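#!/bin/bash
# /root/bin/mktripwire.sh
# /etc/tripwire/mktripwire.sh
# A Gentoo-oriented Tripwire Policy Generator
# This script outputs tripwire policy against a Gentoo configuration
# This script depends on equery (from gentoolkit)
# This script probably only runs under a bash shell
# As of 07 Nov 2010, this script is a work in progress
# c.cboldt at gmail.com
# 0.0.1
# 101106 Sent to http://bugs.gentoo.org/show_bug.cgi?id=34662
VERSION=0.0.2
# Added invocation parameters, help and version messages
# Added option to take RULENAME[], etc. from separate config file
# Added SEC_MOD variable array
# Added FILELIST_x[], REMARKS_x[], and SEC_MOD_x[] arrays
# Replaced XWINLIST[] and SKIPINOD[] arrays with FILELIST_x[] arrays
# Tripwire update mode default changed to not display
# Added options for terse and verbose progress reporting
# Added "hidden" debug mode (the word "debug" followed by optional rulenumber)
# Added default rules for Database (e.g., mysql) and Programming
# Added default rule for /var/log/*[g] filelist
# Added warning: default generated policy does not check /var/log directory

# TMP_FILE captures output of `equery -q files $packagename` command.
# This to avoid redundant invocations of `equery -q files` against each packagename.
# The file is created by mktemp (unpredictable name, private mode) instead of
# a fixed /tmp path: this script is normally run as root, and a fixed name
# could be pre-created or symlinked by any other local user before the
# script writes to it.  The file is removed again when the script exits.
TMP_FILE=$(mktemp "${TMPDIR:-/tmp}/mktripwire.XXXXXX") || {
  echo "Unable to create a temporary file under ${TMPDIR:-/tmp} ... exiting" >&2
  exit 1
}
trap 'rm -f -- "$TMP_FILE"' EXIT

# Generated layout is based on work by Darren Kirby
# File: tripwire.pol.gentoo September 5, 2006
# http://bugs.gentoo.org/show_bug.cgi?id=34662
#
# Darren Kirby's file was based on a tripwire policy for RedHat systems
# Policy file for Red Hat Linux : V1.2.0rh : August 9, 2001
# Improvements?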
# rationalize the footer / copyright message
# rationalize categories and security level settings
# confirm operation of emailto function
# more complete/useful packages lists
# better help messages and comments
# better error and condition checking
# - needs bash, maybe some grep issues
# maybe more excludelists
# maybe automate creation of available package lists
# (but categorization here is radically different from Gentoo's "categories")

# PACKAGES[] lists can contain any non-ambiguous package name
# FILELIST[] lists can contain any file name, including wildcards
# The script checks whether or not a listed package or file exists.
#
# Per-rule tables, all indexed by the rule number:
# RULENAME[]    Unique Rule Name
# PACKAGES[]    Optional list of Gentoo package names under this Rule Name
# FILELIST[]    Optional lists of individual file names (wildcards okay)
# REMARKS[]     Optional Remarks associated with individual FileLists
# IGNORLST[]    Optional list of files to ignore under this Rule Name
# EMAILTO[]     defaults to empty - written rule-by-rule
# SEVERITY[]    defaults to SIG_HI = severity=100
#
# BINSECVALUE[] defaults to SEC_CRIT = $(IgnoreNone)-SHa
# ETCSECVALUE[] defaults to SEC_CONFIG = $(Dynamic)
# LOGSECVALUE[] defaults to SEC_LOG = $(Growing)
# RECURSE[]     defaults to empty - written file-by-file, applies only to directories
# SEC_MOD[]     defaults to empty - written file-by-file, DOES NOT APPLY TO DIRECTORIES

##### Start of Package and File Lists
##### Package Lists and Multiple File Lists may be combined under one rule

# Rule 0
RULENAME[0]='Tripwire Program Files'
PACKAGES[0]='aide osiris tripwire'
BINSECVALUE[0]=SEC_BIN

# Rule 1
RULENAME[1]='Invariant Directories'
FILELIST[1]='/ /home /etc'
REMARKS[1]='Commonly accessed directories that should remain static with regards to owner and group'
SEVERITY[1]='SIG_MED'
ETCSECVALUE[1]='SEC_INVARIANT'
RECURSE[1]='(recurse = 0) '

# Rule 2
RULENAME[2]='Temporary Directories'
FILELIST[2]='/usr/tmp /var/tmp /tmp'
SEVERITY[2]='SIG_LOW'
ETCSECVALUE[2]='SEC_INVARIANT'
RECURSE[2]='(recurse = 0) '

# Rules 3-19: package-based rules
RULENAME[3]='[core|diff|find]utils procps'
PACKAGES[3]='coreutils diffutils findutils procps'

RULENAME[4]='Compression/Archiving Programs'
PACKAGES[4]='tar bzip2 gzip zip unzip'

RULENAME[5]='Networking Programs'
PACKAGES[5]='net-tools iproute2 iputils iptables mgetty mingetty ppp wireshark nmap'

RULENAME[6]='Miscellaneous Network Programs'
PACKAGES[6]="tcpdump tcp-wrappers rsync samba distcc dhcpcd dnsmasq bind bind-tools \
  knock telnet-bsd"
ETCSECVALUE[6]=SEC_CRIT

RULENAME[7]='Hardware and Device Programs'
PACKAGES[7]="udev pciutils util-linux sysvinit psmisc kbd hdparm smartmontools \
  lshw ethtool hotplug-base module-init-tools setserial dmraid"

RULENAME[8]='Filesystem Programs'
PACKAGES[8]="e2fsprogs progsreiserfs reiserfsprogs reiser4progs xfs nfs jfs \
  pax-utils sysfsutils autofs lvm2 mdadm"

RULENAME[9]='Miscellaneous File Programs'
PACKAGES[9]="gawk grep patch cpio file lsof gettext groff less man ncurses slang \
  sed slocate patchutils debianutils"

RULENAME[10]='Toolchain Programs'
PACKAGES[10]='gcc binutils glibc make autoconf automake'

RULENAME[11]='Security Related Programs'
PACKAGES[11]='shadow pam openssl openssh gnupg chkrootkit rkhunter'
EMAILTO[11]='"root@localhost"'

RULENAME[12]='Database Related Programs'
PACKAGES[12]='mysql postgresql-server sqlite'

RULENAME[13]='Programming Language Files'
PACKAGES[13]='perl php python ruby swig tcl tk'

RULENAME[14]='MTA Related Programs'
PACKAGES[14]='sendmail postfix ssmtp mailx procmail dovecot clamav spamassassin'

RULENAME[15]='P2P Related Programs'
PACKAGES[15]='ejabberd jabberd jabberd2 mu-conference'

RULENAME[16]='WWW Related Programs'
PACKAGES[16]='apache bozohttpd lighttpd mini_httpd thttpd'

RULENAME[17]='Shell Programs'
PACKAGES[17]='bash zsh csh tcsh sash busybox screen'
BINSECVALUE[17]=SEC_BIN

RULENAME[18]='Editor Programs'
PACKAGES[18]='nano joe vim ed emacs'

RULENAME[19]='System Action and Logging'
PACKAGES[19]="anacron bcron cronie dcron fcron incron vixie-cron xinetd \
  newsyslog rsyslog syslog-ng logrotate"

# Rule 20
RULENAME[20]='Boot Selector Programs'
PACKAGES[20]='grub lilo'
FILELIST[20]='/boot/* /lib/modules'
REMARKS[20]='Contents of /boot directory are safer on an unmounted partition'

# Rule 21
# some Gentoo packages install files in /lib/rcscripts/{awk,conf.d,net,sh}
RULENAME[21]='Gentoo Specific Programs'
PACKAGES[21]='portage portage-utils gentoolkit baselayout eix paludis'

##### End of package lists #####

##### Some File Lists cribbed from RedHat policy file
# Some local config files can be found with this code snippet
#   for i in `locate etc*[lL]ocal`
#   do [ -z "`equery -q belongs -e $i`" ] && echo " $i \\"
#   done
#   find / -group kmem -perm -2000 -print   # Finds SGID files, owned by kmem
#   find / -user root -perm -4000 -print    # Finds SUID files, owned by root

# Rule 22
RULENAME[22]='Local Config Files'
FILELIST[22]="/etc/bash/bashrc.local \
  /etc/dnsmasq-local.conf \
  /etc/host-local-block \
  /etc/host-banner-ads \
  /etc/hosts \
  /etc/hosts.allow \
  /etc/hosts.deny \
  /etc/dovecot/dovecot-local.conf \
  /etc/lilo.conf \
  /etc/lynx/lynx-site.cfg \
  /etc/ppp/chap-secrets \
  /etc/ppp/ip-up.d/00-local.sh \
  /etc/ppp/ip-down.d/00-local.sh \
  /etc/rkhunter.conf.local \
  /etc/screenrc-local \
  /etc/syslog-ng/syslog-local.conf \
  /etc/udev/rules.d/10-local.rules \
  /etc/env.d/00Local"

# Rule 23
# Policy generator deals with interest in not opening devices (recursion)
# by applying the $(Device) policy for block and character special devices
# See "select_policy" routine
RULENAME[23]='Critical Devices'
FILELIST[23]="/dev/kmem /dev/mem /dev/null /dev/zero \
  /dev/log /dev/cua0 /dev/console \
  /dev/tty[123456789] /dev/tty1[012] \
  /dev/urandom /dev/initctl /proc/*"
REMARKS[23]='RedHat config noted kmem, mem, null, zero. Also was recurse=false'

# Rule 24
RULENAME[24]='User Libraries'
FILELIST[24]='/usr/lib /usr/local/lib'
REMARKS[24]='Remainder of system libraries and binaries'
SEVERITY[24]=SIG_MED
BINSECVALUE[24]=SEC_BIN

# Rule 25
RULENAME[25]='Other OS Bin and Lib'
FILELIST[25]='/bin /lib'
BINSECVALUE[25]=SEC_BIN

# Rule 26
RULENAME[26]='User Bin Directories'
FILELIST[26]='/sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin'
SEVERITY[26]=SIG_MED
RECURSE[26]='(recurse = 1) '

# Rule 27
RULENAME[27]='Log Files'
FILELIST[27]='/var/log/*g'
REMARKS[27]='Looking only at filenames that end with the letter "g"'
SEVERITY[27]=SIG_MED
SEC_MOD[27]='-il '

# Rule 28
# Root User Directory Rule uses multiple filelists
# FILELIST_x variable names MUST be sequential, starting with "x" = "2"
# Available correlated variables are REMARKS_x and SEC_MOD_x
# Output approximately resembles RedHat legacy policy file
RULENAME[28]='Root User Directory'
REMARKS[28]='Config and files for console applications'
FILELIST[28]="/root /root/bin /root/.ssh /root/.gnupg \
  /root/.bashrc /root/.bash_profile /root/.bash_logout \
  /root/.cshrc /root/.tcshrc /root/.screenrc \
  /root/.mc /root/.ncftp \
  /root/Mail /root/mail \
  /root/.pinerc /root/.pinepwd /root/.mailcap \
  /root/.addressbook.lu /root/.addressbook \
  /root/.amandahosts /root/.elm \
  /root/.config /root/.fltk /root/.links \
  /root/.esd_auth"
REMARKS_2[28]='X-Windows should not be run as Root User!'
FILELIST_2[28]="/root/.ICEauthority /root/.xsession-errors /root/.Xresources /root/.Xmodmap \
  /root/.fvwm /root/.fvwmrc \
  /root/.sawfish \
  /root/.gconf /root/.gconfd \
  /root/.gnome /root/.gnome_private /root/.gnome-desktop /root/.qt"
REMARKS_3[28]='Files that change Inode number'
FILELIST_3[28]="/root/.Xauthority"
SEC_MOD_3[28]='-i '
IGNORLST[28]="/root/.lesshst /root/.bash_history \
  /root/.aumixrc /root/.calc_history \
  /root/.enlightenment \
  /root/.fonts.cache-1 \
  /root/.lynx_cookies \
  /root/.sc_history \
  /root/.stack.wcd /root/.treedata.wcd /root/bin/wcd.go"

# Rule 29
RULENAME[29]='System Boot Changes'
REMARKS[29]='Legacy from RedHat Policy File : These files change every time the system boots'
FILELIST[29]='/var/lock/subsys /var/run /etc/ioctl.save /etc/.pwd.lock'
REMARKS_2[29]='Files that change inode number'
FILELIST_2[29]='/etc/mtab'
SEC_MOD_2[29]='-i '

# Rule 30
RULENAME[30]='Security Control File'
FILELIST[30]='/etc/security'
ETCSECVALUE[30]='SEC_CRIT'

########### End Default Package Lists and RuleName Definitions

# "select_policy" routine runs each filename through a gauntlet, picking up
# a $Filetype handle depending on which attribute it matches last.
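#######################################
# Classify $targetfile and print the tripwire property mask for it.
# The tests run in a fixed order and the LAST matching test wins: a path
# under /etc/ that is also a directory becomes Dir, a SUID file becomes
# SUID rather than Bin, and so on.  Keep that order when editing.
# Globals:   targetfile (read), i (read: rule number used to index the
#            *SECVALUE[], SEC_MOD[] and RECURSE[] tables)
# Outputs:   one "-> $(...) ;" fragment on stdout, completing the line that
#            output_line started
#######################################
select_policy() {
  local filetype=Config
  [[ $targetfile == /etc/* ]] && filetype=Config
  [[ $targetfile == /lib/* ]] && filetype=Lib
  [[ $targetfile == /var/log* ]] && filetype=Log
  [[ $targetfile == /root/* ]] && filetype=RootFile
  [[ $targetfile == /lib/modules* ]] && filetype=Kernel
  file -b "$targetfile" | grep -q kernel && filetype=Kernel
  [[ $targetfile == /dev/tty* ]] && filetype=Tty
  [[ -x $targetfile ]] && filetype=Bin
  [[ -b $targetfile ]] && filetype=Block
  [[ -c $targetfile ]] && filetype=Char
  [[ -d $targetfile ]] && filetype=Dir
  [[ $targetfile == /root ]] && filetype=RootDir
  [[ -u $targetfile ]] && filetype=SUID

  case $filetype in
    SUID)    echo "-> \$(SEC_SUID) ;" ;;
    RootDir) echo "-> \$(SEC_CRIT) ; # Catch all additions to /root" ;;
    RootFile|Config)
             echo "-> \$(${ETCSECVALUE[$i]:-SEC_CONFIG}) ${SEC_MOD[$i]};" ;;
    Dir)     echo "-> \$(${ETCSECVALUE[$i]:-SEC_CONFIG}) ${RECURSE[$i]};" ;;
    Bin|Kernel|Lib)
             echo "-> \$(${BINSECVALUE[$i]:-SEC_CRIT}) ${SEC_MOD[$i]};" ;;
    Tty)     echo "-> \$(${BINSECVALUE[$i]:-SEC_TTY}) ${SEC_MOD[$i]};" ;;
    Log)     echo "-> \$(${LOGSECVALUE[$i]:-SEC_LOG}) ${SEC_MOD[$i]};" ;;
    Char|Block)
             echo "-> \$(Device) ;" ;;
  esac
}

#######################################
# Print the policy file preamble: banner, GLOBAL section and the FS-section
# variable definitions, followed by the fixed "Tripwire Data Files" rule.
# Globals:   VERSION (read)
# Outputs:   policy text on stdout
#######################################
make_header() {
  # First part is an unquoted here-document: $0, $VERSION and the two
  # command substitutions are meant to expand.
  cat <<EOF

 #########################################################################
 # #
 # Tripwire Policy File for Gentoo Linux #
 # #
 #########################################################################


 # Generated by $0 Version $VERSION
 # $(date '+%B %e, %Y at %R')
 # http://bugs.gentoo.org/show_bug.cgi?id=34662


 #########################################################################
 # #
 # Global Variable Definitions #
 # Established at install by portage/emerge #
 # #
 #########################################################################

@@section GLOBAL
TWROOT="/usr/sbin" ;
TWBIN="/usr/sbin" ;
TWPOL="/etc/tripwire" ;
TWDB="/var/lib/tripwire" ;
TWSKEY="/etc/tripwire" ;
TWLKEY="/etc/tripwire" ;
TWREPORT="/var/lib/tripwire/report" ;
HOSTNAME="$(hostname)" ; # Should be the hostname of this system

EOF
  # Second part is quoted: every $(...) below is tripwire syntax and must
  # reach the output literally.
  cat <<'EOF'
@@section FS
SEC_CRIT = $(IgnoreNone)-SHa ; # Critical files that cannot change
SEC_SUID = $(IgnoreNone)-SHa ; # Binaries with the SUID or SGID flags set
SEC_BIN = $(ReadOnly) ; # Binaries that should not change
SEC_CONFIG = $(Dynamic) ; # Config files that are changed infrequently
SEC_TTY = $(Dynamic)-ugp ; # Tty files change ownership at login
SEC_LOG = $(Growing) ; # Files that grow, should never change ownership
SEC_INVARIANT = +tpug ; # Directories that should never change permission or ownership
SIG_LOW = 33 ; # Non-critical files of minimal security impact
SIG_MED = 66 ; # Non-critical files of significant security impact
SIG_HI = 100 ; # Critical files - significant points of vulnerability

# Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases
(
 rulename = "Tripwire Data Files",
 severity = $(SIG_HI)
)
{
 # NOTE: inode attribute removed on policy and config files.
 # When Tripwire creates a backup, it does so by renaming the old
 # file and creating a new one (which will have a new inode number).
 # Inode is left turned on for encryption key files.

 # NOTE: Integrity checks will trigger this rule until a database
 # update is run, because the database file does not exist before that point.

 $(TWDB) -> $(SEC_CONFIG) -i ;
 $(TWPOL)/tw.pol -> $(SEC_BIN) -i ;
 $(TWPOL)/tw.cfg -> $(SEC_BIN) -i ;
 $(TWLKEY)/$(HOSTNAME)-local.key -> $(SEC_BIN) ;
 $(TWSKEY)/site.key -> $(SEC_BIN) ;

 # Do not scan the individual reports
 $(TWREPORT) -> $(SEC_CONFIG) (recurse = 0) ;
}
EOF
}

#######################################
# Print the fixed copyright / permission trailer of the policy file.
# Outputs:   policy text on stdout
#######################################
make_footer() {
  cat <<'EOF'

#=============================================================================
#
# Parts are Copyright 2000 Tripwire, Inc.
# Tripwire is a registered trademark of Tripwire,Inc.
# (in the United States and other countries)
# All rights reserved.
#
# Linux is a registered trademark of Linus Torvalds.
#
#=============================================================================
#
# Permission is granted to make and distribute verbatim copies of this document
# provided the copyright notice and this permission notice are preserved on all
# copies.
#
# Permission is granted to copy and distribute modified versions of this
# document under the conditions for verbatim copying, provided that the entire
# resulting derived work is distributed under the terms of a permission notice
# identical to this one.
#
######### END of tripwire Policy Text File #########
EOF
}

# ------- Cycle through RULENAME variables

#######################################
# Run list_files once for every defined rule.
# Iterates over the indices that actually exist, so a config file that
# numbers its rules sparsely is handled as well as the dense default table.
# Globals:   RULENAME (read), UPDATETW, PROGRESS, VERBOSE (read),
#            i (written: current rule number, read by every callee)
# Outputs:   policy text on stdout; optional countdown on stderr
#######################################
make_tripwire_rules() {
  local count=${#RULENAME[@]}
  local progress=No
  # The countdown is only useful when stdout is the policy file (-u) and the
  # user asked for it (-p) without the full verbose stream (-v).
  [[ $UPDATETW == Yes && $PROGRESS == Yes && -z $VERBOSE ]] && progress=Yes
  [[ $progress == Yes ]] && printf '%s Rules:' "$count" >&2
  for i in "${!RULENAME[@]}"; do
    [[ $progress == Yes ]] && printf ' %s' "$i" >&2
    list_files
  done
}

#######################################
# Emit one complete tripwire rule for RULENAME[i]:
# - the rule header, including the optional "emailto" field
# - the ignore list, if any
# - every installed package's files (via extract_package_filenames)
# - the primary file list and any FILELIST_2[i], FILELIST_3[i], ... lists
#   (via process_filelist)
# Globals:   i (read); RULENAME, PACKAGES, FILELIST, REMARKS, SEC_MOD,
#            IGNORLST, EMAILTO, SEVERITY and the *_N companions (read);
#            TMP_FILE (written); targetfile, package (set here, read by callees)
# Outputs:   policy text on stdout
#######################################
list_files() {
  local targetfile package j list_ref remarks_ref secmod_ref
  local saved_list=${FILELIST[$i]}
  local saved_remarks=${REMARKS[$i]}
  local saved_secmod=${SEC_MOD[$i]}

  echo
  echo "################################################################"
  echo "# RuleName: ${RULENAME[$i]}"
  [[ -n ${PACKAGES[$i]} ]] && echo "# Packages: ${PACKAGES[$i]}"
  [[ -n ${FILELIST[$i]} ]] && echo "# FileNames: ${FILELIST[$i]}"
  echo "################################################################"
  echo '('
  echo " rulename = \"${RULENAME[$i]}\","
  if [[ -n ${EMAILTO[$i]} ]]; then
    printf ' severity = $(%s),\n emailto = %s\n' "${SEVERITY[$i]:-SIG_HI}" "${EMAILTO[$i]}"
  else
    printf ' severity = $(%s)\n' "${SEVERITY[$i]:-SIG_HI}"
  fi
  echo ')'
  echo '{'

  if [[ -n ${IGNORLST[$i]} ]]; then
    printf '\n# %s: Ignore changes to these files\n' "${RULENAME[$i]}"
  fi
  # shellcheck disable=SC2086 -- the list is space separated and may contain globs
  for targetfile in ${IGNORLST[$i]}; do
    [[ -e $targetfile ]] && echo " !$targetfile ;"
  done

  # shellcheck disable=SC2086 -- space separated package names
  for package in ${PACKAGES[$i]}; do
    # Capture once per package; an uninstalled package leaves the file empty.
    equery -q files "$package" > "$TMP_FILE"
    [[ -s $TMP_FILE ]] && extract_package_filenames
  done

  [[ -n ${FILELIST[$i]} ]] && process_filelist

  # Extra file lists for the same rule live in FILELIST_2[i], FILELIST_3[i],
  # ... (with matching REMARKS_N[i] and SEC_MOD_N[i]).  Each one is copied
  # into the primary slot so process_filelist can read it; the primary values
  # are restored afterwards.  The first missing list ends the sequence.
  for (( j = 2; j <= 100; j++ )); do
    list_ref="FILELIST_$j[$i]"
    remarks_ref="REMARKS_$j[$i]"
    secmod_ref="SEC_MOD_$j[$i]"
    [[ -n ${!list_ref} ]] || break
    FILELIST[$i]=${!list_ref}
    REMARKS[$i]=${!remarks_ref}
    SEC_MOD[$i]=${!secmod_ref}
    process_filelist
  done
  FILELIST[$i]=$saved_list
  REMARKS[$i]=$saved_remarks
  SEC_MOD[$i]=$saved_secmod

  echo '}'
}

#######################################
# Print one policy line per existing entry of FILELIST[i].
# - outputs the remarks for the list, if any
# - directory entries produced by the /proc/* wildcard (and lost+found
#   directories) are skipped
# Globals:   i (read); RULENAME, REMARKS, FILELIST (read);
#            targetfile (set here, read by output_line / select_policy)
# Outputs:   policy text on stdout
#######################################
process_filelist() {
  local targetfile
  printf '\n# %s: %s\n' "${RULENAME[$i]}" "${REMARKS[$i]}"
  # shellcheck disable=SC2086 -- the list is space separated and may contain globs
  for targetfile in ${FILELIST[$i]}; do
    if [[ -d $targetfile && $targetfile == /proc/* ]]; then
      continue
    elif [[ -d $targetfile && $targetfile == /lost+found* ]]; then
      continue
    elif [[ -e $targetfile ]]; then
      output_line
      select_policy
    fi
  done
}

#######################################
# Print policy lines for the files of one package, as listed in TMP_FILE
# by the `equery -q files` call in list_files.
#
# Only filenames containing "bin/", "/etc/", or "/var/log/" are included.
# Adding "/lib/.*[.]s[ho]" adds substantial bulk to the generated policy file.
# Adding "/lib/rcscripts/[acns]" is Gentoo-centric (awk|conf.d|net|sh)
# Directory names and zero-size files are excluded from output.
# Globals:   i, package, TMP_FILE (read);
#            targetfile (set here, read by output_line / select_policy)
# Outputs:   policy text on stdout
#######################################
extract_package_filenames() {
  local targetfile
  echo
  echo "# ${RULENAME[$i]}: $package"
  echo
  # One path per line; read -r keeps each name intact instead of
  # word-splitting and glob-expanding the listing as a bare for-in would.
  while IFS= read -r targetfile; do
    if [[ ! -d $targetfile && -s $targetfile ]]; then
      output_line
      select_policy
    fi
  done < <(grep -e /etc/ -e bin/ -e /var/log/ -- "$TMP_FILE")
}

#######################################
# Print " $targetfile" followed by enough TABs to align the policy mask.
# The name width is increased by 2 for the indent, a TAB is taken as 8
# columns, and at most 4 TABs are added to the one that is always printed
# (five in total); long names simply get the single TAB.
# Globals:   targetfile (read)
# Outputs:   the start of a policy line on stdout, no newline
#######################################
output_line() {
  local extra_tabs=$(( 4 - (${#targetfile} + 2) / 8 ))
  local z
  printf ' %s\t' "$targetfile"
  for (( z = 0; z < extra_tabs; z++ )); do
    printf '\t'
  done
}

#################################################################
# Top Routine for Generating Policies
#################################################################

#######################################
# Write the complete policy text file to stdout.
#######################################
make_policy_text_file() {
  make_header
  make_tripwire_rules
  make_footer
}

#################################################################
# Routines for the user interface
# Structure and functions should be clear on inspection
#################################################################

#######################################
# Abort: equery (gentoolkit) is required to list package files.
#######################################
equery_error_exit() {
  {
    echo
    echo 'This script depends on equery to obtain meaningful output.'
    echo 'On Gentoo, `emerge gentoolkit`'
  } >&2
  exit 1
}

#######################################
# Warn that tripwire is missing but carry on (the policy text can still be
# generated); the pause is skipped in debug mode.
# Globals:   DEBUGME (read)
#######################################
tripwire_error_exit() {
  {
    echo
    echo 'This script has no known function aside from tripwire.'
    echo ' On Gentoo, `emerge tripwire`'
    echo 'Continuing even though tripwire is not found on this system ...'
    echo
  } >&2
  [[ $DEBUGME == y ]] || sleep 5
}

#######################################
# Warn that the default rules do not watch the /var/log directory itself.
# Sent to stderr so it does not end up inside a redirected policy file.
#######################################
var_log_warning() {
  {
    echo
    echo " ########### !!!! WARNING !!!! ##############"
    echo " # Rules do NOT Watch /var/log directory #"
    echo " # One rule watches /var/log/*[g] files #"
    echo " #########################################################"
    echo
  } >&2
}

#######################################
# Print the version banner.
# Globals:   VERSION (read)
#######################################
recite_ver() {
  echo
  echo "This is $(basename "$0") version $VERSION"
  echo 'A Gentoo-oriented Tripwire Policy Generator'
  echo
}

#######################################
# Print version and usage, then exit.
#######################################
recite_help() {
  local self
  self=$(basename "$0")
  recite_ver
  cat <<EOF
When invoked with no command-line parameter:
 - output from $self is directed to STDOUT

When invoked with -u command line parameter:
 - output from $self is directed to a file in the /etc/tripwire directory
 - the command \`tripwire --update-policy\` is run using that file
 - the command \`tripwire --check --interactive\` is run

Usage: $self [-c configfile] [-u[-p|-v]] [-h] [-V]
 -c Read RULENAME[], PACKAGELIST[] and FILELIST[] from configfile
 -u Invoke tripwire update after generating policy text file
 -p Progress - display countdown as rulesets are processed
 -v Verbose - display policy text generation
 -h output this version and help information
 -V output version information

EOF
  exit
}

#######################################
# Replace the built-in rule tables with those defined in CONFIG_FILE.
# Every per-rule table is cleared first - including SEVERITY, EMAILTO, the
# *SECVALUE tables, RECURSE and the FILELIST_N / REMARKS_N / SEC_MOD_N
# companions - so a rule number reused by the config file cannot inherit
# attributes from the default rule of the same index.
# The config file is bash and is executed with this script's (normally
# root) privileges: it has to be as trusted and as protected as the script.
# Globals:   CONFIG_FILE (read); all rule tables (unset, then re-defined by
#            the sourced file)
#######################################
read_external_config() {
  if [[ ! -e $CONFIG_FILE ]]; then
    echo
    echo "External configuration file, $CONFIG_FILE, does not exist ... exiting $0" >&2
    exit 2
  fi
  unset RULENAME PACKAGES FILELIST REMARKS IGNORLST EMAILTO SEVERITY \
    BINSECVALUE ETCSECVALUE LOGSECVALUE RECURSE SEC_MOD
  unset "${!FILELIST_@}" "${!REMARKS_@}" "${!SEC_MOD_@}"
  # shellcheck disable=SC1090 -- user supplied rule definitions
  source "$CONFIG_FILE"
}

#######################################
# -u mode: write the policy text into /etc/tripwire and, on confirmation,
# run the tripwire policy update followed by an interactive check.
# The integrity check is only started when the policy update succeeded.
# Globals:   VERBOSE, DEBUGME (read); TRIPWIRE_CFG (written)
#######################################
mode_auto_update() {
  local self status answer
  self=$(basename "$0")
  if [[ ! -d /etc/tripwire ]]; then
    {
      echo 'Tripwire update function depends on existence of the directory /etc/tripwire'
      echo "Running $self with no parameters generates tripwire policy to STDOUT"
      echo 'Exiting.'
    } >&2
    exit 1
  fi
  TRIPWIRE_CFG=/etc/tripwire/twpol-$(date +%s).txt

  if [[ $VERBOSE == Yes ]]; then
    echo
    echo "Showing generation of $TRIPWIRE_CFG"
    echo
    echo 'After the policy file is generated, you will be prompted to'
    echo 'invoke tripwire to update the encrypted policy and database'
    echo
    echo 'Sleeping 10 seconds ...'
    [[ $DEBUGME == y ]] || sleep 10
    make_policy_text_file | tee "$TRIPWIRE_CFG"
  else
    echo "Generated tripwire policy being directed to $TRIPWIRE_CFG"
    echo 'This may take up to a few minutes ...'
    make_policy_text_file > "$TRIPWIRE_CFG"
  fi

  echo
  echo "Completed generation of $TRIPWIRE_CFG"
  echo
  echo 'To update encrypted tripwire policy file /etc/tripwire/tw.pol, run'
  echo "tripwire --update-policy --secure-mode low $TRIPWIRE_CFG"
  echo
  echo 'Then to acknowledge/accept resulting change to /etc/tripwire/tw.pol file, run'
  echo 'tripwire --check --interactive'
  echo
  printf 'Take those steps now? [y/N]: '
  read -r answer
  if [[ $answer == [yY] ]]; then
    echo
    if tripwire --update-policy --secure-mode low "$TRIPWIRE_CFG"; then
      echo
      echo 'Policy and Database files updated by `tripwire --update-policy` command'
      echo 'Starting interactive integrity check using `tripwire --check --interactive`'
      echo
      tripwire --check --interactive
    else
      status=$?
      echo
      echo "tripwire --update-policy exited with status $status; skipping the integrity check." >&2
      echo "The generated policy text remains in $TRIPWIRE_CFG" >&2
      exit "$status"
    fi
  else
    echo 'Skipping tripwire policy update and check operations. Goodbye.'
  fi
}

#######################################
# Default mode: policy text to stdout.  All messages go to stderr so they
# do not appear in redirected output: mktripwire.sh > twpol.txt
# Globals:   VERSION, DEBUGME (read)
#######################################
mode_echo_policy() {
  local self
  self=$(basename "$0")
  {
    echo "$self v. $VERSION"
    echo "Run $self with -u parameter to automate updating."
    echo 'Sleeping 5 seconds ...'
    echo
  } >&2
  [[ $DEBUGME == y ]] || sleep 5
  make_policy_text_file
}

#######################################
# Dispatch on the -u option.
# Globals:   UPDATETW (read)
#######################################
user_interface() {
  if [[ $UPDATETW == Yes ]]; then
    mode_auto_update
  else
    mode_echo_policy
  fi
}

#######################################
# Hidden debug mode: emit a single rule and nothing else.
# Arguments: $1 - rule number to process
# Globals:   DEBUGME, DEBUG_RULE_NUMBER, i (written)
# Outputs:   the rule text, bracketed by warnings, on stdout
#######################################
debug_one_rule() {
  local self
  self=$(basename "$0")
  DEBUGME=y
  DEBUG_RULE_NUMBER=$1
  i=$DEBUG_RULE_NUMBER
  echo
  echo " !! WARNING !! $self is in DEBUG Mode!"
  echo " !! WARNING !! Processing --ONLY-- RULENAME[${DEBUG_RULE_NUMBER}]"
  echo
  list_files
  echo
  echo " !! WARNING !! $self was in DEBUG Mode!"
  echo " !! WARNING !! Processed --ONLY-- RULENAME[${DEBUG_RULE_NUMBER}]"
}

#################################################################
# Invocation enters here
#################################################################

#######################################
# Parse the command line, load an external config if requested, honour the
# hidden "debug [rulenumber]" argument, check for equery and tripwire,
# then run the selected mode.
# Globals:   CONFIG_FILE, UPDATETW, PROGRESS, VERBOSE (written)
#######################################
main() {
  local option init_error_type
  while getopts :c:upvhV option; do
    case $option in
      c) CONFIG_FILE=$OPTARG ;;
      u) UPDATETW=Yes ;;
      p) PROGRESS=Yes ;;
      v) VERBOSE=Yes ;;
      h) recite_help ;;
      V) recite_ver; exit ;;
      *) recite_help ;;
    esac
  done
  shift $((OPTIND - 1))

  # If the user claims use of a config file, test and read it
  # Otherwise, show the warning that no default rule watches /var/log
  if [[ -n $CONFIG_FILE ]]; then
    read_external_config
  else
    var_log_warning
  fi

  # If the user has called for debugging of a rule,
  # generate output for just that rule, then exit
  if [[ $1 == debug ]]; then
    debug_one_rule "${2:-0}"
    exit
  fi

  # Test for presence of the programs "equery" and "tripwire", then run
  for init_error_type in equery tripwire; do
    hash "$init_error_type" 2> /dev/null || "${init_error_type}_error_exit"
  done
  user_interface
}

#################################################################
#################################################################
# Nothing But Junk Below
# Routine Might be Used to Create List of Package Names
#################################################################
SYSTEM_FILE_LIST=/root/system-files.txt

#######################################
# Unused: list the package names that make up the "system" set.
#######################################
list_system_files() {
  local pkg
  for pkg in $(EMERGE_DEFAULT_OPTS="" emerge -peq system | cut -d"]" -f2); do
    printf '%s\n' "$pkg"
    # equery files $pkg
  done
}
#echo Making list of system files ...

main "$@"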
#list_system_files > $SYSTEM_FILE_LIST