The /usr/TSS/policy/twpol.txt
is the text policy file of Tripwire where you specify what files and directories, to check. Note that extensive testing and experience are necessary when editing this policy file
before you get a working file report. The following is a working example from where you can start your own customization.
You must modify the default policy file, or create your own. The policyguide.txt
file under /usr/TSS/policy
directory can help you. Open the policy
file twpol.txt
with a text editor, vi /usr/TSS/policy/twpol.txt
and change it to fit your needs:
@@section GLOBAL TWROOT="/usr"; TWBIN="/usr/bin"; TWPOL="/usr/TSS/policy"; TWDB="/usr/TSS/db"; TWSKEY="/usr/TSS/key"; TWLKEY="/usr/TSS/key"; TWREPORT="/usr/TSS/report"; HOSTNAME=deep.openna.com; @@section FS SEC_CRIT = $(IgnoreNone)-SHa; # Critical files - we can't afford to miss any changes. SEC_SUID = $(IgnoreNone)-SHa; # Binaries with the SUID or SGID flags set. SEC_TCB = $(ReadOnly); # Members of the Trusted Computing Base. SEC_BIN = $(ReadOnly); # Binaries that shouldn't change SEC_CONFIG = $(Dynamic); # Config files that are changed infrequently but accessed often. SEC_LOG = $(Growing); # Files that grow, but that should never change ownership. SEC_INVARIANT = +pug; # Directories that should never change permission or ownership. SIG_LOW = 33; # Non-critical files that are of minimal security impact SIG_MED = 66; # Non-critical files that are of significant security impact SIG_HI = 100; # Critical files that are significant points of vulnerability # Tripwire Binaries (emailto = admin@openna.com, rulename = "Tripwire Binaries", severity = $(SIG_HI)) { $(TWBIN)/siggen -> $(ReadOnly); $(TWBIN)/tripwire -> $(ReadOnly); $(TWBIN)/twadmin -> $(ReadOnly); $(TWBIN)/twprint -> $(ReadOnly); } # Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases (emailto = admin@openna.com, rulename = "Tripwire Data Files", severity = $(SIG_HI)) { # NOTE: Removing the inode attribute because when Tripwire creates a backup # it does so by renaming the old file and creating a new one (which will # have a new inode number). Leaving inode turned on for keys, which shouldn't # ever change. # NOTE: this rule will trigger on the first integrity check after database # initialization, and each integrity check afterward until a database update # is run, since the database file will not exist before that point. $(TWDB) -> $(Dynamic) -i; $(TWPOL)/tw.pol -> $(SEC_BIN) -i; $(TWBIN)/tw.cfg -> $(SEC_BIN) -i; $(TWLKEY)/$(HOSTNAME)-local.key -> $(SEC_BIN) ; $(TWSKEY)/site.key -> $(SEC_BIN) ; #don't scan the individual reports $(TWREPORT) -> $(Dynamic) (recurse=0); } # These files are critical to a correct system boot. (emailto = admin@openna.com, rulename = "Critical system boot files", severity = 100) { /boot -> $(SEC_CRIT) ; !/boot/System.map ; !/boot/module-info ; } # These files change the behavior of the root account (emailto = admin@openna.com, rulename = "Root config files", severity = 100) { /root -> $(SEC_CRIT) ; /root/.bash_history -> $(SEC_LOG) ; } # Commonly accessed directories that should remain static with regards to owner and group (emailto = admin@openna.com, rulename = "Invariant Directories", severity = $(SIG_MED)) { / -> $(SEC_INVARIANT) (recurse = 0); /home -> $(SEC_INVARIANT) (recurse = 0); /etc -> $(SEC_INVARIANT) (recurse = 0); /chroot -> $(SEC_INVARIANT) (recurse = 0); /cache -> $(SEC_INVARIANT) (recurse = 0); } (emailto = admin@openna.com, rulename = "Shell Binaries") { /bin/bsh -> $(SEC_BIN); /bin/csh -> $(SEC_BIN); /bin/sh -> $(SEC_BIN); } # Rest of critical system binaries (emailto = admin@openna.com, rulename = "OS executables and libraries", severity = $(SIG_HI)) { /bin -> $(ReadOnly) ; /lib -> $(ReadOnly) ; } # Local files (emailto = admin@openna.com, rulename = "User binaries", severity = $(SIG_MED)) { /sbin -> $(SEC_BIN) (recurse = 1); /usr/sbin -> $(SEC_BIN) (recurse = 1); /usr/bin -> $(SEC_BIN) (recurse = 1); } # Temporary directories (emailto = admin@openna.com, rulename = "Temporary directories", recurse = false, severity = $(SIG_LOW)) { /usr/tmp -> $(SEC_INVARIANT); /var/tmp -> $(SEC_INVARIANT); /tmp -> $(SEC_INVARIANT); } # Libraries (emailto = admin@openna.com, rulename = "Libraries", severity = $(SIG_MED)) { /usr/lib -> $(SEC_BIN); } # Include (emailto = admin@openna.com, rulename = "OS Development Files", severity = $(SIG_MED)) { /usr/include -> $(SEC_BIN); } # Shared (emailto = admin@openna.com, rulename = "OS Shared Files", severity = $(SIG_MED)) { /usr/share -> $(SEC_BIN); } # Kernel headers files (emailto = admin@openna.com, rulename = "Kernel Headers Files", severity = $( SIG_HI)) { /usr/src/linux-2.2.14 -> $(SEC_BIN); } # setuid/setgid root programs (emailto = admin@openna.com, rulename = "setuid/setgid", severity = $(SIG_HI)) { /bin/su -> $(SEC_SUID); /sbin/pwdb_chkpwd -> $(SEC_SUID); /sbin/dump -> $(SEC_SUID); /sbin/restore -> $(SEC_SUID); /usr/bin/at -> $(SEC_SUID); /usr/bin/passwd -> $(SEC_SUID); /usr/bin/suidperl -> $(SEC_SUID); /usr/bin/crontab -> $(SEC_SUID); /usr/sbin/sendmail -> $(SEC_SUID); /usr/bin/man -> $(SEC_SUID); /usr/bin/sperl5.00503 -> $(SEC_SUID); /usr/bin/slocate -> $(SEC_SUID); /usr/sbin/utempter -> $(SEC_SUID); /sbin/netreport -> $(SEC_SUID); } (emailto = admin@openna.com, rulename = "Configuration Files") { /etc/hosts -> $(SEC_CONFIG); /etc/inetd.conf -> $(SEC_CONFIG); /etc/initlog.conf -> $(SEC_CONFIG); /etc/inittab -> $(SEC_CONFIG); /etc/resolv.conf -> $(SEC_CONFIG); /etc/syslog.conf -> $(SEC_CONFIG); } (emailto = admin@openna.com, rulename = "Security Control") { /etc/group -> $(SEC_CRIT); /etc/security/ -> $(SEC_CRIT); /lib/security/ -> $(SEC_CRIT); /var/spool/cron -> $(SEC_CRIT); } (emailto = admin@openna.com, rulename = "Login Scripts") { /etc/csh.login -> $(SEC_CONFIG); /etc/profile -> $(SEC_CONFIG); } # These files change every time the system boots (emailto = admin@openna.com, rulename = "System boot changes", severity = $(SIG_HI)) { /dev/log -> $(Dynamic) ; /dev/cua0 -> $(Dynamic) ; /dev/console -> $(Dynamic) ; /dev/tty2 -> $(Dynamic) ; # tty devices /dev/tty3 -> $(Dynamic) ; # are extremely /dev/tty4 -> $(Dynamic) ; # variable /dev/tty5 -> $(Dynamic) ; /dev/tty6 -> $(Dynamic) ; /dev/urandom -> $(Dynamic) ; /dev/initctl -> $(Dynamic) ; /var/lock/subsys -> $(Dynamic) ; /var/run -> $(Dynamic) ; # daemon PIDs /var/log -> $(Dynamic) ; /etc/ioctl.save -> $(Dynamic) ; /etc/.pwd.lock -> $(Dynamic) ; /etc/mtab -> $(Dynamic) ; /lib/modules -> $(Dynamic) ; } # Critical configuration files (emailto = admin@openna.com, rulename = "Critical configuration files", severity = $(SIG_HI)) { /etc/conf.modules -> $(ReadOnly) ; /etc/crontab -> $(ReadOnly) ; /etc/cron.hourly -> $(ReadOnly) ; /etc/cron.daily -> $(ReadOnly) ; /etc/cron.weekly -> $(ReadOnly) ; /etc/cron.monthly -> $(ReadOnly) ; /etc/default -> $(ReadOnly) ; /etc/fstab -> $(ReadOnly) ; /etc/group- -> $(ReadOnly) ; # changes should be infrequent /etc/host.conf -> $(ReadOnly) ; /etc/hosts.allow -> $(ReadOnly) ; /etc/hosts.deny -> $(ReadOnly) ; /etc/lilo.conf -> $(ReadOnly) ; /etc/logrotate.conf -> $(ReadOnly) ; /etc/pwdb.conf -> $(ReadOnly) ; /etc/securetty -> $(ReadOnly) ; /etc/sendmail.cf -> $(ReadOnly) ; /etc/protocols -> $(ReadOnly) ; /etc/services -> $(ReadOnly) ; /etc/rc.d/init.d -> $(ReadOnly) ; /etc/rc.d -> $(ReadOnly) ; /etc/motd -> $(ReadOnly) ; /etc/passwd -> $(ReadOnly) ; /etc/passwd- -> $(ReadOnly) ; /etc/profile.d -> $(ReadOnly) ; /etc/rpc -> $(ReadOnly) ; /etc/sysconfig -> $(ReadOnly) ; /etc/shells -> $(ReadOnly) ; /etc/nsswitch.conf -> $(ReadOnly) ; } # Critical devices (emailto = admin@openna.com, rulename = "Critical devices", severity = $(SIG_HI), recurse = false) { /dev/kmem -> $(Device) ; /dev/mem -> $(Device) ; /dev/null -> $(Device) ; /dev/zero -> $(Device) ; /proc/devices -> $(Device) ; /proc/net -> $(Device) ; /proc/tty -> $(Device) ; /proc/sys -> $(Device) ; /proc/cpuinfo -> $(Device) ; /proc/modules -> $(Device) ; /proc/mounts -> $(Device) ; /proc/dma -> $(Device) ; /proc/filesystems -> $(Device) ; /proc/ide -> $(Device) ; /proc/interrupts -> $(Device) ; /proc/ioports -> $(Device) ; /proc/scsi -> $(Device) ; /proc/kcore -> $(Device) ; /proc/self -> $(Device) ; /proc/kmsg -> $(Device) ; /proc/stat -> $(Device) ; /proc/ksyms -> $(Device) ; /proc/loadavg -> $(Device) ; /proc/uptime -> $(Device) ; /proc/locks -> $(Device) ; /proc/version -> $(Device) ; /proc/meminfo -> $(Device) ; /proc/cmdline -> $(Device) ; /proc/misc -> $(Device) ; }
This is an example policy file we provide you; of course, you must modify this file to fit your system files and specific needs.
Once you are ready to use your policy file for the first time, install it with the following command:
[root@deep] /#twadmin --create-polfile /usr/TSS/policy/twpol.txt
Please enter your site passphrase:
Wrote policy file: /usr/TSS/policy/tw.pol