<HTML
|
|
><HEAD
|
|
><TITLE
|
|
>Configure the /usr/TSS/policy/twpol.txt file</TITLE
|
|
><META
|
|
NAME="GENERATOR"
|
|
CONTENT="Modular DocBook HTML Stylesheet Version 1.60"><LINK
|
|
REL="HOME"
|
|
TITLE="Securing and Optimizing Linux"
|
|
HREF="index.html"><LINK
|
|
REL="UP"
|
|
TITLE="Software -Securities/System Integrity"
|
|
HREF="sysintegrity.html"><LINK
|
|
REL="PREVIOUS"
|
|
TITLE="Configuration files"
|
|
HREF="chap17sec138.html"><LINK
|
|
REL="NEXT"
|
|
TITLE="Securing Tripwire for Linux"
|
|
HREF="chap17sec140.html"></HEAD
|
|
><BODY
|
|
CLASS="section"
|
|
BGCOLOR="#FFFFFF"
|
|
TEXT="#000000"
|
|
LINK="#0000FF"
|
|
VLINK="#840084"
|
|
ALINK="#0000FF"
|
|
|
|
><DIV
|
|
CLASS="section"
|
|
><H1
|
|
CLASS="section"
|
|
><A
|
|
NAME="AEN9454"
|
|
>17.4. Configure the <TT
|
|
CLASS="filename"
|
|
>/usr/TSS/policy/twpol.txt</TT
|
|
> file</A
|
|
></H1
|
|
><P
|
|
> The <TT
|
|
CLASS="filename"
|
|
>/usr/TSS/policy/twpol.txt</TT
|
|
> is Tripwire's text policy file, where you specify which files and directories to check. Note that extensive testing and experience are necessary when editing this policy file
|
|
before you get a working report. The following is a working example from which you can start your own customization.
|
|
</P
|
|
><DIV
|
|
CLASS="procedure"
|
|
><OL
|
|
TYPE="1"
|
|
><LI
|
|
><P
|
|
> You must modify the default policy file, or create your own. The <TT
|
|
CLASS="filename"
|
|
>policyguide.txt</TT
|
|
> file under <TT
|
|
CLASS="filename"
|
|
>/usr/TSS/policy</TT
|
|
> directory can help you. Open the policy
|
|
file <TT
|
|
CLASS="filename"
|
|
>twpol.txt</TT
|
|
> with a text editor, <B
|
|
CLASS="command"
|
|
>vi</B
|
|
> <TT
|
|
CLASS="filename"
|
|
>/usr/TSS/policy/twpol.txt</TT
|
|
> and change it to fit your needs:
|
|
<TABLE
|
|
BORDER="0"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><PRE
|
|
CLASS="programlisting"
|
|
> @@section GLOBAL
# GLOBAL: path variables that the FS rules below reference as $(TWBIN), $(TWPOL),
# $(TWDB), $(TWSKEY), $(TWLKEY) and $(TWREPORT). The site key and the local key
# share the same directory, /usr/TSS/key, in this example.
TWROOT="/usr";
TWBIN="/usr/bin";
TWPOL="/usr/TSS/policy";
TWDB="/usr/TSS/db";
TWSKEY="/usr/TSS/key";
TWLKEY="/usr/TSS/key";
TWREPORT="/usr/TSS/report";
# Used below to name the local key file, $(HOSTNAME)-local.key; presumably this
# must be the host name the local key was generated for. Written unquoted here.
HOSTNAME=deep.openna.com;

@@section FS
# Property masks. $(IgnoreNone), $(ReadOnly), $(Dynamic), $(Growing) and $(Device)
# are Tripwire's predefined masks (see policyguide.txt); "-SHa" after $(IgnoreNone)
# drops the SHA and HAVAL hashes and the access timestamp from the checked properties.
SEC_CRIT = $(IgnoreNone)-SHa; # Critical files - we can't afford to miss any changes.
SEC_SUID = $(IgnoreNone)-SHa; # Binaries with the SUID or SGID flags set.
# SEC_TCB is defined but not referenced by any rule in this policy.
SEC_TCB = $(ReadOnly); # Members of the Trusted Computing Base.
SEC_BIN = $(ReadOnly); # Binaries that shouldn't change
# NOTE(review): $(Dynamic) is intended for files whose contents legitimately change,
# so it does not compare size, modification time or hashes - only ownership,
# permissions and similar metadata. Files assigned SEC_CONFIG below (inetd.conf,
# syslog.conf, resolv.conf, ...) would therefore have a content edit go unreported;
# $(ReadOnly) is the stricter choice for files that only change during planned
# administration. Confirm the exact mask against policyguide.txt.
SEC_CONFIG = $(Dynamic); # Config files that are changed infrequently but accessed often.
SEC_LOG = $(Growing); # Files that grow, but that should never change ownership.
SEC_INVARIANT = +pug; # Directories that should never change permission or ownership.
# Severity levels used by the rules' "severity" attribute; an integrity check can be
# limited to rules at or above a given level. A rule with no severity attribute
# (several below) presumably falls to the default level - verify in policyguide.txt.
SIG_LOW = 33; # Non-critical files that are of minimal security impact
SIG_MED = 66; # Non-critical files that are of significant security impact
SIG_HI = 100; # Critical files that are significant points of vulnerability


# Tripwire Binaries
# Rule attributes: emailto is the address that receives this rule's findings when
# reports are mailed, rulename labels the rule in reports, severity is the filter level.
(emailto = admin@openna.com, rulename = "Tripwire Binaries", severity = $(SIG_HI))
{
$(TWBIN)/siggen -> $(ReadOnly);
$(TWBIN)/tripwire -> $(ReadOnly);
$(TWBIN)/twadmin -> $(ReadOnly);
$(TWBIN)/twprint -> $(ReadOnly);
}

# Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases
(emailto = admin@openna.com, rulename = "Tripwire Data Files", severity = $(SIG_HI))
{
# NOTE: Removing the inode attribute because when Tripwire creates a backup
# it does so by renaming the old file and creating a new one (which will
# have a new inode number). Leaving inode turned on for keys, which shouldn't
# ever change.

# NOTE: this rule will trigger on the first integrity check after database
# initialization, and each integrity check afterward until a database update
# is run, since the database file will not exist before that point.
$(TWDB) -> $(Dynamic) -i;
$(TWPOL)/tw.pol -> $(SEC_BIN) -i;
$(TWBIN)/tw.cfg -> $(SEC_BIN) -i;
$(TWLKEY)/$(HOSTNAME)-local.key -> $(SEC_BIN) ;
$(TWSKEY)/site.key -> $(SEC_BIN) ;

#don't scan the individual reports
# recurse=0 checks the report directory entry itself, not the reports inside it.
$(TWREPORT) -> $(Dynamic) (recurse=0);
}

# These files are critical to a correct system boot.
# Severity is given as the literal 100 here and in the next rule; elsewhere $(SIG_HI)
# is used for the same value.
(emailto = admin@openna.com, rulename = "Critical system boot files", severity = 100)
{
/boot -> $(SEC_CRIT) ;
# A leading "!" marks a stop point: the named object is excluded from the recursive
# /boot scan above (presumably because these are rewritten with each kernel install).
!/boot/System.map ;
!/boot/module-info ;
}

# These files change the behavior of the root account
(emailto = admin@openna.com, rulename = "Root config files", severity = 100)
{
/root -> $(SEC_CRIT) ;
# Listed separately so the more specific entry (SEC_LOG, allowed to grow) applies to
# this file instead of the recursive SEC_CRIT scan of /root.
/root/.bash_history -> $(SEC_LOG) ;
}

# Commonly accessed directories that should remain static with regards to owner and group
# recurse = 0 checks only the directory entries themselves (owner, group and permission
# bits via +pug), not their contents.
(emailto = admin@openna.com, rulename = "Invariant Directories", severity = $(SIG_MED))
{
/ -> $(SEC_INVARIANT) (recurse = 0);
/home -> $(SEC_INVARIANT) (recurse = 0);
/etc -> $(SEC_INVARIANT) (recurse = 0);
/chroot -> $(SEC_INVARIANT) (recurse = 0);
/cache -> $(SEC_INVARIANT) (recurse = 0);
}

# NOTE(review): no severity attribute here (nor on "Configuration Files",
# "Security Control" and "Login Scripts" below), so these rules presumably get the
# default level and are skipped by a level-filtered check - confirm, and set one.
(emailto = admin@openna.com, rulename = "Shell Binaries")
{
/bin/bsh -> $(SEC_BIN);
/bin/csh -> $(SEC_BIN);
/bin/sh -> $(SEC_BIN);
}

# Rest of critical system binaries
# Recursive scans; the individual /bin entries in "Shell Binaries" and "setuid/setgid"
# are more specific and are the ones applied to those files.
(emailto = admin@openna.com, rulename = "OS executables and libraries", severity = $(SIG_HI))
{
/bin -> $(ReadOnly) ;
/lib -> $(ReadOnly) ;
}

# Local files
# recurse = 1 descends only one level below each directory.
(emailto = admin@openna.com, rulename = "User binaries", severity = $(SIG_MED))
{
/sbin -> $(SEC_BIN) (recurse = 1);
/usr/sbin -> $(SEC_BIN) (recurse = 1);
/usr/bin -> $(SEC_BIN) (recurse = 1);
}

# Temporary directories
# recurse = false at rule level: only the directories' own owner, group and
# permissions (+pug) are checked, never the files inside them.
(emailto = admin@openna.com, rulename = "Temporary directories", recurse = false, severity = $(SIG_LOW))
{
/usr/tmp -> $(SEC_INVARIANT);
/var/tmp -> $(SEC_INVARIANT);
/tmp -> $(SEC_INVARIANT);
}

# Libraries
(emailto = admin@openna.com, rulename = "Libraries", severity = $(SIG_MED))
{
/usr/lib -> $(SEC_BIN);
}

# Include
(emailto = admin@openna.com, rulename = "OS Development Files", severity = $(SIG_MED))
{
/usr/include -> $(SEC_BIN);
}

# Shared
(emailto = admin@openna.com, rulename = "OS Shared Files", severity = $(SIG_MED))
{
/usr/share -> $(SEC_BIN);
}

# Kernel headers files
# NOTE(review): "$( SIG_HI)" has a stray space inside the variable reference - remove
# it unless the policy parser is known to tolerate it. The path below is tied to one
# kernel version and must be updated when the kernel source tree changes.
(emailto = admin@openna.com, rulename = "Kernel Headers Files", severity = $( SIG_HI))
{
/usr/src/linux-2.2.14 -> $(SEC_BIN);
}

# setuid/setgid root programs
# Explicit list, no recursion: a setuid binary appearing elsewhere is only reported if
# its directory is covered by another rule (e.g. /bin, /sbin, /usr/bin above).
(emailto = admin@openna.com, rulename = "setuid/setgid", severity = $(SIG_HI))
{
/bin/su -> $(SEC_SUID);
/sbin/pwdb_chkpwd -> $(SEC_SUID);
/sbin/dump -> $(SEC_SUID);
/sbin/restore -> $(SEC_SUID);
/usr/bin/at -> $(SEC_SUID);
/usr/bin/passwd -> $(SEC_SUID);
/usr/bin/suidperl -> $(SEC_SUID);
/usr/bin/crontab -> $(SEC_SUID);
/usr/sbin/sendmail -> $(SEC_SUID);
/usr/bin/man -> $(SEC_SUID);
/usr/bin/sperl5.00503 -> $(SEC_SUID);
/usr/bin/slocate -> $(SEC_SUID);
/usr/sbin/utempter -> $(SEC_SUID);
/sbin/netreport -> $(SEC_SUID);
}

# NOTE(review): SEC_CONFIG is $(Dynamic), so only ownership/permission changes to these
# files are reported; an edit to inetd.conf or syslog.conf would not be. No severity is
# set on this rule either.
(emailto = admin@openna.com, rulename = "Configuration Files")
{
/etc/hosts -> $(SEC_CONFIG);
/etc/inetd.conf -> $(SEC_CONFIG);
/etc/initlog.conf -> $(SEC_CONFIG);
/etc/inittab -> $(SEC_CONFIG);
/etc/resolv.conf -> $(SEC_CONFIG);
/etc/syslog.conf -> $(SEC_CONFIG);
}

# NOTE(review): /etc/shadow (and /etc/gshadow, where present) appear in no rule of this
# policy, although /etc/passwd and /etc/group do - confirm that this is intended.
(emailto = admin@openna.com, rulename = "Security Control")
{
/etc/group -> $(SEC_CRIT);
/etc/security/ -> $(SEC_CRIT);
/lib/security/ -> $(SEC_CRIT);
/var/spool/cron -> $(SEC_CRIT);
}

(emailto = admin@openna.com, rulename = "Login Scripts")
{
/etc/csh.login -> $(SEC_CONFIG);
/etc/profile -> $(SEC_CONFIG);
}

# These files change every time the system boots
# Contents and size of these objects vary legitimately; $(Dynamic) still reports
# ownership, permission and inode changes, and added or removed entries under the
# directories (/var/run, /var/log, /lib/modules, /var/lock/subsys).
(emailto = admin@openna.com, rulename = "System boot changes", severity = $(SIG_HI))
{
/dev/log -> $(Dynamic) ;
/dev/cua0 -> $(Dynamic) ;
/dev/console -> $(Dynamic) ;
/dev/tty2 -> $(Dynamic) ; # tty devices
/dev/tty3 -> $(Dynamic) ; # are extremely
/dev/tty4 -> $(Dynamic) ; # variable
/dev/tty5 -> $(Dynamic) ;
/dev/tty6 -> $(Dynamic) ;
/dev/urandom -> $(Dynamic) ;
/dev/initctl -> $(Dynamic) ;
/var/lock/subsys -> $(Dynamic) ;
/var/run -> $(Dynamic) ; # daemon PIDs
/var/log -> $(Dynamic) ;
/etc/ioctl.save -> $(Dynamic) ;
/etc/.pwd.lock -> $(Dynamic) ;
/etc/mtab -> $(Dynamic) ;
/lib/modules -> $(Dynamic) ;
}

# Critical configuration files
# $(ReadOnly) here reports any content, size or permission change; the cron and rc.d
# directories are scanned recursively, so new scripts dropped into them are reported too.
(emailto = admin@openna.com, rulename = "Critical configuration files", severity = $(SIG_HI))
{
/etc/conf.modules -> $(ReadOnly) ;
/etc/crontab -> $(ReadOnly) ;
/etc/cron.hourly -> $(ReadOnly) ;
/etc/cron.daily -> $(ReadOnly) ;
/etc/cron.weekly -> $(ReadOnly) ;
/etc/cron.monthly -> $(ReadOnly) ;
/etc/default -> $(ReadOnly) ;
/etc/fstab -> $(ReadOnly) ;
/etc/group- -> $(ReadOnly) ; # changes should be infrequent
/etc/host.conf -> $(ReadOnly) ;
/etc/hosts.allow -> $(ReadOnly) ;
/etc/hosts.deny -> $(ReadOnly) ;
/etc/lilo.conf -> $(ReadOnly) ;
/etc/logrotate.conf -> $(ReadOnly) ;
/etc/pwdb.conf -> $(ReadOnly) ;
/etc/securetty -> $(ReadOnly) ;
/etc/sendmail.cf -> $(ReadOnly) ;
/etc/protocols -> $(ReadOnly) ;
/etc/services -> $(ReadOnly) ;
/etc/rc.d/init.d -> $(ReadOnly) ;
/etc/rc.d -> $(ReadOnly) ;
/etc/motd -> $(ReadOnly) ;
/etc/passwd -> $(ReadOnly) ;
/etc/passwd- -> $(ReadOnly) ;
/etc/profile.d -> $(ReadOnly) ;
/etc/rpc -> $(ReadOnly) ;
/etc/sysconfig -> $(ReadOnly) ;
/etc/shells -> $(ReadOnly) ;
/etc/nsswitch.conf -> $(ReadOnly) ;
}

# Critical devices
# $(Device) checks permissions, ownership and device numbers, not contents (see
# policyguide.txt); recurse = false keeps each /proc directory to a single entry.
(emailto = admin@openna.com, rulename = "Critical devices", severity = $(SIG_HI), recurse = false)
{
/dev/kmem -> $(Device) ;
/dev/mem -> $(Device) ;
/dev/null -> $(Device) ;
/dev/zero -> $(Device) ;
/proc/devices -> $(Device) ;
/proc/net -> $(Device) ;
/proc/tty -> $(Device) ;
/proc/sys -> $(Device) ;
/proc/cpuinfo -> $(Device) ;
/proc/modules -> $(Device) ;
/proc/mounts -> $(Device) ;
/proc/dma -> $(Device) ;
/proc/filesystems -> $(Device) ;
/proc/ide -> $(Device) ;
/proc/interrupts -> $(Device) ;
/proc/ioports -> $(Device) ;
/proc/scsi -> $(Device) ;
/proc/kcore -> $(Device) ;
/proc/self -> $(Device) ;
/proc/kmsg -> $(Device) ;
/proc/stat -> $(Device) ;
/proc/ksyms -> $(Device) ;
/proc/loadavg -> $(Device) ;
/proc/uptime -> $(Device) ;
/proc/locks -> $(Device) ;
/proc/version -> $(Device) ;
/proc/meminfo -> $(Device) ;
/proc/cmdline -> $(Device) ;
/proc/misc -> $(Device) ;
}
|
|
</PRE
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
>
|
|
<DIV
|
|
CLASS="tip"
|
|
><BLOCKQUOTE
|
|
CLASS="tip"
|
|
><P
|
|
><B
|
|
><SPAN
|
|
CLASS="inlinemediaobject"
|
|
><IMG
|
|
SRC="./images/Tip.gif"
|
|
ALT="Tip"
|
|
></IMG
|
|
></SPAN
|
|
>: </B
|
|
>
|
|
This is an example policy file that we provide; of course, you must modify it to fit your system's files and your specific needs.
|
|
</P
|
|
></BLOCKQUOTE
|
|
></DIV
|
|
>
|
|
</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
> Once you are ready to use your policy file for the first time, install it with the following command:
|
|
<TABLE
|
|
BORDER="0"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><PRE
|
|
CLASS="screen"
|
|
> [root@deep] /#<B
|
|
CLASS="command"
|
|
>twadmin</B
|
|
> --create-polfile /usr/TSS/policy/twpol.txt
|
|
</PRE
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
>
|
|
<TABLE
|
|
BORDER="0"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><PRE
|
|
CLASS="literallayout"
|
|
><TT
|
|
CLASS="computeroutput"
|
|
> Please enter your site passphrase:
|
|
Wrote policy file: /usr/TSS/policy/tw.pol
|
|
</TT
|
|
></PRE
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
>
|
|
</P
|
|
></LI
|
|
></OL
|
|
></DIV
|
|
></DIV
|
|
|
|
></BODY
|
|
></HTML
|
|
> |