Ran into tripwire while experimenting with security tools. Looked for a Gentoo-centered twpol.txt policy file, and found only bug reports, etc. Made a tripwire policy file generating script for my own use. The generated policy file is accepted by tripwire config. Might be reinventing the wheel here.
Created attachment 253551
Bash script to generate a twpol.txt file from lists of gentoo packages and lists of files
Created attachment 255079
Bash script to generate a twpol.txt file from lists of gentoo packages and lists of files

Significant, but incremental improvements to script. Faster, by far, using qlist instead of equery. Adjustments to policies made based on testing, including through reboot on one system.
Created attachment 255377
Bash script to generate a twpol.txt file from lists of gentoo packages and lists of files

Same helper script as mktripwire.sh, renamed to better indicate its function. Fixed a few bugs, rearranged to (hopefully) simplify use. The script will call twinstall.sh if the wrong order of script invocation is attempted. Reads tw.cfg for most local variables, falls back to twcfg.txt file if tw.cfg is absent and the user hasn't deleted the plain text configuration file. Added more substance around the facility to adapt the script to other package managers. Provided a bit more flexibility in rules, added notice of softlinks.
The policy-generating script, mktwpol.sh 0.0.4, has a few bugs itself. In addition to fixing what I find broken, I'm still tinkering with various aspects of the script. I've found it takes a day or more to obtain alarms relating to routine system activity. As alarms surface, I'm adjusting the script to write policies to accommodate routine system activity. Rather than upload a series of revised scripts, I'm just noting that it's still evolving. I'll provide a current/revised script either on request, or on my own volition when the pace of changes slows.
(In reply to comment #4)
> The policy-generating script, mktwpol.sh 0.0.4, has a few bugs itself. In
> addition to fixing what I find broken...

Thanks for this great script. There is a bug that creates two entries for the file "/etc/hosts" in the generated twpol.txt. Thus this leads to failure when updating the policy file. One entry is created under:
# Gentoo Specific Programs: baselayout
/etc/hosts -> $(Dynamic) ;
and the other entry is under:
# Local Config Files:
/etc/hosts -> $(ReadOnly) ;
(In reply to comment #5)
> Thanks for this great script. There is a bug that creates two entry for the
> file "/etc/hosts" in generated twpol.txt. Thus this leads to fail updating
> policy file.
> One entry is is created under :
> # Gentoo Specific Programs: baselayout
> /etc/hosts -> $(Dynamic) ;

Thank you for the compliment and note. What version of baselayout have you installed? baselayout-1.12.14-r1 doesn't install an /etc/hosts file, which is probably why I manually put one in under "Local Config Files." It puts an example at /usr/share/baselayout/hosts.

The "current edition" of the script checks for dupes, but I think it would miss this one because dupe checking is against package names (and separately, individually listed filenames), not against the contents of package names.

The "current edition" forked into two scripts, one with all sorts of bells and whistles. The bloated one tends to addition of a tmpwatch routine associated with running tripwire (ostensibly in /etc/cron.daily/tripwire.cron, to keep the report directory pruned), tolerates operation before running "twinstall.sh," and is designed to be extensible to package managers like rpm, pacman (Arch Linux), dpkg (Debian) and pkg_info (FreeBSD). The other version skips the front-end "installation related" error checking, adding the tmpwatch routine, and flexibility across package managers. No longer depending on "qlist," it looks directly at the /var/db/pkg/${package}-[0-9]*/CONTENTS files, installed by Gentoo's package manager. Both versions have a number of significant "speedup" changes, and both versions now resort to a config file if one exists, even if not named on the command line.

At some point, I was fixing to upload one or the other, maybe both. I've not made many changes in the last two weeks.
(In reply to comment #6)
> What version of baselayout have you installed?

sys-apps/baselayout-2.0.1-r1
(In reply to comment #7)
> (In reply to comment #6)
> > What version of baselayout have you installed?
> sys-apps/baselayout-2.0.1-r1

Both versions involved, 1.12.14-r1 and 2.0.1-r1, have an /etc/hosts file in the package. If I'm getting the ebuild file logic, 1.12.14-r1 unconditionally relocates that file, and a few others, to /usr/share/baselayout. The move reproduced below happens before the "install" moves files from portage working directories to the system working directories:

# Install some files to /usr/share/baselayout instead of /etc to keep from
# (1) overwriting the user's settings, (2) screwing things up when
# attempting to merge files, (3) accidentally packaging up personal files
# with quickpkg
mv "${D}"/etc/{passwd,shadow,group,fstab,hosts,issue.devfix} "${D}"/usr/share/baselayout
...

Later, the ebuild will conditionally copy /usr/share/baselayout/hosts to /etc, with the condition being absence of an /etc/hosts file.

I don't fully follow the logic in baselayout-2.0.1-r1.ebuild, but it does not single out /etc/hosts, even where the script handles a few basic config files:

for x in master.passwd passwd shadow group fstab ; do
    [ -e "${ROOT}etc/${x}" ] && continue
...

So, under 1.12.14-r1, /etc/hosts might originate with baselayout, and might not. Under 2.0.1-r1, I think /etc/hosts originates with baselayout - maybe unintentionally (a bug), but regardless, it seems the intention is to allow baselayout to install /etc/hosts if none exists.

My inclination is to add a test so that installation of /etc/hosts by a package is ignored; meaning the /etc/hosts file has to be listed in a FILELIST[] variable, as it is now under "Local Configuration Files." That would resolve the duplication, and would impose the more strict tripwire test appearing under "Local Configuration Files."

Thanks again for the bug report.
Created attachment 258758
Bash script to generate a twpol.txt file from lists of gentoo packages and lists of files

# Fixed bug affecting QUERY_PACKAGE commands having three or more words
# Fixed bug where SUID/SGID directory forced a rule with complete recursion
# Added check for duplicate entries in PACKAGES[] and FILELIST[]
# Numerous changes to comments, progress output, etc.
# Temporary working data moved from TMP_FILE to tmp_array[] variable
# Reads tw.cfg (or twcfg.txt) just one time to obtain the tripwire variables
# Eliminated most "sleep" pauses. User can scroll up if inclined.
# Directed most `echo` output to STDERR to keep it visible to user
# Changed logic relating to script configuration file(s)
#   - with no config line parm, seeks (optional) $TWCFG_DIR/mktwpol.cfg
#   - keep default RULENAME[] suite if config file does not set a RULENAME
#   - keep default RULENAME[] suite if config file asserts KEEP_DEFAULT_RULES
# Added ${FOLD} variable for text-wrap command. Defaults to "fmt -u"
# Added "Skip packages" switch to skip looking for package contents
# Added EXCEPT[] and SEC_EX[] facility to cherry-pick files from wildcard
# Substituted bash script equivalent for grep, in process_packagename
# Forked into "mktwpol.sh" and "mktwpol-generic.sh"
#   - mktwpol-generic.sh is bloated, adaptable to systems other than Gentoo
# Separated "query_distro" into its own subroutine
# Added working QUERY_PACKAGE command for paludis
# More informative output when QUERY_PACKAGE program is not found
# Directed STDERR of QUERY_PACKAGE command to /dev/null
# Added "Append tmpwatch to cronjob" function and switch
# Added ${TMPWATCH_AGE} variable. Defaults to "168" (hours)
#   - mktwpol.sh reads Gentoo /var/lib/db/*/*/CONTENTS files
#   - mktwpol.sh eliminates interaction with twinstall, many comments

Posted just the short version, mktwpol.sh, with version (03JAN11) based on date instead of number.
Hopefully resolves the issue with duplicate /etc/hosts entries - script ignores /etc/hosts as installed by a package.
(In reply to comment #9)
> Created an attachment (id=258758)
> ...Posted just the short version, mktwpol.sh, with version (03JAN11) based on date
> instead of number. Hopefully resolves the issue with duplicate /etc/hosts
> entries - script ignores /etc/hosts as installed by a package.

Now there is another bug that creates two entries for the file "/etc/env.d/20php5.3" in the generated twpol.txt. Thus this leads to failure when updating the policy file. One entry is created under:
# Programming Languages: */php
/etc/env.d/20php5.3 -> $(Dynamic) ;
and the other entry is under:
# WWW Related Programs: dev-lang/php
/etc/env.d/20php5.3 -> $(Dynamic) ;
(In reply to comment #10)
> (In reply to comment #9)
> > Created an attachment (id=258758)
> > ...Posted just the short version, mktwpol.sh, with version (03JAN11) ...
> Now there is another bug that creates two entry for the
> file "/etc/env.d/20php5.3" in generated twpol.txt. Thus this leads to fail
> updating policy file.
> One entry is is created under :
> # Programming Languages: */php
> /etc/env.d/20php5.3 -> $(Dynamic) ;
>
> and the other entry is under:
> # WWW Related Programs: dev-lang/php
> /etc/env.d/20php5.3 -> $(Dynamic) ;

Guess you can tell I don't have PHP installed. I removed the entry under "Programming Languages." In the script, this is the revised line:

PACKAGES[13]='perl dev-lang/python ruby swig tcl tk'

Built-in dupe checker doesn't catch it, because one entry was "php", and the other is "dev-lang/php".
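An added illustration of the duplicate problem discussed in comments #5 through #11 (not the script from the attachments): rules are generated from constructed CONTENTS excerpts in the /var/db/pkg layout, /etc/hosts is left to the hand-written "Local Config Files" section, and a second rule for a path that already has one is dropped with a notice on STDERR, which catches the "php" versus "dev-lang/php" case that a name-based dupe check misses. The SAMPLE_* data, section names and helper functions are assumptions for this example.

```shell
#!/bin/sh
# Constructed CONTENTS excerpts standing in for /var/db/pkg/<cat>/<pkg>/CONTENTS
# (obj <path> <md5> <mtime>, sym <path> -> <target> <mtime>, dir <path>).
SAMPLE_BASELAYOUT='dir /etc
obj /etc/hosts 00000000000000000000000000000000 1293800000
obj /etc/fstab 00000000000000000000000000000000 1293800000'
SAMPLE_PHP='obj /etc/env.d/20php5.3 00000000000000000000000000000000 1293800000
sym /usr/bin/php -> php5.3 1293800000'

SEEN_FILE=$(mktemp)            # paths that already have a rule
trap 'rm -f "$SEEN_FILE"' EXIT

# Return 0 if $1 already has a rule; otherwise record it and return 1.
already_seen() {
    grep -qxF -- "$1" "$SEEN_FILE" && return 0
    printf '%s\n' "$1" >>"$SEEN_FILE"
    return 1
}

# Emit tripwire rules for one package's CONTENTS text ($2) under section
# comment $1 with property mask $3.  /etc/hosts is skipped because it is
# listed by hand under "Local Config Files"; a path already emitted for an
# earlier package (or the same package under a second name) is skipped with
# a notice on STDERR; softlinks get a comment so they are easy to spot.
contents_to_rules() {
    section=$1 contents=$2 mask=$3
    printf '# %s\n' "$section"
    printf '%s\n' "$contents" | while read -r type path rest; do
        case "$type" in obj|sym|dir) ;; *) continue ;; esac
        [ "$path" = /etc/hosts ] && continue
        if already_seen "$path"; then
            printf 'duplicate skipped under "%s": %s\n' "$section" "$path" >&2
            continue
        fi
        [ "$type" = sym ] && printf '# softlink: %s\n' "$path"
        printf '%s -> %s ;\n' "$path" "$mask"
    done
}

# The thread's two collisions: /etc/hosts shipped by baselayout, and php
# listed under both "Programming Languages" and "WWW Related Programs".
generate_policy() {
    : >"$SEEN_FILE"
    contents_to_rules 'Gentoo Specific Programs: baselayout' "$SAMPLE_BASELAYOUT" '$(Dynamic)'
    contents_to_rules 'WWW Related Programs: dev-lang/php' "$SAMPLE_PHP" '$(Dynamic)'
    contents_to_rules 'Programming Languages: php' "$SAMPLE_PHP" '$(Dynamic)'
    printf '# Local Config Files:\n%s -> %s ;\n' /etc/hosts '$(ReadOnly)'
}
generate_policy
```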
Created attachment 259103
Bash script to generate a twpol.txt file from lists of gentoo packages and lists of files

Version 06JAN11
Removed duplicate "php" entries
Changed method of filtering "/etc/hosts" from package files
(In reply to comment #12)
> Created an attachment (id=259103)...
> Version 06JAN11

Thanks. Now it works great. No more duplicate entries.
CC'ing new maintainers / proxies. @Security, is there a reason this is assigned to you? If not I'll change it to one of us.
(In reply to comment #14)
> @Security, is there a reason this is assigned to you? If not I'll change it to
> one of us.

No reason. It is all yours. Thank you.
Noting a bit of activity as maintainers shift around, I want to let you know that the helper scripts have undergone some slight evolution since they were last posted. If, at some future point in time, there is an intention to include a helper script in the tripwire ebuild, let me know and I'll upload whatever I have currently running on my system.

Changes since January:
Added "Include Executables" command line switch
Added some, corrected some, shuffled some package names
Marking this bug as duplicate of bug 34662. c.cboldt@gmail.com: Thanks for your script. Can you post the last version in bug 34662?
*** This bug has been marked as a duplicate of bug 34662 ***