Tripwire Policy

So, I got sick of the default policy that came with Red Hat and Fedora tripwire packages. A policy that attempts to define and categorize every file that could possibly be installed from the distribution media seems to me to be a little security unconscious. Rather than hunt through the policy file by hand, removing the file definitions that are causing errors (simply because the target file is not installed), I decided to define a set of directories (/bin, /etc, /lib, /usr) and then add any exceptions that I encountered.

Here is a link to the following tripwire policy. You will probably end up placing it in /etc/tripwire. Edit the file and fix “HOSTNAME=localhost;” at line 74 with your hostname (uname -n), and run “/usr/sbin/tripwire -m p /etc/tripwire/twpol.txt“. You may need the “-Z low” flag, too. There is also a version for EL4, EL5, and FC12 (x86_64)/FC12 (powerpc).


# /etc/tripwire/twpol.txt
#
# $Id: twpol.txt,v 1.12 2005/07/20 13:59:00 mike Exp $
#
# This config assumes use on Fedora Core 2, Core 3, or possibly RHEL 4 and
# is tuned for a server install.  You will want to remove the sections
# marked WORKSTATION if this box will have any hardware added or removed
# on a regular basis (like hotplug).
#
# man twpolicy
#
# A number of variables are predefined by Tripwire and may not be
# changed.  These variables represent different ways that files can
# change, and can be used on the right side of rules to design a policy
# file quickly.
#
# ReadOnly       ReadOnly is good for files that are widely available
#                but are intended to be read-only.
#                Value: +pinugtsdbmCM-rlacSH
#
# Dynamic        Dynamic is good for monitoring user directories and
#                files that tend to be dynamic in behavior.
#                Value: +pinugtd-srlbamcCMSH
#
# Growing        The Growing variable is intended for files that should
#                only get larger.
#                Value: +pinugtdl-srbamcCMSH
#
# Device         Device is good for devices or other files that Tripwire
#                should not attempt to open.
#                Value: +pugsdr-intlbamcCMSH
#
# IgnoreAll      IgnoreAll tracks a file's presence or absence, but
#                doesn't check any other properties.
#                Value: -pinugtsdrlbamcCMSH
#
# IgnoreNone     IgnoreNone turns on all properties and provides a con-
#                venient starting point for defining your own property
#                masks.  (For example, mymask = $(IgnoreNone) -ar;)
#                Value: +pinugtsdrbamcCMSH-l
#
# Characters used in property masks, with descriptions:
#   -     Ignore the following properties
#   +     Record and check the following properties
#   a     Access timestamp
#   b     Number of blocks allocated
#   c     Inode timestamp (create/modify)
#   d     ID of device on which inode resides
#   g     File owner's group ID
#   i     Inode number
#   l     File is increasing in size (a "growing file")
#   m     Modification timestamp
#   n     Number of links (inode reference count)
#   p     Permissions and file mode bits
#   r     ID of device pointed to by inode
#         (valid only for device objects)
#   s     File size
#   t     File type
#   u     File owner's user ID
#   C     CRC-32 hash value
#   H     Haval hash value
#   M     MD5 hash value
#   S     SHA hash value

# Global Variable Definitions
@@section GLOBAL
TWROOT=/usr/sbin;
TWBIN=/usr/sbin;
TWPOL="/etc/tripwire";
TWDB="/var/lib/tripwire";
TWSKEY="/etc/tripwire";
TWLKEY="/etc/tripwire";
TWREPORT="/var/lib/tripwire/report";
HOSTNAME=localhost;

@@section FS
SEC_CRIT      = $(IgnoreNone)-SHa ;  # Critical files that cannot change
SEC_BIN       = $(ReadOnly) ;        # Binaries that should not change
SEC_CONFIG    = $(Dynamic) ;         # Config files that are changed infrequently but accessed often
SEC_LOG       = $(Growing) ;         # Files that grow, but that should never change ownership
SEC_INVARIANT = +tpug ;              # Directories that should never change permission or ownership

SEV_LOW       = 33 ;                 # Non-critical files that are of minimal security impact
SEV_MED       = 66 ;                 # Non-critical files that are of significant security impact
SEV_HI        = 100 ;                # Critical files that are significant points of vulnerability

# Tripwire Binaries
(
  rulename = "Tripwire Binaries",
  recurse = true,
  severity = $(SEV_HI)
)
{
  $(TWBIN)/siggen                      -> $(SEC_CRIT) ;
  $(TWBIN)/tripwire                    -> $(SEC_CRIT) ;
  $(TWBIN)/twadmin                     -> $(SEC_CRIT) ;
  $(TWBIN)/twprint                     -> $(SEC_CRIT) ;
}

# Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases
(
  rulename = "Tripwire Data Files",
  recurse = true,
  severity = $(SEV_HI)
)
{
  # NOTE: We remove the inode attribute because when Tripwire creates a backup,
  # it does so by renaming the old file and creating a new one (which will
  # have a new inode number).  Inode is left turned on for keys, which shouldn't
  # ever change.

  # NOTE: The first integrity check triggers this rule and each integrity check
  # afterward triggers this rule until a database update is run, since the
  # database file does not exist before that point.
  $(TWDB)                              -> $(Dynamic) -i ;
  $(TWPOL)/tw.pol                      -> $(ReadOnly) -i ;
  $(TWPOL)/tw.cfg                      -> $(ReadOnly) -i ;
  $(TWLKEY)/$(HOSTNAME)-local.key      -> $(SEC_CRIT) ;
  $(TWSKEY)/site.key                   -> $(SEC_CRIT) ;
  # Don't scan the individual reports
  $(TWREPORT)                          -> $(Dynamic) (recurse=0) ;
}

# Commonly accessed directories that should remain static with  regards
# to owner and group.
(
  rulename = "Invariant Directories",
  recurse = false,
  severity = $(SEV_LOW)
)
{
  /                                    -> $(SEC_INVARIANT) ;
  /home/                               -> $(SEC_INVARIANT) ;
  /tmp/                                -> $(SEC_INVARIANT) ;
  /usr/tmp/                            -> $(SEC_INVARIANT) ;
  /var/                                -> $(SEC_INVARIANT) ;
  /var/tmp/                            -> $(SEC_INVARIANT) ;
}

# Add-on application software packages
(
  rulename = "Add-on application software",
  recurse = true,
  severity = $(SEV_MED)
)
{
  /opt/                                -> $(ReadOnly) ;
}

# System software
(
  rulename = "System software",
  recurse = true,
  severity = $(SEV_MED)
)
{
  /usr/                                -> $(ReadOnly) ;
  !/usr/share/doc/ ; # Prune out all the documentation.
  !/usr/share/man/ ; # Prune out all the documentation.
}

# System binaries
(
  rulename = "OS executables",
  recurse = true,
  severity = $(SEV_HI)
)
{
  /bin/                                -> $(ReadOnly) ;
  /sbin/                               -> $(ReadOnly) ;
  /usr/bin/                            -> $(ReadOnly) ;
  /usr/libexec/                        -> $(ReadOnly) ;
  /usr/sbin/                           -> $(ReadOnly) ;
  /usr/local/bin/                      -> $(ReadOnly) ;
  /usr/local/libexec/                  -> $(ReadOnly) ;
  /usr/local/sbin/                     -> $(ReadOnly) ;
  /usr/X11R6/bin/                      -> $(ReadOnly) ;
}

# Libraries
(
  rulename = "Libraries",
  recurse = true,
  severity = $(SEV_MED)
)
{
  /lib/                                -> $(ReadOnly) ;
  /usr/lib/                            -> $(ReadOnly) ;
  /usr/local/lib/                      -> $(ReadOnly) ;
  /usr/X11R6/lib/                      -> $(ReadOnly) ;
}

# Configuration files.
(
  rulename = "Configuration files",
  recurse = true,
  severity = $(SEV_HI)
)
{
  # Due to all the cron and other activity, modification time on /etc
  # is not monitored.
  /etc/                                -> $(ReadOnly) -m ;
  /etc/group                           -> $(SEC_CRIT) ;
  /etc/group-                          -> $(SEC_CRIT) ;
  /etc/gshadow                         -> $(SEC_CRIT) ;
  /etc/gshadow-                        -> $(SEC_CRIT) ;
  /etc/pam.d/                          -> $(SEC_CRIT) ;
  /etc/passwd                          -> $(SEC_CRIT) ;
  /etc/passwd-                         -> $(SEC_CRIT) ;
  /etc/shadow                          -> $(SEC_CRIT) ;
  /etc/shadow-                         -> $(SEC_CRIT) ;
  /etc/securetty                       -> $(SEC_CRIT) ;
  /etc/security/                       -> $(SEC_CRIT) ;
  /etc/selinux/                        -> $(SEC_CRIT) ;
  /usr/local/etc/                      -> $(ReadOnly) ;
}

# Critical System Boot Files.
# These files are critical to a correct system boot.
(
  rulename = "Critical system boot files",
  recurse = true,
  severity = $(SEV_HI)
)
{
  /boot/                               -> $(SEC_CRIT) ;
  !/boot/System.map ;
  !/boot/module-info ;
  /sbin/installkernel                  -> $(SEC_CRIT) ;
  # GRUB
  /sbin/grub                           -> $(SEC_CRIT) ;
  /sbin/grub-install                   -> $(SEC_CRIT) ;
  /sbin/grub-md5-crypt                 -> $(SEC_CRIT) ;
  /sbin/grub-terminfo                  -> $(SEC_CRIT) ;
  /usr/share/grub/                     -> $(SEC_CRIT) ;
  # LILO
 #/sbin/lilo                           -> $(SEC_CRIT) ;
}

# These files change the behavior of the root account
(
  rulename = "Root config files",
  recurse = true,
  severity = $(SEV_HI)
)
{
  # Catch all additions to /root
  /root/                               -> $(SEC_CRIT) ;
  /root/.bash_history                  -> $(Dynamic) -s ;
  # So, you like to login as root, eh?
  # Changes Inode number on login
 #/root/.Xauthority                    -> $(Dynamic) -i ;
}

# SElinux kernel working files and devices.
(
  rulename = "SElinux devices",
  recurse = true,
  severity = $(SEV_HI)
)
{
  # The ctime and mtime on these directories and files will change on
  # every reboot if using SElinux on kernel >= 2.6.
  /selinux/                            -> $(Device) ;
}

# These files change every time the system boots or at certain intervals.
# If tripwire complains that any given file does not exits, then comment out
# it's entry in this section.
(
  rulename = "System boot changes",
  recurse = true,
  severity = $(SEV_HI)
)
{
  # hwclock writes to this file on system shutdown.
  /etc/adjtime                         -> $(Dynamic) ;
  # Created by blkid in e2fsprogs
  /etc/blkid.tab                       -> $(Dynamic) -i ;
  /etc/blkid.tab.old                   -> $(Dynamic) -i ;
  # This file is created if the console is on a serial port and the system
  # switches to runlevel 1.
  /etc/ioctl.save                      -> $(Dynamic) ;
  # Changes on reboot by kudzu
  /etc/fstab                           -> $(Dynamic) -i ;
  /etc/sysconfig/hwconf                -> $(Dynamic) ;
  # Package installs can rebuild this cache:
  /etc/ld.so.cache                     -> $(Dynamic) ;
  # LVM rebuilds this file:
  /etc/lvm/.cache                      -> $(Dynamic) ;
  # Inode number changes on any mount/unmount.
  /etc/mtab                            -> $(Dynamic) -i ;
  # Cron jobs run to rebuild this cache:
  /etc/prelink.cache                   -> $(Dynamic) -i ;
  # dhclient will modify these unless told not to.
  /etc/ntp.conf                        -> $(Dynamic) ;
  /etc/ntp/step-tickers                -> $(Dynamic) ;
  /etc/resolv.conf                     -> $(Dynamic) ;
  /etc/yp.conf                         -> $(Dynamic) ;
  # cups touches these files every night:
  /etc/cups/certs                      -> $(ReadOnly) -m ;
  /etc/cups/certs/0                    -> $(Dynamic) -i ;
  /etc/printcap                        -> $(ReadOnly) -m ;
  # Sendmail saves statistics data here:
  /etc/mail/statistics                 -> $(Dynamic) ;
  # Rebuilt every time sendmail starts:
  /etc/aliases.db                      -> $(Dynamic) ;
  # Postfix touches this file every time it uses encryption.
  /etc/postfix/prng_exch               -> $(Dynamic) ;
  # Older ntp versions keep the drift file in /etc.
  /etc/ntp                             -> $(ReadOnly) -m ;
  /etc/ntp/drift                       -> $(Dynamic) ;
  # Older MRTG versions keep the .ok file in /etc.
  /etc/mrtg                            -> $(ReadOnly) -m ;
  /etc/mrtg/mrtg.ok                    -> $(Dynamic) ;
}

# WORKSTATION
# If you have a workstation or system that will be loading/unloading
# kernel modules, you may want to uncomment the next line.
#@@end

# Devices.
(
  rulename = "Devices",
  recurse = false,
  severity = $(SEV_MED)
)
{
  # The ctime and mtime on these directories and files will change on
  # every reboot if using udev on kernel >= 2.6.
  /dev/                                -> $(Device) (recurse=true) ;
  /dev/ttyS0                           -> $(Device) -ug ;
  /dev/tty1                            -> $(Device) -ug ;
  /dev/tty2                            -> $(Device) -ug ;
  /dev/tty3                            -> $(Device) -ug ;
  /dev/tty4                            -> $(Device) -ug ;
  /dev/tty5                            -> $(Device) -ug ;
  /dev/tty6                            -> $(Device) -ug ;
  !/dev/pts ;
  !/dev/shm ;
  # Files in /sys will be added/removed depending on what kernel
  # modules are loaded.
  /sys/                                -> $(Device) (recurse=true) ;
  /proc/buddyinfo                      -> $(Device) ;
  /proc/cmdline                        -> $(Device) ;
  /proc/cpuinfo                        -> $(Device) ;
  /proc/crypto                         -> $(Device) ;
  /proc/devices                        -> $(Device) ;
  /proc/diskstats                      -> $(Device) ;
  /proc/dma                            -> $(Device) ;
  /proc/driver/rtc                     -> $(Device) ;
  /proc/execdomains                    -> $(Device) ;
  /proc/fb                             -> $(Device) ;
  /proc/filesystems                    -> $(Device) ;
  /proc/interrupts                     -> $(Device) ;
  /proc/iomem                          -> $(Device) ;
  /proc/ioports                        -> $(Device) ;
  /proc/kallsyms                       -> $(Device) ;
  /proc/kcore                          -> $(Device) ;
  /proc/kmsg                           -> $(Device) ;
  /proc/loadavg                        -> $(Device) ;
  /proc/locks                          -> $(Device) ;
  /proc/mdstat                         -> $(Device) ;
  /proc/meminfo                        -> $(Device) ;
  /proc/misc                           -> $(Device) ;
  /proc/modules                        -> $(Device) ;
  /proc/mounts                         -> $(Device) ;
  /proc/mtrr                           -> $(Device) ;
  /proc/net                            -> $(Device) ;
  /proc/partitions                     -> $(Device) ;
  /proc/pci                            -> $(Device) ;
  /proc/scsi                           -> $(Device) ;
  /proc/self                           -> $(Device) ;
  /proc/slabinfo                       -> $(Device) ;
  /proc/stat                           -> $(Device) ;
  /proc/swaps                          -> $(Device) ;
  /proc/sys                            -> $(Device) ;
  /proc/uptime                         -> $(Device) ;
  /proc/version                        -> $(Device) ;
  /proc/vmstat                         -> $(Device) ;
}

@@end

Links:

Advertisements

About Michael Arnold
This is where I write about all of my unix hacking experiences so that you may be able to learn from my troubles.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: