colin
/
tripwire-open-source
mirror of https://github.com/Tripwire/tripwire-open-source.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Tinker with BSD platform detection (now including Bitrig); add policy files for various BSDs (adapted from policy for the closest BSD, Free or Open), plus one for HP-UX adapted from the generic policy

This commit is contained in:
Brian Cox 2017-09-21 19:46:56 -07:00
parent b60dcfa7d6
commit 4f0b019ef3
7 changed files with 3385 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

292
policy/twpol-Bitrig.txt Normal file
View File

@ -0,0 +1,292 @@
##############################################################################
# ##
############################################################################## #
# # #
# Policy file for Bitrig 1.x # #
# (adapted from OpenBSD policy) # #
# ##
##############################################################################
##############################################################################
# ##
############################################################################## #
# # #
# Global Variable Definitions # #
# # #
# These are defined at install time by the installation script. You may # #
# manually edit these if you are using this file directly and not from the # #
# installation script itself. # #
# ##
##############################################################################
@@section GLOBAL
TWROOT=;
TWBIN=;
TWPOL=;
TWDB=;
TWSKEY=;
TWLKEY=;
TWREPORT=;
HOSTNAME=;
##############################################################################
# Predefined Variables #
##############################################################################
#
# Property Masks
#
# - ignore the following properties
# + check the following properties
#
# a access timestamp (mutually exclusive with +CMSH)
# b number of blocks allocated
# c inode creation/modification timestamp
# d ID of device on which inode resides
# g group id of owner
# i inode number
# l growing files (logfiles for example)
# m modification timestamp
# n number of links
# p permission and file mode bits
# r ID of device pointed to by inode (valid only for device objects)
# s file size
# t file type
# u user id of owner
#
# C CRC-32 hash
# H HAVAL hash
# M MD5 hash
# S SHA hash
#
##############################################################################
Device = +pugsdr-intlbamcCMSH ;
Dynamic = +pinugtd-srlbamcCMSH ;
Growing = +pinugtdl-srbamcCMSH ;
IgnoreAll = -pinugtsdrlbamcCMSH ;
IgnoreNone = +pinugtsdrbamcCMSH-l ;
ReadOnly = +pinugtsdbmCM-rlacSH ;
Temporary = +pugt ;
@@section FS
########################################
# ##
######################################## #
# # #
# Tripwire Binaries and Data Files # #
# ##
########################################
# Tripwire Binaries
(
rulename = "Tripwire Binaries",
)
{
$(TWBIN)/siggen -> $(ReadOnly) ;
$(TWBIN)/tripwire -> $(ReadOnly) ;
$(TWBIN)/twadmin -> $(ReadOnly) ;
$(TWBIN)/twprint -> $(ReadOnly) ;
}
# Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases
(
rulename = "Tripwire Data Files",
)
{
# NOTE: We remove the inode attribute because when Tripwire creates a backup,
# it does so by renaming the old file and creating a new one (which will
# have a new inode number). Inode is left turned on for keys, which shouldn't
# ever change.
# NOTE: The first integrity check triggers this rule and each integrity check
# afterward triggers this rule until a database update is run, since the
# database file does not exist before that point.
$(TWDB) -> $(Dynamic) -i ;
$(TWPOL)/tw.pol -> $(ReadOnly) -i ;
$(TWPOL)/tw.cfg -> $(ReadOnly) -i ;
$(TWLKEY)/$(HOSTNAME)-local.key -> $(ReadOnly) ;
$(TWSKEY)/site.key -> $(ReadOnly) ;
# don't scan the individual reports
$(TWREPORT) -> $(Dynamic) (recurse=0) ;
# In this configuration /usr/local is a symbolic link to /home/local.
# We want to ignore the following directories since they are already
# scanned using the real directory or mount point. Otherwise we see
# duplicates in the reports.
!/home/local ;
}
################################################
# ##
################################################ #
# # #
# OS Boot and Configuration Files # #
# ##
################################################
(
rulename = "OS Boot and Configuration Files",
)
{
/boot -> $(ReadOnly) ;
/bsd -> $(ReadOnly) ;
/etc -> $(IgnoreNone) -SHa ;
}
###################################################
# ##
################################################### #
# # #
# Mount Points # #
# ##
###################################################
(
rulename = "Mount Points",
)
{
/ -> $(ReadOnly) ;
/cdrom -> $(Dynamic) ;
/floppy -> $(Dynamic) ;
/home -> $(ReadOnly) ; # Modify as needed
/mnt -> $(Dynamic) ;
/usr -> $(ReadOnly) ;
/var -> $(ReadOnly) ;
}
###################################################
# ##
################################################### #
# # #
# Misc Top-Level Directories # #
# ##
###################################################
(
rulename = "Misc Top-Level Directories",
)
{
/altroot -> $(Dynamic) ;
/stand -> $(Dynamic) ;
}
################################################
# ##
################################################ #
# # #
# System Devices # #
# ##
################################################
(
rulename = "System Devices",
)
{
/dev -> $(Device) ;
/dev/fd -> $(Device) ;
/var/cron/tabs/.sock -> $(Device) ;
/var/empty/dev/log -> $(Device) ;
}
################################################
# ##
################################################ #
# # #
# OS Binaries and Libraries # #
# ##
################################################
(
rulename = "OS Binaries and Libraries",
)
{
/bin -> $(ReadOnly) ;
/sbin -> $(ReadOnly) ;
/usr/bin -> $(ReadOnly) ;
/usr/lib -> $(ReadOnly) ;
/usr/libexec -> $(ReadOnly) ;
/usr/sbin -> $(ReadOnly) ;
/usr/X11R6/bin -> $(ReadOnly) ;
/usr/X11R6/lib -> $(ReadOnly) ;
}
################################################
# ##
################################################ #
# # #
# Usr Local Files # #
# ##
################################################
#OK(
#OKrulename = "Usr Local Files",
#OK)
#OK{
#OK/usr/local -> $(ReadOnly) ;
#OK/usr/local/bin -> $(ReadOnly) ;
#OK/usr/local/doc -> $(ReadOnly) ;
#OK/usr/local/etc -> $(ReadOnly) ;
#OK/usr/local/include -> $(ReadOnly) ;
#OK/usr/local/info -> $(ReadOnly) ;
#OK/usr/local/lib -> $(ReadOnly) ;
#OK/usr/local/libdata -> $(ReadOnly) ;
#OK/usr/local/libexec -> $(ReadOnly) ;
#OK/usr/local/man -> $(ReadOnly) ;
#OK/usr/local/sbin -> $(ReadOnly) ;
#OK/usr/local/share -> $(ReadOnly) ;
#OK/usr/local/src -> $(ReadOnly) ;
#OK}
################################################
# ##
################################################ #
# # #
# Root Directory and Files # #
# ##
################################################
(
rulename = "Root Directory and Files",
)
{
/root -> $(IgnoreNone) -SHa ;
/root/.cshrc -> $(Dynamic) ;
/root/.profile -> $(Dynamic) ;
}
################################################
# ##
################################################ #
# # #
# Temporary Directories # #
# ##
################################################
(
rulename = "Temporary Directories",
)
{
/tmp -> $(Temporary) ;
/var/tmp -> $(Temporary) ;
}
################################################
# ##
################################################ #
# # #
# System and Boot Changes # #
# ##
################################################
(
rulename = "System and Boot Changes",
)
{
/var/backups -> $(Dynamic) -i ;
/var/db/host.random -> $(ReadOnly) -mCM ;
/var/cron -> $(Growing) -i ;
/var/log -> $(Growing) -i ;
/var/run -> $(Dynamic) -i ;
/var/mail -> $(Growing) ;
/var/msgs/bounds -> $(ReadOnly) -smbCM ;
/var/spool/clientmqueue -> $(Temporary) ;
/var/spool/mqueue -> $(Temporary) ;
}
#
# $Id: twpol-OpenBSD.txt,v 1.2 2004/05/14 21:56:21 pherman Exp $
#

656
policy/twpol-DragonFly.txt Normal file
View File

@ -0,0 +1,656 @@
#
# Policy file for DragonFly BSD
# (adapted from FreeBSD policy)
#
# $FreeBSD: ports/security/tripwire/files/twpol.txt,v 1.2 2002/03/04 16:55:21 cy Exp $
# $Id: twpol-FreeBSD.txt,v 1.1 2003/06/08 02:00:06 pherman Exp $
#
# This is the example Tripwire Policy file. It is intended as a place to
# start creating your own custom Tripwire Policy file. Referring to it as
# well as the Tripwire Policy Guide should give you enough information to
# make a good custom Tripwire Policy file that better covers your
# configuration and security needs. A text version of this policy file is
# called twpol.txt.
#
# Note that this file is tuned to an install of FreeBSD using
# buildworld. If run unmodified, this file should create no errors on
# database creation, or violations on a subsiquent integrity check.
# However it is impossible for there to be one policy file for all machines,
# so this existing one errs on the side of security. Your FreeBSD
# configuration will most likey differ from the one our policy file was
# tuned to, and will therefore require some editing of the default
# Tripwire Policy file.
#
# The example policy file is best run with 'Loose Directory Checking'
# enabled. Set LOOSEDIRECTORYCHECKING=TRUE in the Tripwire Configuration
# file.
#
# Email support is not included and must be added to this file.
# Add the 'emailto=' to the rule directive section of each rule (add a comma
# after the 'severity=' line and add an 'emailto=' and include the email
# addresses you want the violation reports to go to). Addresses are
# semi-colon delimited.
#
#
# Global Variable Definitions
#
# These are defined at install time by the installation script. You may
# Manually edit these if you are using this file directly and not from the
# installation script itself.
#
@@section GLOBAL
TWROOT=;
TWBIN=;
TWPOL=;
TWDB=;
TWSKEY=;
TWLKEY=;
TWREPORT=;
HOSTNAME=;
@@section FS
SEC_CRIT = $(IgnoreNone)-SHa ; # Critical files that cannot change
SEC_SUID = $(IgnoreNone)-SHa ; # Binaries with the SUID or SGID flags set
SEC_BIN = $(ReadOnly) ; # Binaries that should not change
SEC_CONFIG = $(Dynamic) ; # Config files that are changed infrequently but accessed often
SEC_TTY = $(Dynamic)-ugp ; # Tty files that change ownership at login
SEC_LOG = $(Growing) ; # Files that grow, but that should never change ownership
SEC_INVARIANT = +tpug ; # Directories that should never change permission or ownership
SIG_LOW = 33 ; # Non-critical files that are of minimal security impact
SIG_MED = 66 ; # Non-critical files that are of significant security impact
SIG_HI = 100 ; # Critical files that are significant points of vulnerability
# Tripwire Binaries
(
rulename = "Tripwire Binaries",
severity = $(SIG_HI)
)
{
$(TWBIN)/siggen -> $(SEC_BIN) ;
$(TWBIN)/tripwire -> $(SEC_BIN) ;
$(TWBIN)/twadmin -> $(SEC_BIN) ;
$(TWBIN)/twprint -> $(SEC_BIN) ;
}
# Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases
(
rulename = "Tripwire Data Files",
severity = $(SIG_HI)
)
{
# NOTE: We remove the inode attribute because when Tripwire creates a backup,
# it does so by renaming the old file and creating a new one (which will
# have a new inode number). Inode is left turned on for keys, which shouldn't
# ever change.
# NOTE: The first integrity check triggers this rule and each integrity check
# afterward triggers this rule until a database update is run, since the
# database file does not exist before that point.
$(TWDB) -> $(SEC_CONFIG) -i ;
$(TWPOL)/tw.pol -> $(SEC_BIN) -i ;
$(TWPOL)/tw.cfg -> $(SEC_BIN) -i ;
$(TWPOL)/twcfg.txt -> $(SEC_BIN) ;
$(TWPOL)/twpol.txt -> $(SEC_BIN) ;
$(TWLKEY)/$(HOSTNAME)-local.key -> $(SEC_BIN) ;
$(TWSKEY)/site.key -> $(SEC_BIN) ;
#don't scan the individual reports
$(TWREPORT) -> $(SEC_CONFIG) (recurse=0) ;
}
# Tripwire HQ Connector Binaries
#(
# rulename = "Tripwire HQ Connector Binaries",
# severity = $(SIG_HI)
#)
#{
# $(TWBIN)/hqagent -> $(SEC_BIN) ;
#}
#
# Tripwire HQ Connector - Configuration Files, Keys, and Logs
#
# Note: File locations here are different than in a stock HQ Connector
# installation. This is because Tripwire 2.3 uses a different path
# structure than Tripwire 2.2.1.
#
# You may need to update your HQ Agent configuation file (or this policy
# file) to correct the paths. We have attempted to support the FHS standard
# here by placing the HQ Agent files similarly to the way Tripwire 2.3
# places them.
#
#(
# rulename = "Tripwire HQ Connector Data Files",
# severity = $(SIG_HI)
#)
#{
#
# # NOTE: Removing the inode attribute because when Tripwire creates a backup
# # it does so by renaming the old file and creating a new one (which will
# # have a new inode number). Leaving inode turned on for keys, which
# # shouldn't ever change.
#
#
# $(TWBIN)/agent.cfg -> $(SEC_BIN) -i ;
# $(TWLKEY)/authentication.key -> $(SEC_BIN) ;
# $(TWDB)/tasks.dat -> $(SEC_CONFIG) ;
# $(TWDB)/schedule.dat -> $(SEC_CONFIG) ;
#
# # Uncomment if you have agent logging enabled.
# #/var/log/tripwire/agent.log -> $(SEC_LOG) ;
#}
# Commonly accessed directories that should remain static with regards to owner and group
(
rulename = "Invariant Directories",
severity = $(SIG_MED)
)
{
/ -> $(SEC_INVARIANT) (recurse = false) ;
/home -> $(SEC_INVARIANT) (recurse = false) ;
}
#
# First, root's "home"
#
(
rulename = "Root's home",
severity = $(SIG_HI)
)
{
# /.rhosts -> $(SEC_CRIT) ;
/.profile -> $(SEC_CRIT) ;
/.cshrc -> $(SEC_CRIT) ;
/.login -> $(SEC_CRIT) ;
# /.exrc -> $(SEC_CRIT) ;
# /.logout -> $(SEC_CRIT) ;
# /.forward -> $(SEC_CRIT) ;
/root -> $(SEC_CRIT) (recurse = true) ;
!/root/.history ;
!/root/.bash_history ;
# !/root/.lsof_SYSTEM_NAME ; # Uncomment if lsof is installed
}
#
# FreeBSD Kernel
#
(
rulename = "FreeBSD Kernel",
severity = $(SIG_HI)
)
{
/kernel -> $(SEC_CRIT) ;
/kernel.old -> $(SEC_CRIT) ;
/kernel.GENERIC -> $(SEC_CRIT) ;
}
#
# FreeBSD Modules
#
(
rulename = "FreeBSD Modules",
severity = $(SIG_HI)
)
{
/modules -> $(SEC_CRIT) (recurse = true) ;
/modules.old -> $(SEC_CRIT) (recurse = true) ;
# /lkm -> $(SEC_CRIT) (recurse = true) ; # uncomment if using lkm kld
}
#
# System Administration Programs
#
(
rulename = "System Administration Programs",
severity = $(SIG_HI)
)
{
/sbin -> $(SEC_CRIT) (recurse = true) ;
/usr/sbin -> $(SEC_CRIT) (recurse = true) ;
}
#
# User Utilities
#
(
rulename = "User Utilities",
severity = $(SIG_HI)
)
{
/bin -> $(SEC_CRIT) (recurse = true) ;
/usr/bin -> $(SEC_CRIT) (recurse = true) ;
}
#
# /dev
#
(
rulename = "/dev",
severity = $(SIG_HI)
)
{
/dev -> $(Device) (recurse = true) ;
!/dev/vga ;
!/dev/dri ;
/dev/console -> $(SEC_TTY) ;
/dev/ttyv0 -> $(SEC_TTY) ;
/dev/ttyv1 -> $(SEC_TTY) ;
/dev/ttyv2 -> $(SEC_TTY) ;
/dev/ttyv3 -> $(SEC_TTY) ;
/dev/ttyv4 -> $(SEC_TTY) ;
/dev/ttyv5 -> $(SEC_TTY) ;
/dev/ttyv6 -> $(SEC_TTY) ;
/dev/ttyv7 -> $(SEC_TTY) ;
/dev/ttyp0 -> $(SEC_TTY) ;
/dev/ttyp1 -> $(SEC_TTY) ;
/dev/ttyp2 -> $(SEC_TTY) ;
/dev/ttyp3 -> $(SEC_TTY) ;
/dev/ttyp4 -> $(SEC_TTY) ;
/dev/ttyp5 -> $(SEC_TTY) ;
/dev/ttyp6 -> $(SEC_TTY) ;
/dev/ttyp7 -> $(SEC_TTY) ;
/dev/ttyp8 -> $(SEC_TTY) ;
/dev/ttyp9 -> $(SEC_TTY) ;
/dev/ttypa -> $(SEC_TTY) ;
/dev/ttypb -> $(SEC_TTY) ;
/dev/ttypc -> $(SEC_TTY) ;
/dev/ttypd -> $(SEC_TTY) ;
/dev/ttype -> $(SEC_TTY) ;
/dev/ttypf -> $(SEC_TTY) ;
/dev/ttypg -> $(SEC_TTY) ;
/dev/ttyph -> $(SEC_TTY) ;
/dev/ttypi -> $(SEC_TTY) ;
/dev/ttypj -> $(SEC_TTY) ;
/dev/ttypl -> $(SEC_TTY) ;
/dev/ttypm -> $(SEC_TTY) ;
/dev/ttypn -> $(SEC_TTY) ;
/dev/ttypo -> $(SEC_TTY) ;
/dev/ttypp -> $(SEC_TTY) ;
/dev/ttypq -> $(SEC_TTY) ;
/dev/ttypr -> $(SEC_TTY) ;
/dev/ttyps -> $(SEC_TTY) ;
/dev/ttypt -> $(SEC_TTY) ;
/dev/ttypu -> $(SEC_TTY) ;
/dev/ttypv -> $(SEC_TTY) ;
/dev/cuaa0 -> $(SEC_TTY) ; # modem
}
#
# /etc
#
(
rulename = "/etc",
severity = $(SIG_HI)
)
{
/etc -> $(SEC_CRIT) (recurse = true) ;
# /etc/mail/aliases -> $(SEC_CONFIG) ;
/etc/dumpdates -> $(SEC_CONFIG) ;
/etc/motd -> $(SEC_CONFIG) ;
!/etc/ppp/connect-errors ;
/etc/skeykeys -> $(SEC_CONFIG) ;
# Uncomment the following 4 lines if your password file does not change
# /etc/passwd -> $(SEC_CONFIG) ;
# /etc/master.passwd -> $(SEC_CONFIG) ;
# /etc/pwd.db -> $(SEC_CONFIG) ;
# /etc/spwd.db -> $(SEC_CONFIG) ;
}
#
# Copatibility (Linux)
#
(
rulename = "Linux Compatibility",
severity = $(SIG_HI)
)
{
/compat -> $(SEC_CRIT) (recurse = true) ;
#
# Uncomment the following if Linux compatibility is used. Replace
# HOSTNAME1 and HOSTNAME2 with the hosts that have Linux emulation port
# installed.
#
#@@ifhost HOSTNAME1 || HOSTNAME2
# /compat/linux/etc -> $(SEC_INVARIANT) (recurse = false) ;
# /compat/linux/etc/X11 -> $(SEC_CONFIG) (recurse = true) ;
# /compat/linux/etc/pam.d -> $(SEC_CONFIG) (recurse = true) ;
# /compat/linux/etc/profile.d -> $(SEC_CONFIG) (recurse = true) ;
# /compat/linux/etc/real -> $(SEC_CONFIG) (recurse = true) ;
# /compat/linux/etc/bashrc -> $(SEC_CONFIG) ;
# /compat/linux/etc/csh.login -> $(SEC_CONFIG) ;
# /compat/linux/etc/host.conf -> $(SEC_CONFIG) ;
# /compat/linux/etc/hosts.allow -> $(SEC_CONFIG) ;
# /compat/linux/etc/hosts.deny -> $(SEC_CONFIG) ;
# /compat/linux/etc/info-dir -> $(SEC_CONFIG) ;
# /compat/linux/etc/inputrc -> $(SEC_CONFIG) ;
# /compat/linux/etc/ld.so.conf -> $(SEC_CONFIG) ;
# /compat/linux/etc/nsswitch.conf -> $(SEC_CONFIG) ;
# /compat/linux/etc/profile -> $(SEC_CONFIG) ;
# /compat/linux/etc/redhat-release -> $(SEC_CONFIG) ;
# /compat/linux/etc/rpc -> $(SEC_CONFIG) ;
# /compat/linux/etc/securetty -> $(SEC_CONFIG) ;
# /compat/linux/etc/shells -> $(SEC_CONFIG) ;
# /compat/linux/etc/termcap -> $(SEC_CONFIG) ;
# /compat/linux/etc/yp.conf -> $(SEC_CONFIG) ;
# !/compat/linux/etc/ld.so.cache ;
# !/compat/linux/var/spool/mail ;
#@@endif
}
#
# Libraries, include files, and other system files
#
(
rulename = "Libraries, include files, and other system files",
severity = $(SIG_HI)
)
{
/usr/include -> $(SEC_CRIT) (recurse = true) ;
/usr/lib -> $(SEC_CRIT) (recurse = true) ;
/usr/libdata -> $(SEC_CRIT) (recurse = true) ;
/usr/libexec -> $(SEC_CRIT) (recurse = true) ;
/usr/share -> $(SEC_CRIT) (recurse = true) ;
/usr/share/man -> $(SEC_CONFIG) ;
!/usr/share/man/whatis ;
!/usr/share/man/.glimpse_filenames ;
!/usr/share/man/.glimpse_filenames_index ;
!/usr/share/man/.glimpse_filetimes ;
!/usr/share/man/.glimpse_filters ;
!/usr/share/man/.glimpse_index ;
!/usr/share/man/.glimpse_messages ;
!/usr/share/man/.glimpse_partitions ;
!/usr/share/man/.glimpse_statistics ;
!/usr/share/man/.glimpse_turbo ;
/usr/share/man/man1 -> $(SEC_CRIT) (recurse = true) ;
/usr/share/man/man2 -> $(SEC_CRIT) (recurse = true) ;
/usr/share/man/man3 -> $(SEC_CRIT) (recurse = true) ;
/usr/share/man/man4 -> $(SEC_CRIT) (recurse = true) ;
/usr/share/man/man5 -> $(SEC_CRIT) (recurse = true) ;
/usr/share/man/man6 -> $(SEC_CRIT) (recurse = true) ;
/usr/share/man/man7 -> $(SEC_CRIT) (recurse = true) ;
/usr/share/man/man8 -> $(SEC_CRIT) (recurse = true) ;
/usr/share/man/man9 -> $(SEC_CRIT) (recurse = true) ;
/usr/share/man/mann -> $(SEC_CRIT) (recurse = true) ;
! /usr/share/man/cat1 ;
! /usr/share/man/cat2 ;
! /usr/share/man/cat3 ;
! /usr/share/man/cat4 ;
! /usr/share/man/cat5 ;
! /usr/share/man/cat6 ;
! /usr/share/man/cat7 ;
! /usr/share/man/cat8 ;
! /usr/share/man/cat9 ;
! /usr/share/man/catl ;
! /usr/share/man/catn ;
/usr/share/perl/man -> $(SEC_CONFIG) ;
!/usr/share/perl/man/whatis ;
!/usr/share/perl/man/.glimpse_filenames ;
!/usr/share/perl/man/.glimpse_filenames_index ;
!/usr/share/perl/man/.glimpse_filetimes ;
!/usr/share/perl/man/.glimpse_filters ;
!/usr/share/perl/man/.glimpse_index ;
!/usr/share/perl/man/.glimpse_messages ;
!/usr/share/perl/man/.glimpse_partitions ;
!/usr/share/perl/man/.glimpse_statistics ;
!/usr/share/perl/man/.glimpse_turbo ;
/usr/share/perl/man/man3 -> $(SEC_CRIT) (recurse = true) ;
! /usr/share/perl/man/cat3 ;
/usr/local/lib/perl5/5.00503/man -> $(SEC_CONFIG) ;
! /usr/local/lib/perl5/5.00503/man/whatis ;
! /usr/local/lib/perl5/5.00503/man/.glimpse_filters ;
! /usr/local/lib/perl5/5.00503/man/.glimpse_filetimes ;
! /usr/local/lib/perl5/5.00503/man/.glimpse_messages ;
! /usr/local/lib/perl5/5.00503/man/.glimpse_statistics ;
! /usr/local/lib/perl5/5.00503/man/.glimpse_index ;
! /usr/local/lib/perl5/5.00503/man/.glimpse_turbo ;
! /usr/local/lib/perl5/5.00503/man/.glimpse_partitions ;
! /usr/local/lib/perl5/5.00503/man/.glimpse_filenames ;
! /usr/local/lib/perl5/5.00503/man/.glimpse_filenames_index ;
/usr/local/lib/perl5/5.00503/man/man3 -> $(SEC_CRIT) (recurse = true) ;
! /usr/local/lib/perl5/5.00503/man/cat3 ;
}
#
# X11R6
#
(
rulename = "X11R6",
severity = $(SIG_HI)
)
{
/usr/X11R6 -> $(SEC_CRIT) (recurse = true) ;
/usr/X11R6/lib/X11/xdm -> $(SEC_CONFIG) (recurse = true) ;
!/usr/X11R6/lib/X11/xdm/xdm-errors ;
!/usr/X11R6/lib/X11/xdm/authdir/authfiles ;
!/usr/X11R6/lib/X11/xdm/xdm-pid ;
/usr/X11R6/lib/X11/xkb/compiled -> $(SEC_CONFIG) (recurse = true) ;
/usr/X11R6/man -> $(SEC_CONFIG) ;
!/usr/X11R6/man/whatis ;
!/usr/X11R6/man/.glimpse_filenames ;
!/usr/X11R6/man/.glimpse_filenames_index ;
!/usr/X11R6/man/.glimpse_filetimes ;
!/usr/X11R6/man/.glimpse_filters ;
!/usr/X11R6/man/.glimpse_index ;
!/usr/X11R6/man/.glimpse_messages ;
!/usr/X11R6/man/.glimpse_partitions ;
!/usr/X11R6/man/.glimpse_statistics ;
!/usr/X11R6/man/.glimpse_turbo ;
/usr/X11R6/man/man1 -> $(SEC_CRIT) (recurse = true) ;
/usr/X11R6/man/man2 -> $(SEC_CRIT) (recurse = true) ;
/usr/X11R6/man/man3 -> $(SEC_CRIT) (recurse = true) ;
/usr/X11R6/man/man4 -> $(SEC_CRIT) (recurse = true) ;
/usr/X11R6/man/man5 -> $(SEC_CRIT) (recurse = true) ;
/usr/X11R6/man/man6 -> $(SEC_CRIT) (recurse = true) ;
/usr/X11R6/man/man7 -> $(SEC_CRIT) (recurse = true) ;
/usr/X11R6/man/man8 -> $(SEC_CRIT) (recurse = true) ;
/usr/X11R6/man/man9 -> $(SEC_CRIT) (recurse = true) ;
/usr/X11R6/man/manl -> $(SEC_CRIT) (recurse = true) ;
/usr/X11R6/man/mann -> $(SEC_CRIT) (recurse = true) ;
! /usr/X11R6/man/cat1 ;
! /usr/X11R6/man/cat2 ;
! /usr/X11R6/man/cat3 ;
! /usr/X11R6/man/cat4 ;
! /usr/X11R6/man/cat5 ;
! /usr/X11R6/man/cat6 ;
! /usr/X11R6/man/cat7 ;
! /usr/X11R6/man/cat8 ;
! /usr/X11R6/man/cat9 ;
! /usr/X11R6/man/catl ;
! /usr/X11R6/man/catn ;
}
#
# sources
#
(
rulename = "Sources",
severity = $(SIG_HI)
)
{
/usr/src -> $(SEC_CRIT) (recurse = true) ;
/usr/src/sys/compile -> $(SEC_CONFIG) (recurse = false) ;
}
#
# NIS
#
(
rulename = "NIS",
severity = $(SIG_HI)
)
{
/var/yp -> $(SEC_CRIT) (recurse = true) ;
!/var/yp/binding ;
}
#
# Temporary directories
#
(
rulename = "Temporary directories",
recurse = false,
severity = $(SIG_LOW)
)
{
/usr/tmp -> $(SEC_INVARIANT) ;
/var/tmp -> $(SEC_INVARIANT) ;
/var/preserve -> $(SEC_INVARIANT) ;
/tmp -> $(SEC_INVARIANT) ;
}
#
# Local files
#
(
rulename = "Local files",
severity = $(SIG_MED)
)
{
/usr/local/bin -> $(SEC_BIN) (recurse = true) ;
/usr/local/sbin -> $(SEC_BIN) (recurse = true) ;
/usr/local/etc -> $(SEC_BIN) (recurse = true) ;
/usr/local/lib -> $(SEC_BIN) (recurse = true ) ;
/usr/local/libexec -> $(SEC_BIN) (recurse = true ) ;
/usr/local/share -> $(SEC_BIN) (recurse = true ) ;
/usr/local/man -> $(SEC_CONFIG) ;
!/usr/local/man/whatis ;
!/usr/local/man/.glimpse_filenames ;
!/usr/local/man/.glimpse_filenames_index ;
!/usr/local/man/.glimpse_filetimes ;
!/usr/local/man/.glimpse_filters ;
!/usr/local/man/.glimpse_index ;
!/usr/local/man/.glimpse_messages ;
!/usr/local/man/.glimpse_partitions ;
!/usr/local/man/.glimpse_statistics ;
!/usr/local/man/.glimpse_turbo ;
/usr/local/man/man1 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/man/man2 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/man/man3 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/man/man4 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/man/man5 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/man/man6 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/man/man7 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/man/man8 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/man/man9 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/man/manl -> $(SEC_CRIT) (recurse = true) ;
/usr/local/man/mann -> $(SEC_CRIT) (recurse = true) ;
! /usr/local/man/cat1 ;
! /usr/local/man/cat2 ;
! /usr/local/man/cat3 ;
! /usr/local/man/cat4 ;
! /usr/local/man/cat5 ;
! /usr/local/man/cat6 ;
! /usr/local/man/cat7 ;
! /usr/local/man/cat8 ;
! /usr/local/man/cat9 ;
! /usr/local/man/catl ;
! /usr/local/man/catn ;
/usr/local/krb5 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/krb5/man -> $(SEC_CONFIG) ;
!/usr/local/krb5/man/whatis ;
!/usr/local/krb5/man/.glimpse_filenames ;
!/usr/local/krb5/man/.glimpse_filenames_index ;
!/usr/local/krb5/man/.glimpse_filetimes ;
!/usr/local/krb5/man/.glimpse_filters ;
!/usr/local/krb5/man/.glimpse_index ;
!/usr/local/krb5/man/.glimpse_messages ;
!/usr/local/krb5/man/.glimpse_partitions ;
!/usr/local/krb5/man/.glimpse_statistics ;
!/usr/local/krb5/man/.glimpse_turbo ;
/usr/local/krb5/man/man1 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/krb5/man/man2 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/krb5/man/man3 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/krb5/man/man4 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/krb5/man/man5 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/krb5/man/man6 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/krb5/man/man7 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/krb5/man/man8 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/krb5/man/man9 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/krb5/man/manl -> $(SEC_CRIT) (recurse = true) ;
/usr/local/krb5/man/mann -> $(SEC_CRIT) (recurse = true) ;
! /usr/local/krb5/man/cat1 ;
! /usr/local/krb5/man/cat2 ;
! /usr/local/krb5/man/cat3 ;
! /usr/local/krb5/man/cat4 ;
! /usr/local/krb5/man/cat5 ;
! /usr/local/krb5/man/cat6 ;
! /usr/local/krb5/man/cat7 ;
! /usr/local/krb5/man/cat8 ;
! /usr/local/krb5/man/cat9 ;
! /usr/local/krb5/man/catl ;
! /usr/local/krb5/man/catn ;
/usr/local/www -> $(SEC_CONFIG) (recurse = true) ;
}
(
rulename = "Security Control",
severity = $(SIG_HI)
)
{
/etc/group -> $(SEC_CRIT) ;
/etc/crontab -> $(SEC_CRIT) ;
}
#=============================================================================
#
# Copyright 2000-2017 Tripwire, Inc. Tripwire is a registered trademark of Tripwire,
# Inc. in the United States and other countries. All rights reserved.
#
# FreeBSD is a registered trademark of the FreeBSD Project Inc.
#
# UNIX is a registered trademark of The Open Group.
#
#=============================================================================
#
# Permission is granted to make and distribute verbatim copies of this document
# provided the copyright notice and this permission notice are preserved on all
# copies.
#
# Permission is granted to copy and distribute modified versions of this
# document under the conditions for verbatim copying, provided that the entire
# resulting derived work is distributed under the terms of a permission notice
# identical to this one.
#
# Permission is granted to copy and distribute translations of this document
# into another language, under the above conditions for modified versions,
# except that this permission notice may be stated in a translation approved by
# Tripwire, Inc.
#
# DCM

1106
policy/twpol-HP-UX.txt Normal file
View File

File diff suppressed because it is too large Load Diff

656
policy/twpol-MidnightBSD.txt Normal file
View File

@ -0,0 +1,656 @@
#
# Policy file for MidnightBSD
# (adapted from FreeBSD policy)
#
# $FreeBSD: ports/security/tripwire/files/twpol.txt,v 1.2 2002/03/04 16:55:21 cy Exp $
# $Id: twpol-FreeBSD.txt,v 1.1 2003/06/08 02:00:06 pherman Exp $
#
# This is the example Tripwire Policy file. It is intended as a place to
# start creating your own custom Tripwire Policy file. Referring to it as
# well as the Tripwire Policy Guide should give you enough information to
# make a good custom Tripwire Policy file that better covers your
# configuration and security needs. A text version of this policy file is
# called twpol.txt.
#
# Note that this file is tuned to an install of FreeBSD using
# buildworld. If run unmodified, this file should create no errors on
# database creation, or violations on a subsiquent integrity check.
# However it is impossible for there to be one policy file for all machines,
# so this existing one errs on the side of security. Your FreeBSD
# configuration will most likey differ from the one our policy file was
# tuned to, and will therefore require some editing of the default
# Tripwire Policy file.
#
# The example policy file is best run with 'Loose Directory Checking'
# enabled. Set LOOSEDIRECTORYCHECKING=TRUE in the Tripwire Configuration
# file.
#
# Email support is not included and must be added to this file.
# Add the 'emailto=' to the rule directive section of each rule (add a comma
# after the 'severity=' line and add an 'emailto=' and include the email
# addresses you want the violation reports to go to). Addresses are
# semi-colon delimited.
#
#
# Global Variable Definitions
#
# These are defined at install time by the installation script. You may
# Manually edit these if you are using this file directly and not from the
# installation script itself.
#
@@section GLOBAL
TWROOT=;
TWBIN=;
TWPOL=;
TWDB=;
TWSKEY=;
TWLKEY=;
TWREPORT=;
HOSTNAME=;
@@section FS
SEC_CRIT = $(IgnoreNone)-SHa ; # Critical files that cannot change
SEC_SUID = $(IgnoreNone)-SHa ; # Binaries with the SUID or SGID flags set
SEC_BIN = $(ReadOnly) ; # Binaries that should not change
SEC_CONFIG = $(Dynamic) ; # Config files that are changed infrequently but accessed often
SEC_TTY = $(Dynamic)-ugp ; # Tty files that change ownership at login
SEC_LOG = $(Growing) ; # Files that grow, but that should never change ownership
SEC_INVARIANT = +tpug ; # Directories that should never change permission or ownership
SIG_LOW = 33 ; # Non-critical files that are of minimal security impact
SIG_MED = 66 ; # Non-critical files that are of significant security impact
SIG_HI = 100 ; # Critical files that are significant points of vulnerability
# Tripwire Binaries
(
rulename = "Tripwire Binaries",
severity = $(SIG_HI)
)
{
$(TWBIN)/siggen -> $(SEC_BIN) ;
$(TWBIN)/tripwire -> $(SEC_BIN) ;
$(TWBIN)/twadmin -> $(SEC_BIN) ;
$(TWBIN)/twprint -> $(SEC_BIN) ;
}
# Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases
(
rulename = "Tripwire Data Files",
severity = $(SIG_HI)
)
{
# NOTE: We remove the inode attribute because when Tripwire creates a backup,
# it does so by renaming the old file and creating a new one (which will
# have a new inode number). Inode is left turned on for keys, which shouldn't
# ever change.
# NOTE: The first integrity check triggers this rule and each integrity check
# afterward triggers this rule until a database update is run, since the
# database file does not exist before that point.
$(TWDB) -> $(SEC_CONFIG) -i ;
$(TWPOL)/tw.pol -> $(SEC_BIN) -i ;
$(TWPOL)/tw.cfg -> $(SEC_BIN) -i ;
$(TWPOL)/twcfg.txt -> $(SEC_BIN) ;
$(TWPOL)/twpol.txt -> $(SEC_BIN) ;
$(TWLKEY)/$(HOSTNAME)-local.key -> $(SEC_BIN) ;
$(TWSKEY)/site.key -> $(SEC_BIN) ;
#don't scan the individual reports
$(TWREPORT) -> $(SEC_CONFIG) (recurse=0) ;
}
# Tripwire HQ Connector Binaries
#(
# rulename = "Tripwire HQ Connector Binaries",
# severity = $(SIG_HI)
#)
#{
# $(TWBIN)/hqagent -> $(SEC_BIN) ;
#}
#
# Tripwire HQ Connector - Configuration Files, Keys, and Logs
#
# Note: File locations here are different than in a stock HQ Connector
# installation. This is because Tripwire 2.3 uses a different path
# structure than Tripwire 2.2.1.
#
# You may need to update your HQ Agent configuation file (or this policy
# file) to correct the paths. We have attempted to support the FHS standard
# here by placing the HQ Agent files similarly to the way Tripwire 2.3
# places them.
#
#(
# rulename = "Tripwire HQ Connector Data Files",
# severity = $(SIG_HI)
#)
#{
#
# # NOTE: Removing the inode attribute because when Tripwire creates a backup
# # it does so by renaming the old file and creating a new one (which will
# # have a new inode number). Leaving inode turned on for keys, which
# # shouldn't ever change.
#
#
# $(TWBIN)/agent.cfg -> $(SEC_BIN) -i ;
# $(TWLKEY)/authentication.key -> $(SEC_BIN) ;
# $(TWDB)/tasks.dat -> $(SEC_CONFIG) ;
# $(TWDB)/schedule.dat -> $(SEC_CONFIG) ;
#
# # Uncomment if you have agent logging enabled.
# #/var/log/tripwire/agent.log -> $(SEC_LOG) ;
#}
# Commonly accessed directories that should remain static with regards to owner and group
(
rulename = "Invariant Directories",
severity = $(SIG_MED)
)
{
/ -> $(SEC_INVARIANT) (recurse = false) ;
/home -> $(SEC_INVARIANT) (recurse = false) ;
}
#
# First, root's "home"
#
(
rulename = "Root's home",
severity = $(SIG_HI)
)
{
# /.rhosts -> $(SEC_CRIT) ;
/.profile -> $(SEC_CRIT) ;
/.cshrc -> $(SEC_CRIT) ;
/.login -> $(SEC_CRIT) ;
# /.exrc -> $(SEC_CRIT) ;
# /.logout -> $(SEC_CRIT) ;
# /.forward -> $(SEC_CRIT) ;
/root -> $(SEC_CRIT) (recurse = true) ;
!/root/.history ;
!/root/.bash_history ;
# !/root/.lsof_SYSTEM_NAME ; # Uncomment if lsof is installed
}
#
# FreeBSD Kernel
#
(
rulename = "FreeBSD Kernel",
severity = $(SIG_HI)
)
{
/kernel -> $(SEC_CRIT) ;
/kernel.old -> $(SEC_CRIT) ;
/kernel.GENERIC -> $(SEC_CRIT) ;
}
#
# FreeBSD Modules
#
(
rulename = "FreeBSD Modules",
severity = $(SIG_HI)
)
{
/modules -> $(SEC_CRIT) (recurse = true) ;
/modules.old -> $(SEC_CRIT) (recurse = true) ;
# /lkm -> $(SEC_CRIT) (recurse = true) ; # uncomment if using lkm kld
}
#
# System Administration Programs
#
(
rulename = "System Administration Programs",
severity = $(SIG_HI)
)
{
/sbin -> $(SEC_CRIT) (recurse = true) ;
/usr/sbin -> $(SEC_CRIT) (recurse = true) ;
}
#
# User Utilities
#
(
rulename = "User Utilities",
severity = $(SIG_HI)
)
{
/bin -> $(SEC_CRIT) (recurse = true) ;
/usr/bin -> $(SEC_CRIT) (recurse = true) ;
}
#
# /dev
#
(
rulename = "/dev",
severity = $(SIG_HI)
)
{
/dev -> $(Device) (recurse = true) ;
!/dev/vga ;
!/dev/dri ;
/dev/console -> $(SEC_TTY) ;
/dev/ttyv0 -> $(SEC_TTY) ;
/dev/ttyv1 -> $(SEC_TTY) ;
/dev/ttyv2 -> $(SEC_TTY) ;
/dev/ttyv3 -> $(SEC_TTY) ;
/dev/ttyv4 -> $(SEC_TTY) ;
/dev/ttyv5 -> $(SEC_TTY) ;
/dev/ttyv6 -> $(SEC_TTY) ;
/dev/ttyv7 -> $(SEC_TTY) ;
/dev/ttyp0 -> $(SEC_TTY) ;
/dev/ttyp1 -> $(SEC_TTY) ;
/dev/ttyp2 -> $(SEC_TTY) ;
/dev/ttyp3 -> $(SEC_TTY) ;
/dev/ttyp4 -> $(SEC_TTY) ;
/dev/ttyp5 -> $(SEC_TTY) ;
/dev/ttyp6 -> $(SEC_TTY) ;
/dev/ttyp7 -> $(SEC_TTY) ;
/dev/ttyp8 -> $(SEC_TTY) ;
/dev/ttyp9 -> $(SEC_TTY) ;
/dev/ttypa -> $(SEC_TTY) ;
/dev/ttypb -> $(SEC_TTY) ;
/dev/ttypc -> $(SEC_TTY) ;
/dev/ttypd -> $(SEC_TTY) ;
/dev/ttype -> $(SEC_TTY) ;
/dev/ttypf -> $(SEC_TTY) ;
/dev/ttypg -> $(SEC_TTY) ;
/dev/ttyph -> $(SEC_TTY) ;
/dev/ttypi -> $(SEC_TTY) ;
/dev/ttypj -> $(SEC_TTY) ;
/dev/ttypl -> $(SEC_TTY) ;
/dev/ttypm -> $(SEC_TTY) ;
/dev/ttypn -> $(SEC_TTY) ;
/dev/ttypo -> $(SEC_TTY) ;
/dev/ttypp -> $(SEC_TTY) ;
/dev/ttypq -> $(SEC_TTY) ;
/dev/ttypr -> $(SEC_TTY) ;
/dev/ttyps -> $(SEC_TTY) ;
/dev/ttypt -> $(SEC_TTY) ;
/dev/ttypu -> $(SEC_TTY) ;
/dev/ttypv -> $(SEC_TTY) ;
/dev/cuaa0 -> $(SEC_TTY) ; # modem
}
#
# /etc
#
(
rulename = "/etc",
severity = $(SIG_HI)
)
{
/etc -> $(SEC_CRIT) (recurse = true) ;
# /etc/mail/aliases -> $(SEC_CONFIG) ;
/etc/dumpdates -> $(SEC_CONFIG) ;
/etc/motd -> $(SEC_CONFIG) ;
!/etc/ppp/connect-errors ;
/etc/skeykeys -> $(SEC_CONFIG) ;
# Uncomment the following 4 lines if your password file does not change
# /etc/passwd -> $(SEC_CONFIG) ;
# /etc/master.passwd -> $(SEC_CONFIG) ;
# /etc/pwd.db -> $(SEC_CONFIG) ;
# /etc/spwd.db -> $(SEC_CONFIG) ;
}
#
# Copatibility (Linux)
#
(
rulename = "Linux Compatibility",
severity = $(SIG_HI)
)
{
/compat -> $(SEC_CRIT) (recurse = true) ;
#
# Uncomment the following if Linux compatibility is used. Replace
# HOSTNAME1 and HOSTNAME2 with the hosts that have Linux emulation port
# installed.
#
#@@ifhost HOSTNAME1 || HOSTNAME2
# /compat/linux/etc -> $(SEC_INVARIANT) (recurse = false) ;
# /compat/linux/etc/X11 -> $(SEC_CONFIG) (recurse = true) ;
# /compat/linux/etc/pam.d -> $(SEC_CONFIG) (recurse = true) ;
# /compat/linux/etc/profile.d -> $(SEC_CONFIG) (recurse = true) ;
# /compat/linux/etc/real -> $(SEC_CONFIG) (recurse = true) ;
# /compat/linux/etc/bashrc -> $(SEC_CONFIG) ;
# /compat/linux/etc/csh.login -> $(SEC_CONFIG) ;
# /compat/linux/etc/host.conf -> $(SEC_CONFIG) ;
# /compat/linux/etc/hosts.allow -> $(SEC_CONFIG) ;
# /compat/linux/etc/hosts.deny -> $(SEC_CONFIG) ;
# /compat/linux/etc/info-dir -> $(SEC_CONFIG) ;
# /compat/linux/etc/inputrc -> $(SEC_CONFIG) ;
# /compat/linux/etc/ld.so.conf -> $(SEC_CONFIG) ;
# /compat/linux/etc/nsswitch.conf -> $(SEC_CONFIG) ;
# /compat/linux/etc/profile -> $(SEC_CONFIG) ;
# /compat/linux/etc/redhat-release -> $(SEC_CONFIG) ;
# /compat/linux/etc/rpc -> $(SEC_CONFIG) ;
# /compat/linux/etc/securetty -> $(SEC_CONFIG) ;
# /compat/linux/etc/shells -> $(SEC_CONFIG) ;
# /compat/linux/etc/termcap -> $(SEC_CONFIG) ;
# /compat/linux/etc/yp.conf -> $(SEC_CONFIG) ;
# !/compat/linux/etc/ld.so.cache ;
# !/compat/linux/var/spool/mail ;
#@@endif
}
#
# Libraries, include files, and other system files
#
(
rulename = "Libraries, include files, and other system files",
severity = $(SIG_HI)
)
{
/usr/include -> $(SEC_CRIT) (recurse = true) ;
/usr/lib -> $(SEC_CRIT) (recurse = true) ;
/usr/libdata -> $(SEC_CRIT) (recurse = true) ;
/usr/libexec -> $(SEC_CRIT) (recurse = true) ;
/usr/share -> $(SEC_CRIT) (recurse = true) ;
/usr/share/man -> $(SEC_CONFIG) ;
!/usr/share/man/whatis ;
!/usr/share/man/.glimpse_filenames ;
!/usr/share/man/.glimpse_filenames_index ;
!/usr/share/man/.glimpse_filetimes ;
!/usr/share/man/.glimpse_filters ;
!/usr/share/man/.glimpse_index ;
!/usr/share/man/.glimpse_messages ;
!/usr/share/man/.glimpse_partitions ;
!/usr/share/man/.glimpse_statistics ;
!/usr/share/man/.glimpse_turbo ;
/usr/share/man/man1 -> $(SEC_CRIT) (recurse = true) ;
/usr/share/man/man2 -> $(SEC_CRIT) (recurse = true) ;
/usr/share/man/man3 -> $(SEC_CRIT) (recurse = true) ;
/usr/share/man/man4 -> $(SEC_CRIT) (recurse = true) ;
/usr/share/man/man5 -> $(SEC_CRIT) (recurse = true) ;
/usr/share/man/man6 -> $(SEC_CRIT) (recurse = true) ;
/usr/share/man/man7 -> $(SEC_CRIT) (recurse = true) ;
/usr/share/man/man8 -> $(SEC_CRIT) (recurse = true) ;
/usr/share/man/man9 -> $(SEC_CRIT) (recurse = true) ;
/usr/share/man/mann -> $(SEC_CRIT) (recurse = true) ;
! /usr/share/man/cat1 ;
! /usr/share/man/cat2 ;
! /usr/share/man/cat3 ;
! /usr/share/man/cat4 ;
! /usr/share/man/cat5 ;
! /usr/share/man/cat6 ;
! /usr/share/man/cat7 ;
! /usr/share/man/cat8 ;
! /usr/share/man/cat9 ;
! /usr/share/man/catl ;
! /usr/share/man/catn ;
/usr/share/perl/man -> $(SEC_CONFIG) ;
!/usr/share/perl/man/whatis ;
!/usr/share/perl/man/.glimpse_filenames ;
!/usr/share/perl/man/.glimpse_filenames_index ;
!/usr/share/perl/man/.glimpse_filetimes ;
!/usr/share/perl/man/.glimpse_filters ;
!/usr/share/perl/man/.glimpse_index ;
!/usr/share/perl/man/.glimpse_messages ;
!/usr/share/perl/man/.glimpse_partitions ;
!/usr/share/perl/man/.glimpse_statistics ;
!/usr/share/perl/man/.glimpse_turbo ;
/usr/share/perl/man/man3 -> $(SEC_CRIT) (recurse = true) ;
! /usr/share/perl/man/cat3 ;
/usr/local/lib/perl5/5.00503/man -> $(SEC_CONFIG) ;
! /usr/local/lib/perl5/5.00503/man/whatis ;
! /usr/local/lib/perl5/5.00503/man/.glimpse_filters ;
! /usr/local/lib/perl5/5.00503/man/.glimpse_filetimes ;
! /usr/local/lib/perl5/5.00503/man/.glimpse_messages ;
! /usr/local/lib/perl5/5.00503/man/.glimpse_statistics ;
! /usr/local/lib/perl5/5.00503/man/.glimpse_index ;
! /usr/local/lib/perl5/5.00503/man/.glimpse_turbo ;
! /usr/local/lib/perl5/5.00503/man/.glimpse_partitions ;
! /usr/local/lib/perl5/5.00503/man/.glimpse_filenames ;
! /usr/local/lib/perl5/5.00503/man/.glimpse_filenames_index ;
/usr/local/lib/perl5/5.00503/man/man3 -> $(SEC_CRIT) (recurse = true) ;
! /usr/local/lib/perl5/5.00503/man/cat3 ;
}
#
# X11R6
#
(
rulename = "X11R6",
severity = $(SIG_HI)
)
{
/usr/X11R6 -> $(SEC_CRIT) (recurse = true) ;
/usr/X11R6/lib/X11/xdm -> $(SEC_CONFIG) (recurse = true) ;
!/usr/X11R6/lib/X11/xdm/xdm-errors ;
!/usr/X11R6/lib/X11/xdm/authdir/authfiles ;
!/usr/X11R6/lib/X11/xdm/xdm-pid ;
/usr/X11R6/lib/X11/xkb/compiled -> $(SEC_CONFIG) (recurse = true) ;
/usr/X11R6/man -> $(SEC_CONFIG) ;
!/usr/X11R6/man/whatis ;
!/usr/X11R6/man/.glimpse_filenames ;
!/usr/X11R6/man/.glimpse_filenames_index ;
!/usr/X11R6/man/.glimpse_filetimes ;
!/usr/X11R6/man/.glimpse_filters ;
!/usr/X11R6/man/.glimpse_index ;
!/usr/X11R6/man/.glimpse_messages ;
!/usr/X11R6/man/.glimpse_partitions ;
!/usr/X11R6/man/.glimpse_statistics ;
!/usr/X11R6/man/.glimpse_turbo ;
/usr/X11R6/man/man1 -> $(SEC_CRIT) (recurse = true) ;
/usr/X11R6/man/man2 -> $(SEC_CRIT) (recurse = true) ;
/usr/X11R6/man/man3 -> $(SEC_CRIT) (recurse = true) ;
/usr/X11R6/man/man4 -> $(SEC_CRIT) (recurse = true) ;
/usr/X11R6/man/man5 -> $(SEC_CRIT) (recurse = true) ;
/usr/X11R6/man/man6 -> $(SEC_CRIT) (recurse = true) ;
/usr/X11R6/man/man7 -> $(SEC_CRIT) (recurse = true) ;
/usr/X11R6/man/man8 -> $(SEC_CRIT) (recurse = true) ;
/usr/X11R6/man/man9 -> $(SEC_CRIT) (recurse = true) ;
/usr/X11R6/man/manl -> $(SEC_CRIT) (recurse = true) ;
/usr/X11R6/man/mann -> $(SEC_CRIT) (recurse = true) ;
! /usr/X11R6/man/cat1 ;
! /usr/X11R6/man/cat2 ;
! /usr/X11R6/man/cat3 ;
! /usr/X11R6/man/cat4 ;
! /usr/X11R6/man/cat5 ;
! /usr/X11R6/man/cat6 ;
! /usr/X11R6/man/cat7 ;
! /usr/X11R6/man/cat8 ;
! /usr/X11R6/man/cat9 ;
! /usr/X11R6/man/catl ;
! /usr/X11R6/man/catn ;
}
#
# sources
#
(
rulename = "Sources",
severity = $(SIG_HI)
)
{
/usr/src -> $(SEC_CRIT) (recurse = true) ;
/usr/src/sys/compile -> $(SEC_CONFIG) (recurse = false) ;
}
#
# NIS
#
(
rulename = "NIS",
severity = $(SIG_HI)
)
{
/var/yp -> $(SEC_CRIT) (recurse = true) ;
!/var/yp/binding ;
}
#
# Temporary directories
#
(
rulename = "Temporary directories",
recurse = false,
severity = $(SIG_LOW)
)
{
/usr/tmp -> $(SEC_INVARIANT) ;
/var/tmp -> $(SEC_INVARIANT) ;
/var/preserve -> $(SEC_INVARIANT) ;
/tmp -> $(SEC_INVARIANT) ;
}
#
# Local files
#
(
rulename = "Local files",
severity = $(SIG_MED)
)
{
/usr/local/bin -> $(SEC_BIN) (recurse = true) ;
/usr/local/sbin -> $(SEC_BIN) (recurse = true) ;
/usr/local/etc -> $(SEC_BIN) (recurse = true) ;
/usr/local/lib -> $(SEC_BIN) (recurse = true ) ;
/usr/local/libexec -> $(SEC_BIN) (recurse = true ) ;
/usr/local/share -> $(SEC_BIN) (recurse = true ) ;
/usr/local/man -> $(SEC_CONFIG) ;
!/usr/local/man/whatis ;
!/usr/local/man/.glimpse_filenames ;
!/usr/local/man/.glimpse_filenames_index ;
!/usr/local/man/.glimpse_filetimes ;
!/usr/local/man/.glimpse_filters ;
!/usr/local/man/.glimpse_index ;
!/usr/local/man/.glimpse_messages ;
!/usr/local/man/.glimpse_partitions ;
!/usr/local/man/.glimpse_statistics ;
!/usr/local/man/.glimpse_turbo ;
/usr/local/man/man1 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/man/man2 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/man/man3 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/man/man4 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/man/man5 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/man/man6 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/man/man7 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/man/man8 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/man/man9 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/man/manl -> $(SEC_CRIT) (recurse = true) ;
/usr/local/man/mann -> $(SEC_CRIT) (recurse = true) ;
! /usr/local/man/cat1 ;
! /usr/local/man/cat2 ;
! /usr/local/man/cat3 ;
! /usr/local/man/cat4 ;
! /usr/local/man/cat5 ;
! /usr/local/man/cat6 ;
! /usr/local/man/cat7 ;
! /usr/local/man/cat8 ;
! /usr/local/man/cat9 ;
! /usr/local/man/catl ;
! /usr/local/man/catn ;
/usr/local/krb5 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/krb5/man -> $(SEC_CONFIG) ;
!/usr/local/krb5/man/whatis ;
!/usr/local/krb5/man/.glimpse_filenames ;
!/usr/local/krb5/man/.glimpse_filenames_index ;
!/usr/local/krb5/man/.glimpse_filetimes ;
!/usr/local/krb5/man/.glimpse_filters ;
!/usr/local/krb5/man/.glimpse_index ;
!/usr/local/krb5/man/.glimpse_messages ;
!/usr/local/krb5/man/.glimpse_partitions ;
!/usr/local/krb5/man/.glimpse_statistics ;
!/usr/local/krb5/man/.glimpse_turbo ;
/usr/local/krb5/man/man1 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/krb5/man/man2 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/krb5/man/man3 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/krb5/man/man4 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/krb5/man/man5 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/krb5/man/man6 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/krb5/man/man7 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/krb5/man/man8 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/krb5/man/man9 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/krb5/man/manl -> $(SEC_CRIT) (recurse = true) ;
/usr/local/krb5/man/mann -> $(SEC_CRIT) (recurse = true) ;
! /usr/local/krb5/man/cat1 ;
! /usr/local/krb5/man/cat2 ;
! /usr/local/krb5/man/cat3 ;
! /usr/local/krb5/man/cat4 ;
! /usr/local/krb5/man/cat5 ;
! /usr/local/krb5/man/cat6 ;
! /usr/local/krb5/man/cat7 ;
! /usr/local/krb5/man/cat8 ;
! /usr/local/krb5/man/cat9 ;
! /usr/local/krb5/man/catl ;
! /usr/local/krb5/man/catn ;
/usr/local/www -> $(SEC_CONFIG) (recurse = true) ;
}
(
rulename = "Security Control",
severity = $(SIG_HI)
)
{
/etc/group -> $(SEC_CRIT) ;
/etc/crontab -> $(SEC_CRIT) ;
}
#=============================================================================
#
# Copyright 2000-2017 Tripwire, Inc. Tripwire is a registered trademark of Tripwire,
# Inc. in the United States and other countries. All rights reserved.
#
# FreeBSD is a registered trademark of the FreeBSD Project Inc.
#
# UNIX is a registered trademark of The Open Group.
#
#=============================================================================
#
# Permission is granted to make and distribute verbatim copies of this document
# provided the copyright notice and this permission notice are preserved on all
# copies.
#
# Permission is granted to copy and distribute modified versions of this
# document under the conditions for verbatim copying, provided that the entire
# resulting derived work is distributed under the terms of a permission notice
# identical to this one.
#
# Permission is granted to copy and distribute translations of this document
# into another language, under the above conditions for modified versions,
# except that this permission notice may be stated in a translation approved by
# Tripwire, Inc.
#
# DCM

4
policy/twpol-MirBSD.txt
View File

@ -2,8 +2,8 @@
# ##
############################################################################## #
# # #
# Policy file for OpenBSD 3.5 # #
# May 20, 2003 # #
# Policy file for MirOS BSD # #
# (adapted from OpenBSD policy) # #
# ##
##############################################################################

656
policy/twpol-NetBSD.txt Normal file
View File

@ -0,0 +1,656 @@
#
# Policy file for NetBSD
# (adapted from FreeBSD policy)
#
# $FreeBSD: ports/security/tripwire/files/twpol.txt,v 1.2 2002/03/04 16:55:21 cy Exp $
# $Id: twpol-FreeBSD.txt,v 1.1 2003/06/08 02:00:06 pherman Exp $
#
# This is the example Tripwire Policy file. It is intended as a place to
# start creating your own custom Tripwire Policy file. Referring to it as
# well as the Tripwire Policy Guide should give you enough information to
# make a good custom Tripwire Policy file that better covers your
# configuration and security needs. A text version of this policy file is
# called twpol.txt.
#
# Note that this file is tuned to an install of FreeBSD using
# buildworld. If run unmodified, this file should create no errors on
# database creation, or violations on a subsiquent integrity check.
# However it is impossible for there to be one policy file for all machines,
# so this existing one errs on the side of security. Your FreeBSD
# configuration will most likey differ from the one our policy file was
# tuned to, and will therefore require some editing of the default
# Tripwire Policy file.
#
# The example policy file is best run with 'Loose Directory Checking'
# enabled. Set LOOSEDIRECTORYCHECKING=TRUE in the Tripwire Configuration
# file.
#
# Email support is not included and must be added to this file.
# Add the 'emailto=' to the rule directive section of each rule (add a comma
# after the 'severity=' line and add an 'emailto=' and include the email
# addresses you want the violation reports to go to). Addresses are
# semi-colon delimited.
#
#
# Global Variable Definitions
#
# These are defined at install time by the installation script. You may
# Manually edit these if you are using this file directly and not from the
# installation script itself.
#
@@section GLOBAL
TWROOT=;
TWBIN=;
TWPOL=;
TWDB=;
TWSKEY=;
TWLKEY=;
TWREPORT=;
HOSTNAME=;
@@section FS
SEC_CRIT = $(IgnoreNone)-SHa ; # Critical files that cannot change
SEC_SUID = $(IgnoreNone)-SHa ; # Binaries with the SUID or SGID flags set
SEC_BIN = $(ReadOnly) ; # Binaries that should not change
SEC_CONFIG = $(Dynamic) ; # Config files that are changed infrequently but accessed often
SEC_TTY = $(Dynamic)-ugp ; # Tty files that change ownership at login
SEC_LOG = $(Growing) ; # Files that grow, but that should never change ownership
SEC_INVARIANT = +tpug ; # Directories that should never change permission or ownership
SIG_LOW = 33 ; # Non-critical files that are of minimal security impact
SIG_MED = 66 ; # Non-critical files that are of significant security impact
SIG_HI = 100 ; # Critical files that are significant points of vulnerability
# Tripwire Binaries
(
rulename = "Tripwire Binaries",
severity = $(SIG_HI)
)
{
$(TWBIN)/siggen -> $(SEC_BIN) ;
$(TWBIN)/tripwire -> $(SEC_BIN) ;
$(TWBIN)/twadmin -> $(SEC_BIN) ;
$(TWBIN)/twprint -> $(SEC_BIN) ;
}
# Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases
(
rulename = "Tripwire Data Files",
severity = $(SIG_HI)
)
{
# NOTE: We remove the inode attribute because when Tripwire creates a backup,
# it does so by renaming the old file and creating a new one (which will
# have a new inode number). Inode is left turned on for keys, which shouldn't
# ever change.
# NOTE: The first integrity check triggers this rule and each integrity check
# afterward triggers this rule until a database update is run, since the
# database file does not exist before that point.
$(TWDB) -> $(SEC_CONFIG) -i ;
$(TWPOL)/tw.pol -> $(SEC_BIN) -i ;
$(TWPOL)/tw.cfg -> $(SEC_BIN) -i ;
$(TWPOL)/twcfg.txt -> $(SEC_BIN) ;
$(TWPOL)/twpol.txt -> $(SEC_BIN) ;
$(TWLKEY)/$(HOSTNAME)-local.key -> $(SEC_BIN) ;
$(TWSKEY)/site.key -> $(SEC_BIN) ;
#don't scan the individual reports
$(TWREPORT) -> $(SEC_CONFIG) (recurse=0) ;
}
# Tripwire HQ Connector Binaries
#(
# rulename = "Tripwire HQ Connector Binaries",
# severity = $(SIG_HI)
#)
#{
# $(TWBIN)/hqagent -> $(SEC_BIN) ;
#}
#
# Tripwire HQ Connector - Configuration Files, Keys, and Logs
#
# Note: File locations here are different than in a stock HQ Connector
# installation. This is because Tripwire 2.3 uses a different path
# structure than Tripwire 2.2.1.
#
# You may need to update your HQ Agent configuation file (or this policy
# file) to correct the paths. We have attempted to support the FHS standard
# here by placing the HQ Agent files similarly to the way Tripwire 2.3
# places them.
#
#(
# rulename = "Tripwire HQ Connector Data Files",
# severity = $(SIG_HI)
#)
#{
#
# # NOTE: Removing the inode attribute because when Tripwire creates a backup
# # it does so by renaming the old file and creating a new one (which will
# # have a new inode number). Leaving inode turned on for keys, which
# # shouldn't ever change.
#
#
# $(TWBIN)/agent.cfg -> $(SEC_BIN) -i ;
# $(TWLKEY)/authentication.key -> $(SEC_BIN) ;
# $(TWDB)/tasks.dat -> $(SEC_CONFIG) ;
# $(TWDB)/schedule.dat -> $(SEC_CONFIG) ;
#
# # Uncomment if you have agent logging enabled.
# #/var/log/tripwire/agent.log -> $(SEC_LOG) ;
#}
# Commonly accessed directories that should remain static with regards to owner and group
(
rulename = "Invariant Directories",
severity = $(SIG_MED)
)
{
/ -> $(SEC_INVARIANT) (recurse = false) ;
/home -> $(SEC_INVARIANT) (recurse = false) ;
}
#
# First, root's "home"
#
(
rulename = "Root's home",
severity = $(SIG_HI)
)
{
# /.rhosts -> $(SEC_CRIT) ;
/.profile -> $(SEC_CRIT) ;
/.cshrc -> $(SEC_CRIT) ;
/.login -> $(SEC_CRIT) ;
# /.exrc -> $(SEC_CRIT) ;
# /.logout -> $(SEC_CRIT) ;
# /.forward -> $(SEC_CRIT) ;
/root -> $(SEC_CRIT) (recurse = true) ;
!/root/.history ;
!/root/.bash_history ;
# !/root/.lsof_SYSTEM_NAME ; # Uncomment if lsof is installed
}
#
# FreeBSD Kernel
#
(
rulename = "FreeBSD Kernel",
severity = $(SIG_HI)
)
{
/kernel -> $(SEC_CRIT) ;
/kernel.old -> $(SEC_CRIT) ;
/kernel.GENERIC -> $(SEC_CRIT) ;
}
#
# FreeBSD Modules
#
(
rulename = "FreeBSD Modules",
severity = $(SIG_HI)
)
{
/modules -> $(SEC_CRIT) (recurse = true) ;
/modules.old -> $(SEC_CRIT) (recurse = true) ;
# /lkm -> $(SEC_CRIT) (recurse = true) ; # uncomment if using lkm kld
}
#
# System Administration Programs
#
(
rulename = "System Administration Programs",
severity = $(SIG_HI)
)
{
/sbin -> $(SEC_CRIT) (recurse = true) ;
/usr/sbin -> $(SEC_CRIT) (recurse = true) ;
}
#
# User Utilities
#
(
rulename = "User Utilities",
severity = $(SIG_HI)
)
{
/bin -> $(SEC_CRIT) (recurse = true) ;
/usr/bin -> $(SEC_CRIT) (recurse = true) ;
}
#
# /dev
#
(
rulename = "/dev",
severity = $(SIG_HI)
)
{
/dev -> $(Device) (recurse = true) ;
!/dev/vga ;
!/dev/dri ;
/dev/console -> $(SEC_TTY) ;
/dev/ttyv0 -> $(SEC_TTY) ;
/dev/ttyv1 -> $(SEC_TTY) ;
/dev/ttyv2 -> $(SEC_TTY) ;
/dev/ttyv3 -> $(SEC_TTY) ;
/dev/ttyv4 -> $(SEC_TTY) ;
/dev/ttyv5 -> $(SEC_TTY) ;
/dev/ttyv6 -> $(SEC_TTY) ;
/dev/ttyv7 -> $(SEC_TTY) ;
/dev/ttyp0 -> $(SEC_TTY) ;
/dev/ttyp1 -> $(SEC_TTY) ;
/dev/ttyp2 -> $(SEC_TTY) ;
/dev/ttyp3 -> $(SEC_TTY) ;
/dev/ttyp4 -> $(SEC_TTY) ;
/dev/ttyp5 -> $(SEC_TTY) ;
/dev/ttyp6 -> $(SEC_TTY) ;
/dev/ttyp7 -> $(SEC_TTY) ;
/dev/ttyp8 -> $(SEC_TTY) ;
/dev/ttyp9 -> $(SEC_TTY) ;
/dev/ttypa -> $(SEC_TTY) ;
/dev/ttypb -> $(SEC_TTY) ;
/dev/ttypc -> $(SEC_TTY) ;
/dev/ttypd -> $(SEC_TTY) ;
/dev/ttype -> $(SEC_TTY) ;
/dev/ttypf -> $(SEC_TTY) ;
/dev/ttypg -> $(SEC_TTY) ;
/dev/ttyph -> $(SEC_TTY) ;
/dev/ttypi -> $(SEC_TTY) ;
/dev/ttypj -> $(SEC_TTY) ;
/dev/ttypl -> $(SEC_TTY) ;
/dev/ttypm -> $(SEC_TTY) ;
/dev/ttypn -> $(SEC_TTY) ;
/dev/ttypo -> $(SEC_TTY) ;
/dev/ttypp -> $(SEC_TTY) ;
/dev/ttypq -> $(SEC_TTY) ;
/dev/ttypr -> $(SEC_TTY) ;
/dev/ttyps -> $(SEC_TTY) ;
/dev/ttypt -> $(SEC_TTY) ;
/dev/ttypu -> $(SEC_TTY) ;
/dev/ttypv -> $(SEC_TTY) ;
/dev/cuaa0 -> $(SEC_TTY) ; # modem
}
#
# /etc
#
(
rulename = "/etc",
severity = $(SIG_HI)
)
{
/etc -> $(SEC_CRIT) (recurse = true) ;
# /etc/mail/aliases -> $(SEC_CONFIG) ;
/etc/dumpdates -> $(SEC_CONFIG) ;
/etc/motd -> $(SEC_CONFIG) ;
!/etc/ppp/connect-errors ;
/etc/skeykeys -> $(SEC_CONFIG) ;
# Uncomment the following 4 lines if your password file does not change
# /etc/passwd -> $(SEC_CONFIG) ;
# /etc/master.passwd -> $(SEC_CONFIG) ;
# /etc/pwd.db -> $(SEC_CONFIG) ;
# /etc/spwd.db -> $(SEC_CONFIG) ;
}
#
# Copatibility (Linux)
#
(
rulename = "Linux Compatibility",
severity = $(SIG_HI)
)
{
/compat -> $(SEC_CRIT) (recurse = true) ;
#
# Uncomment the following if Linux compatibility is used. Replace
# HOSTNAME1 and HOSTNAME2 with the hosts that have Linux emulation port
# installed.
#
#@@ifhost HOSTNAME1 || HOSTNAME2
# /compat/linux/etc -> $(SEC_INVARIANT) (recurse = false) ;
# /compat/linux/etc/X11 -> $(SEC_CONFIG) (recurse = true) ;
# /compat/linux/etc/pam.d -> $(SEC_CONFIG) (recurse = true) ;
# /compat/linux/etc/profile.d -> $(SEC_CONFIG) (recurse = true) ;
# /compat/linux/etc/real -> $(SEC_CONFIG) (recurse = true) ;
# /compat/linux/etc/bashrc -> $(SEC_CONFIG) ;
# /compat/linux/etc/csh.login -> $(SEC_CONFIG) ;
# /compat/linux/etc/host.conf -> $(SEC_CONFIG) ;
# /compat/linux/etc/hosts.allow -> $(SEC_CONFIG) ;
# /compat/linux/etc/hosts.deny -> $(SEC_CONFIG) ;
# /compat/linux/etc/info-dir -> $(SEC_CONFIG) ;
# /compat/linux/etc/inputrc -> $(SEC_CONFIG) ;
# /compat/linux/etc/ld.so.conf -> $(SEC_CONFIG) ;
# /compat/linux/etc/nsswitch.conf -> $(SEC_CONFIG) ;
# /compat/linux/etc/profile -> $(SEC_CONFIG) ;
# /compat/linux/etc/redhat-release -> $(SEC_CONFIG) ;
# /compat/linux/etc/rpc -> $(SEC_CONFIG) ;
# /compat/linux/etc/securetty -> $(SEC_CONFIG) ;
# /compat/linux/etc/shells -> $(SEC_CONFIG) ;
# /compat/linux/etc/termcap -> $(SEC_CONFIG) ;
# /compat/linux/etc/yp.conf -> $(SEC_CONFIG) ;
# !/compat/linux/etc/ld.so.cache ;
# !/compat/linux/var/spool/mail ;
#@@endif
}
#
# Libraries, include files, and other system files
#
(
rulename = "Libraries, include files, and other system files",
severity = $(SIG_HI)
)
{
/usr/include -> $(SEC_CRIT) (recurse = true) ;
/usr/lib -> $(SEC_CRIT) (recurse = true) ;
/usr/libdata -> $(SEC_CRIT) (recurse = true) ;
/usr/libexec -> $(SEC_CRIT) (recurse = true) ;
/usr/share -> $(SEC_CRIT) (recurse = true) ;
/usr/share/man -> $(SEC_CONFIG) ;
!/usr/share/man/whatis ;
!/usr/share/man/.glimpse_filenames ;
!/usr/share/man/.glimpse_filenames_index ;
!/usr/share/man/.glimpse_filetimes ;
!/usr/share/man/.glimpse_filters ;
!/usr/share/man/.glimpse_index ;
!/usr/share/man/.glimpse_messages ;
!/usr/share/man/.glimpse_partitions ;
!/usr/share/man/.glimpse_statistics ;
!/usr/share/man/.glimpse_turbo ;
/usr/share/man/man1 -> $(SEC_CRIT) (recurse = true) ;
/usr/share/man/man2 -> $(SEC_CRIT) (recurse = true) ;
/usr/share/man/man3 -> $(SEC_CRIT) (recurse = true) ;
/usr/share/man/man4 -> $(SEC_CRIT) (recurse = true) ;
/usr/share/man/man5 -> $(SEC_CRIT) (recurse = true) ;
/usr/share/man/man6 -> $(SEC_CRIT) (recurse = true) ;
/usr/share/man/man7 -> $(SEC_CRIT) (recurse = true) ;
/usr/share/man/man8 -> $(SEC_CRIT) (recurse = true) ;
/usr/share/man/man9 -> $(SEC_CRIT) (recurse = true) ;
/usr/share/man/mann -> $(SEC_CRIT) (recurse = true) ;
! /usr/share/man/cat1 ;
! /usr/share/man/cat2 ;
! /usr/share/man/cat3 ;
! /usr/share/man/cat4 ;
! /usr/share/man/cat5 ;
! /usr/share/man/cat6 ;
! /usr/share/man/cat7 ;
! /usr/share/man/cat8 ;
! /usr/share/man/cat9 ;
! /usr/share/man/catl ;
! /usr/share/man/catn ;
/usr/share/perl/man -> $(SEC_CONFIG) ;
!/usr/share/perl/man/whatis ;
!/usr/share/perl/man/.glimpse_filenames ;
!/usr/share/perl/man/.glimpse_filenames_index ;
!/usr/share/perl/man/.glimpse_filetimes ;
!/usr/share/perl/man/.glimpse_filters ;
!/usr/share/perl/man/.glimpse_index ;
!/usr/share/perl/man/.glimpse_messages ;
!/usr/share/perl/man/.glimpse_partitions ;
!/usr/share/perl/man/.glimpse_statistics ;
!/usr/share/perl/man/.glimpse_turbo ;
/usr/share/perl/man/man3 -> $(SEC_CRIT) (recurse = true) ;
! /usr/share/perl/man/cat3 ;
/usr/local/lib/perl5/5.00503/man -> $(SEC_CONFIG) ;
! /usr/local/lib/perl5/5.00503/man/whatis ;
! /usr/local/lib/perl5/5.00503/man/.glimpse_filters ;
! /usr/local/lib/perl5/5.00503/man/.glimpse_filetimes ;
! /usr/local/lib/perl5/5.00503/man/.glimpse_messages ;
! /usr/local/lib/perl5/5.00503/man/.glimpse_statistics ;
! /usr/local/lib/perl5/5.00503/man/.glimpse_index ;
! /usr/local/lib/perl5/5.00503/man/.glimpse_turbo ;
! /usr/local/lib/perl5/5.00503/man/.glimpse_partitions ;
! /usr/local/lib/perl5/5.00503/man/.glimpse_filenames ;
! /usr/local/lib/perl5/5.00503/man/.glimpse_filenames_index ;
/usr/local/lib/perl5/5.00503/man/man3 -> $(SEC_CRIT) (recurse = true) ;
! /usr/local/lib/perl5/5.00503/man/cat3 ;
}
#
# X11R6
#
(
rulename = "X11R6",
severity = $(SIG_HI)
)
{
/usr/X11R6 -> $(SEC_CRIT) (recurse = true) ;
/usr/X11R6/lib/X11/xdm -> $(SEC_CONFIG) (recurse = true) ;
!/usr/X11R6/lib/X11/xdm/xdm-errors ;
!/usr/X11R6/lib/X11/xdm/authdir/authfiles ;
!/usr/X11R6/lib/X11/xdm/xdm-pid ;
/usr/X11R6/lib/X11/xkb/compiled -> $(SEC_CONFIG) (recurse = true) ;
/usr/X11R6/man -> $(SEC_CONFIG) ;
!/usr/X11R6/man/whatis ;
!/usr/X11R6/man/.glimpse_filenames ;
!/usr/X11R6/man/.glimpse_filenames_index ;
!/usr/X11R6/man/.glimpse_filetimes ;
!/usr/X11R6/man/.glimpse_filters ;
!/usr/X11R6/man/.glimpse_index ;
!/usr/X11R6/man/.glimpse_messages ;
!/usr/X11R6/man/.glimpse_partitions ;
!/usr/X11R6/man/.glimpse_statistics ;
!/usr/X11R6/man/.glimpse_turbo ;
/usr/X11R6/man/man1 -> $(SEC_CRIT) (recurse = true) ;
/usr/X11R6/man/man2 -> $(SEC_CRIT) (recurse = true) ;
/usr/X11R6/man/man3 -> $(SEC_CRIT) (recurse = true) ;
/usr/X11R6/man/man4 -> $(SEC_CRIT) (recurse = true) ;
/usr/X11R6/man/man5 -> $(SEC_CRIT) (recurse = true) ;
/usr/X11R6/man/man6 -> $(SEC_CRIT) (recurse = true) ;
/usr/X11R6/man/man7 -> $(SEC_CRIT) (recurse = true) ;
/usr/X11R6/man/man8 -> $(SEC_CRIT) (recurse = true) ;
/usr/X11R6/man/man9 -> $(SEC_CRIT) (recurse = true) ;
/usr/X11R6/man/manl -> $(SEC_CRIT) (recurse = true) ;
/usr/X11R6/man/mann -> $(SEC_CRIT) (recurse = true) ;
! /usr/X11R6/man/cat1 ;
! /usr/X11R6/man/cat2 ;
! /usr/X11R6/man/cat3 ;
! /usr/X11R6/man/cat4 ;
! /usr/X11R6/man/cat5 ;
! /usr/X11R6/man/cat6 ;
! /usr/X11R6/man/cat7 ;
! /usr/X11R6/man/cat8 ;
! /usr/X11R6/man/cat9 ;
! /usr/X11R6/man/catl ;
! /usr/X11R6/man/catn ;
}
#
# sources
#
(
rulename = "Sources",
severity = $(SIG_HI)
)
{
/usr/src -> $(SEC_CRIT) (recurse = true) ;
/usr/src/sys/compile -> $(SEC_CONFIG) (recurse = false) ;
}
#
# NIS
#
(
rulename = "NIS",
severity = $(SIG_HI)
)
{
/var/yp -> $(SEC_CRIT) (recurse = true) ;
!/var/yp/binding ;
}
#
# Temporary directories
#
(
rulename = "Temporary directories",
recurse = false,
severity = $(SIG_LOW)
)
{
/usr/tmp -> $(SEC_INVARIANT) ;
/var/tmp -> $(SEC_INVARIANT) ;
/var/preserve -> $(SEC_INVARIANT) ;
/tmp -> $(SEC_INVARIANT) ;
}
#
# Local files
#
(
rulename = "Local files",
severity = $(SIG_MED)
)
{
/usr/local/bin -> $(SEC_BIN) (recurse = true) ;
/usr/local/sbin -> $(SEC_BIN) (recurse = true) ;
/usr/local/etc -> $(SEC_BIN) (recurse = true) ;
/usr/local/lib -> $(SEC_BIN) (recurse = true ) ;
/usr/local/libexec -> $(SEC_BIN) (recurse = true ) ;
/usr/local/share -> $(SEC_BIN) (recurse = true ) ;
/usr/local/man -> $(SEC_CONFIG) ;
!/usr/local/man/whatis ;
!/usr/local/man/.glimpse_filenames ;
!/usr/local/man/.glimpse_filenames_index ;
!/usr/local/man/.glimpse_filetimes ;
!/usr/local/man/.glimpse_filters ;
!/usr/local/man/.glimpse_index ;
!/usr/local/man/.glimpse_messages ;
!/usr/local/man/.glimpse_partitions ;
!/usr/local/man/.glimpse_statistics ;
!/usr/local/man/.glimpse_turbo ;
/usr/local/man/man1 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/man/man2 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/man/man3 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/man/man4 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/man/man5 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/man/man6 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/man/man7 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/man/man8 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/man/man9 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/man/manl -> $(SEC_CRIT) (recurse = true) ;
/usr/local/man/mann -> $(SEC_CRIT) (recurse = true) ;
! /usr/local/man/cat1 ;
! /usr/local/man/cat2 ;
! /usr/local/man/cat3 ;
! /usr/local/man/cat4 ;
! /usr/local/man/cat5 ;
! /usr/local/man/cat6 ;
! /usr/local/man/cat7 ;
! /usr/local/man/cat8 ;
! /usr/local/man/cat9 ;
! /usr/local/man/catl ;
! /usr/local/man/catn ;
/usr/local/krb5 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/krb5/man -> $(SEC_CONFIG) ;
!/usr/local/krb5/man/whatis ;
!/usr/local/krb5/man/.glimpse_filenames ;
!/usr/local/krb5/man/.glimpse_filenames_index ;
!/usr/local/krb5/man/.glimpse_filetimes ;
!/usr/local/krb5/man/.glimpse_filters ;
!/usr/local/krb5/man/.glimpse_index ;
!/usr/local/krb5/man/.glimpse_messages ;
!/usr/local/krb5/man/.glimpse_partitions ;
!/usr/local/krb5/man/.glimpse_statistics ;
!/usr/local/krb5/man/.glimpse_turbo ;
/usr/local/krb5/man/man1 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/krb5/man/man2 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/krb5/man/man3 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/krb5/man/man4 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/krb5/man/man5 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/krb5/man/man6 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/krb5/man/man7 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/krb5/man/man8 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/krb5/man/man9 -> $(SEC_CRIT) (recurse = true) ;
/usr/local/krb5/man/manl -> $(SEC_CRIT) (recurse = true) ;
/usr/local/krb5/man/mann -> $(SEC_CRIT) (recurse = true) ;
! /usr/local/krb5/man/cat1 ;
! /usr/local/krb5/man/cat2 ;
! /usr/local/krb5/man/cat3 ;
! /usr/local/krb5/man/cat4 ;
! /usr/local/krb5/man/cat5 ;
! /usr/local/krb5/man/cat6 ;
! /usr/local/krb5/man/cat7 ;
! /usr/local/krb5/man/cat8 ;
! /usr/local/krb5/man/cat9 ;
! /usr/local/krb5/man/catl ;
! /usr/local/krb5/man/catn ;
/usr/local/www -> $(SEC_CONFIG) (recurse = true) ;
}
(
rulename = "Security Control",
severity = $(SIG_HI)
)
{
/etc/group -> $(SEC_CRIT) ;
/etc/crontab -> $(SEC_CRIT) ;
}
#=============================================================================
#
# Copyright 2000-2017 Tripwire, Inc. Tripwire is a registered trademark of Tripwire,
# Inc. in the United States and other countries. All rights reserved.
#
# FreeBSD is a registered trademark of the FreeBSD Project Inc.
#
# UNIX is a registered trademark of The Open Group.
#
#=============================================================================
#
# Permission is granted to make and distribute verbatim copies of this document
# provided the copyright notice and this permission notice are preserved on all
# copies.
#
# Permission is granted to copy and distribute modified versions of this
# document under the conditions for verbatim copying, provided that the entire
# resulting derived work is distributed under the terms of a permission notice
# identical to this one.
#
# Permission is granted to copy and distribute translations of this document
# into another language, under the above conditions for modified versions,
# except that this permission notice may be stated in a translation approved by
# Tripwire, Inc.
#
# DCM

28
src/core/platform.h
View File

@ -65,6 +65,7 @@
#define OS_DRAGONFLYBSD 0x0305
#define OS_MIDNIGHTBSD 0x0306
#define OS_MIRBSD 0x0307
#define OS_BITRIG 0x0308
#define OS_SOLARIS 0x0400
#define OS_AIX 0x0401
@ -132,8 +133,18 @@
#elif defined(__linux__)
#define OS OS_LINUX
#define IS_LINUX 1
// A herd of BSDs. Have to detect MidnightBSD before FreeBSD, and MirOS & Bitrig before OpenBSD
// because they also define symbols for their ancestor BSDs.
#elif defined(__DragonFly__)
#define OS OS_DRAGONFLYBSD
#define IS_DRAGONFLYBSD 1
#elif defined(__MidnightBSD__)
#define OS OS_MIDNIGHTBSD
#define IS_MIDNIGHTBSD 1
#elif defined(__FreeBSD__)
#define OS OS_FREEBSD
#define IS_FREEBSD 1
@ -142,11 +153,14 @@
#define OS OS_NETBSD
#define IS_NETBSD 1
// Must check for __MirBSD__ symbol first since its gcc also defines __OpenBSD__
#elif defined(__MirBSD__)
#define OS OS_MIRBSD
#define IS_MIRBSD 1
#elif defined(__Bitrig__)
#define OS OS_BITRIG
#define IS_BITRIG 1
#elif defined(__OpenBSD__)
#define OS OS_OPENBSD
#define IS_OPENBSD 1
@ -155,14 +169,6 @@
#define OS OS_DARWIN
#define IS_DARWIN 1
#elif defined(__DragonFly__)
#define OS OS_DRAGONFLYBSD
#define IS_DRAGONFLYBSD 1
#elif defined(__MidnightBSD__)
#define OS OS_MIDNIGHTBSD
#define IS_MIDNIGHTBSD 1
#elif defined(__sun)
#define OS OS_SOLARIS