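#!/var/cfengine/bin/cfagent -qKf
#
# cfengine 2 policy: file integrity and permission checks for system
# directories and a handful of security-critical files.
# Interpreted by cfagent (-q/-K/-f: no splay, no lock, this policy file).
# Conventions used below:
#   action=warnall  deviations are reported only, never changed
#   action=fixall   deviations are repaired in place
#   owner=/group=   comma-separated lists of acceptable owners/groups
# All paths, modes and owner/group lists are as given by the policy author.

control:

    actionsequence = ( files )

    # cfengine-policy-description: detect files which have purely
    # non-alphanumeric filenames. The files are then marked with a suffix
    # .cf-nonalpha and are rendered visible. These files can then be tidied
    # by searching for the suffix. Note that non-alphanumeric (i.e.
    # non-printable) here means ascii codes less than 32 and greater than 126.
    NonAlphaNumFiles = ( on )

    # cfengine-policy-description: look for traces of malware while scanning
    # files/directories (look for suspicious file names)
    # Matching names are reported when a files: entry recurses over them.
    SuspiciousNames = ( .mo lrk3 lkr3 nuke rootkit cloak zap icepick toneloc .ek wzap clnlog sniff.pid sp.pl )

files:

    # cfengine-policy-description: check dir ownership and perms:
    # /var/cfengine and /var/log/ufr
    # If the database isn't secure, nothing is secure...
    # NOTE(review): only /var/cfengine has an entry in this file; /var/log/ufr
    # named in the description above is not checked here.
    /var/cfengine/ mode=700 owner=root group=root action=fixall recurse=inf inform=off

    # cfengine-policy-description: on Linux, check: /bin, /sbin, /usr/bin,
    # /usr/sbin/, /usr/local/bin, /usr/local/sbin. check md5 checksums,
    # ownership, and permissions.
    # warnall: unexpected owner/group, world-writable bits and content changes
    # (checksum=md5 against cfengine's stored checksums) are reported, not fixed.
    linux::
        /bin mode=o-w owner=0,rpm group=0,mail,rpm action=warnall recurse=inf checksum=md5
        /usr/bin mode=o-w owner=0,rpm group=0,tty,rpm,slocate,mail,nobody,uucp action=warnall recurse=inf checksum=md5
        /sbin mode=o-w owner=0 group=0 action=warnall recurse=inf checksum=md5
        /usr/sbin mode=o-w owner=0 group=0,utmp,lock,smmsp,apache action=warnall recurse=inf checksum=md5
        /usr/local/bin/ mode=o-w owner=0 group=0 action=warnall recurse=inf checksum=md5
        /usr/local/sbin/ mode=o-w owner=0 group=0 action=warnall recurse=inf checksum=md5

    # cfengine-policy-description: scan /home and report any files with
    # setuid/setgid bit --- disabled
    # linux:: /home mode=-6000 action=warnall recurse=inf

    # cfengine-policy-description: check individual file ownership and perms
    any::
        /etc/passwd mode=644 owner=root action=fixall

    # master sudoers file
    mynodename::
        /admin/sudoers mode=440 owner=root action=fixall

    linux::
        # NOTE(review): mode=400 is enforced exactly by fixall; confirm this
        # matches the expected shadow-file mode on every target distribution.
        /etc/shadow mode=400 owner=root action=fixall
        # No class of its own: inherits linux:: from the entry above.
        /etc/sudoers mode=440 owner=root action=fixall

    hpux::
        /opt/iexpress/sudo/etc/sudoers mode=440 owner=bin action=fixall

files:

    # cfengine-policy-description: check for world writable files under /
    # except in specified dirs
    # warnall only: world-writable files are reported, never chmod'ed.
    # The ignored directories are the ones expected to legitimately contain
    # world-writable or kernel-virtual entries.
    # NOTE(review): no class is stated for this entry; it relies on the new
    # files: section resetting the class context after hpux:: above -- confirm.
    / recurse=inf ignore=/dev ignore=/tmp ignore=/proc ignore=/var/run ignore=/var/spool ignore=/var/tmp action=warnall mode=o-w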