Differences between revisions 1 and 2
Revision 1 as of 2017-09-03 12:52:15
Size: 4423
Editor: ?Average-User-Prototype
Comment: please improve the rules
Revision 2 as of 2017-09-04 11:55:58
Size: 4437
Editor: Diego Alonso
Comment: added "#language en"
Line 1: Line 1:
#language en

This page lists rules you can add to the default tripwire policy file (/etc/tripwire/twpol.txt on Debian). After editing the policy, regenerate the signed policy file (twadmin --create-polfile) and re-initialise the database (tripwire --init), otherwise the new rules never take effect. Before adding a rule, check that the object is not already listed in another rule of your policy (the stock Debian policy already covers much of /etc and /usr/bin): tripwire will not accept a policy that names the same object in two rules, so either drop it from the stock rule or skip it here, and check the output of twadmin --create-polfile.

Tripwire compares the file system against a baseline database each time a check runs (usually once a day from cron), so it tells you after the fact that a critical file changed. It does not prevent the change, and anything that happens between two checks and is undone before the next one is invisible to it.

Tripwire is far from perfect: it only sees files (not running processes, in-kernel state such as loaded modules or the live firewall ruleset, or memory), it is only as good as its rules and its check interval, and an intruder with root can tamper with the database and policy, or simply stop the checks, unless the keys and database are kept off the machine or on read-only media. Treat it as one detection layer, not as the whole IDS.

IntegratedIntrusionDetectionSystem is a project to create a truly useful IDS for everybody. This page is part of that effort.

Please add, remove and edit rules. As they stand, most of them watch a single file and miss the adjacent ".d" directory (sources.list.d, sudoers.d, profile.d, ...), which is exactly where a dropped file is least likely to be noticed. Paths containing "username" are placeholders for the real account name.

Client

Firefox

# Why: the Firefox profile directory holds startup preferences and installed
# extensions, so an attacker who gains the user's privileges can persist
# there (a sideloaded extension, a prefs override). Its ownership and
# permissions should never change once set up.
# What to look for: a change of owner, group, permissions or type of the
# directory itself. NOTE(review): $(SEC_INVARIANT) is defined elsewhere
# (in the stock Debian policy it is +tpug -- type, permissions, user,
# group -- with no content hash), and recurse = 0 restricts the check to
# the directory inode, so files inside the profile are NOT covered by this
# rule; confirm both against your twpol.txt before relying on it.
# When it changes legitimately: practically never; a report here is
# suspicious unless you chmod'ed/chown'ed the profile yourself.
# Replace "username" with the real account name.
(
  rulename = "Invariant Firefox Folder",
  severity = $(SIG_HI)
)
{
     /home/username/.mozilla/firefox/        -> $(SEC_INVARIANT) (recurse = 0) ;
}

Sources.list

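# Why: APT installs whatever the configured repositories serve, verified
# only against the keys it trusts. An attacker who can add a repository,
# drop a key into trusted.gpg.d, or set an option in apt.conf.d (a proxy,
# APT::Get::AllowUnauthenticated) can deliver trojaned packages on the next
# upgrade, so the .d directories matter as much as sources.list itself.
# What to look for: any changed file, and any file added under the .d
# directories (directories are scanned recursively by default).
# When it changes legitimately: when you edit the sources yourself or on a
# release upgrade. Check the reported diff, then re-initialise the database.
(
  rulename = "Sources.list",
  severity = $(SIG_HI)
)
{
     /etc/apt/sources.list      -> $(SEC_BIN) ;
     /etc/apt/sources.list.d/   -> $(SEC_BIN) ;
     /etc/apt/trusted.gpg.d/    -> $(SEC_BIN) ;
     /etc/apt/apt.conf.d/       -> $(SEC_BIN) ;
}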

Compiler

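# Why: a tampered toolchain can silently insert a backdoor into everything
# built on the machine (the classic "trusting trust" attack). The linker
# and the "cc" alternative are part of that chain too, so they are watched
# alongside the assembler and the gcc/g++ drivers. Note that /usr/bin/gcc
# and /usr/bin/g++ are symlinks to the versioned drivers, and the code
# generator proper (cc1) lives under /usr/lib/gcc/ -- NOTE(review): add
# that directory for your architecture if you want it covered as well.
# What to look for: a changed hash, owner or permission, or a symlink that
# now points somewhere else.
# When it changes legitimately: only on a gcc/binutils package upgrade;
# cross-check /var/log/apt/history.log before re-initialising.
(
  rulename = "Compiler",
  severity = $(SIG_HI)
)
{
     /usr/bin/as        -> $(SEC_BIN) ;
     /usr/bin/ld        -> $(SEC_BIN) ;
     /usr/bin/cc        -> $(SEC_BIN) ;
     /usr/bin/g++       -> $(SEC_BIN) ;
     /usr/bin/g++-6     -> $(SEC_BIN) ;
     /usr/bin/gcc       -> $(SEC_BIN) ;
     /usr/bin/gcc-6     -> $(SEC_BIN) ;
}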

GRUB

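# Why: GRUB decides which kernel and initrd are booted and with which
# command line (init=, single, nokaslr, ...), so it is an ideal place to
# persist below the running system. The scripts in /etc/grub.d and the
# settings in /etc/default/grub are the inputs; /boot/grub/grub.cfg is the
# generated menu the bootloader actually reads. Watching the whole
# directory instead of three named scripts also catches a newly added one.
# What to look for: a changed script, a changed kernel command line, or an
# unexpected menu entry / kernel path in grub.cfg.
# When it changes legitimately: on a kernel or grub package upgrade
# (update-grub rewrites grub.cfg) and when you edit /etc/default/grub or
# 40_custom yourself. Verify against the apt log, then re-initialise.
# If your policy already lists /boot or /etc/default recursively, the more
# specific entries below still apply; only an identical path is a conflict.
(
  rulename = "GRUB",
  severity = $(SIG_HI)
)
{
     /etc/grub.d/            -> $(SEC_BIN) ;
     /etc/default/grub       -> $(SEC_BIN) ;
     /boot/grub/grub.cfg     -> $(SEC_BIN) ;
}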

Installs/Updates

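# Why: /var/log/apt/history.log records every package install, upgrade and
# removal, so it is the first thing to consult when tripwire reports a
# changed binary -- and the first thing an intruder who installed something
# will want to truncate.
# What to look for: the file shrinking, being replaced, or changing
# owner/permissions. $(SEC_BIN) is the wrong mask for a log: the file
# legitimately grows on every apt run, so a hash-based rule fires all the
# time and trains you to ignore it. $(SEC_LOG) (defined as $(Growing) in
# the stock Debian policy -- confirm in your twpol.txt) only reports when
# the file shrinks or its type/ownership changes.
# When it changes legitimately: logrotate renames it to history.log.1.gz
# and a new file is started, so expect one report per rotation.
(
  rulename = "Installs/Updates",
  severity = $(SIG_HI)
)
{
     /var/log/apt/history.log        -> $(SEC_LOG) ;
}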

Software folder

# Why: a directory of locally built or downloaded programs is not managed
# by dpkg, so nothing else verifies it; replacing one of these binaries is
# an easy way to get code run with the user's privileges.
# What to look for: a changed hash, a new or removed file, or a changed
# owner/permission on anything below the directory (directories are
# scanned recursively unless recurse is set).
# When it changes legitimately: whenever you rebuild or add software
# yourself; re-initialise the database afterwards. Replace "username" and
# "software-folder" with the real account and directory name. Keep in mind
# that this only detects: anyone running as that user can change the files.
(
  rulename = "Software",
  severity = $(SIG_HI)
)
{
     /home/username/software-folder/ -> $(SEC_BIN) ;
}

Sudoers

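# Why: sudoers defines who may run what as root. One extra line, or one
# extra file dropped into /etc/sudoers.d (which the stock sudoers
# includes), is enough to give an account NOPASSWD root; the .d directory
# is the more common persistence spot precisely because it is less watched.
# What to look for: any hash change in sudoers, any added or changed file
# under sudoers.d, or a permission/ownership change (sudo refuses files
# that are not mode 0440 root:root, so that is also a way to lock admins
# out).
# When it changes legitimately: only when you run visudo yourself or a
# package ships a sudoers.d snippet; verify the diff, then re-initialise.
(
  rulename = "Sudoers",
  severity = $(SIG_HI)
)
{
     /etc/sudoers       -> $(SEC_BIN) ;
     /etc/sudoers.d/    -> $(SEC_BIN) ;
}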

Shadow

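# Why: these four files are the local account database. /etc/shadow holds
# the password hashes, but adding a second UID 0 account or changing a
# login shell happens in /etc/passwd, and group membership (sudo, adm,
# disk, docker, ...) in /etc/group -- watching shadow alone misses that.
# What to look for: a new or removed line, a changed hash or shell, an
# account moved to UID/GID 0, or permission/ownership changes (shadow and
# gshadow must stay unreadable to ordinary users).
# When it changes legitimately: password changes, user/group creation, and
# package installs that add system users; verify, then re-initialise.
(
  rulename = "Shadow",
  severity = $(SIG_HI)
)
{
     /etc/passwd     -> $(SEC_BIN) ;
     /etc/shadow     -> $(SEC_BIN) ;
     /etc/group      -> $(SEC_BIN) ;
     /etc/gshadow    -> $(SEC_BIN) ;
}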

Profile

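# Why: files sourced by every login shell are a classic place to plant a
# backdoor, because whatever is put there runs with the privileges of each
# user who logs in, root included. /etc/profile sources everything in
# /etc/profile.d, and bash additionally reads /etc/bash.bashrc and the
# per-user ~/.bashrc and ~/.profile, so watching /etc/profile alone misses
# the places an attacker is most likely to use.
# What to look for: any content change, especially an added command, an
# alias that wraps sudo/ssh/su, or PATH / LD_PRELOAD manipulation.
# When it changes legitimately: when you edit the dotfiles yourself or a
# package ships a profile.d snippet. Replace "username" with the real
# account name; the per-user files change more often, so expect to verify
# them now and then.
(
  rulename = "Profile",
  severity = $(SIG_HI)
)
{
     /etc/profile                   -> $(SEC_BIN) ;
     /etc/profile.d/                -> $(SEC_BIN) ;
     /etc/bash.bashrc               -> $(SEC_BIN) ;
     /home/username/.bashrc         -> $(SEC_BIN) ;
     /home/username/.profile        -> $(SEC_BIN) ;
}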

Sysctl.conf

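# Why: kernel parameters set here control things like reverse-path
# filtering, kernel.randomize_va_space (ASLR), ptrace scope, IP forwarding
# and whether setuid programs may dump core; quietly weakening them makes
# later exploitation easier. Snippets in /etc/sysctl.d are applied the
# same way and are just as easy for an intruder to add.
# What to look for: any changed or added file, in particular a
# security-relevant key being set to a weaker value.
# When it changes legitimately: when you tune the kernel yourself or a
# package ships a sysctl.d snippet; verify, then re-initialise.
(
  rulename = "Sysctl",
  severity = $(SIG_HI)
)
{
     /etc/sysctl.conf        -> $(SEC_BIN) ;
     /etc/sysctl.d/          -> $(SEC_BIN) ;
}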

Iptables

# Why: these are the saved firewall rules restored at boot (rules.v4 and
# rules.v6 are what iptables-persistent / netfilter-persistent load);
# loosening them reopens services an attacker wants to reach.
# What to look for: any content change, especially a new ACCEPT rule or a
# changed default policy. NOTE(review): tripwire only sees the files -- a
# ruleset altered in the running kernel with iptables(8) leaves these
# untouched until the next save, so compare iptables-save output
# separately. /etc/iptables.conf does not appear to be shipped by any
# Debian package; drop that line if the file does not exist on your
# system, otherwise every check warns about the missing object.
# When it changes legitimately: only when you edit or re-save the rules.
(
  rulename = "Iptables",
  severity = $(SIG_HI)
)
{
     /etc/iptables.conf      -> $(SEC_BIN) ;
     /etc/iptables/rules.v4 -> $(SEC_BIN) ;
     /etc/iptables/rules.v6 -> $(SEC_BIN) ;
}

Limits.conf

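# Why: limits.conf, and the snippets in limits.d that pam_limits reads the
# same way, cap per-user processes, open files, memory and core dumps.
# Raising them for an account quietly enables fork bombs or core dumps of
# privileged processes; lowering them is an easy denial of service.
# What to look for: any changed or added file.
# When it changes legitimately: when you tune limits yourself or a package
# ships a limits.d snippet; verify, then re-initialise.
(
  rulename = "Limits.conf",
  severity = $(SIG_HI)
)
{
     /etc/security/limits.conf       -> $(SEC_BIN) ;
     /etc/security/limits.d/         -> $(SEC_BIN) ;
}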

Cupsd

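# Why: cupsd runs with root privileges and listens on the network; its
# configuration decides who may administer printers and from where.
# cups-files.conf is the part CUPS deliberately keeps out of reach of the
# web interface (SystemGroup, log/spool paths, the user it drops to)
# because control over those settings has been used for privilege
# escalation in the past -- it is the more security-relevant of the two.
# What to look for: a changed Listen/Allow line in cupsd.conf, a new
# SystemGroup member or a changed path in cups-files.conf.
# When it changes legitimately: on a cups package upgrade, or when you
# reconfigure printing (the web admin UI rewrites cupsd.conf).
(
  rulename = "Cupsd",
  severity = $(SIG_HI)
)
{
     /etc/cups/cupsd.conf       -> $(SEC_BIN) ;
     /etc/cups/cups-files.conf  -> $(SEC_BIN) ;
}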

Hosts

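# Why: /etc/hosts is consulted before DNS, so one added line redirects an
# update server, a login page or a package mirror to an attacker's host.
# /etc/nsswitch.conf decides that lookup order and which NSS modules get
# loaded, so an intruder can use it to bypass the hosts file or to load an
# NSS library of their choosing -- watch it together with hosts.
# What to look for: any new or changed line; compare with what you put
# there yourself.
# When it changes legitimately: rarely -- only when you edit them.
# /etc/resolv.conf is the other half of name resolution but is often
# rewritten by DHCP/NetworkManager, so it is left out here to avoid noise;
# add it if your resolver configuration is static.
(
  rulename = "Hosts",
  severity = $(SIG_HI)
)
{
     /etc/hosts           -> $(SEC_BIN) ;
     /etc/nsswitch.conf   -> $(SEC_BIN) ;
}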

Ca-certificates.crt

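# Why: every CA in the bundle can issue certificates your TLS clients
# accept, so a planted CA enables silent interception of HTTPS, apt over
# https, mail and so on. The bundle is generated by update-ca-certificates
# from /etc/ca-certificates.conf plus any local CAs in
# /usr/local/share/ca-certificates/, so those inputs must be watched too --
# otherwise a rogue CA simply reappears on the next regeneration.
# What to look for: a changed bundle hash, a new file under
# /usr/local/share/ca-certificates/, or a line in ca-certificates.conf that
# was disabled with "!" being enabled.
# When it changes legitimately: on a ca-certificates package upgrade or
# when you add a CA yourself; verify, then re-initialise.
(
  rulename = "Ca-certificates.crt",
  severity = $(SIG_HI)
)
{
     /etc/ssl/certs/ca-certificates.crt     -> $(SEC_BIN) ;
     /etc/ca-certificates.conf              -> $(SEC_BIN) ;
     /usr/local/share/ca-certificates/      -> $(SEC_BIN) ;
}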

Command-line activities

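# Why: ~/.bash_history is the cheapest record of what was typed as this
# user, and wiping it (or pointing it at /dev/null) is one of the first
# things an intruder does.
# What to look for: the file shrinking, being replaced by a symlink, or
# changing ownership/permissions. $(SEC_BIN) fires on every login session
# because the file grows; $(SEC_LOG) (defined as $(Growing) in the stock
# Debian policy -- confirm in your twpol.txt) reports only shrinking,
# replacement and ownership changes, which is the interesting signal.
# NOTE(review): an attacker can also just "unset HISTFILE" so nothing is
# written in the first place; a file check cannot see that.
# When it changes legitimately: when bash trims it to HISTFILESIZE or the
# user clears it. Replace "username" with the real account name.
(
  rulename = "Activities",
  severity = $(SIG_LOW)
)
{
     /home/username/.bash_history    -> $(SEC_LOG) ;
}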

Server