Chapter 21. cf.files

#!/var/cfengine/bin/cfagent -qKf

control:

    # Only the files: action runs from this policy (see the two files: sections below).
    actionsequence = ( files )

       # cfengine-policy-description:  detect files which have purely non-alphanumeric filenames.  The files are then marked with a suffix .cf-nonalpha and are rendered visible.  These files can then be tidied by searching for the suffix. Note that "non-alphanumeric" here means filenames made only of ASCII codes less than 32 or greater than 126 (i.e. non-printable characters), which is a common trick for hiding files from a casual directory listing.
       # NOTE(review): this is a write action, not just a report -- matching files are renamed on disk.  Confirm that is acceptable on every filesystem the files: rules below recurse into.

       NonAlphaNumFiles = ( on )



    # cfengine-policy-description: look for traces of malware while scanning files/directories (look for suspicious file names)
    # This is a filename-only heuristic: a rootkit that installs under innocuous names is not caught here,
    # so treat a hit as a cheap early warning and rely on the checksum/ownership checks in files: for coverage.

    SuspiciousNames = ( .mo lrk3 lkr3 nuke rootkit cloak zap
    icepick toneloc .ek wzap clnlog sniff.pid sp.pl )  

files:

    # cfengine-policy-description: check dir ownership and perms: /var/cfengine.  (An earlier version of this comment also named /var/log/ufr, but no rule for it exists in this file -- add one or drop the reference.)

    # If the database isn't secure, nothing is secure...  
    # /var/cfengine holds the agent binary (see the shebang) and the state the checksum rules below compare against,
    # so this is enforced (fixall) rather than merely reported, on every entry in the tree.  inform=off keeps the
    # repairs quiet; switch it on when first deploying so unexpected ownership changes are visible.
    /var/cfengine/        mode=700 owner=root group=root action=fixall recurse=inf inform=off 


    # cfengine-policy-description: on Linux, check: /bin, /sbin, /usr/bin, /usr/sbin/, /usr/local/bin, /usr/local/sbin.  check md5 checksums, ownership, and permissions.
    # action=warnall: these rules only report.  The comma-separated owner/group lists are the accepted values;
    # anything outside them (or any file with the other-write bit set) is flagged but not changed.
    # Two caveats on checksum=md5:
    #  - the baseline is whatever was on disk the first time the rule ran, so a binary trojaned before deployment is
    #    recorded as "good".  Seed from a trusted build, or cross-check against package manager verification.
    #  - MD5 collisions are practical; newer cfengine 2 releases also accept checksum=sha -- prefer it if this agent
    #    version supports it (confirm before changing).

  
    linux:: /bin             mode=o-w owner=0,rpm group=0,mail,rpm action=warnall recurse=inf checksum=md5 
    linux:: /usr/bin             mode=o-w owner=0,rpm group=0,tty,rpm,slocate,mail,nobody,uucp action=warnall recurse=inf checksum=md5 
    linux:: /sbin             mode=o-w owner=0 group=0 action=warnall recurse=inf checksum=md5 
    linux:: /usr/sbin         mode=o-w owner=0 group=0,utmp,lock,smmsp,apache action=warnall recurse=inf checksum=md5 
    linux:: /usr/local/bin/   mode=o-w owner=0 group=0 action=warnall recurse=inf checksum=md5 
    linux:: /usr/local/sbin/  mode=o-w owner=0 group=0 action=warnall recurse=inf checksum=md5 



    # cfengine-policy-description: scan /home and report any files with setuid/setgid bit  --- disabled
    # NOTE(review): while this stays disabled, setuid/setgid files planted under /home are not reported by anything
    # else in this policy.  If it was disabled for noise, consider re-enabling as warnall on a subset of hosts.

    # linux:: /home mode=-6000 action=warnall recurse=inf 



    # cfengine-policy-description: check individual file ownership and perms


    any::

        # Owner is enforced; group is deliberately left unconstrained because it differs between platforms.
        /etc/passwd           mode=644 owner=root action=fixall

    # master sudoers file
    # "mynodename" is presumably a placeholder for the class of the host that holds the master copy -- confirm it
    # resolves on exactly one host, otherwise this rule silently applies nowhere (or everywhere it matches).

    mynodename::

        /admin/sudoers        mode=440 owner=root action=fixall


    linux::

        /etc/shadow           mode=400 owner=root action=fixall

        # sudo itself refuses to run unless sudoers is 0440 and owned by the uid it was built to expect (root by default).
        /etc/sudoers          mode=440 owner=root action=fixall


    hpux::

       # NOTE(review): owner=bin differs from the root ownership enforced on Linux above.  sudo rejects a sudoers file
       # whose owner is not its compiled-in sudoers uid, so confirm this HP-UX build expects bin before relying on it.
       /opt/iexpress/sudo/etc/sudoers mode=440 owner=bin action=fixall



files:   

    # cfengine-policy-description: check for world writable files under / except in specified dirs
    # Report-only (warnall): nothing is chmod'ed.  mode=o-w flags any file or directory with the other-write bit set,
    # sticky or not, so the sticky scratch directories and pseudo-filesystems where that is expected are pruned with
    # ignore=.  Trade-off: a genuinely malicious world-writable file dropped inside an ignored tree is also missed.
    # Anything not listed is walked too -- e.g. /sys on 2.6+ kernels and any mounted network filesystems.  If the
    # walk is slow or noisy, consider adding ignore=/sys and cfengine 2's xdev option to stay on the root
    # filesystem (confirm the option is available in this agent version).
    /
    recurse=inf
    ignore=/dev
    ignore=/tmp    
    ignore=/proc
    ignore=/var/run
    ignore=/var/spool
    ignore=/var/tmp
    action=warnall
    mode=o-w