  ##############################################################################
 #                                                                            ##
############################################################################## #
#                                                                            # #
#                        Policy file for AIX 5.X                             # #
#                                                                            ##
##############################################################################

  ##############################################################################
 #                                                                            ##
############################################################################## #
#                                                                            # #
# Global Variable Definitions                                                # #
#                                                                            # #
# These are defined at install time by the installation script.  You may     # #
# Manually edit these if you are using this file directly and not from the   # #
# installation script itself.                                                # #
#                                                                            ##
##############################################################################

@@section GLOBAL
TWDOCS=;
TWROOT=;
TWBIN=;
TWPOL=;
TWDB=;
TWSKEY=;
TWLKEY=;
TWREPORT=;
HOSTNAME=;

  ##############################################################################
 #  Predefined Variables                                                      #
##############################################################################
#
#  Property Masks
#
#  -  ignore the following properties
#  +  check the following properties
#
#  a  access timestamp (mutually exclusive with +CMSH)
#  b  number of blocks allocated
#  c  inode creation/modification timestamp
#  d  ID of device on which inode resides
#  g  group id of owner
#  i  inode number
#  l  growing files (logfiles for example)
#  m  modification timestamp
#  n  number of links
#  p  permission and file mode bits
#  r  ID of device pointed to by inode (valid only for device objects)
#  s  file size
#  t  file type
#  u  user id of owner
#
#  C  CRC-32 hash
#  H  HAVAL hash
#  M  MD5 hash
#  S  SHA hash
#
##############################################################################

SEC_DEVICE        = +pugsdr-intlbamcCMSH ;
SEC_DYNAMIC       = +pinugtd-srlbamcCMSH ;
SEC_GROWING       = +pinugtdl-srbamcCMSH ;
SEC_IGNORE_ALL    = -pinugtsdrlbamcCMSH ;
SEC_IGNORE_NONE   = +pinugtsdrbamcCMSH-l ;
SEC_READONLY      = +pinugtsdbmCM-rlacSH ;
SEC_TEMPORARY     = +pugt ;


@@section FS 

  ########################################
 #                                      ##
######################################## #
#                                      # #
#  Tripwire Binaries and Data Files    # #
#                                      ##
########################################

# Tripwire Binaries
(
  rulename = "Tripwire Binaries",
)
{
  $(TWBIN)/siggen                      -> $(SEC_READONLY) ;
  $(TWBIN)/tripwire                    -> $(SEC_READONLY) ;
  $(TWBIN)/twadmin                     -> $(SEC_READONLY) ;
  $(TWBIN)/twprint                     -> $(SEC_READONLY) ;
}

# Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases
(
  rulename = "Tripwire Data Files",
)
{
  # NOTE: We remove the inode attribute because when Tripwire creates a backup,
  # it does so by renaming the old file and creating a new one (which will
  # have a new inode number).  Inode is left turned on for keys, which shouldn't
  # ever change.

  # NOTE: The first integrity check triggers this rule and each integrity check
  # afterward triggers this rule until a database update is run, since the
  # database file does not exist before that point.

  $(TWDB)                              -> $(SEC_DYNAMIC) -i ;
  $(TWPOL)/tw.pol                      -> $(SEC_READONLY) -i ;
  $(TWPOL)/tw.cfg                      -> $(SEC_READONLY) -i ;
  $(TWLKEY)/$(HOSTNAME)-local.key      -> $(SEC_READONLY) ;
  $(TWSKEY)/site.key                   -> $(SEC_READONLY) ;

  # don't scan the individual reports
  $(TWREPORT)                          -> $(SEC_DYNAMIC) (recurse=0) ;
}

  ################################################
 #                                              ##
################################################ #
#                                              # #
#  OS Boot and Configuration Files             # #
#                                              ##
################################################
(
  rulename = "OS Boot and Configuration Files",
)
{
  /etc                          -> $(SEC_IGNORE_NONE) -SHa ;
}

  ###################################################
 #                                                 ##
################################################### #
#                                                 # #
#  Mount Points                                   # #
#                                                 ##
###################################################
(
  rulename = "Mount Points",
)
{
  /                             -> $(SEC_READONLY) ;
  /usr                          -> $(SEC_READONLY) ;
  /var                          -> $(SEC_READONLY) ;
}

  ###################################################
 #                                                 ##
################################################### #
#                                                 # #
#  Misc Top-Level Directories                     # #
#                                                 ##
###################################################
(
  rulename = "Misc Top-Level Directories",
)
{
  /lost+found                   -> $(SEC_READONLY) ;
  /hacmplocal                   -> $(SEC_READONLY) ;
  /homelocal                    -> $(SEC_READONLY) ;
  /opt                          -> $(SEC_READONLY) ;
  !/var/adm/csd	;
}

  ################################################
 #                                              ##
################################################ #
#                                              # #
#   System Devices                             # #
#                                              ##
################################################
(
  rulename = "System Devices",
)
{
  /dev                          -> $(SEC_DEVICE) ;
}

  ################################################
 #                                              ##
################################################ #
#                                              # #
#  OS Binaries and Libraries                   # #   
#                                              ##
################################################
(
  rulename = "OS Binaries and Libraries",
)
{
  /sbin                         -> $(SEC_READONLY) ;
  /usr/bin                      -> $(SEC_READONLY) ;
  /usr/lib                      -> $(SEC_READONLY) ;
  /usr/sbin                     -> $(SEC_READONLY) ;
}

  ################################################
 #                                              ##
################################################ #
#                                              # #
#  Root Directory and Files                    # #
#                                              ##
################################################
(
  rulename = "Root Directory and Files",
)
{
  #/.dtprofile                    -> $(SEC_DYNAMIC) ;
  ! /.netscape/cache ; 
  /.netscape/history.dat         -> $(SEC_DYNAMIC) ;
  /.sh_history                   -> $(SEC_DYNAMIC) ;
  #/.Xauthority                   -> $(SEC_READONLY) ;
}

  ################################################
 #                                              ##
################################################ #
#                                              # #
#  Temporary Directories                       # #
#                                              ##
################################################
(
  rulename = "Temporary Directories",
)
{
  /tmp                          -> $(SEC_TEMPORARY) ;
  /var/tmp                      -> $(SEC_TEMPORARY) ;
}

  ################################################
 #                                              ##
################################################ #
#                                              # #
#  Directories to Ignore                       # #
#                                              ##
################################################
(
  rulename = "Directories to Ignore",
)
{
  !/proc ;
}


  ################################################
 #                                              ##
################################################ #
#                                              # #
#  System and Boot Changes                     # #
#                                              ##
################################################
(
  rulename = "System and Boot Changes",
)
{
  /etc/es/objrepos		-> $(SEC_READONLY) -SHacm ;
  /etc/es/objrepos/HACMPresource -> $(SEC_READONLY) -SHCMcm ;
  /etc/lpp/diagnostics/data 	-> $(SEC_READONLY) -SHCMacm ;
  /etc/ntp.drift		-> $(SEC_READONLY) -SHiacm ;
  !/etc/objrepos ;
  /etc/security			-> $(SEC_READONLY) -SHacm ;
  /usr/es/adm/cluster.log	-> $(SEC_READONLY) -SHCMsbm ;
  /usr/es/sbin/cluster/etc/objrepos/active -> $(SEC_READONLY) -SHim ;
  !/usr/etc/sbin/cluster/history ;
  /usr/share/lib/objrepos      -> $(SEC_READONLY) -m ;
  /usr/lib/objrepos      -> $(SEC_READONLY) -m ;
  !/var/adm/SPlogs ;
  /var/ha/log                      -> $(SEC_GROWING) -i ;
  !/var/adm ;
  !/var/ct ;

  #/var/backups                    -> $(SEC_DYNAMIC) -i ;
  #/var/db/host.random             -> $(SEC_READONLY) -mCM ;
  #/var/db/locate.database         -> $(SEC_READONLY) -misCM ;
  #/var/cron                       -> $(SEC_GROWING) -i ;
  #/var/log                        -> $(SEC_GROWING) -i ;
  #/var/run                        -> $(SEC_DYNAMIC) -i ;
  #/var/mail                       -> $(SEC_GROWING) ;
  #/var/msgs/bounds                -> $(SEC_READONLY) -smbCM ;
  #/var/spool/clientmqueue         -> $(SEC_TEMPORARY) ;
  #/var/spool/mqueue               -> $(SEC_TEMPORARY) ;
  #!/var/tmp/vi.recover ;           # perl script periodically removes this
}
