Comments and suggestions concerning this book should be mailed to gmourani@videotron.ca
© Copyright 1999-2000 Gerhard Mourani and Open Network Architecture ®
$(TWPOL)/tw.pol
-> $(SEC_BIN) -i;
$(TWBIN)/tw.cfg
-> $(SEC_BIN) -i;
$(TWLKEY)/$(HOSTNAME)-local.key -> $(SEC_BIN) ;
$(TWSKEY)/site.key
-> $(SEC_BIN) ;
#don't scan the individual reports
$(TWREPORT)
-> $(Dynamic) (recurse=0);
}
# Files that are critical to a correct system boot.
# /boot is checked with the SEC_CRIT mask (defined outside this excerpt).
# The two "!" stop points take /boot/System.map and /boot/module-info out of
# the scan, so a change to either file is NOT reported by this rule.
# Note: emailto is only acted on when the integrity check is run with
# --email-report; otherwise violations appear in the report file only.
(
  emailto = admin@openarch.com,
  rulename = "Critical system boot files",
  severity = 100
)
{
  /boot                 -> $(SEC_CRIT) ;
  !/boot/System.map ;
  !/boot/module-info ;
}
# Files that change the behavior of the root account.
# Everything under /root uses the SEC_CRIT mask, except the shell history,
# which gets the SEC_LOG mask instead (presumably because it changes during
# normal root sessions; confirm against the SEC_LOG definition earlier in
# the policy).
(
  emailto = admin@openarch.com,
  rulename = "Root config files",
  severity = 100
)
{
  /root                 -> $(SEC_CRIT) ;
  /root/.bash_history   -> $(SEC_LOG) ;
}
# Commonly accessed directories whose owner and group should remain static.
# recurse = 0 limits each rule to the directory object itself: the contents
# of these directories are not examined by this rule and need their own
# rules elsewhere in the policy.
(
  emailto = admin@openarch.com,
  rulename = "Invariant Directories",
  severity = $(SIG_MED)
)
{
  /                     -> $(SEC_INVARIANT) (recurse = 0) ;
  /home                 -> $(SEC_INVARIANT) (recurse = 0) ;
  /etc                  -> $(SEC_INVARIANT) (recurse = 0) ;
  /chroot               -> $(SEC_INVARIANT) (recurse = 0) ;
  /cache                -> $(SEC_INVARIANT) (recurse = 0) ;
}
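# Login shells, checked with the SEC_BIN mask.
# A rule without an explicit severity attribute gets Tripwire's default
# severity of 0, so any check run with a severity threshold
# (tripwire --check --severity N) would silently skip the shells.
# The severity is therefore set explicitly to the same level as the
# "OS executables and libraries" rule in this policy.
(
  emailto = admin@openarch.com,
  rulename = "Shell Binaries",
  severity = $(SIG_HI)
)
{
  /bin/bsh              -> $(SEC_BIN) ;
  /bin/csh              -> $(SEC_BIN) ;
  /bin/sh               -> $(SEC_BIN) ;
}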
# Rest of the critical system binaries and the shared libraries.
# Both trees use the predefined ReadOnly mask. The more specific /bin/*
# entries of the "Shell Binaries" rule apply to those individual files.
(
  emailto = admin@openarch.com,
  rulename = "OS executables and libraries",
  severity = $(SIG_HI)
)
{
  /bin                  -> $(ReadOnly) ;
  /lib                  -> $(ReadOnly) ;
}
# Local files: system and user command directories, checked with SEC_BIN.
# NOTE(review): recurse = 1 limits the scan depth to one level, so files
# inside any subdirectory of /sbin, /usr/sbin or /usr/bin are not covered
# by this rule. Confirm these directories are flat on the target host, or
# raise the depth if full coverage is intended.
(
  emailto = admin@openarch.com,
  rulename = "User binaries",
  severity = $(SIG_MED)
)
{
  /sbin                 -> $(SEC_BIN) (recurse = 1) ;
  /usr/sbin             -> $(SEC_BIN) (recurse = 1) ;
  /usr/bin              -> $(SEC_BIN) (recurse = 1) ;
}
# Temporary directories
(emailto = admin@openarch.com, rulename = "Temporary directories", recurse = false, severity =
$(SIG_LOW))
{
/usr/tmp
-> $(SEC_INVARIANT);
/var/tmp
-> $(SEC_INVARIANT);