
Commit 579df11

author
mooreja
committed
new file: stig_os_scripts/doc/twpol.txt
1 parent 67b0e38 commit 579df11

1 file changed

Lines changed: 358 additions & 0 deletions


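--- a/stig_os_scripts/doc/twpol.txt
+++ b/stig_os_scripts/doc/twpol.txt
@@ -0,0 +1,358 @@
+#
+# Standard Debian Tripwire configuration
+#
+#
+# This configuration covers the contents of all 'Essential: yes'
+# packages along with any packages necessary for access to an internet
+# or system availability, e.g. name services, mail services, PCMCIA
+# support, RAID support, and backup/restore support.
+#
+# This is an updated file. The default with the install has syntax errors
+# and at least two conflicting policies. Both of these cause the tripwire
+# config to fail. This file corrects those errors.
+
+#
+# Global Variable Definitions
+#
+# These definitions override those in to configuration file. Do not
+# change them unless you understand what you're doing.
+#
+
+@@section GLOBAL
+TWBIN = /usr/sbin;
+TWETC = /etc/tripwire;
+TWVAR = /var/lib/tripwire;
+
+#
+# File System Definitions
+#
+@@section FS
+
+#
+# First, some variables to make configuration easier
+#
+SEC_CRIT = $(IgnoreNone)-SHa ; # Critical files that cannot change
+
+SEC_BIN = $(ReadOnly) ; # Binaries that should not change
+
+SEC_CONFIG = $(Dynamic) ; # Config files that are changed
+# infrequently but accessed
+# often
+
+SEC_LOG = $(Growing) ; # Files that grow, but that
+# should never change ownership
+
+SEC_INVARIANT = +tpug ; # Directories that should never
+# change permission or ownership
+
+SIG_LOW = 33 ; # Non-critical files that are of
+# minimal security impact
+
+SIG_MED = 66 ; # Non-critical files that are of
+# significant security impact
+
+SIG_HI = 100 ; # Critical files that are
+# significant points of
+# vulnerability
+
+#
+# Tripwire Binaries
+#
+(
+rulename = "Tripwire Binaries",
+severity = $(SIG_HI),
+emailto = rogue
+)
+{
+$(TWBIN)/siggen -> $(SEC_BIN) ;
+$(TWBIN)/tripwire -> $(SEC_BIN) ;
+$(TWBIN)/twadmin -> $(SEC_BIN) ;
+$(TWBIN)/twprint -> $(SEC_BIN) ;
+}
+
+#
+# Tripwire Data Files - Configuration Files, Policy Files, Keys,
+# Reports, Databases
+#
+
+# NOTE: We remove the inode attribute because when Tripwire creates a
+# backup, it does so by renaming the old file and creating a new one
+# (which will have a new inode number). Inode is left turned on for
+# keys, which shouldn't ever change.
+
+# NOTE: The first integrity check triggers this rule and each
+# integrity check afterward triggers this rule until a database update
+# is run, since the database file does not exist before that point.
+(
+rulename = "Tripwire Data Files",
+severity = $(SIG_HI),
+emailto = rogue
+)
+{
+$(TWVAR)/$(HOSTNAME).twd -> $(SEC_CONFIG) -i ;
+$(TWETC)/tw.pol -> $(SEC_BIN) -i ;
+$(TWETC)/tw.cfg -> $(SEC_BIN) -i ;
+$(TWETC)/$(HOSTNAME)-local.key -> $(SEC_BIN) ;
+$(TWETC)/site.key -> $(SEC_BIN) ;
+
+#don't scan the individual reports
+$(TWVAR)/report -> $(SEC_CONFIG) (recurse=0) ;
+}
+
+#
+# Critical System Boot Files
+# These files are critical to a correct system boot.
+#
+(
+rulename = "Critical system boot files",
+severity = $(SIG_HI),
+emailto = rogue
+)
+{
+/boot -> $(SEC_CRIT) ;
+/lib/modules -> $(SEC_CRIT) ;
+}
+
+(
+rulename = "Boot Scripts",
+severity = $(SIG_HI),
+emailto = rogue
+)
+{
+/etc/init.d -> $(SEC_BIN) ;
+/etc/rc.boot -> $(SEC_BIN) ;
+/etc/rcS.d -> $(SEC_BIN) ;
+/etc/rc0.d -> $(SEC_BIN) ;
+/etc/rc1.d -> $(SEC_BIN) ;
+/etc/rc2.d -> $(SEC_BIN) ;
+/etc/rc3.d -> $(SEC_BIN) ;
+/etc/rc4.d -> $(SEC_BIN) ;
+/etc/rc5.d -> $(SEC_BIN) ;
+/etc/rc6.d -> $(SEC_BIN) ;
+}
+
+
+#
+# Critical executables
+#
+(
+rulename = "Root file-system executables",
+severity = $(SIG_HI),
+emailto = rogue
+)
+{
+/bin -> $(SEC_BIN) ;
+/sbin -> $(SEC_BIN) ;
+}
+
+#
+# Critical Libraries
+#
+(
+rulename = "Root file-system libraries",
+severity = $(SIG_HI),
+emailto = rogue
+)
+{
+/lib -> $(SEC_BIN) ;
+}
+
+
+#
+# Login and Privilege Raising Programs
+#
+(
+rulename = "Security Control",
+severity = $(SIG_MED),
+emailto = rogue
+)
+{
+/etc/passwd -> $(SEC_CONFIG) ;
+/etc/shadow -> $(SEC_CONFIG) ;
+}
+
+
+
+
+#
+# These files change every time the system boots
+#
+(
+rulename = "System boot changes",
+severity = $(SIG_HI),
+emailto = rogue
+)
+{
+/var/lock -> $(SEC_CONFIG) ;
+/var/run -> $(SEC_CONFIG) ; # daemon PIDs
+/var/log -> $(SEC_CONFIG) ;
+}
+
+# These files change the behavior of the root account
+(
+rulename = "Root config files",
+severity = 100,
+emailto = rogue
+)
+{
+/root -> $(SEC_CRIT) ; # Catch all additions to /root
+/root/mail -> $(SEC_CONFIG) ;
+/root/Mail -> $(SEC_CONFIG) ;
+/root/.xsession-errors -> $(SEC_CONFIG) ;
+/root/.xauth -> $(SEC_CONFIG) ;
+/root/.tcshrc -> $(SEC_CONFIG) ;
+/root/.sawfish -> $(SEC_CONFIG) ;
+/root/.pinerc -> $(SEC_CONFIG) ;
+/root/.mc -> $(SEC_CONFIG) ;
+/root/.gnome_private -> $(SEC_CONFIG) ;
+/root/.gnome-desktop -> $(SEC_CONFIG) ;
+/root/.gnome -> $(SEC_CONFIG) ;
+/root/.esd_auth -> $(SEC_CONFIG) ;
+/root/.elm -> $(SEC_CONFIG) ;
+/root/.cshrc -> $(SEC_CONFIG) ;
+/root/.bashrc -> $(SEC_CONFIG) ;
+/root/.bash_profile -> $(SEC_CONFIG) ;
+/root/.bash_logout -> $(SEC_CONFIG) ;
+/root/.bash_history -> $(SEC_CONFIG) ;
+/root/.amandahosts -> $(SEC_CONFIG) ;
+/root/.addressbook.lu -> $(SEC_CONFIG) ;
+/root/.addressbook -> $(SEC_CONFIG) ;
+/root/.Xresources -> $(SEC_CONFIG) ;
+/root/.Xauthority -> $(SEC_CONFIG) -i ; # Changes Inode number on login
+/root/.ICEauthority -> $(SEC_CONFIG) ;
+}
+
+#
+# Critical devices
+#
+(
+rulename = "Devices & Kernel information",
+severity = $(SIG_HI),
+emailto = rogue
+)
+{
+/dev -> $(Device) ;
+/proc -> $(Device) ;
+}
+
+#
+# Other configuration files
+#
+(
+rulename = "Other configuration files",
+severity = $(SIG_MED),
+emailto = rogue
+)
+{
+/etc -> $(SEC_BIN) ;
+}
+
+#
+# Binaries
+#
+(
+rulename = "Other binaries",
+severity = $(SIG_MED),
+emailto = rogue
+)
+{
+/usr/local/sbin -> $(SEC_BIN) ;
+/usr/local/bin -> $(SEC_BIN) ;
+/usr/sbin -> $(SEC_BIN) ;
+/usr/bin -> $(SEC_BIN) ;
+}
+
+#
+# Libraries
+#
+(
+rulename = "Other libraries",
+severity = $(SIG_MED),
+emailto = rogue
+)
+{
+/usr/local/lib -> $(SEC_BIN) ;
+/usr/lib -> $(SEC_BIN) ;
+}
+
+#
+# Commonly accessed directories that should remain static with regards
+# to owner and group
+#
+(
+rulename = "Invariant Directories",
+severity = $(SIG_MED),
+emailto = rogue
+)
+{
+/ -> $(SEC_INVARIANT) (recurse = 0) ;
+/home -> $(SEC_INVARIANT) (recurse = 0) ;
+/tmp -> $(SEC_INVARIANT) (recurse = 0) ;
+/usr -> $(SEC_INVARIANT) (recurse = 0) ;
+/var -> $(SEC_INVARIANT) (recurse = 0) ;
+/var/tmp -> $(SEC_INVARIANT) (recurse = 0) ;
+}
+
+#
+# SUID files
+#
+(
+rulename = "SUID Files",
+severity = $(SIG_HI),
+emailto = rogue
+)
+{
+/bin/ping -> $(SEC_BIN) ;
+/bin/su -> $(SEC_BIN) ;
+/bin/ping6 -> $(SEC_BIN) ;
+/bin/umount -> $(SEC_BIN) ;
+/bin/mount -> $(SEC_BIN) ;
+/bin/fusermount -> $(SEC_BIN) ;
+/usr/bin/passwd -> $(SEC_BIN) ;
+/usr/bin/newgrp -> $(SEC_BIN) ;
+/usr/bin/traceroute6.iputils -> $(SEC_BIN) ;
+/usr/bin/sudoedit -> $(SEC_BIN) ;
+/usr/bin/sudo -> $(SEC_BIN) ;
+/usr/bin/chfn -> $(SEC_BIN) ;
+/usr/bin/chsh -> $(SEC_BIN) ;
+/usr/bin/gpasswd -> $(SEC_BIN) ;
+/usr/bin/mtr -> $(SEC_BIN) ;
+/usr/bin/at -> $(SEC_BIN) ;
+/usr/lib/authbind/helper -> $(SEC_BIN) ;
+/usr/lib/dbus-1.0/dbus-daemon-launch-helper -> $(SEC_BIN) ;
+/usr/lib/openssh/ssh-keysign -> $(SEC_BIN) ;
+/usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper -> $(SEC_BIN) ;
+/usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper -> $(SEC_BIN) ;
+/usr/lib/pt_chown -> $(SEC_BIN) ;
+/usr/lib/eject/dmcrypt-get-device -> $(SEC_BIN) ;
+/usr/sbin/uuidd -> $(SEC_BIN) ;
+/usr/sbin/pppd -> $(SEC_BIN) ;
+}
+
+#
+# SGID files
+#
+(
+rulename = "SGID Files",
+severity = $(SIG_HI),
+emailto = rogue
+)
+{
+/usr/bin/mail-unlock -> $(SEC_BIN) ;
+/usr/bin/bsd-write -> $(SEC_BIN) ;
+/usr/bin/chage -> $(SEC_BIN) ;
+/usr/bin/crontab -> $(SEC_BIN) ;
+/usr/bin/ssh-agent -> $(SEC_BIN) ;
+/usr/bin/mail-lock -> $(SEC_BIN) ;
+/usr/bin/mlocate -> $(SEC_BIN) ;
+/usr/bin/expiry -> $(SEC_BIN) ;
+/usr/bin/mail-touchlock -> $(SEC_BIN) ;
+/usr/bin/dotlockfile -> $(SEC_BIN) ;
+/usr/bin/wall -> $(SEC_BIN) ;
+/usr/sbin/postdrop -> $(SEC_BIN) ;
+/usr/sbin/postqueue -> $(SEC_BIN) ;
+/sbin/unix_chkpwd -> $(SEC_BIN) ;
+}
+
+# /usr/bin/at -> $(SEC_BIN) ;
+# /usr/sbin/uuidd -> $(SEC_BIN) ;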
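Review bot: In the "Security Control" rule (new-file lines 170–171), `/etc/passwd` and `/etc/shadow` are mapped to `$(SEC_CONFIG)`, which this file defines as `$(Dynamic)`; if that mask carries Tripwire's stock meaning (`+pinugtd-srlbamcCMSH`) it ignores size, mtime and every hash, so an added account or a swapped password hash would go unreported and only permission, owner or inode changes would be flagged. As far as I recall the more specific object rule takes precedence over the recursive `/etc -> $(SEC_BIN)` entry, so these two files end up checked less strictly than the rest of `/etc`, and the rule's severity is only `$(SIG_MED)` besides. Consider `/etc/passwd -> $(SEC_BIN) -i ;` and `/etc/shadow -> $(SEC_BIN) -i ;` (dropping inode, as the Tripwire data-file rule already does, tolerates the rename-in-place that `passwd`/`vipw` perform) and `severity = $(SIG_HI),` for the rule. The two commented-out lines at the end of the file repeat `/usr/bin/at` and `/usr/sbin/uuidd`, which are already live in the SUID rule, and can be deleted to avoid confusion about which entry is authoritative.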
