# tw.config - brief tripwire configuration to check for backdoors
#
# This file contains a list of key files which should be watched
# for changes due to hackers inserting trojan/back-door versions.
# Keep the list small for speed, focus on files, not whole directories.
#
# For use by Ivan and Nigel.  Copy to /usr/local/adm (or wherever you
# run Nigel and Ivan) as tw.config
# See man tw.config(5) for an explanation of the format of this file.
#
# Quick reminder of the entry format used below (details in tw.config(5)):
#   pathname  select-flags
#   R         read-only template: the strict template, used for binaries
#             and configuration that should never change between runs
#   L         log-file template: growth of the file is tolerated
#   L-n       the L template with the link-count check (flag n) removed,
#             for directories whose entry count changes in normal use
#   =path     check the entry itself but do not descend into it
#   !path     ignore the entry entirely
#   @@include file   read further entries from another file
#
# Eric Myers - 21 May 1998
# Department of Physics, University of Michigan, Ann Arbor
# Copyright (C) 1998 by Eric Myers, all rights reserved.
# @(#) $Id: tw.config.Nigel,v 3.13 2000/10/03 03:21:27 myers Exp myers $
######################################################################

##
# Key binaries - stuff to always check for changes
# (selected from experience from break-ins and CERT reports)
#
# The same program is listed under every path it lives at on the
# different systems this file is shared with; a path that does not
# exist on a given host is simply not checked there.
##
/bin/du                         R
/bin/find                       R
/bin/login                      R
/bin/ls                         R
/bin/passwd                     R
/bin/ps                         R
/bin/sh                         R
/bin/tar                        R
/bin/netstat                    R

/usr/sbin/ifconfig              R
/usr/sbin/inetd                 R
/usr/sbin/named                 R
/usr/sbin/sendmail              R
/usr/sbin/syslogd               R
/usr/sbin/tcpd                  R
# NOTE(review): this is the only entry without explicit select-flags, so
# whatever default tw.config(5) applies is used here; every other binary
# in this file is an explicit R - confirm that is the intended coverage.
/usr/sbin/in.fingerd

/usr/lib/sendmail               R
/usr/lib/lanscan                R

/usr/etc/ifconfig               R
/usr/etc/in.named               R
/usr/etc/in.rshd                R
/usr/etc/inetd                  R
/usr/etc/named                  R
/usr/etc/syslogd                R
/usr/etc/tcpd                   R

/usr/bin/chfn                   R
/usr/bin/chsh                   R
/usr/bin/csh                    R
/usr/bin/du                     R
/usr/bin/find                   R
/usr/bin/ftp                    R
/usr/bin/ksh                    R
/usr/bin/login                  R
/usr/bin/ls                     R
/usr/bin/netstat                R
/usr/bin/newgrp                 R
/usr/bin/passwd                 R
/usr/bin/ps                     R
/usr/bin/rdist                  R
/usr/bin/remsh                  R
/usr/bin/rksh                   R
/usr/bin/rsh                    R
/usr/bin/sh                     R
/usr/bin/su                     R
/usr/bin/telnet                 R
/usr/bin/top                    R

/sbin/ifconfig                  R
/sbin/ls                        R
/sbin/sh                        R

/etc/ifconfig                   R
/etc/inetd                      R

/usr/local/etc/tcpd             R
/usr/local/etc/ftpd             R
/usr/local/etc/smrsh            R
/usr/local/etc/httpd/httpd      R
# The checker itself: a replaced tripwire binary could hide everything else.
/usr/local/bin/tripwire         R

##
# Configuration Files
# (trust relationships, service tables and login environment - the files
# an intruder edits to keep a way back in without touching a binary)
##
/.rhosts                        R
/etc/csh.login                  R
/etc/exports                    R
/etc/group                      R
/etc/hosts.allow                R
/etc/hosts.equiv                R
/etc/inetd.conf                 R
/etc/nsswitch.conf              R
/etc/profile                    R
/etc/resolv.conf                R
/etc/shells                     R
/etc/syslog.conf                R
/etc/securetty                  R

##
# Libraries (just watch for new links, etc)
# The leading = means the directory entry itself is checked (new or
# removed names, ownership, mode) without recursing into every file.
##
=/usr/lib                       R
=/usr/bin                       R
=/usr/sbin                      R
=/bin                           R
=/sbin                          R
=/lib                           R

##
# HP-UX stuff:
##
/usr/bin/X11/hpterm             R
/usr/bin/bdf                    R
/usr/bin/landiag                R
/usr/bin/mediainit              R
/usr/bin/ppl                    R
/usr/bin/top                    R
/etc/lanscan                    R
/etc/linkloop                   R
/etc/mediainit                  R

##
# BSD (Sun/NeXT):
##
/usr/ucb/ftp                    R
/usr/ucb/netstat                R
/usr/ucb/telnet                 R
/usr/kvm/ps                     R

##
# Linux:
##
/bin/netstat                    R
/sbin/ifconfig                  R
/sbin/init                      R
/root/.rhosts                   R
/root/.shosts                   R

##
# Hackers also like to hide things in /dev and spool areas
##
=/dev                           L       # /dev changes due to pty's
=/dev/rmt                       R
=/dev/dsk                       R
=/dev/rdsk                      R
# pty device nodes churn constantly; excluded so they do not drown the report.
!/dev/pty
!/dev/ptym
!/dev/ttype
=/var/spool                     R
# Spool and temp directories legitimately gain and lose entries, so the
# link-count check is dropped (L-n); ownership and mode are still watched.
=/var/spool/cron                L-n
=/var/spool/mqueue              L-n
=/var/spool/cron/tmp            L-n
=/tmp                           L-n
=/var/tmp                       L-n

##
# SUID root files: some duplications, but be sure to check all
# Use `find / -user root -perm -4000 -print >tw.config.suid` to list
# all suid root.  Running Ivan will also create this list.
# The list must end up at /var/adm/tw.config.suid for the @@include to
# find it; the list file is itself checked (entry just before the include)
# so an edited list does not silently drop a file from the watch.
##
/var/adm/tw.config.suid
@@include /var/adm/tw.config.suid
##