

发信人: Lg (创造人生的传奇), 信区: Linux
标  题: suse.txt
发信站: BBS 荔园晨风站 (Thu Mar 16 22:08:16 2000), 站内信件

@@section GLOBAL
# Install root of the Tripwire tree.  The remaining paths are spelled out in
# full rather than derived from TWROOT, so changing TWROOT alone is not enough.
TWROOT="/usr/TSS";
TWBIN="/usr/TSS/bin";
TWPOL="/usr/TSS/policy";
TWDB="/usr/TSS/db";
# Site key and local key live in the same directory in this layout.
TWSKEY="/usr/TSS/key";
TWLKEY="/usr/TSS/key";
TWREPORT="/usr/TSS/report";
# Placeholder that must be replaced with the real host name: the FS section
# builds the local key path as $(TWLKEY)/$(HOSTNAME)-local.key.
HOSTNAME=YourHostname;

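@@section FS
# Property masks and severity levels used by the rules below.  Each mask
# starts from one of Tripwire's predefined masks and adds (+) or removes (-)
# single-letter properties.
#
# The trailing comment lines were wrapped at 80 columns in the posted copy,
# leaving bare text ("any changes.", "security impact", ...) outside a
# comment; every continuation is now prefixed with '#' so the file parses.
SEC_CRIT      = $(IgnoreNone)-SHa;  # Critical files - we can't afford to miss
                                    # any changes.
SEC_SUID      = $(IgnoreNone)-SHa;  # Binaries with the SUID or SGID flags set.
SEC_TCB       = $(ReadOnly);        # Members of the Trusted Computing Base.
SEC_BIN       = $(ReadOnly);        # Binaries that shouldn't change
SEC_CONFIG    = $(Dynamic);         # Config files that are changed
                                    # infrequently but accessed often.
SEC_LOG       = $(Growing);         # Files that grow, but that should never
                                    # change ownership.
SEC_INVARIANT = +pug;               # Directories that should never change
                                    # permission or ownership.
# NOTE(review): SEC_TCB and SEC_LOG are defined but not referenced by any rule
# in this policy; /var/log is checked with $(Dynamic) further down instead.
SIG_LOW       = 33;                 # Non-critical files that are of minimal
                                    # security impact
SIG_MED       = 66;                 # Non-critical files that are of
                                    # significant security impact
SIG_HI        = 100;                # Critical files that are significant
                                    # points of vulnerability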


# Tripwire Binaries
# The four Tripwire executables themselves.  They are listed individually
# (not as $(TWBIN) recursively) so that tw.cfg, which also lives in $(TWBIN),
# can get its own mask in the "Tripwire Data Files" rule.
(rulename = "Tripwire Binaries", severity = $(SIG_HI))
{
  $(TWBIN)/siggen   -> $(ReadOnly);
  $(TWBIN)/tripwire -> $(ReadOnly);
  $(TWBIN)/twadmin  -> $(ReadOnly);
  $(TWBIN)/twprint  -> $(ReadOnly);
}

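# Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports,
# Databases
# (The second line of this heading lost its '#' when the post was wrapped at
# 80 columns; restored so the file parses.)
(rulename = "Tripwire Data Files", severity = $(SIG_HI))
{
  # NOTE: Removing the inode attribute because when Tripwire creates a backup
  # it does so by renaming the old file and creating a new one (which will
  # have a new inode number).  Leaving inode turned on for keys, which shouldn't
  # ever change.

  # NOTE: this rule will trigger on the first integrity check after database
  # initialization, and each integrity check afterward until a database update
  # is run, since the database file will not exist before that point.
  $(TWDB)                           -> $(Dynamic) -i;

  # Policy and config are signed/encrypted copies; SEC_BIN is $(ReadOnly).
  $(TWPOL)/tw.pol                   -> $(SEC_BIN) -i;
  $(TWBIN)/tw.cfg                   -> $(SEC_BIN) -i;
  # Keys keep the inode property (no "-i"): they are never rewritten.
  # $(HOSTNAME) comes from the GLOBAL section and must match the real host.
  $(TWLKEY)/$(HOSTNAME)-local.key   -> $(SEC_BIN) ;
  $(TWSKEY)/site.key                -> $(SEC_BIN) ;

  #don't scan the individual reports
  $(TWREPORT)                       -> $(Dynamic) (recurse=0);
}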

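# Commonly accessed directories that should remain static with regards to owner
# and group
# (The second heading line lost its '#' to 80-column wrapping; restored.)
# SEC_INVARIANT is "+pug": only permissions, uid and gid of the directory
# entry itself are checked, and recurse = 0 keeps the check to that entry.
# Contents of /etc and /home are NOT covered by this rule.
(rulename = "Invariant Directories", severity = $(SIG_MED))
{
  /      -> $(SEC_INVARIANT) (recurse = 0);
  /home  -> $(SEC_INVARIANT) (recurse = 0);
  /etc   -> $(SEC_INVARIANT) (recurse = 0);
}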



# setuid/setgid root programs
# Point-in-time inventory of privileged binaries.  SEC_SUID is defined at the
# top of the FS section as $(IgnoreNone)-SHa, i.e. every property except the
# S, H and a letters.  A setuid binary that is not on this list is only covered
# by whichever directory rule contains it ("User binaries", "OS executables and
# libraries"); /usr/X11R6/bin in particular has no directory rule in this
# policy, so its entries here are the only coverage it gets.
(rulename = "setuid/setgid", severity = $(SIG_HI))
{
    /bin/su -> $(SEC_SUID);
    /bin/mount -> $(SEC_SUID);
    /bin/umount -> $(SEC_SUID);
    /bin/ping -> $(SEC_SUID);
    /bin/login -> $(SEC_SUID);
    /sbin/dump -> $(SEC_SUID);
    /sbin/restore -> $(SEC_SUID);
    /sbin/cardctl -> $(SEC_SUID);
    /usr/X11R6/bin/Xwrapper -> $(SEC_SUID);
    /usr/X11R6/bin/xterm -> $(SEC_SUID);
    /usr/X11R6/bin/XConsole -> $(SEC_SUID);
    /usr/X11R6/bin/xscreensaver -> $(SEC_SUID);
    /usr/bin/at -> $(SEC_SUID);
    /usr/bin/chage -> $(SEC_SUID);
    /usr/bin/gpasswd -> $(SEC_SUID);
    /usr/bin/lpq -> $(SEC_SUID);
    /usr/bin/lpr -> $(SEC_SUID);
    /usr/bin/lprm -> $(SEC_SUID);
    /usr/bin/passwd -> $(SEC_SUID);
    /usr/bin/suidperl -> $(SEC_SUID);
    /usr/bin/procmail -> $(SEC_SUID);
    /usr/bin/rcp -> $(SEC_SUID);
    /usr/bin/rlogin -> $(SEC_SUID);
    /usr/bin/screen -> $(SEC_SUID);
    /usr/bin/chfn -> $(SEC_SUID);
    /usr/bin/chsh -> $(SEC_SUID);
    /usr/bin/newgrp -> $(SEC_SUID);
    /usr/bin/cu -> $(SEC_SUID);
    /usr/bin/uucp -> $(SEC_SUID);
    /usr/bin/uuname -> $(SEC_SUID);
    /usr/bin/uustat -> $(SEC_SUID);
    /usr/bin/uux -> $(SEC_SUID);
    /usr/bin/crontab -> $(SEC_SUID);
    /usr/bin/zgv -> $(SEC_SUID);
    /usr/sbin/sendmail -> $(SEC_SUID);
    /usr/sbin/traceroute -> $(SEC_SUID);
    /usr/sbin/uucico -> $(SEC_SUID);
    /usr/sbin/uuxqt -> $(SEC_SUID);
}

# Temporary directories
# recurse = false is set once at rule level, so only the three directory
# entries themselves are checked.  SEC_INVARIANT ("+pug") flags a change of
# mode, owner or group - e.g. the sticky bit being dropped - and nothing else.
(rulename = "Temporary directories", recurse = false, severity = $(SIG_LOW))
{
  /usr/tmp                    -> $(SEC_INVARIANT);
  /var/tmp                    -> $(SEC_INVARIANT);
  /tmp                        -> $(SEC_INVARIANT);
}

# Local files
# System and local binary directories with SEC_BIN ($(ReadOnly)).
# recurse = 1 limits the scan to one level below each directory, so a
# subdirectory tree under /usr/local/bin would not be fully covered.
# NOTE(review): /sbin and /usr/sbin are rated $(SIG_MED) here while /bin is
# $(SIG_HI) under "OS executables and libraries"; confirm that is intended.
(rulename = "User binaries", severity = $(SIG_MED))
{
  /usr/local/bin              -> $(SEC_BIN) (recurse = 1);
  /sbin                       -> $(SEC_BIN) (recurse = 1);
  /usr/sbin                   -> $(SEC_BIN) (recurse = 1);
  /usr/bin                    -> $(SEC_BIN) (recurse = 1);
}

# Frequently read, rarely edited service configuration.
# No severity is given here, unlike the surrounding rules.
# NOTE(review): SEC_CONFIG expands to $(Dynamic); as I recall Tripwire's
# predefined Dynamic mask does not compare size, mtime or any hash, so an
# edit to /etc/inetd.conf or /etc/hosts that keeps mode/owner/inode would
# not be reported by this rule.  Confirm that is the intent, or use
# $(ReadOnly) as the "Critical configuration files" rule below does.
(rulename = "Configuration Files")
{
  /etc/hosts                 -> $(SEC_CONFIG);
  /etc/inetd.conf            -> $(SEC_CONFIG);
  /etc/inittab               -> $(SEC_CONFIG);
  /etc/resolv.conf           -> $(SEC_CONFIG);
  /etc/syslog.conf           -> $(SEC_CONFIG);
  /etc/smb.conf              -> $(SEC_CONFIG);
}

# Login shells, checked with SEC_BIN ($(ReadOnly)).  No severity is set.
# The commented entries are shells that may not exist on this install;
# /bin and /usr/local/bin are also covered by their directory rules.
(rulename = "Shell Binaries")
{
  /bin/bash           -> $(SEC_BIN);
  /bin/csh            -> $(SEC_BIN);
  /bin/ksh            -> $(SEC_BIN);
  #/bin/psh           -> $(SEC_BIN);
  #/bin/rsh           -> $(SEC_SUID);
  #/bin/Rsh           -> $(SEC_BIN);
  /bin/sh             -> $(SEC_BIN);
  /bin/tcsh           -> $(SEC_BIN);
  #/local/bin/bash    -> $(SEC_BIN);
  #/local/bin/tcsh    -> $(SEC_BIN);
}

# Group database plus the /etc/security and /var/adm trees, all with
# SEC_CRIT ($(IgnoreNone)-SHa).  No recurse limit is given, so the two
# directories are scanned in full.  No severity is set.
(rulename = "Security Control")
{
  /etc/group                -> $(SEC_CRIT);
  /etc/security/            -> $(SEC_CRIT);
  /var/adm/                 -> $(SEC_CRIT);
}

# Individual rc scripts, checked with SEC_CONFIG ($(Dynamic)).  No severity.
# NOTE(review): /etc/rc.d is also listed with $(ReadOnly) under "Critical
# configuration files".  As I recall, Tripwire applies the most specific
# (longest-path) rule to an object, so these five files would be checked with
# the weaker $(Dynamic) mask rather than $(ReadOnly) - confirm this is wanted.
(rulename = "Boot Scripts")
{
  /etc/rc.d/rc                           -> $(SEC_CONFIG);
  /etc/rc.d/network                      -> $(SEC_CONFIG);
  /etc/rc.d/serial                       -> $(SEC_CONFIG);
  /etc/rc.d/nfs                          -> $(SEC_CONFIG);
  /etc/rc.d/powerfail                    -> $(SEC_CONFIG);
}

# System-wide shell startup files, run for every login.  Checked with
# SEC_CONFIG ($(Dynamic)); no severity is set.
(rulename = "Login Scripts")
{
  /etc/csh.cshrc                         -> $(SEC_CONFIG);
  /etc/csh.login                         -> $(SEC_CONFIG);
  /etc/profile                           -> $(SEC_CONFIG);
}

# Libraries
# Shared library trees, scanned recursively (no recurse limit) with SEC_BIN
# ($(ReadOnly)).  /lib itself is handled by "OS executables and libraries".
(rulename = "Libraries", severity = $(SIG_MED))
{
  /usr/lib -> $(SEC_BIN);
  /usr/local/lib -> $(SEC_BIN);
}

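# These files are critical to a correct system boot.
# Severity now uses $(SIG_HI) (= 100) like the other rules instead of the
# bare literal, so a change to SIG_HI in the FS section applies here too.
# The '!' entries are stop points: they exclude the two files that are
# rewritten on every kernel update from the recursive /boot scan.
(rulename = "Critical system boot files", severity = $(SIG_HI))
{
     # the kernel files
     /boot                                 -> $(SEC_CRIT)   ;
     !/boot/System.map                                     ;
     !/boot/module-info                                    ;

     # other boot files may exist.  Look for:
     # /ufsboot                            -> $(SEC_CRIT)   ;
}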

# These files change every time the system boots
# Everything here uses $(Dynamic) so that boot-time churn is tracked without
# generating a report on every run.  The two '!' stop points exclude GNOME
# and Enlightenment state from the recursive /root scan done by "Root config
# files" below.
# NOTE(review): /var/log is checked with $(Dynamic) although SEC_LOG =
# $(Growing) is defined in the FS section and never used.  As I recall the
# Growing mask reports a file that shrinks, so log truncation would be
# detected with SEC_LOG but not with $(Dynamic) - confirm which is wanted.
(rulename = "System boot changes", severity = $(SIG_HI))
{
     !/root/.gnome;
     !/root/.enlightenment;
     /dev/log                              -> $(Dynamic)   ;
     /dev/cua0                             -> $(Dynamic)   ;
     /dev/tty2                           -> $(Dynamic)   ; # tty devices
     /dev/tty3                             -> $(Dynamic)   ; # are extremely
     /dev/tty4                             -> $(Dynamic)   ; # variable
     /dev/tty5                             -> $(Dynamic)   ;
     /dev/tty6                             -> $(Dynamic)   ;
     /dev/urandom                          -> $(Dynamic)   ;
     /dev/initctl                          -> $(Dynamic)   ;
     /var/lock/subsys                      -> $(Dynamic)   ;
     /var/lock/subsys/httpd                -> $(Dynamic)   ;
     /var/run                              -> $(Dynamic)   ; # daemon PIDs
     /var/spool/lpd/lpd.lock               -> $(Dynamic)   ;
     /var/log                              -> $(Dynamic)   ;
     /etc/issue.net                        -> $(Dynamic)   ;
     /etc/ioctl.save                       -> $(Dynamic)   ;
     /etc/issue                            -> $(Dynamic)   ;
     /etc/.pwd.lock                        -> $(Dynamic)   ;
     /etc/mtab                             -> $(Dynamic)   ;
     /lib/modules                          -> $(Dynamic)   ;
}

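# These files change the behavior of the root account
# Severity now uses $(SIG_HI) (= 100) like the other rules instead of the
# bare literal.  /root is scanned recursively with SEC_CRIT; the GNOME and
# Enlightenment subtrees are excluded by stop points in "System boot changes".
(rulename = "Root config files", severity = $(SIG_HI))
{
     # /.profile                           -> $(SEC_CRIT)   ;
     # /.kshrc                             -> $(SEC_CRIT)   ;
     # /.cshrc                             -> $(SEC_CRIT)   ;
     /root                                 -> $(SEC_CRIT)   ;
}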

# Critical configuration files
# Account database, cron, tcp_wrappers, network name tables and the rc tree,
# all with $(ReadOnly).  Directories (cron.*, /etc/default, /etc/rc.d,
# /etc/profile.d) have no recurse limit and are scanned in full.
# NOTE(review): /etc/shadow does not appear in any rule of this policy, and the
# /etc entry in "Invariant Directories" is recurse = 0, so the shadow file
# looks unmonitored; likewise /etc/group is in "Security Control" but only
# its backup /etc/group- is listed here.  Confirm against the target host.
(rulename = "Critical configuration files", severity = $(SIG_HI))
{
     /etc/conf.modules                     -> $(ReadOnly)   ;
     /etc/crontab                          -> $(ReadOnly)   ;
     /etc/cron.hourly                      -> $(ReadOnly)   ;
     /etc/cron.daily                       -> $(ReadOnly)   ;
     /etc/cron.weekly                      -> $(ReadOnly)   ;
     /etc/cron.monthly                     -> $(ReadOnly)   ;
     /etc/default                          -> $(ReadOnly)   ;
     /etc/fstab                            -> $(ReadOnly)   ;
     /etc/exports                          -> $(ReadOnly)   ;
     /etc/group-         -> $(ReadOnly) ;  # changes should be infrequent
     /etc/host.conf                        -> $(ReadOnly)   ;
     /etc/hosts.allow                      -> $(ReadOnly)   ;
     /etc/hosts.deny                       -> $(ReadOnly)   ;
     /etc/httpd/httpd.conf     -> $(ReadOnly) ;  # changes should be infrequent
     /etc/protocols                        -> $(ReadOnly)   ;
     /etc/services                         -> $(ReadOnly)   ;
     /etc/rc.d/init.d                      -> $(ReadOnly)   ;
     # /etc/rc.d overlaps the "Boot Scripts" rule, which lists five of its
     # files with the weaker $(SEC_CONFIG) mask.
     /etc/rc.d                             -> $(ReadOnly)   ;
     /etc/motd                             -> $(ReadOnly)   ;
     # /etc/named.boot                     -> $(ReadOnly)   ;
     /etc/passwd                           -> $(ReadOnly)   ;
     /etc/passwd-                          -> $(ReadOnly)   ;
     /etc/profile.d                        -> $(ReadOnly)   ;
     /etc/rpc                              -> $(ReadOnly)   ;
     /etc/nsswitch.conf                    -> $(ReadOnly)   ;
}

# Critical devices
# Device nodes and /proc entries whose contents change constantly; the
# predefined $(Device) mask is used so only the node itself is examined,
# and recurse = false at rule level stops Tripwire descending into /proc/net,
# /proc/sys, /proc/scsi and /proc/self.
(rulename = "Critical devices", severity = $(SIG_HI), recurse = false)
{
     /dev/kmem                             -> $(Device)   ;
     /dev/mem                              -> $(Device)   ;
     /dev/null                             -> $(Device)   ;
     /dev/zero                             -> $(Device)   ;
     /proc/devices                         -> $(Device)   ;
     /proc/net                             -> $(Device)   ;
     /proc/sys                             -> $(Device)   ;
     /proc/cpuinfo                         -> $(Device)   ;
     /proc/modules                         -> $(Device)   ;
     /proc/mounts                          -> $(Device)   ;
     /proc/dma                             -> $(Device)   ;
     /proc/filesystems                     -> $(Device)   ;
     /proc/pci                             -> $(Device)   ;
     /proc/interrupts                      -> $(Device)   ;
     /proc/rtc                             -> $(Device)   ;
     /proc/ioports                         -> $(Device)   ;
     /proc/scsi                            -> $(Device)   ;
     /proc/kcore                           -> $(Device)   ;
     /proc/self                            -> $(Device)   ;
     /proc/kmsg                            -> $(Device)   ;
     /proc/stat                            -> $(Device)   ;
     /proc/ksyms                           -> $(Device)   ;
     /proc/loadavg                         -> $(Device)   ;
     /proc/uptime                          -> $(Device)   ;
     /proc/locks                           -> $(Device)   ;
     /proc/version                         -> $(Device)   ;
     /proc/mdstat                          -> $(Device)   ;
     /proc/meminfo                         -> $(Device)   ;
     /proc/cmdline                         -> $(Device)   ;
     /proc/misc                            -> $(Device)   ;
}

# Rest of critical system binaries
# /bin and /lib scanned in full (no recurse limit) with $(ReadOnly).
# /lib/modules is overridden to $(Dynamic) by "System boot changes", and the
# setuid programs under /bin get the stricter SEC_SUID from their own rule.
(rulename = "OS executables and libraries", severity = $(SIG_HI))
{
     /bin                                  -> $(ReadOnly)   ;
     /lib                                  -> $(ReadOnly)   ;
}




--
☆ 来源:.BBS 荔园晨风站 bbs.szu.edu.cn.[FROM: bbs@210.39.3.97]

