Viele kleine Änderungen an Samba und Tripwire
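@@section GLOBAL
# Paths used by the rules in the FS section.  TWPOL, TWDB, TWSKEY and TWLKEY
# all point at the same directory, so a rule written against $(TWDB) also
# covers the policy, configuration and key files stored there, and the
# report directory below it.
TWROOT=/usr/sbin;
TWBIN=/usr/sbin;
TWPOL="/var/ipfire/tripwire";
TWDB="/var/ipfire/tripwire";
TWSKEY="/var/ipfire/tripwire";
TWLKEY="/var/ipfire/tripwire";
TWREPORT="/var/ipfire/tripwire/report";
# HOSTNAME is not referenced by any rule shown in this file; the local key
# is addressed below as $(TWLKEY)/local.key without a host prefix.
HOSTNAME=ipfire;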
10
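@@section FS
# Property masks and severity levels shared by the rules below.
#
# SEC_CRIT starts from IgnoreNone and removes S (SHA), H (Haval) and
# a (access time): content changes on critical files are therefore detected
# through the MD5 and CRC-32 properties only.  NOTE(review): consider
# keeping SHA (-Ha instead of -SHa) so detection does not rest on MD5 alone.
SEC_CRIT = $(IgnoreNone)-SHa ; # Critical files that cannot change
SEC_CONFIG = $(Dynamic) ; # Config files that are changed infrequently but accessed often
SEC_LOG = $(Growing) ; # Files that grow, but that should never change ownership (not used by any rule in this file)
SEC_INVARIANT = +tpug ; # Directories that should never change permission or ownership
SIG_LOW = 33 ; # Non-critical files that are of minimal security impact (not used by any rule in this file)
SIG_MED = 66 ; # Non-critical files that are of significant security impact
SIG_HI = 100 ; # Critical files that are significant points of vulnerability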
19
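# System Files
#
# Highest-severity rule: Tripwire's own state plus the core system trees.

(
    rulename = "System Files",
    severity = $(SIG_HI)
)
{
    # TWDB is the whole /var/ipfire/tripwire directory, so this entry also
    # covers the database file, which is rewritten on every database update.
    # NOTE(review): the stock policy keeps $(TWDB) under $(SEC_CONFIG) -i to
    # avoid reporting that churn -- confirm SEC_CRIT here is intended.
    $(TWDB) -> $(SEC_CRIT) ;
    # More specific entries take precedence over the directory entry above.
    # -i drops the inode check, since these files are regenerated in place.
    $(TWPOL)/tw.pol -> $(SEC_CRIT) -i ;
    $(TWPOL)/tw.cfg -> $(SEC_CRIT) -i ;
    $(TWLKEY)/local.key -> $(SEC_CRIT) ;
    $(TWSKEY)/site.key -> $(SEC_CRIT) ;

    /bin -> $(SEC_CRIT) ;
    /boot -> $(SEC_CRIT) ;
    /etc -> $(SEC_CRIT) ;
    /lib -> $(SEC_CRIT) ;
    /root -> $(SEC_CRIT) ;
    # Shell history changes on every interactive login; only watch it loosely.
    /root/.bash_history -> $(Dynamic) ;
    /sbin -> $(SEC_CRIT) ;
    /usr -> $(SEC_CRIT) ;
    # Stop point: /usr/src is excluded from the recursive /usr scan.
    !/usr/src ;
    /etc/mtab -> $(SEC_CONFIG) -i ; # Inode number changes on any mount/unmount

    # Don't scan the individual reports: recurse=0 checks only the
    # directory entry itself.
    $(TWREPORT) -> $(SEC_CONFIG) (recurse=0) ;
}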
47
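# Commonly accessed directories that should remain static with regards to owner and group
#
# SEC_INVARIANT (+tpug) watches only type, permissions, owner and group, so
# ordinary file churn inside these directories is not reported.
(
    rulename = "Invariant Directories",
    severity = $(SIG_MED)
)
{
    # recurse = 0: check the directory entry itself, not its contents.
    / -> $(SEC_INVARIANT) (recurse = 0) ;
    /home -> $(SEC_INVARIANT) (recurse = 0) ;
    # /tmp is scanned recursively, but only for the +tpug properties.
    /tmp -> $(SEC_INVARIANT) ;
}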
58
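# Critical Devices
#
# recurse = false at rule level: every entry below is checked as a single
# object; directories listed here are not descended into.

(
    rulename = "Critical devices",
    severity = $(SIG_HI),
    recurse = false
)
{
    /dev/console -> $(SEC_CONFIG) -u ; # User ID may change on console login/logout.
    # One object per line (the original file had both on a single line).
    /dev/initctl -> $(SEC_CONFIG) ;
    /dev/log -> $(SEC_CONFIG) ;
    /proc/modules -> $(Device) ;
    /proc/mounts -> $(Device) ;
    /proc/filesystems -> $(Device) ;
    /proc/misc -> $(Device) ;
    # Only the /var/log directory entry is checked here (recurse = false);
    # the log files themselves are not covered by any rule in this file,
    # although SEC_LOG ($(Growing)) is defined for that purpose.
    /var/log -> $(SEC_CONFIG) ;
}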