authorCy Schubert <cy@FreeBSD.org>2002-03-01 01:47:15 +0000
committerCy Schubert <cy@FreeBSD.org>2002-03-01 01:47:15 +0000
commita6459ea267edc65be49643d7dbaf21aef748a6b9 (patch)
tree95c3922ca5d84f1fd08078adc3c6a6a1b808cccc /security/tripwire/files/twpol.m4
parent61a0b70bc93ba108f14eb356a1f4cb516d2bcbbc (diff)
Update from 1.2 (academic source release) to 2.3.1-2 (open source Linux
release). Compared with Tripwire 1.x, 2.x is a complete rewrite. PR: ports/29137 Submitted by: nectar (first review), cjc (second review)
Notes
Notes: svn path=/head/; revision=55363
Diffstat (limited to 'security/tripwire/files/twpol.m4')
-rw-r--r--security/tripwire/files/twpol.m4655
1 files changed, 655 insertions, 0 deletions
diff --git a/security/tripwire/files/twpol.m4 b/security/tripwire/files/twpol.m4
new file mode 100644
index 000000000000..ec60af2535da
--- /dev/null
+++ b/security/tripwire/files/twpol.m4
@@ -0,0 +1,655 @@
+#
+# Policy file for FreeBSD
+#
+$FreeBSD$
+
+
+#
+# This is the example Tripwire Policy file. It is intended as a place to
+# start creating your own custom Tripwire Policy file. Referring to it as
+# well as the Tripwire Policy Guide should give you enough information to
+# make a good custom Tripwire Policy file that better covers your
+# configuration and security needs. A text version of this policy file is
+# called twpol.txt.
+#
+# Note that this file is tuned to an install of FreeBSD using
+# buildworld. If run unmodified, this file should create no errors on
+# database creation, or violations on a subsiquent integrity check.
+# However it is impossible for there to be one policy file for all machines,
+# so this existing one errs on the side of security. Your FreeBSD
+# configuration will most likey differ from the one our policy file was
+# tuned to, and will therefore require some editing of the default
+# Tripwire Policy file.
+#
+# The example policy file is best run with 'Loose Directory Checking'
+# enabled. Set LOOSEDIRECTORYCHECKING=TRUE in the Tripwire Configuration
+# file.
+#
+# Email support is not included and must be added to this file.
+# Add the 'emailto=' to the rule directive section of each rule (add a comma
+# after the 'severity=' line and add an 'emailto=' and include the email
+# addresses you want the violation reports to go to). Addresses are
+# semi-colon delimited.
+#
+
+
+
+#
+# Global Variable Definitions
+#
+# These are defined at install time by the installation script. You may
+# Manually edit these if you are using this file directly and not from the
+# installation script itself.
+#
+
+@@section GLOBAL
+TWROOT=;
+TWBIN=;
+TWPOL=;
+TWDB=;
+TWSKEY=;
+TWLKEY=;
+TWREPORT=;
+HOSTNAME=;
+
+@@section FS
+SEC_CRIT = $(IgnoreNone)-SHa ; # Critical files that cannot change
+SEC_SUID = $(IgnoreNone)-SHa ; # Binaries with the SUID or SGID flags set
+SEC_BIN = $(ReadOnly) ; # Binaries that should not change
+SEC_CONFIG = $(Dynamic) ; # Config files that are changed infrequently but accessed often
+SEC_TTY = $(Dynamic)-ugp ; # Tty files that change ownership at login
+SEC_LOG = $(Growing) ; # Files that grow, but that should never change ownership
+SEC_INVARIANT = +tpug ; # Directories that should never change permission or ownership
+SIG_LOW = 33 ; # Non-critical files that are of minimal security impact
+SIG_MED = 66 ; # Non-critical files that are of significant security impact
+SIG_HI = 100 ; # Critical files that are significant points of vulnerability
+
+
+# Tripwire Binaries
+(
+ rulename = "Tripwire Binaries",
+ severity = $(SIG_HI)
+)
+{
+ $(TWBIN)/siggen -> $(SEC_BIN) ;
+ $(TWBIN)/tripwire -> $(SEC_BIN) ;
+ $(TWBIN)/twadmin -> $(SEC_BIN) ;
+ $(TWBIN)/twprint -> $(SEC_BIN) ;
+}
+
+# Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases
+(
+ rulename = "Tripwire Data Files",
+ severity = $(SIG_HI)
+)
+{
+ # NOTE: We remove the inode attribute because when Tripwire creates a backup,
+ # it does so by renaming the old file and creating a new one (which will
+ # have a new inode number). Inode is left turned on for keys, which shouldn't
+ # ever change.
+
+ # NOTE: The first integrity check triggers this rule and each integrity check
+ # afterward triggers this rule until a database update is run, since the
+ # database file does not exist before that point.
+
+ $(TWDB) -> $(SEC_CONFIG) -i ;
+ $(TWPOL)/tw.pol -> $(SEC_BIN) -i ;
+ $(TWPOL)/tw.cfg -> $(SEC_BIN) -i ;
+ $(TWPOL)/twcfg.txt -> $(SEC_BIN) ;
+ $(TWPOL)/twpol.txt -> $(SEC_BIN) ;
+ $(TWLKEY)/$(HOSTNAME)-local.key -> $(SEC_BIN) ;
+ $(TWSKEY)/site.key -> $(SEC_BIN) ;
+
+ #don't scan the individual reports
+ $(TWREPORT) -> $(SEC_CONFIG) (recurse=0) ;
+}
+
+
+# Tripwire HQ Connector Binaries
+#(
+# rulename = "Tripwire HQ Connector Binaries",
+# severity = $(SIG_HI)
+#)
+#{
+# $(TWBIN)/hqagent -> $(SEC_BIN) ;
+#}
+#
+# Tripwire HQ Connector - Configuration Files, Keys, and Logs
+
+#
+# Note: File locations here are different than in a stock HQ Connector
+# installation. This is because Tripwire 2.3 uses a different path
+# structure than Tripwire 2.2.1.
+#
+# You may need to update your HQ Agent configuation file (or this policy
+# file) to correct the paths. We have attempted to support the FHS standard
+# here by placing the HQ Agent files similarly to the way Tripwire 2.3
+# places them.
+#
+
+#(
+# rulename = "Tripwire HQ Connector Data Files",
+# severity = $(SIG_HI)
+#)
+#{
+#
+# # NOTE: Removing the inode attribute because when Tripwire creates a backup
+# # it does so by renaming the old file and creating a new one (which will
+# # have a new inode number). Leaving inode turned on for keys, which
+# # shouldn't ever change.
+#
+#
+# $(TWBIN)/agent.cfg -> $(SEC_BIN) -i ;
+# $(TWLKEY)/authentication.key -> $(SEC_BIN) ;
+# $(TWDB)/tasks.dat -> $(SEC_CONFIG) ;
+# $(TWDB)/schedule.dat -> $(SEC_CONFIG) ;
+#
+# # Uncomment if you have agent logging enabled.
+# #/var/log/tripwire/agent.log -> $(SEC_LOG) ;
+#}
+
+
+
+# Commonly accessed directories that should remain static with regards to owner and group
+(
+ rulename = "Invariant Directories",
+ severity = $(SIG_MED)
+)
+{
+ / -> $(SEC_INVARIANT) (recurse = false) ;
+ /home -> $(SEC_INVARIANT) (recurse = false) ;
+}
+
+#
+# First, root's "home"
+#
+
+(
+ rulename = "Root's home",
+ severity = $(SIG_HI)
+)
+{
+ # /.rhosts -> $(SEC_CRIT) ;
+ /.profile -> $(SEC_CRIT) ;
+ /.cshrc -> $(SEC_CRIT) ;
+ /.login -> $(SEC_CRIT) ;
+ # /.exrc -> $(SEC_CRIT) ;
+ # /.logout -> $(SEC_CRIT) ;
+ # /.forward -> $(SEC_CRIT) ;
+ /root -> $(SEC_CRIT) (recurse = true) ;
+ !/root/.history ;
+ !/root/.bash_history ;
+ # !/root/.lsof_SYSTEM_NAME ; # Uncomment if lsof is installed
+}
+
+
+#
+# FreeBSD Kernel
+#
+
+(
+ rulename = "FreeBSD Kernel",
+ severity = $(SIG_HI)
+)
+{
+ /kernel -> $(SEC_CRIT) ;
+ /kernel.old -> $(SEC_CRIT) ;
+ /kernel.GENERIC -> $(SEC_CRIT) ;
+}
+
+
+#
+# FreeBSD Modules
+#
+
+(
+ rulename = "FreeBSD Modules",
+ severity = $(SIG_HI)
+)
+{
+ /modules -> $(SEC_CRIT) (recurse = true) ;
+ /modules.old -> $(SEC_CRIT) (recurse = true) ;
+ # /lkm -> $(SEC_CRIT) (recurse = true) ; # uncomment if using lkm kld
+}
+
+
+#
+# System Administration Programs
+#
+
+(
+ rulename = "System Administration Programs",
+ severity = $(SIG_HI)
+)
+{
+ /sbin -> $(SEC_CRIT) (recurse = true) ;
+ /usr/sbin -> $(SEC_CRIT) (recurse = true) ;
+}
+
+
+#
+# User Utilities
+#
+
+(
+ rulename = "User Utilities",
+ severity = $(SIG_HI)
+)
+{
+ /bin -> $(SEC_CRIT) (recurse = true) ;
+ /usr/bin -> $(SEC_CRIT) (recurse = true) ;
+}
+
+
+#
+# /dev
+#
+
+(
+ rulename = "/dev",
+ severity = $(SIG_HI)
+)
+{
+ /dev -> $(Device) (recurse = true) ;
+ !/dev/vga ;
+ !/dev/dri ;
+ /dev/console -> $(SEC_TTY) ;
+ /dev/ttyv0 -> $(SEC_TTY) ;
+ /dev/ttyv1 -> $(SEC_TTY) ;
+ /dev/ttyv2 -> $(SEC_TTY) ;
+ /dev/ttyv3 -> $(SEC_TTY) ;
+ /dev/ttyv4 -> $(SEC_TTY) ;
+ /dev/ttyv5 -> $(SEC_TTY) ;
+ /dev/ttyv6 -> $(SEC_TTY) ;
+ /dev/ttyv7 -> $(SEC_TTY) ;
+ /dev/ttyp0 -> $(SEC_TTY) ;
+ /dev/ttyp1 -> $(SEC_TTY) ;
+ /dev/ttyp2 -> $(SEC_TTY) ;
+ /dev/ttyp3 -> $(SEC_TTY) ;
+ /dev/ttyp4 -> $(SEC_TTY) ;
+ /dev/ttyp5 -> $(SEC_TTY) ;
+ /dev/ttyp6 -> $(SEC_TTY) ;
+ /dev/ttyp7 -> $(SEC_TTY) ;
+ /dev/ttyp8 -> $(SEC_TTY) ;
+ /dev/ttyp9 -> $(SEC_TTY) ;
+ /dev/ttypa -> $(SEC_TTY) ;
+ /dev/ttypb -> $(SEC_TTY) ;
+ /dev/ttypc -> $(SEC_TTY) ;
+ /dev/ttypd -> $(SEC_TTY) ;
+ /dev/ttype -> $(SEC_TTY) ;
+ /dev/ttypf -> $(SEC_TTY) ;
+ /dev/ttypg -> $(SEC_TTY) ;
+ /dev/ttyph -> $(SEC_TTY) ;
+ /dev/ttypi -> $(SEC_TTY) ;
+ /dev/ttypj -> $(SEC_TTY) ;
+ /dev/ttypl -> $(SEC_TTY) ;
+ /dev/ttypm -> $(SEC_TTY) ;
+ /dev/ttypn -> $(SEC_TTY) ;
+ /dev/ttypo -> $(SEC_TTY) ;
+ /dev/ttypp -> $(SEC_TTY) ;
+ /dev/ttypq -> $(SEC_TTY) ;
+ /dev/ttypr -> $(SEC_TTY) ;
+ /dev/ttyps -> $(SEC_TTY) ;
+ /dev/ttypt -> $(SEC_TTY) ;
+ /dev/ttypu -> $(SEC_TTY) ;
+ /dev/ttypv -> $(SEC_TTY) ;
+ /dev/cuaa0 -> $(SEC_TTY) ; # modem
+}
+
+
+#
+# /etc
+#
+
+(
+ rulename = "/etc",
+ severity = $(SIG_HI)
+)
+{
+ /etc -> $(SEC_CRIT) (recurse = true) ;
+ # /etc/mail/aliases -> $(SEC_CONFIG) ;
+ /etc/dumpdates -> $(SEC_CONFIG) ;
+ /etc/motd -> $(SEC_CONFIG) ;
+ !/etc/ppp/connect-errors ;
+ /etc/skeykeys -> $(SEC_CONFIG) ;
+ # Uncomment the following 4 lines if your password file does not change
+ # /etc/passwd -> $(SEC_CONFIG) ;
+ # /etc/master.passwd -> $(SEC_CONFIG) ;
+ # /etc/pwd.db -> $(SEC_CONFIG) ;
+ # /etc/spwd.db -> $(SEC_CONFIG) ;
+}
+
+
+#
+# Copatibility (Linux)
+#
+
+(
+ rulename = "Linux Compatibility",
+ severity = $(SIG_HI)
+)
+{
+ /compat -> $(SEC_CRIT) (recurse = true) ;
+#
+# Uncomment the following if Linux compatibility is used. Replace
+# HOSTNAME1 and HOSTNAME2 with the hosts that have Linux emulation port
+# installed.
+#
+#@@ifhost HOSTNAME1 || HOSTNAME2
+# /compat/linux/etc -> $(SEC_INVARIANT) (recurse = false) ;
+# /compat/linux/etc/X11 -> $(SEC_CONFIG) (recurse = true) ;
+# /compat/linux/etc/pam.d -> $(SEC_CONFIG) (recurse = true) ;
+# /compat/linux/etc/profile.d -> $(SEC_CONFIG) (recurse = true) ;
+# /compat/linux/etc/real -> $(SEC_CONFIG) (recurse = true) ;
+# /compat/linux/etc/bashrc -> $(SEC_CONFIG) ;
+# /compat/linux/etc/csh.login -> $(SEC_CONFIG) ;
+# /compat/linux/etc/host.conf -> $(SEC_CONFIG) ;
+# /compat/linux/etc/hosts.allow -> $(SEC_CONFIG) ;
+# /compat/linux/etc/hosts.deny -> $(SEC_CONFIG) ;
+# /compat/linux/etc/info-dir -> $(SEC_CONFIG) ;
+# /compat/linux/etc/inputrc -> $(SEC_CONFIG) ;
+# /compat/linux/etc/ld.so.conf -> $(SEC_CONFIG) ;
+# /compat/linux/etc/nsswitch.conf -> $(SEC_CONFIG) ;
+# /compat/linux/etc/profile -> $(SEC_CONFIG) ;
+# /compat/linux/etc/redhat-release -> $(SEC_CONFIG) ;
+# /compat/linux/etc/rpc -> $(SEC_CONFIG) ;
+# /compat/linux/etc/securetty -> $(SEC_CONFIG) ;
+# /compat/linux/etc/shells -> $(SEC_CONFIG) ;
+# /compat/linux/etc/termcap -> $(SEC_CONFIG) ;
+# /compat/linux/etc/yp.conf -> $(SEC_CONFIG) ;
+# !/compat/linux/etc/ld.so.cache ;
+# !/compat/linux/var/spool/mail ;
+#@@endif
+}
+
+
+#
+# Libraries, include files, and other system files
+#
+
+(
+ rulename = "Libraries, include files, and other system files",
+ severity = $(SIG_HI)
+)
+{
+ /usr/include -> $(SEC_CRIT) (recurse = true) ;
+ /usr/lib -> $(SEC_CRIT) (recurse = true) ;
+ /usr/libdata -> $(SEC_CRIT) (recurse = true) ;
+ /usr/libexec -> $(SEC_CRIT) (recurse = true) ;
+ /usr/share -> $(SEC_CRIT) (recurse = true) ;
+ /usr/share/man -> $(SEC_CONFIG) ;
+ !/usr/share/man/whatis ;
+ !/usr/share/man/.glimpse_filenames ;
+ !/usr/share/man/.glimpse_filenames_index ;
+ !/usr/share/man/.glimpse_filetimes ;
+ !/usr/share/man/.glimpse_filters ;
+ !/usr/share/man/.glimpse_index ;
+ !/usr/share/man/.glimpse_messages ;
+ !/usr/share/man/.glimpse_partitions ;
+ !/usr/share/man/.glimpse_statistics ;
+ !/usr/share/man/.glimpse_turbo ;
+ /usr/share/man/man1 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/share/man/man2 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/share/man/man3 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/share/man/man4 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/share/man/man5 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/share/man/man6 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/share/man/man7 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/share/man/man8 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/share/man/man9 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/share/man/mann -> $(SEC_CRIT) (recurse = true) ;
+ ! /usr/share/man/cat1 ;
+ ! /usr/share/man/cat2 ;
+ ! /usr/share/man/cat3 ;
+ ! /usr/share/man/cat4 ;
+ ! /usr/share/man/cat5 ;
+ ! /usr/share/man/cat6 ;
+ ! /usr/share/man/cat7 ;
+ ! /usr/share/man/cat8 ;
+ ! /usr/share/man/cat9 ;
+ ! /usr/share/man/catl ;
+ ! /usr/share/man/catn ;
+ /usr/share/perl/man -> $(SEC_CONFIG) ;
+ !/usr/share/perl/man/whatis ;
+ !/usr/share/perl/man/.glimpse_filenames ;
+ !/usr/share/perl/man/.glimpse_filenames_index ;
+ !/usr/share/perl/man/.glimpse_filetimes ;
+ !/usr/share/perl/man/.glimpse_filters ;
+ !/usr/share/perl/man/.glimpse_index ;
+ !/usr/share/perl/man/.glimpse_messages ;
+ !/usr/share/perl/man/.glimpse_partitions ;
+ !/usr/share/perl/man/.glimpse_statistics ;
+ !/usr/share/perl/man/.glimpse_turbo ;
+ /usr/share/perl/man/man3 -> $(SEC_CRIT) (recurse = true) ;
+ ! /usr/share/perl/man/cat3 ;
+ /usr/local/lib/perl5/5.00503/man -> $(SEC_CONFIG) ;
+ ! /usr/local/lib/perl5/5.00503/man/whatis ;
+ ! /usr/local/lib/perl5/5.00503/man/.glimpse_filters ;
+ ! /usr/local/lib/perl5/5.00503/man/.glimpse_filetimes ;
+ ! /usr/local/lib/perl5/5.00503/man/.glimpse_messages ;
+ ! /usr/local/lib/perl5/5.00503/man/.glimpse_statistics ;
+ ! /usr/local/lib/perl5/5.00503/man/.glimpse_index ;
+ ! /usr/local/lib/perl5/5.00503/man/.glimpse_turbo ;
+ ! /usr/local/lib/perl5/5.00503/man/.glimpse_partitions ;
+ ! /usr/local/lib/perl5/5.00503/man/.glimpse_filenames ;
+ ! /usr/local/lib/perl5/5.00503/man/.glimpse_filenames_index ;
+ /usr/local/lib/perl5/5.00503/man/man3 -> $(SEC_CRIT) (recurse = true) ;
+ ! /usr/local/lib/perl5/5.00503/man/cat3 ;
+}
+
+
+#
+# X11R6
+#
+
+(
+ rulename = "X11R6",
+ severity = $(SIG_HI)
+)
+{
+ /usr/X11R6 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/X11R6/lib/X11/xdm -> $(SEC_CONFIG) (recurse = true) ;
+ !/usr/X11R6/lib/X11/xdm/xdm-errors ;
+ !/usr/X11R6/lib/X11/xdm/authdir/authfiles ;
+ !/usr/X11R6/lib/X11/xdm/xdm-pid ;
+ /usr/X11R6/lib/X11/xkb/compiled -> $(SEC_CONFIG) (recurse = true) ;
+ /usr/X11R6/man -> $(SEC_CONFIG) ;
+ !/usr/X11R6/man/whatis ;
+ !/usr/X11R6/man/.glimpse_filenames ;
+ !/usr/X11R6/man/.glimpse_filenames_index ;
+ !/usr/X11R6/man/.glimpse_filetimes ;
+ !/usr/X11R6/man/.glimpse_filters ;
+ !/usr/X11R6/man/.glimpse_index ;
+ !/usr/X11R6/man/.glimpse_messages ;
+ !/usr/X11R6/man/.glimpse_partitions ;
+ !/usr/X11R6/man/.glimpse_statistics ;
+ !/usr/X11R6/man/.glimpse_turbo ;
+ /usr/X11R6/man/man1 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/X11R6/man/man2 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/X11R6/man/man3 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/X11R6/man/man4 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/X11R6/man/man5 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/X11R6/man/man6 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/X11R6/man/man7 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/X11R6/man/man8 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/X11R6/man/man9 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/X11R6/man/manl -> $(SEC_CRIT) (recurse = true) ;
+ /usr/X11R6/man/mann -> $(SEC_CRIT) (recurse = true) ;
+ ! /usr/X11R6/man/cat1 ;
+ ! /usr/X11R6/man/cat2 ;
+ ! /usr/X11R6/man/cat3 ;
+ ! /usr/X11R6/man/cat4 ;
+ ! /usr/X11R6/man/cat5 ;
+ ! /usr/X11R6/man/cat6 ;
+ ! /usr/X11R6/man/cat7 ;
+ ! /usr/X11R6/man/cat8 ;
+ ! /usr/X11R6/man/cat9 ;
+ ! /usr/X11R6/man/catl ;
+ ! /usr/X11R6/man/catn ;
+}
+
+
+#
+# sources
+#
+
+(
+ rulename = "Sources",
+ severity = $(SIG_HI)
+)
+{
+ /usr/src -> $(SEC_CRIT) (recurse = true) ;
+ /usr/src/sys/compile -> $(SEC_CONFIG) (recurse = false) ;
+}
+
+
+#
+# NIS
+#
+
+(
+ rulename = "NIS",
+ severity = $(SIG_HI)
+)
+{
+ /var/yp -> $(SEC_CRIT) (recurse = true) ;
+ !/var/yp/binding ;
+}
+
+
+#
+# Temporary directories
+#
+(
+ rulename = "Temporary directories",
+ recurse = false,
+ severity = $(SIG_LOW)
+)
+{
+ /usr/tmp -> $(SEC_INVARIANT) ;
+ /var/tmp -> $(SEC_INVARIANT) ;
+ /var/preserve -> $(SEC_INVARIANT) ;
+ /tmp -> $(SEC_INVARIANT) ;
+}
+
+#
+# Local files
+#
+
+(
+ rulename = "Local files",
+ severity = $(SIG_MED)
+)
+{
+ /usr/local/bin -> $(SEC_BIN) (recurse = true) ;
+ /usr/local/sbin -> $(SEC_BIN) (recurse = true) ;
+ /usr/local/etc -> $(SEC_BIN) (recurse = true) ;
+ /usr/local/lib -> $(SEC_BIN) (recurse = true ) ;
+ /usr/local/libexec -> $(SEC_BIN) (recurse = true ) ;
+ /usr/local/share -> $(SEC_BIN) (recurse = true ) ;
+ /usr/local/man -> $(SEC_CONFIG) ;
+ !/usr/local/man/whatis ;
+ !/usr/local/man/.glimpse_filenames ;
+ !/usr/local/man/.glimpse_filenames_index ;
+ !/usr/local/man/.glimpse_filetimes ;
+ !/usr/local/man/.glimpse_filters ;
+ !/usr/local/man/.glimpse_index ;
+ !/usr/local/man/.glimpse_messages ;
+ !/usr/local/man/.glimpse_partitions ;
+ !/usr/local/man/.glimpse_statistics ;
+ !/usr/local/man/.glimpse_turbo ;
+ /usr/local/man/man1 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/local/man/man2 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/local/man/man3 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/local/man/man4 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/local/man/man5 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/local/man/man6 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/local/man/man7 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/local/man/man8 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/local/man/man9 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/local/man/manl -> $(SEC_CRIT) (recurse = true) ;
+ /usr/local/man/mann -> $(SEC_CRIT) (recurse = true) ;
+ ! /usr/local/man/cat1 ;
+ ! /usr/local/man/cat2 ;
+ ! /usr/local/man/cat3 ;
+ ! /usr/local/man/cat4 ;
+ ! /usr/local/man/cat5 ;
+ ! /usr/local/man/cat6 ;
+ ! /usr/local/man/cat7 ;
+ ! /usr/local/man/cat8 ;
+ ! /usr/local/man/cat9 ;
+ ! /usr/local/man/catl ;
+ ! /usr/local/man/catn ;
+ /usr/local/krb5 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/local/krb5/man -> $(SEC_CONFIG) ;
+ !/usr/local/krb5/man/whatis ;
+ !/usr/local/krb5/man/.glimpse_filenames ;
+ !/usr/local/krb5/man/.glimpse_filenames_index ;
+ !/usr/local/krb5/man/.glimpse_filetimes ;
+ !/usr/local/krb5/man/.glimpse_filters ;
+ !/usr/local/krb5/man/.glimpse_index ;
+ !/usr/local/krb5/man/.glimpse_messages ;
+ !/usr/local/krb5/man/.glimpse_partitions ;
+ !/usr/local/krb5/man/.glimpse_statistics ;
+ !/usr/local/krb5/man/.glimpse_turbo ;
+ /usr/local/krb5/man/man1 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/local/krb5/man/man2 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/local/krb5/man/man3 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/local/krb5/man/man4 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/local/krb5/man/man5 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/local/krb5/man/man6 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/local/krb5/man/man7 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/local/krb5/man/man8 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/local/krb5/man/man9 -> $(SEC_CRIT) (recurse = true) ;
+ /usr/local/krb5/man/manl -> $(SEC_CRIT) (recurse = true) ;
+ /usr/local/krb5/man/mann -> $(SEC_CRIT) (recurse = true) ;
+ ! /usr/local/krb5/man/cat1 ;
+ ! /usr/local/krb5/man/cat2 ;
+ ! /usr/local/krb5/man/cat3 ;
+ ! /usr/local/krb5/man/cat4 ;
+ ! /usr/local/krb5/man/cat5 ;
+ ! /usr/local/krb5/man/cat6 ;
+ ! /usr/local/krb5/man/cat7 ;
+ ! /usr/local/krb5/man/cat8 ;
+ ! /usr/local/krb5/man/cat9 ;
+ ! /usr/local/krb5/man/catl ;
+ ! /usr/local/krb5/man/catn ;
+ /usr/local/www -> $(SEC_CONFIG) (recurse = true) ;
+}
+
+
+(
+ rulename = "Security Control",
+ severity = $(SIG_HI)
+)
+{
+ /etc/group -> $(SEC_CRIT) ;
+ /etc/crontab -> $(SEC_CRIT) ;
+}
+
+#=============================================================================
+#
+# Copyright 2000 Tripwire, Inc. Tripwire is a registered trademark of Tripwire,
+# Inc. in the United States and other countries. All rights reserved.
+#
+# FreeBSD is a registered trademark of the FreeBSD Project Inc.
+#
+# UNIX is a registered trademark of The Open Group.
+#
+#=============================================================================
+#
+# Permission is granted to make and distribute verbatim copies of this document
+# provided the copyright notice and this permission notice are preserved on all
+# copies.
+#
+# Permission is granted to copy and distribute modified versions of this
+# document under the conditions for verbatim copying, provided that the entire
+# resulting derived work is distributed under the terms of a permission notice
+# identical to this one.
+#
+# Permission is granted to copy and distribute translations of this document
+# into another language, under the above conditions for modified versions,
+# except that this permission notice may be stated in a translation approved by
+# Tripwire, Inc.
+#
+# DCM
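Review bot: The comment `# Uncomment the following 4 lines if your password file does not change` in the "/etc" rule appears to be inverted: `/etc` is already covered by `$(SEC_CRIT)` with recurse = true, and uncommenting those entries would attach `$(SEC_CONFIG)` (defined as `$(Dynamic)`), which loosens the check on `/etc/passwd`, `/etc/master.passwd` and the pwd.db files to ownership/permission attributes only. As far as I can tell from the variable definitions at the top of the file, the intent is the opposite, so the comment should read `# Uncomment the following 4 lines if your password file changes often; they relax the check to $(SEC_CONFIG)`. Relatedly, `/.rhosts` is commented out in "Root's home" while `/` is only listed with recurse = false in "Invariant Directories", so if I read the recurse semantics correctly an /.rhosts file that does exist is not monitored at all; a comment saying the entry is disabled only to avoid a missing-file error on database creation and should be enabled wherever the file exists would make that trade-off explicit. Minor: `subsiquent`, `likey`, `configuation` and `Copatibility` are misspelled in the header comments.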