17.4. Configure the /usr/TSS/policy/twpol.txt file

The /usr/TSS/policy/twpol.txt is the text policy file of Tripwire where you specify what files and directories, to check. Note that extensive testing and experience are necessary when editing this policy file before you get a working file report. The following is a working example from where you can start your own customization.

  1. You must modify the default policy file, or create your own. The policyguide.txt file under /usr/TSS/policy directory can help you. Open the policy file twpol.txt with a text editor, vi /usr/TSS/policy/twpol.txt and change it to fit your needs:
    
           @@section GLOBAL
               TWROOT="/usr";
               TWBIN="/usr/bin";
               TWPOL="/usr/TSS/policy";
               TWDB="/usr/TSS/db";
               TWSKEY="/usr/TSS/key";
               TWLKEY="/usr/TSS/key";
               TWREPORT="/usr/TSS/report";
               HOSTNAME=deep.openna.com;
    
               @@section FS
               SEC_CRIT      	= $(IgnoreNone)-SHa;	# Critical files - we can't afford to miss any changes.
               SEC_SUID      	= $(IgnoreNone)-SHa;	# Binaries with the SUID or SGID flags set.
               SEC_TCB       	= $(ReadOnly);	# Members of the Trusted Computing Base.
               SEC_BIN       	= $(ReadOnly);	# Binaries that shouldn't change
               SEC_CONFIG	= $(Dynamic);	# Config files that are changed infrequently but accessed often.
               SEC_LOG       	= $(Growing);	# Files that grow, but that should never change ownership.
               SEC_INVARIANT = +pug;	# Directories that should never change permission or ownership.
               SIG_LOW       	= 33;	# Non-critical files that are of minimal security impact
               SIG_MED       	= 66;	# Non-critical files that are of significant security impact
               SIG_HI        	= 100;	# Critical files that are significant points of vulnerability
    
    
               # Tripwire Binaries
               (emailto = [email protected], rulename = "Tripwire Binaries", severity = $(SIG_HI))
               {
               $(TWBIN)/siggen   	-> $(ReadOnly);
               $(TWBIN)/tripwire 	-> $(ReadOnly);
               $(TWBIN)/twadmin  	-> $(ReadOnly);
               $(TWBIN)/twprint  	-> $(ReadOnly);
               }
    
               # Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases
               (emailto = [email protected], rulename = "Tripwire Data Files", severity = $(SIG_HI))
               {
               # NOTE: Removing the inode attribute because when Tripwire creates a backup
               # it does so by renaming the old file and creating a new one (which will
               # have a new inode number).  Leaving inode turned on for keys, which shouldn't
               # ever change.
    
               # NOTE: this rule will trigger on the first integrity check after database
               # initialization, and each integrity check afterward until a database update 
               # is run, since the database file will not exist before that point.
               $(TWDB)                           		-> $(Dynamic) -i;
               $(TWPOL)/tw.pol                   		-> $(SEC_BIN) -i;
               $(TWBIN)/tw.cfg                   		-> $(SEC_BIN) -i;
               $(TWLKEY)/$(HOSTNAME)-local.key   -> $(SEC_BIN) ;
               $(TWSKEY)/site.key                		-> $(SEC_BIN) ;
    
               #don't scan the individual reports
               $(TWREPORT)		-> $(Dynamic) (recurse=0);  
               }
    
               # These files are critical to a correct system boot.
               (emailto = [email protected], rulename = "Critical system boot files", severity = 100)
               {
               /boot                                 		-> $(SEC_CRIT)  ;
               !/boot/System.map			;
               !/boot/module-info			;
               }
    
               # These files change the behavior of the root account
               (emailto = [email protected], rulename = "Root config files", severity = 100)
               {
               /root                                 		-> $(SEC_CRIT)   ;
               /root/.bash_history		-> $(SEC_LOG)    ;
               }
    
               # Commonly accessed directories that should remain static with regards to owner and group
               (emailto = [email protected], rulename = "Invariant Directories", severity = $(SIG_MED))
               {
               /       						-> $(SEC_INVARIANT) (recurse = 0);
               /home   						-> $(SEC_INVARIANT) (recurse = 0); 
               /etc    						-> $(SEC_INVARIANT) (recurse = 0);
               /chroot 						-> $(SEC_INVARIANT) (recurse = 0);
               /cache						-> $(SEC_INVARIANT) (recurse = 0);
               }
    
               (emailto = [email protected], rulename = "Shell Binaries")
               {
               /bin/bsh            		-> $(SEC_BIN);
               /bin/csh            		-> $(SEC_BIN);
               /bin/sh             		-> $(SEC_BIN);
               }
    
               # Rest of critical system binaries
               (emailto = [email protected], rulename = "OS executables and libraries", severity = $(SIG_HI))
               {
               /bin                                  		-> $(ReadOnly)   ;
               /lib                                  		-> $(ReadOnly)   ;
               }
    
               # Local files
               (emailto = [email protected], rulename = "User binaries", severity = $(SIG_MED))
               {
               /sbin                       		-> $(SEC_BIN) (recurse = 1);
               /usr/sbin                   		-> $(SEC_BIN) (recurse = 1);
               /usr/bin                    		-> $(SEC_BIN) (recurse = 1);
               }
    
               # Temporary directories
               (emailto = [email protected], rulename = "Temporary directories", recurse = false, severity = $(SIG_LOW))
               {
               /usr/tmp                    		-> $(SEC_INVARIANT);
               /var/tmp                    		-> $(SEC_INVARIANT);
               /tmp                        		-> $(SEC_INVARIANT);
               }
    
               # Libraries
               (emailto = [email protected], rulename = "Libraries", severity = $(SIG_MED))
               {
               /usr/lib 						-> $(SEC_BIN);
               }
    
               # Include
               (emailto = [email protected], rulename = "OS Development Files", severity = $(SIG_MED))
               {
               /usr/include 					-> $(SEC_BIN);
               }
    
               # Shared
               (emailto = [email protected], rulename = "OS Shared Files", severity = $(SIG_MED))
               {
               /usr/share 					-> $(SEC_BIN);
               }
    
               # Kernel headers files
               (emailto = [email protected], rulename = "Kernel Headers Files", severity = $( SIG_HI))
               {
               /usr/src/linux-2.2.14 				-> $(SEC_BIN);
               }
    
               # setuid/setgid root programs
               (emailto = [email protected], rulename = "setuid/setgid", severity = $(SIG_HI))
               {
               /bin/su 						-> $(SEC_SUID);
               /sbin/pwdb_chkpwd 			-> $(SEC_SUID);
               /sbin/dump 					-> $(SEC_SUID);
               /sbin/restore 					-> $(SEC_SUID);
               /usr/bin/at 					-> $(SEC_SUID);
               /usr/bin/passwd 				-> $(SEC_SUID);
               /usr/bin/suidperl 				-> $(SEC_SUID);
               /usr/bin/crontab 				-> $(SEC_SUID);
               /usr/sbin/sendmail 				-> $(SEC_SUID);
               /usr/bin/man 					-> $(SEC_SUID);
               /usr/bin/sperl5.00503 			-> $(SEC_SUID);
               /usr/bin/slocate 				-> $(SEC_SUID);
               /usr/sbin/utempter 				-> $(SEC_SUID);
               /sbin/netreport 				-> $(SEC_SUID);
               }
    
               (emailto = [email protected], rulename = "Configuration Files")
               {
               /etc/hosts                 		-> $(SEC_CONFIG);
               /etc/inetd.conf            		-> $(SEC_CONFIG);
               /etc/initlog.conf		-> $(SEC_CONFIG);
               /etc/inittab               		-> $(SEC_CONFIG);
               /etc/resolv.conf           		-> $(SEC_CONFIG);
               /etc/syslog.conf           		-> $(SEC_CONFIG);
               }
    
               (emailto = [email protected], rulename = "Security Control")
               {
               /etc/group                		-> $(SEC_CRIT);
               /etc/security/            		-> $(SEC_CRIT);
               /lib/security/            		-> $(SEC_CRIT);
               /var/spool/cron           		-> $(SEC_CRIT);
               }
    
               (emailto = [email protected], rulename = "Login Scripts")
               {
               /etc/csh.login                         		-> $(SEC_CONFIG);
               /etc/profile                           		-> $(SEC_CONFIG);
               }
    
               # These files change every time the system boots
               (emailto = [email protected], rulename = "System boot changes", severity = $(SIG_HI))
               {
               /dev/log                              		-> $(Dynamic)   ;
               /dev/cua0                             		-> $(Dynamic)   ;
               /dev/console                          		-> $(Dynamic)   ;
               /dev/tty2                             		-> $(Dynamic)   ; # tty devices
               /dev/tty3                             		-> $(Dynamic)   ; # are extremely
               /dev/tty4                             		-> $(Dynamic)   ; # variable
               /dev/tty5                             		-> $(Dynamic)   ;
               /dev/tty6                             		-> $(Dynamic)   ;
               /dev/urandom                          		-> $(Dynamic)   ;
               /dev/initctl                          		-> $(Dynamic)   ;
               /var/lock/subsys                      		-> $(Dynamic)   ;
               /var/run                              		-> $(Dynamic)   ; # daemon PIDs
               /var/log                              		-> $(Dynamic)   ;
               /etc/ioctl.save                       		-> $(Dynamic)   ;
               /etc/.pwd.lock                        		-> $(Dynamic)   ;
               /etc/mtab                             		-> $(Dynamic)   ;
               /lib/modules                          		-> $(Dynamic)   ;
               }
    
               # Critical configuration files
               (emailto = [email protected], rulename = "Critical configuration files", severity = $(SIG_HI))
               {
               /etc/conf.modules                    	 	-> $(ReadOnly)   ;
               /etc/crontab                          		-> $(ReadOnly)   ;
               /etc/cron.hourly                      		-> $(ReadOnly)   ;
               /etc/cron.daily                       		-> $(ReadOnly)   ;
               /etc/cron.weekly                      		-> $(ReadOnly)   ;
               /etc/cron.monthly                     		-> $(ReadOnly)   ;
               /etc/default                          		-> $(ReadOnly)   ;
               /etc/fstab                            		-> $(ReadOnly)   ;
               /etc/group-         		-> $(ReadOnly) 	  ;  # changes should be infrequent
               /etc/host.conf                        		-> $(ReadOnly)   ;
               /etc/hosts.allow                      		-> $(ReadOnly)   ;
               /etc/hosts.deny                       		-> $(ReadOnly)   ;
               /etc/lilo.conf		-> $(ReadOnly)   ;
               /etc/logrotate.conf		-> $(ReadOnly)   ;
               /etc/pwdb.conf		-> $(ReadOnly)   ;
               /etc/securetty		-> $(ReadOnly)   ;
               /etc/sendmail.cf		-> $(ReadOnly)   ;
               /etc/protocols                        		-> $(ReadOnly)   ;
               /etc/services                         		-> $(ReadOnly)   ;
               /etc/rc.d/init.d                      		-> $(ReadOnly)   ;
               /etc/rc.d                             		-> $(ReadOnly)   ;
               /etc/motd                             		-> $(ReadOnly)   ;
               /etc/passwd                           		-> $(ReadOnly)   ;
               /etc/passwd-                          		-> $(ReadOnly)   ;
               /etc/profile.d                        		-> $(ReadOnly)   ;
               /etc/rpc                              		-> $(ReadOnly)   ;
               /etc/sysconfig                        		-> $(ReadOnly)   ;
               /etc/shells		-> $(ReadOnly)   ;
               /etc/nsswitch.conf                    		-> $(ReadOnly)   ;
               }
    
               # Critical devices
               (emailto = [email protected], rulename = "Critical devices", severity = $(SIG_HI), recurse = false)
               {
               /dev/kmem                             		-> $(Device)   ;
               /dev/mem                              		-> $(Device)   ;
               /dev/null                             		-> $(Device)   ;
               /dev/zero                             		-> $(Device)   ;
               /proc/devices                         		-> $(Device)   ;
               /proc/net                             		-> $(Device)   ;
               /proc/tty		-> $(Device)   ;
               /proc/sys                             		-> $(Device)   ;
               /proc/cpuinfo                         		-> $(Device)   ;
               /proc/modules                         		-> $(Device)   ;
               /proc/mounts                          		-> $(Device)   ;
               /proc/dma                             		-> $(Device)   ;
               /proc/filesystems                     		-> $(Device)   ;
               /proc/ide		-> $(Device)   ;
               /proc/interrupts                      		-> $(Device)   ;
               /proc/ioports                         		-> $(Device)   ;
               /proc/scsi                            		-> $(Device)   ;
               /proc/kcore                           		-> $(Device)   ;
               /proc/self                            		-> $(Device)   ;
               /proc/kmsg                            		-> $(Device)   ;
               /proc/stat                            		-> $(Device)   ;
               /proc/ksyms                           		-> $(Device)   ;
               /proc/loadavg                         		-> $(Device)   ;
               /proc/uptime                          		-> $(Device)   ;
               /proc/locks                           		-> $(Device)   ;
               /proc/version                         		-> $(Device)   ;
               /proc/meminfo                         		-> $(Device)   ;
               /proc/cmdline                         		-> $(Device)   ;
               /proc/misc                            		-> $(Device)   ;
               }
               

    Tip: This is an example policy file we provide you; of course, you must modify this file to fit your system files and specific needs.

  2. Once you are ready to use your policy file for the first time, install it with the following command:
    
           [root@deep] /#twadmin --create-polfile /usr/TSS/policy/twpol.txt
               
    
           Please enter your site passphrase:
               Wrote policy file: /usr/TSS/policy/tw.pol