############################################################################## # ## ############################################################################## # # # # # Tripwire 2.4 policy for Solaris # # # updated March 2018 # # # ## ############################################################################## ############################################################################## # ## ############################################################################## # # # # # Global Variable Definitions # # # # # # These are defined at install time by the installation script. You may # # # manually edit these if you are using this file directly and not from the # # # installation script itself. # # # ## ############################################################################## @@section GLOBAL TWROOT=; TWBIN=; TWPOL=; TWDB=; TWSKEY=; TWLKEY=; TWREPORT=; HOSTNAME=; ############################################################################## # Predefined Variables # ############################################################################## # # Property Masks # # - ignore the following properties # + check the following properties # # a access timestamp (mutually exclusive with +CMSH) # b number of blocks allocated # c inode creation/modification timestamp # d ID of device on which inode resides # g group id of owner # i inode number # l growing files (logfiles for example) # m modification timestamp # n number of links # p permission and file mode bits # r ID of device pointed to by inode (valid only for device objects) # s file size # t file type # u user id of owner # # C CRC-32 hash # H HAVAL hash # M MD5 hash # S SHA hash # ############################################################################## SEC_DEVICE = +pugsdr-intlbamcCMSH ; SEC_DYNAMIC = +pinugtd-srlbamcCMSH ; SEC_GROWING = +pinugtdl-srbamcCMSH ; SEC_IGNORE_ALL = -pinugtsdrlbamcCMSH ; SEC_IGNORE_NONE = +pinugtsdrbamcCMSH-l ; SEC_READONLY = +pinugtsdbmCM-rlacSH ; SEC_TEMPORARY = +pugt ; @@section FS ######################################## # ## ######################################## # # # # # Tripwire Binaries and Data Files # # # ## ######################################## # Tripwire Binaries ( rulename = "Tripwire Binaries", ) { $(TWBIN)/siggen -> $(SEC_READONLY) ; $(TWBIN)/tripwire -> $(SEC_READONLY) ; $(TWBIN)/twadmin -> $(SEC_READONLY) ; $(TWBIN)/twprint -> $(SEC_READONLY) ; } # Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases ( rulename = "Tripwire Data Files", ) { # NOTE: We remove the inode attribute because when Tripwire creates a backup, # it does so by renaming the old file and creating a new one (which will # have a new inode number). Inode is left turned on for keys, which shouldn't # ever change. # NOTE: The first integrity check triggers this rule and each integrity check # afterward triggers this rule until a database update is run, since the # database file does not exist before that point. $(TWDB) -> $(SEC_DYNAMIC) -i ; $(TWPOL)/tw.pol -> $(SEC_READONLY) -i ; $(TWPOL)/tw.cfg -> $(SEC_READONLY) -i ; $(TWLKEY)/$(HOSTNAME)-local.key -> $(SEC_READONLY) ; $(TWSKEY)/site.key -> $(SEC_READONLY) ; # don't scan the individual reports $(TWREPORT) -> $(SEC_DYNAMIC) (recurse=0) ; # In this configuration /usr/local is a symbolic link to /home/local. # We want to ignore the following directories since they are already # scanned using the real directory or mount point. Otherwise we see # duplicates in the reports. !/home/local ; # Ignore since /home already scanned } ################################################ # ## ################################################ # # # # # OS Boot and Configuration Files # # # ## ################################################ ( rulename = "OS Boot and Configuration Files", ) { /etc -> $(SEC_IGNORE_NONE) -SHa ; /kernel -> $(SEC_READONLY) ; } ################################################### # ## ################################################### # # # # # Mount Points # # # ## ################################################### ( rulename = "Mount Points", ) { / -> $(SEC_READONLY) ; /cdrom -> $(SEC_DYNAMIC) ; /home -> $(SEC_READONLY) ; /mnt -> $(SEC_DYNAMIC) ; /usr -> $(SEC_READONLY) ; /var -> $(SEC_READONLY) ; /opt -> $(SEC_READONLY) ; } ################################################### # ## ################################################### # # # # # Misc Top-Level Directories # # # ## ################################################### ( rulename = "Misc Top-Level Directories", ) { /lost+found -> $(SEC_READONLY) ; } ################################################ # ## ################################################ # # # # # System Devices # # # ## ################################################ ( rulename = "System Devices", ) { /dev -> $(SEC_DEVICE) ; /devices -> $(SEC_DEVICE) ; } ################################################ # ## ################################################ # # # # # OS Binaries and Libraries # # # ## ################################################ ( rulename = "OS Binaries and Libraries", ) { /sbin -> $(SEC_READONLY) ; /usr/bin -> $(SEC_READONLY) ; /usr/lib -> $(SEC_READONLY) ; /usr/sbin -> $(SEC_READONLY) ; /usr/openwin/bin -> $(SEC_READONLY) ; /usr/openwin/lib -> $(SEC_READONLY) ; } ################################################ # ## ################################################ # # # # # Root Directory and Files # # # ## ################################################ ( rulename = "Root Directory and Files", ) { ! /.netscape/cache ; /.bash_history -> $(SEC_READONLY) -smbCM; /.sh_history -> $(SEC_DYNAMIC) ; /.Xauthority -> $(SEC_READONLY) ; } ################################################ # ## ################################################ # # # # # Temporary Directories # # # ## ################################################ ( rulename = "Temporary Directories", ) { /tmp -> $(SEC_TEMPORARY) ; /var/tmp -> $(SEC_TEMPORARY) ; } ################################################ # ## ################################################ # # # # # System Doors and Misc Mounts # # # ## ################################################ ( rulename = "System Doors and Misc Mounts", ) { !/etc/mnttab ; !/etc/.name_service_door ; !/etc/sysevent/syseventconfd_event_service ; !/etc/sysevent/sysevent_door ; !/etc/sysevent/piclevent_door ; !/dev/fd ; !/net ; !/proc ; !/var/run ; !/var/run/syslog_door ; !/vol ; !/xfn ; } ################################################ # ## ################################################ # # # # # System FIFOs # # # ## ################################################ ( rulename = "System FIFOs", ) { !/etc/cron.d/FIFO ; !/etc/initpipe ; !/etc/saf/_cmdpipe ; !/etc/saf/_sacpipe ; !/etc/saf/zsmon/_pmpipe ; !/etc/utmppipe ; !/var/spool/lp/fifos/FIFO ; !/tmp/.removable ; !/tmp/.X11-pipe/X0 ; } ################################################ # ## ################################################ # # # # # System and Boot Changes # # # ## ################################################ ( rulename = "System and Boot Changes", ) { /etc/.pwd.lock -> $(SEC_READONLY) -cm; /etc/coreadm.conf -> $(SEC_READONLY) -cm; /var/adm -> $(SEC_GROWING) -i; #/var/backups -> $(SEC_DYNAMIC) -i ; /var/cron/log -> $(SEC_GROWING) -i ; #/var/db/host.random -> $(SEC_READONLY) -mCM ; #/var/db/locate.database -> $(SEC_READONLY) -misCM ; /var/log -> $(SEC_GROWING) -i ; #/var/run -> $(SEC_DYNAMIC) -i ; #/var/mail -> $(SEC_GROWING) ; #/var/msgs/bounds -> $(SEC_READONLY) -smbCM ; !/var/sendmail ; !/var/spool/clientmqueue ; !/var/spool/mqueue ; #!/var/tmp/vi.recover ; # perl script periodically removes this }