# $Id: tw.config,v 1.4 1993/11/22 06:38:06 genek Exp $
#
# tw.config -- Tripwire 1.2 policy: which paths are scanned and which
# inode attributes are compared against the stored database.
#
# Typical workflow:
#   cd /var/spool/tripwire
#   tripwire -initialize
#   tripwire -update /etc/newly.installed.file
#
# 17-Mar-98 amo Take out /dev DEVM
# 20-Oct-98 amo Modified for Linux-Consulting
# 25-Oct-98 amo Watch the /usr/local/{bin,sbin} binaries
#
#
# This file contains a list of files and directories that System
# Preener will scan. Information collected from these files will be
# stored in the tw.database file.
#
# Format: [!|=] entry [ignore-flags]
#
# where: '!' signifies the entry is to be pruned (inclusive) from
#            the list of files to be scanned.
#        '=' signifies the entry is to be added, but if it is
#            a directory, then all its contents are pruned
#            (useful for /tmp).
#
# where: entry is the absolute pathname of a file or a directory
#
# where ignore-flags are in the format:
#        [template][ [+|-][pinugsam12] ... ]
#
#        - : ignore the following attributes
#        + : do not ignore the following attributes
#
#        p : permission and file mode bits    a: access timestamp
#        i : inode number                     m: modification timestamp
#        n : number of links (ref count)      c: inode creation timestamp
#        u : user id of owner                 1: signature 1
#        g : group id of owner                2: signature 2
#        s : size of file
#
# NOTE: 'c' is the inode's ctime. On most Unix systems ctime also moves
# whenever the file is written, so a mask without s/m/1/2 still sees
# *that* a file changed, but not what changed -- the content hashes
# (1, 2) are never compared for such an entry.
#
# Modes we want:
#
# Log file: only mode, owner, group and link count -- size and mtime
# may grow freely.
@@define LOGFILEM E+pugn
# Config file: mode, inode, links, owner, group, ctime. Size, mtime and
# both signatures are NOT compared (see the ctime note above).
@@define CONFM E+pinugc
# Binary: everything except atime and mtime -- both signatures included.
@@define BINM E+pnugsci12
# Directory: mode, links, owner, group only.
@@define DIRM E+pnug
# Data file (same as BINM currently)
@@define DATAM E+pnugsci12
# Device files: like BINM minus the signatures (no content to hash).
@@define DEVM E+pnugsci
#
# NOTE: of the six masks above only CONFM, BINM and DIRM are referenced
# by the entries at the end of this file; LOGFILEM, DATAM and DEVM are
# currently unused.
#
#
# Ex: The following entry will scan all the files in /etc, and report
# any changes in mode bits, inode number, reference count, uid,
# gid, modification and creation timestamp, and the signatures.
# However, it will ignore any changes in the access timestamp.
#
#       /etc    +pinugsm12-a
#
# The following templates have been pre-defined to make these long ignore
# mask descriptions unnecessary.
#
# Templates: (default)  R : [R]ead-only (+pinugsm12-a)
#                       L : [L]og file (+pinug-sam12)
#                       N : ignore [N]othing (+pinusgsamc12)
#                       E : ignore [E]verything (-pinusgsamc12)
#                       > : like [L], but ignore growing files
#
# By default, Tripwire uses the R template -- it ignores
# only the access timestamp.
#
# You can use templates with modifiers, like:
#       Ex:     /etc/lp         E+ug
#
# Example configuration file:
#       /etc            R       # all system files
#       !/etc/lp        R       # ...but not those logs
#       =/tmp           N       # just the directory, not its files
#
# ====
#
# Preprocessor directives:
#
# The following directives provide C-preprocessor and m4-like
# functionality:
#
#       @@ifhost hostname  : included if (hostname) matches
#       @@ifnhost hostname : included if (hostname) doesn't
#                            match.
#                            (both need matching @@endif)
#
#       @@define x         : defines (x)
#       @@undef x          : undefines (x)
#
#       @@ifdef x          : included if (x) is defined.
#       @@ifndef x         : included if (x) is not defined.
#                            (both need matching @@endif)
#
#       @@endif            : closes up @@ifhost, @@ifdef,
#                            and @@ifndef.
#
# Example:
# A host-dependent inclusion can be specified many ways so tw.config
# files can be shared among multiple machines. So, if the machine
# "mentor.cc.purdue.edu" is the only machine that has a certain file,
# you could use:
#
#       @@ifhost mentor.cc.purdue.edu
#       /etc/tw.log.mentor      R
#       @@endif
#
# ---- Scanned entries ----------------------------------------------
#
# exclude all of /proc
=/proc E
#
# /dev was removed on 17-Mar-98 (see history above). NOTE: no entry
# below covers /dev, so ownership or mode changes on device nodes are
# not reported by this policy.
#=/dev @@DIRM
# /dev @@DEVM
#
# /etc uses CONFM: content changes to files here are only noticed via
# ctime, never via size or signature. Files under /etc whose contents
# must be verifiable (e.g. the account and authentication files) may
# warrant their own entry with the signatures enabled (BINM, or
# CONFM plus +s12).
#=/etc @@DIRM
/etc @@CONFM
# Binary directories
#=/usr/sbin @@DIRM
/usr/sbin @@BINM
#=/usr/bin @@DIRM
/usr/bin @@BINM
#=/sbin @@DIRM
/sbin @@BINM
#=/bin @@DIRM
/bin @@BINM
#=/lib @@DIRM
/lib @@BINM
#=/usr/lib @@DIRM
/usr/lib @@BINM
#
# 16-Apr-98 amo Added /usr/local
# 25-Oct-98 amo Watch the binaries
# NOTE: directories are scanned recursively, so /usr/local @@BINM
# already reaches bin/ and sbin/; the two explicit lines restate the
# same mask and are harmless.
/usr/local @@BINM
/usr/local/bin @@BINM
/usr/local/sbin @@BINM
# /usr/src: present in the database but nothing about it is compared.
=/usr/src E
# /tmp: the directory inode itself only, contents are pruned.
=/tmp @@DIRM
#
# NOTE: nothing in this list covers /boot (kernel and boot loader) or
# the per-user and /var trees; add entries there if that coverage is
# wanted on this host.
#
#
#
# tw.config from /usr/src/Security/tripwire-1.2/contrib/README.linux
#
#
# For checking, this command works reasonably well:
#
#   ./tripwire -v -interactive -loosedir -d databases/tw.db1 -c tw.config
#
#
# To update with new files:
#
#   cd /var/spool/tripwire
#   tripwire -update New_File
#
# Get rid of silly linuxconf file that causes core dumps
# ------------------------------------------------------
# (unrelated to Tripwire; kept from the original README.linux notes)
#   cd /usr/lib/linuxconf/images
#   mv Exportova* Hyv* Ky* Lis* Nast* Od* Pot* Poz* Pr* Pub* Res* Sp* Te* Ul* Up* /tmp
#   mv Vl* Yh* Zm* ?no.gif ?lohy.gif /tmp
#
# end of file