[people/pmueller/ipfire-2.x.git] / config / tripwire / twpol.txt

@@section GLOBAL
TWROOT=/usr/sbin;
TWBIN=/usr/sbin;
TWPOL="/var/ipfire/tripwire";
TWDB="/var/ipfire/tripwire";
TWSKEY="/var/ipfire/tripwire";
TWLKEY="/var/ipfire/tripwire";
TWREPORT="/var/ipfire/tripwire/report";
HOSTNAME=ipfire;

@@section FS
SEC_CRIT      = $(IgnoreNone)-SHa ;  # Critical files that cannot change
SEC_CONFIG    = $(Dynamic) ;         # Config files that are changed infrequently but accessed often
SEC_LOG       = $(Growing) ;         # Files that grow, but that should never change ownership
SEC_INVARIANT = +tpug ;              # Directories that should never change permission or ownership
SIG_LOW       = 33 ;                 # Non-critical files that are of minimal security impact
SIG_MED       = 66 ;                 # Non-critical files that are of significant security impact
SIG_HI        = 100 ;                # Critical files that are significant points of vulnerability

# System Files

(
  rulename = "System Files",
  severity = $(SIG_HI)
)
{
  $(TWDB)                          -> $(SEC_CRIT) ;
  $(TWPOL)/tw.pol                  -> $(SEC_CRIT) -i ;
  $(TWPOL)/tw.cfg                  -> $(SEC_CRIT) -i ;
  $(TWLKEY)/local.key              -> $(SEC_CRIT) ;
  $(TWSKEY)/site.key               -> $(SEC_CRIT) ;

  /bin		                         -> $(SEC_CRIT) ;
  /boot                            -> $(SEC_CRIT) ;
  /etc                             -> $(SEC_CRIT) ;
  /etc/snort/rules/                -> $(Dynamic)  ;
  /lib                             -> $(SEC_CRIT) ;
  /root                            -> $(SEC_CRIT) ;
  /root/.bash_history              -> $(Dynamic)  ;
  /sbin                            -> $(SEC_CRIT) ;
  /usr                             -> $(SEC_CRIT) ;
  /usr/share/clamav                -> $(Dynamic)  ;
  /etc/mtab                        -> $(SEC_CONFIG) -i ; # Inode number changes on any mount/unmount

  #don't scan the individual reports
  $(TWREPORT)                      -> $(SEC_CONFIG) (recurse=0) ;
}

# Commonly accessed directories that should remain static with regards to owner and group
(
  rulename = "Invariant Directories",
  severity = $(SIG_MED)
)
{
  /                               -> $(SEC_INVARIANT) (recurse = 0) ;
  /home                           -> $(SEC_INVARIANT) (recurse = 0) ;
  /tmp                            -> $(SEC_INVARIANT) ;
}

# Critical Devices

(
  rulename = "Critical devices",
  severity = $(SIG_HI),
  recurse = false
)
{
     /dev/console                 -> $(SEC_CONFIG) -u ; # User ID may change on console login/logout.
     /dev/initctl                 -> $(SEC_CONFIG) ;     /dev/log                     -> $(SEC_CONFIG) ;
     /proc/modules                -> $(Device) ;
     /proc/mounts                 -> $(Device) ;
     /proc/filesystems            -> $(Device) ;
     /proc/misc                   -> $(Device) ;
     /var/log                     -> $(SEC_LOG) ;
}
Commit	Line	Data
92004c61 CS	1	@@section GLOBAL
	2	TWROOT=/usr/sbin;
	3	TWBIN=/usr/sbin;
	4	TWPOL="/var/ipfire/tripwire";
	5	TWDB="/var/ipfire/tripwire";
	6	TWSKEY="/var/ipfire/tripwire";
	7	TWLKEY="/var/ipfire/tripwire";
	8	TWREPORT="/var/ipfire/tripwire/report";
71dfc4b7	9	HOSTNAME=ipfire;
92004c61 CS	10
	11	@@section FS
	12	SEC_CRIT = $(IgnoreNone)-SHa ; # Critical files that cannot change
92004c61 CS	13	SEC_CONFIG = $(Dynamic) ; # Config files that are changed infrequently but accessed often
	14	SEC_LOG = $(Growing) ; # Files that grow, but that should never change ownership
	15	SEC_INVARIANT = +tpug ; # Directories that should never change permission or ownership
	16	SIG_LOW = 33 ; # Non-critical files that are of minimal security impact
	17	SIG_MED = 66 ; # Non-critical files that are of significant security impact
	18	SIG_HI = 100 ; # Critical files that are significant points of vulnerability
	19
71dfc4b7	20	# System Files
92004c61	21
92004c61	22	(
71dfc4b7	23	rulename = "System Files",
92004c61 CS	24	severity = $(SIG_HI)
	25	)
	26	{
71dfc4b7 CS	27	$(TWDB) -> $(SEC_CRIT) ;
	28	$(TWPOL)/tw.pol -> $(SEC_CRIT) -i ;
	29	$(TWPOL)/tw.cfg -> $(SEC_CRIT) -i ;
8871b9f2	30	$(TWLKEY)/local.key -> $(SEC_CRIT) ;
71dfc4b7	31	$(TWSKEY)/site.key -> $(SEC_CRIT) ;
92004c61	32
8871b9f2	33	/bin -> $(SEC_CRIT) ;
71dfc4b7 CS	34	/boot -> $(SEC_CRIT) ;
71dfc4b7 CS	35	/etc -> $(SEC_CRIT) ;
1b73b07e	36	/etc/snort/rules/ -> $(Dynamic) ;
71dfc4b7 CS	37	/lib -> $(SEC_CRIT) ;
	38	/root -> $(SEC_CRIT) ;
	39	/root/.bash_history -> $(Dynamic) ;
	40	/sbin -> $(SEC_CRIT) ;
	41	/usr -> $(SEC_CRIT) ;
1b73b07e	42	/usr/share/clamav -> $(Dynamic) ;
71dfc4b7	43	/etc/mtab -> $(SEC_CONFIG) -i ; # Inode number changes on any mount/unmount
92004c61 CS	44
92004c61 CS	45	#don't scan the individual reports
71dfc4b7	46	$(TWREPORT) -> $(SEC_CONFIG) (recurse=0) ;
92004c61 CS	47	}
92004c61 CS	48
92004c61 CS	49	# Commonly accessed directories that should remain static with regards to owner and group
	50	(
	51	rulename = "Invariant Directories",
92004c61 CS	52	severity = $(SIG_MED)
	53	)
	54	{
71dfc4b7 CS	55	/ -> $(SEC_INVARIANT) (recurse = 0) ;
	56	/home -> $(SEC_INVARIANT) (recurse = 0) ;
	57	/tmp -> $(SEC_INVARIANT) ;
92004c61 CS	58	}
92004c61 CS	59
71dfc4b7	60	# Critical Devices
92004c61	61
92004c61 CS	62	(
92004c61 CS	63	rulename = "Critical devices",
92004c61 CS	64	severity = $(SIG_HI),
	65	recurse = false
	66	)
	67	{
71dfc4b7 CS	68	/dev/console -> $(SEC_CONFIG) -u ; # User ID may change on console login/logout.
	69	/dev/initctl -> $(SEC_CONFIG) ; /dev/log -> $(SEC_CONFIG) ;
	70	/proc/modules -> $(Device) ;
	71	/proc/mounts -> $(Device) ;
	72	/proc/filesystems -> $(Device) ;
	73	/proc/misc -> $(Device) ;
8871b9f2 CS	74	/var/log -> $(SEC_LOG) ;
8871b9f2 CS	75	}