#
# tripwire.config
# Generic version for BSDI
# Tom Jennings 18 Aug 93
#
#
# This file contains a list of files and directories that System
# Preener will scan.  Information collected from these files will be
# stored in the tripwire.database file.
# (The installed copy of this file is normally called tw.config, which
# is the name the tripwire entries below assume.)
#
# Format:       [!|=] entry [ignore-flags]
#
# where:  '!' signifies the entry is to be pruned (inclusive) from
#             the list of files to be scanned.
#         '=' signifies the entry is to be added, but if it is
#             a directory, then all its contents are pruned
#             (useful for /tmp).
#
# where:  entry is the absolute pathname of a file or a directory
#
# where ignore-flags are in the format:
#         [template][ [+|-][pinugsamc12] ... ]
#
#         - : ignore the following attributes
#         + : do not ignore the following attributes
#
#         p : permission and file mode bits  a: access timestamp
#         i : inode number                   m: modification timestamp
#         n : number of links (ref count)    c: inode change (ctime) timestamp
#         u : user id of owner               1: signature 1
#         g : group id of owner              2: signature 2
#         s : size of file
#
#
# Ex:  The following entry will scan all the files in /etc, and report
#      any changes in mode bits, inode number, reference count, uid,
#      gid, modification and creation timestamp, and the signatures.
#      However, it will ignore any changes in the access timestamp.
#
#      /etc    +pinugsm12-a
#
# The following templates have been pre-defined to make these long ignore
# mask descriptions unnecessary.
#
# Templates:    (default)  R : [R]ead-only (+pinugsm12-a)
#                          L : [L]og file (+pinug-sam12)
#                          N : ignore [N]othing (+pinugsamc12)
#                          E : ignore [E]verything (-pinugsamc12)
#
#       By default, Tripwire uses the R template -- it ignores
#       only the access timestamp.
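#
# You can use templates with modifiers, like:
#       Ex:  /etc/lp        E+ug
#
# Example configuration file:
#       /etc            R       # all system files
#       !/etc/lp        R       # ...but not those logs
#       =/tmp           N       # just the directory, not its files
#
# Note the difference between pruning (via "!") and ignoring everything
# (via "E" template):  Ignoring everything in a directory still monitors
# for added and deleted files.  Pruning a directory will prevent Tripwire
# from even looking in the specified directory.
#
#
# Tripwire running slowly?  Modify your tripwire.config entries to
# ignore the (signature 2) attribute when this computationally-exorbitant
# protection is not needed.  (See README and design document for further
# details.)
#

# First, root's "home"
=/                              L-a
/root/.rhosts                   R-a     # may not exist
/root/.profile                  R-a     # may not exist
/root/.login                    R-a     # may not exist
/root/.exrc                     R-a     # may not exist
/root/.forward                  R-a     # may not exist

# Unix itself
/bsd                            R
/boot                           R

# Now, some critical directories and files
# Some exceptions are noted further down
/etc                            R
/usr/local/etc                  R
/usr/local/etc/tripwire/tripwire        R
/usr/local/etc/tripwire/tw.config       R
# The database directory is pruned because the database is rewritten on
# every update -- which also means nothing in this file detects tampering
# with it.  Keep the tripwire binary, tw.config and the database on
# read-only media (or compare against an offline copy): whoever can
# rewrite the database can also bless a replaced tripwire binary, so the
# two R entries above protect nothing on their own.
!/usr/local/etc/tripwire/databases

# named junk.
!/etc/named/backup
!/etc/named/secondary

/etc/connect.log                L-sam
/etc/inetd.conf                 R
/etc/services                   R
/etc/rc                         R
/etc/rc.local                   R
/etc/netstart                   R
/etc/fstab                      R
/etc/ttys                       R
/etc/dumpdates                  L-sam
/etc/motd                       L-sam
/etc/group                      R       # changes should be infrequent
# The next line may need to be replaced with /etc/security
# if C2 is enabled
/etc/master.passwd              R
/etc/passwd                     R
/etc/pwd.db                     R
/etc/spwd.db                    R

# NOTE: /var is scanned recursively here (no "="), so logs and spool
# files will show up on every run; add L entries for the noisy subtrees
# on your host rather than learning to ignore the report.
/var                            R
/var/mail                       L-ac    # changes a lot
/var/cron                       R
/var/cron/log                   L-sam
/var/cron/tabs                  R

# devices, ignore group/owner/creation time
/dev                            L-cug
# ...but not on the memory and raw-disk device nodes: a change of owner
# or mode on one of these hands out the machine, so keep u/g/p on them
# even though the rest of /dev ignores ownership.  Add your disk nodes
# (e.g. the raw root partition) here as well.
/dev/mem                        L-c     # may not exist
/dev/kmem                       L-c     # may not exist

# Our additional partitions
=/hell                          R
/hell/cobol                     R
=/u                             R-a
=/usr                           R-2
# "=/usr" prunes everything beneath it, so the system binary and library
# trees must be listed explicitly or a replaced libc, daemon or shell
# under /usr goes unnoticed.  Signature 2 is dropped here for speed; the
# setuid/setgid list further down re-enables both signatures on the
# files that matter most.  Adjust to the trees present on this host.
/usr/bin                        R-2
/usr/sbin                       R-2
/usr/lib                        R-2
/usr/libexec                    R-2
/usr/local/bin                  R-2
=/usr/local/lib                 R
/usr/X11/bin                    R-2sam

# Checksumming the following is not so critical.  However,
# setuid/setgid files are special-cased further down.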
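/bin                            R-2
/sbin                           R-2

# You may or may not have the following
/u/ftp                          L-a
/u/ftp/bin                      R-a
/u/ftp/etc                      R-a

# put entries for uucp if you need them

# Just the directory, not its contents.  The L template keeps mode,
# owner, group, inode and link count (so a lost sticky bit or a chown
# of /tmp is reported) but drops size and timestamps, which change
# every time a file is created or removed in /tmp and would otherwise
# appear in every report.
=/tmp                           L

# Here are entries for setuid/setgid files.  On these, we use
# both signatures just to be sure.
#
# You may want/need to edit this list.  Batteries not inc.
# A starting point for this host is:
#   find / \( -perm -4000 -o -perm -2000 \) -type f -print
# Anything that command lists and this file does not is only covered
# by the R-2 directory entries above (one signature, or none at all
# if it lives somewhere not listed).
/usr/bin/chfn                   R
/usr/bin/chpass                 R
/usr/bin/chsh                   R
/usr/bin/crontab                R
/usr/bin/cu                     R
/usr/bin/exrecover              R
/usr/bin/fstat                  R
/usr/bin/lock                   R
/usr/bin/login                  R
/usr/bin/lpq                    R
/usr/bin/lpr                    R
/usr/bin/lprm                   R
/usr/bin/mailq                  R
/usr/bin/netstat                R
/usr/bin/newaliases             R
/usr/bin/nfsstat                R
/usr/bin/passwd                 R
/usr/bin/ppp                    R
/usr/bin/quota                  R
/usr/bin/rundos                 R
/usr/bin/su                     R
/usr/bin/tip                    R
/usr/bin/uptime                 R
/usr/bin/uucp                   R
/usr/bin/uuname                 R
/usr/bin/uux                    R
/usr/bin/vgafont                R
/usr/bin/w                      R
/usr/bin/wall                   R
/usr/bin/write                  R
/usr/bin/rdist                  R
/usr/bin/rlogin                 R
/usr/bin/rsh                    R
/usr/bin/register               R
/usr/contrib/bin/faxspooler     R
/usr/contrib/bin/kermit         R
/usr/contrib/bin/screen         R
/usr/libexec/bugfiler           R
/usr/libexec/expreserve         R
/usr/libexec/mail.local         R
/usr/libexec/uucico             R
/usr/libexec/uuparams           R
/usr/libexec/uusched            R
/usr/libexec/uuxqt              R
/usr/local/bin/elm              R
/usr/local/bin/filter           R
/usr/local/bin/ntpdate          R
/usr/local/bin/watcher          R
/usr/local/bin/autoreply        R
/usr/sbin/lpc                   R
/usr/sbin/sendmail              R
/usr/sbin/arp                   R
/usr/sbin/sliplogin             R
/usr/sbin/timedc                R
/usr/sbin/traceroute            R
/usr/sbin/trpt                  R
/usr/sbin/trsp                  R
/bin/df                         R
/bin/ps                         R
/bin/rcp                        R
/sbin/disklabel                 R
/sbin/disksetup                 R
/sbin/dmesg                     R
/sbin/dump                      R
/sbin/restore                   R
/sbin/route                     R
/sbin/shutdown                  R
/sbin/ping                      R
/sbin/rdump                     R
/sbin/rrestore                  R
/hell/X11/bin/X                 R
/hell/X11/bin/X386-SGCS         R
/hell/X11/bin/Xbsdi386          R
/hell/X11/bin/xload             R
/hell/X11/bin/xterm             R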