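# @(#) tw.config for Linux
########################################################################
# This file contains a list of files and directories that tripwire
# will scan.  Date, size, and signature information for these files
# will be stored in the tripwire database file and used for later
# comparisons.
#
# This version of the tw.config file was tuned using Red Hat 5.2,
# Red Hat 6.1, and Slackware 3.4 - you may need to adjust it if you
# are running something else, but hopefully not by much.
#
# See the man page for tw.config(5) for more information about the
# format of this file, or look for a file called tw.config.format
#
# In order to check /usr/local you will need to add your host name
# to the list at the bottom of the file, or take out the selectivity.
#
# Eric Myers
# Department of Physics, University of Michigan, Ann Arbor, MI USA
# @(#) $Id: tw.config.Linux,v 1.48 2005/03/27 14:30:01 myers Exp myers $
########################################################################

# The usual definitions for different file tests.
# Mask letters: p=mode, i=inode, n=link count, u=uid, g=gid, s=size,
# a=atime, m=mtime, c=ctime, 1-8=signatures; '+' selects, '-' ignores.

@@define MODS +pugmc-ansi12345678      # protection/date change
@@define LOG  +pinug-samc12345678      # log files (no signatures)
@@define STAT +pug-cmansi12345678      # Just check protection bits
@@define MD5  +pugcmnsi1-a2345678      # Check signature 1 only
@@define SIGS +pugcmnsi12-a345678      # Check signatures 1&2

# Run tripwire with -DNODATES to ignore change/modification dates
# and inode numbers - useful after restoring from backup tapes

@@ifdef NODATES
@@define MODS +pug-cmansi12345678
@@define LOG  +pung-cmasi12345678
@@define STAT +pug-cmansi12345678
@@define MD5  +pung1-camis2345678
@@define SIGS +pung12-camis345678
@@endif

## Linux kernel and boot directory

/vmlinuz                @@SIGS   # Linux kernel - Slackware
/boot/vmlinuz           @@SIGS   # Linux kernel - Red Hat
/boot                   @@SIGS   # boot information & other kernels
/boot/System.map        @@STAT   # RedHat makes these links
/boot/module-info       @@STAT   # at boot time, so they may change

## Binary executables

/sbin                   @@SIGS   # single user binaries
/bin                    @@SIGS   # general binaries
/usr/bin                @@SIGS   # general binaries
/usr/sbin               @@SIGS   # special binaries (network stuff?)
/usr/lib/yp             @@SIGS   # NIS management

## Root account:

=/root                  @@STAT   # just status of root account
/root/.login            @@SIGS   # and any changes to these files
/root/.cshrc            @@SIGS
/root/.bashrc           @@SIGS
/root/.tcshrc           @@SIGS
/root/.emacs            @@SIGS
/root/.mushrc           @@SIGS

## Device files: pay attention to link counts, they can signal
# an added directory

=/dev                   @@LOG    # /dev changes due to pty's

## Some critical directories and files
## (exceptions are noted further down)

/etc                    @@SIGS
/etc/motd               @@SIGS
/etc/issue              @@SIGS
/etc/issue.net          @@SIGS
/etc/mail.rc            @@SIGS
/etc/shells             @@SIGS   # changes should be infrequent
/etc/hosts              @@SIGS   # changes should be infrequent
/etc/group              @@SIGS   # changes should be infrequent
/etc/skel               @@SIGS
/etc/profile            @@SIGS
/etc/csh.login          @@SIGS
/etc/dhcpc              @@STAT   # contents will change
/etc/resolv.conf        @@STAT   # contents will change on a laptop
/etc/.aumixrc           @@STAT   # contents will change
/lib/security           @@SIGS
/etc/grid-security/certificates  R-m   # mod times will change
/usr/sbin/inetd         @@SIGS
/etc/inetd.conf         @@SIGS
/etc/hosts.equiv        @@SIGS
# NOTE(review): /etc/resolv.conf is also listed above with @@STAT; the two
# entries give conflicting masks and only one can take effect.  Keep the
# one you intend - TODO confirm which entry tripwire applies.
/etc/resolv.conf        @@SIGS
/etc/nsswitch.conf      @@SIGS
/etc/syslog.conf        @@SIGS
/etc/exports            @@SIGS
/etc/gettydefs          @@SIGS
# NOTE(review): @@LOG-i leaves only mode, link count and ownership checked
# on passwd/shadow - no size, date or signature - so an added or altered
# account is not reported.  Where account churn is low, @@MD5-i is safer.
/etc/passwd             @@LOG-i  # i-node often changes
/etc/shadow             @@LOG-i  # ditto?
/etc/rmtab              @@LOG
/etc/utmp               @@LOG
/etc/sendmail.cf        @@MD5
/etc/sendmail.st        @@LOG
# NOTE(review): @@LOG carries no size or signature, so an edit to these
# tcp_wrappers access lists goes unreported; unless a tool regenerates
# them, @@SIGS is the better fit.
/etc/hosts.deny         @@LOG
/etc/hosts.allow        @@LOG
/etc/dumpdates          @@LOG
/etc/samba/secrets.tdb  @@LOG

# AFS

/usr/lib/afs            @@SIGS   # AFS libraries
/usr/vice               @@SIGS   # AFS client
/usr/afs                @@SIGS   # AFS server
/usr/afs/logs           @@STAT   # AFS server logs
=/usr/vice/cache        @@STAT   # ignore AFS cache
=/usr/afs/db            @@STAT   # ignore AFS server db status

# Kerberos

/usr/kerberos           @@SIGS

#
# The contents of these change often so just check file modes

/etc/mtab               @@STAT
/etc/ntp.drift          @@STAT
/etc/ntp/drift          @@STAT
/etc/ssh_random_seed    @@STAT
/etc/ld.so.cache        @@STAT
/etc/ioctl.save         @@STAT
/etc/adjtime            @@STAT

################
# Using a single hash is enough for these.
# However setuid/setgid files are special-cased further down.
# Specific libraries are listed so that you can say "Y" to them
# and skip/update the whole lot of 'em.  Also, /usr/lib/ is just
# getting too full to check every subdirectory recursively.

=/usr                   @@STAT
/usr/etc                @@SIGS-2
=/usr/lib               @@SIGS-2
/usr/lib/gcc-lib        @@SIGS-2
/usr/lib/glib           @@SIGS-2
/usr/lib/glib-2.0       @@SIGS-2
/usr/lib/gnupg          @@SIGS-2
/usr/lib/php4           @@SIGS-2
/usr/lib/qt3            @@SIGS-2
/usr/lib/apsfilter      @@SIGS-2
/usr/lib/X11            @@SIGS-2
/usr/lib/lilo           @@SIGS-2
/usr/lib/RealPlayer8    @@SIGS-2
/usr/lib/linuxconf      @@SIGS-2
/usr/lib/perl5          @@SIGS-2
/usr/lib/sendmail       @@SIGS-2
/usr/lib/lib*           @@SIGS-2
=/usr/lib/rhs/glint
=/usr/lib/sendmail-cf

=/var/spool             @@MODS
=/var/spool/mail        @@STAT
# NOTE(review): '=' stops recursion, so the crontab files under
# /var/spool/cron are not checked at all; crontabs run as their owner
# (root included), so consider listing the root crontab explicitly with @@SIGS.
=/var/spool/cron        @@STAT
=/var/spool/mqueue      @@STAT
# NOTE(review): @@MODS checks ownership, mode and mtime/ctime but not
# contents; boot scripts run as root, so @@SIGS gives a much stronger check.
/etc/rc.d               @@MODS
/etc/aliases.db         @@STAT
/etc/news               @@SIGS-2
/etc/mail               @@SIGS-2
/etc/mail/statistics    @@STAT
!/etc/mail/access.db    @@STAT
!/etc/mail/mailertable.db
!/etc/mail/virtusertable.db
!/etc/mail/domaintable.db
!/etc/ppp/connect-errors         @@LOG
=/etc/X11/xdm/authdir/authfiles  @@STAT
=/tmp                   @@STAT
=/var/tmp               @@STAT
=/usr/msgs              @@STAT

################
# SUID files: use both signatures just to be sure.
#
# Use `find / -user root -perm -4000 -print >tw.config.suid` to list
# all suid root files (See man find(1) for use on multiple filesystems.)
# Or allow Ivan to create this list for you.
#
# The included list is part of the policy: protect it exactly like this
# file (same owner/mode and storage), since an entry dropped from it
# silently drops that file from the check.

@@include /var/adm/tw.config.suid

##################################
### Local files:
# Only the machine which hosts/exports /usr/local should check it
# (Modify for your own site here!)

@@ifhost linat1 || gibbs || noether
/usr/local/bin          @@SIGS
/usr/local/sbin         @@SIGS
/usr/local/etc          @@SIGS
=/usr/local/lib         @@SIGS
=/usr/local/lib/perl5   @@SIGS
/usr/local/lib/X11      @@SIGS
/usr/local/lib/ftpd     @@SIGS
/usr/local/lib/libexec  @@SIGS
/usr/local/lib/pgp      @@SIGS
=/usr/local/share       @@SIGS-2
!/usr/local/share/texmf         @@LOG   # changes often due to fonts
=/usr/local/etc/httpd/logs      @@LOG   # web server logs change constantly
=/usr/local/etc/httpd/icons     @@LOG   # so does the icon collection
=/usr/local/apache/logs         @@LOG   # web server logs change constantly
=/usr/local/apache/icons        @@LOG   # so does the icon collection
@@endif

##EOF tw.config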