Gentoo's Bugzilla – Attachment 96211 Details for Bug 34662: twpol.txt in ebuild app-admin/tripwire 2.3.1.2 contains redhat specific references, both in remarks and config
New complete policy file
tripwire.pol.gentoo (text/plain), 77.85 KB, created by Darren Kirby on 2006-09-06 13:34:34 UTC

  ##############################################################################
 #                                                                            ##
############################################################################## #
#                                                                            # #
# Policy file for Gentoo Linux                                               # #
# By Darren Kirby                                                            # #
# <bulliver@badcomputer.org>                                                 # #
# September 5, 2006                                                          # #
#                                                                            ##
##############################################################################


  ##############################################################################
 #                                                                            ##
############################################################################## #
#                                                                            # #
# This is the example Tripwire Policy file. It is intended as a place to     # #
# start creating your own custom Tripwire Policy file. Referring to it as    # #
# well as the Tripwire Policy Guide should give you enough information to    # #
# make a good custom Tripwire Policy file that better covers your            # #
# configuration and security needs. A text version of this policy file is    # #
# called twpol.txt.                                                          # #
#                                                                            # #
# Note that this file is tuned to a 'basic' install of Gentoo Linux.         # #
# If run unmodified, this file should create no errors on database           # #
# creation, or violations on a subsequent integrity check. However, it is    # #
# impossible for there to be one policy file for all machines, so this       # #
# existing one errs on the side of security. Your Linux configuration will   # #
# most likely differ from the one our policy file was tuned to, and will     # #
# therefore require some editing of the default Tripwire Policy file.        # #
#                                                                            # #
# The example policy file is best run with 'Loose Directory Checking'        # #
# enabled. Set LOOSEDIRECTORYCHECKING=TRUE in the Tripwire Configuration     # #
# file.                                                                      # #
#                                                                            # #
# Email support is not included and must be added to this file.              # #
# Add the 'emailto=' to the rule directive section of each rule (add a comma # #
# after the 'severity=' line and add an 'emailto=' and include the email     # #
# addresses you want the violation reports to go to). Addresses are          # #
# semi-colon delimited.                                                      # #
#                                                                            ##
##############################################################################


  ##############################################################################
 #                                                                            ##
############################################################################## #
#                                                                            # #
# Global Variable Definitions                                                # #
#                                                                            # #
# These are defined at install time by the installation script. You may      # #
# Manually edit these if you are using this file directly and not from the   # #
# installation script itself.                                                # #
#                                                                            ##
##############################################################################

@@section GLOBAL
TWROOT=/usr/sbin;
TWBIN=/usr/sbin;
TWPOL="/etc/tripwire";
TWDB="/var/lib/tripwire";
TWSKEY="/etc/tripwire";
TWLKEY="/etc/tripwire";
TWREPORT="/var/lib/tripwire/report";
HOSTNAME=localhost; # change to your real hostname ie: 'echo $HOSTNAME'

# added for gentoo
GCCVERSION="3.4.6"; # change to your gcc version
BINUTILSVERSION="2.16.1"; # change to your binutils version

@@section FS
SEC_CRIT      = $(IgnoreNone)-SHa ;  # Critical files that cannot change
SEC_SUID      = $(IgnoreNone)-SHa ;  # Binaries with the SUID or SGID flags set
SEC_BIN       = $(ReadOnly) ;        # Binaries that should not change
SEC_CONFIG    = $(Dynamic) ;         # Config files that are changed infrequently but accessed often
SEC_LOG       = $(Growing) ;         # Files that grow, but that should never change ownership
SEC_INVARIANT = +tpug ;              # Directories that should never change permission or ownership
SIG_LOW       = 33 ;                 # Non-critical files that are of minimal security impact
SIG_MED       = 66 ;                 # Non-critical files that are of significant security impact
SIG_HI        = 100 ;                # Critical files that are significant points of vulnerability


# Tripwire Binaries
(
  rulename = "Tripwire Binaries",
  severity = $(SIG_HI)
)
{
    $(TWBIN)/siggen -> $(SEC_BIN) ;
    $(TWBIN)/tripwire -> $(SEC_BIN) ;
    $(TWBIN)/twadmin -> $(SEC_BIN) ;
    $(TWBIN)/twprint -> $(SEC_BIN) ;
}

# Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases
(
  rulename = "Tripwire Data Files",
  severity = $(SIG_HI)
)
{
    # NOTE: We remove the inode attribute because when Tripwire creates a backup,
    # it does so by renaming the old file and creating a new one (which will
    # have a new inode number). Inode is left turned on for keys, which shouldn't
    # ever change.

    # NOTE: The first integrity check triggers this rule and each integrity check
    # afterward triggers this rule until a database update is run, since the
    # database file does not exist before that point.

    $(TWDB) -> $(SEC_CONFIG) -i ;
    $(TWPOL)/tw.pol -> $(SEC_BIN) -i ;
    $(TWPOL)/tw.cfg -> $(SEC_BIN) -i ;
    $(TWLKEY)/$(HOSTNAME)-local.key -> $(SEC_BIN) ;
    $(TWSKEY)/site.key -> $(SEC_BIN) ;

    #don't scan the individual reports
    $(TWREPORT) -> $(SEC_CONFIG) (recurse=0) ;
}


# Tripwire HQ Connector Binaries
#(
#  rulename = "Tripwire HQ Connector Binaries",
#  severity = $(SIG_HI)
#)
#{
#   $(TWBIN)/hqagent -> $(SEC_BIN) ;
#}
#
# Tripwire HQ Connector - Configuration Files, Keys, and Logs

  ##############################################################################
 #                                                                            ##
############################################################################## #
#                                                                            # #
# Note: File locations here are different than in a stock HQ Connector       # #
# installation. This is because Tripwire 2.3 uses a different path           # #
# structure than Tripwire 2.2.1.                                             # #
#                                                                            # #
# You may need to update your HQ Agent configuration file (or this policy    # #
# file) to correct the paths. We have attempted to support the FHS standard  # #
# here by placing the HQ Agent files similarly to the way Tripwire 2.3       # #
# places them.                                                               # #
#                                                                            ##
##############################################################################

#(
#  rulename = "Tripwire HQ Connector Data Files",
#  severity = $(SIG_HI)
#)
#{
#  #############################################################################
#  ##############################################################################
#  # NOTE: Removing the inode attribute because when Tripwire creates a backup ##
#  # it does so by renaming the old file and creating a new one (which will    ##
#  # have a new inode number). Leaving inode turned on for keys, which         ##
#  # shouldn't ever change.                                                    ##
#  #############################################################################
#
#   $(TWBIN)/agent.cfg -> $(SEC_BIN) -i ;
#   $(TWLKEY)/authentication.key -> $(SEC_BIN) ;
#   $(TWDB)/tasks.dat -> $(SEC_CONFIG) ;
#   $(TWDB)/schedule.dat -> $(SEC_CONFIG) ;
#
#   # Uncomment if you have agent logging enabled.
#   #/var/log/tripwire/agent.log -> $(SEC_LOG) ;
#}



# Commonly accessed directories that should remain static with regards to owner and group
(
  rulename = "Invariant Directories",
  severity = $(SIG_MED)
)
{
    / -> $(SEC_INVARIANT) (recurse = 0) ;
    /home -> $(SEC_INVARIANT) (recurse = 0) ;
    /etc -> $(SEC_INVARIANT) (recurse = 0) ;
}


#####################################################################
#                                                                   #
# For gentoo, I realized the best way to write this file is to      #
# group binaries/files based on package, rather than by function    #
# as in the Redhat default policy file. This way, the sysadmin      #
# can simply comment out the rules for packages that are not        #
# installed. All packages are delimited by commented text ie:       #
#                                                                   #
# The 'coreutils' binaries                                          #
#                                                                   #
# shows files following that are installed by the coreutils package.#
#                                                                   #
#####################################################################


################################################
#                                              #
# coreutils - diffutils - findutils - procps   #
#                                              #
################################################

(
  rulename = "[core|diff|find]utils and procps binaries",
  severity = $(SIG_HI)
)
{

#
# The 'coreutils' binaries
#

    /bin/chgrp -> $(SEC_CRIT) ;
    /bin/chown -> $(SEC_CRIT) ;
    /bin/chmod -> $(SEC_CRIT) ;
    /bin/cp -> $(SEC_CRIT) ;
    /bin/dd -> $(SEC_CRIT) ;
    /bin/dircolors -> $(SEC_CRIT) ;
    /bin/du -> $(SEC_CRIT) ;
    /bin/install -> $(SEC_CRIT) ;
    /bin/link -> $(SEC_CRIT) ;
    /bin/ln -> $(SEC_CRIT) ;
    /bin/dir -> $(SEC_CRIT) ;
    /bin/vdir -> $(SEC_CRIT) ;
    /bin/ls -> $(SEC_CRIT) ;
    /bin/mkdir -> $(SEC_CRIT) ;
    /bin/mkfifo -> $(SEC_CRIT) ;
    /bin/mknod -> $(SEC_CRIT) ;
    /bin/mv -> $(SEC_CRIT) ;
    /bin/nohup -> $(SEC_CRIT) ;
    /bin/readlink -> $(SEC_CRIT) ;
    /bin/rm -> $(SEC_CRIT) ;
    /bin/rmdir -> $(SEC_CRIT) ;
    /bin/stat -> $(SEC_CRIT) ;
    /bin/sync -> $(SEC_CRIT) ;
    /bin/touch -> $(SEC_CRIT) ;
    /bin/unlink -> $(SEC_CRIT) ;
    /bin/cat -> $(SEC_CRIT) ;
    /bin/cksum -> $(SEC_CRIT) ;
    /bin/comm -> $(SEC_CRIT) ;
    /bin/cut -> $(SEC_CRIT) ;
    /bin/head -> $(SEC_CRIT) ;
    /bin/ptx -> $(SEC_CRIT) ;
    /bin/sort -> $(SEC_CRIT) ;
    /bin/split -> $(SEC_CRIT) ;
    /bin/tr -> $(SEC_CRIT) ;
    /bin/uniq -> $(SEC_CRIT) ;
    /bin/wc -> $(SEC_CRIT) ;
    /bin/basename -> $(SEC_CRIT) ;
    /bin/date -> $(SEC_CRIT) ;
    /bin/dirname -> $(SEC_CRIT) ;
    /bin/echo -> $(SEC_CRIT) ;
    /bin/env -> $(SEC_CRIT) ;
    /bin/expr -> $(SEC_CRIT) ;
    /bin/false -> $(SEC_CRIT) ;
    /bin/id -> $(SEC_CRIT) ;
    /bin/logname -> $(SEC_CRIT) ;
    /bin/printenv -> $(SEC_CRIT) ;
    /bin/pwd -> $(SEC_CRIT) ;
    /bin/seq -> $(SEC_CRIT) ;
    /bin/sleep -> $(SEC_CRIT) ;
    /bin/tee -> $(SEC_CRIT) ;
    /bin/true -> $(SEC_CRIT) ;
    /bin/tty -> $(SEC_CRIT) ;
    /bin/whoami -> $(SEC_CRIT) ;
    /bin/yes -> $(SEC_CRIT) ;
    /bin/uname -> $(SEC_CRIT) ;
    /bin/chroot -> $(SEC_CRIT) ;
    /bin/hostid -> $(SEC_CRIT) ;
    /bin/nice -> $(SEC_CRIT) ;
    /bin/who -> $(SEC_CRIT) ;
    /bin/stty -> $(SEC_CRIT) ;
    /bin/df -> $(SEC_CRIT) ;
    /usr/bin/csplit -> $(SEC_CRIT) ;
    /usr/bin/expand -> $(SEC_CRIT) ;
    /usr/bin/factor -> $(SEC_CRIT) ;
    /usr/bin/fmt -> $(SEC_CRIT) ;
    /usr/bin/fold -> $(SEC_CRIT) ;
    /usr/bin/join -> $(SEC_CRIT) ;
    /usr/bin/md5sum -> $(SEC_CRIT) ;
    /usr/bin/nl -> $(SEC_CRIT) ;
    /usr/bin/od -> $(SEC_CRIT) ;
    /usr/bin/paste -> $(SEC_CRIT) ;
    /usr/bin/pathchk -> $(SEC_CRIT) ;
    /usr/bin/pinky -> $(SEC_CRIT) ;
    /usr/bin/pr -> $(SEC_CRIT) ;
    /usr/bin/printf -> $(SEC_CRIT) ;
    /usr/bin/sha1sum -> $(SEC_CRIT) ;
    /usr/bin/shred -> $(SEC_CRIT) ;
    /usr/bin/sum -> $(SEC_CRIT) ;
    /usr/bin/tac -> $(SEC_CRIT) ;
    /usr/bin/tail -> $(SEC_CRIT) ;
    /usr/bin/test -> $(SEC_CRIT) ;
    /usr/bin/[ -> $(SEC_CRIT) ;
    /usr/bin/tsort -> $(SEC_CRIT) ;
    /usr/bin/unexpand -> $(SEC_CRIT) ;
    /usr/bin/users -> $(SEC_CRIT) ;
    /usr/bin/basename -> $(SEC_CRIT) ;
    /usr/bin/cat -> $(SEC_CRIT) ;
    /usr/bin/chgrp -> $(SEC_CRIT) ;
    /usr/bin/chmod -> $(SEC_CRIT) ;
    /usr/bin/chown -> $(SEC_CRIT) ;
    /usr/bin/chroot -> $(SEC_CRIT) ;
    /usr/bin/cksum -> $(SEC_CRIT) ;
    /usr/bin/comm -> $(SEC_CRIT) ;
    /usr/bin/cp -> $(SEC_CRIT) ;
    /usr/bin/cut -> $(SEC_CRIT) ;
    /usr/bin/date -> $(SEC_CRIT) ;
    /usr/bin/dd -> $(SEC_CRIT) ;
    /usr/bin/df -> $(SEC_CRIT) ;
    /usr/bin/dir -> $(SEC_CRIT) ;
    /usr/bin/dircolors -> $(SEC_CRIT) ;
    /usr/bin/dirname -> $(SEC_CRIT) ;
    /usr/bin/du -> $(SEC_CRIT) ;
    /usr/bin/echo -> $(SEC_CRIT) ;
    /usr/bin/env -> $(SEC_CRIT) ;
    /usr/bin/expr -> $(SEC_CRIT) ;
    /usr/bin/false -> $(SEC_CRIT) ;
    /usr/bin/head -> $(SEC_CRIT) ;
    /usr/bin/hostid -> $(SEC_CRIT) ;
    /usr/bin/id -> $(SEC_CRIT) ;
    /usr/bin/install -> $(SEC_CRIT) ;
    /usr/bin/link -> $(SEC_CRIT) ;
    /usr/bin/ln -> $(SEC_CRIT) ;
    /usr/bin/logname -> $(SEC_CRIT) ;
    /usr/bin/ls -> $(SEC_CRIT) ;
    /usr/bin/mkdir -> $(SEC_CRIT) ;
    /usr/bin/mkfifo -> $(SEC_CRIT) ;
    /usr/bin/mknod -> $(SEC_CRIT) ;
    /usr/bin/mv -> $(SEC_CRIT) ;
    /usr/bin/nice -> $(SEC_CRIT) ;
    /usr/bin/nohup -> $(SEC_CRIT) ;
    /usr/bin/printenv -> $(SEC_CRIT) ;
    /usr/bin/ptx -> $(SEC_CRIT) ;
    /usr/bin/pwd -> $(SEC_CRIT) ;
    /usr/bin/readlink -> $(SEC_CRIT) ;
    /usr/bin/rm -> $(SEC_CRIT) ;
    /usr/bin/rmdir -> $(SEC_CRIT) ;
    /usr/bin/seq -> $(SEC_CRIT) ;
    /usr/bin/sleep -> $(SEC_CRIT) ;
    /usr/bin/sort -> $(SEC_CRIT) ;
    /usr/bin/split -> $(SEC_CRIT) ;
    /usr/bin/stat -> $(SEC_CRIT) ;
    /usr/bin/stty -> $(SEC_CRIT) ;
    /usr/bin/sync -> $(SEC_CRIT) ;
    /usr/bin/tee -> $(SEC_CRIT) ;
    /usr/bin/touch -> $(SEC_CRIT) ;
    /usr/bin/tr -> $(SEC_CRIT) ;
    /usr/bin/true -> $(SEC_CRIT) ;
    /usr/bin/tty -> $(SEC_CRIT) ;
    /usr/bin/uname -> $(SEC_CRIT) ;
    /usr/bin/uniq -> $(SEC_CRIT) ;
    /usr/bin/unlink -> $(SEC_CRIT) ;
    /usr/bin/vdir -> $(SEC_CRIT) ;
    /usr/bin/wc -> $(SEC_CRIT) ;
    /usr/bin/who -> $(SEC_CRIT) ;
    /usr/bin/whoami -> $(SEC_CRIT) ;
    /usr/bin/yes -> $(SEC_CRIT) ;

#
# The diffutils binaries
#

    /usr/bin/cmp -> $(SEC_CRIT) ;
    /usr/bin/diff -> $(SEC_CRIT) ;
    /usr/bin/diff3 -> $(SEC_CRIT) ;
    /usr/bin/sdiff -> $(SEC_CRIT) ;

#
# The findutils binaries
#

    /usr/bin/find -> $(SEC_CRIT) ;
    /usr/bin/oldfind -> $(SEC_CRIT) ;
    /usr/bin/xargs -> $(SEC_CRIT) ;

#
# The procps binaries
#

    /usr/bin/uptime -> $(SEC_CRIT) ;
    /usr/bin/tload -> $(SEC_CRIT) ;
    /usr/bin/free -> $(SEC_CRIT) ;
    /usr/bin/w -> $(SEC_CRIT) ;
    /usr/bin/top -> $(SEC_CRIT) ;
    /usr/bin/vmstat -> $(SEC_CRIT) ;
    /usr/bin/watch -> $(SEC_CRIT) ;
    /usr/bin/skill -> $(SEC_CRIT) ;
    /usr/bin/snice -> $(SEC_CRIT) ;
    /usr/bin/pmap -> $(SEC_CRIT) ;
    /usr/bin/pgrep -> $(SEC_CRIT) ;
    /usr/bin/pkill -> $(SEC_CRIT) ;
    /usr/bin/slabtop -> $(SEC_CRIT) ;
    /usr/bin/pwdx -> $(SEC_CRIT) ;
    /bin/kill -> $(SEC_CRIT) ;
    /bin/ps -> $(SEC_CRIT) ;
    /sbin/sysctl -> $(SEC_CRIT) ;

}

##################################
#                                #
# Compression/Archiving tools    #
#                                #
##################################

(
  rulename = "Compression/Archiving Programs",
  severity = $(SIG_HI)
)
{

#
# The 'tar' binaries
#

    /bin/tar -> $(SEC_CRIT) ;
    /usr/bin/tar -> $(SEC_CRIT) ;
    /usr/sbin/rmt -> $(SEC_CRIT) ;
    /usr/sbin/restore-tar -> $(SEC_CRIT) ;
    /usr/sbin/backup-tar -> $(SEC_CRIT) ;
    /usr/sbin/backup.sh -> $(SEC_CRIT) ;
    /usr/sbin/dump-remind -> $(SEC_CRIT) ;

#
# The 'bzip2' binaries
#

    /bin/bzip2recover -> $(SEC_CRIT) ;
    /bin/bzip2 -> $(SEC_CRIT) ;
    /bin/bunzip2 -> $(SEC_CRIT) ;
    /bin/bzcat -> $(SEC_CRIT) ;
    /bin/bzcmp -> $(SEC_CRIT) ;
    /bin/bzdiff -> $(SEC_CRIT) ;
    /bin/bzless -> $(SEC_CRIT) ;
    /bin/bzmore -> $(SEC_CRIT) ;
    /bin/bzfgrep -> $(SEC_CRIT) ;
    /bin/bzegrep -> $(SEC_CRIT) ;
    /bin/bzgrep -> $(SEC_CRIT) ;

#
# The 'gzip' binaries
#

    /bin/gzip -> $(SEC_CRIT) ;
    /bin/zcat -> $(SEC_CRIT) ;
    /bin/zcmp -> $(SEC_CRIT) ;
    /bin/znew -> $(SEC_CRIT) ;
    /bin/gzcat -> $(SEC_CRIT) ;
    /bin/gzexe -> $(SEC_CRIT) ;
    /bin/zdiff -> $(SEC_CRIT) ;
    /bin/zgrep -> $(SEC_CRIT) ;
    /bin/zless -> $(SEC_CRIT) ;
    /bin/zmore -> $(SEC_CRIT) ;
    /bin/gunzip -> $(SEC_CRIT) ;
    /bin/zegrep -> $(SEC_CRIT) ;
    /bin/zfgrep -> $(SEC_CRIT) ;
    /bin/zforce -> $(SEC_CRIT) ;

#
# The 'zip' and 'unzip' binaries
#

#   /usr/bin/zip -> $(SEC_CRIT) ;
#   /usr/bin/zipnote -> $(SEC_CRIT) ;
#   /usr/bin/zipcloak -> $(SEC_CRIT) ;
#   /usr/bin/zipsplit -> $(SEC_CRIT) ;

#   /usr/bin/unzip -> $(SEC_CRIT) ;
#   /usr/bin/zipgrep -> $(SEC_CRIT) ;
#   /usr/bin/zipinfo -> $(SEC_CRIT) ;
#   /usr/bin/unzipsfx -> $(SEC_CRIT) ;
#   /usr/bin/funzip -> $(SEC_CRIT) ;

}

#######################
#                     #
# Networking Programs #
#                     #
#######################

(
  rulename = "Networking Programs",
  severity = $(SIG_HI)
)
{

#
# The 'net-tools' binaries
#

    /bin/domainname -> $(SEC_CRIT) ;
    /bin/netstat -> $(SEC_CRIT) ;
    /bin/hostname -> $(SEC_CRIT) ;
    /bin/nisdomainname -> $(SEC_CRIT) ;
    /bin/dnsdomainname -> $(SEC_CRIT) ;
    /bin/ypdomainname -> $(SEC_CRIT) ;
    /usr/bin/hostname -> $(SEC_CRIT) ;
    /usr/sbin/ether-wake -> $(SEC_CRIT) ;
    /sbin/arp -> $(SEC_CRIT) ;
    /sbin/rarp -> $(SEC_CRIT) ;
    /sbin/route -> $(SEC_CRIT) ;
    /sbin/iptunnel -> $(SEC_CRIT) ;
    /sbin/plipconfig -> $(SEC_CRIT) ;
    /sbin/mii-tool -> $(SEC_CRIT) ;
    /sbin/slattach -> $(SEC_CRIT) ;
    /sbin/nameif -> $(SEC_CRIT) ;
    /sbin/ifconfig -> $(SEC_CRIT) ;
    /sbin/ipmaddr -> $(SEC_CRIT) ;

#
# The 'iproute2' binaries
#

    /usr/sbin/arpd -> $(SEC_CRIT) ;
    /sbin/ip -> $(SEC_CRIT) ;
    /sbin/tc -> $(SEC_CRIT) ;
    /sbin/ss -> $(SEC_CRIT) ;
    /sbin/rtpr -> $(SEC_CRIT) ;
    /sbin/ifcfg -> $(SEC_CRIT) ;
    /sbin/nstat -> $(SEC_CRIT) ;
    /sbin/rtmon -> $(SEC_CRIT) ;
    /sbin/ctstat -> $(SEC_CRIT) ;
    /sbin/ifstat -> $(SEC_CRIT) ;
    /sbin/lnstat -> $(SEC_CRIT) ;
    /sbin/routef -> $(SEC_CRIT) ;
    /sbin/routel -> $(SEC_CRIT) ;
    /sbin/rtacct -> $(SEC_CRIT) ;
    /sbin/rtstat -> $(SEC_CRIT) ;

#
# The iputils binaries
#

    /bin/ping -> $(SEC_CRIT) ;
    /usr/bin/setkey -> $(SEC_CRIT) ;
    /usr/sbin/ipg -> $(SEC_CRIT) ;
    /usr/sbin/rarpd -> $(SEC_CRIT) ;
    /usr/sbin/rdisc -> $(SEC_CRIT) ;
    /usr/sbin/tftpd -> $(SEC_CRIT) ;
    /usr/sbin/clockdiff -> $(SEC_CRIT) ;
    /usr/sbin/tracepath -> $(SEC_CRIT) ;
    /sbin/arping -> $(SEC_CRIT) ;

#
# The 'iptables' binaries
#

    /sbin/iptables-save -> $(SEC_CRIT) ;
    /sbin/iptables-restore -> $(SEC_CRIT) ;
    /sbin/iptables -> $(SEC_CRIT) ;


}

##################################
#                                #
# Miscellaneous Network Apps     #
#                                #
##################################

(
  rulename = "Miscellaneous Network Programs",
  severity = $(SIG_HI)
)
{

#
# The 'tcpdump' binary
#

    /usr/sbin/tcpdump -> $(SEC_CRIT) ;

#
# The 'tcp-wrappers' binaries
#

    /usr/sbin/tcpd -> $(SEC_CRIT) ;
    /usr/sbin/tcpdmatch -> $(SEC_CRIT) ;
    /usr/sbin/safe_finger -> $(SEC_CRIT) ;
    /usr/sbin/try-from -> $(SEC_CRIT) ;
    /usr/sbin/tcpdchk -> $(SEC_CRIT) ;

#
# The 'rsync' binary/configs
#

    /usr/bin/rsync -> $(SEC_CRIT) ;

    /etc/conf.d/rsyncd -> $(SEC_CRIT) ;
    /etc/init.d/rsyncd -> $(SEC_CRIT) ;
    /etc/rsyncd.conf -> $(SEC_CRIT) ;


#
# The 'distcc' binaries
#

    /usr/bin/distccd -> $(SEC_CRIT) ;
#   /usr/bin/distccmon-gui -> $(SEC_CRIT) ;
    /usr/bin/distcc -> $(SEC_CRIT) ;
    /usr/bin/distccmon-text -> $(SEC_CRIT) ;
    /usr/bin/distcc-config -> $(SEC_CRIT) ;
#   /usr/bin/distccmon-gnome -> $(SEC_CRIT) ;

#
# The 'dhcpcd' binary
#

    /sbin/dhcpcd -> $(SEC_CRIT) ;

#
# The 'bind-tools' binaries
#

    /usr/bin/dig -> $(SEC_CRIT) ;
    /usr/bin/host -> $(SEC_CRIT) ;
    /usr/bin/nslookup -> $(SEC_CRIT) ;
    /usr/bin/nsupdate -> $(SEC_CRIT) ;

#
# The 'telnet-bsd' binaries
#

#   /usr/bin/telnet -> $(SEC_CRIT) ;
#   /usr/sbin/in.telnetd -> $(SEC_CRIT) ;

}

########################################
#                                      #
# Hardware and Arch Programs           #
#                                      #
########################################
(
  rulename = "Hardware and Device Control Programs",
  severity = $(SIG_HI)
)
{

#
# The 'udev' binaries
#

    /usr/bin/udevmonitor -> $(SEC_CRIT) ;
    /usr/bin/udevinfo -> $(SEC_CRIT) ;
    /usr/bin/udevtest -> $(SEC_CRIT) ;
    /sbin/udev -> $(SEC_CRIT) ;
    /sbin/udevd -> $(SEC_CRIT) ;
    /sbin/scsi_id -> $(SEC_CRIT) ;
    /sbin/firmware_helper -> $(SEC_CRIT) ;
    /sbin/ata_id -> $(SEC_CRIT) ;
    /sbin/create_floppy_devices -> $(SEC_CRIT) ;
    /sbin/udevsend -> $(SEC_CRIT) ;
    /sbin/usb_id -> $(SEC_CRIT) ;
    /sbin/vol_id -> $(SEC_CRIT) ;
    /sbin/path_id -> $(SEC_CRIT) ;
    /sbin/udev_run_hotplugd -> $(SEC_CRIT) ;
    /sbin/udevcontrol -> $(SEC_CRIT) ;
    /sbin/udev_run_devd -> $(SEC_CRIT) ;
    /sbin/udevstart -> $(SEC_CRIT) ;
    /sbin/cdrom_id -> $(SEC_CRIT) ;

#
# The pciutils binaries
#

    /usr/sbin/pcimodules -> $(SEC_CRIT) ;
    /usr/sbin/lspci -> $(SEC_CRIT) ;
    /usr/sbin/update-pciids -> $(SEC_CRIT) ;
    /usr/sbin/setpci -> $(SEC_CRIT) ;

#
# The 'util-linux' binaries
#

    /bin/arch -> $(SEC_CRIT) ;
    /bin/more -> $(SEC_CRIT) ;
    /bin/dmesg -> $(SEC_CRIT) ;
    /bin/mount -> $(SEC_CRIT) ;
    /bin/umount -> $(SEC_CRIT) ;
    /usr/bin/pg -> $(SEC_CRIT) ;
    /usr/bin/ul -> $(SEC_CRIT) ;
    /usr/bin/cal -> $(SEC_CRIT) ;
    /usr/bin/col -> $(SEC_CRIT) ;
    /usr/bin/raw -> $(SEC_CRIT) ;
    /usr/bin/rev -> $(SEC_CRIT) ;
    /usr/bin/ipcs -> $(SEC_CRIT) ;
    /usr/bin/line -> $(SEC_CRIT) ;
    /usr/bin/look -> $(SEC_CRIT) ;
    /usr/bin/ddate -> $(SEC_CRIT) ;
    /usr/bin/colrm -> $(SEC_CRIT) ;
    /usr/bin/flock -> $(SEC_CRIT) ;
    /usr/bin/ipcrm -> $(SEC_CRIT) ;
    /usr/bin/namei -> $(SEC_CRIT) ;
    /usr/bin/tailf -> $(SEC_CRIT) ;
    /usr/bin/write -> $(SEC_CRIT) ;
    /usr/bin/setterm -> $(SEC_CRIT) ;
    /usr/bin/mcookie -> $(SEC_CRIT) ;
    /usr/bin/colcrt -> $(SEC_CRIT) ;
    /usr/bin/column -> $(SEC_CRIT) ;
    /usr/bin/cytune -> $(SEC_CRIT) ;
    /usr/bin/getopt -> $(SEC_CRIT) ;
    /usr/bin/fdformat -> $(SEC_CRIT) ;
    /usr/bin/logger -> $(SEC_CRIT) ;
    /usr/bin/chkdupexe -> $(SEC_CRIT) ;
    /usr/bin/rename -> $(SEC_CRIT) ;
    /usr/bin/renice -> $(SEC_CRIT) ;
    /usr/bin/hexdump -> $(SEC_CRIT) ;
    /usr/bin/script -> $(SEC_CRIT) ;
    /usr/bin/setsid -> $(SEC_CRIT) ;
    /usr/bin/setfdprm -> $(SEC_CRIT) ;
    /usr/bin/whereis -> $(SEC_CRIT) ;
    /usr/bin/isosize -> $(SEC_CRIT) ;
    /usr/sbin/rdev -> $(SEC_CRIT) ;
    /usr/sbin/ramsize -> $(SEC_CRIT) ;
    /usr/sbin/delpart -> $(SEC_CRIT) ;
    /usr/sbin/partx -> $(SEC_CRIT) ;
    /usr/sbin/rootflags -> $(SEC_CRIT) ;
    /usr/sbin/addpart -> $(SEC_CRIT) ;
    /usr/sbin/readprofile -> $(SEC_CRIT) ;
    /usr/sbin/tunelp -> $(SEC_CRIT) ;
    /usr/sbin/vidmode -> $(SEC_CRIT) ;
    /sbin/mkfs -> $(SEC_CRIT) ;
    /sbin/fsck.cramfs -> $(SEC_CRIT) ;
    /sbin/fdisk -> $(SEC_CRIT) ;
    /sbin/elvtune -> $(SEC_CRIT) ;
    /sbin/losetup -> $(SEC_CRIT) ;
    /sbin/agetty -> $(SEC_CRIT) ;
    /sbin/cfdisk -> $(SEC_CRIT) ;
    /sbin/blockdev -> $(SEC_CRIT) ;
    /sbin/swapoff -> $(SEC_CRIT) ;
    /sbin/mkswap -> $(SEC_CRIT) ;
    /sbin/ctrlaltdel -> $(SEC_CRIT) ;
    /sbin/pivot_root -> $(SEC_CRIT) ;
    /sbin/sfdisk -> $(SEC_CRIT) ;
    /sbin/swapon -> $(SEC_CRIT) ;
    /sbin/mkfs.cramfs -> $(SEC_CRIT) ;
    /sbin/mkfs.bfs -> $(SEC_CRIT) ;
    /sbin/hwclock -> $(SEC_CRIT) ;
    /sbin/fsck.minix -> $(SEC_CRIT) ;
    /sbin/mkfs.minix -> $(SEC_CRIT) ;

#
# The 'sysvinit' binaries
#

    /bin/pidof -> $(SEC_CRIT) ;
    /usr/bin/last -> $(SEC_CRIT) ;
    /usr/bin/mesg -> $(SEC_CRIT) ;
    /usr/bin/wall -> $(SEC_CRIT) ;
    /usr/bin/utmpdump -> $(SEC_CRIT) ;
    /usr/bin/lastb -> $(SEC_CRIT) ;
    /sbin/halt -> $(SEC_CRIT) ;
    /sbin/init -> $(SEC_CRIT) ;
    /sbin/shutdown -> $(SEC_CRIT) ;
    /sbin/killall5 -> $(SEC_CRIT) ;
    /sbin/telinit -> $(SEC_CRIT) ;
    /sbin/runlevel -> $(SEC_CRIT) ;
    /sbin/sulogin -> $(SEC_CRIT) ;
    /sbin/poweroff -> $(SEC_CRIT) ;
    /sbin/reboot -> $(SEC_CRIT) ;
    /sbin/change_console -> $(SEC_CRIT) ;
    /sbin/bootlogd -> $(SEC_CRIT) ;

#
# The 'psmisc' Binaries
#

    /bin/oldfuser -> $(SEC_CRIT) ;
    /bin/killall -> $(SEC_CRIT) ;
    /bin/fuser -> $(SEC_CRIT) ;
    /bin/pstree.x11 -> $(SEC_CRIT) ;
    /bin/pstree -> $(SEC_CRIT) ;
    /usr/bin/oldfuser -> $(SEC_CRIT) ;
    /usr/bin/killall -> $(SEC_CRIT) ;
    /usr/bin/fuser -> $(SEC_CRIT) ;
    /usr/bin/pstree.x11 -> $(SEC_CRIT) ;
    /usr/bin/pstree -> $(SEC_CRIT) ;

#
# The 'kbd' binaries
#

    /bin/loadkeys -> $(SEC_CRIT) ;
    /bin/setfont -> $(SEC_CRIT) ;
    /usr/bin/dumpkeys -> $(SEC_CRIT) ;
    /usr/bin/showkey -> $(SEC_CRIT) ;
    /usr/bin/showconsolefont -> $(SEC_CRIT) ;
    /usr/bin/setleds -> $(SEC_CRIT) ;
    /usr/bin/setmetamode -> $(SEC_CRIT) ;
    /usr/bin/kbd_mode -> $(SEC_CRIT) ;
    /usr/bin/chvt -> $(SEC_CRIT) ;
    /usr/bin/deallocvt -> $(SEC_CRIT) ;
    /usr/bin/psfxtable -> $(SEC_CRIT) ;
    /usr/bin/kbdrate -> $(SEC_CRIT) ;
    /usr/bin/fgconsole -> $(SEC_CRIT) ;
    /usr/bin/getkeycodes -> $(SEC_CRIT) ;
    /usr/bin/setkeycodes -> $(SEC_CRIT) ;
    /usr/bin/resizecons -> $(SEC_CRIT) ;
    /usr/bin/mapscrn -> $(SEC_CRIT) ;
    /usr/bin/loadunimap -> $(SEC_CRIT) ;
    /usr/bin/openvt -> $(SEC_CRIT) ;
    /usr/bin/setfont -> $(SEC_CRIT) ;
    /usr/bin/psfstriptable -> $(SEC_CRIT) ;
    /usr/bin/psfgettable -> $(SEC_CRIT) ;
    /usr/bin/psfaddtable -> $(SEC_CRIT) ;
    /usr/bin/unicode_stop -> $(SEC_CRIT) ;
    /usr/bin/unicode_start -> $(SEC_CRIT) ;

#
# The 'hdparm' binaries
#

    /sbin/hdparm -> $(SEC_CRIT) ;
    /sbin/idectl -> $(SEC_CRIT) ;

#
# The 'lshw' binaries
#

#   /usr/sbin/lshw -> $(SEC_CRIT) ;
#   /usr/sbin/gtk-lshw -> $(SEC_CRIT) ;

#
# The 'ethtool' binary
#

    /usr/sbin/ethtool -> $(SEC_CRIT) ;

#
# The 'hotplug-base' binary
#

    /sbin/hotplug -> $(SEC_CRIT) ;

#
# The 'module-init-tools' binaries
#

    /bin/lsmod -> $(SEC_CRIT) ;
    /bin/lsmod.old -> $(SEC_CRIT) ;
    /sbin/modprobe.old -> $(SEC_CRIT) ;
    /sbin/ksyms -> $(SEC_CRIT) ;
    /sbin/lsmod -> $(SEC_CRIT) ;
    /sbin/rmmod -> $(SEC_CRIT) ;
    /sbin/insmod.static.old -> $(SEC_CRIT) ;
    /sbin/kallsyms -> $(SEC_CRIT) ;
    /sbin/kallsyms.static -> $(SEC_CRIT) ;
    /sbin/modprobe -> $(SEC_CRIT) ;
    /sbin/depmod.old -> $(SEC_CRIT) ;
    /sbin/genksyms -> $(SEC_CRIT) ;
    /sbin/insmod.static -> $(SEC_CRIT) ;
    /sbin/depmod -> $(SEC_CRIT) ;
    /sbin/modinfo -> $(SEC_CRIT) ;
    /sbin/insmod_ksymoops_clean -> $(SEC_CRIT) ;
    /sbin/insmod.old -> $(SEC_CRIT) ;
    /sbin/rmmod.static -> $(SEC_CRIT) ;
    /sbin/insmod -> $(SEC_CRIT) ;
    /sbin/ksyms.static -> $(SEC_CRIT) ;
    /sbin/generate-modprobe.conf -> $(SEC_CRIT) ;
    /sbin/rmmod.old -> $(SEC_CRIT) ;
    /sbin/lsmod.static -> $(SEC_CRIT) ;
    /sbin/lsmod.old -> $(SEC_CRIT) ;
    /sbin/kernelversion -> $(SEC_CRIT) ;
    /sbin/modinfo.old -> $(SEC_CRIT) ;
    /sbin/modprobe.static -> $(SEC_CRIT) ;

}

###############################
#                             #
# Filesystem Programs         #
#                             #
###############################
(
  rulename = "Filesystem Programs",
  severity = $(SIG_HI)
)
{

#
# The 'e2fsprogs' binaries
#

    /bin/chattr -> $(SEC_CRIT) ;
    /bin/lsattr -> $(SEC_CRIT) ;
    /bin/uuidgen -> $(SEC_CRIT) ;
    /usr/sbin/mklost+found -> $(SEC_CRIT) ;
    /sbin/fsck -> $(SEC_CRIT) ;
    /sbin/debugfs -> $(SEC_CRIT) ;
    /sbin/blkid -> $(SEC_CRIT) ;
    /sbin/logsave -> $(SEC_CRIT) ;
    /sbin/filefrag -> $(SEC_CRIT) ;
    /sbin/e2fsck -> $(SEC_CRIT) ;
    /sbin/mkfs.ext2 -> $(SEC_CRIT) ;
    /sbin/mkfs.ext3 -> $(SEC_CRIT) ;
    /sbin/findfs -> $(SEC_CRIT) ;
    /sbin/e2image -> $(SEC_CRIT) ;
    /sbin/e2label -> $(SEC_CRIT) ;
    /sbin/mke2fs -> $(SEC_CRIT) ;
    /sbin/tune2fs -> $(SEC_CRIT) ;
    /sbin/resize2fs -> $(SEC_CRIT) ;
    /sbin/badblocks -> $(SEC_CRIT) ;
    /sbin/fsck.ext2 -> $(SEC_CRIT) ;
    /sbin/fsck.ext3 -> $(SEC_CRIT) ;
    /sbin/dumpe2fs -> $(SEC_CRIT) ;

#
# The 'reiserfs' binaries
#

    /sbin/mkfs.reiserfs -> $(SEC_CRIT) ;
    /sbin/reiserfstune -> $(SEC_CRIT) ;
    /sbin/reiserfsck -> $(SEC_CRIT) ;
    /sbin/fsck.reiserfs -> $(SEC_CRIT) ;
    /sbin/debugreiserfs -> $(SEC_CRIT) ;
    /sbin/resize_reiserfs -> $(SEC_CRIT) ;
    /sbin/mkreiserfs -> $(SEC_CRIT) ;

#
# The 'xfs' binaries
#

# Not sure -- don't use (dk)

#
# The 'jfs' binaries
#

# Not sure -- don't use (dk)

#
# The 'pax-utils' binaries
#

    /usr/bin/pspax -> $(SEC_CRIT) ;
    /usr/bin/scanelf -> $(SEC_CRIT) ;
    /usr/bin/dumpelf -> $(SEC_CRIT) ;

#
# The sysfsutils binaries
#

    /usr/bin/get_bus_devices_list -> $(SEC_CRIT) ;
    /usr/bin/write_attr -> $(SEC_CRIT) ;
    /usr/bin/get_device -> $(SEC_CRIT) ;
    /usr/bin/get_driver -> $(SEC_CRIT) ;
    /usr/bin/get_class_dev -> $(SEC_CRIT) ;
    /usr/bin/systool -> $(SEC_CRIT) ;
    /usr/bin/testlibsysfs -> $(SEC_CRIT) ;
    /usr/bin/get_classdev_parent -> $(SEC_CRIT) ;

}

####################################
#                                  #
# Other assorted file programs     #
#                                  #
####################################

(
  rulename = "Miscellaneous file Programs",
  severity = $(SIG_HI)
)
{

#
# The 'gawk' binaries
#

    /usr/bin/awk -> $(SEC_CRIT) ;
    /usr/bin/gawk -> $(SEC_CRIT) ;
    /usr/bin/igawk -> $(SEC_CRIT) ;
    /usr/bin/pgawk -> $(SEC_CRIT) ;
    /bin/awk -> $(SEC_CRIT) ;
    /bin/igawk -> $(SEC_CRIT) ;
    /bin/pgawk -> $(SEC_CRIT) ;
    /bin/gawk -> $(SEC_CRIT) ;

#
# The 'grep' binaries
#

    /bin/grep -> $(SEC_CRIT) ;
    /bin/egrep -> $(SEC_CRIT) ;
    /bin/fgrep -> $(SEC_CRIT) ;

#
# The 'patch' binary
#

    /usr/bin/patch -> $(SEC_CRIT) ;

#
# The 'cpio' binary
#

    /bin/cpio -> $(SEC_CRIT) ;

#
# The 'file' binary
#

    /usr/bin/file -> $(SEC_CRIT) ;

#
# The 'lsof' binary
#

    /usr/sbin/lsof -> $(SEC_CRIT) ;

#
# The 'gettext' binaries
#

    /usr/bin/msgen -> $(SEC_CRIT) ;
    /usr/bin/msgattrib -> $(SEC_CRIT) ;
    /usr/bin/msgfilter -> $(SEC_CRIT) ;
    /usr/bin/gettext.sh -> $(SEC_CRIT) ;
    /usr/bin/gettextize -> $(SEC_CRIT) ;
    /usr/bin/gettext -> $(SEC_CRIT) ;
    /usr/bin/msgcomm -> $(SEC_CRIT) ;
    /usr/bin/msgconv -> $(SEC_CRIT) ;
    /usr/bin/msgexec -> $(SEC_CRIT) ;
    /usr/bin/msggrep -> $(SEC_CRIT) ;
    /usr/bin/msginit -> $(SEC_CRIT) ;
    /usr/bin/msguniq -> $(SEC_CRIT) ;
    /usr/bin/msgcat -> $(SEC_CRIT) ;
    /usr/bin/msgcmp -> $(SEC_CRIT) ;
    /usr/bin/msgfmt -> $(SEC_CRIT) ;
    /usr/bin/gmsgfmt -> $(SEC_CRIT) ;
    /usr/bin/envsubst -> $(SEC_CRIT) ;
    /usr/bin/autopoint -> $(SEC_CRIT) ;
    /usr/bin/ngettext -> $(SEC_CRIT) ;
    /usr/bin/xgettext -> $(SEC_CRIT) ;
    /usr/bin/msgmerge -> $(SEC_CRIT) ;
    /usr/bin/msgunfmt -> $(SEC_CRIT) ;

#
# The 'groff' binaries
#

    /usr/bin/eqn -> $(SEC_CRIT) ;
    /usr/bin/grn -> $(SEC_CRIT) ;
    /usr/bin/pic -> $(SEC_CRIT) ;
    /usr/bin/tbl -> $(SEC_CRIT) ;
    /usr/bin/geqn -> $(SEC_CRIT) ;
    /usr/bin/grog -> $(SEC_CRIT) ;
    /usr/bin/gtbl -> $(SEC_CRIT) ;
    /usr/bin/neqn -> $(SEC_CRIT) ;
    /usr/bin/addftinfo -> $(SEC_CRIT) ;
    /usr/bin/groff -> $(SEC_CRIT) ;
    /usr/bin/grops -> $(SEC_CRIT) ;
    /usr/bin/lkbib -> $(SEC_CRIT) ;
    /usr/bin/nroff -> $(SEC_CRIT) ;
    /usr/bin/refer -> $(SEC_CRIT) ;
    /usr/bin/troff -> $(SEC_CRIT) ;
    /usr/bin/grap2graph -> $(SEC_CRIT) ;
    /usr/bin/pre-grohtml -> $(SEC_CRIT) ;
    /usr/bin/post-grohtml -> $(SEC_CRIT) ;
    /usr/bin/lookbib -> $(SEC_CRIT) ;
    /usr/bin/tfmtodit -> $(SEC_CRIT) ;
    /usr/bin/zsoelim -> $(SEC_CRIT) ;
    /usr/bin/grodvi -> $(SEC_CRIT) ;
    /usr/bin/grolbp -> $(SEC_CRIT) ;
    /usr/bin/grolj4 -> $(SEC_CRIT) ;
    /usr/bin/grotty -> $(SEC_CRIT) ;
    /usr/bin/hpftodit -> $(SEC_CRIT) ;
    /usr/bin/gxditview -> $(SEC_CRIT) ;
    /usr/bin/mmroff -> $(SEC_CRIT) ;
    /usr/bin/groffer -> $(SEC_CRIT) ;
    /usr/bin/soelim -> $(SEC_CRIT) ;
    /usr/bin/pfbtops -> $(SEC_CRIT) ;
    /usr/bin/pic2graph -> $(SEC_CRIT) ;
    /usr/bin/indxbib -> $(SEC_CRIT) ;
    /usr/bin/eqn2graph -> $(SEC_CRIT) ;
    /usr/bin/afmtodit -> $(SEC_CRIT) ;

#
# The 'less' binaries
#

    /usr/bin/less -> $(SEC_CRIT) ;
    /usr/bin/lesskey -> $(SEC_CRIT) ;
    /usr/bin/lessecho -> $(SEC_CRIT) ;
    /usr/bin/code2color -> $(SEC_CRIT) ;
    /usr/bin/lesspipe.sh -> $(SEC_CRIT) ;

#
# The 'man' binaries
#

    /usr/bin/man -> $(SEC_CRIT) ;
    /usr/bin/man2dvi -> $(SEC_CRIT) ;
    /usr/bin/manpath -> $(SEC_CRIT) ;
    /usr/bin/man2html -> $(SEC_CRIT) ;
    /usr/bin/whatis -> $(SEC_CRIT) ;
    /usr/bin/apropos -> $(SEC_CRIT) ;
    /usr/sbin/makewhatis -> $(SEC_CRIT) ;

#
# The 'ncurses' binaries
#

    /usr/bin/tic -> $(SEC_CRIT) ;
    /usr/bin/toe -> $(SEC_CRIT) ;
    /usr/bin/infotocap -> $(SEC_CRIT) ;
    /usr/bin/tack -> $(SEC_CRIT) ;
    /usr/bin/tput -> $(SEC_CRIT) ;
    /usr/bin/tset -> $(SEC_CRIT) ;
    /usr/bin/clear -> $(SEC_CRIT) ;
    /usr/bin/reset -> $(SEC_CRIT) ;
    /usr/bin/captoinfo -> $(SEC_CRIT) ;
    /usr/bin/infocmp -> $(SEC_CRIT) ;

#
# The 'sed' binary
#

    /bin/sed -> $(SEC_CRIT) ;

#
# The 'slocate' binaries
#

    /usr/bin/slocate -> $(SEC_CRIT) ;
    /usr/bin/updatedb -> $(SEC_CRIT) ;
    /usr/bin/locate -> $(SEC_CRIT) ;

#
# The patchutils binaries
#

    /usr/bin/editdiff -> $(SEC_CRIT) ;
    /usr/bin/recountdiff -> $(SEC_CRIT) ;
    /usr/bin/grepdiff -> $(SEC_CRIT) ;
    /usr/bin/espdiff -> $(SEC_CRIT) ;
    /usr/bin/dehtmldiff -> $(SEC_CRIT) ;
    /usr/bin/unwrapdiff -> $(SEC_CRIT) ;
    /usr/bin/filterdiff -> $(SEC_CRIT) ;
    /usr/bin/lsdiff -> $(SEC_CRIT) ;
    /usr/bin/fixcvsdiff -> $(SEC_CRIT) ;
    /usr/bin/rediff -> $(SEC_CRIT) ;
    /usr/bin/flipdiff -> $(SEC_CRIT) ;
    /usr/bin/combinediff -> $(SEC_CRIT) ;
    /usr/bin/splitdiff -> $(SEC_CRIT) ;
    /usr/bin/interdiff -> $(SEC_CRIT) ;

#
# The debianutils binaries
#

    /bin/tempfile -> $(SEC_CRIT) ;
    /bin/mktemp -> $(SEC_CRIT) ;
    /bin/run-parts -> $(SEC_CRIT) ;
    /usr/sbin/savelog -> $(SEC_CRIT) ;
    /usr/sbin/mkboot -> $(SEC_CRIT) ;
    /sbin/installkernel -> $(SEC_CRIT) ;

}
################################
#                              #
# Toolchain                    #
#                              #
################################

(
  rulename = "Toolchain Programs",
  severity = $(SIG_HI)
)
{

#
# The 'gcc' binaries
#

#GCCVERSION="3.4.6"
    /usr/i686-pc-linux-gnu/gcc-bin/$(GCCVERSION)/gcov -> $(SEC_CRIT) ;
    /usr/i686-pc-linux-gnu/gcc-bin/$(GCCVERSION)/gccbug -> $(SEC_CRIT) ;
    /usr/i686-pc-linux-gnu/gcc-bin/$(GCCVERSION)/i686-pc-linux-gnu-c++ -> $(SEC_CRIT) ;
    /usr/i686-pc-linux-gnu/gcc-bin/$(GCCVERSION)/i686-pc-linux-gnu-g++ -> $(SEC_CRIT) ;
#   /usr/i686-pc-linux-gnu/gcc-bin/$(GCCVERSION)/i686-pc-linux-gnu-g77 -> $(SEC_CRIT) ; # fortran compiler?
    /usr/i686-pc-linux-gnu/gcc-bin/$(GCCVERSION)/i686-pc-linux-gnu-cpp -> $(SEC_CRIT) ;
    /usr/i686-pc-linux-gnu/gcc-bin/$(GCCVERSION)/i686-pc-linux-gnu-gcc -> $(SEC_CRIT) ;
    /sbin/fix_libtool_files.sh -> $(SEC_CRIT) ;
    /usr/bin/i686-pc-linux-gnu-cpp-$(GCCVERSION) -> $(SEC_CRIT) ;
    /usr/bin/i686-pc-linux-gnu-c++-$(GCCVERSION) -> $(SEC_CRIT) ;
    /usr/bin/cpp-$(GCCVERSION) -> $(SEC_CRIT) ;
    /usr/bin/i686-pc-linux-gnu-g++-$(GCCVERSION) -> $(SEC_CRIT) ;
    /usr/bin/i686-pc-linux-gnu-gcc-$(GCCVERSION) -> $(SEC_CRIT) ;
#   /usr/bin/i686-pc-linux-gnu-g77-$(GCCVERSION) -> $(SEC_CRIT) ; # fortran...
    /usr/bin/c++-$(GCCVERSION) -> $(SEC_CRIT) ;
    /usr/bin/g++-$(GCCVERSION) -> $(SEC_CRIT) ;
    /usr/bin/gcc-$(GCCVERSION) -> $(SEC_CRIT) ;
#   /usr/bin/g77-$(GCCVERSION) -> $(SEC_CRIT) ; # fortran...
> /usr/i686-pc-linux-gnu/gcc-bin/$(GCCVERSION)/c++ -> $(SEC_CRIT) ; > /usr/i686-pc-linux-gnu/gcc-bin/$(GCCVERSION)/g++ -> $(SEC_CRIT) ; ># /usr/i686-pc-linux-gnu/gcc-bin/$(GCCVERSION)/g77 -> $(SEC_CRIT) ; # fortran... > /usr/i686-pc-linux-gnu/gcc-bin/$(GCCVERSION)/cpp -> $(SEC_CRIT) ; > /usr/i686-pc-linux-gnu/gcc-bin/$(GCCVERSION)/gcc -> $(SEC_CRIT) ; > /usr/i686-pc-linux-gnu/gcc-bin/$(GCCVERSION)/i686-pc-linux-gnu-gcc-$(GCCVERSION) -> $(SEC_CRIT) ; > ># ># The 'binutils' binaries ># > >#BINUTILSVERSION="2.16.1" > /usr/i686-pc-linux-gnu/binutils-bin/$(BINUTILSVERSION)/ar -> $(SEC_CRIT) ; > /usr/i686-pc-linux-gnu/binutils-bin/$(BINUTILSVERSION)/as -> $(SEC_CRIT) ; > /usr/i686-pc-linux-gnu/binutils-bin/$(BINUTILSVERSION)/ld -> $(SEC_CRIT) ; > /usr/i686-pc-linux-gnu/binutils-bin/$(BINUTILSVERSION)/nm -> $(SEC_CRIT) ; > /usr/i686-pc-linux-gnu/binutils-bin/$(BINUTILSVERSION)/size -> $(SEC_CRIT) ; > /usr/i686-pc-linux-gnu/binutils-bin/$(BINUTILSVERSION)/c++filt -> $(SEC_CRIT) ; > /usr/i686-pc-linux-gnu/binutils-bin/$(BINUTILSVERSION)/readelf -> $(SEC_CRIT) ; > /usr/i686-pc-linux-gnu/binutils-bin/$(BINUTILSVERSION)/gprof -> $(SEC_CRIT) ; > /usr/i686-pc-linux-gnu/binutils-bin/$(BINUTILSVERSION)/strip -> $(SEC_CRIT) ; > /usr/i686-pc-linux-gnu/binutils-bin/$(BINUTILSVERSION)/addr2line -> $(SEC_CRIT) ; > /usr/i686-pc-linux-gnu/binutils-bin/$(BINUTILSVERSION)/strings -> $(SEC_CRIT) ; > /usr/i686-pc-linux-gnu/binutils-bin/$(BINUTILSVERSION)/objcopy -> $(SEC_CRIT) ; > /usr/i686-pc-linux-gnu/binutils-bin/$(BINUTILSVERSION)/objdump -> $(SEC_CRIT) ; > /usr/i686-pc-linux-gnu/binutils-bin/$(BINUTILSVERSION)/ranlib -> $(SEC_CRIT) ; > ># ># The 'glibc' binaries ># > > /usr/bin/ldd -> $(SEC_CRIT) ; > /usr/bin/lddlibc4 -> $(SEC_CRIT) ; > /usr/bin/iconv -> $(SEC_CRIT) ; > /usr/bin/sprof -> $(SEC_CRIT) ; > /usr/bin/getconf -> $(SEC_CRIT) ; > /usr/bin/gencat -> $(SEC_CRIT) ; > /usr/bin/getent -> $(SEC_CRIT) ; > /usr/bin/locale -> $(SEC_CRIT) ; > /usr/bin/mtrace -> $(SEC_CRIT) ; > 
/usr/bin/pcprofiledump -> $(SEC_CRIT) ; > /usr/bin/rpcgen -> $(SEC_CRIT) ; > /usr/bin/localedef -> $(SEC_CRIT) ; > /usr/bin/catchsegv -> $(SEC_CRIT) ; > /usr/bin/xtrace -> $(SEC_CRIT) ; > /usr/sbin/nscd -> $(SEC_CRIT) ; > /usr/sbin/nscd_nischeck -> $(SEC_CRIT) ; > /usr/sbin/rpcinfo -> $(SEC_CRIT) ; > /usr/sbin/iconvconfig -> $(SEC_CRIT) ; > /usr/sbin/locale-gen -> $(SEC_CRIT) ; > /sbin/sln -> $(SEC_CRIT) ; > /sbin/ldconfig -> $(SEC_CRIT) ; > > > ># ># The 'make' binaries ># > > /usr/bin/gmake -> $(SEC_CRIT) ; > /usr/bin/make -> $(SEC_CRIT) ; > ># ># The 'autoconf' binaries ># > ># too many versions - edit manually ;) > > /usr/bin/autoupdate-2.59 -> $(SEC_CRIT) ; > /usr/bin/autoscan-2.59 -> $(SEC_CRIT) ; > /usr/bin/ifnames-2.59 -> $(SEC_CRIT) ; > /usr/bin/autoreconf-2.59 -> $(SEC_CRIT) ; > /usr/bin/autoheader-2.59 -> $(SEC_CRIT) ; > /usr/bin/autoconf-2.59 -> $(SEC_CRIT) ; > /usr/bin/autom4te-2.59 -> $(SEC_CRIT) ; > /usr/bin/ifnames-2.13 -> $(SEC_CRIT) ; > /usr/bin/autoheader-2.13 -> $(SEC_CRIT) ; > /usr/bin/autoreconf-2.13 -> $(SEC_CRIT) ; > /usr/bin/autoconf-2.13 -> $(SEC_CRIT) ; > /usr/bin/autoupdate-2.13 -> $(SEC_CRIT) ; > /usr/bin/autoscan-2.13 -> $(SEC_CRIT) ; > ># ># The 'automake' binaries ># > ># too many versions - edit manually ;) > > /usr/bin/automake-1.7 -> $(SEC_CRIT) ; > /usr/bin/aclocal-1.7 -> $(SEC_CRIT) ; > /usr/bin/automake-1.8 -> $(SEC_CRIT) ; > /usr/bin/aclocal-1.8 -> $(SEC_CRIT) ; > /usr/bin/automake-1.9 -> $(SEC_CRIT) ; > /usr/bin/aclocal-1.9 -> $(SEC_CRIT) ; > /usr/bin/automake-1.5 -> $(SEC_CRIT) ; > /usr/bin/aclocal-1.5 -> $(SEC_CRIT) ; > /usr/bin/automake-1.4 -> $(SEC_CRIT) ; > /usr/bin/aclocal-1.4 -> $(SEC_CRIT) ; > /usr/bin/automake-1.6 -> $(SEC_CRIT) ; > /usr/bin/aclocal-1.6 -> $(SEC_CRIT) ; > >} > > > >################################ ># # ># Security Related Programs # ># # >################################ > >( > rulename = "Security Related Programs", > severity = $(SIG_HI) >) > >{ > ># ># The 'shadow' binaries/configs ># > > /bin/su 
-> $(SEC_CRIT) ; > /bin/login -> $(SEC_CRIT) ; > /bin/groups -> $(SEC_CRIT) ; > /bin/passwd -> $(SEC_CRIT) ; > /usr/bin/sg -> $(SEC_CRIT) ; > /usr/bin/chfn -> $(SEC_CRIT) ; > /usr/bin/chsh -> $(SEC_CRIT) ; > /usr/bin/chage -> $(SEC_CRIT) ; > /usr/bin/lastlog -> $(SEC_CRIT) ; > /usr/bin/faillog -> $(SEC_CRIT) ; > /usr/bin/expiry -> $(SEC_CRIT) ; > /usr/bin/newgrp -> $(SEC_CRIT) ; > /usr/bin/passwd -> $(SEC_CRIT) ; > /usr/bin/gpasswd -> $(SEC_CRIT) ; > /usr/sbin/pwck -> $(SEC_CRIT) ; > /usr/sbin/vigr -> $(SEC_CRIT) ; > /usr/sbin/vipw -> $(SEC_CRIT) ; > /usr/sbin/grpck -> $(SEC_CRIT) ; > /usr/sbin/chgpasswd -> $(SEC_CRIT) ; > /usr/sbin/groupadd -> $(SEC_CRIT) ; > /usr/sbin/groupdel -> $(SEC_CRIT) ; > /usr/sbin/groupmod -> $(SEC_CRIT) ; > /usr/sbin/logoutd -> $(SEC_CRIT) ; > /usr/sbin/chpasswd -> $(SEC_CRIT) ; > /usr/sbin/adduser -> $(SEC_CRIT) ; > /usr/sbin/pwunconv -> $(SEC_CRIT) ; > /usr/sbin/nologin -> $(SEC_CRIT) ; > /usr/sbin/pwconv -> $(SEC_CRIT) ; > /usr/sbin/grpconv -> $(SEC_CRIT) ; > /usr/sbin/useradd -> $(SEC_CRIT) ; > /usr/sbin/userdel -> $(SEC_CRIT) ; > /usr/sbin/usermod -> $(SEC_CRIT) ; > /usr/sbin/newusers -> $(SEC_CRIT) ; > /usr/sbin/grpunconv -> $(SEC_CRIT) ; > > /etc/default/useradd -> $(SEC_CRIT) ; > /etc/securetty -> $(SEC_CRIT) ; > /etc/pam.d/su -> $(SEC_CRIT) ; > /etc/pam.d/chfn -> $(SEC_CRIT) ; > /etc/pam.d/chsh -> $(SEC_CRIT) ; > /etc/pam.d/chage -> $(SEC_CRIT) ; > /etc/pam.d/login -> $(SEC_CRIT) ; > /etc/pam.d/groupadd -> $(SEC_CRIT) ; > /etc/pam.d/groupdel -> $(SEC_CRIT) ; > /etc/pam.d/groupmod -> $(SEC_CRIT) ; > /etc/pam.d/chpasswd -> $(SEC_CRIT) ; > /etc/pam.d/passwd -> $(SEC_CRIT) ; > /etc/pam.d/shadow -> $(SEC_CRIT) ; > /etc/pam.d/useradd -> $(SEC_CRIT) ; > /etc/pam.d/userdel -> $(SEC_CRIT) ; > /etc/pam.d/usermod -> $(SEC_CRIT) ; > /etc/pam.d/newusers -> $(SEC_CRIT) ; > > ># ># The 'pam' binaries/configs ># > > /usr/sbin/pam_tally -> $(SEC_CRIT) ; > /usr/sbin/unix_chkpwd -> $(SEC_CRIT) ; > > /etc/pam.d/system-auth -> $(SEC_CRIT) ; > 
/etc/pam.d/other -> $(SEC_CRIT) ; > /etc/security/pam_env.conf -> $(SEC_CRIT) ; > /etc/security/time.conf -> $(SEC_CRIT) ; > /etc/security/limits.conf -> $(SEC_CRIT) ; > /etc/security/group.conf -> $(SEC_CRIT) ; > /etc/security/access.conf -> $(SEC_CRIT) ; > > ># ># The 'openssl' binaries ># > > /usr/bin/c_rehash -> $(SEC_CRIT) ; > /usr/bin/fipsld -> $(SEC_CRIT) ; > /usr/bin/openssl -> $(SEC_CRIT) ; > ># ># The 'openssh' binaries/configs ># > > /usr/bin/scp -> $(SEC_CRIT) ; > /usr/bin/ssh -> $(SEC_CRIT) ; > /usr/bin/sftp -> $(SEC_CRIT) ; > /usr/bin/ssh-agent -> $(SEC_CRIT) ; > /usr/bin/ssh-add -> $(SEC_CRIT) ; > /usr/bin/slogin -> $(SEC_CRIT) ; > /usr/bin/ssh-copy-id -> $(SEC_CRIT) ; > /usr/bin/ssh-keyscan -> $(SEC_CRIT) ; > /usr/bin/ssh-keygen -> $(SEC_CRIT) ; > /usr/sbin/sshd -> $(SEC_CRIT) ; > > /etc/ssh/ssh_config -> $(SEC_CRIT) ; > /etc/ssh/sshd_config -> $(SEC_CRIT) ; > /etc/ssh/moduli -> $(SEC_CRIT) ; > /etc/pam.d/sshd -> $(SEC_CRIT) ; > /etc/conf.d/sshd -> $(SEC_CRIT) ; > /etc/init.d/sshd -> $(SEC_CRIT) ; > > ># ># The 'gnupg' binaries ># > > /usr/bin/gpg -> $(SEC_CRIT) ; > /usr/bin/gpgv -> $(SEC_CRIT) ; > /usr/bin/gpg-zip -> $(SEC_CRIT) ; > /usr/bin/gpgsplit -> $(SEC_CRIT) ; > /usr/bin/kbxutil -> $(SEC_CRIT) ; > /usr/bin/symcryptrun -> $(SEC_CRIT) ; > /usr/bin/gpgsm -> $(SEC_CRIT) ; > /usr/bin/gpgparsemail -> $(SEC_CRIT) ; > /usr/bin/gpg-agent -> $(SEC_CRIT) ; > /usr/bin/gpgsm-gencert.sh -> $(SEC_CRIT) ; > /usr/bin/gpg-connect-agent -> $(SEC_CRIT) ; > /usr/bin/gpgkey2ssh -> $(SEC_CRIT) ; > /usr/bin/gpgconf -> $(SEC_CRIT) ; > /usr/bin/watchgnupg -> $(SEC_CRIT) ; > /usr/sbin/addgnupghome -> $(SEC_CRIT) ; > >} > >############################## ># # ># Shells/Scripting Languages # ># # >############################## >( > rulename = "Shell binaries", > severity = $(SIG_HI) >) >{ > ># ># The bash binaries ># > > /bin/sh -> $(SEC_CRIT) ; > /bin/bash -> $(SEC_CRIT) ; > /bin/rbash -> $(SEC_CRIT) ; > /usr/bin/bashbug -> $(SEC_CRIT) ; > ># ># The 'zsh' binaries ># > 
> /bin/zsh -> $(SEC_CRIT) ; > ># ># The 'sash' binary ># > > /bin/sash -> $(SEC_CRIT) ; > ># ># The 'busybox' binary ># > > /bin/bb -> $(SEC_CRIT) ; > /bin/busybox -> $(SEC_CRIT) ; > ># ># The 'perl' binaries ># > > /usr/bin/a2p -> $(SEC_CRIT) ; > /usr/bin/s2p -> $(SEC_CRIT) ; > /usr/bin/pstruct -> $(SEC_CRIT) ; > /usr/bin/c2ph -> $(SEC_CRIT) ; > /usr/bin/h2ph -> $(SEC_CRIT) ; > /usr/bin/h2xs -> $(SEC_CRIT) ; > /usr/bin/cpan -> $(SEC_CRIT) ; > /usr/bin/psed -> $(SEC_CRIT) ; > /usr/bin/libnetcfg -> $(SEC_CRIT) ; > /usr/bin/pod2html -> $(SEC_CRIT) ; > /usr/bin/pod2text -> $(SEC_CRIT) ; > /usr/bin/pl2pm -> $(SEC_CRIT) ; > /usr/bin/dprofpp -> $(SEC_CRIT) ; > /usr/bin/find2perl -> $(SEC_CRIT) ; > /usr/bin/perl5.8.8 -> $(SEC_CRIT) ; > /usr/bin/enc2xs -> $(SEC_CRIT) ; > /usr/bin/pod2latex -> $(SEC_CRIT) ; > /usr/bin/perlcc -> $(SEC_CRIT) ; > /usr/bin/piconv -> $(SEC_CRIT) ; > /usr/bin/splain -> $(SEC_CRIT) ; > /usr/bin/xsubpp -> $(SEC_CRIT) ; > /usr/bin/perlbug -> $(SEC_CRIT) ; > /usr/bin/perldoc -> $(SEC_CRIT) ; > /usr/bin/perlivp -> $(SEC_CRIT) ; > /usr/bin/pod2man -> $(SEC_CRIT) ; > /usr/bin/instmodsh -> $(SEC_CRIT) ; > /usr/bin/perl -> $(SEC_CRIT) ; > ># ># The 'python' binaries ># > > /usr/bin/idle -> $(SEC_CRIT) ; > /usr/bin/pydoc -> $(SEC_CRIT) ; > /usr/bin/python -> $(SEC_CRIT) ; > /usr/bin/python2.4 -> $(SEC_CRIT) ; > /usr/bin/python-config -> $(SEC_CRIT) ; > /usr/bin/smtpd.py -> $(SEC_CRIT) ; > /usr/sbin/python-updater -> $(SEC_CRIT) ; > ># ># The 'ruby' binaries ># > > /usr/bin/ri18 -> $(SEC_CRIT) ; > /usr/bin/erb18 -> $(SEC_CRIT) ; > /usr/bin/irb18 -> $(SEC_CRIT) ; > /usr/bin/testrb18 -> $(SEC_CRIT) ; > /usr/bin/rdoc18 -> $(SEC_CRIT) ; > /usr/bin/ruby18 -> $(SEC_CRIT) ; > >} > >################ ># # ># Editors # ># # >################ > >( > rulename = "Editor programs", > severity = $(SIG_HI) >) >{ > ># ># The 'nano' binaries ># > > /bin/nano -> $(SEC_CRIT) ; > /bin/rnano -> $(SEC_CRIT) ; > /usr/bin/nano -> $(SEC_CRIT) ; > ># ># The 'vim' binaries ># > > 
/usr/bin/ex -> $(SEC_CRIT) ; > /usr/bin/vim -> $(SEC_CRIT) ; > /usr/bin/rvim -> $(SEC_CRIT) ; > /usr/bin/view -> $(SEC_CRIT) ; > /usr/bin/rview -> $(SEC_CRIT) ; > /usr/bin/vimdiff -> $(SEC_CRIT) ; > ># ># The 'ed' binaries ># > > /bin/ed -> $(SEC_CRIT) ; > /bin/red -> $(SEC_CRIT) ; > ># ># The 'emacs' binaries ># > ># dunno -- don't use (dk) > >} > >######################### ># # ># Gentoo Specific # ># # >######################### > >( > rulename = "Gentoo Specific Binaries", > severity = $(SIG_HI) >) > >{ > ># ># The 'portage' binaries ># > > /usr/bin/xpak -> $(SEC_CRIT) ; > /usr/bin/repoman -> $(SEC_CRIT) ; > /usr/bin/portageq -> $(SEC_CRIT) ; > /usr/bin/ebuild -> $(SEC_CRIT) ; > /usr/bin/emerge -> $(SEC_CRIT) ; > /usr/bin/tbz2tool -> $(SEC_CRIT) ; > /usr/lib/portage/bin/fixpackages -> $(SEC_CRIT) ; > /usr/lib/portage/bin/domo -> $(SEC_CRIT) ; > /usr/lib/portage/bin/xpak -> $(SEC_CRIT) ; > /usr/lib/portage/bin/fix-db.py -> $(SEC_CRIT) ; > /usr/lib/portage/bin/dolib.so -> $(SEC_CRIT) ; > /usr/lib/portage/bin/donewins -> $(SEC_CRIT) ; > /usr/lib/portage/bin/env-update -> $(SEC_CRIT) ; > /usr/lib/portage/bin/fixdbentries -> $(SEC_CRIT) ; > /usr/lib/portage/bin/repoman -> $(SEC_CRIT) ; > /usr/lib/portage/bin/dobin -> $(SEC_CRIT) ; > /usr/lib/portage/bin/dodir -> $(SEC_CRIT) ; > /usr/lib/portage/bin/dodoc -> $(SEC_CRIT) ; > /usr/lib/portage/bin/doexe -> $(SEC_CRIT) ; > /usr/lib/portage/bin/dojar -> $(SEC_CRIT) ; > /usr/lib/portage/bin/doins -> $(SEC_CRIT) ; > /usr/lib/portage/bin/dolib -> $(SEC_CRIT) ; > /usr/lib/portage/bin/doman -> $(SEC_CRIT) ; > /usr/lib/portage/bin/dosed -> $(SEC_CRIT) ; > /usr/lib/portage/bin/dosym -> $(SEC_CRIT) ; > /usr/lib/portage/bin/emake -> $(SEC_CRIT) ; > /usr/lib/portage/bin/etc-update -> $(SEC_CRIT) ; > /usr/lib/portage/bin/portage_gpg_update.sh -> $(SEC_CRIT) ; > /usr/lib/portage/bin/doconfd -> $(SEC_CRIT) ; > /usr/lib/portage/bin/doinitd -> $(SEC_CRIT) ; > /usr/lib/portage/bin/dolib.a -> $(SEC_CRIT) ; > 
/usr/lib/portage/bin/emerge-webrsync -> $(SEC_CRIT) ; > /usr/lib/portage/bin/regenworld -> $(SEC_CRIT) ; > /usr/lib/portage/bin/chkcontents -> $(SEC_CRIT) ; > /usr/lib/portage/bin/portageq -> $(SEC_CRIT) ; > /usr/lib/portage/bin/clean_locks -> $(SEC_CRIT) ; > /usr/lib/portage/bin/prepstrip -> $(SEC_CRIT) ; > /usr/lib/portage/bin/archive-conf -> $(SEC_CRIT) ; > /usr/lib/portage/bin/ebuild -> $(SEC_CRIT) ; > /usr/lib/portage/bin/doenvd -> $(SEC_CRIT) ; > /usr/lib/portage/bin/dohard -> $(SEC_CRIT) ; > /usr/lib/portage/bin/dohtml -> $(SEC_CRIT) ; > /usr/lib/portage/bin/doinfo -> $(SEC_CRIT) ; > /usr/lib/portage/bin/dosbin -> $(SEC_CRIT) ; > /usr/lib/portage/bin/emaint -> $(SEC_CRIT) ; > /usr/lib/portage/bin/emerge -> $(SEC_CRIT) ; > /usr/lib/portage/bin/fowners -> $(SEC_CRIT) ; > /usr/lib/portage/bin/fperms -> $(SEC_CRIT) ; > /usr/lib/portage/bin/newenvd -> $(SEC_CRIT) ; > /usr/lib/portage/bin/newsbin -> $(SEC_CRIT) ; > /usr/lib/portage/bin/prepallman -> $(SEC_CRIT) ; > /usr/lib/portage/bin/pkgmerge.new -> $(SEC_CRIT) ; > /usr/lib/portage/bin/newbin -> $(SEC_CRIT) ; > /usr/lib/portage/bin/newdoc -> $(SEC_CRIT) ; > /usr/lib/portage/bin/newexe -> $(SEC_CRIT) ; > /usr/lib/portage/bin/newins -> $(SEC_CRIT) ; > /usr/lib/portage/bin/newman -> $(SEC_CRIT) ; > /usr/lib/portage/bin/dispatch-conf -> $(SEC_CRIT) ; > /usr/lib/portage/bin/md5check.py -> $(SEC_CRIT) ; > /usr/lib/portage/bin/md5check.sh -> $(SEC_CRIT) ; > /usr/lib/portage/bin/ebuild.sh -> $(SEC_CRIT) ; > /usr/lib/portage/bin/pkgmerge -> $(SEC_CRIT) ; > /usr/lib/portage/bin/prepinfo -> $(SEC_CRIT) ; > /usr/lib/portage/bin/isolated-functions.sh -> $(SEC_CRIT) ; > /usr/lib/portage/bin/prepallstrip -> $(SEC_CRIT) ; > /usr/lib/portage/bin/newconfd -> $(SEC_CRIT) ; > /usr/lib/portage/bin/newinitd -> $(SEC_CRIT) ; > /usr/lib/portage/bin/newlib.a -> $(SEC_CRIT) ; > /usr/lib/portage/bin/quickpkg -> $(SEC_CRIT) ; > /usr/lib/portage/bin/prepalldocs -> $(SEC_CRIT) ; > /usr/lib/portage/bin/prepallinfo -> $(SEC_CRIT) ; > 
/usr/lib/portage/bin/env-update.sh -> $(SEC_CRIT) ; > /usr/lib/portage/bin/pkgname -> $(SEC_CRIT) ; > /usr/lib/portage/bin/newlib.so -> $(SEC_CRIT) ; > /usr/lib/portage/bin/find-requires -> $(SEC_CRIT) ; > /usr/lib/portage/bin/tbz2tool -> $(SEC_CRIT) ; > /usr/lib/portage/bin/misc-functions.sh -> $(SEC_CRIT) ; > /usr/lib/portage/bin/prepall -> $(SEC_CRIT) ; > /usr/lib/portage/bin/preplib -> $(SEC_CRIT) ; > /usr/lib/portage/bin/prepman -> $(SEC_CRIT) ; > /usr/lib/portage/pym/getbinpkg.py -> $(SEC_CRIT) ; > /usr/sbin/fixpackages -> $(SEC_CRIT) ; > /usr/sbin/env-update -> $(SEC_CRIT) ; > /usr/sbin/etc-update -> $(SEC_CRIT) ; > /usr/sbin/emerge-webrsync -> $(SEC_CRIT) ; > /usr/sbin/regenworld -> $(SEC_CRIT) ; > /usr/sbin/archive-conf -> $(SEC_CRIT) ; > /usr/sbin/emaint -> $(SEC_CRIT) ; > /usr/sbin/dispatch-conf -> $(SEC_CRIT) ; > /usr/sbin/quickpkg -> $(SEC_CRIT) ; > ># ># The 'gentoolkit' binaries ># > > /usr/bin/euse -> $(SEC_CRIT) ; > /usr/bin/revdep-rebuild -> $(SEC_CRIT) ; > /usr/bin/eclean-dist -> $(SEC_CRIT) ; > /usr/bin/glsa-check -> $(SEC_CRIT) ; > /usr/bin/eclean -> $(SEC_CRIT) ; > /usr/bin/equery -> $(SEC_CRIT) ; > /usr/bin/eclean-pkg -> $(SEC_CRIT) ; > /usr/lib/gentoolkit/bin/find_pkgs.py -> $(SEC_CRIT) ; > /usr/lib/gentoolkit/bin/genpkgindex -> $(SEC_CRIT) ; > ># ># The 'baselayout' binaries ># > > /bin/rc-status -> $(SEC_CRIT) ; > /usr/sbin/update-modules -> $(SEC_CRIT) ; > /usr/sbin/MAKEDEV -> $(SEC_CRIT) ; > /sbin/rc -> $(SEC_CRIT) ; > /sbin/runscript.sh -> $(SEC_CRIT) ; > /sbin/depscan.sh -> $(SEC_CRIT) ; > /sbin/functions.sh -> $(SEC_CRIT) ; > /sbin/update-modules -> $(SEC_CRIT) ; > /sbin/MAKEDEV -> $(SEC_CRIT) ; > /sbin/start-stop-daemon -> $(SEC_CRIT) ; > /sbin/rc-update -> $(SEC_CRIT) ; > /sbin/consoletype -> $(SEC_CRIT) ; > /sbin/runscript -> $(SEC_CRIT) ; > /sbin/env-update.sh -> $(SEC_CRIT) ; > /sbin/modules-update -> $(SEC_CRIT) ; > >} > >######################### ># # ># Temporary directories # ># # >######################### >( > rulename = 
"Temporary directories", > recurse = false, > severity = $(SIG_LOW) >) >{ > /usr/tmp -> $(SEC_INVARIANT) ; # link to /var/tmp > /var/tmp -> $(SEC_INVARIANT) ; > /tmp -> $(SEC_INVARIANT) ; >} > >###################################################### ># # ># Critical System Boot Files # ># These files are critical to a correct system boot. # ># # >###################################################### > >( > rulename = "Critical system boot files", > severity = $(SIG_HI) >) >{ > /boot -> $(SEC_CRIT) ; > ># ># 'grub' files ># > /bin/mbchk -> $(SEC_CRIT) ; > /lib/grub/i386-pc/e2fs_stage1_5 -> $(SEC_CRIT) ; > /lib/grub/i386-pc/stage2_eltorito -> $(SEC_CRIT) ; > /lib/grub/i386-pc/ufs2_stage1_5 -> $(SEC_CRIT) ; > /lib/grub/i386-pc/iso9660_stage1_5 -> $(SEC_CRIT) ; > /lib/grub/i386-pc/jfs_stage1_5 -> $(SEC_CRIT) ; > /lib/grub/i386-pc/xfs_stage1_5 -> $(SEC_CRIT) ; > /lib/grub/i386-pc/minix_stage1_5 -> $(SEC_CRIT) ; > /lib/grub/i386-pc/fat_stage1_5 -> $(SEC_CRIT) ; > /lib/grub/i386-pc/vstafs_stage1_5 -> $(SEC_CRIT) ; > /lib/grub/i386-pc/stage1 -> $(SEC_CRIT) ; > /lib/grub/i386-pc/stage2 -> $(SEC_CRIT) ; > /lib/grub/i386-pc/reiserfs_stage1_5 -> $(SEC_CRIT) ; > /lib/grub/i386-pc/ffs_stage1_5 -> $(SEC_CRIT) ; > /sbin/grub -> $(SEC_CRIT) ; > /sbin/grub-md5-crypt -> $(SEC_CRIT) ; > /sbin/grub-terminfo -> $(SEC_CRIT) ; > /sbin/grub-install -> $(SEC_CRIT) ; > /sbin/grub-set-default -> $(SEC_CRIT) ; > ># ># 'lilo' files ># > ># dunno --- > >} > > ################################################## > # These files change every time the system boots # > ################################################## >( > rulename = "System boot changes", > severity = $(SIG_HI) >) >{ > !/var/run/ftp.pids-all ; # Comes and goes on reboot. > !/root/.enlightenment ; > /dev/log -> $(SEC_CONFIG) ; > /dev/cua0 -> $(SEC_CONFIG) ; > # /dev/printer -> $(SEC_CONFIG) ; # Uncomment if you have a printer device > /dev/console -> $(SEC_CONFIG) -u ; # User ID may change on console login/logout. 
> /dev/tty1 -> $(SEC_CONFIG) ; # tty devices > /dev/tty2 -> $(SEC_CONFIG) ; # tty devices > /dev/tty3 -> $(SEC_CONFIG) ; # are extremely > /dev/tty4 -> $(SEC_CONFIG) ; # variable > /dev/tty5 -> $(SEC_CONFIG) ; > /dev/tty6 -> $(SEC_CONFIG) ; > /dev/urandom -> $(SEC_CONFIG) ; > /dev/initctl -> $(SEC_CONFIG) ; > /var/lock/subsys -> $(SEC_CONFIG) ; > /var/run -> $(SEC_CONFIG) ; > /var/log -> $(SEC_CONFIG) ; > /etc/ioctl.save -> $(SEC_CONFIG) ; > /etc/issue -> $(SEC_CONFIG) ; > /etc/mtab -> $(SEC_CONFIG) -i ; # Inode number changes on any mount/unmount > /lib/modules -> $(SEC_CONFIG) ; > /etc/.pwd.lock -> $(SEC_CONFIG) ; > >} > ># These files change the behavior of the root account >( > rulename = "Root config files", > severity = 100 >) >{ > /root -> $(SEC_CRIT) ; # Catch all additions to /root > >} > >################################ ># # ># Critical configuration files # ># # >################################ >( > rulename = "Critical configuration files", > severity = $(SIG_HI) >) >{ > /etc/conf.d -> $(SEC_BIN) ; > /etc/crontab -> $(SEC_CONFIG) ; > /etc/cron.deny -> $(SEC_CONFIG) ; > /etc/cron.hourly -> $(SEC_BIN) ; > /etc/cron.daily -> $(SEC_BIN) ; > /etc/cron.weekly -> $(SEC_BIN) ; > /etc/cron.monthly -> $(SEC_BIN) ; > /etc/default -> $(SEC_BIN) ; > /etc/dev.d -> $(SEC_BIN) ; > /etc/env.d -> $(SEC_BIN) ; > /etc/fstab -> $(SEC_CONFIG) ; > # /etc/exports -> $(SEC_CONFIG) ; # uncomment for NFS > /etc/group -> $(SEC_CRIT) ; > /etc/group- -> $(SEC_CRIT) ; ># /etc/gshadow -> $(SEC_CRIT) ; # uncomment for group shadow ># /etc/gshadow- -> $(SEC_CRIT) ; # " " " " > /etc/hotplug.d -> $(SEC_BIN) ; > /etc/host.conf -> $(SEC_BIN) ; > # /etc/hosts.allow -> $(SEC_BIN) ; # uncomment for tcpwrappers > # /etc/hosts.deny -> $(SEC_BIN) ; # " " " > /etc/protocols -> $(SEC_BIN) ; > /etc/services -> $(SEC_BIN) ; > /etc/init.d -> $(SEC_BIN) ; > /etc/pam.d -> $(SEC_BIN) ; > /etc/mail -> $(SEC_BIN) ; > /etc/modules.autoload.d -> $(SEC_BIN) ; > /etc/modules.d -> $(SEC_BIN) ; > 
/etc/modprobe.conf -> $(SEC_CONFIG) ; > /etc/modules.conf -> $(SEC_BIN) ; > /etc/passwd -> $(SEC_CRIT) ; > /etc/passwd- -> $(SEC_CRIT) ; > /etc/shadow -> $(SEC_CRIT) ; > /etc/shadow- -> $(SEC_CRIT) ; > /etc/rpc -> $(SEC_BIN) ; > # /etc/samba/smb.conf -> $(SEC_CONFIG) ; # uncomment for samba > /etc/login.defs -> $(SEC_BIN) ; > /etc/login.access -> $(SEC_BIN) ; > /etc/nsswitch.conf -> $(SEC_BIN) ; > /etc/yp.conf -> $(SEC_BIN) ; > /etc/hosts -> $(SEC_CONFIG) ; > /etc/inittab -> $(SEC_CONFIG) ; > /etc/resolv.conf -> $(SEC_CONFIG) ; > /etc/sysctl.conf -> $(SEC_CONFIG) ; > > # Gentoo specific > /etc/rc.conf -> $(SEC_CONFIG) ; > /etc/make.conf -> $(SEC_CONFIG) ; > /etc/make.globals -> $(SEC_CONFIG) ; > /etc/make.profile -> $(SEC_CONFIG) ; >} > >#################### ># # ># Critical devices # ># # >#################### >( > rulename = "Critical devices", > severity = $(SIG_HI), > recurse = false >) >{ > ># ># /dev devices ># > /dev/kmem -> $(Device) ; > /dev/mem -> $(Device) ; > /dev/null -> $(Device) ; > /dev/zero -> $(Device) ; > ># ># /proc files ># > /proc/devices -> $(Device) ; > /proc/buddyinfo -> $(Device) ; > /proc/slabinfo -> $(Device) ; > /proc/fb -> $(Device) ; > /proc/execdomains -> $(Device) ; > /proc/diskstats -> $(Device) ; > /proc/iomem -> $(Device) ; > /proc/vmstat -> $(Device) ; > /proc/net -> $(Device) ; > /proc/sys -> $(Device) ; > /proc/cpuinfo -> $(Device) ; > /proc/modules -> $(Device) ; > /proc/mounts -> $(Device) ; > /proc/dma -> $(Device) ; > /proc/filesystems -> $(Device) ; > /proc/pci -> $(Device) ; > /proc/interrupts -> $(Device) ; > /proc/ioports -> $(Device) ; > /proc/scsi -> $(Device) ; > /proc/kcore -> $(Device) ; > /proc/self -> $(Device) ; > /proc/kmsg -> $(Device) ; > /proc/stat -> $(Device) ; > /proc/kallsyms -> $(Device) ; > /proc/loadavg -> $(Device) ; > /proc/uptime -> $(Device) ; > /proc/locks -> $(Device) ; > /proc/version -> $(Device) ; > /proc/zoneinfo -> $(Device) ; > /proc/meminfo -> $(Device) ; > /proc/cmdline -> $(Device) ; > 
/proc/misc -> $(Device) ; >} > ># Rest of critical system binaries ># Libraries >( > rulename = "Libraries", > severity = $(SIG_MED) >) >{ > /usr/lib -> $(SEC_BIN) ; > /usr/local/lib -> $(SEC_BIN) ; >} > >( > rulename = "OS executables and libraries", > severity = $(SIG_HI) >) >{ > /bin -> $(SEC_BIN) ; > /lib -> $(SEC_BIN) ; >} > >( > rulename = "User binaries", > severity = $(SIG_MED) >) >{ > /sbin -> $(SEC_BIN) (recurse = 1) ; > /usr/bin -> $(SEC_BIN) (recurse = 1) ; > /usr/sbin -> $(SEC_BIN) (recurse = 1) ; > /usr/local/bin -> $(SEC_BIN) (recurse = 1) ; >} > >( > rulename = "Security Control", > severity = $(SIG_HI) >) >{ > /etc/security -> $(SEC_CRIT) ; > >} > >#============================================================================= ># ># Copyright 2000 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, ># Inc. in the United States and other countries. All rights reserved. ># ># Linux is a registered trademark of Linus Torvalds. ># ># UNIX is a registered trademark of The Open Group. ># >#============================================================================= ># ># Permission is granted to make and distribute verbatim copies of this document ># provided the copyright notice and this permission notice are preserved on all ># copies. ># ># Permission is granted to copy and distribute modified versions of this ># document under the conditions for verbatim copying, provided that the entire ># resulting derived work is distributed under the terms of a permission notice ># identical to this one. ># ># Permission is granted to copy and distribute translations of this document ># into another language, under the above conditions for modified versions, ># except that this permission notice may be stated in a translation approved by ># Tripwire, Inc. ># ># DCM
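The toolchain rules above depend on `$(GCCVERSION)` and `$(BINUTILSVERSION)`, and the autoconf/automake entries are pinned to version-suffixed file names the author says to edit by hand. The following pre-flight check is an added example, not part of the attachment or of Tripwire: it reports `$(NAME)` references with no `NAME = value ;` definition anywhere in the policy text and rule objects that are absent from the host. The `lint_policy` helper, the `SEC_CRIT`/`SIG_HI` definitions in the sample and the fake file system are constructed for illustration.

```python
import os
import re

# Variables the Tripwire policy language predefines; the policy above uses $(Device).
PREDEFINED = {"ReadOnly", "Dynamic", "Growing", "Device", "IgnoreAll", "IgnoreNone"}

DEF_RE = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*(.*?)\s*;\s*$')  # NAME = value ;
REF_RE = re.compile(r'\$\((\w+)\)')                             # $(NAME)


def strip_comment(line):
    """Drop a '# ...' comment (assumes no '#' inside object names)."""
    return line.split("#", 1)[0].rstrip()


def lint_policy(text, exists=os.path.lexists):
    """Return (undefined, missing) for a Tripwire policy given as text.

    undefined: (line_no, variable) for each $(variable) never defined
    missing:   (line_no, path) for each rule object that does not exist
    Stop points (!object ;) are not checked for existence.
    """
    lines = [(no, strip_comment(raw))
             for no, raw in enumerate(text.splitlines(), 1)]

    # Pass 1: collect every top-level definition. Rule attributes such as
    # 'severity = $(SIG_HI)' carry no trailing ';' and are not matched.
    defined = {}
    for _, line in lines:
        m = DEF_RE.match(line)
        if m:
            defined[m.group(1)] = m.group(2).strip('"')

    # Pass 2: check references, then expand and test each rule object.
    undefined, missing = [], []
    for no, line in lines:
        unknown = sorted({v for v in REF_RE.findall(line)
                          if v not in defined and v not in PREDEFINED})
        undefined.extend((no, v) for v in unknown)
        if "->" not in line or unknown:
            continue  # not a rule, or it cannot be expanded reliably
        path = line.split("->", 1)[0].strip().strip('"')
        path = REF_RE.sub(lambda m: defined.get(m.group(1), m.group(0)), path)
        if path.startswith("/") and not exists(path):
            missing.append((no, path))
    return undefined, missing


# Constructed sample: a few rules copied from the policy above, with assumed
# definitions for SEC_CRIT and SIG_HI and GCCVERSION left commented out.
SAMPLE = '''\
SEC_CRIT = $(IgnoreNone)-SHa ;
SIG_HI   = 100 ;
BINUTILSVERSION = "2.16.1" ;
(
  rulename = "Toolchain Programs",
  severity = $(SIG_HI)
)
{
#GCCVERSION="3.4.6"
  /usr/bin/gcc-$(GCCVERSION) -> $(SEC_CRIT) ;
  /usr/i686-pc-linux-gnu/binutils-bin/$(BINUTILSVERSION)/ld -> $(SEC_CRIT) ;
  /usr/bin/autoconf-2.13 -> $(SEC_CRIT) ;
  /usr/bin/make -> $(SEC_CRIT) ;
  /proc/kmsg -> $(Device) ;
}
'''

# Constructed stand-in for the host file system so the example runs anywhere.
FAKE_FS = frozenset({
    "/usr/i686-pc-linux-gnu/binutils-bin/2.16.1/ld",
    "/usr/bin/make",
    "/proc/kmsg",
})


def demo():
    return lint_policy(SAMPLE, exists=FAKE_FS.__contains__)


if __name__ == "__main__":
    undefined, missing = demo()
    for no, var in undefined:
        print(f"line {no}: $({var}) is never defined")
    for no, path in missing:
        print(f"line {no}: {path} does not exist on this host")
```

On a real host, call `lint_policy(open(path).read())` on the text policy before building the database; the default `exists` is `os.path.lexists`, so dangling symlinks still count as present.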