##############################################################################
2 # ##
3############################################################################## #
4# # #
5# Generic Policy file # #
6# V1.2.0rh # #
7# August 9, 2001 # #
8# ##
9##############################################################################
10
11
12 ##############################################################################
13 # ##
14############################################################################## #
15# # #
16# This is the example Tripwire Policy file. It is intended as a place to # #
17# start creating your own custom Tripwire Policy file. Referring to it as # #
18# well as the Tripwire Policy Guide should give you enough information to # #
19# make a good custom Tripwire Policy file that better covers your # #
20# configuration and security needs. A text version of this policy file is # #
21# called twpol.txt. # #
22# # #
23# Note that this file is tuned to an 'everything' install of Red Hat Linux. # #
24# If run unmodified, this file should create no errors on database # #
# creation, or violations on a subsequent integrity check. However, it is    #
26# impossible for there to be one policy file for all machines, so this # #
27# existing one errs on the side of security. Your Linux configuration will # #
# most likely differ from the one our policy file was tuned to, and will     #
29# therefore require some editing of the default Tripwire Policy file. # #
30# # #
31# The example policy file is best run with 'Loose Directory Checking' # #
32# enabled. Set LOOSEDIRECTORYCHECKING=TRUE in the Tripwire Configuration # #
33# file. # #
34# # #
35# Email support is not included and must be added to this file. # #
36# Add the 'emailto=' to the rule directive section of each rule (add a comma # #
37# after the 'severity=' line and add an 'emailto=' and include the email # #
38# addresses you want the violation reports to go to). Addresses are # #
39# semi-colon delimited. # #
40# ##
41##############################################################################
42
43
44
45 ##############################################################################
46 # ##
47############################################################################## #
48# # #
49# Global Variable Definitions # #
50# # #
51# These are defined at install time by the installation script. You may # #
52# Manually edit these if you are using this file directly and not from the # #
53# installation script itself. # #
54# ##
55##############################################################################
56
@@section GLOBAL
# Install-time locations.  The banner above says the installation script
# fills these in; edit them by hand only when this file is used directly.
TWROOT=/usr/sbin;
TWBIN=/usr/sbin;
TWPOL="/etc/tripwire";
TWDB="/var/lib/tripwire";
TWSKEY="/etc/tripwire";
TWLKEY="/etc/tripwire";
TWREPORT="/var/lib/tripwire/report";
# HOSTNAME is only used to build the local key file name
# ($(TWLKEY)/$(HOSTNAME)-local.key in the "Tripwire Data Files" rule).  If the
# installer leaves it at "localhost" that rule will point at a key file that
# probably does not exist on the host -- confirm it matches the name twadmin
# actually generated, otherwise the real local key is not monitored.
HOSTNAME=localhost;
65HOSTNAME=localhost;
66
67@@section FS
68SEC_CRIT = $(IgnoreNone)-SHa ; # Critical files that cannot change
69SEC_SUID = $(IgnoreNone)-SHa ; # Binaries with the SUID or SGID flags set
70SEC_BIN = $(ReadOnly) ; # Binaries that should not change
71SEC_CONFIG = $(Dynamic) ; # Config files that are changed infrequently but accessed often
72SEC_LOG = $(Growing) ; # Files that grow, but that should never change ownership
73SEC_INVARIANT = +tpug ; # Directories that should never change permission or ownership
74SIG_LOW = 33 ; # Non-critical files that are of minimal security impact
75SIG_MED = 66 ; # Non-critical files that are of significant security impact
76SIG_HI = 100 ; # Critical files that are significant points of vulnerability
77
78
# Tripwire Binaries
# Self-check of the scanner's own executables.  This can only detect tampering
# when the tripwire that runs the check is itself intact -- a replaced binary
# can report whatever it likes -- so these files (and the database) should
# also be verified from read-only or off-host media.  $(SEC_BIN) is
# $(ReadOnly), which per the Policy Guide hashes with CRC32/MD5 only.
(
  rulename = "Tripwire Binaries",
  severity = $(SIG_HI)
)
{
  $(TWBIN)/siggen -> $(SEC_BIN) ;
  $(TWBIN)/tripwire -> $(SEC_BIN) ;
  $(TWBIN)/twadmin -> $(SEC_BIN) ;
  $(TWBIN)/twprint -> $(SEC_BIN) ;
}
90
# Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases
(
  rulename = "Tripwire Data Files",
  severity = $(SIG_HI)
)
{
  # NOTE: We remove the inode attribute because when Tripwire creates a backup,
  # it does so by renaming the old file and creating a new one (which will
  # have a new inode number). Inode is left turned on for keys, which shouldn't
  # ever change.

  # NOTE: The first integrity check triggers this rule and each integrity check
  # afterward triggers this rule until a database update is run, since the
  # database file does not exist before that point.

  # NOTE(review): only the signed/encoded tw.pol and tw.cfg are listed.  The
  # plain-text versions the banner mentions (twpol.txt, and twcfg.txt if the
  # installer left it) normally live in $(TWPOL) too and are NOT monitored by
  # this file; they tell an intruder exactly what is and is not watched.
  # Either delete them after signing or add them here with $(SEC_BIN).

  # The database gets $(SEC_CONFIG) ($(Dynamic)): ownership/permissions/type
  # only, no content hash, because its content changes on every update.
  $(TWDB) -> $(SEC_CONFIG) -i ;
  $(TWPOL)/tw.pol -> $(SEC_BIN) -i ;
  $(TWPOL)/tw.cfg -> $(SEC_BIN) -i ;
  # Key files keep the inode check (no -i); $(HOSTNAME) comes from the GLOBAL
  # section and must match the name of the key twadmin generated.
  $(TWLKEY)/$(HOSTNAME)-local.key -> $(SEC_BIN) ;
  $(TWSKEY)/site.key -> $(SEC_BIN) ;

  #don't scan the individual reports
  $(TWREPORT) -> $(SEC_CONFIG) (recurse=0) ;
}
115
116
117# Tripwire HQ Connector Binaries
118#(
119# rulename = "Tripwire HQ Connector Binaries",
120# severity = $(SIG_HI)
121#)
122#{
123# $(TWBIN)/hqagent -> $(SEC_BIN) ;
124#}
125#
126# Tripwire HQ Connector - Configuration Files, Keys, and Logs
127
128 ##############################################################################
129 # ##
130############################################################################## #
131# # #
132# Note: File locations here are different than in a stock HQ Connector # #
133# installation. This is because Tripwire 2.3 uses a different path # #
134# structure than Tripwire 2.2.1. # #
135# # #
# You may need to update your HQ Agent configuration file (or this policy     #
137# file) to correct the paths. We have attempted to support the FHS standard # #
138# here by placing the HQ Agent files similarly to the way Tripwire 2.3 # #
139# places them. # #
140# ##
141##############################################################################
142
143#(
144# rulename = "Tripwire HQ Connector Data Files",
145# severity = $(SIG_HI)
146#)
147#{
148# #############################################################################
149# ##############################################################################
150# # NOTE: Removing the inode attribute because when Tripwire creates a backup ##
151# # it does so by renaming the old file and creating a new one (which will ##
152# # have a new inode number). Leaving inode turned on for keys, which ##
153# # shouldn't ever change. ##
154# #############################################################################
155#
156# $(TWBIN)/agent.cfg -> $(SEC_BIN) -i ;
157# $(TWLKEY)/authentication.key -> $(SEC_BIN) ;
158# $(TWDB)/tasks.dat -> $(SEC_CONFIG) ;
159# $(TWDB)/schedule.dat -> $(SEC_CONFIG) ;
160#
161# # Uncomment if you have agent logging enabled.
162# #/var/log/tripwire/agent.log -> $(SEC_LOG) ;
163#}
164
165
166
167# Commonly accessed directories that should remain static with regards to owner and group
168(
169 rulename = "Invariant Directories",
170 severity = $(SIG_MED)
171)
172{
173 / -> $(SEC_INVARIANT) (recurse = 0) ;
174 /home -> $(SEC_INVARIANT) (recurse = 0) ;
175 /etc -> $(SEC_INVARIANT) (recurse = 0) ;
176}
177 ################################################
178 # ##
179################################################ #
180# # #
181# File System and Disk Administration Programs # #
182# ##
183################################################
184
# Every entry uses $(SEC_CRIT), i.e. every property including content hashes.
# The list reflects the 2001 Red Hat "everything" install (see the banner);
# on any other host many of these paths will be absent, and per the banner a
# missing object produces an error at database creation rather than a
# violation.  Prune entries that do not exist on the target instead of
# learning to ignore the errors, or genuine errors will be lost in the noise.
(
  rulename = "File System and Disk Administraton Programs",
  severity = $(SIG_HI)
)
{
  /sbin/accton -> $(SEC_CRIT) ;
  /sbin/badblocks -> $(SEC_CRIT) ;
  /sbin/busybox -> $(SEC_CRIT) ;
  /sbin/busybox.anaconda -> $(SEC_CRIT) ;
  /sbin/convertquota -> $(SEC_CRIT) ;
  /sbin/dosfsck -> $(SEC_CRIT) ;
  /sbin/debugfs -> $(SEC_CRIT) ;
  /sbin/debugreiserfs -> $(SEC_CRIT) ;
  /sbin/dumpe2fs -> $(SEC_CRIT) ;
  /sbin/dump -> $(SEC_CRIT) ;
  /sbin/dump.static -> $(SEC_CRIT) ;
  # /sbin/e2fsadm -> $(SEC_CRIT) ; tune2fs?
  /sbin/e2fsck -> $(SEC_CRIT) ;
  /sbin/e2label -> $(SEC_CRIT) ;
  /sbin/fdisk -> $(SEC_CRIT) ;
  /sbin/fsck -> $(SEC_CRIT) ;
  /sbin/fsck.ext2 -> $(SEC_CRIT) ;
  /sbin/fsck.ext3 -> $(SEC_CRIT) ;
  /sbin/fsck.minix -> $(SEC_CRIT) ;
  /sbin/fsck.msdos -> $(SEC_CRIT) ;
  /sbin/fsck.vfat -> $(SEC_CRIT) ;
  /sbin/ftl_check -> $(SEC_CRIT) ;
  /sbin/ftl_format -> $(SEC_CRIT) ;
  /sbin/hdparm -> $(SEC_CRIT) ;
  #/sbin/lvchange -> $(SEC_CRIT) ;
  #/sbin/lvcreate -> $(SEC_CRIT) ;
  #/sbin/lvdisplay -> $(SEC_CRIT) ;
  #/sbin/lvextend -> $(SEC_CRIT) ;
  #/sbin/lvmchange -> $(SEC_CRIT) ;
  #/sbin/lvmcreate_initrd -> $(SEC_CRIT) ;
  #/sbin/lvmdiskscan -> $(SEC_CRIT) ;
  #/sbin/lvmsadc -> $(SEC_CRIT) ;
  #/sbin/lvmsar -> $(SEC_CRIT) ;
  #/sbin/lvreduce -> $(SEC_CRIT) ;
  #/sbin/lvremove -> $(SEC_CRIT) ;
  #/sbin/lvrename -> $(SEC_CRIT) ;
  #/sbin/lvscan -> $(SEC_CRIT) ;
  /sbin/mkbootdisk -> $(SEC_CRIT) ;
  /sbin/mkdosfs -> $(SEC_CRIT) ;
  /sbin/mke2fs -> $(SEC_CRIT) ;
  /sbin/mkfs -> $(SEC_CRIT) ;
  /sbin/mkfs.bfs -> $(SEC_CRIT) ;
  /sbin/mkfs.ext2 -> $(SEC_CRIT) ;
  /sbin/mkfs.minix -> $(SEC_CRIT) ;
  /sbin/mkfs.msdos -> $(SEC_CRIT) ;
  /sbin/mkfs.vfat -> $(SEC_CRIT) ;
  /sbin/mkinitrd -> $(SEC_CRIT) ;
  #/sbin/mkpv -> $(SEC_CRIT) ;
  /sbin/mkraid -> $(SEC_CRIT) ;
  /sbin/mkreiserfs -> $(SEC_CRIT) ;
  /sbin/mkswap -> $(SEC_CRIT) ;
  #/sbin/mtx -> $(SEC_CRIT) ;
  /sbin/pam_console_apply -> $(SEC_CRIT) ;
  /sbin/parted -> $(SEC_CRIT) ;
  /sbin/pcinitrd -> $(SEC_CRIT) ;
  #/sbin/pvchange -> $(SEC_CRIT) ;
  #/sbin/pvcreate -> $(SEC_CRIT) ;
  #/sbin/pvdata -> $(SEC_CRIT) ;
  #/sbin/pvdisplay -> $(SEC_CRIT) ;
  #/sbin/pvmove -> $(SEC_CRIT) ;
  #/sbin/pvscan -> $(SEC_CRIT) ;
  /sbin/quotacheck -> $(SEC_CRIT) ;
  /sbin/quotaon -> $(SEC_CRIT) ;
  /sbin/raidstart -> $(SEC_CRIT) ;
  /sbin/reiserfsck -> $(SEC_CRIT) ;
  /sbin/resize2fs -> $(SEC_CRIT) ;
  /sbin/resize_reiserfs -> $(SEC_CRIT) ;
  /sbin/restore -> $(SEC_CRIT) ;
  /sbin/restore.static -> $(SEC_CRIT) ;
  /sbin/scsi_info -> $(SEC_CRIT) ;
  /sbin/sfdisk -> $(SEC_CRIT) ;
  /sbin/stinit -> $(SEC_CRIT) ;
  #/sbin/tapeinfo -> $(SEC_CRIT) ;
  /sbin/tune2fs -> $(SEC_CRIT) ;
  /sbin/unpack -> $(SEC_CRIT) ;
  /sbin/update -> $(SEC_CRIT) ;
  #/sbin/vgcfgbackup -> $(SEC_CRIT) ;
  #/sbin/vgcfgrestore -> $(SEC_CRIT) ;
  #/sbin/vgchange -> $(SEC_CRIT) ;
  #/sbin/vgck -> $(SEC_CRIT) ;
  #/sbin/vgcreate -> $(SEC_CRIT) ;
  #/sbin/vgdisplay -> $(SEC_CRIT) ;
  #/sbin/vgexport -> $(SEC_CRIT) ;
  #/sbin/vgextend -> $(SEC_CRIT) ;
  #/sbin/vgimport -> $(SEC_CRIT) ;
  #/sbin/vgmerge -> $(SEC_CRIT) ;
  #/sbin/vgmknodes -> $(SEC_CRIT) ;
  #/sbin/vgreduce -> $(SEC_CRIT) ;
  #/sbin/vgremove -> $(SEC_CRIT) ;
  #/sbin/vgrename -> $(SEC_CRIT) ;
  #/sbin/vgscan -> $(SEC_CRIT) ;
  #/sbin/vgsplit -> $(SEC_CRIT) ;
  # Core file-manipulation tools (mount/mknod/chmod/chown in particular are
  # classic trojan targets) -- keep these even on a trimmed policy.
  /bin/chgrp -> $(SEC_CRIT) ;
  /bin/chmod -> $(SEC_CRIT) ;
  /bin/chown -> $(SEC_CRIT) ;
  /bin/cp -> $(SEC_CRIT) ;
  /bin/cpio -> $(SEC_CRIT) ;
  /bin/mount -> $(SEC_CRIT) ;
  /bin/umount -> $(SEC_CRIT) ;
  /bin/mkdir -> $(SEC_CRIT) ;
  /bin/mknod -> $(SEC_CRIT) ;
  /bin/mktemp -> $(SEC_CRIT) ;
  /bin/rm -> $(SEC_CRIT) ;
  /bin/rmdir -> $(SEC_CRIT) ;
  /bin/touch -> $(SEC_CRIT) ;
}
296
297 ##################################
298 # ##
299################################## #
300# # #
301# Kernel Administration Programs # #
302# ##
303##################################
304
# Module loading, ldconfig and sysctl are the user-space entry points for
# changing kernel behaviour; all get the full $(SEC_CRIT) mask.  Note that
# modprobe/rmmod/lsmod are listed under "Critical Utility Sym-Links" below,
# and the module files themselves are under "System boot changes" with a
# mask that does not hash content.
(
  rulename = "Kernel Administration Programs",
  severity = $(SIG_HI)
)
{
  /sbin/adjtimex -> $(SEC_CRIT) ;
  /sbin/ctrlaltdel -> $(SEC_CRIT) ;
  /sbin/depmod -> $(SEC_CRIT) ;
  /sbin/insmod -> $(SEC_CRIT) ;
  /sbin/insmod.static -> $(SEC_CRIT) ;
  /sbin/insmod_ksymoops_clean -> $(SEC_CRIT) ;
  /sbin/klogd -> $(SEC_CRIT) ;
  /sbin/ldconfig -> $(SEC_CRIT) ;
  /sbin/minilogd -> $(SEC_CRIT) ;
  /sbin/modinfo -> $(SEC_CRIT) ;
  #/sbin/nuactlun -> $(SEC_CRIT) ;
  #/sbin/nuscsitcpd -> $(SEC_CRIT) ;
  /sbin/pivot_root -> $(SEC_CRIT) ;
  /sbin/sndconfig -> $(SEC_CRIT) ;
  /sbin/sysctl -> $(SEC_CRIT) ;
}
326
327 #######################
328 # ##
329####################### #
330# # #
331# Networking Programs # #
332# ##
333#######################
334
# Network configuration tools plus the ifup/ifdown shell scripts that init
# runs as root at boot.  The scripts are the more interesting target here:
# they are plain text executed with full privilege.  The ifcfg-* files those
# scripts source (elsewhere under /etc/sysconfig) are not part of this rule;
# confirm they are covered by a later rule with a content-hashing mask.
(
  rulename = "Networking Programs",
  severity = $(SIG_HI)
)
{
  /etc/sysconfig/network-scripts/ifdown -> $(SEC_CRIT) ;
  /etc/sysconfig/network-scripts/ifdown-cipcb -> $(SEC_CRIT) ;
  /etc/sysconfig/network-scripts/ifdown-ippp -> $(SEC_CRIT) ;
  /etc/sysconfig/network-scripts/ifdown-ipv6 -> $(SEC_CRIT) ;
  /etc/sysconfig/network-scripts/ifdown-isdn -> $(SEC_CRIT) ;
  /etc/sysconfig/network-scripts/ifdown-post -> $(SEC_CRIT) ;
  /etc/sysconfig/network-scripts/ifdown-ppp -> $(SEC_CRIT) ;
  /etc/sysconfig/network-scripts/ifdown-sit -> $(SEC_CRIT) ;
  /etc/sysconfig/network-scripts/ifdown-sl -> $(SEC_CRIT) ;
  /etc/sysconfig/network-scripts/ifup -> $(SEC_CRIT) ;
  /etc/sysconfig/network-scripts/ifup-aliases -> $(SEC_CRIT) ;
  /etc/sysconfig/network-scripts/ifup-cipcb -> $(SEC_CRIT) ;
  /etc/sysconfig/network-scripts/ifup-ippp -> $(SEC_CRIT) ;
  /etc/sysconfig/network-scripts/ifup-ipv6 -> $(SEC_CRIT) ;
  /etc/sysconfig/network-scripts/ifup-isdn -> $(SEC_CRIT) ;
  /etc/sysconfig/network-scripts/ifup-plip -> $(SEC_CRIT) ;
  /etc/sysconfig/network-scripts/ifup-plusb -> $(SEC_CRIT) ;
  /etc/sysconfig/network-scripts/ifup-post -> $(SEC_CRIT) ;
  /etc/sysconfig/network-scripts/ifup-ppp -> $(SEC_CRIT) ;
  /etc/sysconfig/network-scripts/ifup-routes -> $(SEC_CRIT) ;
  /etc/sysconfig/network-scripts/ifup-sit -> $(SEC_CRIT) ;
  /etc/sysconfig/network-scripts/ifup-sl -> $(SEC_CRIT) ;
  /etc/sysconfig/network-scripts/ifup-wireless -> $(SEC_CRIT) ;
  /etc/sysconfig/network-scripts/network-functions -> $(SEC_CRIT) ;
  /etc/sysconfig/network-scripts/network-functions-ipv6 -> $(SEC_CRIT) ;
  /bin/ping -> $(SEC_CRIT) ;
  /sbin/agetty -> $(SEC_CRIT) ;
  /sbin/arp -> $(SEC_CRIT) ;
  /sbin/arping -> $(SEC_CRIT) ;
  /sbin/dhcpcd -> $(SEC_CRIT) ;
  /sbin/ether-wake -> $(SEC_CRIT) ;
  #/sbin/getty -> $(SEC_CRIT) ;
  /sbin/ifcfg -> $(SEC_CRIT) ;
  /sbin/ifconfig -> $(SEC_CRIT) ;
  /sbin/ifdown -> $(SEC_CRIT) ;
  /sbin/ifenslave -> $(SEC_CRIT) ;
  /sbin/ifport -> $(SEC_CRIT) ;
  /sbin/ifup -> $(SEC_CRIT) ;
  /sbin/ifuser -> $(SEC_CRIT) ;
  /sbin/ip -> $(SEC_CRIT) ;
  # Packet-filter tools: a trojaned iptables/ipchains binary can silently
  # install a different ruleset than the one the admin asked for.
  /sbin/ip6tables -> $(SEC_CRIT) ;
  /sbin/ipchains -> $(SEC_CRIT) ;
  /sbin/ipchains-restore -> $(SEC_CRIT) ;
  /sbin/ipchains-save -> $(SEC_CRIT) ;
  /sbin/ipfwadm -> $(SEC_CRIT) ;
  /sbin/ipmaddr -> $(SEC_CRIT) ;
  /sbin/iptables -> $(SEC_CRIT) ;
  /sbin/iptables-restore -> $(SEC_CRIT) ;
  /sbin/iptables-save -> $(SEC_CRIT) ;
  /sbin/iptunnel -> $(SEC_CRIT) ;
  #/sbin/ipvsadm -> $(SEC_CRIT) ;
  #/sbin/ipvsadm-restore -> $(SEC_CRIT) ;
  #/sbin/ipvsadm-save -> $(SEC_CRIT) ;
  /sbin/ipx_configure -> $(SEC_CRIT) ;
  /sbin/ipx_interface -> $(SEC_CRIT) ;
  /sbin/ipx_internal_net -> $(SEC_CRIT) ;
  /sbin/iwconfig -> $(SEC_CRIT) ;
  /sbin/iwgetid -> $(SEC_CRIT) ;
  /sbin/iwlist -> $(SEC_CRIT) ;
  /sbin/iwpriv -> $(SEC_CRIT) ;
  /sbin/iwspy -> $(SEC_CRIT) ;
  /sbin/mgetty -> $(SEC_CRIT) ;
  /sbin/mingetty -> $(SEC_CRIT) ;
  /sbin/nameif -> $(SEC_CRIT) ;
  /sbin/netreport -> $(SEC_CRIT) ;
  /sbin/plipconfig -> $(SEC_CRIT) ;
  /sbin/portmap -> $(SEC_CRIT) ;
  /sbin/ppp-watch -> $(SEC_CRIT) ;
  #/sbin/rarp -> $(SEC_CRIT) ;
  /sbin/route -> $(SEC_CRIT) ;
  /sbin/slattach -> $(SEC_CRIT) ;
  /sbin/tc -> $(SEC_CRIT) ;
  #/sbin/uugetty -> $(SEC_CRIT) ;
  /sbin/vgetty -> $(SEC_CRIT) ;
  /sbin/ypbind -> $(SEC_CRIT) ;
}
416
417 ##################################
418 # ##
419################################## #
420# # #
421# System Administration Programs # #
422# ##
423##################################
424
# init/shutdown, service control and the PAM password-check helpers
# (unix_chkpwd, pwdb_chkpwd, pam_tally) -- the latter are run with elevated
# privilege on every authentication, so a content hash on them matters.
(
  rulename = "System Administration Programs",
  severity = $(SIG_HI)
)
{
  /sbin/chkconfig -> $(SEC_CRIT) ;
  /sbin/fuser -> $(SEC_CRIT) ;
  /sbin/halt -> $(SEC_CRIT) ;
  /sbin/init -> $(SEC_CRIT) ;
  /sbin/initlog -> $(SEC_CRIT) ;
  /sbin/install-info -> $(SEC_CRIT) ;
  /sbin/killall5 -> $(SEC_CRIT) ;
  #/sbin/linuxconf -> $(SEC_CRIT) ;
  #/sbin/linuxconf-auth -> $(SEC_CRIT) ;
  /sbin/pam_tally -> $(SEC_CRIT) ;
  /sbin/pwdb_chkpwd -> $(SEC_CRIT) ;
  #/sbin/remadmin -> $(SEC_CRIT) ;
  /sbin/rescuept -> $(SEC_CRIT) ;
  /sbin/rmt -> $(SEC_CRIT) ;
  /sbin/rpc.lockd -> $(SEC_CRIT) ;
  /sbin/rpc.statd -> $(SEC_CRIT) ;
  /sbin/rpcdebug -> $(SEC_CRIT) ;
  /sbin/service -> $(SEC_CRIT) ;
  /sbin/setsysfont -> $(SEC_CRIT) ;
  /sbin/shutdown -> $(SEC_CRIT) ;
  /sbin/sulogin -> $(SEC_CRIT) ;
  /sbin/swapon -> $(SEC_CRIT) ;
  /sbin/syslogd -> $(SEC_CRIT) ;
  /sbin/unix_chkpwd -> $(SEC_CRIT) ;
  /bin/pwd -> $(SEC_CRIT) ;
  /bin/uname -> $(SEC_CRIT) ;
}
457
458 ########################################
459 # ##
460######################################## #
461# # #
462# Hardware and Device Control Programs # #
463# ##
464########################################
# Device/bus configuration utilities.  Mostly of interest because they run as
# root from hotplug/pcmcia init paths; losetup and hotplug are the ones an
# attacker would most plausibly replace.
(
  rulename = "Hardware and Device Control Programs",
  severity = $(SIG_HI)
)
{
  /bin/setserial -> $(SEC_CRIT) ;
  /bin/sfxload -> $(SEC_CRIT) ;
  /sbin/blockdev -> $(SEC_CRIT) ;
  /sbin/cardctl -> $(SEC_CRIT) ;
  /sbin/cardmgr -> $(SEC_CRIT) ;
  /sbin/cbq -> $(SEC_CRIT) ;
  /sbin/dump_cis -> $(SEC_CRIT) ;
  /sbin/elvtune -> $(SEC_CRIT) ;
  /sbin/hotplug -> $(SEC_CRIT) ;
  /sbin/hwclock -> $(SEC_CRIT) ;
  /sbin/ide_info -> $(SEC_CRIT) ;
  #/sbin/isapnp -> $(SEC_CRIT) ;
  /sbin/kbdrate -> $(SEC_CRIT) ;
  /sbin/losetup -> $(SEC_CRIT) ;
  /sbin/lspci -> $(SEC_CRIT) ;
  /sbin/lspnp -> $(SEC_CRIT) ;
  /sbin/mii-tool -> $(SEC_CRIT) ;
  /sbin/pack_cis -> $(SEC_CRIT) ;
  #/sbin/pnpdump -> $(SEC_CRIT) ;
  /sbin/probe -> $(SEC_CRIT) ;
  /sbin/pump -> $(SEC_CRIT) ;
  /sbin/setpci -> $(SEC_CRIT) ;
  /sbin/shapecfg -> $(SEC_CRIT) ;
}
494
495 ###############################
496 # ##
497############################### #
498# # #
499# System Information Programs # #
500# ##
501###############################
# Small helpers called from the init scripts; low attack value on their own,
# but anything init runs as root is worth a hash.
(
  rulename = "System Information Programs",
  severity = $(SIG_HI)
)
{
  /sbin/consoletype -> $(SEC_CRIT) ;
  /sbin/kernelversion -> $(SEC_CRIT) ;
  /sbin/runlevel -> $(SEC_CRIT) ;
}
511
512 ####################################
513 # ##
514#################################### #
515# # #
516# Application Information Programs # #
517# ##
518####################################
519
# Kernel-build helpers.  Likely absent on a host without kernel sources;
# remove rather than keep generating missing-file errors.
(
  rulename = "Application Information Programs",
  severity = $(SIG_HI)
)
{
  /sbin/genksyms -> $(SEC_CRIT) ;
  #/sbin/genksyms.old -> $(SEC_CRIT) ;
  /sbin/rtmon -> $(SEC_CRIT) ;
}
529
530 ##########################
531 # ##
532########################## #
533# # #
534# Shell Related Programs # #
535# ##
536##########################
# Rescue/initrd shells.  nash and sash are what an attacker would reach for
# if the normal shells were locked down, so they get the full mask.
(
  rulename = "Shell Related Programs",
  severity = $(SIG_HI)
)
{
  /sbin/getkey -> $(SEC_CRIT) ;
  /sbin/nash -> $(SEC_CRIT) ;
  /sbin/sash -> $(SEC_CRIT) ;
}
546
547
548 ################
549 # ##
550################ #
551# # #
552# OS Utilities # #
553# ##
554################
# Core user-space utilities with the full $(SEC_CRIT) mask.  login, su, ps,
# netstat and ls are the classic rootkit replacement targets; the rest are
# here because they are used by scripts that run as root.
(
  rulename = "Operating System Utilities",
  severity = $(SIG_HI)
)
{
  /bin/arch -> $(SEC_CRIT) ;
  /bin/ash -> $(SEC_CRIT) ;
  /bin/ash.static -> $(SEC_CRIT) ;
  /bin/aumix-minimal -> $(SEC_CRIT) ;
  /bin/basename -> $(SEC_CRIT) ;
  /bin/cat -> $(SEC_CRIT) ;
  /bin/consolechars -> $(SEC_CRIT) ;
  /bin/cut -> $(SEC_CRIT) ;
  /bin/date -> $(SEC_CRIT) ;
  /bin/dd -> $(SEC_CRIT) ;
  /bin/df -> $(SEC_CRIT) ;
  /bin/dmesg -> $(SEC_CRIT) ;
  /bin/doexec -> $(SEC_CRIT) ;
  /bin/echo -> $(SEC_CRIT) ;
  /bin/ed -> $(SEC_CRIT) ;
  /bin/egrep -> $(SEC_CRIT) ;
  /bin/false -> $(SEC_CRIT) ;
  /bin/fgrep -> $(SEC_CRIT) ;
  /bin/gawk -> $(SEC_CRIT) ;
  /bin/gawk-3.1.0 -> $(SEC_CRIT) ;
  /bin/gettext -> $(SEC_CRIT) ;
  /bin/grep -> $(SEC_CRIT) ;
  /bin/gunzip -> $(SEC_CRIT) ;
  /bin/gzip -> $(SEC_CRIT) ;
  /bin/hostname -> $(SEC_CRIT) ;
  /bin/igawk -> $(SEC_CRIT) ;
  /bin/ipcalc -> $(SEC_CRIT) ;
  /bin/kill -> $(SEC_CRIT) ;
  /bin/ln -> $(SEC_CRIT) ;
  /bin/loadkeys -> $(SEC_CRIT) ;
  /bin/login -> $(SEC_CRIT) ;
  /bin/ls -> $(SEC_CRIT) ;
  /bin/mail -> $(SEC_CRIT) ;
  /bin/more -> $(SEC_CRIT) ;
  /bin/mt -> $(SEC_CRIT) ;
  /bin/mv -> $(SEC_CRIT) ;
  /bin/netstat -> $(SEC_CRIT) ;
  /bin/nice -> $(SEC_CRIT) ;
  /bin/pgawk -> $(SEC_CRIT) ;
  /bin/ps -> $(SEC_CRIT) ;
  /bin/rpm -> $(SEC_CRIT) ;
  /bin/sed -> $(SEC_CRIT) ;
  /bin/sleep -> $(SEC_CRIT) ;
  /bin/sort -> $(SEC_CRIT) ;
  /bin/stty -> $(SEC_CRIT) ;
  /bin/su -> $(SEC_CRIT) ;
  /bin/sync -> $(SEC_CRIT) ;
  /bin/tar -> $(SEC_CRIT) ;
  /bin/true -> $(SEC_CRIT) ;
  /bin/usleep -> $(SEC_CRIT) ;
  /bin/vi -> $(SEC_CRIT) ;
  /bin/zcat -> $(SEC_CRIT) ;
  /bin/zsh -> $(SEC_CRIT) ;
  #/bin/zsh-4.0.2 -> $(SEC_CRIT) ;
  /sbin/sln -> $(SEC_CRIT) ;
  /usr/bin/vimtutor -> $(SEC_CRIT) ;
}
617
618 ##############################
619 # ##
620############################## #
621# # #
622# Critical Utility Sym-Links # #
623# ##
624##############################
# Links to the utilities above.  A link is a cheap place to redirect a trusted
# name at an attacker's binary, hence the full mask.  Note the inconsistency
# with the "Shell Binaries" rule: /bin/bash2, /bin/bsh and /bin/csh are
# $(SEC_CRIT) here while /bin/bash and /bin/tcsh themselves are only
# $(SEC_BIN) there.
(
  rulename = "Critical Utility Sym-Links",
  severity = $(SIG_HI)
)
{
  #/sbin/askrunlevel -> $(SEC_CRIT) ;
  /sbin/clock -> $(SEC_CRIT) ;
  #/sbin/fixperm -> $(SEC_CRIT) ;
  /sbin/fsck.reiserfs -> $(SEC_CRIT) ;
  #/sbin/fsconf -> $(SEC_CRIT) ;
  /sbin/ipfwadm-wrapper -> $(SEC_CRIT) ;
  /sbin/kallsyms -> $(SEC_CRIT) ;
  /sbin/ksyms -> $(SEC_CRIT) ;
  /sbin/lsmod -> $(SEC_CRIT) ;
  #/sbin/mailconf -> $(SEC_CRIT) ;
  /sbin/mkfs.reiserfs -> $(SEC_CRIT) ;
  #/sbin/modemconf -> $(SEC_CRIT) ;
  /sbin/modprobe -> $(SEC_CRIT) ;
  /sbin/mount.ncp -> $(SEC_CRIT) ;
  /sbin/mount.ncpfs -> $(SEC_CRIT) ;
  /sbin/mount.smb -> $(SEC_CRIT) ;
  /sbin/mount.smbfs -> $(SEC_CRIT) ;
  #/sbin/netconf -> $(SEC_CRIT) ;
  /sbin/pidof -> $(SEC_CRIT) ;
  /sbin/poweroff -> $(SEC_CRIT) ;
  /sbin/quotaoff -> $(SEC_CRIT) ;
  /sbin/raid0run -> $(SEC_CRIT) ;
  /sbin/raidhotadd -> $(SEC_CRIT) ;
  /sbin/raidhotgenerateerror -> $(SEC_CRIT) ;
  /sbin/raidhotremove -> $(SEC_CRIT) ;
  /sbin/raidstop -> $(SEC_CRIT) ;
  /sbin/rdump -> $(SEC_CRIT) ;
  /sbin/rdump.static -> $(SEC_CRIT) ;
  /sbin/reboot -> $(SEC_CRIT) ;
  /sbin/rmmod -> $(SEC_CRIT) ;
  /sbin/rrestore -> $(SEC_CRIT) ;
  /sbin/rrestore.static -> $(SEC_CRIT) ;
  /sbin/swapoff -> $(SEC_CRIT) ;
  /sbin/telinit -> $(SEC_CRIT) ;
  #/sbin/userconf -> $(SEC_CRIT) ;
  #/sbin/uucpconf -> $(SEC_CRIT) ;
  #/sbin/vregistry -> $(SEC_CRIT) ;
  /bin/awk -> $(SEC_CRIT) ;
  /bin/bash2 -> $(SEC_CRIT) ;
  /bin/bsh -> $(SEC_CRIT) ;
  /bin/csh -> $(SEC_CRIT) ;
  /bin/dnsdomainname -> $(SEC_CRIT) ;
  /bin/domainname -> $(SEC_CRIT) ;
  /bin/ex -> $(SEC_CRIT) ;
  /bin/gtar -> $(SEC_CRIT) ;
  /bin/nisdomainname -> $(SEC_CRIT) ;
  /bin/red -> $(SEC_CRIT) ;
  /bin/rvi -> $(SEC_CRIT) ;
  /bin/rview -> $(SEC_CRIT) ;
  /bin/view -> $(SEC_CRIT) ;
  /bin/ypdomainname -> $(SEC_CRIT) ;
}
682
683
684 #########################
685 # ##
686######################### #
687# # #
688# Temporary directories # #
689# ##
690#########################
# World-writable scratch directories.  recurse = false checks only the
# directory inode itself: type, permissions, owner and group.  Since the
# permission bits include the sticky bit, losing it on /tmp (which would let
# users delete each other's files) is reported.  Contents are deliberately
# not scanned.  /usr/tmp may not exist on newer layouts; drop it if so.
(
  rulename = "Temporary directories",
  recurse = false,
  severity = $(SIG_LOW)
)
{
  /usr/tmp -> $(SEC_INVARIANT) ;
  /var/tmp -> $(SEC_INVARIANT) ;
  /tmp -> $(SEC_INVARIANT) ;
}
701
702 ###############
703 # ##
704############### #
705# # #
706# Local files # #
707# ##
708###############
# Catch-all for executables not individually listed.  recurse = 1 covers the
# directory and its direct children only; deeper subdirectories are not
# scanned.  Objects that a more specific rule names (most of /sbin above, and
# the tripwire binaries in /usr/sbin) take that rule's mask instead.
# $(SEC_BIN) is $(ReadOnly): CRC32/MD5 content hashes only.
(
  rulename = "User binaries",
  severity = $(SIG_MED)
)
{
  /sbin -> $(SEC_BIN) (recurse = 1) ;
  /usr/bin -> $(SEC_BIN) (recurse = 1) ;
  /usr/sbin -> $(SEC_BIN) (recurse = 1) ;
  /usr/local/bin -> $(SEC_BIN) (recurse = 1) ;
}
719
# Login shells.  These use $(SEC_BIN) rather than $(SEC_CRIT), so unlike the
# utilities above they are checked without the ctime/device properties and
# with CRC32/MD5 only.  The disabled /bin/shell entry is the only reference
# to $(SEC_SUID) in this file; no active rule uses that mask.
(
  rulename = "Shell Binaries",
  severity = $(SIG_HI)
)
{
  /bin/bash -> $(SEC_BIN) ;
  /bin/ksh -> $(SEC_BIN) ;
  # /bin/psh -> $(SEC_BIN) ; # No longer used?
  # /bin/Rsh -> $(SEC_BIN) ; # No longer used?
  /bin/sh -> $(SEC_BIN) ;
  # /bin/shell -> $(SEC_SUID) ; # No longer used?
  # /bin/tsh -> $(SEC_BIN) ; # No longer used?
  /bin/tcsh -> $(SEC_BIN) ;
  /sbin/nologin -> $(SEC_BIN) ;
}
735
(
  rulename = "Security Control",
  severity = $(SIG_HI)
)
{
  # Only group membership and /etc/security are covered by this rule.  The
  # other identity and authorization files -- /etc/passwd, /etc/shadow,
  # /etc/gshadow, /etc/sudoers, /etc/pam.d, /etc/ssh -- are not listed here.
  # The "Critical configuration files" rule later in this file may carry some
  # of them; confirm every one is named somewhere with a mask that hashes
  # content ($(SEC_BIN) or $(SEC_CRIT)), never $(SEC_CONFIG).
  # /etc/group changes with legitimate group administration; expect to run a
  # database update after such changes rather than loosening the mask.
  /etc/group -> $(SEC_CRIT) ;
  /etc/security -> $(SEC_CRIT) ;
  #/var/spool/cron/crontabs -> $(SEC_CRIT) ; # Uncomment when this file exists
}
745
746#(
747# rulename = "Boot Scripts",
748# severity = $(SIG_HI)
749#)
750#{
751# /etc/rc -> $(SEC_CONFIG) ;
752# /etc/rc.bsdnet -> $(SEC_CONFIG) ;
753# /etc/rc.dt -> $(SEC_CONFIG) ;
754# /etc/rc.net -> $(SEC_CONFIG) ;
755# /etc/rc.net.serial -> $(SEC_CONFIG) ;
756# /etc/rc.nfs -> $(SEC_CONFIG) ;
757# /etc/rc.powerfail -> $(SEC_CONFIG) ;
758# /etc/rc.tcpip -> $(SEC_CONFIG) ;
759# /etc/trcfmt.Z -> $(SEC_CONFIG) ;
760#}
761
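(
  rulename = "Login Scripts",
  severity = $(SIG_HI)
)
{
  # These files are sourced by every interactive login, including root's, so
  # an edited /etc/profile is precisely the change this rule must catch.
  # The original mask, $(SEC_CONFIG) ($(Dynamic)), carries no content hash
  # and would let such an edit pass as long as ownership and permissions were
  # unchanged -- at odds with the SIG_HI severity.  $(SEC_BIN) is the mask the
  # "Critical configuration files" rule already uses for /etc/crontab,
  # /etc/fstab and friends, and it hashes the content.  A legitimate admin
  # edit now produces a violation that is cleared with a database update.
  /etc/bashrc -> $(SEC_BIN) ;
  /etc/csh.cshrc -> $(SEC_BIN) ;
  /etc/csh.login -> $(SEC_BIN) ;
  /etc/inputrc -> $(SEC_BIN) ;
  # /etc/tsh_profile -> $(SEC_BIN) ; #Uncomment when this file exists
  /etc/profile -> $(SEC_BIN) ;
}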
774
# Libraries
# Recursive scan of the shared-library trees with $(SEC_BIN) (CRC32/MD5
# content hashes).  Shared libraries are a favourite place to hide a
# user-space rootkit, so consider SHA here if scan time allows.  /lib itself
# is not part of this rule; its modules subtree is covered below under
# "System boot changes" with a mask that does not hash content.
# /usr/local/lib may not exist on the target and would then produce a
# missing-file error.
(
  rulename = "Libraries",
  severity = $(SIG_MED)
)
{
  /usr/lib -> $(SEC_BIN) ;
  /usr/local/lib -> $(SEC_BIN) ;
}
784
785
786 ######################################################
787 # ##
788###################################################### #
789# # #
790# Critical System Boot Files # #
791# These files are critical to a correct system boot. # #
792# ##
793######################################################
794
(
  rulename = "Critical system boot files",
  severity = $(SIG_HI)
)
{
  # /boot is scanned recursively with the full mask; a kernel upgrade is
  # expected to trigger this rule and must be followed by a database update.
  /boot -> $(SEC_CRIT) ;
  #/sbin/devfsd -> $(SEC_CRIT) ;
  /sbin/grub -> $(SEC_CRIT) ;
  /sbin/grub-install -> $(SEC_CRIT) ;
  /sbin/grub-md5-crypt -> $(SEC_CRIT) ;
  /sbin/installkernel -> $(SEC_CRIT) ;
  /sbin/lilo -> $(SEC_CRIT) ;
  /sbin/mkkerneldoth -> $(SEC_CRIT) ;
  # "!" is a stop point: these two objects are excluded from the /boot scan
  # entirely, not just from hashing, because they are regenerated per kernel.
  # A tampered System.map is therefore invisible to this policy.
  !/boot/System.map ;
  !/boot/module-info ;
  # GRUB stage images as installed on disk.  The copy actually embedded in
  # the MBR / boot sector is not a file and cannot be checked by Tripwire;
  # boot-sector integrity needs a separate control (e.g. dd + hash, or
  # measured boot).
  /usr/share/grub/i386-redhat/e2fs_stage1_5 -> $(SEC_CRIT) ;
  /usr/share/grub/i386-redhat/fat_stage1_5 -> $(SEC_CRIT) ;
  /usr/share/grub/i386-redhat/ffs_stage1_5 -> $(SEC_CRIT) ;
  /usr/share/grub/i386-redhat/minix_stage1_5 -> $(SEC_CRIT) ;
  /usr/share/grub/i386-redhat/reiserfs_stage1_5 -> $(SEC_CRIT) ;
  /usr/share/grub/i386-redhat/stage1 -> $(SEC_CRIT) ;
  /usr/share/grub/i386-redhat/stage2 -> $(SEC_CRIT) ;
  /usr/share/grub/i386-redhat/vstafs_stage1_5 -> $(SEC_CRIT) ;
  # other boot files may exist. Look for:
  #/ufsboot -> $(SEC_CRIT) ;
}
821 ##################################################
822 ###################################################
823 # These files change every time the system boots ##
824 ##################################################
(
  rulename = "System boot changes",
  severity = $(SIG_HI)
)
{
  # Everything here uses $(SEC_CONFIG) ($(Dynamic)): type, permissions, owner
  # and group only, no size or content hash.  That is the right trade-off for
  # device nodes and lock files, but see the notes on /var/log and
  # /lib/modules below.  "!" entries are stop points -- excluded outright.
  !/var/run/ftp.pids-all ; # Comes and goes on reboot.
  !/root/.enlightenment ;
  /dev/log -> $(SEC_CONFIG) ;
  /dev/cua0 -> $(SEC_CONFIG) ;
  # /dev/printer -> $(SEC_CONFIG) ; # Uncomment if you have a printer device
  /dev/console -> $(SEC_CONFIG) -u ; # User ID may change on console login/logout.
  /dev/tty1 -> $(SEC_CONFIG) ; # tty devices
  /dev/tty2 -> $(SEC_CONFIG) ; # tty devices
  /dev/tty3 -> $(SEC_CONFIG) ; # are extremely
  /dev/tty4 -> $(SEC_CONFIG) ; # variable
  /dev/tty5 -> $(SEC_CONFIG) ;
  /dev/tty6 -> $(SEC_CONFIG) ;
  /dev/urandom -> $(SEC_CONFIG) ;
  /dev/initctl -> $(SEC_CONFIG) ;
  # Per-service lock files.  Each active entry must exist on the target or it
  # produces a missing-file error at every check; enable exactly the set of
  # services the host runs.
  /var/lock/subsys -> $(SEC_CONFIG) ;
  #/var/lock/subsys/amd -> $(SEC_CONFIG) ;
  /var/lock/subsys/anacron -> $(SEC_CONFIG) ;
  /var/lock/subsys/apmd -> $(SEC_CONFIG) ;
  #/var/lock/subsys/arpwatch -> $(SEC_CONFIG) ;
  /var/lock/subsys/atd -> $(SEC_CONFIG) ;
  /var/lock/subsys/autofs -> $(SEC_CONFIG) ;
  #/var/lock/subsys/bcm5820 -> $(SEC_CONFIG) ;
  #/var/lock/subsys/bgpd -> $(SEC_CONFIG) ;
  #/var/lock/subsys/bootparamd -> $(SEC_CONFIG) ;
  #/var/lock/subsys/canna -> $(SEC_CONFIG) ;
  /var/lock/subsys/crond -> $(SEC_CONFIG) ;
  #/var/lock/subsys/cWnn -> $(SEC_CONFIG) ;
  #/var/lock/subsys/dhcpd -> $(SEC_CONFIG) ;
  #/var/lock/subsys/firewall -> $(SEC_CONFIG) ;
  #/var/lock/subsys/freeWnn -> $(SEC_CONFIG) ;
  #/var/lock/subsys/gated -> $(SEC_CONFIG) ;
  /var/lock/subsys/gpm -> $(SEC_CONFIG) ;
  #/var/lock/subsys/httpd -> $(SEC_CONFIG) ;
  #/var/lock/subsys/identd -> $(SEC_CONFIG) ;
  #/var/lock/subsys/innd -> $(SEC_CONFIG) ;
  /var/lock/subsys/ipchains -> $(SEC_CONFIG) ;
  #/var/lock/subsys/iptables -> $(SEC_CONFIG) ;
  #/var/lock/subsys/ipvsadm -> $(SEC_CONFIG) ;
  #/var/lock/subsys/irda -> $(SEC_CONFIG) ;
  #/var/lock/subsys/iscsi -> $(SEC_CONFIG) ;
  #/var/lock/subsys/isdn -> $(SEC_CONFIG) ;
  #/var/lock/subsys/junkbuster -> $(SEC_CONFIG) ;
  #/var/lock/subsys/kadmin -> $(SEC_CONFIG) ;
  /var/lock/subsys/keytable -> $(SEC_CONFIG) ;
  #/var/lock/subsys/kprop -> $(SEC_CONFIG) ;
  #/var/lock/subsys/krb524 -> $(SEC_CONFIG) ;
  #/var/lock/subsys/krb5kdc -> $(SEC_CONFIG) ;
  /var/lock/subsys/kudzu -> $(SEC_CONFIG) ;
  #/var/lock/subsys/kWnn -> $(SEC_CONFIG) ;
  #/var/lock/subsys/ldap -> $(SEC_CONFIG) ;
  #/var/lock/subsys/linuxconf -> $(SEC_CONFIG) ;
  #/var/lock/subsys/lpd -> $(SEC_CONFIG) ;
  #/var/lock/subsys/mars_nwe -> $(SEC_CONFIG) ;
  #/var/lock/subsys/mcserv -> $(SEC_CONFIG) ;
  #/var/lock/subsys/mysqld -> $(SEC_CONFIG) ;
  #/var/lock/subsys/named -> $(SEC_CONFIG) ;
  /var/lock/subsys/netfs -> $(SEC_CONFIG) ;
  /var/lock/subsys/network -> $(SEC_CONFIG) ;
  #/var/lock/subsys/nfs -> $(SEC_CONFIG) ;
  /var/lock/subsys/nfslock -> $(SEC_CONFIG) ;
  #/var/lock/subsys/nscd -> $(SEC_CONFIG) ;
  #/var/lock/subsys/ntpd -> $(SEC_CONFIG) ;
  #/var/lock/subsys/ospf6d -> $(SEC_CONFIG) ;
  #/var/lock/subsys/ospfd -> $(SEC_CONFIG) ;
  /var/lock/subsys/pcmcia -> $(SEC_CONFIG) ;
  /var/lock/subsys/portmap -> $(SEC_CONFIG) ;
  #/var/lock/subsys/postgresql -> $(SEC_CONFIG) ;
  #/var/lock/subsys/pxe -> $(SEC_CONFIG) ;
  #/var/lock/subsys/radvd -> $(SEC_CONFIG) ;
  /var/lock/subsys/random -> $(SEC_CONFIG) ;
  #/var/lock/subsys/rarpd -> $(SEC_CONFIG) ;
  /var/lock/subsys/reconfig -> $(SEC_CONFIG) ;
  /var/lock/subsys/rhnsd -> $(SEC_CONFIG) ;
  #/var/lock/subsys/ripd -> $(SEC_CONFIG) ;
  #/var/lock/subsys/ripngd -> $(SEC_CONFIG) ;
  #/var/lock/subsys/routed -> $(SEC_CONFIG) ;
  #/var/lock/subsys/rstatd -> $(SEC_CONFIG) ;
  #/var/lock/subsys/rusersd -> $(SEC_CONFIG) ;
  #/var/lock/subsys/rwalld -> $(SEC_CONFIG) ;
  #/var/lock/subsys/rwhod -> $(SEC_CONFIG) ;
  /var/lock/subsys/sendmail -> $(SEC_CONFIG) ;
  #/var/lock/subsys/smb -> $(SEC_CONFIG) ;
  #/var/lock/subsys/snmpd -> $(SEC_CONFIG) ;
  #/var/lock/subsys/squid -> $(SEC_CONFIG) ;
  /var/lock/subsys/sshd -> $(SEC_CONFIG) ;
  /var/lock/subsys/syslog -> $(SEC_CONFIG) ;
  #/var/lock/subsys/tux -> $(SEC_CONFIG) ;
  #/var/lock/subsys/tWnn -> $(SEC_CONFIG) ;
  #/var/lock/subsys/ups -> $(SEC_CONFIG) ;
  #/var/lock/subsys/vncserver -> $(SEC_CONFIG) ;
  #/var/lock/subsys/wine -> $(SEC_CONFIG) ;
  /var/lock/subsys/xfs -> $(SEC_CONFIG) ;
  /var/lock/subsys/xinetd -> $(SEC_CONFIG) ;
  /var/lock/subsys/ypbind -> $(SEC_CONFIG) ;
  #/var/lock/subsys/yppasswdd -> $(SEC_CONFIG) ;
  #/var/lock/subsys/ypserv -> $(SEC_CONFIG) ;
  #/var/lock/subsys/ypxfrd -> $(SEC_CONFIG) ;
  #/var/lock/subsys/zebra -> $(SEC_CONFIG) ;
  /var/run -> $(SEC_CONFIG) ;
  # NOTE(review): /var/log under $(Dynamic) means a truncated or edited log
  # (the first thing an intruder does) is not reported; only ownership,
  # permissions and added/removed files are.  $(SEC_LOG) ($(Growing)) is
  # defined at the top of this file for exactly this purpose but is not used
  # anywhere.  Applying it to the individual log files (not the directory,
  # which rotation churns) would flag a log that shrinks.
  /var/log -> $(SEC_CONFIG) ;
  /etc/ioctl.save -> $(SEC_CONFIG) ;
  /etc/issue.net -> $(SEC_CONFIG) -i ; # Inode number changes
  /etc/issue -> $(SEC_CONFIG) ;
  /etc/mtab -> $(SEC_CONFIG) -i ; # Inode number changes on any mount/unmount
  # NOTE(review): kernel modules with $(Dynamic) are not content-hashed.  A
  # new file dropped into /lib/modules is reported as an addition, but an
  # existing module overwritten in place with the same owner/perms is not.
  # Modules only change on a kernel/package update, so $(SEC_BIN) here and a
  # database update after each kernel upgrade would be the safer setting.
  /lib/modules -> $(SEC_CONFIG) ;
  /etc/.pwd.lock -> $(SEC_CONFIG) ;
  # /lib/modules/preferred -> $(SEC_CONFIG) ; #Uncomment when this file exists
}
938
939# These files change the behavior of the root account
# Login environment of the root account. /root itself carries $(SEC_CRIT); the
# more specific entries below appear to narrow the check for individual objects
# to $(SEC_CONFIG) (both masks are defined earlier in this file, outside this
# section — confirm their property lists there).
# NOTE(review): severity is a literal 100 here while the sibling rules use
# $(SIG_HI); confirm SIG_HI is 100 and prefer the symbol so a later retuning
# of the severity levels keeps this rule in step.
940(
 941 rulename = "Root config files",
 942 severity = 100
943)
944{
 945 /root -> $(SEC_CRIT) ; # Catch all additions to /root
 946 #/root/.Xresources -> $(SEC_CONFIG) ;
 947 /root/.bashrc -> $(SEC_CONFIG) ; # shell start-up files (.bashrc .. .tcshrc) run at every root login; a classic persistence point, review any change
 948 /root/.bash_profile -> $(SEC_CONFIG) ;
 949 /root/.bash_logout -> $(SEC_CONFIG) ;
 950 /root/.cshrc -> $(SEC_CONFIG) ;
 951 /root/.tcshrc -> $(SEC_CONFIG) ;
 952 /root/Mail -> $(SEC_CONFIG) ;
 953 #/root/mail -> $(SEC_CONFIG) ;
 954 #/root/.amandahosts -> $(SEC_CONFIG) ;
 955 #/root/.addressbook.lu -> $(SEC_CONFIG) ;
 956 #/root/.addressbook -> $(SEC_CONFIG) ;
 957 /root/.bash_history -> $(SEC_CONFIG) ; # presumably $(SEC_CONFIG) does not track content, so routine history writes stay quiet — confirm the mask
 958 /root/.elm -> $(SEC_CONFIG) ;
 959 #/root/.esd_auth -> $(SEC_CONFIG) ;
 960 /root/.gnome_private -> $(SEC_CONFIG) ;
 961 /root/.gnome-desktop -> $(SEC_CONFIG) ;
 962 /root/.gnome -> $(SEC_CONFIG) ;
 963 /root/.ICEauthority -> $(SEC_CONFIG) ; # session auth cookie; NOTE(review): if it reports inode churn on login, treat it like .Xauthority below
 964 #/root/.mc -> $(SEC_CONFIG) ;
 965 #/root/.pinerc -> $(SEC_CONFIG) ;
 966 /root/.sawfish -> $(SEC_CONFIG) ;
 967 /root/.Xauthority -> $(SEC_CONFIG) -i ; # Changes Inode number on login
 968 #/root/.xauth -> $(SEC_CONFIG) ;
 969 /root/.xsession-errors -> $(SEC_CONFIG) ;
970}
971
972 ################################
973 # ##
974################################ #
975# # #
976# Critical configuration files # #
977# ##
978################################
# Scheduling, boot, mount/export, access-control and name-resolution
# configuration. $(SEC_BIN) is applied where content is expected to stay static
# ("changes should be infrequent"), $(SEC_CONFIG) where some churn is normal;
# both masks are defined earlier in this file, outside this section.
# NOTE(review): the backup /etc/group- is listed but the live /etc/group is not,
# and /etc/shadow and /etc/gshadow do not appear in this rule — confirm another
# rule in this file covers them before relying on this one.
979(
 980 rulename = "Critical configuration files",
 981 severity = $(SIG_HI)
982)
983{
 984 #/etc/conf.linuxconf -> $(SEC_BIN) ;
 985 /etc/crontab -> $(SEC_BIN) ; # root-run scheduled jobs (also the cron.* dirs below); a common persistence location, review any change
 986 /etc/cron.hourly -> $(SEC_BIN) ;
 987 /etc/cron.daily -> $(SEC_BIN) ;
 988 /etc/cron.weekly -> $(SEC_BIN) ;
 989 /etc/cron.monthly -> $(SEC_BIN) ;
 990 /etc/default -> $(SEC_BIN) ;
 991 /etc/fstab -> $(SEC_BIN) ; # mount table, including nosuid/noexec style options
 992 /etc/exports -> $(SEC_BIN) ; # NFS export list
 993 /etc/group- -> $(SEC_BIN) ; # changes should be infrequent
 994 /etc/host.conf -> $(SEC_BIN) ;
 995 /etc/hosts.allow -> $(SEC_BIN) ; # tcp_wrappers access control (with hosts.deny)
 996 /etc/hosts.deny -> $(SEC_BIN) ;
 997 /etc/httpd/conf -> $(SEC_BIN) ; # changes should be infrequent
 998 /etc/protocols -> $(SEC_BIN) ;
 999 /etc/services -> $(SEC_BIN) ;
 1000 /etc/rc.d/init.d -> $(SEC_BIN) ; # also inside /etc/rc.d below with the same mask — redundant but harmless
 1001 /etc/rc.d -> $(SEC_BIN) ; # boot-time scripts
 1002 /etc/mail.rc -> $(SEC_BIN) ;
 1003 /etc/modules.conf -> $(SEC_BIN) ; # kernel module load configuration
 1004 /etc/motd -> $(SEC_BIN) ;
 1005 /etc/named.conf -> $(SEC_BIN) ;
 1006 /etc/passwd -> $(SEC_CONFIG) ; # account list; see the note above this rule about shadow/group coverage
 1007 /etc/passwd- -> $(SEC_CONFIG) ;
 1008 /etc/profile.d -> $(SEC_BIN) ; # login-time scripts for every shell user
 1009 /var/lib/nfs/rmtab -> $(SEC_BIN) ; # NOTE(review): rewritten by rpc.mountd as NFS clients mount/unmount; $(SEC_BIN) may be noisy here — confirm
 1010 /usr/sbin/fixrmtab -> $(SEC_BIN) ;
 1011 /etc/rpc -> $(SEC_BIN) ;
 1012 /etc/sysconfig -> $(SEC_BIN) ;
 1013 /etc/samba/smb.conf -> $(SEC_CONFIG) ;
 1014 #/etc/gettydefs -> $(SEC_BIN) ;
 1015 /etc/nsswitch.conf -> $(SEC_BIN) ; # name-service lookup order
 1016 /etc/yp.conf -> $(SEC_BIN) ;
 1017 /etc/hosts -> $(SEC_CONFIG) ; # name resolution (with resolv.conf); tampering here redirects traffic silently
 1018 /etc/xinetd.conf -> $(SEC_CONFIG) ; # network super-server configuration
 1019 /etc/inittab -> $(SEC_CONFIG) ; # run levels and respawned processes
 1020 /etc/resolv.conf -> $(SEC_CONFIG) ;
 1021 /etc/syslog.conf -> $(SEC_CONFIG) ; # logging configuration; a change here can silence detection
1022}
1023
1024 ####################
1025 # ##
1026#################### #
1027# # #
1028# Critical devices # #
1029# ##
1030####################
# Memory device nodes and kernel state exported through /proc. recurse = false
# keeps the directory entries (/proc/net, /proc/sys) as single objects instead
# of walking their constantly changing contents. $(Device) is defined earlier in
# this file; presumably it avoids content hashing, which matters for /dev/mem
# and /proc/kcore — confirm the mask there.
1031(
 1032 rulename = "Critical devices",
 1033 severity = $(SIG_HI),
 1034 recurse = false
1035)
1036{
 1037 /dev/kmem -> $(Device) ; # raw kernel memory; a mode or ownership change here is a privilege-escalation red flag
 1038 /dev/mem -> $(Device) ; # raw physical memory; same concern as /dev/kmem
 1039 /dev/null -> $(Device) ;
 1040 /dev/zero -> $(Device) ;
 1041 /proc/devices -> $(Device) ;
 1042 /proc/net -> $(Device) ; # directory object only (recurse = false)
 1043 /proc/sys -> $(Device) ; # sysctl tree, directory object only (recurse = false)
 1044 /proc/cpuinfo -> $(Device) ;
 1045 /proc/modules -> $(Device) ; # loaded kernel modules
 1046 /proc/mounts -> $(Device) ;
 1047 /proc/dma -> $(Device) ;
 1048 /proc/filesystems -> $(Device) ;
 1049 /proc/pci -> $(Device) ;
 1050 /proc/interrupts -> $(Device) ;
 1051 /proc/driver/rtc -> $(Device) ;
 1052 /proc/ioports -> $(Device) ;
 1053 #/proc/scsi -> $(Device) ;
 1054 /proc/kcore -> $(Device) ; # kernel core image; see the $(Device) note above this rule
 1055 /proc/self -> $(Device) ; # NOTE(review): resolves to whichever process reads it; confirm the $(Device) mask makes this check meaningful
 1056 /proc/kmsg -> $(Device) ;
 1057 /proc/stat -> $(Device) ;
 1058 /proc/ksyms -> $(Device) ; # exported kernel symbols
 1059 /proc/loadavg -> $(Device) ;
 1060 /proc/uptime -> $(Device) ;
 1061 /proc/locks -> $(Device) ;
 1062 /proc/version -> $(Device) ;
 1063 /proc/mdstat -> $(Device) ;
 1064 /proc/meminfo -> $(Device) ;
 1065 /proc/cmdline -> $(Device) ; # kernel boot parameters
 1066 /proc/misc -> $(Device) ;
1067}
1068
1069# Rest of critical system binaries
# /bin and /lib are walked recursively (this rule sets no recurse = false).
# "Rest of" in the heading implies /sbin, /usr/bin, /usr/lib and friends are
# covered by rules earlier in this file — confirm that before relying on this
# rule alone for binary integrity.
1070(
 1071 rulename = "OS executables and libraries",
 1072 severity = $(SIG_HI)
1073)
1074{
 1075 /bin -> $(SEC_BIN) ;
 1076 /lib -> $(SEC_BIN) ; # shared libraries; a modified libc affects every process, so treat hits here as high priority
1077}
1078
1079#=============================================================================
1080#
1081# Copyright 2000 Tripwire, Inc. Tripwire is a registered trademark of Tripwire,
1082# Inc. in the United States and other countries. All rights reserved.
1083#
1084# Linux is a registered trademark of Linus Torvalds.
1085#
1086# UNIX is a registered trademark of The Open Group.
1087#
1088#=============================================================================
1089#
1090# Permission is granted to make and distribute verbatim copies of this document
1091# provided the copyright notice and this permission notice are preserved on all
1092# copies.
1093#
1094# Permission is granted to copy and distribute modified versions of this
1095# document under the conditions for verbatim copying, provided that the entire
1096# resulting derived work is distributed under the terms of a permission notice
1097# identical to this one.
1098#
1099# Permission is granted to copy and distribute translations of this document
1100# into another language, under the above conditions for modified versions,
1101# except that this permission notice may be stated in a translation approved by
1102# Tripwire, Inc.
1103#
1104# DCM
1105#
1106# $Id: twpol-GENERIC.txt,v 1.1 2003/06/08 02:00:06 pherman Exp $
1107#