diff options
| author | Cy Schubert <cy@FreeBSD.org> | 2002-03-01 01:47:15 +0000 |
|---|---|---|
| committer | Cy Schubert <cy@FreeBSD.org> | 2002-03-01 01:47:15 +0000 |
| commit | a6459ea267edc65be49643d7dbaf21aef748a6b9 (patch) | |
| tree | 95c3922ca5d84f1fd08078adc3c6a6a1b808cccc /security | |
| parent | First step towards a working port. (diff) | |
Update from 1.2 (academic source release) to 2.3.1-2 (open source Linux
release). In relation to Tripwire 1.x, 2.x is a complete rewrite.
PR: ports/29137
Submitted by: nectar (first review), cjc (second review)
Notes
Notes:
svn path=/head/; revision=55363
Diffstat (limited to 'security')
21 files changed, 1653 insertions, 645 deletions
diff --git a/security/tripwire/Makefile b/security/tripwire/Makefile index da6b7a126b8c..88386a14a4f8 100644 --- a/security/tripwire/Makefile +++ b/security/tripwire/Makefile @@ -1,61 +1,105 @@ -# New ports collection makefile for: tripwire -# Date created: 31 Mar 1997 -# Whom: Joe Greco <jgreco@ns.sol.net> +# New ports collection makefile for: tripwire 2.3.1 +# Date created: Tue Mar 6 06:57:58 PST 2001 +# Whom: Cy Schubert <Cy.Schubert@uumail.gov.bc.ca> # # $FreeBSD$ # PORTNAME= tripwire -PORTVERSION= 1.2 +PORTVERSION= 2.3.1.2 CATEGORIES= security -MASTER_SITES= ftp://ftp.fu-berlin.de/unix/security/tripwire/ -EXTRACT_SUFX= .tar.Z +MASTER_SITES= http://download.sourceforge.net/tripwire/ +DISTNAME= tripwire-2.3.1-2 -MAINTAINER= jgreco@ns.sol.net +MAINTAINER= Cy.Schubert@osg.gov.bc.ca -MAN5= tw.config.5 -MAN8= siggen.8 tripwire.8 -NO_CDROM= "cannot be redistributed for more than the cost of duplication" +MAN5= twfiles.5 twconfig.5 twpolicy.5 +MAN8= siggen.8 tripwire.8 twadmin.8 twintro.8 twprint.8 NO_PACKAGE= "requires local database to be built" RESTRICTED= "contains crypto class algorithms" +WRKSRC= ${WRKDIR}/${DISTNAME} +BUILD_WRKSRC= ${WRKSRC}/src +USE_GMAKE= yes +ALL_TARGET= release +MAKE_ARGS= SYSPRE=${ARCH}-unknown-freebsd +IS_INTERACTIVE= yes -TWCONFIG?= ${FILESDIR}/tw.conf.freebsd2 +# Tripwire config files are stored in TWCFG +TWCFG?= /usr/local/etc/tripwire +# Tripwire policy files are stored in TWPOLICY. +TWPOLICY?= ${TWCFG} +# The Tripwire site key files are stored in TWSITEKEYDIR. +TWSITEKEYDIR?= ${TWPOLICY} +# The Tripwire local key files are stored in TWLOCALKEYDIR. +TWLOCALKEYDIR?= ${TWPOLICY} +# Tripwire database files are stored in TWDB. +TWDB?= /var/db/tripwire +# Tripwire report files are stored in TWREPORT. +TWREPORT?= ${TWDB}/report +# This sets the default text editor for Tripwire. +TWEDITOR?= /usr/bin/vi +# This sets the location of the twpol.txt file that is to be installed +TWPOL_TXT?= ${FILESDIR}/twpol.txt +# Other variables that are used: +TRIPWIRE_CLOBBER?= NO +# If TRIPWIRE_CLOBBER is set to YES, the install script clobbers +# previously installed config files. -post-extract: - @ (cd ${WRKDIR}; tar xpf T1.2.tar) - -post-patch: - @${PERL} -pi -e 's|/secureplace/bin|${PREFIX}/bin|g;' \ - -e 's|/usr/man|${PREFIX}/man|g;' ${WRKSRC}/Makefile +.include <bsd.port.pre.mk> pre-configure: - @ ${CP} ${FILESDIR}/conf-freebsd2.h ${WRKSRC}/configs - @ ${SED} s%/kernel%`sysctl -bn kern.bootfile`% \ - < ${TWCONFIG} \ - > ${WRKSRC}/configs/tw.conf.freebsd2 - -post-install: - @ ${MKDIR} /var/adm/tcheck - @ ${CP} ${TWCONFIG} /var/adm/tcheck/tw.config - # Creating tripwire database + @ ${CP} ${TWPOL_TXT} ${WRKSRC}/policy/twpol.txt + @ ${MV} ${WRKSRC}/src/core/stdcore.h ${WRKSRC}/src/core/stdcore.h.orig + @ ${SED} 's%^# define CONFIG_FILE_ROOT "/usr/local/etc/tripwire"%# define CONFIG_FILE_ROOT "${TWCFG}"%' ${WRKSRC}/src/core/stdcore.h.orig > ${WRKSRC}/src/core/stdcore.h + @ ${MV} ${WRKSRC}/man/man4/twconfig.4 ${WRKSRC}/man/man5/twconfig.5 + @ ${MV} ${WRKSRC}/man/man4/twpolicy.4 ${WRKSRC}/man/man5/twpolicy.5 + +install-software: + @ ${ECHO_CMD} TWPOLICY=${TWPOLICY} >> ${WRKSRC}/install/install.cfg + @ ${ECHO_CMD} TWSITEKEYDIR=${TWSITEKEYDIR} >> ${WRKSRC}/install/install.cfg + @ ${ECHO_CMD} TWLOCALKEYDIR=${TWLOCALKEYDIR} >> ${WRKSRC}/install/install.cfg + @ ${ECHO_CMD} TWDB=${TWDB} >> ${WRKSRC}/install/install.cfg + @ ${ECHO_CMD} TWREPORT=${TWREPORT} >> ${WRKSRC}/install/install.cfg + @ ${ECHO_CMD} TWEDITOR=${TWEDITOR} >> ${WRKSRC}/install/install.cfg + @ ${ECHO_CMD} TWPOL_TXT=${TWPOL_TXT} >> ${WRKSRC}/install/install.cfg + @ cd ${WRKSRC} && ${LN} -sf install/install.cfg install/install.sh . +.if ( defined(TRIPWIRE_CLOBBER) && ${TRIPWIRE_CLOBBER} == "YES" ) || \ + ( defined(TRIPWIRE_CLOBBER) && ${TRIPWIRE_CLOBBER} == "yes" ) + @ cd ${WRKSRC} && PREFIX=${PREFIX} ./install.sh -f +.else + @ cd ${WRKSRC} && PREFIX=${PREFIX} ./install.sh +.endif + +create-database: .ifndef NO_DB_BUILD - @ (cd /var/adm/tcheck; tripwire -initialize) -.if defined(TRIPWIRE_FLOPPY) && ${TRIPWIRE_FLOPPY} == YES - # preparing the floppy + @ ${MKDIR} -p ${TWCFG} ${TWPOLICY} ${TWSITEKEYDIR} ${TWLOCALKEYDIR} \ + ${TWDB} ${TWREPORT} + @ ${ECHO} Creating tripwire database + @ cd ${TWCFG} && ${PREFIX}/sbin/tripwire --init + @ ${ECHO} To create a floppy backup of your tripwire database + @ ${ECHO} run \"make floppy\". The default database will not + @ ${ECHO} fit on a floppy, however with the removal of objects + @ ${ECHO} from the database, it can be made to fit on a 1.44 MB + @ ${ECHO} floppy disk. + @ ${ECHO_CMD} + @ ${ECHO} The tripwire database, configuration file and + @ ${ECHO} policy file are signed using the local and site keys, + @ ${ECHO} therefore according to the support staff at + @ ${ECHO} tripwiresecurity.com, creating a floppy is not necessary. + +.endif + +floppy: @ disklabel -w -B /dev/rfd0c fd1440 @ newfs -u 0 -t 0 -i 196608 -m 0 -T minimum -o space /dev/rfd0c - mount /dev/fd0c /mnt - # transferring things to the floppy - @ ${CP} -p /var/adm/tcheck/tw.config /mnt/tw.config - @ ${GZIP_CMD} < /var/adm/tcheck/databases/tw.db_`hostname` \ - > /mnt/tw.db_`hostname`.gz - @ ${CP} -p ${FILESDIR}/twcheck /usr/bin/gunzip \ - ${PREFIX}/bin/tripwire \ - /mnt/ - @ ${CHMOD} 555 /mnt/tripwire /mnt/gunzip /mnt/twcheck + @ mount /dev/fd0c /mnt + @ ${CP} -p ${PREFIX}/sbin/tripwire /mnt/tripwire + @ ${CP} -p ${TWCFG}/* /mnt + @ ${SH} -c "${CP} -p ${TWDB}/* /mnt || exit 0" + @ ${CHMOD} 555 /mnt/tripwire @ umount /mnt - # Do not forget to remove and write-protect the floppy. -.endif -.endif + @ ${ECHO} Do not forget to remove and write-protect the floppy. + +do-install: install-software create-database -.include <bsd.port.mk> +.include <bsd.port.post.mk> diff --git a/security/tripwire/distinfo b/security/tripwire/distinfo index 99144795d9b7..6c678a7f1d14 100644 --- a/security/tripwire/distinfo +++ b/security/tripwire/distinfo @@ -1 +1 @@ -MD5 (tripwire-1.2.tar.Z) = c82e0327e0caa1821e3e564fa1938d88 +MD5 (tripwire-2.3.1-2.tar.gz) = 6a15fe110565cef9ed33c1c7e070355e diff --git a/security/tripwire/files/conf-freebsd2.h b/security/tripwire/files/conf-freebsd2.h deleted file mode 100644 index d8f2942118e3..000000000000 --- a/security/tripwire/files/conf-freebsd2.h +++ /dev/null @@ -1,55 +0,0 @@ -/* $FreeBSD$ */ - -/* - * conf-freebsd2.h - * - * Tripwire configuration file - * - * Joe Greco - * sol.net Network Services - * Derived from the other BSD config.h's - */ - -/*** - *** Operating System specifics - *** - *** If the answer to a question in the comment is "Yes", then - *** change the corresponding "#undef" to a "#define" - ***/ - -/* - * is your OS a System V derivitive? if so, what version? - * (e.g., define SYSV 4) - */ - -#undef SYSV - -/* - * does your system have a <malloc.h> like System V? - */ - -#undef MALLOCH - -/* - * does your system have a <stdlib.h> like POSIX says you should? - */ - -#define STDLIBH - -/* - * does your system use readdir(3) that returns (struct dirent *)? - */ - -#define DIRENT - -/* - * is #include <string.h> ok? (as opposed to <strings.h>) - */ - -#define STRINGH - -/* - * does your system have gethostname(2) (instead of uname(2))? - */ - -#define GETHOSTNAME diff --git a/security/tripwire/files/patch-aa b/security/tripwire/files/patch-aa deleted file mode 100644 index 81238bf9ae3a..000000000000 --- a/security/tripwire/files/patch-aa +++ /dev/null @@ -1,38 +0,0 @@ -*** include/config.h.orig Fri Jul 15 06:02:52 1994 ---- include/config.h Sun Dec 31 18:56:20 1989 -*************** -*** 17,23 **** - *** file that corresponds with your operating system. - ***/ - -! #include "../configs/conf-svr4.h" - - #ifdef TW_TYPE32 - typedef TW_TYPE32 int32; ---- 17,23 ---- - *** file that corresponds with your operating system. - ***/ - -! #include "../configs/conf-freebsd2.h" - - #ifdef TW_TYPE32 - typedef TW_TYPE32 int32; -*************** -*** 103,110 **** - #endif - */ - -! #define CONFIG_PATH "/tmp/genek" -! #define DATABASE_PATH "/tmp/genek" - - /******* name of Tripwire files ************************************** - * ---- 103,110 ---- - #endif - */ - -! # define CONFIG_PATH "/var/adm/tcheck" -! # define DATABASE_PATH "/var/adm/tcheck/databases" - - /******* name of Tripwire files ************************************** - * diff --git a/security/tripwire/files/patch-ab b/security/tripwire/files/patch-ab deleted file mode 100644 index 7dcf3348984f..000000000000 --- a/security/tripwire/files/patch-ab +++ /dev/null @@ -1,62 +0,0 @@ -*** Makefile Mon Jul 25 10:59:41 1994 ---- Makefile Thu Jan 2 12:04:35 1997 -*************** -*** 34,36 **** - # you can use ANSI C if you like, but K&R is equally fine. -! CC = cc # common - #CC = gcc # also common ---- 34,36 ---- - # you can use ANSI C if you like, but K&R is equally fine. -! #CC = cc # common - #CC = gcc # also common -*************** -*** 38,40 **** - -! CFLAGS = -O # common - #CFLAGS = -g # common ---- 38,40 ---- - -! #CFLAGS = -O # common - #CFLAGS = -g # common -*************** -*** 60,66 **** - #CPP = /lib/cpp # on older systems - - # make sure libraries are not linked dynamically (as a security measure) -! LDFLAGS= # common - #LDFLAGS= -non_shared # OSF/1 - #LDFLAGS= -Bstatic # SunOS 4 (cannot statically link tripwire - # on Solaris 2.3) ---- 60,67 ---- - #CPP = /lib/cpp # on older systems - - # make sure libraries are not linked dynamically (as a security measure) -! LDFLAGS= -static -! #LDFLAGS= # common - #LDFLAGS= -non_shared # OSF/1 - #LDFLAGS= -Bstatic # SunOS 4 (cannot statically link tripwire - # on Solaris 2.3) - - ---- src/Makefile.orig Mon Jul 25 10:40:54 1994 -+++ src/Makefile Sun May 28 15:52:25 2000 -@@ -3,7 +3,7 @@ - # Tripwire build - # - --CFLAGS = -O -+#CFLAGS = -O - - OFILES = config.parse.o main.o list.o ignorevec.o dbase.build.o \ - utils.o preen.o preen.interp.o preen.report.o \ -@@ -103,8 +103,9 @@ - .c.o: - $(CC) $(CFLAGS) -c $< - --install: tripwire -+install: tripwire siggen - $(INSTALL) tripwire $(DESTDIR) -+ $(INSTALL) siggen $(DESTDIR) - - clean: - -rm -f $(OFILES) config.lex.c config.pre.c y.tab.c lex.yy.c help.c \ diff --git a/security/tripwire/files/patch-ac b/security/tripwire/files/patch-ac deleted file mode 100644 index bad090157860..000000000000 --- a/security/tripwire/files/patch-ac +++ /dev/null @@ -1,16 +0,0 @@ -This patch eliminates a compiler warning about LITTLE_ENDIAN begin -redefined. - -*** sigs/sha/sha.c.orig Mon Jul 25 08:46:45 1994 ---- sigs/sha/sha.c Mon Mar 31 19:55:23 1997 -*************** -*** 47,52 **** ---- 47,54 ---- - #include "sha.h" - - #if BYTEORDER == 0x1234 -+ #undef BIG_ENDIAN -+ #undef LITTLE_ENDIAN - #define LITTLE_ENDIAN - #endif - diff --git a/security/tripwire/files/patch-install::install.sh b/security/tripwire/files/patch-install::install.sh new file mode 100644 index 000000000000..6e7ecf08eec0 --- /dev/null +++ b/security/tripwire/files/patch-install::install.sh @@ -0,0 +1,70 @@ +--- install/install.sh.orig Fri Oct 27 17:26:26 2000 ++++ install/install.sh Fri Feb 22 07:34:55 2002 +@@ -3,7 +3,7 @@ + ######################################################### + ######################################################### + ## +-## Tripwire(R) 2.3 Open Source for LINUX install script ++## Tripwire(R) 2.3 Open Source for FreeBSD install script + ## + ######################################################### + ######################################################### +@@ -252,12 +252,14 @@ + unamVER=`uname -v -r` + if ((echo "$unamOS" | $GREP -i "Linux" > /dev/null) || + (echo "$unamOS" | $GREP -i "HP-UX" > /dev/null) || ++ (echo "$unamOS" | $GREP -i "FreeBSD" > /dev/null) || + (echo "$unamOS" | $GREP -i "AIX" > /dev/null)); then + unamHW=`uname -m` + else + unamHW=`uname -p` + fi +- if (echo "$unamOS" | $GREP -i "Linux" > /dev/null); then ++ if (echo "$unamOS" | $GREP -i "Linux" > /dev/null) || ++ (echo "$unamOS" | $GREP -i "FreeBSD" > /dev/null); then + osokay=1 + fi + if [ "$osokay" -eq 0 ] ; then +@@ -488,7 +490,11 @@ + BASE_DIR=`echo $0 | sed s/$BASE_DIR\$//` + if [ ! -z "$BASE_DIR" ] ; then + TAR_DIR="${BASE_DIR}" +- BIN_DIR="${BASE_DIR}bin/i686-pc-linux_r" ++ if (echo "$unamOS" | $GREP -i "FreeBSD" > /dev/null); then ++ BIN_DIR="${BASE_DIR}bin/${unamHW}-unknown-freebsd_r" ++ else ++ BIN_DIR="${BASE_DIR}bin/i686-pc-linux_r" ++ fi + else + TAR_DIR="${BASE_DIR}" + fi +@@ -621,15 +627,22 @@ + f1=' ff=$README ; d="" ; dd=$TWDOCS ; rr=0444 ' + f2=' ff=$REL_NOTES ; d="" ; dd=$TWDOCS ; rr=0444 ' + f3=' ff=$TWLICENSEFILE ; d="" ; dd=$TWDOCS ; rr=0444 ' +-f4=' ff=tripwire ; d="/bin/i686-pc-linux_r" ; dd=$TWBIN ; rr=0550 ' +-f5=' ff=twadmin ; d="/bin/i686-pc-linux_r" ; dd=$TWBIN ; rr=0550 ' +-f6=' ff=twprint ; d="/bin/i686-pc-linux_r" ; dd=$TWBIN ; rr=0550 ' +-f7=' ff=siggen ; d="/bin/i686-pc-linux_r" ; dd=$TWBIN ; rr=0550 ' ++if (echo "$unamOS" | $GREP -i "Linux" > /dev/null); then ++ f4=' ff=tripwire ; d="/bin/i686-pc-linux_r" ; dd=$TWBIN ; rr=0550 ' ++ f5=' ff=twadmin ; d="/bin/i686-pc-linux_r" ; dd=$TWBIN ; rr=0550 ' ++ f6=' ff=twprint ; d="/bin/i686-pc-linux_r" ; dd=$TWBIN ; rr=0550 ' ++ f7=' ff=siggen ; d="/bin/i686-pc-linux_r" ; dd=$TWBIN ; rr=0550 ' ++elif (echo "$unamOS" | $GREP -i "FreeBSD" > /dev/null); then ++ f4=' ff=tripwire ; d="/bin/${unamHW}-unknown-freebsd_r" ; dd=$TWBIN ; rr=0550 ' ++ f5=' ff=twadmin ; d="/bin/${unamHW}-unknown-freebsd_r" ; dd=$TWBIN ; rr=0550 ' ++ f6=' ff=twprint ; d="/bin/${unamHW}-unknown-freebsd_r" ; dd=$TWBIN ; rr=0550 ' ++ f7=' ff=siggen ; d="/bin/${unamHW}-unknown-freebsd_r" ; dd=$TWBIN ; rr=0550 ' ++fi + f8=' ff=TRADEMARK ; d="" ; dd=$TWDOCS ; rr=0444 ' +-f9=' ff=policyguide.txt ; d="" ; dd=$TWDOCS ; rr=0444 ' ++f9=' ff=policyguide.txt ; d="/policy/" ; dd=$TWDOCS ; rr=0444 ' + f10=' ff=twpol.txt ; d="/policy/" ; dd=$TWPOLICY ; rr=0640 ' +-f11=' ff=twpolicy.4 ; d="/man/man4" ; dd=$TWMAN/man4 ; rr=0444 ' +-f12=' ff=twconfig.4 ; d="/man/man4" ; dd=$TWMAN/man4 ; rr=0444 ' ++f11=' ff=twpolicy.5 ; d="/man/man5" ; dd=$TWMAN/man5 ; rr=0444 ' ++f12=' ff=twconfig.5 ; d="/man/man5" ; dd=$TWMAN/man5 ; rr=0444 ' + f13=' ff=twfiles.5 ; d="/man/man5" ; dd=$TWMAN/man5 ; rr=0444 ' + f14=' ff=siggen.8 ; d="/man/man8" ; dd=$TWMAN/man8 ; rr=0444 ' + f15=' ff=tripwire.8 ; d="/man/man8" ; dd=$TWMAN/man8 ; rr=0444 ' diff --git a/security/tripwire/files/patch-man::man4::twconfig.4 b/security/tripwire/files/patch-man::man4::twconfig.4 new file mode 100644 index 000000000000..409f5190bf6e --- /dev/null +++ b/security/tripwire/files/patch-man::man4::twconfig.4 @@ -0,0 +1,20 @@ +--- man/man4/twconfig.4.orig Sat Mar 3 16:28:39 2001 ++++ man/man4/twconfig.4 Sat Feb 23 13:49:52 2002 +@@ -35,7 +35,7 @@ + .. + .nh + .ad l +-.TH TWCONFIG 4 "1 July 2000" ++.TH TWCONFIG 5 "1 July 2000" + .SH NAME + twconfig \- \fITripwire\fP configuration file reference + .SH DESCRIPTION +@@ -293,7 +293,7 @@ + .BR twadmin (8), + .BR twprint (8), + .BR siggen (8), +-.BR twpolicy (4), ++.BR twpolicy (5), + .BR twfiles (5), + .BR sendmail (1), + .BR vi (1), diff --git a/security/tripwire/files/patch-man::man4::twpolicy.4 b/security/tripwire/files/patch-man::man4::twpolicy.4 new file mode 100644 index 000000000000..0d6ab39a39dd --- /dev/null +++ b/security/tripwire/files/patch-man::man4::twpolicy.4 @@ -0,0 +1,18 @@ +--- man/man4/twpolicy.4.orig Sat Mar 3 16:28:30 2001 ++++ man/man4/twpolicy.4 Sat Feb 23 13:50:10 2002 +@@ -36,7 +36,7 @@ + .\" + .nh + .ad l +-.TH TWPOLICY 4 "1 July 2000" ++.TH TWPOLICY 5 "1 July 2000" + .SH NAME + twpolicy \- \fITripwire\fP policy file reference + .SH DESCRIPTION +@@ -544,5 +544,5 @@ + .BR twadmin (8), + .BR twprint (8), + .BR siggen (8), +-.BR twconfig (4), ++.BR twconfig (5), + .BR twfiles (5) diff --git a/security/tripwire/files/patch-mktemp b/security/tripwire/files/patch-mktemp deleted file mode 100644 index 3e871d4b6e5b..000000000000 --- a/security/tripwire/files/patch-mktemp +++ /dev/null @@ -1,239 +0,0 @@ -This patches replace all uses of the (potentially insecure) mktemp(3) -with a much safer tmpfile(3). - ---- src/config.parse.c Wed Jul 20 21:03:26 1994 -+++ src/config.parse.c Wed May 17 17:30:22 2000 -@@ -55,7 +55,6 @@ - #endif - - /* prototypes */ --char *mktemp(); - static void configfile_descend(); - - #ifndef L_tmpnam -@@ -86,7 +85,6 @@ - char ignorestring[1024]; - char s[MAXPATHLEN+1024]; - char configfile[MAXPATHLEN+512]; -- char *tmpfilename; - char number[128]; - int entrynum = 0; - int err; -@@ -98,18 +96,6 @@ - if (!printpreprocess && !quietmode) - fputs("### Phase 1: Reading configuration file\n", stderr); - -- /* generate temporary file name */ -- if ((tmpfilename = (char *) malloc(L_tmpnam + MAXPATHLEN)) == NULL) { -- perror("configfile_read: malloc()"); -- exit(1); -- }; -- (void) strcpy(tmpfilename, TEMPFILE_TEMPLATE); -- -- if ((char *) mktemp(tmpfilename) == NULL) { -- perror("configfile_read: mktemp()"); -- exit(1); -- } -- - /* generate configuration file name */ - if (specified_configmode != SPECIFIED_FILE) - sprintf(configfile, "%s/%s", config_path, config_file); -@@ -149,25 +135,17 @@ - - err = umask(077); /* to protect the tempfile */ - -- if ((fpout = fopen(tmpfilename, "w+")) == NULL) { -- sprintf(s, "tripwire: Couldn't open config file '%s'", configfile); -- perror(s); -- exit(1); -- } -- (void) umask(err); /* return it to its former state */ -- -- /* The following unlink accomplishes two things: -+ /* The use of tmpfile(3) accomplishes two things: - * 1) if the program terminates, we won't leave a temp - * file sitting around with potentially sensitive names - * in it. - * 2) the file is "hidden" while we run - */ -- if (unlink(tmpfilename) < 0) { -- perror("configfile_read: unlink()"); -+ if ((fpout = tmpfile()) == NULL) { -+ perror("tmpfile"); - exit(1); - } -- free(tmpfilename); -- -+ (void) umask(err); /* return it to its former state */ - - /* - * pass 0: preprocess file ---- src/dbase.build.c Mon Jul 25 11:24:09 1994 -+++ src/dbase.build.c Wed May 17 18:22:14 2000 -@@ -66,7 +66,6 @@ - int files_scanned_num = 0; - - /* prototypes */ --char *mktemp(); - static void database_record_write(); - - char backupfile[MAXPATHLEN+256]; -@@ -125,17 +124,7 @@ - - /* where do we write the new database? */ - if (mode == DBASE_TEMPORARY) { -- char *tmpfilename = (char *) malloc(strlen(TEMPFILE_TEMPLATE)+1); -- if (tmpfilename == NULL) -- die_with_err("malloc() failed in database_build", (char *) NULL); -- (void) strcpy(tmpfilename, TEMPFILE_TEMPLATE); -- -- if ((char *) mktemp(tmpfilename) == NULL) -- die_with_err("database_build: mktemp()", (char *) NULL); -- -- (void) strcpy(tempdatabase_file, tmpfilename); -- (void) strcpy(database, tempdatabase_file); -- free(tmpfilename); -+ /* do nothing */ - } /* end if temporary database */ - else if (mode == DBASE_UPDATE) { - sprintf(database, "./databases/%s", database_file); -@@ -224,6 +213,12 @@ - } - - /* rebuild the database */ -+ if (mode == DBASE_TEMPORARY) { -+ fpw = tmpfile(); -+ if (fpw == NULL) -+ die_with_err("call tmpfile(3) failed. Check your TMPDIR setting", -+ NULL); -+ } else - if ((fpw = fopen(database, "w")) == NULL) - die_with_err("Hint: Maybe the database directory '%s' doesn't exist? fopen()", database); - -@@ -369,6 +364,6 @@ - -- /* we don't want to allow anyone to spoof the temporary file in /tmp */ -+ /* if the database was temporary, the file was opened by tmpfile(3) -- -+ as such, it can not be accessed by anything but this process */ - if (mode == DBASE_TEMPORARY) { -- if ((fptempdbase = freopen(database, "r", fpw)) == NULL) -- die_with_err("temporary database file disappeared?!?", database); -+ fptempdbase = fpw; - rewind(fptempdbase); ---- src/main.c Fri Aug 26 04:23:03 1994 -+++ src/main.c Wed May 17 18:01:00 2000 -@@ -108,7 +108,6 @@ - char *database_path = DATABASE_PATH; - char *config_path = CONFIG_PATH; - --char tempdatabase_file[MAXPATHLEN+256]; - FILE *fptempdbase; - - char *defaultignore = DEFAULTIGNORE; ---- src/preen.c Mon Jul 25 11:24:11 1994 -+++ src/preen.c Wed May 17 18:22:22 2000 -@@ -37,7 +37,6 @@ - static int numentriesread = 0; /* running count of @@contents */ - - /* prototypes */ --char *mktemp(); - static void olddbasefile_load(); - - char *updatemodes[] = { -@@ -97,9 +96,6 @@ - preen_report(interactive, ppp_updateentries); - if (!specified_configmode) - (void) fclose(fp_in); -- -- /* remove the temporary database file */ -- (void) unlink(tempdatabase_file); - - SPDEBUG(3) printf("*** leaving update_gather()\n"); - ---- src/siggen.c Mon Jul 25 11:24:12 1994 -+++ src/siggen.c Wed May 17 18:36:51 2000 -@@ -52,7 +52,6 @@ - - extern int optind; - int debuglevel = 0; --char *mktemp(); - - int (*pf_signatures [NUM_SIGS]) () = { - SIG0FUNC, -@@ -84,7 +83,6 @@ - }; - int verbosity = 0; - int quietmode = 0; --char *tmpfilename = NULL; - int readstdin = 0; - - -@@ -167,19 +167,6 @@ - FILE *fpout; -- /* generate temporary file name */ -- if ((tmpfilename = (char *) malloc(L_tmpnam + MAXPATHLEN)) == NULL) { -- perror("main: malloc()"); -- exit(1); -- }; -- (void) strcpy(tmpfilename, "/tmp/twzXXXXXX"); -- -- if ((char *) mktemp(tmpfilename) == NULL) { -- perror("siggen: mktemp()"); -- exit(1); -- } - - /* output */ -- if (!(fpout = fopen(tmpfilename, "w"))) { -- char err[1024]; -- sprintf(err, "main: fopen(%s)", tmpfilename); -- perror(err); -+ if (!(fpout = tmpfile())) { -+ perror("tmpfile()"); - exit(1); -@@ -189,12 +176,6 @@ - putc(c, fpout); -- fclose(fpout); -- if ((fd = open(tmpfilename, O_RDONLY)) < 0) { -- perror("siggen: open"); -- exit(1); -- } -- if (siggen(fd) < 0) -+ rewind(fpout); -+ if (siggen(fileno(fpout)) < 0) - errors++; - -- if (fd) -- close(fd); -+ close(fd); -- unlink(tmpfilename); ---- src/utils.c Mon Jul 25 12:23:16 1994 -+++ src/utils.c Wed May 17 18:21:38 2000 -@@ -785,23 +785,15 @@ - int - fd_tempfilename_generate() - { -- char tmp[MAXPATHLEN+256]; -- int fd; -+ FILE *tmp; - -- (void) strcpy(tmp, TEMPFILE_TEMPLATE); -- if ((char *) mktemp(tmp) == NULL) { -- perror("tempfilename_generate: mktemp()"); -+ tmp = tmpfile(); -+ if (tmp == NULL) { -+ perror("tempfilename_generate: tmpfile()"); - exit(1); - } - -- if ((fd = open(tmp, O_RDWR | O_CREAT, 0600)) < 0) { -- perror("tempfilename_generate: open()"); -- exit(1); -- } -- /* unlink right away to make sure no one can tamper with our file */ -- unlink(tmp); -- -- return fd; -+ return fileno(tmp); - } - - /* diff --git a/security/tripwire/files/patch-src::Makefile b/security/tripwire/files/patch-src::Makefile new file mode 100644 index 000000000000..d49c5079587c --- /dev/null +++ b/security/tripwire/files/patch-src::Makefile @@ -0,0 +1,35 @@ +--- src/Makefile.orig Sat Mar 3 20:03:52 2001 ++++ src/Makefile Fri Feb 22 07:48:44 2002 +@@ -5,15 +5,16 @@ + # + # This makefile handles different platforms targets through the use of the + # makefile variable "SYSPRE". To configure the make process for your specific +-# platform edit the SYSPRE variable in the Configuration section below to match your +-# setup. ++# platform edit the SYSPRE variable in the Configuration section below to match ++# your setup. + # + # During the build process this makefile recursively calls gmake using this + # file (Makefile) or one of the subdirectory makefiles (e.g. core/core.mak) + # as the makefile. When it does this it passes the SYSPRE definition along + # by using the directive "SYSPRE=$(SYSPRE)". + # +-# Comments that start with '#=' are echoed to the screen by the default target, help. ++# Comments that start with '#=' are echoed to the screen by the default target, ++# help. + #= *** Build Commands + #= + #= Please note that all Tripwire makefiles require GNU make (gmake) to build! +@@ -77,9 +78,11 @@ + # + # i686-pc-linux == Linux Intel x86 + # sparc-linux == Linux Sparc (not fully implemented) ++# i386-unknown-freebsd == FreeBSD Intel x86 ++# alpha-unknown-freebsd == FreeBSD Compaq Alpha + # + +-SYSPRE = i686-pc-linux ++#SYSPRE = i686-pc-linux + #SYSPRE = sparc-linux + #SYSPRE = i386-unknown-freebsd + #SYSPRE = i386-unknown-openbsd diff --git a/security/tripwire/files/patch-src::core::msystem.h b/security/tripwire/files/patch-src::core::msystem.h new file mode 100644 index 000000000000..1bb9e29934e2 --- /dev/null +++ b/security/tripwire/files/patch-src::core::msystem.h @@ -0,0 +1,15 @@ +--- src/core/msystem.h.orig Fri Oct 27 18:15:20 2000 ++++ src/core/msystem.h Fri Feb 22 13:53:33 2002 +@@ -114,7 +114,11 @@ + # define GID_RESET -2 /* reset EGID to RGID */ + #endif + #ifndef DEF_PATH +-# define DEF_PATH "PATH=/bin:/usr/bin:/usr/ucb" /* default search path */ ++#ifdef __FreeBSD_cc_version ++# define DEF_PATH "PATH=/sbin:/usr/sbin:/bin:/usr/bin" /* default search path */ ++#else ++# define DEF_PATH "PATH=/bin:/usr/bin:/usr/ucb" /* default search path */ ++#endif + #endif + #ifndef DEF_SHELL + # define DEF_SHELL "SHELL=/bin/sh" /* default shell */ diff --git a/security/tripwire/files/patch-src::core::unix::file_unix.cpp b/security/tripwire/files/patch-src::core::unix::file_unix.cpp new file mode 100644 index 000000000000..d43cca7f771c --- /dev/null +++ b/security/tripwire/files/patch-src::core::unix::file_unix.cpp @@ -0,0 +1,45 @@ +--- src/core/unix/file_unix.cpp Sat Oct 28 04:15:21 2000 ++++ src/core/unix/file_unix.cpp Wed Jun 13 09:29:07 2001 +@@ -155,10 +155,15 @@ + if( flags & OPEN_CREATE ) + perm |= O_CREAT; + ++ mode_t openmode = 0664; ++ if ( flags & OPEN_EXCLUSIVE ) { ++ perm |= O_CREAT | O_EXCL; ++ openmode = (mode_t) 0600; // Make sure only root can read the file ++ } + // + // actually open the file + // +- int fh = _topen( sFileName.c_str(), perm, 0664 ); ++ int fh = _topen( sFileName.c_str(), perm, openmode ); + if( fh == -1 ) + { + throw( eFileOpen( sFileName, iFSServices::GetInstance()->GetErrString() ) ); +--- src/core/file.h Sat Oct 28 04:15:20 2000 ++++ src/core/file.h Wed Jun 13 09:07:20 2001 +@@ -96,7 +96,8 @@ + OPEN_LOCKED_TEMP = 0x00000004, // the file should not be readable by other processes and should be removed when closed + OPEN_TRUNCATE = 0x00000008, // opens an empty file. creates it if it doesn't exist. Doesn't make much sense without OF_WRITE + OPEN_CREATE = 0x00000010, // create the file if it doesn't exist; this is implicit if OF_TRUNCATE is set +- OPEN_TEXT = 0x00000020 ++ OPEN_TEXT = 0x00000020, ++ OPEN_EXCLUSIVE = 0x0000040 // Use O_CREAT | O_EXCL + }; + + //Ctor, Dtor, CpyCtor, Operator=: +--- src/core/archive.cpp Sat Feb 24 21:02:12 2001 ++++ src/core/archive.cpp Wed Jun 13 09:15:25 2001 +@@ -896,8 +896,9 @@ + // create file + + // set up flags +- uint32 flags = cFile::OPEN_WRITE | cFile::OPEN_LOCKED_TEMP | cFile::OPEN_CREATE; +- if ( openFlags & FA_OPEN_TRUNCATE ) ++ uint32 flags = cFile::OPEN_WRITE | cFile::OPEN_LOCKED_TEMP | cFile::OPEN_CREATE | cFile::OPEN_EXCLUSIVE; ++ ++ if ( openFlags & FA_OPEN_TRUNCATE ) + flags |= cFile::OPEN_TRUNCATE; + if ( openFlags & FA_OPEN_TEXT ) + flags |= cFile::OPEN_TEXT; diff --git a/security/tripwire/files/patch-src::core::unix::unixfsservices.cpp b/security/tripwire/files/patch-src::core::unix::unixfsservices.cpp new file mode 100644 index 000000000000..14919a9e3ee0 --- /dev/null +++ b/security/tripwire/files/patch-src::core::unix::unixfsservices.cpp @@ -0,0 +1,31 @@ +--- src/core/unix/unixfsservices.cpp.orig Sat Feb 24 11:02:12 2001 ++++ src/core/unix/unixfsservices.cpp Tue Jul 10 21:40:37 2001 +@@ -243,6 +243,7 @@ + { + char* pchTempFileName; + char szTemplate[MAXPATHLEN]; ++ int fd; + + #ifdef _UNICODE + // convert template from wide character to multi-byte string +@@ -253,13 +254,14 @@ + strcpy( szTemplate, strName.c_str() ); + #endif + +- // create temp filename +- pchTempFileName = mktemp( szTemplate ); ++ // create temp filename and check to see if mkstemp failed ++ if ((fd = mkstemp( szTemplate )) == -1) { ++ throw eFSServicesGeneric( strName ); ++ } else { ++ close(fd); ++ } ++ pchTempFileName = szTemplate; + +- //check to see if mktemp failed +- if ( pchTempFileName == NULL || strlen(pchTempFileName) == 0) { +- throw eFSServicesGeneric( strName ); +- } + + // change name so that it has the XXXXXX part filled in + #ifdef _UNICODE diff --git a/security/tripwire/files/patch-src::tripwire::mailmessage.cpp b/security/tripwire/files/patch-src::tripwire::mailmessage.cpp new file mode 100644 index 000000000000..f5566a087aa7 --- /dev/null +++ b/security/tripwire/files/patch-src::tripwire::mailmessage.cpp @@ -0,0 +1,11 @@ +--- src/tripwire/mailmessage.cpp.orig Thu Jul 5 05:16:34 2001 ++++ src/tripwire/mailmessage.cpp Thu Jul 5 05:16:47 2001 +@@ -241,7 +241,7 @@ + time_t current_time = time(NULL); + tm = localtime ( ¤t_time ); + +- const TCHAR* szFormat = _T("%a %d %b %Y %H:%M:%S %z"); ++ const TCHAR* szFormat = _T("%a, %d %b %Y %H:%M:%S %z"); + + size_t numChars = _tcsftime( szDate, countof( szDate ), szFormat, tm ); + diff --git a/security/tripwire/files/patch-warnings b/security/tripwire/files/patch-warnings deleted file mode 100644 index ddd14eff68c6..000000000000 --- a/security/tripwire/files/patch-warnings +++ /dev/null @@ -1,33 +0,0 @@ -This patches remove some of the warnings produced by the compiler. - ---- src/siggen.c Mon Jul 25 11:24:12 1994 -+++ src/siggen.c Wed May 17 19:15:29 2000 -@@ -15,2 +15,3 @@ - #include "../include/config.h" -+#include <unistd.h> - #include <stdio.h> -@@ -104,4 +104,6 @@ -+ -+/* forward declaration, to avoid compiler warnings */ -+int siggen(int); - - int - main(argc, argv) ---- aux/byteorder.c Fri Jul 15 07:02:36 1994 -+++ aux/byteorder.c Wed May 17 19:12:42 2000 -@@ -22,3 +22,3 @@ - --void -+int - main() -@@ -34,2 +34,3 @@ - -+#warning "the shift-width warning below can be ignored" - if (sizeof(int32) > 4) ---- aux/types.c Sun Dec 12 23:02:27 1993 -+++ aux/types.c Wed May 17 19:23:21 2000 -@@ -24,3 +24,3 @@ - --void -+int - main(argc, argv) diff --git a/security/tripwire/files/tw.conf.freebsd2 b/security/tripwire/files/tw.conf.freebsd2 deleted file mode 100644 index c195f38872e2..000000000000 --- a/security/tripwire/files/tw.conf.freebsd2 +++ /dev/null @@ -1,154 +0,0 @@ -# $FreeBSD$ -# -# tripwire.config -# Generic version for FreeBSD -# Will need editing...see comments below -# -# This file contains a list of files and directories that System -# Preener will scan. Information collected from these files will be -# stored in the tripwire.database file. -# -# Format: [!|=] entry [ignore-flags] -# -# where: '!' signifies the entry is to be pruned (inclusive) from -# the list of files to be scanned. -# '=' signifies the entry is to be added, but if it is -# a directory, then all its contents are pruned -# (useful for /tmp). -# -# where: entry is the absolute pathname of a file or a directory -# -# where ignore-flags are in the format: -# [template][ [+|-][pinugsam12] ... ] -# -# - : ignore the following atributes -# + : do not ignore the following attributes -# -# p : permission and file mode bits a: access timestamp -# i : inode number m: modification timestamp -# n : number of links (ref count) c: inode creation timestamp -# u : user id of owner 1: signature 1 -# g : group id of owner 2: signature 2 -# s : size of file -# -# -# Ex: The following entry will scan all the files in /etc, and report -# any changes in mode bits, inode number, reference count, uid, -# gid, modification and creation timestamp, and the signatures. -# However, it will ignore any changes in the access timestamp. -# -# /etc +pinugsm12-a -# -# The following templates have been pre-defined to make these long ignore -# mask descriptions unecessary. -# -# Templates: (default) R : [R]ead-only (+pinugsm12-a) -# L : [L]og file (+pinug-sam12) -# N : ignore [N]othing (+pinusgsamc12) -# E : ignore [E]verything (-pinusgsamc12) -# -# By default, Tripwire uses the R template -- it ignores -# only the access timestamp. -# -# You can use templates with modifiers, like: -# Ex: /etc/lp E+ug -# -# Example configuration file: -# /etc R # all system files -# !/etc/lp R # ...but not those logs -# =/tmp N # just the directory, not its files -# -# Note the difference between pruning (via "!") and ignoring everything -# (via "E" template): Ignoring everything in a directory still monitors -# for added and deleted files. Pruning a directory will prevent Tripwire -# from even looking in the specified directory. -# -# -# Tripwire running slowly? Modify your tripwire.config entries to -# ignore the (signature 2) attribute when this computationally-exorbitant -# protection is not needed. (See README and design document for further -# details.) -# - -# First, root's traditional "home". Note that FreeBSD's root's home (/root) -# is protected by R-2 protections in the default config file. -=/ L -/.rhosts R # may not exist -/.profile R # may not exist -/.cshrc R # may not exist -/.login R # may not exist -/.exrc R # may not exist -/.logout R # may not exist -/.forward R # may not exist - -# Unix itself -/kernel R - -# /bin -/bin R-2 - -# /dev -/dev L - -# /etc -/etc R-2 -/etc/aliases L -/etc/dumpdates L -/etc/motd L - -# my passwd database should be static at time of system build. yours may -# not be, if not, uncomment the lines below. - -# /etc/passwd L -# /etc/master.passwd L -# /etc/pwd.db L -# /etc/spwd.db L - -# /home -=/home - -# /lkm and /modules -/lkm R-2 -/modules R-2 - -# /boot -/boot R-2 - -# /root -/root R-2 -/root/.history L - -# /sbin -/sbin R-2 - -# /stand -/stand R-2 - -# /usr/bin -/usr/bin R-2 - -/usr/include R-12 - -/usr/lib R-2 - -/usr/libdata R-2 - -/usr/libexec R-2 - -/usr/local/bin R-2 - -/usr/local/etc L - -/usr/local/lib R-2 - -/usr/local/libexec R-2 - -/usr/local/sbin R-2 - -/usr/local/share R-2 - -/usr/sbin R-2 - -/usr/share R-2 - -########################################### diff --git a/security/tripwire/files/twcheck b/security/tripwire/files/twcheck deleted file mode 100644 index a4dffd2b61c9..000000000000 --- a/security/tripwire/files/twcheck +++ /dev/null @@ -1,3 +0,0 @@ -#! /bin/sh - - -./gunzip < tw.db_`hostname`.gz | ./tripwire -dfd 0 -c tw.config diff --git a/security/tripwire/files/twpol.m4 b/security/tripwire/files/twpol.m4 new file mode 100644 index 000000000000..ec60af2535da --- /dev/null +++ b/security/tripwire/files/twpol.m4 @@ -0,0 +1,655 @@ +# +# Policy file for FreeBSD +# +$FreeBSD$ + + +# +# This is the example Tripwire Policy file. It is intended as a place to +# start creating your own custom Tripwire Policy file. Referring to it as +# well as the Tripwire Policy Guide should give you enough information to +# make a good custom Tripwire Policy file that better covers your +# configuration and security needs. A text version of this policy file is +# called twpol.txt. +# +# Note that this file is tuned to an install of FreeBSD using +# buildworld. If run unmodified, this file should create no errors on +# database creation, or violations on a subsiquent integrity check. +# However it is impossible for there to be one policy file for all machines, +# so this existing one errs on the side of security. Your FreeBSD +# configuration will most likey differ from the one our policy file was +# tuned to, and will therefore require some editing of the default +# Tripwire Policy file. +# +# The example policy file is best run with 'Loose Directory Checking' +# enabled. Set LOOSEDIRECTORYCHECKING=TRUE in the Tripwire Configuration +# file. +# +# Email support is not included and must be added to this file. +# Add the 'emailto=' to the rule directive section of each rule (add a comma +# after the 'severity=' line and add an 'emailto=' and include the email +# addresses you want the violation reports to go to). Addresses are +# semi-colon delimited. +# + + + +# +# Global Variable Definitions +# +# These are defined at install time by the installation script. You may +# Manually edit these if you are using this file directly and not from the +# installation script itself. +# + +@@section GLOBAL +TWROOT=; +TWBIN=; +TWPOL=; +TWDB=; +TWSKEY=; +TWLKEY=; +TWREPORT=; +HOSTNAME=; + +@@section FS +SEC_CRIT = $(IgnoreNone)-SHa ; # Critical files that cannot change +SEC_SUID = $(IgnoreNone)-SHa ; # Binaries with the SUID or SGID flags set +SEC_BIN = $(ReadOnly) ; # Binaries that should not change +SEC_CONFIG = $(Dynamic) ; # Config files that are changed infrequently but accessed often +SEC_TTY = $(Dynamic)-ugp ; # Tty files that change ownership at login +SEC_LOG = $(Growing) ; # Files that grow, but that should never change ownership +SEC_INVARIANT = +tpug ; # Directories that should never change permission or ownership +SIG_LOW = 33 ; # Non-critical files that are of minimal security impact +SIG_MED = 66 ; # Non-critical files that are of significant security impact +SIG_HI = 100 ; # Critical files that are significant points of vulnerability + + +# Tripwire Binaries +( + rulename = "Tripwire Binaries", + severity = $(SIG_HI) +) +{ + $(TWBIN)/siggen -> $(SEC_BIN) ; + $(TWBIN)/tripwire -> $(SEC_BIN) ; + $(TWBIN)/twadmin -> $(SEC_BIN) ; + $(TWBIN)/twprint -> $(SEC_BIN) ; +} + +# Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases +( + rulename = "Tripwire Data Files", + severity = $(SIG_HI) +) +{ + # NOTE: We remove the inode attribute because when Tripwire creates a backup, + # it does so by renaming the old file and creating a new one (which will + # have a new inode number). Inode is left turned on for keys, which shouldn't + # ever change. + + # NOTE: The first integrity check triggers this rule and each integrity check + # afterward triggers this rule until a database update is run, since the + # database file does not exist before that point. + + $(TWDB) -> $(SEC_CONFIG) -i ; + $(TWPOL)/tw.pol -> $(SEC_BIN) -i ; + $(TWPOL)/tw.cfg -> $(SEC_BIN) -i ; + $(TWPOL)/twcfg.txt -> $(SEC_BIN) ; + $(TWPOL)/twpol.txt -> $(SEC_BIN) ; + $(TWLKEY)/$(HOSTNAME)-local.key -> $(SEC_BIN) ; + $(TWSKEY)/site.key -> $(SEC_BIN) ; + + #don't scan the individual reports + $(TWREPORT) -> $(SEC_CONFIG) (recurse=0) ; +} + + +# Tripwire HQ Connector Binaries +#( +# rulename = "Tripwire HQ Connector Binaries", +# severity = $(SIG_HI) +#) +#{ +# $(TWBIN)/hqagent -> $(SEC_BIN) ; +#} +# +# Tripwire HQ Connector - Configuration Files, Keys, and Logs + +# +# Note: File locations here are different than in a stock HQ Connector +# installation. This is because Tripwire 2.3 uses a different path +# structure than Tripwire 2.2.1. +# +# You may need to update your HQ Agent configuation file (or this policy +# file) to correct the paths. We have attempted to support the FHS standard +# here by placing the HQ Agent files similarly to the way Tripwire 2.3 +# places them. +# + +#( +# rulename = "Tripwire HQ Connector Data Files", +# severity = $(SIG_HI) +#) +#{ +# +# # NOTE: Removing the inode attribute because when Tripwire creates a backup +# # it does so by renaming the old file and creating a new one (which will +# # have a new inode number). Leaving inode turned on for keys, which +# # shouldn't ever change. +# +# +# $(TWBIN)/agent.cfg -> $(SEC_BIN) -i ; +# $(TWLKEY)/authentication.key -> $(SEC_BIN) ; +# $(TWDB)/tasks.dat -> $(SEC_CONFIG) ; +# $(TWDB)/schedule.dat -> $(SEC_CONFIG) ; +# +# # Uncomment if you have agent logging enabled. +# #/var/log/tripwire/agent.log -> $(SEC_LOG) ; +#} + + + +# Commonly accessed directories that should remain static with regards to owner and group +( + rulename = "Invariant Directories", + severity = $(SIG_MED) +) +{ + / -> $(SEC_INVARIANT) (recurse = false) ; + /home -> $(SEC_INVARIANT) (recurse = false) ; +} + +# +# First, root's "home" +# + +( + rulename = "Root's home", + severity = $(SIG_HI) +) +{ + # /.rhosts -> $(SEC_CRIT) ; + /.profile -> $(SEC_CRIT) ; + /.cshrc -> $(SEC_CRIT) ; + /.login -> $(SEC_CRIT) ; + # /.exrc -> $(SEC_CRIT) ; + # /.logout -> $(SEC_CRIT) ; + # /.forward -> $(SEC_CRIT) ; + /root -> $(SEC_CRIT) (recurse = true) ; + !/root/.history ; + !/root/.bash_history ; + # !/root/.lsof_SYSTEM_NAME ; # Uncomment if lsof is installed +} + + +# +# FreeBSD Kernel +# + +( + rulename = "FreeBSD Kernel", + severity = $(SIG_HI) +) +{ + /kernel -> $(SEC_CRIT) ; + /kernel.old -> $(SEC_CRIT) ; + /kernel.GENERIC -> $(SEC_CRIT) ; +} + + +# +# FreeBSD Modules +# + +( + rulename = "FreeBSD Modules", + severity = $(SIG_HI) +) +{ + /modules -> $(SEC_CRIT) (recurse = true) ; + /modules.old -> $(SEC_CRIT) (recurse = true) ; + # /lkm -> $(SEC_CRIT) (recurse = true) ; # uncomment if using lkm kld +} + + +# +# System Administration Programs +# + +( + rulename = "System Administration Programs", + severity = $(SIG_HI) +) +{ + /sbin -> $(SEC_CRIT) (recurse = true) ; + /usr/sbin -> $(SEC_CRIT) (recurse = true) ; +} + + +# +# User Utilities +# + +( + rulename = "User Utilities", + severity = $(SIG_HI) +) +{ + /bin -> $(SEC_CRIT) (recurse = true) ; + /usr/bin -> $(SEC_CRIT) (recurse = true) ; +} + + +# +# /dev +# + +( + rulename = "/dev", + severity = $(SIG_HI) +) +{ + /dev -> $(Device) (recurse = true) ; + !/dev/vga ; + !/dev/dri ; + /dev/console -> $(SEC_TTY) ; + /dev/ttyv0 -> $(SEC_TTY) ; + /dev/ttyv1 -> $(SEC_TTY) ; + /dev/ttyv2 -> $(SEC_TTY) ; + /dev/ttyv3 -> $(SEC_TTY) ; + /dev/ttyv4 -> $(SEC_TTY) ; + /dev/ttyv5 -> $(SEC_TTY) ; + /dev/ttyv6 -> $(SEC_TTY) ; + /dev/ttyv7 -> $(SEC_TTY) ; + /dev/ttyp0 -> $(SEC_TTY) ; + /dev/ttyp1 -> $(SEC_TTY) ; + /dev/ttyp2 -> $(SEC_TTY) ; + /dev/ttyp3 -> $(SEC_TTY) ; + /dev/ttyp4 -> $(SEC_TTY) ; + /dev/ttyp5 -> $(SEC_TTY) ; + /dev/ttyp6 -> $(SEC_TTY) ; + /dev/ttyp7 -> $(SEC_TTY) ; + /dev/ttyp8 -> $(SEC_TTY) ; + /dev/ttyp9 -> $(SEC_TTY) ; + /dev/ttypa -> $(SEC_TTY) ; + /dev/ttypb -> $(SEC_TTY) ; + /dev/ttypc -> $(SEC_TTY) ; + /dev/ttypd -> $(SEC_TTY) ; + /dev/ttype -> $(SEC_TTY) ; + /dev/ttypf -> $(SEC_TTY) ; + /dev/ttypg -> $(SEC_TTY) ; + /dev/ttyph -> $(SEC_TTY) ; + /dev/ttypi -> $(SEC_TTY) ; + /dev/ttypj -> $(SEC_TTY) ; + /dev/ttypl -> $(SEC_TTY) ; + /dev/ttypm -> $(SEC_TTY) ; + /dev/ttypn -> $(SEC_TTY) ; + /dev/ttypo -> $(SEC_TTY) ; + /dev/ttypp -> $(SEC_TTY) ; + /dev/ttypq -> $(SEC_TTY) ; + /dev/ttypr -> $(SEC_TTY) ; + /dev/ttyps -> $(SEC_TTY) ; + /dev/ttypt -> $(SEC_TTY) ; + /dev/ttypu -> $(SEC_TTY) ; + /dev/ttypv -> $(SEC_TTY) ; + /dev/cuaa0 -> $(SEC_TTY) ; # modem +} + + +# +# /etc +# + +( + rulename = "/etc", + severity = $(SIG_HI) +) +{ + /etc -> $(SEC_CRIT) (recurse = true) ; + # /etc/mail/aliases -> $(SEC_CONFIG) ; + /etc/dumpdates -> $(SEC_CONFIG) ; + /etc/motd -> $(SEC_CONFIG) ; + !/etc/ppp/connect-errors ; + /etc/skeykeys -> $(SEC_CONFIG) ; + # Uncomment the following 4 lines if your password file does not change + # /etc/passwd -> $(SEC_CONFIG) ; + # /etc/master.passwd -> $(SEC_CONFIG) ; + # /etc/pwd.db -> $(SEC_CONFIG) ; + # /etc/spwd.db -> $(SEC_CONFIG) ; +} + + +# +# Copatibility (Linux) +# + +( + rulename = "Linux Compatibility", + severity = $(SIG_HI) +) +{ + /compat -> $(SEC_CRIT) (recurse = true) ; +# +# Uncomment the following if Linux compatibility is used. Replace +# HOSTNAME1 and HOSTNAME2 with the hosts that have Linux emulation port +# installed. +# +#@@ifhost HOSTNAME1 || HOSTNAME2 +# /compat/linux/etc -> $(SEC_INVARIANT) (recurse = false) ; +# /compat/linux/etc/X11 -> $(SEC_CONFIG) (recurse = true) ; +# /compat/linux/etc/pam.d -> $(SEC_CONFIG) (recurse = true) ; +# /compat/linux/etc/profile.d -> $(SEC_CONFIG) (recurse = true) ; +# /compat/linux/etc/real -> $(SEC_CONFIG) (recurse = true) ; +# /compat/linux/etc/bashrc -> $(SEC_CONFIG) ; +# /compat/linux/etc/csh.login -> $(SEC_CONFIG) ; +# /compat/linux/etc/host.conf -> $(SEC_CONFIG) ; +# /compat/linux/etc/hosts.allow -> $(SEC_CONFIG) ; +# /compat/linux/etc/hosts.deny -> $(SEC_CONFIG) ; +# /compat/linux/etc/info-dir -> $(SEC_CONFIG) ; +# /compat/linux/etc/inputrc -> $(SEC_CONFIG) ; +# /compat/linux/etc/ld.so.conf -> $(SEC_CONFIG) ; +# /compat/linux/etc/nsswitch.conf -> $(SEC_CONFIG) ; +# /compat/linux/etc/profile -> $(SEC_CONFIG) ; +# /compat/linux/etc/redhat-release -> $(SEC_CONFIG) ; +# /compat/linux/etc/rpc -> $(SEC_CONFIG) ; +# /compat/linux/etc/securetty -> $(SEC_CONFIG) ; +# /compat/linux/etc/shells -> $(SEC_CONFIG) ; +# /compat/linux/etc/termcap -> $(SEC_CONFIG) ; +# /compat/linux/etc/yp.conf -> $(SEC_CONFIG) ; +# !/compat/linux/etc/ld.so.cache ; +# !/compat/linux/var/spool/mail ; +#@@endif +} + + +# +# Libraries, include files, and other system files +# + +( + rulename = "Libraries, include files, and other system files", + severity = $(SIG_HI) +) +{ + /usr/include -> $(SEC_CRIT) (recurse = true) ; + /usr/lib -> $(SEC_CRIT) (recurse = true) ; + /usr/libdata -> $(SEC_CRIT) (recurse = true) ; + /usr/libexec -> $(SEC_CRIT) (recurse = true) ; + /usr/share -> $(SEC_CRIT) (recurse = true) ; + /usr/share/man -> $(SEC_CONFIG) ; + !/usr/share/man/whatis ; + !/usr/share/man/.glimpse_filenames ; + !/usr/share/man/.glimpse_filenames_index ; + !/usr/share/man/.glimpse_filetimes ; + !/usr/share/man/.glimpse_filters ; + !/usr/share/man/.glimpse_index ; + !/usr/share/man/.glimpse_messages ; + !/usr/share/man/.glimpse_partitions ; + !/usr/share/man/.glimpse_statistics ; + !/usr/share/man/.glimpse_turbo ; + /usr/share/man/man1 -> $(SEC_CRIT) (recurse = true) ; + /usr/share/man/man2 -> $(SEC_CRIT) (recurse = true) ; + /usr/share/man/man3 -> $(SEC_CRIT) (recurse = true) ; + /usr/share/man/man4 -> $(SEC_CRIT) (recurse = true) ; + /usr/share/man/man5 -> $(SEC_CRIT) (recurse = true) ; + /usr/share/man/man6 -> $(SEC_CRIT) (recurse = true) ; + /usr/share/man/man7 -> $(SEC_CRIT) (recurse = true) ; + /usr/share/man/man8 -> $(SEC_CRIT) (recurse = true) ; + /usr/share/man/man9 -> $(SEC_CRIT) (recurse = true) ; + /usr/share/man/mann -> $(SEC_CRIT) (recurse = true) ; + ! /usr/share/man/cat1 ; + ! /usr/share/man/cat2 ; + ! /usr/share/man/cat3 ; + ! /usr/share/man/cat4 ; + ! /usr/share/man/cat5 ; + ! /usr/share/man/cat6 ; + ! /usr/share/man/cat7 ; + ! /usr/share/man/cat8 ; + ! /usr/share/man/cat9 ; + ! /usr/share/man/catl ; + ! /usr/share/man/catn ; + /usr/share/perl/man -> $(SEC_CONFIG) ; + !/usr/share/perl/man/whatis ; + !/usr/share/perl/man/.glimpse_filenames ; + !/usr/share/perl/man/.glimpse_filenames_index ; + !/usr/share/perl/man/.glimpse_filetimes ; + !/usr/share/perl/man/.glimpse_filters ; + !/usr/share/perl/man/.glimpse_index ; + !/usr/share/perl/man/.glimpse_messages ; + !/usr/share/perl/man/.glimpse_partitions ; + !/usr/share/perl/man/.glimpse_statistics ; + !/usr/share/perl/man/.glimpse_turbo ; + /usr/share/perl/man/man3 -> $(SEC_CRIT) (recurse = true) ; + ! /usr/share/perl/man/cat3 ; + /usr/local/lib/perl5/5.00503/man -> $(SEC_CONFIG) ; + ! /usr/local/lib/perl5/5.00503/man/whatis ; + ! /usr/local/lib/perl5/5.00503/man/.glimpse_filters ; + ! /usr/local/lib/perl5/5.00503/man/.glimpse_filetimes ; + ! /usr/local/lib/perl5/5.00503/man/.glimpse_messages ; + ! /usr/local/lib/perl5/5.00503/man/.glimpse_statistics ; + ! /usr/local/lib/perl5/5.00503/man/.glimpse_index ; + ! /usr/local/lib/perl5/5.00503/man/.glimpse_turbo ; + ! /usr/local/lib/perl5/5.00503/man/.glimpse_partitions ; + ! /usr/local/lib/perl5/5.00503/man/.glimpse_filenames ; + ! /usr/local/lib/perl5/5.00503/man/.glimpse_filenames_index ; + /usr/local/lib/perl5/5.00503/man/man3 -> $(SEC_CRIT) (recurse = true) ; + ! /usr/local/lib/perl5/5.00503/man/cat3 ; +} + + +# +# X11R6 +# + +( + rulename = "X11R6", + severity = $(SIG_HI) +) +{ + /usr/X11R6 -> $(SEC_CRIT) (recurse = true) ; + /usr/X11R6/lib/X11/xdm -> $(SEC_CONFIG) (recurse = true) ; + !/usr/X11R6/lib/X11/xdm/xdm-errors ; + !/usr/X11R6/lib/X11/xdm/authdir/authfiles ; + !/usr/X11R6/lib/X11/xdm/xdm-pid ; + /usr/X11R6/lib/X11/xkb/compiled -> $(SEC_CONFIG) (recurse = true) ; + /usr/X11R6/man -> $(SEC_CONFIG) ; + !/usr/X11R6/man/whatis ; + !/usr/X11R6/man/.glimpse_filenames ; + !/usr/X11R6/man/.glimpse_filenames_index ; + !/usr/X11R6/man/.glimpse_filetimes ; + !/usr/X11R6/man/.glimpse_filters ; + !/usr/X11R6/man/.glimpse_index ; + !/usr/X11R6/man/.glimpse_messages ; + !/usr/X11R6/man/.glimpse_partitions ; + !/usr/X11R6/man/.glimpse_statistics ; + !/usr/X11R6/man/.glimpse_turbo ; + /usr/X11R6/man/man1 -> $(SEC_CRIT) (recurse = true) ; + /usr/X11R6/man/man2 -> $(SEC_CRIT) (recurse = true) ; + /usr/X11R6/man/man3 -> $(SEC_CRIT) (recurse = true) ; + /usr/X11R6/man/man4 -> $(SEC_CRIT) (recurse = true) ; + /usr/X11R6/man/man5 -> $(SEC_CRIT) (recurse = true) ; + /usr/X11R6/man/man6 -> $(SEC_CRIT) (recurse = true) ; + /usr/X11R6/man/man7 -> $(SEC_CRIT) (recurse = true) ; + /usr/X11R6/man/man8 -> $(SEC_CRIT) (recurse = true) ; + /usr/X11R6/man/man9 -> $(SEC_CRIT) (recurse = true) ; + /usr/X11R6/man/manl -> $(SEC_CRIT) (recurse = true) ; + /usr/X11R6/man/mann -> $(SEC_CRIT) (recurse = true) ; + ! /usr/X11R6/man/cat1 ; + ! /usr/X11R6/man/cat2 ; + ! /usr/X11R6/man/cat3 ; + ! /usr/X11R6/man/cat4 ; + ! /usr/X11R6/man/cat5 ; + ! /usr/X11R6/man/cat6 ; + ! /usr/X11R6/man/cat7 ; + ! /usr/X11R6/man/cat8 ; + ! /usr/X11R6/man/cat9 ; + ! /usr/X11R6/man/catl ; + ! /usr/X11R6/man/catn ; +} + + +# +# sources +# + +( + rulename = "Sources", + severity = $(SIG_HI) +) +{ + /usr/src -> $(SEC_CRIT) (recurse = true) ; + /usr/src/sys/compile -> $(SEC_CONFIG) (recurse = false) ; +} + + +# +# NIS +# + +( + rulename = "NIS", + severity = $(SIG_HI) +) +{ + /var/yp -> $(SEC_CRIT) (recurse = true) ; + !/var/yp/binding ; +} + + +# +# Temporary directories +# +( + rulename = "Temporary directories", + recurse = false, + severity = $(SIG_LOW) +) +{ + /usr/tmp -> $(SEC_INVARIANT) ; + /var/tmp -> $(SEC_INVARIANT) ; + /var/preserve -> $(SEC_INVARIANT) ; + /tmp -> $(SEC_INVARIANT) ; +} + +# +# Local files +# + +( + rulename = "Local files", + severity = $(SIG_MED) +) +{ + /usr/local/bin -> $(SEC_BIN) (recurse = true) ; + /usr/local/sbin -> $(SEC_BIN) (recurse = true) ; + /usr/local/etc -> $(SEC_BIN) (recurse = true) ; + /usr/local/lib -> $(SEC_BIN) (recurse = true ) ; + /usr/local/libexec -> $(SEC_BIN) (recurse = true ) ; + /usr/local/share -> $(SEC_BIN) (recurse = true ) ; + /usr/local/man -> $(SEC_CONFIG) ; + !/usr/local/man/whatis ; + !/usr/local/man/.glimpse_filenames ; + !/usr/local/man/.glimpse_filenames_index ; + !/usr/local/man/.glimpse_filetimes ; + !/usr/local/man/.glimpse_filters ; + !/usr/local/man/.glimpse_index ; + !/usr/local/man/.glimpse_messages ; + !/usr/local/man/.glimpse_partitions ; + !/usr/local/man/.glimpse_statistics ; + !/usr/local/man/.glimpse_turbo ; + /usr/local/man/man1 -> $(SEC_CRIT) (recurse = true) ; + /usr/local/man/man2 -> $(SEC_CRIT) (recurse = true) ; + /usr/local/man/man3 -> $(SEC_CRIT) (recurse = true) ; + /usr/local/man/man4 -> $(SEC_CRIT) (recurse = true) ; + /usr/local/man/man5 -> $(SEC_CRIT) (recurse = true) ; + /usr/local/man/man6 -> $(SEC_CRIT) (recurse = true) ; + /usr/local/man/man7 -> $(SEC_CRIT) (recurse = true) ; + /usr/local/man/man8 -> $(SEC_CRIT) (recurse = true) ; + /usr/local/man/man9 -> $(SEC_CRIT) (recurse = true) ; + /usr/local/man/manl -> $(SEC_CRIT) (recurse = true) ; + /usr/local/man/mann -> $(SEC_CRIT) (recurse = true) ; + ! /usr/local/man/cat1 ; + ! /usr/local/man/cat2 ; + ! /usr/local/man/cat3 ; + ! /usr/local/man/cat4 ; + ! /usr/local/man/cat5 ; + ! /usr/local/man/cat6 ; + ! /usr/local/man/cat7 ; + ! /usr/local/man/cat8 ; + ! /usr/local/man/cat9 ; + ! /usr/local/man/catl ; + ! /usr/local/man/catn ; + /usr/local/krb5 -> $(SEC_CRIT) (recurse = true) ; + /usr/local/krb5/man -> $(SEC_CONFIG) ; + !/usr/local/krb5/man/whatis ; + !/usr/local/krb5/man/.glimpse_filenames ; + !/usr/local/krb5/man/.glimpse_filenames_index ; + !/usr/local/krb5/man/.glimpse_filetimes ; + !/usr/local/krb5/man/.glimpse_filters ; + !/usr/local/krb5/man/.glimpse_index ; + !/usr/local/krb5/man/.glimpse_messages ; + !/usr/local/krb5/man/.glimpse_partitions ; + !/usr/local/krb5/man/.glimpse_statistics ; + !/usr/local/krb5/man/.glimpse_turbo ; + /usr/local/krb5/man/man1 -> $(SEC_CRIT) (recurse = true) ; + /usr/local/krb5/man/man2 -> $(SEC_CRIT) (recurse = true) ; + /usr/local/krb5/man/man3 -> $(SEC_CRIT) (recurse = true) ; + /usr/local/krb5/man/man4 -> $(SEC_CRIT) (recurse = true) ; + /usr/local/krb5/man/man5 -> $(SEC_CRIT) (recurse = true) ; + /usr/local/krb5/man/man6 -> $(SEC_CRIT) (recurse = true) ; + /usr/local/krb5/man/man7 -> $(SEC_CRIT) (recurse = true) ; + /usr/local/krb5/man/man8 -> $(SEC_CRIT) (recurse = true) ; + /usr/local/krb5/man/man9 -> $(SEC_CRIT) (recurse = true) ; + /usr/local/krb5/man/manl -> $(SEC_CRIT) (recurse = true) ; + /usr/local/krb5/man/mann -> $(SEC_CRIT) (recurse = true) ; + ! /usr/local/krb5/man/cat1 ; + ! /usr/local/krb5/man/cat2 ; + ! /usr/local/krb5/man/cat3 ; + ! /usr/local/krb5/man/cat4 ; + ! /usr/local/krb5/man/cat5 ; + ! /usr/local/krb5/man/cat6 ; + ! /usr/local/krb5/man/cat7 ; + ! /usr/local/krb5/man/cat8 ; + ! /usr/local/krb5/man/cat9 ; + ! /usr/local/krb5/man/catl ; + ! /usr/local/krb5/man/catn ; + /usr/local/www -> $(SEC_CONFIG) (recurse = true) ; +} + + +( + rulename = "Security Control", + severity = $(SIG_HI) +) +{ + /etc/group -> $(SEC_CRIT) ; + /etc/crontab -> $(SEC_CRIT) ; +} + +#============================================================================= +# +# Copyright 2000 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, +# Inc. in the United States and other countries. All rights reserved. +# +# FreeBSD is a registered trademark of the FreeBSD Project Inc. +# +# UNIX is a registered trademark of The Open Group. +# +#============================================================================= +# +# Permission is granted to make and distribute verbatim copies of this document +# provided the copyright notice and this permission notice are preserved on all +# copies. +# +# Permission is granted to copy and distribute modified versions of this +# document under the conditions for verbatim copying, provided that the entire +# resulting derived work is distributed under the terms of a permission notice +# identical to this one. +# +# Permission is granted to copy and distribute translations of this document +# into another language, under the above conditions for modified versions, +# except that this permission notice may be stated in a translation approved by +# Tripwire, Inc. +# +# DCM diff --git a/security/tripwire/files/twpol.txt b/security/tripwire/files/twpol.txt new file mode 100644 index 000000000000..ec60af2535da --- /dev/null +++ b/security/tripwire/files/twpol.txt @@ -0,0 +1,655 @@ +# +# Policy file for FreeBSD +# +$FreeBSD$ + + +# +# This is the example Tripwire Policy file. It is intended as a place to +# start creating your own custom Tripwire Policy file. Referring to it as +# well as the Tripwire Policy Guide should give you enough information to +# make a good custom Tripwire Policy file that better covers your +# configuration and security needs. A text version of this policy file is +# called twpol.txt. +# +# Note that this file is tuned to an install of FreeBSD using +# buildworld. If run unmodified, this file should create no errors on +# database creation, or violations on a subsiquent integrity check. +# However it is impossible for there to be one policy file for all machines, +# so this existing one errs on the side of security. Your FreeBSD +# configuration will most likey differ from the one our policy file was +# tuned to, and will therefore require some editing of the default +# Tripwire Policy file. +# +# The example policy file is best run with 'Loose Directory Checking' +# enabled. Set LOOSEDIRECTORYCHECKING=TRUE in the Tripwire Configuration +# file. +# +# Email support is not included and must be added to this file. +# Add the 'emailto=' to the rule directive section of each rule (add a comma +# after the 'severity=' line and add an 'emailto=' and include the email +# addresses you want the violation reports to go to). Addresses are +# semi-colon delimited. +# + + + +# +# Global Variable Definitions +# +# These are defined at install time by the installation script. You may +# Manually edit these if you are using this file directly and not from the +# installation script itself. +# + +@@section GLOBAL +TWROOT=; +TWBIN=; +TWPOL=; +TWDB=; +TWSKEY=; +TWLKEY=; +TWREPORT=; +HOSTNAME=; + +@@section FS +SEC_CRIT = $(IgnoreNone)-SHa ; # Critical files that cannot change +SEC_SUID = $(IgnoreNone)-SHa ; # Binaries with the SUID or SGID flags set +SEC_BIN = $(ReadOnly) ; # Binaries that should not change +SEC_CONFIG = $(Dynamic) ; # Config files that are changed infrequently but accessed often +SEC_TTY = $(Dynamic)-ugp ; # Tty files that change ownership at login +SEC_LOG = $(Growing) ; # Files that grow, but that should never change ownership +SEC_INVARIANT = +tpug ; # Directories that should never change permission or ownership +SIG_LOW = 33 ; # Non-critical files that are of minimal security impact +SIG_MED = 66 ; # Non-critical files that are of significant security impact +SIG_HI = 100 ; # Critical files that are significant points of vulnerability + + +# Tripwire Binaries +( + rulename = "Tripwire Binaries", + severity = $(SIG_HI) +) +{ + $(TWBIN)/siggen -> $(SEC_BIN) ; + $(TWBIN)/tripwire -> $(SEC_BIN) ; + $(TWBIN)/twadmin -> $(SEC_BIN) ; + $(TWBIN)/twprint -> $(SEC_BIN) ; +} + +# Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases +( + rulename = "Tripwire Data Files", + severity = $(SIG_HI) +) +{ + # NOTE: We remove the inode attribute because when Tripwire creates a backup, + # it does so by renaming the old file and creating a new one (which will + # have a new inode number). Inode is left turned on for keys, which shouldn't + # ever change. + + # NOTE: The first integrity check triggers this rule and each integrity check + # afterward triggers this rule until a database update is run, since the + # database file does not exist before that point. + + $(TWDB) -> $(SEC_CONFIG) -i ; + $(TWPOL)/tw.pol -> $(SEC_BIN) -i ; + $(TWPOL)/tw.cfg -> $(SEC_BIN) -i ; + $(TWPOL)/twcfg.txt -> $(SEC_BIN) ; + $(TWPOL)/twpol.txt -> $(SEC_BIN) ; + $(TWLKEY)/$(HOSTNAME)-local.key -> $(SEC_BIN) ; + $(TWSKEY)/site.key -> $(SEC_BIN) ; + + #don't scan the individual reports + $(TWREPORT) -> $(SEC_CONFIG) (recurse=0) ; +} + + +# Tripwire HQ Connector Binaries +#( +# rulename = "Tripwire HQ Connector Binaries", +# severity = $(SIG_HI) +#) +#{ +# $(TWBIN)/hqagent -> $(SEC_BIN) ; +#} +# +# Tripwire HQ Connector - Configuration Files, Keys, and Logs + +# +# Note: File locations here are different than in a stock HQ Connector +# installation. This is because Tripwire 2.3 uses a different path +# structure than Tripwire 2.2.1. +# +# You may need to update your HQ Agent configuation file (or this policy +# file) to correct the paths. We have attempted to support the FHS standard +# here by placing the HQ Agent files similarly to the way Tripwire 2.3 +# places them. +# + +#( +# rulename = "Tripwire HQ Connector Data Files", +# severity = $(SIG_HI) +#) +#{ +# +# # NOTE: Removing the inode attribute because when Tripwire creates a backup +# # it does so by renaming the old file and creating a new one (which will +# # have a new inode number). Leaving inode turned on for keys, which +# # shouldn't ever change. +# +# +# $(TWBIN)/agent.cfg -> $(SEC_BIN) -i ; +# $(TWLKEY)/authentication.key -> $(SEC_BIN) ; +# $(TWDB)/tasks.dat -> $(SEC_CONFIG) ; +# $(TWDB)/schedule.dat -> $(SEC_CONFIG) ; +# +# # Uncomment if you have agent logging enabled. +# #/var/log/tripwire/agent.log -> $(SEC_LOG) ; +#} + + + +# Commonly accessed directories that should remain static with regards to owner and group +( + rulename = "Invariant Directories", + severity = $(SIG_MED) +) +{ + / -> $(SEC_INVARIANT) (recurse = false) ; + /home -> $(SEC_INVARIANT) (recurse = false) ; +} + +# +# First, root's "home" +# + +( + rulename = "Root's home", + severity = $(SIG_HI) +) +{ + # /.rhosts -> $(SEC_CRIT) ; + /.profile -> $(SEC_CRIT) ; + /.cshrc -> $(SEC_CRIT) ; + /.login -> $(SEC_CRIT) ; + # /.exrc -> $(SEC_CRIT) ; + # /.logout -> $(SEC_CRIT) ; + # /.forward -> $(SEC_CRIT) ; + /root -> $(SEC_CRIT) (recurse = true) ; + !/root/.history ; + !/root/.bash_history ; + # !/root/.lsof_SYSTEM_NAME ; # Uncomment if lsof is installed +} + + +# +# FreeBSD Kernel +# + +( + rulename = "FreeBSD Kernel", + severity = $(SIG_HI) +) +{ + /kernel -> $(SEC_CRIT) ; + /kernel.old -> $(SEC_CRIT) ; + /kernel.GENERIC -> $(SEC_CRIT) ; +} + + +# +# FreeBSD Modules +# + +( + rulename = "FreeBSD Modules", + severity = $(SIG_HI) +) +{ + /modules -> $(SEC_CRIT) (recurse = true) ; + /modules.old -> $(SEC_CRIT) (recurse = true) ; + # /lkm -> $(SEC_CRIT) (recurse = true) ; # uncomment if using lkm kld +} + + +# +# System Administration Programs +# + +( + rulename = "System Administration Programs", + severity = $(SIG_HI) +) +{ + /sbin -> $(SEC_CRIT) (recurse = true) ; + /usr/sbin -> $(SEC_CRIT) (recurse = true) ; +} + + +# +# User Utilities +# + +( + rulename = "User Utilities", + severity = $(SIG_HI) +) +{ + /bin -> $(SEC_CRIT) (recurse = true) ; + /usr/bin -> $(SEC_CRIT) (recurse = true) ; +} + + +# +# /dev +# + +( + rulename = "/dev", + severity = $(SIG_HI) +) +{ + /dev -> $(Device) (recurse = true) ; + !/dev/vga ; + !/dev/dri ; + /dev/console -> $(SEC_TTY) ; + /dev/ttyv0 -> $(SEC_TTY) ; + /dev/ttyv1 -> $(SEC_TTY) ; + /dev/ttyv2 -> $(SEC_TTY) ; + /dev/ttyv3 -> $(SEC_TTY) ; + /dev/ttyv4 -> $(SEC_TTY) ; + /dev/ttyv5 -> $(SEC_TTY) ; + /dev/ttyv6 -> $(SEC_TTY) ; + /dev/ttyv7 -> $(SEC_TTY) ; + /dev/ttyp0 -> $(SEC_TTY) ; + /dev/ttyp1 -> $(SEC_TTY) ; + /dev/ttyp2 -> $(SEC_TTY) ; + /dev/ttyp3 -> $(SEC_TTY) ; + /dev/ttyp4 -> $(SEC_TTY) ; + /dev/ttyp5 -> $(SEC_TTY) ; + /dev/ttyp6 -> $(SEC_TTY) ; + /dev/ttyp7 -> $(SEC_TTY) ; + /dev/ttyp8 -> $(SEC_TTY) ; + /dev/ttyp9 -> $(SEC_TTY) ; + /dev/ttypa -> $(SEC_TTY) ; + /dev/ttypb -> $(SEC_TTY) ; + /dev/ttypc -> $(SEC_TTY) ; + /dev/ttypd -> $(SEC_TTY) ; + /dev/ttype -> $(SEC_TTY) ; + /dev/ttypf -> $(SEC_TTY) ; + /dev/ttypg -> $(SEC_TTY) ; + /dev/ttyph -> $(SEC_TTY) ; + /dev/ttypi -> $(SEC_TTY) ; + /dev/ttypj -> $(SEC_TTY) ; + /dev/ttypl -> $(SEC_TTY) ; + /dev/ttypm -> $(SEC_TTY) ; + /dev/ttypn -> $(SEC_TTY) ; + /dev/ttypo -> $(SEC_TTY) ; + /dev/ttypp -> $(SEC_TTY) ; + /dev/ttypq -> $(SEC_TTY) ; + /dev/ttypr -> $(SEC_TTY) ; + /dev/ttyps -> $(SEC_TTY) ; + /dev/ttypt -> $(SEC_TTY) ; + /dev/ttypu -> $(SEC_TTY) ; + /dev/ttypv -> $(SEC_TTY) ; + /dev/cuaa0 -> $(SEC_TTY) ; # modem +} + + +# +# /etc +# + +( + rulename = "/etc", + severity = $(SIG_HI) +) +{ + /etc -> $(SEC_CRIT) (recurse = true) ; + # /etc/mail/aliases -> $(SEC_CONFIG) ; + /etc/dumpdates -> $(SEC_CONFIG) ; + /etc/motd -> $(SEC_CONFIG) ; + !/etc/ppp/connect-errors ; + /etc/skeykeys -> $(SEC_CONFIG) ; + # Uncomment the following 4 lines if your password file does not change + # /etc/passwd -> $(SEC_CONFIG) ; + # /etc/master.passwd -> $(SEC_CONFIG) ; + # /etc/pwd.db -> $(SEC_CONFIG) ; + # /etc/spwd.db -> $(SEC_CONFIG) ; +} + + +# +# Copatibility (Linux) +# + +( + rulename = "Linux Compatibility", + severity = $(SIG_HI) +) +{ + /compat -> $(SEC_CRIT) (recurse = true) ; +# +# Uncomment the following if Linux compatibility is used. Replace +# HOSTNAME1 and HOSTNAME2 with the hosts that have Linux emulation port +# installed. +# +#@@ifhost HOSTNAME1 || HOSTNAME2 +# /compat/linux/etc -> $(SEC_INVARIANT) (recurse = false) ; +# /compat/linux/etc/X11 -> $(SEC_CONFIG) (recurse = true) ; +# /compat/linux/etc/pam.d -> $(SEC_CONFIG) (recurse = true) ; +# /compat/linux/etc/profile.d -> $(SEC_CONFIG) (recurse = true) ; +# /compat/linux/etc/real -> $(SEC_CONFIG) (recurse = true) ; +# /compat/linux/etc/bashrc -> $(SEC_CONFIG) ; +# /compat/linux/etc/csh.login -> $(SEC_CONFIG) ; +# /compat/linux/etc/host.conf -> $(SEC_CONFIG) ; +# /compat/linux/etc/hosts.allow -> $(SEC_CONFIG) ; +# /compat/linux/etc/hosts.deny -> $(SEC_CONFIG) ; +# /compat/linux/etc/info-dir -> $(SEC_CONFIG) ; +# /compat/linux/etc/inputrc -> $(SEC_CONFIG) ; +# /compat/linux/etc/ld.so.conf -> $(SEC_CONFIG) ; +# /compat/linux/etc/nsswitch.conf -> $(SEC_CONFIG) ; +# /compat/linux/etc/profile -> $(SEC_CONFIG) ; +# /compat/linux/etc/redhat-release -> $(SEC_CONFIG) ; +# /compat/linux/etc/rpc -> $(SEC_CONFIG) ; +# /compat/linux/etc/securetty -> $(SEC_CONFIG) ; +# /compat/linux/etc/shells -> $(SEC_CONFIG) ; +# /compat/linux/etc/termcap -> $(SEC_CONFIG) ; +# /compat/linux/etc/yp.conf -> $(SEC_CONFIG) ; +# !/compat/linux/etc/ld.so.cache ; +# !/compat/linux/var/spool/mail ; +#@@endif +} + + +# +# Libraries, include files, and other system files +# + +( + rulename = "Libraries, include files, and other system files", + severity = $(SIG_HI) +) +{ + /usr/include -> $(SEC_CRIT) (recurse = true) ; + /usr/lib -> $(SEC_CRIT) (recurse = true) ; + /usr/libdata -> $(SEC_CRIT) (recurse = true) ; + /usr/libexec -> $(SEC_CRIT) (recurse = true) ; + /usr/share -> $(SEC_CRIT) (recurse = true) ; + /usr/share/man -> $(SEC_CONFIG) ; + !/usr/share/man/whatis ; + !/usr/share/man/.glimpse_filenames ; + !/usr/share/man/.glimpse_filenames_index ; + !/usr/share/man/.glimpse_filetimes ; + !/usr/share/man/.glimpse_filters ; + !/usr/share/man/.glimpse_index ; + !/usr/share/man/.glimpse_messages ; + !/usr/share/man/.glimpse_partitions ; + !/usr/share/man/.glimpse_statistics ; + !/usr/share/man/.glimpse_turbo ; + /usr/share/man/man1 -> $(SEC_CRIT) (recurse = true) ; + /usr/share/man/man2 -> $(SEC_CRIT) (recurse = true) ; + /usr/share/man/man3 -> $(SEC_CRIT) (recurse = true) ; + /usr/share/man/man4 -> $(SEC_CRIT) (recurse = true) ; + /usr/share/man/man5 -> $(SEC_CRIT) (recurse = true) ; + /usr/share/man/man6 -> $(SEC_CRIT) (recurse = true) ; + /usr/share/man/man7 -> $(SEC_CRIT) (recurse = true) ; + /usr/share/man/man8 -> $(SEC_CRIT) (recurse = true) ; + /usr/share/man/man9 -> $(SEC_CRIT) (recurse = true) ; + /usr/share/man/mann -> $(SEC_CRIT) (recurse = true) ; + ! /usr/share/man/cat1 ; + ! /usr/share/man/cat2 ; + ! /usr/share/man/cat3 ; + ! /usr/share/man/cat4 ; + ! /usr/share/man/cat5 ; + ! /usr/share/man/cat6 ; + ! /usr/share/man/cat7 ; + ! /usr/share/man/cat8 ; + ! /usr/share/man/cat9 ; + ! /usr/share/man/catl ; + ! /usr/share/man/catn ; + /usr/share/perl/man -> $(SEC_CONFIG) ; + !/usr/share/perl/man/whatis ; + !/usr/share/perl/man/.glimpse_filenames ; + !/usr/share/perl/man/.glimpse_filenames_index ; + !/usr/share/perl/man/.glimpse_filetimes ; + !/usr/share/perl/man/.glimpse_filters ; + !/usr/share/perl/man/.glimpse_index ; + !/usr/share/perl/man/.glimpse_messages ; + !/usr/share/perl/man/.glimpse_partitions ; + !/usr/share/perl/man/.glimpse_statistics ; + !/usr/share/perl/man/.glimpse_turbo ; + /usr/share/perl/man/man3 -> $(SEC_CRIT) (recurse = true) ; + ! /usr/share/perl/man/cat3 ; + /usr/local/lib/perl5/5.00503/man -> $(SEC_CONFIG) ; + ! /usr/local/lib/perl5/5.00503/man/whatis ; + ! /usr/local/lib/perl5/5.00503/man/.glimpse_filters ; + ! /usr/local/lib/perl5/5.00503/man/.glimpse_filetimes ; + ! /usr/local/lib/perl5/5.00503/man/.glimpse_messages ; + ! /usr/local/lib/perl5/5.00503/man/.glimpse_statistics ; + ! /usr/local/lib/perl5/5.00503/man/.glimpse_index ; + ! /usr/local/lib/perl5/5.00503/man/.glimpse_turbo ; + ! /usr/local/lib/perl5/5.00503/man/.glimpse_partitions ; + ! /usr/local/lib/perl5/5.00503/man/.glimpse_filenames ; + ! /usr/local/lib/perl5/5.00503/man/.glimpse_filenames_index ; + /usr/local/lib/perl5/5.00503/man/man3 -> $(SEC_CRIT) (recurse = true) ; + ! /usr/local/lib/perl5/5.00503/man/cat3 ; +} + + +# +# X11R6 +# + +( + rulename = "X11R6", + severity = $(SIG_HI) +) +{ + /usr/X11R6 -> $(SEC_CRIT) (recurse = true) ; + /usr/X11R6/lib/X11/xdm -> $(SEC_CONFIG) (recurse = true) ; + !/usr/X11R6/lib/X11/xdm/xdm-errors ; + !/usr/X11R6/lib/X11/xdm/authdir/authfiles ; + !/usr/X11R6/lib/X11/xdm/xdm-pid ; + /usr/X11R6/lib/X11/xkb/compiled -> $(SEC_CONFIG) (recurse = true) ; + /usr/X11R6/man -> $(SEC_CONFIG) ; + !/usr/X11R6/man/whatis ; + !/usr/X11R6/man/.glimpse_filenames ; + !/usr/X11R6/man/.glimpse_filenames_index ; + !/usr/X11R6/man/.glimpse_filetimes ; + !/usr/X11R6/man/.glimpse_filters ; + !/usr/X11R6/man/.glimpse_index ; + !/usr/X11R6/man/.glimpse_messages ; + !/usr/X11R6/man/.glimpse_partitions ; + !/usr/X11R6/man/.glimpse_statistics ; + !/usr/X11R6/man/.glimpse_turbo ; + /usr/X11R6/man/man1 -> $(SEC_CRIT) (recurse = true) ; + /usr/X11R6/man/man2 -> $(SEC_CRIT) (recurse = true) ; + /usr/X11R6/man/man3 -> $(SEC_CRIT) (recurse = true) ; + /usr/X11R6/man/man4 -> $(SEC_CRIT) (recurse = true) ; + /usr/X11R6/man/man5 -> $(SEC_CRIT) (recurse = true) ; + /usr/X11R6/man/man6 -> $(SEC_CRIT) (recurse = true) ; + /usr/X11R6/man/man7 -> $(SEC_CRIT) (recurse = true) ; + /usr/X11R6/man/man8 -> $(SEC_CRIT) (recurse = true) ; + /usr/X11R6/man/man9 -> $(SEC_CRIT) (recurse = true) ; + /usr/X11R6/man/manl -> $(SEC_CRIT) (recurse = true) ; + /usr/X11R6/man/mann -> $(SEC_CRIT) (recurse = true) ; + ! /usr/X11R6/man/cat1 ; + ! /usr/X11R6/man/cat2 ; + ! /usr/X11R6/man/cat3 ; + ! /usr/X11R6/man/cat4 ; + ! /usr/X11R6/man/cat5 ; + ! /usr/X11R6/man/cat6 ; + ! /usr/X11R6/man/cat7 ; + ! /usr/X11R6/man/cat8 ; + ! /usr/X11R6/man/cat9 ; + ! /usr/X11R6/man/catl ; + ! /usr/X11R6/man/catn ; +} + + +# +# sources +# + +( + rulename = "Sources", + severity = $(SIG_HI) +) +{ + /usr/src -> $(SEC_CRIT) (recurse = true) ; + /usr/src/sys/compile -> $(SEC_CONFIG) (recurse = false) ; +} + + +# +# NIS +# + +( + rulename = "NIS", + severity = $(SIG_HI) +) +{ + /var/yp -> $(SEC_CRIT) (recurse = true) ; + !/var/yp/binding ; +} + + +# +# Temporary directories +# +( + rulename = "Temporary directories", + recurse = false, + severity = $(SIG_LOW) +) +{ + /usr/tmp -> $(SEC_INVARIANT) ; + /var/tmp -> $(SEC_INVARIANT) ; + /var/preserve -> $(SEC_INVARIANT) ; + /tmp -> $(SEC_INVARIANT) ; +} + +# +# Local files +# + +( + rulename = "Local files", + severity = $(SIG_MED) +) +{ + /usr/local/bin -> $(SEC_BIN) (recurse = true) ; + /usr/local/sbin -> $(SEC_BIN) (recurse = true) ; + /usr/local/etc -> $(SEC_BIN) (recurse = true) ; + /usr/local/lib -> $(SEC_BIN) (recurse = true ) ; + /usr/local/libexec -> $(SEC_BIN) (recurse = true ) ; + /usr/local/share -> $(SEC_BIN) (recurse = true ) ; + /usr/local/man -> $(SEC_CONFIG) ; + !/usr/local/man/whatis ; + !/usr/local/man/.glimpse_filenames ; + !/usr/local/man/.glimpse_filenames_index ; + !/usr/local/man/.glimpse_filetimes ; + !/usr/local/man/.glimpse_filters ; + !/usr/local/man/.glimpse_index ; + !/usr/local/man/.glimpse_messages ; + !/usr/local/man/.glimpse_partitions ; + !/usr/local/man/.glimpse_statistics ; + !/usr/local/man/.glimpse_turbo ; + /usr/local/man/man1 -> $(SEC_CRIT) (recurse = true) ; + /usr/local/man/man2 -> $(SEC_CRIT) (recurse = true) ; + /usr/local/man/man3 -> $(SEC_CRIT) (recurse = true) ; + /usr/local/man/man4 -> $(SEC_CRIT) (recurse = true) ; + /usr/local/man/man5 -> $(SEC_CRIT) (recurse = true) ; + /usr/local/man/man6 -> $(SEC_CRIT) (recurse = true) ; + /usr/local/man/man7 -> $(SEC_CRIT) (recurse = true) ; + /usr/local/man/man8 -> $(SEC_CRIT) (recurse = true) ; + /usr/local/man/man9 -> $(SEC_CRIT) (recurse = true) ; + /usr/local/man/manl -> $(SEC_CRIT) (recurse = true) ; + /usr/local/man/mann -> $(SEC_CRIT) (recurse = true) ; + ! /usr/local/man/cat1 ; + ! /usr/local/man/cat2 ; + ! /usr/local/man/cat3 ; + ! /usr/local/man/cat4 ; + ! /usr/local/man/cat5 ; + ! /usr/local/man/cat6 ; + ! /usr/local/man/cat7 ; + ! /usr/local/man/cat8 ; + ! /usr/local/man/cat9 ; + ! /usr/local/man/catl ; + ! /usr/local/man/catn ; + /usr/local/krb5 -> $(SEC_CRIT) (recurse = true) ; + /usr/local/krb5/man -> $(SEC_CONFIG) ; + !/usr/local/krb5/man/whatis ; + !/usr/local/krb5/man/.glimpse_filenames ; + !/usr/local/krb5/man/.glimpse_filenames_index ; + !/usr/local/krb5/man/.glimpse_filetimes ; + !/usr/local/krb5/man/.glimpse_filters ; + !/usr/local/krb5/man/.glimpse_index ; + !/usr/local/krb5/man/.glimpse_messages ; + !/usr/local/krb5/man/.glimpse_partitions ; + !/usr/local/krb5/man/.glimpse_statistics ; + !/usr/local/krb5/man/.glimpse_turbo ; + /usr/local/krb5/man/man1 -> $(SEC_CRIT) (recurse = true) ; + /usr/local/krb5/man/man2 -> $(SEC_CRIT) (recurse = true) ; + /usr/local/krb5/man/man3 -> $(SEC_CRIT) (recurse = true) ; + /usr/local/krb5/man/man4 -> $(SEC_CRIT) (recurse = true) ; + /usr/local/krb5/man/man5 -> $(SEC_CRIT) (recurse = true) ; + /usr/local/krb5/man/man6 -> $(SEC_CRIT) (recurse = true) ; + /usr/local/krb5/man/man7 -> $(SEC_CRIT) (recurse = true) ; + /usr/local/krb5/man/man8 -> $(SEC_CRIT) (recurse = true) ; + /usr/local/krb5/man/man9 -> $(SEC_CRIT) (recurse = true) ; + /usr/local/krb5/man/manl -> $(SEC_CRIT) (recurse = true) ; + /usr/local/krb5/man/mann -> $(SEC_CRIT) (recurse = true) ; + ! /usr/local/krb5/man/cat1 ; + ! /usr/local/krb5/man/cat2 ; + ! /usr/local/krb5/man/cat3 ; + ! /usr/local/krb5/man/cat4 ; + ! /usr/local/krb5/man/cat5 ; + ! /usr/local/krb5/man/cat6 ; + ! /usr/local/krb5/man/cat7 ; + ! /usr/local/krb5/man/cat8 ; + ! /usr/local/krb5/man/cat9 ; + ! /usr/local/krb5/man/catl ; + ! /usr/local/krb5/man/catn ; + /usr/local/www -> $(SEC_CONFIG) (recurse = true) ; +} + + +( + rulename = "Security Control", + severity = $(SIG_HI) +) +{ + /etc/group -> $(SEC_CRIT) ; + /etc/crontab -> $(SEC_CRIT) ; +} + +#============================================================================= +# +# Copyright 2000 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, +# Inc. in the United States and other countries. All rights reserved. +# +# FreeBSD is a registered trademark of the FreeBSD Project Inc. +# +# UNIX is a registered trademark of The Open Group. +# +#============================================================================= +# +# Permission is granted to make and distribute verbatim copies of this document +# provided the copyright notice and this permission notice are preserved on all +# copies. +# +# Permission is granted to copy and distribute modified versions of this +# document under the conditions for verbatim copying, provided that the entire +# resulting derived work is distributed under the terms of a permission notice +# identical to this one. +# +# Permission is granted to copy and distribute translations of this document +# into another language, under the above conditions for modified versions, +# except that this permission notice may be stated in a translation approved by +# Tripwire, Inc. +# +# DCM diff --git a/security/tripwire/pkg-plist b/security/tripwire/pkg-plist index f34115341fbe..7e28d1b87285 100644 --- a/security/tripwire/pkg-plist +++ b/security/tripwire/pkg-plist @@ -1,2 +1,11 @@ -bin/siggen -bin/tripwire +sbin/tripwire +sbin/twadmin +sbin/twprint +sbin/siggen +share/doc/tripwire/README +share/doc/tripwire/Release_Notes +share/doc/tripwire/COPYING +share/doc/tripwire/TRADEMARK +share/doc/tripwire/policyguide.txt +@dirrm share/doc/tripwire +@unexec echo If permanently deleting this package, /usr/local/etc/tripwire and /var/db/tripwire must be removed manually |