twpolicy - Tripwire policy file reference
The policy file describes system objects to be monitored by Tripwire, and specifies what properties for each object should be collected and stored in the database file. Each object in the policy file is associated with a property mask, which describes what changes to the file or directory Tripwire should monitor, and which ones can safely be ignored. By customizing the various aspects of the policy file, the system administrator can very closely control how Tripwire checks the integrity of any system.
During installation, an encoded and signed policy file (tw.pol) will be created in the /etc/tripwire directory, and a plain text copy of this policy file (twpol.txt) will be generated in the same directory. An additional text file (policyguide.txt) illustrates all of the features of the policy language. Both of the text files are heavily commented and can be used as a reference during policy file creation.
A new policy file is first created using the twadmin --create-polfile command. With this command, the user can designate an existing plain text file as the current policy file. Using the current site key and passphrase, the new configuration file is encoded, signed and saved.
Once the initial policy file has been generated, any changes should be made with the tripwire --update-policy command, rather than by simply overwriting the policy file with the twadmin --create-polfile command. This is an important distinction--when a new policy file is created, the Tripwire database must be re-initialized. If an intruder has modified files since the last integrity check, these changes will not be detected, and will be included as part of the new "baseline" database.
# This is a comment. /bin -> $(ReadOnly); # A comment can go here, too.
1) Normal rules define which properties of a particular file or
directory tree Tripwire scans.
2) Stop points tell Tripwire not to scan a particular file or
directory.
where the object_name is the fully qualified pathname for a directory or file, and property_mask specifies what properties of an object to examine or ignore. The '->' token separates the pathname and the property mask. Whitespace must separate the object name and '->' token. A semicolon must terminate the rule. If the pathname specified is a directory, the directory and all of its descendants will be scanned with the indicated property mask. If the pathname refers to an individual file, only that file will be scanned with the specified property mask. Examples:
# Defines Tripwire behavior for entire /bin directory tree. /bin -> $(ReadOnly); # Defines Tripwire behavior for a single file. In this case, # Tripwire watches for all properties of hostname.hme0. /etc/hostname.hme0 -> $(IgnoreNone) -ar; # Scan the entire /etc directory tree using mask1, except the # file /etc/passwd, which should be scanned using mask2. /etc -> $(mask1); /etc/passwd -> $(mask2);
Only one rule may be associated with any given object. If any object has more than one rule in a policy file, Tripwire will print an error message and exit without scanning any files. For example:
# This is an example of an illegal construct. /usr/bin -> $(mask3); /usr/bin -> $(mask4);
/etc # valid object name. /etc/passwd # valid object name. $HOME # not valid.
+p # compare permissions. -p # ignore permissions.
Each rule in the policy file must have a property mask. Examples:
/etc -> $(IgnoreAll); #valid property mask. /etc -> +p-p; #valid property mask. /etc -> ; #invalid property mask.
Characters in a property mask without a preceding plus or minus sign are assumed to be plus. If a property is not specified in the property mask, it is ignored, which is equivalent to turning it off with the minus sign. Examples:
# Examine permissions and link count. # All three of the following are equivalent. +p+n pn pn-g
Characters used in property masks, with descriptions:
- Ignore the following properties + Record and check the following properties a Access timestamp b Number of blocks allocated c Inode timestamp (create/modify) d ID of device on which inode resides g File owner's group ID i Inode number l File is increasing in size (a "growing file") m Modification timestamp n Number of links (inode reference count) p Permissions and file mode bits r ID of device pointed to by inode (valid only for device objects)s File size t File type u File owner's user ID C CRC-32 hash value H Haval hash value M MD5 hash value S SHA hash value
! object_name ;For example:
!/etc/init.d; # The directory /etc/init.d will not be scanned. /etc -> $(ReadOnly); !/etc/rc.d; !/etc/mnttab; # Scan all of /etc, but do not scan two particular # files in the /etc hierarchy.
/usr/lib -> $(ReadOnly) (emailto = admin@foo.com, severity = 80); #This rule will notify the admin if any violations of the #rule occur and designate the severity as 80.
Rule attributes can also be specified for a group of rules,
using the format:
(attribute list)
{
rule list;
}
For example:
(emailto = admin@foo.com, severity = 80) { /usr/lib -> $(ReadOnly); }is equivalent to the attribute example above.
The following four rule attributes are supported by Tripwire:
/etc -> +ug (rulename=watchme);
/etc -> +ug (emailto=admin@domain.com);
/etc -> +ug (emailto="admin@foo.com;admin2@foo.com");
/etc -> +ug (severity=50);
/etc -> +ug (recurse=2);
@@ directive_name [arguments]
Where the directive name is one of the directives listed below:
@@section # Designates a section of the policy file. @@ifhost # Allow conditional interpretation @@else # of the policy file. @@endif @@print # Print a message to standard output. @@error # Print a message to standard output and then exit. @@end # Marks the logical end-of-file.
The @@section directive is used to designate sections of the policy file that are OS-specific. With Tripwire 2.3.1, valid arguments for the @@section directive are FS and GLOBAL. If no @@section directive is specified, FS will be assumed. If the argument to the @@section directive is either NTFS or NTREG (which have meaning only on Windows NT systems), Tripwire will skip all policy file text down to the next valid @@section directive. Any other argument will cause an error.
The @@ifhost, @@else, and @@endif directives are used to allow conditional interpretation of the policy file. With the @@ifhost directive, multiple hostnames can be expressed as arguments, but they must be separated by an '||', interpreted as the logical 'OR'. This example illustrates how one might employ directives to use one policy file with multiple hosts.
@@ifhost spock || kirk /bin -> $(ReadOnly); @@endif @@ifhost chekov || uhura /usr/bin -> +pinug; @@else /usr/bin -> +pinugsmC; @@endif
The @@print and @@error directives are intended for debugging and remote
diagnostics. The syntax for these commands is:
@@print "string" @@error "string"
The @@print directive prints string to stdout, while the @@error directive prints string to stdout and causes the calling program to exit with a non-zero status.
The @@end directive marks the end of the policy file. Any text appearing after this directive will be ignored by Tripwire.
variable = value;
Variable substitution is legal anywhere that a string could appear.
The syntax for variable substitution is:
$( variable )
Examples of variable definition and variable substitution on the left, right, and both sides of rules. Note that variable names are case sensitive.
param1 = +SMCH; # Set variable param1. dir1 = /etc/inet; # Set variable dir1. DIR1 = /etc/init.d; # Variables are case sensitive. $(dir1) -> +tbamc; # Left hand substitution. /etc/inet -> $(param1); # Right hand substitution. $(DIR1) -> $(param1); # Double substitution.
A number of variables are predefined by Tripwire and may not be changed. These variables represent different ways that files can change, and can be used on the right side of rules to design a policy file quickly.
Permission is granted to copy and distribute modified versions of this man page under the conditions for verbatim copying, provided that the entire resulting derived work is distributed under the terms of a permission notice identical to this one.
Permission is granted to copy and distribute translations of this man page into another language, under the above conditions for modified versions, except that this permission notice may be stated in a translation approved by Tripwire, Inc.
Copyright 2000 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, Inc. in the United States and other countries. All rights reserved.
Закладки на сайте Проследить за страницей |
Created 1996-2024 by Maxim Chirkov Добавить, Поддержать, Вебмастеру |