Commit | Line | Data |
---|---|---|
92004c61 CS |
1 | @@section GLOBAL |
2 | TWROOT=/usr/sbin; # not referenced by any rule in the lines shown | |
3 | TWBIN=/usr/sbin; # not referenced by any rule in the lines shown | |
4 | TWPOL="/var/ipfire/tripwire"; # tw.pol and tw.cfg are referenced under this path in the System Files rule | |
5 | TWDB="/var/ipfire/tripwire"; # same directory as TWPOL, TWSKEY and TWLKEY | |
6 | TWSKEY="/var/ipfire/tripwire"; # site.key is referenced under this path in the System Files rule | |
7 | TWLKEY="/var/ipfire/tripwire"; # local.key is referenced under this path. NOTE(review): policy, database and both keys share one directory on the monitored host - confirm the baseline and keys are also kept on read-only or off-host media | |
8 | TWREPORT="/var/ipfire/tripwire/report"; # report directory; watched non-recursively at the end of the System Files rule | |
71dfc4b7 | 9 | HOSTNAME=ipfire; |
92004c61 CS |
10 | |
11 | @@section FS | |
12 | SEC_CRIT = $(IgnoreNone)-SHa ; # Critical files that cannot change: every property is compared except SHA (S), HAVAL (H) and access time (a), so content hashing rests on CRC32 and MD5. NOTE(review): MD5 is not collision-resistant; consider keeping S if scan time allows | |
92004c61 CS |
13 | SEC_CONFIG = $(Dynamic) ; # Config files that are changed infrequently but accessed often; $(Dynamic) does not compare size, timestamps or hashes, so content changes are not reported |
14 | SEC_LOG = $(Growing) ; # Files that grow, but that should never change ownership; not referenced by any rule in the lines shown | |
15 | SEC_INVARIANT = +tpug ; # Directories that should never change permission or ownership: compares only type (t), permissions (p), owner (u) and group (g) | |
16 | SIG_LOW = 33 ; # Severity for non-critical files that are of minimal security impact; not referenced by any rule in the lines shown | |
17 | SIG_MED = 66 ; # Severity for non-critical files that are of significant security impact | |
18 | SIG_HI = 100 ; # Severity for critical files that are significant points of vulnerability | |
19 | ||
71dfc4b7 | 20 | # System Files: Tripwire's own data plus the core system directories, reported at the highest severity defined above (SIG_HI) |
92004c61 | 21 | |
92004c61 | 22 | ( |
71dfc4b7 | 23 | rulename = "System Files", |
92004c61 CS |
24 | severity = $(SIG_HI) |
25 | ) | |
26 | { | |
71dfc4b7 CS |
27 | $(TWDB) -> $(SEC_CRIT) ; |
28 | $(TWPOL)/tw.pol -> $(SEC_CRIT) -i ; # -i: the inode number is not compared | |
29 | $(TWPOL)/tw.cfg -> $(SEC_CRIT) -i ; # -i: the inode number is not compared | |
30 | $(TWLKEY)/local.key -> $(SEC_CRIT) ; | |
31 | $(TWSKEY)/site.key -> $(SEC_CRIT) ; | |
92004c61 | 32 | # Core system directories. NOTE(review): /var (apart from the Tripwire directory and the /var/log entry in the Critical devices rule) and /opt are not covered by the rules shown - confirm that is intended |
71dfc4b7 CS |
33 | /bin -> $(SEC_CRIT) ; |
34 | /boot -> $(SEC_CRIT) ; | |
35 | /etc -> $(SEC_CRIT) ; | |
36 | /lib -> $(SEC_CRIT) ; | |
37 | /root -> $(SEC_CRIT) ; | |
38 | /root/.bash_history -> $(Dynamic) ; # $(Dynamic): size, timestamps and hashes are not compared, so edits to or truncation of the history go unreported | |
39 | /sbin -> $(SEC_CRIT) ; | |
40 | /usr -> $(SEC_CRIT) ; | |
41 | !/usr/src ; # stop point: /usr/src is excluded from the /usr scan | |
42 | /etc/mtab -> $(SEC_CONFIG) -i ; # Inode number changes on any mount/unmount | |
92004c61 CS |
43 | |
44 | # Don't scan the individual reports: recurse=0 checks only the report directory itself | |
71dfc4b7 | 45 | $(TWREPORT) -> $(SEC_CONFIG) (recurse=0) ; |
92004c61 CS |
46 | } |
47 | ||
92004c61 CS |
48 | # Commonly accessed directories whose type, permissions, owner and group should remain static (SEC_INVARIANT = +tpug) |
49 | ( | |
50 | rulename = "Invariant Directories", | |
92004c61 CS |
51 | severity = $(SIG_MED) |
52 | ) | |
53 | { | |
71dfc4b7 CS |
54 | / -> $(SEC_INVARIANT) (recurse = 0) ; # recurse = 0: only the directory entry itself is checked |
55 | /home -> $(SEC_INVARIANT) (recurse = 0) ; # recurse = 0: only the directory entry itself is checked | |
56 | /tmp -> $(SEC_INVARIANT) ; # NOTE(review): no recurse limit here, unlike / and /home, so objects under /tmp are scanned too and files appearing or disappearing there will likely be reported - confirm this is intended | |
92004c61 CS |
57 | } |
58 | ||
71dfc4b7 | 59 | # Critical Devices: device nodes, /proc entries and /var/log, each checked without recursion at SIG_HI severity |
92004c61 | 60 | |
92004c61 CS |
61 | ( |
62 | rulename = "Critical devices", | |
92004c61 CS |
63 | severity = $(SIG_HI), |
64 | recurse = false # rule-level attribute: applies to every entry below | |
65 | ) | |
66 | { | |
71dfc4b7 CS |
67 | /dev/console -> $(SEC_CONFIG) -u ; # User ID may change on console login/logout, so -u leaves the owner out of the comparison. |
68 | /dev/initctl -> $(SEC_CONFIG) ; /dev/log -> $(SEC_CONFIG) ; # two entries share this line | |
69 | /proc/modules -> $(Device) ; # $(Device): Tripwire's predefined mask for objects it should not open and hash | |
70 | /proc/mounts -> $(Device) ; | |
71 | /proc/filesystems -> $(Device) ; | |
72 | /proc/misc -> $(Device) ; | |
73 | /var/log -> $(SEC_CONFIG) ; # with recurse = false only the /var/log directory entry is checked, not the log files inside it; SEC_LOG is defined in the FS section but unused in the lines shown - NOTE(review): confirm log files are meant to be unmonitored | |
74 | } |