Update BSD & generic policies to use same SEC_ naming conventions as other policies

Brian Cox 2018-03-30 19:13:49 -07:00
parent 29efce4805
commit 4a40b22487
5 changed files with 90 additions and 99 deletions


@ -54,16 +54,24 @@ TWREPORT=;
HOSTNAME=; HOSTNAME=;
@@section FS @@section FS
SEC_CRIT = $(IgnoreNone)-SHa ; # Critical files that cannot change SEC_DEVICE = +pugsdr-intlbamcCMSH ;
SEC_SUID = $(IgnoreNone)-SHa ; # Binaries with the SUID or SGID flags set SEC_DYNAMIC = +pinugtd-srlbamcCMSH ;
SEC_BIN = $(ReadOnly) ; # Binaries that should not change SEC_GROWING = +pinugtdl-srbamcCMSH ;
SEC_CONFIG = $(Dynamic) ; # Config files that are changed infrequently but accessed often SEC_IGNORE_ALL = -pinugtsdrlbamcCMSH ;
SEC_TTY = $(Dynamic)-ugp ; # Tty files that change ownership at login SEC_IGNORE_NONE = +pinugtsdrbamcCMSH-l ;
SEC_LOG = $(Growing) ; # Files that grow, but that should never change ownership SEC_READONLY = +pinugtsdbmCM-rlacSH ;
SEC_INVARIANT = +tpug ; # Directories that should never change permission or ownership SEC_TEMPORARY = +pugt ;
SIG_LOW = 33 ; # Non-critical files that are of minimal security impact
SIG_MED = 66 ; # Non-critical files that are of significant security impact SEC_CRIT = $(SEC_IGNORE_NONE)-SHa ; # Critical files that cannot change
SIG_HI = 100 ; # Critical files that are significant points of vulnerability SEC_SUID = $(SEC_IGNORE_NONE)-SHa ; # Binaries with the SUID or SGID flags set
SEC_BIN = $(SEC_READONLY) ; # Binaries that should not change
SEC_CONFIG = $(SEC_DYNAMIC) ; # Config files that are changed infrequently but accessed often
SEC_TTY = $(SEC_DYNAMIC)-ugp ; # Tty files that change ownership at login
SEC_LOG = $(SEC_GROWING) ; # Files that grow, but that should never change ownership
SEC_INVARIANT = $(SEC_TEMPORARY) ; # Directories that should never change permission or ownership
SIG_LOW = 33 ; # Non-critical files that are of minimal security impact
SIG_MED = 66 ; # Non-critical files that are of significant security impact
SIG_HI = 100 ; # Critical files that are significant points of vulnerability
# Tripwire Binaries # Tripwire Binaries
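Review bot: `SEC_CRIT` and `SEC_SUID` expand to `$(SEC_IGNORE_NONE)-SHa`, which strips the SHA (`S`) and HAVAL (`H`) attributes and leaves only CRC-32 (`C`) and MD5 (`M`) as content hashes for the files this policy calls critical. `SEC_READONLY`, which backs `SEC_BIN`, has the same `...CM-...SH` selection. The rename preserves what the old `$(IgnoreNone)-SHa` did, but with the masks now spelled out in the policy this is a natural place to keep a stronger digest on the high-severity classes, for example `SEC_CRIT = $(SEC_IGNORE_NONE)-Ha ;`, at the cost of longer integrity checks. The same definitions are repeated in the other four file sections of this commit, and the variable block continues outside the hunk.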


@ -53,16 +53,24 @@ TWREPORT=;
HOSTNAME=; HOSTNAME=;
@@section FS @@section FS
SEC_CRIT = $(IgnoreNone)-SHa ; # Critical files that cannot change SEC_DEVICE = +pugsdr-intlbamcCMSH ;
SEC_SUID = $(IgnoreNone)-SHa ; # Binaries with the SUID or SGID flags set SEC_DYNAMIC = +pinugtd-srlbamcCMSH ;
SEC_BIN = $(ReadOnly) ; # Binaries that should not change SEC_GROWING = +pinugtdl-srbamcCMSH ;
SEC_CONFIG = $(Dynamic) ; # Config files that are changed infrequently but accessed often SEC_IGNORE_ALL = -pinugtsdrlbamcCMSH ;
SEC_TTY = $(Dynamic)-ugp ; # Tty files that change ownership at login SEC_IGNORE_NONE = +pinugtsdrbamcCMSH-l ;
SEC_LOG = $(Growing) ; # Files that grow, but that should never change ownership SEC_READONLY = +pinugtsdbmCM-rlacSH ;
SEC_INVARIANT = +tpug ; # Directories that should never change permission or ownership SEC_TEMPORARY = +pugt ;
SIG_LOW = 33 ; # Non-critical files that are of minimal security impact
SIG_MED = 66 ; # Non-critical files that are of significant security impact SEC_CRIT = $(SEC_IGNORE_NONE)-SHa ; # Critical files that cannot change
SIG_HI = 100 ; # Critical files that are significant points of vulnerability SEC_SUID = $(SEC_IGNORE_NONE)-SHa ; # Binaries with the SUID or SGID flags set
SEC_BIN = $(SEC_READONLY) ; # Binaries that should not change
SEC_CONFIG = $(SEC_DYNAMIC) ; # Config files that are changed infrequently but accessed often
SEC_TTY = $(SEC_DYNAMIC)-ugp ; # Tty files that change ownership at login
SEC_LOG = $(SEC_GROWING) ; # Files that grow, but that should never change ownership
SEC_INVARIANT = $(SEC_TEMPORARY) ; # Directories that should never change permission or ownership
SIG_LOW = 33 ; # Non-critical files that are of minimal security impact
SIG_MED = 66 ; # Non-critical files that are of significant security impact
SIG_HI = 100 ; # Critical files that are significant points of vulnerability
# Tripwire Binaries # Tripwire Binaries
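Review bot: `SEC_INVARIANT = $(SEC_TEMPORARY) ;` ties the mask for directories that "should never change permission or ownership" to a variable whose name describes temporary files. The expanded value is unchanged (`+pugt` against the old `+tpug`), but a later edit that loosens `SEC_TEMPORARY` for scratch paths would silently loosen the invariant-directory rules as well. Either keep the literal, `SEC_INVARIANT = +tpug ;`, or record the coupling where it is defined, e.g. `# SEC_INVARIANT aliases SEC_TEMPORARY (+pugt); change the two deliberately`. The seven new mask definitions also carry no trailing comment, unlike the lines below them; one short comment per mask naming the attributes it checks would help. This applies equally to the other four file sections.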


@ -65,15 +65,24 @@ TWREPORT=;
HOSTNAME=; HOSTNAME=;
@@section FS @@section FS
SEC_CRIT = $(IgnoreNone)-SHa ; # Critical files that cannot change SEC_DEVICE = +pugsdr-intlbamcCMSH ;
SEC_SUID = $(IgnoreNone)-SHa ; # Binaries with the SUID or SGID flags set SEC_DYNAMIC = +pinugtd-srlbamcCMSH ;
SEC_BIN = $(ReadOnly) ; # Binaries that should not change SEC_GROWING = +pinugtdl-srbamcCMSH ;
SEC_CONFIG = $(Dynamic) ; # Config files that are changed infrequently but accessed often SEC_IGNORE_ALL = -pinugtsdrlbamcCMSH ;
SEC_LOG = $(Growing) ; # Files that grow, but that should never change ownership SEC_IGNORE_NONE = +pinugtsdrbamcCMSH-l ;
SEC_INVARIANT = +tpug ; # Directories that should never change permission or ownership SEC_READONLY = +pinugtsdbmCM-rlacSH ;
SIG_LOW = 33 ; # Non-critical files that are of minimal security impact SEC_TEMPORARY = +pugt ;
SIG_MED = 66 ; # Non-critical files that are of significant security impact
SIG_HI = 100 ; # Critical files that are significant points of vulnerability SEC_CRIT = $(SEC_IGNORE_NONE)-SHa ; # Critical files that cannot change
SEC_SUID = $(SEC_IGNORE_NONE)-SHa ; # Binaries with the SUID or SGID flags set
SEC_BIN = $(SEC_READONLY) ; # Binaries that should not change
SEC_CONFIG = $(SEC_DYNAMIC) ; # Config files that are changed infrequently but accessed often
SEC_TTY = $(SEC_DYNAMIC)-ugp ; # Tty files that change ownership at login
SEC_LOG = $(SEC_GROWING) ; # Files that grow, but that should never change ownership
SEC_INVARIANT = $(SEC_TEMPORARY) ; # Directories that should never change permission or ownership
SIG_LOW = 33 ; # Non-critical files that are of minimal security impact
SIG_MED = 66 ; # Non-critical files that are of significant security impact
SIG_HI = 100 ; # Critical files that are significant points of vulnerability
# Tripwire Binaries # Tripwire Binaries
@ -114,56 +123,6 @@ SIG_HI = 100 ; # Critical files that are significant point
} }
# Tripwire HQ Connector Binaries
#(
# rulename = "Tripwire HQ Connector Binaries",
# severity = $(SIG_HI)
#)
#{
# $(TWBIN)/hqagent -> $(SEC_BIN) ;
#}
#
# Tripwire HQ Connector - Configuration Files, Keys, and Logs
##############################################################################
# ##
############################################################################## #
# # #
# Note: File locations here are different than in a stock HQ Connector # #
# installation. This is because Tripwire 2.3 uses a different path # #
# structure than Tripwire 2.2.1. # #
# # #
# You may need to update your HQ Agent configuation file (or this policy # #
# file) to correct the paths. We have attempted to support the FHS standard # #
# here by placing the HQ Agent files similarly to the way Tripwire 2.3 # #
# places them. # #
# ##
##############################################################################
#(
# rulename = "Tripwire HQ Connector Data Files",
# severity = $(SIG_HI)
#)
#{
# #############################################################################
# ##############################################################################
# # NOTE: Removing the inode attribute because when Tripwire creates a backup ##
# # it does so by renaming the old file and creating a new one (which will ##
# # have a new inode number). Leaving inode turned on for keys, which ##
# # shouldn't ever change. ##
# #############################################################################
#
# $(TWBIN)/agent.cfg -> $(SEC_BIN) -i ;
# $(TWLKEY)/authentication.key -> $(SEC_BIN) ;
# $(TWDB)/tasks.dat -> $(SEC_CONFIG) ;
# $(TWDB)/schedule.dat -> $(SEC_CONFIG) ;
#
# # Uncomment if you have agent logging enabled.
# #/var/log/tripwire/agent.log -> $(SEC_LOG) ;
#}
# Commonly accessed directories that should remain static with regards to owner and group # Commonly accessed directories that should remain static with regards to owner and group
( (
rulename = "Invariant Directories", rulename = "Invariant Directories",
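Review bot: `SEC_TTY = $(SEC_DYNAMIC)-ugp ;` is newly introduced in this file: the old side of the first hunk is 15 lines and has no `SEC_TTY`, where the other policies already had one. No rule referencing it is visible in either hunk, so it may be a definition added only for parity; if so, say that next to it, e.g. `# defined for consistency with the other policies; no tty rules in this file`. If tty devices are meant to be covered on this platform, the rule that uses the variable should be part of the same change. The rule block that follows the second hunk continues outside the view.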


@ -54,16 +54,24 @@ TWREPORT=;
HOSTNAME=; HOSTNAME=;
@@section FS @@section FS
SEC_CRIT = $(IgnoreNone)-SHa ; # Critical files that cannot change SEC_DEVICE = +pugsdr-intlbamcCMSH ;
SEC_SUID = $(IgnoreNone)-SHa ; # Binaries with the SUID or SGID flags set SEC_DYNAMIC = +pinugtd-srlbamcCMSH ;
SEC_BIN = $(ReadOnly) ; # Binaries that should not change SEC_GROWING = +pinugtdl-srbamcCMSH ;
SEC_CONFIG = $(Dynamic) ; # Config files that are changed infrequently but accessed often SEC_IGNORE_ALL = -pinugtsdrlbamcCMSH ;
SEC_TTY = $(Dynamic)-ugp ; # Tty files that change ownership at login SEC_IGNORE_NONE = +pinugtsdrbamcCMSH-l ;
SEC_LOG = $(Growing) ; # Files that grow, but that should never change ownership SEC_READONLY = +pinugtsdbmCM-rlacSH ;
SEC_INVARIANT = +tpug ; # Directories that should never change permission or ownership SEC_TEMPORARY = +pugt ;
SIG_LOW = 33 ; # Non-critical files that are of minimal security impact
SIG_MED = 66 ; # Non-critical files that are of significant security impact SEC_CRIT = $(SEC_IGNORE_NONE)-SHa ; # Critical files that cannot change
SIG_HI = 100 ; # Critical files that are significant points of vulnerability SEC_SUID = $(SEC_IGNORE_NONE)-SHa ; # Binaries with the SUID or SGID flags set
SEC_BIN = $(SEC_READONLY) ; # Binaries that should not change
SEC_CONFIG = $(SEC_DYNAMIC) ; # Config files that are changed infrequently but accessed often
SEC_TTY = $(SEC_DYNAMIC)-ugp ; # Tty files that change ownership at login
SEC_LOG = $(SEC_GROWING) ; # Files that grow, but that should never change ownership
SEC_INVARIANT = $(SEC_TEMPORARY) ; # Directories that should never change permission or ownership
SIG_LOW = 33 ; # Non-critical files that are of minimal security impact
SIG_MED = 66 ; # Non-critical files that are of significant security impact
SIG_HI = 100 ; # Critical files that are significant points of vulnerability
# Tripwire Binaries # Tripwire Binaries


@ -54,16 +54,24 @@ TWREPORT=;
HOSTNAME=; HOSTNAME=;
@@section FS @@section FS
SEC_CRIT = $(IgnoreNone)-SHa ; # Critical files that cannot change SEC_DEVICE = +pugsdr-intlbamcCMSH ;
SEC_SUID = $(IgnoreNone)-SHa ; # Binaries with the SUID or SGID flags set SEC_DYNAMIC = +pinugtd-srlbamcCMSH ;
SEC_BIN = $(ReadOnly) ; # Binaries that should not change SEC_GROWING = +pinugtdl-srbamcCMSH ;
SEC_CONFIG = $(Dynamic) ; # Config files that are changed infrequently but accessed often SEC_IGNORE_ALL = -pinugtsdrlbamcCMSH ;
SEC_TTY = $(Dynamic)-ugp ; # Tty files that change ownership at login SEC_IGNORE_NONE = +pinugtsdrbamcCMSH-l ;
SEC_LOG = $(Growing) ; # Files that grow, but that should never change ownership SEC_READONLY = +pinugtsdbmCM-rlacSH ;
SEC_INVARIANT = +tpug ; # Directories that should never change permission or ownership SEC_TEMPORARY = +pugt ;
SIG_LOW = 33 ; # Non-critical files that are of minimal security impact
SIG_MED = 66 ; # Non-critical files that are of significant security impact SEC_CRIT = $(SEC_IGNORE_NONE)-SHa ; # Critical files that cannot change
SIG_HI = 100 ; # Critical files that are significant points of vulnerability SEC_SUID = $(SEC_IGNORE_NONE)-SHa ; # Binaries with the SUID or SGID flags set
SEC_BIN = $(SEC_READONLY) ; # Binaries that should not change
SEC_CONFIG = $(SEC_DYNAMIC) ; # Config files that are changed infrequently but accessed often
SEC_TTY = $(SEC_DYNAMIC)-ugp ; # Tty files that change ownership at login
SEC_LOG = $(SEC_GROWING) ; # Files that grow, but that should never change ownership
SEC_INVARIANT = $(SEC_TEMPORARY) ; # Directories that should never change permission or ownership
SIG_LOW = 33 ; # Non-critical files that are of minimal security impact
SIG_MED = 66 ; # Non-critical files that are of significant security impact
SIG_HI = 100 ; # Critical files that are significant points of vulnerability
# Tripwire Binaries # Tripwire Binaries