#
# Basic TripWire Policy File
# $Id: twpol.txt,v 1.1 2001/12/20 14:24:12 cvs Exp $
# Miguel Armas <kuko@ulpgc.es>
#
# PICA Info
# Object: <#$picaobj#> for host: <#$picahost#>
#

##################################

@@section GLOBAL
# Installation layout; referenced as $(TWBIN), $(TWPOL), $(TWDB), ... by the
# FS rules below.  TWROOT is not referenced by any rule in this file.
# Site and local keys share /etc/tripwire with the signed policy and config,
# so the "Tripwire Data Files" rule covers all four with one directory prefix.
TWROOT=/usr/sbin;
TWBIN=/usr/sbin;
TWPOL="/etc/tripwire";
TWDB="/var/lib/tripwire";
TWSKEY="/etc/tripwire";
TWLKEY="/etc/tripwire";
TWREPORT="/var/lib/tripwire/report";

@@section FS
# Property masks used by the rules below, built from Tripwire's predefined
# masks.  Letters: p perms, i inode, n link count, u owner, g group, t type,
# s size, d device, b blocks, a atime, m mtime, c ctime, l growing,
# C CRC-32, M MD5, S SHA-1, H HAVAL.
# NOTE(review): "-SHa" drops the SHA-1 and HAVAL hashes (and atime), leaving
# CRC-32 and MD5 as the only content checks on the critical set -- presumably
# a speed trade-off; "-Ha" would keep SHA-1 on these files.
SEC_CRIT      = $(IgnoreNone)-SHa ;  # Critical files that cannot change
SEC_SUID      = $(IgnoreNone)-SHa ;  # Binaries with the SUID or SGID flags set
                                     # (same mask as SEC_CRIT; no rule below uses it)
SEC_BIN       = $(ReadOnly) ;        # Binaries that should not change
SEC_CONFIG    = $(Dynamic) ;         # Config files that are changed infrequently but accessed often
                                     # NOTE: $(Dynamic) checks metadata only (perms, inode, links,
                                     # owner, group, type, device); size, timestamps and all hashes
                                     # are ignored, so an in-place content edit is not reported
SEC_LOG       = $(Growing) ;         # Files that grow, but that should never change ownership
                                     # (no rule below uses it)
SEC_INVARIANT = +tpug ;              # Directories that should never change permission or ownership
SIG_LOW       = 33 ;                 # Non-critical files that are of minimal security impact
SIG_MED       = 66 ;                 # Non-critical files that are of significant security impact
SIG_HI        = 100 ;                # Critical files that are significant points of vulnerability


# Tripwire Binaries
# NOTE(review): $(TWBIN) is /usr/sbin, which the "System Binaries" rule below
# covers with $(SEC_CRIT).  The more specific object entry should take
# precedence in Tripwire, so these four binaries end up checked with
# $(SEC_BIN) ($(ReadOnly)) rather than the stricter mask -- confirm that is
# intended.
(
  rulename = "Tripwire Binaries",
  severity = $(SIG_HI)
)
{
  $(TWBIN)/siggen                      -> $(SEC_BIN) ;
  $(TWBIN)/tripwire                    -> $(SEC_BIN) ;
  $(TWBIN)/twadmin                     -> $(SEC_BIN) ;
  $(TWBIN)/twprint                     -> $(SEC_BIN) ;
}

# Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases
# Only the signed/encrypted artefacts (tw.pol, tw.cfg, the two keys) are
# listed.  The cleartext sources (this twpol.txt and twcfg.txt) are not
# tracked; they are normally removed from the host once signed.
(
  rulename = "Tripwire Data Files",
  severity = $(SIG_HI)
)
{
  # NOTE: We remove the inode attribute because when Tripwire creates a backup,
  # it does so by renaming the old file and creating a new one (which will
  # have a new inode number).  Inode is left turned on for keys, which shouldn't
  # ever change.

  # NOTE: The first integrity check triggers this rule and each integrity check
  # afterward triggers this rule until a database update is run, since the
  # database file does not exist before that point.

  $(TWDB)                              -> $(SEC_CONFIG) -i ;
  $(TWPOL)/tw.pol                      -> $(SEC_BIN) -i ;
  $(TWPOL)/tw.cfg                      -> $(SEC_BIN) -i ;
  # Keys use the full $(ReadOnly) mask, inode included, as the NOTE above says.
  $(TWLKEY)/local.key                  -> $(SEC_BIN) ;
  $(TWSKEY)/site.key                   -> $(SEC_BIN) ;

  #don't scan the individual reports
  $(TWREPORT)                          -> $(SEC_CONFIG) (recurse=0) ;
}

# Commonly accessed directories that should remain static with regards to owner and group
# $(SEC_INVARIANT) (+tpug) checks type, permissions, owner and group only, and
# recurse = 0 limits the check to the directory entry itself; the contents of
# /, /home and /etc are not examined by this rule (parts of /etc are covered by
# the more specific rules below).
(
  rulename = "Invariant Directories",
  severity = $(SIG_MED)
)
{
  /                                    -> $(SEC_INVARIANT) (recurse = 0) ;
  /home                                -> $(SEC_INVARIANT) (recurse = 0) ;
  /etc                                 -> $(SEC_INVARIANT) (recurse = 0) ;
}

################################
# System Binaries Directories  #
################################
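# Everything under the standard binary directories is tracked with the
# strictest mask, $(SEC_CRIT): any content, metadata or inode change is
# reported.  The rulename is what reports show and what "tripwire --check -R"
# selects, so keep the spelling stable; like any policy edit, a change here
# needs the policy re-signed (see the reminder at the end of this file).
(
  rulename = "System Binaries Directories",
  severity = $(SIG_HI)
)
{
  /bin                          -> $(SEC_CRIT) ;
  /sbin                         -> $(SEC_CRIT) ;
  /usr/bin                      -> $(SEC_CRIT) ;
  /usr/sbin                     -> $(SEC_CRIT) ;
  /usr/local/bin                -> $(SEC_CRIT) ;
  /usr/local/sbin               -> $(SEC_CRIT) ;
}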

####################
# System Libraries #
####################
(
  rulename = "Libraries",
  severity = $(SIG_MED)
)
{
  # NOTE(review): a replaced shared library is loaded by every binary that
  # links it, so its impact matches the $(SIG_HI) "System Binaries" rule.
  # The $(SIG_MED) here affects how the change is reported (ordering and
  # --severity threshold), not whether it is detected -- confirm the lower
  # level is deliberate.
  /lib                                 -> $(SEC_BIN) ;
  /usr/lib                             -> $(SEC_BIN) ;
  /usr/local/lib                       -> $(SEC_BIN) ;
}

#######################
# Networking Scripts  #
#######################
(
  rulename = "Networking Scripts",
  severity = $(SIG_HI)
)
{
  # Interface and route definitions are executed as root at boot, so the
  # whole tree gets the strictest mask.  This entry is more specific than
  # the /etc/sysconfig entry in "Critical configuration files" and should
  # take precedence for this subtree -- confirm.
  /etc/sysconfig/network-scripts          -> $(SEC_CRIT) ;
}

#########################
# Temporary directories #
#########################
(
  rulename = "Temporary directories",
  recurse = false,
  severity = $(SIG_LOW)
)
{
  # recurse = false at rule level: only the directory entries themselves are
  # checked (type, permissions, owner, group via +tpug); their contents are
  # volatile and deliberately not examined.
  /usr/tmp                             -> $(SEC_INVARIANT) ;
  /var/tmp                             -> $(SEC_INVARIANT) ;
  /tmp                                 -> $(SEC_INVARIANT) ;
}

################################
# Critical Configuration Files #
################################
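# Account and access-control databases.  All use $(SEC_CRIT), so any content
# or metadata change is reported; a report after an intentional group or
# password change is expected and is cleared by a database update.
(
  rulename = "Security Control",
  severity = $(SIG_HI)
)
{
  /etc/group                           -> $(SEC_CRIT) ;
  # Password hashes live in /etc/shadow; it is not listed elsewhere in this
  # policy.  Tripwire warns (does not fail) if the file is absent on a host
  # without shadow passwords.
  /etc/shadow                          -> $(SEC_CRIT) ;
  /etc/security                        -> $(SEC_CRIT) ;
  #/etc/gshadow                         -> $(SEC_CRIT) ; # Uncomment when this file exists
  #/etc/sudoers                         -> $(SEC_CRIT) ; # Uncomment when this file exists
  #/var/spool/cron/crontabs             -> $(SEC_CRIT) ; # Uncomment when this file exists
}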

#######################
# System Boot Scripts #
#######################
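(
  rulename = "Boot Scripts",
  severity = $(SIG_HI)
)
{
  /etc/rc.d/rc                          -> $(SEC_CRIT) ;
  /etc/rc.d/rc.sysinit                  -> $(SEC_CRIT) ;
  # rc.local and the init.d scripts run as root at every boot, so their
  # content must be checked.  $(SEC_CONFIG) ($(Dynamic)) checks metadata
  # only and would miss an in-place edit; $(SEC_BIN) ($(ReadOnly)) adds
  # size, mtime, CRC-32 and MD5.  Expect a report after package updates
  # that replace init scripts; clear it with a database update.
  /etc/rc.d/rc.local                    -> $(SEC_BIN) ;
  /etc/rc.d/init.d                      -> $(SEC_BIN) (recurse = 1);
}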

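# These files change the behavior of the root account, so an in-place edit
# must be detected: they use $(SEC_BIN) ($(ReadOnly): size, mtime, CRC-32
# and MD5 checked) rather than $(SEC_CONFIG) ($(Dynamic), metadata only).
# Severity uses the shared $(SIG_HI) symbol like every other rule here.
(
  rulename = "Root config files",
  severity = $(SIG_HI)
)
{
     /root/.profile                     -> $(SEC_BIN) ;
     /root/.bash_profile                -> $(SEC_BIN) ;
     /root/.bashrc                      -> $(SEC_BIN) ;
     /root/.cshrc                       -> $(SEC_BIN) ;
     /root/.tcshrc                      -> $(SEC_BIN) ;
     /root/.Xresources                  -> $(SEC_BIN) ;
}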

################################
# Critical configuration files #
################################
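# Most entries use $(SEC_BIN) ($(ReadOnly)), which checks content (size,
# mtime, CRC-32, MD5) as well as metadata.  The few $(SEC_CONFIG) entries
# change during normal operation and are checked for metadata only.
(
  rulename = "Critical configuration files",
  severity = $(SIG_HI)
)
{
     /etc/crontab                      -> $(SEC_BIN) ;
     /etc/cron.hourly                  -> $(SEC_BIN) ;
     /etc/cron.daily                   -> $(SEC_BIN) ;
     /etc/cron.weekly                  -> $(SEC_BIN) ;
     /etc/cron.monthly                 -> $(SEC_BIN) ;
     /etc/default                      -> $(SEC_BIN) ;
     /etc/fstab                        -> $(SEC_BIN) ;
     /etc/exports                      -> $(SEC_BIN) ;
     /etc/group-                       -> $(SEC_BIN) ;  # changes should be infrequent
     /etc/host.conf                    -> $(SEC_BIN) ;
     /etc/hosts.allow                  -> $(SEC_BIN) ;
     /etc/hosts.deny                   -> $(SEC_BIN) ;
     /etc/httpd/conf                   -> $(SEC_BIN) ;  # changes should be infrequent
     /etc/protocols                    -> $(SEC_BIN) ;
     /etc/services                     -> $(SEC_BIN) ;
     /etc/mail.rc                      -> $(SEC_BIN) ;
     /etc/modules.conf                 -> $(SEC_BIN) ;
     #/etc/motd                         -> $(SEC_BIN) ;
     #/etc/named.conf                   -> $(SEC_BIN) ;
     # NOTE: $(Dynamic) ignores size and hashes.  A tool that rewrites the
     # file typically changes its inode and is caught; an in-place append
     # is not.  Kept dynamic because the account database changes during
     # normal operation; the password hashes themselves are in /etc/shadow,
     # which this rule does not list.
     /etc/passwd                       -> $(SEC_CONFIG) ;
     /etc/passwd-                      -> $(SEC_CONFIG) ;
     /etc/profile.d                    -> $(SEC_BIN) ;
     #/var/lib/nfs/rmtab                -> $(SEC_BIN) ;
     /etc/rpc                          -> $(SEC_BIN) ;
     /etc/sysconfig                    -> $(SEC_BIN) ;
     #/etc/samba/smb.conf               -> $(SEC_CONFIG) ;
     #/etc/gettydefs                    -> $(SEC_BIN) ;
     /etc/nsswitch.conf                -> $(SEC_BIN) ;
     /etc/yp.conf                      -> $(SEC_BIN) ;
     /etc/hosts                        -> $(SEC_CONFIG) ;
     # Service, init and logging configuration is edited only by an admin and
     # is content-checked so that an in-place edit (e.g. a log destination
     # silently removed from syslog.conf) is reported.  resolv.conf may be
     # rewritten by the network layer and stays metadata-only.
     /etc/xinetd.conf                  -> $(SEC_BIN) ;
     /etc/inittab                      -> $(SEC_BIN) ;
     /etc/resolv.conf                  -> $(SEC_CONFIG) ;
     /etc/syslog.conf                  -> $(SEC_BIN) ;
}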

##################
# System Devices #
##################
(
  rulename = "System devices",
  severity = $(SIG_HI),
  recurse = true
)
{
     # $(Device) checks permissions, owner, group, size and device numbers --
     # not timestamps or hashes -- which is what matters for device nodes
     # (e.g. a disk or memory device made world-readable/writable).
     /dev                              -> $(Device) ;
     # /proc is a virtual, constantly changing filesystem; keep it excluded.
     #/proc                             -> $(Device) ;
}

#perl

# PICA pre-processing hook (between the "#perl" and "#lrep" markers): prints
# a reminder to the operator when the template is rendered.
# NOTE(review): presumably the block's value ("") replaces it in the rendered
# policy, so nothing is inserted here -- confirm against the PICA template rules.
print <<__EOF__;
***********************************************
NOTE: Remember to run twadmin -m P twpol.txt!!!
***********************************************
__EOF__
"";
#lrep
