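##############################################################################
#                                                                            #
#  Tripwire 2.4 policy for Mac OS X                                          #
#  updated March 2018                                                        #
#                                                                            #
##############################################################################

##############################################################################
#                                                                            #
#  Global Variable Definitions                                               #
#                                                                            #
#  These are defined at install time by the installation script. You may     #
#  manually edit these if you are using this file directly and not from the  #
#  installation script itself.                                               #
#                                                                            #
##############################################################################

@@section GLOBAL
TWROOT=;
TWBIN=;
TWPOL=;
TWDB=;
TWSKEY=;
TWLKEY=;
TWREPORT=;
HOSTNAME=;

# USER1 is referenced by the (commented-out) per-user lines in the
# "Home Directories" rule at the end of this file but is not defined
# anywhere. Tripwire rejects a policy that expands an undefined variable,
# so define it here before enabling those lines, e.g.
#USER1=;

##############################################################################
#  Predefined Variables                                                      #
##############################################################################
#
#  Property Masks
#
#  - ignore the following properties
#  + check the following properties
#
#  a  access timestamp (mutually exclusive with +CMSH: hashing reads the
#     file, which updates its atime)
#  b  number of blocks allocated
#  c  inode creation/modification timestamp
#  d  ID of device on which inode resides
#  g  group id of owner
#  i  inode number
#  l  growing files (logfiles for example)
#  m  modification timestamp
#  n  number of links
#  p  permission and file mode bits
#  r  ID of device pointed to by inode (valid only for device objects)
#  s  file size
#  t  file type
#  u  user id of owner
#
#  C  CRC-32 hash
#  H  HAVAL hash
#  M  MD5 hash
#  S  SHA hash
#
##############################################################################

# Device nodes: permissions, owner, size and the referenced device ID;
# inode, timestamps and hashes churn on devfs and are ignored.
SEC_DEVICE      = +pugsr-dintlbamcCMSH ;

# Objects whose contents are expected to change: metadata only. Size and
# every hash are ignored, so CONTENT changes under a SEC_DYNAMIC path are
# invisible to Tripwire; use it only where that is acceptable.
SEC_DYNAMIC     = +pinugt-dsrlbamcCMSH ;

# Objects that must not change at all: metadata, size, mtime and three
# independent checksums.
# NOTE(review): the policy as shipped checked only CRC-32 and MD5. MD5
# collisions are practical and CRC-32 is not a cryptographic check, so the
# SHA property (+S; SHA-1 in Open Source Tripwire) is enabled here as well.
# Cost: extra hashing time on the large read-only trees (/System, /Library,
# /Applications). After changing any mask run `tripwire --update-policy`
# (or re-initialise the database) so the baseline carries the new property.
SEC_READONLY    = +pinugtsbmCMS-drlacH ;

# Log-style files that may only grow (the "l" property). Not referenced by
# any rule below; see the note on /private/var/log in "Variable System Files".
SEC_GROWING     = +pinugtl-dsrbamcCMSH ;

# Convenience masks, not referenced by any rule below.
SEC_IGNORE_ALL  = -pinugtsdrlbamcCMSH ;
SEC_IGNORE_NONE = +pinugtsdrbamcCMSH-l ;
SEC_TEMPORARY   = +pugt ;

@@section FS

########################################
#                                      #
#  Tripwire Binaries and Data Files    #
#                                      #
########################################

# Tripwire Binaries
(
  rulename = "Tripwire Binaries",
  severity = 100
)
{
  $(TWBIN)/siggen    -> $(SEC_READONLY) ;
  $(TWBIN)/tripwire  -> $(SEC_READONLY) ;
  $(TWBIN)/twadmin   -> $(SEC_READONLY) ;
  $(TWBIN)/twprint   -> $(SEC_READONLY) ;
}

# Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases
(
  rulename = "Tripwire Data Files",
  severity = 100
)
{
  # NOTE: We remove the inode attribute because when Tripwire creates a backup,
  # it does so by renaming the old file and creating a new one (which will
  # have a new inode number). Inode is left turned on for keys, which shouldn't
  # ever change.
  # NOTE: The first integrity check triggers this rule and each integrity check
  # afterward triggers this rule until a database update is run, since the
  # database file does not exist before that point.
  $(TWDB)                          -> $(SEC_DYNAMIC) -i ;
  $(TWPOL)/tw.pol                  -> $(SEC_READONLY) -i ;
  $(TWPOL)/tw.cfg                  -> $(SEC_READONLY) -i ;
  $(TWLKEY)/$(HOSTNAME)-local.key  -> $(SEC_READONLY) ;
  $(TWSKEY)/site.key               -> $(SEC_READONLY) ;
  # don't scan the individual reports
  $(TWREPORT)                      -> $(SEC_DYNAMIC)(recurse=0) ;
}

################################################
#                                              #
#  OS Boot and Configuration Files             #
#                                              #
################################################

(
  rulename = "OS Boot and Configuration Files",
  severity = 100
)
{
  #/mach.sym                          -> $(SEC_READONLY)-im ;
  # NOTE(review): /mach_kernel is no longer present on recent OS X releases
  # (the kernel moved under /System/Library/Kernels, which the /System rule
  # below already covers). If it is absent on this host Tripwire reports a
  # missing object every run; comment the line out in that case.
  /mach_kernel                        -> $(SEC_READONLY) ;
  /private/etc                        -> $(SEC_READONLY)-m ;
  #/private/etc/appletalk.cfg         -> $(SEC_READONLY)-im ;
  #/private/etc/appletalk.nvram.en0   -> $(SEC_DYNAMIC) ;
  /private/etc/cups/certs             -> $(SEC_DYNAMIC) -i(recurse=0) ;
  #/private/etc/smb.conf              -> $(SEC_READONLY)-im ;
  /Library                            -> $(SEC_READONLY) ;
  /System                             -> $(SEC_READONLY) ;
  /Library/Printers                   -> $(SEC_READONLY)(recurse=2) ;
  /Library/Documentation              -> $(SEC_READONLY)(recurse=2) ;
  /Library/Filesystems                -> $(SEC_DYNAMIC)-i ;
  # Quoted as a whole path, matching "/Library/Internet Plug-Ins" elsewhere
  # in this policy.
  "/Library/Application Support"      -> $(SEC_DYNAMIC)-im(recurse=2) ;
  /System/Library/Filesystems         -> $(SEC_DYNAMIC)-i ;
  /System/Library/CoreServices        -> $(SEC_READONLY)-im ;
  /System/Library/Filesystems/hfs.fs  -> $(SEC_DYNAMIC)(recurse=0) ;
}

###################################################
#                                                 #
#  Mount Points                                   #
#                                                 #
###################################################

# recurse=0: only the directory entry itself is checked (ownership, mode,
# hashes of the directory), not anything mounted or stored beneath it.
(
  rulename = "Mount Points",
  severity = 60
)
{
  /         -> $(SEC_READONLY)(recurse=0) ;
  /Volumes  -> $(SEC_READONLY)-M (recurse=0) ;
  /usr      -> $(SEC_READONLY)(recurse=0) ;
}

################################################
#                                              #
#  System Devices                              #
#                                              #
################################################

(
  rulename = "System Devices",
  severity = 60
)
{
  # NOTE(review): with recurse=0 only the /dev directory entry is examined,
  # so SEC_DEVICE is never applied to an actual device node and a changed
  # mode/owner on e.g. a disk device is not detected. Recursing into devfs
  # is noisy (ptys and hot-plugged devices come and go); if device-node
  # checks are wanted, list the specific nodes explicitly instead.
  /dev  -> $(SEC_DEVICE)(recurse=0) ;
}

################################################
#                                              #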
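#  OS Binaries and Libraries                   #
#                                              #
################################################

(
  rulename = "OS Binaries and Libraries",
  severity = 100
)
{
  /bin            -> $(SEC_READONLY) ;
  /sbin           -> $(SEC_READONLY) ;
  /usr/bin        -> $(SEC_READONLY) ;
  /usr/lib        -> $(SEC_READONLY) ;
  /usr/libexec    -> $(SEC_READONLY) ;
  /usr/sbin       -> $(SEC_READONLY) ;
  # May not be present
  /usr/X11        -> $(SEC_READONLY)(recurse=2) ;
  # May not be present
  #/usr/X11/man   -> $(SEC_DYNAMIC)-i(recurse=1) ;
  /usr/share      -> $(SEC_READONLY) ;
  /usr/share/man  -> $(SEC_DYNAMIC)-i(recurse=1) ;
}

################################################
#                                              #
#  OS X Applications                           #
#                                              #
################################################

# The rule name previously duplicated "OS Binaries and Libraries", so
# violations under /Applications were reported under the wrong heading.
(
  rulename = "OS X Applications",
  severity = 100
)
{
  /Applications  -> $(SEC_READONLY)-im(recurse=2) ;
}

################################################
#                                              #
#  Usr Local Files                             #
#                                              #
################################################

# NOTE(review): the subdirectory lines are already covered by the recursive
# /usr/local entry and only restate the same mask; they are kept for
# readability. /usr/local/bin commonly precedes /usr/bin on PATH, so a
# trojaned binary here is as dangerous as one in /usr/bin -- consider
# severity 100 for this rule.
(
  rulename = "Usr Local Files",
  severity = 60
)
{
  /usr/local             -> $(SEC_READONLY) ;
  /usr/local/sbin        -> $(SEC_READONLY) ;
  /usr/local/bin         -> $(SEC_READONLY) ;
  /usr/local/include     -> $(SEC_READONLY) ;
  /usr/local/opt         -> $(SEC_READONLY) ;
  /usr/local/libexec     -> $(SEC_READONLY) ;
  /usr/local/lib         -> $(SEC_READONLY) ;
  /usr/local/etc         -> $(SEC_READONLY) ;
  /usr/local/share       -> $(SEC_READONLY) ;
  /usr/local/man         -> $(SEC_READONLY) ;
  /usr/local/Frameworks  -> $(SEC_READONLY) ;
  # Homebrew
  /usr/local/.git        -> $(SEC_READONLY) ;
  /usr/local/Cellar      -> $(SEC_READONLY) ;
}

################################################
#                                              #
#  Temporary Files and Directories             #
#                                              #
################################################

(
  rulename = "Variable System Files",
  severity = 60
)
{
  /private/tmp                                    -> $(SEC_DYNAMIC)-in(recurse=0) ;
  /private/tftpboot                               -> $(SEC_READONLY)-i ;
  /private/var                                    -> $(SEC_READONLY)-i ;
  /private/var/backups                            -> $(SEC_READONLY)-imc(severity=100) ;
  #/private/var/backups/local.nidump              -> $(SEC_DYNAMIC) -i(severity=100) ;
  #/private/var/cron                              -> $(SEC_DYNAMIC) -i ;
  /private/var/db                                 -> $(SEC_READONLY)-im ;
  /private/var/db/BootCache.playlist              -> $(SEC_DYNAMIC) -i ;
  #/private/var/db/netinfo/local.nidb/Store.384   -> $(SEC_READONLY)-imc(severity=100) ;
  #/private/var/db/netinfo/local.nidb/Store.672   -> $(SEC_READONLY)-imc(severity=100) ;
  #/private/var/db/prebindOnDemandBadFiles        -> $(SEC_DYNAMIC) -i ;
  # NOTE(review): SEC_DYNAMIC ignores size and hashes, so truncation of a
  # log (a routine anti-forensic step) is not detected here. SEC_GROWING -i
  # would flag a shrinking file, at the cost of a report entry on every log
  # rotation; pick per site.
  /private/var/log                                -> $(SEC_DYNAMIC) -i ;
  #/private/var/mail                              -> $(SEC_DYNAMIC) ;
  /private/var/msgs/bounds                        -> $(SEC_READONLY)-smbCM ;
  /private/var/root/Library/Caches                -> $(SEC_DYNAMIC) -i ;
  /private/var/run                                -> $(SEC_DYNAMIC) -i(rulename="Running Services") ;
  #/private/var/slp.regfile                       -> $(SEC_READONLY)-im ;
  #/private/var/spool/clientmqueue                -> $(SEC_DYNAMIC)(recurse=0) ;
  /private/var/spool/mqueue                       -> $(SEC_DYNAMIC)(recurse=0) ;
  #/private/var/spool/lock                        -> $(SEC_DYNAMIC) -i(recurse=1) ;
  /private/var/spool/cups                         -> $(SEC_DYNAMIC) -i(recurse=0) ;
  /private/var/tmp                                -> $(SEC_DYNAMIC) -i(recurse=0) ;
  /private/var/vm                                 -> $(SEC_DYNAMIC)(recurse=0) ;
  /Library/Caches                                 -> $(SEC_DYNAMIC) -i ;
  /Library/Logs                                   -> $(SEC_DYNAMIC) -i(recurse=1) ;
  # NOTE(review): SEC_DYNAMIC drops size and all hashes, so edits to the
  # system-wide plists here (login hooks and similar persistence settings
  # live in this tree) are not detected; give any plist you care about its
  # own $(SEC_READONLY)-i line.
  /Library/Preferences                            -> $(SEC_DYNAMIC) -i(recurse=1) ;
  "/Library/Internet Plug-Ins"                    -> $(SEC_DYNAMIC) -i ;

  # Objects excluded entirely. /private/var/folders holds the per-user
  # temporary and cache trees and is a large blind spot by design.
  !/private/var/db/dhcpclient ;
  !/private/var/db/dhcpd_leases ;
  !/private/var/db/locate.database ;
  !/private/var/db/SystemEntropyCache ;
  !/private/var/db/mds/messages/se_SecurityMessages ;
  !/private/var/db/samba/secrets.tdb ;
  !/private/var/db/ntp.drift ;
  !/private/var/folders ;
  !/private/var/vm/sleepimage ;
  !/private/var/vm/swap0 ;
  !/private/var/vm/swap[1-9][0-9]* ;
  # Sophos
  !/Library/Caches/com.sophos.sau ;
  !/Library/Caches/com.sophos.sxld ;
}

###################################################
#                                                 #
#  User Home Directories                          #
#                                                 #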
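###################################################

(
  rulename = "Home Directories",
  severity = 60
)
{
  # recurse=0: only the /Users directory entry itself is checked. Nothing
  # inside any home directory is monitored unless the per-user lines below
  # are enabled.
  /Users  -> $(SEC_READONLY)(recurse=0) ;

  # Modify as needed
  #####
  #
  # USER1 is NOT defined in this policy. Add `USER1=<short name>;` to the
  # GLOBAL section at the top of the file before uncommenting any line that
  # expands $(USER1); Tripwire rejects a policy that references an undefined
  # variable.
  #
  #####
  # /Users/$(USER1)                                      -> $(SEC_READONLY)-mc ;
  # /Users/$(USER1)/Library/Preferences                  -> $(SEC_DYNAMIC)-i ;
  # "/Users/$(USER1)/Library/Recent Servers"             -> $(SEC_DYNAMIC)-i ;
  # "/Users/$(USER1)/Library/Safari"                     -> $(SEC_DYNAMIC)-i(recurse=3) ;
  # "/Users/$(USER1)/Library/Spelling"                   -> $(SEC_DYNAMIC)-i ;
  # "/Users/$(USER1)/Library/Mail"                       -> $(SEC_DYNAMIC)-i(recurse=2) ;
  # "/Users/$(USER1)/Pictures/iPhoto Library"            -> $(SEC_DYNAMIC)-i(recurse=1) ;
  # "/Users/$(USER1)/Library/Application Support"        -> $(SEC_DYNAMIC)-im(recurse=2) ;
  # /Users/$(USER1)/Documents                            -> $(SEC_DYNAMIC)(recurse=0) ;
  # /Users/$(USER1)/Desktop                              -> $(SEC_DYNAMIC)(recurse=0) ;
  # NOTE(review): per-user launchd items and SSH trust material are common
  # persistence and lateral-movement locations; if the per-user lines are
  # enabled, consider tight masks on these as well:
  # "/Users/$(USER1)/Library/LaunchAgents"               -> $(SEC_READONLY) ;
  # /Users/$(USER1)/.ssh                                 -> $(SEC_READONLY) ;
  #!"/Users/$(USER1)/Documents/Virtual PC List" ;
  # These items are *huge*, and are of little value to scan.
  #!"/Users/$(USER1)/Library/Preferences/Microsoft/Clipboard" ;
  #!"/Users/$(USER1)/Library/Safari/Icons" ;
  #!"/Users/$(USER1)/Music/iTunes" ;
  #!"/Users/$(USER1)/Library/Caches" ;
  #!"/Users/$(USER1)/Library/Cookies" ;
  #!"/Users/$(USER1)/Library/Logs" ;
  #!"/Users/$(USER1)/Library/Folding@home" ;
  #!"/Users/$(USER1)/setiathome" ;
  #!"/Users/$(USER1)/Documents/seti-A" ;
  #!"/Users/$(USER1)/Documents/seti-B" ;
  #!"/Users/$(USER1)/.tcsh_history" ;
  #!"/Users/$(USER1)/.DS_Store" ;
  #!"/Users/$(USER1)/Public/.DS_Store" ;
  #!"/Users/$(USER1)/.jpi_cache" ;
  #!"/Users/$(USER1)/.lpoptions" ;
  #!"/Users/$(USER1)/.Trash" ;
}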