[people/pmueller/ipfire-2.x.git] / config / tripwire / twpol.txt

@@section GLOBAL
TWROOT=/usr/sbin;
TWBIN=/usr/sbin;
TWPOL="/var/ipfire/tripwire";
TWDB="/var/ipfire/tripwire";
TWSKEY="/var/ipfire/tripwire";
TWLKEY="/var/ipfire/tripwire";
TWREPORT="/var/ipfire/tripwire/report";
HOSTNAME=ipfire;

@@section FS
SEC_CRIT      = $(IgnoreNone)-SHa ;  # Critical files that cannot change
SEC_CONFIG    = $(Dynamic) ;         # Config files that are changed infrequently but accessed often
SEC_LOG       = $(Growing) ;         # Files that grow, but that should never change ownership
SEC_INVARIANT = +tpug ;              # Directories that should never change permission or ownership
SIG_LOW       = 33 ;                 # Non-critical files that are of minimal security impact
SIG_MED       = 66 ;                 # Non-critical files that are of significant security impact
SIG_HI        = 100 ;                # Critical files that are significant points of vulnerability

# System Files

(
  rulename = "System Files",
  severity = $(SIG_HI)
)
{
  $(TWDB)                          -> $(SEC_CRIT) ;
  $(TWPOL)/tw.pol                  -> $(SEC_CRIT) -i ;
  $(TWPOL)/tw.cfg                  -> $(SEC_CRIT) -i ;
  $(TWLKEY)/local.key  -> $(SEC_CRIT) ;
  $(TWSKEY)/site.key               -> $(SEC_CRIT) ;

  /bin		                   -> $(SEC_CRIT) ;
  /boot                            -> $(SEC_CRIT) ;
  /etc                             -> $(SEC_CRIT) ;
  /lib                             -> $(SEC_CRIT) ;
  /root                            -> $(SEC_CRIT) ;
  /root/.bash_history              -> $(Dynamic)  ;
  /sbin                            -> $(SEC_CRIT) ;
  /usr                             -> $(SEC_CRIT) ;
  !/usr/src                                       ;
  /etc/mtab                        -> $(SEC_CONFIG) -i ; # Inode number changes on any mount/unmount

  #don't scan the individual reports
  $(TWREPORT)                      -> $(SEC_CONFIG) (recurse=0) ;
}

# Commonly accessed directories that should remain static with regards to owner and group
(
  rulename = "Invariant Directories",
  severity = $(SIG_MED)
)
{
  /                               -> $(SEC_INVARIANT) (recurse = 0) ;
  /home                           -> $(SEC_INVARIANT) (recurse = 0) ;
  /tmp                            -> $(SEC_INVARIANT) ;
}

# Critical Devices

(
  rulename = "Critical devices",
  severity = $(SIG_HI),
  recurse = false
)
{
     /dev/console                 -> $(SEC_CONFIG) -u ; # User ID may change on console login/logout.
     /dev/initctl                 -> $(SEC_CONFIG) ;     /dev/log                     -> $(SEC_CONFIG) ;
     /proc/modules                -> $(Device) ;
     /proc/mounts                 -> $(Device) ;
     /proc/filesystems            -> $(Device) ;
     /proc/misc                   -> $(Device) ;
     /var/log                     -> $(SEC_CONFIG) ;
}
Commit	Line	Data
92004c61 CS	1	@@section GLOBAL
	2	TWROOT=/usr/sbin;
	3	TWBIN=/usr/sbin;
	4	TWPOL="/var/ipfire/tripwire";
	5	TWDB="/var/ipfire/tripwire";
	6	TWSKEY="/var/ipfire/tripwire";
	7	TWLKEY="/var/ipfire/tripwire";
	8	TWREPORT="/var/ipfire/tripwire/report";
71dfc4b7	9	HOSTNAME=ipfire;
92004c61 CS	10
	11	@@section FS
	12	SEC_CRIT = $(IgnoreNone)-SHa ; # Critical files that cannot change
92004c61 CS	13	SEC_CONFIG = $(Dynamic) ; # Config files that are changed infrequently but accessed often
	14	SEC_LOG = $(Growing) ; # Files that grow, but that should never change ownership
	15	SEC_INVARIANT = +tpug ; # Directories that should never change permission or ownership
	16	SIG_LOW = 33 ; # Non-critical files that are of minimal security impact
	17	SIG_MED = 66 ; # Non-critical files that are of significant security impact
	18	SIG_HI = 100 ; # Critical files that are significant points of vulnerability
	19
71dfc4b7	20	# System Files
92004c61	21
92004c61	22	(
71dfc4b7	23	rulename = "System Files",
92004c61 CS	24	severity = $(SIG_HI)
	25	)
	26	{
71dfc4b7 CS	27	$(TWDB) -> $(SEC_CRIT) ;
	28	$(TWPOL)/tw.pol -> $(SEC_CRIT) -i ;
	29	$(TWPOL)/tw.cfg -> $(SEC_CRIT) -i ;
	30	$(TWLKEY)/local.key -> $(SEC_CRIT) ;
	31	$(TWSKEY)/site.key -> $(SEC_CRIT) ;
92004c61	32
71dfc4b7 CS	33	/bin -> $(SEC_CRIT) ;
	34	/boot -> $(SEC_CRIT) ;
	35	/etc -> $(SEC_CRIT) ;
	36	/lib -> $(SEC_CRIT) ;
	37	/root -> $(SEC_CRIT) ;
	38	/root/.bash_history -> $(Dynamic) ;
	39	/sbin -> $(SEC_CRIT) ;
	40	/usr -> $(SEC_CRIT) ;
	41	!/usr/src ;
	42	/etc/mtab -> $(SEC_CONFIG) -i ; # Inode number changes on any mount/unmount
92004c61 CS	43
92004c61 CS	44	#don't scan the individual reports
71dfc4b7	45	$(TWREPORT) -> $(SEC_CONFIG) (recurse=0) ;
92004c61 CS	46	}
92004c61 CS	47
92004c61 CS	48	# Commonly accessed directories that should remain static with regards to owner and group
	49	(
	50	rulename = "Invariant Directories",
92004c61 CS	51	severity = $(SIG_MED)
	52	)
	53	{
71dfc4b7 CS	54	/ -> $(SEC_INVARIANT) (recurse = 0) ;
	55	/home -> $(SEC_INVARIANT) (recurse = 0) ;
	56	/tmp -> $(SEC_INVARIANT) ;
92004c61 CS	57	}
92004c61 CS	58
71dfc4b7	59	# Critical Devices
92004c61	60
92004c61 CS	61	(
92004c61 CS	62	rulename = "Critical devices",
92004c61 CS	63	severity = $(SIG_HI),
	64	recurse = false
	65	)
	66	{
71dfc4b7 CS	67	/dev/console -> $(SEC_CONFIG) -u ; # User ID may change on console login/logout.
	68	/dev/initctl -> $(SEC_CONFIG) ; /dev/log -> $(SEC_CONFIG) ;
	69	/proc/modules -> $(Device) ;
	70	/proc/mounts -> $(Device) ;
	71	/proc/filesystems -> $(Device) ;
	72	/proc/misc -> $(Device) ;
	73	/var/log -> $(SEC_CONFIG) ;
	74	}