
#
# Standard Debian Tripwire configuration
#
#
# This configuration covers the contents of all 'Essential: yes'
# packages along with any packages necessary for access to an internet
# or system availability, e.g. name services, mail services, PCMCIA
# support, RAID support, and backup/restore support.
#

#
# Global Variable Definitions
#
# These definitions override those in to configuration file.  Do not
# change them unless you understand what you're doing.
#

@@section GLOBAL
TWBIN = /usr/sbin;
TWETC = /etc/tripwire;
TWVAR = /var/lib/tripwire;

#
# File System Definitions
#
@@section FS

#
# First, some variables to make configuration easier
#
SEC_CRIT      = $(IgnoreNone)-SHa ; # Critical files that cannot change

SEC_BIN       = $(ReadOnly) ;        # Binaries that should not change

SEC_CONFIG    = $(Dynamic) ;         # Config files that are changed
                        # infrequently but accessed
                        # often

SEC_LOG       = $(Growing) ;         # Files that grow, but that
                                     # should never change ownership

SEC_INVARIANT = +tpug ;              # Directories that should never
                        # change permission or ownership

SIG_LOW       = 33 ;                 # Non-critical files that are of
                                     # minimal security impact

SIG_MED       = 66 ;                 # Non-critical files that are of
                                     # significant security impact

SIG_HI        = 100 ;                # Critical files that are
                                     # significant points of
                                     # vulnerability

#
# Tripwire Binaries
#
(
  rulename = "Tripwire Binaries",
  severity = $(SIG_HI)
)
{
        $(TWBIN)/siggen                 -> $(SEC_BIN) ;
        $(TWBIN)/tripwire               -> $(SEC_BIN) ;
        $(TWBIN)/twadmin                -> $(SEC_BIN) ;
        $(TWBIN)/twprint                -> $(SEC_BIN) ;
}

#
# Tripwire Data Files - Configuration Files, Policy Files, Keys,
# Reports, Databases
#

# NOTE: We remove the inode attribute because when Tripwire creates a
# backup, it does so by renaming the old file and creating a new one
# (which will have a new inode number).  Inode is left turned on for
# keys, which shouldn't ever change.

# NOTE: The first integrity check triggers this rule and each
# integrity check afterward triggers this rule until a database update
# is run, since the database file does not exist before that point.
(
  rulename = "Tripwire Data Files",
  severity = $(SIG_HI)
)
{
        $(TWVAR)/$(HOSTNAME).twd        -> $(SEC_CONFIG) -i ;
        $(TWETC)/tw.pol                 -> $(SEC_BIN) -i ;
        $(TWETC)/tw.cfg                 -> $(SEC_BIN) -i ;
        $(TWETC)/$(HOSTNAME)-local.key  -> $(SEC_BIN) ;
        $(TWETC)/site.key               -> $(SEC_BIN) ;

        #don't scan the individual reports
        $(TWVAR)/report                 -> $(SEC_CONFIG) (recurse=0) ;
}

#
# Critical System Boot Files
# These files are critical to a correct system boot.
#
(
  rulename = "Critical system boot files",
  severity = $(SIG_HI)
)
{
        /boot                   -> $(SEC_CRIT) ;
        /lib/modules            -> $(SEC_CRIT) ;
}

(
  rulename = "Boot Scripts",
  severity = $(SIG_HI)
)
{
        /etc/init.d             -> $(SEC_BIN) ;
        /etc/rc.boot            -> $(SEC_BIN) ;
        /etc/rcS.d              -> $(SEC_BIN) ;
        /etc/rc0.d              -> $(SEC_BIN) ;
        /etc/rc1.d              -> $(SEC_BIN) ;
        /etc/rc2.d              -> $(SEC_BIN) ;
        /etc/rc3.d              -> $(SEC_BIN) ;
        /etc/rc4.d              -> $(SEC_BIN) ;
        /etc/rc5.d              -> $(SEC_BIN) ;
        /etc/rc6.d              -> $(SEC_BIN) ;
}


#
# Critical executables
#
(
  rulename = "Root file-system executables",
  severity = $(SIG_HI)
)
{
        /bin                    -> $(SEC_BIN) ;
        /sbin                   -> $(SEC_BIN) ;
}

#
# Critical Libraries
#
(
  rulename = "Root file-system libraries",
  severity = $(SIG_HI)
)
{
        /lib                    -> $(SEC_BIN) ;
}


#
# Login and Privilege Raising Programs
#
(
  rulename = "Security Control",
  severity = $(SIG_MED)
)
{
        /etc/passwd             -> $(SEC_CONFIG) ;
        /etc/shadow             -> $(SEC_CONFIG) ;
}




#
# These files change every time the system boots
#
(
  rulename = "System boot changes",
  severity = $(SIG_HI)
)
{
        /var/lock               -> $(SEC_CONFIG) ;
        /var/run                -> $(SEC_CONFIG) ; # daemon PIDs
        /var/log                -> $(SEC_CONFIG) ;
}

# These files change the behavior of the root account
(
  rulename = "Root config files",
  severity = 100
)
{
        /root                           -> $(SEC_CRIT) ; # Catch all additions to /root
#       /root/mail                      -> $(SEC_CONFIG) ;
#       /root/Mail                      -> $(SEC_CONFIG) ;
#       /root/.xsession-errors          -> $(SEC_CONFIG) ;
        /root/.xauth                    -> $(SEC_CONFIG) ;
        /root/.tcshrc                   -> $(SEC_CONFIG) ;
#       /root/.sawfish                  -> $(SEC_CONFIG) ;
#       /root/.pinerc                   -> $(SEC_CONFIG) ;
#       /root/.mc                       -> $(SEC_CONFIG) ;
#       /root/.gnome_private            -> $(SEC_CONFIG) ;
#       /root/.gnome-desktop            -> $(SEC_CONFIG) ;
#       /root/.gnome                    -> $(SEC_CONFIG) ;
#       /root/.esd_auth                 -> $(SEC_CONFIG) ;
#       /root/.elm                      -> $(SEC_CONFIG) ;
#       /root/.cshrc                    -> $(SEC_CONFIG) ;
#       /root/.bashrc                   -> $(SEC_CONFIG) ;
#       /root/.bash_profile             -> $(SEC_CONFIG) ;
#       /root/.bash_logout              -> $(SEC_CONFIG) ;
#       /root/.bash_history             -> $(SEC_CONFIG) ;
#       /root/.amandahosts              -> $(SEC_CONFIG) ;
#       /root/.addressbook.lu           -> $(SEC_CONFIG) ;
#       /root/.addressbook              -> $(SEC_CONFIG) ;
#       /root/.Xresources               -> $(SEC_CONFIG) ;
#       /root/.Xauthority               -> $(SEC_CONFIG) -i ; # Changes Inode number on login
#       /root/.ICEauthority                 -> $(SEC_CONFIG) ;
}

#
# Critical devices
#
(
  rulename = "Devices & Kernel information",
  severity = $(SIG_HI),
)
{
#       /dev            -> $(Device) ;
#       /proc           -> $(Device) ;
}

#
# Other configuration files
#
(
  rulename = "Other configuration files",
  severity = $(SIG_MED)
)
{
        /etc            -> $(SEC_BIN) ;
}

#
# Binaries
#
(
  rulename = "Other binaries",
  severity = $(SIG_MED)
)
{
        /usr/local/sbin -> $(SEC_BIN) ;
        /usr/local/bin  -> $(SEC_BIN) ;
        /usr/sbin       -> $(SEC_BIN) ;
        /usr/bin        -> $(SEC_BIN) ;
}

#
# Libraries
#
(
  rulename = "Other libraries",
  severity = $(SIG_MED)
)
{
        /usr/local/lib  -> $(SEC_BIN) ;
        /usr/lib        -> $(SEC_BIN) ;
}

#
# Commonly accessed directories that should remain static with regards
# to owner and group
#
(
  rulename = "Invariant Directories",
  severity = $(SIG_MED)
)
{
        /               -> $(SEC_INVARIANT) (recurse = 0) ;
        /home           -> $(SEC_INVARIANT) (recurse = 0) ;
        /tmp            -> $(SEC_INVARIANT) (recurse = 0) ;
        /usr            -> $(SEC_INVARIANT) (recurse = 0) ;
        /var            -> $(SEC_INVARIANT) (recurse = 0) ;
        /var/tmp        -> $(SEC_INVARIANT) (recurse = 0) ;
}

