Lines 1-926
1 |
############################################################################## |
1 |
############################################################################## |
2 |
# ## |
2 |
# ## |
3 |
############################################################################## # |
3 |
############################################################################## # |
4 |
# # # |
4 |
# # # |
5 |
# Policy file for RedHat Linux 7.0 # # |
5 |
# Policy file for Gentoo Linux # # |
6 |
# V1.0.0 # # |
6 |
# tripwire-2.3.1.2-r1 # # |
7 |
# July 18, 2000 # # |
7 |
# December 6, 2004 # # |
8 |
# ## |
8 |
# ## |
9 |
############################################################################## |
9 |
############################################################################## |
10 |
|
10 |
|
11 |
|
11 |
|
12 |
############################################################################## |
12 |
############################################################################## |
13 |
# ## |
13 |
# ## |
14 |
############################################################################## # |
14 |
############################################################################## # |
15 |
# # # |
15 |
# # # |
16 |
# This is the example Tripwire Policy file. It is intended as a place to # # |
16 |
# This is the example Tripwire Policy file. It is intended as a place to # # |
17 |
# start creating your own custom Tripwire Policy file. Referring to it as # # |
17 |
# start creating your own custom Tripwire Policy file. Referring to it as # # |
18 |
# well as the Tripwire Policy Guide should give you enough information to # # |
18 |
# well as the Tripwire Policy Guide should give you enough information to # # |
19 |
# make a good custom Tripwire Policy file that better covers your # # |
19 |
# make a good custom Tripwire Policy file that better covers your # # |
20 |
# configuration and security needs. A text version of this policy file is # # |
20 |
# configuration and security needs. A text version of this policy file is # # |
21 |
# called twpol.txt. # # |
21 |
# called twpol.txt. # # |
22 |
# # # |
22 |
# # # |
23 |
# Note that this file is tuned to an 'everything' install of RedHat Linux # # |
23 |
# Note that this file is tuned to an 'default' install Gentoo Linux. # # |
24 |
# 7.0. If run unmodified, this file should create no errors on database # # |
24 |
# If run unmodified, this file should create no errors on database # # |
25 |
# creation, or violations on a subsiquent integrity check. However, it is # # |
25 |
# creation, or violations on a subsequent integrity check. However, it is # # |
26 |
# impossible for there to be one policy file for all machines, so this # # |
26 |
# impossible for there to be one policy file for all machines, so this # # |
27 |
# existing one errs on the side of security. Your Linux configuration will # # |
27 |
# existing one errs on the side of security. Your Linux configuration will # # |
28 |
# most likey differ from the one our policy file was tuned to, and will # # |
28 |
# most likey differ from the one our policy file was tuned to, and will # # |
29 |
# therefore require some editing of the default Tripwire Policy file. # # |
29 |
# therefore require some editing of the default Tripwire Policy file. # # |
30 |
# # # |
30 |
# # # |
31 |
# The example policy file is best run with 'Loose Directory Checking' # # |
31 |
# The example policy file is best run with 'Loose Directory Checking' # # |
32 |
# enabled. Set LOOSEDIRECTORYCHECKING=TRUE in the Tripwire Configuration # # |
32 |
# enabled. Set LOOSEDIRECTORYCHECKING=TRUE in the Tripwire Configuration # # |
33 |
# file. # # |
33 |
# file. # # |
34 |
# # # |
34 |
# # # |
35 |
# Email support is not included and must be added to this file. # # |
35 |
# Email support is not included and must be added to this file. # # |
36 |
# Add the 'emailto=' to the rule directive section of each rule (add a comma # # |
36 |
# Add the 'emailto=' to the rule directive section of each rule (add a comma # # |
37 |
# after the 'severity=' line and add an 'emailto=' and include the email # # |
37 |
# after the 'severity=' line and add an 'emailto=' and include the email # # |
38 |
# addresses you want the violation reports to go to). Addresses are # # |
38 |
# addresses you want the violation reports to go to). Addresses are # # |
39 |
# semi-colon delimited. # # |
39 |
# semi-colon delimited. # # |
40 |
# ## |
40 |
# ## |
41 |
############################################################################## |
41 |
############################################################################## |
42 |
|
42 |
|
43 |
|
43 |
|
44 |
|
44 |
|
45 |
############################################################################## |
45 |
############################################################################## |
46 |
# ## |
46 |
# ## |
47 |
############################################################################## # |
47 |
############################################################################## # |
48 |
# # # |
48 |
# # # |
49 |
# Global Variable Definitions # # |
49 |
# Global Variable Definitions # # |
50 |
# # # |
50 |
# # # |
51 |
# These are defined at install time by the installation script. You may # # |
51 |
# These are defined at install time by the installation script. You may # # |
52 |
# Manually edit these if you are using this file directly and not from the # # |
52 |
# Manually edit these if you are using this file directly and not from the # # |
53 |
# installation script itself. # # |
53 |
# installation script itself. # # |
54 |
# ## |
54 |
# ## |
55 |
############################################################################## |
55 |
############################################################################## |
56 |
|
56 |
|
57 |
@@section GLOBAL |
57 |
@@section GLOBAL |
58 |
TWROOT=; |
58 |
TWROOT=/usr/sbin; |
59 |
TWBIN=; |
59 |
TWBIN=/usr/sbin; |
60 |
TWPOL=; |
60 |
TWPOL="/etc/tripwire"; |
61 |
TWDB=; |
61 |
TWDB="/var/lib/tripwire"; |
62 |
TWSKEY=; |
62 |
TWSKEY="/etc/tripwire"; |
63 |
TWLKEY=; |
63 |
TWLKEY="/etc/tripwire"; |
64 |
TWREPORT=; |
64 |
TWREPORT="/var/lib/tripwire/report"; |
65 |
HOSTNAME=; |
65 |
HOSTNAME=vyvyan; |
66 |
|
66 |
|
67 |
@@section FS |
67 |
@@section FS |
68 |
SEC_CRIT = $(IgnoreNone)-SHa ; # Critical files that cannot change |
68 |
SEC_CRIT = $(IgnoreNone)-SHa ; # Critical files that cannot change |
69 |
SEC_SUID = $(IgnoreNone)-SHa ; # Binaries with the SUID or SGID flags set |
69 |
SEC_SUID = $(IgnoreNone)-SHa ; # Binaries with the SUID or SGID flags set |
70 |
SEC_BIN = $(ReadOnly) ; # Binaries that should not change |
70 |
SEC_BIN = $(ReadOnly) ; # Binaries that should not change |
71 |
SEC_CONFIG = $(Dynamic) ; # Config files that are changed infrequently but accessed often |
71 |
SEC_CONFIG = $(Dynamic) ; # Config files that are changed infrequently but accessed often |
72 |
SEC_LOG = $(Growing) ; # Files that grow, but that should never change ownership |
72 |
SEC_LOG = $(Growing) ; # Files that grow, but that should never change ownership |
73 |
SEC_INVARIANT = +tpug ; # Directories that should never change permission or ownership |
73 |
SEC_INVARIANT = +tpug ; # Directories that should never change permission or ownership |
74 |
SIG_LOW = 33 ; # Non-critical files that are of minimal security impact |
74 |
SIG_LOW = 33 ; # Non-critical files that are of minimal security impact |
75 |
SIG_MED = 66 ; # Non-critical files that are of significant security impact |
75 |
SIG_MED = 66 ; # Non-critical files that are of significant security impact |
76 |
SIG_HI = 100 ; # Critical files that are significant points of vulnerability |
76 |
SIG_HI = 100 ; # Critical files that are significant points of vulnerability |
77 |
|
77 |
|
78 |
|
78 |
|
79 |
# Tripwire Binaries |
79 |
# Tripwire Binaries |
80 |
( |
80 |
( |
81 |
rulename = "Tripwire Binaries", |
81 |
rulename = "Tripwire Binaries", |
82 |
severity = $(SIG_HI) |
82 |
severity = $(SIG_HI) |
83 |
) |
83 |
) |
84 |
{ |
84 |
{ |
85 |
$(TWBIN)/siggen -> $(SEC_BIN) ; |
85 |
$(TWBIN)/siggen -> $(SEC_BIN) ; |
86 |
$(TWBIN)/tripwire -> $(SEC_BIN) ; |
86 |
$(TWBIN)/tripwire -> $(SEC_BIN) ; |
87 |
$(TWBIN)/twadmin -> $(SEC_BIN) ; |
87 |
$(TWBIN)/twadmin -> $(SEC_BIN) ; |
88 |
$(TWBIN)/twprint -> $(SEC_BIN) ; |
88 |
$(TWBIN)/twprint -> $(SEC_BIN) ; |
89 |
} |
89 |
} |
90 |
|
90 |
|
91 |
# Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases |
91 |
# Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases |
92 |
( |
92 |
( |
93 |
rulename = "Tripwire Data Files", |
93 |
rulename = "Tripwire Data Files", |
94 |
severity = $(SIG_HI) |
94 |
severity = $(SIG_HI) |
95 |
) |
95 |
) |
96 |
{ |
96 |
{ |
97 |
# NOTE: We remove the inode attribute because when Tripwire creates a backup, |
97 |
# NOTE: We remove the inode attribute because when Tripwire creates a backup, |
98 |
# it does so by renaming the old file and creating a new one (which will |
98 |
# it does so by renaming the old file and creating a new one (which will |
99 |
# have a new inode number). Inode is left turned on for keys, which shouldn't |
99 |
# have a new inode number). Inode is left turned on for keys, which shouldn't |
100 |
# ever change. |
100 |
# ever change. |
101 |
|
101 |
|
102 |
# NOTE: The first integrity check triggers this rule and each integrity check |
102 |
# NOTE: The first integrity check triggers this rule and each integrity check |
103 |
# afterward triggers this rule until a database update is run, since the |
103 |
# afterward triggers this rule until a database update is run, since the |
104 |
# database file does not exist before that point. |
104 |
# database file does not exist before that point. |
105 |
|
105 |
|
106 |
$(TWDB) -> $(SEC_CONFIG) -i ; |
106 |
$(TWDB) -> $(SEC_CONFIG) -i ; |
107 |
$(TWPOL)/tw.pol -> $(SEC_BIN) -i ; |
107 |
$(TWPOL)/tw.pol -> $(SEC_BIN) -i ; |
108 |
$(TWPOL)/tw.cfg -> $(SEC_BIN) -i ; |
108 |
$(TWPOL)/tw.cfg -> $(SEC_BIN) -i ; |
109 |
$(TWLKEY)/$(HOSTNAME)-local.key -> $(SEC_BIN) ; |
109 |
$(TWLKEY)/$(HOSTNAME)-local.key -> $(SEC_BIN) ; |
110 |
$(TWSKEY)/site.key -> $(SEC_BIN) ; |
110 |
$(TWSKEY)/site.key -> $(SEC_BIN) ; |
111 |
|
111 |
|
112 |
#don't scan the individual reports |
112 |
#don't scan the individual reports |
113 |
$(TWREPORT) -> $(SEC_CONFIG) (recurse=0) ; |
113 |
$(TWREPORT) -> $(SEC_CONFIG) (recurse=0) ; |
114 |
} |
114 |
} |
115 |
|
115 |
|
116 |
|
116 |
|
117 |
# Tripwire HQ Connector Binaries |
117 |
# Tripwire HQ Connector Binaries |
118 |
#( |
118 |
#( |
119 |
# rulename = "Tripwire HQ Connector Binaries", |
119 |
# rulename = "Tripwire HQ Connector Binaries", |
120 |
# severity = $(SIG_HI) |
120 |
# severity = $(SIG_HI) |
121 |
#) |
121 |
#) |
122 |
#{ |
122 |
#{ |
123 |
# $(TWBIN)/hqagent -> $(SEC_BIN) ; |
123 |
# $(TWBIN)/hqagent -> $(SEC_BIN) ; |
124 |
#} |
124 |
#} |
125 |
# |
125 |
# |
126 |
# Tripwire HQ Connector - Configuration Files, Keys, and Logs |
126 |
# Tripwire HQ Connector - Configuration Files, Keys, and Logs |
127 |
|
127 |
|
128 |
############################################################################## |
128 |
############################################################################## |
129 |
# ## |
129 |
# ## |
130 |
############################################################################## # |
130 |
############################################################################## # |
131 |
# # # |
131 |
# # # |
132 |
# Note: File locations here are different than in a stock HQ Connector # # |
132 |
# Note: File locations here are different than in a stock HQ Connector # # |
133 |
# installation. This is because Tripwire 2.3 uses a different path # # |
133 |
# installation. This is because Tripwire 2.3 uses a different path # # |
134 |
# structure than Tripwire 2.2.1. # # |
134 |
# structure than Tripwire 2.2.1. # # |
135 |
# # # |
135 |
# # # |
136 |
# You may need to update your HQ Agent configuation file (or this policy # # |
136 |
# You may need to update your HQ Agent configuation file (or this policy # # |
137 |
# file) to correct the paths. We have attempted to support the FHS standard # # |
137 |
# file) to correct the paths. We have attempted to support the FHS standard # # |
138 |
# here by placing the HQ Agent files similarly to the way Tripwire 2.3 # # |
138 |
# here by placing the HQ Agent files similarly to the way Tripwire 2.3 # # |
139 |
# places them. # # |
139 |
# places them. # # |
140 |
# ## |
140 |
# ## |
141 |
############################################################################## |
141 |
############################################################################## |
142 |
|
142 |
|
143 |
#( |
143 |
#( |
144 |
# rulename = "Tripwire HQ Connector Data Files", |
144 |
# rulename = "Tripwire HQ Connector Data Files", |
145 |
# severity = $(SIG_HI) |
145 |
# severity = $(SIG_HI) |
146 |
#) |
146 |
#) |
147 |
#{ |
147 |
#{ |
148 |
# ############################################################################# |
148 |
# ############################################################################# |
149 |
# ############################################################################## |
149 |
# ############################################################################## |
150 |
# # NOTE: Removing the inode attribute because when Tripwire creates a backup ## |
150 |
# # NOTE: Removing the inode attribute because when Tripwire creates a backup ## |
151 |
# # it does so by renaming the old file and creating a new one (which will ## |
151 |
# # it does so by renaming the old file and creating a new one (which will ## |
152 |
# # have a new inode number). Leaving inode turned on for keys, which ## |
152 |
# # have a new inode number). Leaving inode turned on for keys, which ## |
153 |
# # shouldn't ever change. ## |
153 |
# # shouldn't ever change. ## |
154 |
# ############################################################################# |
154 |
# ############################################################################# |
155 |
# |
155 |
# |
156 |
# $(TWBIN)/agent.cfg -> $(SEC_BIN) -i ; |
156 |
# $(TWBIN)/agent.cfg -> $(SEC_BIN) -i ; |
157 |
# $(TWLKEY)/authentication.key -> $(SEC_BIN) ; |
157 |
# $(TWLKEY)/authentication.key -> $(SEC_BIN) ; |
158 |
# $(TWDB)/tasks.dat -> $(SEC_CONFIG) ; |
158 |
# $(TWDB)/tasks.dat -> $(SEC_CONFIG) ; |
159 |
# $(TWDB)/schedule.dat -> $(SEC_CONFIG) ; |
159 |
# $(TWDB)/schedule.dat -> $(SEC_CONFIG) ; |
160 |
# |
160 |
# |
161 |
# # Uncomment if you have agent logging enabled. |
161 |
# # Uncomment if you have agent logging enabled. |
162 |
# #/var/log/tripwire/agent.log -> $(SEC_LOG) ; |
162 |
# #/var/log/tripwire/agent.log -> $(SEC_LOG) ; |
163 |
#} |
163 |
#} |
164 |
|
164 |
|
165 |
|
165 |
|
166 |
|
166 |
|
167 |
# Commonly accessed directories that should remain static with regards to owner and group |
167 |
# Commonly accessed directories that should remain static with regards to owner and group |
168 |
( |
168 |
( |
169 |
rulename = "Invariant Directories", |
169 |
rulename = "Invariant Directories", |
170 |
severity = $(SIG_MED) |
170 |
severity = $(SIG_MED) |
171 |
) |
171 |
) |
172 |
{ |
172 |
{ |
173 |
/ -> $(SEC_INVARIANT) (recurse = 0) ; |
173 |
/ -> $(SEC_INVARIANT) (recurse = 0) ; |
174 |
/home -> $(SEC_INVARIANT) (recurse = 0) ; |
174 |
/home -> $(SEC_INVARIANT) (recurse = 0) ; |
175 |
/etc -> $(SEC_INVARIANT) (recurse = 0) ; |
175 |
/etc -> $(SEC_INVARIANT) (recurse = 0) ; |
176 |
} |
176 |
} |
177 |
################################################ |
177 |
################################################ |
178 |
# ## |
178 |
# ## |
179 |
################################################ # |
179 |
################################################ # |
180 |
# # # |
180 |
# # # |
181 |
# File System and Disk Administration Programs # # |
181 |
# File System and Disk Administration Programs # # |
182 |
# ## |
182 |
# ## |
183 |
################################################ |
183 |
################################################ |
184 |
|
184 |
|
185 |
( |
185 |
( |
186 |
rulename = "File System and Disk Administraton Programs", |
186 |
rulename = "File System and Disk Administraton Programs", |
187 |
severity = $(SIG_HI) |
187 |
severity = $(SIG_HI) |
188 |
) |
188 |
) |
189 |
{ |
189 |
{ |
190 |
/sbin/accton -> $(SEC_CRIT) ; |
190 |
# /sbin/accton -> $(SEC_CRIT) ; |
191 |
/sbin/badblocks -> $(SEC_CRIT) ; |
191 |
/sbin/badblocks -> $(SEC_CRIT) ; |
192 |
/sbin/dosfsck -> $(SEC_CRIT) ; |
192 |
# /sbin/busybox -> $(SEC_CRIT) ; |
193 |
/sbin/e2fsck -> $(SEC_CRIT) ; |
193 |
# /sbin/busybox.anaconda -> $(SEC_CRIT) ; |
194 |
/sbin/debugfs -> $(SEC_CRIT) ; |
194 |
# /sbin/convertquota -> $(SEC_CRIT) ; |
195 |
/sbin/dumpe2fs -> $(SEC_CRIT) ; |
195 |
# /sbin/dosfsck -> $(SEC_CRIT) ; |
196 |
/sbin/dump -> $(SEC_CRIT) ; |
196 |
/sbin/debugfs -> $(SEC_CRIT) ; |
197 |
/sbin/dump.static -> $(SEC_CRIT) ; |
197 |
# /sbin/debugreiserfs -> $(SEC_CRIT) ; |
198 |
/sbin/e2label -> $(SEC_CRIT) ; |
198 |
/sbin/dumpe2fs -> $(SEC_CRIT) ; |
199 |
/sbin/fdisk -> $(SEC_CRIT) ; |
199 |
# /sbin/dump -> $(SEC_CRIT) ; |
200 |
/sbin/fsck -> $(SEC_CRIT) ; |
200 |
# /sbin/dump.static -> $(SEC_CRIT) ; |
201 |
/sbin/fsck.ext2 -> $(SEC_CRIT) ; |
201 |
# /sbin/e2fsadm -> $(SEC_CRIT) ; tune2fs? |
202 |
/sbin/fsck.minix -> $(SEC_CRIT) ; |
202 |
/sbin/e2fsck -> $(SEC_CRIT) ; |
203 |
/sbin/fsck.msdos -> $(SEC_CRIT) ; |
203 |
/sbin/e2label -> $(SEC_CRIT) ; |
204 |
/sbin/ftl_check -> $(SEC_CRIT) ; |
204 |
/sbin/fdisk -> $(SEC_CRIT) ; |
205 |
/sbin/ftl_format -> $(SEC_CRIT) ; |
205 |
/sbin/fsck -> $(SEC_CRIT) ; |
206 |
/sbin/hdparm -> $(SEC_CRIT) ; |
206 |
/sbin/fsck.ext2 -> $(SEC_CRIT) ; |
207 |
/sbin/mkbootdisk -> $(SEC_CRIT) ; |
207 |
/sbin/fsck.ext3 -> $(SEC_CRIT) ; |
208 |
/sbin/mkdosfs -> $(SEC_CRIT) ; |
208 |
/sbin/fsck.minix -> $(SEC_CRIT) ; |
209 |
/sbin/mke2fs -> $(SEC_CRIT) ; |
209 |
# /sbin/fsck.msdos -> $(SEC_CRIT) ; |
210 |
/sbin/mkfs -> $(SEC_CRIT) ; |
210 |
# /sbin/fsck.vfat -> $(SEC_CRIT) ; |
211 |
/sbin/mkfs.ext2 -> $(SEC_CRIT) ; |
211 |
# /sbin/ftl_check -> $(SEC_CRIT) ; |
212 |
/sbin/mkfs.minix -> $(SEC_CRIT) ; |
212 |
# /sbin/ftl_format -> $(SEC_CRIT) ; |
213 |
/sbin/mkfs.msdos -> $(SEC_CRIT) ; |
213 |
/sbin/hdparm -> $(SEC_CRIT) ; |
214 |
/sbin/mkinitrd -> $(SEC_CRIT) ; |
214 |
#/sbin/lvchange -> $(SEC_CRIT) ; |
215 |
/sbin/mkpv -> $(SEC_CRIT) ; |
215 |
#/sbin/lvcreate -> $(SEC_CRIT) ; |
216 |
/sbin/mkraid -> $(SEC_CRIT) ; |
216 |
#/sbin/lvdisplay -> $(SEC_CRIT) ; |
217 |
/sbin/mkswap -> $(SEC_CRIT) ; |
217 |
#/sbin/lvextend -> $(SEC_CRIT) ; |
218 |
/sbin/mtx -> $(SEC_CRIT) ; |
218 |
#/sbin/lvmchange -> $(SEC_CRIT) ; |
219 |
/sbin/parted -> $(SEC_CRIT) ; |
219 |
#/sbin/lvmcreate_initrd -> $(SEC_CRIT) ; |
220 |
/sbin/pcinitrd -> $(SEC_CRIT) ; |
220 |
#/sbin/lvmdiskscan -> $(SEC_CRIT) ; |
221 |
/sbin/quotacheck -> $(SEC_CRIT) ; |
221 |
#/sbin/lvmsadc -> $(SEC_CRIT) ; |
222 |
/sbin/quotaon -> $(SEC_CRIT) ; |
222 |
#/sbin/lvmsar -> $(SEC_CRIT) ; |
223 |
/sbin/raidstart -> $(SEC_CRIT) ; |
223 |
#/sbin/lvreduce -> $(SEC_CRIT) ; |
224 |
/sbin/resize2fs -> $(SEC_CRIT) ; |
224 |
#/sbin/lvremove -> $(SEC_CRIT) ; |
225 |
/sbin/restore -> $(SEC_CRIT) ; |
225 |
#/sbin/lvrename -> $(SEC_CRIT) ; |
226 |
/sbin/restore.static -> $(SEC_CRIT) ; |
226 |
#/sbin/lvscan -> $(SEC_CRIT) ; |
227 |
/sbin/scsi_info -> $(SEC_CRIT) ; |
227 |
# /sbin/mkbootdisk -> $(SEC_CRIT) ; |
228 |
/sbin/sfdisk -> $(SEC_CRIT) ; |
228 |
# /sbin/mkdosfs -> $(SEC_CRIT) ; |
229 |
/sbin/tapeinfo -> $(SEC_CRIT) ; |
229 |
/sbin/mke2fs -> $(SEC_CRIT) ; |
230 |
/sbin/tune2fs -> $(SEC_CRIT) ; |
230 |
/sbin/mkfs -> $(SEC_CRIT) ; |
231 |
/sbin/update -> $(SEC_CRIT) ; |
231 |
/sbin/mkfs.bfs -> $(SEC_CRIT) ; |
232 |
/bin/mount -> $(SEC_CRIT) ; |
232 |
/sbin/mkfs.ext2 -> $(SEC_CRIT) ; |
233 |
/bin/umount -> $(SEC_CRIT) ; |
233 |
/sbin/mkfs.minix -> $(SEC_CRIT) ; |
234 |
/bin/touch -> $(SEC_CRIT) ; |
234 |
# /sbin/mkfs.msdos -> $(SEC_CRIT) ; |
235 |
/bin/mkdir -> $(SEC_CRIT) ; |
235 |
# /sbin/mkfs.vfat -> $(SEC_CRIT) ; |
236 |
/bin/mknod -> $(SEC_CRIT) ; |
236 |
# /sbin/mkinitrd -> $(SEC_CRIT) ; |
237 |
/bin/mktemp -> $(SEC_CRIT) ; |
237 |
#/sbin/mkpv -> $(SEC_CRIT) ; |
238 |
/bin/rm -> $(SEC_CRIT) ; |
238 |
# /sbin/mkraid -> $(SEC_CRIT) ; |
239 |
/bin/rmdir -> $(SEC_CRIT) ; |
239 |
# /sbin/mkreiserfs -> $(SEC_CRIT) ; |
240 |
/bin/chgrp -> $(SEC_CRIT) ; |
240 |
/sbin/mkswap -> $(SEC_CRIT) ; |
241 |
/bin/chmod -> $(SEC_CRIT) ; |
241 |
#/sbin/mtx -> $(SEC_CRIT) ; |
242 |
/bin/chown -> $(SEC_CRIT) ; |
242 |
# /sbin/pam_console_apply -> $(SEC_CRIT) ; |
243 |
/bin/cp -> $(SEC_CRIT) ; |
243 |
# /sbin/parted -> $(SEC_CRIT) ; |
244 |
/bin/cpio -> $(SEC_CRIT) ; |
244 |
# /sbin/pcinitrd -> $(SEC_CRIT) ; |
245 |
} |
245 |
#/sbin/pvchange -> $(SEC_CRIT) ; |
246 |
|
246 |
#/sbin/pvcreate -> $(SEC_CRIT) ; |
247 |
################################## |
247 |
#/sbin/pvdata -> $(SEC_CRIT) ; |
248 |
# ## |
248 |
#/sbin/pvdisplay -> $(SEC_CRIT) ; |
249 |
################################## # |
249 |
#/sbin/pvmove -> $(SEC_CRIT) ; |
250 |
# # # |
250 |
#/sbin/pvscan -> $(SEC_CRIT) ; |
251 |
# Kernel Administration Programs # # |
251 |
# /sbin/quotacheck -> $(SEC_CRIT) ; |
252 |
# ## |
252 |
# /sbin/quotaon -> $(SEC_CRIT) ; |
253 |
################################## |
253 |
# /sbin/raidstart -> $(SEC_CRIT) ; |
254 |
|
254 |
# /sbin/reiserfsck -> $(SEC_CRIT) ; |
255 |
( |
255 |
/sbin/resize2fs -> $(SEC_CRIT) ; |
256 |
rulename = "Kernel Administration Programs", |
256 |
# /sbin/resize_reiserfs -> $(SEC_CRIT) ; |
257 |
severity = $(SIG_HI) |
257 |
# /sbin/restore -> $(SEC_CRIT) ; |
258 |
) |
258 |
# /sbin/restore.static -> $(SEC_CRIT) ; |
259 |
{ |
259 |
# /sbin/scsi_info -> $(SEC_CRIT) ; |
260 |
/sbin/depmod -> $(SEC_CRIT) ; |
260 |
/sbin/sfdisk -> $(SEC_CRIT) ; |
261 |
/sbin/adjtimex -> $(SEC_CRIT) ; |
261 |
#/usr/sbin/stinit -> $(SEC_CRIT) ; |
262 |
/sbin/ctrlaltdel -> $(SEC_CRIT) ; |
262 |
#/sbin/tapeinfo -> $(SEC_CRIT) ; |
263 |
/sbin/insmod -> $(SEC_CRIT) ; |
263 |
/sbin/tune2fs -> $(SEC_CRIT) ; |
264 |
/sbin/insmod.static -> $(SEC_CRIT) ; |
264 |
# /sbin/unpack -> $(SEC_CRIT) ; |
265 |
/sbin/insmod_ksymoops_clean -> $(SEC_CRIT) ; |
265 |
# /sbin/update -> $(SEC_CRIT) ; |
266 |
/sbin/klogd -> $(SEC_CRIT) ; |
266 |
#/sbin/vgcfgbackup -> $(SEC_CRIT) ; |
267 |
/sbin/ldconfig -> $(SEC_CRIT) ; |
267 |
#/sbin/vgcfgrestore -> $(SEC_CRIT) ; |
268 |
/sbin/minilogd -> $(SEC_CRIT) ; |
268 |
#/sbin/vgchange -> $(SEC_CRIT) ; |
269 |
/sbin/modinfo -> $(SEC_CRIT) ; |
269 |
#/sbin/vgck -> $(SEC_CRIT) ; |
270 |
/sbin/sysctl -> $(SEC_CRIT) ; |
270 |
#/sbin/vgcreate -> $(SEC_CRIT) ; |
271 |
} |
271 |
#/sbin/vgdisplay -> $(SEC_CRIT) ; |
272 |
|
272 |
#/sbin/vgexport -> $(SEC_CRIT) ; |
273 |
####################### |
273 |
#/sbin/vgextend -> $(SEC_CRIT) ; |
274 |
# ## |
274 |
#/sbin/vgimport -> $(SEC_CRIT) ; |
275 |
####################### # |
275 |
#/sbin/vgmerge -> $(SEC_CRIT) ; |
276 |
# # # |
276 |
#/sbin/vgmknodes -> $(SEC_CRIT) ; |
277 |
# Networking Programs # # |
277 |
#/sbin/vgreduce -> $(SEC_CRIT) ; |
278 |
# ## |
278 |
#/sbin/vgremove -> $(SEC_CRIT) ; |
279 |
####################### |
279 |
#/sbin/vgrename -> $(SEC_CRIT) ; |
280 |
|
280 |
#/sbin/vgscan -> $(SEC_CRIT) ; |
281 |
( |
281 |
#/sbin/vgsplit -> $(SEC_CRIT) ; |
282 |
rulename = "Networking Programs", |
282 |
/bin/chgrp -> $(SEC_CRIT) ; |
283 |
severity = $(SIG_HI) |
283 |
/bin/chmod -> $(SEC_CRIT) ; |
284 |
) |
284 |
/bin/chown -> $(SEC_CRIT) ; |
285 |
{ |
285 |
/bin/cp -> $(SEC_CRIT) ; |
286 |
/sbin/arp -> $(SEC_CRIT) ; |
286 |
# /bin/cpio -> $(SEC_CRIT) ; |
287 |
/sbin/dhcpcd -> $(SEC_CRIT) ; |
287 |
/bin/mount -> $(SEC_CRIT) ; |
288 |
/sbin/getty -> $(SEC_CRIT) ; |
288 |
/bin/umount -> $(SEC_CRIT) ; |
289 |
/sbin/ifcfg -> $(SEC_CRIT) ; |
289 |
/bin/mkdir -> $(SEC_CRIT) ; |
290 |
/sbin/ifconfig -> $(SEC_CRIT) ; |
290 |
/bin/mknod -> $(SEC_CRIT) ; |
291 |
/sbin/ifdown -> $(SEC_CRIT) ; |
291 |
/bin/mktemp -> $(SEC_CRIT) ; |
292 |
/sbin/ifenslave -> $(SEC_CRIT) ; |
292 |
/bin/rm -> $(SEC_CRIT) ; |
293 |
/sbin/ifport -> $(SEC_CRIT) ; |
293 |
/bin/rmdir -> $(SEC_CRIT) ; |
294 |
/sbin/ifup -> $(SEC_CRIT) ; |
294 |
/bin/touch -> $(SEC_CRIT) ; |
295 |
/sbin/ifuser -> $(SEC_CRIT) ; |
295 |
} |
296 |
/sbin/ip -> $(SEC_CRIT) ; |
296 |
|
297 |
/sbin/ipchains -> $(SEC_CRIT) ; |
297 |
################################## |
298 |
/sbin/ipchains-restore -> $(SEC_CRIT) ; |
298 |
# ## |
299 |
/sbin/ipchains-save -> $(SEC_CRIT) ; |
299 |
################################## # |
300 |
/sbin/ipfwadm -> $(SEC_CRIT) ; |
300 |
# # # |
301 |
/sbin/ipmaddr -> $(SEC_CRIT) ; |
301 |
# Kernel Administration Programs # # |
302 |
/sbin/iptables -> $(SEC_CRIT) ; |
302 |
# ## |
303 |
/sbin/iptunnel -> $(SEC_CRIT) ; |
303 |
################################## |
304 |
/sbin/ipx_configure -> $(SEC_CRIT) ; |
304 |
|
305 |
/sbin/ipx_interface -> $(SEC_CRIT) ; |
305 |
( |
306 |
/sbin/ipx_internal_net -> $(SEC_CRIT) ; |
306 |
rulename = "Kernel Administration Programs", |
307 |
/sbin/iwconfig -> $(SEC_CRIT) ; |
307 |
severity = $(SIG_HI) |
308 |
/sbin/iwpriv -> $(SEC_CRIT) ; |
308 |
) |
309 |
/sbin/iwspy -> $(SEC_CRIT) ; |
309 |
{ |
310 |
/sbin/netreport -> $(SEC_CRIT) ; |
310 |
# /sbin/adjtimex -> $(SEC_CRIT) ; |
311 |
/sbin/plipconfig -> $(SEC_CRIT) ; |
311 |
/sbin/ctrlaltdel -> $(SEC_CRIT) ; |
312 |
/sbin/portmap -> $(SEC_CRIT) ; |
312 |
/sbin/depmod -> $(SEC_CRIT) ; |
313 |
/sbin/ppp-watch -> $(SEC_CRIT) ; |
313 |
/sbin/insmod -> $(SEC_CRIT) ; |
314 |
/sbin/rarp -> $(SEC_CRIT) ; |
314 |
/sbin/insmod.static -> $(SEC_CRIT) ; |
315 |
/sbin/route -> $(SEC_CRIT) ; |
315 |
/sbin/insmod_ksymoops_clean -> $(SEC_CRIT) ; |
316 |
/sbin/slattach -> $(SEC_CRIT) ; |
316 |
# /sbin/klogd -> $(SEC_CRIT) ; |
317 |
/sbin/uugetty -> $(SEC_CRIT) ; |
317 |
/sbin/ldconfig -> $(SEC_CRIT) ; |
318 |
/sbin/vgetty -> $(SEC_CRIT) ; |
318 |
# /sbin/minilogd -> $(SEC_CRIT) ; |
319 |
/sbin/ypbind -> $(SEC_CRIT) ; |
319 |
/sbin/modinfo -> $(SEC_CRIT) ; |
320 |
/bin/ping -> $(SEC_CRIT) ; |
320 |
#/sbin/nuactlun -> $(SEC_CRIT) ; |
321 |
} |
321 |
#/sbin/nuscsitcpd -> $(SEC_CRIT) ; |
322 |
|
322 |
/sbin/pivot_root -> $(SEC_CRIT) ; |
323 |
################################## |
323 |
# /sbin/sndconfig -> $(SEC_CRIT) ; |
324 |
# ## |
324 |
/sbin/sysctl -> $(SEC_CRIT) ; |
325 |
################################## # |
325 |
} |
326 |
# # # |
326 |
|
327 |
# System Administration Programs # # |
327 |
####################### |
328 |
# ## |
328 |
# ## |
329 |
################################## |
329 |
####################### # |
330 |
|
330 |
# # # |
331 |
( |
331 |
# Networking Programs # # |
332 |
rulename = "System Administration Programs", |
332 |
# ## |
333 |
severity = $(SIG_HI) |
333 |
####################### |
334 |
) |
334 |
|
335 |
{ |
335 |
( |
336 |
/sbin/chkconfig -> $(SEC_CRIT) ; |
336 |
rulename = "Networking Programs", |
337 |
/sbin/fuser -> $(SEC_CRIT) ; |
337 |
severity = $(SIG_HI) |
338 |
/sbin/halt -> $(SEC_CRIT) ; |
338 |
) |
339 |
/sbin/init -> $(SEC_CRIT) ; |
339 |
{ |
340 |
/sbin/initlog -> $(SEC_CRIT) ; |
340 |
|
341 |
/sbin/killall5 -> $(SEC_CRIT) ; |
341 |
/bin/ping -> $(SEC_CRIT) ; |
342 |
/sbin/linuxconf -> $(SEC_CRIT) ; |
342 |
/sbin/agetty -> $(SEC_CRIT) ; |
343 |
/sbin/linuxconf-auth -> $(SEC_CRIT) ; |
343 |
/sbin/arp -> $(SEC_CRIT) ; |
344 |
/sbin/pwdb_chkpwd -> $(SEC_CRIT) ; |
344 |
/sbin/arping -> $(SEC_CRIT) ; |
345 |
/sbin/remadmin -> $(SEC_CRIT) ; |
345 |
/sbin/dhcpcd -> $(SEC_CRIT) ; |
346 |
/sbin/rescuept -> $(SEC_CRIT) ; |
346 |
/usr/sbin/ether-wake -> $(SEC_CRIT) ; |
347 |
/sbin/rmt -> $(SEC_CRIT) ; |
347 |
#/sbin/getty -> $(SEC_CRIT) ; |
348 |
/sbin/rpc.lockd -> $(SEC_CRIT) ; |
348 |
# /sbin/ifcfg -> $(SEC_CRIT) ; |
349 |
/sbin/rpc.statd -> $(SEC_CRIT) ; |
349 |
/sbin/ifconfig -> $(SEC_CRIT) ; |
350 |
/sbin/rpcdebug -> $(SEC_CRIT) ; |
350 |
# /sbin/ifdown -> $(SEC_CRIT) ; |
351 |
/sbin/service -> $(SEC_CRIT) ; |
351 |
# /sbin/ifenslave -> $(SEC_CRIT) ; |
352 |
/sbin/setsysfont -> $(SEC_CRIT) ; |
352 |
# /sbin/ifport -> $(SEC_CRIT) ; |
353 |
/sbin/shutdown -> $(SEC_CRIT) ; |
353 |
# /sbin/ifup -> $(SEC_CRIT) ; |
354 |
/sbin/sulogin -> $(SEC_CRIT) ; |
354 |
# /sbin/ifuser -> $(SEC_CRIT) ; |
355 |
/sbin/swapon -> $(SEC_CRIT) ; |
355 |
# /sbin/ip -> $(SEC_CRIT) ; |
356 |
/sbin/syslogd -> $(SEC_CRIT) ; |
356 |
#/sbin/ip6tables -> $(SEC_CRIT) ; |
357 |
/sbin/unix_chkpwd -> $(SEC_CRIT) ; |
357 |
# /sbin/ipchains -> $(SEC_CRIT) ; |
358 |
/bin/pwd -> $(SEC_CRIT) ; |
358 |
# /sbin/ipchains-restore -> $(SEC_CRIT) ; |
359 |
/bin/uname -> $(SEC_CRIT) ; |
359 |
# /sbin/ipchains-save -> $(SEC_CRIT) ; |
360 |
} |
360 |
# /sbin/ipfwadm -> $(SEC_CRIT) ; |
361 |
|
361 |
/sbin/ipmaddr -> $(SEC_CRIT) ; |
362 |
######################################## |
362 |
/sbin/iptables -> $(SEC_CRIT) ; |
363 |
# ## |
363 |
/sbin/iptables-restore -> $(SEC_CRIT) ; |
364 |
######################################## # |
364 |
/sbin/iptables-save -> $(SEC_CRIT) ; |
365 |
# # # |
365 |
/sbin/iptunnel -> $(SEC_CRIT) ; |
366 |
# Hardware and Device Control Programs # # |
366 |
# /sbin/ipvsadm -> $(SEC_CRIT) ; |
367 |
# ## |
367 |
# /sbin/ipvsadm-restore -> $(SEC_CRIT) ; |
368 |
######################################## |
368 |
# /sbin/ipvsadm-save -> $(SEC_CRIT) ; |
369 |
( |
369 |
# /sbin/ipx_configure -> $(SEC_CRIT) ; |
370 |
rulename = "Hardware and Device Control Programs", |
370 |
# /sbin/ipx_interface -> $(SEC_CRIT) ; |
371 |
severity = $(SIG_HI) |
371 |
# /sbin/ipx_internal_net -> $(SEC_CRIT) ; |
372 |
) |
372 |
# /sbin/iwconfig -> $(SEC_CRIT) ; |
373 |
{ |
373 |
# /sbin/iwgetid -> $(SEC_CRIT) ; |
374 |
/sbin/cardctl -> $(SEC_CRIT) ; |
374 |
# /sbin/iwlist -> $(SEC_CRIT) ; |
375 |
/sbin/cardmgr -> $(SEC_CRIT) ; |
375 |
# /sbin/iwpriv -> $(SEC_CRIT) ; |
376 |
/sbin/hwclock -> $(SEC_CRIT) ; |
376 |
# /sbin/iwspy -> $(SEC_CRIT) ; |
377 |
/sbin/isapnp -> $(SEC_CRIT) ; |
377 |
# /sbin/mgetty -> $(SEC_CRIT) ; |
378 |
/sbin/kbdrate -> $(SEC_CRIT) ; |
378 |
# /sbin/mingetty -> $(SEC_CRIT) ; |
379 |
/sbin/losetup -> $(SEC_CRIT) ; |
379 |
/sbin/nameif -> $(SEC_CRIT) ; |
380 |
/sbin/lspci -> $(SEC_CRIT) ; |
380 |
# /sbin/netreport -> $(SEC_CRIT) ; |
381 |
/sbin/pnpdump -> $(SEC_CRIT) ; |
381 |
/sbin/plipconfig -> $(SEC_CRIT) ; |
382 |
/sbin/probe -> $(SEC_CRIT) ; |
382 |
# /sbin/portmap -> $(SEC_CRIT) ; |
383 |
/sbin/pump -> $(SEC_CRIT) ; |
383 |
# /sbin/ppp-watch -> $(SEC_CRIT) ; |
384 |
/sbin/setpci -> $(SEC_CRIT) ; |
384 |
#/sbin/rarp -> $(SEC_CRIT) ; |
385 |
/sbin/shapecfg -> $(SEC_CRIT) ; |
385 |
/sbin/route -> $(SEC_CRIT) ; |
386 |
} |
386 |
/sbin/slattach -> $(SEC_CRIT) ; |
387 |
|
387 |
# /sbin/tc -> $(SEC_CRIT) ; |
388 |
############################### |
388 |
#/sbin/uugetty -> $(SEC_CRIT) ; |
389 |
# ## |
389 |
# /sbin/vgetty -> $(SEC_CRIT) ; |
390 |
############################### # |
390 |
# /sbin/ypbind -> $(SEC_CRIT) ; |
391 |
# # # |
391 |
} |
392 |
# System Information Programs # # |
392 |
|
393 |
# ## |
393 |
################################## |
394 |
############################### |
394 |
# ## |
395 |
( |
395 |
################################## # |
396 |
rulename = "System Information Programs", |
396 |
# # # |
397 |
severity = $(SIG_HI) |
397 |
# System Administration Programs # # |
398 |
) |
398 |
# ## |
399 |
{ |
399 |
################################## |
400 |
/sbin/consoletype -> $(SEC_CRIT) ; |
400 |
|
401 |
/sbin/kernelversion -> $(SEC_CRIT) ; |
401 |
( |
402 |
/sbin/runlevel -> $(SEC_CRIT) ; |
402 |
rulename = "System Administration Programs", |
403 |
} |
403 |
severity = $(SIG_HI) |
404 |
|
404 |
) |
405 |
#################################### |
405 |
{ |
406 |
# ## |
406 |
# /sbin/chkconfig -> $(SEC_CRIT) ; |
407 |
#################################### # |
407 |
/bin/fuser -> $(SEC_CRIT) ; |
408 |
# # # |
408 |
/sbin/halt -> $(SEC_CRIT) ; |
409 |
# Application Information Programs # # |
409 |
/sbin/init -> $(SEC_CRIT) ; |
410 |
# ## |
410 |
# /sbin/initlog -> $(SEC_CRIT) ; |
411 |
#################################### |
411 |
/usr/bin/install-info -> $(SEC_CRIT) ; |
412 |
|
412 |
/sbin/killall5 -> $(SEC_CRIT) ; |
413 |
( |
413 |
#/sbin/linuxconf -> $(SEC_CRIT) ; |
414 |
rulename = "Application Information Programs", |
414 |
#/sbin/linuxconf-auth -> $(SEC_CRIT) ; |
415 |
severity = $(SIG_HI) |
415 |
/sbin/pam_tally -> $(SEC_CRIT) ; |
416 |
) |
416 |
#/usr/sbin/pwdb_chkpwd -> $(SEC_CRIT) ; |
417 |
{ |
417 |
#/sbin/remadmin -> $(SEC_CRIT) ; |
418 |
/sbin/genksyms -> $(SEC_CRIT) ; |
418 |
# /sbin/rescuept -> $(SEC_CRIT) ; |
419 |
/sbin/rtmon -> $(SEC_CRIT) ; |
419 |
/usr/sbin/rmt -> $(SEC_CRIT) ; |
420 |
/sbin/sln -> $(SEC_CRIT) ; |
420 |
# /sbin/rpc.lockd -> $(SEC_CRIT) ; |
421 |
} |
421 |
# /sbin/rpc.statd -> $(SEC_CRIT) ; |
422 |
|
422 |
# /sbin/rpcdebug -> $(SEC_CRIT) ; |
423 |
########################## |
423 |
# /sbin/service -> $(SEC_CRIT) ; |
424 |
# ## |
424 |
# /sbin/setsysfont -> $(SEC_CRIT) ; |
425 |
########################## # |
425 |
/sbin/shutdown -> $(SEC_CRIT) ; |
426 |
# # # |
426 |
/sbin/sulogin -> $(SEC_CRIT) ; |
427 |
# Shell Related Programs # # |
427 |
/sbin/swapon -> $(SEC_CRIT) ; |
428 |
# ## |
428 |
# /sbin/syslogd -> $(SEC_CRIT) ; |
429 |
########################## |
429 |
# /sbin/unix_chkpwd -> $(SEC_CRIT) ; |
430 |
( |
430 |
/bin/pwd -> $(SEC_CRIT) ; |
431 |
rulename = "Shell Releated Programs", |
431 |
/bin/uname -> $(SEC_CRIT) ; |
432 |
severity = $(SIG_HI) |
432 |
/usr/bin/emerge -> $(SEC_CRIT) ; |
433 |
) |
433 |
|
434 |
{ |
434 |
} |
435 |
/sbin/getkey -> $(SEC_CRIT) ; |
435 |
|
436 |
/sbin/sash -> $(SEC_CRIT) ; |
436 |
######################################## |
437 |
} |
437 |
# ## |
438 |
|
438 |
######################################## # |
439 |
|
439 |
# # # |
440 |
################ |
440 |
# Hardware and Device Control Programs # # |
441 |
# ## |
441 |
# ## |
442 |
################ # |
442 |
######################################## |
443 |
# # # |
443 |
( |
444 |
# OS Utilities # # |
444 |
rulename = "Hardware and Device Control Programs", |
445 |
# ## |
445 |
severity = $(SIG_HI) |
446 |
################ |
446 |
) |
447 |
( |
447 |
{ |
448 |
rulename = "Operating System Utilities", |
448 |
#/bin/setserial -> $(SEC_CRIT) ; |
449 |
severity = $(SIG_HI) |
449 |
# /bin/sfxload -> $(SEC_CRIT) ; |
450 |
) |
450 |
/sbin/blockdev -> $(SEC_CRIT) ; |
451 |
{ |
451 |
# /sbin/cardctl -> $(SEC_CRIT) ; |
452 |
/bin/cat -> $(SEC_CRIT) ; |
452 |
# /sbin/cardmgr -> $(SEC_CRIT) ; |
453 |
/bin/date -> $(SEC_CRIT) ; |
453 |
# /sbin/cbq -> $(SEC_CRIT) ; |
454 |
/bin/dd -> $(SEC_CRIT) ; |
454 |
# /sbin/dump_cis -> $(SEC_CRIT) ; |
455 |
/bin/df -> $(SEC_CRIT) ; |
455 |
/sbin/elvtune -> $(SEC_CRIT) ; |
456 |
/bin/echo -> $(SEC_CRIT) ; |
456 |
# /sbin/hotplug -> $(SEC_CRIT) ; |
457 |
/bin/egrep -> $(SEC_CRIT) ; |
457 |
/sbin/hwclock -> $(SEC_CRIT) ; |
458 |
/bin/false -> $(SEC_CRIT) ; |
458 |
# /sbin/ide_info -> $(SEC_CRIT) ; |
459 |
/bin/fgrep -> $(SEC_CRIT) ; |
459 |
#/sbin/isapnp -> $(SEC_CRIT) ; |
460 |
/bin/gawk -> $(SEC_CRIT) ; |
460 |
#/sbin/kbdrate -> $(SEC_CRIT) ; |
461 |
/bin/gawk-3.0.4 -> $(SEC_CRIT) ; |
461 |
/sbin/losetup -> $(SEC_CRIT) ; |
462 |
/bin/grep -> $(SEC_CRIT) ; |
462 |
# /sbin/lspci -> $(SEC_CRIT) ; |
463 |
/bin/true -> $(SEC_CRIT) ; |
463 |
# /sbin/lspnp -> $(SEC_CRIT) ; |
464 |
/bin/arch -> $(SEC_CRIT) ; |
464 |
/sbin/mii-tool -> $(SEC_CRIT) ; |
465 |
/bin/ash -> $(SEC_CRIT) ; |
465 |
# /sbin/pack_cis -> $(SEC_CRIT) ; |
466 |
/bin/ash.static -> $(SEC_CRIT) ; |
466 |
#/sbin/pnpdump -> $(SEC_CRIT) ; |
467 |
/bin/aumix-minimal -> $(SEC_CRIT) ; |
467 |
# /sbin/probe -> $(SEC_CRIT) ; |
468 |
/bin/basename -> $(SEC_CRIT) ; |
468 |
#/sbin/pump -> $(SEC_CRIT) ; |
469 |
/bin/consolechars -> $(SEC_CRIT) ; |
469 |
# /sbin/setpci -> $(SEC_CRIT) ; |
470 |
/bin/dmesg -> $(SEC_CRIT) ; |
470 |
# /sbin/shapecfg -> $(SEC_CRIT) ; |
471 |
/bin/doexec -> $(SEC_CRIT) ; |
471 |
} |
472 |
/bin/ed -> $(SEC_CRIT) ; |
472 |
|
473 |
/bin/gunzip -> $(SEC_CRIT) ; |
473 |
############################### |
474 |
/bin/gzip -> $(SEC_CRIT) ; |
474 |
# ## |
475 |
/bin/hostname -> $(SEC_CRIT) ; |
475 |
############################### # |
476 |
/bin/igawk -> $(SEC_CRIT) ; |
476 |
# # # |
477 |
/bin/ipcalc -> $(SEC_CRIT) ; |
477 |
# System Information Programs # # |
478 |
/bin/kill -> $(SEC_CRIT) ; |
478 |
# ## |
479 |
/bin/ln -> $(SEC_CRIT) ; |
479 |
############################### |
480 |
/bin/loadkeys -> $(SEC_CRIT) ; |
480 |
( |
481 |
/bin/login -> $(SEC_CRIT) ; |
481 |
rulename = "System Information Programs", |
482 |
/bin/ls -> $(SEC_CRIT) ; |
482 |
severity = $(SIG_HI) |
483 |
/bin/mail -> $(SEC_CRIT) ; |
483 |
) |
484 |
/bin/more -> $(SEC_CRIT) ; |
484 |
{ |
485 |
/bin/mt -> $(SEC_CRIT) ; |
485 |
/sbin/consoletype -> $(SEC_CRIT) ; |
486 |
/bin/mv -> $(SEC_CRIT) ; |
486 |
/sbin/kernelversion -> $(SEC_CRIT) ; |
487 |
/bin/netstat -> $(SEC_CRIT) ; |
487 |
/sbin/runlevel -> $(SEC_CRIT) ; |
488 |
/bin/nice -> $(SEC_CRIT) ; |
488 |
} |
489 |
/bin/ps -> $(SEC_CRIT) ; |
489 |
|
490 |
/bin/rpm -> $(SEC_CRIT) ; |
490 |
#################################### |
491 |
/bin/sed -> $(SEC_CRIT) ; |
491 |
# ## |
492 |
/bin/setserial -> $(SEC_CRIT) ; |
492 |
#################################### # |
493 |
/bin/sfxload -> $(SEC_CRIT) ; |
493 |
# # # |
494 |
/bin/sleep -> $(SEC_CRIT) ; |
494 |
# Application Information Programs # # |
495 |
/bin/sort -> $(SEC_CRIT) ; |
495 |
# ## |
496 |
/bin/stty -> $(SEC_CRIT) ; |
496 |
#################################### |
497 |
/bin/su -> $(SEC_CRIT) ; |
497 |
|
498 |
/bin/sync -> $(SEC_CRIT) ; |
498 |
( |
499 |
/bin/tar -> $(SEC_CRIT) ; |
499 |
rulename = "Application Information Programs", |
500 |
/bin/usleep -> $(SEC_CRIT) ; |
500 |
severity = $(SIG_HI) |
501 |
/bin/vi -> $(SEC_CRIT) ; |
501 |
) |
502 |
/bin/vimtutor -> $(SEC_CRIT) ; |
502 |
{ |
503 |
/bin/zcat -> $(SEC_CRIT) ; |
503 |
/sbin/genksyms -> $(SEC_CRIT) ; |
504 |
/bin/zsh -> $(SEC_CRIT) ; |
504 |
#/sbin/genksyms.old -> $(SEC_CRIT) ; |
505 |
/bin/zsh-3.0.8 -> $(SEC_CRIT) ; |
505 |
# /sbin/rtmon -> $(SEC_CRIT) ; |
506 |
} |
506 |
} |
507 |
|
507 |
|
508 |
############################## |
508 |
########################## |
509 |
# ## |
509 |
# ## |
510 |
############################## # |
510 |
########################## # |
511 |
# # # |
511 |
# # # |
512 |
# Critical Utility Sym-Links # # |
512 |
# Shell Related Programs # # |
513 |
# ## |
513 |
# ## |
514 |
############################## |
514 |
########################## |
515 |
( |
515 |
( |
516 |
rulename = "Critical Utility Sym-Links", |
516 |
rulename = "Shell Related Programs", |
517 |
severity = $(SIG_HI) |
517 |
severity = $(SIG_HI) |
518 |
) |
518 |
) |
519 |
{ |
519 |
{ |
520 |
/sbin/askrunlevel -> $(SEC_CRIT) ; |
520 |
# /sbin/getkey -> $(SEC_CRIT) ; |
521 |
/sbin/clock -> $(SEC_CRIT) ; |
521 |
# /sbin/nash -> $(SEC_CRIT) ; |
522 |
/sbin/dnsconf -> $(SEC_CRIT) ; |
522 |
/bin/sash -> $(SEC_CRIT) ; |
523 |
/sbin/fixperm -> $(SEC_CRIT) ; |
523 |
} |
524 |
/sbin/fsconf -> $(SEC_CRIT) ; |
524 |
|
525 |
/sbin/ipfwadm-wrapper -> $(SEC_CRIT) ; |
525 |
|
526 |
/sbin/kallsyms -> $(SEC_CRIT) ; |
526 |
################ |
527 |
/sbin/ksyms -> $(SEC_CRIT) ; |
527 |
# ## |
528 |
/sbin/mailconf -> $(SEC_CRIT) ; |
528 |
################ # |
529 |
/sbin/managerpm -> $(SEC_CRIT) ; |
529 |
# # # |
530 |
/sbin/modemconf -> $(SEC_CRIT) ; |
530 |
# OS Utilities # # |
531 |
/sbin/lsmod -> $(SEC_CRIT) ; |
531 |
# ## |
532 |
/sbin/modprobe -> $(SEC_CRIT) ; |
532 |
################ |
533 |
/sbin/mount.ncp -> $(SEC_CRIT) ; |
533 |
( |
534 |
/sbin/mount.ncpfs -> $(SEC_CRIT) ; |
534 |
rulename = "Operating System Utilities", |
535 |
/sbin/mount.smb -> $(SEC_CRIT) ; |
535 |
severity = $(SIG_HI) |
536 |
/sbin/mount.smbfs -> $(SEC_CRIT) ; |
536 |
) |
537 |
/sbin/netconf -> $(SEC_CRIT) ; |
537 |
{ |
538 |
/sbin/pidof -> $(SEC_CRIT) ; |
538 |
/bin/arch -> $(SEC_CRIT) ; |
539 |
/sbin/poweroff -> $(SEC_CRIT) ; |
539 |
# /bin/ash -> $(SEC_CRIT) ; |
540 |
/sbin/quotaoff -> $(SEC_CRIT) ; |
540 |
# /bin/ash.static -> $(SEC_CRIT) ; |
541 |
/sbin/raid0run -> $(SEC_CRIT) ; |
541 |
# /bin/aumix-minimal -> $(SEC_CRIT) ; |
542 |
/sbin/raidhotadd -> $(SEC_CRIT) ; |
542 |
/bin/basename -> $(SEC_CRIT) ; |
543 |
/sbin/raidhotremove -> $(SEC_CRIT) ; |
543 |
/bin/cat -> $(SEC_CRIT) ; |
544 |
/sbin/raidstop -> $(SEC_CRIT) ; |
544 |
#/bin/consolechars -> $(SEC_CRIT) ; |
545 |
/sbin/rdump.static -> $(SEC_CRIT) ; |
545 |
/bin/cut -> $(SEC_CRIT) ; |
546 |
/sbin/rrestore -> $(SEC_CRIT) ; |
546 |
/bin/date -> $(SEC_CRIT) ; |
547 |
/sbin/rrestore.static -> $(SEC_CRIT) ; |
547 |
/bin/dd -> $(SEC_CRIT) ; |
548 |
/sbin/swapoff -> $(SEC_CRIT) ; |
548 |
/bin/df -> $(SEC_CRIT) ; |
549 |
/sbin/rdump -> $(SEC_CRIT) ; |
549 |
/bin/dmesg -> $(SEC_CRIT) ; |
550 |
/sbin/reboot -> $(SEC_CRIT) ; |
550 |
# /bin/doexec -> $(SEC_CRIT) ; |
551 |
/sbin/rmmod -> $(SEC_CRIT) ; |
551 |
/bin/echo -> $(SEC_CRIT) ; |
552 |
/sbin/telinit -> $(SEC_CRIT) ; |
552 |
/bin/ed -> $(SEC_CRIT) ; |
553 |
/sbin/userconf -> $(SEC_CRIT) ; |
553 |
/bin/egrep -> $(SEC_CRIT) ; |
554 |
/sbin/uucpconf -> $(SEC_CRIT) ; |
554 |
/bin/false -> $(SEC_CRIT) ; |
555 |
/bin/awk -> $(SEC_CRIT) ; |
555 |
/bin/fgrep -> $(SEC_CRIT) ; |
556 |
/bin/dnsdomainname -> $(SEC_CRIT) ; |
556 |
/bin/gawk -> $(SEC_CRIT) ; |
557 |
/bin/domainname -> $(SEC_CRIT) ; |
557 |
# /bin/gawk-3.1.0 -> $(SEC_CRIT) ; |
558 |
/bin/ex -> $(SEC_CRIT) ; |
558 |
# /bin/gettext -> $(SEC_CRIT) ; |
559 |
/bin/gtar -> $(SEC_CRIT) ; |
559 |
/bin/grep -> $(SEC_CRIT) ; |
560 |
/bin/nisdomainname -> $(SEC_CRIT) ; |
560 |
/bin/gunzip -> $(SEC_CRIT) ; |
561 |
/bin/red -> $(SEC_CRIT) ; |
561 |
/bin/gzip -> $(SEC_CRIT) ; |
562 |
/bin/rvi -> $(SEC_CRIT) ; |
562 |
/bin/hostname -> $(SEC_CRIT) ; |
563 |
/bin/rview -> $(SEC_CRIT) ; |
563 |
/bin/igawk -> $(SEC_CRIT) ; |
564 |
/bin/view -> $(SEC_CRIT) ; |
564 |
# /bin/ipcalc -> $(SEC_CRIT) ; |
565 |
/bin/xnmap -> $(SEC_CRIT) ; |
565 |
/bin/kill -> $(SEC_CRIT) ; |
566 |
/bin/ypdomainname -> $(SEC_CRIT) ; |
566 |
/bin/ln -> $(SEC_CRIT) ; |
567 |
} |
567 |
/bin/loadkeys -> $(SEC_CRIT) ; |
568 |
|
568 |
/bin/login -> $(SEC_CRIT) ; |
569 |
|
569 |
/bin/ls -> $(SEC_CRIT) ; |
570 |
######################### |
570 |
# /bin/mail -> $(SEC_CRIT) ; |
571 |
# ## |
571 |
/bin/more -> $(SEC_CRIT) ; |
572 |
######################### # |
572 |
# /bin/mt -> $(SEC_CRIT) ; |
573 |
# # # |
573 |
/bin/mv -> $(SEC_CRIT) ; |
574 |
# Temporary directories # # |
574 |
/bin/netstat -> $(SEC_CRIT) ; |
575 |
# ## |
575 |
/bin/nice -> $(SEC_CRIT) ; |
576 |
######################### |
576 |
/bin/pgawk -> $(SEC_CRIT) ; |
577 |
( |
577 |
/bin/ps -> $(SEC_CRIT) ; |
578 |
rulename = "Temporary directories", |
578 |
# /bin/rpm -> $(SEC_CRIT) ; |
579 |
recurse = false, |
579 |
/bin/sed -> $(SEC_CRIT) ; |
580 |
severity = $(SIG_LOW) |
580 |
/bin/sleep -> $(SEC_CRIT) ; |
581 |
) |
581 |
/bin/sort -> $(SEC_CRIT) ; |
582 |
{ |
582 |
/bin/stty -> $(SEC_CRIT) ; |
583 |
/usr/tmp -> $(SEC_INVARIANT) ; |
583 |
/bin/su -> $(SEC_CRIT) ; |
584 |
/var/tmp -> $(SEC_INVARIANT) ; |
584 |
/bin/sync -> $(SEC_CRIT) ; |
585 |
/tmp -> $(SEC_INVARIANT) ; |
585 |
/bin/tar -> $(SEC_CRIT) ; |
586 |
} |
586 |
/bin/true -> $(SEC_CRIT) ; |
587 |
|
587 |
# /bin/usleep -> $(SEC_CRIT) ; |
588 |
############### |
588 |
# /bin/vi -> $(SEC_CRIT) ; |
589 |
# ## |
589 |
/bin/zcat -> $(SEC_CRIT) ; |
590 |
############### # |
590 |
# /bin/zsh -> $(SEC_CRIT) ; |
591 |
# # # |
591 |
# /bin/zsh-4.0.2 -> $(SEC_CRIT) ; |
592 |
# Local files # # |
592 |
/sbin/sln -> $(SEC_CRIT) ; |
593 |
# ## |
593 |
# /usr/bin/vimtutor -> $(SEC_CRIT) ; |
594 |
############### |
594 |
} |
595 |
( |
595 |
|
596 |
rulename = "User binaries", |
596 |
############################## |
597 |
severity = $(SIG_MED) |
597 |
# ## |
598 |
) |
598 |
############################## # |
599 |
{ |
599 |
# # # |
600 |
/sbin -> $(SEC_BIN) (recurse = 1) ; |
600 |
# Critical Utility Sym-Links # # |
601 |
/usr/local/bin -> $(SEC_BIN) (recurse = 1) ; |
601 |
# ## |
602 |
/usr/sbin -> $(SEC_BIN) (recurse = 1) ; |
602 |
############################## |
603 |
/usr/bin -> $(SEC_BIN) (recurse = 1) ; |
603 |
( |
604 |
} |
604 |
rulename = "Critical Utility Sym-Links", |
605 |
|
605 |
severity = $(SIG_HI) |
606 |
( |
606 |
) |
607 |
rulename = "Shell Binaries", |
607 |
{ |
608 |
severity = $(SIG_HI) |
608 |
#/sbin/askrunlevel -> $(SEC_CRIT) ; |
609 |
) |
609 |
# /sbin/clock -> $(SEC_CRIT) ; |
610 |
{ |
610 |
#/sbin/fixperm -> $(SEC_CRIT) ; |
611 |
/bin/bsh -> $(SEC_BIN) ; |
611 |
# /sbin/fsck.reiserfs -> $(SEC_CRIT) ; |
612 |
/bin/csh -> $(SEC_BIN) ; |
612 |
#/sbin/fsconf -> $(SEC_CRIT) ; |
613 |
/bin/ksh -> $(SEC_BIN) ; |
613 |
# /sbin/ipfwadm-wrapper -> $(SEC_CRIT) ; |
614 |
# /bin/psh -> $(SEC_BIN) ; # No longer used? |
614 |
/sbin/kallsyms -> $(SEC_CRIT) ; |
615 |
/usr/kerberos/bin/rsh -> $(SEC_SUID) ; |
615 |
/sbin/ksyms -> $(SEC_CRIT) ; |
616 |
# /bin/Rsh -> $(SEC_BIN) ; # No longer used? |
616 |
/sbin/lsmod -> $(SEC_CRIT) ; |
617 |
/bin/sh -> $(SEC_BIN) ; |
617 |
#/sbin/mailconf -> $(SEC_CRIT) ; |
618 |
# /bin/shell -> $(SEC_SUID) ; # No longer used? |
618 |
# /sbin/mkfs.reiserfs -> $(SEC_CRIT) ; |
619 |
# /bin/tsh -> $(SEC_BIN) ; # No longer used? |
619 |
#/sbin/modemconf -> $(SEC_CRIT) ; |
620 |
/bin/bash -> $(SEC_BIN) ; |
620 |
/sbin/modprobe -> $(SEC_CRIT) ; |
621 |
/bin/tcsh -> $(SEC_BIN) ; |
621 |
# /sbin/mount.ncp -> $(SEC_CRIT) ; |
622 |
/bin/bash2 -> $(SEC_BIN) ; |
622 |
# /sbin/mount.ncpfs -> $(SEC_CRIT) ; |
623 |
} |
623 |
# /sbin/mount.smb -> $(SEC_CRIT) ; |
624 |
|
624 |
# /sbin/mount.smbfs -> $(SEC_CRIT) ; |
625 |
( |
625 |
#/sbin/netconf -> $(SEC_CRIT) ; |
626 |
rulename = "Security Control", |
626 |
/sbin/pidof -> $(SEC_CRIT) ; |
627 |
severity = $(SIG_HI) |
627 |
/sbin/poweroff -> $(SEC_CRIT) ; |
628 |
) |
628 |
# /sbin/quotaoff -> $(SEC_CRIT) ; |
629 |
{ |
629 |
# /sbin/raid0run -> $(SEC_CRIT) ; |
630 |
/etc/group -> $(SEC_CRIT) ; |
630 |
# /sbin/raidhotadd -> $(SEC_CRIT) ; |
631 |
/etc/security/ -> $(SEC_CRIT) ; |
631 |
# /sbin/raidhotgenerateerror -> $(SEC_CRIT) ; |
632 |
#/var/spool/cron/crontabs -> $(SEC_CRIT) ; # Uncomment when this file exists |
632 |
# /sbin/raidhotremove -> $(SEC_CRIT) ; |
633 |
} |
633 |
# /sbin/raidstop -> $(SEC_CRIT) ; |
634 |
|
634 |
# /sbin/rdump -> $(SEC_CRIT) ; |
635 |
#( |
635 |
# /sbin/rdump.static -> $(SEC_CRIT) ; |
636 |
# rulename = "Boot Scripts", |
636 |
/sbin/reboot -> $(SEC_CRIT) ; |
637 |
# severity = $(SIG_HI) |
637 |
/sbin/rmmod -> $(SEC_CRIT) ; |
638 |
#) |
638 |
# /sbin/rrestore -> $(SEC_CRIT) ; |
639 |
#{ |
639 |
# /sbin/rrestore.static -> $(SEC_CRIT) ; |
640 |
# /etc/rc -> $(SEC_CONFIG) ; |
640 |
/sbin/swapoff -> $(SEC_CRIT) ; |
641 |
# /etc/rc.bsdnet -> $(SEC_CONFIG) ; |
641 |
/sbin/telinit -> $(SEC_CRIT) ; |
642 |
# /etc/rc.dt -> $(SEC_CONFIG) ; |
642 |
#/sbin/userconf -> $(SEC_CRIT) ; |
643 |
# /etc/rc.net -> $(SEC_CONFIG) ; |
643 |
#/sbin/uucpconf -> $(SEC_CRIT) ; |
644 |
# /etc/rc.net.serial -> $(SEC_CONFIG) ; |
644 |
#/sbin/vregistry -> $(SEC_CRIT) ; |
645 |
# /etc/rc.nfs -> $(SEC_CONFIG) ; |
645 |
/bin/awk -> $(SEC_CRIT) ; |
646 |
# /etc/rc.powerfail -> $(SEC_CONFIG) ; |
646 |
# /bin/bash2 -> $(SEC_CRIT) ; |
647 |
# /etc/rc.tcpip -> $(SEC_CONFIG) ; |
647 |
# /bin/bsh -> $(SEC_CRIT) ; |
648 |
# /etc/trcfmt.Z -> $(SEC_CONFIG) ; |
648 |
# /bin/csh -> $(SEC_CRIT) ; |
649 |
#} |
649 |
/bin/dnsdomainname -> $(SEC_CRIT) ; |
650 |
|
650 |
/bin/domainname -> $(SEC_CRIT) ; |
651 |
( |
651 |
# /bin/ex -> $(SEC_CRIT) ; |
652 |
rulename = "Login Scripts", |
652 |
# /bin/gtar -> $(SEC_CRIT) ; |
653 |
severity = $(SIG_HI) |
653 |
/bin/nisdomainname -> $(SEC_CRIT) ; |
654 |
) |
654 |
/bin/red -> $(SEC_CRIT) ; |
655 |
{ |
655 |
# /bin/rvi -> $(SEC_CRIT) ; |
656 |
/etc/csh.cshrc -> $(SEC_CONFIG) ; |
656 |
# /bin/rview -> $(SEC_CRIT) ; |
657 |
/etc/csh.login -> $(SEC_CONFIG) ; |
657 |
# /bin/view -> $(SEC_CRIT) ; |
658 |
# /etc/tsh_profile -> $(SEC_CONFIG) ; #Uncomment when this file exists |
658 |
/bin/ypdomainname -> $(SEC_CRIT) ; |
659 |
/etc/profile -> $(SEC_CONFIG) ; |
659 |
} |
660 |
} |
660 |
|
661 |
|
661 |
|
662 |
# Libraries |
662 |
######################### |
663 |
( |
663 |
# ## |
664 |
rulename = "Libraries", |
664 |
######################### # |
665 |
severity = $(SIG_MED) |
665 |
# # # |
666 |
) |
666 |
# Temporary directories # # |
667 |
{ |
667 |
# ## |
668 |
/usr/lib -> $(SEC_BIN) ; |
668 |
######################### |
669 |
/usr/local/lib -> $(SEC_BIN) ; |
669 |
( |
670 |
} |
670 |
rulename = "Temporary directories", |
671 |
|
671 |
recurse = false, |
672 |
|
672 |
severity = $(SIG_LOW) |
673 |
###################################################### |
673 |
) |
674 |
# ## |
674 |
{ |
675 |
###################################################### # |
675 |
/usr/tmp -> $(SEC_INVARIANT) ; |
676 |
# # # |
676 |
/var/tmp -> $(SEC_INVARIANT) ; |
677 |
# Critical System Boot Files # # |
677 |
/tmp -> $(SEC_INVARIANT) ; |
678 |
# These files are critical to a correct system boot. # # |
678 |
} |
679 |
# ## |
679 |
|
680 |
###################################################### |
680 |
############### |
681 |
|
681 |
# ## |
682 |
( |
682 |
############### # |
683 |
rulename = "Critical system boot files", |
683 |
# # # |
684 |
severity = $(SIG_HI) |
684 |
# Local files # # |
685 |
) |
685 |
# ## |
686 |
{ |
686 |
############### |
687 |
/boot -> $(SEC_CRIT) ; |
687 |
( |
688 |
/sbin/lilo -> $(SEC_CRIT) ; |
688 |
rulename = "User binaries", |
689 |
!/boot/System.map ; |
689 |
severity = $(SIG_MED) |
690 |
!/boot/module-info ; |
690 |
) |
691 |
|
691 |
{ |
692 |
# other boot files may exist. Look for: |
692 |
/sbin -> $(SEC_BIN) (recurse = 1) ; |
693 |
#/ufsboot -> $(SEC_CRIT) ; |
693 |
/usr/bin -> $(SEC_BIN) (recurse = 1) ; |
694 |
} |
694 |
/usr/sbin -> $(SEC_BIN) (recurse = 1) ; |
695 |
################################################## |
695 |
/usr/local/bin -> $(SEC_BIN) (recurse = 1) ; |
696 |
################################################### |
696 |
} |
697 |
# These files change every time the system boots ## |
697 |
|
698 |
################################################## |
698 |
( |
699 |
( |
699 |
rulename = "Shell Binaries", |
700 |
rulename = "System boot changes", |
700 |
severity = $(SIG_HI) |
701 |
severity = $(SIG_HI) |
701 |
) |
702 |
) |
702 |
{ |
703 |
{ |
703 |
/bin/bash -> $(SEC_BIN) ; |
704 |
!/var/run/ftp.pids-all ; # Comes and goes on reboot. |
704 |
# /bin/ksh -> $(SEC_BIN) ; |
705 |
!/root/.enlightenment ; |
705 |
# /bin/psh -> $(SEC_BIN) ; # No longer used? |
706 |
/dev/log -> $(SEC_CONFIG) ; |
706 |
# /bin/Rsh -> $(SEC_BIN) ; # No longer used? |
707 |
/dev/cua0 -> $(SEC_CONFIG) ; |
707 |
/bin/sh -> $(SEC_BIN) ; |
708 |
# /dev/printer -> $(SEC_CONFIG) ; # Uncomment if you have a printer device |
708 |
# /bin/shell -> $(SEC_SUID) ; # No longer used? |
709 |
/dev/console -> $(SEC_CONFIG) -u ; # User ID may change on console login/logout. |
709 |
# /bin/tsh -> $(SEC_BIN) ; # No longer used? |
710 |
#/dev/tty2 -> $(SEC_CONFIG) ; # tty devices |
710 |
# /bin/tcsh -> $(SEC_BIN) ; |
711 |
/dev/tty3 -> $(SEC_CONFIG) ; # are extremely |
711 |
# /sbin/nologin -> $(SEC_BIN) ; |
712 |
/dev/tty4 -> $(SEC_CONFIG) ; # variable |
712 |
} |
713 |
/dev/tty5 -> $(SEC_CONFIG) ; |
713 |
|
714 |
/dev/tty6 -> $(SEC_CONFIG) ; |
714 |
( |
715 |
/dev/urandom -> $(SEC_CONFIG) ; |
715 |
rulename = "Security Control", |
716 |
/dev/initctl -> $(SEC_CONFIG) ; |
716 |
severity = $(SIG_HI) |
717 |
/var/lock/subsys -> $(SEC_CONFIG) ; |
717 |
) |
718 |
/var/lock/subsys/random -> $(SEC_CONFIG) ; |
718 |
{ |
719 |
/var/lock/subsys/network -> $(SEC_CONFIG) ; |
719 |
/etc/group -> $(SEC_CRIT) ; |
720 |
/var/lock/subsys/portmap -> $(SEC_CONFIG) ; |
720 |
/etc/security -> $(SEC_CRIT) ; |
721 |
# /var/lock/subsys/nfsfs -> $(SEC_CONFIG) ; #Uncomment when this file exists |
721 |
#/var/spool/cron/crontabs -> $(SEC_CRIT) ; # Uncomment when this file exists |
722 |
/var/lock/subsys/nfslock -> $(SEC_CONFIG) ; |
722 |
} |
723 |
/var/lock/subsys/syslog -> $(SEC_CONFIG) ; |
723 |
|
724 |
/var/lock/subsys/atd -> $(SEC_CONFIG) ; |
724 |
( |
725 |
/var/lock/subsys/crond -> $(SEC_CONFIG) ; |
725 |
rulename = "Init Scripts", |
726 |
# /var/lock/subsys/inet -> $(SEC_CONFIG) ; #Uncomment when this file exists |
726 |
severity = $(SIG_HI) |
727 |
# /var/lock/subsys/named -> $(SEC_CONFIG) ; #Uncomment when this file exists |
727 |
) |
728 |
/var/lock/subsys/lpd -> $(SEC_CONFIG) ; |
728 |
{ |
729 |
# /var/lock/subsys/nfs -> $(SEC_CONFIG) ; #Uncomment when this file exists |
729 |
/etc/init.d/bootmisc -> $(SEC_CONFIG) ; |
730 |
/var/lock/subsys/sendmail -> $(SEC_CONFIG) ; |
730 |
/etc/init.d/checkfs -> $(SEC_CONFIG) ; |
731 |
/var/lock/subsys/gpm -> $(SEC_CONFIG) ; |
731 |
/etc/init.d/checkroot -> $(SEC_CONFIG) ; |
732 |
/var/lock/subsys/httpd -> $(SEC_CONFIG) ; |
732 |
/etc/init.d/clock -> $(SEC_CONFIG) ; |
733 |
# /var/lock/subsys/sound -> $(SEC_CONFIG) ; #Uncomment when this file exists |
733 |
/etc/init.d/consolefont -> $(SEC_CONFIG) ; |
734 |
# /var/lock/subsys/smb -> $(SEC_CONFIG) ; #Uncomment when this file exists |
734 |
/etc/init.d/crypto-loop -> $(SEC_CONFIG) ; |
735 |
/var/lock/subsys/anacron -> $(SEC_CONFIG) ; |
735 |
/etc/init.d/depscan.sh -> $(SEC_CONFIG) -i ; |
736 |
/var/lock/subsys/autofs -> $(SEC_CONFIG) ; |
736 |
/etc/init.d/domainname -> $(SEC_CONFIG) ; |
737 |
/var/lock/subsys/canna -> $(SEC_CONFIG) ; |
737 |
/etc/init.d/functions.sh -> $(SEC_CONFIG) ; |
738 |
/var/lock/subsys/firewall -> $(SEC_CONFIG) ; |
738 |
/etc/init.d/halt.sh -> $(SEC_CONFIG) ; |
739 |
/var/lock/subsys/identd -> $(SEC_CONFIG) ; |
739 |
/etc/init.d/hostname -> $(SEC_CONFIG) ; |
740 |
/var/lock/subsys/jserver -> $(SEC_CONFIG) ; |
740 |
/etc/init.d/keymaps -> $(SEC_CONFIG) ; |
741 |
/var/lock/subsys/keytable -> $(SEC_CONFIG) ; |
741 |
/etc/init.d/local -> $(SEC_CONFIG) ; |
742 |
/var/lock/subsys/kudzu -> $(SEC_CONFIG) ; |
742 |
/etc/init.d/localmount -> $(SEC_CONFIG) ; |
743 |
/var/lock/subsys/netfs -> $(SEC_CONFIG) ; |
743 |
/etc/init.d/modules -> $(SEC_CONFIG) ; |
744 |
/var/lock/subsys/reconfig -> $(SEC_CONFIG) ; |
744 |
/etc/init.d/net.eth0 -> $(SEC_CONFIG) ; |
745 |
/var/lock/subsys/xfs -> $(SEC_CONFIG) ; |
745 |
/etc/init.d/net.lo -> $(SEC_CONFIG) ; |
746 |
/var/lock/subsys/xinetd -> $(SEC_CONFIG) ; |
746 |
/etc/init.d/netmount -> $(SEC_CONFIG) ; |
747 |
/var/lock/subsys/ypbind -> $(SEC_CONFIG) ; |
747 |
/etc/init.d/nscd -> $(SEC_CONFIG) ; |
748 |
/var/run -> $(SEC_CONFIG) ; # daemon PIDs |
748 |
/etc/init.d/numlock -> $(SEC_CONFIG) ; |
749 |
#/var/spool/lpd/lpd.lock -> $(SEC_CONFIG) ; #Uncomment when this file exists |
749 |
/etc/init.d/reboot.sh -> $(SEC_CONFIG) ; |
750 |
/var/log -> $(SEC_CONFIG) ; |
750 |
/etc/init.d/rmnologin -> $(SEC_CONFIG) ; |
751 |
/etc/issue.net -> $(SEC_CONFIG) -i ; # Inode number changes |
751 |
/etc/init.d/rsyncd -> $(SEC_CONFIG) ; |
752 |
/etc/ioctl.save -> $(SEC_CONFIG) ; |
752 |
/etc/init.d/runscript.sh -> $(SEC_CONFIG) -i ; |
753 |
/etc/issue -> $(SEC_CONFIG) ; |
753 |
/etc/init.d/serial -> $(SEC_CONFIG) ; |
754 |
/etc/.pwd.lock -> $(SEC_CONFIG) ; |
754 |
/etc/init.d/shutdown.sh -> $(SEC_CONFIG) ; |
755 |
/etc/mtab -> $(SEC_CONFIG) -i ; # Inode number changes on any mount/unmount |
755 |
/etc/init.d/sshd -> $(SEC_CONFIG) ; |
756 |
/lib/modules -> $(SEC_CONFIG) ; |
756 |
/etc/init.d/syslog-ng -> $(SEC_CONFIG) ; |
757 |
# /lib/modules/preferred -> $(SEC_CONFIG) ; #Uncomment when this file exists |
757 |
/etc/init.d/urandom -> $(SEC_CONFIG) ; |
758 |
} |
758 |
/etc/init.d/vixie-cron -> $(SEC_CONFIG) ; |
759 |
|
759 |
|
760 |
# These files change the behavior of the root account |
760 |
} |
761 |
( |
761 |
|
762 |
rulename = "Root config files", |
762 |
( |
763 |
severity = 100 |
763 |
rulename = "Login Scripts", |
764 |
) |
764 |
severity = $(SIG_HI) |
765 |
{ |
765 |
) |
766 |
/root -> $(SEC_CRIT) ; # Catch all additions to /root |
766 |
{ |
767 |
/root/mail -> $(SEC_CONFIG) ; |
767 |
# /etc/bashrc -> $(SEC_CONFIG) ; |
768 |
/root/Mail -> $(SEC_CONFIG) ; |
768 |
# /etc/csh.cshrc -> $(SEC_CONFIG) ; |
769 |
/root/.xsession-errors -> $(SEC_CONFIG) ; |
769 |
/etc/csh.env -> $(SEC_CONFIG) ; |
770 |
/root/.xauth -> $(SEC_CONFIG) ; |
770 |
/etc/inputrc -> $(SEC_CONFIG) ; |
771 |
/root/.tcshrc -> $(SEC_CONFIG) ; |
771 |
# /etc/tsh_profile -> $(SEC_CONFIG) ; #Uncomment when this file exists |
772 |
/root/.sawfish -> $(SEC_CONFIG) ; |
772 |
/etc/profile -> $(SEC_CONFIG) ; |
773 |
/root/.pinerc -> $(SEC_CONFIG) ; |
773 |
} |
774 |
/root/.mc -> $(SEC_CONFIG) ; |
774 |
|
775 |
/root/.gnome_private -> $(SEC_CONFIG) ; |
775 |
# Libraries |
776 |
/root/.gnome-desktop -> $(SEC_CONFIG) ; |
776 |
( |
777 |
/root/.gnome -> $(SEC_CONFIG) ; |
777 |
rulename = "Libraries", |
778 |
/root/.esd_auth -> $(SEC_CONFIG) ; |
778 |
severity = $(SIG_MED) |
779 |
/root/.elm -> $(SEC_CONFIG) ; |
779 |
) |
780 |
/root/.cshrc -> $(SEC_CONFIG) ; |
780 |
{ |
781 |
/root/.bashrc -> $(SEC_CONFIG) ; |
781 |
/usr/lib -> $(SEC_BIN) ; |
782 |
/root/.bash_profile -> $(SEC_CONFIG) ; |
782 |
/usr/local/lib -> $(SEC_BIN) ; |
783 |
/root/.bash_logout -> $(SEC_CONFIG) ; |
783 |
} |
784 |
/root/.bash_history -> $(SEC_CONFIG) ; |
784 |
|
785 |
/root/.amandahosts -> $(SEC_CONFIG) ; |
785 |
|
786 |
/root/.addressbook.lu -> $(SEC_CONFIG) ; |
786 |
###################################################### |
787 |
/root/.addressbook -> $(SEC_CONFIG) ; |
787 |
# ## |
788 |
/root/.Xresources -> $(SEC_CONFIG) ; |
788 |
###################################################### # |
789 |
/root/.Xauthority -> $(SEC_CONFIG) -i ; # Changes Inode number on login |
789 |
# # # |
790 |
/root/.ICEauthority -> $(SEC_CONFIG) ; |
790 |
# Critical System Boot Files # # |
791 |
} |
791 |
# These files are critical to a correct system boot. # # |
792 |
|
792 |
# ## |
793 |
################################ |
793 |
###################################################### |
794 |
# ## |
794 |
|
795 |
################################ # |
795 |
( |
796 |
# # # |
796 |
rulename = "Critical system boot files", |
797 |
# Critical configuration files # # |
797 |
severity = $(SIG_HI) |
798 |
# ## |
798 |
) |
799 |
################################ |
799 |
{ |
800 |
( |
800 |
/boot -> $(SEC_CRIT) ; |
801 |
rulename = "Critical configuration files", |
801 |
#/sbin/devfsd -> $(SEC_CRIT) ; |
802 |
severity = $(SIG_HI) |
802 |
/sbin/grub -> $(SEC_CRIT) ; |
803 |
) |
803 |
/sbin/grub-install -> $(SEC_CRIT) ; |
804 |
{ |
804 |
/sbin/grub-md5-crypt -> $(SEC_CRIT) ; |
805 |
/etc/conf.linuxconf -> $(SEC_BIN) ; |
805 |
/sbin/installkernel -> $(SEC_CRIT) ; |
806 |
# /etc/conf.modules -> $(SEC_BIN) ; # No longer used? |
806 |
# /sbin/lilo -> $(SEC_CRIT) ; |
807 |
/etc/crontab -> $(SEC_BIN) ; |
807 |
# /sbin/mkkerneldoth -> $(SEC_CRIT) ; |
808 |
/etc/cron.hourly -> $(SEC_BIN) ; |
808 |
!/boot/System.map ; |
809 |
/etc/cron.daily -> $(SEC_BIN) ; |
809 |
!/boot/module-info ; |
810 |
/etc/cron.weekly -> $(SEC_BIN) ; |
810 |
/usr/lib/grub/grub/i386-pc/e2fs_stage1_5 -> $(SEC_CRIT) ; |
811 |
/etc/cron.monthly -> $(SEC_BIN) ; |
811 |
/usr/lib/grub/grub/i386-pc/fat_stage1_5 -> $(SEC_CRIT) ; |
812 |
/etc/default -> $(SEC_BIN) ; |
812 |
/usr/lib/grub/grub/i386-pc/ffs_stage1_5 -> $(SEC_CRIT) ; |
813 |
/etc/fstab -> $(SEC_BIN) ; |
813 |
/usr/lib/grub/grub/i386-pc/minix_stage1_5 -> $(SEC_CRIT) ; |
814 |
/etc/exports -> $(SEC_BIN) ; |
814 |
/usr/lib/grub/grub/i386-pc/reiserfs_stage1_5 -> $(SEC_CRIT) ; |
815 |
/etc/group- -> $(SEC_BIN) ; # changes should be infrequent |
815 |
/usr/lib/grub/grub/i386-pc/stage1 -> $(SEC_CRIT) ; |
816 |
/etc/host.conf -> $(SEC_BIN) ; |
816 |
/usr/lib/grub/grub/i386-pc/stage2 -> $(SEC_CRIT) ; |
817 |
/etc/hosts.allow -> $(SEC_BIN) ; |
817 |
/usr/lib/grub/grub/i386-pc/vstafs_stage1_5 -> $(SEC_CRIT) ; |
818 |
/etc/hosts.deny -> $(SEC_BIN) ; |
818 |
# other boot files may exist. Look for: |
819 |
/etc/httpd/conf -> $(SEC_BIN) ; # changes should be infrequent |
819 |
#/ufsboot -> $(SEC_CRIT) ; |
820 |
/etc/protocols -> $(SEC_BIN) ; |
820 |
} |
821 |
/etc/services -> $(SEC_BIN) ; |
821 |
################################################## |
822 |
/etc/rc.d/init.d -> $(SEC_BIN) ; |
822 |
################################################### |
823 |
/etc/rc.d -> $(SEC_BIN) ; |
823 |
# These files change every time the system boots ## |
824 |
/etc/mail.rc -> $(SEC_BIN) ; |
824 |
################################################## |
825 |
/etc/motd -> $(SEC_BIN) ; |
825 |
( |
826 |
# /etc/named.boot -> $(SEC_BIN) ; |
826 |
rulename = "System boot changes", |
827 |
/etc/passwd -> $(SEC_CONFIG) ; |
827 |
severity = $(SIG_HI) |
828 |
/etc/passwd- -> $(SEC_CONFIG) ; |
828 |
) |
829 |
/etc/profile.d -> $(SEC_BIN) ; |
829 |
{ |
830 |
/var/lib/nfs/rmtab -> $(SEC_BIN) ; |
830 |
!/var/run/ftp.pids-all ; # Comes and goes on reboot. |
831 |
/usr/sbin/fixrmtab -> $(SEC_BIN) ; |
831 |
!/root/.enlightenment ; |
832 |
/etc/rpc -> $(SEC_BIN) ; |
832 |
/dev/log -> $(SEC_CONFIG) ; |
833 |
/etc/sysconfig -> $(SEC_BIN) ; |
833 |
# /dev/cua0 -> $(SEC_CONFIG) ; |
834 |
/etc/smb.conf -> $(SEC_CONFIG) ; |
834 |
# /dev/printer -> $(SEC_CONFIG) ; # Uncomment if you have a printer device |
835 |
/etc/gettydefs -> $(SEC_BIN) ; |
835 |
/dev/console -> $(SEC_CONFIG) -u ; # User ID may change on console login/logout. |
836 |
/etc/nsswitch.conf -> $(SEC_BIN) ; |
836 |
/dev/tty1 -> $(SEC_CONFIG) ; # tty devices |
837 |
/etc/yp.conf -> $(SEC_BIN) ; |
837 |
/dev/tty2 -> $(SEC_CONFIG) ; # tty devices |
838 |
/etc/hosts -> $(SEC_CONFIG) ; |
838 |
/dev/tty3 -> $(SEC_CONFIG) ; # are extremely |
839 |
/etc/inetd.conf -> $(SEC_CONFIG) ; |
839 |
/dev/tty4 -> $(SEC_CONFIG) ; # variable |
840 |
/etc/inittab -> $(SEC_CONFIG) ; |
840 |
/dev/tty5 -> $(SEC_CONFIG) ; |
841 |
/etc/resolv.conf -> $(SEC_CONFIG) ; |
841 |
/dev/tty6 -> $(SEC_CONFIG) ; |
842 |
/etc/syslog.conf -> $(SEC_CONFIG) ; |
842 |
/dev/urandom -> $(SEC_CONFIG) ; |
843 |
|
843 |
/dev/initctl -> $(SEC_CONFIG) ; |
844 |
} |
844 |
/var/lock/subsys -> $(SEC_CONFIG) ; |
845 |
|
845 |
# /var/lock/subsys/amd -> $(SEC_CONFIG) ; |
846 |
#################### |
846 |
# /var/lock/subsys/anacron -> $(SEC_CONFIG) ; |
847 |
# ## |
847 |
# /var/lock/subsys/apmd -> $(SEC_CONFIG) ; |
848 |
#################### # |
848 |
# /var/lock/subsys/arpwatch -> $(SEC_CONFIG) ; |
849 |
# # # |
849 |
# /var/lock/subsys/atd -> $(SEC_CONFIG) ; |
850 |
# Critical devices # # |
850 |
# /var/lock/subsys/autofs -> $(SEC_CONFIG) ; |
851 |
# ## |
851 |
# /var/lock/subsys/bcm5820 -> $(SEC_CONFIG) ; |
852 |
#################### |
852 |
# /var/lock/subsys/bgpd -> $(SEC_CONFIG) ; |
853 |
( |
853 |
# /var/lock/subsys/bootparamd -> $(SEC_CONFIG) ; |
854 |
rulename = "Critical devices", |
854 |
# /var/lock/subsys/canna -> $(SEC_CONFIG) ; |
855 |
severity = $(SIG_HI), |
855 |
# /var/lock/subsys/crond -> $(SEC_CONFIG) ; |
856 |
recurse = false |
856 |
# /var/lock/subsys/cWnn -> $(SEC_CONFIG) ; |
857 |
) |
857 |
# /var/lock/subsys/dhcpd -> $(SEC_CONFIG) ; |
858 |
{ |
858 |
# /var/lock/subsys/firewall -> $(SEC_CONFIG) ; |
859 |
/dev/kmem -> $(Device) ; |
859 |
# /var/lock/subsys/freeWnn -> $(SEC_CONFIG) ; |
860 |
/dev/mem -> $(Device) ; |
860 |
# /var/lock/subsys/gated -> $(SEC_CONFIG) ; |
861 |
/dev/null -> $(Device) ; |
861 |
# /var/lock/subsys/gpm -> $(SEC_CONFIG) ; |
862 |
/dev/zero -> $(Device) ; |
862 |
# /var/lock/subsys/httpd -> $(SEC_CONFIG) ; |
863 |
/proc/devices -> $(Device) ; |
863 |
# /var/lock/subsys/identd -> $(SEC_CONFIG) ; |
864 |
/proc/net -> $(Device) ; |
864 |
# /var/lock/subsys/innd -> $(SEC_CONFIG) ; |
865 |
/proc/sys -> $(Device) ; |
865 |
# /var/lock/subsys/ipchains -> $(SEC_CONFIG) ; |
866 |
/proc/cpuinfo -> $(Device) ; |
866 |
# /var/lock/subsys/iptables -> $(SEC_CONFIG) ; |
867 |
/proc/modules -> $(Device) ; |
867 |
# /var/lock/subsys/ipvsadm -> $(SEC_CONFIG) ; |
868 |
/proc/mounts -> $(Device) ; |
868 |
# /var/lock/subsys/irda -> $(SEC_CONFIG) ; |
869 |
/proc/dma -> $(Device) ; |
869 |
# /var/lock/subsys/iscsi -> $(SEC_CONFIG) ; |
870 |
/proc/filesystems -> $(Device) ; |
870 |
# /var/lock/subsys/isdn -> $(SEC_CONFIG) ; |
871 |
/proc/pci -> $(Device) ; |
871 |
# /var/lock/subsys/junkbuster -> $(SEC_CONFIG) ; |
872 |
/proc/interrupts -> $(Device) ; |
872 |
# /var/lock/subsys/kadmin -> $(SEC_CONFIG) ; |
873 |
/proc/rtc -> $(Device) ; |
873 |
# /var/lock/subsys/keytable -> $(SEC_CONFIG) ; |
874 |
/proc/ioports -> $(Device) ; |
874 |
# /var/lock/subsys/kprop -> $(SEC_CONFIG) ; |
875 |
/proc/scsi -> $(Device) ; |
875 |
# /var/lock/subsys/krb524 -> $(SEC_CONFIG) ; |
876 |
/proc/kcore -> $(Device) ; |
876 |
# /var/lock/subsys/krb5kdc -> $(SEC_CONFIG) ; |
877 |
/proc/self -> $(Device) ; |
877 |
# /var/lock/subsys/kudzu -> $(SEC_CONFIG) ; |
878 |
/proc/kmsg -> $(Device) ; |
878 |
# /var/lock/subsys/kWnn -> $(SEC_CONFIG) ; |
879 |
/proc/stat -> $(Device) ; |
879 |
# /var/lock/subsys/ldap -> $(SEC_CONFIG) ; |
880 |
/proc/ksyms -> $(Device) ; |
880 |
# /var/lock/subsys/linuxconf -> $(SEC_CONFIG) ; |
881 |
/proc/loadavg -> $(Device) ; |
881 |
# /var/lock/subsys/lpd -> $(SEC_CONFIG) ; |
882 |
/proc/uptime -> $(Device) ; |
882 |
# /var/lock/subsys/mars_nwe -> $(SEC_CONFIG) ; |
883 |
/proc/locks -> $(Device) ; |
883 |
# /var/lock/subsys/mcserv -> $(SEC_CONFIG) ; |
884 |
/proc/version -> $(Device) ; |
884 |
# /var/lock/subsys/mysqld -> $(SEC_CONFIG) ; |
885 |
/proc/mdstat -> $(Device) ; |
885 |
# /var/lock/subsys/named -> $(SEC_CONFIG) ; |
886 |
/proc/meminfo -> $(Device) ; |
886 |
# /var/lock/subsys/netfs -> $(SEC_CONFIG) ; |
887 |
/proc/cmdline -> $(Device) ; |
887 |
# /var/lock/subsys/network -> $(SEC_CONFIG) ; |
888 |
/proc/misc -> $(Device) ; |
888 |
# /var/lock/subsys/nfs -> $(SEC_CONFIG) ; |
889 |
} |
889 |
# /var/lock/subsys/nfslock -> $(SEC_CONFIG) ; |
890 |
|
890 |
# /var/lock/subsys/nscd -> $(SEC_CONFIG) ; |
891 |
# Rest of critical system binaries |
891 |
# /var/lock/subsys/ntpd -> $(SEC_CONFIG) ; |
892 |
( |
892 |
# /var/lock/subsys/ospf6d -> $(SEC_CONFIG) ; |
893 |
rulename = "OS executables and libraries", |
893 |
# /var/lock/subsys/ospfd -> $(SEC_CONFIG) ; |
894 |
severity = $(SIG_HI) |
894 |
# /var/lock/subsys/pcmcia -> $(SEC_CONFIG) ; |
895 |
) |
895 |
# /var/lock/subsys/portmap -> $(SEC_CONFIG) ; |
896 |
{ |
896 |
# /var/lock/subsys/postgresql -> $(SEC_CONFIG) ; |
897 |
/bin -> $(SEC_BIN) ; |
897 |
# /var/lock/subsys/pxe -> $(SEC_CONFIG) ; |
898 |
/lib -> $(SEC_BIN) ; |
898 |
# /var/lock/subsys/radvd -> $(SEC_CONFIG) ; |
899 |
} |
899 |
# /var/lock/subsys/random -> $(SEC_CONFIG) ; |
900 |
|
900 |
# /var/lock/subsys/rarpd -> $(SEC_CONFIG) ; |
901 |
#============================================================================= |
901 |
# /var/lock/subsys/reconfig -> $(SEC_CONFIG) ; |
902 |
# |
902 |
# /var/lock/subsys/rhnsd -> $(SEC_CONFIG) ; |
903 |
# Copyright 2000 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, |
903 |
# /var/lock/subsys/ripd -> $(SEC_CONFIG) ; |
904 |
# Inc. in the United States and other countries. All rights reserved. |
904 |
# /var/lock/subsys/ripngd -> $(SEC_CONFIG) ; |
905 |
# |
905 |
# /var/lock/subsys/routed -> $(SEC_CONFIG) ; |
906 |
# Linux is a registered trademark of Linus Torvalds. |
906 |
# /var/lock/subsys/rstatd -> $(SEC_CONFIG) ; |
907 |
# |
907 |
# /var/lock/subsys/rusersd -> $(SEC_CONFIG) ; |
908 |
# UNIX is a registered trademark of The Open Group. |
908 |
# /var/lock/subsys/rwalld -> $(SEC_CONFIG) ; |
909 |
# |
909 |
# /var/lock/subsys/rwhod -> $(SEC_CONFIG) ; |
910 |
#============================================================================= |
910 |
# /var/lock/subsys/sendmail -> $(SEC_CONFIG) ; |
911 |
# |
911 |
# /var/lock/subsys/smb -> $(SEC_CONFIG) ; |
912 |
# Permission is granted to make and distribute verbatim copies of this document |
912 |
# /var/lock/subsys/snmpd -> $(SEC_CONFIG) ; |
913 |
# provided the copyright notice and this permission notice are preserved on all |
913 |
# /var/lock/subsys/squid -> $(SEC_CONFIG) ; |
914 |
# copies. |
914 |
# /var/lock/subsys/sshd -> $(SEC_CONFIG) ; |
915 |
# |
915 |
# /var/lock/subsys/syslog -> $(SEC_CONFIG) ; |
916 |
# Permission is granted to copy and distribute modified versions of this |
916 |
# /var/lock/subsys/tux -> $(SEC_CONFIG) ; |
917 |
# document under the conditions for verbatim copying, provided that the entire |
917 |
# /var/lock/subsys/tWnn -> $(SEC_CONFIG) ; |
918 |
# resulting derived work is distributed under the terms of a permission notice |
918 |
# /var/lock/subsys/ups -> $(SEC_CONFIG) ; |
919 |
# identical to this one. |
919 |
# /var/lock/subsys/vncserver -> $(SEC_CONFIG) ; |
920 |
# |
920 |
# /var/lock/subsys/wine -> $(SEC_CONFIG) ; |
921 |
# Permission is granted to copy and distribute translations of this document |
921 |
# /var/lock/subsys/xfs -> $(SEC_CONFIG) ; |
922 |
# into another language, under the above conditions for modified versions, |
922 |
# /var/lock/subsys/xinetd -> $(SEC_CONFIG) ; |
923 |
# except that this permission notice may be stated in a translation approved by |
923 |
# /var/lock/subsys/ypbind -> $(SEC_CONFIG) ; |
924 |
# Tripwire, Inc. |
924 |
# /var/lock/subsys/yppasswdd -> $(SEC_CONFIG) ; |
925 |
# |
925 |
# /var/lock/subsys/ypserv -> $(SEC_CONFIG) ; |
926 |
# DCM |
926 |
# /var/lock/subsys/ypxfrd -> $(SEC_CONFIG) ; |
|
|
927 |
# /var/lock/subsys/zebra -> $(SEC_CONFIG) ; |
928 |
/var/run -> $(SEC_CONFIG) ; |
929 |
/var/log -> $(SEC_CONFIG) ; |
930 |
/etc/ioctl.save -> $(SEC_CONFIG) ; |
931 |
/etc/issue.logo -> $(SEC_CONFIG) -i ; # Inode number changes |
932 |
/etc/issue -> $(SEC_CONFIG) ; |
933 |
/etc/mtab -> $(SEC_CONFIG) -i ; # Inode number changes on any mount/unmount |
934 |
/lib/modules -> $(SEC_CONFIG) ; |
935 |
/etc/.pwd.lock -> $(SEC_CONFIG) ; |
936 |
# /lib/modules/preferred -> $(SEC_CONFIG) ; #Uncomment when this file exists |
937 |
} |
938 |
|
939 |
# These files change the behavior of the root account |
940 |
( |
941 |
rulename = "Root config files", |
942 |
severity = 100 |
943 |
) |
944 |
{ |
945 |
/root -> $(SEC_CRIT) ; # Catch all additions to /root |
946 |
# /root/.Xresources -> $(SEC_CONFIG) ; |
947 |
# /root/.bashrc -> $(SEC_CONFIG) ; |
948 |
# /root/.bash_profile -> $(SEC_CONFIG) ; |
949 |
# /root/.bash_logout -> $(SEC_CONFIG) ; |
950 |
# /root/.cshrc -> $(SEC_CONFIG) ; |
951 |
# /root/.tcshrc -> $(SEC_CONFIG) ; |
952 |
# /root/Mail -> $(SEC_CONFIG) ; |
953 |
# /root/mail -> $(SEC_CONFIG) ; |
954 |
# /root/.amandahosts -> $(SEC_CONFIG) ; |
955 |
# /root/.addressbook.lu -> $(SEC_CONFIG) ; |
956 |
# /root/.addressbook -> $(SEC_CONFIG) ; |
957 |
# /root/.bash_history -> $(SEC_CONFIG) ; |
958 |
# /root/.elm -> $(SEC_CONFIG) ; |
959 |
# /root/.esd_auth -> $(SEC_CONFIG) ; |
960 |
# /root/.gnome_private -> $(SEC_CONFIG) ; |
961 |
# /root/.gnome-desktop -> $(SEC_CONFIG) ; |
962 |
# /root/.gnome -> $(SEC_CONFIG) ; |
963 |
# /root/.ICEauthority -> $(SEC_CONFIG) ; |
964 |
# /root/.mc -> $(SEC_CONFIG) ; |
965 |
# /root/.pinerc -> $(SEC_CONFIG) ; |
966 |
# /root/.sawfish -> $(SEC_CONFIG) ; |
967 |
# /root/.Xauthority -> $(SEC_CONFIG) -i ; # Changes Inode number on login |
968 |
# /root/.xauth -> $(SEC_CONFIG) ; |
969 |
# /root/.xsession-errors -> $(SEC_CONFIG) ; |
970 |
} |
971 |
|
972 |
################################ |
973 |
# ## |
974 |
################################ # |
975 |
# # # |
976 |
# Critical configuration files # # |
977 |
# ## |
978 |
################################ |
979 |
( |
980 |
rulename = "Critical configuration files", |
981 |
severity = $(SIG_HI) |
982 |
) |
983 |
{ |
984 |
# /etc/conf.linuxconf -> $(SEC_BIN) ; |
985 |
# /etc/apache2 -> $(SEC_CONFIG) ; |
986 |
/etc/conf.d -> $(SEC_CONFIG) ; |
987 |
/etc/crontab -> $(SEC_BIN) ; |
988 |
/etc/cron.hourly -> $(SEC_BIN) ; |
989 |
/etc/cron.daily -> $(SEC_BIN) ; |
990 |
/etc/cron.weekly -> $(SEC_BIN) ; |
991 |
/etc/cron.monthly -> $(SEC_BIN) ; |
992 |
/etc/cron.deny -> $(SEC_BIN) ; |
993 |
/etc/default -> $(SEC_BIN) ; |
994 |
/etc/devfs.d -> $(SEC_BIN) ; |
995 |
/etc/devfsd.conf -> $(SEC_BIN) ; |
996 |
/etc/dispatch-conf.conf -> $(SEC_BIN) ; |
997 |
/etc/distcc -> $(SEC_BIN) ; |
998 |
/etc/dnsdomainname -> $(SEC_BIN) ; |
999 |
/etc/env.d -> $(SEC_BIN) ; |
1000 |
/etc/etc-update.conf -> $(SEC_BIN) ; |
1001 |
# /etc/exports -> $(SEC_BIN) ; |
1002 |
/etc/fdprm -> $(SEC_BIN) ; |
1003 |
/etc/filesystems -> $(SEC_BIN) -i ; |
1004 |
/etc/fstab -> $(SEC_BIN) ; |
1005 |
/etc/group- -> $(SEC_BIN) ; # changes should be infrequent |
1006 |
/etc/hosts -> $(SEC_CONFIG) ; |
1007 |
/etc/hostname -> $(SEC_CONFIG) ; |
1008 |
# /etc/host.conf -> $(SEC_BIN) ; |
1009 |
# /etc/hosts.allow -> $(SEC_BIN) ; |
1010 |
# /etc/hosts.deny -> $(SEC_BIN) ; |
1011 |
/etc/init.d -> $(SEC_BIN) ; |
1012 |
/etc/inittab -> $(SEC_CONFIG) ; |
1013 |
/etc/ld.so.conf -> $(SEC_CONFIG) ; |
1014 |
/etc/mail.rc -> $(SEC_BIN) ; |
1015 |
/etc/make.conf -> $(SEC_CONFIG) ; |
1016 |
/etc/modules.conf -> $(SEC_BIN) ; |
1017 |
/etc/modprobe.conf -> $(SEC_BIN) ; |
1018 |
/etc/modprobe.devfs -> $(SEC_CONFIG) ; |
1019 |
# /etc/modules.autoload.d -> $(SEC_BIN) ; |
1020 |
# /etc/modules.d -> $(SEC_CONFIG) ; |
1021 |
# /etc/motd -> $(SEC_BIN) ; |
1022 |
# /etc/named.conf -> $(SEC_BIN) ; |
1023 |
/etc/pam.d -> $(SEC_BIN) ; |
1024 |
/etc/passwd -> $(SEC_CONFIG) ; |
1025 |
/etc/passwd- -> $(SEC_CONFIG) ; |
1026 |
/etc/profile.env -> $(SEC_BIN) ; |
1027 |
/etc/protocols -> $(SEC_BIN) ; |
1028 |
/etc/rc.conf -> $(SEC_BIN) ; |
1029 |
/etc/resolv.conf -> $(SEC_CONFIG) ; |
1030 |
/etc/rpc -> $(SEC_BIN) ; |
1031 |
/etc/runlevels -> $(SEC_BIN) ; |
1032 |
/etc/securetty -> $(SEC_BIN) ; |
1033 |
/etc/services -> $(SEC_BIN) ; |
1034 |
/etc/ssh -> $(SEC_BIN) ; |
1035 |
/etc/ssl -> $(SEC_BIN) ; |
1036 |
/etc/sysctl.conf -> $(SEC_BIN) ; |
1037 |
# /etc/samba/smb.conf -> $(SEC_CONFIG) ; |
1038 |
/etc/nsswitch.conf -> $(SEC_BIN) ; |
1039 |
/etc/yp.conf -> $(SEC_BIN) ; |
1040 |
#/etc/xinetd.conf -> $(SEC_CONFIG) ; |
1041 |
|
1042 |
} |
1043 |
|
1044 |
#################### |
1045 |
# ## |
1046 |
#################### # |
1047 |
# # # |
1048 |
# Critical devices # # |
1049 |
# ## |
1050 |
#################### |
1051 |
( |
1052 |
rulename = "Critical devices", |
1053 |
severity = $(SIG_HI), |
1054 |
recurse = false |
1055 |
) |
1056 |
{ |
1057 |
/dev/kmem -> $(Device) ; |
1058 |
/dev/kmsg -> $(Device) ; |
1059 |
/dev/tty -> $(Device) ; |
1060 |
/dev/random -> $(Device) ; |
1061 |
/dev/mem -> $(Device) ; |
1062 |
/dev/null -> $(Device) ; |
1063 |
/dev/zero -> $(Device) ; |
1064 |
/proc/devices -> $(Device) ; |
1065 |
/proc/net -> $(Device) ; |
1066 |
/proc/sys -> $(Device) ; |
1067 |
/proc/cpuinfo -> $(Device) ; |
1068 |
/proc/modules -> $(Device) ; |
1069 |
/proc/mounts -> $(Device) ; |
1070 |
/proc/dma -> $(Device) ; |
1071 |
/proc/filesystems -> $(Device) ; |
1072 |
/proc/pci -> $(Device) ; |
1073 |
/proc/interrupts -> $(Device) ; |
1074 |
# /proc/driver/rtc -> $(Device) ; |
1075 |
/proc/ioports -> $(Device) ; |
1076 |
#/proc/scsi -> $(Device) ; |
1077 |
#/proc/kcore -> $(Device) ; |
1078 |
/proc/self -> $(Device) ; |
1079 |
/proc/kmsg -> $(Device) ; |
1080 |
/proc/stat -> $(Device) ; |
1081 |
#/proc/ksyms -> $(Device) ; |
1082 |
/proc/loadavg -> $(Device) ; |
1083 |
/proc/uptime -> $(Device) ; |
1084 |
/proc/locks -> $(Device) ; |
1085 |
/proc/version -> $(Device) ; |
1086 |
# /proc/mdstat -> $(Device) ; |
1087 |
/proc/meminfo -> $(Device) ; |
1088 |
/proc/cmdline -> $(Device) ; |
1089 |
/proc/misc -> $(Device) ; |
1090 |
} |
1091 |
|
1092 |
# Rest of critical system binaries |
1093 |
( |
1094 |
rulename = "OS executables and libraries", |
1095 |
severity = $(SIG_HI) |
1096 |
) |
1097 |
{ |
1098 |
/bin -> $(SEC_BIN) ; |
1099 |
/lib -> $(SEC_BIN) ; |
1100 |
} |
1101 |
|
1102 |
#============================================================================= |
1103 |
# |
1104 |
# Copyright 2000 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, |
1105 |
# Inc. in the United States and other countries. All rights reserved. |
1106 |
# |
1107 |
# Linux is a registered trademark of Linus Torvalds. |
1108 |
# |
1109 |
# UNIX is a registered trademark of The Open Group. |
1110 |
# |
1111 |
#============================================================================= |
1112 |
# |
1113 |
# Permission is granted to make and distribute verbatim copies of this document |
1114 |
# provided the copyright notice and this permission notice are preserved on all |
1115 |
# copies. |
1116 |
# |
1117 |
# Permission is granted to copy and distribute modified versions of this |
1118 |
# document under the conditions for verbatim copying, provided that the entire |
1119 |
# resulting derived work is distributed under the terms of a permission notice |
1120 |
# identical to this one. |
1121 |
# |
1122 |
# Permission is granted to copy and distribute translations of this document |
1123 |
# into another language, under the above conditions for modified versions, |
1124 |
# except that this permission notice may be stated in a translation approved by |
1125 |
# Tripwire, Inc. |
1126 |
# |
1127 |
# DCM |
1128 |
|
1129 |
|
1130 |
|