# identifier: tripwire IDS policy input file # host: Fedora Core release 1 (Yarrow) # version: 2.4.3 # maintainer: FRLinux # validator: unvalidated # date: Wed Sep 21 13:50:21 UTC 2011 # description: # This is an example Tripwire Policy input file. It is intended as the # starting point to creating your own custom Tripwire Policy. Referring # to it, as well as the Tripwire Policy Guide, should give you enough # information to make a good custom Tripwire Policy that better fits # your configuration and security needs. This text version will be used # by tripwire as input to create a proprietary type of file called a # Tripwire Policy file, which will then be signed for further security. # It is recommended that once you complete the creation of the Policy # file, you move this plaintext version to a secure location (possibly # on removable media) or encrypt the file using a tool such as GPG. You # should also do this for the Tripwire plaintext configuration file # (twcfg.txt) once you have finished setting up the Policy. # # Note that this file is tuned to an "everything" install of Fedora # Linux. If run unmodified, this file should create no errors on # database creation, or violations on a subsequent integrity check. # However, it is impossible for there to be one policy file for all # machines, so this existing one errs on the side of security. Your # Linux configuration will most likely differ from the one our policy # file was tuned to, and will therefore require some editing of the # default Tripwire Policy file. The example policy file is best run # with "Loose Directory Checking" enabled. # # Set LOOSEDIRECTORYCHECKING=TRUE in the Tripwire Configuration file. # # Note - legacy entries (which are commented out) are included for # historical reasons only, and are overdue for removal. They will # likely disappear from future releases. # # The following info is only really useful for non-RPM distributions: # # Email support is not included and must be added to this file. Add the # "emailto=" to the rule directive section of each rule (add a comma # after the "severity=" line and add an "emailto=" and include the # email addresses you want the violation reports to go to). Addresses # are semi-colon delimited. # # If you installed from the Fedora RPM, a cron job has already been set # up for you. Tripwire will perform an integrity check once every day, # and the generated report will be emailed to root. In this case, you # do not need to perform the steps in the previous paragraph. # policy: # Global Variable Definitions @@section GLOBAL TWROOT=/usr/sbin; TWBIN=/usr/sbin; TWPOL="/etc/tripwire"; TWDB="/var/lib/tripwire"; TWSKEY="/etc/tripwire"; TWLKEY="/etc/tripwire"; TWREPORT="/var/lib/tripwire/report"; HOSTNAME=dub6041; @@section FS SEC_CRIT = $(IgnoreNone)-SHa ; # Critical files that cannot change SEC_SUID = $(IgnoreNone)-SHa ; # Binaries with the SUID or SGID flags set SEC_BIN = $(ReadOnly) ; # Binaries that should not change SEC_CONFIG = $(Dynamic) ; # Config files that are changed infrequently but accessed often SEC_LOG = $(Growing) ; # Files that grow, but that should never change ownership SEC_INVARIANT = +tpug ; # Directories that should never change permission or ownership SIG_LOW = 33 ; # Non-critical files that are of minimal security impact SIG_MED = 66 ; # Non-critical files that are of significant security impact SIG_HI = 100 ; # Critical files that are significant points of vulnerability # Commonly accessed directories that should remain static with regards # to owner and group. ( rulename = "Invariant Directories", severity = $(SIG_MED) ) { / -> $(SEC_INVARIANT) (recurse = 0) ; /home -> $(SEC_INVARIANT) (recurse = 0) ; /etc -> $(SEC_INVARIANT) (recurse = 0) ; }