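#
# Policy file for Caldera systems
#  - Douglas Hunley (root@hunley.homeip.net)
#
# Reviewer notes on this revision:
#  * /etc and the other configuration trees were checked with $(Dynamic),
#    which does not look at size, mtime, ctime or any hash, so an in-place
#    edit of passwd/shadow/rc scripts/httpd.conf went unreported.  They are
#    now content-checked with $(SEC_BIN); see "System Configuration Files".
#  * /var was excluded from every rule; /var/log is now covered by
#    "System Logs".
#  * Stale "!/sbin/siggen"-style stop points (Tripwire lives in $(TWBIN),
#    not /sbin) were dropped from "Critical System Binaries".
#  * This plaintext policy is a map of exactly what is and is not watched
#    (e.g. /mp3, /var, /dev/pts).  After "twadmin --create-polfile" keep the
#    signed tw.pol and remove or tightly protect this text copy.
#

# GLOBAL Variable Definitions
@@section GLOBAL

TWDOCS="/usr/doc/tripwire";
TWBIN="/usr/sbin";
TWPOL="/etc/tripwire";
TWDB="/var/lib/tripwire";
TWSKEY="/etc/tripwire";
TWLKEY="/etc/tripwire";
TWREPORT="/var/lib/tripwire/report";

# Change this to your hostname.  It is used to build the local key path
# ($(TWLKEY)/<hostname>-local.key) in "Tripwire Config/Data Files" below, so
# it must match the name the local key was generated with or that entry will
# point at a file that does not exist.
HOSTNAME=hunley.homeip.net;
MAILTO=root;

# The Filesystem section
@@section FS

# Property masks.  The predefined masks referenced below are, per the
# twpolicy(4) man page:
#   ReadOnly   = +pinugtsdbmCM-rlacSH  (contents + metadata; atime/ctime ignored)
#   Dynamic    = +pinugtd-srlbamcCMSH  (metadata only: NO size, mtime, ctime, hashes)
#   Growing    = +pinugtdl-srbamcCMSH  (like Dynamic, plus "must not shrink")
#   Device     = +pugsdr-intlbamcCMSH
#   IgnoreNone = +pinugtsdrbamcCMSH-l  (everything)

# Critical files that cannot change (everything but SHA/Haval/atime)
SEC_CRIT=$(IgnoreNone)-SHa;

# Binaries w/ SUID/SGID flags set
SEC_SUID=$(IgnoreNone)-SHa;

# Binaries that should not change
SEC_BIN=$(ReadOnly);

# Files whose owner/mode/inode must not change but whose contents legitimately
# churn (mount table, the Tripwire database).  Because $(Dynamic) ignores
# size, mtime, ctime and all hashes, a rule using this mask will NOT report
# edits to a file's contents -- do not use it for files whose contents matter.
SEC_CONFIG=$(Dynamic);

# Files that grow, but that should never change ownership
SEC_LOG=$(Growing);

# Directories that should never change perms or ownership
SEC_INVARIANT=+tpug;

# Non-critical files that are of minimal security impact
SEC_LOW=33;
# Non-critical files that are of significant security impact
SEC_MED=66;
# Critical files that are significant points of vulnerability
SEC_HI=100;

# Tripwire itself
(
  rulename="Tripwire Binaries",
  severity=$(SEC_HI),
  emailto=$(MAILTO)
)
{
  # These explicit entries take precedence over the /usr/sbin directory
  # rule in "System Binaries" (longest path match wins).
  $(TWBIN)/siggen   -> $(SEC_BIN);
  $(TWBIN)/tripwire -> $(SEC_BIN);
  $(TWBIN)/twadmin  -> $(SEC_BIN);
  $(TWBIN)/twprint  -> $(SEC_BIN);
}

(
  rulename="Tripwire Config/Data Files",
  severity=$(SEC_HI),
  emailto=$(MAILTO)
)
{
  # We don't check the inodes because of the way Tripwire handles its
  # backups (files are replaced rather than rewritten).  tw.pol and tw.cfg
  # are signed, so the signature -- not this rule -- is the real integrity
  # guarantee; this rule just makes tampering visible in the report.
  $(TWDB)         -> $(SEC_CONFIG) -i;
  $(TWPOL)/tw.pol -> $(SEC_BIN) -i;
  $(TWPOL)/tw.cfg -> $(SEC_BIN) -i;

  # Keys should NEVER change, so we check them fully (inode included)
  $(TWLKEY)/$(HOSTNAME)-local.key -> $(SEC_BIN);
  $(TWSKEY)/site.key              -> $(SEC_BIN);

  # Don't scan the Tripwire reports because that'd be silly ;)
  $(TWREPORT) -> $(SEC_CONFIG) (recurse=0);
}

# Now, on to the system stuff

# Directories that are commonly accessed, but shouldn't be changing
# owners or groups.  recurse=1 means / and its immediate children only.
(
  rulename="Invariant Directories",
  severity=$(SEC_MED),
  emailto=$(MAILTO)
)
{
  /     -> $(SEC_INVARIANT) (recurse=1);
  !/mp3;
  # NOTE(review): /var itself is skipped here; its log area is covered by
  # "System Logs" below, the rest of /var is unwatched.
  !/var;
  /home -> $(SEC_INVARIANT) (recurse=1);
}

# Temp directories
# NOTE(review): recurse=true inventories every object under /tmp, so each
# report will list the files that appeared or vanished since the last run
# (X sockets, editor scratch files, ...).  That is useful for spotting
# dropped tools but noisy; if the reports become unreadable, set
# recurse=false to check only /tmp's own owner/mode.
(
  rulename="Temporary directories",
  severity=$(SEC_LOW),
  recurse=true,
  emailto=$(MAILTO)
)
{
  /tmp -> $(SEC_INVARIANT);
}

# Directories that contain logfiles.  $(Growing) reports a file that shrank
# (the usual trace of log cleaning) and any owner/mode change.  Expect a
# report after each log rotation.
(
  rulename="System Logs",
  severity=$(SEC_HI),
  recurse=true,
  emailto=$(MAILTO)
)
{
  /install -> $(SEC_LOG);
  # /var is excluded from "Invariant Directories" and nothing else in this
  # policy covered it, so the syslog and login-accounting files were
  # completely unwatched.
  /var/log -> $(SEC_LOG);
}

# Directories with our critical binaries
(
  rulename="Critical System Binaries",
  severity=$(SEC_HI),
  emailto=$(MAILTO)
)
{
  /boot -> $(SEC_CRIT);
  # presumably excluded because the boot loader rewrites it -- confirm
  !/boot/map;
  /sbin -> $(SEC_CRIT);
  # The Tripwire binaries live in $(TWBIN) (/usr/sbin), not /sbin, and are
  # named explicitly in "Tripwire Binaries"; the old "!/sbin/siggen" style
  # stop points referred to paths that are not Tripwire's and were removed.
  /usr/libexec -> $(SEC_CRIT) (recurse=true);
}

# Device files
(
  rulename="Device Files",
  severity=$(SEC_HI),
  recurse=true,
  emailto=$(MAILTO)
)
{
  /dev -> $(Device);
  # pseudo-terminal slaves come and go with every session
  !/dev/pts;
  /dev-state -> $(Device);   # for those using devfs
}

# System Binaries
(
  rulename="System Binaries",
  severity=$(SEC_HI),
  emailto=$(MAILTO)
)
{
  /bin          -> $(SEC_BIN);
  /usr/bin      -> $(SEC_BIN);
  /usr/sbin     -> $(SEC_BIN);
  /usr/X11R6/bin -> $(SEC_BIN);
}

# System libs
(
  rulename="System Libraries",
  severity=$(SEC_HI),
  recurse=true,
  emailto=$(MAILTO)
)
{
  /lib             -> $(SEC_BIN);
  /usr/lib         -> $(SEC_BIN);
  /usr/openwin/lib -> $(SEC_BIN);
  /usr/X11R6/lib   -> $(SEC_BIN);
}

# Configuration Files
(
  rulename="System Configuration Files",
  severity=$(SEC_MED),
  recurse=true,
  emailto=$(MAILTO)
)
{
  # These trees hold the files an intruder most wants to edit (passwd,
  # shadow, the rc scripts, the web server config, ...).  They were checked
  # with $(SEC_CONFIG) = $(Dynamic), which ignores size, mtime, ctime and
  # every hash, so an in-place edit would not have been reported at all.
  # Check contents with $(SEC_BIN) and carve out only the files that
  # legitimately change on their own.  If the first reports flag other
  # self-changing files (resolv.conf under DHCP, adjtime, ld.so.cache after
  # ldconfig), give those the $(SEC_CONFIG) treatment individually rather
  # than downgrading the whole tree again.
  /etc                   -> $(SEC_BIN);
  /etc/mtab              -> $(SEC_CONFIG);   # rewritten on every mount/umount
  /opt/apache/conf       -> $(SEC_BIN);
  /opt/gnome/etc         -> $(SEC_BIN);
  /opt/kde/share/config  -> $(SEC_BIN);
  /opt/kde2/share/config -> $(SEC_BIN);
  /opt/www/htdig/conf    -> $(SEC_BIN);
}

# Local and optional binaries (no recurse attribute: full depth)
(
  rulename="Local/Optional Binaries",
  severity=$(SEC_MED),
  emailto=$(MAILTO)
)
{
  /usr/local/bin     -> $(SEC_BIN);
  /usr/local/sbin    -> $(SEC_BIN);
  /opt/apache/bin    -> $(SEC_BIN);
  /opt/gnome/bin     -> $(SEC_BIN);
  /opt/kde/bin       -> $(SEC_BIN);
  /opt/kde2/bin      -> $(SEC_BIN);
  /opt/teTeX/bin     -> $(SEC_BIN);
  /opt/wine/bin      -> $(SEC_BIN);
  /opt/www/cgi-bin   -> $(SEC_BIN);
  /opt/www/htdig/bin -> $(SEC_BIN);
}

# Local and optional libraries
(
  rulename="Local/Optional Libraries",
  severity=$(SEC_MED),
  recurse=true,
  emailto=$(MAILTO)
)
{
  /usr/local/lib -> $(SEC_BIN);
  /opt/gnome/lib -> $(SEC_BIN);
  /opt/kde/lib   -> $(SEC_BIN);
  /opt/kde2/lib  -> $(SEC_BIN);
  /opt/teTeX/lib -> $(SEC_BIN);
  /opt/wine/lib  -> $(SEC_BIN);
}

# SUID/SGID files
# You don't really _need_ this rule, as these files *should* be covered by
# the directory rules above.  Listing them explicitly raises them from
# $(SEC_BIN) to $(SEC_SUID) (which also tracks ctime) and groups them under
# their own rule name in the report, so a change stands out.
# NOTE(review): this is a point-in-time inventory.  A SUID file added in a
# covered directory still shows up as an "Added" object under the directory
# rules, but one dropped somewhere this policy does not scan (e.g. below
# /home, which is only checked one level deep) will not.  Refresh the list
# with "find / -perm -4000 -o -perm -2000" after package changes.
(
  rulename="SUID/SGID Files",
  severity=$(SEC_HI),
  emailto=$(MAILTO)
)
{
  /bin/mail                         -> $(SEC_SUID);
  /bin/mount                        -> $(SEC_SUID);
  /bin/ping                         -> $(SEC_SUID);
  /bin/su                           -> $(SEC_SUID);
  /bin/umount                       -> $(SEC_SUID);
  /opt/apache/bin/suexec            -> $(SEC_SUID);
  /opt/gnome/bin/glines             -> $(SEC_SUID);
  /opt/gnome/bin/gnibbles           -> $(SEC_SUID);
  /opt/gnome/bin/gnobots2           -> $(SEC_SUID);
  /opt/gnome/bin/gnome-stones       -> $(SEC_SUID);
  /opt/gnome/bin/gnome-xbill        -> $(SEC_SUID);
  /opt/gnome/bin/gnometris          -> $(SEC_SUID);
  /opt/gnome/bin/gnomine            -> $(SEC_SUID);
  /opt/gnome/bin/gnotravex          -> $(SEC_SUID);
  /opt/gnome/bin/gnotski            -> $(SEC_SUID);
  /opt/gnome/bin/gtali              -> $(SEC_SUID);
  /opt/gnome/bin/gturing            -> $(SEC_SUID);
  /opt/gnome/bin/iagno              -> $(SEC_SUID);
  /opt/gnome/bin/mahjongg           -> $(SEC_SUID);
  /opt/gnome/bin/same-gnome         -> $(SEC_SUID);
  /opt/gnome/lib/mc/bin/cons.saver  -> $(SEC_SUID);
  /opt/gnome/sbin/gnome-pty-helper  -> $(SEC_SUID);
  /opt/kde/bin/kcheckpass           -> $(SEC_SUID);
  /opt/kde/bin/kisdn                -> $(SEC_SUID);
  /opt/kde2/bin/kcheckpass          -> $(SEC_SUID);
  /usr/X11R6/bin/XFree86            -> $(SEC_SUID);
  /usr/X11R6/bin/Xwrapper           -> $(SEC_SUID);
  /usr/X11R6/bin/v4l-conf           -> $(SEC_SUID);
  /usr/X11R6/bin/xload              -> $(SEC_SUID);
  /usr/X11R6/bin/xterm              -> $(SEC_SUID);
  /usr/bin/at                       -> $(SEC_SUID);
  /usr/bin/chage                    -> $(SEC_SUID);
  /usr/bin/chfn                     -> $(SEC_SUID);
  /usr/bin/chsh                     -> $(SEC_SUID);
  /usr/bin/crontab                  -> $(SEC_SUID);
  /usr/bin/expiry                   -> $(SEC_SUID);
  /usr/bin/gnuplot                  -> $(SEC_SUID);
  /usr/bin/gpasswd                  -> $(SEC_SUID);
  /usr/bin/kdesu                    -> $(SEC_SUID);
  /usr/bin/lockfile                 -> $(SEC_SUID);
  /usr/bin/lpq                      -> $(SEC_SUID);
  /usr/bin/lpr                      -> $(SEC_SUID);
  /usr/bin/lprm                     -> $(SEC_SUID);
  /usr/bin/mutt_dotlock             -> $(SEC_SUID);
  /usr/bin/passwd                   -> $(SEC_SUID);
  /usr/bin/procmail                 -> $(SEC_SUID);
  /usr/bin/slocate                  -> $(SEC_SUID);
  /usr/bin/sperl5.00503             -> $(SEC_SUID);
  /usr/bin/suidperl                 -> $(SEC_SUID);
  /usr/bin/wall                     -> $(SEC_SUID);
  /usr/bin/write                    -> $(SEC_SUID);
  /usr/local/bin/elm                -> $(SEC_SUID);
  /usr/local/bin/ssh-signer2        -> $(SEC_SUID);
  /usr/local/bin/ssh1               -> $(SEC_SUID);
  /usr/sbin/lpc                     -> $(SEC_SUID);
  /usr/sbin/sendmail                -> $(SEC_SUID);
  /usr/sbin/traceroute              -> $(SEC_SUID);
  /usr/sbin/utempter                -> $(SEC_SUID);
}

# End of policy file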