Use SEC_ naming convention in new policies

This commit is contained in:
Brian Cox 2018-03-19 23:09:15 -07:00
parent 392b533045
commit ab4c9203da
6 changed files with 207 additions and 207 deletions


@ -56,13 +56,13 @@ HOSTNAME=;
# #
############################################################################## ##############################################################################
#Device = +pugsdr-intlbamcCMSH ; SEC_DEVICE = +pugsdr-intlbamcCMSH ;
#Dynamic = +pinugtd-srlbamcCMSH ; SEC_DYNAMIC = +pinugtd-srlbamcCMSH ;
#Growing = +pinugtdl-srbamcCMSH ; SEC_GROWING = +pinugtdl-srbamcCMSH ;
#IgnoreAll = -pinugtsdrlbamcCMSH ; SEC_IGNORE_ALL = -pinugtsdrlbamcCMSH ;
#IgnoreNone = +pinugtsdrbamcCMSH-l ; SEC_IGNORE_NONE = +pinugtsdrbamcCMSH-l ;
#ReadOnly = +pinugtsdbmCM-rlacSH ; SEC_READONLY = +pinugtsdbmCM-rlacSH ;
Temporary = +pugt ; SEC_TEMPORARY = +pugt ;
@@section FS @@section FS
@ -77,10 +77,10 @@ Temporary = +pugt ;
rulename = "Tripwire Binaries", rulename = "Tripwire Binaries",
) )
{ {
$(TWBIN)/siggen -> $(ReadOnly) ; $(TWBIN)/siggen -> $(SEC_READONLY) ;
$(TWBIN)/tripwire -> $(ReadOnly) ; $(TWBIN)/tripwire -> $(SEC_READONLY) ;
$(TWBIN)/twadmin -> $(ReadOnly) ; $(TWBIN)/twadmin -> $(SEC_READONLY) ;
$(TWBIN)/twprint -> $(ReadOnly) ; $(TWBIN)/twprint -> $(SEC_READONLY) ;
} }
# Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases # Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases
@ -97,14 +97,14 @@ Temporary = +pugt ;
# afterward triggers this rule until a database update is run, since the # afterward triggers this rule until a database update is run, since the
# database file does not exist before that point. # database file does not exist before that point.
$(TWDB) -> $(Dynamic) -i ; $(TWDB) -> $(SEC_DYNAMIC) -i ;
$(TWPOL)/tw.pol -> $(ReadOnly) -i ; $(TWPOL)/tw.pol -> $(SEC_READONLY) -i ;
$(TWPOL)/tw.cfg -> $(ReadOnly) -i ; $(TWPOL)/tw.cfg -> $(SEC_READONLY) -i ;
$(TWLKEY)/$(HOSTNAME)-local.key -> $(ReadOnly) ; $(TWLKEY)/$(HOSTNAME)-local.key -> $(SEC_READONLY) ;
$(TWSKEY)/site.key -> $(ReadOnly) ; $(TWSKEY)/site.key -> $(SEC_READONLY) ;
# don't scan the individual reports # don't scan the individual reports
$(TWREPORT) -> $(Dynamic) (recurse=0) ; $(TWREPORT) -> $(SEC_DYNAMIC) (recurse=0) ;
} }
@ -112,21 +112,21 @@ Temporary = +pugt ;
(rulename="OS Files",) (rulename="OS Files",)
{ {
AROS:System -> $(IgnoreNone); AROS:System -> $(SEC_READONLY);
AROS:Devs -> $(IgnoreNone); AROS:Devs -> $(SEC_READONLY);
AROS:Libs -> $(IgnoreNone); AROS:Libs -> $(SEC_READONLY);
AROS:Tools-> $(IgnoreNone); AROS:Tools-> $(SEC_READONLY);
AROS:Prefs -> $(IgnoreNone); AROS:Prefs -> $(SEC_READONLY);
AROS:Utilities -> $(IgnoreNone); AROS:Utilities -> $(SEC_READONLY);
AROS:WBStartup -> $(IgnoreNone); AROS:WBStartup -> $(SEC_READONLY);
} }
(rulename="Development Tools",) (rulename="Development Tools",)
{ {
Work:Development -> $(IgnoreNone); Work:Development -> $(SEC_READONLY);
} }
(rulename="Extras",) (rulename="Extras",)
{ {
Work:Extras -> $(IgnoreNone); Work:Extras -> $(SEC_READONLY);
} }
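Review bot: Replacing `$(IgnoreNone)` with `$(SEC_READONLY)` in the "OS Files", "Development Tools" and "Extras" rules is a policy change, not the rename the commit title describes: by the masks defined in the first hunk, IgnoreNone is `+pinugtsdrbamcCMSH-l` while SEC_READONLY is `+pinugtsdbmCM-rlacSH`, so these rules stop recording ctime, the device number and the SHA and HAVAL hashes and keep only CRC32 and MD5 for change detection. The name-only rename would be `$(SEC_IGNORE_NONE)`, which the same hunk defines but nothing in the visible diff uses; if the reduced coverage is intended, the commit message should state it. The same substitution is made in every other file section (the "Boot files"/"Binary files"/"Admin binaries"/"Libraries"/"Etc" rules of the second section and the "System Directory"/"Binary Directories"/"Library Directories"/"Boot Directories"/"Settings" rules of the remaining four). The old names appear to be Tripwire built-ins (they were commented out yet still referenced), so the new explicit definitions can now drift from them; a comment on the definition such as `# mirrors the built-in ReadOnly mask: CRC32+MD5 only, no SHA/HAVAL, ctime or atime` would make the trade-off visible to the next maintainer.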


@ -56,13 +56,13 @@ HOSTNAME=;
# #
############################################################################## ##############################################################################
#Device = +pugsdr-intlbamcCMSH ; SEC_DEVICE = +pugsdr-intlbamcCMSH ;
#Dynamic = +pinugtd-srlbamcCMSH ; SEC_DYNAMIC = +pinugtd-srlbamcCMSH ;
#Growing = +pinugtdl-srbamcCMSH ; SEC_GROWING = +pinugtdl-srbamcCMSH ;
#IgnoreAll = -pinugtsdrlbamcCMSH ; SEC_IGNORE_ALL = -pinugtsdrlbamcCMSH ;
#IgnoreNone = +pinugtsdrbamcCMSH-l ; SEC_IGNORE_NONE = +pinugtsdrbamcCMSH-l ;
#ReadOnly = +pinugtsdbmCM-rlacSH ; SEC_READONLY = +pinugtsdbmCM-rlacSH ;
Temporary = +pugt ; SEC_TEMPORARY = +pugt ;
@@section FS @@section FS
@ -77,10 +77,10 @@ Temporary = +pugt ;
rulename = "Tripwire Binaries", rulename = "Tripwire Binaries",
) )
{ {
$(TWBIN)/siggen -> $(ReadOnly) ; $(TWBIN)/siggen -> $(SEC_READONLY) ;
$(TWBIN)/tripwire -> $(ReadOnly) ; $(TWBIN)/tripwire -> $(SEC_READONLY) ;
$(TWBIN)/twadmin -> $(ReadOnly) ; $(TWBIN)/twadmin -> $(SEC_READONLY) ;
$(TWBIN)/twprint -> $(ReadOnly) ; $(TWBIN)/twprint -> $(SEC_READONLY) ;
} }
# Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases # Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases
@ -97,63 +97,63 @@ Temporary = +pugt ;
# afterward triggers this rule until a database update is run, since the # afterward triggers this rule until a database update is run, since the
# database file does not exist before that point. # database file does not exist before that point.
$(TWDB) -> $(Dynamic) -i ; $(TWDB) -> $(SEC_DYNAMIC) -i ;
$(TWPOL)/tw.pol -> $(ReadOnly) -i ; $(TWPOL)/tw.pol -> $(SEC_READONLY) -i ;
$(TWPOL)/tw.cfg -> $(ReadOnly) -i ; $(TWPOL)/tw.cfg -> $(SEC_READONLY) -i ;
$(TWLKEY)/$(HOSTNAME)-local.key -> $(ReadOnly) ; $(TWLKEY)/$(HOSTNAME)-local.key -> $(SEC_READONLY) ;
$(TWSKEY)/site.key -> $(ReadOnly) ; $(TWSKEY)/site.key -> $(SEC_READONLY) ;
# don't scan the individual reports # don't scan the individual reports
$(TWREPORT) -> $(Dynamic) (recurse=0) ; $(TWREPORT) -> $(SEC_DYNAMIC) (recurse=0) ;
} }
############################################################################## ##############################################################################
(rulename="Boot files",) (rulename="Boot files",)
{ {
/boot -> $(IgnoreNone) -a; /boot -> $(SEC_READONLY) -a;
} }
(rulename="Binary files",) (rulename="Binary files",)
{ {
/bin -> $(IgnoreNone) -a; /bin -> $(SEC_READONLY) -a;
/usr/bin -> $(IgnoreNone) -a; /usr/bin -> $(SEC_READONLY) -a;
/usr/local/bin -> $(IgnoreNone) -a; /usr/local/bin -> $(SEC_READONLY) -a;
} }
(rulename="Admin binaries",) (rulename="Admin binaries",)
{ {
/servers -> $(IgnoreNone) -a; /servers -> $(SEC_READONLY) -a;
/sbin -> $(IgnoreNone) -a; /sbin -> $(SEC_READONLY) -a;
/usr/sbin -> $(IgnoreNone) -a; /usr/sbin -> $(SEC_READONLY) -a;
/hurd -> $(IgnoreNone) -a; /hurd -> $(SEC_READONLY) -a;
} }
(rulename="Libraries",) (rulename="Libraries",)
{ {
/lib -> $(IgnoreNone) -a; /lib -> $(SEC_READONLY) -a;
/usr/lib -> $(IgnoreNone) -a; /usr/lib -> $(SEC_READONLY) -a;
/usr/local/lib -> $(IgnoreNone) -a; /usr/local/lib -> $(SEC_READONLY) -a;
} }
(rulename="Etc",) (rulename="Etc",)
{ {
/etc -> $(IgnoreNone) -a; /etc -> $(SEC_READONLY) -a;
/usr/local/etc -> $(IgnoreNone) -a; /usr/local/etc -> $(SEC_READONLY) -a;
} }
(rulename="Dev",) (rulename="Dev",)
{ {
/dev -> $(Device); /dev -> $(SEC_DEVICE);
} }
(rulename="Tmp",) (rulename="Tmp",)
{ {
/tmp -> $(Temporary); /tmp -> $(SEC_TEMPORARY);
/var/tmp -> $(Temporary); /var/tmp -> $(SEC_TEMPORARY);
} }
(rulename="Log",) (rulename="Log",)
{ {
/var/log -> $(Growing); /var/log -> $(SEC_GROWING);
} }


@ -56,13 +56,13 @@ HOSTNAME=;
# #
############################################################################## ##############################################################################
#Device = +pugsdr-intlbamcCMSH ; SEC_DEVICE = +pugsdr-intlbamcCMSH ;
#Dynamic = +pinugtd-srlbamcCMSH ; SEC_DYNAMIC = +pinugtd-srlbamcCMSH ;
#Growing = +pinugtdl-srbamcCMSH ; SEC_GROWING = +pinugtdl-srbamcCMSH ;
#IgnoreAll = -pinugtsdrlbamcCMSH ; SEC_IGNORE_ALL = -pinugtsdrlbamcCMSH ;
#IgnoreNone = +pinugtsdrbamcCMSH-l ; SEC_IGNORE_NONE = +pinugtsdrbamcCMSH-l ;
#ReadOnly = +pinugtsdbmCM-rlacSH ; SEC_READONLY = +pinugtsdbmCM-rlacSH ;
Temporary = +pugt ; SEC_TEMPORARY = +pugt ;
@@section FS @@section FS
@ -77,10 +77,10 @@ Temporary = +pugt ;
rulename = "Tripwire Binaries", rulename = "Tripwire Binaries",
) )
{ {
$(TWBIN)/siggen -> $(ReadOnly) ; $(TWBIN)/siggen -> $(SEC_READONLY) ;
$(TWBIN)/tripwire -> $(ReadOnly) ; $(TWBIN)/tripwire -> $(SEC_READONLY) ;
$(TWBIN)/twadmin -> $(ReadOnly) ; $(TWBIN)/twadmin -> $(SEC_READONLY) ;
$(TWBIN)/twprint -> $(ReadOnly) ; $(TWBIN)/twprint -> $(SEC_READONLY) ;
} }
# Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases # Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases
@ -97,14 +97,14 @@ Temporary = +pugt ;
# afterward triggers this rule until a database update is run, since the # afterward triggers this rule until a database update is run, since the
# database file does not exist before that point. # database file does not exist before that point.
$(TWDB) -> $(Dynamic) -i ; $(TWDB) -> $(SEC_DYNAMIC) -i ;
$(TWPOL)/tw.pol -> $(ReadOnly) -i ; $(TWPOL)/tw.pol -> $(SEC_READONLY) -i ;
$(TWPOL)/tw.cfg -> $(ReadOnly) -i ; $(TWPOL)/tw.cfg -> $(SEC_READONLY) -i ;
$(TWLKEY)/$(HOSTNAME)-local.key -> $(ReadOnly) ; $(TWLKEY)/$(HOSTNAME)-local.key -> $(SEC_READONLY) ;
$(TWSKEY)/site.key -> $(ReadOnly) ; $(TWSKEY)/site.key -> $(SEC_READONLY) ;
# don't scan the individual reports # don't scan the individual reports
$(TWREPORT) -> $(Dynamic) (recurse=0) ; $(TWREPORT) -> $(SEC_DYNAMIC) (recurse=0) ;
} }
@ -115,7 +115,7 @@ Temporary = +pugt ;
# #
(rulename = "System Directory",) (rulename = "System Directory",)
{ {
/boot/system -> $(IgnoreNone) -a; /boot/system -> $(SEC_READONLY) -a;
} }
@ -123,10 +123,10 @@ Temporary = +pugt ;
# #
(rulename = "Binary Directories",) (rulename = "Binary Directories",)
{ {
/boot/home/config/bin -> $(IgnoreNone) -a; /boot/home/config/bin -> $(SEC_READONLY) -a;
/boot/common/bin -> $(IgnoreNone) -a; /boot/common/bin -> $(SEC_READONLY) -a;
/boot/apps -> $(IgnoreNone) -a; /boot/apps -> $(SEC_READONLY) -a;
# /boot/develop/tools/gnupro/bin -> $(IgnoreNone) -a; #uncomment to monitor dev tools if present # /boot/develop/tools/gnupro/bin -> $(SEC_READONLY) -a; #uncomment to monitor dev tools if present
} }
@ -134,45 +134,45 @@ Temporary = +pugt ;
# #
(rulename = "Library Directories",) (rulename = "Library Directories",)
{ {
/boot/common/lib -> $(IgnoreNone) -a; /boot/common/lib -> $(SEC_READONLY) -a;
/boot/home/config/lib -> $(IgnoreNone) -a; /boot/home/config/lib -> $(SEC_READONLY) -a;
} }
### Other boot dirs ########################################################### ### Other boot dirs ###########################################################
# #
(rulename = "Boot Directories",) (rulename = "Boot Directories",)
{ {
/boot/common/boot -> $(IgnoreNone) -a; /boot/common/boot -> $(SEC_READONLY) -a;
/boot/home/config/boot -> $(IgnoreNone) -a; /boot/home/config/boot -> $(SEC_READONLY) -a;
} }
### Settings ################################################################## ### Settings ##################################################################
# #
(rulename = "Settings",) (rulename = "Settings",)
{ {
/boot/common/settings -> $(IgnoreNone) -a; /boot/common/settings -> $(SEC_READONLY) -a;
/boot/common/data -> $(IgnoreNone) -a; /boot/common/data -> $(SEC_READONLY) -a;
/boot/common/etc -> $(IgnoreNone) -a; /boot/common/etc -> $(SEC_READONLY) -a;
/boot/home/config/settings -> $(IgnoreNone) -a; /boot/home/config/settings -> $(SEC_READONLY) -a;
} }
# Logs ######################################################################## # Logs ########################################################################
# #
(rulename = "Logs",) (rulename = "Logs",)
{ {
/boot/common/var/log -> $(Growing) -a; /boot/common/var/log -> $(SEC_GROWING) -a;
} }
# Dev ######################################################################### # Dev #########################################################################
# #
(rulename = "Devices",) (rulename = "Devices",)
{ {
/dev -> $(Device) -a; /dev -> $(SEC_DEVICE) -a;
} }
# Temp dirs ######################### # Temp dirs #########################
# #
(rulename = "Temp Directories",) (rulename = "Temp Directories",)
{ {
/boot/common/cache/tmp -> $(Temporary) -a; /boot/common/cache/tmp -> $(SEC_TEMPORARY) -a;
} }


@ -56,13 +56,13 @@ HOSTNAME=;
# #
############################################################################## ##############################################################################
#Device = +pugsdr-intlbamcCMSH ; SEC_DEVICE = +pugsdr-intlbamcCMSH ;
#Dynamic = +pinugtd-srlbamcCMSH ; SEC_DYNAMIC = +pinugtd-srlbamcCMSH ;
#Growing = +pinugtdl-srbamcCMSH ; SEC_GROWING = +pinugtdl-srbamcCMSH ;
#IgnoreAll = -pinugtsdrlbamcCMSH ; SEC_IGNORE_ALL = -pinugtsdrlbamcCMSH ;
#IgnoreNone = +pinugtsdrbamcCMSH-l ; SEC_IGNORE_NONE = +pinugtsdrbamcCMSH-l ;
#ReadOnly = +pinugtsdbmCM-rlacSH ; SEC_READONLY = +pinugtsdbmCM-rlacSH ;
Temporary = +pugt ; SEC_TEMPORARY = +pugt ;
@@section FS @@section FS
@ -77,10 +77,10 @@ Temporary = +pugt ;
rulename = "Tripwire Binaries", rulename = "Tripwire Binaries",
) )
{ {
$(TWBIN)/siggen -> $(ReadOnly) ; $(TWBIN)/siggen -> $(SEC_READONLY) ;
$(TWBIN)/tripwire -> $(ReadOnly) ; $(TWBIN)/tripwire -> $(SEC_READONLY) ;
$(TWBIN)/twadmin -> $(ReadOnly) ; $(TWBIN)/twadmin -> $(SEC_READONLY) ;
$(TWBIN)/twprint -> $(ReadOnly) ; $(TWBIN)/twprint -> $(SEC_READONLY) ;
} }
# Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases # Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases
@ -97,80 +97,80 @@ Temporary = +pugt ;
# afterward triggers this rule until a database update is run, since the # afterward triggers this rule until a database update is run, since the
# database file does not exist before that point. # database file does not exist before that point.
$(TWDB) -> $(Dynamic) -i ; $(TWDB) -> $(SEC_DYNAMIC) -i ;
$(TWPOL)/tw.pol -> $(ReadOnly) -i ; $(TWPOL)/tw.pol -> $(SEC_READONLY) -i ;
$(TWPOL)/tw.cfg -> $(ReadOnly) -i ; $(TWPOL)/tw.cfg -> $(SEC_READONLY) -i ;
$(TWLKEY)/$(HOSTNAME)-local.key -> $(ReadOnly) ; $(TWLKEY)/$(HOSTNAME)-local.key -> $(SEC_READONLY) ;
$(TWSKEY)/site.key -> $(ReadOnly) ; $(TWSKEY)/site.key -> $(SEC_READONLY) ;
# don't scan the individual reports # don't scan the individual reports
$(TWREPORT) -> $(Dynamic) (recurse=0) ; $(TWREPORT) -> $(SEC_DYNAMIC) (recurse=0) ;
} }
############################################################################## ##############################################################################
(rulename="Boot files",) (rulename="Boot files",)
{ {
/boot -> $(IgnoreNone) -a; /boot -> $(SEC_READONLY) -a;
/boot_monitor -> $(IgnoreNone) -a; /boot_monitor -> $(SEC_READONLY) -a;
/boot.cfg -> $(IgnoreNone) -a; /boot.cfg -> $(SEC_READONLY) -a;
} }
(rulename="Binary files",) (rulename="Binary files",)
{ {
/bin -> $(IgnoreNone) -a; /bin -> $(SEC_READONLY) -a;
/usr/bin -> $(IgnoreNone) -a; /usr/bin -> $(SEC_READONLY) -a;
/usr/local/bin -> $(IgnoreNone) -a; /usr/local/bin -> $(SEC_READONLY) -a;
/usr/pkg/bin -> $(IgnoreNone) -a; /usr/pkg/bin -> $(SEC_READONLY) -a;
} }
(rulename="Development",) (rulename="Development",)
{ {
/usr/pkg/gnu/bin -> $(IgnoreNone) -a; /usr/pkg/gnu/bin -> $(SEC_READONLY) -a;
/usr/pkg/i386-elf32-minix/bin -> $(IgnoreNone) -a; /usr/pkg/i386-elf32-minix/bin -> $(SEC_READONLY) -a;
} }
(rulename="Libexec",) (rulename="Libexec",)
{ {
/usr/libexec -> $(IgnoreNone) -a; /usr/libexec -> $(SEC_READONLY) -a;
/usr/pkg/libexec -> $(IgnoreNone) -a; /usr/pkg/libexec -> $(SEC_READONLY) -a;
} }
(rulename="Admin binaries",) (rulename="Admin binaries",)
{ {
/service -> $(IgnoreNone) -a; /service -> $(SEC_READONLY) -a;
/sbin -> $(IgnoreNone) -a; /sbin -> $(SEC_READONLY) -a;
/usr/sbin -> $(IgnoreNone) -a; /usr/sbin -> $(SEC_READONLY) -a;
/usr/pkg/sbin -> $(IgnoreNone) -a; /usr/pkg/sbin -> $(SEC_READONLY) -a;
} }
(rulename="Libraries",) (rulename="Libraries",)
{ {
/lib -> $(IgnoreNone) -a; /lib -> $(SEC_READONLY) -a;
/usr/lib -> $(IgnoreNone) -a; /usr/lib -> $(SEC_READONLY) -a;
/usr/pkg/lib -> $(IgnoreNone) -a; /usr/pkg/lib -> $(SEC_READONLY) -a;
} }
(rulename="Etc",) (rulename="Etc",)
{ {
/etc -> $(IgnoreNone) -a; /etc -> $(SEC_READONLY) -a;
/usr/etc -> $(IgnoreNone) -a; /usr/etc -> $(SEC_READONLY) -a;
/usr/pkg/etc -> $(IgnoreNone) -a; /usr/pkg/etc -> $(SEC_READONLY) -a;
} }
(rulename="Dev",) (rulename="Dev",)
{ {
/dev -> $(Device); /dev -> $(SEC_DEVICE);
} }
(rulename="Tmp",) (rulename="Tmp",)
{ {
/tmp -> $(Temporary); /tmp -> $(SEC_TEMPORARY);
/var/tmp -> $(Temporary); /var/tmp -> $(SEC_TEMPORARY);
/usr/tmp -> $(Temporary); /usr/tmp -> $(SEC_TEMPORARY);
} }
(rulename="Log",) (rulename="Log",)
{ {
/var/log -> $(Growing); /var/log -> $(SEC_GROWING);
} }


@ -56,13 +56,13 @@ HOSTNAME=;
# #
############################################################################## ##############################################################################
#Device = +pugsdr-intlbamcCMSH ; SEC_DEVICE = +pugsdr-intlbamcCMSH ;
#Dynamic = +pinugtd-srlbamcCMSH ; SEC_DYNAMIC = +pinugtd-srlbamcCMSH ;
#Growing = +pinugtdl-srbamcCMSH ; SEC_GROWING = +pinugtdl-srbamcCMSH ;
#IgnoreAll = -pinugtsdrlbamcCMSH ; SEC_IGNORE_ALL = -pinugtsdrlbamcCMSH ;
#IgnoreNone = +pinugtsdrbamcCMSH-l ; SEC_IGNORE_NONE = +pinugtsdrbamcCMSH-l ;
#ReadOnly = +pinugtsdbmCM-rlacSH ; SEC_READONLY = +pinugtsdbmCM-rlacSH ;
Temporary = +pugt ; SEC_TEMPORARY = +pugt ;
@@section FS @@section FS
@ -77,10 +77,10 @@ Temporary = +pugt ;
rulename = "Tripwire Binaries", rulename = "Tripwire Binaries",
) )
{ {
$(TWBIN)/siggen -> $(ReadOnly) ; $(TWBIN)/siggen -> $(SEC_READONLY) ;
$(TWBIN)/tripwire -> $(ReadOnly) ; $(TWBIN)/tripwire -> $(SEC_READONLY) ;
$(TWBIN)/twadmin -> $(ReadOnly) ; $(TWBIN)/twadmin -> $(SEC_READONLY) ;
$(TWBIN)/twprint -> $(ReadOnly) ; $(TWBIN)/twprint -> $(SEC_READONLY) ;
} }
# Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases # Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases
@ -97,14 +97,14 @@ Temporary = +pugt ;
# afterward triggers this rule until a database update is run, since the # afterward triggers this rule until a database update is run, since the
# database file does not exist before that point. # database file does not exist before that point.
$(TWDB) -> $(Dynamic) -i ; $(TWDB) -> $(SEC_DYNAMIC) -i ;
$(TWPOL)/tw.pol -> $(ReadOnly) -i ; $(TWPOL)/tw.pol -> $(SEC_READONLY) -i ;
$(TWPOL)/tw.cfg -> $(ReadOnly) -i ; $(TWPOL)/tw.cfg -> $(SEC_READONLY) -i ;
$(TWLKEY)/$(HOSTNAME)-local.key -> $(ReadOnly) ; $(TWLKEY)/$(HOSTNAME)-local.key -> $(SEC_READONLY) ;
$(TWSKEY)/site.key -> $(ReadOnly) ; $(TWSKEY)/site.key -> $(SEC_READONLY) ;
# don't scan the individual reports # don't scan the individual reports
$(TWREPORT) -> $(Dynamic) (recurse=0) ; $(TWREPORT) -> $(SEC_DYNAMIC) (recurse=0) ;
} }
@ -115,7 +115,7 @@ Temporary = +pugt ;
# #
(rulename = "System Directory",) (rulename = "System Directory",)
{ {
/boot/system -> $(IgnoreNone) -a; /boot/system -> $(SEC_READONLY) -a;
} }
@ -123,19 +123,19 @@ Temporary = +pugt ;
# #
(rulename = "Binary Directories",) (rulename = "Binary Directories",)
{ {
/boot/bin -> $(IgnoreNone) -a; /boot/bin -> $(SEC_READONLY) -a;
/usr/bin -> $(IgnoreNone) -a; /usr/bin -> $(SEC_READONLY) -a;
/usr/local/bin -> $(IgnoreNone) -a; /usr/local/bin -> $(SEC_READONLY) -a;
/boot/Applications -> $(IgnoreNone) -a; /boot/Applications -> $(SEC_READONLY) -a;
/resources/index/bin -> $(IgnoreNone) -a; /resources/index/bin -> $(SEC_READONLY) -a;
} }
(rulename = "Admin Binary Directories",) (rulename = "Admin Binary Directories",)
{ {
/usr/local/sbin -> $(IgnoreNone) -a; /usr/local/sbin -> $(SEC_READONLY) -a;
/resources/index/sbin -> $(IgnoreNone) -a; /resources/index/sbin -> $(SEC_READONLY) -a;
/usr/local/libexec -> $(IgnoreNone) -a; /usr/local/libexec -> $(SEC_READONLY) -a;
/resources/index/libexec -> $(IgnoreNone) -a; /resources/index/libexec -> $(SEC_READONLY) -a;
} }
@ -143,42 +143,42 @@ Temporary = +pugt ;
# #
(rulename = "Library Directories",) (rulename = "Library Directories",)
{ {
/usr/local/lib -> $(IgnoreNone) -a; /usr/local/lib -> $(SEC_READONLY) -a;
/resources/index/lib -> $(IgnoreNone) -a; /resources/index/lib -> $(SEC_READONLY) -a;
} }
### Other boot dirs ########################################################### ### Other boot dirs ###########################################################
# #
(rulename = "Boot Directories",) (rulename = "Boot Directories",)
{ {
/boot/boot/grub -> $(IgnoreNone) -a; /boot/boot/grub -> $(SEC_READONLY) -a;
} }
### Settings ################################################################## ### Settings ##################################################################
# #
(rulename = "Settings",) (rulename = "Settings",)
{ {
/boot/etc -> $(IgnoreNone) -a; /boot/etc -> $(SEC_READONLY) -a;
/usr/local/etc -> $(IgnoreNone) -a; /usr/local/etc -> $(SEC_READONLY) -a;
} }
# Logs ######################################################################## # Logs ########################################################################
# #
(rulename = "Logs",) (rulename = "Logs",)
{ {
/var/log -> $(Growing) -a; /var/log -> $(SEC_GROWING) -a;
} }
# Dev ######################################################################### # Dev #########################################################################
# #
(rulename = "Devices",) (rulename = "Devices",)
{ {
/dev -> $(Device) -a; /dev -> $(SEC_DEVICE) -a;
} }
# Temp dirs ######################### # Temp dirs #########################
# #
(rulename = "Temp Directories",) (rulename = "Temp Directories",)
{ {
/boot/tmp -> $(Temporary) -a; /boot/tmp -> $(SEC_TEMPORARY) -a;
} }


@ -56,13 +56,13 @@ HOSTNAME=;
# #
############################################################################## ##############################################################################
#Device = +pugsdr-intlbamcCMSH ; SEC_DEVICE = +pugsdr-intlbamcCMSH ;
#Dynamic = +pinugtd-srlbamcCMSH ; SEC_DYNAMIC = +pinugtd-srlbamcCMSH ;
#Growing = +pinugtdl-srbamcCMSH ; SEC_GROWING = +pinugtdl-srbamcCMSH ;
#IgnoreAll = -pinugtsdrlbamcCMSH ; SEC_IGNORE_ALL = -pinugtsdrlbamcCMSH ;
#IgnoreNone = +pinugtsdrbamcCMSH-l ; SEC_IGNORE_NONE = +pinugtsdrbamcCMSH-l ;
#ReadOnly = +pinugtsdbmCM-rlacSH ; SEC_READONLY = +pinugtsdbmCM-rlacSH ;
Temporary = +pugt ; SEC_TEMPORARY = +pugt ;
@@section FS @@section FS
@ -77,10 +77,10 @@ Temporary = +pugt ;
rulename = "Tripwire Binaries", rulename = "Tripwire Binaries",
) )
{ {
$(TWBIN)/siggen -> $(ReadOnly) ; $(TWBIN)/siggen -> $(SEC_READONLY) ;
$(TWBIN)/tripwire -> $(ReadOnly) ; $(TWBIN)/tripwire -> $(SEC_READONLY) ;
$(TWBIN)/twadmin -> $(ReadOnly) ; $(TWBIN)/twadmin -> $(SEC_READONLY) ;
$(TWBIN)/twprint -> $(ReadOnly) ; $(TWBIN)/twprint -> $(SEC_READONLY) ;
} }
# Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases # Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases
@ -97,14 +97,14 @@ Temporary = +pugt ;
# afterward triggers this rule until a database update is run, since the # afterward triggers this rule until a database update is run, since the
# database file does not exist before that point. # database file does not exist before that point.
$(TWDB) -> $(Dynamic) -i ; $(TWDB) -> $(SEC_DYNAMIC) -i ;
$(TWPOL)/tw.pol -> $(ReadOnly) -i ; $(TWPOL)/tw.pol -> $(SEC_READONLY) -i ;
$(TWPOL)/tw.cfg -> $(ReadOnly) -i ; $(TWPOL)/tw.cfg -> $(SEC_READONLY) -i ;
$(TWLKEY)/$(HOSTNAME)-local.key -> $(ReadOnly) ; $(TWLKEY)/$(HOSTNAME)-local.key -> $(SEC_READONLY) ;
$(TWSKEY)/site.key -> $(ReadOnly) ; $(TWSKEY)/site.key -> $(SEC_READONLY) ;
# don't scan the individual reports # don't scan the individual reports
$(TWREPORT) -> $(Dynamic) (recurse=0) ; $(TWREPORT) -> $(SEC_DYNAMIC) (recurse=0) ;
} }
@ -115,69 +115,69 @@ Temporary = +pugt ;
# #
(rulename = "System Directory",) (rulename = "System Directory",)
{ {
/boot/system -> $(IgnoreNone) -a; /boot/system -> $(SEC_READONLY) -a;
/boot/system/registry.rsm -> $(IgnoreNone) -am; /boot/system/registry.rsm -> $(SEC_READONLY) -am;
} }
(rulename = "System Files",) (rulename = "System Files",)
{ {
/boot/kernel.sys -> $(IgnoreNone) -a; /boot/kernel.sys -> $(SEC_READONLY) -a;
/boot/kernel.dbg -> $(IgnoreNone) -a; /boot/kernel.dbg -> $(SEC_READONLY) -a;
/boot/init.scr -> $(IgnoreNone) -a; /boot/init.scr -> $(SEC_READONLY) -a;
/boot/install.sif -> $(IgnoreNone) -a; /boot/install.sif -> $(SEC_READONLY) -a;
} }
### Other bin dirs ############################################################ ### Other bin dirs ############################################################
# #
(rulename = "Binary Directories",) (rulename = "Binary Directories",)
{ {
/boot/programs -> $(IgnoreNone) -a; /boot/programs -> $(SEC_READONLY) -a;
} }
### Other lib dirs ############################################################ ### Other lib dirs ############################################################
# #
(rulename = "Library Directories",) (rulename = "Library Directories",)
{ {
/usr/lib -> $(IgnoreNone) -a; /usr/lib -> $(SEC_READONLY) -a;
/usr/local/lib -> $(IgnoreNone) -a; /usr/local/lib -> $(SEC_READONLY) -a;
} }
### Other boot dirs ########################################################### ### Other boot dirs ###########################################################
# #
(rulename = "Boot Directories",) (rulename = "Boot Directories",)
{ {
/boot/boot/grub -> $(IgnoreNone) -a; /boot/boot/grub -> $(SEC_READONLY) -a;
} }
### Settings ################################################################## ### Settings ##################################################################
# #
(rulename = "Settings",) (rulename = "Settings",)
{ {
/boot/programs/unix/etc -> $(IgnoreNone) -a; /boot/programs/unix/etc -> $(SEC_READONLY) -a;
/usr/local/etc -> $(IgnoreNone) -a; /usr/local/etc -> $(SEC_READONLY) -a;
} }
# Logs ######################################################################## # Logs ########################################################################
# #
(rulename = "Logs",) (rulename = "Logs",)
{ {
/var/log -> $(Growing) -a; /var/log -> $(SEC_GROWING) -a;
} }
# Dev ######################################################################### # Dev #########################################################################
# #
(rulename = "Devices",) (rulename = "Devices",)
{ {
/dev -> $(Device) -a; /dev -> $(SEC_DEVICE) -a;
/fifo -> $(Device) -a; /fifo -> $(SEC_DEVICE) -a;
/pty -> $(Device) -as; /pty -> $(SEC_DEVICE) -as;
/systeminterface -> $(Device) -a; /systeminterface -> $(SEC_DEVICE) -a;
/umfs -> $(Device) -a; /umfs -> $(SEC_DEVICE) -a;
} }
# Temp dirs ######################### # Temp dirs #########################
# #
(rulename = "Temp Directories",) (rulename = "Temp Directories",)
{ {
/boot/temp -> $(Temporary) -a; /boot/temp -> $(SEC_TEMPORARY) -a;
} }