
#
# Standard Debian Tripwire configuration
#
#
# This configuration covers the contents of all 'Essential: yes'
# packages along with any packages necessary for access to an internet
# or system availability, e.g. name services, mail services, PCMCIA
# support, RAID support, and backup/restore support.
#

#
# Global Variable Definitions
#
# These definitions override those in to configuration file.  Do not         
# change them unless you understand what you're doing.
#

@@section GLOBAL
TWBIN = /usr/sbin;
TWETC = /etc/tripwire;
TWVAR = /var/lib/tripwire;

#
# File System Definitions
#
@@section FS

#
# First, some variables to make configuration easier
#
SEC_CRIT      = $(IgnoreNone)-SHa ; # Critical files that cannot change

SEC_BIN       = $(ReadOnly) ;        # Binaries that should not change

SEC_CONFIG    = $(Dynamic) ;         # Config files that are changed
		        # infrequently but accessed
		        # often

SEC_LOG       = $(Growing) ;         # Files that grow, but that
			             # should never change ownership

SEC_INVARIANT = +tpug ;              # Directories that should never
		        # change permission or ownership

SIG_LOW       = 33 ;                 # Non-critical files that are of
				     # minimal security impact

SIG_MED       = 66 ;                 # Non-critical files that are of
				     # significant security impact

SIG_HI        = 100 ;                # Critical files that are
				     # significant points of
				     # vulnerability

#
# Tripwire Binaries
#
(
  rulename = "Tripwire Binaries",
  severity = $(SIG_HI)
)
{
	$(TWBIN)/siggen			-> $(SEC_BIN) ;
	$(TWBIN)/tripwire		-> $(SEC_BIN) ;
	$(TWBIN)/twadmin		-> $(SEC_BIN) ;
	$(TWBIN)/twprint		-> $(SEC_BIN) ;
}

#
# Tripwire Data Files - Configuration Files, Policy Files, Keys,
# Reports, Databases
#

# NOTE: We remove the inode attribute because when Tripwire creates a
# backup, it does so by renaming the old file and creating a new one
# (which will have a new inode number).  Inode is left turned on for
# keys, which shouldn't ever change.

# NOTE: The first integrity check triggers this rule and each
# integrity check afterward triggers this rule until a database update
# is run, since the database file does not exist before that point.
(
  rulename = "Tripwire Data Files",
  severity = $(SIG_HI)
)
{
	$(TWVAR)/$(HOSTNAME).twd	-> $(SEC_CONFIG) -i ;
	$(TWETC)/tw.pol			-> $(SEC_BIN) -i ;
	$(TWETC)/tw.cfg			-> $(SEC_BIN) -i ;
	$(TWETC)/$(HOSTNAME)-local.key	-> $(SEC_BIN) ;
	$(TWETC)/site.key		-> $(SEC_BIN) ;

	#don't scan the individual reports
	$(TWVAR)/report			-> $(SEC_CONFIG) (recurse=0) ;
}

#
# Critical System Boot Files
# These files are critical to a correct system boot.
#
(
  rulename = "Critical system boot files",
  severity = $(SIG_HI)
)
{
	/boot			-> $(SEC_CRIT) ;
	/lib/modules		-> $(SEC_CRIT) ;
}

(
  rulename = "Boot Scripts",
  severity = $(SIG_HI)
)
{
	/etc/init.d		-> $(SEC_BIN) ;
	/etc/rc.boot		-> $(SEC_BIN) ;
	/etc/rcS.d		-> $(SEC_BIN) ;
	/etc/rc0.d		-> $(SEC_BIN) ;
	/etc/rc1.d		-> $(SEC_BIN) ;
	/etc/rc2.d		-> $(SEC_BIN) ;
	/etc/rc3.d		-> $(SEC_BIN) ;
	/etc/rc4.d		-> $(SEC_BIN) ;
	/etc/rc5.d		-> $(SEC_BIN) ;
	/etc/rc6.d		-> $(SEC_BIN) ;
}


#
# Critical executables
#
(
  rulename = "Root file-system executables",
  severity = $(SIG_HI)
)
{
	/bin			-> $(SEC_BIN) ;
	/sbin			-> $(SEC_BIN) ;
}

#
# Critical Libraries
#
(
  rulename = "Root file-system libraries",
  severity = $(SIG_HI)
)
{
	/lib			-> $(SEC_BIN) ;
}


#
# Login and Privilege Raising Programs
#
(
  rulename = "Security Control",
  severity = $(SIG_MED)
)
{
	/etc/passwd		-> $(SEC_CONFIG) ;
	/etc/shadow		-> $(SEC_CONFIG) ;
}




#
# These files change every time the system boots
#
(
  rulename = "System boot changes",
  severity = $(SIG_HI)
)
{
	/var/lock		-> $(SEC_CONFIG) ;
	/var/run		-> $(SEC_CONFIG) ; # daemon PIDs
	/var/log		-> $(SEC_CONFIG) ;
}

# These files change the behavior of the root account
(
  rulename = "Root config files",
  severity = 100
)
{
	/root				-> $(SEC_CRIT) ; # Catch all additions to /root
	/root/mail			-> $(SEC_CONFIG) ;
	/root/Mail			-> $(SEC_CONFIG) ;
	/root/.xsession-errors		-> $(SEC_CONFIG) ;
	/root/.xauth			-> $(SEC_CONFIG) ;
	/root/.tcshrc			-> $(SEC_CONFIG) ;
	/root/.sawfish			-> $(SEC_CONFIG) ;
	/root/.pinerc			-> $(SEC_CONFIG) ;
	/root/.mc			-> $(SEC_CONFIG) ;
	/root/.gnome_private		-> $(SEC_CONFIG) ;
	/root/.gnome-desktop		-> $(SEC_CONFIG) ;
	/root/.gnome			-> $(SEC_CONFIG) ;
	/root/.esd_auth			-> $(SEC_CONFIG) ;
	/root/.elm			-> $(SEC_CONFIG) ;
	/root/.cshrc		        -> $(SEC_CONFIG) ;
	/root/.bashrc			-> $(SEC_CONFIG) ;
	/root/.bash_profile		-> $(SEC_CONFIG) ;
	/root/.bash_logout		-> $(SEC_CONFIG) ;
	/root/.bash_history		-> $(SEC_CONFIG) ;
	/root/.amandahosts		-> $(SEC_CONFIG) ;
	/root/.addressbook.lu		-> $(SEC_CONFIG) ;
	/root/.addressbook		-> $(SEC_CONFIG) ;
	/root/.Xresources		-> $(SEC_CONFIG) ;
	/root/.Xauthority		-> $(SEC_CONFIG) -i ; # Changes Inode number on login
	/root/.ICEauthority		    -> $(SEC_CONFIG) ;
}

#
# Critical devices
#
(
  rulename = "Devices & Kernel information",
  severity = $(SIG_HI),
)
{
	/dev		-> $(Device) ;
	/proc		-> $(Device) ;
}

#
# Other configuration files
#
(
  rulename = "Other configuration files",
  severity = $(SIG_MED)
)
{
	/etc		-> $(SEC_BIN) ;
}

#
# Binaries
#
(
  rulename = "Other binaries",
  severity = $(SIG_MED)
)
{
	/usr/local/sbin	-> $(SEC_BIN) ;
	/usr/local/bin	-> $(SEC_BIN) ;
	/usr/sbin	-> $(SEC_BIN) ;
	/usr/bin	-> $(SEC_BIN) ;
}

#
# Libraries
#
(
  rulename = "Other libraries",
  severity = $(SIG_MED)
)
{
	/usr/local/lib	-> $(SEC_BIN) ;
	/usr/lib	-> $(SEC_BIN) ;
}

#
# Commonly accessed directories that should remain static with regards
# to owner and group
#
(
  rulename = "Invariant Directories",
  severity = $(SIG_MED)
)
{
	/		-> $(SEC_INVARIANT) (recurse = 0) ;
	/home		-> $(SEC_INVARIANT) (recurse = 0) ;
	/tmp		-> $(SEC_INVARIANT) (recurse = 0) ;
	/usr		-> $(SEC_INVARIANT) (recurse = 0) ;
	/var		-> $(SEC_INVARIANT) (recurse = 0) ;
	/var/tmp	-> $(SEC_INVARIANT) (recurse = 0) ;
}

