rpms/tripwire/devel License-Issues, 1.3, 1.4 README.Fedora.in, NONE, 1.1 tripwire-2.4.0.1-gcc4.patch, NONE, 1.1 tripwire-setup-keyfiles.in, 1.2, 1.3 tripwire-siggen-man8.patch, 1.2, 1.3 tripwire.cron.in, 1.2, 1.3 tripwire.gif, 1.2, 1.3 tripwire.txt, 1.2, 1.3 twcfg.txt.in, 1.2, 1.3 twpol.txt.in, 1.3, 1.4 .cvsignore, 1.4, 1.5 sources, 1.4, 1.5 import.log, 1.1, NONE

Brandon Holbrook (static) fedora-extras-commits at redhat.com
Fri Dec 22 04:48:26 UTC 2006


Author: static

Update of /cvs/extras/rpms/tripwire/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv22337/devel

Modified Files:
	.cvsignore sources 
Added Files:
	License-Issues README.Fedora.in tripwire-2.4.0.1-gcc4.patch 
	tripwire-setup-keyfiles.in tripwire-siggen-man8.patch 
	tripwire.cron.in tripwire.gif tripwire.txt twcfg.txt.in 
	twpol.txt.in 
Removed Files:
	import.log 
Log Message:
auto-import tripwire-2.4.0.1-4 on branch devel from tripwire-2.4.0.1-4.src.rpm


Index: License-Issues
===================================================================
RCS file: License-Issues
diff -N License-Issues
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ License-Issues	22 Dec 2006 04:47:55 -0000	1.4
@@ -0,0 +1,66 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
+Update 19 Feb 2004:
+
+The following issues are soon to disappear, since:
+
+	1) There are now cleaner upstream sources to work with (Debian)
+	2) I'm working towards ditching Crypto++ altogether
+
+######
+
+There seems to be some speculation as  to  the  legal  status  of  this
+software.
+
+The problem seems to stem from patents, copyrights and licenses in  the
+Crypto++ distribution, by Wei Dei.
+
+For more information on the exact issues, please refer to the following
+URL:
+
+http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=153007
+
+The situation with the Fedora release is not as complex however,  since
+many of the questionable components are not included, specifically:
+
+The following are not in the archive, so there is no issue:
+src/cryptlib/idea.cpp
+src/cryptlib/haval.cpp
+src/cryptlib/mars.cpp
+src/cryptlib/serpent.cpp
+src/cryptlib/md5.cpp
+src/cryptlib/md5mac.cpp
+src/cryptlib/cast.cpp
+
+The following are copyrighted, but have no license:
+src/cryptlib/zbits.cpp
+src/cryptlib/ztrees.cpp
+src/cryptlib/zdeflate.cpp
+src/cryptlib/sha.cpp ?
+
+With regards to those last four files, Stephen Zander <gibreel[AT]pobox
+.com> is apparently going to approach Wei Dei with regards clearing  up
+the "no license" issues. However, I  don't  think  this  is  a  "fatal"
+problem at this stage. Hopefully this  will  include  clearing  up  the
+implications of section 2 of src/cryptlib/license.txt, which reads:
+
+"2. Users of the software included in this  compilation  agree  to  use
+their best efforts to provide Wei Dai with any modifications containing
+improvements or extensions  and  hereby  grant  Wei  Dai  a  perpetual,
+royalty-free license to use and distribute such modifications under the
+terms of this license."
+
+I'm no  GPL/OSS  expert,  but  there  are  some  who  believe  this  is
+incompatible with the GPL. Discussions are ongoing, and I will continue
+to update this file in future releases with any news.
+
+Keith G. Robertson-Turner <tripwire-devel[AT]genesis-x.nildram.co.uk>
+
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.2.3 (GNU/Linux)
+
+iD8DBQFANEDN2XoLj+pGfn8RArdFAJ0edxT3u8DmWJEOpQ7eSFcFd17cXACfVH5I
+PKV00HlQoZBBfbrq8//6pd8=
+=HlLR
+-----END PGP SIGNATURE-----
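Review bot: the Crypto++ author's name is spelled "Wei Dei" in the body (the "distribution, by Wei Dei" and "approach Wei Dei" lines) but "Wei Dai" in the quoted section 2 of license.txt; use one spelling throughout. The text also refers to "those last four files" while the fourth entry, src/cryptlib/sha.cpp, carries a "?", so state whether that file is confirmed or not. Because the file is a PGP clearsigned message, any correction needs a fresh signature, and the "Update 19 Feb 2004" banner should say whether the issues it calls "soon to disappear" still apply to the 2.4.0.1 sources imported here.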


--- NEW FILE README.Fedora.in ---

After installing this package, you should run:

	@sbindir@/tripwire-setup-keyfiles 

to generate cryptographic keys, and "tripwire --init" to initialize the
database Tripwire uses. This must be done manually because the key used
to sign the database should be different for each system.


tripwire-2.4.0.1-gcc4.patch:

--- NEW FILE tripwire-2.4.0.1-gcc4.patch ---
--- ./src/fco/fcosetimpl.h.orig 2005-12-14 06:18:01.000000000 -0600
+++ ./src/fco/fcosetimpl.h 2005-12-14 06:18:01.000000000 -0600
@@ -46,6 +46,8 @@
 #include "fconame.h"
 #endif
 
+class cFCOIterImpl;
+
 class cFCOSetImpl : public iFCOSet
 {
 	friend class cFCOIterImpl;
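Review bot: the forward declaration `class cFCOIterImpl;` added ahead of `friend class cFCOIterImpl;` carries no comment, and the patch file has no header, so nothing records why it is needed. Add a short description at the top of the patch (the file name suggests a GCC 4 build fix) so that this and the two other forward declarations in the patch can later be dropped or sent upstream with context.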
--- ./src/fco/fconame.h.orig 2005-12-14 06:18:01.000000000 -0600
+++ ./src/fco/fconame.h 2005-12-14 06:18:01.000000000 -0600
@@ -49,6 +49,7 @@
 ///////////////////////////////////////////////////////////////////////////////
 class cFCONameTblNode;
 class cFCONameIter;
+class cFCOName_i;
 
 class cFCOName : public iTypedSerializable
 {
--- ./src/tw/fcoreport.h.orig 2005-12-14 06:18:01.000000000 -0600
+++ ./src/tw/fcoreport.h 2005-12-14 06:21:41.000000000 -0600
@@ -85,6 +85,7 @@
 class cFileHeaderID;
 class cErrorQueue;
 class cFCOReportGenreHeader;
+class cFCOReportSpecIter;
 
 class cFCOReport : public iTypedSerializable
 {


Index: tripwire-setup-keyfiles.in
===================================================================
RCS file: tripwire-setup-keyfiles.in
diff -N tripwire-setup-keyfiles.in
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ tripwire-setup-keyfiles.in	22 Dec 2006 04:47:55 -0000	1.3
@@ -0,0 +1,329 @@
+#!/bin/sh
+
+########################################################################
+########################################################################
+##
+## Tripwire(R) 2.3 for LINUX(R) Post-RPM installation script
+##
+## Copyleft information contained in footer
+##
+########################################################################
+########################################################################
+
+##=======================================================
+## Setup
+##=======================================================
+
+# We can assume all the correct tools are in place because the
+# RPM installed, didn't it?
+
+##-------------------------------------------------------
+## Set HOST_NAME variable
+##-------------------------------------------------------
+HOST_NAME='localhost'
+if uname -n > /dev/null 2> /dev/null ; then
+	HOST_NAME=`uname -n`
+fi
+
+##-------------------------------------------------------
+## Program variables - edited by RPM during initial install
+##-------------------------------------------------------
+
+# Site Passphrase variable
+TW_SITE_PASS=""
+
+# Complete path to site key
+SITE_KEY="@sysconfdir@/tripwire/site.key"
+
+# Local Passphrase variable
+TW_LOCAL_PASS=""
+
+# Complete path to local key
+LOCAL_KEY="@sysconfdir@/tripwire/${HOST_NAME}-local.key"
+
+# If clobber==true, overwrite files; if false, do not overwrite files.
+CLOBBER="false"
+
+# If prompt==true, ask for confirmation before continuing with install.
+PROMPT="true"
+
+# Name of twadmin executeable
+TWADMIN="twadmin"
+
+# Path to twadmin executeable
+TWADMPATH=@sbindir@
+
+# Path to configuration directory
+CONF_PATH="@sysconfdir@/tripwire"
+
+# Name of clear text policy file
+TXT_POL=$CONF_PATH/twpol.txt
+
+# Name of clear text configuration file
+TXT_CFG=$CONF_PATH/twcfg.txt
+
+# Name of encrypted configuration file
+CONFIG_FILE=$CONF_PATH/tw.cfg
+
+# Path of the final Tripwire policy file (signed)
+SIGNED_POL=`grep POLFILE $TXT_CFG | sed -e 's/^.*=\(.*\)/\1/'`
+
+
+##=======================================================
+## Create Key Files
+##=======================================================
+
+##-------------------------------------------------------
+## If user has to enter a passphrase, give some
+## advice about what is appropriate.
+##-------------------------------------------------------
+
+if [ -z "$TW_SITE_PASS" ] || [ -z "$TW_LOCAL_PASS" ]; then
+cat << END_OF_TEXT
+
+----------------------------------------------
+The Tripwire site and local passphrases are used to sign a  variety  of
+files, such as the configuration, policy, and database files.
+
+Passphrases should be at least 8 characters in length and contain  both
+letters and numbers.
+
+See the Tripwire manual for more information.
+END_OF_TEXT
+fi
+
+##=======================================================
+## Generate keys.
+##=======================================================
+
+echo
+echo "----------------------------------------------"
+echo "Creating key files..."
+
+##-------------------------------------------------------
+## Site key file.
+##-------------------------------------------------------
+
+# If clobber is true, and prompting is off (unattended operation)
+# and the key file already exists, remove it.  Otherwise twadmin
+# will prompt with an "are you sure?" message.
+
+if [ "$CLOBBER" = "true" ] && [ "$PROMPT" = "false" ] && [ -f "$SITE_KEY" ] ; then
+        rm -f "$SITE_KEY"
+fi
+
+if [ -f "$SITE_KEY" ] && [ "$CLOBBER" = "false" ] ; then
+	echo "The site key file \"$SITE_KEY\""
+	echo 'exists and will not be overwritten.'
+else
+	cmdargs="--generate-keys --site-keyfile \"$SITE_KEY\""
+	if [ -n "$TW_SITE_PASS" ] ; then
+		cmdargs="$cmdargs --site-passphrase \"$TW_SITE_PASS\""
+     	fi
+	eval "\"$TWADMPATH/$TWADMIN\" $cmdargs"
+	if [ $? -ne 0 ] ; then
+		echo "Error: site key generation failed"
+		exit 1
+        else chmod 640 "$SITE_KEY"
+	fi
+fi
+
+##-------------------------------------------------------
+## Local key file.
+##-------------------------------------------------------
+
+# If clobber is true, and prompting is off (unattended operation)
+# and the key file already exists, remove it.  Otherwise twadmin
+# will prompt with an "are you sure?" message.
+
+if [ "$CLOBBER" = "true" ] && [ "$PROMPT" = "false" ] && [ -f "$LOCAL_KEY" ] ; then
+        rm -f "$LOCAL_KEY"
+fi
+
+if [ -f "$LOCAL_KEY" ] && [ "$CLOBBER" = "false" ] ; then
+	echo "The local key file \"$LOCAL_KEY\""
+	echo 'exists and will not be overwritten.'
+else
+	cmdargs="--generate-keys --local-keyfile \"$LOCAL_KEY\""
+	if [ -n "$TW_LOCAL_PASS" ] ; then
+		cmdargs="$cmdargs --local-passphrase \"$TW_LOCAL_PASS\""
+        fi
+	eval "\"$TWADMPATH/$TWADMIN\" $cmdargs"
+	if [ $? -ne 0 ] ; then
+		echo "Error: local key generation failed"
+		exit 1
+        else chmod 640 "$LOCAL_KEY"
+	fi
+fi
+
+##=======================================================
+## Sign the Configuration File
+##=======================================================
+
+echo
+echo "----------------------------------------------"
+echo "Signing configuration file..."
+
+##-------------------------------------------------------
+## If noclobber, then backup any existing config file.
+##-------------------------------------------------------
+
+if [ "$CLOBBER" = "false" ] && [ -s "$CONFIG_FILE" ] ; then
+	backup="${CONFIG_FILE}.$$.bak"
+	echo "Backing up $CONFIG_FILE"
+	echo "        to $backup"
+	`mv "$CONFIG_FILE" "$backup"`
+	if [ $? -ne 0 ] ; then
+		echo "Error: backup of configuration file failed."
+		exit 1
+	fi
+fi
+
+##-------------------------------------------------------
+## Build command line.
+##-------------------------------------------------------
+
+cmdargs="--create-cfgfile"
+cmdargs="$cmdargs --cfgfile \"$CONFIG_FILE\""
+cmdargs="$cmdargs --site-keyfile \"$SITE_KEY\""
+if [ -n "$TW_SITE_PASS" ] ; then
+	cmdargs="$cmdargs --site-passphrase \"$TW_SITE_PASS\""
+fi
+
+##-------------------------------------------------------
+## Sign the file.
+##-------------------------------------------------------
+
+eval "\"$TWADMPATH/$TWADMIN\" $cmdargs \"$TXT_CFG\""
+if [ $? -ne 0 ] ; then
+	echo "Error: signing of configuration file failed."
+	exit 1
+fi
+
+# Set the rights properly
+chmod 640 "$CONFIG_FILE"
+
+##-------------------------------------------------------
+## We keep the cleartext version around.
+##-------------------------------------------------------
+
+cat << END_OF_TEXT
+
+A clear-text version of the Tripwire configuration file:
+$TXT_CFG
+has been preserved for your inspection.  It  is  recommended  that  you
+move this file to a secure location and/or encrypt it in place (using a
+tool such as GPG, for example) after you have examined it.
+
+END_OF_TEXT
+
+##=======================================================
+## Sign tripwire policy file.
+##=======================================================
+
+echo
+echo "----------------------------------------------"
+echo "Signing policy file..."
+
+##-------------------------------------------------------
+## If noclobber, then backup any existing policy file.
+##-------------------------------------------------------
+
+if [ "$CLOBBER" = "false" ] && [ -s "$POLICY_FILE" ] ; then
+	backup="${POLICY_FILE}.$$.bak"
+	echo "Backing up $POLICY_FILE"
+	echo "        to $backup"
+	mv "$POLICY_FILE" "$backup"
+	if [ $? -ne 0 ] ; then
+		echo "Error: backup of policy file failed."
+		exit 1
+	fi
+fi
+
+##-------------------------------------------------------
+## Build command line.
+##-------------------------------------------------------
+
+cmdargs="--create-polfile"
+cmdargs="$cmdargs --cfgfile \"$CONFIG_FILE\""
+cmdargs="$cmdargs --site-keyfile \"$SITE_KEY\""
+if [ -n "$TW_SITE_PASS" ] ; then
+	cmdargs="$cmdargs --site-passphrase \"$TW_SITE_PASS\""
+fi
+
+##-------------------------------------------------------
+## Sign the file.
+##-------------------------------------------------------
+
+eval "\"$TWADMPATH/$TWADMIN\" $cmdargs \"$TXT_POL\""
+if [ $? -ne 0 ] ; then
+	echo "Error: signing of policy file failed."
+	exit 1
+fi
+
+# Set the proper rights on the newly signed policy file.
+chmod 0640 "$SIGNED_POL"
+
+##-------------------------------------------------------
+## We keep the cleartext version around.
+##-------------------------------------------------------
+
+cat << END_OF_TEXT
+
+A clear-text version of the Tripwire policy file:
+$TXT_POL
+has been preserved for  your  inspection.  This  implements  a  minimal
+policy, intended only to test  essential  Tripwire  functionality.  You
+should edit the policy file to  describe  your  system,  and  then  use
+twadmin to generate a new signed copy of the Tripwire policy.
+
+Once you have a satisfactory Tripwire policy file, you should move  the
+clear-text version to a secure location  and/or  encrypt  it  in  place
+(using a tool such as GPG, for example).
+
+Now run "tripwire --init" to enter Database Initialization  Mode.  This
+reads the policy file, generates a database based on its contents,  and
+then cryptographically signs the resulting  database.  Options  can  be
+entered on the command line to specify which policy, configuration, and
+key files are used  to  create  the  database.  The  filename  for  the
+database can be specified as well. If no  options  are  specified,  the
+default values from the current configuration file are used.
+
+END_OF_TEXT
+
+exit 0
+
+########################################################################
+########################################################################
+#
+#                        TRIPWIRE GPL NOTICES
+#
+# The developer of the original code and/or files is Tripwire, Inc.
+# Portions created by Tripwire, Inc. are copyright 2000 Tripwire, Inc.
+# Tripwire is a registered trademark of Tripwire, Inc.  All rights reserved.
+#
+# This program is free software.  The contents of this file are subject to
+# the terms of the GNU General Public License as published by the Free
+# Software Foundation; either version 2 of the License, or (at your option)
+# any later version.  You may redistribute it and/or modify it only in
+# compliance with the GNU General Public License.
+#
+# This program is distributed in the hope that it will be useful.  However,
+# this program is distributed "AS-IS" WITHOUT ANY WARRANTY; INCLUDING THE
+# IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+# Please see the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+#
+# Nothing in the GNU General Public License or any other license to use the
+# code or files shall permit you to use Tripwire's trademarks,
+# service marks, or other intellectual property without Tripwire's
+# prior written consent.
+#
+# If you have any questions, please contact Tripwire, Inc. at either
+# info at tripwire.org or www.tripwire.org.
+#
+########################################################################
+########################################################################
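Review bot: the policy backup block tests `[ -s "$POLICY_FILE" ]`, but `POLICY_FILE` is never assigned anywhere in the script (the signed policy path is held in `SIGNED_POL`), so the test is always false and an existing policy file is never backed up before the new one is signed; use `$SIGNED_POL` in that block. Separately, when `TW_SITE_PASS` or `TW_LOCAL_PASS` is set, the passphrase is spliced into `cmdargs` and run through `eval`, so a passphrase containing `"`, `$` or a backquote is reinterpreted by the shell, and passing it as `--site-passphrase` / `--local-passphrase` puts it on the twadmin command line where the process list shows it; build the argument list without `eval` and prefer the interactive twadmin prompt. The configuration backup also wraps `mv` in backquotes, which the otherwise identical policy backup does not; drop them.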

tripwire-siggen-man8.patch:

Index: tripwire-siggen-man8.patch
===================================================================
RCS file: tripwire-siggen-man8.patch
diff -N tripwire-siggen-man8.patch
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ tripwire-siggen-man8.patch	22 Dec 2006 04:47:55 -0000	1.3
@@ -0,0 +1,47 @@
+diff -Nur tripwire-2.3.1-2/man/man8/siggen.8 tripwire-2.3.1-2.new/man/man8/siggen.8
+--- tripwire-2.3.1-2/man/man8/siggen.8	2001-03-04 00:30:29.000000000 +0000
++++ tripwire-2.3.1-2.new/man/man8/siggen.8	2004-02-19 01:18:43.000000000 +0000
+@@ -2,28 +2,25 @@
+ .\" Do not move or remove previous line.
+ .\" Used by some man commands to know that tbl should be used.
+ .nh
+-.TH SIGGEN 8 "1 July 2000"
++.TH SIGGEN 8 "19 Feb 2004"
+ .SH NAME
+ siggen \- signature gathering routine for Tripwire
+ .SH SYNOPSIS
+ .B siggen
+-.RI "[ " "options..." " ]"
+-.IR file1 " [ " "file2..." " ] "
+-
+-.I Options:
+-.RS +0.5i
+-.TS
+-;
+-lbw(0.8i) lb.
+--t	--terse
+--h	--hexadecimal
+--a	--all
+--C	--CRC32
+--M	--MD5
+--S	--SHA
+--H	--HAVAL
+-.TE
+-.RE
++[
++.BR -t | --terse
++] [
++.BR -h | --hexadecimal
++] [
++.BR -a | --all
++] [
++.BR -C | --CRC32
++] [
++.BR -S | --SHA
++] [
++.BR -h | --HAVAL
++]
++.IR file1 ,,,
+ .SH DESCRIPTION
+ .PP
+ \fBsiggen\fP is a utility that displays the hash function values 
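Review bot: the new synopsis lists `.BR -h | --HAVAL`, which reuses the `-h` already given to `--hexadecimal`; the table being removed had `-H --HAVAL`. Correct the letter, or drop the HAVAL entry the same way `-M --MD5` was dropped, since License-Issues in this commit lists both haval.cpp and md5.cpp as not in the archive. The last added line, `.IR file1 ,,,`, looks like a typo for an ellipsis and loses the optional `file2...` of the old synopsis.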


Index: tripwire.cron.in
===================================================================
RCS file: tripwire.cron.in
diff -N tripwire.cron.in
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ tripwire.cron.in	22 Dec 2006 04:47:55 -0000	1.3
@@ -0,0 +1,8 @@
+#!/bin/sh
+HOST_NAME=`uname -n`
+if [ ! -e @vardir@/lib/tripwire/${HOST_NAME}.twd ] ; then
+	echo "****    Error: Tripwire database for ${HOST_NAME} not found.    ****"
+	echo "**** Run "@sysconfdir@/tripwire/twinstall.sh" and/or "tripwire --init". ****"
+else
+        test -f @sysconfdir@/tripwire/tw.cfg &&  @sbindir@/tripwire --check
+fi
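Review bot: the error message tells the administrator to run `@sysconfdir@/tripwire/twinstall.sh`, but the script added in this commit is `tripwire-setup-keyfiles` (README.Fedora.in points to `@sbindir@/tripwire-setup-keyfiles`); update the message to name it. The double quotes nested inside that `echo` string close and reopen it, so the quotation marks are not printed; use single quotes inside or escape them. In the else branch a missing `tw.cfg` makes `test -f` fail quietly, so no check runs and no message is printed; report that case as well.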


Index: tripwire.txt
===================================================================
RCS file: tripwire.txt
diff -N tripwire.txt
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ tripwire.txt	22 Dec 2006 04:47:55 -0000	1.3
@@ -0,0 +1,82 @@
+Introduction
+Tripwire v2.4 software ensures the integrity of critical system files and directories by identifying all changes made to specified system files and directories. Configure Tripwire software to monitor your system in the way that is best for you. 
+
+Tripwire software works by comparing files and directories against a baseline. It generates the baseline by taking a "snapshot" of specified files and directories in a known secure state. Tripwire software then compares the current system against the baseline and reports any modifications, additions, or deletions. Use Tripwire software for system security, intrusion detection, damage assessment, and recovery forensics.
+
+To install Tripwire v2.4
+1. Locate the RPM directory on the CD.
+2. Locate the Tripwire RPM.
+3. Type    rpm -i "name"
+4. After installing the Tripwire binary RPM, follow these Post-Installation instructions.
+5. We recommend you read the Release Notes and README file. 
+
+Post-Installation Instructions
+The Tripwire binary RPM installs the basic program files needed to run the software. However, this installation does not complete custom configurations that Tripwire 2.4 needs to perform correctly. After you unpack the RPM, you must:
+1. Run the configuration script: /etc/tripwire/twinstall.sh to sign these files. This script walks you through the processes of setting passphrases and signing the Tripwire policy and configuration files. 
+Note: Once encoded and signed, the configuration file should not be renamed or moved.
+2. Initialize the Tripwire database file. (/usr/sbin/tripwire--init)
+3. Run the first integrity check. (/usr/sbin/tripwire--check)
+4. Edit the configuration file (twcfg.txt) with a text editor, if desired.
+5. Edit the policy file (twpol.txt) with a text editor, if desired.
+
+Note: If you plan to modify the policy file, we recommend you do so before running the configuration script. If you modify the policy file after running the configuration script, you must re-run the configuration file before initializing the database file. 
+
+Modifying the Policy File
+You can specify how Tripwire software checks your system in the Tripwire policy file (twpol.txt). A default policy file is included in the Tripwire software installation. We recommend you tailor this policy file to fit your particular system. Tailoring the policy file greatly increases Tripwire software's ability to ensure the integrity of your system. 
+
+Locate the default policy file at  /etc/tripwire/twpol.txt. An example policy file (located at   /usr/doc/tripwire-VER#-REL#/policyguide.txt) is included to help you learn the policy language. Read the sample policy file and the comments in the sample policy file to learn the policy language. 
+
+After you modify the policy file, follow the Post-Installation Instructions (run the configuration script). This script signs the modified policy file and renames it to tw.pol. This is the active policy file that runs as part of the Tripwire software. 
+
+Selecting Passphrases
+Tripwire files are signed or encrypted using site or local keys. These keys are protected by passphrases. When selecting passphrases, the following recommendations apply:
+Use at least eight alphanumeric and symbolic characters for each passphrase. The maximum length of a passphrase is 1023 characters. Quotes should not be used as passphrase characters.
+
+Assign a unique passphrase for the site key. The site key passphrase protects the site key, which is used to sign Tripwire software configuration and policy files. Assign a unique passphrase for the local key. The local key signs Tripwire database files. The local key may sign the Tripwire report files also. 
+
+Store the passphrases in a secure location. There is no way to remove encryption from a signed file if you forget your passphrase. If you forget the passphrases, the files are unusable. In that case you must reinitialize the baseline database.
+
+Initializing the Database 
+In Database Initialization mode, Tripwire software builds a database of filesystem objects based on the rules in the policy file. This database serves as the baseline for integrity checks. The syntax for Database Initialization mode is:
+tripwire  --init 
+
+Running an Integrity Check
+The Integrity Check mode compares the current file system objects with their properties recorded in the Tripwire database. Violations are printed to stdout. The report file is saved and can later be accessed by twprint. An email option enables you to send email. The syntax for Integrity Check mode is:
+tripwire --check 
+
+Printing Reports - twprint Print Report Mode
+The twprint --print-report mode prints the contents of a Tripwire report. If you do not specify a report with the --twrfile or -r command-line argument, the default report file specified by the configuration file REPORTFILE variable is used. 
+Example: On a machine named LIGHTHOUSE, the command would be:
+./twprint -m r --twrfile LIGHTHOUSE-19990622-021212.twr
+
+Updating the Database after an Integrity Check
+Database Update mode enables you to update the Tripwire database after an integrity check if you determine that the violations discovered are valid. This update process saves time by enabling you to update the database without having to re-initialize it. It also enables selective updating, which cannot be done through re-initialization. The syntax for Database Update mode is:
+tripwire --update 
+
+Updating the Policy File
+Change the way that Tripwire software scans the system by changing the rules in the policy file. You can  then update the database without a complete re-initialization. This saves a significant amount of time and preserves security by keeping the policy file synchronized with the database it uses.  The syntax for Policy Update mode is:
+tripwire  --update-policy 
+
+Testing email functions
+Test mode tests the software's email notification system, using the settings currently specified in the configuration file. The syntax for Email Test Reporting mode is:
+tripwire  --test 
+
+Tripwire Components
+The policy file begins as a text file containing comments, rules, directives, and variables. These dictate the way Tripwire software checks your system. Each rule in the policy file specifies a system object to be monitored. Rules also describe which changes to the object to report, and which to ignore. 
+
+System objects are the files and directories you wish to monitor. Each object is identified by an object name. A property refers to a single characteristic of an object that Tripwire software can monitor. Directives control conditional processing of sets of rules in a policy file. During installation, the text policy file is encrypted and renamed, and becomes the active policy file. 
+
+The database file is an important component of Tripwire software. When first installed, Tripwire software uses the policy file rules to create the database file. The database file is a baseline "snapshot" of the system in a known secure state. Tripwire software compares this baseline against the current system to determine what changes have occurred. This is an integrity check.
+
+When you perform an integrity check, Tripwire software produces report files. Report files summarize any changes that violated the policy file rules during the integrity check. You can view the report file in a variety of formats, at varying levels of detail.  
+
+The Tripwire configuration file stores system-specific information, such as the location of Tripwire data files. Tripwire software generates some of the configuration file information during installation. The system administrator can change parameters in the configuration file at any time. The configuration file variables POLFILE, DBFILE, REPORTFILE, SITEKEYFILE, and LOCALKEYFILE specify where the policy file, database file, report files, and site and local key files reside. These variables must be defined or the configuration file is invalid. If any of these variables are undefined, an error occurs on execution of Tripwire software and the program exits. 
+
+Tripwire Help
+All Tripwire commands support the help arguments. Example: To get help with Create Configuration File mode, type: ./twadmin --help --create-cfgfile
+
+-?		Display usage and version information
+--help		Display all command modes
+--help all	Display help for all command modes
+--help [mode]	Display help for current command mode
+--version	Display version information
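Review bot: steps 2 and 3 of the post-installation list give the commands as `/usr/sbin/tripwire--init` and `/usr/sbin/tripwire--check`, with the space before the option missing; they should read `tripwire --init` and `tripwire --check`. Step 1 and the install section also point to `/etc/tripwire/twinstall.sh` and to locating the RPM on a CD, which do not match the `tripwire-setup-keyfiles` script documented in README.Fedora.in. The ordering is also confusing: steps 4 and 5 edit twcfg.txt and twpol.txt after signing, while the note directly below recommends editing the policy before running the configuration script.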


Index: twcfg.txt.in
===================================================================
RCS file: twcfg.txt.in
diff -N twcfg.txt.in
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ twcfg.txt.in	22 Dec 2006 04:47:55 -0000	1.3
@@ -0,0 +1,15 @@
+ROOT                   =@sbindir@
+POLFILE                =@sysconfdir@/tripwire/tw.pol
+DBFILE                 =@vardir@/lib/tripwire/$(HOSTNAME).twd
+REPORTFILE             =@vardir@/lib/tripwire/report/$(HOSTNAME)-$(DATE).twr
+SITEKEYFILE            =@sysconfdir@/tripwire/site.key
+LOCALKEYFILE           =@sysconfdir@/tripwire/$(HOSTNAME)-local.key
+EDITOR                 =@path_to_vi@
+LATEPROMPTING          =false
+LOOSEDIRECTORYCHECKING =false
+MAILNOVIOLATIONS       =true
+EMAILREPORTLEVEL       =3
+REPORTLEVEL            =3
+MAILMETHOD             =SENDMAIL
+SYSLOGREPORTING        =false
+MAILPROGRAM            =@path_to_sendmail@ -oi -t
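Review bot: `LOOSEDIRECTORYCHECKING =false` contradicts the header of twpol.txt.in in this same commit, which says the example policy is best run with "Loose Directory Checking" enabled and instructs "Set LOOSEDIRECTORYCHECKING=TRUE"; either set it to true here or adjust the policy comment. Also, `DBFILE` and `LOCALKEYFILE` use `$(HOSTNAME)` while tripwire-setup-keyfiles names the local key from `uname -n` and tripwire.cron.in looks for `${HOST_NAME}.twd`; confirm that these always resolve to the same name, otherwise the key and database the scripts expect are not the ones the configuration refers to.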


Index: twpol.txt.in
===================================================================
RCS file: twpol.txt.in
diff -N twpol.txt.in
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ twpol.txt.in	22 Dec 2006 04:47:55 -0000	1.4
@@ -0,0 +1,1036 @@
+# identifier:	tripwire IDS policy input file
+# host:		Fedora Core release 1 (Yarrow)
+# version:	2.3.1-19.fdr.1
+# maintainer:	Keith G. Robertson-Turner <tripwire-devel[AT]genesis-x.nildram.co.uk>
+# validator:	unvalidated
+# date:		Tue Jun 15 17:09:21 BST 2004
+
+# description:
+# This is an example Tripwire Policy input file. It is intended as  the
+# starting point to creating your own custom Tripwire Policy. Referring
+# to it, as well as the Tripwire Policy Guide, should give  you  enough
+# information to make a good custom Tripwire Policy  that  better  fits
+# your configuration and security needs. This text version will be used
+# by tripwire as input to create a proprietary type of  file  called  a
+# Tripwire Policy file, which will then be signed for further security.
+# It is recommended that once you complete the creation of  the  Policy
+# file, you move this plaintext version to a secure location  (possibly
+# on removable media) or encrypt the file using a tool such as GPG. You
+# should also do this for the  Tripwire  plaintext  configuration  file
+# (twcfg.txt) once you have finished setting up the Policy.
+#
+# Note that this file is tuned to an  "everything"  install  of  Fedora
+# Linux. If run unmodified,  this  file  should  create  no  errors  on
+# database creation, or violations on  a  subsequent  integrity  check.
+# However, it is impossible for there to be one  policy  file  for  all
+# machines, so this existing one errs on the  side  of  security.  Your
+# Linux configuration will most likely differ from the one  our  policy
+# file was tuned to, and will therefore require  some  editing  of  the
+# default Tripwire Policy file. The example policy  file  is  best  run
+# with "Loose Directory Checking" enabled.
+#
+# Set LOOSEDIRECTORYCHECKING=TRUE in the Tripwire Configuration file.
+#
+# Note - legacy entries (which are  commented  out)  are  included  for
+# historical reasons only, and  are  overdue  for  removal.  They  will
+# likely disappear from future releases.
+#
+# The following info is only really useful for  non-RPM  distributions:
+#
+# Email support is not included and must be added to this file. Add the
+# "emailto=" to the rule directive section of each rule  (add  a  comma
+# after the "severity=" line and add  an  "emailto="  and  include  the
+# email addresses you want the violation reports to go  to).  Addresses
+# are semi-colon delimited.
+#
+# If you installed from the Fedora RPM, a cron job has already been set
+# up for you. Tripwire will perform an integrity check once  every day,
+# and the generated report will be emailed to root. In this  case,  you
+# do not need to perform the steps in the previous paragraph.
+
+# policy:
+
+
+# Global Variable Definitions
+
+@@section GLOBAL
+TWROOT=@sbindir@;
+TWBIN=@sbindir@;
+TWPOL="@sysconfdir@/tripwire";
+TWDB="@vardir@/lib/tripwire";
+TWSKEY="@sysconfdir@/tripwire";
+TWLKEY="@sysconfdir@/tripwire";
+TWREPORT="@vardir@/lib/tripwire/report";
+HOSTNAME=localhost;
+
+@@section FS
+SEC_CRIT      = $(IgnoreNone)-SHa ;  # Critical files that cannot change
+SEC_SUID      = $(IgnoreNone)-SHa ;  # Binaries with the SUID or SGID flags set
+SEC_BIN       = $(ReadOnly) ;        # Binaries that should not change
+SEC_CONFIG    = $(Dynamic) ;         # Config files that are changed infrequently but accessed often
+SEC_LOG       = $(Growing) ;         # Files that grow, but that should never change ownership
+SEC_INVARIANT = +tpug ;              # Directories that should never change permission or ownership
+SIG_LOW       = 33 ;                 # Non-critical files that are of minimal security impact
+SIG_MED       = 66 ;                 # Non-critical files that are of significant security impact
+SIG_HI        = 100 ;                # Critical files that are significant points of vulnerability
+
+
+# Tripwire Binaries
+
+(
+  rulename = "Tripwire Binaries",
+  severity = $(SIG_HI)
+)
+{
+  $(TWBIN)/siggen                      -> $(SEC_BIN) ;
+  $(TWBIN)/tripwire                    -> $(SEC_BIN) ;
+  $(TWBIN)/twadmin                     -> $(SEC_BIN) ;
+  $(TWBIN)/twprint                     -> $(SEC_BIN) ;
+}
+
+
+# Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases
+
+(
+  rulename = "Tripwire Data Files",
+  severity = $(SIG_HI)
+)
+{
+  # NOTE: We remove the inode attribute because when Tripwire creates a backup,
+  # it does so by renaming the old file and creating a new one (which will
+  # have a new inode number).  Inode is left turned on for keys, which shouldn't
+  # ever change.
+
+  # NOTE: The first integrity check triggers this rule and each integrity check
+  # afterward triggers this rule until a database update is run, since the
+  # database file does not exist before that point.
+
+  $(TWDB)                              -> $(SEC_CONFIG) -i ;
+  $(TWPOL)/tw.pol                      -> $(SEC_BIN) -i ;
+  $(TWPOL)/tw.cfg                      -> $(SEC_BIN) -i ;
+  $(TWLKEY)/$(HOSTNAME)-local.key      -> $(SEC_BIN) ;
+  $(TWSKEY)/site.key                   -> $(SEC_BIN) ;
+
+  #don't scan the individual reports
+  $(TWREPORT)                          -> $(SEC_CONFIG) (recurse=0) ;
+}
+
+
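Review bot: "HOSTNAME=localhost;" in the GLOBAL section is hard-coded, and the local key rule in "Tripwire Data Files" is built from it as "$(TWLKEY)/$(HOSTNAME)-local.key". If the key file is named after the machine's real host name, that rule points at a path that does not exist and the actual local key is not matched by it, so a replaced local key would not be reported under this rule. Suggest filling the value in at install time, the same way the @sbindir@ and @sysconfdir@ placeholders are, or stating in the header comment that HOSTNAME must be edited before the policy is signed.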
+# Tripwire HQ Connector Binaries
+#
+# This commercial product has been phased out and is no longer
+# supported. This section will disappear from future releases.
+#
+#(
+#  rulename = "Tripwire HQ Connector Binaries",
+#  severity = $(SIG_HI)
+#)
+#{
+#  $(TWBIN)/hqagent                     -> $(SEC_BIN) ;
+#}
+#
+# Tripwire HQ Connector - Configuration Files, Keys, and Logs
+
+# Note: File locations here are different than in a stock HQ  Connector
+# installation.  This is because Tripwire 2.3  uses  a  different  path
+# structure than Tripwire 2.2.1.
+#
+# You may need to update your  HQ  Agent  configuation  file  (or  this
+# policy file) to correct the paths.  We have attempted to support  the
+# FHS standard here by placing the HQ Agent files similarly to the  way
+# Tripwire 2.3 places them.
+
+#(
+#  rulename = "Tripwire HQ Connector Data Files",
+#  severity = $(SIG_HI)
+#)
+#{
+  # NOTE: Removing the inode attribute because when Tripwire creates  a
+  # backup it does so by renaming the old file and creating a  new  one
+  # (which will have a new inode number).  Leaving inode turned on  for
+  # keys, which shouldn't ever change.
+#
+#  $(TWBIN)/agent.cfg                   -> $(SEC_BIN) -i ; # legacy
+#  $(TWLKEY)/authentication.key         -> $(SEC_BIN) ; # legacy
+#  $(TWDB)/tasks.dat                    -> $(SEC_CONFIG) ; # legacy
+#  $(TWDB)/schedule.dat                 -> $(SEC_CONFIG) ; # legacy
+#
+   # Uncomment if you have agent logging enabled.
+   #/var/log/tripwire/agent.log      -> $(SEC_LOG) ; # legacy
+#}
+
+
+# Commonly accessed directories that should remain static with  regards
+# to owner and group.
+
+(
+  rulename = "Invariant Directories",
+  severity = $(SIG_MED)
+)
+{
+  /                                    -> $(SEC_INVARIANT) (recurse = 0) ;
+  /home                                -> $(SEC_INVARIANT) (recurse = 0) ;
+  /etc                                 -> $(SEC_INVARIANT) (recurse = 0) ;
+}
+
+
+# File System and Disk Administration Programs.
+
+(
+  rulename = "File System and Disk Administraton Programs",
+  severity = $(SIG_HI)
+)
+{
+  /sbin/accton                         -> $(SEC_CRIT) ;
+  /sbin/badblocks                      -> $(SEC_CRIT) ;
+  /sbin/busybox                        -> $(SEC_CRIT) ;
+  /sbin/busybox.anaconda               -> $(SEC_CRIT) ;
+  /sbin/convertquota                   -> $(SEC_CRIT) ;
+  /sbin/dosfsck                        -> $(SEC_CRIT) ;
+  /sbin/debugfs                        -> $(SEC_CRIT) ;
+  /sbin/debugreiserfs                  -> $(SEC_CRIT) ;
+  /sbin/dumpe2fs                       -> $(SEC_CRIT) ;
+  /sbin/dump                           -> $(SEC_CRIT) ;
+  /sbin/dump.static                    -> $(SEC_CRIT) ;
+ #/sbin/e2fsadm                        -> $(SEC_CRIT) ; tune2fs? # legacy
+  /sbin/e2fsck                         -> $(SEC_CRIT) ;
+  /sbin/e2label                        -> $(SEC_CRIT) ;
+  /sbin/fdisk                          -> $(SEC_CRIT) ;
+  /sbin/fsck                           -> $(SEC_CRIT) ;
+  /sbin/fsck.ext2                      -> $(SEC_CRIT) ;
+  /sbin/fsck.ext3                      -> $(SEC_CRIT) ;
+ #/sbin/fsck.minix                     -> $(SEC_CRIT) ;
+  /sbin/fsck.msdos                     -> $(SEC_CRIT) ;
+  /sbin/fsck.vfat                      -> $(SEC_CRIT) ;
+  /sbin/ftl_check                      -> $(SEC_CRIT) ;
+  /sbin/ftl_format                     -> $(SEC_CRIT) ;
+  /sbin/hdparm                         -> $(SEC_CRIT) ;
+ #/sbin/lvchange                       -> $(SEC_CRIT) ;
+ #/sbin/lvcreate                       -> $(SEC_CRIT) ;
+ #/sbin/lvdisplay                      -> $(SEC_CRIT) ;
+ #/sbin/lvextend                       -> $(SEC_CRIT) ;
+ #/sbin/lvmchange                      -> $(SEC_CRIT) ;
+ #/sbin/lvmcreate_initrd               -> $(SEC_CRIT) ;
+ #/sbin/lvmdiskscan                    -> $(SEC_CRIT) ;
+ #/sbin/lvmsadc                        -> $(SEC_CRIT) ;
+ #/sbin/lvmsar                         -> $(SEC_CRIT) ;
+ #/sbin/lvreduce                       -> $(SEC_CRIT) ;
+ #/sbin/lvremove                       -> $(SEC_CRIT) ;
+ #/sbin/lvrename                       -> $(SEC_CRIT) ;
+ #/sbin/lvscan                         -> $(SEC_CRIT) ;
+  /sbin/mkbootdisk                     -> $(SEC_CRIT) ;
+  /sbin/mkdosfs                        -> $(SEC_CRIT) ;
+  /sbin/mke2fs                         -> $(SEC_CRIT) ;
+  /sbin/mkfs                           -> $(SEC_CRIT) ;
+ #/sbin/mkfs.bfs                       -> $(SEC_CRIT) ;
+  /sbin/mkfs.ext2                      -> $(SEC_CRIT) ;
+ #/sbin/mkfs.minix                     -> $(SEC_CRIT) ;
+  /sbin/mkfs.msdos                     -> $(SEC_CRIT) ;
+  /sbin/mkfs.vfat                      -> $(SEC_CRIT) ;
+  /sbin/mkinitrd                       -> $(SEC_CRIT) ;
+ #/sbin/mkpv                           -> $(SEC_CRIT) ;
+  /sbin/mkraid                         -> $(SEC_CRIT) ;
+  /sbin/mkreiserfs                     -> $(SEC_CRIT) ;
+  /sbin/mkswap                         -> $(SEC_CRIT) ;
+ #/sbin/mtx                            -> $(SEC_CRIT) ;
+  /sbin/pam_console_apply              -> $(SEC_CRIT) ;
+  /sbin/parted                         -> $(SEC_CRIT) ;
+  /sbin/pcinitrd                       -> $(SEC_CRIT) ;
+ #/sbin/pvchange                       -> $(SEC_CRIT) ;
+ #/sbin/pvcreate                       -> $(SEC_CRIT) ;
+ #/sbin/pvdata                         -> $(SEC_CRIT) ;
+ #/sbin/pvdisplay                      -> $(SEC_CRIT) ;
+ #/sbin/pvmove                         -> $(SEC_CRIT) ;
+ #/sbin/pvscan                         -> $(SEC_CRIT) ;
+  /sbin/quotacheck                     -> $(SEC_CRIT) ;
+  /sbin/quotaon                        -> $(SEC_CRIT) ;
+  /sbin/raidstart                      -> $(SEC_CRIT) ;
+  /sbin/reiserfsck                     -> $(SEC_CRIT) ;
+  /sbin/resize2fs                      -> $(SEC_CRIT) ;
+  /sbin/resize_reiserfs                -> $(SEC_CRIT) ;
+  /sbin/restore                        -> $(SEC_CRIT) ;
+  /sbin/restore.static                 -> $(SEC_CRIT) ;
+  /sbin/scsi_info                      -> $(SEC_CRIT) ;
+  /sbin/sfdisk                         -> $(SEC_CRIT) ;
+  /sbin/stinit                         -> $(SEC_CRIT) ;
+ #/sbin/tapeinfo                       -> $(SEC_CRIT) ; # legacy
+  /sbin/tune2fs                        -> $(SEC_CRIT) ;
+  /sbin/unpack                         -> $(SEC_CRIT) ;
+ #/sbin/update                         -> $(SEC_CRIT) ;
+ #/sbin/vgcfgbackup                    -> $(SEC_CRIT) ;
+ #/sbin/vgcfgrestore                   -> $(SEC_CRIT) ;
+ #/sbin/vgchange                       -> $(SEC_CRIT) ;
+ #/sbin/vgck                           -> $(SEC_CRIT) ;
+ #/sbin/vgcreate                       -> $(SEC_CRIT) ;
+ #/sbin/vgdisplay                      -> $(SEC_CRIT) ;
+ #/sbin/vgexport                       -> $(SEC_CRIT) ;
+ #/sbin/vgextend                       -> $(SEC_CRIT) ;
+ #/sbin/vgimport                       -> $(SEC_CRIT) ;
+ #/sbin/vgmerge                        -> $(SEC_CRIT) ;
+ #/sbin/vgmknodes                      -> $(SEC_CRIT) ;
+ #/sbin/vgreduce                       -> $(SEC_CRIT) ;
+ #/sbin/vgremove                       -> $(SEC_CRIT) ;
+ #/sbin/vgrename                       -> $(SEC_CRIT) ;
+ #/sbin/vgscan                         -> $(SEC_CRIT) ;
+ #/sbin/vgsplit                        -> $(SEC_CRIT) ;
+  /bin/chgrp                           -> $(SEC_CRIT) ;
+  /bin/chmod                           -> $(SEC_CRIT) ;
+  /bin/chown                           -> $(SEC_CRIT) ;
+  /bin/cp                              -> $(SEC_CRIT) ;
+  /bin/cpio                            -> $(SEC_CRIT) ;
+  /bin/mount                           -> $(SEC_CRIT) ;
+  /bin/umount                          -> $(SEC_CRIT) ;
+  /bin/mkdir                           -> $(SEC_CRIT) ;
+  /bin/mknod                           -> $(SEC_CRIT) ;
+  /bin/mktemp                          -> $(SEC_CRIT) ;
+  /bin/rm                              -> $(SEC_CRIT) ;
+  /bin/rmdir                           -> $(SEC_CRIT) ;
+  /bin/touch                           -> $(SEC_CRIT) ;
+}
+
+
+# Kernel Administration Programs.
+
+(
+  rulename = "Kernel Administration Programs",
+  severity = $(SIG_HI)
+)
+{
+  /sbin/adjtimex                       -> $(SEC_CRIT) ;
+  /sbin/ctrlaltdel                     -> $(SEC_CRIT) ;
+  /sbin/depmod                         -> $(SEC_CRIT) ;
+  /sbin/insmod                         -> $(SEC_CRIT) ;
+  /sbin/insmod.static                  -> $(SEC_CRIT) ;
+  /sbin/insmod_ksymoops_clean          -> $(SEC_CRIT) ;
+  /sbin/klogd                          -> $(SEC_CRIT) ;
+  /sbin/ldconfig                       -> $(SEC_CRIT) ;
+  /sbin/minilogd                       -> $(SEC_CRIT) ;
+  /sbin/modinfo                        -> $(SEC_CRIT) ;
+ #/sbin/nuactlun                       -> $(SEC_CRIT) ;
+ #/sbin/nuscsitcpd                     -> $(SEC_CRIT) ;
+  /sbin/pivot_root                     -> $(SEC_CRIT) ;
+  /sbin/sndconfig                      -> $(SEC_CRIT) ;
+  /sbin/sysctl                         -> $(SEC_CRIT) ;
+}
+
+
+# Networking Programs.
+
+(
+  rulename = "Networking Programs",
+  severity = $(SIG_HI)
+)
+{
+  /etc/sysconfig/network-scripts/ifdown                  -> $(SEC_CRIT) ;
+  /etc/sysconfig/network-scripts/ifdown-cipcb            -> $(SEC_CRIT) ;
+  /etc/sysconfig/network-scripts/ifdown-ippp             -> $(SEC_CRIT) ;
+  /etc/sysconfig/network-scripts/ifdown-ipv6             -> $(SEC_CRIT) ;
+  /etc/sysconfig/network-scripts/ifdown-isdn             -> $(SEC_CRIT) ;
+  /etc/sysconfig/network-scripts/ifdown-post             -> $(SEC_CRIT) ;
+  /etc/sysconfig/network-scripts/ifdown-ppp              -> $(SEC_CRIT) ;
+  /etc/sysconfig/network-scripts/ifdown-sit              -> $(SEC_CRIT) ;
+  /etc/sysconfig/network-scripts/ifdown-sl               -> $(SEC_CRIT) ;
+  /etc/sysconfig/network-scripts/ifup                    -> $(SEC_CRIT) ;
+  /etc/sysconfig/network-scripts/ifup-aliases            -> $(SEC_CRIT) ;
+  /etc/sysconfig/network-scripts/ifup-cipcb              -> $(SEC_CRIT) ;
+  /etc/sysconfig/network-scripts/ifup-ippp               -> $(SEC_CRIT) ;
+  /etc/sysconfig/network-scripts/ifup-ipv6               -> $(SEC_CRIT) ;
+  /etc/sysconfig/network-scripts/ifup-isdn               -> $(SEC_CRIT) ;
+  /etc/sysconfig/network-scripts/ifup-plip               -> $(SEC_CRIT) ;
+  /etc/sysconfig/network-scripts/ifup-plusb              -> $(SEC_CRIT) ;
+  /etc/sysconfig/network-scripts/ifup-post               -> $(SEC_CRIT) ;
+  /etc/sysconfig/network-scripts/ifup-ppp                -> $(SEC_CRIT) ;
+  /etc/sysconfig/network-scripts/ifup-routes             -> $(SEC_CRIT) ;
+  /etc/sysconfig/network-scripts/ifup-sit                -> $(SEC_CRIT) ;
+  /etc/sysconfig/network-scripts/ifup-sl                 -> $(SEC_CRIT) ;
+  /etc/sysconfig/network-scripts/ifup-wireless           -> $(SEC_CRIT) ;
+  /etc/sysconfig/network-scripts/network-functions       -> $(SEC_CRIT) ;
+  /etc/sysconfig/network-scripts/network-functions-ipv6  -> $(SEC_CRIT) ;
+  /bin/ping                            -> $(SEC_CRIT) ;
+  /sbin/agetty                         -> $(SEC_CRIT) ;
+  /sbin/arp                            -> $(SEC_CRIT) ;
+  /sbin/arping                         -> $(SEC_CRIT) ;
+  /sbin/dhclient                       -> $(SEC_CRIT) ;
+  /sbin/ether-wake                     -> $(SEC_CRIT) ;
+ #/sbin/getty                          -> $(SEC_CRIT) ;
+  /sbin/ifcfg                          -> $(SEC_CRIT) ;
+  /sbin/ifconfig                       -> $(SEC_CRIT) ;
+  /sbin/ifdown                         -> $(SEC_CRIT) ;
+  /sbin/ifenslave                      -> $(SEC_CRIT) ;
+  /sbin/ifport                         -> $(SEC_CRIT) ;
+  /sbin/ifup                           -> $(SEC_CRIT) ;
+  /sbin/ifuser                         -> $(SEC_CRIT) ;
+  /sbin/ip                             -> $(SEC_CRIT) ;
+  /sbin/ip6tables                      -> $(SEC_CRIT) ;
+ #/sbin/ipchains                       -> $(SEC_CRIT) ; # legacy
+ #/sbin/ipchains-restore               -> $(SEC_CRIT) ; # legacy
+ #/sbin/ipchains-save                  -> $(SEC_CRIT) ; # legacy
+ #/sbin/ipfwadm                        -> $(SEC_CRIT) ;
+  /sbin/ipmaddr                        -> $(SEC_CRIT) ;
+  /sbin/iptables                       -> $(SEC_CRIT) ;
+  /sbin/iptables-restore               -> $(SEC_CRIT) ;
+  /sbin/iptables-save                  -> $(SEC_CRIT) ;
+  /sbin/iptunnel                       -> $(SEC_CRIT) ;
+ #/sbin/ipvsadm                        -> $(SEC_CRIT) ;
+ #/sbin/ipvsadm-restore                -> $(SEC_CRIT) ;
+ #/sbin/ipvsadm-save                   -> $(SEC_CRIT) ;
+  /sbin/ipx_configure                  -> $(SEC_CRIT) ;
+  /sbin/ipx_interface                  -> $(SEC_CRIT) ;
+  /sbin/ipx_internal_net               -> $(SEC_CRIT) ;
+  /sbin/iwconfig                       -> $(SEC_CRIT) ;
+  /sbin/iwgetid                        -> $(SEC_CRIT) ;
+  /sbin/iwlist                         -> $(SEC_CRIT) ;
+  /sbin/iwpriv                         -> $(SEC_CRIT) ;
+  /sbin/iwspy                          -> $(SEC_CRIT) ;
+  /sbin/mgetty                         -> $(SEC_CRIT) ;
+  /sbin/mingetty                       -> $(SEC_CRIT) ;
+  /sbin/nameif                         -> $(SEC_CRIT) ;
+  /sbin/netreport                      -> $(SEC_CRIT) ;
+  /sbin/plipconfig                     -> $(SEC_CRIT) ;
+  /sbin/portmap                        -> $(SEC_CRIT) ;
+  /sbin/ppp-watch                      -> $(SEC_CRIT) ;
+ #/sbin/rarp                           -> $(SEC_CRIT) ;
+  /sbin/route                          -> $(SEC_CRIT) ;
+  /sbin/slattach                       -> $(SEC_CRIT) ;
+  /sbin/tc                             -> $(SEC_CRIT) ;
+ #/sbin/uugetty                        -> $(SEC_CRIT) ;
+  /sbin/vgetty                         -> $(SEC_CRIT) ;
+  /sbin/ypbind                         -> $(SEC_CRIT) ;
+}
+
+
+# System Administration Programs.
+
+(
+  rulename = "System Administration Programs",
+  severity = $(SIG_HI)
+)
+{
+  /sbin/chkconfig                      -> $(SEC_CRIT) ;
+  /sbin/fuser                          -> $(SEC_CRIT) ;
+  /sbin/halt                           -> $(SEC_CRIT) ;
+  /sbin/init                           -> $(SEC_CRIT) ;
+  /sbin/initlog                        -> $(SEC_CRIT) ;
+  /sbin/install-info                   -> $(SEC_CRIT) ;
+  /sbin/killall5                       -> $(SEC_CRIT) ;
+ #/sbin/linuxconf                      -> $(SEC_CRIT) ; # legacy
+ #/sbin/linuxconf-auth                 -> $(SEC_CRIT) ; # legacy
+  /sbin/pam_tally                      -> $(SEC_CRIT) ;
+  /sbin/pwdb_chkpwd                    -> $(SEC_CRIT) ;
+ #/sbin/remadmin                       -> $(SEC_CRIT) ;
+  /sbin/rescuept                       -> $(SEC_CRIT) ;
+  /sbin/rmt                            -> $(SEC_CRIT) ;
+  /sbin/rpc.lockd                      -> $(SEC_CRIT) ;
+  /sbin/rpc.statd                      -> $(SEC_CRIT) ;
+  /sbin/rpcdebug                       -> $(SEC_CRIT) ;
+  /sbin/service                        -> $(SEC_CRIT) ;
+  /sbin/setsysfont                     -> $(SEC_CRIT) ;
+  /sbin/shutdown                       -> $(SEC_CRIT) ;
+  /sbin/sulogin                        -> $(SEC_CRIT) ;
+  /sbin/swapon                         -> $(SEC_CRIT) ;
+  /sbin/syslogd                        -> $(SEC_CRIT) ;
+  /sbin/unix_chkpwd                    -> $(SEC_CRIT) ;
+  /bin/pwd                             -> $(SEC_CRIT) ;
+  /bin/uname                           -> $(SEC_CRIT) ;
+}
+
+
+# Hardware and Device Control Programs.
+
+(
+  rulename = "Hardware and Device Control Programs",
+  severity = $(SIG_HI)
+)
+{
+  /bin/setserial                       -> $(SEC_CRIT) ;
+  /bin/sfxload                         -> $(SEC_CRIT) ;
+  /sbin/blockdev                       -> $(SEC_CRIT) ;
+  /sbin/cardctl                        -> $(SEC_CRIT) ;
+  /sbin/cardmgr                        -> $(SEC_CRIT) ;
+  /sbin/cbq                            -> $(SEC_CRIT) ;
+  /sbin/dump_cis                       -> $(SEC_CRIT) ;
+  /sbin/elvtune                        -> $(SEC_CRIT) ;
+  /sbin/hotplug                        -> $(SEC_CRIT) ;
+  /sbin/hwclock                        -> $(SEC_CRIT) ;
+  /sbin/ide_info                       -> $(SEC_CRIT) ;
+ #/sbin/isapnp                         -> $(SEC_CRIT) ;
+ #/sbin/kbdrate                        -> $(SEC_CRIT) ;
+  /sbin/losetup                        -> $(SEC_CRIT) ;
+  /sbin/lspci                          -> $(SEC_CRIT) ;
+  /sbin/lspnp                          -> $(SEC_CRIT) ;
+  /sbin/mii-tool                       -> $(SEC_CRIT) ;
+  /sbin/pack_cis                       -> $(SEC_CRIT) ;
+ #/sbin/pnpdump                        -> $(SEC_CRIT) ;
+  /sbin/probe                          -> $(SEC_CRIT) ;
+ #/sbin/pump                           -> $(SEC_CRIT) ;
+  /sbin/setpci                         -> $(SEC_CRIT) ;
+  /sbin/shapecfg                       -> $(SEC_CRIT) ;
+}
+
+
+# System Information Programs.
+
+(
+  rulename = "System Information Programs",
+  severity = $(SIG_HI)
+)
+{
+  /sbin/consoletype                    -> $(SEC_CRIT) ;
+  /sbin/kernelversion                  -> $(SEC_CRIT) ;
+  /sbin/runlevel                       -> $(SEC_CRIT) ;
+}
+
+
+# Application Information Programs.
+
+(
+  rulename = "Application Information Programs",
+  severity = $(SIG_HI)
+)
+{
+  /sbin/genksyms                       -> $(SEC_CRIT) ;
+ #/sbin/genksyms.old                   -> $(SEC_CRIT) ;
+  /sbin/rtmon                          -> $(SEC_CRIT) ;
+}
+
+
+# Shell Related Programs.
+
+(
+  rulename = "Shell Related Programs",
+  severity = $(SIG_HI)
+)
+{
+  /sbin/getkey                         -> $(SEC_CRIT) ;
+  /sbin/nash                           -> $(SEC_CRIT) ;
+  /sbin/sash                           -> $(SEC_CRIT) ;
+}
+
+
+# OS Utilities.
+
+(
+  rulename = "Operating System Utilities",
+  severity = $(SIG_HI)
+)
+{
+  /bin/arch                            -> $(SEC_CRIT) ;
+  /bin/ash                             -> $(SEC_CRIT) ;
+  /bin/ash.static                      -> $(SEC_CRIT) ;
+  /bin/aumix-minimal                   -> $(SEC_CRIT) ;
+  /bin/basename                        -> $(SEC_CRIT) ;
+  /bin/cat                             -> $(SEC_CRIT) ;
+ #/bin/consolechars                    -> $(SEC_CRIT) ;
+  /bin/cut                             -> $(SEC_CRIT) ;
+  /bin/date                            -> $(SEC_CRIT) ;
+  /bin/dd                              -> $(SEC_CRIT) ;
+  /bin/df                              -> $(SEC_CRIT) ;
+  /bin/dmesg                           -> $(SEC_CRIT) ;
+  /bin/doexec                          -> $(SEC_CRIT) ;
+  /bin/echo                            -> $(SEC_CRIT) ;
+  /bin/ed                              -> $(SEC_CRIT) ;
+  /bin/egrep                           -> $(SEC_CRIT) ;
+  /bin/false                           -> $(SEC_CRIT) ;
+  /bin/fgrep                           -> $(SEC_CRIT) ;
+  /bin/gawk                            -> $(SEC_CRIT) ;
+ #/bin/gawk-3.1.0                      -> $(SEC_CRIT) ; # legacy
+  /bin/gettext                         -> $(SEC_CRIT) ;
+  /bin/grep                            -> $(SEC_CRIT) ;
+  /bin/gunzip                          -> $(SEC_CRIT) ;
+  /bin/gzip                            -> $(SEC_CRIT) ;
+  /bin/hostname                        -> $(SEC_CRIT) ;
+  /bin/igawk                           -> $(SEC_CRIT) ;
+  /bin/ipcalc                          -> $(SEC_CRIT) ;
+  /bin/kill                            -> $(SEC_CRIT) ;
+  /bin/ln                              -> $(SEC_CRIT) ;
+  /bin/loadkeys                        -> $(SEC_CRIT) ;
+  /bin/login                           -> $(SEC_CRIT) ;
+  /bin/ls                              -> $(SEC_CRIT) ;
+  /bin/mail                            -> $(SEC_CRIT) ;
+  /bin/more                            -> $(SEC_CRIT) ;
+  /bin/mt                              -> $(SEC_CRIT) ;
+  /bin/mv                              -> $(SEC_CRIT) ;
+  /bin/netstat                         -> $(SEC_CRIT) ;
+  /bin/nice                            -> $(SEC_CRIT) ;
+  /bin/pgawk                           -> $(SEC_CRIT) ;
+  /bin/ps                              -> $(SEC_CRIT) ;
+  /bin/rpm                             -> $(SEC_CRIT) ;
+  /bin/sed                             -> $(SEC_CRIT) ;
+  /bin/sleep                           -> $(SEC_CRIT) ;
+  /bin/sort                            -> $(SEC_CRIT) ;
+  /bin/stty                            -> $(SEC_CRIT) ;
+  /bin/su                              -> $(SEC_CRIT) ;
+  /bin/sync                            -> $(SEC_CRIT) ;
+  /bin/tar                             -> $(SEC_CRIT) ;
+  /bin/true                            -> $(SEC_CRIT) ;
+  /bin/usleep                          -> $(SEC_CRIT) ;
+  /bin/vi                              -> $(SEC_CRIT) ;
+  /bin/zcat                            -> $(SEC_CRIT) ;
+  /bin/zsh                             -> $(SEC_CRIT) ;
+ #/bin/zsh-4.0.2                       -> $(SEC_CRIT) ; # legacy
+  /sbin/sln                            -> $(SEC_CRIT) ;
+  /usr/bin/vimtutor                    -> $(SEC_CRIT) ;
+}
+
+
+# Critical Utility Sym-Links.
+
+(
+  rulename = "Critical Utility Sym-Links",
+  severity = $(SIG_HI)
+)
+{
+ #/sbin/askrunlevel                    -> $(SEC_CRIT) ;
+  /sbin/clock                          -> $(SEC_CRIT) ;
+ #/sbin/fixperm                        -> $(SEC_CRIT) ;
+  /sbin/fsck.reiserfs                  -> $(SEC_CRIT) ;
+ #/sbin/fsconf                         -> $(SEC_CRIT) ;
+ #/sbin/ipfwadm-wrapper                -> $(SEC_CRIT) ;
+  /sbin/kallsyms                       -> $(SEC_CRIT) ;
+  /sbin/ksyms                          -> $(SEC_CRIT) ;
+  /sbin/lsmod                          -> $(SEC_CRIT) ;
+ #/sbin/mailconf                       -> $(SEC_CRIT) ;
+  /sbin/mkfs.reiserfs                  -> $(SEC_CRIT) ;
+ #/sbin/modemconf                      -> $(SEC_CRIT) ; # legacy
+  /sbin/modprobe                       -> $(SEC_CRIT) ;
+  /sbin/mount.ncp                      -> $(SEC_CRIT) ;
+  /sbin/mount.ncpfs                    -> $(SEC_CRIT) ;
+  /sbin/mount.smb                      -> $(SEC_CRIT) ;
+  /sbin/mount.smbfs                    -> $(SEC_CRIT) ;
+ #/sbin/netconf                        -> $(SEC_CRIT) ;
+  /sbin/pidof                          -> $(SEC_CRIT) ;
+  /sbin/poweroff                       -> $(SEC_CRIT) ;
+  /sbin/quotaoff                       -> $(SEC_CRIT) ;
+  /sbin/raid0run                       -> $(SEC_CRIT) ;
+  /sbin/raidhotadd                     -> $(SEC_CRIT) ;
+ #/sbin/raidhotgenerateerror           -> $(SEC_CRIT) ;
+  /sbin/raidhotremove                  -> $(SEC_CRIT) ;
+  /sbin/raidstop                       -> $(SEC_CRIT) ;
+  /sbin/rdump                          -> $(SEC_CRIT) ;
+  /sbin/rdump.static                   -> $(SEC_CRIT) ;
+  /sbin/reboot                         -> $(SEC_CRIT) ;
+  /sbin/rmmod                          -> $(SEC_CRIT) ;
+  /sbin/rrestore                       -> $(SEC_CRIT) ;
+  /sbin/rrestore.static                -> $(SEC_CRIT) ;
+  /sbin/swapoff                        -> $(SEC_CRIT) ;
+  /sbin/telinit                        -> $(SEC_CRIT) ;
+ #/sbin/userconf                       -> $(SEC_CRIT) ;
+ #/sbin/uucpconf                       -> $(SEC_CRIT) ;
+ #/sbin/vregistry                      -> $(SEC_CRIT) ;
+  /bin/awk                             -> $(SEC_CRIT) ;
+  /bin/bash2                           -> $(SEC_CRIT) ;
+  /bin/bsh                             -> $(SEC_CRIT) ;
+  /bin/csh                             -> $(SEC_CRIT) ;
+  /bin/dnsdomainname                   -> $(SEC_CRIT) ;
+  /bin/domainname                      -> $(SEC_CRIT) ;
+  /bin/ex                              -> $(SEC_CRIT) ;
+  /bin/gtar                            -> $(SEC_CRIT) ;
+  /bin/nisdomainname                   -> $(SEC_CRIT) ;
+  /bin/red                             -> $(SEC_CRIT) ;
+  /bin/rvi                             -> $(SEC_CRIT) ;
+  /bin/rview                           -> $(SEC_CRIT) ;
+  /bin/view                            -> $(SEC_CRIT) ;
+  /bin/ypdomainname                    -> $(SEC_CRIT) ;
+}
+
+
+# Temporary directories.
+
+(
+  rulename = "Temporary directories",
+  recurse = false,
+  severity = $(SIG_LOW)
+)
+{
+  /usr/tmp                             -> $(SEC_INVARIANT) ;
+  /var/tmp                             -> $(SEC_INVARIANT) ;
+  /tmp                                 -> $(SEC_INVARIANT) ;
+}
+
+
+# Local files.
+
+(
+  rulename = "User binaries",
+  severity = $(SIG_MED)
+)
+{
+  /sbin                                -> $(SEC_BIN) (recurse = 1) ;
+  /usr/bin                             -> $(SEC_BIN) (recurse = 1) ;
+  /usr/sbin                            -> $(SEC_BIN) (recurse = 1) ;
+  /usr/local/bin                       -> $(SEC_BIN) (recurse = 1) ;
+}
+
+(
+  rulename = "Shell Binaries",
+  severity = $(SIG_HI)
+)
+{
+  /bin/bash                            -> $(SEC_BIN) ;
+  /bin/ksh                             -> $(SEC_BIN) ;
+ #/bin/psh                             -> $(SEC_BIN) ; # legacy
+ #/bin/Rsh                             -> $(SEC_BIN) ; # legacy
+  /bin/sh                              -> $(SEC_BIN) ;
+ #/bin/shell                           -> $(SEC_SUID) ; # legacy
+ #/bin/tsh                             -> $(SEC_BIN) ; # legacy
+  /bin/tcsh                            -> $(SEC_BIN) ;
+  /sbin/nologin                        -> $(SEC_BIN) ;
+}
+
+(
+  rulename = "Security Control",
+  severity = $(SIG_HI)
+)
+{
+  /etc/group                           -> $(SEC_CRIT) ;
+  /etc/security                        -> $(SEC_CRIT) ;
+ #/var/spool/cron/crontabs             -> $(SEC_CRIT) ; # Uncomment when this file exists
+}
+
+#(
+#  rulename = "Boot Scripts",
+#  severity = $(SIG_HI)
+#)
+#{
+#  /etc/rc                              -> $(SEC_CONFIG) ;
+#  /etc/rc.bsdnet                       -> $(SEC_CONFIG) ;
+#  /etc/rc.dt                           -> $(SEC_CONFIG) ;
+#  /etc/rc.net                          -> $(SEC_CONFIG) ;
+#  /etc/rc.net.serial                   -> $(SEC_CONFIG) ;
+#  /etc/rc.nfs                          -> $(SEC_CONFIG) ;
+#  /etc/rc.powerfail                    -> $(SEC_CONFIG) ;
+#  /etc/rc.tcpip                        -> $(SEC_CONFIG) ;
+#  /etc/trcfmt.Z                        -> $(SEC_CONFIG) ;
+#}
+
+(
+  rulename = "Login Scripts",
+  severity = $(SIG_HI)
+)
+{
+  /etc/bashrc                          -> $(SEC_CONFIG) ;
+  /etc/csh.cshrc                       -> $(SEC_CONFIG) ;
+  /etc/csh.login                       -> $(SEC_CONFIG) ;
+  /etc/inputrc                         -> $(SEC_CONFIG) ;
+ #/etc/tsh_profile                     -> $(SEC_CONFIG) ; #Uncomment when this file exists
+  /etc/profile                         -> $(SEC_CONFIG) ;
+}
+
+
+# Libraries
+(
+  rulename = "Libraries",
+  severity = $(SIG_MED)
+)
+{
+  /usr/lib                             -> $(SEC_BIN) ;
+  /usr/local/lib                       -> $(SEC_BIN) ;
+}
+
+
+# Critical System Boot Files.
+# These files are critical to a correct system boot.
+
+(
+  rulename = "Critical system boot files",
+  severity = $(SIG_HI)
+)
+{
+     /boot                             -> $(SEC_CRIT) ;
+    #/sbin/devfsd                      -> $(SEC_CRIT) ;
+     /sbin/grub                        -> $(SEC_CRIT) ;
+     /sbin/grub-install                -> $(SEC_CRIT) ;
+     /sbin/grub-md5-crypt              -> $(SEC_CRIT) ;
+     /sbin/installkernel               -> $(SEC_CRIT) ;
+     /sbin/lilo                        -> $(SEC_CRIT) ;
+     /sbin/mkkerneldoth                -> $(SEC_CRIT) ;
+     !/boot/System.map ;
+     !/boot/module-info ;
+     /usr/share/grub/i386-redhat/e2fs_stage1_5      -> $(SEC_CRIT) ;
+     /usr/share/grub/i386-redhat/fat_stage1_5       -> $(SEC_CRIT) ;
+     /usr/share/grub/i386-redhat/ffs_stage1_5       -> $(SEC_CRIT) ;
+     /usr/share/grub/i386-redhat/minix_stage1_5     -> $(SEC_CRIT) ;
+     /usr/share/grub/i386-redhat/reiserfs_stage1_5  -> $(SEC_CRIT) ;
+     /usr/share/grub/i386-redhat/stage1             -> $(SEC_CRIT) ;
+     /usr/share/grub/i386-redhat/stage2             -> $(SEC_CRIT) ;
+     /usr/share/grub/i386-redhat/vstafs_stage1_5    -> $(SEC_CRIT) ;
+     # other boot files may exist.  Look for:
+     #/ufsboot                          -> $(SEC_CRIT) ;
+}
+
+  # These files change every time the system boots.
+
+(
+  rulename = "System boot changes",
+  severity = $(SIG_HI)
+)
+{
+     !/var/run/ftp.pids-all ; # Comes and goes on reboot.
+     !/root/.enlightenment ;
+     /dev/log                          -> $(SEC_CONFIG) ;
+     /dev/cua0                         -> $(SEC_CONFIG) ;
+    #/dev/printer                      -> $(SEC_CONFIG) ; # legacy
+     /dev/console                      -> $(SEC_CONFIG) -u ; # User ID may change on console login/logout.
+     /dev/tty1                         -> $(SEC_CONFIG) ; # tty devices
+     /dev/tty2                         -> $(SEC_CONFIG) ; # tty devices
+     /dev/tty3                         -> $(SEC_CONFIG) ; # are extremely
+     /dev/tty4                         -> $(SEC_CONFIG) ; # variable
+     /dev/tty5                         -> $(SEC_CONFIG) ;
+     /dev/tty6                         -> $(SEC_CONFIG) ;
+     /dev/urandom                      -> $(SEC_CONFIG) ;
+     /dev/initctl                      -> $(SEC_CONFIG) ;
+     /var/lock/subsys                  -> $(SEC_CONFIG) ;
+    #/var/lock/subsys/amd              -> $(SEC_CONFIG) ;
+    #/var/lock/subsys/anacron          -> $(SEC_CONFIG) ;
+     /var/lock/subsys/apmd             -> $(SEC_CONFIG) ;
+    #/var/lock/subsys/arpwatch         -> $(SEC_CONFIG) ;
+     /var/lock/subsys/atd              -> $(SEC_CONFIG) ;
+    #/var/lock/subsys/autofs           -> $(SEC_CONFIG) ;
+    #/var/lock/subsys/bcm5820          -> $(SEC_CONFIG) ;
+    #/var/lock/subsys/bgpd             -> $(SEC_CONFIG) ;
+    #/var/lock/subsys/bootparamd       -> $(SEC_CONFIG) ;
+     /var/lock/subsys/canna            -> $(SEC_CONFIG) ;
+     /var/lock/subsys/crond            -> $(SEC_CONFIG) ;
+    #/var/lock/subsys/cWnn             -> $(SEC_CONFIG) ;
+    #/var/lock/subsys/dhcpd            -> $(SEC_CONFIG) ;
+    #/var/lock/subsys/firewall         -> $(SEC_CONFIG) ;
+    #/var/lock/subsys/freeWnn          -> $(SEC_CONFIG) ;
+    #/var/lock/subsys/gated            -> $(SEC_CONFIG) ;
+     /var/lock/subsys/gpm              -> $(SEC_CONFIG) ;
+    #/var/lock/subsys/httpd            -> $(SEC_CONFIG) ;
+    #/var/lock/subsys/identd           -> $(SEC_CONFIG) ;
+    #/var/lock/subsys/innd             -> $(SEC_CONFIG) ;
+    #/var/lock/subsys/ipchains         -> $(SEC_CONFIG) ; # legacy
+     /var/lock/subsys/iptables         -> $(SEC_CONFIG) ;
+    #/var/lock/subsys/ipvsadm          -> $(SEC_CONFIG) ;
+    #/var/lock/subsys/irda             -> $(SEC_CONFIG) ;
+    #/var/lock/subsys/iscsi            -> $(SEC_CONFIG) ;
+    #/var/lock/subsys/isdn             -> $(SEC_CONFIG) ;
+    #/var/lock/subsys/junkbuster       -> $(SEC_CONFIG) ; # legacy
+    #/var/lock/subsys/kadmin           -> $(SEC_CONFIG) ;
+    #/var/lock/subsys/keytable         -> $(SEC_CONFIG) ;
+    #/var/lock/subsys/kprop            -> $(SEC_CONFIG) ;
+    #/var/lock/subsys/krb524           -> $(SEC_CONFIG) ;
+    #/var/lock/subsys/krb5kdc          -> $(SEC_CONFIG) ;
+     /var/lock/subsys/kudzu            -> $(SEC_CONFIG) ;
+    #/var/lock/subsys/kWnn             -> $(SEC_CONFIG) ;
+    #/var/lock/subsys/ldap             -> $(SEC_CONFIG) ;
+    #/var/lock/subsys/linuxconf        -> $(SEC_CONFIG) ; # legacy
+    #/var/lock/subsys/lpd              -> $(SEC_CONFIG) ;
+    #/var/lock/subsys/mars_nwe         -> $(SEC_CONFIG) ;
+    #/var/lock/subsys/mcserv           -> $(SEC_CONFIG) ;
+    #/var/lock/subsys/mysqld           -> $(SEC_CONFIG) ;
+    #/var/lock/subsys/named            -> $(SEC_CONFIG) ;
+     /var/lock/subsys/netfs            -> $(SEC_CONFIG) ;
+     /var/lock/subsys/network          -> $(SEC_CONFIG) ;
+    #/var/lock/subsys/nfs              -> $(SEC_CONFIG) ;
+     /var/lock/subsys/nfslock          -> $(SEC_CONFIG) ;
+    #/var/lock/subsys/nscd             -> $(SEC_CONFIG) ;
+     /var/lock/subsys/ntpd             -> $(SEC_CONFIG) ;
+    #/var/lock/subsys/ospf6d           -> $(SEC_CONFIG) ;
+    #/var/lock/subsys/ospfd            -> $(SEC_CONFIG) ;
+    #/var/lock/subsys/pcmcia           -> $(SEC_CONFIG) ;
+     /var/lock/subsys/portmap          -> $(SEC_CONFIG) ;
+    #/var/lock/subsys/postgresql       -> $(SEC_CONFIG) ;
+    #/var/lock/subsys/pxe              -> $(SEC_CONFIG) ;
+    #/var/lock/subsys/radvd            -> $(SEC_CONFIG) ;
+     /var/lock/subsys/random           -> $(SEC_CONFIG) ;
+    #/var/lock/subsys/rarpd            -> $(SEC_CONFIG) ;
+    #/var/lock/subsys/reconfig         -> $(SEC_CONFIG) ;
+    #/var/lock/subsys/rhnsd            -> $(SEC_CONFIG) ;
+    #/var/lock/subsys/ripd             -> $(SEC_CONFIG) ;
+    #/var/lock/subsys/ripngd           -> $(SEC_CONFIG) ;
+    #/var/lock/subsys/routed           -> $(SEC_CONFIG) ;
+    #/var/lock/subsys/rstatd           -> $(SEC_CONFIG) ;
+    #/var/lock/subsys/rusersd          -> $(SEC_CONFIG) ;
+    #/var/lock/subsys/rwalld           -> $(SEC_CONFIG) ;
+    #/var/lock/subsys/rwhod            -> $(SEC_CONFIG) ;
+     /var/lock/subsys/sendmail         -> $(SEC_CONFIG) ;
+    #/var/lock/subsys/smb              -> $(SEC_CONFIG) ;
+    #/var/lock/subsys/snmpd            -> $(SEC_CONFIG) ;
+    #/var/lock/subsys/squid            -> $(SEC_CONFIG) ;
+     /var/lock/subsys/sshd             -> $(SEC_CONFIG) ;
+     /var/lock/subsys/syslog           -> $(SEC_CONFIG) ;
+    #/var/lock/subsys/tux              -> $(SEC_CONFIG) ;
+    #/var/lock/subsys/tWnn             -> $(SEC_CONFIG) ;
+    #/var/lock/subsys/ups              -> $(SEC_CONFIG) ;
+    #/var/lock/subsys/vncserver        -> $(SEC_CONFIG) ;
+    #/var/lock/subsys/wine             -> $(SEC_CONFIG) ;
+     /var/lock/subsys/xfs              -> $(SEC_CONFIG) ;
+     /var/lock/subsys/xinetd           -> $(SEC_CONFIG) ;
+    #/var/lock/subsys/ypbind           -> $(SEC_CONFIG) ;
+    #/var/lock/subsys/yppasswdd        -> $(SEC_CONFIG) ;
+    #/var/lock/subsys/ypserv           -> $(SEC_CONFIG) ;
+    #/var/lock/subsys/ypxfrd           -> $(SEC_CONFIG) ;
+    #/var/lock/subsys/zebra            -> $(SEC_CONFIG) ;
+     /var/run                          -> $(SEC_CONFIG) ;
+     /var/log                          -> $(SEC_CONFIG) ;
+    #/etc/ioctl.save                   -> $(SEC_CONFIG) ;
+     /etc/issue.net                    -> $(SEC_CONFIG) -i ; # Inode number changes
+     /etc/issue                        -> $(SEC_CONFIG) ;
+     /etc/mtab                         -> $(SEC_CONFIG) -i ; # Inode number changes on any mount/unmount
+     /lib/modules                      -> $(SEC_CONFIG) ;
+     /etc/.pwd.lock                    -> $(SEC_CONFIG) ;
+    #/lib/modules/preferred            -> $(SEC_CONFIG) ; #Uncomment when this file exists
+}
+
+# These files change the behavior of the root account
+(
+  rulename = "Root config files",
+  severity = 100
+)
+{
+     /root                             -> $(SEC_CRIT) ; # Catch all additions to /root
+     /root/.Xresources                 -> $(SEC_CONFIG) ;
+     /root/.bashrc                     -> $(SEC_CONFIG) ;
+     /root/.bash_profile               -> $(SEC_CONFIG) ;
+     /root/.bash_logout                -> $(SEC_CONFIG) ;
+     /root/.cshrc                      -> $(SEC_CONFIG) ;
+     /root/.tcshrc                     -> $(SEC_CONFIG) ;
+    #/root/Mail                        -> $(SEC_CONFIG) ;
+    #/root/mail                        -> $(SEC_CONFIG) ;
+    #/root/.amandahosts                -> $(SEC_CONFIG) ;
+    #/root/.addressbook.lu             -> $(SEC_CONFIG) ;
+    #/root/.addressbook                -> $(SEC_CONFIG) ;
+     /root/.bash_history               -> $(SEC_CONFIG) ;
+    #/root/.elm                        -> $(SEC_CONFIG) ;
+     /root/.esd_auth                   -> $(SEC_CONFIG) ;
+    #/root/.gnome_private              -> $(SEC_CONFIG) ;
+    #/root/.gnome-desktop              -> $(SEC_CONFIG) ;
+     /root/.gnome                      -> $(SEC_CONFIG) ;
+     /root/.ICEauthority               -> $(SEC_CONFIG) ;
+    #/root/.mc                         -> $(SEC_CONFIG) ;
+    #/root/.pinerc                     -> $(SEC_CONFIG) ;
+    #/root/.sawfish                    -> $(SEC_CONFIG) ;
+     /root/.Xauthority                 -> $(SEC_CONFIG) -i ; # Changes Inode number on login
+    #/root/.xauth                      -> $(SEC_CONFIG) ;
+    #/root/.xsession-errors            -> $(SEC_CONFIG) ;
+}
+
+# Critical configuration files.
+
+(
+  rulename = "Critical configuration files",
+  severity = $(SIG_HI)
+)
+{
+    #/etc/conf.linuxconf               -> $(SEC_BIN) ; # legacy
+     /etc/crontab                      -> $(SEC_BIN) ;
+     /etc/cron.hourly                  -> $(SEC_BIN) ;
+     /etc/cron.daily                   -> $(SEC_BIN) ;
+     /etc/cron.weekly                  -> $(SEC_BIN) ;
+     /etc/cron.monthly                 -> $(SEC_BIN) ;
+     /etc/default                      -> $(SEC_BIN) ;
+     /etc/fstab                        -> $(SEC_BIN) ;
+     /etc/exports                      -> $(SEC_BIN) ;
+     /etc/group-                       -> $(SEC_BIN) ;  # changes should be infrequent
+     /etc/host.conf                    -> $(SEC_BIN) ;
+     /etc/hosts.allow                  -> $(SEC_BIN) ;
+     /etc/hosts.deny                   -> $(SEC_BIN) ;
+     /etc/httpd/conf                   -> $(SEC_BIN) ;  # changes should be infrequent
+     /etc/protocols                    -> $(SEC_BIN) ;
+     /etc/services                     -> $(SEC_BIN) ;
+     /etc/rc.d/init.d                  -> $(SEC_BIN) ;
+     /etc/rc.d                         -> $(SEC_BIN) ;
+     /etc/mail.rc                      -> $(SEC_BIN) ;
+     /etc/modules.conf                 -> $(SEC_BIN) ; # post 2.6 legacy
+    #/etc/modprobe.conf                -> $(SEC_BIN) ; # include this for 2.6 kernels
+     /etc/motd                         -> $(SEC_BIN) ;
+     /etc/named.conf                   -> $(SEC_BIN) ;
+     /etc/passwd                       -> $(SEC_CONFIG) ;
+     /etc/passwd-                      -> $(SEC_CONFIG) ;
+     /etc/profile.d                    -> $(SEC_BIN) ;
+     /var/lib/nfs/rmtab                -> $(SEC_BIN) ;
+     /usr/sbin/fixrmtab                -> $(SEC_BIN) ;
+     /etc/rpc                          -> $(SEC_BIN) ;
+     /etc/sysconfig                    -> $(SEC_BIN) ;
+     /etc/samba/smb.conf               -> $(SEC_CONFIG) ;
+    #/etc/gettydefs                    -> $(SEC_BIN) ;
+     /etc/nsswitch.conf                -> $(SEC_BIN) ;
+     /etc/yp.conf                      -> $(SEC_BIN) ;
+     /etc/hosts                        -> $(SEC_CONFIG) ;
+     /etc/xinetd.conf                  -> $(SEC_CONFIG) ;
+     /etc/inittab                      -> $(SEC_CONFIG) ;
+     /etc/resolv.conf                  -> $(SEC_CONFIG) ;
+     /etc/syslog.conf                  -> $(SEC_CONFIG) ;
+}
+
+# Critical devices.
+
+(
+  rulename = "Critical devices",
+  severity = $(SIG_HI),
+  recurse = false
+)
+{
+     /dev/kmem                         -> $(Device) ;
+     /dev/mem                          -> $(Device) ;
+     /dev/null                         -> $(Device) ;
+     /dev/zero                         -> $(Device) ;
+     /proc/devices                     -> $(Device) ;
+     /proc/net                         -> $(Device) ;
+     /proc/sys                         -> $(Device) ;
+     /proc/cpuinfo                     -> $(Device) ;
+     /proc/modules                     -> $(Device) ;
+     /proc/mounts                      -> $(Device) ;
+     /proc/dma                         -> $(Device) ;
+     /proc/filesystems                 -> $(Device) ;
+     /proc/pci                         -> $(Device) ;
+     /proc/interrupts                  -> $(Device) ;
+     /proc/driver/rtc                  -> $(Device) ;
+     /proc/ioports                     -> $(Device) ;
+     /proc/scsi                        -> $(Device) ;
+     /proc/kcore                       -> $(Device) ;
+     /proc/self                        -> $(Device) ;
+     /proc/kmsg                        -> $(Device) ;
+     /proc/stat                        -> $(Device) ;
+     /proc/ksyms                       -> $(Device) ;
+     /proc/loadavg                     -> $(Device) ;
+     /proc/uptime                      -> $(Device) ;
+     /proc/locks                       -> $(Device) ;
+     /proc/version                     -> $(Device) ;
+     /proc/mdstat                      -> $(Device) ;
+     /proc/meminfo                     -> $(Device) ;
+     /proc/cmdline                     -> $(Device) ;
+     /proc/misc                        -> $(Device) ;
+}
+
+# Rest of critical system binaries
+(
+  rulename = "OS executables and libraries",
+  severity = $(SIG_HI)
+)
+{
+     /bin                              -> $(SEC_BIN) ;
+     /lib                              -> $(SEC_BIN) ;
+}
+
+# disabled-entries: 184
+
+# license:
+#=============================================================================
+#
+# Copyright 2000 Tripwire, Inc. Tripwire is a registered trademark of Tripwire,
+# Inc. in the United States and other countries. All rights reserved.
+#
+# Linux is a registered trademark of Linus Torvalds.
+#
+# UNIX is a registered trademark of The Open Group.
+#
+#=============================================================================
+#
+# Permission is granted to make and distribute verbatim copies of this document
+# provided the copyright notice and this permission notice are preserved on all
+# copies.
+#
+# Permission is granted to copy and distribute modified versions of this
+# document under the conditions for verbatim copying, provided that the entire
+# resulting derived work is distributed under the terms of a permission notice
+# identical to this one.
+#
+# Permission is granted to copy and distribute translations of this document
+# into another language, under the above conditions for modified versions,
+# except that this permission notice may be stated in a translation approved by
+# Tripwire, Inc.
+#
+# DCM
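Review bot: in the "Critical configuration files" rule, /etc/modules.conf is an active entry while /etc/modprobe.conf is commented out, even though the hunk's own comments mark the first as "post 2.6 legacy" and the second as "include this for 2.6 kernels". If this package targets a 2.6 kernel, swap the two, so that the module configuration the system actually reads is the one being watched and the integrity check does not report a missing file on every run. The same question applies in "Critical devices" to /proc/ksyms, which 2.6 kernels replaced with /proc/kallsyms; comment it out with a "# legacy" tag the way other legacy entries in this file are handled.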


Index: .cvsignore
===================================================================
RCS file: /cvs/extras/rpms/tripwire/devel/.cvsignore,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- .cvsignore	22 Dec 2006 04:44:31 -0000	1.4
+++ .cvsignore	22 Dec 2006 04:47:55 -0000	1.5
@@ -0,0 +1 @@
+tripwire-2.4.0.1-src.tar.bz2


Index: sources
===================================================================
RCS file: /cvs/extras/rpms/tripwire/devel/sources,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- sources	22 Dec 2006 04:44:31 -0000	1.4
+++ sources	22 Dec 2006 04:47:55 -0000	1.5
@@ -0,0 +1 @@
+b371f79ac23cacc9ad40b1da76b4a0c4  tripwire-2.4.0.1-src.tar.bz2
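Review bot: the single line added to sources identifies tripwire-2.4.0.1-src.tar.bz2 by a 128-bit digest alone (32 hex digits, md5sum layout), and nothing else in this import says how the tarball was checked against upstream. If the file format cannot carry more than this, record in the commit message or the spec how the download was verified (upstream signature or a stronger hash), so that the digest pinned here can be traced back to a verified tarball.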


--- import.log DELETED ---



