Use SEC_ naming convention w/ Solaris policy

Brian Cox 2018-03-20 00:11:55 -07:00
parent 38fc87fa9a
commit a2a9099ab4
1 changed files with 53 additions and 52 deletions


@ -2,7 +2,8 @@
# ## # ##
############################################################################## # ############################################################################## #
# # # # # #
# Policy file for Solaris 8 # # # Tripwire 2.4 policy for Solaris # #
# updated March 2018 # #
# ## # ##
############################################################################## ##############################################################################
@ -61,13 +62,13 @@ HOSTNAME=;
# #
############################################################################## ##############################################################################
Device = +pugsdr-intlbamcCMSH ; SEC_DEVICE = +pugsdr-intlbamcCMSH ;
Dynamic = +pinugtd-srlbamcCMSH ; SEC_DYNAMIC = +pinugtd-srlbamcCMSH ;
Growing = +pinugtdl-srbamcCMSH ; SEC_GROWING = +pinugtdl-srbamcCMSH ;
IgnoreAll = -pinugtsdrlbamcCMSH ; SEC_IGNORE_ALL = -pinugtsdrlbamcCMSH ;
IgnoreNone = +pinugtsdrbamcCMSH-l ; SEC_IGNORE_NONE = +pinugtsdrbamcCMSH-l ;
ReadOnly = +pinugtsdbmCM-rlacSH ; SEC_READONLY = +pinugtsdbmCM-rlacSH ;
Temporary = +pugt ; SEC_TEMPORARY = +pugt ;
@@section FS @@section FS
@ -84,10 +85,10 @@ Temporary = +pugt ;
rulename = "Tripwire Binaries", rulename = "Tripwire Binaries",
) )
{ {
$(TWBIN)/siggen -> $(ReadOnly) ; $(TWBIN)/siggen -> $(SEC_READONLY) ;
$(TWBIN)/tripwire -> $(ReadOnly) ; $(TWBIN)/tripwire -> $(SEC_READONLY) ;
$(TWBIN)/twadmin -> $(ReadOnly) ; $(TWBIN)/twadmin -> $(SEC_READONLY) ;
$(TWBIN)/twprint -> $(ReadOnly) ; $(TWBIN)/twprint -> $(SEC_READONLY) ;
} }
# Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases # Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases
@ -104,14 +105,14 @@ Temporary = +pugt ;
# afterward triggers this rule until a database update is run, since the # afterward triggers this rule until a database update is run, since the
# database file does not exist before that point. # database file does not exist before that point.
$(TWDB) -> $(Dynamic) -i ; $(TWDB) -> $(SEC_DYNAMIC) -i ;
$(TWPOL)/tw.pol -> $(ReadOnly) -i ; $(TWPOL)/tw.pol -> $(SEC_READONLY) -i ;
$(TWPOL)/tw.cfg -> $(ReadOnly) -i ; $(TWPOL)/tw.cfg -> $(SEC_READONLY) -i ;
$(TWLKEY)/$(HOSTNAME)-local.key -> $(ReadOnly) ; $(TWLKEY)/$(HOSTNAME)-local.key -> $(SEC_READONLY) ;
$(TWSKEY)/site.key -> $(ReadOnly) ; $(TWSKEY)/site.key -> $(SEC_READONLY) ;
# don't scan the individual reports # don't scan the individual reports
$(TWREPORT) -> $(Dynamic) (recurse=0) ; $(TWREPORT) -> $(SEC_DYNAMIC) (recurse=0) ;
# In this configuration /usr/local is a symbolic link to /home/local. # In this configuration /usr/local is a symbolic link to /home/local.
# We want to ignore the following directories since they are already # We want to ignore the following directories since they are already
@ -132,8 +133,8 @@ Temporary = +pugt ;
rulename = "OS Boot and Configuration Files", rulename = "OS Boot and Configuration Files",
) )
{ {
/etc -> $(IgnoreNone) -SHa ; /etc -> $(SEC_IGNORE_NONE) -SHa ;
/kernel -> $(ReadOnly) ; /kernel -> $(SEC_READONLY) ;
} }
################################################### ###################################################
@ -147,13 +148,13 @@ Temporary = +pugt ;
rulename = "Mount Points", rulename = "Mount Points",
) )
{ {
/ -> $(ReadOnly) ; / -> $(SEC_READONLY) ;
/cdrom -> $(Dynamic) ; /cdrom -> $(SEC_DYNAMIC) ;
/home -> $(ReadOnly) ; /home -> $(SEC_READONLY) ;
/mnt -> $(Dynamic) ; /mnt -> $(SEC_DYNAMIC) ;
/usr -> $(ReadOnly) ; /usr -> $(SEC_READONLY) ;
/var -> $(ReadOnly) ; /var -> $(SEC_READONLY) ;
/opt -> $(ReadOnly) ; /opt -> $(SEC_READONLY) ;
} }
################################################### ###################################################
@ -167,7 +168,7 @@ Temporary = +pugt ;
rulename = "Misc Top-Level Directories", rulename = "Misc Top-Level Directories",
) )
{ {
/lost+found -> $(ReadOnly) ; /lost+found -> $(SEC_READONLY) ;
} }
################################################ ################################################
@ -181,8 +182,8 @@ Temporary = +pugt ;
rulename = "System Devices", rulename = "System Devices",
) )
{ {
/dev -> $(Device) ; /dev -> $(SEC_DEVICE) ;
/devices -> $(Device) ; /devices -> $(SEC_DEVICE) ;
} }
################################################ ################################################
@ -196,12 +197,12 @@ Temporary = +pugt ;
rulename = "OS Binaries and Libraries", rulename = "OS Binaries and Libraries",
) )
{ {
/sbin -> $(ReadOnly) ; /sbin -> $(SEC_READONLY) ;
/usr/bin -> $(ReadOnly) ; /usr/bin -> $(SEC_READONLY) ;
/usr/lib -> $(ReadOnly) ; /usr/lib -> $(SEC_READONLY) ;
/usr/sbin -> $(ReadOnly) ; /usr/sbin -> $(SEC_READONLY) ;
/usr/openwin/bin -> $(ReadOnly) ; /usr/openwin/bin -> $(SEC_READONLY) ;
/usr/openwin/lib -> $(ReadOnly) ; /usr/openwin/lib -> $(SEC_READONLY) ;
} }
################################################ ################################################
@ -216,9 +217,9 @@ Temporary = +pugt ;
) )
{ {
! /.netscape/cache ; ! /.netscape/cache ;
/.bash_history -> $(ReadOnly) -smbCM; /.bash_history -> $(SEC_READONLY) -smbCM;
/.sh_history -> $(Dynamic) ; /.sh_history -> $(SEC_DYNAMIC) ;
/.Xauthority -> $(ReadOnly) ; /.Xauthority -> $(SEC_READONLY) ;
} }
################################################ ################################################
@ -232,8 +233,8 @@ Temporary = +pugt ;
rulename = "Temporary Directories", rulename = "Temporary Directories",
) )
{ {
/tmp -> $(Temporary) ; /tmp -> $(SEC_TEMPORARY) ;
/var/tmp -> $(Temporary) ; /var/tmp -> $(SEC_TEMPORARY) ;
} }
################################################ ################################################
@ -295,17 +296,17 @@ Temporary = +pugt ;
rulename = "System and Boot Changes", rulename = "System and Boot Changes",
) )
{ {
/etc/.pwd.lock -> $(ReadOnly) -cm; /etc/.pwd.lock -> $(SEC_READONLY) -cm;
/etc/coreadm.conf -> $(ReadOnly) -cm; /etc/coreadm.conf -> $(SEC_READONLY) -cm;
/var/adm -> $(Growing) -i; /var/adm -> $(SEC_GROWING) -i;
#/var/backups -> $(Dynamic) -i ; #/var/backups -> $(SEC_DYNAMIC) -i ;
/var/cron/log -> $(Growing) -i ; /var/cron/log -> $(SEC_GROWING) -i ;
#/var/db/host.random -> $(ReadOnly) -mCM ; #/var/db/host.random -> $(SEC_READONLY) -mCM ;
#/var/db/locate.database -> $(ReadOnly) -misCM ; #/var/db/locate.database -> $(SEC_READONLY) -misCM ;
/var/log -> $(Growing) -i ; /var/log -> $(SEC_GROWING) -i ;
#/var/run -> $(Dynamic) -i ; #/var/run -> $(SEC_DYNAMIC) -i ;
#/var/mail -> $(Growing) ; #/var/mail -> $(SEC_GROWING) ;
#/var/msgs/bounds -> $(ReadOnly) -smbCM ; #/var/msgs/bounds -> $(SEC_READONLY) -smbCM ;
!/var/sendmail ; !/var/sendmail ;
!/var/spool/clientmqueue ; !/var/spool/clientmqueue ;
!/var/spool/mqueue ; !/var/spool/mqueue ;