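# tw.config for HP-UX
########################################################################
#
# This file contains a list of files and directories that tripwire
# will scan.  Date, size, and signature information for these files
# will be stored in the tripwire database file and used for later
# comparisons.
#
# This version of the tw.config file was tuned for HP-UX 10.20.
# You may need to adjust it if you are running something else, but
# hopefully not by much.
#
# See the man page for tw.config(5) for more information about the
# format of this file, or look for a file called tw.config.format
#
# Eric Myers
# Department of Physics, University of Michigan, Ann Arbor, MI USA
# @(#) $Id: tw.config.HPUX,v 2.14 1999/10/24 22:02:20 myers Exp myers $
########################################################################

# Entry prefixes used below (see tw.config(5)):
#   /path    check the entry and, for a directory, everything under it
#   =/path   check the directory entry itself but not its contents
#   !/path   prune: the entry (and everything under it) is not checked

# The usual definitions for different file tests
#
# Flags after '+' are compared, flags after '-' are ignored:
#   p=permissions i=inode n=link count u=uid g=gid s=size
#   a=access time m=modification time c=inode change time 1-8=signatures
#
# LOG ignores size, all three timestamps and every signature, so a
# content change to a LOG entry is never reported.  Use it only for
# files whose contents are expected to change.

@@define STAT +pug-cmansi12345678       # Just check protection bits
@@define MODS +pugmc-ansi12345678       # protection|date change
@@define LOG  +pinug-samc12345678       # log files (no signatures)
@@define MD5  +pugcmnsi1-a2345678       # Check signatures 1 only
@@define SIGS +pugcmnsi12-a345678       # Check signatures 1&2

# Run tripwire with -DNODATES to ignore change/modification dates
# and inode numbers - useful for after restoring from backup tapes

@@ifdef NODATES
@@define MODS +pug-cmansi12345678
@@define LOG  +pung-cmasi12345678
@@define STAT +pug-cmansi12345678
@@define MD5  +pung1-camis2345678
@@define SIGS +pung12-camis345678
@@endif

## HPUX System and tools:

/stand                  @@SIGS  # kernel and configuration
/sbin                   @@SIGS  # single user binaries
/usr/lbin               @@SIGS  # networking tools, check carefully
/usr/lbin/bootpd        @@SIGS  # boot server
/usr/lbin/telnetd       @@SIGS  # telnet daemon

!/stand/rootconf        @@MODS  # changes between reboots (ignore)
!/usr/sbin/stm          @@LOG   # optional diagnostics (ignore)

# Check root's "home"

=/                      @@SIGS
/.rhosts                @@SIGS  # may not exist
/.forward               @@SIGS  # may not exist
/.profile               @@SIGS  # may not exist
/.cshrc                 @@SIGS  # may not exist
/.tcshrc                @@SIGS  # may not exist
!/.vue                  @@STAT  # may not exist (HP/UX 10.x)
/.vueprofile            @@SIGS  # may not exist (HP/UX 10.x)
/.login                 @@SIGS  # may not exist
/.logout                @@SIGS  # may not exist
/.emacs                 @@SIGS  # may not exist
/.mailrc                @@SIGS  # may not exist
/.exrc                  @@SIGS  # may not exist
/.netrc                 @@SIGS  # should not exist!

## Some critical directories and files
## (exceptions are noted further down)

/etc                    @@MD5
/etc/inetd.conf         @@SIGS
/usr/sbin/inetd         @@SIGS
/etc/hosts.equiv        @@SIGS
/etc/resolv.conf        @@SIGS
/etc/nsswitch.conf      @@SIGS
/etc/syslog.conf        @@SIGS
/etc/exports            @@SIGS
/etc/gettydefs          @@SIGS
/etc/csh.login          @@SIGS
/etc/profile            @@SIGS
/etc/shells             @@SIGS  # changes should be infrequent
/etc/hosts              @@SIGS  # changes should be infrequent
/etc/group              @@SIGS  # changes should be infrequent
/etc/skel               @@SIGS

/etc/mail               @@MODS
/etc/mail/sendmail.st   @@MODS
/etc/mail/sendmail.cf   @@MD5
/etc/mail/aliases       @@MODS
/etc/mail/mailcap       @@MD5
/etc/mail/sendmail.pid  @@STAT  # changes between reboots
/etc/mail/aliases.db    @@STAT  # rebuilt every week here

/etc/motd               @@SIGS  # may not exist
/etc/issue              @@SIGS  # may not exist
/etc/issue.net          @@SIGS  # may not exist

# NOTE(review): STAT compares only mode, owner and group, so an added
# account or a replaced password hash in these two files is not
# reported.  If account changes are rare on this host, @@MODS or @@MD5
# would surface them.
/etc/passwd             @@STAT  # maybe something else with shadow pw?
/etc/shadow             @@STAT  # maybe something else with shadow pw?
/etc/xtab               @@STAT
/etc/ssh_random_seed    @@STAT
/etc/ntp.drift          @@STAT

/etc/rmtab              @@LOG
/etc/utmp               @@LOG
/etc/utmpx              @@LOG
/etc/dumpdates          @@LOG

# hosts.deny and hosts.allow are access-control lists, not logs.  They
# were listed under @@LOG, which skips size, timestamps and signatures,
# so an edited rule would not show up in a report.  Checked with @@SIGS
# instead; update the database entries for both after this change.
/etc/hosts.deny         @@SIGS
/etc/hosts.allow        @@SIGS

/etc/kbdlang            @@MODS
/etc/ioctl.syscon       @@MODS

=/etc/lp                @@MODS

# Ignore these
#
# NOTE(review): a '!' entry is pruned, so the template written after it
# (@@LOG, @@SIGS, @@MODS, E) presumably has no effect -- confirm against
# tw.config(5).  None of the files below is checked at all.

!/etc/mnttab            @@LOG
!/etc/checklist         @@SIGS  # (no longer used in HP-UX 10.x)
!/etc/ntp.keys                  # NOTE(review): key material, yet excluded; confirm this is intended
!/etc/pfs_mtab
!/etc/temp_mtab
!/etc/rc.log            @@MODS
!/etc/auto_parms.log    @@MODS
!/etc/shutdownlog       @@MODS
!/etc/rc.log.old        E
!/etc/auto_parms.log.old E
!/etc/hpC2400           E
!/etc/vue/config/types          # VUE configuration
!/etc/vue/config/panels         # VUE configuration

## Device files (tty's can change)

=/dev                   @@LOG   # /dev changes due to pty's
=/dev/rmt               @@SIGS
=/dev/dsk               @@SIGS
=/dev/rdsk              @@SIGS
!/dev/pty
!/dev/ptym
!/dev/ttype

################
# Checksumming the following is not so critical.  However,
# setuid/setgid files are special cases further down.

=/opt                   @@MD5
=/usr                   @@SIGS
=/usr/contrib           @@MD5
=/usr/lib               @@SIGS
=/usr/lib/nls           @@MD5

/bin                    @@MD5
/usr/bin                @@MD5
/usr/sbin               @@MD5
/usr/etc                @@MD5
/usr/lib/lanscan        @@SIGS  # network devices important to watch!
/usr/lib/cron           @@MD5
/usr/lib/mail           @@MD5
/usr/lib/pa1.1          @@MD5
/usr/lib/netsvc         @@MD5
/usr/lib/netls          @@MD5

=/var/spool             @@SIGS
=/var/mail              @@MODS
=/var/spool/cron        @@MODS
=/var/spool/mqueue      @@MODS
=/var/spool/cron/tmp    @@MODS

=/tmp                   @@MODS
=/var/tmp               @@MODS
=/usr/msgs              @@MODS

################
# SUID files: use both signatures just to be sure.
#
# Use `find / -user root -perm -4000 -print >tw.config.suid` to list
# all suid root files (See man find(1) for use on multiple filesystems.)
# Or allow Ivan to create this list.
#
# NOTE(review): that find expression matches setuid-root files only.
# Setgid files and setuid files owned by other accounts need their own
# search if they are to be listed here as well.
#
#@@include /var/adm/tw.config.suid

/usr/bin/mediainit      @@SIGS
/usr/bin/bdf            @@SIGS
/usr/bin/rcp            @@SIGS
/usr/bin/nfsstat        @@SIGS
/usr/bin/at             @@SIGS
/usr/bin/crontab        @@SIGS
/usr/bin/mail           @@SIGS
/usr/bin/rmail          @@SIGS
/usr/bin/chfn           @@SIGS
/usr/bin/chsh           @@SIGS
/usr/bin/newgrp         @@SIGS
/usr/bin/dcnodes        @@SIGS
/usr/bin/df             @@SIGS
/usr/bin/login          @@SIGS
/usr/bin/passwd         @@SIGS
/usr/bin/su             @@SIGS
/usr/bin/ppl            @@SIGS
/usr/bin/rdist          @@SIGS
/usr/bin/remsh          @@SIGS
/usr/bin/rlogin         @@SIGS
/usr/bin/rexec          @@SIGS
/usr/bin/X11/hpterm     @@SIGS
/usr/bin/X11/xterm      @@SIGS
/usr/bin/X11/gwind      @@SIGS
/usr/bin/lp             @@SIGS
/usr/bin/lpalt          @@SIGS
/usr/bin/ct             @@SIGS
/usr/bin/cu             @@SIGS
/usr/bin/landiag        @@SIGS
/usr/etc/nfsstat        @@SIGS
/etc/vgscan             @@SIGS
/etc/vgremove           @@SIGS
/etc/vgreduce           @@SIGS
/etc/vgimport           @@SIGS
/etc/vgextend           @@SIGS
/etc/vgexport           @@SIGS
/etc/vgdisplay          @@SIGS
/etc/vgcreate           @@SIGS
/etc/vgchange           @@SIGS
/etc/vgcfgrestore       @@SIGS
/etc/vgcfgbackup        @@SIGS
/etc/pvmove             @@SIGS
/etc/pvdisplay          @@SIGS
/etc/pvcreate           @@SIGS
/etc/pvchange           @@SIGS
/etc/ping               @@SIGS
/etc/mediainit          @@SIGS
/etc/lvrmboot           @@SIGS
/etc/lvremove           @@SIGS
/etc/lvreduce           @@SIGS
/etc/lvlnboot           @@SIGS
/etc/lvextend           @@SIGS
/etc/lvdisplay          @@SIGS
/etc/lvcreate           @@SIGS
/etc/lvchange           @@SIGS
/etc/linkloop           @@SIGS
/etc/lanscan            @@SIGS
/etc/arp                @@SIGS

##################################
### Local files:

/usr/local/bin          @@SIGS
/usr/local/sbin         @@SIGS
/usr/local/etc          @@SIGS
=/usr/local/lib/        @@SIGS
=/usr/local/lib/perl5   @@SIGS
=/usr/local/share       @@SIGS
!/usr/local/share/texmf @@LOG   # changes often due to fonts
/usr/local/lib/ftpd     @@SIGS
/usr/local/lib/libexec  @@SIGS

=/usr/local/etc/httpd/logs  @@LOG       # web server logs change constantly
=/usr/local/etc/httpd/icons @@LOG       # so does icon collection

##EOF tw.config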