# # Standard Debian Tripwire configuration # # # This configuration covers the contents of all 'Essential: yes' # packages along with any packages necessary for access to an internet # or system availability, e.g. name services, mail services, PCMCIA # support, RAID support, and backup/restore support. # # # Global Variable Definitions # # These definitions override those in to configuration file. Do not # change them unless you understand what you're doing. # @@section GLOBAL TWBIN = /usr/sbin; TWETC = /etc/tripwire; TWVAR = /var/lib/tripwire; # # File System Definitions # @@section FS # # First, some variables to make configuration easier # SEC_CRIT = $(IgnoreNone)-SHa ; # Critical files that cannot change SEC_BIN = $(ReadOnly) ; # Binaries that should not change SEC_CONFIG = $(Dynamic) ; # Config files that are changed infrequently but accessed often SEC_LOG = $(Growing) ; # Files that grow, but that should never change ownership SEC_INVARIANT = +tpug ; # Directories that should never change permission or ownership SIG_LOW = 33 ; # Non-critical files that are of minimal security impact SIG_MED = 66 ; # Non-critical files that are of significant security impact SIG_HI = 100 ; # Critical files that are significant points of vulnerability # # Tripwire Binaries # ( rulename = "Tripwire Binaries", severity = $(SIG_HI) ) { $(TWBIN)/siggen -> $(SEC_BIN) ; $(TWBIN)/tripwire -> $(SEC_BIN) ; $(TWBIN)/twadmin -> $(SEC_BIN) ; $(TWBIN)/twprint -> $(SEC_BIN) ; } # # Tripwire Data Files - Configuration Files, Policy Files, Keys, # Reports, Databases # # NOTE: We remove the inode attribute because when Tripwire creates a # backup, it does so by renaming the old file and creating a new one # (which will have a new inode number). Inode is left turned on for # keys, which shouldn't ever change. # NOTE: The first integrity check triggers this rule and each # integrity check afterward triggers this rule until a database update # is run, since the database file does not exist before that point. ( rulename = "Tripwire Data Files", severity = $(SIG_HI) ) { $(TWVAR)/$(HOSTNAME).twd -> $(SEC_CONFIG) -i ; $(TWETC)/tw.pol -> $(SEC_BIN) -i ; $(TWETC)/tw.cfg -> $(SEC_BIN) -i ; $(TWETC)/$(HOSTNAME)-local.key -> $(SEC_BIN) ; $(TWETC)/site.key -> $(SEC_BIN) ; #don't scan the individual reports $(TWVAR)/report -> $(SEC_CONFIG) (recurse=0) ; } # # Critical System Boot Files # These files are critical to a correct system boot. # ( rulename = "Critical system boot files", severity = $(SIG_HI) ) { /boot -> $(SEC_CRIT) ; /lib/modules -> $(SEC_CRIT) ; } ( rulename = "Boot Scripts", severity = $(SIG_HI) ) { /etc/init.d -> $(SEC_BIN) ; # /etc/rc.boot -> $(SEC_BIN) ; /etc/rcS.d -> $(SEC_BIN) ; /etc/rc0.d -> $(SEC_BIN) ; /etc/rc1.d -> $(SEC_BIN) ; /etc/rc2.d -> $(SEC_BIN) ; /etc/rc3.d -> $(SEC_BIN) ; /etc/rc4.d -> $(SEC_BIN) ; /etc/rc5.d -> $(SEC_BIN) ; /etc/rc6.d -> $(SEC_BIN) ; } # # Critical executables # ( rulename = "Root file-system executables", severity = $(SIG_HI) ) { /bin -> $(SEC_BIN) ; /sbin -> $(SEC_BIN) ; } # # Critical Libraries # ( rulename = "Root file-system libraries", severity = $(SIG_HI) ) { /lib -> $(SEC_BIN) ; } # # Login and Privilege Raising Programs # ( rulename = "Security Control", severity = $(SIG_MED) ) { /etc/passwd -> $(SEC_CONFIG) ; /etc/shadow -> $(SEC_CONFIG) ; } # # These files change every time the system boots # ( rulename = "System boot changes", severity = $(SIG_HI) ) { /var/lock -> $(SEC_CONFIG) ; /var/run -> $(SEC_CONFIG) ; # daemon PIDs /var/log -> $(SEC_CONFIG) ; } # These files change the behavior of the root account ( rulename = "Root config files", severity = 100, ) { /root -> $(SEC_CRIT) ; # Catch all additions to /root # /root/mail -> $(SEC_CONFIG) ; # /root/Mail -> $(SEC_CONFIG) ; # /root/.xsession-errors -> $(SEC_CONFIG) ; # /root/.xauth -> $(SEC_CONFIG) ; # /root/.tcshrc -> $(SEC_CONFIG) ; # /root/.sawfish -> $(SEC_CONFIG) ; # /root/.pinerc -> $(SEC_CONFIG) ; # /root/.mc -> $(SEC_CONFIG) ; /root/.gnome_private -> $(SEC_CONFIG) ; /root/.gnome -> $(SEC_CONFIG) ; # /root/.esd_auth -> $(SEC_CONFIG) ; # /root/.elm -> $(SEC_CONFIG) ; # /root/.cshrc -> $(SEC_CONFIG) ; /root/.bashrc -> $(SEC_CONFIG) ; # /root/.bash_profile -> $(SEC_CONFIG) ; # /root/.bash_logout -> $(SEC_CONFIG) ; /root/.bash_history -> $(SEC_CONFIG) ; # /root/.amandahosts -> $(SEC_CONFIG) ; # /root/.addressbook.lu -> $(SEC_CONFIG) ; # /root/.addressbook -> $(SEC_CONFIG) ; # /root/.Xresources -> $(SEC_CONFIG) ; /root/.Xauthority -> $(SEC_CONFIG) -i ; # Changes Inode number on login /root/.ICEauthority -> $(SEC_CONFIG) ; } # # Critical devices # ( rulename = "Devices & Kernel information", severity = $(SIG_HI), ) { /dev -> $(Device) ; /proc -> $(Device) ; } # # Other configuration files # ( rulename = "Other configuration files", severity = $(SIG_MED) ) { /etc -> $(SEC_BIN) ; } # # Binaries # ( rulename = "Other binaries", severity = $(SIG_MED) ) { /usr/local/sbin -> $(SEC_BIN) ; /usr/local/bin -> $(SEC_BIN) ; /usr/sbin -> $(SEC_BIN) ; /usr/bin -> $(SEC_BIN) ; } # # Libraries # ( rulename = "Other libraries", severity = $(SIG_MED) ) { /usr/local/lib -> $(SEC_BIN) ; /usr/lib -> $(SEC_BIN) ; } # # Commonly accessed directories that should remain static with regards # to owner and group # ( rulename = "Invariant Directories", severity = $(SIG_MED) ) { / -> $(SEC_INVARIANT) (recurse = 0) ; /home -> $(SEC_INVARIANT) (recurse = 0) ; /tmp -> $(SEC_INVARIANT) (recurse = 0) ; /usr -> $(SEC_INVARIANT) (recurse = 0) ; /var -> $(SEC_INVARIANT) (recurse = 0) ; /var/tmp -> $(SEC_INVARIANT) (recurse = 0) ; }