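#
# tw.config: Manel Marin tripwire config for Linux/Debian machines
#
# Based on the tw.config of Debian Potato
# thanks to Alexis Roda and to Hue-Bond for their help ;-)
#
# 8.12.2000 I update this file to avoid false positives and allow easy
# customization of signatures using (@@R) -- Manel3
#
# 7.1.2001 I add complete/minimal check entries, root environment, and I
# remove /usr/lib/tripwire where the floppy mounts... -- Manel3
#
# 30.1.2001 Added samples of use, @@KERNEL_VERSION, better grouping and
# replace "no check" by "no checksum but check for added files" -- Manel3
#
# Review: file reformatted one entry per line; SHA added to @@R alongside
# MD5; /var/spool/cron added (it was pruned by =/var); review notes marked
# NOTE(review) on entries that widen or hide what tripwire sees.
# Any change to the entries or to @@R needs the database to be
# re-initialized, otherwise the next check reports the difference.
###########################################################################
# SAMPLES OF USE:
# /usr = check /usr/*
# !/mnt = do not check /mnt nor its contents
# =/home = check /home but not /home/*
# /root E+ugp = check only user, group, permissions and addition of files
#
# R = +ugpinsm12-ac3456789
# L = +ugpin-sm12ac3456789
# E = -ugpinsm12ac3456789
#
# u = user
# g = group
# p = permissions
# i = inode
# n = number of links
# s = size
# m = modification time
# a = access time
# c = inode creation/modification time
#
# 1 = MD5
# 2 = Snefru
# 3 = CRC32
# 7 = SHA
# 8 = Haval
###########################################################################
# EDIT THIS TO MATCH YOUR KERNEL (/lib/modules/@@KERNEL_VERSION/modules.dep)
# --- This is because /lib/modules/*/modules.dep _DOES NOT_ work in tripwire ---
@@define KERNEL_VERSION 2.2.17

# CHOOSE SIGNATURES
# Add here any signature you want further to 1 and 2, e.g: R+37 = 1,2,3,7
# MD5 alone is a weak integrity anchor: collisions are practical, so a file
# supplied with a prepared twin can later be swapped without changing the
# MD5. SHA (7) is therefore kept next to MD5 (1); Snefru (2) is dropped as
# before. Use R-2 (MD5 only) only if database space on the floppy is a
# real problem, and re-initialize the database after changing this.
@@define R R-2+7

# --- DO NOT EDIT THIS ---
# Define variables for searching devices, tmp directories, and logfiles
@@define DEVSEARCH E+insugp # Added test ugp -- Manel3
@@define TMPSEARCH E+ugp
@@define LOGSEARCH L-i

# THIS IS TO DO A COMPLETE CHECK
# --- Please verify all your partitions are in this and the next list!!! ---
# Entries are recursive unless prefixed with "=" (directory only) or "!"
# (not checked at all); separate mount points are listed explicitly so
# they are still walked when they are not part of "/".
/ @@R
/usr @@R
/usr/local @@R
/root @@R
/dev @@DEVSEARCH
/var/lib/dpkg/info @@R # debsums stores md5sums of installed packages
# =/var below prunes /var, so the cron spool (where root's crontabs live on
# Debian) must be listed on its own or a planted crontab goes unnoticed.
# Comment this out if cron is not installed on the machine.
/var/spool/cron @@R

# DIRS NOT TESTED
# --- For a COMPLETE TEST these dirs not tested must be in another partition ---
# --- and mounted as "nosuid" and if it is possible as "noexec" ---
# NOTE(review): pruning /home also leaves per-user login files (shell rc
# files, ~/.ssh) unchecked; /root is covered by the /root entry above.
=/mnt E+ugp # check permissions of dir -- Manel3
=/home @@R
=/var @@R
=/tmp @@TMPSEARCH

# OPTIONAL
# --- Check log files: ---
#/var/log @@LOGSEARCH
#/var/account @@LOGSEARCH

# DOC
# No checksums for less important files (documentation, word lists):
# --- but _DOING_ test of added files ---
#/usr/share/doc E+ugp
#/usr/share/dict E+ugp
#/usr/share/info E+ugp
#/usr/share/man E+ugp
#/usr/X11R6/man E+ugp

# SOURCES
#/usr/src E+ugp
# --- but do check the kernel sources ---
#/usr/src/linux @@R

# THIS IS TO DO A MINIMAL CHECK (kernel, config, binaries, libraries)
#/boot @@R
#/dev @@DEVSEARCH
#/etc @@R
#/root @@R
#/bin @@R
#/sbin @@R
#/lib @@R
#/usr/bin @@R
#/usr/sbin @@R
#/usr/lib @@R # This can be *BIG*
#/usr/games @@R
#/usr/X11R6/bin @@R
#/usr/X11R6/lib @@R
#/usr/local/bin @@R
#/usr/local/sbin @@R
#/usr/local/lib @@R
#/var/lib/dpkg/info @@R # debsums stores md5sums of installed packages

# TO AVOID FALSE POSITIVES

# MODIFIED BY TRIPWIRE
# NOTE(review): "!" hides this whole tree, including anything dropped into
# the underlying directory while the floppy is not mounted. Make sure the
# tripwire binary and /etc/tripwire remain under a checked entry (here "/").
# If the floppy can be mounted on the databases subdirectory instead, only
# that subdirectory needs to be excluded.
!/usr/lib/tripwire # Modified mounting floppy here
!/usr/lib/tripwire/databases # Modified by tripwire (already inside the exclusion above)
/etc/tripwire/tw.fifo @@R-mc # Modified by ztripwire

# CHANGES IN EVERY START
/lib/modules/@@KERNEL_VERSION/modules.dep @@R-mc # Reloaded every start
# NOTE(review): this entry has no leading "=", so it is recursive: if
# tripwire applies the closest matching entry's mask, every file under /etc
# (passwd, shadow, sudoers, ...) loses its mtime/ctime check, not just the
# directory inode. Content, size, inode, ownership and permission changes
# are still reported by the remaining flags. "=/etc" is not an option here
# because it would prune the contents entirely; confirm the inheritance
# rule against your tripwire version's tw.config(5) before relying on it.
/etc @@R-mc # Directory mtime/ctime change whenever something inside is added or removed
/etc/motd @@R-imc
/etc/ioctl.save @@R-mc
/etc/adjtime E+ugp # Test only user, group, and perms
/etc/mtab E+ugp

# CHANGES IN PIPES
/dev/xconsole @@DEVSEARCH-s # This does not stop growing
/dev/log @@DEVSEARCH-i # Inode of this pipe changes

# CHANGES DURING MOUNT
=/floppy E+ugp # Test only user, group, and perms
=/cdrom E+ugp

# MODIFIED BY OTHER PROGRAMS
/etc/samba/smbpasswd @@R-c # Modified by samba (only ctime ignored; content changes still reported)

# NORMAL CHANGES IN ROOT
# As some /root files (.bash_profile, .bashrc, .forward) must be monitored
# it is better to check everything and exclude what changes normally...
/root/.bash_history E+ugp # This changes when using the root account
# --- No checksums for dirs used by mc, but _DOING_ test of added files ---
/root/.mc E+ugp # Dir used by mc when we are root
/root/.cedit E+ugp # Dir used by mc when we are root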