@@section GLOBAL
TWROOT=/usr/sbin;
TWBIN=/usr/sbin;
TWPOL="/var/ipfire/tripwire";
TWDB="/var/ipfire/tripwire";
TWSKEY="/var/ipfire/tripwire";
TWLKEY="/var/ipfire/tripwire";
TWREPORT="/var/ipfire/tripwire/report";
HOSTNAME=ipfire;

@@section FS
SEC_CRIT      = $(IgnoreNone)-SHa ;  # Critical files that cannot change
SEC_CONFIG    = $(Dynamic) ;         # Config files that are changed infrequently but accessed often
SEC_LOG       = $(Growing) ;         # Files that grow, but that should never change ownership
SEC_INVARIANT = +tpug ;              # Directories that should never change permission or ownership
SIG_LOW       = 33 ;                 # Non-critical files that are of minimal security impact
SIG_MED       = 66 ;                 # Non-critical files that are of significant security impact
SIG_HI        = 100 ;                # Critical files that are significant points of vulnerability

# System Files

(
  rulename = "System Files",
  severity = $(SIG_HI)
)
{
  $(TWDB)                          -> $(SEC_CRIT) ;
  $(TWPOL)/tw.pol                  -> $(SEC_CRIT) -i ;
  $(TWPOL)/tw.cfg                  -> $(SEC_CRIT) -i ;
  $(TWLKEY)/local.key              -> $(SEC_CRIT) ;
  $(TWSKEY)/site.key               -> $(SEC_CRIT) ;

  /bin		                         -> $(SEC_CRIT) ;
  /boot                            -> $(SEC_CRIT) ;
  /etc                             -> $(SEC_CRIT) ;
  /etc/snort/rules/                -> $(Dynamic)  ;
  /lib                             -> $(SEC_CRIT) ;
  /root                            -> $(SEC_CRIT) ;
  /root/.bash_history              -> $(Dynamic)  ;
  /sbin                            -> $(SEC_CRIT) ;
  /usr                             -> $(SEC_CRIT) ;
  /usr/share/clamav                -> $(Dynamic)  ;
  /etc/mtab                        -> $(SEC_CONFIG) -i ; # Inode number changes on any mount/unmount

  #don't scan the individual reports
  $(TWREPORT)                      -> $(SEC_CONFIG) (recurse=0) ;
}

# Commonly accessed directories that should remain static with regards to owner and group
(
  rulename = "Invariant Directories",
  severity = $(SIG_MED)
)
{
  /                               -> $(SEC_INVARIANT) (recurse = 0) ;
  /home                           -> $(SEC_INVARIANT) (recurse = 0) ;
  /tmp                            -> $(SEC_INVARIANT) ;
}

# Critical Devices

(
  rulename = "Critical devices",
  severity = $(SIG_HI),
  recurse = false
)
{
     /dev/console                 -> $(SEC_CONFIG) -u ; # User ID may change on console login/logout.
     /dev/initctl                 -> $(SEC_CONFIG) ;     /dev/log                     -> $(SEC_CONFIG) ;
     /proc/modules                -> $(Device) ;
     /proc/mounts                 -> $(Device) ;
     /proc/filesystems            -> $(Device) ;
     /proc/misc                   -> $(Device) ;
     /var/log                     -> $(SEC_LOG) ;
}
