Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- #
- # Standard Debian Tripwire configuration
- #
- #
- # This configuration covers the contents of all 'Essential: yes'
- # packages along with any packages necessary for access to an internet
- # or system availability, e.g. name services, mail services, PCMCIA
- # support, RAID support, and backup/restore support.
- #
- #
- # Global Variable Definitions
- #
- # These definitions override those in to configuration file. Do not
- # change them unless you understand what you're doing.
- #
- @@section GLOBAL
- TWBIN = /usr/sbin;
- TWETC = /etc/tripwire;
- TWVAR = /var/lib/tripwire;
- #
- # File System Definitions
- #
- @@section FS
- #
- # First, some variables to make configuration easier
- #
- SEC_CRIT = $(IgnoreNone)-SHa ; # Critical files that cannot change
- SEC_BIN = $(ReadOnly) ; # Binaries that should not change
- SEC_CONFIG = $(Dynamic) ; # Config files that are changed
- # infrequently but accessed
- # often
- SEC_LOG = $(Growing) ; # Files that grow, but that
- # should never change ownership
- SEC_INVARIANT = +tpug ; # Directories that should never
- # change permission or ownership
- SIG_LOW = 33 ; # Non-critical files that are of
- # minimal security impact
- SIG_MED = 66 ; # Non-critical files that are of
- # significant security impact
- SIG_HI = 100 ; # Critical files that are
- # significant points of
- # vulnerability
- #
- # Tripwire Binaries
- #
- (
- rulename = "Tripwire Binaries",
- severity = $(SIG_HI)
- )
- {
- $(TWBIN)/siggen -> $(SEC_BIN) ;
- $(TWBIN)/tripwire -> $(SEC_BIN) ;
- $(TWBIN)/twadmin -> $(SEC_BIN) ;
- $(TWBIN)/twprint -> $(SEC_BIN) ;
- }
- #
- # Tripwire Data Files - Configuration Files, Policy Files, Keys,
- # Reports, Databases
- #
- # NOTE: We remove the inode attribute because when Tripwire creates a
- # backup, it does so by renaming the old file and creating a new one
- # (which will have a new inode number). Inode is left turned on for
- # keys, which shouldn't ever change.
- # NOTE: The first integrity check triggers this rule and each
- # integrity check afterward triggers this rule until a database update
- # is run, since the database file does not exist before that point.
- (
- rulename = "Tripwire Data Files",
- severity = $(SIG_HI)
- )
- {
- $(TWVAR)/$(HOSTNAME).twd -> $(SEC_CONFIG) -i ;
- $(TWETC)/tw.pol -> $(SEC_BIN) -i ;
- $(TWETC)/tw.cfg -> $(SEC_BIN) -i ;
- $(TWETC)/$(HOSTNAME)-local.key -> $(SEC_BIN) ;
- $(TWETC)/site.key -> $(SEC_BIN) ;
- #don't scan the individual reports
- $(TWVAR)/report -> $(SEC_CONFIG) (recurse=0) ;
- }
- #
- # Critical System Boot Files
- # These files are critical to a correct system boot.
- #
- (
- rulename = "Critical system boot files",
- severity = $(SIG_HI)
- )
- {
- /boot -> $(SEC_CRIT) ;
- /lib/modules -> $(SEC_CRIT) ;
- }
- (
- rulename = "Boot Scripts",
- severity = $(SIG_HI)
- )
- {
- /etc/init.d -> $(SEC_BIN) ;
- /etc/rc.boot -> $(SEC_BIN) ;
- /etc/rcS.d -> $(SEC_BIN) ;
- /etc/rc0.d -> $(SEC_BIN) ;
- /etc/rc1.d -> $(SEC_BIN) ;
- /etc/rc2.d -> $(SEC_BIN) ;
- /etc/rc3.d -> $(SEC_BIN) ;
- /etc/rc4.d -> $(SEC_BIN) ;
- /etc/rc5.d -> $(SEC_BIN) ;
- /etc/rc6.d -> $(SEC_BIN) ;
- }
- #
- # Critical executables
- #
- (
- rulename = "Root file-system executables",
- severity = $(SIG_HI)
- )
- {
- /bin -> $(SEC_BIN) ;
- /sbin -> $(SEC_BIN) ;
- }
- #
- # Critical Libraries
- #
- (
- rulename = "Root file-system libraries",
- severity = $(SIG_HI)
- )
- {
- /lib -> $(SEC_BIN) ;
- }
- #
- # Login and Privilege Raising Programs
- #
- (
- rulename = "Security Control",
- severity = $(SIG_MED)
- )
- {
- /etc/passwd -> $(SEC_CONFIG) ;
- /etc/shadow -> $(SEC_CONFIG) ;
- }
- #
- # These files change every time the system boots
- #
- (
- rulename = "System boot changes",
- severity = $(SIG_HI)
- )
- {
- /var/lock -> $(SEC_CONFIG) ;
- /var/run -> $(SEC_CONFIG) ; # daemon PIDs
- /var/log -> $(SEC_CONFIG) ;
- }
- # These files change the behavior of the root account
- (
- rulename = "Root config files",
- severity = 100
- )
- {
- /root -> $(SEC_CRIT) ; # Catch all additions to /root
- /root/mail -> $(SEC_CONFIG) ;
- /root/Mail -> $(SEC_CONFIG) ;
- /root/.xsession-errors -> $(SEC_CONFIG) ;
- /root/.xauth -> $(SEC_CONFIG) ;
- /root/.tcshrc -> $(SEC_CONFIG) ;
- /root/.sawfish -> $(SEC_CONFIG) ;
- /root/.pinerc -> $(SEC_CONFIG) ;
- /root/.mc -> $(SEC_CONFIG) ;
- /root/.gnome_private -> $(SEC_CONFIG) ;
- /root/.gnome-desktop -> $(SEC_CONFIG) ;
- /root/.gnome -> $(SEC_CONFIG) ;
- /root/.esd_auth -> $(SEC_CONFIG) ;
- /root/.elm -> $(SEC_CONFIG) ;
- /root/.cshrc -> $(SEC_CONFIG) ;
- /root/.bashrc -> $(SEC_CONFIG) ;
- /root/.bash_profile -> $(SEC_CONFIG) ;
- /root/.bash_logout -> $(SEC_CONFIG) ;
- /root/.bash_history -> $(SEC_CONFIG) ;
- /root/.amandahosts -> $(SEC_CONFIG) ;
- /root/.addressbook.lu -> $(SEC_CONFIG) ;
- /root/.addressbook -> $(SEC_CONFIG) ;
- /root/.Xresources -> $(SEC_CONFIG) ;
- /root/.Xauthority -> $(SEC_CONFIG) -i ; # Changes Inode number on login
- /root/.ICEauthority -> $(SEC_CONFIG) ;
- }
- #
- # Critical devices
- #
- (
- rulename = "Devices & Kernel information",
- severity = $(SIG_HI),
- )
- {
- /dev -> $(Device) ;
- /proc -> $(Device) ;
- }
- #
- # Other configuration files
- #
- (
- rulename = "Other configuration files",
- severity = $(SIG_MED)
- )
- {
- /etc -> $(SEC_BIN) ;
- }
- #
- # Binaries
- #
- (
- rulename = "Other binaries",
- severity = $(SIG_MED)
- )
- {
- /usr/local/sbin -> $(SEC_BIN) ;
- /usr/local/bin -> $(SEC_BIN) ;
- /usr/sbin -> $(SEC_BIN) ;
- /usr/bin -> $(SEC_BIN) ;
- }
- #
- # Libraries
- #
- (
- rulename = "Other libraries",
- severity = $(SIG_MED)
- )
- {
- /usr/local/lib -> $(SEC_BIN) ;
- /usr/lib -> $(SEC_BIN) ;
- }
- #
- # Commonly accessed directories that should remain static with regards
- # to owner and group
- #
- (
- rulename = "Invariant Directories",
- severity = $(SIG_MED)
- )
- {
- / -> $(SEC_INVARIANT) (recurse = 0) ;
- /home -> $(SEC_INVARIANT) (recurse = 0) ;
- /tmp -> $(SEC_INVARIANT) (recurse = 0) ;
- /usr -> $(SEC_INVARIANT) (recurse = 0) ;
- /var -> $(SEC_INVARIANT) (recurse = 0) ;
- /var/tmp -> $(SEC_INVARIANT) (recurse = 0) ;
- }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement