Checksum verification with tripwire 2.x
After tripwire has been installed and configured, a database must be created. This database records what the system looks like right now. Later, tripwire runs can be performed that compare the file system against the database. That way it is possible to find out whether any files have been changed, and which files have been changed.
The configuration and the database are signed/encrypted with a cryptographic key. Asymmetric encryption with a public and a secret key is used for this.
The configuration and the policy settings are signed with the site key. The database is signed with the local key.
tripwire 2.x is available as a ready-made package for several Linux distributions, e.g. Ubuntu, RedHat, CentOS and others. Once the package is installed, the configuration settings are in the file /etc/tripwire/twcfg.txt and the policy settings in /etc/tripwire/twpol.txt . The package installation usually also asks you to create a site key and a local key, and it creates the remaining files and signs them.
If you build and install from source yourself, you will have to create the site key and the local key. In addition, a configuration file is created from twcfg.txt and a policy file from twpol.txt. These are signed with the site passphrase/site key. If you have built from source and installed, you also need to run:
tripwire --init
For more information on configuration and policy settings, see below.
Main configuration
The main configuration is in /etc/tripwire/twcfg.txt. Note that tripwire distinguishes between upper and lower case in the configuration. Example configuration:
# Configuration for tripwire
ROOT =/usr/sbin
POLFILE =/etc/tripwire/tw.pol
DBFILE =/var/lib/tripwire/$(HOSTNAME).twd
REPORTFILE =/var/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
SITEKEYFILE =/etc/tripwire/site.key
LOCALKEYFILE =/etc/tripwire/$(HOSTNAME)-local.key
EDITOR =/bin/vi
LATEPROMPTING =false
LOOSEDIRECTORYCHECKING =false
MAILNOVIOLATIONS =true
EMAILREPORTLEVEL =3
REPORTLEVEL =3
MAILMETHOD =SENDMAIL
SYSLOGREPORTING =false
MAILPROGRAM =/usr/sbin/sendmail -oi -t
- POLFILE tells where the policy file is.
- DBFILE tells where the database file is and what it is called.
- REPORTFILE tells which file reports are written to.
- SITEKEYFILE tells where the site key is.
- LOCALKEYFILE tells where the local key is.
- EDITOR tells which editor is used for interactive runs.
- LATEPROMPTING, if true, means that tripwire waits as long as it can before asking for the passphrase. The passphrase will thereby be in main memory for a shorter time.
- LOOSEDIRECTORYCHECKING means, if set to true, that tripwire does not report a change for a directory when a file is created or deleted in that directory. If set to false, tripwire reports a change both for the file and for the directory.
- MAILNOVIOLATIONS, if set to true, means that mail is sent even when there are no changes to report. This setting lets you see that the run was performed and went well.
- EMAILREPORTLEVEL specifies the default level for e-mail reports created in tripwire --check mode with the email report option.
- REPORTLEVEL specifies the default level for reports created with: twprint --print-report
- MAILMETHOD can be SMTP or SENDMAIL.
- SMTP sends all e-mail to a given mail server and port, SMTPHOST and SMTPPORT.
- SENDMAIL uses a local program to send the mail.
- MAILPROGRAM specifies which mail program is used, including any flags and arguments. The mail program must understand RFC822 headers.
- SYSLOGREPORTING tells whether logging is done via syslog.
When changes to the configuration have been made in /etc/tripwire/twcfg.txt, the following command line must be run:
twadmin --create-cfgfile -S site.key twcfg.txt
where site.key is your site key.
Policy settings
The policy settings tell tripwire which files and directories to look at, and which properties to check for each of those files and directories. Some examples of things to check are access time, the number of data blocks a file uses, inode number, owner, group, permissions, size, checksum of the file contents, etc.
A policy rule is written as:
file -> properties-to-check;
Example:
/etc/fil -> +pingumsM;
There may be only one rule line per file or directory. Note that there must be a space between the file name and the minus sign of the arrow, and another one after the >. It is also important to end every rule line with a semicolon. File and directory names must always be full paths. Shell environment variables may not be used.
The properties to check are written as +property. The properties not to check are written as -property. An omitted sign is interpreted as a + in front of the property: property and +property are the same thing.
The different properties are:
- a when the file was last accessed.
- b number of data blocks for the file's contents.
- c the inode's change time.
- d ID of the device the inode is on.
- g the file's group.
- i the inode number.
- l used for files that grow in size, such as log files.
- m when the file was last modified.
- n number of links to the inode (number of names for the file).
- p the file's permissions.
- r ID of the device the inode points to.
- s the file's size.
- t file type (file/directory/symbolic link/device file etc.).
- u which user owns the file.
- C checksum: CRC-32
- H checksum: Haval
- M checksum: MD5
- S checksum: SHA
To check owner, group, permissions, size and MD5 checksum of a file, the rule becomes: /path/to/file -> +ugpsM;
tripwire has a number of built-in variables:
- ReadOnly is the same as +pinugtsdbmCM-rlacSH (suitable for files that should not change).
- Dynamic is the same as +pinugtd-srlbamcCMSH (suitable for files that change often).
- Growing is the same as +pinugtdl-srbamcCMSH (suitable for log files).
- Device is the same as +pugsdr-intlbamcCMSH (suitable for device files).
- IgnoreAll is the same as -pinugtsdrlbamcCMS (only checks that a file exists).
- IgnoreNone is the same as +pinugtsdrbamcCMSH-l (checks everything except whether the file grows).
A variable is referenced as $(name) and can be combined with further properties, e.g. $(IgnoreNone)-aCHS
Files can be excluded using ! . Example:
/etc -> $(ReadOnly);
!/etc/rc.d;
!/etc/foo;
Checks all files and directories in /etc except /etc/rc.d and /etc/foo.
Rules can have attributes. Examples are giving one or more rules a name, specifying an e-mail address, specifying how serious changes are to be considered, and whether and how deep tripwire should recurse into subdirectories (descend the file tree).
For a single rule, write: /file -> properties (attribute, attribute, attribute);
For several rules that share the same attributes, write:
(attribute, attribute) { /file -> properties; /otherfile -> properties; }
The available attributes are:
- rulename gives one or more rules a name. The name appears in the report file. (rulename=name)
- emailto an e-mail address to which reports are sent if a change has occurred for these rules. (emailto="admin@foo.com;admin2@foo.com")
- severity specifies how serious a change to the rules in this rule group is considered. The lowest severity is 0 and the highest is 1000000. (severity=50)
- recurse specifies whether and how deep tripwire should recurse into a file tree. false or 0 means tripwire does not descend into subdirectories. true or -1 means tripwire descends into the entire file tree below the subdirectories. A number up to 1000000 specifies how deep tripwire goes: recurse=2 means 2 levels down the file tree. (recurse=2)
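The rule syntax, property masks, built-in variables, exclusions and attributes described in the sections above, implemented as a small parser that expands each rule into the set of properties tripwire would check. This is an added example, not tripwire's own code; the built-in variable definitions are copied from the list above, the sample policy at the end is constructed, and the one-rule-per-path and severity-range checks implement what the text states.

```python
"""Parser for the tripwire 2.x policy syntax described above (added example, not tripwire's code)."""
import re
from collections import namedtuple

PROPERTIES = set("abcdgilmnprstuCHMS")      # the property letters listed on the page
BUILTIN = {"ReadOnly": "+pinugtsdbmCM-rlacSH", "Dynamic": "+pinugtd-srlbamcCMSH",   # the built-in
           "Growing": "+pinugtdl-srbamcCMSH", "Device": "+pugsdr-intlbamcCMSH",     # variables as
           "IgnoreAll": "-pinugtsdrlbamcCMS", "IgnoreNone": "+pinugtsdrbamcCMSH-l"}  # the page lists them
# tokens: whitespace, comment, arrow, punctuation, quoted string, word (path, mask, number, $(var))
TOKEN_RE = re.compile(r"""\s+ | \#[^\n]* | -> | [(){};=!,] | "[^"]*" | (?:\$\(\w+\)|[^\s(){};=!,"])+""", re.X)
Rule = namedtuple("Rule", "path checked attrs excluded")   # checked: frozenset of property letters

def substitute(s, variables):
    """Replace every $(name) with its value, repeating so that nested references resolve."""
    while "$(" in s:                        # an undefined name raises KeyError
        s = re.sub(r"\$\((\w+)\)", lambda m: variables[m.group(1)], s)
    return s

def expand_mask(mask, variables=None):
    """'+' enables and '-' disables the letters that follow, left to right; a bare letter counts as '+'."""
    checked, sign = set(), "+"
    for ch in substitute(mask, {**BUILTIN, **(variables or {})}):
        if ch in "+-":
            sign = ch
        elif ch in PROPERTIES:
            (checked.add if sign == "+" else checked.discard)(ch)
        else:
            raise ValueError(f"unknown property {ch!r} in mask {mask!r}")
    return frozenset(checked)

def attr_value(key, raw):
    """severity: 0..1000000; recurse: true (-1), false (0) or a depth; emailto: ';'-separated list."""
    raw = {"true": "-1", "false": "0"}.get(raw.lower(), raw.strip('"'))
    if key == "severity" and not 0 <= int(raw) <= 1000000:
        raise ValueError(f"severity {raw} outside 0..1000000")
    if key in ("severity", "recurse"):
        return int(raw)
    return [a for a in raw.split(";") if a] if key == "emailto" else raw

class PolicyParser:
    def __init__(self, text):
        self.toks = [t for t in TOKEN_RE.findall(text) if not t.isspace() and not t.startswith("#")]
        self.i, self.vars, self.rules = 0, dict(BUILTIN), []
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None
    def take(self, expect=None):
        tok = self.peek()
        if tok is None or expect not in (None, tok):
            raise ValueError(f"expected {expect or 'a token'}, got {tok!r} (missing ';' or '}}'?)")
        self.i += 1
        return tok
    def attrs(self):                        # key = value, key = value )   the '(' is already taken
        out = {}
        while True:
            key = self.take()
            self.take("=")
            out[key] = attr_value(key, substitute(self.take(), self.vars))
            if self.take() == ")":          # otherwise ',' separates the next attribute
                return out
    def add(self, path, mask, attrs, excluded=False):
        path = substitute(path, self.vars)
        if any(r.path == path for r in self.rules):     # the page: only one rule line per path
            raise ValueError(f"duplicate rule for {path}")
        self.rules.append(Rule(path, expand_mask(mask, self.vars), attrs, excluded))
    def statement(self, inherited):
        tok = self.take()
        if tok == "@@section":              # @@section GLOBAL / FS: ignored here
            self.take()
        elif tok == "(":                    # (attrs) { rule ; rule ; } share the attributes
            attrs = {**inherited, **self.attrs()}
            self.take("{")
            while self.peek() != "}":
                self.statement(attrs)
            self.take("}")
        elif tok == "!":                    # !/path ;  excludes the path (empty mask)
            self.add(self.take(), "", dict(inherited), True)
            self.take(";")
        else:
            op = self.take()
            if op == "=":                   # NAME = value ;  defines a variable
                self.vars[tok] = substitute(self.take(), self.vars)
            elif op == "->":                # /path -> mask (attrs) ;  one rule
                mask, attrs = self.take(), dict(inherited)
                if self.peek() == "(":
                    self.take()
                    attrs.update(self.attrs())
                self.add(tok, mask, attrs)
            else:                           # e.g. "/etc/fil->+p" written without spaces
                raise ValueError(f"unexpected {op!r} after {tok!r}")
            self.take(";")
    def parse(self):
        while self.peek() is not None:
            self.statement({})
        return self.rules

SAMPLE_POLICY = r"""SEC_CRIT = $(IgnoreNone)-SHa ;   # constructed sample policy
( rulename = "Security Control", severity = 100, emailto = "admin@foo.com;admin2@foo.com" )
{ /etc/passwd -> $(SEC_CRIT) ; /etc -> $(ReadOnly) (recurse = 2) ; !/etc/rc.d ; }
/var/log/messages -> $(Growing) (rulename = "Logs", severity = 50) ;
/sbin -> +ugpsM ; """
```

PolicyParser(SAMPLE_POLICY).parse() returns five Rule entries; the exclusion carries an empty property set and the rules inside the braces inherit the group's rulename, severity and emailto.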
Example policy file (twpol.txt)
##############################################################################
# Tripwire 2.4 policy for Linux (RPM)
# updated March 2018
##############################################################################
#
# This is the example Tripwire Policy file. It is intended as a place to
# start creating your own custom Tripwire Policy file. Referring to it as
# well as the Tripwire Policy Guide should give you enough information to
# make a good custom Tripwire Policy file that better covers your
# configuration and security needs. A text version of this policy file is
# called twpol.txt.
#
# Note that this file is tuned to an 'everything' install of Red Hat Linux.
# If run unmodified, this file should create no errors on database
# creation, or violations on a subsequent integrity check. However, it is
# impossible for there to be one policy file for all machines, so this
# existing one errs on the side of security. Your Linux configuration will
# most likely differ from the one our policy file was tuned to, and will
# therefore require some editing of the default Tripwire Policy file.
#
# The example policy file is best run with 'Loose Directory Checking'
# enabled. Set LOOSEDIRECTORYCHECKING=TRUE in the Tripwire Configuration
# file.
#
# Email support is not included and must be added to this file.
# Add the 'emailto=' to the rule directive section of each rule (add a comma
# after the 'severity=' line and add an 'emailto=' and include the email
# addresses you want the violation reports to go to). Addresses are
# semi-colon delimited.
##############################################################################

##############################################################################
# Global Variable Definitions
#
# These are defined at install time by the installation script. You may
# manually edit these if you are using this file directly and not from the
# installation script itself.
##############################################################################

@@section GLOBAL
TWROOT=/usr/sbin;
TWBIN=/usr/sbin;
TWPOL="/etc/tripwire";
TWDB="/var/lib/tripwire";
TWSKEY="/etc/tripwire";
TWLKEY="/etc/tripwire";
TWREPORT="/var/lib/tripwire/report";
HOSTNAME=localhost;

@@section FS
SEC_CRIT      = $(IgnoreNone)-SHa ;  # Critical files that cannot change
SEC_SUID      = $(IgnoreNone)-SHa ;  # Binaries with the SUID or SGID flags set
SEC_BIN       = $(ReadOnly) ;        # Binaries that should not change
SEC_CONFIG    = $(Dynamic) ;         # Config files that are changed infrequently but accessed often
SEC_LOG       = $(Growing) ;         # Files that grow, but that should never change ownership
SEC_INVARIANT = +tpug ;              # Directories that should never change permission or ownership
SIG_LOW       = 33 ;                 # Non-critical files that are of minimal security impact
SIG_MED       = 66 ;                 # Non-critical files that are of significant security impact
SIG_HI        = 100 ;                # Critical files that are significant points of vulnerability

# Tripwire Binaries
( rulename = "Tripwire Binaries", severity = $(SIG_HI) )
{
  $(TWBIN)/siggen   -> $(SEC_BIN) ;
  $(TWBIN)/tripwire -> $(SEC_BIN) ;
  $(TWBIN)/twadmin  -> $(SEC_BIN) ;
  $(TWBIN)/twprint  -> $(SEC_BIN) ;
}

# Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases
( rulename = "Tripwire Data Files", severity = $(SIG_HI) )
{
  # NOTE: We remove the inode attribute because when Tripwire creates a backup,
  # it does so by renaming the old file and creating a new one (which will
  # have a new inode number). Inode is left turned on for keys, which shouldn't
  # ever change.
  # NOTE: The first integrity check triggers this rule and each integrity check
  # afterward triggers this rule until a database update is run, since the
  # database file does not exist before that point.
  $(TWDB)                           -> $(SEC_CONFIG) -i ;
  $(TWPOL)/tw.pol                   -> $(SEC_BIN) -i ;
  $(TWPOL)/tw.cfg                   -> $(SEC_BIN) -i ;
  $(TWLKEY)/$(HOSTNAME)-local.key   -> $(SEC_BIN) ;
  $(TWSKEY)/site.key                -> $(SEC_BIN) ;
  # don't scan the individual reports
  $(TWREPORT)                       -> $(SEC_CONFIG) (recurse=0) ;
}

# Tripwire HQ Connector Binaries
#( rulename = "Tripwire HQ Connector Binaries", severity = $(SIG_HI) )
#{
#  $(TWBIN)/hqagent -> $(SEC_BIN) ;
#}

# Tripwire HQ Connector - Configuration Files, Keys, and Logs
##############################################################################
# Note: File locations here are different than in a stock HQ Connector
# installation. This is because Tripwire 2.3 uses a different path
# structure than Tripwire 2.2.1.
#
# You may need to update your HQ Agent configuration file (or this policy
# file) to correct the paths. We have attempted to support the FHS standard
# here by placing the HQ Agent files similarly to the way Tripwire 2.3
# places them.
##############################################################################
#( rulename = "Tripwire HQ Connector Data Files", severity = $(SIG_HI) )
#{
#  # NOTE: Removing the inode attribute because when Tripwire creates a backup
#  # it does so by renaming the old file and creating a new one (which will
#  # have a new inode number). Leaving inode turned on for keys, which
#  # shouldn't ever change.
#  $(TWBIN)/agent.cfg            -> $(SEC_BIN) -i ;
#  $(TWLKEY)/authentication.key  -> $(SEC_BIN) ;
#  $(TWDB)/tasks.dat             -> $(SEC_CONFIG) ;
#  $(TWDB)/schedule.dat          -> $(SEC_CONFIG) ;
#  # Uncomment if you have agent logging enabled.
#  #/var/log/tripwire/agent.log  -> $(SEC_LOG) ;
#}

# Commonly accessed directories that should remain static with regards to owner and group
( rulename = "Invariant Directories", severity = $(SIG_MED) )
{
  /     -> $(SEC_INVARIANT) (recurse = 0) ;
  /home -> $(SEC_INVARIANT) (recurse = 0) ;
  /etc  -> $(SEC_INVARIANT) (recurse = 0) ;
}

################################################
# File System and Disk Administration Programs
################################################
( rulename = "File System and Disk Administraton Programs", severity = $(SIG_HI) )
{
  /sbin/accton            -> $(SEC_CRIT) ;
  /sbin/badblocks         -> $(SEC_CRIT) ;
  /sbin/busybox           -> $(SEC_CRIT) ;
  /sbin/busybox.anaconda  -> $(SEC_CRIT) ;
  /sbin/convertquota      -> $(SEC_CRIT) ;
  /sbin/dosfsck           -> $(SEC_CRIT) ;
  /sbin/debugfs           -> $(SEC_CRIT) ;
  /sbin/debugreiserfs     -> $(SEC_CRIT) ;
  /sbin/dumpe2fs          -> $(SEC_CRIT) ;
  /sbin/dump              -> $(SEC_CRIT) ;
  /sbin/dump.static       -> $(SEC_CRIT) ;
  # /sbin/e2fsadm         -> $(SEC_CRIT) ; tune2fs?
  /sbin/e2fsck            -> $(SEC_CRIT) ;
  /sbin/e2label           -> $(SEC_CRIT) ;
  /sbin/fdisk             -> $(SEC_CRIT) ;
  /sbin/fsck              -> $(SEC_CRIT) ;
  /sbin/fsck.ext2         -> $(SEC_CRIT) ;
  /sbin/fsck.ext3         -> $(SEC_CRIT) ;
  /sbin/fsck.minix        -> $(SEC_CRIT) ;
  /sbin/fsck.msdos        -> $(SEC_CRIT) ;
  /sbin/fsck.vfat         -> $(SEC_CRIT) ;
  /sbin/ftl_check         -> $(SEC_CRIT) ;
  /sbin/ftl_format        -> $(SEC_CRIT) ;
  /sbin/hdparm            -> $(SEC_CRIT) ;
  #/sbin/lvchange         -> $(SEC_CRIT) ;
  #/sbin/lvcreate         -> $(SEC_CRIT) ;
  #/sbin/lvdisplay        -> $(SEC_CRIT) ;
  #/sbin/lvextend         -> $(SEC_CRIT) ;
  #/sbin/lvmchange        -> $(SEC_CRIT) ;
  #/sbin/lvmcreate_initrd -> $(SEC_CRIT) ;
  #/sbin/lvmdiskscan      -> $(SEC_CRIT) ;
  #/sbin/lvmsadc          -> $(SEC_CRIT) ;
  #/sbin/lvmsar           -> $(SEC_CRIT) ;
  #/sbin/lvreduce         -> $(SEC_CRIT) ;
  #/sbin/lvremove         -> $(SEC_CRIT) ;
  #/sbin/lvrename         -> $(SEC_CRIT) ;
  #/sbin/lvscan           -> $(SEC_CRIT) ;
  /sbin/mkbootdisk        -> $(SEC_CRIT) ;
  /sbin/mkdosfs           -> $(SEC_CRIT) ;
  /sbin/mke2fs            -> $(SEC_CRIT) ;
  /sbin/mkfs              -> $(SEC_CRIT) ;
  /sbin/mkfs.bfs          -> $(SEC_CRIT) ;
  /sbin/mkfs.ext2         -> $(SEC_CRIT) ;
  /sbin/mkfs.minix        -> $(SEC_CRIT) ;
  /sbin/mkfs.msdos        -> $(SEC_CRIT) ;
  /sbin/mkfs.vfat         -> $(SEC_CRIT) ;
  /sbin/mkinitrd          -> $(SEC_CRIT) ;
  /sbin/mkpv              -> $(SEC_CRIT) ;
  /sbin/mkraid            -> $(SEC_CRIT) ;
  /sbin/mkreiserfs        -> $(SEC_CRIT) ;
  /sbin/mkswap            -> $(SEC_CRIT) ;
  #/sbin/mtx              -> $(SEC_CRIT) ;
  /sbin/pam_console_apply -> $(SEC_CRIT) ;
  /sbin/parted            -> $(SEC_CRIT) ;
  /sbin/pcinitrd          -> $(SEC_CRIT) ;
  #/sbin/pvchange         -> $(SEC_CRIT) ;
  #/sbin/pvcreate         -> $(SEC_CRIT) ;
  #/sbin/pvdata           -> $(SEC_CRIT) ;
  #/sbin/pvdisplay        -> $(SEC_CRIT) ;
  #/sbin/pvmove           -> $(SEC_CRIT) ;
  #/sbin/pvscan           -> $(SEC_CRIT) ;
  /sbin/quotacheck        -> $(SEC_CRIT) ;
  /sbin/quotaon           -> $(SEC_CRIT) ;
  /sbin/raidstart         -> $(SEC_CRIT) ;
  /sbin/reiserfsck        -> $(SEC_CRIT) ;
  /sbin/resize2fs         -> $(SEC_CRIT) ;
  /sbin/resize_reiserfs   -> $(SEC_CRIT) ;
  /sbin/restore           -> $(SEC_CRIT) ;
  /sbin/restore.static    -> $(SEC_CRIT) ;
  /sbin/scsi_info         -> $(SEC_CRIT) ;
  /sbin/sfdisk            -> $(SEC_CRIT) ;
  /sbin/stinit            -> $(SEC_CRIT) ;
  #/sbin/tapeinfo         -> $(SEC_CRIT) ;
  /sbin/tune2fs           -> $(SEC_CRIT) ;
  /sbin/unpack            -> $(SEC_CRIT) ;
  /sbin/update            -> $(SEC_CRIT) ;
  #/sbin/vgcfgbackup      -> $(SEC_CRIT) ;
  #/sbin/vgcfgrestore     -> $(SEC_CRIT) ;
  #/sbin/vgchange         -> $(SEC_CRIT) ;
  #/sbin/vgck             -> $(SEC_CRIT) ;
  #/sbin/vgcreate         -> $(SEC_CRIT) ;
  #/sbin/vgdisplay        -> $(SEC_CRIT) ;
  #/sbin/vgexport         -> $(SEC_CRIT) ;
  #/sbin/vgextend         -> $(SEC_CRIT) ;
  #/sbin/vgimport         -> $(SEC_CRIT) ;
  #/sbin/vgmerge          -> $(SEC_CRIT) ;
  #/sbin/vgmknodes        -> $(SEC_CRIT) ;
  #/sbin/vgreduce         -> $(SEC_CRIT) ;
  #/sbin/vgremove         -> $(SEC_CRIT) ;
  #/sbin/vgrename         -> $(SEC_CRIT) ;
  #/sbin/vgscan           -> $(SEC_CRIT) ;
  #/sbin/vgsplit          -> $(SEC_CRIT) ;
  /bin/chgrp              -> $(SEC_CRIT) ;
  /bin/chmod              -> $(SEC_CRIT) ;
  /bin/chown              -> $(SEC_CRIT) ;
  /bin/cp                 -> $(SEC_CRIT) ;
  /bin/cpio               -> $(SEC_CRIT) ;
  /bin/mount              -> $(SEC_CRIT) ;
  /bin/umount             -> $(SEC_CRIT) ;
  /bin/mkdir              -> $(SEC_CRIT) ;
  /bin/mknod              -> $(SEC_CRIT) ;
  /bin/mktemp             -> $(SEC_CRIT) ;
  /bin/rm                 -> $(SEC_CRIT) ;
  /bin/rmdir              -> $(SEC_CRIT) ;
  /bin/touch              -> $(SEC_CRIT) ;
}

##################################
# Kernel Administration Programs
##################################
( rulename = "Kernel Administration Programs", severity = $(SIG_HI) )
{
  /sbin/adjtimex              -> $(SEC_CRIT) ;
  /sbin/ctrlaltdel            -> $(SEC_CRIT) ;
  /sbin/depmod                -> $(SEC_CRIT) ;
  /sbin/insmod                -> $(SEC_CRIT) ;
  /sbin/insmod.static         -> $(SEC_CRIT) ;
  /sbin/insmod_ksymoops_clean -> $(SEC_CRIT) ;
  /sbin/klogd                 -> $(SEC_CRIT) ;
  /sbin/ldconfig              -> $(SEC_CRIT) ;
  /sbin/minilogd              -> $(SEC_CRIT) ;
  /sbin/modinfo               -> $(SEC_CRIT) ;
  /sbin/nuactlun              -> $(SEC_CRIT) ;
  /sbin/nuscsitcpd            -> $(SEC_CRIT) ;
  /sbin/pivot_root            -> $(SEC_CRIT) ;
  /sbin/sndconfig             -> $(SEC_CRIT) ;
  /sbin/sysctl                -> $(SEC_CRIT) ;
}

#######################
# Networking Programs
#######################
( rulename = "Networking Programs", severity = $(SIG_HI) )
{
  /etc/sysconfig/network-scripts/ifdown                -> $(SEC_CRIT) ;
  /etc/sysconfig/network-scripts/ifdown-cipcb          -> $(SEC_CRIT) ;
  /etc/sysconfig/network-scripts/ifdown-ippp           -> $(SEC_CRIT) ;
  /etc/sysconfig/network-scripts/ifdown-ipv6           -> $(SEC_CRIT) ;
  /etc/sysconfig/network-scripts/ifdown-isdn           -> $(SEC_CRIT) ;
  /etc/sysconfig/network-scripts/ifdown-post           -> $(SEC_CRIT) ;
  /etc/sysconfig/network-scripts/ifdown-ppp            -> $(SEC_CRIT) ;
  /etc/sysconfig/network-scripts/ifdown-sit            -> $(SEC_CRIT) ;
  /etc/sysconfig/network-scripts/ifdown-sl             -> $(SEC_CRIT) ;
  /etc/sysconfig/network-scripts/ifup                  -> $(SEC_CRIT) ;
  /etc/sysconfig/network-scripts/ifup-aliases          -> $(SEC_CRIT) ;
  /etc/sysconfig/network-scripts/ifup-cipcb            -> $(SEC_CRIT) ;
  /etc/sysconfig/network-scripts/ifup-ippp             -> $(SEC_CRIT) ;
  /etc/sysconfig/network-scripts/ifup-ipv6             -> $(SEC_CRIT) ;
  /etc/sysconfig/network-scripts/ifup-isdn             -> $(SEC_CRIT) ;
  /etc/sysconfig/network-scripts/ifup-plip             -> $(SEC_CRIT) ;
  /etc/sysconfig/network-scripts/ifup-plusb            -> $(SEC_CRIT) ;
  /etc/sysconfig/network-scripts/ifup-post             -> $(SEC_CRIT) ;
  /etc/sysconfig/network-scripts/ifup-ppp              -> $(SEC_CRIT) ;
  /etc/sysconfig/network-scripts/ifup-routes           -> $(SEC_CRIT) ;
  /etc/sysconfig/network-scripts/ifup-sit              -> $(SEC_CRIT) ;
  /etc/sysconfig/network-scripts/ifup-sl               -> $(SEC_CRIT) ;
  /etc/sysconfig/network-scripts/ifup-wireless         -> $(SEC_CRIT) ;
  /etc/sysconfig/network-scripts/network-functions     -> $(SEC_CRIT) ;
  /etc/sysconfig/network-scripts/network-functions-ipv6 -> $(SEC_CRIT) ;
  /bin/ping               -> $(SEC_CRIT) ;
  /sbin/agetty            -> $(SEC_CRIT) ;
  /sbin/arp               -> $(SEC_CRIT) ;
  /sbin/arping            -> $(SEC_CRIT) ;
  /sbin/dhcpcd            -> $(SEC_CRIT) ;
  /sbin/ether-wake        -> $(SEC_CRIT) ;
  #/sbin/getty            -> $(SEC_CRIT) ;
  /sbin/ifcfg             -> $(SEC_CRIT) ;
  /sbin/ifconfig          -> $(SEC_CRIT) ;
  /sbin/ifdown            -> $(SEC_CRIT) ;
  /sbin/ifenslave         -> $(SEC_CRIT) ;
  /sbin/ifport            -> $(SEC_CRIT) ;
  /sbin/ifup              -> $(SEC_CRIT) ;
  /sbin/ifuser            -> $(SEC_CRIT) ;
  /sbin/ip                -> $(SEC_CRIT) ;
  /sbin/ip6tables         -> $(SEC_CRIT) ;
  /sbin/ipchains          -> $(SEC_CRIT) ;
  /sbin/ipchains-restore  -> $(SEC_CRIT) ;
  /sbin/ipchains-save     -> $(SEC_CRIT) ;
  /sbin/ipfwadm           -> $(SEC_CRIT) ;
  /sbin/ipmaddr           -> $(SEC_CRIT) ;
  /sbin/iptables          -> $(SEC_CRIT) ;
  /sbin/iptables-restore  -> $(SEC_CRIT) ;
  /sbin/iptables-save     -> $(SEC_CRIT) ;
  /sbin/iptunnel          -> $(SEC_CRIT) ;
  /sbin/ipvsadm           -> $(SEC_CRIT) ;
  /sbin/ipvsadm-restore   -> $(SEC_CRIT) ;
  /sbin/ipvsadm-save      -> $(SEC_CRIT) ;
  /sbin/ipx_configure     -> $(SEC_CRIT) ;
  /sbin/ipx_interface     -> $(SEC_CRIT) ;
  /sbin/ipx_internal_net  -> $(SEC_CRIT) ;
  /sbin/iwconfig          -> $(SEC_CRIT) ;
  /sbin/iwgetid           -> $(SEC_CRIT) ;
  /sbin/iwlist            -> $(SEC_CRIT) ;
  /sbin/iwpriv            -> $(SEC_CRIT) ;
  /sbin/iwspy             -> $(SEC_CRIT) ;
  /sbin/mgetty            -> $(SEC_CRIT) ;
  /sbin/mingetty          -> $(SEC_CRIT) ;
  /sbin/nameif            -> $(SEC_CRIT) ;
  /sbin/netreport         -> $(SEC_CRIT) ;
  /sbin/plipconfig        -> $(SEC_CRIT) ;
  /sbin/portmap           -> $(SEC_CRIT) ;
  /sbin/ppp-watch         -> $(SEC_CRIT) ;
  #/sbin/rarp             -> $(SEC_CRIT) ;
  /sbin/route             -> $(SEC_CRIT) ;
  /sbin/slattach          -> $(SEC_CRIT) ;
  /sbin/tc                -> $(SEC_CRIT) ;
  #/sbin/uugetty          -> $(SEC_CRIT) ;
  /sbin/vgetty            -> $(SEC_CRIT) ;
  /sbin/ypbind            -> $(SEC_CRIT) ;
}

##################################
# System Administration Programs
##################################
( rulename = "System Administration Programs", severity = $(SIG_HI) )
{
  /sbin/chkconfig     -> $(SEC_CRIT) ;
  /sbin/fuser         -> $(SEC_CRIT) ;
  /sbin/halt          -> $(SEC_CRIT) ;
  /sbin/init          -> $(SEC_CRIT) ;
  /sbin/initlog       -> $(SEC_CRIT) ;
  /sbin/install-info  -> $(SEC_CRIT) ;
  /sbin/killall5      -> $(SEC_CRIT) ;
  /sbin/linuxconf     -> $(SEC_CRIT) ;
  /sbin/linuxconf-auth -> $(SEC_CRIT) ;
  /sbin/pam_tally     -> $(SEC_CRIT) ;
  /sbin/pwdb_chkpwd   -> $(SEC_CRIT) ;
  /sbin/remadmin      -> $(SEC_CRIT) ;
  /sbin/rescuept      -> $(SEC_CRIT) ;
  /sbin/rmt           -> $(SEC_CRIT) ;
  /sbin/rpc.lockd     -> $(SEC_CRIT) ;
  /sbin/rpc.statd     -> $(SEC_CRIT) ;
  /sbin/rpcdebug      -> $(SEC_CRIT) ;
  /sbin/service       -> $(SEC_CRIT) ;
  /sbin/setsysfont    -> $(SEC_CRIT) ;
  /sbin/shutdown      -> $(SEC_CRIT) ;
  /sbin/sulogin       -> $(SEC_CRIT) ;
  /sbin/swapon        -> $(SEC_CRIT) ;
  /sbin/syslogd       -> $(SEC_CRIT) ;
  /sbin/unix_chkpwd   -> $(SEC_CRIT) ;
  /bin/pwd            -> $(SEC_CRIT) ;
  /bin/uname          -> $(SEC_CRIT) ;
}

########################################
# Hardware and Device Control Programs
########################################
( rulename = "Hardware and Device Control Programs", severity = $(SIG_HI) )
{
  /bin/setserial  -> $(SEC_CRIT) ;
  /bin/sfxload    -> $(SEC_CRIT) ;
  /sbin/blockdev  -> $(SEC_CRIT) ;
  /sbin/cardctl   -> $(SEC_CRIT) ;
  /sbin/cardmgr   -> $(SEC_CRIT) ;
  /sbin/cbq       -> $(SEC_CRIT) ;
  /sbin/dump_cis  -> $(SEC_CRIT) ;
  /sbin/elvtune   -> $(SEC_CRIT) ;
  /sbin/hotplug   -> $(SEC_CRIT) ;
  /sbin/hwclock   -> $(SEC_CRIT) ;
  /sbin/ide_info  -> $(SEC_CRIT) ;
  /sbin/isapnp    -> $(SEC_CRIT) ;
  /sbin/kbdrate   -> $(SEC_CRIT) ;
  /sbin/losetup   -> $(SEC_CRIT) ;
  /sbin/lspci     -> $(SEC_CRIT) ;
  /sbin/lspnp     -> $(SEC_CRIT) ;
  /sbin/mii-tool  -> $(SEC_CRIT) ;
  /sbin/pack_cis  -> $(SEC_CRIT) ;
  /sbin/pnpdump   -> $(SEC_CRIT) ;
  /sbin/probe     -> $(SEC_CRIT) ;
  /sbin/pump      -> $(SEC_CRIT) ;
  /sbin/setpci    -> $(SEC_CRIT) ;
  /sbin/shapecfg  -> $(SEC_CRIT) ;
}

###############################
# System Information Programs
###############################
( rulename = "System Information Programs", severity = $(SIG_HI) )
{
  /sbin/consoletype   -> $(SEC_CRIT) ;
  /sbin/kernelversion -> $(SEC_CRIT) ;
  /sbin/runlevel      -> $(SEC_CRIT) ;
}

####################################
# Application Information Programs
####################################
( rulename = "Application Information Programs", severity = $(SIG_HI) )
{
  /sbin/genksyms      -> $(SEC_CRIT) ;
  /sbin/genksyms.old  -> $(SEC_CRIT) ;
  /sbin/rtmon         -> $(SEC_CRIT) ;
}

##########################
# Shell Related Programs
##########################
( rulename = "Shell Related Programs", severity = $(SIG_HI) )
{
  /sbin/getkey -> $(SEC_CRIT) ;
  /sbin/nash   -> $(SEC_CRIT) ;
  /sbin/sash   -> $(SEC_CRIT) ;
}

################
# OS Utilities
################
( rulename = "Operating System Utilities", severity = $(SIG_HI) )
{
  /bin/arch           -> $(SEC_CRIT) ;
  /bin/ash            -> $(SEC_CRIT) ;
  /bin/ash.static     -> $(SEC_CRIT) ;
  /bin/aumix-minimal  -> $(SEC_CRIT) ;
  /bin/basename       -> $(SEC_CRIT) ;
  /bin/cat            -> $(SEC_CRIT) ;
  /bin/consolechars   -> $(SEC_CRIT) ;
  /bin/cut            -> $(SEC_CRIT) ;
  /bin/date           -> $(SEC_CRIT) ;
  /bin/dd             -> $(SEC_CRIT) ;
  /bin/df             -> $(SEC_CRIT) ;
  /bin/dmesg          -> $(SEC_CRIT) ;
  /bin/doexec         -> $(SEC_CRIT) ;
  /bin/echo           -> $(SEC_CRIT) ;
  /bin/ed             -> $(SEC_CRIT) ;
  /bin/egrep          -> $(SEC_CRIT) ;
  /bin/false          -> $(SEC_CRIT) ;
  /bin/fgrep          -> $(SEC_CRIT) ;
  /bin/gawk           -> $(SEC_CRIT) ;
  /bin/gawk-3.1.0     -> $(SEC_CRIT) ;
  /bin/gettext        -> $(SEC_CRIT) ;
  /bin/grep           -> $(SEC_CRIT) ;
  /bin/gunzip         -> $(SEC_CRIT) ;
  /bin/gzip           -> $(SEC_CRIT) ;
  /bin/hostname       -> $(SEC_CRIT) ;
  /bin/igawk          -> $(SEC_CRIT) ;
  /bin/ipcalc         -> $(SEC_CRIT) ;
  /bin/kill           -> $(SEC_CRIT) ;
  /bin/ln             -> $(SEC_CRIT) ;
  /bin/loadkeys       -> $(SEC_CRIT) ;
  /bin/login          -> $(SEC_CRIT) ;
  /bin/ls             -> $(SEC_CRIT) ;
  /bin/mail           -> $(SEC_CRIT) ;
  /bin/more           -> $(SEC_CRIT) ;
  /bin/mt             -> $(SEC_CRIT) ;
  /bin/mv             -> $(SEC_CRIT) ;
  /bin/netstat        -> $(SEC_CRIT) ;
  /bin/nice           -> $(SEC_CRIT) ;
  /bin/pgawk          -> $(SEC_CRIT) ;
  /bin/ps             -> $(SEC_CRIT) ;
  /bin/rpm            -> $(SEC_CRIT) ;
  /bin/sed            -> $(SEC_CRIT) ;
  /bin/sleep          -> $(SEC_CRIT) ;
  /bin/sort           -> $(SEC_CRIT) ;
  /bin/stty           -> $(SEC_CRIT) ;
  /bin/su             -> $(SEC_CRIT) ;
  /bin/sync           -> $(SEC_CRIT) ;
  /bin/tar            -> $(SEC_CRIT) ;
  /bin/true           -> $(SEC_CRIT) ;
  /bin/usleep         -> $(SEC_CRIT) ;
  /bin/vi             -> $(SEC_CRIT) ;
  /bin/zcat           -> $(SEC_CRIT) ;
  /bin/zsh            -> $(SEC_CRIT) ;
  /bin/zsh-4.0.2      -> $(SEC_CRIT) ;
  /sbin/sln           -> $(SEC_CRIT) ;
  /usr/bin/vimtutor   -> $(SEC_CRIT) ;
}

##############################
# Critical Utility Sym-Links
##############################
( rulename = "Critical Utility Sym-Links", severity = $(SIG_HI) )
{
  /sbin/askrunlevel           -> $(SEC_CRIT) ;
  /sbin/clock                 -> $(SEC_CRIT) ;
  /sbin/fixperm               -> $(SEC_CRIT) ;
  /sbin/fsck.reiserfs         -> $(SEC_CRIT) ;
  /sbin/fsconf                -> $(SEC_CRIT) ;
  /sbin/ipfwadm-wrapper       -> $(SEC_CRIT) ;
  /sbin/kallsyms              -> $(SEC_CRIT) ;
  /sbin/ksyms                 -> $(SEC_CRIT) ;
  /sbin/lsmod                 -> $(SEC_CRIT) ;
  /sbin/mailconf              -> $(SEC_CRIT) ;
  /sbin/mkfs.reiserfs         -> $(SEC_CRIT) ;
  /sbin/modemconf             -> $(SEC_CRIT) ;
  /sbin/modprobe              -> $(SEC_CRIT) ;
  /sbin/mount.ncp             -> $(SEC_CRIT) ;
  /sbin/mount.ncpfs           -> $(SEC_CRIT) ;
  /sbin/mount.smb             -> $(SEC_CRIT) ;
  /sbin/mount.smbfs           -> $(SEC_CRIT) ;
  /sbin/netconf               -> $(SEC_CRIT) ;
  /sbin/pidof                 -> $(SEC_CRIT) ;
  /sbin/poweroff              -> $(SEC_CRIT) ;
  /sbin/quotaoff              -> $(SEC_CRIT) ;
  /sbin/raid0run              -> $(SEC_CRIT) ;
  /sbin/raidhotadd            -> $(SEC_CRIT) ;
  /sbin/raidhotgenerateerror  -> $(SEC_CRIT) ;
  /sbin/raidhotremove         -> $(SEC_CRIT) ;
  /sbin/raidstop              -> $(SEC_CRIT) ;
  /sbin/rdump                 -> $(SEC_CRIT) ;
  /sbin/rdump.static          -> $(SEC_CRIT) ;
  /sbin/reboot                -> $(SEC_CRIT) ;
  /sbin/rmmod                 -> $(SEC_CRIT) ;
  /sbin/rrestore              -> $(SEC_CRIT) ;
  /sbin/rrestore.static       -> $(SEC_CRIT) ;
  /sbin/swapoff               -> $(SEC_CRIT) ;
  /sbin/telinit               -> $(SEC_CRIT) ;
  /sbin/userconf              -> $(SEC_CRIT) ;
  /sbin/uucpconf              -> $(SEC_CRIT) ;
  /sbin/vregistry             -> $(SEC_CRIT) ;
  /bin/awk                    -> $(SEC_CRIT) ;
  /bin/bash2                  -> $(SEC_CRIT) ;
  /bin/bsh                    -> $(SEC_CRIT) ;
  /bin/csh                    -> $(SEC_CRIT) ;
  /bin/dnsdomainname          -> $(SEC_CRIT) ;
  /bin/domainname             -> $(SEC_CRIT) ;
  /bin/ex                     -> $(SEC_CRIT) ;
  /bin/gtar                   -> $(SEC_CRIT) ;
  /bin/nisdomainname          -> $(SEC_CRIT) ;
  /bin/red                    -> $(SEC_CRIT) ;
  /bin/rvi                    -> $(SEC_CRIT) ;
  /bin/rview                  -> $(SEC_CRIT) ;
  /bin/view                   -> $(SEC_CRIT) ;
  /bin/ypdomainname           -> $(SEC_CRIT) ;
}

#########################
# Temporary directories
#########################
( rulename = "Temporary directories", recurse = false, severity = $(SIG_LOW) )
{
  /usr/tmp -> $(SEC_INVARIANT) ;
  /var/tmp -> $(SEC_INVARIANT) ;
  /tmp     -> $(SEC_INVARIANT) ;
}

###############
# Local files
###############
( rulename = "User binaries", severity = $(SIG_MED) )
{
  /sbin           -> $(SEC_BIN) (recurse = 1) ;
  /usr/bin        -> $(SEC_BIN) (recurse = 1) ;
  /usr/sbin       -> $(SEC_BIN) (recurse = 1) ;
  /usr/local/bin  -> $(SEC_BIN) (recurse = 1) ;
}

( rulename = "Shell Binaries", severity = $(SIG_HI) )
{
  /bin/bash       -> $(SEC_BIN) ;
  /bin/ksh        -> $(SEC_BIN) ;
  # /bin/psh      -> $(SEC_BIN) ;   # No longer used?
  # /bin/Rsh      -> $(SEC_BIN) ;   # No longer used?
  /bin/sh         -> $(SEC_BIN) ;
  # /bin/shell    -> $(SEC_SUID) ;  # No longer used?
  # /bin/tsh      -> $(SEC_BIN) ;   # No longer used?
  /bin/tcsh       -> $(SEC_BIN) ;
  /sbin/nologin   -> $(SEC_BIN) ;
}

( rulename = "Security Control", severity = $(SIG_HI) )
{
  /etc/group      -> $(SEC_CRIT) ;
  /etc/security   -> $(SEC_CRIT) ;
  #/var/spool/cron/crontabs -> $(SEC_CRIT) ;  # Uncomment when this file exists
}

#( rulename = "Boot Scripts", severity = $(SIG_HI) )
#{
#  /etc/rc             -> $(SEC_CONFIG) ;
#  /etc/rc.bsdnet      -> $(SEC_CONFIG) ;
#  /etc/rc.dt          -> $(SEC_CONFIG) ;
#  /etc/rc.net         -> $(SEC_CONFIG) ;
#  /etc/rc.net.serial  -> $(SEC_CONFIG) ;
#  /etc/rc.nfs         -> $(SEC_CONFIG) ;
#  /etc/rc.powerfail   -> $(SEC_CONFIG) ;
#  /etc/rc.tcpip       -> $(SEC_CONFIG) ;
#  /etc/trcfmt.Z       -> $(SEC_CONFIG) ;
#}

( rulename = "Login Scripts", severity = $(SIG_HI) )
{
  /etc/bashrc         -> $(SEC_CONFIG) ;
  /etc/csh.cshrc      -> $(SEC_CONFIG) ;
  /etc/csh.login      -> $(SEC_CONFIG) ;
  /etc/inputrc        -> $(SEC_CONFIG) ;
  # /etc/tsh_profile  -> $(SEC_CONFIG) ;  # Uncomment when this file exists
  /etc/profile        -> $(SEC_CONFIG) ;
}

# Libraries
( rulename = "Libraries", severity = $(SIG_MED) )
{
  /usr/lib        -> $(SEC_BIN) ;
  /usr/local/lib  -> $(SEC_BIN) ;
}

######################################################
# Critical System Boot Files
# These files are critical to a correct system boot.
######################################################
( rulename = "Critical system boot files", severity = $(SIG_HI) )
{
  /boot                   -> $(SEC_CRIT) ;
  #/sbin/devfsd           -> $(SEC_CRIT) ;
  /sbin/grub              -> $(SEC_CRIT) ;
  /sbin/grub-install      -> $(SEC_CRIT) ;
  /sbin/grub-md5-crypt    -> $(SEC_CRIT) ;
  /sbin/installkernel     -> $(SEC_CRIT) ;
  /sbin/lilo              -> $(SEC_CRIT) ;
  /sbin/mkkerneldoth      -> $(SEC_CRIT) ;
  !/boot/System.map ;
  !/boot/module-info ;
  /usr/share/grub/i386-redhat/e2fs_stage1_5      -> $(SEC_CRIT) ;
  /usr/share/grub/i386-redhat/fat_stage1_5       -> $(SEC_CRIT) ;
  /usr/share/grub/i386-redhat/ffs_stage1_5       -> $(SEC_CRIT) ;
  /usr/share/grub/i386-redhat/minix_stage1_5     -> $(SEC_CRIT) ;
  /usr/share/grub/i386-redhat/reiserfs_stage1_5  -> $(SEC_CRIT) ;
  /usr/share/grub/i386-redhat/stage1             -> $(SEC_CRIT) ;
  /usr/share/grub/i386-redhat/stage2             -> $(SEC_CRIT) ;
  /usr/share/grub/i386-redhat/vstafs_stage1_5    -> $(SEC_CRIT) ;
  # other boot files may exist. Look for:
  #/ufsboot               -> $(SEC_CRIT) ;
}

##################################################
# These files change every time the system boots
##################################################
( rulename = "System boot changes", severity = $(SIG_HI) )
{
  !/var/run/ftp.pids-all ;                 # Comes and goes on reboot.
  !/root/.enlightenment ;
  /dev/log                  -> $(SEC_CONFIG) ;
  /dev/cua0                 -> $(SEC_CONFIG) ;
  # /dev/printer            -> $(SEC_CONFIG) ;  # Uncomment if you have a printer device
  /dev/console              -> $(SEC_CONFIG) -u ;  # User ID may change on console login/logout.
  /dev/tty1                 -> $(SEC_CONFIG) ;  # tty devices
  /dev/tty2                 -> $(SEC_CONFIG) ;  # tty devices
  /dev/tty3                 -> $(SEC_CONFIG) ;  # are extremely
  /dev/tty4                 -> $(SEC_CONFIG) ;  # variable
  /dev/tty5                 -> $(SEC_CONFIG) ;
  /dev/tty6                 -> $(SEC_CONFIG) ;
  /dev/urandom              -> $(SEC_CONFIG) ;
  /dev/initctl              -> $(SEC_CONFIG) ;
  /var/lock/subsys          -> $(SEC_CONFIG) ;
  /var/lock/subsys/amd      -> $(SEC_CONFIG) ;
  /var/lock/subsys/anacron  -> $(SEC_CONFIG) ;
  /var/lock/subsys/apmd     -> $(SEC_CONFIG) ;
  /var/lock/subsys/arpwatch -> $(SEC_CONFIG) ;
  /var/lock/subsys/atd      -> $(SEC_CONFIG) ;
  /var/lock/subsys/autofs   -> $(SEC_CONFIG) ;
  /var/lock/subsys/bcm5820  -> $(SEC_CONFIG) ;
  /var/lock/subsys/bgpd     -> $(SEC_CONFIG) ;
  /var/lock/subsys/bootparamd -> $(SEC_CONFIG) ;
  /var/lock/subsys/canna    -> $(SEC_CONFIG) ;
  /var/lock/subsys/crond    -> $(SEC_CONFIG) ;
  /var/lock/subsys/cWnn     -> $(SEC_CONFIG) ;
  /var/lock/subsys/dhcpd    -> $(SEC_CONFIG) ;
  /var/lock/subsys/firewall -> $(SEC_CONFIG) ;
  /var/lock/subsys/freeWnn  -> $(SEC_CONFIG) ;
  /var/lock/subsys/gated    -> $(SEC_CONFIG) ;
  /var/lock/subsys/gpm      -> $(SEC_CONFIG) ;
  /var/lock/subsys/httpd    -> $(SEC_CONFIG) ;
  /var/lock/subsys/identd   -> $(SEC_CONFIG) ;
  /var/lock/subsys/innd     -> $(SEC_CONFIG) ;
  /var/lock/subsys/ipchains -> $(SEC_CONFIG) ;
  /var/lock/subsys/iptables -> $(SEC_CONFIG) ;
  /var/lock/subsys/ipvsadm  -> $(SEC_CONFIG) ;
  /var/lock/subsys/irda     -> $(SEC_CONFIG) ;
  /var/lock/subsys/iscsi    -> $(SEC_CONFIG) ;
  /var/lock/subsys/isdn     -> $(SEC_CONFIG) ;
  /var/lock/subsys/junkbuster -> $(SEC_CONFIG) ;
  /var/lock/subsys/kadmin   -> $(SEC_CONFIG) ;
  /var/lock/subsys/keytable -> $(SEC_CONFIG) ;
  /var/lock/subsys/kprop    -> $(SEC_CONFIG) ;
  /var/lock/subsys/krb524   -> $(SEC_CONFIG) ;
  /var/lock/subsys/krb5kdc  -> $(SEC_CONFIG) ;
  /var/lock/subsys/kudzu    -> $(SEC_CONFIG) ;
  /var/lock/subsys/kWnn     -> $(SEC_CONFIG) ;
  /var/lock/subsys/ldap     -> $(SEC_CONFIG) ;
  /var/lock/subsys/linuxconf -> $(SEC_CONFIG) ;
  /var/lock/subsys/lpd      -> $(SEC_CONFIG) ;
  /var/lock/subsys/mars_nwe -> $(SEC_CONFIG) ;
  /var/lock/subsys/mcserv   -> $(SEC_CONFIG) ;
  /var/lock/subsys/mysqld   -> $(SEC_CONFIG) ;
  /var/lock/subsys/named    -> $(SEC_CONFIG) ;
  /var/lock/subsys/netfs    -> $(SEC_CONFIG) ;
  /var/lock/subsys/network  -> $(SEC_CONFIG) ;
  /var/lock/subsys/nfs      -> $(SEC_CONFIG) ;
  /var/lock/subsys/nfslock  -> $(SEC_CONFIG) ;
  /var/lock/subsys/nscd     -> $(SEC_CONFIG) ;
  /var/lock/subsys/ntpd     -> $(SEC_CONFIG) ;
  /var/lock/subsys/ospf6d   -> $(SEC_CONFIG) ;
  /var/lock/subsys/ospfd    -> $(SEC_CONFIG) ;
  /var/lock/subsys/pcmcia   -> $(SEC_CONFIG) ;
  /var/lock/subsys/portmap  -> $(SEC_CONFIG) ;
  /var/lock/subsys/postgresql -> $(SEC_CONFIG) ;
  /var/lock/subsys/pxe      -> $(SEC_CONFIG) ;
  /var/lock/subsys/radvd    -> $(SEC_CONFIG) ;
  /var/lock/subsys/random   -> $(SEC_CONFIG) ;
  /var/lock/subsys/rarpd    -> $(SEC_CONFIG) ;
  /var/lock/subsys/reconfig -> $(SEC_CONFIG) ;
  /var/lock/subsys/rhnsd    -> $(SEC_CONFIG) ;
  /var/lock/subsys/ripd     -> $(SEC_CONFIG) ;
  /var/lock/subsys/ripngd   -> $(SEC_CONFIG) ;
  /var/lock/subsys/routed   -> $(SEC_CONFIG) ;
  /var/lock/subsys/rstatd   -> $(SEC_CONFIG) ;
  /var/lock/subsys/rusersd  -> $(SEC_CONFIG) ;
  /var/lock/subsys/rwalld   -> $(SEC_CONFIG) ;
  /var/lock/subsys/rwhod    -> $(SEC_CONFIG) ;
  /var/lock/subsys/sendmail -> $(SEC_CONFIG) ;
  /var/lock/subsys/smb      -> $(SEC_CONFIG) ;
  /var/lock/subsys/snmpd    -> $(SEC_CONFIG) ;
  /var/lock/subsys/squid    -> $(SEC_CONFIG) ;
  /var/lock/subsys/sshd     -> $(SEC_CONFIG) ;
  /var/lock/subsys/syslog   -> $(SEC_CONFIG) ;
  /var/lock/subsys/tux      -> $(SEC_CONFIG) ;
  /var/lock/subsys/tWnn     -> $(SEC_CONFIG) ;
  /var/lock/subsys/ups      -> $(SEC_CONFIG) ;
  /var/lock/subsys/vncserver -> $(SEC_CONFIG) ;
  /var/lock/subsys/wine     -> $(SEC_CONFIG) ;
  /var/lock/subsys/xfs      -> $(SEC_CONFIG) ;
  /var/lock/subsys/xinetd   -> $(SEC_CONFIG) ;
  /var/lock/subsys/ypbind   -> $(SEC_CONFIG) ;
  /var/lock/subsys/yppasswdd -> $(SEC_CONFIG) ;
  /var/lock/subsys/ypserv   -> $(SEC_CONFIG) ;
  /var/lock/subsys/ypxfrd   -> $(SEC_CONFIG) ;
  /var/lock/subsys/zebra    -> $(SEC_CONFIG) ;
  /var/run                  -> $(SEC_CONFIG) ;
  /var/log                  -> $(SEC_CONFIG) ;
  /etc/ioctl.save           -> $(SEC_CONFIG) ;
  /etc/issue.net            -> $(SEC_CONFIG) -i ;  #
Inode number changes /etc/issue -> $(SEC_CONFIG) ; /etc/mtab -> $(SEC_CONFIG) -i ; # Inode number changes on any mount/unmount /lib/modules -> $(SEC_CONFIG) ; /etc/.pwd.lock -> $(SEC_CONFIG) ; # /lib/modules/preferred -> $(SEC_CONFIG) ; #Uncomment when this file exists } # These files change the behavior of the root account ( rulename = "Root config files", severity = 100 ) { /root -> $(SEC_CRIT) ; # Catch all additions to /root /root/.Xresources -> $(SEC_CONFIG) ; /root/.bashrc -> $(SEC_CONFIG) ; /root/.bash_profile -> $(SEC_CONFIG) ; /root/.bash_logout -> $(SEC_CONFIG) ; /root/.cshrc -> $(SEC_CONFIG) ; /root/.tcshrc -> $(SEC_CONFIG) ; /root/Mail -> $(SEC_CONFIG) ; /root/mail -> $(SEC_CONFIG) ; /root/.amandahosts -> $(SEC_CONFIG) ; /root/.addressbook.lu -> $(SEC_CONFIG) ; /root/.addressbook -> $(SEC_CONFIG) ; /root/.bash_history -> $(SEC_CONFIG) ; /root/.elm -> $(SEC_CONFIG) ; /root/.esd_auth -> $(SEC_CONFIG) ; /root/.gnome_private -> $(SEC_CONFIG) ; /root/.gnome-desktop -> $(SEC_CONFIG) ; /root/.gnome -> $(SEC_CONFIG) ; /root/.ICEauthority -> $(SEC_CONFIG) ; /root/.mc -> $(SEC_CONFIG) ; /root/.pinerc -> $(SEC_CONFIG) ; /root/.sawfish -> $(SEC_CONFIG) ; /root/.Xauthority -> $(SEC_CONFIG) -i ; # Changes Inode number on login /root/.xauth -> $(SEC_CONFIG) ; /root/.xsession-errors -> $(SEC_CONFIG) ; } ################################ # ## ################################ # # # # # Critical configuration files # # # ## ################################ ( rulename = "Critical configuration files", severity = $(SIG_HI) ) { /etc/conf.linuxconf -> $(SEC_BIN) ; /etc/crontab -> $(SEC_BIN) ; /etc/cron.hourly -> $(SEC_BIN) ; /etc/cron.daily -> $(SEC_BIN) ; /etc/cron.weekly -> $(SEC_BIN) ; /etc/cron.monthly -> $(SEC_BIN) ; /etc/default -> $(SEC_BIN) ; /etc/fstab -> $(SEC_BIN) ; /etc/exports -> $(SEC_BIN) ; /etc/group- -> $(SEC_BIN) ; # changes should be infrequent /etc/host.conf -> $(SEC_BIN) ; /etc/hosts.allow -> $(SEC_BIN) ; /etc/hosts.deny -> $(SEC_BIN) ; /etc/httpd/conf -> 
$(SEC_BIN) ; # changes should be infrequent /etc/protocols -> $(SEC_BIN) ; /etc/services -> $(SEC_BIN) ; /etc/rc.d/init.d -> $(SEC_BIN) ; /etc/rc.d -> $(SEC_BIN) ; /etc/mail.rc -> $(SEC_BIN) ; /etc/modules.conf -> $(SEC_BIN) ; /etc/motd -> $(SEC_BIN) ; /etc/named.conf -> $(SEC_BIN) ; /etc/passwd -> $(SEC_CONFIG) ; /etc/passwd- -> $(SEC_CONFIG) ; /etc/profile.d -> $(SEC_BIN) ; /var/lib/nfs/rmtab -> $(SEC_BIN) ; /usr/sbin/fixrmtab -> $(SEC_BIN) ; /etc/rpc -> $(SEC_BIN) ; /etc/sysconfig -> $(SEC_BIN) ; /etc/samba/smb.conf -> $(SEC_CONFIG) ; #/etc/gettydefs -> $(SEC_BIN) ; /etc/nsswitch.conf -> $(SEC_BIN) ; /etc/yp.conf -> $(SEC_BIN) ; /etc/hosts -> $(SEC_CONFIG) ; /etc/xinetd.conf -> $(SEC_CONFIG) ; /etc/inittab -> $(SEC_CONFIG) ; /etc/resolv.conf -> $(SEC_CONFIG) ; /etc/syslog.conf -> $(SEC_CONFIG) ; } #################### # ## #################### # # # # # Critical devices # # # ## #################### ( rulename = "Critical devices", severity = $(SIG_HI), recurse = false ) { /dev/kmem -> $(Device) ; /dev/mem -> $(Device) ; /dev/null -> $(Device) ; /dev/zero -> $(Device) ; /proc/devices -> $(Device) ; /proc/net -> $(Device) ; /proc/sys -> $(Device) ; /proc/cpuinfo -> $(Device) ; /proc/modules -> $(Device) ; /proc/mounts -> $(Device) ; /proc/dma -> $(Device) ; /proc/filesystems -> $(Device) ; /proc/pci -> $(Device) ; /proc/interrupts -> $(Device) ; /proc/driver/rtc -> $(Device) ; /proc/ioports -> $(Device) ; /proc/scsi -> $(Device) ; /proc/kcore -> $(Device) ; /proc/self -> $(Device) ; /proc/kmsg -> $(Device) ; /proc/stat -> $(Device) ; /proc/ksyms -> $(Device) ; /proc/loadavg -> $(Device) ; /proc/uptime -> $(Device) ; /proc/locks -> $(Device) ; /proc/version -> $(Device) ; /proc/mdstat -> $(Device) ; /proc/meminfo -> $(Device) ; /proc/cmdline -> $(Device) ; /proc/misc -> $(Device) ; } # Rest of critical system binaries ( rulename = "OS executables and libraries", severity = $(SIG_HI) ) { /bin -> $(SEC_BIN) ; /lib -> $(SEC_BIN) ; } 
#=============================================================================
#
# Copyright 2006 Tripwire, Inc. Tripwire is a registered trademark of Tripwire,
# Inc. in the United States and other countries. All rights reserved.
#
# Linux is a registered trademark of Linus Torvalds.
#
# UNIX is a registered trademark of The Open Group.
#
#=============================================================================
#
# Permission is granted to make and distribute verbatim copies of this document
# provided the copyright notice and this permission notice are preserved on all
# copies.
#
# Permission is granted to copy and distribute modified versions of this
# document under the conditions for verbatim copying, provided that the entire
# resulting derived work is distributed under the terms of a permission notice
# identical to this one.
#
# Permission is granted to copy and distribute translations of this document
# into another language, under the above conditions for modified versions,
# except that this permission notice may be stated in a translation approved by
# Tripwire, Inc.
#
# DCM

If the policy settings are changed, the following command must be run:
tripwire --update-policy twpol.txt
Note that the tripwire database must already exist.
Creating the tripwire database
Create a new tripwire database with:
tripwire --init
Tripwire check
To check the file system against the database, run:
tripwire --check
To check everything with severity 100 and above, type:
tripwire --check --severity 100
To check only the rule named "OS executables and libraries":
tripwire --check --rule-name "OS executables and libraries"
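The following is an added example, not part of this page or of Tripwire itself: a small Python parser for the twpol.txt syntax quoted above, used to show how a policy's rulename/severity blocks and $(VAR) property masks resolve and which rules --severity 100 or --rule-name would select. The policy excerpt is constructed, and the SIG_* values are assumed to follow the stock twpol.txt.

```python
# Added example (not Tripwire's own code): mini parser for the twpol.txt syntax above.
import re
# Constructed excerpt with rule names from this page; SIG_* values are
# assumed to follow the stock twpol.txt (SIG_MED = 66, SIG_HI = 100).
POLICY = r'''
SIG_MED = 66 ;
SIG_HI  = 100 ;
SEC_CRIT   = $(IgnoreNone)-SHa ;
SEC_BIN    = $(ReadOnly) ;
SEC_CONFIG = $(Dynamic) ;
( rulename = "Libraries", severity = $(SIG_MED) )
{
  /usr/lib -> $(SEC_BIN) ;
}
( rulename = "Root config files", severity = 100 )
{
  /root -> $(SEC_CRIT) ;                  # Catch all additions to /root
  /root/.Xauthority -> $(SEC_CONFIG) -i ; # Changes inode number on login
}
( rulename = "OS executables and libraries", severity = $(SIG_HI) )
{
  /bin -> $(SEC_BIN) ;
  !/boot/System.map ;                     # stop point: never checked
}
'''
VAR_RE = re.compile(r'^\s*(\w+)\s*=\s*(.+?)\s*;\s*$', re.M)
RULE_RE = re.compile(r'\(\s*rulename\s*=\s*"([^"]+)"\s*,\s*severity\s*=\s*'
                     r'(\$\(\w+\)|\d+)\s*(?:,[^)]*)?\)\s*\{(.*?)\}', re.S)
ENTRY_RE = re.compile(r'^\s*(!?)(/\S+)(?:\s*->\s*([^;]+?))?\s*;', re.M)

def parse_policy(text):
    text = re.sub(r'#.*', '', text)                  # a comment runs to end of line
    variables = dict(VAR_RE.findall(text))
    def expand(s):                                   # resolve $(NAME); built-ins such as
        for _ in range(8):                           # $(ReadOnly) have no definition and stay
            s = re.sub(r'\$\((\w+)\)', lambda m: variables.get(m[1], m[0]), s)
        return s
    rules = []
    for name, severity, body in RULE_RE.findall(text):
        entries = [(path, None if stop else expand(mask.strip()))   # None = '!' stop point
                   for stop, path, mask in ENTRY_RE.findall(body)]
        rules.append({'name': name, 'severity': int(expand(severity)), 'entries': entries})
    return rules

def select_rules(rules, min_severity=None, rule_name=None):
    """Mimic --severity N (keep severity >= N) and --rule-name NAME (keep that rule)."""
    return [r for r in rules if (min_severity is None or r['severity'] >= min_severity)
            and (rule_name is None or r['name'] == rule_name)]

if __name__ == '__main__':                          # same selection as --severity 100
    for r in select_rules(parse_policy(POLICY), min_severity=100):
        print(f"{r['severity']:3d}  {r['name']}: {[p for p, _ in r['entries']]}")
```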
Copyright © 2010-2024
Kjell Enblom.
This document is covered by the GNU Free Documentation License, Version 1.3
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license is included in the section entitled "GNU Free Documentation License".