364 lines
14 KiB
Plaintext
364 lines
14 KiB
Plaintext
##############################################################################
|
|
# ##
|
|
############################################################################## #
|
|
# # #
|
|
# Tripwire 2.4 policy for Mac OS X # #
|
|
# updated March 2018 # #
|
|
# ##
|
|
##############################################################################
|
|
|
|
##############################################################################
|
|
# ##
|
|
############################################################################## #
|
|
# # #
|
|
# Global Variable Definitions # #
|
|
# # #
|
|
# These are defined at install time by the installation script. You may # #
|
|
# manually edit these if you are using this file directly and not from the # #
|
|
# installation script itself. # #
|
|
# ##
|
|
##############################################################################
|
|
|
|
@@section GLOBAL
|
|
|
|
TWROOT=;
|
|
TWBIN=;
|
|
TWPOL=;
|
|
TWDB=;
|
|
TWSKEY=;
|
|
TWLKEY=;
|
|
TWREPORT=;
|
|
HOSTNAME=;
|
|
|
|
|
|
##############################################################################
|
|
# Predefined Variables #
|
|
##############################################################################
|
|
#
|
|
# Property Masks
|
|
#
|
|
# - ignore the following properties
|
|
# + check the following properties
|
|
#
|
|
# a access timestamp (mutually exclusive with +CMSH)
|
|
# b number of blocks allocated
|
|
# c inode creation/modification timestamp
|
|
# d ID of device on which inode resides
|
|
# g group id of owner
|
|
# i inode number
|
|
# l growing files (logfiles for example)
|
|
# m modification timestamp
|
|
# n number of links
|
|
# p permission and file mode bits
|
|
# r ID of device pointed to by inode (valid only for device objects)
|
|
# s file size
|
|
# t file type
|
|
# u user id of owner
|
|
#
|
|
# C CRC-32 hash
|
|
# H HAVAL hash
|
|
# M MD5 hash
|
|
# S SHA hash
|
|
#
|
|
##############################################################################
|
|
|
|
SEC_DEVICE = +pugsr-dintlbamcCMSH ;
|
|
SEC_DYNAMIC = +pinugt-dsrlbamcCMSH ;
|
|
SEC_READONLY = +pinugtsbmCM-drlacSH ;
|
|
SEC_GROWING = +pinugtl-dsrbamcCMSH ;
|
|
|
|
SEC_IGNORE_ALL = -pinugtsdrlbamcCMSH ;
|
|
SEC_IGNORE_NONE = +pinugtsdrbamcCMSH-l ;
|
|
SEC_TEMPORARY = +pugt ;
|
|
|
|
|
|
@@section FS
|
|
|
|
########################################
|
|
# ##
|
|
######################################## #
|
|
# # #
|
|
# Tripwire Binaries and Data Files # #
|
|
# ##
|
|
########################################
|
|
|
|
# Tripwire Binaries
|
|
(
|
|
rulename = "Tripwire Binaries", severity=100
|
|
)
|
|
{
|
|
$(TWBIN)/siggen -> $(SEC_READONLY) ;
|
|
$(TWBIN)/tripwire -> $(SEC_READONLY) ;
|
|
$(TWBIN)/twadmin -> $(SEC_READONLY) ;
|
|
$(TWBIN)/twprint -> $(SEC_READONLY) ;
|
|
}
|
|
|
|
# Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases
|
|
(
|
|
rulename = "Tripwire Data Files", severity=100
|
|
)
|
|
{
|
|
# NOTE: We remove the inode attribute because when Tripwire creates a backup,
|
|
# it does so by renaming the old file and creating a new one (which will
|
|
# have a new inode number). Inode is left turned on for keys, which shouldn't
|
|
# ever change.
|
|
|
|
# NOTE: The first integrity check triggers this rule and each integrity check
|
|
# afterward triggers this rule until a database update is run, since the
|
|
# database file does not exist before that point.
|
|
|
|
$(TWDB) -> $(SEC_DYNAMIC) -i ;
|
|
$(TWPOL)/tw.pol -> $(SEC_READONLY) -i ;
|
|
$(TWPOL)/tw.cfg -> $(SEC_READONLY) -i ;
|
|
$(TWLKEY)/$(HOSTNAME)-local.key -> $(SEC_READONLY) ;
|
|
$(TWSKEY)/site.key -> $(SEC_READONLY) ;
|
|
|
|
# don't scan the individual reports
|
|
$(TWREPORT) -> $(SEC_DYNAMIC)(recurse=0) ;
|
|
|
|
|
|
}
|
|
|
|
################################################
|
|
# ##
|
|
################################################ #
|
|
# # #
|
|
# OS Boot and Configuration Files # #
|
|
# ##
|
|
################################################
|
|
(
|
|
rulename = "OS Boot and Configuration Files", severity=100
|
|
)
|
|
{
|
|
#/mach.sym -> $(SEC_READONLY)-im ;
|
|
/mach_kernel -> $(SEC_READONLY) ;
|
|
/private/etc -> $(SEC_READONLY)-m ;
|
|
|
|
#/private/etc/appletalk.cfg -> $(SEC_READONLY)-im ;
|
|
#/private/etc/appletalk.nvram.en0 -> $(SEC_DYNAMIC) ;
|
|
/private/etc/cups/certs -> $(SEC_DYNAMIC) -i(recurse=0) ;
|
|
#/private/etc/smb.conf -> $(SEC_READONLY)-im ;
|
|
|
|
/Library -> $(SEC_READONLY) ;
|
|
/System -> $(SEC_READONLY) ;
|
|
|
|
/Library/Printers -> $(SEC_READONLY)(recurse=2) ;
|
|
/Library/Documentation -> $(SEC_READONLY)(recurse=2) ;
|
|
/Library/Filesystems -> $(SEC_DYNAMIC)-i ;
|
|
/Library/"Application Support" -> $(SEC_DYNAMIC)-im(recurse=2) ;
|
|
|
|
/System/Library/Filesystems -> $(SEC_DYNAMIC)-i ;
|
|
/System/Library/CoreServices -> $(SEC_READONLY)-im ;
|
|
/System/Library/Filesystems/hfs.fs -> $(SEC_DYNAMIC)(recurse=0) ;
|
|
|
|
}
|
|
|
|
###################################################
|
|
# ##
|
|
################################################### #
|
|
# # #
|
|
# Mount Points # #
|
|
# ##
|
|
###################################################
|
|
(
|
|
rulename = "Mount Points", severity=60
|
|
)
|
|
{
|
|
/ -> $(SEC_READONLY)(recurse=0) ;
|
|
/Volumes -> $(SEC_READONLY)-M (recurse=0) ;
|
|
/usr -> $(SEC_READONLY)(recurse=0) ;
|
|
|
|
}
|
|
|
|
|
|
################################################
|
|
# ##
|
|
################################################ #
|
|
# # #
|
|
# System Devices # #
|
|
# ##
|
|
################################################
|
|
(
|
|
rulename = "System Devices", severity=60
|
|
)
|
|
{
|
|
/dev -> $(SEC_DEVICE)(recurse=0) ;
|
|
}
|
|
|
|
################################################
|
|
# ##
|
|
################################################ #
|
|
# # #
|
|
# OS Binaries and Libraries # #
|
|
# ##
|
|
################################################
|
|
(
|
|
rulename = "OS Binaries and Libraries", severity=100
|
|
)
|
|
{
|
|
/bin -> $(SEC_READONLY) ;
|
|
/sbin -> $(SEC_READONLY) ;
|
|
/usr/bin -> $(SEC_READONLY) ;
|
|
/usr/lib -> $(SEC_READONLY) ;
|
|
/usr/libexec -> $(SEC_READONLY) ;
|
|
/usr/sbin -> $(SEC_READONLY) ;
|
|
/usr/X11 -> $(SEC_READONLY)(recurse=2) ; # May not be present
|
|
#/usr/X11/man -> $(SEC_DYNAMIC)-i(recurse=1) ; # May not be present
|
|
/usr/share -> $(SEC_READONLY) ;
|
|
/usr/share/man -> $(SEC_DYNAMIC)-i(recurse=1) ;
|
|
|
|
}
|
|
|
|
|
|
################################################
|
|
# ##
|
|
################################################ #
|
|
# # #
|
|
# OS X Applications # #
|
|
# ##
|
|
################################################
|
|
(
|
|
rulename = "OS Binaries and Libraries", severity=100
|
|
)
|
|
{
|
|
/Applications -> $(SEC_READONLY)-im(recurse=2) ;
|
|
}
|
|
|
|
################################################
|
|
# ##
|
|
################################################ #
|
|
# # #
|
|
# Usr Local Files # #
|
|
# ##
|
|
################################################
|
|
(
|
|
rulename = "Usr Local Files", severity=60
|
|
)
|
|
{
|
|
/usr/local -> $(SEC_READONLY) ;
|
|
/usr/local/sbin -> $(SEC_READONLY) ;
|
|
/usr/local/bin -> $(SEC_READONLY) ;
|
|
/usr/local/include -> $(SEC_READONLY) ;
|
|
/usr/local/opt -> $(SEC_READONLY) ;
|
|
/usr/local/libexec -> $(SEC_READONLY) ;
|
|
/usr/local/lib -> $(SEC_READONLY) ;
|
|
/usr/local/etc -> $(SEC_READONLY) ;
|
|
/usr/local/share -> $(SEC_READONLY) ;
|
|
/usr/local/man -> $(SEC_READONLY) ;
|
|
/usr/local/Frameworks -> $(SEC_READONLY) ;
|
|
# Homebrew
|
|
/usr/local/.git -> $(SEC_READONLY) ;
|
|
/usr/local/Cellar -> $(SEC_READONLY) ;
|
|
}
|
|
|
|
|
|
################################################
|
|
# ##
|
|
################################################ #
|
|
# # #
|
|
# Temporary Files and Directories # #
|
|
# ##
|
|
################################################
|
|
(
|
|
rulename = "Variable System Files", severity=60
|
|
)
|
|
{
|
|
/private/tmp -> $(SEC_DYNAMIC)-in(recurse=0) ;
|
|
|
|
/private/tftpboot -> $(SEC_READONLY)-i ;
|
|
|
|
/private/var -> $(SEC_READONLY)-i ;
|
|
/private/var/backups -> $(SEC_READONLY)-imc(severity=100) ;
|
|
#/private/var/backups/local.nidump -> $(SEC_DYNAMIC) -i(severity=100) ;
|
|
#/private/var/cron -> $(SEC_DYNAMIC) -i ;
|
|
/private/var/db -> $(SEC_READONLY)-im ;
|
|
/private/var/db/BootCache.playlist -> $(SEC_DYNAMIC) -i ;
|
|
#/private/var/db/netinfo/local.nidb/Store.384 -> $(SEC_READONLY)-imc(severity=100) ;
|
|
#/private/var/db/netinfo/local.nidb/Store.672 -> $(SEC_READONLY)-imc(severity=100) ;
|
|
#/private/var/db/prebindOnDemandBadFiles -> $(SEC_DYNAMIC) -i ;
|
|
/private/var/log -> $(SEC_DYNAMIC) -i ;
|
|
#/private/var/mail -> $(SEC_DYNAMIC) ;
|
|
/private/var/msgs/bounds -> $(SEC_READONLY)-smbCM ;
|
|
/private/var/root/Library/Caches -> $(SEC_DYNAMIC) -i ;
|
|
/private/var/run -> $(SEC_DYNAMIC) -i(rulename="Running Services") ;
|
|
#/private/var/slp.regfile -> $(SEC_READONLY)-im ;
|
|
#/private/var/spool/clientmqueue -> $(SEC_DYNAMIC)(recurse=0) ;
|
|
/private/var/spool/mqueue -> $(SEC_DYNAMIC)(recurse=0) ;
|
|
#/private/var/spool/lock -> $(SEC_DYNAMIC) -i(recurse=1) ;
|
|
/private/var/spool/cups -> $(SEC_DYNAMIC) -i(recurse=0) ;
|
|
/private/var/tmp -> $(SEC_DYNAMIC) -i(recurse=0) ;
|
|
/private/var/vm -> $(SEC_DYNAMIC)(recurse=0) ;
|
|
|
|
/Library/Caches -> $(SEC_DYNAMIC) -i ;
|
|
/Library/Logs -> $(SEC_DYNAMIC) -i(recurse=1) ;
|
|
/Library/Preferences -> $(SEC_DYNAMIC) -i(recurse=1) ;
|
|
"/Library/Internet Plug-Ins" -> $(SEC_DYNAMIC) -i ;
|
|
|
|
!/private/var/db/dhcpclient ;
|
|
!/private/var/db/dhcpd_leases ;
|
|
!/private/var/db/locate.database ;
|
|
!/private/var/db/SystemEntropyCache ;
|
|
!/private/var/db/mds/messages/se_SecurityMessages ;
|
|
!/private/var/db/samba/secrets.tdb ;
|
|
!/private/var/db/ntp.drift ;
|
|
!/private/var/folders ;
|
|
!/private/var/vm/sleepimage ;
|
|
!/private/var/vm/swap0 ;
|
|
!/private/var/vm/swap[1-9][0-9]* ;
|
|
# Sophos
|
|
!/Library/Caches/com.sophos.sau ;
|
|
!/Library/Caches/com.sophos.sxld ;
|
|
}
|
|
|
|
|
|
###################################################
|
|
# ##
|
|
################################################### #
|
|
# # #
|
|
# User Home Directories # #
|
|
# ##
|
|
###################################################
|
|
(
|
|
rulename = "Home Directories", severity=60
|
|
)
|
|
{
|
|
/Users -> $(SEC_READONLY)(recurse=0) ; # Modify as needed
|
|
|
|
|
|
#####
|
|
#
|
|
# USER1 as defined at top of policy
|
|
#
|
|
#####
|
|
|
|
# /Users/$(USER1) -> $(SEC_READONLY)-mc ;
|
|
# /Users/$(USER1)/Library/Preferences -> $(SEC_DYNAMIC)-i ;
|
|
# "/Users/$(USER1)/Library/Recent Servers" -> $(SEC_DYNAMIC)-i ;
|
|
# "/Users/$(USER1)/Library/Safari" -> $(SEC_DYNAMIC)-i(recurse=3) ;
|
|
# "/Users/$(USER1)/Library/Spelling" -> $(SEC_DYNAMIC)-i ;
|
|
# "/Users/$(USER1)/Library/Mail" -> $(SEC_DYNAMIC)-i(recurse=2) ;
|
|
# "/Users/$(USER1)/Pictures/iPhoto Library" -> $(SEC_DYNAMIC)-i(recurse=1) ;
|
|
# "/Users/$(USER1)/Library/Application Support" -> $(SEC_DYNAMIC)-im(recurse=2) ;
|
|
# /Users/$(USER1)/Documents -> $(SEC_DYNAMIC)(recurse=0) ;
|
|
# /Users/$(USER1)/Desktop -> $(SEC_DYNAMIC)(recurse=0) ;
|
|
|
|
|
|
#!"/Users/$(USER1)/Documents/Virtual PC List" ; # These items are *huge*, and are of little value to scan.
|
|
#!"/Users/$(USER1)/Library/Preferences/Microsoft/Clipboard" ;
|
|
#!"/Users/$(USER1)/Library/Safari/Icons" ;
|
|
#!"/Users/$(USER1)/Music/iTunes" ;
|
|
#!"/Users/$(USER1)/Library/Caches" ;
|
|
#!"/Users/$(USER1)/Library/Cookies" ;
|
|
#!"/Users/$(USER1)/Library/Logs" ;
|
|
#!"/Users/$(USER1)/Library/Folding@home" ;
|
|
#!"/Users/$(USER1)/setiathome" ;
|
|
#!"/Users/$(USER1)/Documents/seti-A" ;
|
|
#!"/Users/$(USER1)/Documents/seti-B" ;
|
|
#!"/Users/$(USER1)/.tcsh_history" ;
|
|
#!"/Users/$(USER1)/.DS_Store" ;
|
|
#!"/Users/$(USER1)/Public/.DS_Store" ;
|
|
#!"/Users/$(USER1)/.jpi_cache" ;
|
|
#!"/Users/$(USER1)/.lpoptions" ;
|
|
#!"/Users/$(USER1)/.Trash" ;
|
|
}
|