- ##############################
- # ##
-############################## #
-# # #
-# Critical Utility Sym-Links # #
-# ##
-##############################
-(
- rulename = "Critical Utility Sym-Links",
-# emailto = <email addr>,
- severity = $(SIG_HI)
-)
-{
- #/sbin/askrunlevel -> $(SEC_CRIT) ;
-# /sbin/clock -> $(SEC_CRIT) ;
- #/sbin/fixperm -> $(SEC_CRIT) ;
-# /sbin/fsck.reiserfs -> $(SEC_CRIT) ;
- #/sbin/fsconf -> $(SEC_CRIT) ;
-# /sbin/ipfwadm-wrapper -> $(SEC_CRIT) ;
-# /sbin/kallsyms -> $(SEC_CRIT) ;
-# /sbin/ksyms -> $(SEC_CRIT) ;
-# /sbin/lsmod -> $(SEC_CRIT) ;
- #/sbin/mailconf -> $(SEC_CRIT) ;
-# /sbin/mkfs.reiserfs -> $(SEC_CRIT) ;
- #/sbin/modemconf -> $(SEC_CRIT) ;
- /sbin/modprobe -> $(SEC_CRIT) ;
-# /sbin/mount.ncp -> $(SEC_CRIT) ;
-# /sbin/mount.ncpfs -> $(SEC_CRIT) ;
-# /sbin/mount.smb -> $(SEC_CRIT) ;
-# /sbin/mount.smbfs -> $(SEC_CRIT) ;
- #/sbin/netconf -> $(SEC_CRIT) ;
-# /sbin/pidof -> $(SEC_CRIT) ;
- /sbin/poweroff -> $(SEC_CRIT) ;
-# /sbin/quotaoff -> $(SEC_CRIT) ;
-# /sbin/raid0run -> $(SEC_CRIT) ;
-# /sbin/raidhotadd -> $(SEC_CRIT) ;
-# /sbin/raidhotgenerateerror -> $(SEC_CRIT) ;
-# /sbin/raidhotremove -> $(SEC_CRIT) ;
-# /sbin/raidstop -> $(SEC_CRIT) ;
-# /sbin/rdump -> $(SEC_CRIT) ;
-# /sbin/rdump.static -> $(SEC_CRIT) ;
- /sbin/reboot -> $(SEC_CRIT) ;
- /sbin/rmmod -> $(SEC_CRIT) ;
-# /sbin/rrestore -> $(SEC_CRIT) ;
-# /sbin/rrestore.static -> $(SEC_CRIT) ;
- /sbin/swapoff -> $(SEC_CRIT) ;
- /sbin/telinit -> $(SEC_CRIT) ;
- #/sbin/userconf -> $(SEC_CRIT) ;
- #/sbin/uucpconf -> $(SEC_CRIT) ;
- #/sbin/vregistry -> $(SEC_CRIT) ;
-# /bin/awk -> $(SEC_CRIT) ;
-# /bin/bash2 -> $(SEC_CRIT) ;
-# /bin/bsh -> $(SEC_CRIT) ;
-# /bin/csh -> $(SEC_CRIT) ;
- /bin/dnsdomainname -> $(SEC_CRIT) ;
- /bin/domainname -> $(SEC_CRIT) ;
-# /bin/ex -> $(SEC_CRIT) ;
-# /bin/gtar -> $(SEC_CRIT) ;
- /bin/nisdomainname -> $(SEC_CRIT) ;
-# /bin/red -> $(SEC_CRIT) ;
-# /bin/rvi -> $(SEC_CRIT) ;
-# /bin/rview -> $(SEC_CRIT) ;
-# /bin/view -> $(SEC_CRIT) ;
-# /bin/ypdomainname -> $(SEC_CRIT) ;
-}
-
-
- #########################
- # ##
-######################### #
-# # #
-# Temporary directories # #
-# ##
-#########################
-(
- rulename = "Temporary directories",
-# emailto = <email addr>,
- recurse = false,
- severity = $(SIG_LOW)
-)
-{
- /var/tmp -> $(SEC_INVARIANT) ;
- /tmp -> $(SEC_INVARIANT) ;
-}
-
- ###############
- # ##
-############### #
-# # #
-# Local files # #
-# ##
-###############
-(
- rulename = "User binaries",
-# emailto = <email addr>,
- severity = $(SIG_MED)
-)
-{
- /sbin -> $(SEC_BIN) (recurse = 1) ;
- /usr/bin -> $(SEC_BIN) (recurse = 1) ;
- /usr/sbin -> $(SEC_BIN) (recurse = 1) ;
- /usr/local/bin -> $(SEC_BIN) (recurse = 1) ;
-}
-
-(
- rulename = "Shell Binaries",
-# emailto = <email addr>,
- severity = $(SIG_HI)
-)
-{
- /bin/bash -> $(SEC_BIN) ;
- /bin/sh -> $(SEC_BIN) ;
-# /sbin/nologin -> $(SEC_BIN) ;
-}
-
-(
- rulename = "Security Control",
-# emailto = <email addr>,
- severity = $(SIG_HI)
-)
-{
- /etc/group -> $(SEC_CRIT) ;
- /etc/security -> $(SEC_CRIT) ;
- #/var/spool/cron/crontabs -> $(SEC_CRIT) ; # Uncomment when this file exists
-}
-
-#(
-# rulename = "Boot Scripts",
-# emailto = <email addr>,
-# severity = $(SIG_HI)
-#)
-#{
-# /etc/rc -> $(SEC_CONFIG) ;
-# /etc/rc.bsdnet -> $(SEC_CONFIG) ;
-# /etc/rc.dt -> $(SEC_CONFIG) ;
-# /etc/rc.net -> $(SEC_CONFIG) ;
-# /etc/rc.net.serial -> $(SEC_CONFIG) ;
-# /etc/rc.nfs -> $(SEC_CONFIG) ;
-# /etc/rc.powerfail -> $(SEC_CONFIG) ;
-# /etc/rc.tcpip -> $(SEC_CONFIG) ;
-# /etc/trcfmt.Z -> $(SEC_CONFIG) ;
-#}
-
-(
- rulename = "Login Scripts",
-# emailto = <email addr>,
- severity = $(SIG_HI)
-)
-{
- /etc/bashrc -> $(SEC_CONFIG) ;
-# /etc/csh.cshrc -> $(SEC_CONFIG) ;
-# /etc/csh.login -> $(SEC_CONFIG) ;
- /etc/inputrc -> $(SEC_CONFIG) ;
- # /etc/tsh_profile -> $(SEC_CONFIG) ; #Uncomment when this file exists
- /etc/profile -> $(SEC_CONFIG) ;
-}
-
-# Libraries
-(
- rulename = "Libraries",
-# emailto = <email addr>,
- severity = $(SIG_MED)
-)
-{
- /usr/lib -> $(SEC_BIN) ;
- /usr/local/lib -> $(SEC_BIN) ;
-}
-
-
- ######################################################
- # ##
-###################################################### #
-# # #
-# Critical System Boot Files # #
-# These files are critical to a correct system boot. # #
-# ##
-######################################################
-
-(
- rulename = "Critical system boot files",
-# emailto = <email addr>,
- severity = $(SIG_HI)
-)
-{
- /boot -> $(SEC_CRIT) ;
- #/sbin/devfsd -> $(SEC_CRIT) ;
-# /sbin/grub -> $(SEC_CRIT) ;
-# /sbin/grub-install -> $(SEC_CRIT) ;
-# /sbin/grub-md5-crypt -> $(SEC_CRIT) ;
-# /sbin/installkernel -> $(SEC_CRIT) ;
-# /sbin/lilo -> $(SEC_CRIT) ;
-# /sbin/mkkerneldoth -> $(SEC_CRIT) ;
- !/boot/System.map ;
- !/boot/module-info ;
- # other boot files may exist. Look for:
- #/ufsboot -> $(SEC_CRIT) ;
-}
- ##################################################
- ###################################################
- # These files change every time the system boots ##
- ##################################################
-(
- rulename = "System boot changes",
-# emailto = <email addr>,
- severity = $(SIG_HI)
-)
-{
- !/var/run/ftp.pids-all ; # Comes and goes on reboot.
- !/root/.enlightenment ;
- /dev/log -> $(SEC_CONFIG) ;
-# /dev/cua0 -> $(SEC_CONFIG) ;
- # /dev/printer -> $(SEC_CONFIG) ; # Uncomment if you have a printer device
- /dev/console -> $(SEC_CONFIG) -u ; # User ID may change on console login/logout.
- /dev/tty1 -> $(SEC_CONFIG) ; # tty devices
- /dev/tty2 -> $(SEC_CONFIG) ; # tty devices
- /dev/tty3 -> $(SEC_CONFIG) ; # are extremely
- /dev/tty4 -> $(SEC_CONFIG) ; # variable
- /dev/tty5 -> $(SEC_CONFIG) ;
- /dev/tty6 -> $(SEC_CONFIG) ;
- /dev/urandom -> $(SEC_CONFIG) ;
- /dev/initctl -> $(SEC_CONFIG) ;
-# /var/lock/subsys -> $(SEC_CONFIG) ;
- /var/run -> $(SEC_CONFIG) ;
- /var/log -> $(SEC_CONFIG) ;
- ! /var/log/mrtg/red.log ;
- ! /var/log/mrtg/red.old ;
- ! /var/log/mrtg/green.log ;
- ! /var/log/mrtg/green.old ;
-# /etc/ioctl.save -> $(SEC_CONFIG) ;
-# /etc/issue.net -> $(SEC_CONFIG) -i ; # Inode number changes
- /etc/issue -> $(SEC_CONFIG) ;
- /etc/mtab -> $(SEC_CONFIG) -i ; # Inode number changes on any mount/unmount
- /lib/modules -> $(SEC_CONFIG) ;
- /etc/.pwd.lock -> $(SEC_CONFIG) ;
- # /lib/modules/preferred -> $(SEC_CONFIG) ; #Uncomment when this file exists
-}
-
-# These files change the behavior of the root account
-(
- rulename = "Root config files",
-# emailto = <email addr>,
- severity = 100
-)
-{
- /root -> $(SEC_CRIT) ; # Catch all additions to /root
-# /root/.Xresources -> $(SEC_CONFIG) ;
-# /root/.bashrc -> $(SEC_CONFIG) ;
-# /root/.bash_profile -> $(SEC_CONFIG) ;
-# /root/.bash_logout -> $(SEC_CONFIG) ;
-# /root/.cshrc -> $(SEC_CONFIG) ;
-# /root/.tcshrc -> $(SEC_CONFIG) ;
- #/root/Mail -> $(SEC_CONFIG) ;
- #/root/mail -> $(SEC_CONFIG) ;
- #/root/.amandahosts -> $(SEC_CONFIG) ;
- #/root/.addressbook.lu -> $(SEC_CONFIG) ;
- #/root/.addressbook -> $(SEC_CONFIG) ;
-# /root/.bash_history -> $(SEC_CONFIG) ;
- #/root/.elm -> $(SEC_CONFIG) ;
-# /root/.esd_auth -> $(SEC_CONFIG) ;
-# /root/.gnome_private -> $(SEC_CONFIG) ;
-# /root/.gnome-desktop -> $(SEC_CONFIG) ;
-# /root/.gnome -> $(SEC_CONFIG) ;
-# /root/.ICEauthority -> $(SEC_CONFIG) ;
- #/root/.mc -> $(SEC_CONFIG) ;
- #/root/.pinerc -> $(SEC_CONFIG) ;
- #/root/.sawfish -> $(SEC_CONFIG) ;
-# /root/.Xauthority -> $(SEC_CONFIG) -i ; # Changes Inode number on login
- #/root/.xauth -> $(SEC_CONFIG) ;
- #/root/.xsession-errors -> $(SEC_CONFIG) ;
-}
-
- ################################
- # ##
-################################ #
-# # #
-# Critical configuration files # #
-# ##
-################################
-(
- rulename = "Critical configuration files",
-# emailto = <email addr>,
- severity = $(SIG_HI)
-)
-{
- #/etc/conf.linuxconf -> $(SEC_BIN) ;
-# /etc/crontab -> $(SEC_BIN) ;
-# /etc/cron.hourly -> $(SEC_BIN) ;
-# /etc/cron.daily -> $(SEC_BIN) ;
-# /etc/cron.weekly -> $(SEC_BIN) ;
-# /etc/cron.monthly -> $(SEC_BIN) ;
- /etc/default -> $(SEC_BIN) ;
- /etc/fstab -> $(SEC_BIN) ;
-# /etc/exports -> $(SEC_BIN) ;
- /etc/group- -> $(SEC_BIN) ; # changes should be infrequent
- /etc/host.conf -> $(SEC_BIN) ;
- /etc/hosts.allow -> $(SEC_BIN) ;
- /etc/hosts.deny -> $(SEC_BIN) ;
- /etc/httpd/conf -> $(SEC_BIN) ; # changes should be infrequent
- /etc/protocols -> $(SEC_BIN) ;
- /etc/services -> $(SEC_BIN) ;
- /etc/rc.d/init.d -> $(SEC_BIN) ;
- /etc/rc.d -> $(SEC_BIN) ;
-# /etc/mail.rc -> $(SEC_BIN) ;
- /etc/modules.conf -> $(SEC_BIN) ;
-# /etc/motd -> $(SEC_BIN) ;
-# /etc/named.conf -> $(SEC_BIN) ;
- /etc/passwd -> $(SEC_CONFIG) ;
- /etc/passwd- -> $(SEC_CONFIG) ;
- /etc/profile.d -> $(SEC_BIN) ;
-# /var/lib/nfs/rmtab -> $(SEC_BIN) ;
-# /usr/sbin/fixrmtab -> $(SEC_BIN) ;
-# /etc/rpc -> $(SEC_BIN) ;
-# /etc/sysconfig -> $(SEC_BIN) ;
- /var/ipfire/samba/smb.conf -> $(SEC_CONFIG) ;
- #/etc/gettydefs -> $(SEC_BIN) ;
- /etc/nsswitch.conf -> $(SEC_BIN) ;
-# /etc/yp.conf -> $(SEC_BIN) ;
- /etc/hosts -> $(SEC_CONFIG) ;
-# /etc/xinetd.conf -> $(SEC_CONFIG) ;
- /etc/inittab -> $(SEC_CONFIG) ;
- /etc/resolv.conf -> $(SEC_CONFIG) ;
- /etc/syslog.conf -> $(SEC_CONFIG) ;
-}
-
- ####################
- # ##
-#################### #
-# # #
-# Critical devices # #
-# ##
-####################