Use SEC_ naming convention in new policies

This commit is contained in:
Brian Cox 2018-03-19 23:09:15 -07:00
parent 392b533045
commit ab4c9203da
6 changed files with 207 additions and 207 deletions


@ -56,13 +56,13 @@ HOSTNAME=;
#
##############################################################################
#Device = +pugsdr-intlbamcCMSH ;
#Dynamic = +pinugtd-srlbamcCMSH ;
#Growing = +pinugtdl-srbamcCMSH ;
#IgnoreAll = -pinugtsdrlbamcCMSH ;
#IgnoreNone = +pinugtsdrbamcCMSH-l ;
#ReadOnly = +pinugtsdbmCM-rlacSH ;
Temporary = +pugt ;
SEC_DEVICE = +pugsdr-intlbamcCMSH ;
SEC_DYNAMIC = +pinugtd-srlbamcCMSH ;
SEC_GROWING = +pinugtdl-srbamcCMSH ;
SEC_IGNORE_ALL = -pinugtsdrlbamcCMSH ;
SEC_IGNORE_NONE = +pinugtsdrbamcCMSH-l ;
SEC_READONLY = +pinugtsdbmCM-rlacSH ;
SEC_TEMPORARY = +pugt ;
@@section FS
@ -77,10 +77,10 @@ Temporary = +pugt ;
rulename = "Tripwire Binaries",
)
{
$(TWBIN)/siggen -> $(ReadOnly) ;
$(TWBIN)/tripwire -> $(ReadOnly) ;
$(TWBIN)/twadmin -> $(ReadOnly) ;
$(TWBIN)/twprint -> $(ReadOnly) ;
$(TWBIN)/siggen -> $(SEC_READONLY) ;
$(TWBIN)/tripwire -> $(SEC_READONLY) ;
$(TWBIN)/twadmin -> $(SEC_READONLY) ;
$(TWBIN)/twprint -> $(SEC_READONLY) ;
}
# Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases
@ -97,14 +97,14 @@ Temporary = +pugt ;
# afterward triggers this rule until a database update is run, since the
# database file does not exist before that point.
$(TWDB) -> $(Dynamic) -i ;
$(TWPOL)/tw.pol -> $(ReadOnly) -i ;
$(TWPOL)/tw.cfg -> $(ReadOnly) -i ;
$(TWLKEY)/$(HOSTNAME)-local.key -> $(ReadOnly) ;
$(TWSKEY)/site.key -> $(ReadOnly) ;
$(TWDB) -> $(SEC_DYNAMIC) -i ;
$(TWPOL)/tw.pol -> $(SEC_READONLY) -i ;
$(TWPOL)/tw.cfg -> $(SEC_READONLY) -i ;
$(TWLKEY)/$(HOSTNAME)-local.key -> $(SEC_READONLY) ;
$(TWSKEY)/site.key -> $(SEC_READONLY) ;
# don't scan the individual reports
$(TWREPORT) -> $(Dynamic) (recurse=0) ;
$(TWREPORT) -> $(SEC_DYNAMIC) (recurse=0) ;
}
@ -112,21 +112,21 @@ Temporary = +pugt ;
(rulename="OS Files",)
{
AROS:System -> $(IgnoreNone);
AROS:Devs -> $(IgnoreNone);
AROS:Libs -> $(IgnoreNone);
AROS:Tools-> $(IgnoreNone);
AROS:Prefs -> $(IgnoreNone);
AROS:Utilities -> $(IgnoreNone);
AROS:WBStartup -> $(IgnoreNone);
AROS:System -> $(SEC_READONLY);
AROS:Devs -> $(SEC_READONLY);
AROS:Libs -> $(SEC_READONLY);
AROS:Tools-> $(SEC_READONLY);
AROS:Prefs -> $(SEC_READONLY);
AROS:Utilities -> $(SEC_READONLY);
AROS:WBStartup -> $(SEC_READONLY);
}
(rulename="Development Tools",)
{
Work:Development -> $(IgnoreNone);
Work:Development -> $(SEC_READONLY);
}
(rulename="Extras",)
{
Work:Extras -> $(IgnoreNone);
Work:Extras -> $(SEC_READONLY);
}
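Review bot: The "OS Files", "Development Tools" and "Extras" rules in the last hunk are not a pure rename: the old side referenced `$(IgnoreNone)` and the new side `$(SEC_READONLY)`, and by the definitions in the first hunk these are different property masks (`SEC_IGNORE_NONE = +pinugtsdrbamcCMSH-l` versus `SEC_READONLY = +pinugtsdbmCM-rlacSH`), so these directories silently lose the SHA and HAVAL hashes and the inode change time `c` that IgnoreNone covered, leaving CRC32 and MD5 as the only content checks. Since the commit message describes a naming-convention change only, either the message should state that these rules are being intentionally relaxed or the lines should keep their meaning, e.g. `AROS:System -> $(SEC_IGNORE_NONE);`, which is already defined but used nowhere on the new side. The `c` property is worth keeping for an integrity monitor because the inode change time is not settable through ordinary file operations, so it is an independent witness of modification even when `m` looks unchanged. The same IgnoreNone-to-SEC_READONLY substitution appears in all five other file sections (the Boot/Binary/Admin/Library/Etc and System/Settings rules), so one decision should be applied consistently across them rather than per file.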


@ -56,13 +56,13 @@ HOSTNAME=;
#
##############################################################################
#Device = +pugsdr-intlbamcCMSH ;
#Dynamic = +pinugtd-srlbamcCMSH ;
#Growing = +pinugtdl-srbamcCMSH ;
#IgnoreAll = -pinugtsdrlbamcCMSH ;
#IgnoreNone = +pinugtsdrbamcCMSH-l ;
#ReadOnly = +pinugtsdbmCM-rlacSH ;
Temporary = +pugt ;
SEC_DEVICE = +pugsdr-intlbamcCMSH ;
SEC_DYNAMIC = +pinugtd-srlbamcCMSH ;
SEC_GROWING = +pinugtdl-srbamcCMSH ;
SEC_IGNORE_ALL = -pinugtsdrlbamcCMSH ;
SEC_IGNORE_NONE = +pinugtsdrbamcCMSH-l ;
SEC_READONLY = +pinugtsdbmCM-rlacSH ;
SEC_TEMPORARY = +pugt ;
@@section FS
@ -77,10 +77,10 @@ Temporary = +pugt ;
rulename = "Tripwire Binaries",
)
{
$(TWBIN)/siggen -> $(ReadOnly) ;
$(TWBIN)/tripwire -> $(ReadOnly) ;
$(TWBIN)/twadmin -> $(ReadOnly) ;
$(TWBIN)/twprint -> $(ReadOnly) ;
$(TWBIN)/siggen -> $(SEC_READONLY) ;
$(TWBIN)/tripwire -> $(SEC_READONLY) ;
$(TWBIN)/twadmin -> $(SEC_READONLY) ;
$(TWBIN)/twprint -> $(SEC_READONLY) ;
}
# Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases
@ -97,63 +97,63 @@ Temporary = +pugt ;
# afterward triggers this rule until a database update is run, since the
# database file does not exist before that point.
$(TWDB) -> $(Dynamic) -i ;
$(TWPOL)/tw.pol -> $(ReadOnly) -i ;
$(TWPOL)/tw.cfg -> $(ReadOnly) -i ;
$(TWLKEY)/$(HOSTNAME)-local.key -> $(ReadOnly) ;
$(TWSKEY)/site.key -> $(ReadOnly) ;
$(TWDB) -> $(SEC_DYNAMIC) -i ;
$(TWPOL)/tw.pol -> $(SEC_READONLY) -i ;
$(TWPOL)/tw.cfg -> $(SEC_READONLY) -i ;
$(TWLKEY)/$(HOSTNAME)-local.key -> $(SEC_READONLY) ;
$(TWSKEY)/site.key -> $(SEC_READONLY) ;
# don't scan the individual reports
$(TWREPORT) -> $(Dynamic) (recurse=0) ;
$(TWREPORT) -> $(SEC_DYNAMIC) (recurse=0) ;
}
##############################################################################
(rulename="Boot files",)
{
/boot -> $(IgnoreNone) -a;
/boot -> $(SEC_READONLY) -a;
}
(rulename="Binary files",)
{
/bin -> $(IgnoreNone) -a;
/usr/bin -> $(IgnoreNone) -a;
/usr/local/bin -> $(IgnoreNone) -a;
/bin -> $(SEC_READONLY) -a;
/usr/bin -> $(SEC_READONLY) -a;
/usr/local/bin -> $(SEC_READONLY) -a;
}
(rulename="Admin binaries",)
{
/servers -> $(IgnoreNone) -a;
/sbin -> $(IgnoreNone) -a;
/usr/sbin -> $(IgnoreNone) -a;
/hurd -> $(IgnoreNone) -a;
/servers -> $(SEC_READONLY) -a;
/sbin -> $(SEC_READONLY) -a;
/usr/sbin -> $(SEC_READONLY) -a;
/hurd -> $(SEC_READONLY) -a;
}
(rulename="Libraries",)
{
/lib -> $(IgnoreNone) -a;
/usr/lib -> $(IgnoreNone) -a;
/usr/local/lib -> $(IgnoreNone) -a;
/lib -> $(SEC_READONLY) -a;
/usr/lib -> $(SEC_READONLY) -a;
/usr/local/lib -> $(SEC_READONLY) -a;
}
(rulename="Etc",)
{
/etc -> $(IgnoreNone) -a;
/usr/local/etc -> $(IgnoreNone) -a;
/etc -> $(SEC_READONLY) -a;
/usr/local/etc -> $(SEC_READONLY) -a;
}
(rulename="Dev",)
{
/dev -> $(Device);
/dev -> $(SEC_DEVICE);
}
(rulename="Tmp",)
{
/tmp -> $(Temporary);
/var/tmp -> $(Temporary);
/tmp -> $(SEC_TEMPORARY);
/var/tmp -> $(SEC_TEMPORARY);
}
(rulename="Log",)
{
/var/log -> $(Growing);
/var/log -> $(SEC_GROWING);
}


@ -56,13 +56,13 @@ HOSTNAME=;
#
##############################################################################
#Device = +pugsdr-intlbamcCMSH ;
#Dynamic = +pinugtd-srlbamcCMSH ;
#Growing = +pinugtdl-srbamcCMSH ;
#IgnoreAll = -pinugtsdrlbamcCMSH ;
#IgnoreNone = +pinugtsdrbamcCMSH-l ;
#ReadOnly = +pinugtsdbmCM-rlacSH ;
Temporary = +pugt ;
SEC_DEVICE = +pugsdr-intlbamcCMSH ;
SEC_DYNAMIC = +pinugtd-srlbamcCMSH ;
SEC_GROWING = +pinugtdl-srbamcCMSH ;
SEC_IGNORE_ALL = -pinugtsdrlbamcCMSH ;
SEC_IGNORE_NONE = +pinugtsdrbamcCMSH-l ;
SEC_READONLY = +pinugtsdbmCM-rlacSH ;
SEC_TEMPORARY = +pugt ;
@@section FS
@ -77,10 +77,10 @@ Temporary = +pugt ;
rulename = "Tripwire Binaries",
)
{
$(TWBIN)/siggen -> $(ReadOnly) ;
$(TWBIN)/tripwire -> $(ReadOnly) ;
$(TWBIN)/twadmin -> $(ReadOnly) ;
$(TWBIN)/twprint -> $(ReadOnly) ;
$(TWBIN)/siggen -> $(SEC_READONLY) ;
$(TWBIN)/tripwire -> $(SEC_READONLY) ;
$(TWBIN)/twadmin -> $(SEC_READONLY) ;
$(TWBIN)/twprint -> $(SEC_READONLY) ;
}
# Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases
@ -97,14 +97,14 @@ Temporary = +pugt ;
# afterward triggers this rule until a database update is run, since the
# database file does not exist before that point.
$(TWDB) -> $(Dynamic) -i ;
$(TWPOL)/tw.pol -> $(ReadOnly) -i ;
$(TWPOL)/tw.cfg -> $(ReadOnly) -i ;
$(TWLKEY)/$(HOSTNAME)-local.key -> $(ReadOnly) ;
$(TWSKEY)/site.key -> $(ReadOnly) ;
$(TWDB) -> $(SEC_DYNAMIC) -i ;
$(TWPOL)/tw.pol -> $(SEC_READONLY) -i ;
$(TWPOL)/tw.cfg -> $(SEC_READONLY) -i ;
$(TWLKEY)/$(HOSTNAME)-local.key -> $(SEC_READONLY) ;
$(TWSKEY)/site.key -> $(SEC_READONLY) ;
# don't scan the individual reports
$(TWREPORT) -> $(Dynamic) (recurse=0) ;
$(TWREPORT) -> $(SEC_DYNAMIC) (recurse=0) ;
}
@ -115,7 +115,7 @@ Temporary = +pugt ;
#
(rulename = "System Directory",)
{
/boot/system -> $(IgnoreNone) -a;
/boot/system -> $(SEC_READONLY) -a;
}
@ -123,10 +123,10 @@ Temporary = +pugt ;
#
(rulename = "Binary Directories",)
{
/boot/home/config/bin -> $(IgnoreNone) -a;
/boot/common/bin -> $(IgnoreNone) -a;
/boot/apps -> $(IgnoreNone) -a;
# /boot/develop/tools/gnupro/bin -> $(IgnoreNone) -a; #uncomment to monitor dev tools if present
/boot/home/config/bin -> $(SEC_READONLY) -a;
/boot/common/bin -> $(SEC_READONLY) -a;
/boot/apps -> $(SEC_READONLY) -a;
# /boot/develop/tools/gnupro/bin -> $(SEC_READONLY) -a; #uncomment to monitor dev tools if present
}
@ -134,45 +134,45 @@ Temporary = +pugt ;
#
(rulename = "Library Directories",)
{
/boot/common/lib -> $(IgnoreNone) -a;
/boot/home/config/lib -> $(IgnoreNone) -a;
/boot/common/lib -> $(SEC_READONLY) -a;
/boot/home/config/lib -> $(SEC_READONLY) -a;
}
### Other boot dirs ###########################################################
#
(rulename = "Boot Directories",)
{
/boot/common/boot -> $(IgnoreNone) -a;
/boot/home/config/boot -> $(IgnoreNone) -a;
/boot/common/boot -> $(SEC_READONLY) -a;
/boot/home/config/boot -> $(SEC_READONLY) -a;
}
### Settings ##################################################################
#
(rulename = "Settings",)
{
/boot/common/settings -> $(IgnoreNone) -a;
/boot/common/data -> $(IgnoreNone) -a;
/boot/common/etc -> $(IgnoreNone) -a;
/boot/home/config/settings -> $(IgnoreNone) -a;
/boot/common/settings -> $(SEC_READONLY) -a;
/boot/common/data -> $(SEC_READONLY) -a;
/boot/common/etc -> $(SEC_READONLY) -a;
/boot/home/config/settings -> $(SEC_READONLY) -a;
}
# Logs ########################################################################
#
(rulename = "Logs",)
{
/boot/common/var/log -> $(Growing) -a;
/boot/common/var/log -> $(SEC_GROWING) -a;
}
# Dev #########################################################################
#
(rulename = "Devices",)
{
/dev -> $(Device) -a;
/dev -> $(SEC_DEVICE) -a;
}
# Temp dirs #########################
#
(rulename = "Temp Directories",)
{
/boot/common/cache/tmp -> $(Temporary) -a;
/boot/common/cache/tmp -> $(SEC_TEMPORARY) -a;
}


@ -56,13 +56,13 @@ HOSTNAME=;
#
##############################################################################
#Device = +pugsdr-intlbamcCMSH ;
#Dynamic = +pinugtd-srlbamcCMSH ;
#Growing = +pinugtdl-srbamcCMSH ;
#IgnoreAll = -pinugtsdrlbamcCMSH ;
#IgnoreNone = +pinugtsdrbamcCMSH-l ;
#ReadOnly = +pinugtsdbmCM-rlacSH ;
Temporary = +pugt ;
SEC_DEVICE = +pugsdr-intlbamcCMSH ;
SEC_DYNAMIC = +pinugtd-srlbamcCMSH ;
SEC_GROWING = +pinugtdl-srbamcCMSH ;
SEC_IGNORE_ALL = -pinugtsdrlbamcCMSH ;
SEC_IGNORE_NONE = +pinugtsdrbamcCMSH-l ;
SEC_READONLY = +pinugtsdbmCM-rlacSH ;
SEC_TEMPORARY = +pugt ;
@@section FS
@ -77,10 +77,10 @@ Temporary = +pugt ;
rulename = "Tripwire Binaries",
)
{
$(TWBIN)/siggen -> $(ReadOnly) ;
$(TWBIN)/tripwire -> $(ReadOnly) ;
$(TWBIN)/twadmin -> $(ReadOnly) ;
$(TWBIN)/twprint -> $(ReadOnly) ;
$(TWBIN)/siggen -> $(SEC_READONLY) ;
$(TWBIN)/tripwire -> $(SEC_READONLY) ;
$(TWBIN)/twadmin -> $(SEC_READONLY) ;
$(TWBIN)/twprint -> $(SEC_READONLY) ;
}
# Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases
@ -97,80 +97,80 @@ Temporary = +pugt ;
# afterward triggers this rule until a database update is run, since the
# database file does not exist before that point.
$(TWDB) -> $(Dynamic) -i ;
$(TWPOL)/tw.pol -> $(ReadOnly) -i ;
$(TWPOL)/tw.cfg -> $(ReadOnly) -i ;
$(TWLKEY)/$(HOSTNAME)-local.key -> $(ReadOnly) ;
$(TWSKEY)/site.key -> $(ReadOnly) ;
$(TWDB) -> $(SEC_DYNAMIC) -i ;
$(TWPOL)/tw.pol -> $(SEC_READONLY) -i ;
$(TWPOL)/tw.cfg -> $(SEC_READONLY) -i ;
$(TWLKEY)/$(HOSTNAME)-local.key -> $(SEC_READONLY) ;
$(TWSKEY)/site.key -> $(SEC_READONLY) ;
# don't scan the individual reports
$(TWREPORT) -> $(Dynamic) (recurse=0) ;
$(TWREPORT) -> $(SEC_DYNAMIC) (recurse=0) ;
}
##############################################################################
(rulename="Boot files",)
{
/boot -> $(IgnoreNone) -a;
/boot_monitor -> $(IgnoreNone) -a;
/boot.cfg -> $(IgnoreNone) -a;
/boot -> $(SEC_READONLY) -a;
/boot_monitor -> $(SEC_READONLY) -a;
/boot.cfg -> $(SEC_READONLY) -a;
}
(rulename="Binary files",)
{
/bin -> $(IgnoreNone) -a;
/usr/bin -> $(IgnoreNone) -a;
/usr/local/bin -> $(IgnoreNone) -a;
/usr/pkg/bin -> $(IgnoreNone) -a;
/bin -> $(SEC_READONLY) -a;
/usr/bin -> $(SEC_READONLY) -a;
/usr/local/bin -> $(SEC_READONLY) -a;
/usr/pkg/bin -> $(SEC_READONLY) -a;
}
(rulename="Development",)
{
/usr/pkg/gnu/bin -> $(IgnoreNone) -a;
/usr/pkg/i386-elf32-minix/bin -> $(IgnoreNone) -a;
/usr/pkg/gnu/bin -> $(SEC_READONLY) -a;
/usr/pkg/i386-elf32-minix/bin -> $(SEC_READONLY) -a;
}
(rulename="Libexec",)
{
/usr/libexec -> $(IgnoreNone) -a;
/usr/pkg/libexec -> $(IgnoreNone) -a;
/usr/libexec -> $(SEC_READONLY) -a;
/usr/pkg/libexec -> $(SEC_READONLY) -a;
}
(rulename="Admin binaries",)
{
/service -> $(IgnoreNone) -a;
/sbin -> $(IgnoreNone) -a;
/usr/sbin -> $(IgnoreNone) -a;
/usr/pkg/sbin -> $(IgnoreNone) -a;
/service -> $(SEC_READONLY) -a;
/sbin -> $(SEC_READONLY) -a;
/usr/sbin -> $(SEC_READONLY) -a;
/usr/pkg/sbin -> $(SEC_READONLY) -a;
}
(rulename="Libraries",)
{
/lib -> $(IgnoreNone) -a;
/usr/lib -> $(IgnoreNone) -a;
/usr/pkg/lib -> $(IgnoreNone) -a;
/lib -> $(SEC_READONLY) -a;
/usr/lib -> $(SEC_READONLY) -a;
/usr/pkg/lib -> $(SEC_READONLY) -a;
}
(rulename="Etc",)
{
/etc -> $(IgnoreNone) -a;
/usr/etc -> $(IgnoreNone) -a;
/usr/pkg/etc -> $(IgnoreNone) -a;
/etc -> $(SEC_READONLY) -a;
/usr/etc -> $(SEC_READONLY) -a;
/usr/pkg/etc -> $(SEC_READONLY) -a;
}
(rulename="Dev",)
{
/dev -> $(Device);
/dev -> $(SEC_DEVICE);
}
(rulename="Tmp",)
{
/tmp -> $(Temporary);
/var/tmp -> $(Temporary);
/usr/tmp -> $(Temporary);
/tmp -> $(SEC_TEMPORARY);
/var/tmp -> $(SEC_TEMPORARY);
/usr/tmp -> $(SEC_TEMPORARY);
}
(rulename="Log",)
{
/var/log -> $(Growing);
/var/log -> $(SEC_GROWING);
}


@ -56,13 +56,13 @@ HOSTNAME=;
#
##############################################################################
#Device = +pugsdr-intlbamcCMSH ;
#Dynamic = +pinugtd-srlbamcCMSH ;
#Growing = +pinugtdl-srbamcCMSH ;
#IgnoreAll = -pinugtsdrlbamcCMSH ;
#IgnoreNone = +pinugtsdrbamcCMSH-l ;
#ReadOnly = +pinugtsdbmCM-rlacSH ;
Temporary = +pugt ;
SEC_DEVICE = +pugsdr-intlbamcCMSH ;
SEC_DYNAMIC = +pinugtd-srlbamcCMSH ;
SEC_GROWING = +pinugtdl-srbamcCMSH ;
SEC_IGNORE_ALL = -pinugtsdrlbamcCMSH ;
SEC_IGNORE_NONE = +pinugtsdrbamcCMSH-l ;
SEC_READONLY = +pinugtsdbmCM-rlacSH ;
SEC_TEMPORARY = +pugt ;
@@section FS
@ -77,10 +77,10 @@ Temporary = +pugt ;
rulename = "Tripwire Binaries",
)
{
$(TWBIN)/siggen -> $(ReadOnly) ;
$(TWBIN)/tripwire -> $(ReadOnly) ;
$(TWBIN)/twadmin -> $(ReadOnly) ;
$(TWBIN)/twprint -> $(ReadOnly) ;
$(TWBIN)/siggen -> $(SEC_READONLY) ;
$(TWBIN)/tripwire -> $(SEC_READONLY) ;
$(TWBIN)/twadmin -> $(SEC_READONLY) ;
$(TWBIN)/twprint -> $(SEC_READONLY) ;
}
# Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases
@ -97,14 +97,14 @@ Temporary = +pugt ;
# afterward triggers this rule until a database update is run, since the
# database file does not exist before that point.
$(TWDB) -> $(Dynamic) -i ;
$(TWPOL)/tw.pol -> $(ReadOnly) -i ;
$(TWPOL)/tw.cfg -> $(ReadOnly) -i ;
$(TWLKEY)/$(HOSTNAME)-local.key -> $(ReadOnly) ;
$(TWSKEY)/site.key -> $(ReadOnly) ;
$(TWDB) -> $(SEC_DYNAMIC) -i ;
$(TWPOL)/tw.pol -> $(SEC_READONLY) -i ;
$(TWPOL)/tw.cfg -> $(SEC_READONLY) -i ;
$(TWLKEY)/$(HOSTNAME)-local.key -> $(SEC_READONLY) ;
$(TWSKEY)/site.key -> $(SEC_READONLY) ;
# don't scan the individual reports
$(TWREPORT) -> $(Dynamic) (recurse=0) ;
$(TWREPORT) -> $(SEC_DYNAMIC) (recurse=0) ;
}
@ -115,7 +115,7 @@ Temporary = +pugt ;
#
(rulename = "System Directory",)
{
/boot/system -> $(IgnoreNone) -a;
/boot/system -> $(SEC_READONLY) -a;
}
@ -123,19 +123,19 @@ Temporary = +pugt ;
#
(rulename = "Binary Directories",)
{
/boot/bin -> $(IgnoreNone) -a;
/usr/bin -> $(IgnoreNone) -a;
/usr/local/bin -> $(IgnoreNone) -a;
/boot/Applications -> $(IgnoreNone) -a;
/resources/index/bin -> $(IgnoreNone) -a;
/boot/bin -> $(SEC_READONLY) -a;
/usr/bin -> $(SEC_READONLY) -a;
/usr/local/bin -> $(SEC_READONLY) -a;
/boot/Applications -> $(SEC_READONLY) -a;
/resources/index/bin -> $(SEC_READONLY) -a;
}
(rulename = "Admin Binary Directories",)
{
/usr/local/sbin -> $(IgnoreNone) -a;
/resources/index/sbin -> $(IgnoreNone) -a;
/usr/local/libexec -> $(IgnoreNone) -a;
/resources/index/libexec -> $(IgnoreNone) -a;
/usr/local/sbin -> $(SEC_READONLY) -a;
/resources/index/sbin -> $(SEC_READONLY) -a;
/usr/local/libexec -> $(SEC_READONLY) -a;
/resources/index/libexec -> $(SEC_READONLY) -a;
}
@ -143,42 +143,42 @@ Temporary = +pugt ;
#
(rulename = "Library Directories",)
{
/usr/local/lib -> $(IgnoreNone) -a;
/resources/index/lib -> $(IgnoreNone) -a;
/usr/local/lib -> $(SEC_READONLY) -a;
/resources/index/lib -> $(SEC_READONLY) -a;
}
### Other boot dirs ###########################################################
#
(rulename = "Boot Directories",)
{
/boot/boot/grub -> $(IgnoreNone) -a;
/boot/boot/grub -> $(SEC_READONLY) -a;
}
### Settings ##################################################################
#
(rulename = "Settings",)
{
/boot/etc -> $(IgnoreNone) -a;
/usr/local/etc -> $(IgnoreNone) -a;
/boot/etc -> $(SEC_READONLY) -a;
/usr/local/etc -> $(SEC_READONLY) -a;
}
# Logs ########################################################################
#
(rulename = "Logs",)
{
/var/log -> $(Growing) -a;
/var/log -> $(SEC_GROWING) -a;
}
# Dev #########################################################################
#
(rulename = "Devices",)
{
/dev -> $(Device) -a;
/dev -> $(SEC_DEVICE) -a;
}
# Temp dirs #########################
#
(rulename = "Temp Directories",)
{
/boot/tmp -> $(Temporary) -a;
/boot/tmp -> $(SEC_TEMPORARY) -a;
}


@ -56,13 +56,13 @@ HOSTNAME=;
#
##############################################################################
#Device = +pugsdr-intlbamcCMSH ;
#Dynamic = +pinugtd-srlbamcCMSH ;
#Growing = +pinugtdl-srbamcCMSH ;
#IgnoreAll = -pinugtsdrlbamcCMSH ;
#IgnoreNone = +pinugtsdrbamcCMSH-l ;
#ReadOnly = +pinugtsdbmCM-rlacSH ;
Temporary = +pugt ;
SEC_DEVICE = +pugsdr-intlbamcCMSH ;
SEC_DYNAMIC = +pinugtd-srlbamcCMSH ;
SEC_GROWING = +pinugtdl-srbamcCMSH ;
SEC_IGNORE_ALL = -pinugtsdrlbamcCMSH ;
SEC_IGNORE_NONE = +pinugtsdrbamcCMSH-l ;
SEC_READONLY = +pinugtsdbmCM-rlacSH ;
SEC_TEMPORARY = +pugt ;
@@section FS
@ -77,10 +77,10 @@ Temporary = +pugt ;
rulename = "Tripwire Binaries",
)
{
$(TWBIN)/siggen -> $(ReadOnly) ;
$(TWBIN)/tripwire -> $(ReadOnly) ;
$(TWBIN)/twadmin -> $(ReadOnly) ;
$(TWBIN)/twprint -> $(ReadOnly) ;
$(TWBIN)/siggen -> $(SEC_READONLY) ;
$(TWBIN)/tripwire -> $(SEC_READONLY) ;
$(TWBIN)/twadmin -> $(SEC_READONLY) ;
$(TWBIN)/twprint -> $(SEC_READONLY) ;
}
# Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases
@ -97,14 +97,14 @@ Temporary = +pugt ;
# afterward triggers this rule until a database update is run, since the
# database file does not exist before that point.
$(TWDB) -> $(Dynamic) -i ;
$(TWPOL)/tw.pol -> $(ReadOnly) -i ;
$(TWPOL)/tw.cfg -> $(ReadOnly) -i ;
$(TWLKEY)/$(HOSTNAME)-local.key -> $(ReadOnly) ;
$(TWSKEY)/site.key -> $(ReadOnly) ;
$(TWDB) -> $(SEC_DYNAMIC) -i ;
$(TWPOL)/tw.pol -> $(SEC_READONLY) -i ;
$(TWPOL)/tw.cfg -> $(SEC_READONLY) -i ;
$(TWLKEY)/$(HOSTNAME)-local.key -> $(SEC_READONLY) ;
$(TWSKEY)/site.key -> $(SEC_READONLY) ;
# don't scan the individual reports
$(TWREPORT) -> $(Dynamic) (recurse=0) ;
$(TWREPORT) -> $(SEC_DYNAMIC) (recurse=0) ;
}
@ -115,69 +115,69 @@ Temporary = +pugt ;
#
(rulename = "System Directory",)
{
/boot/system -> $(IgnoreNone) -a;
/boot/system/registry.rsm -> $(IgnoreNone) -am;
/boot/system -> $(SEC_READONLY) -a;
/boot/system/registry.rsm -> $(SEC_READONLY) -am;
}
(rulename = "System Files",)
{
/boot/kernel.sys -> $(IgnoreNone) -a;
/boot/kernel.dbg -> $(IgnoreNone) -a;
/boot/init.scr -> $(IgnoreNone) -a;
/boot/install.sif -> $(IgnoreNone) -a;
/boot/kernel.sys -> $(SEC_READONLY) -a;
/boot/kernel.dbg -> $(SEC_READONLY) -a;
/boot/init.scr -> $(SEC_READONLY) -a;
/boot/install.sif -> $(SEC_READONLY) -a;
}
### Other bin dirs ############################################################
#
(rulename = "Binary Directories",)
{
/boot/programs -> $(IgnoreNone) -a;
/boot/programs -> $(SEC_READONLY) -a;
}
### Other lib dirs ############################################################
#
(rulename = "Library Directories",)
{
/usr/lib -> $(IgnoreNone) -a;
/usr/local/lib -> $(IgnoreNone) -a;
/usr/lib -> $(SEC_READONLY) -a;
/usr/local/lib -> $(SEC_READONLY) -a;
}
### Other boot dirs ###########################################################
#
(rulename = "Boot Directories",)
{
/boot/boot/grub -> $(IgnoreNone) -a;
/boot/boot/grub -> $(SEC_READONLY) -a;
}
### Settings ##################################################################
#
(rulename = "Settings",)
{
/boot/programs/unix/etc -> $(IgnoreNone) -a;
/usr/local/etc -> $(IgnoreNone) -a;
/boot/programs/unix/etc -> $(SEC_READONLY) -a;
/usr/local/etc -> $(SEC_READONLY) -a;
}
# Logs ########################################################################
#
(rulename = "Logs",)
{
/var/log -> $(Growing) -a;
/var/log -> $(SEC_GROWING) -a;
}
# Dev #########################################################################
#
(rulename = "Devices",)
{
/dev -> $(Device) -a;
/fifo -> $(Device) -a;
/pty -> $(Device) -as;
/systeminterface -> $(Device) -a;
/umfs -> $(Device) -a;
/dev -> $(SEC_DEVICE) -a;
/fifo -> $(SEC_DEVICE) -a;
/pty -> $(SEC_DEVICE) -as;
/systeminterface -> $(SEC_DEVICE) -a;
/umfs -> $(SEC_DEVICE) -a;
}
# Temp dirs #########################
#
(rulename = "Temp Directories",)
{
/boot/temp -> $(Temporary) -a;
/boot/temp -> $(SEC_TEMPORARY) -a;
}