#
# tripwire.config
# Generic version for SunOS 5.x (i.e, Solaris2.*)
# Preliminary version by Bob Cunningham (bob@soest.hawaii.edu) 24June1993
# Will need editing...see comments below
#
# This file contains a list of files and directories that System 
# Preener will scan.  Information collected from these files will be 
# stored in the tripwire.database file.
#
# Format: 			[!|=] entry [ignore-flags]
#
# where:	 '!' signifies the entry is to be pruned (inclusive) from
#				the list of files to be scanned.
#		 '=' signifies the entry is to be added, but if it is
#				a directory, then all its contents are pruned
#				(useful for /tmp).
#
# where:	entry is the absolute pathname of a file or a directory
#
# where ignore-flags are in the format:
#		[template][ [+|-][pinugsam12] ... ]
#
# 	- :  ignore the following atributes
#	+ :  do not ignore the following attributes
#
#	p :  permission and file mode bits 	a: access timestamp
#	i :  inode number			m: modification timestamp
#	n :  number of links (ref count)	c: inode creation timestamp
#	u :  user id of owner			1: signature 1
#	g :  group id of owner			2: signature 2
#	s :  size of file
#
#
# Ex:   The following entry will scan all the files in /etc, and report
#	any changes in mode bits, inode number, reference count, uid,
#	gid, modification and creation timestamp, and the signatures.
#	However, it will ignore any changes in the access timestamp.
#
#	/etc	+pinugsm12-a
#
# The following templates have been pre-defined to make these long ignore
# mask descriptions unecessary.
#
# Templates: 	(default)	R :  [R]ead-only (+pinugsm12-a)
#				L :  [L]og file (+pinug-sam12)
#				N :  ignore [N]othing (+pinusgsamc12)
#				E :  ignore [E]verything (-pinusgsamc12)
#
# By default, Tripwire uses the R template -- it ignores
# only the access timestamp.
#
# You can use templates with modifiers, like:
#	Ex:  /etc/lp	E+ug
#
#	Example configuration file:
#		/etc		R	# all system files
#		!/etc/lp	R	# ...but not those logs
#		=/tmp		N	# just the directory, not its files
#
# Note the difference between pruning (via "!") and ignoring everything
# (via "E" template):  Ignoring everything in a directory still monitors
# for added and deleted files.  Pruning a directory will prevent Tripwire
# from even looking in the specified directory.
#
#
# Tripwire running slowly?  Modify your tripwire.config entries to
# ignore the (signature 2) attribute when this computationally-exorbitant 
# protection is not needed.  (See README and design document for further
# details.)
#

#  First, root's "home"

=/			L
/.rhosts		R	# may not exist
/.profile		R	# may not exist
/.cshrc			R	# may not exist
/.login			R	# may not exist
#/.exrc			R	# may not exist
/.logout		R	# may not exist
#/.emacs		R	# may not exist
/.forward		R	# may not exist
/.netrc			R	# may not exist
#/.mailrc		R	# may not exist

# Unix itself

/kernel/unix		R

# Now, some critical directories and files
#  Some exceptions are noted further down

/dev			L
/devices		L
=/devices/pseudo	L

/etc			R
/etc/default		R
/etc/dfs/dfstab		R
/etc/dfs/sharetab	R
/etc/dumpdates		L
/etc/group		R	# changes should be infrequent
/etc/hosts.equiv	R
/etc/inet/inetd.conf	R
/etc/inet/protocols	R
/etc/inet/services	R
/etc/init.d		R
/etc/motd		L
#/etc/named.boot	R	# may not exist
/etc/opt		R
/etc/passwd		L
/etc/profile		R
/etc/remote		R
/etc/rmtab		L
/etc/rpc		R
=/etc/saf		L
/etc/shadow		L
/etc/system		R
/etc/ttydefs		L
/etc/ttysrch		R

/hsfsboot		R

/kernel			R

/opt			R

/sbin			R

/ufsboot		R

/usr/sbin		R

=/var			L
=/var/adm		L
/var/adm/utmp		L
/var/adm/wtmp		L
/var/adm/wtmpx		L
/var/adm/sulog		L
=/var/adm/sa		L
=/var/spool		L

# Checksumming the following is not so critical.  However,
#  setuid/setgid files are special-cased further down.

=/usr			L
/usr/aset		R-2
/usr/bin		R-2
/usr/ccs		R-2
/usr/kernel		R-2
/usr/lib		R-2
/usr/ucb		R-2
/usr/openwin/bin	R-2

# You may or may not have the following
#/usr/ftp		L
#/usr/ftp/bin		R
#/usr/ftp/etc		R

# put entries in for /var/yp if you need it
# put entries for uucp if you need them
# put entries for /var/adm if you need it

=/tmp			L
=/var/tmp		L
=/proc			L

#  Here are entries for setuid/setgid files.  On these, we use
#  both signatures just to be sure.
#
#  You may want/need to edit this list.  Batteries not inc.

/usr/bin/at			R
/usr/bin/atq			R
/usr/bin/atrm			R
/usr/bin/chkey			R
/usr/bin/crontab		R
/usr/bin/ct			R
/usr/bin/cu			R
/usr/bin/eject			R
/usr/bin/login			R
/usr/bin/mail			R
/usr/bin/mailx			R
/usr/bin/netstat		R
/usr/bin/newgrp			R
/usr/bin/nfsstat		R
/usr/bin/passwd			R
/usr/bin/ps			R
/usr/bin/rcp			R
/usr/bin/rsh			R
/usr/bin/rdist			R
/usr/bin/rlogin			R
/usr/bin/su			R
/usr/bin/tip			R
/usr/bin/uucp			R
/usr/bin/uuglist		R
/usr/bin/uuname			R
/usr/bin/uustat			R
/usr/bin/uux			R
/usr/bin/volcheck		R
/usr/bin/w			R
/usr/bin/write			R
/usr/bin/yppasswd		R
/usr/ucb/ps			R

# Some other /usr/bin programs you may also wish to check
/usr/bin/csh			R
/usr/bin/jsh			R
/usr/bin/kdestroy		R
/usr/bin/keylogin		R
/usr/bin/keylogout		R
/usr/bin/kinit			R
/usr/bin/klist			R
/usr/bin/ksh			R
/usr/bin/ksrvtgt		R
/usr/bin/rksh			R
/usr/bin/sh			R