;
|
||||
/var/tmp -> $(Temporary) ;
|
||||
/tmp -> $(Temporary) ;
|
||||
#/tmp/.fam-socket -> $(Temporary) ;
|
||||
#/tmp/.ICE-unix -> $(Temporary) ;
|
||||
#/tmp/.X11-unix -> $(Temporary) ;
|
||||
/usr/tmp -> $(SEC_TEMPORARY) ;
|
||||
/var/tmp -> $(SEC_TEMPORARY) ;
|
||||
/tmp -> $(SEC_TEMPORARY) ;
|
||||
#/tmp/.fam-socket -> $(SEC_TEMPORARY) ;
|
||||
#/tmp/.ICE-unix -> $(SEC_TEMPORARY) ;
|
||||
#/tmp/.X11-unix -> $(SEC_TEMPORARY) ;
|
||||
!/tmp/orbit-root ;
|
||||
}
|
||||
|
||||
|
@ -306,21 +307,21 @@ Temporary = +pugt ;
|
|||
rulename = "System Boot Changes",
|
||||
)
|
||||
{
|
||||
/.autofsck -> $(Dynamic) -m ;
|
||||
/var/cache/man/whatis -> $(Growing) ;
|
||||
/var/lib/logrotate.status -> $(Growing) ;
|
||||
#/var/lib/nfs/statd -> $(Growing) ;
|
||||
/.autofsck -> $(SEC_DYNAMIC) -m ;
|
||||
/var/cache/man/whatis -> $(SEC_GROWING) ;
|
||||
/var/lib/logrotate.status -> $(SEC_GROWING) ;
|
||||
#/var/lib/nfs/statd -> $(SEC_GROWING) ;
|
||||
!/var/lib/random-seed ;
|
||||
#/var/lib/slocate/slocate.db -> $(Growing) -is ;
|
||||
/var/lock/subsys -> $(Dynamic) -i ;
|
||||
/var/log -> $(Growing) -i ;
|
||||
#/var/lib/slocate/slocate.db -> $(SEC_GROWING) -is ;
|
||||
/var/lock/subsys -> $(SEC_DYNAMIC) -i ;
|
||||
/var/log -> $(SEC_GROWING) -i ;
|
||||
!/var/log/sa;
|
||||
!/var/log/cisco;
|
||||
/var/run -> $(Dynamic) -i ;
|
||||
/etc/cron.daily -> $(Growing);
|
||||
/etc/cron.weekly -> $(Growing);
|
||||
/etc/cron.monthly -> $(Growing);
|
||||
/var/spool/mail -> $(Growing);
|
||||
/var/run -> $(SEC_DYNAMIC) -i ;
|
||||
/etc/cron.daily -> $(SEC_GROWING);
|
||||
/etc/cron.weekly -> $(SEC_GROWING);
|
||||
/etc/cron.monthly -> $(SEC_GROWING);
|
||||
/var/spool/mail -> $(SEC_GROWING);
|
||||
}
|
||||
|
||||
################################################
|
||||
|
@ -334,10 +335,10 @@ Temporary = +pugt ;
|
|||
rulename = "Monitor Filesystems",
|
||||
)
|
||||
{
|
||||
/ -> $(ReadOnly) ;
|
||||
/home -> $(ReadOnly) ; # Modify as needed
|
||||
/usr -> $(ReadOnly) ;
|
||||
/var -> $(ReadOnly) ;
|
||||
/ -> $(SEC_READONLY) ;
|
||||
/home -> $(SEC_READONLY) ; # Modify as needed
|
||||
/usr -> $(SEC_READONLY) ;
|
||||
/var -> $(SEC_READONLY) ;
|
||||
}
|
||||
|
||||
################################################
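Review bot: `/etc/cron.daily`, `/etc/cron.weekly` and `/etc/cron.monthly` are re-emitted under `$(SEC_GROWING)`, whose mask `+pinugtdl-srbamcCMSH` disables every content hash (C, M, S, H) and only requires size not to shrink, so a line appended to a root-run cron script would pass unnoticed; as the more specific rule it also takes precedence over the `/etc -> $(SEC_IGNORE_NONE) -SHa` coverage for objects under those directories. These directories hold executable code rather than logs, so `$(SEC_READONLY)` is the fitting template: `/etc/cron.daily -> $(SEC_READONLY);` and likewise for `cron.weekly` and `cron.monthly`. The surrounding "System Boot Changes" rule starts outside the hunk.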
|
||||
|
|