Richard Marian Thomaiyar | 14fddef | 2018-07-13 23:55:56 +0530 | [diff] [blame^] | 1 | ############################################################################## |
| 2 | # ## |
| 3 | ############################################################################## # |
| 4 | # # # |
| 5 | # Generic Policy file # # |
| 6 | # V1.2.0rh # # |
| 7 | # August 9, 2001 # # |
| 8 | # ## |
| 9 | ############################################################################## |
| 10 | |
| 11 | |
| 12 | ############################################################################## |
| 13 | # ## |
| 14 | ############################################################################## # |
| 15 | # # # |
| 16 | # This is the example Tripwire Policy file. It is intended as a place to # # |
| 17 | # start creating your own custom Tripwire Policy file. Referring to it as # # |
| 18 | # well as the Tripwire Policy Guide should give you enough information to # # |
| 19 | # make a good custom Tripwire Policy file that better covers your # # |
| 20 | # configuration and security needs. A text version of this policy file is # # |
| 21 | # called twpol.txt. # # |
| 22 | # # # |
| 23 | # Note that this file is tuned to an 'everything' install of Red Hat Linux. # # |
| 24 | # If run unmodified, this file should create no errors on database # # |
| 25 | # creation, or violations on a subsiquent integrity check. However, it is # # |
| 26 | # impossible for there to be one policy file for all machines, so this # # |
| 27 | # existing one errs on the side of security. Your Linux configuration will # # |
| 28 | # most likey differ from the one our policy file was tuned to, and will # # |
| 29 | # therefore require some editing of the default Tripwire Policy file. # # |
| 30 | # # # |
| 31 | # The example policy file is best run with 'Loose Directory Checking' # # |
| 32 | # enabled. Set LOOSEDIRECTORYCHECKING=TRUE in the Tripwire Configuration # # |
| 33 | # file. # # |
| 34 | # # # |
| 35 | # Email support is not included and must be added to this file. # # |
| 36 | # Add the 'emailto=' to the rule directive section of each rule (add a comma # # |
| 37 | # after the 'severity=' line and add an 'emailto=' and include the email # # |
| 38 | # addresses you want the violation reports to go to). Addresses are # # |
| 39 | # semi-colon delimited. # # |
| 40 | # ## |
| 41 | ############################################################################## |
| 42 | |
| 43 | |
| 44 | |
| 45 | ############################################################################## |
| 46 | # ## |
| 47 | ############################################################################## # |
| 48 | # # # |
| 49 | # Global Variable Definitions # # |
| 50 | # # # |
| 51 | # These are defined at install time by the installation script. You may # # |
| 52 | # Manually edit these if you are using this file directly and not from the # # |
| 53 | # installation script itself. # # |
| 54 | # ## |
| 55 | ############################################################################## |
| 56 | |
| 57 | @@section GLOBAL |
| 58 | TWROOT=/usr/sbin; |
| 59 | TWBIN=/usr/sbin; |
| 60 | TWPOL="/etc/tripwire"; |
| 61 | TWDB="/var/lib/tripwire"; |
| 62 | TWSKEY="/etc/tripwire"; |
| 63 | TWLKEY="/etc/tripwire"; |
| 64 | TWREPORT="/var/lib/tripwire/report"; |
| 65 | HOSTNAME=localhost; |
| 66 | |
| 67 | @@section FS |
| 68 | SEC_CRIT = $(IgnoreNone)-SHa ; # Critical files that cannot change |
| 69 | SEC_SUID = $(IgnoreNone)-SHa ; # Binaries with the SUID or SGID flags set |
| 70 | SEC_BIN = $(ReadOnly) ; # Binaries that should not change |
| 71 | SEC_CONFIG = $(Dynamic) ; # Config files that are changed infrequently but accessed often |
| 72 | SEC_LOG = $(Growing) ; # Files that grow, but that should never change ownership |
| 73 | SEC_INVARIANT = +tpug ; # Directories that should never change permission or ownership |
| 74 | SIG_LOW = 33 ; # Non-critical files that are of minimal security impact |
| 75 | SIG_MED = 66 ; # Non-critical files that are of significant security impact |
| 76 | SIG_HI = 100 ; # Critical files that are significant points of vulnerability |
| 77 | |
| 78 | |
| 79 | # Tripwire Binaries |
| 80 | ( |
| 81 | rulename = "Tripwire Binaries", |
| 82 | severity = $(SIG_HI) |
| 83 | ) |
| 84 | { |
| 85 | $(TWBIN)/siggen -> $(SEC_BIN) ; |
| 86 | $(TWBIN)/tripwire -> $(SEC_BIN) ; |
| 87 | $(TWBIN)/twadmin -> $(SEC_BIN) ; |
| 88 | $(TWBIN)/twprint -> $(SEC_BIN) ; |
| 89 | } |
| 90 | |
| 91 | # Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases |
| 92 | ( |
| 93 | rulename = "Tripwire Data Files", |
| 94 | severity = $(SIG_HI) |
| 95 | ) |
| 96 | { |
| 97 | # NOTE: We remove the inode attribute because when Tripwire creates a backup, |
| 98 | # it does so by renaming the old file and creating a new one (which will |
| 99 | # have a new inode number). Inode is left turned on for keys, which shouldn't |
| 100 | # ever change. |
| 101 | |
| 102 | # NOTE: The first integrity check triggers this rule and each integrity check |
| 103 | # afterward triggers this rule until a database update is run, since the |
| 104 | # database file does not exist before that point. |
| 105 | |
| 106 | $(TWDB) -> $(SEC_CONFIG) -i ; |
| 107 | $(TWPOL)/tw.pol -> $(SEC_BIN) -i ; |
| 108 | $(TWPOL)/tw.cfg -> $(SEC_BIN) -i ; |
| 109 | $(TWLKEY)/$(HOSTNAME)-local.key -> $(SEC_BIN) ; |
| 110 | $(TWSKEY)/site.key -> $(SEC_BIN) ; |
| 111 | |
| 112 | #don't scan the individual reports |
| 113 | $(TWREPORT) -> $(SEC_CONFIG) (recurse=0) ; |
| 114 | } |
| 115 | |
| 116 | |
| 117 | # Tripwire HQ Connector Binaries |
| 118 | #( |
| 119 | # rulename = "Tripwire HQ Connector Binaries", |
| 120 | # severity = $(SIG_HI) |
| 121 | #) |
| 122 | #{ |
| 123 | # $(TWBIN)/hqagent -> $(SEC_BIN) ; |
| 124 | #} |
| 125 | # |
| 126 | # Tripwire HQ Connector - Configuration Files, Keys, and Logs |
| 127 | |
| 128 | ############################################################################## |
| 129 | # ## |
| 130 | ############################################################################## # |
| 131 | # # # |
| 132 | # Note: File locations here are different than in a stock HQ Connector # # |
| 133 | # installation. This is because Tripwire 2.3 uses a different path # # |
| 134 | # structure than Tripwire 2.2.1. # # |
| 135 | # # # |
| 136 | # You may need to update your HQ Agent configuation file (or this policy # # |
| 137 | # file) to correct the paths. We have attempted to support the FHS standard # # |
| 138 | # here by placing the HQ Agent files similarly to the way Tripwire 2.3 # # |
| 139 | # places them. # # |
| 140 | # ## |
| 141 | ############################################################################## |
| 142 | |
| 143 | #( |
| 144 | # rulename = "Tripwire HQ Connector Data Files", |
| 145 | # severity = $(SIG_HI) |
| 146 | #) |
| 147 | #{ |
| 148 | # ############################################################################# |
| 149 | # ############################################################################## |
| 150 | # # NOTE: Removing the inode attribute because when Tripwire creates a backup ## |
| 151 | # # it does so by renaming the old file and creating a new one (which will ## |
| 152 | # # have a new inode number). Leaving inode turned on for keys, which ## |
| 153 | # # shouldn't ever change. ## |
| 154 | # ############################################################################# |
| 155 | # |
| 156 | # $(TWBIN)/agent.cfg -> $(SEC_BIN) -i ; |
| 157 | # $(TWLKEY)/authentication.key -> $(SEC_BIN) ; |
| 158 | # $(TWDB)/tasks.dat -> $(SEC_CONFIG) ; |
| 159 | # $(TWDB)/schedule.dat -> $(SEC_CONFIG) ; |
| 160 | # |
| 161 | # # Uncomment if you have agent logging enabled. |
| 162 | # #/var/log/tripwire/agent.log -> $(SEC_LOG) ; |
| 163 | #} |
| 164 | |
| 165 | |
| 166 | |
| 167 | # Commonly accessed directories that should remain static with regards to owner and group |
| 168 | ( |
| 169 | rulename = "Invariant Directories", |
| 170 | severity = $(SIG_MED) |
| 171 | ) |
| 172 | { |
| 173 | / -> $(SEC_INVARIANT) (recurse = 0) ; |
| 174 | /home -> $(SEC_INVARIANT) (recurse = 0) ; |
| 175 | /etc -> $(SEC_INVARIANT) (recurse = 0) ; |
| 176 | } |
| 177 | ################################################ |
| 178 | # ## |
| 179 | ################################################ # |
| 180 | # # # |
| 181 | # File System and Disk Administration Programs # # |
| 182 | # ## |
| 183 | ################################################ |
| 184 | |
| 185 | ( |
| 186 | rulename = "File System and Disk Administraton Programs", |
| 187 | severity = $(SIG_HI) |
| 188 | ) |
| 189 | { |
| 190 | /sbin/accton -> $(SEC_CRIT) ; |
| 191 | /sbin/badblocks -> $(SEC_CRIT) ; |
| 192 | /sbin/busybox -> $(SEC_CRIT) ; |
| 193 | /sbin/busybox.anaconda -> $(SEC_CRIT) ; |
| 194 | /sbin/convertquota -> $(SEC_CRIT) ; |
| 195 | /sbin/dosfsck -> $(SEC_CRIT) ; |
| 196 | /sbin/debugfs -> $(SEC_CRIT) ; |
| 197 | /sbin/debugreiserfs -> $(SEC_CRIT) ; |
| 198 | /sbin/dumpe2fs -> $(SEC_CRIT) ; |
| 199 | /sbin/dump -> $(SEC_CRIT) ; |
| 200 | /sbin/dump.static -> $(SEC_CRIT) ; |
| 201 | # /sbin/e2fsadm -> $(SEC_CRIT) ; tune2fs? |
| 202 | /sbin/e2fsck -> $(SEC_CRIT) ; |
| 203 | /sbin/e2label -> $(SEC_CRIT) ; |
| 204 | /sbin/fdisk -> $(SEC_CRIT) ; |
| 205 | /sbin/fsck -> $(SEC_CRIT) ; |
| 206 | /sbin/fsck.ext2 -> $(SEC_CRIT) ; |
| 207 | /sbin/fsck.ext3 -> $(SEC_CRIT) ; |
| 208 | /sbin/fsck.minix -> $(SEC_CRIT) ; |
| 209 | /sbin/fsck.msdos -> $(SEC_CRIT) ; |
| 210 | /sbin/fsck.vfat -> $(SEC_CRIT) ; |
| 211 | /sbin/ftl_check -> $(SEC_CRIT) ; |
| 212 | /sbin/ftl_format -> $(SEC_CRIT) ; |
| 213 | /sbin/hdparm -> $(SEC_CRIT) ; |
| 214 | #/sbin/lvchange -> $(SEC_CRIT) ; |
| 215 | #/sbin/lvcreate -> $(SEC_CRIT) ; |
| 216 | #/sbin/lvdisplay -> $(SEC_CRIT) ; |
| 217 | #/sbin/lvextend -> $(SEC_CRIT) ; |
| 218 | #/sbin/lvmchange -> $(SEC_CRIT) ; |
| 219 | #/sbin/lvmcreate_initrd -> $(SEC_CRIT) ; |
| 220 | #/sbin/lvmdiskscan -> $(SEC_CRIT) ; |
| 221 | #/sbin/lvmsadc -> $(SEC_CRIT) ; |
| 222 | #/sbin/lvmsar -> $(SEC_CRIT) ; |
| 223 | #/sbin/lvreduce -> $(SEC_CRIT) ; |
| 224 | #/sbin/lvremove -> $(SEC_CRIT) ; |
| 225 | #/sbin/lvrename -> $(SEC_CRIT) ; |
| 226 | #/sbin/lvscan -> $(SEC_CRIT) ; |
| 227 | /sbin/mkbootdisk -> $(SEC_CRIT) ; |
| 228 | /sbin/mkdosfs -> $(SEC_CRIT) ; |
| 229 | /sbin/mke2fs -> $(SEC_CRIT) ; |
| 230 | /sbin/mkfs -> $(SEC_CRIT) ; |
| 231 | /sbin/mkfs.bfs -> $(SEC_CRIT) ; |
| 232 | /sbin/mkfs.ext2 -> $(SEC_CRIT) ; |
| 233 | /sbin/mkfs.minix -> $(SEC_CRIT) ; |
| 234 | /sbin/mkfs.msdos -> $(SEC_CRIT) ; |
| 235 | /sbin/mkfs.vfat -> $(SEC_CRIT) ; |
| 236 | /sbin/mkinitrd -> $(SEC_CRIT) ; |
| 237 | #/sbin/mkpv -> $(SEC_CRIT) ; |
| 238 | /sbin/mkraid -> $(SEC_CRIT) ; |
| 239 | /sbin/mkreiserfs -> $(SEC_CRIT) ; |
| 240 | /sbin/mkswap -> $(SEC_CRIT) ; |
| 241 | #/sbin/mtx -> $(SEC_CRIT) ; |
| 242 | /sbin/pam_console_apply -> $(SEC_CRIT) ; |
| 243 | /sbin/parted -> $(SEC_CRIT) ; |
| 244 | /sbin/pcinitrd -> $(SEC_CRIT) ; |
| 245 | #/sbin/pvchange -> $(SEC_CRIT) ; |
| 246 | #/sbin/pvcreate -> $(SEC_CRIT) ; |
| 247 | #/sbin/pvdata -> $(SEC_CRIT) ; |
| 248 | #/sbin/pvdisplay -> $(SEC_CRIT) ; |
| 249 | #/sbin/pvmove -> $(SEC_CRIT) ; |
| 250 | #/sbin/pvscan -> $(SEC_CRIT) ; |
| 251 | /sbin/quotacheck -> $(SEC_CRIT) ; |
| 252 | /sbin/quotaon -> $(SEC_CRIT) ; |
| 253 | /sbin/raidstart -> $(SEC_CRIT) ; |
| 254 | /sbin/reiserfsck -> $(SEC_CRIT) ; |
| 255 | /sbin/resize2fs -> $(SEC_CRIT) ; |
| 256 | /sbin/resize_reiserfs -> $(SEC_CRIT) ; |
| 257 | /sbin/restore -> $(SEC_CRIT) ; |
| 258 | /sbin/restore.static -> $(SEC_CRIT) ; |
| 259 | /sbin/scsi_info -> $(SEC_CRIT) ; |
| 260 | /sbin/sfdisk -> $(SEC_CRIT) ; |
| 261 | /sbin/stinit -> $(SEC_CRIT) ; |
| 262 | #/sbin/tapeinfo -> $(SEC_CRIT) ; |
| 263 | /sbin/tune2fs -> $(SEC_CRIT) ; |
| 264 | /sbin/unpack -> $(SEC_CRIT) ; |
| 265 | /sbin/update -> $(SEC_CRIT) ; |
| 266 | #/sbin/vgcfgbackup -> $(SEC_CRIT) ; |
| 267 | #/sbin/vgcfgrestore -> $(SEC_CRIT) ; |
| 268 | #/sbin/vgchange -> $(SEC_CRIT) ; |
| 269 | #/sbin/vgck -> $(SEC_CRIT) ; |
| 270 | #/sbin/vgcreate -> $(SEC_CRIT) ; |
| 271 | #/sbin/vgdisplay -> $(SEC_CRIT) ; |
| 272 | #/sbin/vgexport -> $(SEC_CRIT) ; |
| 273 | #/sbin/vgextend -> $(SEC_CRIT) ; |
| 274 | #/sbin/vgimport -> $(SEC_CRIT) ; |
| 275 | #/sbin/vgmerge -> $(SEC_CRIT) ; |
| 276 | #/sbin/vgmknodes -> $(SEC_CRIT) ; |
| 277 | #/sbin/vgreduce -> $(SEC_CRIT) ; |
| 278 | #/sbin/vgremove -> $(SEC_CRIT) ; |
| 279 | #/sbin/vgrename -> $(SEC_CRIT) ; |
| 280 | #/sbin/vgscan -> $(SEC_CRIT) ; |
| 281 | #/sbin/vgsplit -> $(SEC_CRIT) ; |
| 282 | /bin/chgrp -> $(SEC_CRIT) ; |
| 283 | /bin/chmod -> $(SEC_CRIT) ; |
| 284 | /bin/chown -> $(SEC_CRIT) ; |
| 285 | /bin/cp -> $(SEC_CRIT) ; |
| 286 | /bin/cpio -> $(SEC_CRIT) ; |
| 287 | /bin/mount -> $(SEC_CRIT) ; |
| 288 | /bin/umount -> $(SEC_CRIT) ; |
| 289 | /bin/mkdir -> $(SEC_CRIT) ; |
| 290 | /bin/mknod -> $(SEC_CRIT) ; |
| 291 | /bin/mktemp -> $(SEC_CRIT) ; |
| 292 | /bin/rm -> $(SEC_CRIT) ; |
| 293 | /bin/rmdir -> $(SEC_CRIT) ; |
| 294 | /bin/touch -> $(SEC_CRIT) ; |
| 295 | } |
| 296 | |
| 297 | ################################## |
| 298 | # ## |
| 299 | ################################## # |
| 300 | # # # |
| 301 | # Kernel Administration Programs # # |
| 302 | # ## |
| 303 | ################################## |
| 304 | |
| 305 | ( |
| 306 | rulename = "Kernel Administration Programs", |
| 307 | severity = $(SIG_HI) |
| 308 | ) |
| 309 | { |
| 310 | /sbin/adjtimex -> $(SEC_CRIT) ; |
| 311 | /sbin/ctrlaltdel -> $(SEC_CRIT) ; |
| 312 | /sbin/depmod -> $(SEC_CRIT) ; |
| 313 | /sbin/insmod -> $(SEC_CRIT) ; |
| 314 | /sbin/insmod.static -> $(SEC_CRIT) ; |
| 315 | /sbin/insmod_ksymoops_clean -> $(SEC_CRIT) ; |
| 316 | /sbin/klogd -> $(SEC_CRIT) ; |
| 317 | /sbin/ldconfig -> $(SEC_CRIT) ; |
| 318 | /sbin/minilogd -> $(SEC_CRIT) ; |
| 319 | /sbin/modinfo -> $(SEC_CRIT) ; |
| 320 | #/sbin/nuactlun -> $(SEC_CRIT) ; |
| 321 | #/sbin/nuscsitcpd -> $(SEC_CRIT) ; |
| 322 | /sbin/pivot_root -> $(SEC_CRIT) ; |
| 323 | /sbin/sndconfig -> $(SEC_CRIT) ; |
| 324 | /sbin/sysctl -> $(SEC_CRIT) ; |
| 325 | } |
| 326 | |
| 327 | ####################### |
| 328 | # ## |
| 329 | ####################### # |
| 330 | # # # |
| 331 | # Networking Programs # # |
| 332 | # ## |
| 333 | ####################### |
| 334 | |
| 335 | ( |
| 336 | rulename = "Networking Programs", |
| 337 | severity = $(SIG_HI) |
| 338 | ) |
| 339 | { |
| 340 | /etc/sysconfig/network-scripts/ifdown -> $(SEC_CRIT) ; |
| 341 | /etc/sysconfig/network-scripts/ifdown-cipcb -> $(SEC_CRIT) ; |
| 342 | /etc/sysconfig/network-scripts/ifdown-ippp -> $(SEC_CRIT) ; |
| 343 | /etc/sysconfig/network-scripts/ifdown-ipv6 -> $(SEC_CRIT) ; |
| 344 | /etc/sysconfig/network-scripts/ifdown-isdn -> $(SEC_CRIT) ; |
| 345 | /etc/sysconfig/network-scripts/ifdown-post -> $(SEC_CRIT) ; |
| 346 | /etc/sysconfig/network-scripts/ifdown-ppp -> $(SEC_CRIT) ; |
| 347 | /etc/sysconfig/network-scripts/ifdown-sit -> $(SEC_CRIT) ; |
| 348 | /etc/sysconfig/network-scripts/ifdown-sl -> $(SEC_CRIT) ; |
| 349 | /etc/sysconfig/network-scripts/ifup -> $(SEC_CRIT) ; |
| 350 | /etc/sysconfig/network-scripts/ifup-aliases -> $(SEC_CRIT) ; |
| 351 | /etc/sysconfig/network-scripts/ifup-cipcb -> $(SEC_CRIT) ; |
| 352 | /etc/sysconfig/network-scripts/ifup-ippp -> $(SEC_CRIT) ; |
| 353 | /etc/sysconfig/network-scripts/ifup-ipv6 -> $(SEC_CRIT) ; |
| 354 | /etc/sysconfig/network-scripts/ifup-isdn -> $(SEC_CRIT) ; |
| 355 | /etc/sysconfig/network-scripts/ifup-plip -> $(SEC_CRIT) ; |
| 356 | /etc/sysconfig/network-scripts/ifup-plusb -> $(SEC_CRIT) ; |
| 357 | /etc/sysconfig/network-scripts/ifup-post -> $(SEC_CRIT) ; |
| 358 | /etc/sysconfig/network-scripts/ifup-ppp -> $(SEC_CRIT) ; |
| 359 | /etc/sysconfig/network-scripts/ifup-routes -> $(SEC_CRIT) ; |
| 360 | /etc/sysconfig/network-scripts/ifup-sit -> $(SEC_CRIT) ; |
| 361 | /etc/sysconfig/network-scripts/ifup-sl -> $(SEC_CRIT) ; |
| 362 | /etc/sysconfig/network-scripts/ifup-wireless -> $(SEC_CRIT) ; |
| 363 | /etc/sysconfig/network-scripts/network-functions -> $(SEC_CRIT) ; |
| 364 | /etc/sysconfig/network-scripts/network-functions-ipv6 -> $(SEC_CRIT) ; |
| 365 | /bin/ping -> $(SEC_CRIT) ; |
| 366 | /sbin/agetty -> $(SEC_CRIT) ; |
| 367 | /sbin/arp -> $(SEC_CRIT) ; |
| 368 | /sbin/arping -> $(SEC_CRIT) ; |
| 369 | /sbin/dhcpcd -> $(SEC_CRIT) ; |
| 370 | /sbin/ether-wake -> $(SEC_CRIT) ; |
| 371 | #/sbin/getty -> $(SEC_CRIT) ; |
| 372 | /sbin/ifcfg -> $(SEC_CRIT) ; |
| 373 | /sbin/ifconfig -> $(SEC_CRIT) ; |
| 374 | /sbin/ifdown -> $(SEC_CRIT) ; |
| 375 | /sbin/ifenslave -> $(SEC_CRIT) ; |
| 376 | /sbin/ifport -> $(SEC_CRIT) ; |
| 377 | /sbin/ifup -> $(SEC_CRIT) ; |
| 378 | /sbin/ifuser -> $(SEC_CRIT) ; |
| 379 | /sbin/ip -> $(SEC_CRIT) ; |
| 380 | /sbin/ip6tables -> $(SEC_CRIT) ; |
| 381 | /sbin/ipchains -> $(SEC_CRIT) ; |
| 382 | /sbin/ipchains-restore -> $(SEC_CRIT) ; |
| 383 | /sbin/ipchains-save -> $(SEC_CRIT) ; |
| 384 | /sbin/ipfwadm -> $(SEC_CRIT) ; |
| 385 | /sbin/ipmaddr -> $(SEC_CRIT) ; |
| 386 | /sbin/iptables -> $(SEC_CRIT) ; |
| 387 | /sbin/iptables-restore -> $(SEC_CRIT) ; |
| 388 | /sbin/iptables-save -> $(SEC_CRIT) ; |
| 389 | /sbin/iptunnel -> $(SEC_CRIT) ; |
| 390 | #/sbin/ipvsadm -> $(SEC_CRIT) ; |
| 391 | #/sbin/ipvsadm-restore -> $(SEC_CRIT) ; |
| 392 | #/sbin/ipvsadm-save -> $(SEC_CRIT) ; |
| 393 | /sbin/ipx_configure -> $(SEC_CRIT) ; |
| 394 | /sbin/ipx_interface -> $(SEC_CRIT) ; |
| 395 | /sbin/ipx_internal_net -> $(SEC_CRIT) ; |
| 396 | /sbin/iwconfig -> $(SEC_CRIT) ; |
| 397 | /sbin/iwgetid -> $(SEC_CRIT) ; |
| 398 | /sbin/iwlist -> $(SEC_CRIT) ; |
| 399 | /sbin/iwpriv -> $(SEC_CRIT) ; |
| 400 | /sbin/iwspy -> $(SEC_CRIT) ; |
| 401 | /sbin/mgetty -> $(SEC_CRIT) ; |
| 402 | /sbin/mingetty -> $(SEC_CRIT) ; |
| 403 | /sbin/nameif -> $(SEC_CRIT) ; |
| 404 | /sbin/netreport -> $(SEC_CRIT) ; |
| 405 | /sbin/plipconfig -> $(SEC_CRIT) ; |
| 406 | /sbin/portmap -> $(SEC_CRIT) ; |
| 407 | /sbin/ppp-watch -> $(SEC_CRIT) ; |
| 408 | #/sbin/rarp -> $(SEC_CRIT) ; |
| 409 | /sbin/route -> $(SEC_CRIT) ; |
| 410 | /sbin/slattach -> $(SEC_CRIT) ; |
| 411 | /sbin/tc -> $(SEC_CRIT) ; |
| 412 | #/sbin/uugetty -> $(SEC_CRIT) ; |
| 413 | /sbin/vgetty -> $(SEC_CRIT) ; |
| 414 | /sbin/ypbind -> $(SEC_CRIT) ; |
| 415 | } |
| 416 | |
| 417 | ################################## |
| 418 | # ## |
| 419 | ################################## # |
| 420 | # # # |
| 421 | # System Administration Programs # # |
| 422 | # ## |
| 423 | ################################## |
| 424 | |
| 425 | ( |
| 426 | rulename = "System Administration Programs", |
| 427 | severity = $(SIG_HI) |
| 428 | ) |
| 429 | { |
| 430 | /sbin/chkconfig -> $(SEC_CRIT) ; |
| 431 | /sbin/fuser -> $(SEC_CRIT) ; |
| 432 | /sbin/halt -> $(SEC_CRIT) ; |
| 433 | /sbin/init -> $(SEC_CRIT) ; |
| 434 | /sbin/initlog -> $(SEC_CRIT) ; |
| 435 | /sbin/install-info -> $(SEC_CRIT) ; |
| 436 | /sbin/killall5 -> $(SEC_CRIT) ; |
| 437 | #/sbin/linuxconf -> $(SEC_CRIT) ; |
| 438 | #/sbin/linuxconf-auth -> $(SEC_CRIT) ; |
| 439 | /sbin/pam_tally -> $(SEC_CRIT) ; |
| 440 | /sbin/pwdb_chkpwd -> $(SEC_CRIT) ; |
| 441 | #/sbin/remadmin -> $(SEC_CRIT) ; |
| 442 | /sbin/rescuept -> $(SEC_CRIT) ; |
| 443 | /sbin/rmt -> $(SEC_CRIT) ; |
| 444 | /sbin/rpc.lockd -> $(SEC_CRIT) ; |
| 445 | /sbin/rpc.statd -> $(SEC_CRIT) ; |
| 446 | /sbin/rpcdebug -> $(SEC_CRIT) ; |
| 447 | /sbin/service -> $(SEC_CRIT) ; |
| 448 | /sbin/setsysfont -> $(SEC_CRIT) ; |
| 449 | /sbin/shutdown -> $(SEC_CRIT) ; |
| 450 | /sbin/sulogin -> $(SEC_CRIT) ; |
| 451 | /sbin/swapon -> $(SEC_CRIT) ; |
| 452 | /sbin/syslogd -> $(SEC_CRIT) ; |
| 453 | /sbin/unix_chkpwd -> $(SEC_CRIT) ; |
| 454 | /bin/pwd -> $(SEC_CRIT) ; |
| 455 | /bin/uname -> $(SEC_CRIT) ; |
| 456 | } |
| 457 | |
| 458 | ######################################## |
| 459 | # ## |
| 460 | ######################################## # |
| 461 | # # # |
| 462 | # Hardware and Device Control Programs # # |
| 463 | # ## |
| 464 | ######################################## |
| 465 | ( |
| 466 | rulename = "Hardware and Device Control Programs", |
| 467 | severity = $(SIG_HI) |
| 468 | ) |
| 469 | { |
| 470 | /bin/setserial -> $(SEC_CRIT) ; |
| 471 | /bin/sfxload -> $(SEC_CRIT) ; |
| 472 | /sbin/blockdev -> $(SEC_CRIT) ; |
| 473 | /sbin/cardctl -> $(SEC_CRIT) ; |
| 474 | /sbin/cardmgr -> $(SEC_CRIT) ; |
| 475 | /sbin/cbq -> $(SEC_CRIT) ; |
| 476 | /sbin/dump_cis -> $(SEC_CRIT) ; |
| 477 | /sbin/elvtune -> $(SEC_CRIT) ; |
| 478 | /sbin/hotplug -> $(SEC_CRIT) ; |
| 479 | /sbin/hwclock -> $(SEC_CRIT) ; |
| 480 | /sbin/ide_info -> $(SEC_CRIT) ; |
| 481 | #/sbin/isapnp -> $(SEC_CRIT) ; |
| 482 | /sbin/kbdrate -> $(SEC_CRIT) ; |
| 483 | /sbin/losetup -> $(SEC_CRIT) ; |
| 484 | /sbin/lspci -> $(SEC_CRIT) ; |
| 485 | /sbin/lspnp -> $(SEC_CRIT) ; |
| 486 | /sbin/mii-tool -> $(SEC_CRIT) ; |
| 487 | /sbin/pack_cis -> $(SEC_CRIT) ; |
| 488 | #/sbin/pnpdump -> $(SEC_CRIT) ; |
| 489 | /sbin/probe -> $(SEC_CRIT) ; |
| 490 | /sbin/pump -> $(SEC_CRIT) ; |
| 491 | /sbin/setpci -> $(SEC_CRIT) ; |
| 492 | /sbin/shapecfg -> $(SEC_CRIT) ; |
| 493 | } |
| 494 | |
| 495 | ############################### |
| 496 | # ## |
| 497 | ############################### # |
| 498 | # # # |
| 499 | # System Information Programs # # |
| 500 | # ## |
| 501 | ############################### |
| 502 | ( |
| 503 | rulename = "System Information Programs", |
| 504 | severity = $(SIG_HI) |
| 505 | ) |
| 506 | { |
| 507 | /sbin/consoletype -> $(SEC_CRIT) ; |
| 508 | /sbin/kernelversion -> $(SEC_CRIT) ; |
| 509 | /sbin/runlevel -> $(SEC_CRIT) ; |
| 510 | } |
| 511 | |
| 512 | #################################### |
| 513 | # ## |
| 514 | #################################### # |
| 515 | # # # |
| 516 | # Application Information Programs # # |
| 517 | # ## |
| 518 | #################################### |
| 519 | |
| 520 | ( |
| 521 | rulename = "Application Information Programs", |
| 522 | severity = $(SIG_HI) |
| 523 | ) |
| 524 | { |
| 525 | /sbin/genksyms -> $(SEC_CRIT) ; |
| 526 | #/sbin/genksyms.old -> $(SEC_CRIT) ; |
| 527 | /sbin/rtmon -> $(SEC_CRIT) ; |
| 528 | } |
| 529 | |
| 530 | ########################## |
| 531 | # ## |
| 532 | ########################## # |
| 533 | # # # |
| 534 | # Shell Related Programs # # |
| 535 | # ## |
| 536 | ########################## |
| 537 | ( |
| 538 | rulename = "Shell Related Programs", |
| 539 | severity = $(SIG_HI) |
| 540 | ) |
| 541 | { |
| 542 | /sbin/getkey -> $(SEC_CRIT) ; |
| 543 | /sbin/nash -> $(SEC_CRIT) ; |
| 544 | /sbin/sash -> $(SEC_CRIT) ; |
| 545 | } |
| 546 | |
| 547 | |
| 548 | ################ |
| 549 | # ## |
| 550 | ################ # |
| 551 | # # # |
| 552 | # OS Utilities # # |
| 553 | # ## |
| 554 | ################ |
| 555 | ( |
| 556 | rulename = "Operating System Utilities", |
| 557 | severity = $(SIG_HI) |
| 558 | ) |
| 559 | { |
| 560 | /bin/arch -> $(SEC_CRIT) ; |
| 561 | /bin/ash -> $(SEC_CRIT) ; |
| 562 | /bin/ash.static -> $(SEC_CRIT) ; |
| 563 | /bin/aumix-minimal -> $(SEC_CRIT) ; |
| 564 | /bin/basename -> $(SEC_CRIT) ; |
| 565 | /bin/cat -> $(SEC_CRIT) ; |
| 566 | /bin/consolechars -> $(SEC_CRIT) ; |
| 567 | /bin/cut -> $(SEC_CRIT) ; |
| 568 | /bin/date -> $(SEC_CRIT) ; |
| 569 | /bin/dd -> $(SEC_CRIT) ; |
| 570 | /bin/df -> $(SEC_CRIT) ; |
| 571 | /bin/dmesg -> $(SEC_CRIT) ; |
| 572 | /bin/doexec -> $(SEC_CRIT) ; |
| 573 | /bin/echo -> $(SEC_CRIT) ; |
| 574 | /bin/ed -> $(SEC_CRIT) ; |
| 575 | /bin/egrep -> $(SEC_CRIT) ; |
| 576 | /bin/false -> $(SEC_CRIT) ; |
| 577 | /bin/fgrep -> $(SEC_CRIT) ; |
| 578 | /bin/gawk -> $(SEC_CRIT) ; |
| 579 | /bin/gawk-3.1.0 -> $(SEC_CRIT) ; |
| 580 | /bin/gettext -> $(SEC_CRIT) ; |
| 581 | /bin/grep -> $(SEC_CRIT) ; |
| 582 | /bin/gunzip -> $(SEC_CRIT) ; |
| 583 | /bin/gzip -> $(SEC_CRIT) ; |
| 584 | /bin/hostname -> $(SEC_CRIT) ; |
| 585 | /bin/igawk -> $(SEC_CRIT) ; |
| 586 | /bin/ipcalc -> $(SEC_CRIT) ; |
| 587 | /bin/kill -> $(SEC_CRIT) ; |
| 588 | /bin/ln -> $(SEC_CRIT) ; |
| 589 | /bin/loadkeys -> $(SEC_CRIT) ; |
| 590 | /bin/login -> $(SEC_CRIT) ; |
| 591 | /bin/ls -> $(SEC_CRIT) ; |
| 592 | /bin/mail -> $(SEC_CRIT) ; |
| 593 | /bin/more -> $(SEC_CRIT) ; |
| 594 | /bin/mt -> $(SEC_CRIT) ; |
| 595 | /bin/mv -> $(SEC_CRIT) ; |
| 596 | /bin/netstat -> $(SEC_CRIT) ; |
| 597 | /bin/nice -> $(SEC_CRIT) ; |
| 598 | /bin/pgawk -> $(SEC_CRIT) ; |
| 599 | /bin/ps -> $(SEC_CRIT) ; |
| 600 | /bin/rpm -> $(SEC_CRIT) ; |
| 601 | /bin/sed -> $(SEC_CRIT) ; |
| 602 | /bin/sleep -> $(SEC_CRIT) ; |
| 603 | /bin/sort -> $(SEC_CRIT) ; |
| 604 | /bin/stty -> $(SEC_CRIT) ; |
| 605 | /bin/su -> $(SEC_CRIT) ; |
| 606 | /bin/sync -> $(SEC_CRIT) ; |
| 607 | /bin/tar -> $(SEC_CRIT) ; |
| 608 | /bin/true -> $(SEC_CRIT) ; |
| 609 | /bin/usleep -> $(SEC_CRIT) ; |
| 610 | /bin/vi -> $(SEC_CRIT) ; |
| 611 | /bin/zcat -> $(SEC_CRIT) ; |
| 612 | /bin/zsh -> $(SEC_CRIT) ; |
| 613 | #/bin/zsh-4.0.2 -> $(SEC_CRIT) ; |
| 614 | /sbin/sln -> $(SEC_CRIT) ; |
| 615 | /usr/bin/vimtutor -> $(SEC_CRIT) ; |
| 616 | } |
| 617 | |
| 618 | ############################## |
| 619 | # ## |
| 620 | ############################## # |
| 621 | # # # |
| 622 | # Critical Utility Sym-Links # # |
| 623 | # ## |
| 624 | ############################## |
| 625 | ( |
| 626 | rulename = "Critical Utility Sym-Links", |
| 627 | severity = $(SIG_HI) |
| 628 | ) |
| 629 | { |
| 630 | #/sbin/askrunlevel -> $(SEC_CRIT) ; |
| 631 | /sbin/clock -> $(SEC_CRIT) ; |
| 632 | #/sbin/fixperm -> $(SEC_CRIT) ; |
| 633 | /sbin/fsck.reiserfs -> $(SEC_CRIT) ; |
| 634 | #/sbin/fsconf -> $(SEC_CRIT) ; |
| 635 | /sbin/ipfwadm-wrapper -> $(SEC_CRIT) ; |
| 636 | /sbin/kallsyms -> $(SEC_CRIT) ; |
| 637 | /sbin/ksyms -> $(SEC_CRIT) ; |
| 638 | /sbin/lsmod -> $(SEC_CRIT) ; |
| 639 | #/sbin/mailconf -> $(SEC_CRIT) ; |
| 640 | /sbin/mkfs.reiserfs -> $(SEC_CRIT) ; |
| 641 | #/sbin/modemconf -> $(SEC_CRIT) ; |
| 642 | /sbin/modprobe -> $(SEC_CRIT) ; |
| 643 | /sbin/mount.ncp -> $(SEC_CRIT) ; |
| 644 | /sbin/mount.ncpfs -> $(SEC_CRIT) ; |
| 645 | /sbin/mount.smb -> $(SEC_CRIT) ; |
| 646 | /sbin/mount.smbfs -> $(SEC_CRIT) ; |
| 647 | #/sbin/netconf -> $(SEC_CRIT) ; |
| 648 | /sbin/pidof -> $(SEC_CRIT) ; |
| 649 | /sbin/poweroff -> $(SEC_CRIT) ; |
| 650 | /sbin/quotaoff -> $(SEC_CRIT) ; |
| 651 | /sbin/raid0run -> $(SEC_CRIT) ; |
| 652 | /sbin/raidhotadd -> $(SEC_CRIT) ; |
| 653 | /sbin/raidhotgenerateerror -> $(SEC_CRIT) ; |
| 654 | /sbin/raidhotremove -> $(SEC_CRIT) ; |
| 655 | /sbin/raidstop -> $(SEC_CRIT) ; |
| 656 | /sbin/rdump -> $(SEC_CRIT) ; |
| 657 | /sbin/rdump.static -> $(SEC_CRIT) ; |
| 658 | /sbin/reboot -> $(SEC_CRIT) ; |
| 659 | /sbin/rmmod -> $(SEC_CRIT) ; |
| 660 | /sbin/rrestore -> $(SEC_CRIT) ; |
| 661 | /sbin/rrestore.static -> $(SEC_CRIT) ; |
| 662 | /sbin/swapoff -> $(SEC_CRIT) ; |
| 663 | /sbin/telinit -> $(SEC_CRIT) ; |
| 664 | #/sbin/userconf -> $(SEC_CRIT) ; |
| 665 | #/sbin/uucpconf -> $(SEC_CRIT) ; |
| 666 | #/sbin/vregistry -> $(SEC_CRIT) ; |
| 667 | /bin/awk -> $(SEC_CRIT) ; |
| 668 | /bin/bash2 -> $(SEC_CRIT) ; |
| 669 | /bin/bsh -> $(SEC_CRIT) ; |
| 670 | /bin/csh -> $(SEC_CRIT) ; |
| 671 | /bin/dnsdomainname -> $(SEC_CRIT) ; |
| 672 | /bin/domainname -> $(SEC_CRIT) ; |
| 673 | /bin/ex -> $(SEC_CRIT) ; |
| 674 | /bin/gtar -> $(SEC_CRIT) ; |
| 675 | /bin/nisdomainname -> $(SEC_CRIT) ; |
| 676 | /bin/red -> $(SEC_CRIT) ; |
| 677 | /bin/rvi -> $(SEC_CRIT) ; |
| 678 | /bin/rview -> $(SEC_CRIT) ; |
| 679 | /bin/view -> $(SEC_CRIT) ; |
| 680 | /bin/ypdomainname -> $(SEC_CRIT) ; |
| 681 | } |
| 682 | |
| 683 | |
| 684 | ######################### |
| 685 | # ## |
| 686 | ######################### # |
| 687 | # # # |
| 688 | # Temporary directories # # |
| 689 | # ## |
| 690 | ######################### |
| 691 | ( |
| 692 | rulename = "Temporary directories", |
| 693 | recurse = false, |
| 694 | severity = $(SIG_LOW) |
| 695 | ) |
| 696 | { |
| 697 | /usr/tmp -> $(SEC_INVARIANT) ; |
| 698 | /var/tmp -> $(SEC_INVARIANT) ; |
| 699 | /tmp -> $(SEC_INVARIANT) ; |
| 700 | } |
| 701 | |
| 702 | ############### |
| 703 | # ## |
| 704 | ############### # |
| 705 | # # # |
| 706 | # Local files # # |
| 707 | # ## |
| 708 | ############### |
| 709 | ( |
| 710 | rulename = "User binaries", |
| 711 | severity = $(SIG_MED) |
| 712 | ) |
| 713 | { |
| 714 | /sbin -> $(SEC_BIN) (recurse = 1) ; |
| 715 | /usr/bin -> $(SEC_BIN) (recurse = 1) ; |
| 716 | /usr/sbin -> $(SEC_BIN) (recurse = 1) ; |
| 717 | /usr/local/bin -> $(SEC_BIN) (recurse = 1) ; |
| 718 | } |
| 719 | |
| 720 | ( |
| 721 | rulename = "Shell Binaries", |
| 722 | severity = $(SIG_HI) |
| 723 | ) |
| 724 | { |
| 725 | /bin/bash -> $(SEC_BIN) ; |
| 726 | /bin/ksh -> $(SEC_BIN) ; |
| 727 | # /bin/psh -> $(SEC_BIN) ; # No longer used? |
| 728 | # /bin/Rsh -> $(SEC_BIN) ; # No longer used? |
| 729 | /bin/sh -> $(SEC_BIN) ; |
| 730 | # /bin/shell -> $(SEC_SUID) ; # No longer used? |
| 731 | # /bin/tsh -> $(SEC_BIN) ; # No longer used? |
| 732 | /bin/tcsh -> $(SEC_BIN) ; |
| 733 | /sbin/nologin -> $(SEC_BIN) ; |
| 734 | } |
| 735 | |
| 736 | ( |
| 737 | rulename = "Security Control", |
| 738 | severity = $(SIG_HI) |
| 739 | ) |
| 740 | { |
| 741 | /etc/group -> $(SEC_CRIT) ; |
| 742 | /etc/security -> $(SEC_CRIT) ; |
| 743 | #/var/spool/cron/crontabs -> $(SEC_CRIT) ; # Uncomment when this file exists |
| 744 | } |
| 745 | |
| 746 | #( |
| 747 | # rulename = "Boot Scripts", |
| 748 | # severity = $(SIG_HI) |
| 749 | #) |
| 750 | #{ |
| 751 | # /etc/rc -> $(SEC_CONFIG) ; |
| 752 | # /etc/rc.bsdnet -> $(SEC_CONFIG) ; |
| 753 | # /etc/rc.dt -> $(SEC_CONFIG) ; |
| 754 | # /etc/rc.net -> $(SEC_CONFIG) ; |
| 755 | # /etc/rc.net.serial -> $(SEC_CONFIG) ; |
| 756 | # /etc/rc.nfs -> $(SEC_CONFIG) ; |
| 757 | # /etc/rc.powerfail -> $(SEC_CONFIG) ; |
| 758 | # /etc/rc.tcpip -> $(SEC_CONFIG) ; |
| 759 | # /etc/trcfmt.Z -> $(SEC_CONFIG) ; |
| 760 | #} |
| 761 | |
| 762 | ( |
| 763 | rulename = "Login Scripts", |
| 764 | severity = $(SIG_HI) |
| 765 | ) |
| 766 | { |
| 767 | /etc/bashrc -> $(SEC_CONFIG) ; |
| 768 | /etc/csh.cshrc -> $(SEC_CONFIG) ; |
| 769 | /etc/csh.login -> $(SEC_CONFIG) ; |
| 770 | /etc/inputrc -> $(SEC_CONFIG) ; |
| 771 | # /etc/tsh_profile -> $(SEC_CONFIG) ; #Uncomment when this file exists |
| 772 | /etc/profile -> $(SEC_CONFIG) ; |
| 773 | } |
| 774 | |
| 775 | # Libraries |
| 776 | ( |
| 777 | rulename = "Libraries", |
| 778 | severity = $(SIG_MED) |
| 779 | ) |
| 780 | { |
| 781 | /usr/lib -> $(SEC_BIN) ; |
| 782 | /usr/local/lib -> $(SEC_BIN) ; |
| 783 | } |
| 784 | |
| 785 | |
| 786 | ###################################################### |
| 787 | # ## |
| 788 | ###################################################### # |
| 789 | # # # |
| 790 | # Critical System Boot Files # # |
| 791 | # These files are critical to a correct system boot. # # |
| 792 | # ## |
| 793 | ###################################################### |
| 794 | |
| 795 | ( |
| 796 | rulename = "Critical system boot files", |
| 797 | severity = $(SIG_HI) |
| 798 | ) |
| 799 | { |
| 800 | /boot -> $(SEC_CRIT) ; |
| 801 | #/sbin/devfsd -> $(SEC_CRIT) ; |
| 802 | /sbin/grub -> $(SEC_CRIT) ; |
| 803 | /sbin/grub-install -> $(SEC_CRIT) ; |
| 804 | /sbin/grub-md5-crypt -> $(SEC_CRIT) ; |
| 805 | /sbin/installkernel -> $(SEC_CRIT) ; |
| 806 | /sbin/lilo -> $(SEC_CRIT) ; |
| 807 | /sbin/mkkerneldoth -> $(SEC_CRIT) ; |
| 808 | !/boot/System.map ; |
| 809 | !/boot/module-info ; |
| 810 | /usr/share/grub/i386-redhat/e2fs_stage1_5 -> $(SEC_CRIT) ; |
| 811 | /usr/share/grub/i386-redhat/fat_stage1_5 -> $(SEC_CRIT) ; |
| 812 | /usr/share/grub/i386-redhat/ffs_stage1_5 -> $(SEC_CRIT) ; |
| 813 | /usr/share/grub/i386-redhat/minix_stage1_5 -> $(SEC_CRIT) ; |
| 814 | /usr/share/grub/i386-redhat/reiserfs_stage1_5 -> $(SEC_CRIT) ; |
| 815 | /usr/share/grub/i386-redhat/stage1 -> $(SEC_CRIT) ; |
| 816 | /usr/share/grub/i386-redhat/stage2 -> $(SEC_CRIT) ; |
| 817 | /usr/share/grub/i386-redhat/vstafs_stage1_5 -> $(SEC_CRIT) ; |
| 818 | # other boot files may exist. Look for: |
| 819 | #/ufsboot -> $(SEC_CRIT) ; |
| 820 | } |
| 821 | ################################################## |
| 822 | ################################################### |
| 823 | # These files change every time the system boots ## |
| 824 | ################################################## |
| 825 | ( |
| 826 | rulename = "System boot changes", |
| 827 | severity = $(SIG_HI) |
| 828 | ) |
| 829 | { |
| 830 | !/var/run/ftp.pids-all ; # Comes and goes on reboot. |
| 831 | !/root/.enlightenment ; |
| 832 | /dev/log -> $(SEC_CONFIG) ; |
| 833 | /dev/cua0 -> $(SEC_CONFIG) ; |
| 834 | # /dev/printer -> $(SEC_CONFIG) ; # Uncomment if you have a printer device |
| 835 | /dev/console -> $(SEC_CONFIG) -u ; # User ID may change on console login/logout. |
| 836 | /dev/tty1 -> $(SEC_CONFIG) ; # tty devices |
| 837 | /dev/tty2 -> $(SEC_CONFIG) ; # tty devices |
| 838 | /dev/tty3 -> $(SEC_CONFIG) ; # are extremely |
| 839 | /dev/tty4 -> $(SEC_CONFIG) ; # variable |
| 840 | /dev/tty5 -> $(SEC_CONFIG) ; |
| 841 | /dev/tty6 -> $(SEC_CONFIG) ; |
| 842 | /dev/urandom -> $(SEC_CONFIG) ; |
| 843 | /dev/initctl -> $(SEC_CONFIG) ; |
| 844 | /var/lock/subsys -> $(SEC_CONFIG) ; |
| 845 | #/var/lock/subsys/amd -> $(SEC_CONFIG) ; |
| 846 | /var/lock/subsys/anacron -> $(SEC_CONFIG) ; |
| 847 | /var/lock/subsys/apmd -> $(SEC_CONFIG) ; |
| 848 | #/var/lock/subsys/arpwatch -> $(SEC_CONFIG) ; |
| 849 | /var/lock/subsys/atd -> $(SEC_CONFIG) ; |
| 850 | /var/lock/subsys/autofs -> $(SEC_CONFIG) ; |
| 851 | #/var/lock/subsys/bcm5820 -> $(SEC_CONFIG) ; |
| 852 | #/var/lock/subsys/bgpd -> $(SEC_CONFIG) ; |
| 853 | #/var/lock/subsys/bootparamd -> $(SEC_CONFIG) ; |
| 854 | #/var/lock/subsys/canna -> $(SEC_CONFIG) ; |
| 855 | /var/lock/subsys/crond -> $(SEC_CONFIG) ; |
| 856 | #/var/lock/subsys/cWnn -> $(SEC_CONFIG) ; |
| 857 | #/var/lock/subsys/dhcpd -> $(SEC_CONFIG) ; |
| 858 | #/var/lock/subsys/firewall -> $(SEC_CONFIG) ; |
| 859 | #/var/lock/subsys/freeWnn -> $(SEC_CONFIG) ; |
| 860 | #/var/lock/subsys/gated -> $(SEC_CONFIG) ; |
| 861 | /var/lock/subsys/gpm -> $(SEC_CONFIG) ; |
| 862 | #/var/lock/subsys/httpd -> $(SEC_CONFIG) ; |
| 863 | #/var/lock/subsys/identd -> $(SEC_CONFIG) ; |
| 864 | #/var/lock/subsys/innd -> $(SEC_CONFIG) ; |
| 865 | /var/lock/subsys/ipchains -> $(SEC_CONFIG) ; |
| 866 | #/var/lock/subsys/iptables -> $(SEC_CONFIG) ; |
| 867 | #/var/lock/subsys/ipvsadm -> $(SEC_CONFIG) ; |
| 868 | #/var/lock/subsys/irda -> $(SEC_CONFIG) ; |
| 869 | #/var/lock/subsys/iscsi -> $(SEC_CONFIG) ; |
| 870 | #/var/lock/subsys/isdn -> $(SEC_CONFIG) ; |
| 871 | #/var/lock/subsys/junkbuster -> $(SEC_CONFIG) ; |
| 872 | #/var/lock/subsys/kadmin -> $(SEC_CONFIG) ; |
| 873 | /var/lock/subsys/keytable -> $(SEC_CONFIG) ; |
| 874 | #/var/lock/subsys/kprop -> $(SEC_CONFIG) ; |
| 875 | #/var/lock/subsys/krb524 -> $(SEC_CONFIG) ; |
| 876 | #/var/lock/subsys/krb5kdc -> $(SEC_CONFIG) ; |
| 877 | /var/lock/subsys/kudzu -> $(SEC_CONFIG) ; |
| 878 | #/var/lock/subsys/kWnn -> $(SEC_CONFIG) ; |
| 879 | #/var/lock/subsys/ldap -> $(SEC_CONFIG) ; |
| 880 | #/var/lock/subsys/linuxconf -> $(SEC_CONFIG) ; |
| 881 | #/var/lock/subsys/lpd -> $(SEC_CONFIG) ; |
| 882 | #/var/lock/subsys/mars_nwe -> $(SEC_CONFIG) ; |
| 883 | #/var/lock/subsys/mcserv -> $(SEC_CONFIG) ; |
| 884 | #/var/lock/subsys/mysqld -> $(SEC_CONFIG) ; |
| 885 | #/var/lock/subsys/named -> $(SEC_CONFIG) ; |
| 886 | /var/lock/subsys/netfs -> $(SEC_CONFIG) ; |
| 887 | /var/lock/subsys/network -> $(SEC_CONFIG) ; |
| 888 | #/var/lock/subsys/nfs -> $(SEC_CONFIG) ; |
| 889 | /var/lock/subsys/nfslock -> $(SEC_CONFIG) ; |
| 890 | #/var/lock/subsys/nscd -> $(SEC_CONFIG) ; |
| 891 | #/var/lock/subsys/ntpd -> $(SEC_CONFIG) ; |
| 892 | #/var/lock/subsys/ospf6d -> $(SEC_CONFIG) ; |
| 893 | #/var/lock/subsys/ospfd -> $(SEC_CONFIG) ; |
| 894 | /var/lock/subsys/pcmcia -> $(SEC_CONFIG) ; |
| 895 | /var/lock/subsys/portmap -> $(SEC_CONFIG) ; |
| 896 | #/var/lock/subsys/postgresql -> $(SEC_CONFIG) ; |
| 897 | #/var/lock/subsys/pxe -> $(SEC_CONFIG) ; |
| 898 | #/var/lock/subsys/radvd -> $(SEC_CONFIG) ; |
| 899 | /var/lock/subsys/random -> $(SEC_CONFIG) ; |
| 900 | #/var/lock/subsys/rarpd -> $(SEC_CONFIG) ; |
| 901 | /var/lock/subsys/reconfig -> $(SEC_CONFIG) ; |
| 902 | /var/lock/subsys/rhnsd -> $(SEC_CONFIG) ; |
| 903 | #/var/lock/subsys/ripd -> $(SEC_CONFIG) ; |
| 904 | #/var/lock/subsys/ripngd -> $(SEC_CONFIG) ; |
| 905 | #/var/lock/subsys/routed -> $(SEC_CONFIG) ; |
| 906 | #/var/lock/subsys/rstatd -> $(SEC_CONFIG) ; |
| 907 | #/var/lock/subsys/rusersd -> $(SEC_CONFIG) ; |
| 908 | #/var/lock/subsys/rwalld -> $(SEC_CONFIG) ; |
| 909 | #/var/lock/subsys/rwhod -> $(SEC_CONFIG) ; |
| 910 | /var/lock/subsys/sendmail -> $(SEC_CONFIG) ; |
| 911 | #/var/lock/subsys/smb -> $(SEC_CONFIG) ; |
| 912 | #/var/lock/subsys/snmpd -> $(SEC_CONFIG) ; |
| 913 | #/var/lock/subsys/squid -> $(SEC_CONFIG) ; |
| 914 | /var/lock/subsys/sshd -> $(SEC_CONFIG) ; |
| 915 | /var/lock/subsys/syslog -> $(SEC_CONFIG) ; |
| 916 | #/var/lock/subsys/tux -> $(SEC_CONFIG) ; |
| 917 | #/var/lock/subsys/tWnn -> $(SEC_CONFIG) ; |
| 918 | #/var/lock/subsys/ups -> $(SEC_CONFIG) ; |
| 919 | #/var/lock/subsys/vncserver -> $(SEC_CONFIG) ; |
| 920 | #/var/lock/subsys/wine -> $(SEC_CONFIG) ; |
| 921 | /var/lock/subsys/xfs -> $(SEC_CONFIG) ; |
| 922 | /var/lock/subsys/xinetd -> $(SEC_CONFIG) ; |
| 923 | /var/lock/subsys/ypbind -> $(SEC_CONFIG) ; |
| 924 | #/var/lock/subsys/yppasswdd -> $(SEC_CONFIG) ; |
| 925 | #/var/lock/subsys/ypserv -> $(SEC_CONFIG) ; |
| 926 | #/var/lock/subsys/ypxfrd -> $(SEC_CONFIG) ; |
| 927 | #/var/lock/subsys/zebra -> $(SEC_CONFIG) ; |
| 928 | /var/run -> $(SEC_CONFIG) ; |
| 929 | /var/log -> $(SEC_CONFIG) ; |
| 930 | /etc/ioctl.save -> $(SEC_CONFIG) ; |
| 931 | /etc/issue.net -> $(SEC_CONFIG) -i ; # Inode number changes |
| 932 | /etc/issue -> $(SEC_CONFIG) ; |
| 933 | /etc/mtab -> $(SEC_CONFIG) -i ; # Inode number changes on any mount/unmount |
| 934 | /lib/modules -> $(SEC_CONFIG) ; |
| 935 | /etc/.pwd.lock -> $(SEC_CONFIG) ; |
| 936 | # /lib/modules/preferred -> $(SEC_CONFIG) ; #Uncomment when this file exists |
| 937 | } |
| 938 | |
| 939 | # These files change the behavior of the root account |
| 940 | ( |
| 941 | rulename = "Root config files", |
| 942 | severity = 100 |
| 943 | ) |
| 944 | { |
| 945 | /root -> $(SEC_CRIT) ; # Catch all additions to /root |
| 946 | #/root/.Xresources -> $(SEC_CONFIG) ; |
| 947 | /root/.bashrc -> $(SEC_CONFIG) ; |
| 948 | /root/.bash_profile -> $(SEC_CONFIG) ; |
| 949 | /root/.bash_logout -> $(SEC_CONFIG) ; |
| 950 | /root/.cshrc -> $(SEC_CONFIG) ; |
| 951 | /root/.tcshrc -> $(SEC_CONFIG) ; |
| 952 | /root/Mail -> $(SEC_CONFIG) ; |
| 953 | #/root/mail -> $(SEC_CONFIG) ; |
| 954 | #/root/.amandahosts -> $(SEC_CONFIG) ; |
| 955 | #/root/.addressbook.lu -> $(SEC_CONFIG) ; |
| 956 | #/root/.addressbook -> $(SEC_CONFIG) ; |
| 957 | /root/.bash_history -> $(SEC_CONFIG) ; |
| 958 | /root/.elm -> $(SEC_CONFIG) ; |
| 959 | #/root/.esd_auth -> $(SEC_CONFIG) ; |
| 960 | /root/.gnome_private -> $(SEC_CONFIG) ; |
| 961 | /root/.gnome-desktop -> $(SEC_CONFIG) ; |
| 962 | /root/.gnome -> $(SEC_CONFIG) ; |
| 963 | /root/.ICEauthority -> $(SEC_CONFIG) ; |
| 964 | #/root/.mc -> $(SEC_CONFIG) ; |
| 965 | #/root/.pinerc -> $(SEC_CONFIG) ; |
| 966 | /root/.sawfish -> $(SEC_CONFIG) ; |
| 967 | /root/.Xauthority -> $(SEC_CONFIG) -i ; # Changes Inode number on login |
| 968 | #/root/.xauth -> $(SEC_CONFIG) ; |
| 969 | /root/.xsession-errors -> $(SEC_CONFIG) ; |
| 970 | } |
| 971 | |
| 972 | ################################ |
| 973 | # ## |
| 974 | ################################ # |
| 975 | # # # |
| 976 | # Critical configuration files # # |
| 977 | # ## |
| 978 | ################################ |
| 979 | ( |
| 980 | rulename = "Critical configuration files", |
| 981 | severity = $(SIG_HI) |
| 982 | ) |
| 983 | { |
| 984 | #/etc/conf.linuxconf -> $(SEC_BIN) ; |
| 985 | /etc/crontab -> $(SEC_BIN) ; |
| 986 | /etc/cron.hourly -> $(SEC_BIN) ; |
| 987 | /etc/cron.daily -> $(SEC_BIN) ; |
| 988 | /etc/cron.weekly -> $(SEC_BIN) ; |
| 989 | /etc/cron.monthly -> $(SEC_BIN) ; |
| 990 | /etc/default -> $(SEC_BIN) ; |
| 991 | /etc/fstab -> $(SEC_BIN) ; |
| 992 | /etc/exports -> $(SEC_BIN) ; |
| 993 | /etc/group- -> $(SEC_BIN) ; # changes should be infrequent |
| 994 | /etc/host.conf -> $(SEC_BIN) ; |
| 995 | /etc/hosts.allow -> $(SEC_BIN) ; |
| 996 | /etc/hosts.deny -> $(SEC_BIN) ; |
| 997 | /etc/httpd/conf -> $(SEC_BIN) ; # changes should be infrequent |
| 998 | /etc/protocols -> $(SEC_BIN) ; |
| 999 | /etc/services -> $(SEC_BIN) ; |
| 1000 | /etc/rc.d/init.d -> $(SEC_BIN) ; |
| 1001 | /etc/rc.d -> $(SEC_BIN) ; |
| 1002 | /etc/mail.rc -> $(SEC_BIN) ; |
| 1003 | /etc/modules.conf -> $(SEC_BIN) ; |
| 1004 | /etc/motd -> $(SEC_BIN) ; |
| 1005 | /etc/named.conf -> $(SEC_BIN) ; |
| 1006 | /etc/passwd -> $(SEC_CONFIG) ; |
| 1007 | /etc/passwd- -> $(SEC_CONFIG) ; |
| 1008 | /etc/profile.d -> $(SEC_BIN) ; |
| 1009 | /var/lib/nfs/rmtab -> $(SEC_BIN) ; |
| 1010 | /usr/sbin/fixrmtab -> $(SEC_BIN) ; |
| 1011 | /etc/rpc -> $(SEC_BIN) ; |
| 1012 | /etc/sysconfig -> $(SEC_BIN) ; |
| 1013 | /etc/samba/smb.conf -> $(SEC_CONFIG) ; |
| 1014 | #/etc/gettydefs -> $(SEC_BIN) ; |
| 1015 | /etc/nsswitch.conf -> $(SEC_BIN) ; |
| 1016 | /etc/yp.conf -> $(SEC_BIN) ; |
| 1017 | /etc/hosts -> $(SEC_CONFIG) ; |
| 1018 | /etc/xinetd.conf -> $(SEC_CONFIG) ; |
| 1019 | /etc/inittab -> $(SEC_CONFIG) ; |
| 1020 | /etc/resolv.conf -> $(SEC_CONFIG) ; |
| 1021 | /etc/syslog.conf -> $(SEC_CONFIG) ; |
| 1022 | } |
| 1023 | |
| 1024 | #################### |
| 1025 | # ## |
| 1026 | #################### # |
| 1027 | # # # |
| 1028 | # Critical devices # # |
| 1029 | # ## |
| 1030 | #################### |
| 1031 | ( |
| 1032 | rulename = "Critical devices", |
| 1033 | severity = $(SIG_HI), |
| 1034 | recurse = false |
| 1035 | ) |
| 1036 | { |
| 1037 | /dev/kmem -> $(Device) ; |
| 1038 | /dev/mem -> $(Device) ; |
| 1039 | /dev/null -> $(Device) ; |
| 1040 | /dev/zero -> $(Device) ; |
| 1041 | /proc/devices -> $(Device) ; |
| 1042 | /proc/net -> $(Device) ; |
| 1043 | /proc/sys -> $(Device) ; |
| 1044 | /proc/cpuinfo -> $(Device) ; |
| 1045 | /proc/modules -> $(Device) ; |
| 1046 | /proc/mounts -> $(Device) ; |
| 1047 | /proc/dma -> $(Device) ; |
| 1048 | /proc/filesystems -> $(Device) ; |
| 1049 | /proc/pci -> $(Device) ; |
| 1050 | /proc/interrupts -> $(Device) ; |
| 1051 | /proc/driver/rtc -> $(Device) ; |
| 1052 | /proc/ioports -> $(Device) ; |
| 1053 | #/proc/scsi -> $(Device) ; |
| 1054 | /proc/kcore -> $(Device) ; |
| 1055 | /proc/self -> $(Device) ; |
| 1056 | /proc/kmsg -> $(Device) ; |
| 1057 | /proc/stat -> $(Device) ; |
| 1058 | /proc/ksyms -> $(Device) ; |
| 1059 | /proc/loadavg -> $(Device) ; |
| 1060 | /proc/uptime -> $(Device) ; |
| 1061 | /proc/locks -> $(Device) ; |
| 1062 | /proc/version -> $(Device) ; |
| 1063 | /proc/mdstat -> $(Device) ; |
| 1064 | /proc/meminfo -> $(Device) ; |
| 1065 | /proc/cmdline -> $(Device) ; |
| 1066 | /proc/misc -> $(Device) ; |
| 1067 | } |
| 1068 | |
| 1069 | # Rest of critical system binaries |
| 1070 | ( |
| 1071 | rulename = "OS executables and libraries", |
| 1072 | severity = $(SIG_HI) |
| 1073 | ) |
| 1074 | { |
| 1075 | /bin -> $(SEC_BIN) ; |
| 1076 | /lib -> $(SEC_BIN) ; |
| 1077 | } |
| 1078 | |
| 1079 | #============================================================================= |
| 1080 | # |
| 1081 | # Copyright 2000 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, |
| 1082 | # Inc. in the United States and other countries. All rights reserved. |
| 1083 | # |
| 1084 | # Linux is a registered trademark of Linus Torvalds. |
| 1085 | # |
| 1086 | # UNIX is a registered trademark of The Open Group. |
| 1087 | # |
| 1088 | #============================================================================= |
| 1089 | # |
| 1090 | # Permission is granted to make and distribute verbatim copies of this document |
| 1091 | # provided the copyright notice and this permission notice are preserved on all |
| 1092 | # copies. |
| 1093 | # |
| 1094 | # Permission is granted to copy and distribute modified versions of this |
| 1095 | # document under the conditions for verbatim copying, provided that the entire |
| 1096 | # resulting derived work is distributed under the terms of a permission notice |
| 1097 | # identical to this one. |
| 1098 | # |
| 1099 | # Permission is granted to copy and distribute translations of this document |
| 1100 | # into another language, under the above conditions for modified versions, |
| 1101 | # except that this permission notice may be stated in a translation approved by |
| 1102 | # Tripwire, Inc. |
| 1103 | # |
| 1104 | # DCM |
| 1105 | # |
| 1106 | # $Id: twpol-GENERIC.txt,v 1.1 2003/06/08 02:00:06 pherman Exp $ |
| 1107 | # |