Tripwire Policy file which works out of the box for SuSE 9?
Hi everybody,

Since I am a lazy person and always happy to thrive on the work of other people I was wondering whether SuSE had prepared a thoughtful Tripwire policy file which works out of the box with a SuSE 9 standard installation.

I only found the example configuration for Red Hat 7; this simply doesn't fit SuSE 9 without major modifications. And frankly speaking: I think creating a Tripwire policy file from scratch is slave labour ;-)

So is there a working template for SuSE 9 to start from or do I have to be my own vi monkey and make the changes myself?

cheers,
Tobias W.

--
Tobias Weisserth
tobias@weisserth.[de|com|net|org]
http://www.weisserth.org
Encrypted mail is welcome. Key and fingerprint: http://imprint.weisserth.org
Quoting Tobias Weisserth <tobias@weisserth.de>:
Since I am a lazy person and always happy to thrive on the work of other people I was wondering whether SuSE had prepared a thoughtful Tripwire policy file which works out of the box with a SuSE 9 standard installation.
I only found the example configuration for Red Hat 7 this simply doesn't fit SuSE 9 without major modifications. And frankly speaking: I think creating a Tripwire policy file from scratch is slave labour ;-)
So is there a working template for SuSE 9 to start from or do I have to be my own vi monkey and make the changes myself?
Attached is one of mine. It's pretty basic, I just stripped down the redhat one and moved some things... no big deal, but it covers the basics...
Hi,

On Fri, 02.04.2004 at 23:43, suse@rio.vg wrote:
Attached is one of mine. It's pretty basic, I just stripped down the redhat one and moved some things... no big deal, but it covers the basics...
You mean it *had* been attached ;-) Obviously, attachment filtering on mailing lists has its downsides too... But thanks anyway ;-)

cheers,
Tobias
Quoting Tobias Weisserth <tobias@weisserth.de>:
On Fri, 02.04.2004 at 23:43, suse@rio.vg wrote:
Attached is one of mine. It's pretty basic, I just stripped down the redhat one and moved some things... no big deal, but it covers the basics...
You mean it *had* been attached ;-) Obviously, attachment filtering on mailing lists has its downsides too...
But thanks anyway ;-)
OK, time to do this the old-fashioned way...

##############################################################################
#                                                                            #
#                        Global Variable Definitions                         #
#                                                                            #
# These are defined at install time by the installation script. You may      #
# manually edit these if you are using this file directly and not from the   #
# installation script itself.                                                #
#                                                                            #
##############################################################################

@@section GLOBAL
TWROOT=/usr/sbin;
TWBIN=/usr/sbin;
TWPOL="/etc/tripwire";
TWDB="/var/lib/tripwire";
TWSKEY="/etc/tripwire";
TWLKEY="/etc/tripwire";
TWREPORT="/var/lib/tripwire/report";
HOSTNAME=shoggoth;

@@section FS
SEC_CRIT      = $(IgnoreNone)-SHa ;  # Critical files that cannot change
SEC_SUID      = $(IgnoreNone)-SHa ;  # Binaries with the SUID or SGID flags set
SEC_BIN       = $(ReadOnly) ;        # Binaries that should not change
SEC_CONFIG    = $(Dynamic) ;         # Config files that are changed infrequently but accessed often
SEC_LOG       = $(Growing) ;         # Files that grow, but that should never change ownership
SEC_INVARIANT = +tpug ;              # Directories that should never change permission or ownership
SIG_LOW       = 33 ;                 # Non-critical files that are of minimal security impact
SIG_MED       = 66 ;                 # Non-critical files that are of significant security impact
SIG_HI        = 100 ;                # Critical files that are significant points of vulnerability

# Tripwire Binaries
(
  rulename = "Tripwire Binaries",
  severity = $(SIG_HI)
)
{
  $(TWBIN)/siggen   -> $(SEC_BIN) ;
  $(TWBIN)/tripwire -> $(SEC_BIN) ;
  $(TWBIN)/twadmin  -> $(SEC_BIN) ;
  $(TWBIN)/twprint  -> $(SEC_BIN) ;
}

# Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases
(
  rulename = "Tripwire Data Files",
  severity = $(SIG_HI)
)
{
  # NOTE: We remove the inode attribute because when Tripwire creates a backup,
  # it does so by renaming the old file and creating a new one (which will
  # have a new inode number). Inode is left turned on for keys, which shouldn't
  # ever change.

  # NOTE: The first integrity check triggers this rule and each integrity check
  # afterward triggers this rule until a database update is run, since the
  # database file does not exist before that point.
  $(TWDB)                         -> $(SEC_CONFIG) -i ;
  $(TWPOL)/tw.pol                 -> $(SEC_BIN) -i ;
  $(TWPOL)/tw.cfg                 -> $(SEC_BIN) -i ;
  $(TWLKEY)/$(HOSTNAME)-local.key -> $(SEC_BIN) ;
  $(TWSKEY)/site.key              -> $(SEC_BIN) ;

  # don't scan the individual reports
  $(TWREPORT)                     -> $(SEC_CONFIG) (recurse=0) ;
}

# Tripwire HQ Connector Binaries
#(
#  rulename = "Tripwire HQ Connector Binaries",
#  severity = $(SIG_HI)
#)
#{
#  $(TWBIN)/hqagent -> $(SEC_BIN) ;
#}
#
# Tripwire HQ Connector - Configuration Files, Keys, and Logs
##############################################################################
#                                                                            #
# Note: File locations here are different than in a stock HQ Connector       #
# installation. This is because Tripwire 2.3 uses a different path           #
# structure than Tripwire 2.2.1.                                             #
#                                                                            #
# You may need to update your HQ Agent configuration file (or this policy    #
# file) to correct the paths. We have attempted to support the FHS standard  #
# here by placing the HQ Agent files similarly to the way Tripwire 2.3       #
# places them.                                                               #
#                                                                            #
##############################################################################
#(
#  rulename = "Tripwire HQ Connector Data Files",
#  severity = $(SIG_HI)
#)
#{
#  ###########################################################################
#  # NOTE: Removing the inode attribute because when Tripwire creates a backup
#  # it does so by renaming the old file and creating a new one (which will
#  # have a new inode number). Leaving inode turned on for keys, which
#  # shouldn't ever change.
#  ###########################################################################
#
#  $(TWBIN)/agent.cfg           -> $(SEC_BIN) -i ;
#  $(TWLKEY)/authentication.key -> $(SEC_BIN) ;
#  $(TWDB)/tasks.dat            -> $(SEC_CONFIG) ;
#  $(TWDB)/schedule.dat         -> $(SEC_CONFIG) ;
#
#  # Uncomment if you have agent logging enabled.
#  #/var/log/tripwire/agent.log -> $(SEC_LOG) ;
#}

# Commonly accessed directories that should remain static with regards to owner and group
(
  rulename = "Invariant Directories",
  severity = $(SIG_MED)
)
{
  / -> $(SEC_INVARIANT) (recurse = 0) ;
}

################################################
#                                              #
# File System and Disk Administration Programs #
#                                              #
################################################
(
  rulename = "System Binaries",
  severity = $(SIG_HI)
)
{
  /sbin -> $(SEC_CRIT) (recurse = 1) ;
  /bin  -> $(SEC_CRIT) (recurse = 1) ;
}

#########################
#                       #
# Temporary directories #
#                       #
#########################
(
  rulename = "Temporary directories",
  recurse = false,
  severity = $(SIG_LOW)
)
{
  /usr/tmp -> $(SEC_INVARIANT) ;
  /var/tmp -> $(SEC_INVARIANT) ;
  /tmp     -> $(SEC_INVARIANT) ;
}

###############
#             #
# Local files #
#             #
###############
(
  rulename = "User binaries",
  severity = $(SIG_MED)
)
{
  /usr/bin        -> $(SEC_BIN) (recurse = 1) ;
  /usr/sbin       -> $(SEC_BIN) (recurse = 1) ;
  /usr/local/bin  -> $(SEC_BIN) (recurse = 1) ;
  /usr/local/sbin -> $(SEC_BIN) (recurse = 1) ;
}

(
  rulename = "Root & Configs",
  severity = $(SIG_HI)
)
{
  /etc  -> $(SEC_CRIT) (recurse = 1) ;
  /boot -> $(SEC_CRIT) (recurse = 1) ;
  /root -> $(SEC_CRIT) (recurse = 1) ;  # Catch all additions to /root
}

# Libraries
(
  rulename = "Libraries",
  severity = $(SIG_HI)
)
{
  /lib           -> $(SEC_BIN) (recurse = 1) ;
  /usr/lib       -> $(SEC_BIN) (recurse = 1) ;
  /usr/local/lib -> $(SEC_BIN) (recurse = 1) ;
}

##################################################
# These files change every time the system boots #
##################################################
(
  rulename = "System boot changes",
  severity = $(SIG_HI)
)
{
  !/var/run/ftp.pids-all ;              # Comes and goes on reboot.
  /dev/log       -> $(SEC_CONFIG) ;
  /dev/cua0      -> $(SEC_CONFIG) ;
  /dev/console   -> $(SEC_CONFIG) -u ;  # User ID may change on console login/logout.
  /dev/tty1      -> $(SEC_CONFIG) ;     # tty devices
  /dev/tty2      -> $(SEC_CONFIG) ;     # tty devices
  /dev/tty3      -> $(SEC_CONFIG) ;     # are extremely
  /dev/tty4      -> $(SEC_CONFIG) ;     # variable
  /dev/tty5      -> $(SEC_CONFIG) ;
  /dev/tty6      -> $(SEC_CONFIG) ;
  /dev/urandom   -> $(SEC_CONFIG) ;
  /dev/initctl   -> $(SEC_CONFIG) ;
  /etc/issue.net -> $(SEC_CONFIG) -i ;  # Inode number changes
  /etc/mtab      -> $(SEC_CONFIG) -i ;  # Inode number changes on any mount/unmount
}

####################
#                  #
# Critical devices #
#                  #
####################
(
  rulename = "Critical devices",
  severity = $(SIG_HI),
  recurse = false
)
{
  /dev/kmem         -> $(Device) ;
  /dev/mem          -> $(Device) ;
  /dev/null         -> $(Device) ;
  /dev/zero         -> $(Device) ;
  /proc/devices     -> $(Device) ;
  /proc/net         -> $(Device) ;
  /proc/sys         -> $(Device) ;
  /proc/cpuinfo     -> $(Device) ;
  /proc/modules     -> $(Device) ;
  /proc/mounts      -> $(Device) ;
  /proc/dma         -> $(Device) ;
  /proc/filesystems -> $(Device) ;
  /proc/pci         -> $(Device) ;
  /proc/interrupts  -> $(Device) ;
  /proc/driver/rtc  -> $(Device) ;
  /proc/ioports     -> $(Device) ;
  #/proc/scsi       -> $(Device) ;
  /proc/kcore       -> $(Device) ;
  /proc/self        -> $(Device) ;
  /proc/kmsg        -> $(Device) ;
  /proc/stat        -> $(Device) ;
  /proc/ksyms       -> $(Device) ;
  /proc/loadavg     -> $(Device) ;
  /proc/uptime      -> $(Device) ;
  /proc/locks       -> $(Device) ;
  /proc/version     -> $(Device) ;
  /proc/mdstat      -> $(Device) ;
  /proc/meminfo     -> $(Device) ;
  /proc/cmdline     -> $(Device) ;
  /proc/misc        -> $(Device) ;
}
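The policy above was cut down from the Red Hat one by hand, and anyone doing the same for SuSE 9 runs into the same first chore: rules that name paths the distribution does not have (a device node, /usr/tmp, an HQ agent file) make tripwire complain about every one of them on each --init and --check until they are pruned. The script below is an added example written for this thread; it is not part of the posted policy, of Tripwire, or of SuSE. It parses the policy syntax used above (variable definitions, rule attribute blocks, `object -> mask (attrs) ;` lines, `-i` style modifiers, and `!` stop points) and lists the objects whose paths do not exist on the host, per rule. SAMPLE_POLICY is a constructed excerpt in the same shape, not the full file, and the `exists` parameter of missing_paths is there so the check can be run against a fixed set of paths as well as the real filesystem.

```python
import os
import re

# Constructed excerpt in the shape of the policy file posted in this thread; it is
# not the full file, just enough to exercise each construct (variables, rule
# attributes, object -> mask lines, modifiers such as -i, and a ! stop point).
SAMPLE_POLICY = """
@@section GLOBAL
TWBIN=/usr/sbin;
TWPOL="/etc/tripwire";

@@section FS
SEC_CRIT   = $(IgnoreNone)-SHa ;   # Critical files that cannot change
SEC_BIN    = $(ReadOnly) ;         # Binaries that should not change
SEC_CONFIG = $(Dynamic) ;          # Config files changed infrequently
SIG_HI     = 100 ;

(
  rulename = "Tripwire Binaries",
  severity = $(SIG_HI)
)
{
  $(TWBIN)/tripwire -> $(SEC_BIN) ;
  $(TWPOL)/tw.pol   -> $(SEC_BIN) -i ;
}

(
  rulename = "System boot changes",
  severity = $(SIG_HI)
)
{
  !/var/run/ftp.pids-all ;                 # stop point: comes and goes on reboot
  /etc/mtab -> $(SEC_CONFIG) -i ;          # inode changes on mount/unmount
  /tmp      -> +tpug (recurse = 0) ;
}
"""

VAR_REF = re.compile(r"\$\(([A-Za-z_]\w*)\)")
VAR_DEF = re.compile(r"^\s*([A-Za-z_]\w*)\s*=\s*(.*?)\s*;", re.MULTILINE)
# A rule is "( attributes ) { body }"; the attribute list may contain one level of
# parentheses itself, e.g. severity = $(SIG_HI).
RULE = re.compile(r"\(((?:[^()]|\([^()]*\))*)\)\s*\{([^}]*)\}", re.DOTALL)
RULE_ATTR = re.compile(r'(\w+)\s*=\s*("[^"]*"|\$\([^)]*\)|[^,)\s]+)')
# object -> property mask [modifiers] [(rule attributes)]
OBJECT = re.compile(r"^(\S+)\s*->\s*(.*?)\s*(?:\(\s*(\w+\s*=[^)]*)\))?\s*$")


def strip_comments(text):
    """Drop '#' comments (to end of line) before parsing."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def expand(value, variables, limit=10):
    """Substitute $(NAME) from the policy's own definitions. Tripwire's built-in
    masks ($(ReadOnly), $(Dynamic), ...) are not defined here and stay as written."""
    for _ in range(limit):
        new = VAR_REF.sub(lambda m: variables.get(m.group(1), m.group(0)), value)
        if new == value:
            break
        value = new
    return value


def parse_policy(text):
    """Return a list of rules: name, numeric severity, objects and stop points."""
    text = strip_comments(text)
    # Variable definitions live outside rule blocks, so parse them with the rules removed.
    variables = {}
    for name, value in VAR_DEF.findall(RULE.sub("", text)):
        variables[name] = expand(value.strip('"'), variables)
    rules = []
    for header, body in RULE.findall(text):
        attrs = {k: expand(v.strip('"'), variables) for k, v in RULE_ATTR.findall(header)}
        rule = {"name": attrs.get("rulename", "<unnamed>"),
                "severity": int(attrs["severity"]) if "severity" in attrs else None,
                "objects": [], "stops": []}
        for stmt in body.split(";"):
            stmt = " ".join(stmt.split())          # collapse whitespace and newlines
            if not stmt:
                continue
            if stmt.startswith("!"):               # stop point: never scanned
                rule["stops"].append(expand(stmt[1:].strip(), variables))
                continue
            m = OBJECT.match(stmt)
            if not m:
                raise ValueError("unparsed statement in rule %r: %s" % (rule["name"], stmt))
            rule["objects"].append({"path": expand(m.group(1), variables),
                                    "mask": expand(m.group(2), variables),
                                    "attrs": m.group(3)})
        rules.append(rule)
    return rules


def missing_paths(rules, exists=os.path.exists):
    """(rule name, path) for every object whose path is absent on this host."""
    return [(r["name"], o["path"]) for r in rules for o in r["objects"] if not exists(o["path"])]


if __name__ == "__main__":
    for name, path in missing_paths(parse_policy(SAMPLE_POLICY)):
        print("rule %r: %s does not exist on this host" % (name, path))
```

To run it against a real policy, read the file into `text` and call `missing_paths(parse_policy(text))`; the stop points are parsed but deliberately not checked, since a `!` entry is expected to come and go.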
Hi,

On Fri, 02.04.2004 at 23:55, suse@rio.vg wrote: ...
OK, time to do this the old-fashioned way...
Many thanks :-) I'll see if I can extend it a little bit and post it here in return.

Thanks,
Tobias
Hi everybody,

Google has been on my side again :-) I haven't tried it yet but it looks promising: http://www.tripwire.com/servlet/OsChoose

I'd appreciate example policies for SuSE nonetheless though ;-)

cheers,
Tobias