# identifier: tripwire IDS policy input file
# host: Fedora Core release 1 (Yarrow)
# version: 2.3.1-19.fdr.1
# maintainer: Keith G. Robertson-Turner <tripwire-devel[AT]genesis-x.nildram.co.uk>
# validator: unvalidated
# date: Tue Jun 15 17:09:21 BST 2004
# description:
# This is an example Tripwire Policy input file. It is intended as the
# starting point to creating your own custom Tripwire Policy. Referring
# to it, as well as the Tripwire Policy Guide, should give you enough
# information to make a good custom Tripwire Policy that better fits
# your configuration and security needs. This text version will be used
# by tripwire as input to create a proprietary type of file called a
# Tripwire Policy file, which will then be signed for further security.
# It is recommended that once you complete the creation of the Policy
# file, you move this plaintext version to a secure location (possibly
# on removable media) or encrypt the file using a tool such as GPG. You
# should also do this for the Tripwire plaintext configuration file
# (twcfg.txt) once you have finished setting up the Policy.
#
# Note that this file is tuned to an "everything" install of Fedora
# Linux. If run unmodified, this file should create no errors on
# database creation, or violations on a subsequent integrity check.
# However, it is impossible for there to be one policy file for all
# machines, so this existing one errs on the side of security. Your
# Linux configuration will most likely differ from the one our policy
# file was tuned to, and will therefore require some editing of the
# default Tripwire Policy file. The example policy file is best run
# with "Loose Directory Checking" enabled.
#
# Set LOOSEDIRECTORYCHECKING=TRUE in the Tripwire Configuration file.
#
# Note - legacy entries (which are commented out) are included for
# historical reasons only, and are overdue for removal. They will
# likely disappear from future releases.
#
# The following info is only really useful for non-RPM distributions:
#
# Email support is not included and must be added to this file. Add the
# "emailto=" to the rule directive section of each rule (add a comma
# after the "severity=" line and add an "emailto=" and include the
# email addresses you want the violation reports to go to). Addresses
# are semi-colon delimited.
#
# If you installed from the Fedora RPM, a cron job has already been set
# up for you. Tripwire will perform an integrity check once every day,
# and the generated report will be emailed to root. In this case, you
# do not need to perform the steps in the previous paragraph.
# policy:
# Global Variable Definitions
@@section GLOBAL
TWROOT=/usr/sbin;
TWBIN=/usr/sbin;
TWPOL="/etc/tripwire";
TWDB="/var/lib/tripwire";
TWSKEY="/etc/tripwire";
TWLKEY="/etc/tripwire";
TWREPORT="/var/lib/tripwire/report";
HOSTNAME=new-irods-rhel78-dev;
@@section FS
SEC_CRIT = $(IgnoreNone)-SHa ; # Critical files that cannot change
SEC_SUID = $(IgnoreNone)-SHa ; # Binaries with the SUID or SGID flags set
SEC_BIN = $(ReadOnly) ; # Binaries that should not change
SEC_CONFIG = $(Dynamic) ; # Config files that are changed infrequently but accessed often
SEC_LOG = $(Growing) ; # Files that grow, but that should never change ownership
SEC_INVARIANT = +tpug ; # Directories that should never change permission or ownership
SIG_LOW = 33 ; # Non-critical files that are of minimal security impact
SIG_MED = 66 ; # Non-critical files that are of significant security impact
SIG_HI = 100 ; # Critical files that are significant points of vulnerability
# Tripwire Binaries
(
rulename = "Tripwire Binaries",
severity = $(SIG_HI)
)
{
$(TWBIN)/siggen -> $(SEC_BIN) ;
$(TWBIN)/tripwire -> $(SEC_BIN) ;
$(TWBIN)/twadmin -> $(SEC_BIN) ;
$(TWBIN)/twprint -> $(SEC_BIN) ;
}
# Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases
(
rulename = "Tripwire Data Files",
severity = $(SIG_HI)
)
{
# NOTE: We remove the inode attribute because when Tripwire creates a backup,
# it does so by renaming the old file and creating a new one (which will
# have a new inode number). Inode is left turned on for keys, which shouldn't
# ever change.
# NOTE: The first integrity check triggers this rule and each integrity check
# afterward triggers this rule until a database update is run, since the
# database file does not exist before that point.
$(TWDB) -> $(SEC_CONFIG) -i ;
$(TWPOL)/tw.pol -> $(SEC_BIN) -i ;
$(TWPOL)/tw.cfg -> $(SEC_BIN) -i ;
$(TWLKEY)/$(HOSTNAME)-local.key -> $(SEC_BIN) ;
$(TWSKEY)/site.key -> $(SEC_BIN) ;
#don't scan the individual reports
$(TWREPORT) -> $(SEC_CONFIG) (recurse=0) ;
}
# Tripwire HQ Connector Binaries
#
# This commercial product has been phased out and is no longer
# supported. This section will disappear from future releases.
#
#(
# rulename = "Tripwire HQ Connector Binaries",
# severity = $(SIG_HI)
#)
#{
# $(TWBIN)/hqagent -> $(SEC_BIN) ;
#}
#
# Tripwire HQ Connector - Configuration Files, Keys, and Logs
# Note: File locations here are different than in a stock HQ Connector
# installation. This is because Tripwire 2.3 uses a different path
# structure than Tripwire 2.2.1.
#
# You may need to update your HQ Agent configuation file (or this
# policy file) to correct the paths. We have attempted to support the
# FHS standard here by placing the HQ Agent files similarly to the way
# Tripwire 2.3 places them.
#(
# rulename = "Tripwire HQ Connector Data Files",
# severity = $(SIG_HI)
#)
#{
# NOTE: Removing the inode attribute because when Tripwire creates a
# backup it does so by renaming the old file and creating a new one
# (which will have a new inode number). Leaving inode turned on for
# keys, which shouldn't ever change.
#
# $(TWBIN)/agent.cfg -> $(SEC_BIN) -i ; # legacy
# $(TWLKEY)/authentication.key -> $(SEC_BIN) ; # legacy
# $(TWDB)/tasks.dat -> $(SEC_CONFIG) ; # legacy
# $(TWDB)/schedule.dat -> $(SEC_CONFIG) ; # legacy
#
# Uncomment if you have agent logging enabled.
#/var/log/tripwire/agent.log -> $(SEC_LOG) ; # legacy
#}
# Commonly accessed directories that should remain static with regards
# to owner and group.
(
rulename = "Invariant Directories",
severity = $(SIG_MED)
)
{
/var -> $(SEC_CRIT) ;
/home -> $(SEC_CRIT);
/etc -> $(SEC_CRIT);
/ -> $(SEC_CRIT);
/dev -> $(SEC_CRIT);
#/mnt -> $(SEC_CRIT);
/media -> $(SEC_CRIT);
/var/lib -> $(SEC_CRIT);
!/home/ralph/.cache; # not interested in application caches
!/opt/sonatype-work; # not interested in the machinations of sonatype-work area
/irods -> $(SEC_CRIT) ; # am interested in what these guys do
!/mnt; # ignore
!/proc;
!/run;
!/sys;
}
# Temporary directories.
(
rulename = "Temporary directories",
recurse = false,
severity = $(SIG_LOW)
)
{
/usr/tmp -> $(SEC_INVARIANT) ;
/var/tmp -> $(SEC_INVARIANT) ;
/tmp -> $(SEC_INVARIANT) ;
}
(
rulename = "Security Control",
severity = $(SIG_HI)
)
{
/etc/group -> $(SEC_CRIT) ;
/etc/security -> $(SEC_CRIT) ;
#/var/spool/cron/crontabs -> $(SEC_CRIT) ; # Uncomment when this file exists
}
# These files are critical to a correct system boot.
(
rulename = "Critical system boot files",
severity = $(SIG_HI)
)
{
/boot -> $(SEC_CRIT) ;
#/sbin/devfsd -> $(SEC_CRIT) ;
/sbin/grub -> $(SEC_CRIT) ;
/sbin/grub-install -> $(SEC_CRIT) ;
/sbin/grub-md5-crypt -> $(SEC_CRIT) ;
/sbin/installkernel -> $(SEC_CRIT) ;
/sbin/lilo -> $(SEC_CRIT) ;
/sbin/mkkerneldoth -> $(SEC_CRIT) ;
!/boot/System.map ;
!/boot/module-info ;
/usr/share/grub/i386-redhat/e2fs_stage1_5 -> $(SEC_CRIT) ;
/usr/share/grub/i386-redhat/fat_stage1_5 -> $(SEC_CRIT) ;
/usr/share/grub/i386-redhat/ffs_stage1_5 -> $(SEC_CRIT) ;
/usr/share/grub/i386-redhat/minix_stage1_5 -> $(SEC_CRIT) ;
/usr/share/grub/i386-redhat/reiserfs_stage1_5 -> $(SEC_CRIT) ;
/usr/share/grub/i386-redhat/stage1 -> $(SEC_CRIT) ;
/usr/share/grub/i386-redhat/stage2 -> $(SEC_CRIT) ;
/usr/share/grub/i386-redhat/vstafs_stage1_5 -> $(SEC_CRIT) ;
# other boot files may exist. Look for:
#/ufsboot -> $(SEC_CRIT) ;
}
# These files change every time the system boots.
(
rulename = "System boot changes",
severity = $(SIG_HI)
)
{
!/var/run/ftp.pids-all ; # Comes and goes on reboot.
!/root/.enlightenment ;
/dev/log -> $(SEC_CONFIG) ;
/dev/cua0 -> $(SEC_CONFIG) ;
#/dev/printer -> $(SEC_CONFIG) ; # legacy
/dev/console -> $(SEC_CONFIG) -u ; # User ID may change on console login/logout.
/dev/tty1 -> $(SEC_CONFIG) ; # tty devices
/dev/tty2 -> $(SEC_CONFIG) ; # tty devices
/dev/tty3 -> $(SEC_CONFIG) ; # are extremely
/dev/tty4 -> $(SEC_CONFIG) ; # variable
/dev/tty5 -> $(SEC_CONFIG) ;
/dev/tty6 -> $(SEC_CONFIG) ;
/dev/urandom -> $(SEC_CONFIG) ;
/dev/initctl -> $(SEC_CONFIG) ;
/var/lock -> $(SEC_CONFIG) ;
/var/lock/subsys -> $(SEC_CONFIG) ;
#/var/lock/subsys/amd -> $(SEC_CONFIG) ;
#/var/lock/subsys/anacron -> $(SEC_CONFIG) ;
/var/lock/subsys/apmd -> $(SEC_CONFIG) ;
#/var/lock/subsys/arpwatch -> $(SEC_CONFIG) ;
/var/lock/subsys/atd -> $(SEC_CONFIG) ;
#/var/lock/subsys/autofs -> $(SEC_CONFIG) ;
#/var/lock/subsys/bcm5820 -> $(SEC_CONFIG) ;
#/var/lock/subsys/bgpd -> $(SEC_CONFIG) ;
#/var/lock/subsys/bootparamd -> $(SEC_CONFIG) ;
/var/lock/subsys/canna -> $(SEC_CONFIG) ;
/var/lock/subsys/crond -> $(SEC_CONFIG) ;
#/var/lock/subsys/cWnn -> $(SEC_CONFIG) ;
#/var/lock/subsys/dhcpd -> $(SEC_CONFIG) ;
#/var/lock/subsys/firewall -> $(SEC_CONFIG) ;
#/var/lock/subsys/freeWnn -> $(SEC_CONFIG) ;
#/var/lock/subsys/gated -> $(SEC_CONFIG) ;
/var/lock/subsys/gpm -> $(SEC_CONFIG) ;
#/var/lock/subsys/httpd -> $(SEC_CONFIG) ;
#/var/lock/subsys/identd -> $(SEC_CONFIG) ;
#/var/lock/subsys/innd -> $(SEC_CONFIG) ;
#/var/lock/subsys/ipchains -> $(SEC_CONFIG) ; # legacy
/var/lock/subsys/iptables -> $(SEC_CONFIG) ;
#/var/lock/subsys/ipvsadm -> $(SEC_CONFIG) ;
#/var/lock/subsys/irda -> $(SEC_CONFIG) ;
#/var/lock/subsys/iscsi -> $(SEC_CONFIG) ;
#/var/lock/subsys/isdn -> $(SEC_CONFIG) ;
#/var/lock/subsys/junkbuster -> $(SEC_CONFIG) ; # legacy
#/var/lock/subsys/kadmin -> $(SEC_CONFIG) ;
#/var/lock/subsys/keytable -> $(SEC_CONFIG) ;
#/var/lock/subsys/kprop -> $(SEC_CONFIG) ;
#/var/lock/subsys/krb524 -> $(SEC_CONFIG) ;
#/var/lock/subsys/krb5kdc -> $(SEC_CONFIG) ;
/var/lock/subsys/kudzu -> $(SEC_CONFIG) ;
#/var/lock/subsys/kWnn -> $(SEC_CONFIG) ;
#/var/lock/subsys/ldap -> $(SEC_CONFIG) ;
#/var/lock/subsys/linuxconf -> $(SEC_CONFIG) ; # legacy
#/var/lock/subsys/lpd -> $(SEC_CONFIG) ;
#/var/lock/subsys/mars_nwe -> $(SEC_CONFIG) ;
#/var/lock/subsys/mcserv -> $(SEC_CONFIG) ;
#/var/lock/subsys/mysqld -> $(SEC_CONFIG) ;
#/var/lock/subsys/named -> $(SEC_CONFIG) ;
/var/lock/subsys/netfs -> $(SEC_CONFIG) ;
/var/lock/subsys/network -> $(SEC_CONFIG) ;
#/var/lock/subsys/nfs -> $(SEC_CONFIG) ;
/var/lock/subsys/nfslock -> $(SEC_CONFIG) ;
#/var/lock/subsys/nscd -> $(SEC_CONFIG) ;
/var/lock/subsys/ntpd -> $(SEC_CONFIG) ;
#/var/lock/subsys/ospf6d -> $(SEC_CONFIG) ;
#/var/lock/subsys/ospfd -> $(SEC_CONFIG) ;
#/var/lock/subsys/pcmcia -> $(SEC_CONFIG) ;
/var/lock/subsys/portmap -> $(SEC_CONFIG) ;
#/var/lock/subsys/postgresql -> $(SEC_CONFIG) ;
#/var/lock/subsys/pxe -> $(SEC_CONFIG) ;
#/var/lock/subsys/radvd -> $(SEC_CONFIG) ;
/var/lock/subsys/random -> $(SEC_CONFIG) ;
#/var/lock/subsys/rarpd -> $(SEC_CONFIG) ;
#/var/lock/subsys/reconfig -> $(SEC_CONFIG) ;
#/var/lock/subsys/rhnsd -> $(SEC_CONFIG) ;
#/var/lock/subsys/ripd -> $(SEC_CONFIG) ;
#/var/lock/subsys/ripngd -> $(SEC_CONFIG) ;
#/var/lock/subsys/routed -> $(SEC_CONFIG) ;
#/var/lock/subsys/rstatd -> $(SEC_CONFIG) ;
#/var/lock/subsys/rusersd -> $(SEC_CONFIG) ;
#/var/lock/subsys/rwalld -> $(SEC_CONFIG) ;
#/var/lock/subsys/rwhod -> $(SEC_CONFIG) ;
/var/lock/subsys/sendmail -> $(SEC_CONFIG) ;
#/var/lock/subsys/smb -> $(SEC_CONFIG) ;
#/var/lock/subsys/snmpd -> $(SEC_CONFIG) ;
#/var/lock/subsys/squid -> $(SEC_CONFIG) ;
/var/lock/subsys/sshd -> $(SEC_CONFIG) ;
/var/lock/subsys/syslog -> $(SEC_CONFIG) ;
#/var/lock/subsys/tux -> $(SEC_CONFIG) ;
#/var/lock/subsys/tWnn -> $(SEC_CONFIG) ;
#/var/lock/subsys/ups -> $(SEC_CONFIG) ;
#/var/lock/subsys/vncserver -> $(SEC_CONFIG) ;
#/var/lock/subsys/wine -> $(SEC_CONFIG) ;
/var/lock/subsys/xfs -> $(SEC_CONFIG) ;
/var/lock/subsys/xinetd -> $(SEC_CONFIG) ;
#/var/lock/subsys/ypbind -> $(SEC_CONFIG) ;
#/var/lock/subsys/yppasswdd -> $(SEC_CONFIG) ;
#/var/lock/subsys/ypserv -> $(SEC_CONFIG) ;
#/var/lock/subsys/ypxfrd -> $(SEC_CONFIG) ;
#/var/lock/subsys/zebra -> $(SEC_CONFIG) ;
/var/run -> $(SEC_CONFIG) ;
/var/log -> $(SEC_CONFIG) ;
#/etc/ioctl.save -> $(SEC_CONFIG) ;
/etc/issue.net -> $(SEC_CONFIG) -i ; # Inode number changes
/etc/issue -> $(SEC_CONFIG) ;
/etc/mtab -> $(SEC_CONFIG) -i ; # Inode number changes on any mount/unmount
/lib/modules -> $(SEC_CONFIG) ;
/etc/.pwd.lock -> $(SEC_CONFIG) ;
#/lib/modules/preferred -> $(SEC_CONFIG) ; #Uncomment when this file exists
}
# These files change the behavior of the root account
(
rulename = "Root config files",
severity = 100
)
{
/root -> $(SEC_CRIT) ; # Catch all additions to /root
/root/.Xresources -> $(SEC_CONFIG) ;
/root/.bashrc -> $(SEC_CONFIG) ;
/root/.bash_profile -> $(SEC_CONFIG) ;
/root/.bash_logout -> $(SEC_CONFIG) ;
/root/.cshrc -> $(SEC_CONFIG) ;
/root/.tcshrc -> $(SEC_CONFIG) ;
#/root/Mail -> $(SEC_CONFIG) ;
#/root/mail -> $(SEC_CONFIG) ;
#/root/.amandahosts -> $(SEC_CONFIG) ;
#/root/.addressbook.lu -> $(SEC_CONFIG) ;
#/root/.addressbook -> $(SEC_CONFIG) ;
/root/.bash_history -> $(SEC_CONFIG) ;
#/root/.elm -> $(SEC_CONFIG) ;
/root/.esd_auth -> $(SEC_CONFIG) ;
#/root/.gnome_private -> $(SEC_CONFIG) ;
#/root/.gnome-desktop -> $(SEC_CONFIG) ;
/root/.gnome -> $(SEC_CONFIG) ;
/root/.ICEauthority -> $(SEC_CONFIG) ;
#/root/.mc -> $(SEC_CONFIG) ;
#/root/.pinerc -> $(SEC_CONFIG) ;
#/root/.sawfish -> $(SEC_CONFIG) ;
/root/.Xauthority -> $(SEC_CONFIG) -i ; # Changes Inode number on login
#/root/.xauth -> $(SEC_CONFIG) ;
#/root/.xsession-errors -> $(SEC_CONFIG) ;
}
# Critical configuration files.
(
rulename = "Critical configuration files",
severity = $(SIG_HI)
)
{
#/etc/conf.linuxconf -> $(SEC_BIN) ; # legacy
/etc/crontab -> $(SEC_BIN) ;
/etc/cron.hourly -> $(SEC_BIN) ;
/etc/cron.daily -> $(SEC_BIN) ;
/etc/cron.weekly -> $(SEC_BIN) ;
/etc/cron.monthly -> $(SEC_BIN) ;
/etc/default -> $(SEC_BIN) ;
/etc/fstab -> $(SEC_BIN) ;
/etc/exports -> $(SEC_BIN) ;
/etc/group- -> $(SEC_BIN) ; # changes should be infrequent
/etc/host.conf -> $(SEC_BIN) ;
/etc/hosts.allow -> $(SEC_BIN) ;
/etc/hosts.deny -> $(SEC_BIN) ;
/etc/httpd/conf -> $(SEC_BIN) ; # changes should be infrequent
/etc/protocols -> $(SEC_BIN) ;
/etc/services -> $(SEC_BIN) ;
/etc/rc.d/init.d -> $(SEC_BIN) ;
/etc/rc.d -> $(SEC_BIN) ;
/etc/mail.rc -> $(SEC_BIN) ;
/etc/modules.conf -> $(SEC_BIN) ; # post 2.6 legacy
#/etc/modprobe.conf -> $(SEC_BIN) ; # include this for 2.6 kernels
/etc/motd -> $(SEC_BIN) ;
/etc/named.conf -> $(SEC_BIN) ;
/etc/passwd -> $(SEC_CONFIG) ;
/etc/passwd- -> $(SEC_CONFIG) ;
/etc/profile.d -> $(SEC_BIN) ;
/var/lib/nfs/rmtab -> $(SEC_BIN) ;
/usr/sbin/fixrmtab -> $(SEC_BIN) ;
/etc/rpc -> $(SEC_BIN) ;
/etc/sysconfig -> $(SEC_BIN) ;
/etc/samba/smb.conf -> $(SEC_CONFIG) ;
#/etc/gettydefs -> $(SEC_BIN) ;
/etc/nsswitch.conf -> $(SEC_BIN) ;
/etc/yp.conf -> $(SEC_BIN) ;
/etc/hosts -> $(SEC_CONFIG) ;
/etc/xinetd.conf -> $(SEC_CONFIG) ;
/etc/inittab -> $(SEC_CONFIG) ;
/etc/resolv.conf -> $(SEC_CONFIG) ;
/etc/syslog.conf -> $(SEC_CONFIG) ;
}
# Critical devices.
(
rulename = "Critical devices",
severity = $(SIG_HI),
recurse = false
)
{
/dev/kmem -> $(Device) ;
/dev/mem -> $(Device) ;
/dev/null -> $(Device) ;
/dev/zero -> $(Device) ;
/proc/devices -> $(Device) ;
/proc/net -> $(Device) ;
/proc/sys -> $(Device) ;
/proc/cpuinfo -> $(Device) ;
/proc/modules -> $(Device) ;
/proc/mounts -> $(Device) ;
/proc/dma -> $(Device) ;
/proc/filesystems -> $(Device) ;
/proc/pci -> $(Device) ;
/proc/interrupts -> $(Device) ;
/proc/driver/rtc -> $(Device) ;
/proc/ioports -> $(Device) ;
/proc/scsi -> $(Device) ;
/proc/kcore -> $(Device) ;
/proc/self -> $(Device) ;
/proc/kmsg -> $(Device) ;
/proc/stat -> $(Device) ;
/proc/ksyms -> $(Device) ;
/proc/loadavg -> $(Device) ;
/proc/uptime -> $(Device) ;
/proc/locks -> $(Device) ;
/proc/version -> $(Device) ;
/proc/mdstat -> $(Device) ;
/proc/meminfo -> $(Device) ;
/proc/cmdline -> $(Device) ;
/proc/misc -> $(Device) ;
}
# Rest of critical system binaries
(
rulename = "OS executables and libraries",
severity = $(SIG_HI)
)
{
/bin -> $(SEC_BIN) ;
/lib -> $(SEC_BIN) ;
}
# disabled-entries: 184
# license:
#=============================================================================
#
# Copyright 2000 Tripwire, Inc. Tripwire is a registered trademark of Tripwire,
# Inc. in the United States and other countries. All rights reserved.
#
# Linux is a registered trademark of Linus Torvalds.
#
# UNIX is a registered trademark of The Open Group.
#
#=============================================================================
#
# Permission is granted to make and distribute verbatim copies of this document
# provided the copyright notice and this permission notice are preserved on all
# copies.
#
# Permission is granted to copy and distribute modified versions of this
# document under the conditions for verbatim copying, provided that the entire
# resulting derived work is distributed under the terms of a permission notice
# identical to this one.
#
# Permission is granted to copy and distribute translations of this document
# into another language, under the above conditions for modified versions,
# except that this permission notice may be stated in a translation approved by
# Tripwire, Inc.
#
# DCM
categories
