## /secure/tripwire/tw.config.SunOS
##
## Tripwire config for testing integrity for firewall machines
##
## = Exclusive prune: Don't prune entry, but prune children
## ! Inclusive prune: prune subdirs & files also
################################################
# tripwire attributes:
#   - ignore the following attributes
#   + record and check the following attributes
#   p  permission and file mode bits
#   i  inode number
#   n  number of links (i.e., inode reference count)
#   u  user id of owner
#   g  group id of owner
#   s  size of file
#   a  access timestamp
#   m  modification timestamp
#   c  inode creation/modification timestamp
#   0  signature 0 - null signature
#   1  signature 1 - MD5, the RSA Data Security, Inc. Message Digesting Algorithm.
#   2  signature 2 - Snefru, the Xerox Secure Hash Function.
#   3  signature 3 - CRC-32, POSIX 1003.2 compliant 32-bit Cyclic Redundancy Check.
#   4  signature 4 - CRC-16, the standard (non-CCITT) 16-bit Cyclic Redundancy Check.
#   5  signature 5 - MD4, the RSA Data Security, Inc. Message Digesting Algorithm.
#   6  signature 6 - MD2, the RSA Data Security, Inc. Message Digesting Algorithm.
#   7  signature 7 - SHA, the NIST Secure Hash Algorithm (NIST FIPS 180)
#   8  signature 8 - Haval, a strong 128-bit signature algorithm
#
# The following templates have been pre-defined to make these
# long select-mask descriptions unnecessary.
#   R  [R]ead-only (+pinugsm12-ac3456789) (default)
#   L  [L]og file (+pinug-sacm123456789)
#   N  ignore [N]othing (+pinusgsamc123456789)
#   E  ignore [E]verything (-pinusgsamc123456789)
#   >  monotonically growing file (+pinug>-samc1233456789)
#
# Notes: Snefru (signature 2) is disabled with "-2" in most rules for speed.
# Since the R template enables only signatures 1 and 2, "R-2" leaves MD5 as
# the sole content signature.  If a second content check is ever wanted, add
# SHA (7) rather than one of the CRCs (3, 4), which are not collision resistant.
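# ##################################################################
# the kernel files
/kernel                         R-2
/ufsboot                        R-2
/etc/cron.d                     R-2cm   # change
# Pipes, pid files and state files that the running system rewrites.
# L keeps mode, owner, inode and link count but ignores size, all
# timestamps and all signatures, so only static plumbing belongs here.
/etc/cron.d/FIFO                L
/etc/mail/sendmail.pid          L
/etc/saf/zsmon/_pmpipe          L
/etc/saf/zsmon/_pid             L
/etc/saf/_sacpipe               L
/etc/mnttab                     L
# nsswitch.conf is a static configuration file (it selects the name-service
# sources for passwd, group, hosts, ...), not a runtime state file.  It was
# listed as L among the pipes/pid files, which meant a content change went
# unreported; it is now checked read-only like the rest of /etc.
/etc/nsswitch.conf              R-2
/etc/lp/Systems                 L
/etc/initpipe                   L
/etc/.mnttab.lock               L
/etc/syslog.pid                 L
/etc/utmppipe                   L
# /.cpr_config                  L
# /var/snmp/snmpdx.st           .L
# /var/snmp/snmpdx.st.old       L
/var/statmon/state              L

## Root account
/.profile                       R-2
/.cshrc                         R-2
/.logout                        R-2
/.login                         R-2
/.shosts                        R-2
/.kshrc                         R-2
/.exrc                          R-2
/.dtprofile                     R-2
=/.dt/                          R-2
/.dt/dtwmrc                     R-2
/.dt/prewsmenu.dtwmrc           R-2
/.dt/wsmenu.dtwmrc              R-2
/.dt/types                      R-2
/.dt/C                          R-2
/.dt/sessions/                  R-2
/.dt/sessions/dtwmfp.session    R-2
/.dt/sessions/home              R-2
/.dt/Desktop                    R-2
/.dt/palettes                   R-2
/.ssh                           R-2
# NOTE(review): /.shosts and /etc/hosts.equiv are listed but /.rhosts is not.
# "/" itself is only checked with an exclusive prune ("=/" below), so a
# /.rhosts that appears later would presumably surface only as a change to
# the "/" directory entry, not as an added file - confirm and add it if the
# account is expected to have one.

# Critical configuration files
# R-2cm on /etc drops ctime/mtime for everything below it that has no more
# specific entry; content changes are still caught by size and MD5.
/etc                            R-2cm
/etc/default                    R-2
/etc/dfs/dfstab                 R-2
/etc/dfs/sharetab               R-2
/etc/dumpdates                  R-2
/etc/group                      R-2     # changes should be infrequent
/etc/hosts.equiv                R-2
/etc/hostname.le0               R-2
/etc/hostname.hme0              R-2
/etc/hosts                      R-2
/etc/inet/inetd.conf            R-2
/etc/inet/protocols             R-2
/etc/inet/services              R-2
/etc/init.d                     R-2
/etc/motd                       R-2
/etc/named.boot                 R-2
/etc/named.pid                  L
/etc/opt                        R-2
/etc/passwd                     R-2
/etc/profile                    R-2
/etc/remote                     R-2
/etc/rmtab                      R-2
/etc/rpc                        R-2
=/etc/saf                       R-2
/etc/shadow                     R-2
/etc/system                     R-2
/etc/ttydefs                    R-2
/etc/ttysrch                    R-2

# Added for SSH: sb, 8.11.99
# seed and pid files change on every run; keys, configs and binaries are static.
/etc/ssh_random_seed            L
/.ssh/random_seed               L
/etc/ssh.pid                    L
/etc/ssh_config                 R-2
/etc/ssh_host_key               R-2
/etc/ssh_host_key.pub           R-2
/etc/ssh_known_hosts            R-2
/etc/sshd_config                R-2
/usr/local/bin/ssh              R-2
/usr/local/bin/ssh-add          R-2
/usr/local/bin/ssh-add1         R-2
/usr/local/bin/ssh-agent        R-2
/usr/local/bin/ssh-agent1       R-2
/usr/local/bin/ssh-askpass      R-2
/usr/local/bin/ssh-askpass1     R-2
/usr/local/bin/ssh-keygen       R-2
/usr/local/bin/ssh-keygen1      R-2
/usr/local/bin/ssh1             R-2
/usr/local/bin/scp              R-2
/usr/local/bin/scp1             R-2

## secure tools
# R-2casm = +pinug1: mode, owner, inode, links and MD5; size and all
# timestamps ignored.  A modified binary under /secure still changes its MD5.
/secure                         R-2casm
=/secure/tripwire               L
# NOTE(review): /secure/tw is pruned outright (presumably the tripwire
# database/report area - verify).  The database should live on read-only
# media; excluding it from the scan does not protect it.
!/secure/tw
# check permission & ownership only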
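# logcheck pattern files.  The .ignore / .violations.ignore lists decide which
# log lines are silently dropped, and .hacking / .violations decide what is
# reported, so an edit to any of them can hide an alert.  They were checked
# for mode and owner only (+pug); they change rarely, so content is now
# checked too (R-2: size, mtime, MD5).
/secure/logcheck/.logcheck.hacking              R-2
/secure/logcheck/.logcheck.ignore               R-2
/secure/logcheck/.logcheck.violations           R-2
/secure/logcheck/.logcheck.violations.ignore    R-2

## Email
# Check dir, but not contents
=/usr/local/imap/spool/user     L
=/usr/local/imap/proc           L
=/usr/local/imap/quota          L
=/usr/local/qmail/queue         L
# check permission & ownership only (the mailbox content changes on every delivery)
/usr/local/qmail/alias/Mailbox  +pug

# Critical devices
/dev/dsk                        R-2
/dev/rdsk                       R-2
=/devices                       R-2
!/devices/pseudo
# /dev/kmem and /dev/mem (on Solaris, symlinks to the mm@0 nodes under
# /devices/pseudo).  These used to be written "!/dev/kmem R-2" etc.; "!"
# prunes the entry outright, so the R-2 mask was never applied and the mode
# and owner of the kernel-memory devices were not checked at all.  Check
# mode/owner/inode/links only: no size or timestamps (they change on every
# access) and no signatures, so tripwire never tries to read the device.
/dev/kmem                       +pinug-samc123456789
/dev/mem                        +pinug-samc123456789
/dev/null                       R-2
/dev/zero                       R-2
# NOTE(review): these entries, like the mm@0:null/zero ones that were already
# here, assume an explicit entry survives the "!/devices/pseudo" prune above.
# Confirm with a database listing that the nodes are actually recorded.
/devices/pseudo/mm@0:kmem       +pinug-samc123456789
/devices/pseudo/mm@0:mem        +pinug-samc123456789
# mm@0:null / mm@0:zero are the device nodes (mm memory driver) that
# /dev/null and /dev/zero point to on Solaris.
/devices/pseudo/mm@0:null       R-2m
/devices/pseudo/mm@0:zero       R-2m

# Rest of critical system binaries
# "/" itself is checked, but its children only where listed explicitly.
=/                              R-2
/bin                            R-2
/sbin                           R-2
/usr/bin                        R-2
/usr/sbin                       R-2
/usr/ucb                        R-2
/lib                            R-2
/usr/lib                        R-2
/usr/local                      R-2
/opt                            R-2
/var                            R-2

# setuid/setgid root programs
/sbin/su                        R-2
/usr/lib/uucp/remote.unknown    R-2
/usr/lib/uucp/uucico            R-2
/usr/lib/uucp/uusched           R-2
/usr/lib/uucp/uuxqt             R-2
/usr/bin/at                     R-2
/usr/bin/atq                    R-2
/usr/bin/atrm                   R-2
/usr/bin/chkey                  R-2
/usr/bin/crontab                R-2
/usr/bin/eject                  R-2
/usr/bin/fdformat               R-2
/usr/bin/login                  R-2
/usr/bin/mail                   R-2
/usr/bin/mailx                  R-2
/usr/bin/netstat                R-2
/usr/bin/newgrp                 R-2
/usr/bin/nfsstat                R-2
/usr/bin/passwd                 R-2
/usr/bin/ps                     R-2
/usr/bin/rcp                    R-2
/usr/bin/rdist                  R-2
/usr/bin/rlogin                 R-2
/usr/bin/rsh                    R-2
/usr/bin/su                     R-2
/usr/bin/tip                    R-2
/usr/bin/uptime                 R-2
/usr/bin/write                  R-2
/usr/bin/w                      R-2
/usr/bin/yppasswd               R-2
/usr/bin/volcheck               R-2
/usr/bin/admintool              R-2
/usr/bin/ct                     R-2
/usr/bin/cu                     R-2
/usr/bin/uucp                   R-2
/usr/bin/uuglist                R-2
/usr/bin/uuname                 R-2
/usr/bin/uustat                 R-2
/usr/bin/uux                    R-2
/usr/bin/ipcs                   R-2
/usr/bin/nispasswd              R-2
/usr/lib/exrecover              R-2
/usr/lib/pt_chmod               R-2
/usr/lib/sendmail               R-2
/usr/lib/utmp_update            R-2
/etc/lp/alerts/printer          R-2
/usr/lib/fs/ufs/quota           R-2
/usr/lib/fs/ufs/ufsdump         R-2
/usr/lib/fs/ufs/ufsrestore      R-2
/usr/vmsys/bin/chkperm          R-2
/usr/platform/sun4u/sbin/eeprom R-2
/usr/platform/sun4u/sbin/prtdiag R-2
/usr/dt/bin/dtaction            R-2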
# setuid/setgid root programs (continued)
/usr/dt/bin/dtappgather         R-2
/usr/dt/bin/dtsession           R-2
/usr/dt/bin/dtmail              R-2
/usr/dt/bin/dtmailpr            R-2
/usr/dt/bin/dtprintinfo         R-2
/usr/dt/bin/sdtcm_convert       R-2
/usr/lib/acct/accton            R-2
/usr/openwin/bin/Xsun           R-2
/usr/openwin/bin/xlock          R-2
/usr/openwin/bin/wsinfo         R-2
/usr/openwin/bin/ff.core        R-2
/usr/openwin/bin/mailtool       R-2
/usr/openwin/bin/kcms_configure R-2
/usr/openwin/bin/kcms_calibrate R-2
/usr/openwin/bin/xload          R-2
/usr/sbin/allocate              R-2
/usr/sbin/arp                   R-2
/usr/sbin/fusage                R-2
/usr/sbin/mkdevalloc            R-2
/usr/sbin/mkdevmaps             R-2
/usr/sbin/ping                  R-2
/usr/sbin/prtconf               R-2
/usr/sbin/sacadm                R-2
/usr/sbin/swap                  R-2
/usr/sbin/sysdef                R-2
/usr/sbin/wall                  R-2
/usr/sbin/whodo                 R-2
/usr/sbin/deallocate            R-2
/usr/sbin/list_devices          R-2
/usr/sbin/dmesg                 R-2
/usr/sbin/ffbconfig             R-2
/usr/openwin/lib/mkcookie       R-2
/usr/sbin/static/rcp            R-2
/usr/proc/bin/ptree             R-2
/usr/proc/bin/pwait             R-2
/usr/ucb/ps                     R-2

# skip pseudo filesystems (/proc is procfs; /xfn is the FNS naming mount on
# Solaris 2.x) - nothing on disk, and the contents change constantly
!/proc
!/xfn

# Temp dirs
# "=" checks only the directory itself, not what users put in it.  With L
# the mode bits (including the sticky bit) and the owner are still verified.
=/usr/tmp                       L
=/usr/aset/tmp                  L
=/usr/oasys/tmp                 L
=/var/spool/lp/tmp              L
=/var/tmp                       L
=/var/dt/tmp                    L
=/tmp                           L
#/tmp                           L

# Homes
# directory entries only; home directory contents are not scanned
=/export/home                   R-2
=/home                          R-2
=/usr/home                      R-2

# Low impact
# static data trees (locales, fonts, man pages, examples, package metadata)
/usr/lib/locale                 R-2
/usr/lib/font                   R-2
/usr/openwin/lib/locale         R-2
/usr/openwin/lib/X11/fonts      R-2
/usr/openwin/lib/X11/locale     R-2
/usr/openwin/lib/xil/locale     R-2
/usr/openwin/share/man          R-2
/usr/openwin/share/locale       R-2
/usr/openwin/share/images       R-2
/usr/openwin/share/src          R-2
/usr/openwin/demo               R-2
/usr/share/man                  R-2
/usr/share/lib/terminfo         R-2
# /usr/share/lib/sgml/locale    R-2
/usr/share/src                  R-2
/usr/dt/share/examples          R-2
/usr/dt/share/man               R-2
/usr/dt/dthelp                  R-2
/usr/demo                       R-2
/usr/snadm/classes/locale       R-2
/var/sadm/pkg                   R-2
/var/sadm/patch                 R-2

## More logs
# L-i additionally ignores the inode, because rotation replaces the file.
/var/cron/log                   L-i     # rotated weekly, leave inode
/var/adm/wtmpx                  L
/var/adm/wtmp                   L
/var/adm/utmpx                  L
/var/adm/lastlog                L
# skip the rest in cron and adm.
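# log and spool directories: check the directory entry, not the contents
=/var/saf                       L
=/var/cron                      L
=/var/adm                       L
=/var/lp/logs                   L
=/var/log                       L
# /var/log/weekly.out           L
/var/spool/locks                L

## Emails
=/var/spool/mqueue              L

# NOTE(review): "server 1" contains a space.  @@ifhost appears to take a
# single hostname, so this is probably meant to be "server1" - verify
# against the real hostname, otherwise this whole section is never applied.
@@ifhost server 1
# ACE
/opt/ace/data/sdserv.db         L
=/opt/ace/data                  L
# source for the generated hosts file; /etc/inet/hosts itself is R-2 above
/etc/inet/hosts.master          L-i
@@endif

@@ifhost syslog_host
# rotated weekly: ignore the inode as well as size/times/signatures
/var/log/acelog                 L-i     # rotated weekly, leave
/var/log/alertlog               L-i     # rotated weekly, leave
/var/log/authlog                L-i     # rotated weekly, leave
/var/log/cronlog                L-i     # rotated weekly, leave
/var/log/daemonlog              L-i     # rotated weekly, leave
/var/log/kernlog                L-i     # rotated weekly, leave
/var/log/local0log              L-i     # rotated weekly, leave
/var/log/local2log              L-i     # rotated weekly, leave
/var/log/local5log              L-i     # rotated weekly, leave
/var/log/lprlog                 L-i     # rotated weekly, leave
/var/log/maillog                L-i     # rotated weekly, leave
/var/log/newslog                L-i     # rotated weekly, leave
/var/log/userlog                L-i     # rotated weekly, leave
@@endif

@@ifhost mailgateway
# Mail gateways only:
# The aliases text files decide where mail is delivered and may pipe to
# programs, so their content is checked (R-2 = size, mtime, MD5).  They were
# L-i, which ignored content entirely.  "-i" is kept because the files are
# replaced rather than edited in place (the .master/.noinc naming suggests
# they are generated and pushed from elsewhere - if that happens often, the
# reports will say so and that is intended).  The dbm files (.dir/.pag) are
# rebuilt by newaliases from the text and stay at L-i.
/etc/mail/aliases               R-2i
/etc/mail/aliases.dir           L-i
/etc/mail/aliases.pag           L-i
/etc/mail/aliases.master        R-2i
/etc/mail/aliases.master.noinc  R-2i
=/var/spool/smap                L
@@endif

@@ifhost proxy1
# Netscape proxy
=/var/netscape_cache            L
/opt/netscape/admin-serv/logs/changelog         L
/opt/netscape/admin-serv/logs/errors            L
/opt/netscape/admin-serv/logs/access            L
# L already drops m and c; "-imc" additionally ignores the inode
/opt/netscape/admin-serv/logs/changelog.offset  L-imc
!/var/netscape_proxy/cmon-mem.80
=/opt/netscape/proxy-gdv050/logs                L
=/opt/netscape/proxy-gdv999/logs                L
@@endif
#eof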