Re: [suse-security] Tripwire Policy file which works out of the box for SuSE 9?

suserio.vg
Date: Fri Apr 02 2004 - 15:55:50 CST


Quoting Tobias Weisserth <tobiasweisserth.de>:
>
> Am Fr, den 02.04.2004 schrieb suserio.vg um 23:43:
> > Attached is one of mine. It's pretty basic, I just stripped down the
> redhat one
> > and moved some things... no big deal, but it covers the basics...
>
> You mean it *had* been attached ;-) Obviously, attachment filtering on
> mailing lists has its downsides too...
>
> But thanks anyway ;-)
>

OK, time to do this the old-fashioned way...

##############################################################################
#
# Global Variable Definitions
#
# These are defined at install time by the installation script. You may
# manually edit these if you are using this file directly and not from the
# installation script itself.
#
##############################################################################

section GLOBAL
# Locations used by the rules below. TWROOT and TWBIN both point at /usr/sbin,
# and the policy, site-key and local-key directories all resolve to
# /etc/tripwire.
# NOTE(review): /usr/sbin and /etc are also covered by the broader
# "User binaries" and "Root & Configs" rules further down; the more specific
# entries in the "Tripwire Binaries"/"Tripwire Data Files" rules are presumably
# the ones applied to these files — confirm after "twadmin --create-polfile".
TWROOT=/usr/sbin;
TWBIN=/usr/sbin;
TWPOL="/etc/tripwire";
TWDB="/var/lib/tripwire";
TWSKEY="/etc/tripwire";
TWLKEY="/etc/tripwire";
TWREPORT="/var/lib/tripwire/report";
# Must match the local key file name, $(TWLKEY)/$(HOSTNAME)-local.key, as used
# in the "Tripwire Data Files" rule; set it to the target machine's name when
# reusing this policy elsewhere.
HOSTNAME=shoggoth;

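section FS
# Property masks, built on Tripwire's predefined masks. "-SHa" removes the
# SHA and Haval hashes and the access timestamp from IgnoreNone, so MD5 and
# CRC32 remain as the content checks. "+tpug" checks only file type,
# permissions, owner and group.
# (Each trailing comment was re-joined onto its definition line: a "#"
# comment ends at end of line, so the wrapped continuation text would
# otherwise be parsed as policy and break twadmin.)
SEC_CRIT = $(IgnoreNone)-SHa ; # Critical files that cannot change
SEC_SUID = $(IgnoreNone)-SHa ; # Binaries with the SUID or SGID flags set (not referenced by any rule below)
SEC_BIN = $(ReadOnly) ; # Binaries that should not change
SEC_CONFIG = $(Dynamic) ; # Config files that are changed infrequently but accessed often
SEC_LOG = $(Growing) ; # Files that grow, but that should never change ownership (only used in the commented-out HQ rule)
SEC_INVARIANT = +tpug ; # Directories that should never change permission or ownership
# Severity levels; an integrity check can be restricted to rules at or above a
# level with "tripwire --check --severity N".
SIG_LOW = 33 ; # Non-critical files that are of minimal security impact
SIG_MED = 66 ; # Non-critical files that are of significant security impact
SIG_HI = 100 ; # Critical files that are significant points of vulnerability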

# Tripwire Binaries
# Tripwire's own executables under $(TWBIN) (/usr/sbin). Any change to these
# undermines every other check in this policy, hence the highest severity
# defined (SIG_HI) and the ReadOnly mask behind $(SEC_BIN).
(
  rulename = "Tripwire Binaries",
  severity = $(SIG_HI)
)
{
  $(TWBIN)/siggen -> $(SEC_BIN) ;
  $(TWBIN)/tripwire -> $(SEC_BIN) ;
  $(TWBIN)/twadmin -> $(SEC_BIN) ;
  $(TWBIN)/twprint -> $(SEC_BIN) ;
}

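# Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports,
# Databases
# (The wrapped second line of this heading is now a comment; as a bare line
# it would have been parsed as policy text.)
(
  rulename = "Tripwire Data Files",
  severity = $(SIG_HI)
)
{
  # NOTE: We remove the inode attribute because when Tripwire creates a backup,
  # it does so by renaming the old file and creating a new one (which will
  # have a new inode number). Inode is left turned on for keys, which shouldn't
  # ever change.

  # NOTE: The first integrity check triggers this rule and each integrity check
  # afterward triggers this rule until a database update is run, since the
  # database file does not exist before that point.

  $(TWDB) -> $(SEC_CONFIG) -i ;
  $(TWPOL)/tw.pol -> $(SEC_BIN) -i ;
  $(TWPOL)/tw.cfg -> $(SEC_BIN) -i ;
  # Keys keep the full $(SEC_BIN) mask, inode included, so a replaced key file
  # (new inode) is reported.
  $(TWLKEY)/$(HOSTNAME)-local.key -> $(SEC_BIN) ;
  $(TWSKEY)/site.key -> $(SEC_BIN) ;

  # Don't scan the individual reports: recurse=0 checks the report directory
  # entry itself only, so new report files do not show up as violations.
  $(TWREPORT) -> $(SEC_CONFIG) (recurse=0) ;
}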

# Tripwire HQ Connector Binaries
#(
# rulename = "Tripwire HQ Connector Binaries",
# severity = $(SIG_HI)
#)
#{
# $(TWBIN)/hqagent -> $(SEC_BIN) ;
#}
#
# Tripwire HQ Connector - Configuration Files, Keys, and Logs

##############################################################################
#
# Note: File locations here are different than in a stock HQ Connector
# installation. This is because Tripwire 2.3 uses a different path
# structure than Tripwire 2.2.1.
#
# You may need to update your HQ Agent configuration file (or this policy
# file) to correct the paths. We have attempted to support the FHS standard
# here by placing the HQ Agent files similarly to the way Tripwire 2.3
# places them.
#
##############################################################################

#(
# rulename = "Tripwire HQ Connector Data Files",
# severity = $(SIG_HI)
#)
#{
#
#############################################################################
#
##############################################################################
# # NOTE: Removing the inode attribute because when Tripwire creates a backup
##
# # it does so by renaming the old file and creating a new one (which will
##
# # have a new inode number). Leaving inode turned on for keys, which
##
# # shouldn't ever change.
##
# #############################################################################
#
# $(TWBIN)/agent.cfg -> $(SEC_BIN) -i ;
# $(TWLKEY)/authentication.key -> $(SEC_BIN) ;
# $(TWDB)/tasks.dat -> $(SEC_CONFIG) ;
# $(TWDB)/schedule.dat -> $(SEC_CONFIG) ;
#
# # Uncomment if you have agent logging enabled.
# #/var/log/tripwire/agent.log -> $(SEC_LOG) ;
#}

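# Commonly accessed directories that should remain static with regards to owner
# and group
# (The wrapped "and group" line is now part of the comment; as a bare line it
# would have been parsed as policy text.)
(
  rulename = "Invariant Directories",
  severity = $(SIG_MED)
)
{
  # recurse = 0: only the root directory entry itself (+tpug: type, permission,
  # owner, group), not anything below it.
  / -> $(SEC_INVARIANT) (recurse = 0) ;
}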
################################################
#
# File System and Disk Administration Programs
#
################################################

(
  rulename = "System Binaries",
  severity = $(SIG_HI)
)
{
  # $(SEC_CRIT) keeps MD5/CRC32 and all timestamps except atime.
  # NOTE(review): recurse = 1 appears to limit the scan to each directory and
  # its immediate entries; anything in a subdirectory below /sbin or /bin
  # would not be covered — confirm against twpolicy(4) if such trees exist.
  /sbin -> $(SEC_CRIT) (recurse = 1) ;
  /bin -> $(SEC_CRIT) (recurse = 1) ;
}

#########################
#
# Temporary directories
#
#########################
(
  rulename = "Temporary directories",
  recurse = false,
  severity = $(SIG_LOW)
)
{
  # recurse = false at rule level plus the +tpug mask: only type, permission,
  # owner and group of the directory entries themselves are checked; the files
  # created inside them are deliberately not tracked.
  /usr/tmp -> $(SEC_INVARIANT) ;
  /var/tmp -> $(SEC_INVARIANT) ;
  /tmp -> $(SEC_INVARIANT) ;
}

###############
#
# Local files
#
###############
(
  rulename = "User binaries",
  severity = $(SIG_MED)
)
{
  # ReadOnly mask via $(SEC_BIN). Same depth caveat as the "System Binaries"
  # rule: recurse = 1 presumably does not descend into subdirectories.
  /usr/bin -> $(SEC_BIN) (recurse = 1) ;
  /usr/sbin -> $(SEC_BIN) (recurse = 1) ;
  /usr/local/bin -> $(SEC_BIN) (recurse = 1) ;
  /usr/local/sbin -> $(SEC_BIN) (recurse = 1) ;
}

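(
  rulename = "Root & Configs",
  severity = $(SIG_HI)
)
{
  # NOTE(review): recurse = 1 appears to stop at the immediate entries of each
  # directory, so files in subdirectories such as /etc/ssh, /etc/pam.d or
  # /boot/grub would not be checked; confirm against twpolicy(4) and consider
  # recurse = true for /etc and /boot. Objects under /etc that legitimately
  # change (e.g. /etc/mtab) are relaxed by the "System boot changes" rule.
  /etc -> $(SEC_CRIT) (recurse = 1) ;
  /boot -> $(SEC_CRIT) (recurse = 1) ;
  /root -> $(SEC_CRIT) (recurse = 1) ; # Catch all additions to /root
}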

# Libraries
(
  rulename = "Libraries",
  severity = $(SIG_HI)
)
{
  # NOTE(review): with recurse = 1 only the entries directly in each directory
  # appear to be checked; kernel modules under /lib/modules/<version>/ and
  # anything below a /usr/lib subdirectory would then be outside this rule.
  # Confirm against twpolicy(4); loadable modules are worth covering, so /lib
  # may deserve recurse = true.
  /lib -> $(SEC_BIN) (recurse = 1) ;
  /usr/lib -> $(SEC_BIN) (recurse = 1) ;
  /usr/local/lib -> $(SEC_BIN) (recurse = 1) ;
}

##################################################
# These files change every time the system boots #
##################################################
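(
  rulename = "System boot changes",
  severity = $(SIG_HI)
)
{
     # Objects that legitimately change across boots. Each gets the relaxed
     # $(SEC_CONFIG) mask (contents/size/mtime ignored, type/permission/owner/
     # group still checked) so they do not trip the stricter /etc and device
     # rules. A leading "!" marks a stop point that is excluded from scanning.
     # (The trailing comments were re-joined onto their entries: wrapped
     # continuation lines would otherwise be parsed as policy text.)
     !/var/run/ftp.pids-all ; # Comes and goes on reboot.
     /dev/log -> $(SEC_CONFIG) ;
     /dev/cua0 -> $(SEC_CONFIG) ;
     /dev/console -> $(SEC_CONFIG) -u ; # User ID may change on console login/logout.
     /dev/tty1 -> $(SEC_CONFIG) ; # tty devices
     /dev/tty2 -> $(SEC_CONFIG) ; # tty devices
     /dev/tty3 -> $(SEC_CONFIG) ; # are extremely
     /dev/tty4 -> $(SEC_CONFIG) ; # variable
     /dev/tty5 -> $(SEC_CONFIG) ;
     /dev/tty6 -> $(SEC_CONFIG) ;
     /dev/urandom -> $(SEC_CONFIG) ;
     /dev/initctl -> $(SEC_CONFIG) ;
     /etc/issue.net -> $(SEC_CONFIG) -i ; # Inode number changes
     /etc/mtab -> $(SEC_CONFIG) -i ; # Inode number changes on any mount/unmount
}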

####################
#
# Critical devices
#
####################
(
  rulename = "Critical devices",
  severity = $(SIG_HI),
  recurse = false
)
{
     # $(Device) is Tripwire's predefined mask for device and special files
     # (no content hashes). recurse = false at rule level means the /proc
     # directories listed here (/proc/net, /proc/sys, /proc/driver/rtc) are
     # checked as directory entries only, not their contents.
     # NOTE(review): several entries (/proc/ksyms, /proc/pci) are 2.4-kernel
     # files and are presumably absent on a 2.6 kernel; verify against the
     # target system so "missing object" notices are expected, not alarming.
     /dev/kmem -> $(Device) ;
     /dev/mem -> $(Device) ;
     /dev/null -> $(Device) ;
     /dev/zero -> $(Device) ;
     /proc/devices -> $(Device) ;
     /proc/net -> $(Device) ;
     /proc/sys -> $(Device) ;
     /proc/cpuinfo -> $(Device) ;
     /proc/modules -> $(Device) ;
     /proc/mounts -> $(Device) ;
     /proc/dma -> $(Device) ;
     /proc/filesystems -> $(Device) ;
     /proc/pci -> $(Device) ;
     /proc/interrupts -> $(Device) ;
     /proc/driver/rtc -> $(Device) ;
     /proc/ioports -> $(Device) ;
     #/proc/scsi -> $(Device) ;
     /proc/kcore -> $(Device) ;
     /proc/self -> $(Device) ;
     /proc/kmsg -> $(Device) ;
     /proc/stat -> $(Device) ;
     /proc/ksyms -> $(Device) ;
     /proc/loadavg -> $(Device) ;
     /proc/uptime -> $(Device) ;
     /proc/locks -> $(Device) ;
     /proc/version -> $(Device) ;
     /proc/mdstat -> $(Device) ;
     /proc/meminfo -> $(Device) ;
     /proc/cmdline -> $(Device) ;
     /proc/misc -> $(Device) ;
}
