diff --git a/policy/twpol-DragonFly.txt b/policy/twpol-DragonFly.txt
index 191b79e..a0c0a3e 100644
--- a/policy/twpol-DragonFly.txt
+++ b/policy/twpol-DragonFly.txt
@@ -54,16 +54,24 @@ TWREPORT=;
 HOSTNAME=;
 @@section FS
-SEC_CRIT = $(IgnoreNone)-SHa ; # Critical files that cannot change
-SEC_SUID = $(IgnoreNone)-SHa ; # Binaries with the SUID or SGID flags set
-SEC_BIN = $(ReadOnly) ; # Binaries that should not change
-SEC_CONFIG = $(Dynamic) ; # Config files that are changed infrequently but accessed often
-SEC_TTY = $(Dynamic)-ugp ; # Tty files that change ownership at login
-SEC_LOG = $(Growing) ; # Files that grow, but that should never change ownership
-SEC_INVARIANT = +tpug ; # Directories that should never change permission or ownership
-SIG_LOW = 33 ; # Non-critical files that are of minimal security impact
-SIG_MED = 66 ; # Non-critical files that are of significant security impact
-SIG_HI = 100 ; # Critical files that are significant points of vulnerability
+SEC_DEVICE = +pugsdr-intlbamcCMSH ;
+SEC_DYNAMIC = +pinugtd-srlbamcCMSH ;
+SEC_GROWING = +pinugtdl-srbamcCMSH ;
+SEC_IGNORE_ALL = -pinugtsdrlbamcCMSH ;
+SEC_IGNORE_NONE = +pinugtsdrbamcCMSH-l ;
+SEC_READONLY = +pinugtsdbmCM-rlacSH ;
+SEC_TEMPORARY = +pugt ;
+
+SEC_CRIT = $(SEC_IGNORE_NONE)-SHa ; # Critical files that cannot change
+SEC_SUID = $(SEC_IGNORE_NONE)-SHa ; # Binaries with the SUID or SGID flags set
+SEC_BIN = $(SEC_READONLY) ; # Binaries that should not change
+SEC_CONFIG = $(SEC_DYNAMIC) ; # Config files that are changed infrequently but accessed often
+SEC_TTY = $(SEC_DYNAMIC)-ugp ; # Tty files that change ownership at login
+SEC_LOG = $(SEC_GROWING) ; # Files that grow, but that should never change ownership
+SEC_INVARIANT = $(SEC_TEMPORARY) ; # Directories that should never change permission or ownership
+SIG_LOW = 33 ; # Non-critical files that are of minimal security impact
+SIG_MED = 66 ; # Non-critical files that are of significant security impact
+SIG_HI = 100 ; # Critical files that are significant points of vulnerability
 # Tripwire Binaries
diff --git a/policy/twpol-FreeBSD.txt b/policy/twpol-FreeBSD.txt
index db1189b..68b3ad7 100644
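Review bot: The seven new mask definitions (SEC_DEVICE through SEC_TEMPORARY) are the only assignments in the hunk without a trailing comment, so a reader has to decode the property letters to learn that, for example, SEC_READONLY records permissions, ownership, inode, size, mtime, CRC-32 and MD5 while ignoring atime, ctime, SHA and Haval. One comment per definition in the style of the lines below them would fix this, e.g. `SEC_READONLY = +pinugtsdbmCM-rlacSH ; # Immutable files: perms, owner, inode, size, mtime, CRC-32, MD5` and `SEC_IGNORE_NONE = +pinugtsdrbamcCMSH-l ; # Every property except growing-file size`. That comment block should also record that none of the masks defined here enables S or H and SEC_CRIT/SEC_SUID subtract them again, so rules built purely from these variables verify content with CRC-32 and MD5 only; this is carried over from the built-in variables, but now that the masks are spelled out inline this is the place to state whether that is deliberate or whether S should be enabled for the SEC_CRIT/SEC_SUID/SEC_BIN tier. The same applies to the identical hunks in twpol-FreeBSD.txt, twpol-GENERIC.txt, twpol-MidnightBSD.txt and twpol-NetBSD.txt.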
--- a/policy/twpol-FreeBSD.txt
+++ b/policy/twpol-FreeBSD.txt
@@ -53,16 +53,24 @@ TWREPORT=;
 HOSTNAME=;
 @@section FS
-SEC_CRIT = $(IgnoreNone)-SHa ; # Critical files that cannot change
-SEC_SUID = $(IgnoreNone)-SHa ; # Binaries with the SUID or SGID flags set
-SEC_BIN = $(ReadOnly) ; # Binaries that should not change
-SEC_CONFIG = $(Dynamic) ; # Config files that are changed infrequently but accessed often
-SEC_TTY = $(Dynamic)-ugp ; # Tty files that change ownership at login
-SEC_LOG = $(Growing) ; # Files that grow, but that should never change ownership
-SEC_INVARIANT = +tpug ; # Directories that should never change permission or ownership
-SIG_LOW = 33 ; # Non-critical files that are of minimal security impact
-SIG_MED = 66 ; # Non-critical files that are of significant security impact
-SIG_HI = 100 ; # Critical files that are significant points of vulnerability
+SEC_DEVICE = +pugsdr-intlbamcCMSH ;
+SEC_DYNAMIC = +pinugtd-srlbamcCMSH ;
+SEC_GROWING = +pinugtdl-srbamcCMSH ;
+SEC_IGNORE_ALL = -pinugtsdrlbamcCMSH ;
+SEC_IGNORE_NONE = +pinugtsdrbamcCMSH-l ;
+SEC_READONLY = +pinugtsdbmCM-rlacSH ;
+SEC_TEMPORARY = +pugt ;
+
+SEC_CRIT = $(SEC_IGNORE_NONE)-SHa ; # Critical files that cannot change
+SEC_SUID = $(SEC_IGNORE_NONE)-SHa ; # Binaries with the SUID or SGID flags set
+SEC_BIN = $(SEC_READONLY) ; # Binaries that should not change
+SEC_CONFIG = $(SEC_DYNAMIC) ; # Config files that are changed infrequently but accessed often
+SEC_TTY = $(SEC_DYNAMIC)-ugp ; # Tty files that change ownership at login
+SEC_LOG = $(SEC_GROWING) ; # Files that grow, but that should never change ownership
+SEC_INVARIANT = $(SEC_TEMPORARY) ; # Directories that should never change permission or ownership
+SIG_LOW = 33 ; # Non-critical files that are of minimal security impact
+SIG_MED = 66 ; # Non-critical files that are of significant security impact
+SIG_HI = 100 ; # Critical files that are significant points of vulnerability
 # Tripwire Binaries
diff --git a/policy/twpol-GENERIC.txt b/policy/twpol-GENERIC.txt
index e5a3804..cbf0cdb 100644
--- a/policy/twpol-GENERIC.txt
+++ b/policy/twpol-GENERIC.txt
@@ -65,15 +65,24 @@ TWREPORT=;
 HOSTNAME=;
 @@section FS
-SEC_CRIT = $(IgnoreNone)-SHa ; # Critical files that cannot change
-SEC_SUID = $(IgnoreNone)-SHa ; # Binaries with the SUID or SGID flags set
-SEC_BIN = $(ReadOnly) ; # Binaries that should not change
-SEC_CONFIG = $(Dynamic) ; # Config files that are changed infrequently but accessed often
-SEC_LOG = $(Growing) ; # Files that grow, but that should never change ownership
-SEC_INVARIANT = +tpug ; # Directories that should never change permission or ownership
-SIG_LOW = 33 ; # Non-critical files that are of minimal security impact
-SIG_MED = 66 ; # Non-critical files that are of significant security impact
-SIG_HI = 100 ; # Critical files that are significant points of vulnerability
+SEC_DEVICE = +pugsdr-intlbamcCMSH ;
+SEC_DYNAMIC = +pinugtd-srlbamcCMSH ;
+SEC_GROWING = +pinugtdl-srbamcCMSH ;
+SEC_IGNORE_ALL = -pinugtsdrlbamcCMSH ;
+SEC_IGNORE_NONE = +pinugtsdrbamcCMSH-l ;
+SEC_READONLY = +pinugtsdbmCM-rlacSH ;
+SEC_TEMPORARY = +pugt ;
+
+SEC_CRIT = $(SEC_IGNORE_NONE)-SHa ; # Critical files that cannot change
+SEC_SUID = $(SEC_IGNORE_NONE)-SHa ; # Binaries with the SUID or SGID flags set
+SEC_BIN = $(SEC_READONLY) ; # Binaries that should not change
+SEC_CONFIG = $(SEC_DYNAMIC) ; # Config files that are changed infrequently but accessed often
+SEC_TTY = $(SEC_DYNAMIC)-ugp ; # Tty files that change ownership at login
+SEC_LOG = $(SEC_GROWING) ; # Files that grow, but that should never change ownership
+SEC_INVARIANT = $(SEC_TEMPORARY) ; # Directories that should never change permission or ownership
+SIG_LOW = 33 ; # Non-critical files that are of minimal security impact
+SIG_MED = 66 ; # Non-critical files that are of significant security impact
+SIG_HI = 100 ; # Critical files that are significant points of vulnerability
 # Tripwire Binaries
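Review bot: This hunk adds `SEC_TTY = $(SEC_DYNAMIC)-ugp ;` although the removed block of twpol-GENERIC.txt has no SEC_TTY line (nine lines removed versus ten in the BSD files), so GENERIC gains a new variable rather than a pure substitution of the built-in names, while the other four policy files only rename an existing SEC_TTY. I cannot see the rules below this hunk; if none references $(SEC_TTY) the definition is dead and harmless, and if one does, a rule silently changing its mask deserves a mention in the commit message. Either drop the line here or give it a comment such as `# Added for parity with the BSD policies; unused unless a tty rule references it` so the divergence from the file's history is explained.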
@@ -114,56 +123,6 @@ SIG_HI = 100 ; # Critical files that are significant point } -# Tripwire HQ Connector Binaries -#( -# rulename = "Tripwire HQ Connector Binaries", -# severity = $(SIG_HI) -#) -#{ -# $(TWBIN)/hqagent -> $(SEC_BIN) ; -#} -# -# Tripwire HQ Connector - Configuration Files, Keys, and Logs - - ############################################################################## - # ## -############################################################################## # -# # # -# Note: File locations here are different than in a stock HQ Connector # # -# installation. This is because Tripwire 2.3 uses a different path # # -# structure than Tripwire 2.2.1. # # -# # # -# You may need to update your HQ Agent configuation file (or this policy # # -# file) to correct the paths. We have attempted to support the FHS standard # # -# here by placing the HQ Agent files similarly to the way Tripwire 2.3 # # -# places them. # # -# ## -############################################################################## - -#( -# rulename = "Tripwire HQ Connector Data Files", -# severity = $(SIG_HI) -#) -#{ -# ############################################################################# -# ############################################################################## -# # NOTE: Removing the inode attribute because when Tripwire creates a backup ## -# # it does so by renaming the old file and creating a new one (which will ## -# # have a new inode number). Leaving inode turned on for keys, which ## -# # shouldn't ever change. ## -# ############################################################################# -# -# $(TWBIN)/agent.cfg -> $(SEC_BIN) -i ; -# $(TWLKEY)/authentication.key -> $(SEC_BIN) ; -# $(TWDB)/tasks.dat -> $(SEC_CONFIG) ; -# $(TWDB)/schedule.dat -> $(SEC_CONFIG) ; -# -# # Uncomment if you have agent logging enabled. 
-# #/var/log/tripwire/agent.log -> $(SEC_LOG) ; -#} - - - # Commonly accessed directories that should remain static with regards to owner and group ( rulename = "Invariant Directories",
diff --git a/policy/twpol-MidnightBSD.txt b/policy/twpol-MidnightBSD.txt
index ad026e4..a9dcac9 100644
--- a/policy/twpol-MidnightBSD.txt
+++ b/policy/twpol-MidnightBSD.txt
@@ -54,16 +54,24 @@ TWREPORT=;
 HOSTNAME=;
 @@section FS
-SEC_CRIT = $(IgnoreNone)-SHa ; # Critical files that cannot change
-SEC_SUID = $(IgnoreNone)-SHa ; # Binaries with the SUID or SGID flags set
-SEC_BIN = $(ReadOnly) ; # Binaries that should not change
-SEC_CONFIG = $(Dynamic) ; # Config files that are changed infrequently but accessed often
-SEC_TTY = $(Dynamic)-ugp ; # Tty files that change ownership at login
-SEC_LOG = $(Growing) ; # Files that grow, but that should never change ownership
-SEC_INVARIANT = +tpug ; # Directories that should never change permission or ownership
-SIG_LOW = 33 ; # Non-critical files that are of minimal security impact
-SIG_MED = 66 ; # Non-critical files that are of significant security impact
-SIG_HI = 100 ; # Critical files that are significant points of vulnerability
+SEC_DEVICE = +pugsdr-intlbamcCMSH ;
+SEC_DYNAMIC = +pinugtd-srlbamcCMSH ;
+SEC_GROWING = +pinugtdl-srbamcCMSH ;
+SEC_IGNORE_ALL = -pinugtsdrlbamcCMSH ;
+SEC_IGNORE_NONE = +pinugtsdrbamcCMSH-l ;
+SEC_READONLY = +pinugtsdbmCM-rlacSH ;
+SEC_TEMPORARY = +pugt ;
+
+SEC_CRIT = $(SEC_IGNORE_NONE)-SHa ; # Critical files that cannot change
+SEC_SUID = $(SEC_IGNORE_NONE)-SHa ; # Binaries with the SUID or SGID flags set
+SEC_BIN = $(SEC_READONLY) ; # Binaries that should not change
+SEC_CONFIG = $(SEC_DYNAMIC) ; # Config files that are changed infrequently but accessed often
+SEC_TTY = $(SEC_DYNAMIC)-ugp ; # Tty files that change ownership at login
+SEC_LOG = $(SEC_GROWING) ; # Files that grow, but that should never change ownership
+SEC_INVARIANT = $(SEC_TEMPORARY) ; # Directories that should never change permission or ownership
+SIG_LOW = 33 ; # Non-critical files that are of minimal security impact
+SIG_MED = 66 ; # Non-critical files that are of significant security impact
+SIG_HI = 100 ; # Critical files that are significant points of vulnerability
 # Tripwire Binaries
diff --git a/policy/twpol-NetBSD.txt b/policy/twpol-NetBSD.txt
index 3f64218..9e9f070 100644
--- a/policy/twpol-NetBSD.txt
+++ b/policy/twpol-NetBSD.txt
@@ -54,16 +54,24 @@ TWREPORT=;
 HOSTNAME=;
 @@section FS
-SEC_CRIT = $(IgnoreNone)-SHa ; # Critical files that cannot change
-SEC_SUID = $(IgnoreNone)-SHa ; # Binaries with the SUID or SGID flags set
-SEC_BIN = $(ReadOnly) ; # Binaries that should not change
-SEC_CONFIG = $(Dynamic) ; # Config files that are changed infrequently but accessed often
-SEC_TTY = $(Dynamic)-ugp ; # Tty files that change ownership at login
-SEC_LOG = $(Growing) ; # Files that grow, but that should never change ownership
-SEC_INVARIANT = +tpug ; # Directories that should never change permission or ownership
-SIG_LOW = 33 ; # Non-critical files that are of minimal security impact
-SIG_MED = 66 ; # Non-critical files that are of significant security impact
-SIG_HI = 100 ; # Critical files that are significant points of vulnerability
+SEC_DEVICE = +pugsdr-intlbamcCMSH ;
+SEC_DYNAMIC = +pinugtd-srlbamcCMSH ;
+SEC_GROWING = +pinugtdl-srbamcCMSH ;
+SEC_IGNORE_ALL = -pinugtsdrlbamcCMSH ;
+SEC_IGNORE_NONE = +pinugtsdrbamcCMSH-l ;
+SEC_READONLY = +pinugtsdbmCM-rlacSH ;
+SEC_TEMPORARY = +pugt ;
+
+SEC_CRIT = $(SEC_IGNORE_NONE)-SHa ; # Critical files that cannot change
+SEC_SUID = $(SEC_IGNORE_NONE)-SHa ; # Binaries with the SUID or SGID flags set
+SEC_BIN = $(SEC_READONLY) ; # Binaries that should not change
+SEC_CONFIG = $(SEC_DYNAMIC) ; # Config files that are changed infrequently but accessed often
+SEC_TTY = $(SEC_DYNAMIC)-ugp ; # Tty files that change ownership at login
+SEC_LOG = $(SEC_GROWING) ; # Files that grow, but that should never change ownership
+SEC_INVARIANT = $(SEC_TEMPORARY) ; # Directories that should never change permission or ownership
+SIG_LOW = 33 ; # Non-critical files that are of minimal security impact
+SIG_MED = 66 ; # Non-critical files that are of significant security impact
+SIG_HI = 100 ; # Critical files that are significant points of vulnerability
 # Tripwire Binaries