############################################################################## # ## ############################################################################## # # # # # Policy file for Gentoo Linux # # # By Darren Kirby # # # # # # September 5, 2006 # # # ## ############################################################################## ############################################################################## # ## ############################################################################## # # # # # This is the example Tripwire Policy file. It is intended as a place to # # # start creating your own custom Tripwire Policy file. Referring to it as # # # well as the Tripwire Policy Guide should give you enough information to # # # make a good custom Tripwire Policy file that better covers your # # # configuration and security needs. A text version of this policy file is # # # called twpol.txt. # # # # # # Note that this file is tuned to a 'basic' install of Gentoo Linux. # # # If run unmodified, this file should create no errors on database # # # creation, or violations on a subsequent integrity check. However, it is # # # impossible for there to be one policy file for all machines, so this # # # existing one errs on the side of security. Your Linux configuration will # # # most likely differ from the one our policy file was tuned to, and will # # # therefore require some editing of the default Tripwire Policy file. # # # # # # The example policy file is best run with 'Loose Directory Checking' # # # enabled. Set LOOSEDIRECTORYCHECKING=TRUE in the Tripwire Configuration # # # file. # # # # # # Email support is not included and must be added to this file. # # # Add the 'emailto=' to the rule directive section of each rule (add a comma # # # after the 'severity=' line and add an 'emailto=' and include the email # # # addresses you want the violation reports to go to). Addresses are # # # semi-colon delimited. 
# # # ## ############################################################################## ############################################################################## # ## ############################################################################## # # # # # Global Variable Definitions # # # # # # These are defined at install time by the installation script. You may # # # manually edit these if you are using this file directly and not from the # # # installation script itself. # # # ## ############################################################################## @@section GLOBAL TWROOT=/usr/sbin; TWBIN=/usr/sbin; TWPOL="/etc/tripwire"; TWDB="/var/lib/tripwire"; TWSKEY="/etc/tripwire"; TWLKEY="/etc/tripwire"; TWREPORT="/var/lib/tripwire/report"; HOSTNAME=localhost; # change to your real hostname, i.e. 'echo $HOSTNAME'; the Tripwire Data Files rule below expects the local key at $(TWLKEY)/$(HOSTNAME)-local.key, so a wrong value here means the key file will not be found # added for gentoo GCCVERSION="3.4.6"; # change to your gcc version BINUTILSVERSION="2.16.1"; # change to your binutils version @@section FS SEC_CRIT = $(IgnoreNone)-SHa ; # Critical files that cannot change SEC_SUID = $(IgnoreNone)-SHa ; # Binaries with the SUID or SGID flags set SEC_BIN = $(ReadOnly) ; # Binaries that should not change SEC_CONFIG = $(Dynamic) ; # Config files that are changed infrequently but accessed often SEC_LOG = $(Growing) ; # Files that grow, but that should never change ownership SEC_INVARIANT = +tpug ; # Directories that should never change permission or ownership SIG_LOW = 33 ; # Non-critical files that are of minimal security impact SIG_MED = 66 ; # Non-critical files that are of significant security impact SIG_HI = 100 ; # Critical files that are significant points of vulnerability # Tripwire Binaries ( rulename = "Tripwire Binaries", severity = $(SIG_HI) ) { $(TWBIN)/siggen -> $(SEC_BIN) ; $(TWBIN)/tripwire -> $(SEC_BIN) ; $(TWBIN)/twadmin -> $(SEC_BIN) ; $(TWBIN)/twprint -> $(SEC_BIN) ; } # Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases ( rulename = "Tripwire Data Files", severity = 
$(SIG_HI) ) { # NOTE: We remove the inode attribute because when Tripwire creates a backup, # it does so by renaming the old file and creating a new one (which will # have a new inode number). Inode is left turned on for keys, which shouldn't # ever change. # NOTE: The first integrity check triggers this rule and each integrity check # afterward triggers this rule until a database update is run, since the # database file does not exist before that point. $(TWDB) -> $(SEC_CONFIG) -i ; $(TWPOL)/tw.pol -> $(SEC_BIN) -i ; $(TWPOL)/tw.cfg -> $(SEC_BIN) -i ; $(TWLKEY)/$(HOSTNAME)-local.key -> $(SEC_BIN) ; $(TWSKEY)/site.key -> $(SEC_BIN) ; #don't scan the individual reports $(TWREPORT) -> $(SEC_CONFIG) (recurse=0) ; } # Tripwire HQ Connector Binaries #( # rulename = "Tripwire HQ Connector Binaries", # severity = $(SIG_HI) #) #{ # $(TWBIN)/hqagent -> $(SEC_BIN) ; #} # # Tripwire HQ Connector - Configuration Files, Keys, and Logs ############################################################################## # ## ############################################################################## # # # # # Note: File locations here are different from those in a stock HQ Connector # # # installation. This is because Tripwire 2.3 uses a different path # # # structure than Tripwire 2.2.1. # # # # # # You may need to update your HQ Agent configuration file (or this policy # # # file) to correct the paths. We have attempted to support the FHS standard # # # here by placing the HQ Agent files similarly to the way Tripwire 2.3 # # # places them. 
# # # ## ############################################################################## #( # rulename = "Tripwire HQ Connector Data Files", # severity = $(SIG_HI) #) #{ # ############################################################################# # ############################################################################## # # NOTE: Removing the inode attribute because when Tripwire creates a backup ## # # it does so by renaming the old file and creating a new one (which will ## # # have a new inode number). Leaving inode turned on for keys, which ## # # shouldn't ever change. ## # ############################################################################# # # $(TWBIN)/agent.cfg -> $(SEC_BIN) -i ; # $(TWLKEY)/authentication.key -> $(SEC_BIN) ; # $(TWDB)/tasks.dat -> $(SEC_CONFIG) ; # $(TWDB)/schedule.dat -> $(SEC_CONFIG) ; # # # Uncomment if you have agent logging enabled. # #/var/log/tripwire/agent.log -> $(SEC_LOG) ; #} # Commonly accessed directories that should remain static with regards to owner and group ( rulename = "Invariant Directories", severity = $(SIG_MED) ) { / -> $(SEC_INVARIANT) (recurse = 0) ; /home -> $(SEC_INVARIANT) (recurse = 0) ; /etc -> $(SEC_INVARIANT) (recurse = 0) ; } ##################################################################### # # # For gentoo, I realized the best way to write this file is to # # group binaries/files based on package, rather than by function # # as in the Redhat default policy file. This way, the sysadmin # # can simply comment out the rules for packages that are not # # installed. 
All packages are delimited by commented text ie: # # # # The 'coreutils' binaries # # # # shows files following that are installed by the coreutils package.# # # ##################################################################### ################################################ # # # coreutils - diffutils - findutils - procps # # # ################################################ ( rulename = "[core|diff|find]utils and procps binaries", severity = $(SIG_HI) ) { # # The 'coreutils' binaries # /bin/chgrp -> $(SEC_CRIT) ; /bin/chown -> $(SEC_CRIT) ; /bin/chmod -> $(SEC_CRIT) ; /bin/cp -> $(SEC_CRIT) ; /bin/dd -> $(SEC_CRIT) ; /bin/dircolors -> $(SEC_CRIT) ; /bin/du -> $(SEC_CRIT) ; /bin/install -> $(SEC_CRIT) ; /bin/link -> $(SEC_CRIT) ; /bin/ln -> $(SEC_CRIT) ; /bin/dir -> $(SEC_CRIT) ; /bin/vdir -> $(SEC_CRIT) ; /bin/ls -> $(SEC_CRIT) ; /bin/mkdir -> $(SEC_CRIT) ; /bin/mkfifo -> $(SEC_CRIT) ; /bin/mknod -> $(SEC_CRIT) ; /bin/mv -> $(SEC_CRIT) ; /bin/nohup -> $(SEC_CRIT) ; /bin/readlink -> $(SEC_CRIT) ; /bin/rm -> $(SEC_CRIT) ; /bin/rmdir -> $(SEC_CRIT) ; /bin/stat -> $(SEC_CRIT) ; /bin/sync -> $(SEC_CRIT) ; /bin/touch -> $(SEC_CRIT) ; /bin/unlink -> $(SEC_CRIT) ; /bin/cat -> $(SEC_CRIT) ; /bin/cksum -> $(SEC_CRIT) ; /bin/comm -> $(SEC_CRIT) ; /bin/cut -> $(SEC_CRIT) ; /bin/head -> $(SEC_CRIT) ; /bin/ptx -> $(SEC_CRIT) ; /bin/sort -> $(SEC_CRIT) ; /bin/split -> $(SEC_CRIT) ; /bin/tr -> $(SEC_CRIT) ; /bin/uniq -> $(SEC_CRIT) ; /bin/wc -> $(SEC_CRIT) ; /bin/basename -> $(SEC_CRIT) ; /bin/date -> $(SEC_CRIT) ; /bin/dirname -> $(SEC_CRIT) ; /bin/echo -> $(SEC_CRIT) ; /bin/env -> $(SEC_CRIT) ; /bin/expr -> $(SEC_CRIT) ; /bin/false -> $(SEC_CRIT) ; /bin/id -> $(SEC_CRIT) ; /bin/logname -> $(SEC_CRIT) ; /bin/printenv -> $(SEC_CRIT) ; /bin/pwd -> $(SEC_CRIT) ; /bin/seq -> $(SEC_CRIT) ; /bin/sleep -> $(SEC_CRIT) ; /bin/tee -> $(SEC_CRIT) ; /bin/true -> $(SEC_CRIT) ; /bin/tty -> $(SEC_CRIT) ; /bin/whoami -> $(SEC_CRIT) ; /bin/yes -> $(SEC_CRIT) ; /bin/uname -> $(SEC_CRIT) ; 
/bin/chroot -> $(SEC_CRIT) ; /bin/hostid -> $(SEC_CRIT) ; /bin/nice -> $(SEC_CRIT) ; /bin/who -> $(SEC_CRIT) ; /bin/stty -> $(SEC_CRIT) ; /bin/df -> $(SEC_CRIT) ; /usr/bin/csplit -> $(SEC_CRIT) ; /usr/bin/expand -> $(SEC_CRIT) ; /usr/bin/factor -> $(SEC_CRIT) ; /usr/bin/fmt -> $(SEC_CRIT) ; /usr/bin/fold -> $(SEC_CRIT) ; /usr/bin/join -> $(SEC_CRIT) ; /usr/bin/md5sum -> $(SEC_CRIT) ; /usr/bin/nl -> $(SEC_CRIT) ; /usr/bin/od -> $(SEC_CRIT) ; /usr/bin/paste -> $(SEC_CRIT) ; /usr/bin/pathchk -> $(SEC_CRIT) ; /usr/bin/pinky -> $(SEC_CRIT) ; /usr/bin/pr -> $(SEC_CRIT) ; /usr/bin/printf -> $(SEC_CRIT) ; /usr/bin/sha1sum -> $(SEC_CRIT) ; /usr/bin/shred -> $(SEC_CRIT) ; /usr/bin/sum -> $(SEC_CRIT) ; /usr/bin/tac -> $(SEC_CRIT) ; /usr/bin/tail -> $(SEC_CRIT) ; /usr/bin/test -> $(SEC_CRIT) ; /usr/bin/[ -> $(SEC_CRIT) ; /usr/bin/tsort -> $(SEC_CRIT) ; /usr/bin/unexpand -> $(SEC_CRIT) ; /usr/bin/users -> $(SEC_CRIT) ; /usr/bin/basename -> $(SEC_CRIT) ; /usr/bin/cat -> $(SEC_CRIT) ; /usr/bin/chgrp -> $(SEC_CRIT) ; /usr/bin/chmod -> $(SEC_CRIT) ; /usr/bin/chown -> $(SEC_CRIT) ; /usr/bin/chroot -> $(SEC_CRIT) ; /usr/bin/cksum -> $(SEC_CRIT) ; /usr/bin/comm -> $(SEC_CRIT) ; /usr/bin/cp -> $(SEC_CRIT) ; /usr/bin/cut -> $(SEC_CRIT) ; /usr/bin/date -> $(SEC_CRIT) ; /usr/bin/dd -> $(SEC_CRIT) ; /usr/bin/df -> $(SEC_CRIT) ; /usr/bin/dir -> $(SEC_CRIT) ; /usr/bin/dircolors -> $(SEC_CRIT) ; /usr/bin/dirname -> $(SEC_CRIT) ; /usr/bin/du -> $(SEC_CRIT) ; /usr/bin/echo -> $(SEC_CRIT) ; /usr/bin/env -> $(SEC_CRIT) ; /usr/bin/expr -> $(SEC_CRIT) ; /usr/bin/false -> $(SEC_CRIT) ; /usr/bin/head -> $(SEC_CRIT) ; /usr/bin/hostid -> $(SEC_CRIT) ; /usr/bin/id -> $(SEC_CRIT) ; /usr/bin/install -> $(SEC_CRIT) ; /usr/bin/link -> $(SEC_CRIT) ; /usr/bin/ln -> $(SEC_CRIT) ; /usr/bin/logname -> $(SEC_CRIT) ; /usr/bin/ls -> $(SEC_CRIT) ; /usr/bin/mkdir -> $(SEC_CRIT) ; /usr/bin/mkfifo -> $(SEC_CRIT) ; /usr/bin/mknod -> $(SEC_CRIT) ; /usr/bin/mv -> $(SEC_CRIT) ; /usr/bin/nice -> $(SEC_CRIT) ; /usr/bin/nohup 
-> $(SEC_CRIT) ; /usr/bin/printenv -> $(SEC_CRIT) ; /usr/bin/ptx -> $(SEC_CRIT) ; /usr/bin/pwd -> $(SEC_CRIT) ; /usr/bin/readlink -> $(SEC_CRIT) ; /usr/bin/rm -> $(SEC_CRIT) ; /usr/bin/rmdir -> $(SEC_CRIT) ; /usr/bin/seq -> $(SEC_CRIT) ; /usr/bin/sleep -> $(SEC_CRIT) ; /usr/bin/sort -> $(SEC_CRIT) ; /usr/bin/split -> $(SEC_CRIT) ; /usr/bin/stat -> $(SEC_CRIT) ; /usr/bin/stty -> $(SEC_CRIT) ; /usr/bin/sync -> $(SEC_CRIT) ; /usr/bin/tee -> $(SEC_CRIT) ; /usr/bin/touch -> $(SEC_CRIT) ; /usr/bin/tr -> $(SEC_CRIT) ; /usr/bin/true -> $(SEC_CRIT) ; /usr/bin/tty -> $(SEC_CRIT) ; /usr/bin/uname -> $(SEC_CRIT) ; /usr/bin/uniq -> $(SEC_CRIT) ; /usr/bin/unlink -> $(SEC_CRIT) ; /usr/bin/vdir -> $(SEC_CRIT) ; /usr/bin/wc -> $(SEC_CRIT) ; /usr/bin/who -> $(SEC_CRIT) ; /usr/bin/whoami -> $(SEC_CRIT) ; /usr/bin/yes -> $(SEC_CRIT) ; # # The diffutils binaries # /usr/bin/cmp -> $(SEC_CRIT) ; /usr/bin/diff -> $(SEC_CRIT) ; /usr/bin/diff3 -> $(SEC_CRIT) ; /usr/bin/sdiff -> $(SEC_CRIT) ; # # The findutils binaries # /usr/bin/find -> $(SEC_CRIT) ; /usr/bin/oldfind -> $(SEC_CRIT) ; /usr/bin/xargs -> $(SEC_CRIT) ; # # The procps binaries # /usr/bin/uptime -> $(SEC_CRIT) ; /usr/bin/tload -> $(SEC_CRIT) ; /usr/bin/free -> $(SEC_CRIT) ; /usr/bin/w -> $(SEC_CRIT) ; /usr/bin/top -> $(SEC_CRIT) ; /usr/bin/vmstat -> $(SEC_CRIT) ; /usr/bin/watch -> $(SEC_CRIT) ; /usr/bin/skill -> $(SEC_CRIT) ; /usr/bin/snice -> $(SEC_CRIT) ; /usr/bin/pmap -> $(SEC_CRIT) ; /usr/bin/pgrep -> $(SEC_CRIT) ; /usr/bin/pkill -> $(SEC_CRIT) ; /usr/bin/slabtop -> $(SEC_CRIT) ; /usr/bin/pwdx -> $(SEC_CRIT) ; /bin/kill -> $(SEC_CRIT) ; /bin/ps -> $(SEC_CRIT) ; /sbin/sysctl -> $(SEC_CRIT) ; } ################################## # # # Compression/Archiving tools # # # ################################## ( rulename = "Compression/Archiving Programs", severity = $(SIG_HI) ) { # # The 'tar' binaries # /bin/tar -> $(SEC_CRIT) ; /usr/bin/tar -> $(SEC_CRIT) ; /usr/sbin/rmt -> $(SEC_CRIT) ; /usr/sbin/restore-tar -> $(SEC_CRIT) ; 
/usr/sbin/backup-tar -> $(SEC_CRIT) ; /usr/sbin/backup.sh -> $(SEC_CRIT) ; /usr/sbin/dump-remind -> $(SEC_CRIT) ; # # The 'bzip2' binaries # /bin/bzip2recover -> $(SEC_CRIT) ; /bin/bzip2 -> $(SEC_CRIT) ; /bin/bunzip2 -> $(SEC_CRIT) ; /bin/bzcat -> $(SEC_CRIT) ; /bin/bzcmp -> $(SEC_CRIT) ; /bin/bzdiff -> $(SEC_CRIT) ; /bin/bzless -> $(SEC_CRIT) ; /bin/bzmore -> $(SEC_CRIT) ; /bin/bzfgrep -> $(SEC_CRIT) ; /bin/bzegrep -> $(SEC_CRIT) ; /bin/bzgrep -> $(SEC_CRIT) ; # # The 'gzip' binaries # /bin/gzip -> $(SEC_CRIT) ; /bin/zcat -> $(SEC_CRIT) ; /bin/zcmp -> $(SEC_CRIT) ; /bin/znew -> $(SEC_CRIT) ; /bin/gzcat -> $(SEC_CRIT) ; /bin/gzexe -> $(SEC_CRIT) ; /bin/zdiff -> $(SEC_CRIT) ; /bin/zgrep -> $(SEC_CRIT) ; /bin/zless -> $(SEC_CRIT) ; /bin/zmore -> $(SEC_CRIT) ; /bin/gunzip -> $(SEC_CRIT) ; /bin/zegrep -> $(SEC_CRIT) ; /bin/zfgrep -> $(SEC_CRIT) ; /bin/zforce -> $(SEC_CRIT) ; # # The 'zip' and 'unzip' binaries # # /usr/bin/zip -> $(SEC_CRIT) ; # /usr/bin/zipnote -> $(SEC_CRIT) ; # /usr/bin/zipcloak -> $(SEC_CRIT) ; # /usr/bin/zipsplit -> $(SEC_CRIT) ; # /usr/bin/unzip -> $(SEC_CRIT) ; # /usr/bin/zipgrep -> $(SEC_CRIT) ; # /usr/bin/zipinfo -> $(SEC_CRIT) ; # /usr/bin/unzipsfx -> $(SEC_CRIT) ; # /usr/bin/funzip -> $(SEC_CRIT) ; } ####################### # # # Networking Programs # # # ####################### ( rulename = "Networking Programs", severity = $(SIG_HI) ) { # # The 'net-tools' binaries # /bin/domainname -> $(SEC_CRIT) ; /bin/netstat -> $(SEC_CRIT) ; /bin/hostname -> $(SEC_CRIT) ; /bin/nisdomainname -> $(SEC_CRIT) ; /bin/dnsdomainname -> $(SEC_CRIT) ; /bin/ypdomainname -> $(SEC_CRIT) ; /usr/bin/hostname -> $(SEC_CRIT) ; /usr/sbin/ether-wake -> $(SEC_CRIT) ; /sbin/arp -> $(SEC_CRIT) ; /sbin/rarp -> $(SEC_CRIT) ; /sbin/route -> $(SEC_CRIT) ; /sbin/iptunnel -> $(SEC_CRIT) ; /sbin/plipconfig -> $(SEC_CRIT) ; /sbin/mii-tool -> $(SEC_CRIT) ; /sbin/slattach -> $(SEC_CRIT) ; /sbin/nameif -> $(SEC_CRIT) ; /sbin/ifconfig -> $(SEC_CRIT) ; /sbin/ipmaddr -> $(SEC_CRIT) ; # # 
The 'iproute2' binaries # /usr/sbin/arpd -> $(SEC_CRIT) ; /sbin/ip -> $(SEC_CRIT) ; /sbin/tc -> $(SEC_CRIT) ; /sbin/ss -> $(SEC_CRIT) ; /sbin/rtpr -> $(SEC_CRIT) ; /sbin/ifcfg -> $(SEC_CRIT) ; /sbin/nstat -> $(SEC_CRIT) ; /sbin/rtmon -> $(SEC_CRIT) ; /sbin/ctstat -> $(SEC_CRIT) ; /sbin/ifstat -> $(SEC_CRIT) ; /sbin/lnstat -> $(SEC_CRIT) ; /sbin/routef -> $(SEC_CRIT) ; /sbin/routel -> $(SEC_CRIT) ; /sbin/rtacct -> $(SEC_CRIT) ; /sbin/rtstat -> $(SEC_CRIT) ; # # The iputils binaries # /bin/ping -> $(SEC_CRIT) ; /usr/bin/setkey -> $(SEC_CRIT) ; /usr/sbin/ipg -> $(SEC_CRIT) ; /usr/sbin/rarpd -> $(SEC_CRIT) ; /usr/sbin/rdisc -> $(SEC_CRIT) ; /usr/sbin/tftpd -> $(SEC_CRIT) ; /usr/sbin/clockdiff -> $(SEC_CRIT) ; /usr/sbin/tracepath -> $(SEC_CRIT) ; /sbin/arping -> $(SEC_CRIT) ; # # The 'iptables' binaries # /sbin/iptables-save -> $(SEC_CRIT) ; /sbin/iptables-restore -> $(SEC_CRIT) ; /sbin/iptables -> $(SEC_CRIT) ; } ################################## # # # Miscellaneous Network Apps # # # ################################## ( rulename = "Miscellaneous Network Programs", severity = $(SIG_HI) ) { # # The 'tcpdump' binary # /usr/sbin/tcpdump -> $(SEC_CRIT) ; # # The 'tcp-wrappers' binaries # /usr/sbin/tcpd -> $(SEC_CRIT) ; /usr/sbin/tcpdmatch -> $(SEC_CRIT) ; /usr/sbin/safe_finger -> $(SEC_CRIT) ; /usr/sbin/try-from -> $(SEC_CRIT) ; /usr/sbin/tcpdchk -> $(SEC_CRIT) ; # # The 'rsync' binary/configs # /usr/bin/rsync -> $(SEC_CRIT) ; /etc/conf.d/rsyncd -> $(SEC_CRIT) ; /etc/init.d/rsyncd -> $(SEC_CRIT) ; /etc/rsyncd.conf -> $(SEC_CRIT) ; # # The 'distcc' binaries # /usr/bin/distccd -> $(SEC_CRIT) ; # /usr/bin/distccmon-gui -> $(SEC_CRIT) ; /usr/bin/distcc -> $(SEC_CRIT) ; /usr/bin/distccmon-text -> $(SEC_CRIT) ; /usr/bin/distcc-config -> $(SEC_CRIT) ; # /usr/bin/distccmon-gnome -> $(SEC_CRIT) ; # # The 'dhcpcd' binary # /sbin/dhcpcd -> $(SEC_CRIT) ; # # The 'bind-tools' binaries # /usr/bin/dig -> $(SEC_CRIT) ; /usr/bin/host -> $(SEC_CRIT) ; /usr/bin/nslookup -> $(SEC_CRIT) ; 
/usr/bin/nsupdate -> $(SEC_CRIT) ; # # The 'telnet-bsd' binaries # # /usr/bin/telnet -> $(SEC_CRIT) ; # /usr/sbin/in.telnetd -> $(SEC_CRIT) ; } ######################################## # # # Hardware and Arch Programs # # # ######################################## ( rulename = "Hardware and Device Control Programs", severity = $(SIG_HI) ) { # # The 'udev' binaries # /usr/bin/udevmonitor -> $(SEC_CRIT) ; /usr/bin/udevinfo -> $(SEC_CRIT) ; /usr/bin/udevtest -> $(SEC_CRIT) ; /sbin/udev -> $(SEC_CRIT) ; /sbin/udevd -> $(SEC_CRIT) ; /sbin/scsi_id -> $(SEC_CRIT) ; /sbin/firmware_helper -> $(SEC_CRIT) ; /sbin/ata_id -> $(SEC_CRIT) ; /sbin/create_floppy_devices -> $(SEC_CRIT) ; /sbin/udevsend -> $(SEC_CRIT) ; /sbin/usb_id -> $(SEC_CRIT) ; /sbin/vol_id -> $(SEC_CRIT) ; /sbin/path_id -> $(SEC_CRIT) ; /sbin/udev_run_hotplugd -> $(SEC_CRIT) ; /sbin/udevcontrol -> $(SEC_CRIT) ; /sbin/udev_run_devd -> $(SEC_CRIT) ; /sbin/udevstart -> $(SEC_CRIT) ; /sbin/cdrom_id -> $(SEC_CRIT) ; # # The pciutils binaries # /usr/sbin/pcimodules -> $(SEC_CRIT) ; /usr/sbin/lspci -> $(SEC_CRIT) ; /usr/sbin/update-pciids -> $(SEC_CRIT) ; /usr/sbin/setpci -> $(SEC_CRIT) ; # # The 'util-linux' binaries # /bin/arch -> $(SEC_CRIT) ; /bin/more -> $(SEC_CRIT) ; /bin/dmesg -> $(SEC_CRIT) ; /bin/mount -> $(SEC_CRIT) ; /bin/umount -> $(SEC_CRIT) ; /usr/bin/pg -> $(SEC_CRIT) ; /usr/bin/ul -> $(SEC_CRIT) ; /usr/bin/cal -> $(SEC_CRIT) ; /usr/bin/col -> $(SEC_CRIT) ; /usr/bin/raw -> $(SEC_CRIT) ; /usr/bin/rev -> $(SEC_CRIT) ; /usr/bin/ipcs -> $(SEC_CRIT) ; /usr/bin/line -> $(SEC_CRIT) ; /usr/bin/look -> $(SEC_CRIT) ; /usr/bin/ddate -> $(SEC_CRIT) ; /usr/bin/colrm -> $(SEC_CRIT) ; /usr/bin/flock -> $(SEC_CRIT) ; /usr/bin/ipcrm -> $(SEC_CRIT) ; /usr/bin/namei -> $(SEC_CRIT) ; /usr/bin/tailf -> $(SEC_CRIT) ; /usr/bin/write -> $(SEC_CRIT) ; /usr/bin/setterm -> $(SEC_CRIT) ; /usr/bin/mcookie -> $(SEC_CRIT) ; /usr/bin/colcrt -> $(SEC_CRIT) ; /usr/bin/column -> $(SEC_CRIT) ; /usr/bin/cytune -> $(SEC_CRIT) ; 
/usr/bin/getopt -> $(SEC_CRIT) ; /usr/bin/fdformat -> $(SEC_CRIT) ; /usr/bin/logger -> $(SEC_CRIT) ; /usr/bin/chkdupexe -> $(SEC_CRIT) ; /usr/bin/rename -> $(SEC_CRIT) ; /usr/bin/renice -> $(SEC_CRIT) ; /usr/bin/hexdump -> $(SEC_CRIT) ; /usr/bin/script -> $(SEC_CRIT) ; /usr/bin/setsid -> $(SEC_CRIT) ; /usr/bin/setfdprm -> $(SEC_CRIT) ; /usr/bin/whereis -> $(SEC_CRIT) ; /usr/bin/isosize -> $(SEC_CRIT) ; /usr/sbin/rdev -> $(SEC_CRIT) ; /usr/sbin/ramsize -> $(SEC_CRIT) ; /usr/sbin/delpart -> $(SEC_CRIT) ; /usr/sbin/partx -> $(SEC_CRIT) ; /usr/sbin/rootflags -> $(SEC_CRIT) ; /usr/sbin/addpart -> $(SEC_CRIT) ; /usr/sbin/readprofile -> $(SEC_CRIT) ; /usr/sbin/tunelp -> $(SEC_CRIT) ; /usr/sbin/vidmode -> $(SEC_CRIT) ; /sbin/mkfs -> $(SEC_CRIT) ; /sbin/fsck.cramfs -> $(SEC_CRIT) ; /sbin/fdisk -> $(SEC_CRIT) ; /sbin/elvtune -> $(SEC_CRIT) ; /sbin/losetup -> $(SEC_CRIT) ; /sbin/agetty -> $(SEC_CRIT) ; /sbin/cfdisk -> $(SEC_CRIT) ; /sbin/blockdev -> $(SEC_CRIT) ; /sbin/swapoff -> $(SEC_CRIT) ; /sbin/mkswap -> $(SEC_CRIT) ; /sbin/ctrlaltdel -> $(SEC_CRIT) ; /sbin/pivot_root -> $(SEC_CRIT) ; /sbin/sfdisk -> $(SEC_CRIT) ; /sbin/swapon -> $(SEC_CRIT) ; /sbin/mkfs.cramfs -> $(SEC_CRIT) ; /sbin/mkfs.bfs -> $(SEC_CRIT) ; /sbin/hwclock -> $(SEC_CRIT) ; /sbin/fsck.minix -> $(SEC_CRIT) ; /sbin/mkfs.minix -> $(SEC_CRIT) ; # # The 'sysvinit' binaries # /bin/pidof -> $(SEC_CRIT) ; /usr/bin/last -> $(SEC_CRIT) ; /usr/bin/mesg -> $(SEC_CRIT) ; /usr/bin/wall -> $(SEC_CRIT) ; /usr/bin/utmpdump -> $(SEC_CRIT) ; /usr/bin/lastb -> $(SEC_CRIT) ; /sbin/halt -> $(SEC_CRIT) ; /sbin/init -> $(SEC_CRIT) ; /sbin/shutdown -> $(SEC_CRIT) ; /sbin/killall5 -> $(SEC_CRIT) ; /sbin/telinit -> $(SEC_CRIT) ; /sbin/runlevel -> $(SEC_CRIT) ; /sbin/sulogin -> $(SEC_CRIT) ; /sbin/poweroff -> $(SEC_CRIT) ; /sbin/reboot -> $(SEC_CRIT) ; /sbin/change_console -> $(SEC_CRIT) ; /sbin/bootlogd -> $(SEC_CRIT) ; # # The 'psmisc' Binaries # /bin/oldfuser -> $(SEC_CRIT) ; /bin/killall -> $(SEC_CRIT) ; /bin/fuser -> 
$(SEC_CRIT) ; /bin/pstree.x11 -> $(SEC_CRIT) ; /bin/pstree -> $(SEC_CRIT) ; /usr/bin/oldfuser -> $(SEC_CRIT) ; /usr/bin/killall -> $(SEC_CRIT) ; /usr/bin/fuser -> $(SEC_CRIT) ; /usr/bin/pstree.x11 -> $(SEC_CRIT) ; /usr/bin/pstree -> $(SEC_CRIT) ; # # The 'kbd' binaries # /bin/loadkeys -> $(SEC_CRIT) ; /bin/setfont -> $(SEC_CRIT) ; /usr/bin/dumpkeys -> $(SEC_CRIT) ; /usr/bin/showkey -> $(SEC_CRIT) ; /usr/bin/showconsolefont -> $(SEC_CRIT) ; /usr/bin/setleds -> $(SEC_CRIT) ; /usr/bin/setmetamode -> $(SEC_CRIT) ; /usr/bin/kbd_mode -> $(SEC_CRIT) ; /usr/bin/chvt -> $(SEC_CRIT) ; /usr/bin/deallocvt -> $(SEC_CRIT) ; /usr/bin/psfxtable -> $(SEC_CRIT) ; /usr/bin/kbdrate -> $(SEC_CRIT) ; /usr/bin/fgconsole -> $(SEC_CRIT) ; /usr/bin/getkeycodes -> $(SEC_CRIT) ; /usr/bin/setkeycodes -> $(SEC_CRIT) ; /usr/bin/resizecons -> $(SEC_CRIT) ; /usr/bin/mapscrn -> $(SEC_CRIT) ; /usr/bin/loadunimap -> $(SEC_CRIT) ; /usr/bin/openvt -> $(SEC_CRIT) ; /usr/bin/setfont -> $(SEC_CRIT) ; /usr/bin/psfstriptable -> $(SEC_CRIT) ; /usr/bin/psfgettable -> $(SEC_CRIT) ; /usr/bin/psfaddtable -> $(SEC_CRIT) ; /usr/bin/unicode_stop -> $(SEC_CRIT) ; /usr/bin/unicode_start -> $(SEC_CRIT) ; # # The 'hdparm' binaries # /sbin/hdparm -> $(SEC_CRIT) ; /sbin/idectl -> $(SEC_CRIT) ; # # The 'lshw' binaries # # /usr/sbin/lshw -> $(SEC_CRIT) ; # /usr/sbin/gtk-lshw -> $(SEC_CRIT) ; # # The 'ethtool' binary # /usr/sbin/ethtool -> $(SEC_CRIT) ; # # The 'hotplug-base' binary # /sbin/hotplug -> $(SEC_CRIT) ; # # The 'module-init-tools' binaries # /bin/lsmod -> $(SEC_CRIT) ; /bin/lsmod.old -> $(SEC_CRIT) ; /sbin/modprobe.old -> $(SEC_CRIT) ; /sbin/ksyms -> $(SEC_CRIT) ; /sbin/lsmod -> $(SEC_CRIT) ; /sbin/rmmod -> $(SEC_CRIT) ; /sbin/insmod.static.old -> $(SEC_CRIT) ; /sbin/kallsyms -> $(SEC_CRIT) ; /sbin/kallsyms.static -> $(SEC_CRIT) ; /sbin/modprobe -> $(SEC_CRIT) ; /sbin/depmod.old -> $(SEC_CRIT) ; /sbin/genksyms -> $(SEC_CRIT) ; /sbin/insmod.static -> $(SEC_CRIT) ; /sbin/depmod -> $(SEC_CRIT) ; /sbin/modinfo -> 
$(SEC_CRIT) ; /sbin/insmod_ksymoops_clean -> $(SEC_CRIT) ; /sbin/insmod.old -> $(SEC_CRIT) ; /sbin/rmmod.static -> $(SEC_CRIT) ; /sbin/insmod -> $(SEC_CRIT) ; /sbin/ksyms.static -> $(SEC_CRIT) ; /sbin/generate-modprobe.conf -> $(SEC_CRIT) ; /sbin/rmmod.old -> $(SEC_CRIT) ; /sbin/lsmod.static -> $(SEC_CRIT) ; /sbin/lsmod.old -> $(SEC_CRIT) ; /sbin/kernelversion -> $(SEC_CRIT) ; /sbin/modinfo.old -> $(SEC_CRIT) ; /sbin/modprobe.static -> $(SEC_CRIT) ; } ############################### # # # Filesystem Programs # # # ############################### ( rulename = "Filesystem Programs", severity = $(SIG_HI) ) { # # The 'e2fsprogs' binaries # /bin/chattr -> $(SEC_CRIT) ; /bin/lsattr -> $(SEC_CRIT) ; /bin/uuidgen -> $(SEC_CRIT) ; /usr/sbin/mklost+found -> $(SEC_CRIT) ; /sbin/fsck -> $(SEC_CRIT) ; /sbin/debugfs -> $(SEC_CRIT) ; /sbin/blkid -> $(SEC_CRIT) ; /sbin/logsave -> $(SEC_CRIT) ; /sbin/filefrag -> $(SEC_CRIT) ; /sbin/e2fsck -> $(SEC_CRIT) ; /sbin/mkfs.ext2 -> $(SEC_CRIT) ; /sbin/mkfs.ext3 -> $(SEC_CRIT) ; /sbin/findfs -> $(SEC_CRIT) ; /sbin/e2image -> $(SEC_CRIT) ; /sbin/e2label -> $(SEC_CRIT) ; /sbin/mke2fs -> $(SEC_CRIT) ; /sbin/tune2fs -> $(SEC_CRIT) ; /sbin/resize2fs -> $(SEC_CRIT) ; /sbin/badblocks -> $(SEC_CRIT) ; /sbin/fsck.ext2 -> $(SEC_CRIT) ; /sbin/fsck.ext3 -> $(SEC_CRIT) ; /sbin/dumpe2fs -> $(SEC_CRIT) ; # # The 'reiserfs' binaries # /sbin/mkfs.reiserfs -> $(SEC_CRIT) ; /sbin/reiserfstune -> $(SEC_CRIT) ; /sbin/reiserfsck -> $(SEC_CRIT) ; /sbin/fsck.reiserfs -> $(SEC_CRIT) ; /sbin/debugreiserfs -> $(SEC_CRIT) ; /sbin/resize_reiserfs -> $(SEC_CRIT) ; /sbin/mkreiserfs -> $(SEC_CRIT) ; # # The 'xfs' binaries # # Not sure -- don't use (dk) # # The 'jfs' binaries # # Not sure -- don't use (dk) # # The 'pax-utils' binaries # /usr/bin/pspax -> $(SEC_CRIT) ; /usr/bin/scanelf -> $(SEC_CRIT) ; /usr/bin/dumpelf -> $(SEC_CRIT) ; # # The sysfsutils binaries # /usr/bin/get_bus_devices_list -> $(SEC_CRIT) ; /usr/bin/write_attr -> $(SEC_CRIT) ; /usr/bin/get_device -> 
$(SEC_CRIT) ; /usr/bin/get_driver -> $(SEC_CRIT) ; /usr/bin/get_class_dev -> $(SEC_CRIT) ; /usr/bin/systool -> $(SEC_CRIT) ; /usr/bin/testlibsysfs -> $(SEC_CRIT) ; /usr/bin/get_classdev_parent -> $(SEC_CRIT) ; } #################################### # # # Other assorted file programs # # # #################################### ( rulename = "Miscellaneous file Programs", severity = $(SIG_HI) ) { # # The 'gawk' binaries # /usr/bin/awk -> $(SEC_CRIT) ; /usr/bin/gawk -> $(SEC_CRIT) ; /usr/bin/igawk -> $(SEC_CRIT) ; /usr/bin/pgawk -> $(SEC_CRIT) ; /bin/awk -> $(SEC_CRIT) ; /bin/igawk -> $(SEC_CRIT) ; /bin/pgawk -> $(SEC_CRIT) ; /bin/gawk -> $(SEC_CRIT) ; # # The 'grep' binaries # /bin/grep -> $(SEC_CRIT) ; /bin/egrep -> $(SEC_CRIT) ; /bin/fgrep -> $(SEC_CRIT) ; # # The 'patch' binary # /usr/bin/patch -> $(SEC_CRIT) ; # # The 'cpio' binary # /bin/cpio -> $(SEC_CRIT) ; # # The 'file' binary # /usr/bin/file -> $(SEC_CRIT) ; # # The 'lsof' binary # /usr/sbin/lsof -> $(SEC_CRIT) ; # # The 'gettext' binaries # /usr/bin/msgen -> $(SEC_CRIT) ; /usr/bin/msgattrib -> $(SEC_CRIT) ; /usr/bin/msgfilter -> $(SEC_CRIT) ; /usr/bin/gettext.sh -> $(SEC_CRIT) ; /usr/bin/gettextize -> $(SEC_CRIT) ; /usr/bin/gettext -> $(SEC_CRIT) ; /usr/bin/msgcomm -> $(SEC_CRIT) ; /usr/bin/msgconv -> $(SEC_CRIT) ; /usr/bin/msgexec -> $(SEC_CRIT) ; /usr/bin/msggrep -> $(SEC_CRIT) ; /usr/bin/msginit -> $(SEC_CRIT) ; /usr/bin/msguniq -> $(SEC_CRIT) ; /usr/bin/msgcat -> $(SEC_CRIT) ; /usr/bin/msgcmp -> $(SEC_CRIT) ; /usr/bin/msgfmt -> $(SEC_CRIT) ; /usr/bin/gmsgfmt -> $(SEC_CRIT) ; /usr/bin/envsubst -> $(SEC_CRIT) ; /usr/bin/autopoint -> $(SEC_CRIT) ; /usr/bin/ngettext -> $(SEC_CRIT) ; /usr/bin/xgettext -> $(SEC_CRIT) ; /usr/bin/msgmerge -> $(SEC_CRIT) ; /usr/bin/msgunfmt -> $(SEC_CRIT) ; # # The 'groff' binaries # /usr/bin/eqn -> $(SEC_CRIT) ; /usr/bin/grn -> $(SEC_CRIT) ; /usr/bin/pic -> $(SEC_CRIT) ; /usr/bin/tbl -> $(SEC_CRIT) ; /usr/bin/geqn -> $(SEC_CRIT) ; /usr/bin/grog -> $(SEC_CRIT) ; /usr/bin/gtbl -> 
$(SEC_CRIT) ; /usr/bin/neqn -> $(SEC_CRIT) ; /usr/bin/addftinfo -> $(SEC_CRIT) ; /usr/bin/groff -> $(SEC_CRIT) ; /usr/bin/grops -> $(SEC_CRIT) ; /usr/bin/lkbib -> $(SEC_CRIT) ; /usr/bin/nroff -> $(SEC_CRIT) ; /usr/bin/refer -> $(SEC_CRIT) ; /usr/bin/troff -> $(SEC_CRIT) ; /usr/bin/grap2graph -> $(SEC_CRIT) ; /usr/bin/pre-grohtml -> $(SEC_CRIT) ; /usr/bin/post-grohtml -> $(SEC_CRIT) ; /usr/bin/lookbib -> $(SEC_CRIT) ; /usr/bin/tfmtodit -> $(SEC_CRIT) ; /usr/bin/zsoelim -> $(SEC_CRIT) ; /usr/bin/grodvi -> $(SEC_CRIT) ; /usr/bin/grolbp -> $(SEC_CRIT) ; /usr/bin/grolj4 -> $(SEC_CRIT) ; /usr/bin/grotty -> $(SEC_CRIT) ; /usr/bin/hpftodit -> $(SEC_CRIT) ; /usr/bin/gxditview -> $(SEC_CRIT) ; /usr/bin/mmroff -> $(SEC_CRIT) ; /usr/bin/groffer -> $(SEC_CRIT) ; /usr/bin/soelim -> $(SEC_CRIT) ; /usr/bin/pfbtops -> $(SEC_CRIT) ; /usr/bin/pic2graph -> $(SEC_CRIT) ; /usr/bin/indxbib -> $(SEC_CRIT) ; /usr/bin/eqn2graph -> $(SEC_CRIT) ; /usr/bin/afmtodit -> $(SEC_CRIT) ; # # The 'less' binaries # /usr/bin/less -> $(SEC_CRIT) ; /usr/bin/lesskey -> $(SEC_CRIT) ; /usr/bin/lessecho -> $(SEC_CRIT) ; /usr/bin/code2color -> $(SEC_CRIT) ; /usr/bin/lesspipe.sh -> $(SEC_CRIT) ; # # The 'man' binaries # /usr/bin/man -> $(SEC_CRIT) ; /usr/bin/man2dvi -> $(SEC_CRIT) ; /usr/bin/manpath -> $(SEC_CRIT) ; /usr/bin/man2html -> $(SEC_CRIT) ; /usr/bin/whatis -> $(SEC_CRIT) ; /usr/bin/apropos -> $(SEC_CRIT) ; /usr/sbin/makewhatis -> $(SEC_CRIT) ; # # The 'ncurses' binaries # /usr/bin/tic -> $(SEC_CRIT) ; /usr/bin/toe -> $(SEC_CRIT) ; /usr/bin/infotocap -> $(SEC_CRIT) ; /usr/bin/tack -> $(SEC_CRIT) ; /usr/bin/tput -> $(SEC_CRIT) ; /usr/bin/tset -> $(SEC_CRIT) ; /usr/bin/clear -> $(SEC_CRIT) ; /usr/bin/reset -> $(SEC_CRIT) ; /usr/bin/captoinfo -> $(SEC_CRIT) ; /usr/bin/infocmp -> $(SEC_CRIT) ; # # The 'sed' binary # /bin/sed -> $(SEC_CRIT) ; # # The 'slocate' binaries # /usr/bin/slocate -> $(SEC_CRIT) ; /usr/bin/updatedb -> $(SEC_CRIT) ; /usr/bin/locate -> $(SEC_CRIT) ; # # The patchutils binaries # 
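# (remainder of the rule opened above this point: patch-manipulation and
#  debianutils helpers -- entries kept as they were)
  /usr/bin/editdiff -> $(SEC_CRIT) ;
  /usr/bin/recountdiff -> $(SEC_CRIT) ;
  /usr/bin/grepdiff -> $(SEC_CRIT) ;
  /usr/bin/espdiff -> $(SEC_CRIT) ;
  /usr/bin/dehtmldiff -> $(SEC_CRIT) ;
  /usr/bin/unwrapdiff -> $(SEC_CRIT) ;
  /usr/bin/filterdiff -> $(SEC_CRIT) ;
  /usr/bin/lsdiff -> $(SEC_CRIT) ;
  /usr/bin/fixcvsdiff -> $(SEC_CRIT) ;
  /usr/bin/rediff -> $(SEC_CRIT) ;
  /usr/bin/flipdiff -> $(SEC_CRIT) ;
  /usr/bin/combinediff -> $(SEC_CRIT) ;
  /usr/bin/splitdiff -> $(SEC_CRIT) ;
  /usr/bin/interdiff -> $(SEC_CRIT) ;
  #
  # The debianutils binaries
  #
  /bin/tempfile -> $(SEC_CRIT) ;
  /bin/mktemp -> $(SEC_CRIT) ;
  /bin/run-parts -> $(SEC_CRIT) ;
  /usr/sbin/savelog -> $(SEC_CRIT) ;
  /usr/sbin/mkboot -> $(SEC_CRIT) ;
  /sbin/installkernel -> $(SEC_CRIT) ;
}

################################
#                              #
#          Toolchain           #
#                              #
################################
#
# A compiler, assembler or linker that has been replaced is the classic way to
# poison every binary built afterwards, so the toolchain is watched with the
# strictest mask ($(SEC_CRIT)).  Expect violations after every toolchain
# upgrade; review them and re-baseline rather than loosening the mask.
#
# NOTE: the CHOST "i686-pc-linux-gnu" is hard-coded in the paths below and
# GCCVERSION / BINUTILSVERSION are taken from the GLOBAL section.  On another
# architecture, or after a gcc/binutils upgrade, these paths must be edited or
# Tripwire will report the objects as missing at database creation.
#
(
  rulename = "Toolchain Programs",
  severity = $(SIG_HI)
)
{
  #
  # The 'gcc' binaries
  #
  #GCCVERSION="3.4.6"
  /usr/i686-pc-linux-gnu/gcc-bin/$(GCCVERSION)/gcov -> $(SEC_CRIT) ;
  /usr/i686-pc-linux-gnu/gcc-bin/$(GCCVERSION)/gccbug -> $(SEC_CRIT) ;
  /usr/i686-pc-linux-gnu/gcc-bin/$(GCCVERSION)/i686-pc-linux-gnu-c++ -> $(SEC_CRIT) ;
  /usr/i686-pc-linux-gnu/gcc-bin/$(GCCVERSION)/i686-pc-linux-gnu-g++ -> $(SEC_CRIT) ;
  # /usr/i686-pc-linux-gnu/gcc-bin/$(GCCVERSION)/i686-pc-linux-gnu-g77 -> $(SEC_CRIT) ; # fortran compiler?
  /usr/i686-pc-linux-gnu/gcc-bin/$(GCCVERSION)/i686-pc-linux-gnu-cpp -> $(SEC_CRIT) ;
  /usr/i686-pc-linux-gnu/gcc-bin/$(GCCVERSION)/i686-pc-linux-gnu-gcc -> $(SEC_CRIT) ;
  /sbin/fix_libtool_files.sh -> $(SEC_CRIT) ;
  /usr/bin/i686-pc-linux-gnu-cpp-$(GCCVERSION) -> $(SEC_CRIT) ;
  /usr/bin/i686-pc-linux-gnu-c++-$(GCCVERSION) -> $(SEC_CRIT) ;
  /usr/bin/cpp-$(GCCVERSION) -> $(SEC_CRIT) ;
  /usr/bin/i686-pc-linux-gnu-g++-$(GCCVERSION) -> $(SEC_CRIT) ;
  /usr/bin/i686-pc-linux-gnu-gcc-$(GCCVERSION) -> $(SEC_CRIT) ;
  # /usr/bin/i686-pc-linux-gnu-g77-$(GCCVERSION) -> $(SEC_CRIT) ; # fortran...
  /usr/bin/c++-$(GCCVERSION) -> $(SEC_CRIT) ;
  /usr/bin/g++-$(GCCVERSION) -> $(SEC_CRIT) ;
  /usr/bin/gcc-$(GCCVERSION) -> $(SEC_CRIT) ;
  # /usr/bin/g77-$(GCCVERSION) -> $(SEC_CRIT) ; # fortran...
  /usr/i686-pc-linux-gnu/gcc-bin/$(GCCVERSION)/c++ -> $(SEC_CRIT) ;
  /usr/i686-pc-linux-gnu/gcc-bin/$(GCCVERSION)/g++ -> $(SEC_CRIT) ;
  # /usr/i686-pc-linux-gnu/gcc-bin/$(GCCVERSION)/g77 -> $(SEC_CRIT) ; # fortran...
  /usr/i686-pc-linux-gnu/gcc-bin/$(GCCVERSION)/cpp -> $(SEC_CRIT) ;
  /usr/i686-pc-linux-gnu/gcc-bin/$(GCCVERSION)/gcc -> $(SEC_CRIT) ;
  /usr/i686-pc-linux-gnu/gcc-bin/$(GCCVERSION)/i686-pc-linux-gnu-gcc-$(GCCVERSION) -> $(SEC_CRIT) ;
  #
  # The 'binutils' binaries
  #
  #BINUTILSVERSION="2.16.1"
  /usr/i686-pc-linux-gnu/binutils-bin/$(BINUTILSVERSION)/ar -> $(SEC_CRIT) ;
  /usr/i686-pc-linux-gnu/binutils-bin/$(BINUTILSVERSION)/as -> $(SEC_CRIT) ;
  /usr/i686-pc-linux-gnu/binutils-bin/$(BINUTILSVERSION)/ld -> $(SEC_CRIT) ;
  /usr/i686-pc-linux-gnu/binutils-bin/$(BINUTILSVERSION)/nm -> $(SEC_CRIT) ;
  /usr/i686-pc-linux-gnu/binutils-bin/$(BINUTILSVERSION)/size -> $(SEC_CRIT) ;
  /usr/i686-pc-linux-gnu/binutils-bin/$(BINUTILSVERSION)/c++filt -> $(SEC_CRIT) ;
  /usr/i686-pc-linux-gnu/binutils-bin/$(BINUTILSVERSION)/readelf -> $(SEC_CRIT) ;
  /usr/i686-pc-linux-gnu/binutils-bin/$(BINUTILSVERSION)/gprof -> $(SEC_CRIT) ;
  /usr/i686-pc-linux-gnu/binutils-bin/$(BINUTILSVERSION)/strip -> $(SEC_CRIT) ;
  /usr/i686-pc-linux-gnu/binutils-bin/$(BINUTILSVERSION)/addr2line -> $(SEC_CRIT) ;
  /usr/i686-pc-linux-gnu/binutils-bin/$(BINUTILSVERSION)/strings -> $(SEC_CRIT) ;
  /usr/i686-pc-linux-gnu/binutils-bin/$(BINUTILSVERSION)/objcopy -> $(SEC_CRIT) ;
  /usr/i686-pc-linux-gnu/binutils-bin/$(BINUTILSVERSION)/objdump -> $(SEC_CRIT) ;
  /usr/i686-pc-linux-gnu/binutils-bin/$(BINUTILSVERSION)/ranlib -> $(SEC_CRIT) ;
  #
  # The 'glibc' binaries (ldconfig and sln in particular: a tampered
  # ldconfig can redirect every dynamically linked program on the box)
  #
  /usr/bin/ldd -> $(SEC_CRIT) ;
  /usr/bin/lddlibc4 -> $(SEC_CRIT) ;
  /usr/bin/iconv -> $(SEC_CRIT) ;
  /usr/bin/sprof -> $(SEC_CRIT) ;
  /usr/bin/getconf -> $(SEC_CRIT) ;
  /usr/bin/gencat -> $(SEC_CRIT) ;
  /usr/bin/getent -> $(SEC_CRIT) ;
  /usr/bin/locale -> $(SEC_CRIT) ;
  /usr/bin/mtrace -> $(SEC_CRIT) ;
  /usr/bin/pcprofiledump -> $(SEC_CRIT) ;
  /usr/bin/rpcgen -> $(SEC_CRIT) ;
  /usr/bin/localedef -> $(SEC_CRIT) ;
  /usr/bin/catchsegv -> $(SEC_CRIT) ;
  /usr/bin/xtrace -> $(SEC_CRIT) ;
  /usr/sbin/nscd -> $(SEC_CRIT) ;
  /usr/sbin/nscd_nischeck -> $(SEC_CRIT) ;
  /usr/sbin/rpcinfo -> $(SEC_CRIT) ;
  /usr/sbin/iconvconfig -> $(SEC_CRIT) ;
  /usr/sbin/locale-gen -> $(SEC_CRIT) ;
  /sbin/sln -> $(SEC_CRIT) ;
  /sbin/ldconfig -> $(SEC_CRIT) ;
  #
  # The 'make' binaries
  #
  /usr/bin/gmake -> $(SEC_CRIT) ;
  /usr/bin/make -> $(SEC_CRIT) ;
  #
  # The 'autoconf' binaries
  #
  # too many versions - edit manually ;)  (a version that is not installed
  # is reported as a missing object at database creation)
  /usr/bin/autoupdate-2.59 -> $(SEC_CRIT) ;
  /usr/bin/autoscan-2.59 -> $(SEC_CRIT) ;
  /usr/bin/ifnames-2.59 -> $(SEC_CRIT) ;
  /usr/bin/autoreconf-2.59 -> $(SEC_CRIT) ;
  /usr/bin/autoheader-2.59 -> $(SEC_CRIT) ;
  /usr/bin/autoconf-2.59 -> $(SEC_CRIT) ;
  /usr/bin/autom4te-2.59 -> $(SEC_CRIT) ;
  /usr/bin/ifnames-2.13 -> $(SEC_CRIT) ;
  /usr/bin/autoheader-2.13 -> $(SEC_CRIT) ;
  /usr/bin/autoreconf-2.13 -> $(SEC_CRIT) ;
  /usr/bin/autoconf-2.13 -> $(SEC_CRIT) ;
  /usr/bin/autoupdate-2.13 -> $(SEC_CRIT) ;
  /usr/bin/autoscan-2.13 -> $(SEC_CRIT) ;
  #
  # The 'automake' binaries
  #
  # too many versions - edit manually ;)
  /usr/bin/automake-1.7 -> $(SEC_CRIT) ;
  /usr/bin/aclocal-1.7 -> $(SEC_CRIT) ;
  /usr/bin/automake-1.8 -> $(SEC_CRIT) ;
  /usr/bin/aclocal-1.8 -> $(SEC_CRIT) ;
  /usr/bin/automake-1.9 -> $(SEC_CRIT) ;
  /usr/bin/aclocal-1.9 -> $(SEC_CRIT) ;
  /usr/bin/automake-1.5 -> $(SEC_CRIT) ;
  /usr/bin/aclocal-1.5 -> $(SEC_CRIT) ;
  /usr/bin/automake-1.4 -> $(SEC_CRIT) ;
  /usr/bin/aclocal-1.4 -> $(SEC_CRIT) ;
  /usr/bin/automake-1.6 -> $(SEC_CRIT) ;
  /usr/bin/aclocal-1.6 -> $(SEC_CRIT) ;
}

################################
#                              #
#  Security Related Programs   #
#                              #
################################
#
# Authentication binaries, PAM, OpenSSL, OpenSSH and GnuPG.  Everything here
# is $(SEC_CRIT): any change to these files is either an upgrade you know
# about or an incident.
#
(
  rulename = "Security Related Programs",
  severity = $(SIG_HI)
)
{
  #
  # The 'shadow' binaries/configs
  #
  /bin/su -> $(SEC_CRIT) ;
  /bin/login -> $(SEC_CRIT) ;
  /bin/groups -> $(SEC_CRIT) ;
  /bin/passwd -> $(SEC_CRIT) ;
  /usr/bin/sg -> $(SEC_CRIT) ;
  /usr/bin/chfn -> $(SEC_CRIT) ;
  /usr/bin/chsh -> $(SEC_CRIT) ;
  /usr/bin/chage -> $(SEC_CRIT) ;
  /usr/bin/lastlog -> $(SEC_CRIT) ;
  /usr/bin/faillog -> $(SEC_CRIT) ;
  /usr/bin/expiry -> $(SEC_CRIT) ;
  /usr/bin/newgrp -> $(SEC_CRIT) ;
  /usr/bin/passwd -> $(SEC_CRIT) ;
  /usr/bin/gpasswd -> $(SEC_CRIT) ;
  /usr/sbin/pwck -> $(SEC_CRIT) ;
  /usr/sbin/vigr -> $(SEC_CRIT) ;
  /usr/sbin/vipw -> $(SEC_CRIT) ;
  /usr/sbin/grpck -> $(SEC_CRIT) ;
  /usr/sbin/chgpasswd -> $(SEC_CRIT) ;
  /usr/sbin/groupadd -> $(SEC_CRIT) ;
  /usr/sbin/groupdel -> $(SEC_CRIT) ;
  /usr/sbin/groupmod -> $(SEC_CRIT) ;
  /usr/sbin/logoutd -> $(SEC_CRIT) ;
  /usr/sbin/chpasswd -> $(SEC_CRIT) ;
  /usr/sbin/adduser -> $(SEC_CRIT) ;
  /usr/sbin/pwunconv -> $(SEC_CRIT) ;
  /usr/sbin/nologin -> $(SEC_CRIT) ;
  /usr/sbin/pwconv -> $(SEC_CRIT) ;
  /usr/sbin/grpconv -> $(SEC_CRIT) ;
  /usr/sbin/useradd -> $(SEC_CRIT) ;
  /usr/sbin/userdel -> $(SEC_CRIT) ;
  /usr/sbin/usermod -> $(SEC_CRIT) ;
  /usr/sbin/newusers -> $(SEC_CRIT) ;
  /usr/sbin/grpunconv -> $(SEC_CRIT) ;
  /etc/default/useradd -> $(SEC_CRIT) ;
  /etc/securetty -> $(SEC_CRIT) ;
  /etc/pam.d/su -> $(SEC_CRIT) ;
  /etc/pam.d/chfn -> $(SEC_CRIT) ;
  /etc/pam.d/chsh -> $(SEC_CRIT) ;
  /etc/pam.d/chage -> $(SEC_CRIT) ;
  /etc/pam.d/login -> $(SEC_CRIT) ;
  /etc/pam.d/groupadd -> $(SEC_CRIT) ;
  /etc/pam.d/groupdel -> $(SEC_CRIT) ;
  /etc/pam.d/groupmod -> $(SEC_CRIT) ;
  /etc/pam.d/chpasswd -> $(SEC_CRIT) ;
  /etc/pam.d/passwd -> $(SEC_CRIT) ;
  /etc/pam.d/shadow -> $(SEC_CRIT) ;
  /etc/pam.d/useradd -> $(SEC_CRIT) ;
  /etc/pam.d/userdel -> $(SEC_CRIT) ;
  /etc/pam.d/usermod -> $(SEC_CRIT) ;
  /etc/pam.d/newusers -> $(SEC_CRIT) ;
  #
  # The 'pam' binaries/configs
  #
  /usr/sbin/pam_tally -> $(SEC_CRIT) ;
  /usr/sbin/unix_chkpwd -> $(SEC_CRIT) ;
  /etc/pam.d/system-auth -> $(SEC_CRIT) ;
  /etc/pam.d/other -> $(SEC_CRIT) ;
  /etc/security/pam_env.conf -> $(SEC_CRIT) ;
  /etc/security/time.conf -> $(SEC_CRIT) ;
  /etc/security/limits.conf -> $(SEC_CRIT) ;
  /etc/security/group.conf -> $(SEC_CRIT) ;
  /etc/security/access.conf -> $(SEC_CRIT) ;
  #
  # The 'openssl' binaries
  #
  /usr/bin/c_rehash -> $(SEC_CRIT) ;
  /usr/bin/fipsld -> $(SEC_CRIT) ;
  /usr/bin/openssl -> $(SEC_CRIT) ;
  #
  # The 'openssh' binaries/configs
  #
  /usr/bin/scp -> $(SEC_CRIT) ;
  /usr/bin/ssh -> $(SEC_CRIT) ;
  /usr/bin/sftp -> $(SEC_CRIT) ;
  /usr/bin/ssh-agent -> $(SEC_CRIT) ;
  /usr/bin/ssh-add -> $(SEC_CRIT) ;
  /usr/bin/slogin -> $(SEC_CRIT) ;
  /usr/bin/ssh-copy-id -> $(SEC_CRIT) ;
  /usr/bin/ssh-keyscan -> $(SEC_CRIT) ;
  /usr/bin/ssh-keygen -> $(SEC_CRIT) ;
  /usr/sbin/sshd -> $(SEC_CRIT) ;
  # The whole directory, not just the three config files: this also covers
  # the sshd host keys (a swapped host key is a silent MITM of every client)
  # and any file dropped into /etc/ssh.  The explicit entries below stay;
  # a more specific object name takes precedence over the directory rule.
  /etc/ssh -> $(SEC_CRIT) ;
  /etc/ssh/ssh_config -> $(SEC_CRIT) ;
  /etc/ssh/sshd_config -> $(SEC_CRIT) ;
  /etc/ssh/moduli -> $(SEC_CRIT) ;
  /etc/pam.d/sshd -> $(SEC_CRIT) ;
  /etc/conf.d/sshd -> $(SEC_CRIT) ;
  /etc/init.d/sshd -> $(SEC_CRIT) ;
  #
  # The 'gnupg' binaries
  #
  /usr/bin/gpg -> $(SEC_CRIT) ;
  /usr/bin/gpgv -> $(SEC_CRIT) ;
  /usr/bin/gpg-zip -> $(SEC_CRIT) ;
  /usr/bin/gpgsplit -> $(SEC_CRIT) ;
  /usr/bin/kbxutil -> $(SEC_CRIT) ;
  /usr/bin/symcryptrun -> $(SEC_CRIT) ;
  /usr/bin/gpgsm -> $(SEC_CRIT) ;
  /usr/bin/gpgparsemail -> $(SEC_CRIT) ;
  /usr/bin/gpg-agent -> $(SEC_CRIT) ;
  /usr/bin/gpgsm-gencert.sh -> $(SEC_CRIT) ;
  /usr/bin/gpg-connect-agent -> $(SEC_CRIT) ;
  /usr/bin/gpgkey2ssh -> $(SEC_CRIT) ;
  /usr/bin/gpgconf -> $(SEC_CRIT) ;
  /usr/bin/watchgnupg -> $(SEC_CRIT) ;
  /usr/sbin/addgnupghome -> $(SEC_CRIT) ;
}

##############################
#                            #
# Shells/Scripting Languages #
#                            #
##############################
#
# Interpreters are a favourite place to hide a backdoor because every script
# on the system runs through them.  Versioned names (perl5.8.8, python2.4,
# ruby18) must be edited to match what is actually installed.
#
(
  rulename = "Shell binaries",
  severity = $(SIG_HI)
)
{
  #
  # The bash binaries
  #
  /bin/sh -> $(SEC_CRIT) ;
  /bin/bash -> $(SEC_CRIT) ;
  /bin/rbash -> $(SEC_CRIT) ;
  /usr/bin/bashbug -> $(SEC_CRIT) ;
  #
  # The 'zsh' binaries
  #
  /bin/zsh -> $(SEC_CRIT) ;
  #
  # The 'sash' binary
  #
  /bin/sash -> $(SEC_CRIT) ;
  #
  # The 'busybox' binary
  #
  /bin/bb -> $(SEC_CRIT) ;
  /bin/busybox -> $(SEC_CRIT) ;
  #
  # The 'perl' binaries
  #
  /usr/bin/a2p -> $(SEC_CRIT) ;
  /usr/bin/s2p -> $(SEC_CRIT) ;
  /usr/bin/pstruct -> $(SEC_CRIT) ;
  /usr/bin/c2ph -> $(SEC_CRIT) ;
  /usr/bin/h2ph -> $(SEC_CRIT) ;
  /usr/bin/h2xs -> $(SEC_CRIT) ;
  /usr/bin/cpan -> $(SEC_CRIT) ;
  /usr/bin/psed -> $(SEC_CRIT) ;
  /usr/bin/libnetcfg -> $(SEC_CRIT) ;
  /usr/bin/pod2html -> $(SEC_CRIT) ;
  /usr/bin/pod2text -> $(SEC_CRIT) ;
  /usr/bin/pl2pm -> $(SEC_CRIT) ;
  /usr/bin/dprofpp -> $(SEC_CRIT) ;
  /usr/bin/find2perl -> $(SEC_CRIT) ;
  /usr/bin/perl5.8.8 -> $(SEC_CRIT) ;
  /usr/bin/enc2xs -> $(SEC_CRIT) ;
  /usr/bin/pod2latex -> $(SEC_CRIT) ;
  /usr/bin/perlcc -> $(SEC_CRIT) ;
  /usr/bin/piconv -> $(SEC_CRIT) ;
  /usr/bin/splain -> $(SEC_CRIT) ;
  /usr/bin/xsubpp -> $(SEC_CRIT) ;
  /usr/bin/perlbug -> $(SEC_CRIT) ;
  /usr/bin/perldoc -> $(SEC_CRIT) ;
  /usr/bin/perlivp -> $(SEC_CRIT) ;
  /usr/bin/pod2man -> $(SEC_CRIT) ;
  /usr/bin/instmodsh -> $(SEC_CRIT) ;
  /usr/bin/perl -> $(SEC_CRIT) ;
  #
  # The 'python' binaries
  #
  /usr/bin/idle -> $(SEC_CRIT) ;
  /usr/bin/pydoc -> $(SEC_CRIT) ;
  /usr/bin/python -> $(SEC_CRIT) ;
  /usr/bin/python2.4 -> $(SEC_CRIT) ;
  /usr/bin/python-config -> $(SEC_CRIT) ;
  /usr/bin/smtpd.py -> $(SEC_CRIT) ;
  /usr/sbin/python-updater -> $(SEC_CRIT) ;
  #
  # The 'ruby' binaries
  #
  /usr/bin/ri18 -> $(SEC_CRIT) ;
  /usr/bin/erb18 -> $(SEC_CRIT) ;
  /usr/bin/irb18 -> $(SEC_CRIT) ;
  /usr/bin/testrb18 -> $(SEC_CRIT) ;
  /usr/bin/rdoc18 -> $(SEC_CRIT) ;
  /usr/bin/ruby18 -> $(SEC_CRIT) ;
}

################
#              #
#   Editors    #
#              #
################
(
  rulename = "Editor programs",
  severity = $(SIG_HI)
)
{
  #
  # The 'nano' binaries
  #
  /bin/nano -> $(SEC_CRIT) ;
  /bin/rnano -> $(SEC_CRIT) ;
  /usr/bin/nano -> $(SEC_CRIT) ;
  #
  # The 'vim' binaries
  #
  /usr/bin/ex -> $(SEC_CRIT) ;
  /usr/bin/vim -> $(SEC_CRIT) ;
  /usr/bin/rvim -> $(SEC_CRIT) ;
  /usr/bin/view -> $(SEC_CRIT) ;
  /usr/bin/rview -> $(SEC_CRIT) ;
  /usr/bin/vimdiff -> $(SEC_CRIT) ;
  #
  # The 'ed' binaries
  #
  /bin/ed -> $(SEC_CRIT) ;
  /bin/red -> $(SEC_CRIT) ;
  #
  # The 'emacs' binaries
  #
  # dunno -- don't use (dk)
}

#########################
#                       #
#    Gentoo Specific    #
#                       #
#########################
#
# Portage is the package manager: the scripts under /usr/lib/portage/bin run
# as root during every merge, so a tampered one is a distribution-level
# supply-chain compromise of this host.  Every entry is $(SEC_CRIT).
#
(
  rulename = "Gentoo Specific Binaries",
  severity = $(SIG_HI)
)
{
  #
  # The 'portage' binaries
  #
  /usr/bin/xpak -> $(SEC_CRIT) ;
  /usr/bin/repoman -> $(SEC_CRIT) ;
  /usr/bin/portageq -> $(SEC_CRIT) ;
  /usr/bin/ebuild -> $(SEC_CRIT) ;
  /usr/bin/emerge -> $(SEC_CRIT) ;
  /usr/bin/tbz2tool -> $(SEC_CRIT) ;
  /usr/lib/portage/bin/fixpackages -> $(SEC_CRIT) ;
  /usr/lib/portage/bin/domo -> $(SEC_CRIT) ;
  /usr/lib/portage/bin/xpak -> $(SEC_CRIT) ;
  /usr/lib/portage/bin/fix-db.py -> $(SEC_CRIT) ;
  /usr/lib/portage/bin/dolib.so -> $(SEC_CRIT) ;
  /usr/lib/portage/bin/donewins -> $(SEC_CRIT) ;
  /usr/lib/portage/bin/env-update -> $(SEC_CRIT) ;
  /usr/lib/portage/bin/fixdbentries -> $(SEC_CRIT) ;
  /usr/lib/portage/bin/repoman -> $(SEC_CRIT) ;
  /usr/lib/portage/bin/dobin -> $(SEC_CRIT) ;
  /usr/lib/portage/bin/dodir -> $(SEC_CRIT) ;
  /usr/lib/portage/bin/dodoc -> $(SEC_CRIT) ;
  /usr/lib/portage/bin/doexe -> $(SEC_CRIT) ;
  /usr/lib/portage/bin/dojar -> $(SEC_CRIT) ;
  /usr/lib/portage/bin/doins -> $(SEC_CRIT) ;
  /usr/lib/portage/bin/dolib -> $(SEC_CRIT) ;
  /usr/lib/portage/bin/doman -> $(SEC_CRIT) ;
  /usr/lib/portage/bin/dosed -> $(SEC_CRIT) ;
  /usr/lib/portage/bin/dosym -> $(SEC_CRIT) ;
  /usr/lib/portage/bin/emake -> $(SEC_CRIT) ;
  /usr/lib/portage/bin/etc-update -> $(SEC_CRIT) ;
  /usr/lib/portage/bin/portage_gpg_update.sh -> $(SEC_CRIT) ;
  /usr/lib/portage/bin/doconfd -> $(SEC_CRIT) ;
  /usr/lib/portage/bin/doinitd -> $(SEC_CRIT) ;
  /usr/lib/portage/bin/dolib.a -> $(SEC_CRIT) ;
  /usr/lib/portage/bin/emerge-webrsync -> $(SEC_CRIT) ;
  /usr/lib/portage/bin/regenworld -> $(SEC_CRIT) ;
  /usr/lib/portage/bin/chkcontents -> $(SEC_CRIT) ;
  /usr/lib/portage/bin/portageq -> $(SEC_CRIT) ;
  /usr/lib/portage/bin/clean_locks -> $(SEC_CRIT) ;
  /usr/lib/portage/bin/prepstrip -> $(SEC_CRIT) ;
  /usr/lib/portage/bin/archive-conf -> $(SEC_CRIT) ;
  /usr/lib/portage/bin/ebuild -> $(SEC_CRIT) ;
  /usr/lib/portage/bin/doenvd -> $(SEC_CRIT) ;
  /usr/lib/portage/bin/dohard -> $(SEC_CRIT) ;
  /usr/lib/portage/bin/dohtml -> $(SEC_CRIT) ;
  /usr/lib/portage/bin/doinfo -> $(SEC_CRIT) ;
  /usr/lib/portage/bin/dosbin -> $(SEC_CRIT) ;
  /usr/lib/portage/bin/emaint -> $(SEC_CRIT) ;
  /usr/lib/portage/bin/emerge -> $(SEC_CRIT) ;
  /usr/lib/portage/bin/fowners -> $(SEC_CRIT) ;
  /usr/lib/portage/bin/fperms -> $(SEC_CRIT) ;
  /usr/lib/portage/bin/newenvd -> $(SEC_CRIT) ;
  /usr/lib/portage/bin/newsbin -> $(SEC_CRIT) ;
  /usr/lib/portage/bin/prepallman -> $(SEC_CRIT) ;
  /usr/lib/portage/bin/pkgmerge.new -> $(SEC_CRIT) ;
  /usr/lib/portage/bin/newbin -> $(SEC_CRIT) ;
  /usr/lib/portage/bin/newdoc -> $(SEC_CRIT) ;
  /usr/lib/portage/bin/newexe -> $(SEC_CRIT) ;
  /usr/lib/portage/bin/newins -> $(SEC_CRIT) ;
  /usr/lib/portage/bin/newman -> $(SEC_CRIT) ;
  /usr/lib/portage/bin/dispatch-conf -> $(SEC_CRIT) ;
  /usr/lib/portage/bin/md5check.py -> $(SEC_CRIT) ;
  /usr/lib/portage/bin/md5check.sh -> $(SEC_CRIT) ;
  /usr/lib/portage/bin/ebuild.sh -> $(SEC_CRIT) ;
  /usr/lib/portage/bin/pkgmerge -> $(SEC_CRIT) ;
  /usr/lib/portage/bin/prepinfo -> $(SEC_CRIT) ;
  /usr/lib/portage/bin/isolated-functions.sh -> $(SEC_CRIT) ;
  /usr/lib/portage/bin/prepallstrip -> $(SEC_CRIT) ;
  /usr/lib/portage/bin/newconfd -> $(SEC_CRIT) ;
  /usr/lib/portage/bin/newinitd -> $(SEC_CRIT) ;
  /usr/lib/portage/bin/newlib.a -> $(SEC_CRIT) ;
  /usr/lib/portage/bin/quickpkg -> $(SEC_CRIT) ;
  /usr/lib/portage/bin/prepalldocs -> $(SEC_CRIT) ;
  /usr/lib/portage/bin/prepallinfo -> $(SEC_CRIT) ;
  /usr/lib/portage/bin/env-update.sh -> $(SEC_CRIT) ;
  /usr/lib/portage/bin/pkgname -> $(SEC_CRIT) ;
  /usr/lib/portage/bin/newlib.so -> $(SEC_CRIT) ;
  /usr/lib/portage/bin/find-requires -> $(SEC_CRIT) ;
  /usr/lib/portage/bin/tbz2tool -> $(SEC_CRIT) ;
  /usr/lib/portage/bin/misc-functions.sh -> $(SEC_CRIT) ;
  /usr/lib/portage/bin/prepall -> $(SEC_CRIT) ;
  /usr/lib/portage/bin/preplib -> $(SEC_CRIT) ;
  /usr/lib/portage/bin/prepman -> $(SEC_CRIT) ;
  /usr/lib/portage/pym/getbinpkg.py -> $(SEC_CRIT) ;
  /usr/sbin/fixpackages -> $(SEC_CRIT) ;
  /usr/sbin/env-update -> $(SEC_CRIT) ;
  /usr/sbin/etc-update -> $(SEC_CRIT) ;
  /usr/sbin/emerge-webrsync -> $(SEC_CRIT) ;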
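# (remainder of the "Gentoo Specific Binaries" rule opened above this point)
  /usr/sbin/regenworld -> $(SEC_CRIT) ;
  /usr/sbin/archive-conf -> $(SEC_CRIT) ;
  /usr/sbin/emaint -> $(SEC_CRIT) ;
  /usr/sbin/dispatch-conf -> $(SEC_CRIT) ;
  /usr/sbin/quickpkg -> $(SEC_CRIT) ;
  #
  # The 'gentoolkit' binaries
  #
  /usr/bin/euse -> $(SEC_CRIT) ;
  /usr/bin/revdep-rebuild -> $(SEC_CRIT) ;
  /usr/bin/eclean-dist -> $(SEC_CRIT) ;
  /usr/bin/glsa-check -> $(SEC_CRIT) ;
  /usr/bin/eclean -> $(SEC_CRIT) ;
  /usr/bin/equery -> $(SEC_CRIT) ;
  /usr/bin/eclean-pkg -> $(SEC_CRIT) ;
  /usr/lib/gentoolkit/bin/find_pkgs.py -> $(SEC_CRIT) ;
  /usr/lib/gentoolkit/bin/genpkgindex -> $(SEC_CRIT) ;
  #
  # The 'baselayout' binaries (the init system: these run as root at boot)
  #
  /bin/rc-status -> $(SEC_CRIT) ;
  /usr/sbin/update-modules -> $(SEC_CRIT) ;
  /usr/sbin/MAKEDEV -> $(SEC_CRIT) ;
  /sbin/rc -> $(SEC_CRIT) ;
  /sbin/runscript.sh -> $(SEC_CRIT) ;
  /sbin/depscan.sh -> $(SEC_CRIT) ;
  /sbin/functions.sh -> $(SEC_CRIT) ;
  /sbin/update-modules -> $(SEC_CRIT) ;
  /sbin/MAKEDEV -> $(SEC_CRIT) ;
  /sbin/start-stop-daemon -> $(SEC_CRIT) ;
  /sbin/rc-update -> $(SEC_CRIT) ;
  /sbin/consoletype -> $(SEC_CRIT) ;
  /sbin/runscript -> $(SEC_CRIT) ;
  /sbin/env-update.sh -> $(SEC_CRIT) ;
  /sbin/modules-update -> $(SEC_CRIT) ;
}

#########################
#                       #
# Temporary directories #
#                       #
#########################
#
# recurse = false: the contents of the temp directories churn constantly and
# are deliberately not scanned.  Only the directory objects themselves are
# checked, with $(SEC_INVARIANT) (+tpug), so a lost sticky bit, a mode
# change or an ownership change on /tmp itself is still reported.
#
(
  rulename = "Temporary directories",
  recurse = false,
  severity = $(SIG_LOW)
)
{
  /usr/tmp -> $(SEC_INVARIANT) ; # link to /var/tmp
  /var/tmp -> $(SEC_INVARIANT) ;
  /tmp -> $(SEC_INVARIANT) ;
}

######################################################
#                                                    #
#          Critical System Boot Files                #
# These files are critical to a correct system boot. #
#                                                    #
######################################################
#
# NOTE: /boot must be mounted both when the database is created and when
# integrity checks run.  If it is a separate partition that is normally left
# unmounted, Tripwire only sees the empty mount point and the kernel and
# boot loader configuration are effectively unmonitored.
#
(
  rulename = "Critical system boot files",
  severity = $(SIG_HI)
)
{
  /boot -> $(SEC_CRIT) ;
  #
  # 'grub' files
  #
  /bin/mbchk -> $(SEC_CRIT) ;
  /lib/grub/i386-pc/e2fs_stage1_5 -> $(SEC_CRIT) ;
  /lib/grub/i386-pc/stage2_eltorito -> $(SEC_CRIT) ;
  /lib/grub/i386-pc/ufs2_stage1_5 -> $(SEC_CRIT) ;
  /lib/grub/i386-pc/iso9660_stage1_5 -> $(SEC_CRIT) ;
  /lib/grub/i386-pc/jfs_stage1_5 -> $(SEC_CRIT) ;
  /lib/grub/i386-pc/xfs_stage1_5 -> $(SEC_CRIT) ;
  /lib/grub/i386-pc/minix_stage1_5 -> $(SEC_CRIT) ;
  /lib/grub/i386-pc/fat_stage1_5 -> $(SEC_CRIT) ;
  /lib/grub/i386-pc/vstafs_stage1_5 -> $(SEC_CRIT) ;
  /lib/grub/i386-pc/stage1 -> $(SEC_CRIT) ;
  /lib/grub/i386-pc/stage2 -> $(SEC_CRIT) ;
  /lib/grub/i386-pc/reiserfs_stage1_5 -> $(SEC_CRIT) ;
  /lib/grub/i386-pc/ffs_stage1_5 -> $(SEC_CRIT) ;
  /sbin/grub -> $(SEC_CRIT) ;
  /sbin/grub-md5-crypt -> $(SEC_CRIT) ;
  /sbin/grub-terminfo -> $(SEC_CRIT) ;
  /sbin/grub-install -> $(SEC_CRIT) ;
  /sbin/grub-set-default -> $(SEC_CRIT) ;
  #
  # 'lilo' files
  #
  # dunno ---
}

##################################################
# These files change every time the system boots #
##################################################
#
# Objects here use $(SEC_CONFIG) = $(Dynamic), which checks type, ownership
# and permissions but NOT size or content hashes.  That is the right trade
# for device nodes and run-time state, but be aware of what it means for
# /var/log: a log that is truncated or edited will not be reported.  For
# log files that must only ever grow, $(SEC_LOG) (= $(Growing)) is the
# stronger mask, at the cost of a violation at every log rotation.
#
(
  rulename = "System boot changes",
  severity = $(SIG_HI)
)
{
  !/var/run/ftp.pids-all ; # Comes and goes on reboot.
  !/root/.enlightenment ;
  /dev/log -> $(SEC_CONFIG) ;
  /dev/cua0 -> $(SEC_CONFIG) ;
  # /dev/printer -> $(SEC_CONFIG) ; # Uncomment if you have a printer device
  /dev/console -> $(SEC_CONFIG) -u ; # User ID may change on console login/logout.
  /dev/tty1 -> $(SEC_CONFIG) ; # tty devices
  /dev/tty2 -> $(SEC_CONFIG) ; # tty devices
  /dev/tty3 -> $(SEC_CONFIG) ; # are extremely
  /dev/tty4 -> $(SEC_CONFIG) ; # variable
  /dev/tty5 -> $(SEC_CONFIG) ;
  /dev/tty6 -> $(SEC_CONFIG) ;
  /dev/urandom -> $(SEC_CONFIG) ;
  /dev/initctl -> $(SEC_CONFIG) ;
  /var/lock/subsys -> $(SEC_CONFIG) ;
  /var/run -> $(SEC_CONFIG) ;
  /var/log -> $(SEC_CONFIG) ; # see note above: content of logs is not checked
  /etc/ioctl.save -> $(SEC_CONFIG) ;
  /etc/issue -> $(SEC_CONFIG) ;
  /etc/mtab -> $(SEC_CONFIG) -i ; # Inode number changes on any mount/unmount
  /lib/modules -> $(SEC_CONFIG) ;
  /etc/.pwd.lock -> $(SEC_CONFIG) ;
}

# These files change the behavior of the root account
#
# /root is scanned recursively with the strictest mask, so anything root's
# shell or editors write there (history, per-session files) will show up as
# a violation.  Rather than loosening the whole directory, add explicit
# $(SEC_CONFIG) entries for the individual noisy files -- a more specific
# object name overrides the directory rule.
(
  rulename = "Root config files",
  severity = 100
)
{
  /root -> $(SEC_CRIT) ; # Catch all additions to /root
}

################################
#                              #
# Critical configuration files #
#                              #
################################
#
# Masks in this rule: $(SEC_BIN) = $(ReadOnly) hashes the content; files a
# legitimate administrator edits now and then get it anyway, because the
# cost is one expected violation that is cleared with a database update.
# $(SEC_CONFIG) = $(Dynamic) does NOT hash content and is reserved for
# objects that are rewritten at run time.  In the original tuning /etc/crontab,
# /etc/inittab, /etc/fstab, /etc/hosts, /etc/modprobe.conf and /etc/sysctl.conf
# were $(Dynamic): an extra cron line, a new inittab entry, a dropped nosuid
# mount option or a redirected hostname would all have passed unnoticed.
#
(
  rulename = "Critical configuration files",
  severity = $(SIG_HI)
)
{
  /etc/conf.d -> $(SEC_BIN) ;
  /etc/crontab -> $(SEC_BIN) ; # a new cron line is the classic persistence hook
  /etc/cron.deny -> $(SEC_BIN) ; # access-control list: content matters
  /etc/cron.hourly -> $(SEC_BIN) ;
  /etc/cron.daily -> $(SEC_BIN) ;
  /etc/cron.weekly -> $(SEC_BIN) ;
  /etc/cron.monthly -> $(SEC_BIN) ;
  /etc/default -> $(SEC_BIN) ;
  /etc/dev.d -> $(SEC_BIN) ;
  /etc/env.d -> $(SEC_BIN) ;
  /etc/fstab -> $(SEC_BIN) ; # mount options (nosuid/noexec/ro) are security controls
  # /etc/exports -> $(SEC_CONFIG) ; # uncomment for NFS
  /etc/group -> $(SEC_CRIT) ;
  /etc/group- -> $(SEC_CRIT) ;
  # /etc/gshadow -> $(SEC_CRIT) ; # uncomment for group shadow
  # /etc/gshadow- -> $(SEC_CRIT) ; # " " " "
  /etc/hotplug.d -> $(SEC_BIN) ;
  /etc/host.conf -> $(SEC_BIN) ;
  # /etc/hosts.allow -> $(SEC_BIN) ; # uncomment for tcpwrappers
  # /etc/hosts.deny -> $(SEC_BIN) ; # " " "
  /etc/protocols -> $(SEC_BIN) ;
  /etc/services -> $(SEC_BIN) ;
  /etc/init.d -> $(SEC_BIN) ;
  /etc/pam.d -> $(SEC_BIN) ;
  /etc/mail -> $(SEC_BIN) ;
  /etc/modules.autoload.d -> $(SEC_BIN) ;
  /etc/modules.d -> $(SEC_BIN) ;
  /etc/modprobe.conf -> $(SEC_BIN) ; # same mask as modules.conf: module aliases load code into the kernel
  /etc/modules.conf -> $(SEC_BIN) ;
  /etc/passwd -> $(SEC_CRIT) ;
  /etc/passwd- -> $(SEC_CRIT) ;
  /etc/shadow -> $(SEC_CRIT) ;
  /etc/shadow- -> $(SEC_CRIT) ;
  /etc/rpc -> $(SEC_BIN) ;
  # /etc/samba/smb.conf -> $(SEC_CONFIG) ; # uncomment for samba
  /etc/login.defs -> $(SEC_BIN) ;
  /etc/login.access -> $(SEC_BIN) ;
  /etc/nsswitch.conf -> $(SEC_BIN) ;
  /etc/yp.conf -> $(SEC_BIN) ;
  /etc/hosts -> $(SEC_BIN) ; # name resolution is consulted before DNS
  /etc/inittab -> $(SEC_BIN) ; # anything listed here is started by init as root
  /etc/resolv.conf -> $(SEC_CONFIG) ; # left Dynamic: may be rewritten by network configuration at run time
  /etc/sysctl.conf -> $(SEC_BIN) ; # kernel hardening knobs live here
  # Gentoo specific
  /etc/rc.conf -> $(SEC_BIN) ;
  /etc/make.conf -> $(SEC_BIN) ; # FEATURES/mirrors/CHOST: controls how every package is built and fetched
  /etc/make.globals -> $(SEC_BIN) ;
  /etc/make.profile -> $(SEC_CONFIG) ; # symlink that moves on a profile switch
}

####################
#                  #
# Critical devices #
#                  #
####################
#
# recurse = false and $(Device): only the object itself is checked, for
# ownership, permissions, size and device numbers -- no content hashing,
# which would be meaningless (or unbounded, for /proc/kcore) on these.
# A mode change on /dev/mem or /dev/kmem is the thing worth catching here.
#
(
  rulename = "Critical devices",
  severity = $(SIG_HI),
  recurse = false
)
{
  #
  # /dev devices
  #
  /dev/kmem -> $(Device) ;
  /dev/mem -> $(Device) ;
  /dev/null -> $(Device) ;
  /dev/zero -> $(Device) ;
  #
  # /proc files
  #
  /proc/devices -> $(Device) ;
  /proc/buddyinfo -> $(Device) ;
  /proc/slabinfo -> $(Device) ;
  /proc/fb -> $(Device) ;
  /proc/execdomains -> $(Device) ;
  /proc/diskstats -> $(Device) ;
  /proc/iomem -> $(Device) ;
  /proc/vmstat -> $(Device) ;
  /proc/net -> $(Device) ;
  /proc/sys -> $(Device) ;
  /proc/cpuinfo -> $(Device) ;
  /proc/modules -> $(Device) ;
  /proc/mounts -> $(Device) ;
  /proc/dma -> $(Device) ;
  /proc/filesystems -> $(Device) ;
  /proc/pci -> $(Device) ;
  /proc/interrupts -> $(Device) ;
  /proc/ioports -> $(Device) ;
  /proc/scsi -> $(Device) ;
  /proc/kcore -> $(Device) ;
  /proc/self -> $(Device) ;
  /proc/kmsg -> $(Device) ;
  /proc/stat -> $(Device) ;
  /proc/kallsyms -> $(Device) ;
  /proc/loadavg -> $(Device) ;
  /proc/uptime -> $(Device) ;
  /proc/locks -> $(Device) ;
  /proc/version -> $(Device) ;
  /proc/zoneinfo -> $(Device) ;
  /proc/meminfo -> $(Device) ;
  /proc/cmdline -> $(Device) ;
  /proc/misc -> $(Device) ;
}

# Rest of critical system binaries

# Libraries
(
  rulename = "Libraries",
  severity = $(SIG_MED)
)
{
  /usr/lib -> $(SEC_BIN) ;
  /usr/local/lib -> $(SEC_BIN) ;
}

# /sbin holds init, fsck, the firewall and network tools and the boot loader
# installer; it is as critical as /bin and /lib, so it is reported at
# $(SIG_HI) here instead of $(SIG_MED) under "User binaries".  The
# (recurse = 1) depth limit it had there is kept.
(
  rulename = "OS executables and libraries",
  severity = $(SIG_HI)
)
{
  /bin -> $(SEC_BIN) ;
  /lib -> $(SEC_BIN) ;
  /sbin -> $(SEC_BIN) (recurse = 1) ;
}

(
  rulename = "User binaries",
  severity = $(SIG_MED)
)
{
  /usr/bin -> $(SEC_BIN) (recurse = 1) ;
  /usr/sbin -> $(SEC_BIN) (recurse = 1) ;
  /usr/local/bin -> $(SEC_BIN) (recurse = 1) ;
}

# The whole of /etc/security; the individual PAM .conf files listed under
# "Security Related Programs" are more specific and take precedence.
(
  rulename = "Security Control",
  severity = $(SIG_HI)
)
{
  /etc/security -> $(SEC_CRIT) ;
}

#=============================================================================
#
# Copyright 2000 Tripwire, Inc. Tripwire is a registered trademark of Tripwire,
# Inc. in the United States and other countries. All rights reserved.
#
# Linux is a registered trademark of Linus Torvalds.
#
# UNIX is a registered trademark of The Open Group.
#
#=============================================================================
#
# Permission is granted to make and distribute verbatim copies of this document
# provided the copyright notice and this permission notice are preserved on all
# copies.
#
# Permission is granted to copy and distribute modified versions of this
# document under the conditions for verbatim copying, provided that the entire
# resulting derived work is distributed under the terms of a permission notice
# identical to this one.
#
# Permission is granted to copy and distribute translations of this document
# into another language, under the above conditions for modified versions,
# except that this permission notice may be stated in a translation approved by
# Tripwire, Inc.
#
# DCM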