Gentoo's Bugzilla – Attachment 253551 Details for
Bug 344577
app-admin/tripwire: new helper script to generate tripwire policy file - twpol.txt
Attachment 253551 (mktripwire.sh)

Description: Bash script to generate a twpol.txt file from lists of gentoo packages and lists of files
Filename: mktripwire.sh
MIME Type: text/plain
Creator: c.cboldt
Created: 2010-11-07 19:28:22 UTC
Size: 25.22 KB
#! /bin/bash

# /root/bin/mktripwire.sh
# /etc/tripwire/mktripwire.sh

# A Gentoo-oriented Tripwire Policy Generator
# This script outputs tripwire policy against a Gentoo configuration
# This script depends on equery (from gentoolkit)
# This script probably only runs under a bash shell
# As of 07 Nov 2010, this script is a work in progress
# c.cboldt at gmail.com

# 0.0.1        # 101106 Sent to http://bugs.gentoo.org/show_bug.cgi?id=34662
VERSION=0.0.2  # Added invocation parameters, help and version messages
               # Added option to take RULENAME[], etc. from separate config file
               # Added SEC_MOD variable array
               # Added FILELIST_x[], REMARKS_x[], and SEC_MOD_x[] arrays
               # Replaced XWINLIST[] and SKIPINOD[] arrays with FILELIST_x[] arrays
               # Tripwire update mode default changed to not display
               # Added options for terse and verbose progress reporting
               # Added "hidden" debug mode (the word "debug" followed by optional rulenumber)
               # Added default rules for Database (e.g., mysql) and Programming
               # Added default rule for /var/log/*[g] filelist
               # Added warning: default generated policy does not check /var/log directory

# TMP_FILE captures output of `equery -q files $packagename` command.
# This is to avoid redundant invocations of `equery -q files` against each packagename.
# The script normally runs as root, so the scratch file is created with mktemp
# rather than at a fixed, predictable path in /tmp, and removed on exit.

TMP_FILE=$(mktemp /tmp/mktripwire.XXXXXX) || exit 1
trap 'rm -f "$TMP_FILE"' EXIT

# Generated layout is based on work by Darren Kirby <bulliver at badcomputer.org>
# File: tripwire.pol.gentoo September 5, 2006
# http://bugs.gentoo.org/show_bug.cgi?id=34662
#
# Darren Kirby's file was based on a tripwire policy for RedHat systems
# Policy file for Red Hat Linux : V1.2.0rh : August 9, 2001

# Improvements?  rationalize the footer / copyright message
#   rationalize categories and security level settings
#   confirm operation of emailto function
#   more complete/useful packages lists
#   better help messages and comments
#   better error and condition checking
#    - needs bash, maybe some grep issues
#   maybe more excludelists
#   maybe automate creation of available package lists
#     (but categorization here is radically different from Gentoo's "categories")

# PACKAGES[] lists can contain any non-ambiguous package name
# FILELIST[] lists can contain any file name, including wildcards
# The script checks whether or not a listed package or file exists.

# RULENAME[]     Unique Rule Name
# PACKAGES[]     Optional list of Gentoo package names under this Rule Name
# FILELIST[]     Optional lists of individual file names (wildcards okay)
# REMARKS[]      Optional Remarks associated with individual FileLists
# IGNORLST[]     Optional list of files to ignore under this Rule Name
# EMAILTO[]      defaults to empty - written rule-by-rule
# SEVERITY[]     defaults to SIG_HI = severity=100
#
# BINSECVALUE[]  defaults to SEC_CRIT = $(IgnoreNone)-SHa
# ETCSECVALUE[]  defaults to SEC_CONFIG = $(Dynamic)
# LOGSECVALUE[]  defaults to SEC_LOG = $(Growing)
# RECURSE[]      defaults to empty - written file-by-file, applies only to directories
# SEC_MOD[]      defaults to empty - written file-by-file, DOES NOT APPLY TO DIRECTORIES

##### Start of Package and File Lists
##### Package Lists and Multiple File Lists may be combined under one rule

RULENAME[0]='Tripwire Program Files'
PACKAGES[0]='aide osiris tripwire'
BINSECVALUE[0]=SEC_BIN

RULENAME[1]='Invariant Directories'
FILELIST[1]='/ /home /etc'
REMARKS[1]='Commonly accessed directories that should remain static with regards to owner and group'
SEVERITY[1]='SIG_MED'
ETCSECVALUE[1]='SEC_INVARIANT'
RECURSE[1]='(recurse = 0) '

RULENAME[2]='Temporary Directories'
FILELIST[2]='/usr/tmp /var/tmp /tmp'
SEVERITY[2]='SIG_LOW'
ETCSECVALUE[2]='SEC_INVARIANT'
RECURSE[2]='(recurse = 0) '

RULENAME[3]='[core|diff|find]utils procps'
PACKAGES[3]='coreutils diffutils findutils procps'

RULENAME[4]='Compression/Archiving Programs'
PACKAGES[4]='tar bzip2 gzip zip unzip'

RULENAME[5]='Networking Programs'
PACKAGES[5]='net-tools iproute2 iputils iptables mgetty mingetty ppp wireshark nmap'

RULENAME[6]='Miscellaneous Network Programs'
PACKAGES[6]="tcpdump tcp-wrappers rsync samba distcc dhcpcd dnsmasq bind bind-tools \
             knock telnet-bsd"
ETCSECVALUE[6]=SEC_CRIT

RULENAME[7]='Hardware and Device Programs'
PACKAGES[7]="udev pciutils util-linux sysvinit psmisc kbd hdparm smartmontools \
             lshw ethtool hotplug-base module-init-tools setserial dmraid"

RULENAME[8]='Filesystem Programs'
PACKAGES[8]="e2fsprogs progsreiserfs reiserfsprogs reiser4progs xfs nfs jfs \
             pax-utils sysfsutils autofs lvm2 mdadm"

RULENAME[9]='Miscellaneous File Programs'
PACKAGES[9]="gawk grep patch cpio file lsof gettext groff less man ncurses slang \
             sed slocate patchutils debianutils"

RULENAME[10]='Toolchain Programs'
PACKAGES[10]='gcc binutils glibc make autoconf automake'

RULENAME[11]='Security Related Programs'
PACKAGES[11]='shadow pam openssl openssh gnupg chkrootkit rkhunter'
EMAILTO[11]='"root@localhost"'

RULENAME[12]='Database Related Programs'
PACKAGES[12]='mysql postgresql-server sqlite'

RULENAME[13]='Programming Language Files'
PACKAGES[13]='perl php python ruby swig tcl tk'

RULENAME[14]='MTA Related Programs'
PACKAGES[14]='sendmail postfix ssmtp mailx procmail dovecot clamav spamassassin'

RULENAME[15]='P2P Related Programs'
PACKAGES[15]='ejabberd jabberd jabberd2 mu-conference'

RULENAME[16]='WWW Related Programs'
PACKAGES[16]='apache bozohttpd lighttpd mini_httpd thttpd'

RULENAME[17]='Shell Programs'
PACKAGES[17]='bash zsh csh tcsh sash busybox screen'
BINSECVALUE[17]=SEC_BIN

RULENAME[18]='Editor Programs'
PACKAGES[18]='nano joe vim ed emacs'

RULENAME[19]='System Action and Logging'
PACKAGES[19]="anacron bcron cronie dcron fcron incron vixie-cron xinetd \
              newsyslog rsyslog syslog-ng logrotate"

RULENAME[20]='Boot Selector Programs'
PACKAGES[20]='grub lilo'
FILELIST[20]='/boot/* /lib/modules'
REMARKS[20]='Contents of /boot directory are safer on an unmounted partition'

# some Gentoo packages install files in /lib/rcscripts/{awk,conf.d,net,sh}
RULENAME[21]='Gentoo Specific Programs'
PACKAGES[21]='portage portage-utils gentoolkit baselayout eix paludis'

##### End of package lists #####
##### Some File Lists cribbed from RedHat policy file

# Some local config files can be found with this code snippet
# for i in `locate etc*[lL]ocal`
#   do [ -z "`equery -q belongs -e $i`" ] && echo "    $i \\"
# done

# find / -group kmem -perm -2000 -print  # Finds SGID files, owned by kmem
# find / -user root -perm -4000 -print   # Finds SUID files, owned by root

RULENAME[22]='Local Config Files'
FILELIST[22]="/etc/bash/bashrc.local \
              /etc/dnsmasq-local.conf \
              /etc/host-local-block \
              /etc/host-banner-ads \
              /etc/hosts \
              /etc/hosts.allow \
              /etc/hosts.deny \
              /etc/dovecot/dovecot-local.conf \
              /etc/lilo.conf \
              /etc/lynx/lynx-site.cfg \
              /etc/ppp/chap-secrets \
              /etc/ppp/ip-up.d/00-local.sh \
              /etc/ppp/ip-down.d/00-local.sh \
              /etc/rkhunter.conf.local \
              /etc/screenrc-local \
              /etc/syslog-ng/syslog-local.conf \
              /etc/udev/rules.d/10-local.rules \
              /etc/env.d/00Local"

# Policy generator deals with interest in not opening devices (recursion)
# by applying the $(Device) policy for block and character special devices
# See "select_policy" routine

RULENAME[23]='Critical Devices'
FILELIST[23]="/dev/kmem /dev/mem /dev/null /dev/zero \
              /dev/log /dev/cua0 /dev/console \
              /dev/tty[123456789] /dev/tty1[012] \
              /dev/urandom /dev/initctl /proc/*"
REMARKS[23]='RedHat config noted kmem, mem, null, zero. Also was recurse=false'

RULENAME[24]='User Libraries'
FILELIST[24]='/usr/lib /usr/local/lib'
REMARKS[24]='Remainder of system libraries and binaries'
SEVERITY[24]=SIG_MED
BINSECVALUE[24]=SEC_BIN

RULENAME[25]='Other OS Bin and Lib'
FILELIST[25]='/bin /lib'
BINSECVALUE[25]=SEC_BIN

RULENAME[26]='User Bin Directories'
FILELIST[26]='/sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin'
SEVERITY[26]=SIG_MED
RECURSE[26]='(recurse = 1) '

RULENAME[27]='Log Files'
FILELIST[27]='/var/log/*g'
REMARKS[27]='Looking only at filenames that end with the letter "g"'
SEVERITY[27]=SIG_MED
SEC_MOD[27]='-il '

# Root User Directory Rule uses multiple filelists
# FILELIST_x variable names MUST be sequential, starting with "x" = "2"
# Available correlated variables are REMARKS_x and SEC_MOD_x
# Output approximately resembles RedHat legacy policy file

RULENAME[28]='Root User Directory'
REMARKS[28]='Config and files for console applications'
FILELIST[28]="/root /root/bin /root/.ssh /root/.gnupg \
              /root/.bashrc /root/.bash_profile /root/.bash_logout \
              /root/.cshrc /root/.tcshrc /root/.screenrc \
              /root/.mc /root/.ncftp \
              /root/Mail /root/mail \
              /root/.pinerc /root/.pinepwd /root/.mailcap \
              /root/.addressbook.lu /root/.addressbook \
              /root/.amandahosts /root/.elm \
              /root/.config /root/.fltk /root/.links \
              /root/.esd_auth"

REMARKS_2[28]='X-Windows should not be run as Root User!'
FILELIST_2[28]="/root/.ICEauthority /root/.xsession-errors /root/.Xresources /root/.Xmodmap \
                /root/.fvwm /root/.fvwmrc \
                /root/.sawfish \
                /root/.gconf /root/.gconfd \
                /root/.gnome /root/.gnome_private /root/.gnome-desktop /root/.qt"

REMARKS_3[28]='Files that change Inode number'
FILELIST_3[28]="/root/.Xauthority"
SEC_MOD_3[28]='-i '

IGNORLST[28]="/root/.lesshst /root/.bash_history \
              /root/.aumixrc /root/.calc_history \
              /root/.enlightenment \
              /root/.fonts.cache-1 \
              /root/.lynx_cookies \
              /root/.sc_history \
              /root/.stack.wcd /root/.treedata.wcd /root/bin/wcd.go"

RULENAME[29]='System Boot Changes'
REMARKS[29]='Legacy from RedHat Policy File : These files change every time the system boots'
FILELIST[29]='/var/lock/subsys /var/run /etc/ioctl.save /etc/.pwd.lock'
REMARKS_2[29]='Files that change inode number'
FILELIST_2[29]='/etc/mtab'
SEC_MOD_2[29]='-i '

RULENAME[30]='Security Control File'
FILELIST[30]='/etc/security'
ETCSECVALUE[30]='SEC_CRIT'

########### End Default Package Lists and RuleName Definitions

# "select_policy" routine runs each filename through a gauntlet, picking up
# a $Filetype handle depending on which attribute it matches last.

select_policy ()
{
  Filetype=Config
  [ -n "`expr $targetfile : '\(/etc/\)'`" ]        && Filetype=Config
  [ -n "`expr $targetfile : '\(/lib/\)'`" ]        && Filetype=Lib
  [ -n "`expr $targetfile : '\(/var/log\)'`" ]     && Filetype=Log
  [ -n "`expr $targetfile : '\(/root/\)'`" ]       && Filetype=RootFile
  [ -n "`expr $targetfile : '\(/lib/modules\)'`" ] && Filetype=Kernel
  [ -n "`file -b $targetfile | grep kernel`" ]     && Filetype=Kernel
  [ -n "`expr $targetfile : '\(/dev/tty\)'`" ]     && Filetype=Tty
  [ -x $targetfile ] && Filetype=Bin
  [ -b $targetfile ] && Filetype=Block
  [ -c $targetfile ] && Filetype=Char
  [ -d $targetfile ] && Filetype=Dir
  [ "$targetfile" == "/root" ] && Filetype=RootDir
  [ -u $targetfile ] && Filetype=SUID
  [ -g $targetfile ] && Filetype=SUID   # SGID gets the same SEC_SUID policy as SUID

case $Filetype in
  SUID )     echo "-> \$(SEC_SUID) ;" ;;
  RootDir )  echo "-> \$(SEC_CRIT) ; # Catch all additions to /root" ;;
  RootFile ) echo "-> \$(${ETCSECVALUE[$i]:-SEC_CONFIG}) ${SEC_MOD[$i]};" ;;
  Dir )      echo "-> \$(${ETCSECVALUE[$i]:-SEC_CONFIG}) ${RECURSE[$i]};" ;;
  Bin )      echo "-> \$(${BINSECVALUE[$i]:-SEC_CRIT}) ${SEC_MOD[$i]};" ;;
  Kernel )   echo "-> \$(${BINSECVALUE[$i]:-SEC_CRIT}) ${SEC_MOD[$i]};" ;;
  Tty )      echo "-> \$(${BINSECVALUE[$i]:-SEC_TTY}) ${SEC_MOD[$i]};" ;;
  Log )      echo "-> \$(${LOGSECVALUE[$i]:-SEC_LOG}) ${SEC_MOD[$i]};" ;;
  Lib )      echo "-> \$(${BINSECVALUE[$i]:-SEC_CRIT}) ${SEC_MOD[$i]};" ;;
  Config )   echo "-> \$(${ETCSECVALUE[$i]:-SEC_CONFIG}) ${SEC_MOD[$i]};" ;;
  Char )     echo "-> \$(Device) ;" ;;
  Block )    echo "-> \$(Device) ;" ;;
esac
}

make_header ()
{
echo
echo " #########################################################################"
echo " #                                                                       #"
echo " #                 Tripwire Policy File for Gentoo Linux                 #"
echo " #                                                                       #"
echo " #########################################################################"
echo
echo
echo " # Generated by $0 Version $VERSION"
echo " # `date '+%B %e, %Y at %R'`"
echo " # http://bugs.gentoo.org/show_bug.cgi?id=34662"
echo
echo
echo " #########################################################################"
echo " #                                                                       #"
echo " #                      Global Variable Definitions                      #"
echo " #               Established at install by portage/emerge                #"
echo " #                                                                       #"
echo " #########################################################################"
echo
echo '@@section GLOBAL'
echo 'TWROOT="/usr/sbin" ;'
echo 'TWBIN="/usr/sbin" ;'
echo 'TWPOL="/etc/tripwire" ;'
echo 'TWDB="/var/lib/tripwire" ;'
echo 'TWSKEY="/etc/tripwire" ;'
echo 'TWLKEY="/etc/tripwire" ;'
echo 'TWREPORT="/var/lib/tripwire/report" ;'
echo "HOSTNAME=\"`hostname`\" ;   # Should be the hostname of this system"
echo
echo '@@section FS'
echo 'SEC_CRIT      = $(IgnoreNone)-SHa ;  # Critical files that cannot change'
echo 'SEC_SUID      = $(IgnoreNone)-SHa ;  # Binaries with the SUID or SGID flags set'
echo 'SEC_BIN       = $(ReadOnly) ;        # Binaries that should not change'
echo 'SEC_CONFIG    = $(Dynamic) ;         # Config files that are changed infrequently'
echo 'SEC_TTY       = $(Dynamic)-ugp ;     # Tty files change ownership at login'
echo 'SEC_LOG       = $(Growing) ;         # Files that grow, should never change ownership'
echo 'SEC_INVARIANT = +tpug ;              # Directories that should never change permission or ownership'
echo 'SIG_LOW       = 33 ;                 # Non-critical files of minimal security impact'
echo 'SIG_MED       = 66 ;                 # Non-critical files of significant security impact'
echo 'SIG_HI        = 100 ;                # Critical files - significant points of vulnerability'
echo
echo '# Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases'
echo '('
echo '  rulename = "Tripwire Data Files",'
echo '  severity = $(SIG_HI)'
echo ')'
echo '{'
echo '  # NOTE: inode attribute removed on policy and config files.'
echo '  # When Tripwire creates a backup, it does so by renaming the old'
echo '  # file and creating a new one (which will have a new inode number).'
echo '  # Inode is left turned on for encryption key files.'
echo
echo '  # NOTE: Integrity checks will trigger this rule until a database'
echo '  # update is run, because the database file does not exist before that point.'
echo
echo '  $(TWDB)                            -> $(SEC_CONFIG) -i ;'
echo '  $(TWPOL)/tw.pol                    -> $(SEC_BIN) -i ;'
echo '  $(TWPOL)/tw.cfg                    -> $(SEC_BIN) -i ;'
echo '  $(TWLKEY)/$(HOSTNAME)-local.key    -> $(SEC_BIN) ;'
echo '  $(TWSKEY)/site.key                 -> $(SEC_BIN) ;'
echo
echo '  # Do not scan the individual reports'
echo '  $(TWREPORT)                        -> $(SEC_CONFIG) (recurse = 0) ;'
echo '}'
}

make_footer ()
{
echo
echo '#============================================================================='
echo '#'
echo '# Parts are Copyright 2000 Tripwire, Inc.'
echo '# Tripwire is a registered trademark of Tripwire,Inc.'
echo '# (in the United States and other countries)'
echo '# All rights reserved.'
echo '#'
echo '# Linux is a registered trademark of Linus Torvalds.'
echo '#'
echo '#============================================================================='
echo '#'
echo '# Permission is granted to make and distribute verbatim copies of this document'
echo '# provided the copyright notice and this permission notice are preserved on all'
echo '# copies.'
echo '#'
echo '# Permission is granted to copy and distribute modified versions of this'
echo '# document under the conditions for verbatim copying, provided that the entire'
echo '# resulting derived work is distributed under the terms of a permission notice'
echo '# identical to this one.'
echo '#'
echo '######### END of tripwire Policy Text File #########'
}

# ------- Cycle through RULENAME variables

# "make_tripwire_rules" routine cycles each RULENAME[*] list through "list_files"
# It iterates over the indices actually present, so a sparsely numbered
# external config file does not silently lose rules.

make_tripwire_rules ()
{
count=${#RULENAME[@]}
  [ "$UPDATETW" == "Yes" -a "$PROGRESS" == "Yes" -a -z "$VERBOSE" ] && \
    echo -n "${count} Rules:" >&2
for i in "${!RULENAME[@]}"
do
  [ "$UPDATETW" == "Yes" -a "$PROGRESS" == "Yes" -a -z "$VERBOSE" ] && \
    echo -n " $i" >&2
#   echo -n " $[(10#${count}-$i)]" >&2
  list_files
done
}

# "list_files" routine runs once for each RULENAME[]
#  - make the header for the tripwire rule, including optional "emailto" field
#  - print ignorefiles, if any
#  - forward package names, if installed, to extract_package_filenames
#  - forward filelists, if any, to process_filelist

list_files ()
{
echo
echo "################################################################"
echo "# RuleName:  ${RULENAME[$i]}"
[ -n "${PACKAGES[$i]}" ] && echo "# Packages:  ${PACKAGES[$i]}"
[ -n "${FILELIST[$i]}" ] && echo "# FileNames: ${FILELIST[$i]}"
echo "################################################################"
echo \(
echo "  rulename = \"${RULENAME[$i]}\","
echo -n "  severity = \$(${SEVERITY[$i]:-SIG_HI})"
[ -n "${EMAILTO[$i]}" ] && echo -e ",\\n  emailto = ${EMAILTO[$i]}" || echo
echo \)
echo \{

[ -n "${IGNORLST[$i]}" ] && echo -e "\\n# ${RULENAME[$i]}: Ignore changes to these files"
for targetfile in ${IGNORLST[$i]}
  do [ -e "$targetfile" ] && echo "  !$targetfile ;"
done

for package in ${PACKAGES[$i]}
  do equery -q files $package > $TMP_FILE
  [ -s "$TMP_FILE" ] && extract_package_filenames
done

[ -n "${FILELIST[$i]}" ] && process_filelist

# Pseudo-two-dimensional array
# FLST, RMKS, and SCMD hold specific variable names.  E.g., FILELIST_2[26]
# The specific variable names are then indirectly expanded
# The loop stops at the first missing FILELIST_x, which is why the
# suffixes must be sequential starting at 2.

for j in {2..100}; do
  FLST=FILELIST_$j[$i]
  RMKS=REMARKS_$j[$i]
  SCMD=SEC_MOD_$j[$i]
  FILELIST[$i]="${!FLST}"
  REMARKS[$i]="${!RMKS}"
  SEC_MOD[$i]="${!SCMD}"
  [ -n "${FILELIST[$i]}" ] && process_filelist || break
done

echo \}
}

# "process_filelist" routine is used only for filelists.
#  - outputs remarks for the list, if any
#  - calls for printing each filename and tripwire policy
#  - blocks listing of directory entries from the /proc/* wildcard

process_filelist ()
{
echo -e "\\n# ${RULENAME[$i]}: ${REMARKS[$i]}"
for targetfile in ${FILELIST[$i]}
  do if [ -d "$targetfile" -a -n "`expr $targetfile : '\(/proc/\)'`" ]; then
       true
     elif [ -d "$targetfile" -a -n "`expr $targetfile : '\(/lost+found\)'`" ]; then
       true
     elif [ -e $targetfile ]; then
       output_line
       select_policy
     fi
done
}

# "extract_package_filenames" routine is used only for package names.
# `equery` was used previously to obtain a list of all files installed by the package.
#
# Only filenames with "bin/", "/etc/", or "/var/log/" are included in output.
# Adding "/lib/.*[.]s[ho]" adds substantial bulk to the generated policy file.
# Adding "/lib/rcscripts/[acns]" is Gentoo-centric (awk|conf.d|net|sh)
# Directory names and zero-size files are excluded from output.

extract_package_filenames ()
{
echo
echo "# ${RULENAME[$i]}: $package"
echo

for targetfile in `grep -e /etc/ -e bin/ -e /var/log/ $TMP_FILE`
  do [ ! -d $targetfile -a -s $targetfile ] &&
     {
       output_line
       select_policy
     }
done
}

# "output_line" routine adds a variable number of tabs to obtain alignment
# The width of the targetfile name is increased by 2 to account for indent
# The maximum number of additional tabs is the digit after "10#"
# The width of the TAB is taken as 8 characters

output_line ()
{
  MAKE_TABS=$[(10#4-(${#targetfile}+2)/8)]   # Calculate number of TABs
  echo -n "  $targetfile"
  echo -e -n \\t                             # Output at least one TAB
  for (( z = 0 ; z < MAKE_TABS ; z++ ))      # Up to five TABs in total
  do
    echo -e -n \\t
  done
}

#################################################################
# Top Routine for Generating Policies                           #
#################################################################

make_policy_text_file ()
{
make_header
make_tripwire_rules
make_footer
}

#################################################################
# Routines for the user interface
# Structure and functions should be clear on inspection
#################################################################

equery_error_exit ()
{
echo
echo This script depends on equery to obtain meaningful output.
echo On Gentoo, \`emerge gentoolkit\`
exit 1
}

tripwire_error_exit ()
{
echo
echo "This script has no known function aside from tripwire." >&2
echo "  On Gentoo, \`emerge tripwire\`" >&2
echo "Continuing even though tripwire is not found on this system ..." >&2
echo
[ "$DEBUGME" == "y" ] || sleep 5
}

var_log_warning ()
{
echo
echo " ###########       !!!! WARNING !!!!        ##############"
echo " #   Rules do NOT Watch /var/log directory              #"
echo " #   One rule watches /var/log/*[g] files                #"
echo " #########################################################"
echo
}

recite_ver ()
{
echo
echo "This is `basename $0` version $VERSION"
echo "A Gentoo-oriented Tripwire Policy Generator"
echo
}

recite_help ()
{
recite_ver
echo "When invoked with no command-line parameter:"
echo "  - output from `basename $0` is directed to STDOUT"
echo
echo "When invoked with -u command line parameter:"
echo "  - output from `basename $0` is directed to a file in the /etc/tripwire directory"
echo "  - the command \`tripwire --update-policy\` is run using that file"
echo "  - the command \`tripwire --check --interactive\` is run"
echo
echo "Usage: `basename $0` [-c configfile] [-u[-p|-v]] [-h] [-V]"
echo "  -c  Read RULENAME[], PACKAGES[] and FILELIST[] from configfile"
echo "  -u  Invoke tripwire update after generating policy text file"
echo "  -p  Progress - display countdown as rulesets are processed"
echo "  -v  Verbose - display policy text generation"
echo "  -h  output this version and help information"
echo "  -V  output version information"
echo
exit
}

# Clear every default array (including the FILELIST_x/REMARKS_x/SEC_MOD_x sets)
# before sourcing the user's file, so that default severities, security values
# and secondary file lists cannot leak into the externally defined rules.

read_external_config ()
{
if [ -e "$CONFIG_FILE" ]; then
  unset RULENAME PACKAGES FILELIST REMARKS IGNORLST SEC_MOD \
        EMAILTO SEVERITY BINSECVALUE ETCSECVALUE LOGSECVALUE RECURSE
  for v in $(compgen -A variable | grep -E '^(FILELIST|REMARKS|SEC_MOD)_[0-9]+$'); do
    unset "$v"
  done
  source "$CONFIG_FILE"
else
  echo
  echo "External configuration file, $CONFIG_FILE, does not exist ... exiting $0"
  exit 2
fi
}

mode_auto_update ()
{
TRIPWIRE_CFG=/etc/tripwire/twpol-`date +%s`.txt

if [ ! -d /etc/tripwire ]; then
  echo Tripwire update function depends on existence of the directory /etc/tripwire
  echo Running `basename $0` with no parameters generates tripwire policy to STDOUT
  echo Exiting.
  exit 1
fi

if [ "$VERBOSE" == "Yes" ]; then
  echo
  echo Showing generation of $TRIPWIRE_CFG
  echo
  echo After the policy file is generated, you will be prompted to
  echo invoke tripwire to update the encrypted policy and database
  echo
  echo Sleeping 10 seconds ...
  [ "$DEBUGME" == "y" ] || sleep 10
  make_policy_text_file | tee $TRIPWIRE_CFG
else
  echo Generated tripwire policy being directed to $TRIPWIRE_CFG
  echo This may take up to a few minutes ...
  make_policy_text_file > $TRIPWIRE_CFG
fi

echo
echo Completed generation of $TRIPWIRE_CFG
echo
echo To update encrypted tripwire policy file /etc/tripwire/tw.pol, run
echo "    tripwire --update-policy --secure-mode low $TRIPWIRE_CFG"
echo
echo Then to acknowledge/accept resulting change to /etc/tripwire/tw.pol file, run
echo "    tripwire --check --interactive"
echo
echo -n "Take those steps now? [y/N]: "
read RUN_TRIPWIRE
if [ "${RUN_TRIPWIRE,,}" == "y" ]; then   # accept "y" or "Y"
  echo
  tripwire --update-policy --secure-mode low $TRIPWIRE_CFG
  echo
  echo Policy and Database files updated by \`tripwire --update-policy\` command
  echo Starting interactive integrity check using \`tripwire --check --interactive\`
  echo
  tripwire --check --interactive
else
  echo Skipping tripwire policy update and check operations.  Goodbye.
fi
}

# When invoked without the -u parameter, the message below is sent to STDERR
# This message won't appear in redirected output:  mktripwire.sh > twpol.txt

mode_echo_policy ()
{
echo "`basename $0` v. $VERSION" >&2
echo "Run `basename $0` with -u parameter to automate updating." >&2
echo "Sleeping 5 seconds ..." >&2
echo >&2
[ "$DEBUGME" == "y" ] || sleep 5
make_policy_text_file
}

user_interface ()
{

if [ "$UPDATETW" == "Yes" ]; then
  mode_auto_update
else mode_echo_policy
fi
}

#################################################################
# Invocation enters here
#################################################################

# Process command line input

while getopts :c:upvhV OPTION
do
  case $OPTION in
    c ) CONFIG_FILE=$OPTARG ;;
    u ) UPDATETW=Yes ;;
    p ) PROGRESS=Yes ;;
    v ) VERBOSE=Yes ;;
    h ) recite_help ;;
    V ) recite_ver; exit ;;
    * ) recite_help ;;
  esac
done
shift $(($OPTIND - 1))

# If the user claims use of a config file, test and read it
# Otherwise, show the warning that no default rule watches /var/log

[ -n "$CONFIG_FILE" ] && read_external_config || var_log_warning

# If the user has called for debugging of a rule,
# generate output for just that rule, then exit

[ "$1" == "debug" ] &&
{
DEBUGME=y
DEBUG_RULE_NUMBER=${2:-0}   # optional selection of rulename to process
i=$DEBUG_RULE_NUMBER
echo
echo " !! WARNING !! `basename $0` is in DEBUG Mode!"
echo " !! WARNING !! Processing --ONLY-- RULENAME[${DEBUG_RULE_NUMBER}]"
echo
list_files
echo
echo " !! WARNING !! `basename $0` was in DEBUG Mode!"
echo " !! WARNING !! Processed --ONLY-- RULENAME[${DEBUG_RULE_NUMBER}]"
exit
}

# Test for presence of the programs "equery" and "tripwire"
# Run the program

for init_error_type in equery tripwire; do
  hash $init_error_type 2> /dev/null || ${init_error_type}_error_exit
done
user_interface

#################################################################
#################################################################
# Nothing But Junk Below
# Routine Might be Used to Create List of Package Names
#################################################################

SYSTEM_FILE_LIST=/root/system-files.txt

list_system_files ()
{
for i in `EMERGE_DEFAULT_OPTS="" emerge -peq system | cut -d"]" -f2`; do
  echo $i
# equery files $i
done
}

#echo Making list of system files ...
#list_system_files > $SYSTEM_FILE_LIST
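The -c option sources an external file that defines the same RULENAME[], FILELIST[], FILELIST_x[] and related arrays as the defaults in the script. Added here as an example (not part of the attachment): a constructed config containing two mistakes the generator would otherwise let through silently, a gap in the FILELIST_x numbering (list_files stops at the first missing suffix) and a duplicate rule name (the script requires rule names to be unique), together with helper functions, with assumed names, that catch both before the file is used.

```shell
#!/bin/bash
# Constructed sample config for `mktripwire.sh -c <file>`.  The array names are
# the ones the attached script sources; the check_* helpers are an added
# illustration with assumed names, not part of the attachment.

RULENAME[0]='Local Web Content'
FILELIST[0]='/var/www/localhost/htdocs /etc/apache2/vhosts.d'
REMARKS[0]='Site config and static content'
ETCSECVALUE[0]='SEC_CRIT'

RULENAME[1]='Root User Directory'
FILELIST[1]='/root/.ssh /root/.gnupg'
REMARKS_2[1]='Shell startup files'
FILELIST_2[1]='/root/.bashrc /root/.bash_profile'
REMARKS_4[1]='Suffix 3 was skipped, so the generator never reaches this list'
FILELIST_4[1]='/root/.screenrc'
IGNORLST[1]='/root/.bash_history /root/.lesshst'

RULENAME[2]='Root User Directory'   # duplicate of rule 1's name
FILELIST[2]='/root/bin'

# count_filelists RULE: number of file lists the generator will emit for RULE,
# i.e. FILELIST[RULE] plus the unbroken run of FILELIST_2, FILELIST_3, ...
count_filelists () {
    local i=$1 j=2 n=0 name
    [ -n "${FILELIST[$i]}" ] && n=1
    while [ "$j" -le 100 ]; do
        name="FILELIST_$j[$i]"
        [ -n "${!name}" ] || break        # same early exit as list_files()
        n=$((n + 1)); j=$((j + 1))
    done
    echo "$n"
}

# dropped_filelists RULE: suffixes that are defined but sit after a gap, so
# the generator's `|| break` discards them without any message.
dropped_filelists () {
    local i=$1 j=2 gap=0 name out=""
    while [ "$j" -le 100 ]; do
        name="FILELIST_$j[$i]"
        if [ -z "${!name}" ]; then
            gap=1
        elif [ "$gap" -eq 1 ]; then
            out="$out $j"
        fi
        j=$((j + 1))
    done
    echo "${out# }"
}

# duplicate_rulenames: rule names that occur more than once in RULENAME[]
duplicate_rulenames () {
    printf '%s\n' "${RULENAME[@]}" | sort | uniq -d
}

# check_config: returns 0 when the config is safe to hand to mktripwire.sh,
# otherwise prints one diagnostic per problem on stderr and returns 1.
check_config () {
    local rc=0 i d
    for i in "${!RULENAME[@]}"; do
        d=$(dropped_filelists "$i")
        [ -z "$d" ] || { echo "rule $i (${RULENAME[$i]}): FILELIST_{$d} never processed" >&2; rc=1; }
    done
    d=$(duplicate_rulenames)
    [ -z "$d" ] || { echo "duplicate rulename(s): $d" >&2; rc=1; }
    return $rc
}
```

Run `check_config` against a config before passing it with -c; with the sample above it reports the unreachable FILELIST_4 for rule 1 and the duplicated rule name.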