@@section GLOBAL
# Locations of the Tripwire binaries and of Tripwire's own state files.
# Everything below lives on the monitored host itself; the "System Files"
# rule in the FS section puts the policy, config, keys and database under
# the strictest property mask so that tampering with Tripwire's own inputs
# shows up in the next integrity check.
TWROOT=/usr/sbin;
TWBIN=/usr/sbin;
# Policy, database, site key and local key all share one directory.
TWPOL="/var/ipfire/tripwire";
TWDB="/var/ipfire/tripwire";
TWSKEY="/var/ipfire/tripwire";
TWLKEY="/var/ipfire/tripwire";
# Reports are written below the database directory; the FS section
# excludes the individual report files from recursive scanning.
TWREPORT="/var/ipfire/tripwire/report";
# Name used for the database file of this host.
HOSTNAME=ipfire;
10
@@section FS
# Property masks used by the rules below.  $(IgnoreNone), $(Dynamic) and
# $(Growing) are Tripwire's predefined masks: $(IgnoreNone) checks every
# property; $(Dynamic) ignores size, contents and timestamps so the object
# may be rewritten freely; $(Growing) is $(Dynamic) plus a check that the
# size never shrinks.
# -SHa removes the SHA and Haval hashes and the access time from the full
# mask, so content changes on critical files are detected by the remaining
# CRC32 and MD5 checks only.
SEC_CRIT = $(IgnoreNone)-SHa ; # Critical files that cannot change
SEC_CONFIG = $(Dynamic) ; # Config files that are changed infrequently but accessed often
SEC_LOG = $(Growing) ; # Files that grow, but that should never change ownership
SEC_INVARIANT = +tpug ; # Directories that should never change permission or ownership (type, permissions, user, group only)
# Severity levels attached to the rules; tripwire --check --severity can
# restrict a check to rules at or above a given level.
SIG_LOW = 33 ; # Non-critical files that are of minimal security impact
SIG_MED = 66 ; # Non-critical files that are of significant security impact
SIG_HI = 100 ; # Critical files that are significant points of vulnerability
19
# System Files

# Tripwire's own state plus the core OS trees.  When several entries in a
# block match the same object, the most specific path wins, so the
# $(Dynamic) and recurse=0 entries below carve exceptions out of the
# recursive $(SEC_CRIT) parents.
(
rulename = "System Files",
severity = $(SIG_HI)
)
{
# $(TWDB) is the whole /var/ipfire/tripwire directory and therefore already
# covers the policy, config and key files; the explicit entries below only
# adjust the mask.  -i allows the inode number to change (presumably because
# tw.pol and tw.cfg are rewritten when they are re-signed -- confirm).
$(TWDB) -> $(SEC_CRIT) ;
$(TWPOL)/tw.pol -> $(SEC_CRIT) -i ;
$(TWPOL)/tw.cfg -> $(SEC_CRIT) -i ;
$(TWLKEY)/local.key -> $(SEC_CRIT) ;
$(TWSKEY)/site.key -> $(SEC_CRIT) ;

# Core system trees: any content, ownership or permission change is reported.
/bin -> $(SEC_CRIT) ;
/boot -> $(SEC_CRIT) ;
/etc -> $(SEC_CRIT) ;
# IDS rule sets are refreshed regularly; ownership and permissions are still
# checked, contents are not.
/etc/snort/rules/ -> $(Dynamic) ;
/lib -> $(SEC_CRIT) ;
/root -> $(SEC_CRIT) ;
# Shell history changes on every interactive root session.
/root/.bash_history -> $(Dynamic) ;
/sbin -> $(SEC_CRIT) ;
/usr -> $(SEC_CRIT) ;
# Virus signature database is updated regularly; exclude its contents.
/usr/share/clamav -> $(Dynamic) ;
/etc/mtab -> $(SEC_CONFIG) -i ; # Inode number changes on any mount/unmount

# Don't scan the individual reports: only the report directory object itself
# is checked (recurse=0), so new reports from each check do not show up as
# added files.
$(TWREPORT) -> $(SEC_CONFIG) (recurse=0) ;
}
48
# Commonly accessed directories that should remain static with regards to owner and group
# Only type, permissions, owner and group are checked ($(SEC_INVARIANT)),
# so normal activity inside these directories does not generate reports.
(
rulename = "Invariant Directories",
severity = $(SIG_MED)
)
{
# recurse = 0: check the directory object itself, nothing below it.
/ -> $(SEC_INVARIANT) (recurse = 0) ;
/home -> $(SEC_INVARIANT) (recurse = 0) ;
# No recurse limit here: every object under /tmp is checked for type,
# permission and ownership changes.
/tmp -> $(SEC_INVARIANT) ;
}
59
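# Critical Devices

# recurse = false is a block-level attribute: for every entry below only the
# named object itself is checked, never anything beneath it.
(
rulename = "Critical devices",
severity = $(SIG_HI),
recurse = false
)
{
/dev/console -> $(SEC_CONFIG) -u ; # User ID may change on console login/logout.
# One entry per line; both keep the $(SEC_CONFIG) mask.
/dev/initctl -> $(SEC_CONFIG) ;
/dev/log -> $(SEC_CONFIG) ;
# Kernel pseudo-files: $(Device) checks ownership, permissions, size and
# device numbers but not contents or timestamps.
/proc/modules -> $(Device) ;
/proc/mounts -> $(Device) ;
/proc/filesystems -> $(Device) ;
/proc/misc -> $(Device) ;
# NOTE(review): with the block-level recurse = false only the /var/log
# directory object is checked, not the log files inside it, so the
# $(Growing) mask in $(SEC_LOG) has nothing to apply to.  If per-file log
# monitoring is intended, override the attribute on this entry:
#   /var/log -> $(SEC_LOG) (recurse = true) ;
# (expect added/removed entries from log rotation in the reports).
/var/log -> $(SEC_LOG) ;
}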