diff --git a/policy/twpol-Bitrig.txt b/policy/twpol-Bitrig.txt new file mode 100644 index 0000000..7130be2 --- /dev/null +++ b/policy/twpol-Bitrig.txt @@ -0,0 +1,292 @@ + ############################################################################## + # ## +############################################################################## # +# # # +# Policy file for Bitrig 1.x # # +# (adapted from OpenBSD policy) # # +# ## +############################################################################## + + ############################################################################## + # ## +############################################################################## # +# # # +# Global Variable Definitions # # +# # # +# These are defined at install time by the installation script. You may # # +# manually edit these if you are using this file directly and not from the # # +# installation script itself. # # +# ## +############################################################################## + +@@section GLOBAL +TWROOT=; +TWBIN=; +TWPOL=; +TWDB=; +TWSKEY=; +TWLKEY=; +TWREPORT=; +HOSTNAME=; + + ############################################################################## + # Predefined Variables # +############################################################################## +# +# Property Masks +# +# - ignore the following properties +# + check the following properties +# +# a access timestamp (mutually exclusive with +CMSH) +# b number of blocks allocated +# c inode creation/modification timestamp +# d ID of device on which inode resides +# g group id of owner +# i inode number +# l growing files (logfiles for example) +# m modification timestamp +# n number of links +# p permission and file mode bits +# r ID of device pointed to by inode (valid only for device objects) +# s file size +# t file type +# u user id of owner +# +# C CRC-32 hash +# H HAVAL hash +# M MD5 hash +# S SHA hash +# +############################################################################## + +Device = +pugsdr-intlbamcCMSH ; +Dynamic = +pinugtd-srlbamcCMSH ; +Growing = +pinugtdl-srbamcCMSH ; +IgnoreAll = -pinugtsdrlbamcCMSH ; +IgnoreNone = +pinugtsdrbamcCMSH-l ; +ReadOnly = +pinugtsdbmCM-rlacSH ; +Temporary = +pugt ; + +@@section FS + + ######################################## + # ## +######################################## # +# # # +# Tripwire Binaries and Data Files # # +# ## +######################################## + +# Tripwire Binaries +( + rulename = "Tripwire Binaries", +) +{ + $(TWBIN)/siggen -> $(ReadOnly) ; + $(TWBIN)/tripwire -> $(ReadOnly) ; + $(TWBIN)/twadmin -> $(ReadOnly) ; + $(TWBIN)/twprint -> $(ReadOnly) ; +} + +# Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases +( + rulename = "Tripwire Data Files", +) +{ + # NOTE: We remove the inode attribute because when Tripwire creates a backup, + # it does so by renaming the old file and creating a new one (which will + # have a new inode number). Inode is left turned on for keys, which shouldn't + # ever change. + + # NOTE: The first integrity check triggers this rule and each integrity check + # afterward triggers this rule until a database update is run, since the + # database file does not exist before that point. + + $(TWDB) -> $(Dynamic) -i ; + $(TWPOL)/tw.pol -> $(ReadOnly) -i ; + $(TWPOL)/tw.cfg -> $(ReadOnly) -i ; + $(TWLKEY)/$(HOSTNAME)-local.key -> $(ReadOnly) ; + $(TWSKEY)/site.key -> $(ReadOnly) ; + + # don't scan the individual reports + $(TWREPORT) -> $(Dynamic) (recurse=0) ; + + # In this configuration /usr/local is a symbolic link to /home/local. + # We want to ignore the following directories since they are already + # scanned using the real directory or mount point. Otherwise we see + # duplicates in the reports. + + !/home/local ; +} + + ################################################ + # ## +################################################ # +# # # +# OS Boot and Configuration Files # # +# ## +################################################ +( + rulename = "OS Boot and Configuration Files", +) +{ + /boot -> $(ReadOnly) ; + /bsd -> $(ReadOnly) ; + /etc -> $(IgnoreNone) -SHa ; +} + + ################################################### + # ## +################################################### # +# # # +# Mount Points # # +# ## +################################################### +( + rulename = "Mount Points", +) +{ + / -> $(ReadOnly) ; + /cdrom -> $(Dynamic) ; + /floppy -> $(Dynamic) ; + /home -> $(ReadOnly) ; # Modify as needed + /mnt -> $(Dynamic) ; + /usr -> $(ReadOnly) ; + /var -> $(ReadOnly) ; +} + + ################################################### + # ## +################################################### # +# # # +# Misc Top-Level Directories # # +# ## +################################################### +( + rulename = "Misc Top-Level Directories", +) +{ + /altroot -> $(Dynamic) ; + /stand -> $(Dynamic) ; +} + + ################################################ + # ## +################################################ # +# # # +# System Devices # # +# ## +################################################ +( + rulename = "System Devices", +) +{ + /dev -> $(Device) ; + /dev/fd -> $(Device) ; + /var/cron/tabs/.sock -> $(Device) ; + /var/empty/dev/log -> $(Device) ; +} + + ################################################ + # ## +################################################ # +# # # +# OS Binaries and Libraries # # +# ## +################################################ +( + rulename = "OS Binaries and Libraries", +) +{ + /bin -> $(ReadOnly) ; + /sbin -> $(ReadOnly) ; + /usr/bin -> $(ReadOnly) ; + /usr/lib -> $(ReadOnly) ; + /usr/libexec -> $(ReadOnly) ; + /usr/sbin -> $(ReadOnly) ; + /usr/X11R6/bin -> $(ReadOnly) ; + /usr/X11R6/lib -> $(ReadOnly) ; +} + ################################################ + # ## +################################################ # +# # # +# Usr Local Files # # +# ## +################################################ +#OK( + #OKrulename = "Usr Local Files", +#OK) +#OK{ + #OK/usr/local -> $(ReadOnly) ; + #OK/usr/local/bin -> $(ReadOnly) ; + #OK/usr/local/doc -> $(ReadOnly) ; + #OK/usr/local/etc -> $(ReadOnly) ; + #OK/usr/local/include -> $(ReadOnly) ; + #OK/usr/local/info -> $(ReadOnly) ; + #OK/usr/local/lib -> $(ReadOnly) ; + #OK/usr/local/libdata -> $(ReadOnly) ; + #OK/usr/local/libexec -> $(ReadOnly) ; + #OK/usr/local/man -> $(ReadOnly) ; + #OK/usr/local/sbin -> $(ReadOnly) ; + #OK/usr/local/share -> $(ReadOnly) ; + #OK/usr/local/src -> $(ReadOnly) ; +#OK} + + ################################################ + # ## +################################################ # +# # # +# Root Directory and Files # # +# ## +################################################ +( + rulename = "Root Directory and Files", +) +{ + /root -> $(IgnoreNone) -SHa ; + /root/.cshrc -> $(Dynamic) ; + /root/.profile -> $(Dynamic) ; +} + + ################################################ + # ## +################################################ # +# # # +# Temporary Directories # # +# ## +################################################ +( + rulename = "Temporary Directories", +) +{ + /tmp -> $(Temporary) ; + /var/tmp -> $(Temporary) ; +} + + ################################################ + # ## +################################################ # +# # # +# System and Boot Changes # # +# ## +################################################ +( + rulename = "System and Boot Changes", +) +{ + /var/backups -> $(Dynamic) -i ; + /var/db/host.random -> $(ReadOnly) -mCM ; + /var/cron -> $(Growing) -i ; + /var/log -> $(Growing) -i ; + /var/run -> $(Dynamic) -i ; + /var/mail -> $(Growing) ; + /var/msgs/bounds -> $(ReadOnly) -smbCM ; + /var/spool/clientmqueue -> $(Temporary) ; + /var/spool/mqueue -> $(Temporary) ; +} + +# +# $Id: twpol-OpenBSD.txt,v 1.2 2004/05/14 21:56:21 pherman Exp $ +# diff --git a/policy/twpol-DragonFly.txt b/policy/twpol-DragonFly.txt new file mode 100644 index 0000000..1c3f184 --- /dev/null +++ b/policy/twpol-DragonFly.txt @@ -0,0 +1,656 @@ +# +# Policy file for DragonFly BSD +# (adapted from FreeBSD policy) +# +# $FreeBSD: ports/security/tripwire/files/twpol.txt,v 1.2 2002/03/04 16:55:21 cy Exp $ +# $Id: twpol-FreeBSD.txt,v 1.1 2003/06/08 02:00:06 pherman Exp $ + +# +# This is the example Tripwire Policy file. It is intended as a place to +# start creating your own custom Tripwire Policy file. Referring to it as +# well as the Tripwire Policy Guide should give you enough information to +# make a good custom Tripwire Policy file that better covers your +# configuration and security needs. A text version of this policy file is +# called twpol.txt. +# +# Note that this file is tuned to an install of FreeBSD using +# buildworld. If run unmodified, this file should create no errors on +# database creation, or violations on a subsiquent integrity check. +# However it is impossible for there to be one policy file for all machines, +# so this existing one errs on the side of security. Your FreeBSD +# configuration will most likey differ from the one our policy file was +# tuned to, and will therefore require some editing of the default +# Tripwire Policy file. +# +# The example policy file is best run with 'Loose Directory Checking' +# enabled. Set LOOSEDIRECTORYCHECKING=TRUE in the Tripwire Configuration +# file. +# +# Email support is not included and must be added to this file. +# Add the 'emailto=' to the rule directive section of each rule (add a comma +# after the 'severity=' line and add an 'emailto=' and include the email +# addresses you want the violation reports to go to). Addresses are +# semi-colon delimited. +# + + + +# +# Global Variable Definitions +# +# These are defined at install time by the installation script. You may +# Manually edit these if you are using this file directly and not from the +# installation script itself. +# + +@@section GLOBAL +TWROOT=; +TWBIN=; +TWPOL=; +TWDB=; +TWSKEY=; +TWLKEY=; +TWREPORT=; +HOSTNAME=; + +@@section FS +SEC_CRIT = $(IgnoreNone)-SHa ; # Critical files that cannot change +SEC_SUID = $(IgnoreNone)-SHa ; # Binaries with the SUID or SGID flags set +SEC_BIN = $(ReadOnly) ; # Binaries that should not change +SEC_CONFIG = $(Dynamic) ; # Config files that are changed infrequently but accessed often +SEC_TTY = $(Dynamic)-ugp ; # Tty files that change ownership at login +SEC_LOG = $(Growing) ; # Files that grow, but that should never change ownership +SEC_INVARIANT = +tpug ; # Directories that should never change permission or ownership +SIG_LOW = 33 ; # Non-critical files that are of minimal security impact +SIG_MED = 66 ; # Non-critical files that are of significant security impact +SIG_HI = 100 ; # Critical files that are significant points of vulnerability + + +# Tripwire Binaries +( + rulename = "Tripwire Binaries", + severity = $(SIG_HI) +) +{ + $(TWBIN)/siggen -> $(SEC_BIN) ; + $(TWBIN)/tripwire -> $(SEC_BIN) ; + $(TWBIN)/twadmin -> $(SEC_BIN) ; + $(TWBIN)/twprint -> $(SEC_BIN) ; +} + +# Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases +( + rulename = "Tripwire Data Files", + severity = $(SIG_HI) +) +{ + # NOTE: We remove the inode attribute because when Tripwire creates a backup, + # it does so by renaming the old file and creating a new one (which will + # have a new inode number). Inode is left turned on for keys, which shouldn't + # ever change. + + # NOTE: The first integrity check triggers this rule and each integrity check + # afterward triggers this rule until a database update is run, since the + # database file does not exist before that point. + + $(TWDB) -> $(SEC_CONFIG) -i ; + $(TWPOL)/tw.pol -> $(SEC_BIN) -i ; + $(TWPOL)/tw.cfg -> $(SEC_BIN) -i ; + $(TWPOL)/twcfg.txt -> $(SEC_BIN) ; + $(TWPOL)/twpol.txt -> $(SEC_BIN) ; + $(TWLKEY)/$(HOSTNAME)-local.key -> $(SEC_BIN) ; + $(TWSKEY)/site.key -> $(SEC_BIN) ; + + #don't scan the individual reports + $(TWREPORT) -> $(SEC_CONFIG) (recurse=0) ; +} + + +# Tripwire HQ Connector Binaries +#( +# rulename = "Tripwire HQ Connector Binaries", +# severity = $(SIG_HI) +#) +#{ +# $(TWBIN)/hqagent -> $(SEC_BIN) ; +#} +# +# Tripwire HQ Connector - Configuration Files, Keys, and Logs + +# +# Note: File locations here are different than in a stock HQ Connector +# installation. This is because Tripwire 2.3 uses a different path +# structure than Tripwire 2.2.1. +# +# You may need to update your HQ Agent configuation file (or this policy +# file) to correct the paths. We have attempted to support the FHS standard +# here by placing the HQ Agent files similarly to the way Tripwire 2.3 +# places them. +# + +#( +# rulename = "Tripwire HQ Connector Data Files", +# severity = $(SIG_HI) +#) +#{ +# +# # NOTE: Removing the inode attribute because when Tripwire creates a backup +# # it does so by renaming the old file and creating a new one (which will +# # have a new inode number). Leaving inode turned on for keys, which +# # shouldn't ever change. +# +# +# $(TWBIN)/agent.cfg -> $(SEC_BIN) -i ; +# $(TWLKEY)/authentication.key -> $(SEC_BIN) ; +# $(TWDB)/tasks.dat -> $(SEC_CONFIG) ; +# $(TWDB)/schedule.dat -> $(SEC_CONFIG) ; +# +# # Uncomment if you have agent logging enabled. +# #/var/log/tripwire/agent.log -> $(SEC_LOG) ; +#} + + + +# Commonly accessed directories that should remain static with regards to owner and group +( + rulename = "Invariant Directories", + severity = $(SIG_MED) +) +{ + / -> $(SEC_INVARIANT) (recurse = false) ; + /home -> $(SEC_INVARIANT) (recurse = false) ; +} + +# +# First, root's "home" +# + +( + rulename = "Root's home", + severity = $(SIG_HI) +) +{ + # /.rhosts -> $(SEC_CRIT) ; + /.profile -> $(SEC_CRIT) ; + /.cshrc -> $(SEC_CRIT) ; + /.login -> $(SEC_CRIT) ; + # /.exrc -> $(SEC_CRIT) ; + # /.logout -> $(SEC_CRIT) ; + # /.forward -> $(SEC_CRIT) ; + /root -> $(SEC_CRIT) (recurse = true) ; + !/root/.history ; + !/root/.bash_history ; + # !/root/.lsof_SYSTEM_NAME ; # Uncomment if lsof is installed +} + + +# +# FreeBSD Kernel +# + +( + rulename = "FreeBSD Kernel", + severity = $(SIG_HI) +) +{ + /kernel -> $(SEC_CRIT) ; + /kernel.old -> $(SEC_CRIT) ; + /kernel.GENERIC -> $(SEC_CRIT) ; +} + + +# +# FreeBSD Modules +# + +( + rulename = "FreeBSD Modules", + severity = $(SIG_HI) +) +{ + /modules -> $(SEC_CRIT) (recurse = true) ; + /modules.old -> $(SEC_CRIT) (recurse = true) ; + # /lkm -> $(SEC_CRIT) (recurse = true) ; # uncomment if using lkm kld +} + + +# +# System Administration Programs +# + +( + rulename = "System Administration Programs", + severity = $(SIG_HI) +) +{ + /sbin -> $(SEC_CRIT) (recurse = true) ; + /usr/sbin -> $(SEC_CRIT) (recurse = true) ; +} + + +# +# User Utilities +# + +( + rulename = "User Utilities", + severity = $(SIG_HI) +) +{ + /bin -> $(SEC_CRIT) (recurse = true) ; + /usr/bin -> $(SEC_CRIT) (recurse = true) ; +} + + +# +# /dev +# + +( + rulename = "/dev", + severity = $(SIG_HI) +) +{ + /dev -> $(Device) (recurse = true) ; + !/dev/vga ; + !/dev/dri ; + /dev/console -> $(SEC_TTY) ; + /dev/ttyv0 -> $(SEC_TTY) ; + /dev/ttyv1 -> $(SEC_TTY) ; + /dev/ttyv2 -> $(SEC_TTY) ; + /dev/ttyv3 -> $(SEC_TTY) ; + /dev/ttyv4 -> $(SEC_TTY) ; + /dev/ttyv5 -> $(SEC_TTY) ; + /dev/ttyv6 -> $(SEC_TTY) ; + /dev/ttyv7 -> $(SEC_TTY) ; + /dev/ttyp0 -> $(SEC_TTY) ; + /dev/ttyp1 -> $(SEC_TTY) ; + /dev/ttyp2 -> $(SEC_TTY) ; + /dev/ttyp3 -> $(SEC_TTY) ; + /dev/ttyp4 -> $(SEC_TTY) ; + /dev/ttyp5 -> $(SEC_TTY) ; + /dev/ttyp6 -> $(SEC_TTY) ; + /dev/ttyp7 -> $(SEC_TTY) ; + /dev/ttyp8 -> $(SEC_TTY) ; + /dev/ttyp9 -> $(SEC_TTY) ; + /dev/ttypa -> $(SEC_TTY) ; + /dev/ttypb -> $(SEC_TTY) ; + /dev/ttypc -> $(SEC_TTY) ; + /dev/ttypd -> $(SEC_TTY) ; + /dev/ttype -> $(SEC_TTY) ; + /dev/ttypf -> $(SEC_TTY) ; + /dev/ttypg -> $(SEC_TTY) ; + /dev/ttyph -> $(SEC_TTY) ; + /dev/ttypi -> $(SEC_TTY) ; + /dev/ttypj -> $(SEC_TTY) ; + /dev/ttypl -> $(SEC_TTY) ; + /dev/ttypm -> $(SEC_TTY) ; + /dev/ttypn -> $(SEC_TTY) ; + /dev/ttypo -> $(SEC_TTY) ; + /dev/ttypp -> $(SEC_TTY) ; + /dev/ttypq -> $(SEC_TTY) ; + /dev/ttypr -> $(SEC_TTY) ; + /dev/ttyps -> $(SEC_TTY) ; + /dev/ttypt -> $(SEC_TTY) ; + /dev/ttypu -> $(SEC_TTY) ; + /dev/ttypv -> $(SEC_TTY) ; + /dev/cuaa0 -> $(SEC_TTY) ; # modem +} + + +# +# /etc +# + +( + rulename = "/etc", + severity = $(SIG_HI) +) +{ + /etc -> $(SEC_CRIT) (recurse = true) ; + # /etc/mail/aliases -> $(SEC_CONFIG) ; + /etc/dumpdates -> $(SEC_CONFIG) ; + /etc/motd -> $(SEC_CONFIG) ; + !/etc/ppp/connect-errors ; + /etc/skeykeys -> $(SEC_CONFIG) ; + # Uncomment the following 4 lines if your password file does not change + # /etc/passwd -> $(SEC_CONFIG) ; + # /etc/master.passwd -> $(SEC_CONFIG) ; + # /etc/pwd.db -> $(SEC_CONFIG) ; + # /etc/spwd.db -> $(SEC_CONFIG) ; +} + + +# +# Copatibility (Linux) +# + +( + rulename = "Linux Compatibility", + severity = $(SIG_HI) +) +{ + /compat -> $(SEC_CRIT) (recurse = true) ; +# +# Uncomment the following if Linux compatibility is used. Replace +# HOSTNAME1 and HOSTNAME2 with the hosts that have Linux emulation port +# installed. +# +#@@ifhost HOSTNAME1 || HOSTNAME2 +# /compat/linux/etc -> $(SEC_INVARIANT) (recurse = false) ; +# /compat/linux/etc/X11 -> $(SEC_CONFIG) (recurse = true) ; +# /compat/linux/etc/pam.d -> $(SEC_CONFIG) (recurse = true) ; +# /compat/linux/etc/profile.d -> $(SEC_CONFIG) (recurse = true) ; +# /compat/linux/etc/real -> $(SEC_CONFIG) (recurse = true) ; +# /compat/linux/etc/bashrc -> $(SEC_CONFIG) ; +# /compat/linux/etc/csh.login -> $(SEC_CONFIG) ; +# /compat/linux/etc/host.conf -> $(SEC_CONFIG) ; +# /compat/linux/etc/hosts.allow -> $(SEC_CONFIG) ; +# /compat/linux/etc/hosts.deny -> $(SEC_CONFIG) ; +# /compat/linux/etc/info-dir -> $(SEC_CONFIG) ; +# /compat/linux/etc/inputrc -> $(SEC_CONFIG) ; +# /compat/linux/etc/ld.so.conf -> $(SEC_CONFIG) ; +# /compat/linux/etc/nsswitch.conf -> $(SEC_CONFIG) ; +# /compat/linux/etc/profile -> $(SEC_CONFIG) ; +# /compat/linux/etc/redhat-release -> $(SEC_CONFIG) ; +# /compat/linux/etc/rpc -> $(SEC_CONFIG) ; +# /compat/linux/etc/securetty -> $(SEC_CONFIG) ; +# /compat/linux/etc/shells -> $(SEC_CONFIG) ; +# /compat/linux/etc/termcap -> $(SEC_CONFIG) ; +# /compat/linux/etc/yp.conf -> $(SEC_CONFIG) ; +# !/compat/linux/etc/ld.so.cache ; +# !/compat/linux/var/spool/mail ; +#@@endif +} + + +# +# Libraries, include files, and other system files +# + +( + rulename = "Libraries, include files, and other system files", + severity = $(SIG_HI) +) +{ + /usr/include -> $(SEC_CRIT) (recurse = true) ; + /usr/lib -> $(SEC_CRIT) (recurse = true) ; + /usr/libdata -> $(SEC_CRIT) (recurse = true) ; + /usr/libexec -> $(SEC_CRIT) (recurse = true) ; + /usr/share -> $(SEC_CRIT) (recurse = true) ; + /usr/share/man -> $(SEC_CONFIG) ; + !/usr/share/man/whatis ; + !/usr/share/man/.glimpse_filenames ; + !/usr/share/man/.glimpse_filenames_index ; + !/usr/share/man/.glimpse_filetimes ; + !/usr/share/man/.glimpse_filters ; + !/usr/share/man/.glimpse_index ; + !/usr/share/man/.glimpse_messages ; + !/usr/share/man/.glimpse_partitions ; + !/usr/share/man/.glimpse_statistics ; + !/usr/share/man/.glimpse_turbo ; + /usr/share/man/man1 -> $(SEC_CRIT) (recurse = true) ; + /usr/share/man/man2 -> $(SEC_CRIT) (recurse = true) ; + /usr/share/man/man3 -> $(SEC_CRIT) (recurse = true) ; + /usr/share/man/man4 -> $(SEC_CRIT) (recurse = true) ; + /usr/share/man/man5 -> $(SEC_CRIT) (recurse = true) ; + /usr/share/man/man6 -> $(SEC_CRIT) (recurse = true) ; + /usr/share/man/man7 -> $(SEC_CRIT) (recurse = true) ; + /usr/share/man/man8 -> $(SEC_CRIT) (recurse = true) ; + /usr/share/man/man9 -> $(SEC_CRIT) (recurse = true) ; + /usr/share/man/mann -> $(SEC_CRIT) (recurse = true) ; + ! /usr/share/man/cat1 ; + ! /usr/share/man/cat2 ; + ! /usr/share/man/cat3 ; + ! /usr/share/man/cat4 ; + ! /usr/share/man/cat5 ; + ! /usr/share/man/cat6 ; + ! /usr/share/man/cat7 ; + ! /usr/share/man/cat8 ; + ! /usr/share/man/cat9 ; + ! /usr/share/man/catl ; + ! /usr/share/man/catn ; + /usr/share/perl/man -> $(SEC_CONFIG) ; + !/usr/share/perl/man/whatis ; + !/usr/share/perl/man/.glimpse_filenames ; + !/usr/share/perl/man/.glimpse_filenames_index ; + !/usr/share/perl/man/.glimpse_filetimes ; + !/usr/share/perl/man/.glimpse_filters ; + !/usr/share/perl/man/.glimpse_index ; + !/usr/share/perl/man/.glimpse_messages ; + !/usr/share/perl/man/.glimpse_partitions ; + !/usr/share/perl/man/.glimpse_statistics ; + !/usr/share/perl/man/.glimpse_turbo ; + /usr/share/perl/man/man3 -> $(SEC_CRIT) (recurse = true) ; + ! /usr/share/perl/man/cat3 ; + /usr/local/lib/perl5/5.00503/man -> $(SEC_CONFIG) ; + ! /usr/local/lib/perl5/5.00503/man/whatis ; + ! /usr/local/lib/perl5/5.00503/man/.glimpse_filters ; + ! /usr/local/lib/perl5/5.00503/man/.glimpse_filetimes ; + ! /usr/local/lib/perl5/5.00503/man/.glimpse_messages ; + ! /usr/local/lib/perl5/5.00503/man/.glimpse_statistics ; + ! /usr/local/lib/perl5/5.00503/man/.glimpse_index ; + ! /usr/local/lib/perl5/5.00503/man/.glimpse_turbo ; + ! /usr/local/lib/perl5/5.00503/man/.glimpse_partitions ; + ! /usr/local/lib/perl5/5.00503/man/.glimpse_filenames ; + ! /usr/local/lib/perl5/5.00503/man/.glimpse_filenames_index ; + /usr/local/lib/perl5/5.00503/man/man3 -> $(SEC_CRIT) (recurse = true) ; + ! /usr/local/lib/perl5/5.00503/man/cat3 ; +} + + +# +# X11R6 +# + +( + rulename = "X11R6", + severity = $(SIG_HI) +) +{ + /usr/X11R6 -> $(SEC_CRIT) (recurse = true) ; + /usr/X11R6/lib/X11/xdm -> $(SEC_CONFIG) (recurse = true) ; + !/usr/X11R6/lib/X11/xdm/xdm-errors ; + !/usr/X11R6/lib/X11/xdm/authdir/authfiles ; + !/usr/X11R6/lib/X11/xdm/xdm-pid ; + /usr/X11R6/lib/X11/xkb/compiled -> $(SEC_CONFIG) (recurse = true) ; + /usr/X11R6/man -> $(SEC_CONFIG) ; + !/usr/X11R6/man/whatis ; + !/usr/X11R6/man/.glimpse_filenames ; + !/usr/X11R6/man/.glimpse_filenames_index ; + !/usr/X11R6/man/.glimpse_filetimes ; + !/usr/X11R6/man/.glimpse_filters ; + !/usr/X11R6/man/.glimpse_index ; + !/usr/X11R6/man/.glimpse_messages ; + !/usr/X11R6/man/.glimpse_partitions ; + !/usr/X11R6/man/.glimpse_statistics ; + !/usr/X11R6/man/.glimpse_turbo ; + /usr/X11R6/man/man1 -> $(SEC_CRIT) (recurse = true) ; + /usr/X11R6/man/man2 -> $(SEC_CRIT) (recurse = true) ; + /usr/X11R6/man/man3 -> $(SEC_CRIT) (recurse = true) ; + /usr/X11R6/man/man4 -> $(SEC_CRIT) (recurse = true) ; + /usr/X11R6/man/man5 -> $(SEC_CRIT) (recurse = true) ; + /usr/X11R6/man/man6 -> $(SEC_CRIT) (recurse = true) ; + /usr/X11R6/man/man7 -> $(SEC_CRIT) (recurse = true) ; + /usr/X11R6/man/man8 -> $(SEC_CRIT) (recurse = true) ; + /usr/X11R6/man/man9 -> $(SEC_CRIT) (recurse = true) ; + /usr/X11R6/man/manl -> $(SEC_CRIT) (recurse = true) ; + /usr/X11R6/man/mann -> $(SEC_CRIT) (recurse = true) ; + ! /usr/X11R6/man/cat1 ; + ! /usr/X11R6/man/cat2 ; + ! /usr/X11R6/man/cat3 ; + ! /usr/X11R6/man/cat4 ; + ! /usr/X11R6/man/cat5 ; + ! /usr/X11R6/man/cat6 ; + ! /usr/X11R6/man/cat7 ; + ! /usr/X11R6/man/cat8 ; + ! /usr/X11R6/man/cat9 ; + ! /usr/X11R6/man/catl ; + ! /usr/X11R6/man/catn ; +} + + +# +# sources +# + +( + rulename = "Sources", + severity = $(SIG_HI) +) +{ + /usr/src -> $(SEC_CRIT) (recurse = true) ; + /usr/src/sys/compile -> $(SEC_CONFIG) (recurse = false) ; +} + + +# +# NIS +# + +( + rulename = "NIS", + severity = $(SIG_HI) +) +{ + /var/yp -> $(SEC_CRIT) (recurse = true) ; + !/var/yp/binding ; +} + + +# +# Temporary directories +# +( + rulename = "Temporary directories", + recurse = false, + severity = $(SIG_LOW) +) +{ + /usr/tmp -> $(SEC_INVARIANT) ; + /var/tmp -> $(SEC_INVARIANT) ; + /var/preserve -> $(SEC_INVARIANT) ; + /tmp -> $(SEC_INVARIANT) ; +} + +# +# Local files +# + +( + rulename = "Local files", + severity = $(SIG_MED) +) +{ + /usr/local/bin -> $(SEC_BIN) (recurse = true) ; + /usr/local/sbin -> $(SEC_BIN) (recurse = true) ; + /usr/local/etc -> $(SEC_BIN) (recurse = true) ; + /usr/local/lib -> $(SEC_BIN) (recurse = true ) ; + /usr/local/libexec -> $(SEC_BIN) (recurse = true ) ; + /usr/local/share -> $(SEC_BIN) (recurse = true ) ; + /usr/local/man -> $(SEC_CONFIG) ; + !/usr/local/man/whatis ; + !/usr/local/man/.glimpse_filenames ; + !/usr/local/man/.glimpse_filenames_index ; + !/usr/local/man/.glimpse_filetimes ; + !/usr/local/man/.glimpse_filters ; + !/usr/local/man/.glimpse_index ; + !/usr/local/man/.glimpse_messages ; + !/usr/local/man/.glimpse_partitions ; + !/usr/local/man/.glimpse_statistics ; + !/usr/local/man/.glimpse_turbo ; + /usr/local/man/man1 -> $(SEC_CRIT) (recurse = true) ; + /usr/local/man/man2 -> $(SEC_CRIT) (recurse = true) ; + /usr/local/man/man3 -> $(SEC_CRIT) (recurse = true) ; + /usr/local/man/man4 -> $(SEC_CRIT) (recurse = true) ; + /usr/local/man/man5 -> $(SEC_CRIT) (recurse = true) ; + /usr/local/man/man6 -> $(SEC_CRIT) (recurse = true) ; + /usr/local/man/man7 -> $(SEC_CRIT) (recurse = true) ; + /usr/local/man/man8 -> $(SEC_CRIT) (recurse = true) ; + /usr/local/man/man9 -> $(SEC_CRIT) (recurse = true) ; + /usr/local/man/manl -> $(SEC_CRIT) (recurse = true) ; + /usr/local/man/mann -> $(SEC_CRIT) (recurse = true) ; + ! /usr/local/man/cat1 ; + ! /usr/local/man/cat2 ; + ! /usr/local/man/cat3 ; + ! /usr/local/man/cat4 ; + ! /usr/local/man/cat5 ; + ! /usr/local/man/cat6 ; + ! /usr/local/man/cat7 ; + ! /usr/local/man/cat8 ; + ! /usr/local/man/cat9 ; + ! /usr/local/man/catl ; + ! /usr/local/man/catn ; + /usr/local/krb5 -> $(SEC_CRIT) (recurse = true) ; + /usr/local/krb5/man -> $(SEC_CONFIG) ; + !/usr/local/krb5/man/whatis ; + !/usr/local/krb5/man/.glimpse_filenames ; + !/usr/local/krb5/man/.glimpse_filenames_index ; + !/usr/local/krb5/man/.glimpse_filetimes ; + !/usr/local/krb5/man/.glimpse_filters ; + !/usr/local/krb5/man/.glimpse_index ; + !/usr/local/krb5/man/.glimpse_messages ; + !/usr/local/krb5/man/.glimpse_partitions ; + !/usr/local/krb5/man/.glimpse_statistics ; + !/usr/local/krb5/man/.glimpse_turbo ; + /usr/local/krb5/man/man1 -> $(SEC_CRIT) (recurse = true) ; + /usr/local/krb5/man/man2 -> $(SEC_CRIT) (recurse = true) ; + /usr/local/krb5/man/man3 -> $(SEC_CRIT) (recurse = true) ; + /usr/local/krb5/man/man4 -> $(SEC_CRIT) (recurse = true) ; + /usr/local/krb5/man/man5 -> $(SEC_CRIT) (recurse = true) ; + /usr/local/krb5/man/man6 -> $(SEC_CRIT) (recurse = true) ; + /usr/local/krb5/man/man7 -> $(SEC_CRIT) (recurse = true) ; + /usr/local/krb5/man/man8 -> $(SEC_CRIT) (recurse = true) ; + /usr/local/krb5/man/man9 -> $(SEC_CRIT) (recurse = true) ; + /usr/local/krb5/man/manl -> $(SEC_CRIT) (recurse = true) ; + /usr/local/krb5/man/mann -> $(SEC_CRIT) (recurse = true) ; + ! /usr/local/krb5/man/cat1 ; + ! /usr/local/krb5/man/cat2 ; + ! /usr/local/krb5/man/cat3 ; + ! /usr/local/krb5/man/cat4 ; + ! /usr/local/krb5/man/cat5 ; + ! /usr/local/krb5/man/cat6 ; + ! /usr/local/krb5/man/cat7 ; + ! /usr/local/krb5/man/cat8 ; + ! /usr/local/krb5/man/cat9 ; + ! /usr/local/krb5/man/catl ; + ! /usr/local/krb5/man/catn ; + /usr/local/www -> $(SEC_CONFIG) (recurse = true) ; +} + + +( + rulename = "Security Control", + severity = $(SIG_HI) +) +{ + /etc/group -> $(SEC_CRIT) ; + /etc/crontab -> $(SEC_CRIT) ; +} + +#============================================================================= +# +# Copyright 2000-2017 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, +# Inc. in the United States and other countries. All rights reserved. +# +# FreeBSD is a registered trademark of the FreeBSD Project Inc. +# +# UNIX is a registered trademark of The Open Group. +# +#============================================================================= +# +# Permission is granted to make and distribute verbatim copies of this document +# provided the copyright notice and this permission notice are preserved on all +# copies. +# +# Permission is granted to copy and distribute modified versions of this +# document under the conditions for verbatim copying, provided that the entire +# resulting derived work is distributed under the terms of a permission notice +# identical to this one. +# +# Permission is granted to copy and distribute translations of this document +# into another language, under the above conditions for modified versions, +# except that this permission notice may be stated in a translation approved by +# Tripwire, Inc. +# +# DCM diff --git a/policy/twpol-HP-UX.txt b/policy/twpol-HP-UX.txt new file mode 100644 index 0000000..176aa5d --- /dev/null +++ b/policy/twpol-HP-UX.txt @@ -0,0 +1,1106 @@ + ############################################################################## + # ## +############################################################################## # +# # # +# Policy file for HP-UX # # +# (adapted from OST generic policy) # # +# ## +############################################################################## + + + ############################################################################## + # ## +############################################################################## # +# # # +# This is the example Tripwire Policy file. It is intended as a place to # # +# start creating your own custom Tripwire Policy file. Referring to it as # # +# well as the Tripwire Policy Guide should give you enough information to # # +# make a good custom Tripwire Policy file that better covers your # # +# configuration and security needs. A text version of this policy file is # # +# called twpol.txt. # # +# # # +# Note that this file is tuned to an 'everything' install of Red Hat Linux. # # +# If run unmodified, this file should create no errors on database # # +# creation, or violations on a subsiquent integrity check. However, it is # # +# impossible for there to be one policy file for all machines, so this # # +# existing one errs on the side of security. Your Linux configuration will # # +# most likey differ from the one our policy file was tuned to, and will # # +# therefore require some editing of the default Tripwire Policy file. # # +# # # +# The example policy file is best run with 'Loose Directory Checking' # # +# enabled. Set LOOSEDIRECTORYCHECKING=TRUE in the Tripwire Configuration # # +# file. # # +# # # +# Email support is not included and must be added to this file. # # +# Add the 'emailto=' to the rule directive section of each rule (add a comma # # +# after the 'severity=' line and add an 'emailto=' and include the email # # +# addresses you want the violation reports to go to). Addresses are # # +# semi-colon delimited. # # +# ## +############################################################################## + + + + ############################################################################## + # ## +############################################################################## # +# # # +# Global Variable Definitions # # +# # # +# These are defined at install time by the installation script. You may # # +# Manually edit these if you are using this file directly and not from the # # +# installation script itself. # # +# ## +############################################################################## + +@@section GLOBAL +TWROOT=; +TWBIN=; +TWPOL=; +TWDB=; +TWSKEY=; +TWLKEY=; +TWREPORT=; +HOSTNAME=; + +@@section FS +SEC_CRIT = $(IgnoreNone)-SHa ; # Critical files that cannot change +SEC_SUID = $(IgnoreNone)-SHa ; # Binaries with the SUID or SGID flags set +SEC_BIN = $(ReadOnly) ; # Binaries that should not change +SEC_CONFIG = $(Dynamic) ; # Config files that are changed infrequently but accessed often +SEC_LOG = $(Growing) ; # Files that grow, but that should never change ownership +SEC_INVARIANT = +tpug ; # Directories that should never change permission or ownership +SIG_LOW = 33 ; # Non-critical files that are of minimal security impact +SIG_MED = 66 ; # Non-critical files that are of significant security impact +SIG_HI = 100 ; # Critical files that are significant points of vulnerability + + +# Tripwire Binaries +( + rulename = "Tripwire Binaries", + severity = $(SIG_HI) +) +{ + $(TWBIN)/siggen -> $(SEC_BIN) ; + $(TWBIN)/tripwire -> $(SEC_BIN) ; + $(TWBIN)/twadmin -> $(SEC_BIN) ; + $(TWBIN)/twprint -> $(SEC_BIN) ; +} + +# Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases +( + rulename = "Tripwire Data Files", + severity = $(SIG_HI) +) +{ + # NOTE: We remove the inode attribute because when Tripwire creates a backup, + # it does so by renaming the old file and creating a new one (which will + # have a new inode number). Inode is left turned on for keys, which shouldn't + # ever change. + + # NOTE: The first integrity check triggers this rule and each integrity check + # afterward triggers this rule until a database update is run, since the + # database file does not exist before that point. + + $(TWDB) -> $(SEC_CONFIG) -i ; + $(TWPOL)/tw.pol -> $(SEC_BIN) -i ; + $(TWPOL)/tw.cfg -> $(SEC_BIN) -i ; + $(TWLKEY)/$(HOSTNAME)-local.key -> $(SEC_BIN) ; + $(TWSKEY)/site.key -> $(SEC_BIN) ; + + #don't scan the individual reports + $(TWREPORT) -> $(SEC_CONFIG) (recurse=0) ; +} + + +# Tripwire HQ Connector Binaries +#( +# rulename = "Tripwire HQ Connector Binaries", +# severity = $(SIG_HI) +#) +#{ +# $(TWBIN)/hqagent -> $(SEC_BIN) ; +#} +# +# Tripwire HQ Connector - Configuration Files, Keys, and Logs + + ############################################################################## + # ## +############################################################################## # +# # # +# Note: File locations here are different than in a stock HQ Connector # # +# installation. This is because Tripwire 2.3 uses a different path # # +# structure than Tripwire 2.2.1. # # +# # # +# You may need to update your HQ Agent configuation file (or this policy # # +# file) to correct the paths. We have attempted to support the FHS standard # # +# here by placing the HQ Agent files similarly to the way Tripwire 2.3 # # +# places them. # # +# ## +############################################################################## + +#( +# rulename = "Tripwire HQ Connector Data Files", +# severity = $(SIG_HI) +#) +#{ +# ############################################################################# +# ############################################################################## +# # NOTE: Removing the inode attribute because when Tripwire creates a backup ## +# # it does so by renaming the old file and creating a new one (which will ## +# # have a new inode number). Leaving inode turned on for keys, which ## +# # shouldn't ever change. ## +# ############################################################################# +# +# $(TWBIN)/agent.cfg -> $(SEC_BIN) -i ; +# $(TWLKEY)/authentication.key -> $(SEC_BIN) ; +# $(TWDB)/tasks.dat -> $(SEC_CONFIG) ; +# $(TWDB)/schedule.dat -> $(SEC_CONFIG) ; +# +# # Uncomment if you have agent logging enabled. +# #/var/log/tripwire/agent.log -> $(SEC_LOG) ; +#} + + + +# Commonly accessed directories that should remain static with regards to owner and group +( + rulename = "Invariant Directories", + severity = $(SIG_MED) +) +{ + / -> $(SEC_INVARIANT) (recurse = 0) ; + /home -> $(SEC_INVARIANT) (recurse = 0) ; + /etc -> $(SEC_INVARIANT) (recurse = 0) ; +} + ################################################ + # ## +################################################ # +# # # +# File System and Disk Administration Programs # # +# ## +################################################ + +( + rulename = "File System and Disk Administraton Programs", + severity = $(SIG_HI) +) +{ + /sbin/accton -> $(SEC_CRIT) ; + /sbin/badblocks -> $(SEC_CRIT) ; + /sbin/busybox -> $(SEC_CRIT) ; + /sbin/busybox.anaconda -> $(SEC_CRIT) ; + /sbin/convertquota -> $(SEC_CRIT) ; + /sbin/dosfsck -> $(SEC_CRIT) ; + /sbin/debugfs -> $(SEC_CRIT) ; + /sbin/debugreiserfs -> $(SEC_CRIT) ; + /sbin/dumpe2fs -> $(SEC_CRIT) ; + /sbin/dump -> $(SEC_CRIT) ; + /sbin/dump.static -> $(SEC_CRIT) ; + # /sbin/e2fsadm -> $(SEC_CRIT) ; tune2fs? + /sbin/e2fsck -> $(SEC_CRIT) ; + /sbin/e2label -> $(SEC_CRIT) ; + /sbin/fdisk -> $(SEC_CRIT) ; + /sbin/fsck -> $(SEC_CRIT) ; + /sbin/fsck.ext2 -> $(SEC_CRIT) ; + /sbin/fsck.ext3 -> $(SEC_CRIT) ; + /sbin/fsck.minix -> $(SEC_CRIT) ; + /sbin/fsck.msdos -> $(SEC_CRIT) ; + /sbin/fsck.vfat -> $(SEC_CRIT) ; + /sbin/ftl_check -> $(SEC_CRIT) ; + /sbin/ftl_format -> $(SEC_CRIT) ; + /sbin/hdparm -> $(SEC_CRIT) ; + #/sbin/lvchange -> $(SEC_CRIT) ; + #/sbin/lvcreate -> $(SEC_CRIT) ; + #/sbin/lvdisplay -> $(SEC_CRIT) ; + #/sbin/lvextend -> $(SEC_CRIT) ; + #/sbin/lvmchange -> $(SEC_CRIT) ; + #/sbin/lvmcreate_initrd -> $(SEC_CRIT) ; + #/sbin/lvmdiskscan -> $(SEC_CRIT) ; + #/sbin/lvmsadc -> $(SEC_CRIT) ; + #/sbin/lvmsar -> $(SEC_CRIT) ; + #/sbin/lvreduce -> $(SEC_CRIT) ; + #/sbin/lvremove -> $(SEC_CRIT) ; + #/sbin/lvrename -> $(SEC_CRIT) ; + #/sbin/lvscan -> $(SEC_CRIT) ; + /sbin/mkbootdisk -> $(SEC_CRIT) ; + /sbin/mkdosfs -> $(SEC_CRIT) ; + /sbin/mke2fs -> $(SEC_CRIT) ; + /sbin/mkfs -> $(SEC_CRIT) ; + /sbin/mkfs.bfs -> $(SEC_CRIT) ; + /sbin/mkfs.ext2 -> $(SEC_CRIT) ; + /sbin/mkfs.minix -> $(SEC_CRIT) ; + /sbin/mkfs.msdos -> $(SEC_CRIT) ; + /sbin/mkfs.vfat -> $(SEC_CRIT) ; + /sbin/mkinitrd -> $(SEC_CRIT) ; + #/sbin/mkpv -> $(SEC_CRIT) ; + /sbin/mkraid -> $(SEC_CRIT) ; + /sbin/mkreiserfs -> $(SEC_CRIT) ; + /sbin/mkswap -> $(SEC_CRIT) ; + #/sbin/mtx -> $(SEC_CRIT) ; + /sbin/pam_console_apply -> $(SEC_CRIT) ; + /sbin/parted -> $(SEC_CRIT) ; + /sbin/pcinitrd -> $(SEC_CRIT) ; + #/sbin/pvchange -> $(SEC_CRIT) ; + #/sbin/pvcreate -> $(SEC_CRIT) ; + #/sbin/pvdata -> $(SEC_CRIT) ; + #/sbin/pvdisplay -> $(SEC_CRIT) ; + #/sbin/pvmove -> $(SEC_CRIT) ; + #/sbin/pvscan -> $(SEC_CRIT) ; + /sbin/quotacheck -> $(SEC_CRIT) ; + /sbin/quotaon -> $(SEC_CRIT) ; + /sbin/raidstart -> $(SEC_CRIT) ; + /sbin/reiserfsck -> $(SEC_CRIT) ; + /sbin/resize2fs -> $(SEC_CRIT) ; + /sbin/resize_reiserfs -> $(SEC_CRIT) ; + /sbin/restore -> $(SEC_CRIT) ; + /sbin/restore.static -> $(SEC_CRIT) ; + /sbin/scsi_info -> $(SEC_CRIT) ; + /sbin/sfdisk -> $(SEC_CRIT) ; + /sbin/stinit -> $(SEC_CRIT) ; + #/sbin/tapeinfo -> $(SEC_CRIT) ; + /sbin/tune2fs -> $(SEC_CRIT) ; + /sbin/unpack -> $(SEC_CRIT) ; + /sbin/update -> $(SEC_CRIT) ; + #/sbin/vgcfgbackup -> $(SEC_CRIT) ; + #/sbin/vgcfgrestore -> $(SEC_CRIT) ; + #/sbin/vgchange -> $(SEC_CRIT) ; + #/sbin/vgck -> $(SEC_CRIT) ; + #/sbin/vgcreate -> $(SEC_CRIT) ; + #/sbin/vgdisplay -> $(SEC_CRIT) ; + #/sbin/vgexport -> $(SEC_CRIT) ; + #/sbin/vgextend -> $(SEC_CRIT) ; + #/sbin/vgimport -> $(SEC_CRIT) ; + #/sbin/vgmerge -> $(SEC_CRIT) ; + #/sbin/vgmknodes -> $(SEC_CRIT) ; + #/sbin/vgreduce -> $(SEC_CRIT) ; + #/sbin/vgremove -> $(SEC_CRIT) ; + #/sbin/vgrename -> $(SEC_CRIT) ; + #/sbin/vgscan -> $(SEC_CRIT) ; + #/sbin/vgsplit -> $(SEC_CRIT) ; + /bin/chgrp -> $(SEC_CRIT) ; + /bin/chmod -> $(SEC_CRIT) ; + /bin/chown -> $(SEC_CRIT) ; + /bin/cp -> $(SEC_CRIT) ; + /bin/cpio -> $(SEC_CRIT) ; + /bin/mount -> $(SEC_CRIT) ; + /bin/umount -> $(SEC_CRIT) ; + /bin/mkdir -> $(SEC_CRIT) ; + /bin/mknod -> $(SEC_CRIT) ; + /bin/mktemp -> $(SEC_CRIT) ; + /bin/rm -> $(SEC_CRIT) ; + /bin/rmdir -> $(SEC_CRIT) ; + /bin/touch -> $(SEC_CRIT) ; +} + + ################################## + # ## +################################## # +# # # +# Kernel Administration Programs # # +# ## +################################## + +( + rulename = "Kernel Administration Programs", + severity = $(SIG_HI) +) +{ + /sbin/adjtimex -> $(SEC_CRIT) ; + /sbin/ctrlaltdel -> $(SEC_CRIT) ; + /sbin/depmod -> $(SEC_CRIT) ; + /sbin/insmod -> $(SEC_CRIT) ; + /sbin/insmod.static -> $(SEC_CRIT) ; + /sbin/insmod_ksymoops_clean -> $(SEC_CRIT) ; + /sbin/klogd -> $(SEC_CRIT) ; + /sbin/ldconfig -> $(SEC_CRIT) ; + /sbin/minilogd -> $(SEC_CRIT) ; + /sbin/modinfo -> $(SEC_CRIT) ; + #/sbin/nuactlun -> $(SEC_CRIT) ; + #/sbin/nuscsitcpd -> $(SEC_CRIT) ; + /sbin/pivot_root -> $(SEC_CRIT) ; + /sbin/sndconfig -> $(SEC_CRIT) ; + /sbin/sysctl -> $(SEC_CRIT) ; +} + + ####################### + # ## +####################### # +# # # +# Networking Programs # # +# ## +####################### + +( + rulename = "Networking Programs", + severity = $(SIG_HI) +) +{ + /etc/sysconfig/network-scripts/ifdown -> $(SEC_CRIT) ; + /etc/sysconfig/network-scripts/ifdown-cipcb -> $(SEC_CRIT) ; + /etc/sysconfig/network-scripts/ifdown-ippp -> $(SEC_CRIT) ; + /etc/sysconfig/network-scripts/ifdown-ipv6 -> $(SEC_CRIT) ; + /etc/sysconfig/network-scripts/ifdown-isdn -> $(SEC_CRIT) ; + /etc/sysconfig/network-scripts/ifdown-post -> $(SEC_CRIT) ; + /etc/sysconfig/network-scripts/ifdown-ppp -> $(SEC_CRIT) ; + /etc/sysconfig/network-scripts/ifdown-sit -> $(SEC_CRIT) ; + /etc/sysconfig/network-scripts/ifdown-sl -> $(SEC_CRIT) ; + /etc/sysconfig/network-scripts/ifup -> $(SEC_CRIT) ; + /etc/sysconfig/network-scripts/ifup-aliases -> $(SEC_CRIT) ; + /etc/sysconfig/network-scripts/ifup-cipcb -> $(SEC_CRIT) ; + /etc/sysconfig/network-scripts/ifup-ippp -> $(SEC_CRIT) ; + /etc/sysconfig/network-scripts/ifup-ipv6 -> $(SEC_CRIT) ; + /etc/sysconfig/network-scripts/ifup-isdn -> $(SEC_CRIT) ; + /etc/sysconfig/network-scripts/ifup-plip -> $(SEC_CRIT) ; + /etc/sysconfig/network-scripts/ifup-plusb -> $(SEC_CRIT) ; + /etc/sysconfig/network-scripts/ifup-post -> $(SEC_CRIT) ; + /etc/sysconfig/network-scripts/ifup-ppp -> $(SEC_CRIT) ; + /etc/sysconfig/network-scripts/ifup-routes -> $(SEC_CRIT) ; + /etc/sysconfig/network-scripts/ifup-sit -> $(SEC_CRIT) ; + /etc/sysconfig/network-scripts/ifup-sl -> $(SEC_CRIT) ; + /etc/sysconfig/network-scripts/ifup-wireless -> $(SEC_CRIT) ; + /etc/sysconfig/network-scripts/network-functions -> $(SEC_CRIT) ; + /etc/sysconfig/network-scripts/network-functions-ipv6 -> $(SEC_CRIT) ; + /bin/ping -> $(SEC_CRIT) ; + /sbin/agetty -> $(SEC_CRIT) ; + /sbin/arp -> $(SEC_CRIT) ; + /sbin/arping -> $(SEC_CRIT) ; + /sbin/dhcpcd -> $(SEC_CRIT) ; + /sbin/ether-wake -> $(SEC_CRIT) ; + #/sbin/getty -> $(SEC_CRIT) ; + /sbin/ifcfg -> $(SEC_CRIT) ; + /sbin/ifconfig -> $(SEC_CRIT) ; + /sbin/ifdown -> $(SEC_CRIT) ; + /sbin/ifenslave -> $(SEC_CRIT) ; + /sbin/ifport -> $(SEC_CRIT) ; + /sbin/ifup -> $(SEC_CRIT) ; + /sbin/ifuser -> $(SEC_CRIT) ; + /sbin/ip -> $(SEC_CRIT) ; + /sbin/ip6tables -> $(SEC_CRIT) ; + /sbin/ipchains -> $(SEC_CRIT) ; + /sbin/ipchains-restore -> $(SEC_CRIT) ; + /sbin/ipchains-save -> $(SEC_CRIT) ; + /sbin/ipfwadm -> $(SEC_CRIT) ; + /sbin/ipmaddr -> $(SEC_CRIT) ; + /sbin/iptables -> $(SEC_CRIT) ; + /sbin/iptables-restore -> $(SEC_CRIT) ; + /sbin/iptables-save -> $(SEC_CRIT) ; + /sbin/iptunnel -> $(SEC_CRIT) ; + #/sbin/ipvsadm -> $(SEC_CRIT) ; + #/sbin/ipvsadm-restore -> $(SEC_CRIT) ; + #/sbin/ipvsadm-save -> $(SEC_CRIT) ; + /sbin/ipx_configure -> $(SEC_CRIT) ; + /sbin/ipx_interface -> $(SEC_CRIT) ; + /sbin/ipx_internal_net -> $(SEC_CRIT) ; + /sbin/iwconfig -> $(SEC_CRIT) ; + /sbin/iwgetid -> $(SEC_CRIT) ; + /sbin/iwlist -> $(SEC_CRIT) ; + /sbin/iwpriv -> $(SEC_CRIT) ; + /sbin/iwspy -> $(SEC_CRIT) ; + /sbin/mgetty -> $(SEC_CRIT) ; + /sbin/mingetty -> $(SEC_CRIT) ; + /sbin/nameif -> $(SEC_CRIT) ; + /sbin/netreport -> $(SEC_CRIT) ; + /sbin/plipconfig -> $(SEC_CRIT) ; + /sbin/portmap -> $(SEC_CRIT) ; + /sbin/ppp-watch -> $(SEC_CRIT) ; + #/sbin/rarp -> $(SEC_CRIT) ; + /sbin/route -> $(SEC_CRIT) ; + /sbin/slattach -> $(SEC_CRIT) ; + /sbin/tc -> $(SEC_CRIT) ; + #/sbin/uugetty -> $(SEC_CRIT) ; + /sbin/vgetty -> $(SEC_CRIT) ; + /sbin/ypbind -> $(SEC_CRIT) ; +} + + ################################## + # ## +################################## # +# # # +# System Administration Programs # # +# ## +################################## + +( + rulename = "System Administration Programs", + severity = $(SIG_HI) +) +{ + /sbin/chkconfig -> $(SEC_CRIT) ; + /sbin/fuser -> $(SEC_CRIT) ; + /sbin/halt -> $(SEC_CRIT) ; + /sbin/init -> $(SEC_CRIT) ; + /sbin/initlog -> $(SEC_CRIT) ; + /sbin/install-info -> $(SEC_CRIT) ; + /sbin/killall5 -> $(SEC_CRIT) ; + #/sbin/linuxconf -> $(SEC_CRIT) ; + #/sbin/linuxconf-auth -> $(SEC_CRIT) ; + /sbin/pam_tally -> $(SEC_CRIT) ; + /sbin/pwdb_chkpwd -> $(SEC_CRIT) ; + #/sbin/remadmin -> $(SEC_CRIT) ; + /sbin/rescuept -> $(SEC_CRIT) ; + /sbin/rmt -> $(SEC_CRIT) ; + /sbin/rpc.lockd -> $(SEC_CRIT) ; + /sbin/rpc.statd -> $(SEC_CRIT) ; + /sbin/rpcdebug -> $(SEC_CRIT) ; + /sbin/service -> $(SEC_CRIT) ; + /sbin/setsysfont -> $(SEC_CRIT) ; + /sbin/shutdown -> $(SEC_CRIT) ; + /sbin/sulogin -> $(SEC_CRIT) ; + /sbin/swapon -> $(SEC_CRIT) ; + /sbin/syslogd -> $(SEC_CRIT) ; + /sbin/unix_chkpwd -> $(SEC_CRIT) ; + /bin/pwd -> $(SEC_CRIT) ; + /bin/uname -> $(SEC_CRIT) ; +} + + ######################################## + # ## +######################################## # +# # # +# Hardware and Device Control Programs # # +# ## +######################################## +( + rulename = "Hardware and Device Control Programs", + severity = $(SIG_HI) +) +{ + /bin/setserial -> $(SEC_CRIT) ; + /bin/sfxload -> $(SEC_CRIT) ; + /sbin/blockdev -> $(SEC_CRIT) ; + /sbin/cardctl -> $(SEC_CRIT) ; + /sbin/cardmgr -> $(SEC_CRIT) ; + /sbin/cbq -> $(SEC_CRIT) ; + /sbin/dump_cis -> $(SEC_CRIT) ; + /sbin/elvtune -> $(SEC_CRIT) ; + /sbin/hotplug -> $(SEC_CRIT) ; + /sbin/hwclock -> $(SEC_CRIT) ; + /sbin/ide_info -> $(SEC_CRIT) ; + #/sbin/isapnp -> $(SEC_CRIT) ; + /sbin/kbdrate -> $(SEC_CRIT) ; + /sbin/losetup -> $(SEC_CRIT) ; + /sbin/lspci -> $(SEC_CRIT) ; + /sbin/lspnp -> $(SEC_CRIT) ; + /sbin/mii-tool -> $(SEC_CRIT) ; + /sbin/pack_cis -> $(SEC_CRIT) ; + #/sbin/pnpdump -> $(SEC_CRIT) ; + /sbin/probe -> $(SEC_CRIT) ; + /sbin/pump -> $(SEC_CRIT) ; + /sbin/setpci -> $(SEC_CRIT) ; + /sbin/shapecfg -> $(SEC_CRIT) ; +} + + ############################### + # ## +############################### # +# # # +# System Information Programs # # +# ## +############################### +( + rulename = "System Information Programs", + severity = $(SIG_HI) +) +{ + /sbin/consoletype -> $(SEC_CRIT) ; + /sbin/kernelversion -> $(SEC_CRIT) ; + /sbin/runlevel -> $(SEC_CRIT) ; +} + + #################################### + # ## +#################################### # +# # # +# Application Information Programs # # +# ## +#################################### + +( + rulename = "Application Information Programs", + severity = $(SIG_HI) +) +{ + /sbin/genksyms -> $(SEC_CRIT) ; + #/sbin/genksyms.old -> $(SEC_CRIT) ; + /sbin/rtmon -> $(SEC_CRIT) ; +} + + ########################## + # ## +########################## # +# # # +# Shell Related Programs # # +# ## +########################## +( + rulename = "Shell Related Programs", + severity = $(SIG_HI) +) +{ + /sbin/getkey -> $(SEC_CRIT) ; + /sbin/nash -> $(SEC_CRIT) ; + /sbin/sash -> $(SEC_CRIT) ; +} + + + ################ + # ## +################ # +# # # +# OS Utilities # # +# ## +################ +( + rulename = "Operating System Utilities", + severity = $(SIG_HI) +) +{ + /bin/arch -> $(SEC_CRIT) ; + /bin/ash -> $(SEC_CRIT) ; + /bin/ash.static -> $(SEC_CRIT) ; + /bin/aumix-minimal -> $(SEC_CRIT) ; + /bin/basename -> $(SEC_CRIT) ; + /bin/cat -> $(SEC_CRIT) ; + /bin/consolechars -> $(SEC_CRIT) ; + /bin/cut -> $(SEC_CRIT) ; + /bin/date -> $(SEC_CRIT) ; + /bin/dd -> $(SEC_CRIT) ; + /bin/df -> $(SEC_CRIT) ; + /bin/dmesg -> $(SEC_CRIT) ; + /bin/doexec -> $(SEC_CRIT) ; + /bin/echo -> $(SEC_CRIT) ; + /bin/ed -> $(SEC_CRIT) ; + /bin/egrep -> $(SEC_CRIT) ; + /bin/false -> $(SEC_CRIT) ; + /bin/fgrep -> $(SEC_CRIT) ; + /bin/gawk -> $(SEC_CRIT) ; + /bin/gawk-3.1.0 -> $(SEC_CRIT) ; + /bin/gettext -> $(SEC_CRIT) ; + /bin/grep -> $(SEC_CRIT) ; + /bin/gunzip -> $(SEC_CRIT) ; + /bin/gzip -> $(SEC_CRIT) ; + /bin/hostname -> $(SEC_CRIT) ; + /bin/igawk -> $(SEC_CRIT) ; + /bin/ipcalc -> $(SEC_CRIT) ; + /bin/kill -> $(SEC_CRIT) ; + /bin/ln -> $(SEC_CRIT) ; + /bin/loadkeys -> $(SEC_CRIT) ; + /bin/login -> $(SEC_CRIT) ; + /bin/ls -> $(SEC_CRIT) ; + /bin/mail -> $(SEC_CRIT) ; + /bin/more -> $(SEC_CRIT) ; + /bin/mt -> $(SEC_CRIT) ; + /bin/mv -> $(SEC_CRIT) ; + /bin/netstat -> $(SEC_CRIT) ; + /bin/nice -> $(SEC_CRIT) ; + /bin/pgawk -> $(SEC_CRIT) ; + /bin/ps -> $(SEC_CRIT) ; + /bin/rpm -> $(SEC_CRIT) ; + /bin/sed -> $(SEC_CRIT) ; + /bin/sleep -> $(SEC_CRIT) ; + /bin/sort -> $(SEC_CRIT) ; + /bin/stty -> $(SEC_CRIT) ; + /bin/su -> $(SEC_CRIT) ; + /bin/sync -> $(SEC_CRIT) ; + /bin/tar -> $(SEC_CRIT) ; + /bin/true -> $(SEC_CRIT) ; + /bin/usleep -> $(SEC_CRIT) ; + /bin/vi -> $(SEC_CRIT) ; + /bin/zcat -> $(SEC_CRIT) ; + /bin/zsh -> $(SEC_CRIT) ; + #/bin/zsh-4.0.2 -> $(SEC_CRIT) ; + /sbin/sln -> $(SEC_CRIT) ; + /usr/bin/vimtutor -> $(SEC_CRIT) ; +} + + ############################## + # ## +############################## # +# # # +# Critical Utility Sym-Links # # +# ## +############################## +( + rulename = "Critical Utility Sym-Links", + severity = $(SIG_HI) +) +{ + #/sbin/askrunlevel -> $(SEC_CRIT) ; + /sbin/clock -> $(SEC_CRIT) ; + #/sbin/fixperm -> $(SEC_CRIT) ; + /sbin/fsck.reiserfs -> $(SEC_CRIT) ; + #/sbin/fsconf -> $(SEC_CRIT) ; + /sbin/ipfwadm-wrapper -> $(SEC_CRIT) ; + /sbin/kallsyms -> $(SEC_CRIT) ; + /sbin/ksyms -> $(SEC_CRIT) ; + /sbin/lsmod -> $(SEC_CRIT) ; + #/sbin/mailconf -> $(SEC_CRIT) ; + /sbin/mkfs.reiserfs -> $(SEC_CRIT) ; + #/sbin/modemconf -> $(SEC_CRIT) ; + /sbin/modprobe -> $(SEC_CRIT) ; + /sbin/mount.ncp -> $(SEC_CRIT) ; + /sbin/mount.ncpfs -> $(SEC_CRIT) ; + /sbin/mount.smb -> $(SEC_CRIT) ; + /sbin/mount.smbfs -> $(SEC_CRIT) ; + #/sbin/netconf -> $(SEC_CRIT) ; + /sbin/pidof -> $(SEC_CRIT) ; + /sbin/poweroff -> $(SEC_CRIT) ; + /sbin/quotaoff -> $(SEC_CRIT) ; + /sbin/raid0run -> $(SEC_CRIT) ; + /sbin/raidhotadd -> $(SEC_CRIT) ; + /sbin/raidhotgenerateerror -> $(SEC_CRIT) ; + /sbin/raidhotremove -> $(SEC_CRIT) ; + /sbin/raidstop -> $(SEC_CRIT) ; + /sbin/rdump -> $(SEC_CRIT) ; + /sbin/rdump.static -> $(SEC_CRIT) ; + /sbin/reboot -> $(SEC_CRIT) ; + /sbin/rmmod -> $(SEC_CRIT) ; + /sbin/rrestore -> $(SEC_CRIT) ; + /sbin/rrestore.static -> $(SEC_CRIT) ; + /sbin/swapoff -> $(SEC_CRIT) ; + /sbin/telinit -> $(SEC_CRIT) ; + #/sbin/userconf -> $(SEC_CRIT) ; + #/sbin/uucpconf -> $(SEC_CRIT) ; + #/sbin/vregistry -> $(SEC_CRIT) ; + /bin/awk -> $(SEC_CRIT) ; + /bin/bash2 -> $(SEC_CRIT) ; + /bin/bsh -> $(SEC_CRIT) ; + /bin/csh -> $(SEC_CRIT) ; + /bin/dnsdomainname -> $(SEC_CRIT) ; + /bin/domainname -> $(SEC_CRIT) ; + /bin/ex -> $(SEC_CRIT) ; + /bin/gtar -> $(SEC_CRIT) ; + /bin/nisdomainname -> $(SEC_CRIT) ; + /bin/red -> $(SEC_CRIT) ; + /bin/rvi -> $(SEC_CRIT) ; + /bin/rview -> $(SEC_CRIT) ; + /bin/view -> $(SEC_CRIT) ; + /bin/ypdomainname -> $(SEC_CRIT) ; +} + + + ######################### + # ## +######################### # +# # # +# Temporary directories # # +# ## +######################### +( + rulename = "Temporary directories", + recurse = false, + severity = $(SIG_LOW) +) +{ + /usr/tmp -> $(SEC_INVARIANT) ; + /var/tmp -> $(SEC_INVARIANT) ; + /tmp -> $(SEC_INVARIANT) ; +} + + ############### + # ## +############### # +# # # +# Local files # # +# ## +############### +( + rulename = "User binaries", + severity = $(SIG_MED) +) +{ + /sbin -> $(SEC_BIN) (recurse = 1) ; + /usr/bin -> $(SEC_BIN) (recurse = 1) ; + /usr/sbin -> $(SEC_BIN) (recurse = 1) ; + /usr/local/bin -> $(SEC_BIN) (recurse = 1) ; +} + +( + rulename = "Shell Binaries", + severity = $(SIG_HI) +) +{ + /bin/bash -> $(SEC_BIN) ; + /bin/ksh -> $(SEC_BIN) ; + # /bin/psh -> $(SEC_BIN) ; # No longer used? + # /bin/Rsh -> $(SEC_BIN) ; # No longer used? + /bin/sh -> $(SEC_BIN) ; + # /bin/shell -> $(SEC_SUID) ; # No longer used? + # /bin/tsh -> $(SEC_BIN) ; # No longer used? + /bin/tcsh -> $(SEC_BIN) ; + /sbin/nologin -> $(SEC_BIN) ; +} + +( + rulename = "Security Control", + severity = $(SIG_HI) +) +{ + /etc/group -> $(SEC_CRIT) ; + /etc/security -> $(SEC_CRIT) ; + #/var/spool/cron/crontabs -> $(SEC_CRIT) ; # Uncomment when this file exists +} + +#( +# rulename = "Boot Scripts", +# severity = $(SIG_HI) +#) +#{ +# /etc/rc -> $(SEC_CONFIG) ; +# /etc/rc.bsdnet -> $(SEC_CONFIG) ; +# /etc/rc.dt -> $(SEC_CONFIG) ; +# /etc/rc.net -> $(SEC_CONFIG) ; +# /etc/rc.net.serial -> $(SEC_CONFIG) ; +# /etc/rc.nfs -> $(SEC_CONFIG) ; +# /etc/rc.powerfail -> $(SEC_CONFIG) ; +# /etc/rc.tcpip -> $(SEC_CONFIG) ; +# /etc/trcfmt.Z -> $(SEC_CONFIG) ; +#} + +( + rulename = "Login Scripts", + severity = $(SIG_HI) +) +{ + /etc/bashrc -> $(SEC_CONFIG) ; + /etc/csh.cshrc -> $(SEC_CONFIG) ; + /etc/csh.login -> $(SEC_CONFIG) ; + /etc/inputrc -> $(SEC_CONFIG) ; + # /etc/tsh_profile -> $(SEC_CONFIG) ; #Uncomment when this file exists + /etc/profile -> $(SEC_CONFIG) ; +} + +# Libraries +( + rulename = "Libraries", + severity = $(SIG_MED) +) +{ + /usr/lib -> $(SEC_BIN) ; + /usr/local/lib -> $(SEC_BIN) ; +} + + + ###################################################### + # ## +###################################################### # +# # # +# Critical System Boot Files # # +# These files are critical to a correct system boot. # # +# ## +###################################################### + +( + rulename = "Critical system boot files", + severity = $(SIG_HI) +) +{ + /boot -> $(SEC_CRIT) ; + #/sbin/devfsd -> $(SEC_CRIT) ; + /sbin/grub -> $(SEC_CRIT) ; + /sbin/grub-install -> $(SEC_CRIT) ; + /sbin/grub-md5-crypt -> $(SEC_CRIT) ; + /sbin/installkernel -> $(SEC_CRIT) ; + /sbin/lilo -> $(SEC_CRIT) ; + /sbin/mkkerneldoth -> $(SEC_CRIT) ; + !/boot/System.map ; + !/boot/module-info ; + /usr/share/grub/i386-redhat/e2fs_stage1_5 -> $(SEC_CRIT) ; + /usr/share/grub/i386-redhat/fat_stage1_5 -> $(SEC_CRIT) ; + /usr/share/grub/i386-redhat/ffs_stage1_5 -> $(SEC_CRIT) ; + /usr/share/grub/i386-redhat/minix_stage1_5 -> $(SEC_CRIT) ; + /usr/share/grub/i386-redhat/reiserfs_stage1_5 -> $(SEC_CRIT) ; + /usr/share/grub/i386-redhat/stage1 -> $(SEC_CRIT) ; + /usr/share/grub/i386-redhat/stage2 -> $(SEC_CRIT) ; + /usr/share/grub/i386-redhat/vstafs_stage1_5 -> $(SEC_CRIT) ; + # other boot files may exist. Look for: + #/ufsboot -> $(SEC_CRIT) ; +} + ################################################## + ################################################### + # These files change every time the system boots ## + ################################################## +( + rulename = "System boot changes", + severity = $(SIG_HI) +) +{ + !/var/run/ftp.pids-all ; # Comes and goes on reboot. + !/root/.enlightenment ; + /dev/log -> $(SEC_CONFIG) ; + /dev/cua0 -> $(SEC_CONFIG) ; + # /dev/printer -> $(SEC_CONFIG) ; # Uncomment if you have a printer device + /dev/console -> $(SEC_CONFIG) -u ; # User ID may change on console login/logout. + /dev/tty1 -> $(SEC_CONFIG) ; # tty devices + /dev/tty2 -> $(SEC_CONFIG) ; # tty devices + /dev/tty3 -> $(SEC_CONFIG) ; # are extremely + /dev/tty4 -> $(SEC_CONFIG) ; # variable + /dev/tty5 -> $(SEC_CONFIG) ; + /dev/tty6 -> $(SEC_CONFIG) ; + /dev/urandom -> $(SEC_CONFIG) ; + /dev/initctl -> $(SEC_CONFIG) ; + /var/lock/subsys -> $(SEC_CONFIG) ; + #/var/lock/subsys/amd -> $(SEC_CONFIG) ; + /var/lock/subsys/anacron -> $(SEC_CONFIG) ; + /var/lock/subsys/apmd -> $(SEC_CONFIG) ; + #/var/lock/subsys/arpwatch -> $(SEC_CONFIG) ; + /var/lock/subsys/atd -> $(SEC_CONFIG) ; + /var/lock/subsys/autofs -> $(SEC_CONFIG) ; + #/var/lock/subsys/bcm5820 -> $(SEC_CONFIG) ; + #/var/lock/subsys/bgpd -> $(SEC_CONFIG) ; + #/var/lock/subsys/bootparamd -> $(SEC_CONFIG) ; + #/var/lock/subsys/canna -> $(SEC_CONFIG) ; + /var/lock/subsys/crond -> $(SEC_CONFIG) ; + #/var/lock/subsys/cWnn -> $(SEC_CONFIG) ; + #/var/lock/subsys/dhcpd -> $(SEC_CONFIG) ; + #/var/lock/subsys/firewall -> $(SEC_CONFIG) ; + #/var/lock/subsys/freeWnn -> $(SEC_CONFIG) ; + #/var/lock/subsys/gated -> $(SEC_CONFIG) ; + /var/lock/subsys/gpm -> $(SEC_CONFIG) ; + #/var/lock/subsys/httpd -> $(SEC_CONFIG) ; + #/var/lock/subsys/identd -> $(SEC_CONFIG) ; + #/var/lock/subsys/innd -> $(SEC_CONFIG) ; + /var/lock/subsys/ipchains -> $(SEC_CONFIG) ; + #/var/lock/subsys/iptables -> $(SEC_CONFIG) ; + #/var/lock/subsys/ipvsadm -> $(SEC_CONFIG) ; + #/var/lock/subsys/irda -> $(SEC_CONFIG) ; + #/var/lock/subsys/iscsi -> $(SEC_CONFIG) ; + #/var/lock/subsys/isdn -> $(SEC_CONFIG) ; + #/var/lock/subsys/junkbuster -> $(SEC_CONFIG) ; + #/var/lock/subsys/kadmin -> $(SEC_CONFIG) ; + /var/lock/subsys/keytable -> $(SEC_CONFIG) ; + #/var/lock/subsys/kprop -> $(SEC_CONFIG) ; + #/var/lock/subsys/krb524 -> $(SEC_CONFIG) ; + #/var/lock/subsys/krb5kdc -> $(SEC_CONFIG) ; + /var/lock/subsys/kudzu -> $(SEC_CONFIG) ; + #/var/lock/subsys/kWnn -> $(SEC_CONFIG) ; + #/var/lock/subsys/ldap -> $(SEC_CONFIG) ; + #/var/lock/subsys/linuxconf -> $(SEC_CONFIG) ; + #/var/lock/subsys/lpd -> $(SEC_CONFIG) ; + #/var/lock/subsys/mars_nwe -> $(SEC_CONFIG) ; + #/var/lock/subsys/mcserv -> $(SEC_CONFIG) ; + #/var/lock/subsys/mysqld -> $(SEC_CONFIG) ; + #/var/lock/subsys/named -> $(SEC_CONFIG) ; + /var/lock/subsys/netfs -> $(SEC_CONFIG) ; + /var/lock/subsys/network -> $(SEC_CONFIG) ; + #/var/lock/subsys/nfs -> $(SEC_CONFIG) ; + /var/lock/subsys/nfslock -> $(SEC_CONFIG) ; + #/var/lock/subsys/nscd -> $(SEC_CONFIG) ; + #/var/lock/subsys/ntpd -> $(SEC_CONFIG) ; + #/var/lock/subsys/ospf6d -> $(SEC_CONFIG) ; + #/var/lock/subsys/ospfd -> $(SEC_CONFIG) ; + /var/lock/subsys/pcmcia -> $(SEC_CONFIG) ; + /var/lock/subsys/portmap -> $(SEC_CONFIG) ; + #/var/lock/subsys/postgresql -> $(SEC_CONFIG) ; + #/var/lock/subsys/pxe -> $(SEC_CONFIG) ; + #/var/lock/subsys/radvd -> $(SEC_CONFIG) ; + /var/lock/subsys/random -> $(SEC_CONFIG) ; + #/var/lock/subsys/rarpd -> $(SEC_CONFIG) ; + /var/lock/subsys/reconfig -> $(SEC_CONFIG) ; + /var/lock/subsys/rhnsd -> $(SEC_CONFIG) ; + #/var/lock/subsys/ripd -> $(SEC_CONFIG) ; + #/var/lock/subsys/ripngd -> $(SEC_CONFIG) ; + #/var/lock/subsys/routed -> $(SEC_CONFIG) ; + #/var/lock/subsys/rstatd -> $(SEC_CONFIG) ; + #/var/lock/subsys/rusersd -> $(SEC_CONFIG) ; + #/var/lock/subsys/rwalld -> $(SEC_CONFIG) ; + #/var/lock/subsys/rwhod -> $(SEC_CONFIG) ; + /var/lock/subsys/sendmail -> $(SEC_CONFIG) ; + #/var/lock/subsys/smb -> $(SEC_CONFIG) ; + #/var/lock/subsys/snmpd -> $(SEC_CONFIG) ; + #/var/lock/subsys/squid -> $(SEC_CONFIG) ; + /var/lock/subsys/sshd -> $(SEC_CONFIG) ; + /var/lock/subsys/syslog -> $(SEC_CONFIG) ; + #/var/lock/subsys/tux -> $(SEC_CONFIG) ; + #/var/lock/subsys/tWnn -> $(SEC_CONFIG) ; + #/var/lock/subsys/ups -> $(SEC_CONFIG) ; + #/var/lock/subsys/vncserver -> $(SEC_CONFIG) ; + #/var/lock/subsys/wine -> $(SEC_CONFIG) ; + /var/lock/subsys/xfs -> $(SEC_CONFIG) ; + /var/lock/subsys/xinetd -> $(SEC_CONFIG) ; + /var/lock/subsys/ypbind -> $(SEC_CONFIG) ; + #/var/lock/subsys/yppasswdd -> $(SEC_CONFIG) ; + #/var/lock/subsys/ypserv -> $(SEC_CONFIG) ; + #/var/lock/subsys/ypxfrd -> $(SEC_CONFIG) ; + #/var/lock/subsys/zebra -> $(SEC_CONFIG) ; + /var/run -> $(SEC_CONFIG) ; + /var/log -> $(SEC_CONFIG) ; + /etc/ioctl.save -> $(SEC_CONFIG) ; + /etc/issue.net -> $(SEC_CONFIG) -i ; # Inode number changes + /etc/issue -> $(SEC_CONFIG) ; + /etc/mtab -> $(SEC_CONFIG) -i ; # Inode number changes on any mount/unmount + /lib/modules -> $(SEC_CONFIG) ; + /etc/.pwd.lock -> $(SEC_CONFIG) ; + # /lib/modules/preferred -> $(SEC_CONFIG) ; #Uncomment when this file exists +} + +# These files change the behavior of the root account +( + rulename = "Root config files", + severity = 100 +) +{ + /root -> $(SEC_CRIT) ; # Catch all additions to /root + #/root/.Xresources -> $(SEC_CONFIG) ; + /root/.bashrc -> $(SEC_CONFIG) ; + /root/.bash_profile -> $(SEC_CONFIG) ; + /root/.bash_logout -> $(SEC_CONFIG) ; + /root/.cshrc -> $(SEC_CONFIG) ; + /root/.tcshrc -> $(SEC_CONFIG) ; + /root/Mail -> $(SEC_CONFIG) ; + #/root/mail -> $(SEC_CONFIG) ; + #/root/.amandahosts -> $(SEC_CONFIG) ; + #/root/.addressbook.lu -> $(SEC_CONFIG) ; + #/root/.addressbook -> $(SEC_CONFIG) ; + /root/.bash_history -> $(SEC_CONFIG) ; + /root/.elm -> $(SEC_CONFIG) ; + #/root/.esd_auth -> $(SEC_CONFIG) ; + /root/.gnome_private -> $(SEC_CONFIG) ; + /root/.gnome-desktop -> $(SEC_CONFIG) ; + /root/.gnome -> $(SEC_CONFIG) ; + /root/.ICEauthority -> $(SEC_CONFIG) ; + #/root/.mc -> $(SEC_CONFIG) ; + #/root/.pinerc -> $(SEC_CONFIG) ; + /root/.sawfish -> $(SEC_CONFIG) ; + /root/.Xauthority -> $(SEC_CONFIG) -i ; # Changes Inode number on login + #/root/.xauth -> $(SEC_CONFIG) ; + /root/.xsession-errors -> $(SEC_CONFIG) ; +} + + ################################ + # ## +################################ # +# # # +# Critical configuration files # # +# ## +################################ +( + rulename = "Critical configuration files", + severity = $(SIG_HI) +) +{ + #/etc/conf.linuxconf -> $(SEC_BIN) ; + /etc/crontab -> $(SEC_BIN) ; + /etc/cron.hourly -> $(SEC_BIN) ; + /etc/cron.daily -> $(SEC_BIN) ; + /etc/cron.weekly -> $(SEC_BIN) ; + /etc/cron.monthly -> $(SEC_BIN) ; + /etc/default -> $(SEC_BIN) ; + /etc/fstab -> $(SEC_BIN) ; + /etc/exports -> $(SEC_BIN) ; + /etc/group- -> $(SEC_BIN) ; # changes should be infrequent + /etc/host.conf -> $(SEC_BIN) ; + /etc/hosts.allow -> $(SEC_BIN) ; + /etc/hosts.deny -> $(SEC_BIN) ; + /etc/httpd/conf -> $(SEC_BIN) ; # changes should be infrequent + /etc/protocols -> $(SEC_BIN) ; + /etc/services -> $(SEC_BIN) ; + /etc/rc.d/init.d -> $(SEC_BIN) ; + /etc/rc.d -> $(SEC_BIN) ; + /etc/mail.rc -> $(SEC_BIN) ; + /etc/modules.conf -> $(SEC_BIN) ; + /etc/motd -> $(SEC_BIN) ; + /etc/named.conf -> $(SEC_BIN) ; + /etc/passwd -> $(SEC_CONFIG) ; + /etc/passwd- -> $(SEC_CONFIG) ; + /etc/profile.d -> $(SEC_BIN) ; + /var/lib/nfs/rmtab -> $(SEC_BIN) ; + /usr/sbin/fixrmtab -> $(SEC_BIN) ; + /etc/rpc -> $(SEC_BIN) ; + /etc/sysconfig -> $(SEC_BIN) ; + /etc/samba/smb.conf -> $(SEC_CONFIG) ; + #/etc/gettydefs -> $(SEC_BIN) ; + /etc/nsswitch.conf -> $(SEC_BIN) ; + /etc/yp.conf -> $(SEC_BIN) ; + /etc/hosts -> $(SEC_CONFIG) ; + /etc/xinetd.conf -> $(SEC_CONFIG) ; + /etc/inittab -> $(SEC_CONFIG) ; + /etc/resolv.conf -> $(SEC_CONFIG) ; + /etc/syslog.conf -> $(SEC_CONFIG) ; +} + + #################### + # ## +#################### # +# # # +# Critical devices # # +# ## +#################### +( + rulename = "Critical devices", + severity = $(SIG_HI), + recurse = false +) +{ + /dev/kmem -> $(Device) ; + /dev/mem -> $(Device) ; + /dev/null -> $(Device) ; + /dev/zero -> $(Device) ; + /proc/devices -> $(Device) ; + /proc/net -> $(Device) ; + /proc/sys -> $(Device) ; + /proc/cpuinfo -> $(Device) ; + /proc/modules -> $(Device) ; + /proc/mounts -> $(Device) ; + /proc/dma -> $(Device) ; + /proc/filesystems -> $(Device) ; + /proc/pci -> $(Device) ; + /proc/interrupts -> $(Device) ; + /proc/driver/rtc -> $(Device) ; + /proc/ioports -> $(Device) ; + #/proc/scsi -> $(Device) ; + /proc/kcore -> $(Device) ; + /proc/self -> $(Device) ; + /proc/kmsg -> $(Device) ; + /proc/stat -> $(Device) ; + /proc/ksyms -> $(Device) ; + /proc/loadavg -> $(Device) ; + /proc/uptime -> $(Device) ; + /proc/locks -> $(Device) ; + /proc/version -> $(Device) ; + /proc/mdstat -> $(Device) ; + /proc/meminfo -> $(Device) ; + /proc/cmdline -> $(Device) ; + /proc/misc -> $(Device) ; +} + +# Rest of critical system binaries +( + rulename = "OS executables and libraries", + severity = $(SIG_HI) +) +{ + /bin -> $(SEC_BIN) ; + /lib -> $(SEC_BIN) ; +} + +#============================================================================= +# +# Copyright 2000-2017 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, +# Inc. in the United States and other countries. All rights reserved. +# +# Linux is a registered trademark of Linus Torvalds. +# +# UNIX is a registered trademark of The Open Group. +# +#============================================================================= +# +# Permission is granted to make and distribute verbatim copies of this document +# provided the copyright notice and this permission notice are preserved on all +# copies. +# +# Permission is granted to copy and distribute modified versions of this +# document under the conditions for verbatim copying, provided that the entire +# resulting derived work is distributed under the terms of a permission notice +# identical to this one. +# +# Permission is granted to copy and distribute translations of this document +# into another language, under the above conditions for modified versions, +# except that this permission notice may be stated in a translation approved by +# Tripwire, Inc. +# +# DCM +# +# $Id: twpol-GENERIC.txt,v 1.1 2003/06/08 02:00:06 pherman Exp $ +# diff --git a/policy/twpol-MidnightBSD.txt b/policy/twpol-MidnightBSD.txt new file mode 100644 index 0000000..b9c55a3 --- /dev/null +++ b/policy/twpol-MidnightBSD.txt @@ -0,0 +1,656 @@ +# +# Policy file for MidnightBSD +# (adapted from FreeBSD policy) +# +# $FreeBSD: ports/security/tripwire/files/twpol.txt,v 1.2 2002/03/04 16:55:21 cy Exp $ +# $Id: twpol-FreeBSD.txt,v 1.1 2003/06/08 02:00:06 pherman Exp $ + +# +# This is the example Tripwire Policy file. It is intended as a place to +# start creating your own custom Tripwire Policy file. Referring to it as +# well as the Tripwire Policy Guide should give you enough information to +# make a good custom Tripwire Policy file that better covers your +# configuration and security needs. A text version of this policy file is +# called twpol.txt. +# +# Note that this file is tuned to an install of FreeBSD using +# buildworld. If run unmodified, this file should create no errors on +# database creation, or violations on a subsiquent integrity check. +# However it is impossible for there to be one policy file for all machines, +# so this existing one errs on the side of security. Your FreeBSD +# configuration will most likey differ from the one our policy file was +# tuned to, and will therefore require some editing of the default +# Tripwire Policy file. +# +# The example policy file is best run with 'Loose Directory Checking' +# enabled. Set LOOSEDIRECTORYCHECKING=TRUE in the Tripwire Configuration +# file. +# +# Email support is not included and must be added to this file. +# Add the 'emailto=' to the rule directive section of each rule (add a comma +# after the 'severity=' line and add an 'emailto=' and include the email +# addresses you want the violation reports to go to). Addresses are +# semi-colon delimited. +# + + + +# +# Global Variable Definitions +# +# These are defined at install time by the installation script. You may +# Manually edit these if you are using this file directly and not from the +# installation script itself. +# + +@@section GLOBAL +TWROOT=; +TWBIN=; +TWPOL=; +TWDB=; +TWSKEY=; +TWLKEY=; +TWREPORT=; +HOSTNAME=; + +@@section FS +SEC_CRIT = $(IgnoreNone)-SHa ; # Critical files that cannot change +SEC_SUID = $(IgnoreNone)-SHa ; # Binaries with the SUID or SGID flags set +SEC_BIN = $(ReadOnly) ; # Binaries that should not change +SEC_CONFIG = $(Dynamic) ; # Config files that are changed infrequently but accessed often +SEC_TTY = $(Dynamic)-ugp ; # Tty files that change ownership at login +SEC_LOG = $(Growing) ; # Files that grow, but that should never change ownership +SEC_INVARIANT = +tpug ; # Directories that should never change permission or ownership +SIG_LOW = 33 ; # Non-critical files that are of minimal security impact +SIG_MED = 66 ; # Non-critical files that are of significant security impact +SIG_HI = 100 ; # Critical files that are significant points of vulnerability + + +# Tripwire Binaries +( + rulename = "Tripwire Binaries", + severity = $(SIG_HI) +) +{ + $(TWBIN)/siggen -> $(SEC_BIN) ; + $(TWBIN)/tripwire -> $(SEC_BIN) ; + $(TWBIN)/twadmin -> $(SEC_BIN) ; + $(TWBIN)/twprint -> $(SEC_BIN) ; +} + +# Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases +( + rulename = "Tripwire Data Files", + severity = $(SIG_HI) +) +{ + # NOTE: We remove the inode attribute because when Tripwire creates a backup, + # it does so by renaming the old file and creating a new one (which will + # have a new inode number). Inode is left turned on for keys, which shouldn't + # ever change. + + # NOTE: The first integrity check triggers this rule and each integrity check + # afterward triggers this rule until a database update is run, since the + # database file does not exist before that point. + + $(TWDB) -> $(SEC_CONFIG) -i ; + $(TWPOL)/tw.pol -> $(SEC_BIN) -i ; + $(TWPOL)/tw.cfg -> $(SEC_BIN) -i ; + $(TWPOL)/twcfg.txt -> $(SEC_BIN) ; + $(TWPOL)/twpol.txt -> $(SEC_BIN) ; + $(TWLKEY)/$(HOSTNAME)-local.key -> $(SEC_BIN) ; + $(TWSKEY)/site.key -> $(SEC_BIN) ; + + #don't scan the individual reports + $(TWREPORT) -> $(SEC_CONFIG) (recurse=0) ; +} + + +# Tripwire HQ Connector Binaries +#( +# rulename = "Tripwire HQ Connector Binaries", +# severity = $(SIG_HI) +#) +#{ +# $(TWBIN)/hqagent -> $(SEC_BIN) ; +#} +# +# Tripwire HQ Connector - Configuration Files, Keys, and Logs + +# +# Note: File locations here are different than in a stock HQ Connector +# installation. This is because Tripwire 2.3 uses a different path +# structure than Tripwire 2.2.1. +# +# You may need to update your HQ Agent configuation file (or this policy +# file) to correct the paths. We have attempted to support the FHS standard +# here by placing the HQ Agent files similarly to the way Tripwire 2.3 +# places them. +# + +#( +# rulename = "Tripwire HQ Connector Data Files", +# severity = $(SIG_HI) +#) +#{ +# +# # NOTE: Removing the inode attribute because when Tripwire creates a backup +# # it does so by renaming the old file and creating a new one (which will +# # have a new inode number). Leaving inode turned on for keys, which +# # shouldn't ever change. +# +# +# $(TWBIN)/agent.cfg -> $(SEC_BIN) -i ; +# $(TWLKEY)/authentication.key -> $(SEC_BIN) ; +# $(TWDB)/tasks.dat -> $(SEC_CONFIG) ; +# $(TWDB)/schedule.dat -> $(SEC_CONFIG) ; +# +# # Uncomment if you have agent logging enabled. +# #/var/log/tripwire/agent.log -> $(SEC_LOG) ; +#} + + + +# Commonly accessed directories that should remain static with regards to owner and group +( + rulename = "Invariant Directories", + severity = $(SIG_MED) +) +{ + / -> $(SEC_INVARIANT) (recurse = false) ; + /home -> $(SEC_INVARIANT) (recurse = false) ; +} + +# +# First, root's "home" +# + +( + rulename = "Root's home", + severity = $(SIG_HI) +) +{ + # /.rhosts -> $(SEC_CRIT) ; + /.profile -> $(SEC_CRIT) ; + /.cshrc -> $(SEC_CRIT) ; + /.login -> $(SEC_CRIT) ; + # /.exrc -> $(SEC_CRIT) ; + # /.logout -> $(SEC_CRIT) ; + # /.forward -> $(SEC_CRIT) ; + /root -> $(SEC_CRIT) (recurse = true) ; + !/root/.history ; + !/root/.bash_history ; + # !/root/.lsof_SYSTEM_NAME ; # Uncomment if lsof is installed +} + + +# +# FreeBSD Kernel +# + +( + rulename = "FreeBSD Kernel", + severity = $(SIG_HI) +) +{ + /kernel -> $(SEC_CRIT) ; + /kernel.old -> $(SEC_CRIT) ; + /kernel.GENERIC -> $(SEC_CRIT) ; +} + + +# +# FreeBSD Modules +# + +( + rulename = "FreeBSD Modules", + severity = $(SIG_HI) +) +{ + /modules -> $(SEC_CRIT) (recurse = true) ; + /modules.old -> $(SEC_CRIT) (recurse = true) ; + # /lkm -> $(SEC_CRIT) (recurse = true) ; # uncomment if using lkm kld +} + + +# +# System Administration Programs +# + +( + rulename = "System Administration Programs", + severity = $(SIG_HI) +) +{ + /sbin -> $(SEC_CRIT) (recurse = true) ; + /usr/sbin -> $(SEC_CRIT) (recurse = true) ; +} + + +# +# User Utilities +# + +( + rulename = "User Utilities", + severity = $(SIG_HI) +) +{ + /bin -> $(SEC_CRIT) (recurse = true) ; + /usr/bin -> $(SEC_CRIT) (recurse = true) ; +} + + +# +# /dev +# + +( + rulename = "/dev", + severity = $(SIG_HI) +) +{ + /dev -> $(Device) (recurse = true) ; + !/dev/vga ; + !/dev/dri ; + /dev/console -> $(SEC_TTY) ; + /dev/ttyv0 -> $(SEC_TTY) ; + /dev/ttyv1 -> $(SEC_TTY) ; + /dev/ttyv2 -> $(SEC_TTY) ; + /dev/ttyv3 -> $(SEC_TTY) ; + /dev/ttyv4 -> $(SEC_TTY) ; + /dev/ttyv5 -> $(SEC_TTY) ; + /dev/ttyv6 -> $(SEC_TTY) ; + /dev/ttyv7 -> $(SEC_TTY) ; + /dev/ttyp0 -> $(SEC_TTY) ; + /dev/ttyp1 -> $(SEC_TTY) ; + /dev/ttyp2 -> $(SEC_TTY) ; + /dev/ttyp3 -> $(SEC_TTY) ; + /dev/ttyp4 -> $(SEC_TTY) ; + /dev/ttyp5 -> $(SEC_TTY) ; + /dev/ttyp6 -> $(SEC_TTY) ; + /dev/ttyp7 -> $(SEC_TTY) ; + /dev/ttyp8 -> $(SEC_TTY) ; + /dev/ttyp9 -> $(SEC_TTY) ; + /dev/ttypa -> $(SEC_TTY) ; + /dev/ttypb -> $(SEC_TTY) ; + /dev/ttypc -> $(SEC_TTY) ; + /dev/ttypd -> $(SEC_TTY) ; + /dev/ttype -> $(SEC_TTY) ; + /dev/ttypf -> $(SEC_TTY) ; + /dev/ttypg -> $(SEC_TTY) ; + /dev/ttyph -> $(SEC_TTY) ; + /dev/ttypi -> $(SEC_TTY) ; + /dev/ttypj -> $(SEC_TTY) ; + /dev/ttypl -> $(SEC_TTY) ; + /dev/ttypm -> $(SEC_TTY) ; + /dev/ttypn -> $(SEC_TTY) ; + /dev/ttypo -> $(SEC_TTY) ; + /dev/ttypp -> $(SEC_TTY) ; + /dev/ttypq -> $(SEC_TTY) ; + /dev/ttypr -> $(SEC_TTY) ; + /dev/ttyps -> $(SEC_TTY) ; + /dev/ttypt -> $(SEC_TTY) ; + /dev/ttypu -> $(SEC_TTY) ; + /dev/ttypv -> $(SEC_TTY) ; + /dev/cuaa0 -> $(SEC_TTY) ; # modem +} + + +# +# /etc +# + +( + rulename = "/etc", + severity = $(SIG_HI) +) +{ + /etc -> $(SEC_CRIT) (recurse = true) ; + # /etc/mail/aliases -> $(SEC_CONFIG) ; + /etc/dumpdates -> $(SEC_CONFIG) ; + /etc/motd -> $(SEC_CONFIG) ; + !/etc/ppp/connect-errors ; + /etc/skeykeys -> $(SEC_CONFIG) ; + # Uncomment the following 4 lines if your password file does not change + # /etc/passwd -> $(SEC_CONFIG) ; + # /etc/master.passwd -> $(SEC_CONFIG) ; + # /etc/pwd.db -> $(SEC_CONFIG) ; + # /etc/spwd.db -> $(SEC_CONFIG) ; +} + + +# +# Copatibility (Linux) +# + +( + rulename = "Linux Compatibility", + severity = $(SIG_HI) +) +{ + /compat -> $(SEC_CRIT) (recurse = true) ; +# +# Uncomment the following if Linux compatibility is used. Replace +# HOSTNAME1 and HOSTNAME2 with the hosts that have Linux emulation port +# installed. +# +#@@ifhost HOSTNAME1 || HOSTNAME2 +# /compat/linux/etc -> $(SEC_INVARIANT) (recurse = false) ; +# /compat/linux/etc/X11 -> $(SEC_CONFIG) (recurse = true) ; +# /compat/linux/etc/pam.d -> $(SEC_CONFIG) (recurse = true) ; +# /compat/linux/etc/profile.d -> $(SEC_CONFIG) (recurse = true) ; +# /compat/linux/etc/real -> $(SEC_CONFIG) (recurse = true) ; +# /compat/linux/etc/bashrc -> $(SEC_CONFIG) ; +# /compat/linux/etc/csh.login -> $(SEC_CONFIG) ; +# /compat/linux/etc/host.conf -> $(SEC_CONFIG) ; +# /compat/linux/etc/hosts.allow -> $(SEC_CONFIG) ; +# /compat/linux/etc/hosts.deny -> $(SEC_CONFIG) ; +# /compat/linux/etc/info-dir -> $(SEC_CONFIG) ; +# /compat/linux/etc/inputrc -> $(SEC_CONFIG) ; +# /compat/linux/etc/ld.so.conf -> $(SEC_CONFIG) ; +# /compat/linux/etc/nsswitch.conf -> $(SEC_CONFIG) ; +# /compat/linux/etc/profile -> $(SEC_CONFIG) ; +# /compat/linux/etc/redhat-release -> $(SEC_CONFIG) ; +# /compat/linux/etc/rpc -> $(SEC_CONFIG) ; +# /compat/linux/etc/securetty -> $(SEC_CONFIG) ; +# /compat/linux/etc/shells -> $(SEC_CONFIG) ; +# /compat/linux/etc/termcap -> $(SEC_CONFIG) ; +# /compat/linux/etc/yp.conf -> $(SEC_CONFIG) ; +# !/compat/linux/etc/ld.so.cache ; +# !/compat/linux/var/spool/mail ; +#@@endif +} + + +# +# Libraries, include files, and other system files +# + +( + rulename = "Libraries, include files, and other system files", + severity = $(SIG_HI) +) +{ + /usr/include -> $(SEC_CRIT) (recurse = true) ; + /usr/lib -> $(SEC_CRIT) (recurse = true) ; + /usr/libdata -> $(SEC_CRIT) (recurse = true) ; + /usr/libexec -> $(SEC_CRIT) (recurse = true) ; + /usr/share -> $(SEC_CRIT) (recurse = true) ; + /usr/share/man -> $(SEC_CONFIG) ; + !/usr/share/man/whatis ; + !/usr/share/man/.glimpse_filenames ; + !/usr/share/man/.glimpse_filenames_index ; + !/usr/share/man/.glimpse_filetimes ; + !/usr/share/man/.glimpse_filters ; + !/usr/share/man/.glimpse_index ; + !/usr/share/man/.glimpse_messages ; + !/usr/share/man/.glimpse_partitions ; + !/usr/share/man/.glimpse_statistics ; + !/usr/share/man/.glimpse_turbo ; + /usr/share/man/man1 -> $(SEC_CRIT) (recurse = true) ; + /usr/share/man/man2 -> $(SEC_CRIT) (recurse = true) ; + /usr/share/man/man3 -> $(SEC_CRIT) (recurse = true) ; + /usr/share/man/man4 -> $(SEC_CRIT) (recurse = true) ; + /usr/share/man/man5 -> $(SEC_CRIT) (recurse = true) ; + /usr/share/man/man6 -> $(SEC_CRIT) (recurse = true) ; + /usr/share/man/man7 -> $(SEC_CRIT) (recurse = true) ; + /usr/share/man/man8 -> $(SEC_CRIT) (recurse = true) ; + /usr/share/man/man9 -> $(SEC_CRIT) (recurse = true) ; + /usr/share/man/mann -> $(SEC_CRIT) (recurse = true) ; + ! /usr/share/man/cat1 ; + ! /usr/share/man/cat2 ; + ! /usr/share/man/cat3 ; + ! /usr/share/man/cat4 ; + ! /usr/share/man/cat5 ; + ! /usr/share/man/cat6 ; + ! /usr/share/man/cat7 ; + ! /usr/share/man/cat8 ; + ! /usr/share/man/cat9 ; + ! /usr/share/man/catl ; + ! /usr/share/man/catn ; + /usr/share/perl/man -> $(SEC_CONFIG) ; + !/usr/share/perl/man/whatis ; + !/usr/share/perl/man/.glimpse_filenames ; + !/usr/share/perl/man/.glimpse_filenames_index ; + !/usr/share/perl/man/.glimpse_filetimes ; + !/usr/share/perl/man/.glimpse_filters ; + !/usr/share/perl/man/.glimpse_index ; + !/usr/share/perl/man/.glimpse_messages ; + !/usr/share/perl/man/.glimpse_partitions ; + !/usr/share/perl/man/.glimpse_statistics ; + !/usr/share/perl/man/.glimpse_turbo ; + /usr/share/perl/man/man3 -> $(SEC_CRIT) (recurse = true) ; + ! /usr/share/perl/man/cat3 ; + /usr/local/lib/perl5/5.00503/man -> $(SEC_CONFIG) ; + ! /usr/local/lib/perl5/5.00503/man/whatis ; + ! /usr/local/lib/perl5/5.00503/man/.glimpse_filters ; + ! /usr/local/lib/perl5/5.00503/man/.glimpse_filetimes ; + ! /usr/local/lib/perl5/5.00503/man/.glimpse_messages ; + ! /usr/local/lib/perl5/5.00503/man/.glimpse_statistics ; + ! /usr/local/lib/perl5/5.00503/man/.glimpse_index ; + ! /usr/local/lib/perl5/5.00503/man/.glimpse_turbo ; + ! /usr/local/lib/perl5/5.00503/man/.glimpse_partitions ; + ! /usr/local/lib/perl5/5.00503/man/.glimpse_filenames ; + ! /usr/local/lib/perl5/5.00503/man/.glimpse_filenames_index ; + /usr/local/lib/perl5/5.00503/man/man3 -> $(SEC_CRIT) (recurse = true) ; + ! /usr/local/lib/perl5/5.00503/man/cat3 ; +} + + +# +# X11R6 +# + +( + rulename = "X11R6", + severity = $(SIG_HI) +) +{ + /usr/X11R6 -> $(SEC_CRIT) (recurse = true) ; + /usr/X11R6/lib/X11/xdm -> $(SEC_CONFIG) (recurse = true) ; + !/usr/X11R6/lib/X11/xdm/xdm-errors ; + !/usr/X11R6/lib/X11/xdm/authdir/authfiles ; + !/usr/X11R6/lib/X11/xdm/xdm-pid ; + /usr/X11R6/lib/X11/xkb/compiled -> $(SEC_CONFIG) (recurse = true) ; + /usr/X11R6/man -> $(SEC_CONFIG) ; + !/usr/X11R6/man/whatis ; + !/usr/X11R6/man/.glimpse_filenames ; + !/usr/X11R6/man/.glimpse_filenames_index ; + !/usr/X11R6/man/.glimpse_filetimes ; + !/usr/X11R6/man/.glimpse_filters ; + !/usr/X11R6/man/.glimpse_index ; + !/usr/X11R6/man/.glimpse_messages ; + !/usr/X11R6/man/.glimpse_partitions ; + !/usr/X11R6/man/.glimpse_statistics ; + !/usr/X11R6/man/.glimpse_turbo ; + /usr/X11R6/man/man1 -> $(SEC_CRIT) (recurse = true) ; + /usr/X11R6/man/man2 -> $(SEC_CRIT) (recurse = true) ; + /usr/X11R6/man/man3 -> $(SEC_CRIT) (recurse = true) ; + /usr/X11R6/man/man4 -> $(SEC_CRIT) (recurse = true) ; + /usr/X11R6/man/man5 -> $(SEC_CRIT) (recurse = true) ; + /usr/X11R6/man/man6 -> $(SEC_CRIT) (recurse = true) ; + /usr/X11R6/man/man7 -> $(SEC_CRIT) (recurse = true) ; + /usr/X11R6/man/man8 -> $(SEC_CRIT) (recurse = true) ; + /usr/X11R6/man/man9 -> $(SEC_CRIT) (recurse = true) ; + /usr/X11R6/man/manl -> $(SEC_CRIT) (recurse = true) ; + /usr/X11R6/man/mann -> $(SEC_CRIT) (recurse = true) ; + ! /usr/X11R6/man/cat1 ; + ! /usr/X11R6/man/cat2 ; + ! /usr/X11R6/man/cat3 ; + ! /usr/X11R6/man/cat4 ; + ! /usr/X11R6/man/cat5 ; + ! /usr/X11R6/man/cat6 ; + ! /usr/X11R6/man/cat7 ; + ! /usr/X11R6/man/cat8 ; + ! /usr/X11R6/man/cat9 ; + ! /usr/X11R6/man/catl ; + ! /usr/X11R6/man/catn ; +} + + +# +# sources +# + +( + rulename = "Sources", + severity = $(SIG_HI) +) +{ + /usr/src -> $(SEC_CRIT) (recurse = true) ; + /usr/src/sys/compile -> $(SEC_CONFIG) (recurse = false) ; +} + + +# +# NIS +# + +( + rulename = "NIS", + severity = $(SIG_HI) +) +{ + /var/yp -> $(SEC_CRIT) (recurse = true) ; + !/var/yp/binding ; +} + + +# +# Temporary directories +# +( + rulename = "Temporary directories", + recurse = false, + severity = $(SIG_LOW) +) +{ + /usr/tmp -> $(SEC_INVARIANT) ; + /var/tmp -> $(SEC_INVARIANT) ; + /var/preserve -> $(SEC_INVARIANT) ; + /tmp -> $(SEC_INVARIANT) ; +} + +# +# Local files +# + +( + rulename = "Local files", + severity = $(SIG_MED) +) +{ + /usr/local/bin -> $(SEC_BIN) (recurse = true) ; + /usr/local/sbin -> $(SEC_BIN) (recurse = true) ; + /usr/local/etc -> $(SEC_BIN) (recurse = true) ; + /usr/local/lib -> $(SEC_BIN) (recurse = true ) ; + /usr/local/libexec -> $(SEC_BIN) (recurse = true ) ; + /usr/local/share -> $(SEC_BIN) (recurse = true ) ; + /usr/local/man -> $(SEC_CONFIG) ; + !/usr/local/man/whatis ; + !/usr/local/man/.glimpse_filenames ; + !/usr/local/man/.glimpse_filenames_index ; + !/usr/local/man/.glimpse_filetimes ; + !/usr/local/man/.glimpse_filters ; + !/usr/local/man/.glimpse_index ; + !/usr/local/man/.glimpse_messages ; + !/usr/local/man/.glimpse_partitions ; + !/usr/local/man/.glimpse_statistics ; + !/usr/local/man/.glimpse_turbo ; + /usr/local/man/man1 -> $(SEC_CRIT) (recurse = true) ; + /usr/local/man/man2 -> $(SEC_CRIT) (recurse = true) ; + /usr/local/man/man3 -> $(SEC_CRIT) (recurse = true) ; + /usr/local/man/man4 -> $(SEC_CRIT) (recurse = true) ; + /usr/local/man/man5 -> $(SEC_CRIT) (recurse = true) ; + /usr/local/man/man6 -> $(SEC_CRIT) (recurse = true) ; + /usr/local/man/man7 -> $(SEC_CRIT) (recurse = true) ; + /usr/local/man/man8 -> $(SEC_CRIT) (recurse = true) ; + /usr/local/man/man9 -> $(SEC_CRIT) (recurse = true) ; + /usr/local/man/manl -> $(SEC_CRIT) (recurse = true) ; + /usr/local/man/mann -> $(SEC_CRIT) (recurse = true) ; + ! /usr/local/man/cat1 ; + ! /usr/local/man/cat2 ; + ! /usr/local/man/cat3 ; + ! /usr/local/man/cat4 ; + ! /usr/local/man/cat5 ; + ! /usr/local/man/cat6 ; + ! /usr/local/man/cat7 ; + ! /usr/local/man/cat8 ; + ! /usr/local/man/cat9 ; + ! /usr/local/man/catl ; + ! /usr/local/man/catn ; + /usr/local/krb5 -> $(SEC_CRIT) (recurse = true) ; + /usr/local/krb5/man -> $(SEC_CONFIG) ; + !/usr/local/krb5/man/whatis ; + !/usr/local/krb5/man/.glimpse_filenames ; + !/usr/local/krb5/man/.glimpse_filenames_index ; + !/usr/local/krb5/man/.glimpse_filetimes ; + !/usr/local/krb5/man/.glimpse_filters ; + !/usr/local/krb5/man/.glimpse_index ; + !/usr/local/krb5/man/.glimpse_messages ; + !/usr/local/krb5/man/.glimpse_partitions ; + !/usr/local/krb5/man/.glimpse_statistics ; + !/usr/local/krb5/man/.glimpse_turbo ; + /usr/local/krb5/man/man1 -> $(SEC_CRIT) (recurse = true) ; + /usr/local/krb5/man/man2 -> $(SEC_CRIT) (recurse = true) ; + /usr/local/krb5/man/man3 -> $(SEC_CRIT) (recurse = true) ; + /usr/local/krb5/man/man4 -> $(SEC_CRIT) (recurse = true) ; + /usr/local/krb5/man/man5 -> $(SEC_CRIT) (recurse = true) ; + /usr/local/krb5/man/man6 -> $(SEC_CRIT) (recurse = true) ; + /usr/local/krb5/man/man7 -> $(SEC_CRIT) (recurse = true) ; + /usr/local/krb5/man/man8 -> $(SEC_CRIT) (recurse = true) ; + /usr/local/krb5/man/man9 -> $(SEC_CRIT) (recurse = true) ; + /usr/local/krb5/man/manl -> $(SEC_CRIT) (recurse = true) ; + /usr/local/krb5/man/mann -> $(SEC_CRIT) (recurse = true) ; + ! /usr/local/krb5/man/cat1 ; + ! /usr/local/krb5/man/cat2 ; + ! /usr/local/krb5/man/cat3 ; + ! /usr/local/krb5/man/cat4 ; + ! /usr/local/krb5/man/cat5 ; + ! /usr/local/krb5/man/cat6 ; + ! /usr/local/krb5/man/cat7 ; + ! /usr/local/krb5/man/cat8 ; + ! /usr/local/krb5/man/cat9 ; + ! /usr/local/krb5/man/catl ; + ! /usr/local/krb5/man/catn ; + /usr/local/www -> $(SEC_CONFIG) (recurse = true) ; +} + + +( + rulename = "Security Control", + severity = $(SIG_HI) +) +{ + /etc/group -> $(SEC_CRIT) ; + /etc/crontab -> $(SEC_CRIT) ; +} + +#============================================================================= +# +# Copyright 2000-2017 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, +# Inc. in the United States and other countries. All rights reserved. +# +# FreeBSD is a registered trademark of the FreeBSD Project Inc. +# +# UNIX is a registered trademark of The Open Group. +# +#============================================================================= +# +# Permission is granted to make and distribute verbatim copies of this document +# provided the copyright notice and this permission notice are preserved on all +# copies. +# +# Permission is granted to copy and distribute modified versions of this +# document under the conditions for verbatim copying, provided that the entire +# resulting derived work is distributed under the terms of a permission notice +# identical to this one. +# +# Permission is granted to copy and distribute translations of this document +# into another language, under the above conditions for modified versions, +# except that this permission notice may be stated in a translation approved by +# Tripwire, Inc. +# +# DCM diff --git a/policy/twpol-MirBSD.txt b/policy/twpol-MirBSD.txt index 1591119..a74fb67 100644 --- a/policy/twpol-MirBSD.txt +++ b/policy/twpol-MirBSD.txt @@ -2,8 +2,8 @@ # ## ############################################################################## # # # # -# Policy file for OpenBSD 3.5 # # -# May 20, 2003 # # +# Policy file for MirOS BSD # # +# (adapted from OpenBSD policy) # # # ## ############################################################################## diff --git a/policy/twpol-NetBSD.txt b/policy/twpol-NetBSD.txt new file mode 100644 index 0000000..79e742e --- /dev/null +++ b/policy/twpol-NetBSD.txt @@ -0,0 +1,656 @@ +# +# Policy file for NetBSD +# (adapted from FreeBSD policy) +# +# $FreeBSD: ports/security/tripwire/files/twpol.txt,v 1.2 2002/03/04 16:55:21 cy Exp $ +# $Id: twpol-FreeBSD.txt,v 1.1 2003/06/08 02:00:06 pherman Exp $ + +# +# This is the example Tripwire Policy file. It is intended as a place to +# start creating your own custom Tripwire Policy file. Referring to it as +# well as the Tripwire Policy Guide should give you enough information to +# make a good custom Tripwire Policy file that better covers your +# configuration and security needs. A text version of this policy file is +# called twpol.txt. +# +# Note that this file is tuned to an install of FreeBSD using +# buildworld. If run unmodified, this file should create no errors on +# database creation, or violations on a subsiquent integrity check. +# However it is impossible for there to be one policy file for all machines, +# so this existing one errs on the side of security. Your FreeBSD +# configuration will most likey differ from the one our policy file was +# tuned to, and will therefore require some editing of the default +# Tripwire Policy file. +# +# The example policy file is best run with 'Loose Directory Checking' +# enabled. Set LOOSEDIRECTORYCHECKING=TRUE in the Tripwire Configuration +# file. +# +# Email support is not included and must be added to this file. +# Add the 'emailto=' to the rule directive section of each rule (add a comma +# after the 'severity=' line and add an 'emailto=' and include the email +# addresses you want the violation reports to go to). Addresses are +# semi-colon delimited. +# + + + +# +# Global Variable Definitions +# +# These are defined at install time by the installation script. You may +# Manually edit these if you are using this file directly and not from the +# installation script itself. +# + +@@section GLOBAL +TWROOT=; +TWBIN=; +TWPOL=; +TWDB=; +TWSKEY=; +TWLKEY=; +TWREPORT=; +HOSTNAME=; + +@@section FS +SEC_CRIT = $(IgnoreNone)-SHa ; # Critical files that cannot change +SEC_SUID = $(IgnoreNone)-SHa ; # Binaries with the SUID or SGID flags set +SEC_BIN = $(ReadOnly) ; # Binaries that should not change +SEC_CONFIG = $(Dynamic) ; # Config files that are changed infrequently but accessed often +SEC_TTY = $(Dynamic)-ugp ; # Tty files that change ownership at login +SEC_LOG = $(Growing) ; # Files that grow, but that should never change ownership +SEC_INVARIANT = +tpug ; # Directories that should never change permission or ownership +SIG_LOW = 33 ; # Non-critical files that are of minimal security impact +SIG_MED = 66 ; # Non-critical files that are of significant security impact +SIG_HI = 100 ; # Critical files that are significant points of vulnerability + + +# Tripwire Binaries +( + rulename = "Tripwire Binaries", + severity = $(SIG_HI) +) +{ + $(TWBIN)/siggen -> $(SEC_BIN) ; + $(TWBIN)/tripwire -> $(SEC_BIN) ; + $(TWBIN)/twadmin -> $(SEC_BIN) ; + $(TWBIN)/twprint -> $(SEC_BIN) ; +} + +# Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases +( + rulename = "Tripwire Data Files", + severity = $(SIG_HI) +) +{ + # NOTE: We remove the inode attribute because when Tripwire creates a backup, + # it does so by renaming the old file and creating a new one (which will + # have a new inode number). Inode is left turned on for keys, which shouldn't + # ever change. + + # NOTE: The first integrity check triggers this rule and each integrity check + # afterward triggers this rule until a database update is run, since the + # database file does not exist before that point. + + $(TWDB) -> $(SEC_CONFIG) -i ; + $(TWPOL)/tw.pol -> $(SEC_BIN) -i ; + $(TWPOL)/tw.cfg -> $(SEC_BIN) -i ; + $(TWPOL)/twcfg.txt -> $(SEC_BIN) ; + $(TWPOL)/twpol.txt -> $(SEC_BIN) ; + $(TWLKEY)/$(HOSTNAME)-local.key -> $(SEC_BIN) ; + $(TWSKEY)/site.key -> $(SEC_BIN) ; + + #don't scan the individual reports + $(TWREPORT) -> $(SEC_CONFIG) (recurse=0) ; +} + + +# Tripwire HQ Connector Binaries +#( +# rulename = "Tripwire HQ Connector Binaries", +# severity = $(SIG_HI) +#) +#{ +# $(TWBIN)/hqagent -> $(SEC_BIN) ; +#} +# +# Tripwire HQ Connector - Configuration Files, Keys, and Logs + +# +# Note: File locations here are different than in a stock HQ Connector +# installation. This is because Tripwire 2.3 uses a different path +# structure than Tripwire 2.2.1. +# +# You may need to update your HQ Agent configuation file (or this policy +# file) to correct the paths. We have attempted to support the FHS standard +# here by placing the HQ Agent files similarly to the way Tripwire 2.3 +# places them. +# + +#( +# rulename = "Tripwire HQ Connector Data Files", +# severity = $(SIG_HI) +#) +#{ +# +# # NOTE: Removing the inode attribute because when Tripwire creates a backup +# # it does so by renaming the old file and creating a new one (which will +# # have a new inode number). Leaving inode turned on for keys, which +# # shouldn't ever change. +# +# +# $(TWBIN)/agent.cfg -> $(SEC_BIN) -i ; +# $(TWLKEY)/authentication.key -> $(SEC_BIN) ; +# $(TWDB)/tasks.dat -> $(SEC_CONFIG) ; +# $(TWDB)/schedule.dat -> $(SEC_CONFIG) ; +# +# # Uncomment if you have agent logging enabled. +# #/var/log/tripwire/agent.log -> $(SEC_LOG) ; +#} + + + +# Commonly accessed directories that should remain static with regards to owner and group +( + rulename = "Invariant Directories", + severity = $(SIG_MED) +) +{ + / -> $(SEC_INVARIANT) (recurse = false) ; + /home -> $(SEC_INVARIANT) (recurse = false) ; +} + +# +# First, root's "home" +# + +( + rulename = "Root's home", + severity = $(SIG_HI) +) +{ + # /.rhosts -> $(SEC_CRIT) ; + /.profile -> $(SEC_CRIT) ; + /.cshrc -> $(SEC_CRIT) ; + /.login -> $(SEC_CRIT) ; + # /.exrc -> $(SEC_CRIT) ; + # /.logout -> $(SEC_CRIT) ; + # /.forward -> $(SEC_CRIT) ; + /root -> $(SEC_CRIT) (recurse = true) ; + !/root/.history ; + !/root/.bash_history ; + # !/root/.lsof_SYSTEM_NAME ; # Uncomment if lsof is installed +} + + +# +# FreeBSD Kernel +# + +( + rulename = "FreeBSD Kernel", + severity = $(SIG_HI) +) +{ + /kernel -> $(SEC_CRIT) ; + /kernel.old -> $(SEC_CRIT) ; + /kernel.GENERIC -> $(SEC_CRIT) ; +} + + +# +# FreeBSD Modules +# + +( + rulename = "FreeBSD Modules", + severity = $(SIG_HI) +) +{ + /modules -> $(SEC_CRIT) (recurse = true) ; + /modules.old -> $(SEC_CRIT) (recurse = true) ; + # /lkm -> $(SEC_CRIT) (recurse = true) ; # uncomment if using lkm kld +} + + +# +# System Administration Programs +# + +( + rulename = "System Administration Programs", + severity = $(SIG_HI) +) +{ + /sbin -> $(SEC_CRIT) (recurse = true) ; + /usr/sbin -> $(SEC_CRIT) (recurse = true) ; +} + + +# +# User Utilities +# + +( + rulename = "User Utilities", + severity = $(SIG_HI) +) +{ + /bin -> $(SEC_CRIT) (recurse = true) ; + /usr/bin -> $(SEC_CRIT) (recurse = true) ; +} + + +# +# /dev +# + +( + rulename = "/dev", + severity = $(SIG_HI) +) +{ + /dev -> $(Device) (recurse = true) ; + !/dev/vga ; + !/dev/dri ; + /dev/console -> $(SEC_TTY) ; + /dev/ttyv0 -> $(SEC_TTY) ; + /dev/ttyv1 -> $(SEC_TTY) ; + /dev/ttyv2 -> $(SEC_TTY) ; + /dev/ttyv3 -> $(SEC_TTY) ; + /dev/ttyv4 -> $(SEC_TTY) ; + /dev/ttyv5 -> $(SEC_TTY) ; + /dev/ttyv6 -> $(SEC_TTY) ; + /dev/ttyv7 -> $(SEC_TTY) ; + /dev/ttyp0 -> $(SEC_TTY) ; + /dev/ttyp1 -> $(SEC_TTY) ; + /dev/ttyp2 -> $(SEC_TTY) ; + /dev/ttyp3 -> $(SEC_TTY) ; + /dev/ttyp4 -> $(SEC_TTY) ; + /dev/ttyp5 -> $(SEC_TTY) ; + /dev/ttyp6 -> $(SEC_TTY) ; + /dev/ttyp7 -> $(SEC_TTY) ; + /dev/ttyp8 -> $(SEC_TTY) ; + /dev/ttyp9 -> $(SEC_TTY) ; + /dev/ttypa -> $(SEC_TTY) ; + /dev/ttypb -> $(SEC_TTY) ; + /dev/ttypc -> $(SEC_TTY) ; + /dev/ttypd -> $(SEC_TTY) ; + /dev/ttype -> $(SEC_TTY) ; + /dev/ttypf -> $(SEC_TTY) ; + /dev/ttypg -> $(SEC_TTY) ; + /dev/ttyph -> $(SEC_TTY) ; + /dev/ttypi -> $(SEC_TTY) ; + /dev/ttypj -> $(SEC_TTY) ; + /dev/ttypl -> $(SEC_TTY) ; + /dev/ttypm -> $(SEC_TTY) ; + /dev/ttypn -> $(SEC_TTY) ; + /dev/ttypo -> $(SEC_TTY) ; + /dev/ttypp -> $(SEC_TTY) ; + /dev/ttypq -> $(SEC_TTY) ; + /dev/ttypr -> $(SEC_TTY) ; + /dev/ttyps -> $(SEC_TTY) ; + /dev/ttypt -> $(SEC_TTY) ; + /dev/ttypu -> $(SEC_TTY) ; + /dev/ttypv -> $(SEC_TTY) ; + /dev/cuaa0 -> $(SEC_TTY) ; # modem +} + + +# +# /etc +# + +( + rulename = "/etc", + severity = $(SIG_HI) +) +{ + /etc -> $(SEC_CRIT) (recurse = true) ; + # /etc/mail/aliases -> $(SEC_CONFIG) ; + /etc/dumpdates -> $(SEC_CONFIG) ; + /etc/motd -> $(SEC_CONFIG) ; + !/etc/ppp/connect-errors ; + /etc/skeykeys -> $(SEC_CONFIG) ; + # Uncomment the following 4 lines if your password file does not change + # /etc/passwd -> $(SEC_CONFIG) ; + # /etc/master.passwd -> $(SEC_CONFIG) ; + # /etc/pwd.db -> $(SEC_CONFIG) ; + # /etc/spwd.db -> $(SEC_CONFIG) ; +} + + +# +# Copatibility (Linux) +# + +( + rulename = "Linux Compatibility", + severity = $(SIG_HI) +) +{ + /compat -> $(SEC_CRIT) (recurse = true) ; +# +# Uncomment the following if Linux compatibility is used. Replace +# HOSTNAME1 and HOSTNAME2 with the hosts that have Linux emulation port +# installed. +# +#@@ifhost HOSTNAME1 || HOSTNAME2 +# /compat/linux/etc -> $(SEC_INVARIANT) (recurse = false) ; +# /compat/linux/etc/X11 -> $(SEC_CONFIG) (recurse = true) ; +# /compat/linux/etc/pam.d -> $(SEC_CONFIG) (recurse = true) ; +# /compat/linux/etc/profile.d -> $(SEC_CONFIG) (recurse = true) ; +# /compat/linux/etc/real -> $(SEC_CONFIG) (recurse = true) ; +# /compat/linux/etc/bashrc -> $(SEC_CONFIG) ; +# /compat/linux/etc/csh.login -> $(SEC_CONFIG) ; +# /compat/linux/etc/host.conf -> $(SEC_CONFIG) ; +# /compat/linux/etc/hosts.allow -> $(SEC_CONFIG) ; +# /compat/linux/etc/hosts.deny -> $(SEC_CONFIG) ; +# /compat/linux/etc/info-dir -> $(SEC_CONFIG) ; +# /compat/linux/etc/inputrc -> $(SEC_CONFIG) ; +# /compat/linux/etc/ld.so.conf -> $(SEC_CONFIG) ; +# /compat/linux/etc/nsswitch.conf -> $(SEC_CONFIG) ; +# /compat/linux/etc/profile -> $(SEC_CONFIG) ; +# /compat/linux/etc/redhat-release -> $(SEC_CONFIG) ; +# /compat/linux/etc/rpc -> $(SEC_CONFIG) ; +# /compat/linux/etc/securetty -> $(SEC_CONFIG) ; +# /compat/linux/etc/shells -> $(SEC_CONFIG) ; +# /compat/linux/etc/termcap -> $(SEC_CONFIG) ; +# /compat/linux/etc/yp.conf -> $(SEC_CONFIG) ; +# !/compat/linux/etc/ld.so.cache ; +# !/compat/linux/var/spool/mail ; +#@@endif +} + + +# +# Libraries, include files, and other system files +# + +( + rulename = "Libraries, include files, and other system files", + severity = $(SIG_HI) +) +{ + /usr/include -> $(SEC_CRIT) (recurse = true) ; + /usr/lib -> $(SEC_CRIT) (recurse = true) ; + /usr/libdata -> $(SEC_CRIT) (recurse = true) ; + /usr/libexec -> $(SEC_CRIT) (recurse = true) ; + /usr/share -> $(SEC_CRIT) (recurse = true) ; + /usr/share/man -> $(SEC_CONFIG) ; + !/usr/share/man/whatis ; + !/usr/share/man/.glimpse_filenames ; + !/usr/share/man/.glimpse_filenames_index ; + !/usr/share/man/.glimpse_filetimes ; + !/usr/share/man/.glimpse_filters ; + !/usr/share/man/.glimpse_index ; + !/usr/share/man/.glimpse_messages ; + !/usr/share/man/.glimpse_partitions ; + !/usr/share/man/.glimpse_statistics ; + !/usr/share/man/.glimpse_turbo ; + /usr/share/man/man1 -> $(SEC_CRIT) (recurse = true) ; + /usr/share/man/man2 -> $(SEC_CRIT) (recurse = true) ; + /usr/share/man/man3 -> $(SEC_CRIT) (recurse = true) ; + /usr/share/man/man4 -> $(SEC_CRIT) (recurse = true) ; + /usr/share/man/man5 -> $(SEC_CRIT) (recurse = true) ; + /usr/share/man/man6 -> $(SEC_CRIT) (recurse = true) ; + /usr/share/man/man7 -> $(SEC_CRIT) (recurse = true) ; + /usr/share/man/man8 -> $(SEC_CRIT) (recurse = true) ; + /usr/share/man/man9 -> $(SEC_CRIT) (recurse = true) ; + /usr/share/man/mann -> $(SEC_CRIT) (recurse = true) ; + ! /usr/share/man/cat1 ; + ! /usr/share/man/cat2 ; + ! /usr/share/man/cat3 ; + ! /usr/share/man/cat4 ; + ! /usr/share/man/cat5 ; + ! /usr/share/man/cat6 ; + ! /usr/share/man/cat7 ; + ! /usr/share/man/cat8 ; + ! /usr/share/man/cat9 ; + ! /usr/share/man/catl ; + ! /usr/share/man/catn ; + /usr/share/perl/man -> $(SEC_CONFIG) ; + !/usr/share/perl/man/whatis ; + !/usr/share/perl/man/.glimpse_filenames ; + !/usr/share/perl/man/.glimpse_filenames_index ; + !/usr/share/perl/man/.glimpse_filetimes ; + !/usr/share/perl/man/.glimpse_filters ; + !/usr/share/perl/man/.glimpse_index ; + !/usr/share/perl/man/.glimpse_messages ; + !/usr/share/perl/man/.glimpse_partitions ; + !/usr/share/perl/man/.glimpse_statistics ; + !/usr/share/perl/man/.glimpse_turbo ; + /usr/share/perl/man/man3 -> $(SEC_CRIT) (recurse = true) ; + ! /usr/share/perl/man/cat3 ; + /usr/local/lib/perl5/5.00503/man -> $(SEC_CONFIG) ; + ! /usr/local/lib/perl5/5.00503/man/whatis ; + ! /usr/local/lib/perl5/5.00503/man/.glimpse_filters ; + ! /usr/local/lib/perl5/5.00503/man/.glimpse_filetimes ; + ! /usr/local/lib/perl5/5.00503/man/.glimpse_messages ; + ! /usr/local/lib/perl5/5.00503/man/.glimpse_statistics ; + ! /usr/local/lib/perl5/5.00503/man/.glimpse_index ; + ! /usr/local/lib/perl5/5.00503/man/.glimpse_turbo ; + ! /usr/local/lib/perl5/5.00503/man/.glimpse_partitions ; + ! /usr/local/lib/perl5/5.00503/man/.glimpse_filenames ; + ! /usr/local/lib/perl5/5.00503/man/.glimpse_filenames_index ; + /usr/local/lib/perl5/5.00503/man/man3 -> $(SEC_CRIT) (recurse = true) ; + ! /usr/local/lib/perl5/5.00503/man/cat3 ; +} + + +# +# X11R6 +# + +( + rulename = "X11R6", + severity = $(SIG_HI) +) +{ + /usr/X11R6 -> $(SEC_CRIT) (recurse = true) ; + /usr/X11R6/lib/X11/xdm -> $(SEC_CONFIG) (recurse = true) ; + !/usr/X11R6/lib/X11/xdm/xdm-errors ; + !/usr/X11R6/lib/X11/xdm/authdir/authfiles ; + !/usr/X11R6/lib/X11/xdm/xdm-pid ; + /usr/X11R6/lib/X11/xkb/compiled -> $(SEC_CONFIG) (recurse = true) ; + /usr/X11R6/man -> $(SEC_CONFIG) ; + !/usr/X11R6/man/whatis ; + !/usr/X11R6/man/.glimpse_filenames ; + !/usr/X11R6/man/.glimpse_filenames_index ; + !/usr/X11R6/man/.glimpse_filetimes ; + !/usr/X11R6/man/.glimpse_filters ; + !/usr/X11R6/man/.glimpse_index ; + !/usr/X11R6/man/.glimpse_messages ; + !/usr/X11R6/man/.glimpse_partitions ; + !/usr/X11R6/man/.glimpse_statistics ; + !/usr/X11R6/man/.glimpse_turbo ; + /usr/X11R6/man/man1 -> $(SEC_CRIT) (recurse = true) ; + /usr/X11R6/man/man2 -> $(SEC_CRIT) (recurse = true) ; + /usr/X11R6/man/man3 -> $(SEC_CRIT) (recurse = true) ; + /usr/X11R6/man/man4 -> $(SEC_CRIT) (recurse = true) ; + /usr/X11R6/man/man5 -> $(SEC_CRIT) (recurse = true) ; + /usr/X11R6/man/man6 -> $(SEC_CRIT) (recurse = true) ; + /usr/X11R6/man/man7 -> $(SEC_CRIT) (recurse = true) ; + /usr/X11R6/man/man8 -> $(SEC_CRIT) (recurse = true) ; + /usr/X11R6/man/man9 -> $(SEC_CRIT) (recurse = true) ; + /usr/X11R6/man/manl -> $(SEC_CRIT) (recurse = true) ; + /usr/X11R6/man/mann -> $(SEC_CRIT) (recurse = true) ; + ! /usr/X11R6/man/cat1 ; + ! /usr/X11R6/man/cat2 ; + ! /usr/X11R6/man/cat3 ; + ! /usr/X11R6/man/cat4 ; + ! /usr/X11R6/man/cat5 ; + ! /usr/X11R6/man/cat6 ; + ! /usr/X11R6/man/cat7 ; + ! /usr/X11R6/man/cat8 ; + ! /usr/X11R6/man/cat9 ; + ! /usr/X11R6/man/catl ; + ! /usr/X11R6/man/catn ; +} + + +# +# sources +# + +( + rulename = "Sources", + severity = $(SIG_HI) +) +{ + /usr/src -> $(SEC_CRIT) (recurse = true) ; + /usr/src/sys/compile -> $(SEC_CONFIG) (recurse = false) ; +} + + +# +# NIS +# + +( + rulename = "NIS", + severity = $(SIG_HI) +) +{ + /var/yp -> $(SEC_CRIT) (recurse = true) ; + !/var/yp/binding ; +} + + +# +# Temporary directories +# +( + rulename = "Temporary directories", + recurse = false, + severity = $(SIG_LOW) +) +{ + /usr/tmp -> $(SEC_INVARIANT) ; + /var/tmp -> $(SEC_INVARIANT) ; + /var/preserve -> $(SEC_INVARIANT) ; + /tmp -> $(SEC_INVARIANT) ; +} + +# +# Local files +# + +( + rulename = "Local files", + severity = $(SIG_MED) +) +{ + /usr/local/bin -> $(SEC_BIN) (recurse = true) ; + /usr/local/sbin -> $(SEC_BIN) (recurse = true) ; + /usr/local/etc -> $(SEC_BIN) (recurse = true) ; + /usr/local/lib -> $(SEC_BIN) (recurse = true ) ; + /usr/local/libexec -> $(SEC_BIN) (recurse = true ) ; + /usr/local/share -> $(SEC_BIN) (recurse = true ) ; + /usr/local/man -> $(SEC_CONFIG) ; + !/usr/local/man/whatis ; + !/usr/local/man/.glimpse_filenames ; + !/usr/local/man/.glimpse_filenames_index ; + !/usr/local/man/.glimpse_filetimes ; + !/usr/local/man/.glimpse_filters ; + !/usr/local/man/.glimpse_index ; + !/usr/local/man/.glimpse_messages ; + !/usr/local/man/.glimpse_partitions ; + !/usr/local/man/.glimpse_statistics ; + !/usr/local/man/.glimpse_turbo ; + /usr/local/man/man1 -> $(SEC_CRIT) (recurse = true) ; + /usr/local/man/man2 -> $(SEC_CRIT) (recurse = true) ; + /usr/local/man/man3 -> $(SEC_CRIT) (recurse = true) ; + /usr/local/man/man4 -> $(SEC_CRIT) (recurse = true) ; + /usr/local/man/man5 -> $(SEC_CRIT) (recurse = true) ; + /usr/local/man/man6 -> $(SEC_CRIT) (recurse = true) ; + /usr/local/man/man7 -> $(SEC_CRIT) (recurse = true) ; + /usr/local/man/man8 -> $(SEC_CRIT) (recurse = true) ; + /usr/local/man/man9 -> $(SEC_CRIT) (recurse = true) ; + /usr/local/man/manl -> $(SEC_CRIT) (recurse = true) ; + /usr/local/man/mann -> $(SEC_CRIT) (recurse = true) ; + ! /usr/local/man/cat1 ; + ! /usr/local/man/cat2 ; + ! /usr/local/man/cat3 ; + ! /usr/local/man/cat4 ; + ! /usr/local/man/cat5 ; + ! /usr/local/man/cat6 ; + ! /usr/local/man/cat7 ; + ! /usr/local/man/cat8 ; + ! /usr/local/man/cat9 ; + ! /usr/local/man/catl ; + ! /usr/local/man/catn ; + /usr/local/krb5 -> $(SEC_CRIT) (recurse = true) ; + /usr/local/krb5/man -> $(SEC_CONFIG) ; + !/usr/local/krb5/man/whatis ; + !/usr/local/krb5/man/.glimpse_filenames ; + !/usr/local/krb5/man/.glimpse_filenames_index ; + !/usr/local/krb5/man/.glimpse_filetimes ; + !/usr/local/krb5/man/.glimpse_filters ; + !/usr/local/krb5/man/.glimpse_index ; + !/usr/local/krb5/man/.glimpse_messages ; + !/usr/local/krb5/man/.glimpse_partitions ; + !/usr/local/krb5/man/.glimpse_statistics ; + !/usr/local/krb5/man/.glimpse_turbo ; + /usr/local/krb5/man/man1 -> $(SEC_CRIT) (recurse = true) ; + /usr/local/krb5/man/man2 -> $(SEC_CRIT) (recurse = true) ; + /usr/local/krb5/man/man3 -> $(SEC_CRIT) (recurse = true) ; + /usr/local/krb5/man/man4 -> $(SEC_CRIT) (recurse = true) ; + /usr/local/krb5/man/man5 -> $(SEC_CRIT) (recurse = true) ; + /usr/local/krb5/man/man6 -> $(SEC_CRIT) (recurse = true) ; + /usr/local/krb5/man/man7 -> $(SEC_CRIT) (recurse = true) ; + /usr/local/krb5/man/man8 -> $(SEC_CRIT) (recurse = true) ; + /usr/local/krb5/man/man9 -> $(SEC_CRIT) (recurse = true) ; + /usr/local/krb5/man/manl -> $(SEC_CRIT) (recurse = true) ; + /usr/local/krb5/man/mann -> $(SEC_CRIT) (recurse = true) ; + ! /usr/local/krb5/man/cat1 ; + ! /usr/local/krb5/man/cat2 ; + ! /usr/local/krb5/man/cat3 ; + ! /usr/local/krb5/man/cat4 ; + ! /usr/local/krb5/man/cat5 ; + ! /usr/local/krb5/man/cat6 ; + ! /usr/local/krb5/man/cat7 ; + ! /usr/local/krb5/man/cat8 ; + ! /usr/local/krb5/man/cat9 ; + ! /usr/local/krb5/man/catl ; + ! /usr/local/krb5/man/catn ; + /usr/local/www -> $(SEC_CONFIG) (recurse = true) ; +} + + +( + rulename = "Security Control", + severity = $(SIG_HI) +) +{ + /etc/group -> $(SEC_CRIT) ; + /etc/crontab -> $(SEC_CRIT) ; +} + +#============================================================================= +# +# Copyright 2000-2017 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, +# Inc. in the United States and other countries. All rights reserved. +# +# FreeBSD is a registered trademark of the FreeBSD Project Inc. +# +# UNIX is a registered trademark of The Open Group. +# +#============================================================================= +# +# Permission is granted to make and distribute verbatim copies of this document +# provided the copyright notice and this permission notice are preserved on all +# copies. +# +# Permission is granted to copy and distribute modified versions of this +# document under the conditions for verbatim copying, provided that the entire +# resulting derived work is distributed under the terms of a permission notice +# identical to this one. +# +# Permission is granted to copy and distribute translations of this document +# into another language, under the above conditions for modified versions, +# except that this permission notice may be stated in a translation approved by +# Tripwire, Inc. +# +# DCM diff --git a/src/core/platform.h b/src/core/platform.h index 92b8d82..f6f09b8 100644 --- a/src/core/platform.h +++ b/src/core/platform.h @@ -65,6 +65,7 @@ #define OS_DRAGONFLYBSD 0x0305 #define OS_MIDNIGHTBSD 0x0306 #define OS_MIRBSD 0x0307 +#define OS_BITRIG 0x0308 #define OS_SOLARIS 0x0400 #define OS_AIX 0x0401 @@ -132,8 +133,18 @@ #elif defined(__linux__) #define OS OS_LINUX #define IS_LINUX 1 - - + + +// A herd of BSDs. Have to detect MidnightBSD before FreeBSD, and MirOS & Bitrig before OpenBSD +// because they also define symbols for their ancestor BSDs. +#elif defined(__DragonFly__) + #define OS OS_DRAGONFLYBSD + #define IS_DRAGONFLYBSD 1 + +#elif defined(__MidnightBSD__) + #define OS OS_MIDNIGHTBSD + #define IS_MIDNIGHTBSD 1 + #elif defined(__FreeBSD__) #define OS OS_FREEBSD #define IS_FREEBSD 1 @@ -142,11 +153,14 @@ #define OS OS_NETBSD #define IS_NETBSD 1 - // Must check for __MirBSD__ symbol first since its gcc also defines __OpenBSD__ #elif defined(__MirBSD__) #define OS OS_MIRBSD #define IS_MIRBSD 1 +#elif defined(__Bitrig__) + #define OS OS_BITRIG + #define IS_BITRIG 1 + #elif defined(__OpenBSD__) #define OS OS_OPENBSD #define IS_OPENBSD 1 @@ -155,14 +169,6 @@ #define OS OS_DARWIN #define IS_DARWIN 1 -#elif defined(__DragonFly__) - #define OS OS_DRAGONFLYBSD - #define IS_DRAGONFLYBSD 1 - -#elif defined(__MidnightBSD__) - #define OS OS_MIDNIGHTBSD - #define IS_MIDNIGHTBSD 1 - #elif defined(__sun) #define OS OS_SOLARIS