Re: Tripwire Policies

Tue, 10 Oct 2000 04:21:39 -0700 

On Sat, 07 Oct 2000, you wrote:
> Hi all,
> 
> I've decided it's time to put Tripwire on my Linux servers and I installed a
> copy of it onto a test system.
> 
> Now the default policies from the install contain a lot of references for
> stuff that isn't there on my test server which is a RH6.0 box.
> 
> My question is, should I change the policy file to scan everything except
> the variable stuff like /home, /proc, /var/spool, /var/log or just leave it
> as the Tripwire defaults?
> 
> What policies are others using for RH6.1 and RH6.2 boxes?
> 
> Regards,

Peter,

Here is a copy of the twpol.txt  file That I use. It's basically the
default one with some 6.2  and local changes.  Hope this helps.

Tony.



@@section GLOBAL
TWROOT="/usr/local/security/TSS";
TWBIN="/usr/local/security/TSS/bin";
TWPOL="/usr/local/security/TSS/policy";
TWDB="/usr/local/security/TSS/db";
TWSKEY="/usr/local/security/TSS/key";
TWLKEY="/usr/local/security/TSS/key";
TWREPORT="/usr/local/security/TSS/report";
HOSTNAME=oldtrafford.csis.ul.ie;

@@section FS
SEC_CRIT      = $(IgnoreNone)-SHa;  # Critical files - we can't afford to miss any 
changes.
SEC_SUID      = $(IgnoreNone)-SHa;  # Binaries with the SUID or SGID flags set.
SEC_TCB       = $(ReadOnly);        # Members of the Trusted Computing Base.
SEC_BIN       = $(ReadOnly);        # Binaries that shouldn't change
SEC_CONFIG    = $(Dynamic);         # Config files that are changed infrequently but 
accessed often.
SEC_LOG       = $(Growing);         # Files that grow, but that should never change 
ownership.
SEC_INVARIANT = +pug;               # Directories that should never change permission 
or ownership.
SIG_LOW       = 33;                 # Non-critical files that are of minimal security 
impact
SIG_MED       = 66;                 # Non-critical files that are of significant 
security impact
SIG_HI        = 100;                # Critical files that are significant points of 
vulnerability


# Tripwire Binaries
(rulename = "Tripwire Binaries", severity = $(SIG_HI), emailto = molloyt )
{
  $(TWBIN)/siggen   -> $(ReadOnly);
  $(TWBIN)/tripwire -> $(ReadOnly);
  $(TWBIN)/twadmin  -> $(ReadOnly);
  $(TWBIN)/twprint  -> $(ReadOnly);
}

# Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases
(rulename = "Tripwire Data Files", severity = $(SIG_HI), emailto = molloyt )
{
  # NOTE: Removing the inode attribute because when Tripwire creates a backup
  # it does so by renaming the old file and creating a new one (which will
  # have a new inode number).  Leaving inode turned on for keys, which shouldn't
  # ever change.

  # NOTE: this rule will trigger on the first integrity check after database
  # initialization, and each integrity check afterward until a database update 
  # is run, since the database file will not exist before that point.
  $(TWDB)                           -> $(Dynamic) -i;
  $(TWPOL)/tw.pol                   -> $(SEC_BIN) -i;
  $(TWBIN)/tw.cfg                   -> $(SEC_BIN) -i;
  $(TWLKEY)/$(HOSTNAME)-local.key   -> $(SEC_BIN) ;
  $(TWSKEY)/site.key                -> $(SEC_BIN) ;
  
  #don't scan the individual reports
  $(TWREPORT)                       -> $(Dynamic) (recurse=0);  
}

# Commonly accessed directories that should remain static with regards to owner and 
group
(rulename = "Invariant Directories", severity = $(SIG_MED), emailto = molloyt )
{
  /      -> $(SEC_INVARIANT) (recurse = 0);
  /home  -> $(SEC_INVARIANT) (recurse = 0); 
  /etc   -> $(SEC_INVARIANT) (recurse = 0);
}

# setuid/setgid root programs
(rulename = "setuid/setgid", severity = $(SIG_HI),  emailto = molloyt )
{
    /bin/su -> $(SEC_SUID);
    /bin/mount -> $(SEC_SUID);
    /bin/umount -> $(SEC_SUID);
    /bin/ping -> $(SEC_SUID);
    /bin/login -> $(SEC_SUID);
    /sbin/pwdb_chkpwd -> $(SEC_SUID);
    /sbin/unix_chkpwd -> $(SEC_SUID);
    /sbin/dump -> $(SEC_SUID);
    /sbin/restore -> $(SEC_SUID);
    /sbin/dump.static -> $(SEC_SUID);
    /sbin/restore.static -> $(SEC_SUID);
    /sbin/cardctl -> $(SEC_SUID);
    /usr/X11R6/bin/Xwrapper -> $(SEC_SUID);
    /usr/X11R6/bin/xterm -> $(SEC_SUID);
    /usr/X11R6/bin/xhextris -> $(SEC_SUID);
    /usr/X11R6/bin/kterm -> $(SEC_SUID);
    /usr/X11R6/bin/XConsole -> $(SEC_SUID);
    /usr/X11R6/bin/xscreensaver -> $(SEC_SUID);
    /usr/X11R6/bin/nxterm -> $(SEC_SUID);
    /usr/bin/at -> $(SEC_SUID);
    /usr/bin/chage -> $(SEC_SUID);
    /usr/bin/gpasswd -> $(SEC_SUID);
    /usr/bin/lpq -> $(SEC_SUID);
    /usr/bin/lpr -> $(SEC_SUID);
    /usr/bin/lprm -> $(SEC_SUID);
    /usr/bin/ct -> $(SEC_SUID);
    /usr/bin/nwsfind -> $(SEC_SUID);
    /usr/bin/passwd -> $(SEC_SUID);
    /usr/bin/procmail -> $(SEC_SUID);
    /usr/bin/rcp -> $(SEC_SUID);
    /usr/bin/rlogin -> $(SEC_SUID);
    /usr/bin/screen -> $(SEC_SUID);
    /usr/bin/chfn -> $(SEC_SUID);
    /usr/bin/chsh -> $(SEC_SUID);
    /usr/bin/newgrp -> $(SEC_SUID);
    /usr/bin/cu -> $(SEC_SUID);
    /usr/bin/uucp -> $(SEC_SUID);
    /usr/bin/uuname -> $(SEC_SUID);
    /usr/bin/uustat -> $(SEC_SUID);
    /usr/bin/uux -> $(SEC_SUID);
    /usr/bin/crontab -> $(SEC_SUID);
    /usr/bin/inndstart -> $(SEC_SUID);
    /usr/bin/rnews -> $(SEC_SUID);
    /usr/bin/startinnfeed -> $(SEC_SUID);
    /usr/bin/suidperl -> $(SEC_SUID);
    /usr/bin/sperl5.00503 -> $(SEC_SUID);
    /usr/bin/rsh -> $(SEC_SUID);
    /usr/libexec/pt_chown -> $(SEC_SUID);
    /usr/kerberos/bin/ksu -> $(SEC_SUID);
    /usr/kerberos/bin/v4rcp -> $(SEC_SUID);
    /usr/bin/ssh -> $(SEC_SUID);
    /usr/sbin/usernetctl -> $(SEC_SUID);
    /usr/sbin/sendmail -> $(SEC_SUID);
    /usr/sbin/traceroute -> $(SEC_SUID);
    /usr/sbin/userhelper -> $(SEC_SUID);
    /usr/sbin/uucico -> $(SEC_SUID);
    /usr/sbin/uuxqt -> $(SEC_SUID);
}

# Temporary directories
(rulename = "Temporary directories", recurse = false, severity = $(SIG_LOW), emailto = 
molloyt )
{
  /usr/tmp                    -> $(SEC_INVARIANT);
  /var/tmp                    -> $(SEC_INVARIANT);
  /tmp                        -> $(SEC_INVARIANT);
  /usr/local/security/etc/tmp          -> $(SEC_INVARIANT);
}

# Local files
(rulename = "User binaries", severity = $(SIG_MED), emailto = molloyt )
{
  /usr/local/bin              -> $(SEC_BIN) (recurse = 1);
  /usr/local/sbin             -> $(SEC_BIN) (recurse = 1);
  /usr/local/security/bin     -> $(SEC_BIN) (recurse = 1);
  /sbin                       -> $(SEC_BIN) (recurse = 1);
  /usr/sbin                   -> $(SEC_BIN) (recurse = 1);
  /usr/bin                    -> $(SEC_BIN) (recurse = 1);
}

(rulename = "Configuration Files", emailto = molloyt )
{
  /etc/hosts                 -> $(SEC_CONFIG);
  /etc/inetd.conf            -> $(SEC_CONFIG);
  /etc/inittab               -> $(SEC_CONFIG);
  /etc/resolv.conf           -> $(SEC_CONFIG);
  /etc/syslog.conf           -> $(SEC_CONFIG);
  /etc/smb.conf              -> $(SEC_CONFIG);
}

(rulename = "Shell Binaries", emailto = molloy )
{
  /bin/bsh            -> $(SEC_BIN);
  /bin/csh            -> $(SEC_BIN);
  /bin/tcsh           -> $(SEC_BIN);
  /bin/ksh            -> $(SEC_BIN);
  /usr/bin/ksh        -> $(SEC_BIN); 
  /bin/bash           -> $(SEC_BIN);
  /bin/bash2          -> $(SEC_BIN);
}

(rulename = "Security Control", emailto = molloyt )
{
  /etc/group                -> $(SEC_CRIT);
  /etc/security/            -> $(SEC_CRIT);
#  /usr/lib/security/        -> $(SEC_CRIT);
#  /var/adm/                 -> $(SEC_CRIT);
#  /var/spool/cron/crontabs  -> $(SEC_CRIT);
}

(rulename = "Boot Scripts", emailto = molloyt )
{
#  /etc/rc                                -> $(SEC_CONFIG);
#  /etc/rc.bsdnet                         -> $(SEC_CONFIG);
#  /etc/rc.dt                             -> $(SEC_CONFIG);
#  /etc/rc.net                            -> $(SEC_CONFIG);
#  /etc/rc.net.serial                     -> $(SEC_CONFIG);
#  /etc/rc.nfs                            -> $(SEC_CONFIG);
#  /etc/rc.powerfail                      -> $(SEC_CONFIG);
#  /etc/rc.tcpip                          -> $(SEC_CONFIG);
#  /etc/trcfmt.Z                          -> $(SEC_CONFIG);
#  /sbin/rc.boot                          -> $(SEC_CONFIG);
#  /usr/lib/Mail.rc                       -> $(SEC_CONFIG);
#  /usr/share/lib/Mail.rc                 -> $(SEC_CONFIG);
   /etc/rc.d/rc.local                   -> $(SEC_CONFIG);

}

(rulename = "Login Scripts", emailto = molloyt )
{
  /etc/csh.cshrc                         -> $(SEC_CONFIG);
  /etc/csh.login                         -> $(SEC_CONFIG);
  /etc/profile                           -> $(SEC_CONFIG);
  /etc/bashrc                            -> $(SEC_CONFIG);
}

# Libraries
(rulename = "Libraries", severity = $(SIG_MED), emailto = molloyt )
{
  !/usr/lib/perl5/man/whatis                          ;
  /usr/lib                               -> $(SEC_BIN);
  /usr/local/lib                         -> $(SEC_BIN);
  /usr/local/security/lib                -> $(SEC_BIN);
  /usr/X11R6/lib                         -> $(SEC_BIN);
  /usr/kerberos/lib                      -> $(SEC_BIN);
  /usr/i486-linux-libc5/lib              -> $(SEC_BIN);
  /usr/lib/gconv                         -> $(SEC_BIN);
  /usr/lib/qt-2.1.0/lib                  -> $(SEC_BIN);
  /usr/lib/qt-1.45/lib                   -> $(SEC_BIN);
}

# These files are critical to a correct system boot.
(rulename = "Critical system boot files", severity = 100, emailto = molloyt )
{
     # the kernel files
     /boot                                 -> $(SEC_CRIT)   ;
     !/boot/System.map                                     ;
     !/boot/module-info                                    ;

     # other boot files may exist.  Look for:
     # /ufsboot                            -> $(SEC_CRIT)   ;
}

# These files change every time the system boots
(rulename = "System boot changes", severity = $(SIG_HI), emailto = molloyt )
{
     /dev/log                              -> $(Dynamic)   ;
     /dev/cua0                             -> $(Dynamic)   ;
     /dev/printer                          -> $(Dynamic)   ;
     /dev/console                          -> $(Dynamic)   ;
     # /dev/tty2                           -> $(Dynamic)   ; # tty devices
     /dev/tty3                             -> $(Dynamic)   ; # are extremely
     /dev/tty4                             -> $(Dynamic)   ; # variable
     /dev/tty5                             -> $(Dynamic)   ;
     /dev/tty6                             -> $(Dynamic)   ;
     /dev/urandom                          -> $(Dynamic)   ;
     /dev/initctl                          -> $(Dynamic)   ;
     /var/lock/subsys                      -> $(Dynamic) (recurse = 0)  ;
#     /var/lock/subsys/random               -> $(Dynamic)   ;
#     /var/lock/subsys/network              -> $(Dynamic)   ;
#     /var/lock/subsys/portmap              -> $(Dynamic)   ;
#     /var/lock/subsys/syslog               -> $(Dynamic)   ;
#     /var/lock/subsys/atd                  -> $(Dynamic)   ;
#     /var/lock/subsys/crond                -> $(Dynamic)   ;
#     /var/lock/subsys/inet                 -> $(Dynamic)   ;
#     /var/lock/subsys/named                -> $(Dynamic)   ;
#     /var/lock/subsys/lpd                  -> $(Dynamic)   ;
#     /var/lock/subsys/nfs                  -> $(Dynamic)   ;
#     /var/lock/subsys/sendmail             -> $(Dynamic)   ;
#     /var/lock/subsys/gpm                  -> $(Dynamic)   ;
#     /var/lock/subsys/httpd                -> $(Dynamic)   ;
#     /var/lock/subsys/sound                -> $(Dynamic)   ;
#     /var/lock/subsys/identd               -> $(Dynamic)   ;
#     /var/lock/subsys/keytable             -> $(Dynamic)   ;
#     /var/lock/subsys/netfs                -> $(Dynamic)   ;
#     /var/lock/subsys/nfslock              -> $(Dynamic)   ;
#     /var/lock/subsys/sshd                 -> $(Dynamic)   ;
#     /var/lock/subsys/xfs                  -> $(Dynamic)   ;
#     /var/lock/subsys/xntpd                -> $(Dynamic)   ;
#     /var/lock/subsys/smb                  -> $(Dynamic)   ;
     /var/run                              -> $(Dynamic)   ; # daemon PIDs
     /var/spool/lpd/lpd.lock               -> $(Dynamic)   ;
     /var/log                              -> $(Dynamic) (recurse = 0)  ;
     /etc/issue.net                        -> $(Dynamic)   ;
     /etc/ioctl.save                       -> $(Dynamic)   ;
     /etc/issue                            -> $(Dynamic)   ;
     /etc/.pwd.lock                        -> $(Dynamic)   ;
     /etc/mtab                             -> $(Dynamic)   ;
     /lib/modules                          -> $(Dynamic)   ;
}

# These files change the behavior of the root account
(rulename = "Root config files", severity = 100, emailto = molloyt )
{
     /.automount                           -> $(SEC_CRIT)   ;
     /root                                 -> $(SEC_CRIT)   ;
     !/root/.netscape                                       ;
     !/root/.bash_history                                   ;
     !/root/.gnome                                      ;
     !/root/.enlightenment                              ;
     /root/Work                         -> $(Dynamic) (recurse = 0)  ;
}

# Critical configuration files
(rulename = "Critical configuration files", severity = $(SIG_HI), emailto = molloyt )
{
     /proc/ksyms                           -> $(Device)   ;
     /proc/loadavg                         -> $(Device)   ;
     /proc/uptime                          -> $(Device)   ;
     /proc/locks                           -> $(Device)   ;
     /proc/version                         -> $(Device)   ;
     /proc/mdstat                          -> $(Device)   ;
     /proc/meminfo                         -> $(Device)   ;
     /proc/cmdline                         -> $(Device)   ;
     /proc/misc                            -> $(Device)   ;
}

# Rest of critical system binaries
(rulename = "OS executables and libraries", severity = $(SIG_HI),  emailto = molloyt )
{
     /bin                                  -> $(ReadOnly)   ;
     /lib                                  -> $(ReadOnly)   ;
}

---------------------------------------------------------------------
Tony Molloy.                 e-mail:  [EMAIL PROTECTED]
Systems Manager.
Dept. of CSIS.               Phone:   +353-61-202778 (DL)
Univ. of Limerick.                    +353-61-333644 ext. 2778
Ireland.                     Fax:     +353-61-202734
---------------------------------------------------------------------



_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list

Reply via email to