This page lists useful rules to add to your default Tripwire policy file.

Tripwire should notify you when critical files change.

Tripwire is far from perfect or even good.

IntegratedIntrusionDetectionSystem is a project to create a truly useful IDS for everybody. This page is part of that effort.

Please add, remove and edit rules. As of right now they aren't that useful.

Client

Firefox

# Why: the Firefox profile directory holds saved logins, cookies, client
# certificates and extension code; a change to the directory's owner or
# permission bits can expose or let someone replace all of it.
# What to look for: an unexpected change in the directory's type, owner,
# group or permissions. With recurse = 0 only the directory object itself is
# checked, not the profile files inside it — confirm against your Tripwire
# version's policy guide.
# When it changes legitimately: the contents change on every browser start,
# which is why only the invariant attributes of the directory are checked;
# the directory entry itself should not change once the profile exists.
# NOTE(review): $(SEC_INVARIANT) and $(SIG_HI) are defined in the policy
# preamble, not on this page — in the stock twpol.txt SEC_INVARIANT is +tpug
# (type, permissions, user, group); confirm against your own file.
(
  rulename = "Invariant Firefox Folder",
  severity = $(SIG_HI)
)
{
     /home/username/.mozilla/firefox/        -> $(SEC_INVARIANT) (recurse = 0) ;  # "username" is a placeholder; use the real account
}

Sources.list

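# Why: APT trusts every repository listed here; an added or edited entry can
# point package installation at a mirror you do not control.
# What to look for: new or changed repository lines, and any new file in the
# drop-in directories listed below — APT reads them exactly like sources.list,
# so a rule covering only sources.list misses a repository added there.
# When it changes legitimately: a release upgrade, or an administrator adding
# a repository (apt-add-repository writes into sources.list.d/ and the key
# directory); verify against the admin's own record before re-baselining.
# NOTE(review): $(SEC_BIN) and $(SIG_HI) are defined in the policy preamble,
# not on this page — confirm which attribute mask SEC_BIN expands to there.
(
  rulename = "Sources.list",
  severity = $(SIG_HI)
)
{
     /etc/apt/sources.list        -> $(SEC_BIN) ;
     /etc/apt/sources.list.d/     -> $(SEC_BIN) ;  # per-repository drop-ins, read like sources.list
     /etc/apt/trusted.gpg.d/      -> $(SEC_BIN) ;  # repository signing keys; a new key here is as important as a new repo
     /etc/apt/apt.conf.d/         -> $(SEC_BIN) ;  # APT configuration, including hook scripts run during installs
}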

Compiler

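# Why: a modified compiler, assembler or linker can alter every program built
# on the host, so these binaries must stay unchanged between package upgrades.
# What to look for: a change reported outside a gcc/binutils package upgrade
# (compare with /var/log/apt/history.log, covered by the Installs/Updates rule).
# When it changes legitimately: a package upgrade replaces the whole set at
# once; a change to a single binary with no upgrade is the suspicious case.
# NOTE(review): on Debian /usr/bin/gcc and /usr/bin/g++ are normally symlinks
# to the versioned binaries and Tripwire records the link object, so keep the
# versioned names listed too. The "-6" suffix matches the release this page
# was written on — adjust it to the compiler version actually installed.
(
  rulename = "Compiler",
  severity = $(SIG_HI)
)
{
     /usr/bin/as     -> $(SEC_BIN) ;
     /usr/bin/ld     -> $(SEC_BIN) ;  # linker; same package (binutils) as 'as'
     /usr/bin/g++    -> $(SEC_BIN) ;
     /usr/bin/g++-6  -> $(SEC_BIN) ;
     /usr/bin/gcc    -> $(SEC_BIN) ;
     /usr/bin/gcc-6  -> $(SEC_BIN) ;
}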

GRUB

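# Why: the files under /etc/grub.d/ are shell scripts that update-grub runs
# as root, and together with /etc/default/grub they decide which kernel,
# initrd and kernel command line the machine boots. A change here survives
# reboots and takes effect before any userland protection starts.
# What to look for: any change to these scripts or to /etc/default/grub that
# is not accompanied by a grub package upgrade in the apt history.
# When it changes legitimately: grub package upgrades rewrite the scripts;
# /boot/grub/grub.cfg is regenerated by update-grub after every kernel
# install or removal, so expect it to change alongside an Installs/Updates hit.
(
  rulename = "GRUB",
  severity = $(SIG_HI)
)
{
     /etc/grub.d/00_header        -> $(SEC_BIN) ;
     /etc/grub.d/10_linux         -> $(SEC_BIN) ;
     /etc/grub.d/30_os-prober     -> $(SEC_BIN) ;
     /etc/grub.d/40_custom        -> $(SEC_BIN) ;  # admin-editable; normally holds only comments, so any entry is notable
     /etc/default/grub            -> $(SEC_BIN) ;  # kernel command line and boot defaults
     /boot/grub/grub.cfg          -> $(SEC_BIN) ;  # generated; changes legitimately after kernel updates
}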

Installs/Updates

# Why: every install, upgrade or removal done through APT is appended here,
# so a change in this log is the legitimate explanation for most other hits
# (compiler, GRUB, CA bundle) reported in the same run.
# What to look for: an entry you did not initiate, or package changes on the
# system with no matching entry (dpkg -i and other tools that bypass APT do
# not write this log; dpkg logs to /var/log/dpkg.log instead).
# When it changes legitimately: after every apt/apt-get run and when logrotate
# rotates it; the file is append-only, so a growing size is the normal case.
# NOTE(review): $(SEC_BIN) is defined in the preamble — if it expands to
# $(ReadOnly) as in the stock twpol.txt, size, mtime and hash changes are all
# reported, i.e. every apt run is a violation by design. The stock policy
# uses $(SEC_LOG) = $(Growing) for logs when only truncation or replacement
# should alert; pick whichever matches the intent of this rule.
(
  rulename = "Installs/Updates",
  severity = $(SIG_HI)
)
{
     /var/log/apt/history.log        -> $(SEC_BIN) ;
}

Software folder

# Why: a directory of locally built or downloaded software that the user runs;
# a modified binary here executes with that user's privileges.
# What to look for: changed executables that the user did not rebuild or
# re-download.
# When it changes legitimately: whenever the user builds, installs or updates
# something here — expect noise unless the folder is rarely touched.
# NOTE(review): "username" and "software-folder" are placeholders on this page;
# replace them with the real account and path. No recurse limit is given, and
# Tripwire's default is to scan the whole tree below the directory.
(
  rulename = "Software",
  severity = $(SIG_HI)
)
{
     /home/username/software-folder/ -> $(SEC_BIN) ;
}

Sudoers

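# Why: /etc/sudoers and the drop-in files in /etc/sudoers.d/ define who may
# run what as root; a single added line grants persistent privilege escalation,
# and a rule covering only /etc/sudoers misses a file dropped into sudoers.d/.
# What to look for: any change outside an administrator's deliberate visudo
# edit, and new files in sudoers.d/ (packages and config tools add them too).
# When it changes legitimately: visudo rewrites the file in place; a sudo
# package upgrade may rewrite the shipped defaults. Check the new content with
# "visudo -c" and read the diff before accepting the new baseline.
(
  rulename = "Sudoers",
  severity = $(SIG_HI)
)
{
     /etc/sudoers      -> $(SEC_BIN) ;
     /etc/sudoers.d/   -> $(SEC_BIN) ;  # drop-ins are read by sudo; directory is scanned recursively by default
}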

Shadow

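# Why: /etc/shadow holds the password hashes; together with passwd, group and
# gshadow it defines every local account and group membership. A new UID 0
# account, an edited hash or a new member of a privileged group is a classic
# persistence change, and watching shadow alone misses the other three files.
# What to look for: added users, changed hashes for accounts whose password
# was not deliberately changed, new members in privileged groups (sudo, adm).
# When it changes legitimately: passwd/chage/useradd/usermod, and package
# installs that create service accounts; those tools also write backup copies
# (/etc/shadow-, /etc/passwd- and so on), which are not covered here.
# NOTE(review): with a ReadOnly-style mask every password change is reported;
# that is intended for these files — review and re-baseline rather than
# loosen the mask.
(
  rulename = "Shadow",
  severity = $(SIG_HI)
)
{
     /etc/passwd     -> $(SEC_BIN) ;
     /etc/shadow     -> $(SEC_BIN) ;
     /etc/group      -> $(SEC_BIN) ;
     /etc/gshadow    -> $(SEC_BIN) ;
}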

Profile

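# Why: /etc/profile and the scripts in /etc/profile.d/ are sourced by every
# login shell, and /etc/bash.bashrc by every interactive bash, so a command
# added to any of them runs for every user who logs in — root included.
# A rule on /etc/profile alone misses a script dropped into profile.d/.
# What to look for: added commands, changed PATH or library-path exports, and
# lines that source files from user-writable locations.
# When it changes legitimately: rarely; base-files/bash package upgrades and
# deliberate admin edits. Some packages install their own profile.d/ snippet.
(
  rulename = "Profile",
  severity = $(SIG_HI)
)
{
     /etc/profile       -> $(SEC_BIN) ;
     /etc/profile.d/    -> $(SEC_BIN) ;  # sourced by /etc/profile
     /etc/bash.bashrc   -> $(SEC_BIN) ;  # Debian: system-wide rc for interactive bash shells
}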

Sysctl.conf

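# Why: kernel parameters such as IP forwarding, ASLR and ptrace scope are set
# here; changing them weakens protection system-wide at the next reload or
# boot. Files in /etc/sysctl.d/ are applied the same way as sysctl.conf, so
# they must be watched too.
# What to look for: changed or added parameters, and new files in sysctl.d/.
# When it changes legitimately: admin hardening edits, and package upgrades
# (procps, or packages that ship their own sysctl.d/ snippet).
(
  rulename = "Sysctl",
  severity = $(SIG_HI)
)
{
     /etc/sysctl.conf   -> $(SEC_BIN) ;
     /etc/sysctl.d/     -> $(SEC_BIN) ;  # drop-ins applied at boot alongside sysctl.conf
}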

Iptables

# Why: the firewall rule set restored at boot; a change can silently expose a
# service to the network or disable logging of blocked traffic.
# What to look for: removed DROP/REJECT rules, new ACCEPT rules, and changed
# default chain policies.
# When it changes legitimately: when the admin saves the running rules
# (iptables-save / netfilter-persistent save). ufw and firewalld keep their
# rules elsewhere and are not covered by this rule.
# NOTE(review): /etc/iptables/rules.v4 and rules.v6 are written by
# iptables-persistent; /etc/iptables.conf is not a path a standard Debian
# package creates — confirm it exists on your host, because Tripwire warns
# about every listed object it cannot find on each run.
(
  rulename = "Iptables",
  severity = $(SIG_HI)
)
{
     /etc/iptables.conf      -> $(SEC_BIN) ;
     /etc/iptables/rules.v4 -> $(SEC_BIN) ;
     /etc/iptables/rules.v6 -> $(SEC_BIN) ;
}

Limits.conf

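# Why: limits.conf and the drop-ins in limits.d/ cap per-user processes, open
# files and core dumps; raising a limit removes a brake on resource abuse, and
# enabling core dumps can expose process memory on disk.
# What to look for: raised or removed limits for accounts that should not need
# them, and new files in limits.d/.
# When it changes legitimately: admin tuning for a database or server
# workload; some packages install a snippet into limits.d/.
(
  rulename = "Limits.conf",
  severity = $(SIG_HI)
)
{
     /etc/security/limits.conf    -> $(SEC_BIN) ;
     /etc/security/limits.d/      -> $(SEC_BIN) ;  # drop-ins read by pam_limits after limits.conf
}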

Cupsd

# Why: cupsd is a network-facing service; its configuration controls which
# hosts may reach it, whether remote administration is allowed and what it
# logs.
# What to look for: Listen/Port changes that expose it beyond localhost,
# Allow lines widened to all hosts, a lowered LogLevel.
# When it changes legitimately: a cups package upgrade, or an edit made
# through the CUPS web interface, which rewrites the file and keeps a backup
# copy next to it.
(
  rulename = "Cupsd",
  severity = $(SIG_HI)
)
{
     /etc/cups/cupsd.conf    -> $(SEC_BIN) ;
}

Hosts

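# Why: /etc/hosts overrides DNS for any name listed in it, so an added entry
# can redirect package mirrors, update servers or login pages to another
# host; /etc/nsswitch.conf decides whether /etc/hosts is consulted at all and
# in what order relative to DNS, so the two belong together.
# What to look for: added or changed entries for names that should resolve
# via DNS, and changes to the "hosts:" line in nsswitch.conf.
# When it changes legitimately: hostname changes, admin edits, and some
# provisioning tools that append entries at install time.
(
  rulename = "Hosts",
  severity = $(SIG_HI)
)
{
     /etc/hosts            -> $(SEC_BIN) ;
     /etc/nsswitch.conf    -> $(SEC_BIN) ;  # name-resolution order; decides if /etc/hosts is consulted
}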

Ca-certificates.crt

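# Why: everything that uses OpenSSL trusts the CAs in this bundle; a CA added
# to it lets whoever holds that CA's key issue certificates the system accepts
# for any site. The bundle is generated from /etc/ca-certificates.conf and
# the local CAs in /usr/local/share/ca-certificates/, so the inputs are
# watched too — a new local CA is the change that matters most, and it would
# otherwise only show up indirectly as a changed bundle.
# What to look for: a changed ca-certificates.crt with no matching
# ca-certificates package upgrade in the apt history; any new file under
# /usr/local/share/ca-certificates/.
# When it changes legitimately: a ca-certificates package upgrade, or an
# "update-ca-certificates" run after an admin adds a CA on purpose.
(
  rulename = "Ca-certificates.crt",
  severity = $(SIG_HI)
)
{
     /etc/ssl/certs/ca-certificates.crt      -> $(SEC_BIN) ;
     /etc/ca-certificates.conf               -> $(SEC_BIN) ;  # selects which shipped CAs go into the bundle
     /usr/local/share/ca-certificates/       -> $(SEC_BIN) ;  # locally added CAs
}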

Command-line activities

# Why: a changed or shrunken history file is a weak hint of interactive
# activity — or of cleanup — on the account.
# What to look for: the file shrinking or being emptied between checks; a
# growing file is just normal use.
# When it changes legitimately: at the end of every interactive bash session
# that writes history, so expect a hit on almost every run; that is why the
# severity is SIG_LOW. Sessions that do not write history are invisible here,
# so treat this as a low-confidence signal rather than an audit trail (auditd
# or process accounting are the tools for that).
# NOTE(review): "username" is a placeholder; replace it with the real account.
(
  rulename = "Activities",
  severity = $(SIG_LOW)
)
{
     /home/username/.bash_history    -> $(SEC_BIN) ;
}

Server