Attachment 253551 Details for Bug 344577 – Bash script to generate a twpol.txt file from lists of gentoo packages and lists of files

Bash script to generate a twpol.txt file from lists of gentoo packages and lists of files

mktripwire.sh (text/plain), 25.22 KB, created by c.cboldt on 2010-11-07 19:28:22 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: c.cboldt

Created: 2010-11-07 19:28:22 UTC

Size: 25.22 KB

patch

obsolete

>#! /bin/bash
>
># /root/bin/mktripwire.sh
># /etc/tripwire/mktripwire.sh
>
># A Gentoo-oriented Tripwire Policy Generator
># This script outputs tripwire policy against a Gentoo configuration
># This script depends on equery (from gentoolkit)
># This script probably only runs under a bash shell
># As of 07 Nov 2010, this script is a work in progress
># c.cboldt at gmail.com
>
># 0.0.1		# 101106 Sent to http://bugs.gentoo.org/show_bug.cgi?id=34662
>VERSION=0.0.2	# Added invocation parameters, help and version messages
>		# Added option to take RULENAME[], etc. from separate config file
>		# Added SEC_MOD variable array
>		# Added FILELIST_x[], REMARKS_x[], and SEC_MOD_x[] arrays
>		# Replaced XWINLIST[] and SKIPINOD[] arrays with FILELIST_x[] arrays
>		# Tripwire update mode default changed to not display
>		# Added options for terse and verbose progress reporting
>		# Added "hidden" debug mode (the word "debug" followed by optional rulenumber)
>		# Added default rules for Database (e.g., mysql) and Programming
>		# Added default rule for /var/log/*[g] filelist
>		# Added warning: default generated policy does not check /var/log directory
>
># TMP_FILE captures output of `equery -q files $packagename` command.
># This to avoid redundant invocations of `equery -q files` against each packagename.
>
>TMP_FILE=/tmp/mktripwire.tmp
>
># Generated layout is based on work by Darren Kirby <bulliver at badcomputer.org>
># File: tripwire.pol.gentoo  September 5, 2006
># http://bugs.gentoo.org/show_bug.cgi?id=34662
>#
># Darren Kirby's file was based on a tripwire policy for RedHat systems
># Policy file for Red Hat Linux : V1.2.0rh : August 9, 2001
>
># Improvements?	rationalize the footer / copyright message
>#		rationalize categories and security level settings
>#		confirm operation of emailto function
>#		more complete/useful packages lists
>#		better help messages and comments
>#		better error and condition checking
>#		 - needs bash, maybe some grep issues
>#		maybe more excludelists
>#		maybe automate creation of available package lists
>#		(but categorization here is radically different from Gentoo's "categories")
>
># PACKAGES[] lists can contain any non-ambiguous package name
># FILELIST[] lists can contain any file name, including wildcards
># The script checks whether or not a listed package or file exists.
>
># RULENAME[]	Unique Rule Name
># PACKAGES[]	Optional list of Gentoo package names under this Rule Name
># FILELIST[]	Optional lists of individual file names (wildcards okay)
># REMARKS[]	Optional Remarks associated with individual FileLists
># IGNORLST[]	Optional list of files to ignore under this Rule Name
># EMAILTO[]	defaults to empty - written rule-by-rule
># SEVERITY[]	defaults to SIG_HI	= severity=100
>#
># BINSECVALUE[]	defaults to SEC_CRIT	= $(IgnoreNone)-SHa
># ETCSECVALUE[]	defaults to SEC_CONFIG	= $(Dynamic)
># LOGSECVALUE[]	defaults to SEC_LOG	= $(Growing)
># RECURSE[]	defaults to empty - written file-by-file, applies only to directories
># SEC_MOD[]	defaults to empty - written file-by-file, DOES NOT APPLY TO DIRECTORIES
>
>#####  Start of Package and File Lists
>#####  Package Lists and Multiple File Lists may be combined under one rule
>
>RULENAME[0]='Tripwire Program Files'
>PACKAGES[0]='aide osiris tripwire'
>BINSECVALUE[0]=SEC_BIN
>
>RULENAME[1]='Invariant Directories'
>FILELIST[1]='/ /home /etc'
>REMARKS[1]='Commonly accessed directories that should remain static with regards to owner and group'
>SEVERITY[1]='SIG_MED'
>ETCSECVALUE[1]='SEC_INVARIANT'
>RECURSE[1]='(recurse = 0) '
>
>RULENAME[2]='Temporary Directories'
>FILELIST[2]='/usr/tmp /var/tmp /tmp'
>SEVERITY[2]='SIG_LOW'
>ETCSECVALUE[2]='SEC_INVARIANT'
>RECURSE[2]='(recurse = 0) '
>
>RULENAME[3]='[core|diff|find]utils procps'
>PACKAGES[3]='coreutils diffutils findutils procps'
>
>RULENAME[4]='Compression/Archiving Programs'
>PACKAGES[4]='tar bzip2 gzip zip unzip'
>
>RULENAME[5]='Networking Programs'
>PACKAGES[5]='net-tools iproute2 iputils iptables mgetty mingetty ppp wireshark nmap'
>
>RULENAME[6]='Miscellaneous Network Programs'
>PACKAGES[6]="tcpdump tcp-wrappers rsync samba distcc dhcpcd dnsmasq bind bind-tools \
> knock telnet-bsd"
>ETCSECVALUE[6]=SEC_CRIT
>
>RULENAME[7]='Hardware and Device Programs'
>PACKAGES[7]="udev pciutils util-linux sysvinit psmisc kbd hdparm smartmontools \
> lshw ethtool hotplug-base module-init-tools setserial dmraid"
>
>RULENAME[8]='Filesystem Programs'
>PACKAGES[8]="e2fsprogs progsreiserfs reiserfsprogs reiser4progs xfs nfs jfs \
> pax-utils sysfsutils autofs lvm2 mdadm"
>
>RULENAME[9]='Miscellaneous File Programs'
>PACKAGES[9]="gawk grep patch cpio file lsof gettext groff less man ncurses slang \
> sed slocate patchutils debianutils"
>
>RULENAME[10]='Toolchain Programs'
>PACKAGES[10]='gcc binutils glibc make autoconf automake'
>
>RULENAME[11]='Security Related Programs'
>PACKAGES[11]='shadow pam openssl openssh gnupg chkrootkit rkhunter'
>EMAILTO[11]='"root@localhost"'
>
>RULENAME[12]='Database Related Programs'
>PACKAGES[12]='mysql postgresql-server sqlite'
>
>RULENAME[13]='Programming Language Files'
>PACKAGES[13]='perl php python ruby swig tcl tk'
>
>RULENAME[14]='MTA Related Programs'
>PACKAGES[14]='sendmail postfix ssmtp mailx procmail dovecot clamav spamassassin'
>
>RULENAME[15]='P2P Related Programs'
>PACKAGES[15]='ejabberd jabberd jabberd2 mu-conference'
>
>RULENAME[16]='WWW Related Programs'
>PACKAGES[16]='apache bozohttpd lighttpd mini_httpd thttpd'
>
>RULENAME[17]='Shell Programs'
>PACKAGES[17]='bash zsh csh tcsh sash busybox screen'
>BINSECVALUE[17]=SEC_BIN
>
>RULENAME[18]='Editor Programs'
>PACKAGES[18]='nano joe vim ed emacs'
>
>RULENAME[19]='System Action and Logging'
>PACKAGES[19]="anacron bcron cronie dcron fcron incron vixie-cron xinetd \
> newsyslog rsyslog syslog-ng logrotate"
>
>RULENAME[20]='Boot Selector Programs'
>PACKAGES[20]='grub lilo'
>FILELIST[20]='/boot/* /lib/modules'
>REMARKS[20]='Contents of /boot directory are safer on an unmounted partition'
>
># some Gentoo packages install files in /lib/rcscripts/{awk,conf.d,net,sh}
>RULENAME[21]='Gentoo Specific Programs'
>PACKAGES[21]='portage portage-utils gentoolkit baselayout eix paludis'
>
>#####  End of package lists  #####
>#####  Some File Lists cribbed from RedHat policy file
>
># Some local config files can be found with this code snippet
># for i in `locate etc*[lL]ocal`
>#   do [ -z "`equery -q belongs -e $i`" ] && echo " $i \\"
># done
>
># find / -group kmem -perm -2000 -print # Finds SGID files, owned by kmem
># find /  -user root -perm -4000 -print # Finds SUID files, owned by root
>
>RULENAME[22]='Local Config Files'
>FILELIST[22]="/etc/bash/bashrc.local \
> /etc/dnsmasq-local.conf \
> /etc/host-local-block \
> /etc/host-banner-ads \
> /etc/hosts \
> /etc/hosts.allow \
> /etc/hosts.deny \
> /etc/dovecot/dovecot-local.conf \
> /etc/lilo.conf \
> /etc/lynx/lynx-site.cfg \
> /etc/ppp/chap-secrets \
> /etc/ppp/ip-up.d/00-local.sh \
> /etc/ppp/ip-down.d/00-local.sh \
> /etc/rkhunter.conf.local \
> /etc/screenrc-local \
> /etc/syslog-ng/syslog-local.conf \
> /etc/udev/rules.d/10-local.rules \
> /etc/env.d/00Local"
>
># Policy generator deals with interest in not opening devices (recursion)
># by applying the $(Device) policy for block and character special devices
># See "select_policy" routine
>
>RULENAME[23]='Critical Devices'
>FILELIST[23]="/dev/kmem /dev/mem /dev/null /dev/zero \
> /dev/log /dev/cua0 /dev/console \
> /dev/tty[123456789] /dev/tty1[012] \
> /dev/urandom /dev/initctl /proc/*"
>REMARKS[23]='RedHat config noted kmem, mem, null, zero. Also was recurse=false'
>
>RULENAME[24]='User Libraries'
>FILELIST[24]='/usr/lib /usr/local/lib'
>REMARKS[24]='Remainder of system libraries and binaries'
>SEVERITY[24]=SIG_MED
>BINSECVALUE[24]=SEC_BIN
>
>RULENAME[25]='Other OS Bin and Lib'
>FILELIST[25]='/bin /lib'
>BINSECVALUE[25]=SEC_BIN
>
>RULENAME[26]='User Bin Directories'
>FILELIST[26]='/sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin'
>SEVERITY[26]=SIG_MED
>RECURSE[26]='(recurse = 1) '
>
>RULENAME[27]='Log Files'
>FILELIST[27]='/var/log/*g'
>REMARKS[27]='Looking only at filenames that end with the letter "g"'
>SEVERITY[27]=SIG_MED
>SEC_MOD[27]='-il '
>
># Root User Directory Rule uses multiple filelists
># FILELIST_x variable names MUST be sequential, starting with "x" = "2"
># Available correlated variables are REMARKS_x and SEC_MOD_x
># Output approximately resembles RedHat legacy policy file
>
>RULENAME[28]='Root User Directory'
>REMARKS[28]='Config and files for console applications'
>FILELIST[28]="/root /root/bin /root/.ssh /root/.gnupg \
> /root/.bashrc /root/.bash_profile /root/.bash_logout \
> /root/.cshrc /root/.tcshrc /root/.screenrc \
> /root/.mc /root/.ncftp \
> /root/Mail /root/mail \
> /root/.pinerc /root/.pinepwd /root/.mailcap \
> /root/.addressbook.lu /root/.addressbook \
> /root/.amandahosts /root/.elm \
> /root/.config /root/.fltk /root/.links \
> /root/.esd_auth"
>
>REMARKS_2[28]='X-Windows should not be run as Root User!'
>FILELIST_2[28]="/root/.ICEauthority /root/.xsession-errors /root/.Xresources /root/.Xmodmap \
> /root/.fvwm /root/.fvwmrc \
> /root/.sawfish \
> /root/.gconf /root/.gconfd \
> /root/.gnome /root/.gnome_private /root/.gnome-desktop /root/.qt"
>
>REMARKS_3[28]='Files that change Inode number'
>FILELIST_3[28]="/root/.Xauthority"
>SEC_MOD_3[28]='-i '
>
>IGNORLST[28]="/root/.lesshst /root/.bash_history \
> /root/.aumixrc /root/.calc_history \
> /root/.enlightenment \
> /root/.fonts.cache-1 \
> /root/.lynx_cookies \
> /root/.sc_history \
> /root/.stack.wcd /root/.treedata.wcd /root/bin/wcd.go"
>
>RULENAME[29]='System Boot Changes'
>REMARKS[29]='Legacy from RedHat Policy File : These files change every time the system boots'
>FILELIST[29]='/var/lock/subsys /var/run /etc/ioctl.save /etc/.pwd.lock'
>REMARKS_2[29]='Files that change inode number'
>FILELIST_2[29]='/etc/mtab'
>SEC_MOD_2[29]='-i '
>
>RULENAME[30]='Security Control File'
>FILELIST[30]='/etc/security'
>ETCSECVALUE[30]='SEC_CRIT'
>
>###########  End Default Package Lists and RuleName Definitions
>
># "select_policy" routine runs each filename through a gauntlet, picking up
># a $Filetype handle depending on which attribute it matches last.
>
>select_policy ()
>{
>							   Filetype=Config
>  [ -n "`expr $targetfile : '$/etc/$'`" ]		&& Filetype=Config
>  [ -n "`expr $targetfile : '$/lib/$'`" ]		&& Filetype=Lib
>  [ -n "`expr $targetfile : '$/var/log$'`" ]		&& Filetype=Log
>  [ -n "`expr $targetfile : '$/root/$'`" ]		&& Filetype=RootFile
>  [ -n "`expr $targetfile : '$/lib/modules$'`" ]	&& Filetype=Kernel
>  [ -n "`file -b $targetfile | grep kernel`" ]		&& Filetype=Kernel
>  [ -n "`expr $targetfile : '$/dev/tty$'`" ]		&& Filetype=Tty
>  [ -x $targetfile ] 					&& Filetype=Bin
>  [ -b $targetfile ]					&& Filetype=Block
>  [ -c $targetfile ]	 				&& Filetype=Char
>  [ -d $targetfile ]					&& Filetype=Dir
>  [ $targetfile == "/root" ]				&& Filetype=RootDir
>  [ -u $targetfile ]					&& Filetype=SUID
>
>case $Filetype in
>  SUID	   )	echo "-> \$(SEC_SUID) ;"					;;
>  RootDir  )	echo "-> \$(SEC_CRIT) ; # Catch all additions to /root"		;;
>  RootFile )	echo "-> \$(${ETCSECVALUE[$i]:-SEC_CONFIG}) ${SEC_MOD[$i]};"	;;
>  Dir	   )	echo "-> \$(${ETCSECVALUE[$i]:-SEC_CONFIG}) ${RECURSE[$i]};"	;;
>  Bin	   )	echo "-> \$(${BINSECVALUE[$i]:-SEC_CRIT}) ${SEC_MOD[$i]};"	;;
>  Kernel   )	echo "-> \$(${BINSECVALUE[$i]:-SEC_CRIT}) ${SEC_MOD[$i]};"	;;
>  Tty      )	echo "-> \$(${BINSECVALUE[$i]:-SEC_TTY}) ${SEC_MOD[$i]};"	;;
>  Log	   )	echo "-> \$(${LOGSECVALUE[$i]:-SEC_LOG}) ${SEC_MOD[$i]};"	;;
>  Lib	   )	echo "-> \$(${BINSECVALUE[$i]:-SEC_CRIT}) ${SEC_MOD[$i]};"	;;
>  Config   )	echo "-> \$(${ETCSECVALUE[$i]:-SEC_CONFIG}) ${SEC_MOD[$i]};"	;;
>  Char	   )	echo "-> \$(Device) ;"						;;
>  Block	   )	echo "-> \$(Device) ;"						;;
>esac
>}
>
>make_header ()
>{
>echo
>echo "	#########################################################################"
>echo "	#									#"
>echo "	#                Tripwire Policy File for Gentoo Linux			#"
>echo "	#									#"
>echo "	#########################################################################"
>echo
>echo
>echo "	#		Generated by $0  Version $VERSION"
>echo "	#		`date '+%B %e, %Y at %R'`"
>echo "	#		http://bugs.gentoo.org/show_bug.cgi?id=34662"
>echo
>echo
>echo "	#########################################################################"
>echo "	#									#"
>echo "	#			Global Variable Definitions			#"
>echo "	#		 Established at install by portage/emerge		#"
>echo "	#									#"
>echo "	#########################################################################"
>echo
>echo '@@section GLOBAL'
>echo 'TWROOT="/usr/sbin" ;'
>echo 'TWBIN="/usr/sbin" ;'
>echo 'TWPOL="/etc/tripwire" ;'
>echo 'TWDB="/var/lib/tripwire" ;'
>echo 'TWSKEY="/etc/tripwire" ;'
>echo 'TWLKEY="/etc/tripwire" ;'
>echo 'TWREPORT="/var/lib/tripwire/report" ;'
>echo "HOSTNAME=\"`hostname`\" ;			# Should be the hostname of this system"
>echo
>echo '@@section FS'
>echo 'SEC_CRIT	= $(IgnoreNone)-SHa ;	# Critical files that cannot change'
>echo 'SEC_SUID	= $(IgnoreNone)-SHa ;	# Binaries with the SUID or SGID flags set'
>echo 'SEC_BIN		= $(ReadOnly) ;		# Binaries that should not change'
>echo 'SEC_CONFIG	= $(Dynamic) ;		# Config files that are changed infrequently'
>echo 'SEC_TTY		= $(Dynamic)-ugp ;	# Tty files change ownership at login'
>echo 'SEC_LOG		= $(Growing) ;		# Files that grow, should never change ownership'
>echo 'SEC_INVARIANT	= +tpug ;		# Directories that should never change permission or ownership'
>echo 'SIG_LOW		= 33 ;			# Non-critical files of minimal security impact'
>echo 'SIG_MED		= 66 ;			# Non-critical files of significant security impact'
>echo 'SIG_HI		= 100 ;			# Critical files - significant points of vulnerability'
>echo
>echo '# Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases'
>echo '('
>echo '  rulename = "Tripwire Data Files",'
>echo '  severity = $(SIG_HI)'
>echo ')'
>echo '{'
>echo '  # NOTE: inode attribute removed on policy and config files.'
>echo '  # When Tripwire creates a backup, it does so by renaming the old'
>echo '  # file and creating a new one (which will have a new inode number).'
>echo '  # Inode is left turned on for encryption key files.'
>echo
>echo '  # NOTE: Integrity checks will trigger this rule until a database'
>echo '  # update is run, because the database file does not exist before that point.'
>echo
>echo '  $(TWDB)				-> $(SEC_CONFIG) -i ;'
>echo '  $(TWPOL)/tw.pol			-> $(SEC_BIN) -i ;'
>echo '  $(TWPOL)/tw.cfg			-> $(SEC_BIN) -i ;'
>echo '  $(TWLKEY)/$(HOSTNAME)-local.key	-> $(SEC_BIN) ;'
>echo '  $(TWSKEY)/site.key			-> $(SEC_BIN) ;'
>echo
>echo '  # Do not scan the individual reports'
>echo '  $(TWREPORT)				-> $(SEC_CONFIG) (recurse = 0) ;'
>echo '}'
>}
>
>make_footer ()
>{
>echo
>echo '#============================================================================='
>echo '#'
>echo '# Parts are Copyright 2000 Tripwire, Inc.'
>echo '# Tripwire is a registered trademark of Tripwire,Inc.'
>echo '# (in the United States and other countries)'
>echo '# All rights reserved.'
>echo '#'
>echo '# Linux is a registered trademark of Linus Torvalds.'
>echo '#'
>echo '#============================================================================='
>echo '#'
>echo '# Permission is granted to make and distribute verbatim copies of this document'
>echo '# provided the copyright notice and this permission notice are preserved on all'
>echo '# copies.'
>echo '#'
>echo '# Permission is granted to copy and distribute modified versions of this'
>echo '# document under the conditions for verbatim copying, provided that the entire'
>echo '# resulting derived work is distributed under the terms of a permission notice'
>echo '# identical to this one.'
>echo '#'
>echo '#########      END of tripwire Policy Text File      #########'
>}
>
># -------   Cycle through RULENAME variables
>
># "make_tripwire_rules" routine cycles each RULENAME[*] list through "list_files"
>
>make_tripwire_rules ()
>{
>count=${#RULENAME[@]}
>  [ "$UPDATETW" == "Yes" -a "$PROGRESS" == "Yes" -a -z "$VERBOSE" ] && \
>  echo -n "${count} Rules:" >&2
>for (( i = 0 ; i < count ; i++ ))
>do
>  [ "$UPDATETW" == "Yes" -a "$PROGRESS" == "Yes" -a -z "$VERBOSE" ] && \
>  echo -n " $i" >&2
>#  echo -n " $[(10#${count}-$i)]" >&2
>  list_files
>done
>}
>
># "list_files" routine runs once for each RULENAME[]
>#   - make the header for the tripewire rule, including optional "emailto" field
>#   - print ignorefiles, if any
>#   - forward package names, if installed, to extract_package_filenames
>#   - forward filelists, if any, to process_filelist
>
>list_files ()
>{
>echo
>echo "################################################################"
>echo "# RuleName:  ${RULENAME[$i]}"
>[ -n "${PACKAGES[$i]}" ] && echo "# Packages:  ${PACKAGES[$i]}"
>[ -n "${FILELIST[$i]}" ] && echo "# FileNames: ${FILELIST[$i]}"
>echo "################################################################"
>echo $
>echo "  rulename = \"${RULENAME[$i]}\","
>echo -n "  severity = \$(${SEVERITY[$i]:-SIG_HI})"
>[ -n "${EMAILTO[$i]}" ] && echo -e ",\\n  emailto = ${EMAILTO[$i]}" || echo
>echo $
>echo \{
>
>[ -n "${IGNORLST[$i]}" ] && echo -e "\\n# ${RULENAME[$i]}: Ignore changes to these files"
>for targetfile in ${IGNORLST[$i]}
>  do [ -e "$targetfile" ] && echo "  !$targetfile ;"
>done
>
>for package in ${PACKAGES[$i]}
>  do equery -q files $package > $TMP_FILE
>  [ -s "$TMP_FILE" ] && extract_package_filenames
>done
>
>[ -n "${FILELIST[$i]}" ] && process_filelist
>
># Pseudo-two-dimesional array
># FLST, RMKS, and SCMD hold specific variable names.  E.g., FILELIST_2[26]
># The specific variable names are then indirectly expanded
>
>for j in {2..100}; do
>  FLST=FILELIST_$j[$i]
>  RMKS=REMARKS_$j[$i]
>  SCMD=SEC_MOD_$j[$i]
>  FILELIST[$i]="${!FLST}"
>  REMARKS[$i]="${!RMKS}"
>  SEC_MOD[$i]="${!SCMD}"
>  [ -n "${FILELIST[$i]}" ] && process_filelist  || break
>done
>
>echo \}
>}
>
># "process_filelist" routine is used only for filelists.
>#   - outputs remarks for the list, if any
>#   - calls for printing each filename and tripwire policy
>#   - blocks listing of directory entries from the /proc/* wildcard
>
>process_filelist ()
>{
>echo -e "\\n# ${RULENAME[$i]}: ${REMARKS[$i]}"
>for targetfile in ${FILELIST[$i]}
>  do  if [ -d "$targetfile" -a -n "`expr $targetfile : '$/proc/$'`" ]; then
>    true
>    elif [ -d "$targetfile" -a -n "`expr $targetfile : '$/lost+found$'`" ]; then
>    true
>    elif [ -e $targetfile ]; then
>    output_line
>    select_policy
>  fi
>done
>}
>
># "extract_package_filenames" routine is used only for package names.
># `equery` was used previously to obtain a list of all files installed by the package.
>#
># Only filenames with "bin/", "/etc/", or "/var/log/" are included in output.
># Adding "/lib/.*[.]s[ho]" adds substantial bulk to the generated policy file.
># Adding "/lib/rcscripts/[acns]" is Gentoo-centric (awk|conf.d|net|sh)
># Directory names and zero-size files are excluded from output.
>
>extract_package_filenames ()
>{
>echo
>echo "# ${RULENAME[$i]}: $package"
>echo
>
>for targetfile in `grep -e /etc/ -e bin/ -e /var/log/ $TMP_FILE`
>  do [ ! -d $targetfile -a -s $targetfile ] &&
>  {
>  output_line
>  select_policy
>  }
>done
>}
>
># "output_line" routine adds a variable number of tabs to obtain alignment
># The width of the targetfile name is increased by 2 to account for indent
># The maximum number of additional tabs is the digit after "10#"
># The width of the TAB is taken as 8 characters
>
>output_line ()
>{
>  MAKE_TABS=$[(10#4-(${#targetfile}+2)/8)]	# Calculate number of TABs
>  echo -n "  $targetfile"
>  echo -e -n \\t				# Output at least one TAB
>  for (( z = 0 ; z < MAKE_TABS ; z++ ))		# Up to five TABs
>  do
>    echo -e -n \\t
>  done
>}
>
>#################################################################
>#           Top Routine for Generating Policies			#
>#################################################################
>
>make_policy_text_file ()
>{
>make_header
>make_tripwire_rules
>make_footer
>}
>
>#################################################################
>#  Routines for the user interface
>#  Structure and functions should be clear on inspection
>#################################################################
>
>equery_error_exit ()
>{
>echo
>echo This script depends on equery to obtain meaningful output.
>echo On Gentoo, \`emerge gentoolkit\`
>exit 1
>}
>
>tripwire_error_exit ()
>{
>echo
>echo "This script has no known function aside from tripwire." 		>&2
>echo "         On Gentoo, \`emerge tripwire\`"				>&2
>echo "Continuing even though tripwire is not found on this system ..."	>&2
>echo
>[ "$DEBUGME" == "y" ] || sleep 5
>}
>
>var_log_warning ()
>{
>echo
>echo "   ###########       !!!!  WARNING  !!!!      ##############"
>echo "   #         Rules do NOT Watch /var/log directory         #"
>echo "   #         One rule watches /var/log/*[g] files          #"
>echo "   #########################################################"
>echo
>}
>
>recite_ver ()
>{
>echo
>echo "This is `basename $0` version $VERSION"
>echo "A Gentoo-oriented Tripwire Policy Generator"
>echo
>}
>
>recite_help ()
>{
>recite_ver
>echo "When invoked with no command-line parameter:"
>echo " - output from `basename $0` is directed to STDOUT"
>echo
>echo "When invoked with -u command line parameter:"
>echo " - output from `basename $0` is directed to a file in the /etc/tripwire directory"
>echo " - the command \`tripwire --update-policy\` is run using that file"
>echo " - the command \`tripwire --check --interactive\` is run"
>echo
>echo "Usage: `basename $0` [-c configfile] [-u[-p|-v]] [-h] [-V]"
>echo "	-c Read RULENAME[], PACKAGELIST[] and FILELIST[] from configfile"
>echo "	-u Invoke tripwire update after generating policy text file"
>echo "	-p Progress - display countdown as rulesets are processed"
>echo "	-v Verbose - display policy text generation"
>echo "	-h output this version and help information"
>echo "	-V output version information"
>echo
>exit
>}
>
>read_external_config ()
>{
>if [ -e "$CONFIG_FILE" ]; then
>  unset RULENAME
>  unset PACKAGES
>  unset FILELIST
>  unset REMARKS
>  unset IGNORLST
>  unset SEC_MOD
>  source "$CONFIG_FILE"
>else
>  echo
>  echo "External configuration file, $CONFIG_FILE, does not exist ... exiting $0"
>  exit 2
>fi
>}
>
>mode_auto_update ()
>{
>TRIPWIRE_CFG=/etc/tripwire/twpol-`date +%s`.txt
>
>if [ ! -d /etc/tripwire ]; then
>  echo Tripwire update function depends on existence of the directory /etc/tripwire
>  echo Running `basename $0` with no parameters generates tripwire policy to STDOUT
>  echo Exiting.
>  exit 1
>fi
>
>if [ "$VERBOSE" == "Yes" ]; then
>  echo
>  echo Showing generation of $TRIPWIRE_CFG
>  echo
>  echo After the policy file is generated, you will be prompted to
>  echo invoke tripwire to update the encrypted policy and database
>  echo
>  echo Sleeping 10 seconds ...
>  [ "$DEBUGME" == "y" ] || sleep 10
>  make_policy_text_file | tee $TRIPWIRE_CFG
>else
>  echo Generated tripwire policy being directed to $TRIPWIRE_CFG
>  echo This may take up to a few minutes ...
>  make_policy_text_file > $TRIPWIRE_CFG
>fi
>
>echo
>echo Completed generation of $TRIPWIRE_CFG
>echo
>echo To update encrypted tripwire policy file /etc/tripwire/tw.pol, run
>echo tripwire --update-policy --secure-mode low $TRIPWIRE_CFG
>echo
>echo Then to acknowledge/accept resulting change to /etc/tripwire/tw.pol file, run
>echo tripwire --check --interactive
>echo
>echo -n "Take those steps now? [y/N]: "
>read RUN_TRIPWIRE
>if [ "${RUN_TRIPWIRE,Y}" == "y" ]; then
>  echo
>  tripwire --update-policy --secure-mode low $TRIPWIRE_CFG
>  echo
>  echo Policy and Database files updated by \`tripwire --update-policy\` command
>  echo Starting interactive integrity check using \`tripwire --check --interactive\`
>  echo
>  tripwire --check --interactive
>else
>  echo Skipping tripwire policy update and check operations.  Goodbye.
>fi
>}
>
># When invoked without the -u parameter, the message below is sent to STDERR
># This message won't appear in redirected output: mktripwire.sh > twpol.txt
>
>mode_echo_policy ()
>{
>echo "`basename $0` v. $VERSION"					>&2
>echo "Run `basename $0` with -u parameter to automate updating."	>&2
>echo "Sleeping 5 seconds ..."						>&2
>echo
>[ "$DEBUGME" == "y" ] || sleep 5
>make_policy_text_file
>}
>
>user_interface ()
>{
>
>if [ "$UPDATETW" == "Yes" ]; then
>     mode_auto_update
>else mode_echo_policy
>fi
>}
>
>#################################################################
>#                   Invocation enters here
>#################################################################
>
># Process command line input
>
>while getopts :c:upvhV OPTION
>do
>  case $OPTION in
>    c	) CONFIG_FILE=$OPTARG	;;
>    u	) UPDATETW=Yes		;;
>    p	) PROGRESS=Yes		;;
>    v	) VERBOSE=Yes		;;
>    h	) recite_help		;;
>    V	) recite_ver; exit	;;
>    *	) recite_help		;;
>  esac
>done
>shift $(($OPTIND - 1))
>
># If the user claims use of a config file, test and read it
># Otherwise, show the waring that no default rule watches /var/log
>
>[ -n "$CONFIG_FILE" ] && read_external_config || var_log_warning
>
># If the user has called for debugging of a rule,
># generate output for just that rule, then exit
>
>[ "$1" == "debug" ] &&
>{
>DEBUGME=y
>DEBUG_RULE_NUMBER=${2:-0}		# optional selection of rulename to process
>i=$DEBUG_RULE_NUMBER
>echo
>echo "  !! WARNING !!  `basename $0` is in DEBUG Mode!"
>echo "  !! WARNING !!  Processing --ONLY-- RULENAME[${DEBUG_RULE_NUMBER}]"
>echo
>list_files
>echo
>echo "  !! WARNING !!  `basename $0` was in DEBUG Mode!"
>echo "  !! WARNING !!  Processed --ONLY-- RULENAME[${DEBUG_RULE_NUMBER}]"
>exit
>}
>
># Test for presence of the programs "equery" and "tripwire"
># Run the program
>
>for init_error_type in equery tripwire; do
>  hash $init_error_type 2> /dev/null || ${init_error_type}_error_exit
>done
>user_interface
>
>#################################################################
>#################################################################
>#		     Nothing But Junk Below
>#     Routine Might be Used to Create List of Package Names
>#################################################################
>
>SYSTEM_FILE_LIST=/root/system-files.txt
>
>list_system_files ()
>{
>for i in `EMERGE_DEFAULT_OPTS="" emerge -peq system | cut -d"]" -f2`; do
>  echo $i
>  # equery files $i
>done
>}
>
>#echo Making list of system files ...
>#list_system_files > $SYSTEM_FILE_LIST

Actions: View

Attachments on bug 344577: 253551 | 255079 | 255377 | 258758 | 259103