From owner-freebsd-security@FreeBSD.ORG Tue Oct 11 14:33:38 2005
From: Vaida Bogdan <vaida.bogdan@gmail.com>
To: Bret Walker
Cc: freebsd-security@freebsd.org
Subject: Re: 5.X Tripwire Policy File
Date: Tue, 11 Oct 2005 14:33:37 +0000
Message-ID: <12848a3b0510110733y552771b4l5c332a59fd835ec3@mail.gmail.com>
In-Reply-To: <4339E416.8050300@northwestern.edu>
References: <4337A962.6020600@gmail.com> <4339E416.8050300@northwestern.edu>
List-Id: "Security issues [members-only posting]"

I would be interested in the answer too. An unofficial freebsd tripwire
file posted somewhere + a forum to discuss changes would also be
interesting.

On 9/28/05, Bret Walker wrote:
> Hello all.
>
> I am just setting up my first 5.X box, and I'm in the process of fine
> tuning my tripwire policy file.
>
> I am much more familiar with 4.X than I am with 5, so I'm worried that I
> may be missing a critical element of 5.X in my policy file. Cy (the
> tripwire port maintainer) updated the policy file to a certain extent,
> but I would appreciate it if those on the security list would provide
> some more feedback as to what should definitely be in a tripwire policy
> file for a 5.X box.
>
> I know most good sysadmins use tripwire, so I think it would be good to
> have a well thought out policy file for 5.X that others may use as well.
>
> I've attached mine to this message.
>
> Thanks,
> Bret
>
>
> #
> # Policy file for FreeBSD
> #
> # $FreeBSD: ports/security/tripwire/files/twpol.txt,v 1.3 2005/08/09 18:24:15 cy Exp $
>
>
> #
> # This is the example Tripwire Policy file.  It is intended as a place to
> # start creating your own custom Tripwire Policy file.  Referring to it as
> # well as the Tripwire Policy Guide should give you enough information to
> # make a good custom Tripwire Policy file that better covers your
> # configuration and security needs.  A text version of this policy file is
> # called twpol.txt.
> #
> # Note that this file is tuned to an install of FreeBSD using
> # buildworld.  If run unmodified, this file should create no errors on
> # database creation, or violations on a subsequent integrity check.
> # However it is impossible for there to be one policy file for all machines,
> # so this existing one errs on the side of security.  Your FreeBSD
> # configuration will most likely differ from the one our policy file was
> # tuned to, and will therefore require some editing of the default
> # Tripwire Policy file.
> #
> # The example policy file is best run with 'Loose Directory Checking'
> # enabled.  Set LOOSEDIRECTORYCHECKING=TRUE in the Tripwire Configuration
> # file.
> #
> # Email support is not included and must be added to this file.
> # Add the 'emailto=' to the rule directive section of each rule (add a comma
> # after the 'severity=' line and add an 'emailto=' and include the email
> # addresses you want the violation reports to go to).  Addresses are
> # semi-colon delimited.
> #
>
>
>
> #
> # Global Variable Definitions
> #
> # These are defined at install time by the installation script.  You may
> # manually edit these if you are using this file directly and not from the
> # installation script itself.
> #
>
> @@section GLOBAL
> TWDOCS="/usr/local/share/doc/tripwire";
> TWBIN="/usr/local/sbin";
> TWPOL="/usr/local/etc/tripwire";
> TWDB="/var/db/tripwire";
> TWSKEY="/usr/local/etc/tripwire";
> TWLKEY="/usr/local/etc/tripwire";
> TWREPORT="/var/db/tripwire/report";
> HOSTNAME=speedy.medill.northwestern.edu;
>
> @@section FS
> SEC_CRIT      = $(IgnoreNone)-SHa ;  # Critical files that cannot change
> SEC_SUID      = $(IgnoreNone)-SHa ;  # Binaries with the SUID or SGID flags set
> SEC_BIN       = $(ReadOnly) ;        # Binaries that should not change
> SEC_CONFIG    = $(Dynamic) ;         # Config files that are changed infrequently but accessed often
> SEC_TTY       = $(Dynamic)-ugp ;     # Tty files that change ownership at login
> SEC_LOG       = $(Growing) ;         # Files that grow, but that should never change ownership
> SEC_INVARIANT = +tpug ;              # Directories that should never change permission or ownership
> SIG_LOW       = 33 ;                 # Non-critical files that are of minimal security impact
> SIG_MED       = 66 ;                 # Non-critical files that are of significant security impact
> SIG_HI        = 100 ;                # Critical files that are significant points of vulnerability
>
>
> # Tripwire Binaries
> (
>   rulename = "Tripwire Binaries",
>   severity = $(SIG_HI)
> )
> {
>   $(TWBIN)/siggen                      -> $(SEC_BIN) ;
>   $(TWBIN)/tripwire                    -> $(SEC_BIN) ;
>   $(TWBIN)/twadmin                     -> $(SEC_BIN) ;
>   $(TWBIN)/twprint                     -> $(SEC_BIN) ;
> }
>
> # Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases
> (
>   rulename = "Tripwire Data Files",
>   severity = $(SIG_HI)
> )
> {
>   # NOTE: We remove the inode attribute because when Tripwire creates a backup,
>   # it does so by renaming the old file and creating a new one (which will
>   # have a new inode number).  Inode is left turned on for keys, which shouldn't
>   # ever change.
>
>   # NOTE: The first integrity check triggers this rule and each integrity check
>   # afterward triggers this rule until a database update is run, since the
>   # database file does not exist before that point.
>
>   $(TWDB)                              -> $(SEC_CONFIG) -i ;
>   $(TWPOL)/tw.pol                      -> $(SEC_BIN) -i ;
>   $(TWPOL)/tw.cfg                      -> $(SEC_BIN) -i ;
>   $(TWPOL)/twcfg.txt                   -> $(SEC_BIN) ;
>   $(TWPOL)/twpol.txt                   -> $(SEC_BIN) ;
>   $(TWLKEY)/$(HOSTNAME)-local.key      -> $(SEC_BIN) ;
>   $(TWSKEY)/site.key                   -> $(SEC_BIN) ;
>
>   # don't scan the individual reports
>   $(TWREPORT)                          -> $(SEC_CONFIG) (recurse=0) ;
> }
>
>
> # Tripwire HQ Connector Binaries
> #(
> #  rulename = "Tripwire HQ Connector Binaries",
> #  severity = $(SIG_HI)
> #)
> #{
> #  $(TWBIN)/hqagent                    -> $(SEC_BIN) ;
> #}
> #
> # Tripwire HQ Connector - Configuration Files, Keys, and Logs
>
> #
> # Note: File locations here are different than in a stock HQ Connector
> # installation.  This is because Tripwire 2.3 uses a different path
> # structure than Tripwire 2.2.1.
> #
> # You may need to update your HQ Agent configuration file (or this policy
> # file) to correct the paths.  We have attempted to support the FHS standard
> # here by placing the HQ Agent files similarly to the way Tripwire 2.3
> # places them.
> #
>
> #(
> #  rulename = "Tripwire HQ Connector Data Files",
> #  severity = $(SIG_HI)
> #)
> #{
> #
> #  # NOTE: Removing the inode attribute because when Tripwire creates a backup
> #  # it does so by renaming the old file and creating a new one (which will
> #  # have a new inode number).  Leaving inode turned on for keys, which
> #  # shouldn't ever change.
> #
> #
> #  $(TWBIN)/agent.cfg                  -> $(SEC_BIN) -i ;
> #  $(TWLKEY)/authentication.key        -> $(SEC_BIN) ;
> #  $(TWDB)/tasks.dat                   -> $(SEC_CONFIG) ;
> #  $(TWDB)/schedule.dat                -> $(SEC_CONFIG) ;
> #
> #  # Uncomment if you have agent logging enabled.
> #  #/var/log/tripwire/agent.log        -> $(SEC_LOG) ;
> #}
>
>
>
> # Commonly accessed directories that should remain static with regards to owner and group
> (
>   rulename = "Invariant Directories",
>   severity = $(SIG_MED)
> )
> {
>   /                                    -> $(SEC_INVARIANT) (recurse = false) ;
>   /home                                -> $(SEC_INVARIANT) (recurse = false) ;
> }
>
> #
> # First, root's "home"
> #
>
> (
>   rulename = "Root's home",
>   severity = $(SIG_HI)
> )
> {
>   # /.rhosts                           -> $(SEC_CRIT) ;
>   /.profile                            -> $(SEC_CRIT) ;
>   /.cshrc                              -> $(SEC_CRIT) ;
>   # /.login                            -> $(SEC_CRIT) ;
>   # /.exrc                             -> $(SEC_CRIT) ;
>   # /.logout                           -> $(SEC_CRIT) ;
>   # /.forward                          -> $(SEC_CRIT) ;
>   /root                                -> $(SEC_CRIT) (recurse = true) ;
>   !/root/.history ;
>   !/root/.bash_history ;
>   # !/root/.lsof_SYSTEM_NAME ;         # Uncomment if lsof is installed
> }
>
>
> #
> # FreeBSD Kernel
> #
>
> (
>   rulename = "FreeBSD Kernel",
>   severity = $(SIG_HI)
> )
> {
>   # /boot is used by FreeBSD 5.X+
>   /boot                                -> $(SEC_CRIT) ;
>   # /kernel is used by FreeBSD 4.X
>   # /kernel                            -> $(SEC_CRIT) ;
>   # /kernel.old                        -> $(SEC_CRIT) ;
>   # /kernel.GENERIC                    -> $(SEC_CRIT) ;
> }
>
>
> #
> # FreeBSD Modules
> #
>
> (
>   rulename = "FreeBSD Modules",
>   severity = $(SIG_HI)
> )
> {
>   # /modules is used by FreeBSD 4.X
>   # /modules                           -> $(SEC_CRIT) (recurse = true) ;
>   # /modules.old                       -> $(SEC_CRIT) (recurse = true) ;
>   # /lkm is used by FreeBSD 2.X and 3.X
>   # /lkm                               -> $(SEC_CRIT) (recurse = true) ;  # uncomment if using lkm kld
> }
>
>
> #
> # System Administration Programs
> #
>
> (
>   rulename = "System Administration Programs",
>   severity = $(SIG_HI)
> )
> {
>   /sbin                                -> $(SEC_CRIT) (recurse = true) ;
>   /usr/sbin                            -> $(SEC_CRIT) (recurse = true) ;
> }
>
>
> #
> # User Utilities
> #
>
> (
>   rulename = "User Utilities",
>   severity = $(SIG_HI)
> )
> {
>   /bin                                 -> $(SEC_CRIT) (recurse = true) ;
>   /usr/bin                             -> $(SEC_CRIT) (recurse = true) ;
> }
>
>
> #
> # /dev
> #
>
> (
>   rulename = "/dev",
>   severity = $(SIG_HI)
> )
> {
>   # XXX Do we really need to verify the integrity of /dev on 5.X?
>   # /dev                               -> $(Device) (recurse = true) ;
>   # !/dev/vga ;
>   # !/dev/dri ;
>   # /dev/console                       -> $(SEC_TTY) ;
>   # /dev/ttyv0                         -> $(SEC_TTY) ;
>   # /dev/ttyv1                         -> $(SEC_TTY) ;
>   # /dev/ttyv2                         -> $(SEC_TTY) ;
>   # /dev/ttyv3                         -> $(SEC_TTY) ;
>   # /dev/ttyv4                         -> $(SEC_TTY) ;
>   # /dev/ttyv5                         -> $(SEC_TTY) ;
>   # /dev/ttyv6                         -> $(SEC_TTY) ;
>   # /dev/ttyv7                         -> $(SEC_TTY) ;
>   # /dev/ttyp0                         -> $(SEC_TTY) ;
>   # /dev/ttyp1                         -> $(SEC_TTY) ;
>   # /dev/ttyp2                         -> $(SEC_TTY) ;
>   # /dev/ttyp3                         -> $(SEC_TTY) ;
>   # /dev/ttyp4                         -> $(SEC_TTY) ;
>   # /dev/ttyp5                         -> $(SEC_TTY) ;
>   # /dev/ttyp6                         -> $(SEC_TTY) ;
>   # /dev/ttyp7                         -> $(SEC_TTY) ;
>   # /dev/ttyp8                         -> $(SEC_TTY) ;
>   # /dev/ttyp9                         -> $(SEC_TTY) ;
>   # /dev/ttypa                         -> $(SEC_TTY) ;
>   # /dev/ttypb                         -> $(SEC_TTY) ;
>   # /dev/ttypc                         -> $(SEC_TTY) ;
>   # /dev/ttypd                         -> $(SEC_TTY) ;
>   # /dev/ttype                         -> $(SEC_TTY) ;
>   # /dev/ttypf                         -> $(SEC_TTY) ;
>   # /dev/ttypg                         -> $(SEC_TTY) ;
>   # /dev/ttyph                         -> $(SEC_TTY) ;
>   # /dev/ttypi                         -> $(SEC_TTY) ;
>   # /dev/ttypj                         -> $(SEC_TTY) ;
>   # /dev/ttypl                         -> $(SEC_TTY) ;
>   # /dev/ttypm                         -> $(SEC_TTY) ;
>   # /dev/ttypn                         -> $(SEC_TTY) ;
>   # /dev/ttypo                         -> $(SEC_TTY) ;
>   # /dev/ttypp                         -> $(SEC_TTY) ;
>   # /dev/ttypq                         -> $(SEC_TTY) ;
>   # /dev/ttypr                         -> $(SEC_TTY) ;
>   # /dev/ttyps                         -> $(SEC_TTY) ;
>   # /dev/ttypt                         -> $(SEC_TTY) ;
>   # /dev/ttypu                         -> $(SEC_TTY) ;
>   # /dev/ttypv                         -> $(SEC_TTY) ;
>   # /dev/cuaa0                         -> $(SEC_TTY) ;  # modem
> }
>
>
> #
> # /etc
> #
>
> (
>   rulename = "/etc",
>   severity = $(SIG_HI)
> )
> {
>   /etc                                 -> $(SEC_CRIT) (recurse = true) ;
>   # /etc/mail/aliases                  -> $(SEC_CONFIG) ;
>   /etc/dumpdates                       -> $(SEC_CONFIG) ;
>   /etc/motd                            -> $(SEC_CONFIG) ;
>   !/etc/ppp/connect-errors ;
>   # /etc/skeykeys                      -> $(SEC_CONFIG) ;
>   # Uncomment the following 4 lines if your password file does not change
>   # /etc/passwd                        -> $(SEC_CONFIG) ;
>   # /etc/master.passwd                 -> $(SEC_CONFIG) ;
>   # /etc/pwd.db                        -> $(SEC_CONFIG) ;
>   # /etc/spwd.db                       -> $(SEC_CONFIG) ;
> }
>
>
> #
> # Compatibility (Linux)
> #
>
> (
>   rulename = "Linux Compatibility",
>   severity = $(SIG_HI)
> )
> {
>   /compat                              -> $(SEC_CRIT) (recurse = true) ;
>   #
>   # Uncomment the following if Linux compatibility is used.  Replace
>   # HOSTNAME1 and HOSTNAME2 with the hosts that have Linux emulation port
>   # installed.
>   #
>   #@@ifhost HOSTNAME1 || HOSTNAME2
>   # /compat/linux/etc                  -> $(SEC_INVARIANT) (recurse = false) ;
>   # /compat/linux/etc/X11              -> $(SEC_CONFIG) (recurse = true) ;
>   # /compat/linux/etc/pam.d            -> $(SEC_CONFIG) (recurse = true) ;
>   # /compat/linux/etc/profile.d        -> $(SEC_CONFIG) (recurse = true) ;
>   # /compat/linux/etc/real             -> $(SEC_CONFIG) (recurse = true) ;
>   # /compat/linux/etc/bashrc           -> $(SEC_CONFIG) ;
>   # /compat/linux/etc/csh.login        -> $(SEC_CONFIG) ;
>   # /compat/linux/etc/host.conf        -> $(SEC_CONFIG) ;
>   # /compat/linux/etc/hosts.allow      -> $(SEC_CONFIG) ;
>   # /compat/linux/etc/hosts.deny       -> $(SEC_CONFIG) ;
>   # /compat/linux/etc/info-dir         -> $(SEC_CONFIG) ;
>   # /compat/linux/etc/inputrc          -> $(SEC_CONFIG) ;
>   # /compat/linux/etc/ld.so.conf       -> $(SEC_CONFIG) ;
>   # /compat/linux/etc/nsswitch.conf    -> $(SEC_CONFIG) ;
>   # /compat/linux/etc/profile          -> $(SEC_CONFIG) ;
>   # /compat/linux/etc/redhat-release   -> $(SEC_CONFIG) ;
>   # /compat/linux/etc/rpc              -> $(SEC_CONFIG) ;
>   # /compat/linux/etc/securetty        -> $(SEC_CONFIG) ;
>   # /compat/linux/etc/shells           -> $(SEC_CONFIG) ;
>   # /compat/linux/etc/termcap          -> $(SEC_CONFIG) ;
>   # /compat/linux/etc/yp.conf          -> $(SEC_CONFIG) ;
>   # !/compat/linux/etc/ld.so.cache ;
>   # !/compat/linux/var/spool/mail ;
>   #@@endif
> }
>
>
> #
> # Libraries, include files, and other system files
> #
>
> (
>   rulename = "Libraries, include files, and other system files",
>   severity = $(SIG_HI)
> )
> {
>   /usr/include                         -> $(SEC_CRIT) (recurse = true) ;
>   /usr/lib                             -> $(SEC_CRIT) (recurse = true) ;
>   /usr/libdata                         -> $(SEC_CRIT) (recurse = true) ;
>   /usr/libexec                         -> $(SEC_CRIT) (recurse = true) ;
>   /usr/share                           -> $(SEC_CRIT) (recurse = true) ;
>   /usr/share/man                       -> $(SEC_CONFIG) ;
>   !/usr/share/man/whatis ;
>   !/usr/share/man/.glimpse_filenames ;
>   !/usr/share/man/.glimpse_filenames_index ;
>   !/usr/share/man/.glimpse_filetimes ;
>   !/usr/share/man/.glimpse_filters ;
>   !/usr/share/man/.glimpse_index ;
>   !/usr/share/man/.glimpse_messages ;
>   !/usr/share/man/.glimpse_partitions ;
>   !/usr/share/man/.glimpse_statistics ;
>   !/usr/share/man/.glimpse_turbo ;
>   /usr/share/man/man1                  -> $(SEC_CRIT) (recurse = true) ;
>   /usr/share/man/man2                  -> $(SEC_CRIT) (recurse = true) ;
>   /usr/share/man/man3                  -> $(SEC_CRIT) (recurse = true) ;
>   /usr/share/man/man4                  -> $(SEC_CRIT) (recurse = true) ;
>   /usr/share/man/man5                  -> $(SEC_CRIT) (recurse = true) ;
>   /usr/share/man/man6                  -> $(SEC_CRIT) (recurse = true) ;
>   /usr/share/man/man7                  -> $(SEC_CRIT) (recurse = true) ;
>   /usr/share/man/man8                  -> $(SEC_CRIT) (recurse = true) ;
>   /usr/share/man/man9                  -> $(SEC_CRIT) (recurse = true) ;
>   # /usr/share/man/mann                -> $(SEC_CRIT) (recurse = true) ;
>   ! /usr/share/man/cat1 ;
>   ! /usr/share/man/cat2 ;
>   ! /usr/share/man/cat3 ;
>   ! /usr/share/man/cat4 ;
>   ! /usr/share/man/cat5 ;
>   ! /usr/share/man/cat6 ;
>   ! /usr/share/man/cat7 ;
>   ! /usr/share/man/cat8 ;
>   ! /usr/share/man/cat9 ;
>   ! /usr/share/man/catl ;
>   ! /usr/share/man/catn ;
>   # /usr/share/perl/man                -> $(SEC_CONFIG) ;
>   !/usr/share/perl/man/whatis ;
>   !/usr/share/perl/man/.glimpse_filenames ;
>   !/usr/share/perl/man/.glimpse_filenames_index ;
>   !/usr/share/perl/man/.glimpse_filetimes ;
>   !/usr/share/perl/man/.glimpse_filters ;
>   !/usr/share/perl/man/.glimpse_index ;
>   !/usr/share/perl/man/.glimpse_messages ;
>   !/usr/share/perl/man/.glimpse_partitions ;
>   !/usr/share/perl/man/.glimpse_statistics ;
>   !/usr/share/perl/man/.glimpse_turbo ;
>   # /usr/share/perl/man/man3           -> $(SEC_CRIT) (recurse = true) ;
>   ! /usr/share/perl/man/cat3 ;
>   # /usr/local/lib/perl5/5.00503/man   -> $(SEC_CONFIG) ;
>   ! /usr/local/lib/perl5/5.00503/man/whatis ;
>   ! /usr/local/lib/perl5/5.00503/man/.glimpse_filters ;
>   ! /usr/local/lib/perl5/5.00503/man/.glimpse_filetimes ;
>   ! /usr/local/lib/perl5/5.00503/man/.glimpse_messages ;
>   ! /usr/local/lib/perl5/5.00503/man/.glimpse_statistics ;
>   ! /usr/local/lib/perl5/5.00503/man/.glimpse_index ;
>   ! /usr/local/lib/perl5/5.00503/man/.glimpse_turbo ;
>   ! /usr/local/lib/perl5/5.00503/man/.glimpse_partitions ;
>   ! /usr/local/lib/perl5/5.00503/man/.glimpse_filenames ;
>   ! /usr/local/lib/perl5/5.00503/man/.glimpse_filenames_index ;
>   # /usr/local/lib/perl5/5.00503/man/man3 -> $(SEC_CRIT) (recurse = true) ;
>   ! /usr/local/lib/perl5/5.00503/man/cat3 ;
> }
>
>
> #
> # X11R6
> #
>
> (
>   rulename = "X11R6",
>   severity = $(SIG_HI)
> )
> {
>   /usr/X11R6                           -> $(SEC_CRIT) (recurse = true) ;
>   # /usr/X11R6/lib/X11/xdm             -> $(SEC_CONFIG) (recurse = true) ;
>   !/usr/X11R6/lib/X11/xdm/xdm-errors ;
>   !/usr/X11R6/lib/X11/xdm/authdir/authfiles ;
>   !/usr/X11R6/lib/X11/xdm/xdm-pid ;
>   # /usr/X11R6/lib/X11/xkb/compiled    -> $(SEC_CONFIG) (recurse = true) ;
>   /usr/X11R6/man                       -> $(SEC_CONFIG) ;
>   !/usr/X11R6/man/whatis ;
>   !/usr/X11R6/man/.glimpse_filenames ;
>   !/usr/X11R6/man/.glimpse_filenames_index ;
>   !/usr/X11R6/man/.glimpse_filetimes ;
>   !/usr/X11R6/man/.glimpse_filters ;
>   !/usr/X11R6/man/.glimpse_index ;
>   !/usr/X11R6/man/.glimpse_messages ;
>   !/usr/X11R6/man/.glimpse_partitions ;
>   !/usr/X11R6/man/.glimpse_statistics ;
>   !/usr/X11R6/man/.glimpse_turbo ;
>   /usr/X11R6/man/man1                  -> $(SEC_CRIT) (recurse = true) ;
>   /usr/X11R6/man/man2                  -> $(SEC_CRIT) (recurse = true) ;
>   /usr/X11R6/man/man3                  -> $(SEC_CRIT) (recurse = true) ;
>   /usr/X11R6/man/man4                  -> $(SEC_CRIT) (recurse = true) ;
>   /usr/X11R6/man/man5                  -> $(SEC_CRIT) (recurse = true) ;
>   /usr/X11R6/man/man6                  -> $(SEC_CRIT) (recurse = true) ;
>   /usr/X11R6/man/man7                  -> $(SEC_CRIT) (recurse = true) ;
>   /usr/X11R6/man/man8                  -> $(SEC_CRIT) (recurse = true) ;
>   /usr/X11R6/man/man9                  -> $(SEC_CRIT) (recurse = true) ;
>   /usr/X11R6/man/manl                  -> $(SEC_CRIT) (recurse = true) ;
>   /usr/X11R6/man/mann                  -> $(SEC_CRIT) (recurse = true) ;
>   ! /usr/X11R6/man/cat1 ;
>   ! /usr/X11R6/man/cat2 ;
>   ! /usr/X11R6/man/cat3 ;
>   ! /usr/X11R6/man/cat4 ;
>   ! /usr/X11R6/man/cat5 ;
>   ! /usr/X11R6/man/cat6 ;
>   ! /usr/X11R6/man/cat7 ;
>   ! /usr/X11R6/man/cat8 ;
>   ! /usr/X11R6/man/cat9 ;
>   ! /usr/X11R6/man/catl ;
>   ! /usr/X11R6/man/catn ;
> }
>
>
> #
> # sources
> #
>
> (
>   rulename = "Sources",
>   severity = $(SIG_HI)
> )
> {
>   /usr/src                             -> $(SEC_CRIT) (recurse = true) ;
>   # /usr/src/sys/compile               -> $(SEC_CONFIG) (recurse = false) ;
> }
>
>
> #
> # NIS
> #
>
> (
>   rulename = "NIS",
>   severity = $(SIG_HI)
> )
> {
>   /var/yp                              -> $(SEC_CRIT) (recurse = true) ;
>   !/var/yp/binding ;
> }
>
>
> #
> # Temporary directories
> #
> (
>   rulename = "Temporary directories",
>   recurse = false,
>   severity = $(SIG_LOW)
> )
> {
>   # /usr/tmp                           -> $(SEC_INVARIANT) ;
>   /var/tmp                             -> $(SEC_INVARIANT) ;
>   /var/preserve                        -> $(SEC_INVARIANT) ;
>   /tmp                                 -> $(SEC_INVARIANT) ;
> }
>
> #
> # Local files
> #
>
> (
>   rulename = "Local files",
>   severity = $(SIG_MED)
> )
> {
>   /usr/local/bin                       -> $(SEC_BIN) (recurse = true) ;
>   /usr/local/sbin                      -> $(SEC_BIN) (recurse = true) ;
>   /usr/local/etc                       -> $(SEC_BIN) (recurse = true) ;
>   /usr/local/lib                       -> $(SEC_BIN) (recurse = true) ;
>   /usr/local/libexec                   -> $(SEC_BIN) (recurse = true) ;
>   /usr/local/share                     -> $(SEC_BIN) (recurse = true) ;
>   /usr/local/man                       -> $(SEC_CONFIG) ;
>   !/usr/local/man/whatis ;
>   !/usr/local/man/.glimpse_filenames ;
>   !/usr/local/man/.glimpse_filenames_index ;
>   !/usr/local/man/.glimpse_filetimes ;
>   !/usr/local/man/.glimpse_filters ;
>   !/usr/local/man/.glimpse_index ;
>   !/usr/local/man/.glimpse_messages ;
>   !/usr/local/man/.glimpse_partitions ;
>   !/usr/local/man/.glimpse_statistics ;
>   !/usr/local/man/.glimpse_turbo ;
>   /usr/local/man/man1                  -> $(SEC_CRIT) (recurse = true) ;
>   /usr/local/man/man2                  -> $(SEC_CRIT) (recurse = true) ;
>   /usr/local/man/man3                  -> $(SEC_CRIT) (recurse = true) ;
>   /usr/local/man/man4                  -> $(SEC_CRIT) (recurse = true) ;
>   /usr/local/man/man5                  -> $(SEC_CRIT) (recurse = true) ;
>   /usr/local/man/man6                  -> $(SEC_CRIT) (recurse = true) ;
>   /usr/local/man/man7                  -> $(SEC_CRIT) (recurse = true) ;
>   /usr/local/man/man8                  -> $(SEC_CRIT) (recurse = true) ;
>   /usr/local/man/man9                  -> $(SEC_CRIT) (recurse = true) ;
>   /usr/local/man/manl                  -> $(SEC_CRIT) (recurse = true) ;
>   /usr/local/man/mann                  -> $(SEC_CRIT) (recurse = true) ;
>   ! /usr/local/man/cat1 ;
>   ! /usr/local/man/cat2 ;
>   ! /usr/local/man/cat3 ;
>   ! /usr/local/man/cat4 ;
>   ! /usr/local/man/cat5 ;
>   ! /usr/local/man/cat6 ;
>   ! /usr/local/man/cat7 ;
>   ! /usr/local/man/cat8 ;
>   ! /usr/local/man/cat9 ;
>   ! /usr/local/man/catl ;
>   ! /usr/local/man/catn ;
>   # /usr/local/krb5                    -> $(SEC_CRIT) (recurse = true) ;
>   # /usr/local/krb5/man                -> $(SEC_CONFIG) ;
>   !/usr/local/krb5/man/whatis ;
>   !/usr/local/krb5/man/.glimpse_filenames ;
>   !/usr/local/krb5/man/.glimpse_filenames_index ;
>   !/usr/local/krb5/man/.glimpse_filetimes ;
>   !/usr/local/krb5/man/.glimpse_filters ;
>   !/usr/local/krb5/man/.glimpse_index ;
>   !/usr/local/krb5/man/.glimpse_messages ;
>   !/usr/local/krb5/man/.glimpse_partitions ;
>   !/usr/local/krb5/man/.glimpse_statistics ;
>   !/usr/local/krb5/man/.glimpse_turbo ;
>   # /usr/local/krb5/man/man1           -> $(SEC_CRIT) (recurse = true) ;
>   # /usr/local/krb5/man/man2           -> $(SEC_CRIT) (recurse = true) ;
>   # /usr/local/krb5/man/man3           -> $(SEC_CRIT) (recurse = true) ;
>   # /usr/local/krb5/man/man4           -> $(SEC_CRIT) (recurse = true) ;
>   # /usr/local/krb5/man/man5           -> $(SEC_CRIT) (recurse = true) ;
>   # /usr/local/krb5/man/man6           -> $(SEC_CRIT) (recurse = true) ;
>   # /usr/local/krb5/man/man7           -> $(SEC_CRIT) (recurse = true) ;
>   # /usr/local/krb5/man/man8           -> $(SEC_CRIT) (recurse = true) ;
>   # /usr/local/krb5/man/man9           -> $(SEC_CRIT) (recurse = true) ;
>   # /usr/local/krb5/man/manl           -> $(SEC_CRIT) (recurse = true) ;
>   # /usr/local/krb5/man/mann           -> $(SEC_CRIT) (recurse = true) ;
>   ! /usr/local/krb5/man/cat1 ;
>   ! /usr/local/krb5/man/cat2 ;
>   ! /usr/local/krb5/man/cat3 ;
>   ! /usr/local/krb5/man/cat4 ;
>   ! /usr/local/krb5/man/cat5 ;
>   ! /usr/local/krb5/man/cat6 ;
>   ! /usr/local/krb5/man/cat7 ;
>   ! /usr/local/krb5/man/cat8 ;
>   ! /usr/local/krb5/man/cat9 ;
>   ! /usr/local/krb5/man/catl ;
>   ! /usr/local/krb5/man/catn ;
>   /usr/local/www                       -> $(SEC_CONFIG) (recurse = true) ;
> }
>
>
> (
>   rulename = "Security Control",
>   severity = $(SIG_HI)
> )
> {
>   /etc/group                           -> $(SEC_CRIT) ;
>   /etc/crontab                         -> $(SEC_CRIT) ;
> }
>
> #=============================================================================
> #
> # Copyright 2000 Tripwire, Inc. Tripwire is a registered trademark of Tripwire,
> # Inc. in the United States and other countries. All rights reserved.
> #
> # FreeBSD is a registered trademark of the FreeBSD Project Inc.
> #
> # UNIX is a registered trademark of The Open Group.
> #
> #=============================================================================
> #
> # Permission is granted to make and distribute verbatim copies of this document
> # provided the copyright notice and this permission notice are preserved on all
> # copies.
> #
> # Permission is granted to copy and distribute modified versions of this
> # document under the conditions for verbatim copying, provided that the entire
> # resulting derived work is distributed under the terms of a permission notice
> # identical to this one.
> #
> # Permission is granted to copy and distribute translations of this document
> # into another language, under the above conditions for modified versions,
> # except that this permission notice may be stated in a translation approved by
> # Tripwire, Inc.
> #
> # DCM