author | Armin Kuster <akuster@mvista.com> | 2014-08-11 16:38:09 -0700 |
---|---|---|
committer | Armin Kuster <akuster808@gmail.com> | 2014-08-27 21:09:49 -0700 |
commit | e6b6816192993b022738d204091348577c8fb45e (patch) | |
tree | 0cb52f768a5ffa9bfbab4467c71892056aacfaad /recipes-security/tripwire/files/twpol-yocto.txt | |
parent | fa3c8b475c95ae4d5b20d46e3c7143014709e802 (diff) | |
download | meta-security-e6b6816192993b022738d204091348577c8fb45e.tar.gz |
tripwire: Add files for package support
Signed-off-by: Armin Kuster <akuster@mvista.com>
Diffstat (limited to 'recipes-security/tripwire/files/twpol-yocto.txt')
-rw-r--r-- | recipes-security/tripwire/files/twpol-yocto.txt | 1107 |
1 files changed, 1107 insertions, 0 deletions
diff --git a/recipes-security/tripwire/files/twpol-yocto.txt b/recipes-security/tripwire/files/twpol-yocto.txt new file mode 100644 index 0000000..65f5f75 --- /dev/null +++ b/recipes-security/tripwire/files/twpol-yocto.txt | |||
@@ -0,0 +1,1107 @@ | |||
1 | ############################################################################## | ||
2 | # ## | ||
3 | ############################################################################## # | ||
4 | # # # | ||
5 | # Generic Policy file # # | ||
6 | # V1.2.0rh # # | ||
7 | # August 9, 2001 # # | ||
8 | # ## | ||
9 | ############################################################################## | ||
10 | |||
11 | |||
12 | ############################################################################## | ||
13 | # ## | ||
14 | ############################################################################## # | ||
15 | # # # | ||
16 | # This is the example Tripwire Policy file. It is intended as a place to # # | ||
17 | # start creating your own custom Tripwire Policy file. Referring to it as # # | ||
18 | # well as the Tripwire Policy Guide should give you enough information to # # | ||
19 | # make a good custom Tripwire Policy file that better covers your # # | ||
20 | # configuration and security needs. A text version of this policy file is # # | ||
21 | # called twpol.txt. # # | ||
22 | # # # | ||
23 | # Note that this file is tuned to an 'everything' install of Red Hat Linux. # # | ||
24 | # If run unmodified, this file should create no errors on database # # | ||
25 | # creation, or violations on a subsiquent integrity check. However, it is # # | ||
26 | # impossible for there to be one policy file for all machines, so this # # | ||
27 | # existing one errs on the side of security. Your Linux configuration will # # | ||
28 | # most likey differ from the one our policy file was tuned to, and will # # | ||
29 | # therefore require some editing of the default Tripwire Policy file. # # | ||
30 | # # # | ||
31 | # The example policy file is best run with 'Loose Directory Checking' # # | ||
32 | # enabled. Set LOOSEDIRECTORYCHECKING=TRUE in the Tripwire Configuration # # | ||
33 | # file. # # | ||
34 | # # # | ||
35 | # Email support is not included and must be added to this file. # # | ||
36 | # Add the 'emailto=' to the rule directive section of each rule (add a comma # # | ||
37 | # after the 'severity=' line and add an 'emailto=' and include the email # # | ||
38 | # addresses you want the violation reports to go to). Addresses are # # | ||
39 | # semi-colon delimited. # # | ||
40 | # ## | ||
41 | ############################################################################## | ||
42 | |||
43 | |||
44 | |||
45 | ############################################################################## | ||
46 | # ## | ||
47 | ############################################################################## # | ||
48 | # # # | ||
49 | # Global Variable Definitions # # | ||
50 | # # # | ||
51 | # These are defined at install time by the installation script. You may # # | ||
52 | # Manually edit these if you are using this file directly and not from the # # | ||
53 | # installation script itself. # # | ||
54 | # ## | ||
55 | ############################################################################## | ||
56 | |||
57 | @@section GLOBAL | ||
58 | TWROOT=/usr/sbin; | ||
59 | TWBIN=/usr/sbin; | ||
60 | TWPOL="/etc/tripwire"; | ||
61 | TWDB="/var/lib/tripwire"; | ||
62 | TWSKEY="/etc/tripwire"; | ||
63 | TWLKEY="/etc/tripwire"; | ||
64 | TWREPORT="/var/lib/tripwire/report"; | ||
65 | HOSTNAME=localhost; | ||
66 | |||
67 | @@section FS | ||
68 | SEC_CRIT = $(IgnoreNone)-SHa ; # Critical files that cannot change | ||
69 | SEC_SUID = $(IgnoreNone)-SHa ; # Binaries with the SUID or SGID flags set | ||
70 | SEC_BIN = $(ReadOnly) ; # Binaries that should not change | ||
71 | SEC_CONFIG = $(Dynamic) ; # Config files that are changed infrequently but accessed often | ||
72 | SEC_LOG = $(Growing) ; # Files that grow, but that should never change ownership | ||
73 | SEC_INVARIANT = +tpug ; # Directories that should never change permission or ownership | ||
74 | SIG_LOW = 33 ; # Non-critical files that are of minimal security impact | ||
75 | SIG_MED = 66 ; # Non-critical files that are of significant security impact | ||
76 | SIG_HI = 100 ; # Critical files that are significant points of vulnerability | ||
77 | |||
78 | |||
79 | # Tripwire Binaries | ||
80 | ( | ||
81 | rulename = "Tripwire Binaries", | ||
82 | severity = $(SIG_HI) | ||
83 | ) | ||
84 | { | ||
85 | $(TWBIN)/siggen -> $(SEC_BIN) ; | ||
86 | $(TWBIN)/tripwire -> $(SEC_BIN) ; | ||
87 | $(TWBIN)/twadmin -> $(SEC_BIN) ; | ||
88 | $(TWBIN)/twprint -> $(SEC_BIN) ; | ||
89 | } | ||
90 | |||
91 | # Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases | ||
92 | ( | ||
93 | rulename = "Tripwire Data Files", | ||
94 | severity = $(SIG_HI) | ||
95 | ) | ||
96 | { | ||
97 | # NOTE: We remove the inode attribute because when Tripwire creates a backup, | ||
98 | # it does so by renaming the old file and creating a new one (which will | ||
99 | # have a new inode number). Inode is left turned on for keys, which shouldn't | ||
100 | # ever change. | ||
101 | |||
102 | # NOTE: The first integrity check triggers this rule and each integrity check | ||
103 | # afterward triggers this rule until a database update is run, since the | ||
104 | # database file does not exist before that point. | ||
105 | |||
106 | $(TWDB) -> $(SEC_CONFIG) -i ; | ||
107 | $(TWPOL)/tw.pol -> $(SEC_BIN) -i ; | ||
108 | $(TWPOL)/tw.cfg -> $(SEC_BIN) -i ; | ||
109 | $(TWLKEY)/$(HOSTNAME)-local.key -> $(SEC_BIN) ; | ||
110 | $(TWSKEY)/site.key -> $(SEC_BIN) ; | ||
111 | |||
112 | #don't scan the individual reports | ||
113 | $(TWREPORT) -> $(SEC_CONFIG) (recurse=0) ; | ||
114 | } | ||
115 | |||
116 | |||
117 | # Tripwire HQ Connector Binaries | ||
118 | #( | ||
119 | # rulename = "Tripwire HQ Connector Binaries", | ||
120 | # severity = $(SIG_HI) | ||
121 | #) | ||
122 | #{ | ||
123 | # $(TWBIN)/hqagent -> $(SEC_BIN) ; | ||
124 | #} | ||
125 | # | ||
126 | # Tripwire HQ Connector - Configuration Files, Keys, and Logs | ||
127 | |||
128 | ############################################################################## | ||
129 | # ## | ||
130 | ############################################################################## # | ||
131 | # # # | ||
132 | # Note: File locations here are different than in a stock HQ Connector # # | ||
133 | # installation. This is because Tripwire 2.3 uses a different path # # | ||
134 | # structure than Tripwire 2.2.1. # # | ||
135 | # # # | ||
136 | # You may need to update your HQ Agent configuation file (or this policy # # | ||
137 | # file) to correct the paths. We have attempted to support the FHS standard # # | ||
138 | # here by placing the HQ Agent files similarly to the way Tripwire 2.3 # # | ||
139 | # places them. # # | ||
140 | # ## | ||
141 | ############################################################################## | ||
142 | |||
143 | #( | ||
144 | # rulename = "Tripwire HQ Connector Data Files", | ||
145 | # severity = $(SIG_HI) | ||
146 | #) | ||
147 | #{ | ||
148 | # ############################################################################# | ||
149 | # ############################################################################## | ||
150 | # # NOTE: Removing the inode attribute because when Tripwire creates a backup ## | ||
151 | # # it does so by renaming the old file and creating a new one (which will ## | ||
152 | # # have a new inode number). Leaving inode turned on for keys, which ## | ||
153 | # # shouldn't ever change. ## | ||
154 | # ############################################################################# | ||
155 | # | ||
156 | # $(TWBIN)/agent.cfg -> $(SEC_BIN) -i ; | ||
157 | # $(TWLKEY)/authentication.key -> $(SEC_BIN) ; | ||
158 | # $(TWDB)/tasks.dat -> $(SEC_CONFIG) ; | ||
159 | # $(TWDB)/schedule.dat -> $(SEC_CONFIG) ; | ||
160 | # | ||
161 | # # Uncomment if you have agent logging enabled. | ||
162 | # #/var/log/tripwire/agent.log -> $(SEC_LOG) ; | ||
163 | #} | ||
164 | |||
165 | |||
166 | |||
167 | # Commonly accessed directories that should remain static with regards to owner and group | ||
168 | ( | ||
169 | rulename = "Invariant Directories", | ||
170 | severity = $(SIG_MED) | ||
171 | ) | ||
172 | { | ||
173 | / -> $(SEC_INVARIANT) (recurse = 0) ; | ||
174 | /home -> $(SEC_INVARIANT) (recurse = 0) ; | ||
175 | /etc -> $(SEC_INVARIANT) (recurse = 0) ; | ||
176 | } | ||
177 | ################################################ | ||
178 | # ## | ||
179 | ################################################ # | ||
180 | # # # | ||
181 | # File System and Disk Administration Programs # # | ||
182 | # ## | ||
183 | ################################################ | ||
184 | |||
185 | ( | ||
186 | rulename = "File System and Disk Administraton Programs", | ||
187 | severity = $(SIG_HI) | ||
188 | ) | ||
189 | { | ||
190 | /sbin/accton -> $(SEC_CRIT) ; | ||
191 | /sbin/badblocks -> $(SEC_CRIT) ; | ||
192 | /sbin/busybox -> $(SEC_CRIT) ; | ||
193 | /sbin/busybox.anaconda -> $(SEC_CRIT) ; | ||
194 | /sbin/convertquota -> $(SEC_CRIT) ; | ||
195 | /sbin/dosfsck -> $(SEC_CRIT) ; | ||
196 | /sbin/debugfs -> $(SEC_CRIT) ; | ||
197 | /sbin/debugreiserfs -> $(SEC_CRIT) ; | ||
198 | /sbin/dumpe2fs -> $(SEC_CRIT) ; | ||
199 | /sbin/dump -> $(SEC_CRIT) ; | ||
200 | /sbin/dump.static -> $(SEC_CRIT) ; | ||
201 | # /sbin/e2fsadm -> $(SEC_CRIT) ; tune2fs? | ||
202 | /sbin/e2fsck -> $(SEC_CRIT) ; | ||
203 | /sbin/e2label -> $(SEC_CRIT) ; | ||
204 | /sbin/fdisk -> $(SEC_CRIT) ; | ||
205 | /sbin/fsck -> $(SEC_CRIT) ; | ||
206 | /sbin/fsck.ext2 -> $(SEC_CRIT) ; | ||
207 | /sbin/fsck.ext3 -> $(SEC_CRIT) ; | ||
208 | /sbin/fsck.minix -> $(SEC_CRIT) ; | ||
209 | /sbin/fsck.msdos -> $(SEC_CRIT) ; | ||
210 | /sbin/fsck.vfat -> $(SEC_CRIT) ; | ||
211 | /sbin/ftl_check -> $(SEC_CRIT) ; | ||
212 | /sbin/ftl_format -> $(SEC_CRIT) ; | ||
213 | /sbin/hdparm -> $(SEC_CRIT) ; | ||
214 | #/sbin/lvchange -> $(SEC_CRIT) ; | ||
215 | #/sbin/lvcreate -> $(SEC_CRIT) ; | ||
216 | #/sbin/lvdisplay -> $(SEC_CRIT) ; | ||
217 | #/sbin/lvextend -> $(SEC_CRIT) ; | ||
218 | #/sbin/lvmchange -> $(SEC_CRIT) ; | ||
219 | #/sbin/lvmcreate_initrd -> $(SEC_CRIT) ; | ||
220 | #/sbin/lvmdiskscan -> $(SEC_CRIT) ; | ||
221 | #/sbin/lvmsadc -> $(SEC_CRIT) ; | ||
222 | #/sbin/lvmsar -> $(SEC_CRIT) ; | ||
223 | #/sbin/lvreduce -> $(SEC_CRIT) ; | ||
224 | #/sbin/lvremove -> $(SEC_CRIT) ; | ||
225 | #/sbin/lvrename -> $(SEC_CRIT) ; | ||
226 | #/sbin/lvscan -> $(SEC_CRIT) ; | ||
227 | /sbin/mkbootdisk -> $(SEC_CRIT) ; | ||
228 | /sbin/mkdosfs -> $(SEC_CRIT) ; | ||
229 | /sbin/mke2fs -> $(SEC_CRIT) ; | ||
230 | /sbin/mkfs -> $(SEC_CRIT) ; | ||
231 | /sbin/mkfs.bfs -> $(SEC_CRIT) ; | ||
232 | /sbin/mkfs.ext2 -> $(SEC_CRIT) ; | ||
233 | /sbin/mkfs.minix -> $(SEC_CRIT) ; | ||
234 | /sbin/mkfs.msdos -> $(SEC_CRIT) ; | ||
235 | /sbin/mkfs.vfat -> $(SEC_CRIT) ; | ||
236 | /sbin/mkinitrd -> $(SEC_CRIT) ; | ||
237 | #/sbin/mkpv -> $(SEC_CRIT) ; | ||
238 | /sbin/mkraid -> $(SEC_CRIT) ; | ||
239 | /sbin/mkreiserfs -> $(SEC_CRIT) ; | ||
240 | /sbin/mkswap -> $(SEC_CRIT) ; | ||
241 | #/sbin/mtx -> $(SEC_CRIT) ; | ||
242 | /sbin/pam_console_apply -> $(SEC_CRIT) ; | ||
243 | /sbin/parted -> $(SEC_CRIT) ; | ||
244 | /sbin/pcinitrd -> $(SEC_CRIT) ; | ||
245 | #/sbin/pvchange -> $(SEC_CRIT) ; | ||
246 | #/sbin/pvcreate -> $(SEC_CRIT) ; | ||
247 | #/sbin/pvdata -> $(SEC_CRIT) ; | ||
248 | #/sbin/pvdisplay -> $(SEC_CRIT) ; | ||
249 | #/sbin/pvmove -> $(SEC_CRIT) ; | ||
250 | #/sbin/pvscan -> $(SEC_CRIT) ; | ||
251 | /sbin/quotacheck -> $(SEC_CRIT) ; | ||
252 | /sbin/quotaon -> $(SEC_CRIT) ; | ||
253 | /sbin/raidstart -> $(SEC_CRIT) ; | ||
254 | /sbin/reiserfsck -> $(SEC_CRIT) ; | ||
255 | /sbin/resize2fs -> $(SEC_CRIT) ; | ||
256 | /sbin/resize_reiserfs -> $(SEC_CRIT) ; | ||
257 | /sbin/restore -> $(SEC_CRIT) ; | ||
258 | /sbin/restore.static -> $(SEC_CRIT) ; | ||
259 | /sbin/scsi_info -> $(SEC_CRIT) ; | ||
260 | /sbin/sfdisk -> $(SEC_CRIT) ; | ||
261 | /sbin/stinit -> $(SEC_CRIT) ; | ||
262 | #/sbin/tapeinfo -> $(SEC_CRIT) ; | ||
263 | /sbin/tune2fs -> $(SEC_CRIT) ; | ||
264 | /sbin/unpack -> $(SEC_CRIT) ; | ||
265 | /sbin/update -> $(SEC_CRIT) ; | ||
266 | #/sbin/vgcfgbackup -> $(SEC_CRIT) ; | ||
267 | #/sbin/vgcfgrestore -> $(SEC_CRIT) ; | ||
268 | #/sbin/vgchange -> $(SEC_CRIT) ; | ||
269 | #/sbin/vgck -> $(SEC_CRIT) ; | ||
270 | #/sbin/vgcreate -> $(SEC_CRIT) ; | ||
271 | #/sbin/vgdisplay -> $(SEC_CRIT) ; | ||
272 | #/sbin/vgexport -> $(SEC_CRIT) ; | ||
273 | #/sbin/vgextend -> $(SEC_CRIT) ; | ||
274 | #/sbin/vgimport -> $(SEC_CRIT) ; | ||
275 | #/sbin/vgmerge -> $(SEC_CRIT) ; | ||
276 | #/sbin/vgmknodes -> $(SEC_CRIT) ; | ||
277 | #/sbin/vgreduce -> $(SEC_CRIT) ; | ||
278 | #/sbin/vgremove -> $(SEC_CRIT) ; | ||
279 | #/sbin/vgrename -> $(SEC_CRIT) ; | ||
280 | #/sbin/vgscan -> $(SEC_CRIT) ; | ||
281 | #/sbin/vgsplit -> $(SEC_CRIT) ; | ||
282 | /bin/chgrp -> $(SEC_CRIT) ; | ||
283 | /bin/chmod -> $(SEC_CRIT) ; | ||
284 | /bin/chown -> $(SEC_CRIT) ; | ||
285 | /bin/cp -> $(SEC_CRIT) ; | ||
286 | /bin/cpio -> $(SEC_CRIT) ; | ||
287 | /bin/mount -> $(SEC_CRIT) ; | ||
288 | /bin/umount -> $(SEC_CRIT) ; | ||
289 | /bin/mkdir -> $(SEC_CRIT) ; | ||
290 | /bin/mknod -> $(SEC_CRIT) ; | ||
291 | /bin/mktemp -> $(SEC_CRIT) ; | ||
292 | /bin/rm -> $(SEC_CRIT) ; | ||
293 | /bin/rmdir -> $(SEC_CRIT) ; | ||
294 | /bin/touch -> $(SEC_CRIT) ; | ||
295 | } | ||
296 | |||
297 | ################################## | ||
298 | # ## | ||
299 | ################################## # | ||
300 | # # # | ||
301 | # Kernel Administration Programs # # | ||
302 | # ## | ||
303 | ################################## | ||
304 | |||
305 | ( | ||
306 | rulename = "Kernel Administration Programs", | ||
307 | severity = $(SIG_HI) | ||
308 | ) | ||
309 | { | ||
310 | /sbin/adjtimex -> $(SEC_CRIT) ; | ||
311 | /sbin/ctrlaltdel -> $(SEC_CRIT) ; | ||
312 | /sbin/depmod -> $(SEC_CRIT) ; | ||
313 | /sbin/insmod -> $(SEC_CRIT) ; | ||
314 | /sbin/insmod.static -> $(SEC_CRIT) ; | ||
315 | /sbin/insmod_ksymoops_clean -> $(SEC_CRIT) ; | ||
316 | /sbin/klogd -> $(SEC_CRIT) ; | ||
317 | /sbin/ldconfig -> $(SEC_CRIT) ; | ||
318 | /sbin/minilogd -> $(SEC_CRIT) ; | ||
319 | /sbin/modinfo -> $(SEC_CRIT) ; | ||
320 | #/sbin/nuactlun -> $(SEC_CRIT) ; | ||
321 | #/sbin/nuscsitcpd -> $(SEC_CRIT) ; | ||
322 | /sbin/pivot_root -> $(SEC_CRIT) ; | ||
323 | /sbin/sndconfig -> $(SEC_CRIT) ; | ||
324 | /sbin/sysctl -> $(SEC_CRIT) ; | ||
325 | } | ||
326 | |||
327 | ####################### | ||
328 | # ## | ||
329 | ####################### # | ||
330 | # # # | ||
331 | # Networking Programs # # | ||
332 | # ## | ||
333 | ####################### | ||
334 | |||
335 | ( | ||
336 | rulename = "Networking Programs", | ||
337 | severity = $(SIG_HI) | ||
338 | ) | ||
339 | { | ||
340 | /etc/sysconfig/network-scripts/ifdown -> $(SEC_CRIT) ; | ||
341 | /etc/sysconfig/network-scripts/ifdown-cipcb -> $(SEC_CRIT) ; | ||
342 | /etc/sysconfig/network-scripts/ifdown-ippp -> $(SEC_CRIT) ; | ||
343 | /etc/sysconfig/network-scripts/ifdown-ipv6 -> $(SEC_CRIT) ; | ||
344 | /etc/sysconfig/network-scripts/ifdown-isdn -> $(SEC_CRIT) ; | ||
345 | /etc/sysconfig/network-scripts/ifdown-post -> $(SEC_CRIT) ; | ||
346 | /etc/sysconfig/network-scripts/ifdown-ppp -> $(SEC_CRIT) ; | ||
347 | /etc/sysconfig/network-scripts/ifdown-sit -> $(SEC_CRIT) ; | ||
348 | /etc/sysconfig/network-scripts/ifdown-sl -> $(SEC_CRIT) ; | ||
349 | /etc/sysconfig/network-scripts/ifup -> $(SEC_CRIT) ; | ||
350 | /etc/sysconfig/network-scripts/ifup-aliases -> $(SEC_CRIT) ; | ||
351 | /etc/sysconfig/network-scripts/ifup-cipcb -> $(SEC_CRIT) ; | ||
352 | /etc/sysconfig/network-scripts/ifup-ippp -> $(SEC_CRIT) ; | ||
353 | /etc/sysconfig/network-scripts/ifup-ipv6 -> $(SEC_CRIT) ; | ||
354 | /etc/sysconfig/network-scripts/ifup-isdn -> $(SEC_CRIT) ; | ||
355 | /etc/sysconfig/network-scripts/ifup-plip -> $(SEC_CRIT) ; | ||
356 | /etc/sysconfig/network-scripts/ifup-plusb -> $(SEC_CRIT) ; | ||
357 | /etc/sysconfig/network-scripts/ifup-post -> $(SEC_CRIT) ; | ||
358 | /etc/sysconfig/network-scripts/ifup-ppp -> $(SEC_CRIT) ; | ||
359 | /etc/sysconfig/network-scripts/ifup-routes -> $(SEC_CRIT) ; | ||
360 | /etc/sysconfig/network-scripts/ifup-sit -> $(SEC_CRIT) ; | ||
361 | /etc/sysconfig/network-scripts/ifup-sl -> $(SEC_CRIT) ; | ||
362 | /etc/sysconfig/network-scripts/ifup-wireless -> $(SEC_CRIT) ; | ||
363 | /etc/sysconfig/network-scripts/network-functions -> $(SEC_CRIT) ; | ||
364 | /etc/sysconfig/network-scripts/network-functions-ipv6 -> $(SEC_CRIT) ; | ||
365 | /bin/ping -> $(SEC_CRIT) ; | ||
366 | /sbin/agetty -> $(SEC_CRIT) ; | ||
367 | /sbin/arp -> $(SEC_CRIT) ; | ||
368 | /sbin/arping -> $(SEC_CRIT) ; | ||
369 | /sbin/dhcpcd -> $(SEC_CRIT) ; | ||
370 | /sbin/ether-wake -> $(SEC_CRIT) ; | ||
371 | #/sbin/getty -> $(SEC_CRIT) ; | ||
372 | /sbin/ifcfg -> $(SEC_CRIT) ; | ||
373 | /sbin/ifconfig -> $(SEC_CRIT) ; | ||
374 | /sbin/ifdown -> $(SEC_CRIT) ; | ||
375 | /sbin/ifenslave -> $(SEC_CRIT) ; | ||
376 | /sbin/ifport -> $(SEC_CRIT) ; | ||
377 | /sbin/ifup -> $(SEC_CRIT) ; | ||
378 | /sbin/ifuser -> $(SEC_CRIT) ; | ||
379 | /sbin/ip -> $(SEC_CRIT) ; | ||
380 | /sbin/ip6tables -> $(SEC_CRIT) ; | ||
381 | /sbin/ipchains -> $(SEC_CRIT) ; | ||
382 | /sbin/ipchains-restore -> $(SEC_CRIT) ; | ||
383 | /sbin/ipchains-save -> $(SEC_CRIT) ; | ||
384 | /sbin/ipfwadm -> $(SEC_CRIT) ; | ||
385 | /sbin/ipmaddr -> $(SEC_CRIT) ; | ||
386 | /sbin/iptables -> $(SEC_CRIT) ; | ||
387 | /sbin/iptables-restore -> $(SEC_CRIT) ; | ||
388 | /sbin/iptables-save -> $(SEC_CRIT) ; | ||
389 | /sbin/iptunnel -> $(SEC_CRIT) ; | ||
390 | #/sbin/ipvsadm -> $(SEC_CRIT) ; | ||
391 | #/sbin/ipvsadm-restore -> $(SEC_CRIT) ; | ||
392 | #/sbin/ipvsadm-save -> $(SEC_CRIT) ; | ||
393 | /sbin/ipx_configure -> $(SEC_CRIT) ; | ||
394 | /sbin/ipx_interface -> $(SEC_CRIT) ; | ||
395 | /sbin/ipx_internal_net -> $(SEC_CRIT) ; | ||
396 | /sbin/iwconfig -> $(SEC_CRIT) ; | ||
397 | /sbin/iwgetid -> $(SEC_CRIT) ; | ||
398 | /sbin/iwlist -> $(SEC_CRIT) ; | ||
399 | /sbin/iwpriv -> $(SEC_CRIT) ; | ||
400 | /sbin/iwspy -> $(SEC_CRIT) ; | ||
401 | /sbin/mgetty -> $(SEC_CRIT) ; | ||
402 | /sbin/mingetty -> $(SEC_CRIT) ; | ||
403 | /sbin/nameif -> $(SEC_CRIT) ; | ||
404 | /sbin/netreport -> $(SEC_CRIT) ; | ||
405 | /sbin/plipconfig -> $(SEC_CRIT) ; | ||
406 | /sbin/portmap -> $(SEC_CRIT) ; | ||
407 | /sbin/ppp-watch -> $(SEC_CRIT) ; | ||
408 | #/sbin/rarp -> $(SEC_CRIT) ; | ||
409 | /sbin/route -> $(SEC_CRIT) ; | ||
410 | /sbin/slattach -> $(SEC_CRIT) ; | ||
411 | /sbin/tc -> $(SEC_CRIT) ; | ||
412 | #/sbin/uugetty -> $(SEC_CRIT) ; | ||
413 | /sbin/vgetty -> $(SEC_CRIT) ; | ||
414 | /sbin/ypbind -> $(SEC_CRIT) ; | ||
415 | } | ||
416 | |||
417 | ################################## | ||
418 | # ## | ||
419 | ################################## # | ||
420 | # # # | ||
421 | # System Administration Programs # # | ||
422 | # ## | ||
423 | ################################## | ||
424 | |||
425 | ( | ||
426 | rulename = "System Administration Programs", | ||
427 | severity = $(SIG_HI) | ||
428 | ) | ||
429 | { | ||
430 | /sbin/chkconfig -> $(SEC_CRIT) ; | ||
431 | /sbin/fuser -> $(SEC_CRIT) ; | ||
432 | /sbin/halt -> $(SEC_CRIT) ; | ||
433 | /sbin/init -> $(SEC_CRIT) ; | ||
434 | /sbin/initlog -> $(SEC_CRIT) ; | ||
435 | /sbin/install-info -> $(SEC_CRIT) ; | ||
436 | /sbin/killall5 -> $(SEC_CRIT) ; | ||
437 | #/sbin/linuxconf -> $(SEC_CRIT) ; | ||
438 | #/sbin/linuxconf-auth -> $(SEC_CRIT) ; | ||
439 | /sbin/pam_tally -> $(SEC_CRIT) ; | ||
440 | /sbin/pwdb_chkpwd -> $(SEC_CRIT) ; | ||
441 | #/sbin/remadmin -> $(SEC_CRIT) ; | ||
442 | /sbin/rescuept -> $(SEC_CRIT) ; | ||
443 | /sbin/rmt -> $(SEC_CRIT) ; | ||
444 | /sbin/rpc.lockd -> $(SEC_CRIT) ; | ||
445 | /sbin/rpc.statd -> $(SEC_CRIT) ; | ||
446 | /sbin/rpcdebug -> $(SEC_CRIT) ; | ||
447 | /sbin/service -> $(SEC_CRIT) ; | ||
448 | /sbin/setsysfont -> $(SEC_CRIT) ; | ||
449 | /sbin/shutdown -> $(SEC_CRIT) ; | ||
450 | /sbin/sulogin -> $(SEC_CRIT) ; | ||
451 | /sbin/swapon -> $(SEC_CRIT) ; | ||
452 | /sbin/syslogd -> $(SEC_CRIT) ; | ||
453 | /sbin/unix_chkpwd -> $(SEC_CRIT) ; | ||
454 | /bin/pwd -> $(SEC_CRIT) ; | ||
455 | /bin/uname -> $(SEC_CRIT) ; | ||
456 | } | ||
457 | |||
458 | ######################################## | ||
459 | # ## | ||
460 | ######################################## # | ||
461 | # # # | ||
462 | # Hardware and Device Control Programs # # | ||
463 | # ## | ||
464 | ######################################## | ||
465 | ( | ||
466 | rulename = "Hardware and Device Control Programs", | ||
467 | severity = $(SIG_HI) | ||
468 | ) | ||
469 | { | ||
470 | /bin/setserial -> $(SEC_CRIT) ; | ||
471 | /bin/sfxload -> $(SEC_CRIT) ; | ||
472 | /sbin/blockdev -> $(SEC_CRIT) ; | ||
473 | /sbin/cardctl -> $(SEC_CRIT) ; | ||
474 | /sbin/cardmgr -> $(SEC_CRIT) ; | ||
475 | /sbin/cbq -> $(SEC_CRIT) ; | ||
476 | /sbin/dump_cis -> $(SEC_CRIT) ; | ||
477 | /sbin/elvtune -> $(SEC_CRIT) ; | ||
478 | /sbin/hotplug -> $(SEC_CRIT) ; | ||
479 | /sbin/hwclock -> $(SEC_CRIT) ; | ||
480 | /sbin/ide_info -> $(SEC_CRIT) ; | ||
481 | #/sbin/isapnp -> $(SEC_CRIT) ; | ||
482 | /sbin/kbdrate -> $(SEC_CRIT) ; | ||
483 | /sbin/losetup -> $(SEC_CRIT) ; | ||
484 | /sbin/lspci -> $(SEC_CRIT) ; | ||
485 | /sbin/lspnp -> $(SEC_CRIT) ; | ||
486 | /sbin/mii-tool -> $(SEC_CRIT) ; | ||
487 | /sbin/pack_cis -> $(SEC_CRIT) ; | ||
488 | #/sbin/pnpdump -> $(SEC_CRIT) ; | ||
489 | /sbin/probe -> $(SEC_CRIT) ; | ||
490 | /sbin/pump -> $(SEC_CRIT) ; | ||
491 | /sbin/setpci -> $(SEC_CRIT) ; | ||
492 | /sbin/shapecfg -> $(SEC_CRIT) ; | ||
493 | } | ||
494 | |||
495 | ############################### | ||
496 | # ## | ||
497 | ############################### # | ||
498 | # # # | ||
499 | # System Information Programs # # | ||
500 | # ## | ||
501 | ############################### | ||
502 | ( | ||
503 | rulename = "System Information Programs", | ||
504 | severity = $(SIG_HI) | ||
505 | ) | ||
506 | { | ||
507 | /sbin/consoletype -> $(SEC_CRIT) ; | ||
508 | /sbin/kernelversion -> $(SEC_CRIT) ; | ||
509 | /sbin/runlevel -> $(SEC_CRIT) ; | ||
510 | } | ||
511 | |||
512 | #################################### | ||
513 | # ## | ||
514 | #################################### # | ||
515 | # # # | ||
516 | # Application Information Programs # # | ||
517 | # ## | ||
518 | #################################### | ||
519 | |||
520 | ( | ||
521 | rulename = "Application Information Programs", | ||
522 | severity = $(SIG_HI) | ||
523 | ) | ||
524 | { | ||
525 | /sbin/genksyms -> $(SEC_CRIT) ; | ||
526 | #/sbin/genksyms.old -> $(SEC_CRIT) ; | ||
527 | /sbin/rtmon -> $(SEC_CRIT) ; | ||
528 | } | ||
529 | |||
530 | ########################## | ||
531 | # ## | ||
532 | ########################## # | ||
533 | # # # | ||
534 | # Shell Related Programs # # | ||
535 | # ## | ||
536 | ########################## | ||
537 | ( | ||
538 | rulename = "Shell Related Programs", | ||
539 | severity = $(SIG_HI) | ||
540 | ) | ||
541 | { | ||
542 | /sbin/getkey -> $(SEC_CRIT) ; | ||
543 | /sbin/nash -> $(SEC_CRIT) ; | ||
544 | /sbin/sash -> $(SEC_CRIT) ; | ||
545 | } | ||
546 | |||
547 | |||
548 | ################ | ||
549 | # ## | ||
550 | ################ # | ||
551 | # # # | ||
552 | # OS Utilities # # | ||
553 | # ## | ||
554 | ################ | ||
555 | ( | ||
556 | rulename = "Operating System Utilities", | ||
557 | severity = $(SIG_HI) | ||
558 | ) | ||
559 | { | ||
560 | /bin/arch -> $(SEC_CRIT) ; | ||
561 | /bin/ash -> $(SEC_CRIT) ; | ||
562 | /bin/ash.static -> $(SEC_CRIT) ; | ||
563 | /bin/aumix-minimal -> $(SEC_CRIT) ; | ||
564 | /bin/basename -> $(SEC_CRIT) ; | ||
565 | /bin/cat -> $(SEC_CRIT) ; | ||
566 | /bin/consolechars -> $(SEC_CRIT) ; | ||
567 | /bin/cut -> $(SEC_CRIT) ; | ||
568 | /bin/date -> $(SEC_CRIT) ; | ||
569 | /bin/dd -> $(SEC_CRIT) ; | ||
570 | /bin/df -> $(SEC_CRIT) ; | ||
571 | /bin/dmesg -> $(SEC_CRIT) ; | ||
572 | /bin/doexec -> $(SEC_CRIT) ; | ||
573 | /bin/echo -> $(SEC_CRIT) ; | ||
574 | /bin/ed -> $(SEC_CRIT) ; | ||
575 | /bin/egrep -> $(SEC_CRIT) ; | ||
576 | /bin/false -> $(SEC_CRIT) ; | ||
577 | /bin/fgrep -> $(SEC_CRIT) ; | ||
578 | /bin/gawk -> $(SEC_CRIT) ; | ||
579 | /bin/gawk-3.1.0 -> $(SEC_CRIT) ; | ||
580 | /bin/gettext -> $(SEC_CRIT) ; | ||
581 | /bin/grep -> $(SEC_CRIT) ; | ||
582 | /bin/gunzip -> $(SEC_CRIT) ; | ||
583 | /bin/gzip -> $(SEC_CRIT) ; | ||
584 | /bin/hostname -> $(SEC_CRIT) ; | ||
585 | /bin/igawk -> $(SEC_CRIT) ; | ||
586 | /bin/ipcalc -> $(SEC_CRIT) ; | ||
587 | /bin/kill -> $(SEC_CRIT) ; | ||
588 | /bin/ln -> $(SEC_CRIT) ; | ||
589 | /bin/loadkeys -> $(SEC_CRIT) ; | ||
590 | /bin/login -> $(SEC_CRIT) ; | ||
591 | /bin/ls -> $(SEC_CRIT) ; | ||
592 | /bin/mail -> $(SEC_CRIT) ; | ||
593 | /bin/more -> $(SEC_CRIT) ; | ||
594 | /bin/mt -> $(SEC_CRIT) ; | ||
595 | /bin/mv -> $(SEC_CRIT) ; | ||
596 | /bin/netstat -> $(SEC_CRIT) ; | ||
597 | /bin/nice -> $(SEC_CRIT) ; | ||
598 | /bin/pgawk -> $(SEC_CRIT) ; | ||
599 | /bin/ps -> $(SEC_CRIT) ; | ||
600 | /bin/rpm -> $(SEC_CRIT) ; | ||
601 | /bin/sed -> $(SEC_CRIT) ; | ||
602 | /bin/sleep -> $(SEC_CRIT) ; | ||
603 | /bin/sort -> $(SEC_CRIT) ; | ||
604 | /bin/stty -> $(SEC_CRIT) ; | ||
605 | /bin/su -> $(SEC_CRIT) ; | ||
606 | /bin/sync -> $(SEC_CRIT) ; | ||
607 | /bin/tar -> $(SEC_CRIT) ; | ||
608 | /bin/true -> $(SEC_CRIT) ; | ||
609 | /bin/usleep -> $(SEC_CRIT) ; | ||
610 | /bin/vi -> $(SEC_CRIT) ; | ||
611 | /bin/zcat -> $(SEC_CRIT) ; | ||
612 | /bin/zsh -> $(SEC_CRIT) ; | ||
613 | #/bin/zsh-4.0.2 -> $(SEC_CRIT) ; | ||
614 | /sbin/sln -> $(SEC_CRIT) ; | ||
615 | /usr/bin/vimtutor -> $(SEC_CRIT) ; | ||
616 | } | ||
617 | |||
618 | ############################## | ||
619 | # ## | ||
620 | ############################## # | ||
621 | # # # | ||
622 | # Critical Utility Sym-Links # # | ||
623 | # ## | ||
624 | ############################## | ||
625 | ( | ||
626 | rulename = "Critical Utility Sym-Links", | ||
627 | severity = $(SIG_HI) | ||
628 | ) | ||
629 | { | ||
630 | #/sbin/askrunlevel -> $(SEC_CRIT) ; | ||
631 | /sbin/clock -> $(SEC_CRIT) ; | ||
632 | #/sbin/fixperm -> $(SEC_CRIT) ; | ||
633 | /sbin/fsck.reiserfs -> $(SEC_CRIT) ; | ||
634 | #/sbin/fsconf -> $(SEC_CRIT) ; | ||
635 | /sbin/ipfwadm-wrapper -> $(SEC_CRIT) ; | ||
636 | /sbin/kallsyms -> $(SEC_CRIT) ; | ||
637 | /sbin/ksyms -> $(SEC_CRIT) ; | ||
638 | /sbin/lsmod -> $(SEC_CRIT) ; | ||
639 | #/sbin/mailconf -> $(SEC_CRIT) ; | ||
640 | /sbin/mkfs.reiserfs -> $(SEC_CRIT) ; | ||
641 | #/sbin/modemconf -> $(SEC_CRIT) ; | ||
642 | /sbin/modprobe -> $(SEC_CRIT) ; | ||
643 | /sbin/mount.ncp -> $(SEC_CRIT) ; | ||
644 | /sbin/mount.ncpfs -> $(SEC_CRIT) ; | ||
645 | /sbin/mount.smb -> $(SEC_CRIT) ; | ||
646 | /sbin/mount.smbfs -> $(SEC_CRIT) ; | ||
647 | #/sbin/netconf -> $(SEC_CRIT) ; | ||
648 | /sbin/pidof -> $(SEC_CRIT) ; | ||
649 | /sbin/poweroff -> $(SEC_CRIT) ; | ||
650 | /sbin/quotaoff -> $(SEC_CRIT) ; | ||
651 | /sbin/raid0run -> $(SEC_CRIT) ; | ||
652 | /sbin/raidhotadd -> $(SEC_CRIT) ; | ||
653 | /sbin/raidhotgenerateerror -> $(SEC_CRIT) ; | ||
654 | /sbin/raidhotremove -> $(SEC_CRIT) ; | ||
655 | /sbin/raidstop -> $(SEC_CRIT) ; | ||
656 | /sbin/rdump -> $(SEC_CRIT) ; | ||
657 | /sbin/rdump.static -> $(SEC_CRIT) ; | ||
658 | /sbin/reboot -> $(SEC_CRIT) ; | ||
659 | /sbin/rmmod -> $(SEC_CRIT) ; | ||
660 | /sbin/rrestore -> $(SEC_CRIT) ; | ||
661 | /sbin/rrestore.static -> $(SEC_CRIT) ; | ||
662 | /sbin/swapoff -> $(SEC_CRIT) ; | ||
663 | /sbin/telinit -> $(SEC_CRIT) ; | ||
664 | #/sbin/userconf -> $(SEC_CRIT) ; | ||
665 | #/sbin/uucpconf -> $(SEC_CRIT) ; | ||
666 | #/sbin/vregistry -> $(SEC_CRIT) ; | ||
667 | /bin/awk -> $(SEC_CRIT) ; | ||
668 | /bin/bash2 -> $(SEC_CRIT) ; | ||
669 | /bin/bsh -> $(SEC_CRIT) ; | ||
670 | /bin/csh -> $(SEC_CRIT) ; | ||
671 | /bin/dnsdomainname -> $(SEC_CRIT) ; | ||
672 | /bin/domainname -> $(SEC_CRIT) ; | ||
673 | /bin/ex -> $(SEC_CRIT) ; | ||
674 | /bin/gtar -> $(SEC_CRIT) ; | ||
675 | /bin/nisdomainname -> $(SEC_CRIT) ; | ||
676 | /bin/red -> $(SEC_CRIT) ; | ||
677 | /bin/rvi -> $(SEC_CRIT) ; | ||
678 | /bin/rview -> $(SEC_CRIT) ; | ||
679 | /bin/view -> $(SEC_CRIT) ; | ||
680 | /bin/ypdomainname -> $(SEC_CRIT) ; | ||
681 | } | ||
682 | |||
683 | |||
684 | ######################### | ||
685 | # ## | ||
686 | ######################### # | ||
687 | # # # | ||
688 | # Temporary directories # # | ||
689 | # ## | ||
690 | ######################### | ||
691 | ( | ||
692 | rulename = "Temporary directories", | ||
693 | recurse = false, | ||
694 | severity = $(SIG_LOW) | ||
695 | ) | ||
696 | { | ||
697 | /usr/tmp -> $(SEC_INVARIANT) ; | ||
698 | /var/tmp -> $(SEC_INVARIANT) ; | ||
699 | /tmp -> $(SEC_INVARIANT) ; | ||
700 | } | ||
701 | |||
702 | ############### | ||
703 | # ## | ||
704 | ############### # | ||
705 | # # # | ||
706 | # Local files # # | ||
707 | # ## | ||
708 | ############### | ||
709 | ( | ||
710 | rulename = "User binaries", | ||
711 | severity = $(SIG_MED) | ||
712 | ) | ||
713 | { | ||
714 | /sbin -> $(SEC_BIN) (recurse = 1) ; | ||
715 | /usr/bin -> $(SEC_BIN) (recurse = 1) ; | ||
716 | /usr/sbin -> $(SEC_BIN) (recurse = 1) ; | ||
717 | /usr/local/bin -> $(SEC_BIN) (recurse = 1) ; | ||
718 | } | ||
719 | |||
720 | ( | ||
721 | rulename = "Shell Binaries", | ||
722 | severity = $(SIG_HI) | ||
723 | ) | ||
724 | { | ||
725 | /bin/bash -> $(SEC_BIN) ; | ||
726 | /bin/ksh -> $(SEC_BIN) ; | ||
727 | # /bin/psh -> $(SEC_BIN) ; # No longer used? | ||
728 | # /bin/Rsh -> $(SEC_BIN) ; # No longer used? | ||
729 | /bin/sh -> $(SEC_BIN) ; | ||
730 | # /bin/shell -> $(SEC_SUID) ; # No longer used? | ||
731 | # /bin/tsh -> $(SEC_BIN) ; # No longer used? | ||
732 | /bin/tcsh -> $(SEC_BIN) ; | ||
733 | /sbin/nologin -> $(SEC_BIN) ; | ||
734 | } | ||
735 | |||
736 | ( | ||
737 | rulename = "Security Control", | ||
738 | severity = $(SIG_HI) | ||
739 | ) | ||
740 | { | ||
741 | /etc/group -> $(SEC_CRIT) ; | ||
742 | /etc/security -> $(SEC_CRIT) ; | ||
743 | #/var/spool/cron/crontabs -> $(SEC_CRIT) ; # Uncomment when this file exists | ||
744 | } | ||
745 | |||
746 | #( | ||
747 | # rulename = "Boot Scripts", | ||
748 | # severity = $(SIG_HI) | ||
749 | #) | ||
750 | #{ | ||
751 | # /etc/rc -> $(SEC_CONFIG) ; | ||
752 | # /etc/rc.bsdnet -> $(SEC_CONFIG) ; | ||
753 | # /etc/rc.dt -> $(SEC_CONFIG) ; | ||
754 | # /etc/rc.net -> $(SEC_CONFIG) ; | ||
755 | # /etc/rc.net.serial -> $(SEC_CONFIG) ; | ||
756 | # /etc/rc.nfs -> $(SEC_CONFIG) ; | ||
757 | # /etc/rc.powerfail -> $(SEC_CONFIG) ; | ||
758 | # /etc/rc.tcpip -> $(SEC_CONFIG) ; | ||
759 | # /etc/trcfmt.Z -> $(SEC_CONFIG) ; | ||
760 | #} | ||
761 | |||
762 | ( | ||
763 | rulename = "Login Scripts", | ||
764 | severity = $(SIG_HI) | ||
765 | ) | ||
766 | { | ||
767 | /etc/bashrc -> $(SEC_CONFIG) ; | ||
768 | /etc/csh.cshrc -> $(SEC_CONFIG) ; | ||
769 | /etc/csh.login -> $(SEC_CONFIG) ; | ||
770 | /etc/inputrc -> $(SEC_CONFIG) ; | ||
771 | # /etc/tsh_profile -> $(SEC_CONFIG) ; #Uncomment when this file exists | ||
772 | /etc/profile -> $(SEC_CONFIG) ; | ||
773 | } | ||
774 | |||
775 | # Libraries | ||
776 | ( | ||
777 | rulename = "Libraries", | ||
778 | severity = $(SIG_MED) | ||
779 | ) | ||
780 | { | ||
781 | /usr/lib -> $(SEC_BIN) ; | ||
782 | /usr/local/lib -> $(SEC_BIN) ; | ||
783 | } | ||
784 | |||
785 | |||
786 | ###################################################### | ||
787 | # ## | ||
788 | ###################################################### # | ||
789 | # # # | ||
790 | # Critical System Boot Files # # | ||
791 | # These files are critical to a correct system boot. # # | ||
792 | # ## | ||
793 | ###################################################### | ||
794 | |||
795 | ( | ||
796 | rulename = "Critical system boot files", | ||
797 | severity = $(SIG_HI) | ||
798 | ) | ||
799 | { | ||
800 | /boot -> $(SEC_CRIT) ; | ||
801 | #/sbin/devfsd -> $(SEC_CRIT) ; | ||
802 | /sbin/grub -> $(SEC_CRIT) ; | ||
803 | /sbin/grub-install -> $(SEC_CRIT) ; | ||
804 | /sbin/grub-md5-crypt -> $(SEC_CRIT) ; | ||
805 | /sbin/installkernel -> $(SEC_CRIT) ; | ||
806 | /sbin/lilo -> $(SEC_CRIT) ; | ||
807 | /sbin/mkkerneldoth -> $(SEC_CRIT) ; | ||
808 | !/boot/System.map ; | ||
809 | !/boot/module-info ; | ||
810 | /usr/share/grub/i386-redhat/e2fs_stage1_5 -> $(SEC_CRIT) ; | ||
811 | /usr/share/grub/i386-redhat/fat_stage1_5 -> $(SEC_CRIT) ; | ||
812 | /usr/share/grub/i386-redhat/ffs_stage1_5 -> $(SEC_CRIT) ; | ||
813 | /usr/share/grub/i386-redhat/minix_stage1_5 -> $(SEC_CRIT) ; | ||
814 | /usr/share/grub/i386-redhat/reiserfs_stage1_5 -> $(SEC_CRIT) ; | ||
815 | /usr/share/grub/i386-redhat/stage1 -> $(SEC_CRIT) ; | ||
816 | /usr/share/grub/i386-redhat/stage2 -> $(SEC_CRIT) ; | ||
817 | /usr/share/grub/i386-redhat/vstafs_stage1_5 -> $(SEC_CRIT) ; | ||
818 | # other boot files may exist. Look for: | ||
819 | #/ufsboot -> $(SEC_CRIT) ; | ||
820 | } | ||
821 | ################################################## | ||
822 | ################################################### | ||
823 | # These files change every time the system boots ## | ||
824 | ################################################## | ||
825 | ( | ||
826 | rulename = "System boot changes", | ||
827 | severity = $(SIG_HI) | ||
828 | ) | ||
829 | { | ||
830 | !/var/run/ftp.pids-all ; # Comes and goes on reboot. | ||
831 | !/root/.enlightenment ; | ||
832 | /dev/log -> $(SEC_CONFIG) ; | ||
833 | /dev/cua0 -> $(SEC_CONFIG) ; | ||
834 | # /dev/printer -> $(SEC_CONFIG) ; # Uncomment if you have a printer device | ||
835 | /dev/console -> $(SEC_CONFIG) -u ; # User ID may change on console login/logout. | ||
836 | /dev/tty1 -> $(SEC_CONFIG) ; # tty devices | ||
837 | /dev/tty2 -> $(SEC_CONFIG) ; # tty devices | ||
838 | /dev/tty3 -> $(SEC_CONFIG) ; # are extremely | ||
839 | /dev/tty4 -> $(SEC_CONFIG) ; # variable | ||
840 | /dev/tty5 -> $(SEC_CONFIG) ; | ||
841 | /dev/tty6 -> $(SEC_CONFIG) ; | ||
842 | /dev/urandom -> $(SEC_CONFIG) ; | ||
843 | /dev/initctl -> $(SEC_CONFIG) ; | ||
844 | /var/lock/subsys -> $(SEC_CONFIG) ; | ||
845 | #/var/lock/subsys/amd -> $(SEC_CONFIG) ; | ||
846 | /var/lock/subsys/anacron -> $(SEC_CONFIG) ; | ||
847 | /var/lock/subsys/apmd -> $(SEC_CONFIG) ; | ||
848 | #/var/lock/subsys/arpwatch -> $(SEC_CONFIG) ; | ||
849 | /var/lock/subsys/atd -> $(SEC_CONFIG) ; | ||
850 | /var/lock/subsys/autofs -> $(SEC_CONFIG) ; | ||
851 | #/var/lock/subsys/bcm5820 -> $(SEC_CONFIG) ; | ||
852 | #/var/lock/subsys/bgpd -> $(SEC_CONFIG) ; | ||
853 | #/var/lock/subsys/bootparamd -> $(SEC_CONFIG) ; | ||
854 | #/var/lock/subsys/canna -> $(SEC_CONFIG) ; | ||
855 | /var/lock/subsys/crond -> $(SEC_CONFIG) ; | ||
856 | #/var/lock/subsys/cWnn -> $(SEC_CONFIG) ; | ||
857 | #/var/lock/subsys/dhcpd -> $(SEC_CONFIG) ; | ||
858 | #/var/lock/subsys/firewall -> $(SEC_CONFIG) ; | ||
859 | #/var/lock/subsys/freeWnn -> $(SEC_CONFIG) ; | ||
860 | #/var/lock/subsys/gated -> $(SEC_CONFIG) ; | ||
861 | /var/lock/subsys/gpm -> $(SEC_CONFIG) ; | ||
862 | #/var/lock/subsys/httpd -> $(SEC_CONFIG) ; | ||
863 | #/var/lock/subsys/identd -> $(SEC_CONFIG) ; | ||
864 | #/var/lock/subsys/innd -> $(SEC_CONFIG) ; | ||
865 | /var/lock/subsys/ipchains -> $(SEC_CONFIG) ; | ||
866 | #/var/lock/subsys/iptables -> $(SEC_CONFIG) ; | ||
867 | #/var/lock/subsys/ipvsadm -> $(SEC_CONFIG) ; | ||
868 | #/var/lock/subsys/irda -> $(SEC_CONFIG) ; | ||
869 | #/var/lock/subsys/iscsi -> $(SEC_CONFIG) ; | ||
870 | #/var/lock/subsys/isdn -> $(SEC_CONFIG) ; | ||
871 | #/var/lock/subsys/junkbuster -> $(SEC_CONFIG) ; | ||
872 | #/var/lock/subsys/kadmin -> $(SEC_CONFIG) ; | ||
873 | /var/lock/subsys/keytable -> $(SEC_CONFIG) ; | ||
874 | #/var/lock/subsys/kprop -> $(SEC_CONFIG) ; | ||
875 | #/var/lock/subsys/krb524 -> $(SEC_CONFIG) ; | ||
876 | #/var/lock/subsys/krb5kdc -> $(SEC_CONFIG) ; | ||
877 | /var/lock/subsys/kudzu -> $(SEC_CONFIG) ; | ||
878 | #/var/lock/subsys/kWnn -> $(SEC_CONFIG) ; | ||
879 | #/var/lock/subsys/ldap -> $(SEC_CONFIG) ; | ||
880 | #/var/lock/subsys/linuxconf -> $(SEC_CONFIG) ; | ||
881 | #/var/lock/subsys/lpd -> $(SEC_CONFIG) ; | ||
882 | #/var/lock/subsys/mars_nwe -> $(SEC_CONFIG) ; | ||
883 | #/var/lock/subsys/mcserv -> $(SEC_CONFIG) ; | ||
884 | #/var/lock/subsys/mysqld -> $(SEC_CONFIG) ; | ||
885 | #/var/lock/subsys/named -> $(SEC_CONFIG) ; | ||
886 | /var/lock/subsys/netfs -> $(SEC_CONFIG) ; | ||
887 | /var/lock/subsys/network -> $(SEC_CONFIG) ; | ||
888 | #/var/lock/subsys/nfs -> $(SEC_CONFIG) ; | ||
889 | /var/lock/subsys/nfslock -> $(SEC_CONFIG) ; | ||
890 | #/var/lock/subsys/nscd -> $(SEC_CONFIG) ; | ||
891 | #/var/lock/subsys/ntpd -> $(SEC_CONFIG) ; | ||
892 | #/var/lock/subsys/ospf6d -> $(SEC_CONFIG) ; | ||
893 | #/var/lock/subsys/ospfd -> $(SEC_CONFIG) ; | ||
894 | /var/lock/subsys/pcmcia -> $(SEC_CONFIG) ; | ||
895 | /var/lock/subsys/portmap -> $(SEC_CONFIG) ; | ||
896 | #/var/lock/subsys/postgresql -> $(SEC_CONFIG) ; | ||
897 | #/var/lock/subsys/pxe -> $(SEC_CONFIG) ; | ||
898 | #/var/lock/subsys/radvd -> $(SEC_CONFIG) ; | ||
899 | /var/lock/subsys/random -> $(SEC_CONFIG) ; | ||
900 | #/var/lock/subsys/rarpd -> $(SEC_CONFIG) ; | ||
901 | /var/lock/subsys/reconfig -> $(SEC_CONFIG) ; | ||
902 | /var/lock/subsys/rhnsd -> $(SEC_CONFIG) ; | ||
903 | #/var/lock/subsys/ripd -> $(SEC_CONFIG) ; | ||
904 | #/var/lock/subsys/ripngd -> $(SEC_CONFIG) ; | ||
905 | #/var/lock/subsys/routed -> $(SEC_CONFIG) ; | ||
906 | #/var/lock/subsys/rstatd -> $(SEC_CONFIG) ; | ||
907 | #/var/lock/subsys/rusersd -> $(SEC_CONFIG) ; | ||
908 | #/var/lock/subsys/rwalld -> $(SEC_CONFIG) ; | ||
909 | #/var/lock/subsys/rwhod -> $(SEC_CONFIG) ; | ||
910 | /var/lock/subsys/sendmail -> $(SEC_CONFIG) ; | ||
911 | #/var/lock/subsys/smb -> $(SEC_CONFIG) ; | ||
912 | #/var/lock/subsys/snmpd -> $(SEC_CONFIG) ; | ||
913 | #/var/lock/subsys/squid -> $(SEC_CONFIG) ; | ||
914 | /var/lock/subsys/sshd -> $(SEC_CONFIG) ; | ||
915 | /var/lock/subsys/syslog -> $(SEC_CONFIG) ; | ||
916 | #/var/lock/subsys/tux -> $(SEC_CONFIG) ; | ||
917 | #/var/lock/subsys/tWnn -> $(SEC_CONFIG) ; | ||
918 | #/var/lock/subsys/ups -> $(SEC_CONFIG) ; | ||
919 | #/var/lock/subsys/vncserver -> $(SEC_CONFIG) ; | ||
920 | #/var/lock/subsys/wine -> $(SEC_CONFIG) ; | ||
921 | /var/lock/subsys/xfs -> $(SEC_CONFIG) ; | ||
922 | /var/lock/subsys/xinetd -> $(SEC_CONFIG) ; | ||
923 | /var/lock/subsys/ypbind -> $(SEC_CONFIG) ; | ||
924 | #/var/lock/subsys/yppasswdd -> $(SEC_CONFIG) ; | ||
925 | #/var/lock/subsys/ypserv -> $(SEC_CONFIG) ; | ||
926 | #/var/lock/subsys/ypxfrd -> $(SEC_CONFIG) ; | ||
927 | #/var/lock/subsys/zebra -> $(SEC_CONFIG) ; | ||
928 | /var/run -> $(SEC_CONFIG) ; | ||
929 | /var/log -> $(SEC_CONFIG) ; | ||
930 | /etc/ioctl.save -> $(SEC_CONFIG) ; | ||
931 | /etc/issue.net -> $(SEC_CONFIG) -i ; # Inode number changes | ||
932 | /etc/issue -> $(SEC_CONFIG) ; | ||
933 | /etc/mtab -> $(SEC_CONFIG) -i ; # Inode number changes on any mount/unmount | ||
934 | /lib/modules -> $(SEC_CONFIG) ; | ||
935 | /etc/.pwd.lock -> $(SEC_CONFIG) ; | ||
936 | # /lib/modules/preferred -> $(SEC_CONFIG) ; #Uncomment when this file exists | ||
937 | } | ||
938 | |||
939 | # These files change the behavior of the root account | ||
940 | ( | ||
941 | rulename = "Root config files", | ||
942 | severity = 100 | ||
943 | ) | ||
944 | { | ||
945 | /root -> $(SEC_CRIT) ; # Catch all additions to /root | ||
946 | #/root/.Xresources -> $(SEC_CONFIG) ; | ||
947 | /root/.bashrc -> $(SEC_CONFIG) ; | ||
948 | /root/.bash_profile -> $(SEC_CONFIG) ; | ||
949 | /root/.bash_logout -> $(SEC_CONFIG) ; | ||
950 | /root/.cshrc -> $(SEC_CONFIG) ; | ||
951 | /root/.tcshrc -> $(SEC_CONFIG) ; | ||
952 | /root/Mail -> $(SEC_CONFIG) ; | ||
953 | #/root/mail -> $(SEC_CONFIG) ; | ||
954 | #/root/.amandahosts -> $(SEC_CONFIG) ; | ||
955 | #/root/.addressbook.lu -> $(SEC_CONFIG) ; | ||
956 | #/root/.addressbook -> $(SEC_CONFIG) ; | ||
957 | /root/.bash_history -> $(SEC_CONFIG) ; | ||
958 | /root/.elm -> $(SEC_CONFIG) ; | ||
959 | #/root/.esd_auth -> $(SEC_CONFIG) ; | ||
960 | /root/.gnome_private -> $(SEC_CONFIG) ; | ||
961 | /root/.gnome-desktop -> $(SEC_CONFIG) ; | ||
962 | /root/.gnome -> $(SEC_CONFIG) ; | ||
963 | /root/.ICEauthority -> $(SEC_CONFIG) ; | ||
964 | #/root/.mc -> $(SEC_CONFIG) ; | ||
965 | #/root/.pinerc -> $(SEC_CONFIG) ; | ||
966 | /root/.sawfish -> $(SEC_CONFIG) ; | ||
967 | /root/.Xauthority -> $(SEC_CONFIG) -i ; # Changes Inode number on login | ||
968 | #/root/.xauth -> $(SEC_CONFIG) ; | ||
969 | /root/.xsession-errors -> $(SEC_CONFIG) ; | ||
970 | } | ||
971 | |||
972 | ################################ | ||
973 | # ## | ||
974 | ################################ # | ||
975 | # # # | ||
976 | # Critical configuration files # # | ||
977 | # ## | ||
978 | ################################ | ||
979 | ( | ||
980 | rulename = "Critical configuration files", | ||
981 | severity = $(SIG_HI) | ||
982 | ) | ||
983 | { | ||
984 | #/etc/conf.linuxconf -> $(SEC_BIN) ; | ||
985 | /etc/crontab -> $(SEC_BIN) ; | ||
986 | /etc/cron.hourly -> $(SEC_BIN) ; | ||
987 | /etc/cron.daily -> $(SEC_BIN) ; | ||
988 | /etc/cron.weekly -> $(SEC_BIN) ; | ||
989 | /etc/cron.monthly -> $(SEC_BIN) ; | ||
990 | /etc/default -> $(SEC_BIN) ; | ||
991 | /etc/fstab -> $(SEC_BIN) ; | ||
992 | /etc/exports -> $(SEC_BIN) ; | ||
993 | /etc/group- -> $(SEC_BIN) ; # changes should be infrequent | ||
994 | /etc/host.conf -> $(SEC_BIN) ; | ||
995 | /etc/hosts.allow -> $(SEC_BIN) ; | ||
996 | /etc/hosts.deny -> $(SEC_BIN) ; | ||
997 | /etc/httpd/conf -> $(SEC_BIN) ; # changes should be infrequent | ||
998 | /etc/protocols -> $(SEC_BIN) ; | ||
999 | /etc/services -> $(SEC_BIN) ; | ||
1000 | /etc/rc.d/init.d -> $(SEC_BIN) ; | ||
1001 | /etc/rc.d -> $(SEC_BIN) ; | ||
1002 | /etc/mail.rc -> $(SEC_BIN) ; | ||
1003 | /etc/modules.conf -> $(SEC_BIN) ; | ||
1004 | /etc/motd -> $(SEC_BIN) ; | ||
1005 | /etc/named.conf -> $(SEC_BIN) ; | ||
1006 | /etc/passwd -> $(SEC_CONFIG) ; | ||
1007 | /etc/passwd- -> $(SEC_CONFIG) ; | ||
1008 | /etc/profile.d -> $(SEC_BIN) ; | ||
1009 | /var/lib/nfs/rmtab -> $(SEC_BIN) ; | ||
1010 | /usr/sbin/fixrmtab -> $(SEC_BIN) ; | ||
1011 | /etc/rpc -> $(SEC_BIN) ; | ||
1012 | /etc/sysconfig -> $(SEC_BIN) ; | ||
1013 | /etc/samba/smb.conf -> $(SEC_CONFIG) ; | ||
1014 | #/etc/gettydefs -> $(SEC_BIN) ; | ||
1015 | /etc/nsswitch.conf -> $(SEC_BIN) ; | ||
1016 | /etc/yp.conf -> $(SEC_BIN) ; | ||
1017 | /etc/hosts -> $(SEC_CONFIG) ; | ||
1018 | /etc/xinetd.conf -> $(SEC_CONFIG) ; | ||
1019 | /etc/inittab -> $(SEC_CONFIG) ; | ||
1020 | /etc/resolv.conf -> $(SEC_CONFIG) ; | ||
1021 | /etc/syslog.conf -> $(SEC_CONFIG) ; | ||
1022 | } | ||
1023 | |||
1024 | #################### | ||
1025 | # ## | ||
1026 | #################### # | ||
1027 | # # # | ||
1028 | # Critical devices # # | ||
1029 | # ## | ||
1030 | #################### | ||
1031 | ( | ||
1032 | rulename = "Critical devices", | ||
1033 | severity = $(SIG_HI), | ||
1034 | recurse = false | ||
1035 | ) | ||
1036 | { | ||
1037 | /dev/kmem -> $(Device) ; | ||
1038 | /dev/mem -> $(Device) ; | ||
1039 | /dev/null -> $(Device) ; | ||
1040 | /dev/zero -> $(Device) ; | ||
1041 | /proc/devices -> $(Device) ; | ||
1042 | /proc/net -> $(Device) ; | ||
1043 | /proc/sys -> $(Device) ; | ||
1044 | /proc/cpuinfo -> $(Device) ; | ||
1045 | /proc/modules -> $(Device) ; | ||
1046 | /proc/mounts -> $(Device) ; | ||
1047 | /proc/dma -> $(Device) ; | ||
1048 | /proc/filesystems -> $(Device) ; | ||
1049 | /proc/pci -> $(Device) ; | ||
1050 | /proc/interrupts -> $(Device) ; | ||
1051 | /proc/driver/rtc -> $(Device) ; | ||
1052 | /proc/ioports -> $(Device) ; | ||
1053 | #/proc/scsi -> $(Device) ; | ||
1054 | /proc/kcore -> $(Device) ; | ||
1055 | /proc/self -> $(Device) ; | ||
1056 | /proc/kmsg -> $(Device) ; | ||
1057 | /proc/stat -> $(Device) ; | ||
1058 | /proc/ksyms -> $(Device) ; | ||
1059 | /proc/loadavg -> $(Device) ; | ||
1060 | /proc/uptime -> $(Device) ; | ||
1061 | /proc/locks -> $(Device) ; | ||
1062 | /proc/version -> $(Device) ; | ||
1063 | /proc/mdstat -> $(Device) ; | ||
1064 | /proc/meminfo -> $(Device) ; | ||
1065 | /proc/cmdline -> $(Device) ; | ||
1066 | /proc/misc -> $(Device) ; | ||
1067 | } | ||
1068 | |||
1069 | # Rest of critical system binaries | ||
1070 | ( | ||
1071 | rulename = "OS executables and libraries", | ||
1072 | severity = $(SIG_HI) | ||
1073 | ) | ||
1074 | { | ||
1075 | /bin -> $(SEC_BIN) ; | ||
1076 | /lib -> $(SEC_BIN) ; | ||
1077 | } | ||
1078 | |||
1079 | #============================================================================= | ||
1080 | # | ||
1081 | # Copyright 2000 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, | ||
1082 | # Inc. in the United States and other countries. All rights reserved. | ||
1083 | # | ||
1084 | # Linux is a registered trademark of Linus Torvalds. | ||
1085 | # | ||
1086 | # UNIX is a registered trademark of The Open Group. | ||
1087 | # | ||
1088 | #============================================================================= | ||
1089 | # | ||
1090 | # Permission is granted to make and distribute verbatim copies of this document | ||
1091 | # provided the copyright notice and this permission notice are preserved on all | ||
1092 | # copies. | ||
1093 | # | ||
1094 | # Permission is granted to copy and distribute modified versions of this | ||
1095 | # document under the conditions for verbatim copying, provided that the entire | ||
1096 | # resulting derived work is distributed under the terms of a permission notice | ||
1097 | # identical to this one. | ||
1098 | # | ||
1099 | # Permission is granted to copy and distribute translations of this document | ||
1100 | # into another language, under the above conditions for modified versions, | ||
1101 | # except that this permission notice may be stated in a translation approved by | ||
1102 | # Tripwire, Inc. | ||
1103 | # | ||
1104 | # DCM | ||
1105 | # | ||
1106 | # $Id: twpol-GENERIC.txt,v 1.1 2003/06/08 02:00:06 pherman Exp $ | ||
1107 | # | ||