  1.  
  2. #
  3. # Standard Debian Tripwire configuration
  4. #
  5. #
  6. # This configuration covers the contents of all 'Essential: yes'
  7. # packages along with any packages necessary for access to an internet
  8. # or system availability, e.g. name services, mail services, PCMCIA
  9. # support, RAID support, and backup/restore support.
  10. #
  11.  
  12. #
  13. # Global Variable Definitions
  14. #
  15. # These definitions override those in the configuration file. Do not
  16. # change them unless you understand what you're doing.
  17. #
  18.  
  19. @@section GLOBAL
  20. TWBIN = /usr/sbin;
  21. TWETC = /etc/tripwire;
  22. TWVAR = /var/lib/tripwire;
  23.  
  24. #
  25. # File System Definitions
  26. #
  27. @@section FS
  28.  
  29. #
  30. # First, some variables to make configuration easier
  31. #
  32. SEC_CRIT = $(IgnoreNone)-SHa ; # Critical files that cannot change
  33.  
  34. SEC_BIN = $(ReadOnly) ; # Binaries that should not change
  35.  
  36. SEC_CONFIG = $(Dynamic) ; # Config files that are changed
  37. # infrequently but accessed
  38. # often
  39.  
  40. SEC_LOG = $(Growing) ; # Files that grow, but that
  41. # should never change ownership
  42.  
  43. SEC_INVARIANT = +tpug ; # Directories that should never
  44. # change permission or ownership
  45.  
  46. SIG_LOW = 33 ; # Non-critical files that are of
  47. # minimal security impact
  48.  
  49. SIG_MED = 66 ; # Non-critical files that are of
  50. # significant security impact
  51.  
  52. SIG_HI = 100 ; # Critical files that are
  53. # significant points of
  54. # vulnerability
  55.  
  56. #
  57. # Tripwire Binaries
  58. #
  59. (
  60. rulename = "Tripwire Binaries",
  61. severity = $(SIG_HI)
  62. )
  63. {
  64. $(TWBIN)/siggen -> $(SEC_BIN) ;
  65. $(TWBIN)/tripwire -> $(SEC_BIN) ;
  66. $(TWBIN)/twadmin -> $(SEC_BIN) ;
  67. $(TWBIN)/twprint -> $(SEC_BIN) ;
  68. }
  69.  
  70. #
  71. # Tripwire Data Files - Configuration Files, Policy Files, Keys,
  72. # Reports, Databases
  73. #
  74.  
  75. # NOTE: We remove the inode attribute because when Tripwire creates a
  76. # backup, it does so by renaming the old file and creating a new one
  77. # (which will have a new inode number). Inode is left turned on for
  78. # keys, which shouldn't ever change.
  79.  
  80. # NOTE: The first integrity check triggers this rule and each
  81. # integrity check afterward triggers this rule until a database update
  82. # is run, since the database file does not exist before that point.
  83. (
  84. rulename = "Tripwire Data Files",
  85. severity = $(SIG_HI)
  86. )
  87. {
  88. $(TWVAR)/$(HOSTNAME).twd -> $(SEC_CONFIG) -i ;
  89. $(TWETC)/tw.pol -> $(SEC_BIN) -i ;
  90. $(TWETC)/tw.cfg -> $(SEC_BIN) -i ;
  91. $(TWETC)/$(HOSTNAME)-local.key -> $(SEC_BIN) ;
  92. $(TWETC)/site.key -> $(SEC_BIN) ;
  93.  
  94. #don't scan the individual reports
  95. $(TWVAR)/report -> $(SEC_CONFIG) (recurse=0) ;
  96. }
  97.  
  98. #
  99. # Critical System Boot Files
  100. # These files are critical to a correct system boot.
  101. #
  102. (
  103. rulename = "Critical system boot files",
  104. severity = $(SIG_HI)
  105. )
  106. {
  107. /boot -> $(SEC_CRIT) ;
  108. /lib/modules -> $(SEC_CRIT) ;
  109. }
  110.  
  111. (
  112. rulename = "Boot Scripts",
  113. severity = $(SIG_HI)
  114. )
  115. {
  116. /etc/init.d -> $(SEC_BIN) ;
  117. /etc/rc.boot -> $(SEC_BIN) ;
  118. /etc/rcS.d -> $(SEC_BIN) ;
  119. /etc/rc0.d -> $(SEC_BIN) ;
  120. /etc/rc1.d -> $(SEC_BIN) ;
  121. /etc/rc2.d -> $(SEC_BIN) ;
  122. /etc/rc3.d -> $(SEC_BIN) ;
  123. /etc/rc4.d -> $(SEC_BIN) ;
  124. /etc/rc5.d -> $(SEC_BIN) ;
  125. /etc/rc6.d -> $(SEC_BIN) ;
  126. }
  127.  
  128.  
  129. #
  130. # Critical executables
  131. #
  132. (
  133. rulename = "Root file-system executables",
  134. severity = $(SIG_HI)
  135. )
  136. {
  137. /bin -> $(SEC_BIN) ;
  138. /sbin -> $(SEC_BIN) ;
  139. }
  140.  
  141. #
  142. # Critical Libraries
  143. #
  144. (
  145. rulename = "Root file-system libraries",
  146. severity = $(SIG_HI)
  147. )
  148. {
  149. /lib -> $(SEC_BIN) ;
  150. }
  151.  
  152.  
  153. #
  154. # Login and Privilege Raising Programs
  155. #
  156. (
  157. rulename = "Security Control",
  158. severity = $(SIG_MED)
  159. )
  160. {
  161. /etc/passwd -> $(SEC_CONFIG) ;
  162. /etc/shadow -> $(SEC_CONFIG) ;
  163. }
  164.  
  165.  
  166.  
  167.  
  168. #
  169. # These files change every time the system boots
  170. #
  171. (
  172. rulename = "System boot changes",
  173. severity = $(SIG_HI)
  174. )
  175. {
  176. /var/lock -> $(SEC_CONFIG) ;
  177. /var/run -> $(SEC_CONFIG) ; # daemon PIDs
  178. /var/log -> $(SEC_CONFIG) ;
  179. }
  180.  
  181. # These files change the behavior of the root account
  182. (
  183. rulename = "Root config files",
  184. severity = 100
  185. )
  186. {
  187. /root -> $(SEC_CRIT) ; # Catch all additions to /root
  188. /root/mail -> $(SEC_CONFIG) ;
  189. /root/Mail -> $(SEC_CONFIG) ;
  190. /root/.xsession-errors -> $(SEC_CONFIG) ;
  191. /root/.xauth -> $(SEC_CONFIG) ;
  192. /root/.tcshrc -> $(SEC_CONFIG) ;
  193. /root/.sawfish -> $(SEC_CONFIG) ;
  194. /root/.pinerc -> $(SEC_CONFIG) ;
  195. /root/.mc -> $(SEC_CONFIG) ;
  196. /root/.gnome_private -> $(SEC_CONFIG) ;
  197. /root/.gnome-desktop -> $(SEC_CONFIG) ;
  198. /root/.gnome -> $(SEC_CONFIG) ;
  199. /root/.esd_auth -> $(SEC_CONFIG) ;
  200. /root/.elm -> $(SEC_CONFIG) ;
  201. /root/.cshrc -> $(SEC_CONFIG) ;
  202. /root/.bashrc -> $(SEC_CONFIG) ;
  203. /root/.bash_profile -> $(SEC_CONFIG) ;
  204. /root/.bash_logout -> $(SEC_CONFIG) ;
  205. /root/.bash_history -> $(SEC_CONFIG) ;
  206. /root/.amandahosts -> $(SEC_CONFIG) ;
  207. /root/.addressbook.lu -> $(SEC_CONFIG) ;
  208. /root/.addressbook -> $(SEC_CONFIG) ;
  209. /root/.Xresources -> $(SEC_CONFIG) ;
  210. /root/.Xauthority -> $(SEC_CONFIG) -i ; # Changes Inode number on login
  211. /root/.ICEauthority -> $(SEC_CONFIG) ;
  212. }
  213.  
  214. #
  215. # Critical devices
  216. #
  217. (
  218. rulename = "Devices & Kernel information",
  219. severity = $(SIG_HI),
  220. )
  221. {
  222. /dev -> $(Device) ;
  223. /proc -> $(Device) ;
  224. }
  225.  
  226. #
  227. # Other configuration files
  228. #
  229. (
  230. rulename = "Other configuration files",
  231. severity = $(SIG_MED)
  232. )
  233. {
  234. /etc -> $(SEC_BIN) ;
  235. }
  236.  
  237. #
  238. # Binaries
  239. #
  240. (
  241. rulename = "Other binaries",
  242. severity = $(SIG_MED)
  243. )
  244. {
  245. /usr/local/sbin -> $(SEC_BIN) ;
  246. /usr/local/bin -> $(SEC_BIN) ;
  247. /usr/sbin -> $(SEC_BIN) ;
  248. /usr/bin -> $(SEC_BIN) ;
  249. }
  250.  
  251. #
  252. # Libraries
  253. #
  254. (
  255. rulename = "Other libraries",
  256. severity = $(SIG_MED)
  257. )
  258. {
  259. /usr/local/lib -> $(SEC_BIN) ;
  260. /usr/lib -> $(SEC_BIN) ;
  261. }
  262.  
  263. #
  264. # Commonly accessed directories that should remain static with regards
  265. # to owner and group
  266. #
  267. (
  268. rulename = "Invariant Directories",
  269. severity = $(SIG_MED)
  270. )
  271. {
  272. / -> $(SEC_INVARIANT) (recurse = 0) ;
  273. /home -> $(SEC_INVARIANT) (recurse = 0) ;
  274. /tmp -> $(SEC_INVARIANT) (recurse = 0) ;
  275. /usr -> $(SEC_INVARIANT) (recurse = 0) ;
  276. /var -> $(SEC_INVARIANT) (recurse = 0) ;
  277. /var/tmp -> $(SEC_INVARIANT) (recurse = 0) ;
  278. }