Date: Sat, 21 Jul 2001 22:10:31 -0700 (PDT) From: Cy.Schubert@uumail.gov.bc.ca To: FreeBSD-gnats-submit@freebsd.org Subject: ports/29137: Brand New Tripwire-2.3.1 Port Message-ID: <200107220510.f6M5AVU84580@cwsys.cwsent.com>
next in thread | raw e-mail | index | archive | help
>Number: 29137
>Category: ports
>Synopsis: Brand New Tripwire-2.3.1 Port
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-ports
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: maintainer-update
>Submitter-Id: current-users
>Arrival-Date: Sat Jul 21 22:20:00 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator: Cy Schubert
>Release: FreeBSD 4.3-RELEASE i386
>Organization:
ITSD Province of BC
>Environment:
System: FreeBSD cwsys 4.3-RELEASE FreeBSD 4.3-RELEASE #9: Thu Jul 19 07:21:29 PDT 2001 root@cwsys:/opt/cvs-430r/src/sys/compile/CWSYS i386
>Description:
Finally, a FreeBSD Tripwire-2.3.1 port, in shar format.
# This is a shell archive. Save it in a file, remove anything before
# this line, and then unpack it by entering "sh file". Note, it may
# create directories; files and directories will be owned by you and
# have default permissions.
#
# This archive contains:
#
# tripwire-231
# tripwire-231/files
# tripwire-231/files/patch-ac
# tripwire-231/files/patch-ab
# tripwire-231/files/patch-ae
# tripwire-231/files/twpol.txt
# tripwire-231/files/patch-ad
# tripwire-231/files/patch-aa
# tripwire-231/files/patch-ba
# tripwire-231/files/patch-mailmessage
# tripwire-231/files/patch-open
# tripwire-231/distinfo
# tripwire-231/pkg-comment
# tripwire-231/pkg-descr
# tripwire-231/pkg-plist
# tripwire-231/Makefile
#
echo c - tripwire-231
mkdir -p tripwire-231 > /dev/null 2>&1
echo c - tripwire-231/files
mkdir -p tripwire-231/files > /dev/null 2>&1
echo x - tripwire-231/files/patch-ac
sed 's/^X//' >tripwire-231/files/patch-ac << 'END-of-tripwire-231/files/patch-ac'
X--- install/install.cfg.orig Fri Oct 27 17:26:25 2000
X+++ install/install.cfg Wed Jul 11 20:33:05 2001
X@@ -24,19 +24,19 @@
X CLOBBER=false
X
X # Tripwire binaries are stored in TWBIN.
X-TWBIN="/usr/sbin"
X+TWBIN="${PREFIX}/sbin"
X
X # Tripwire policy files are stored in TWPOLICY.
X-TWPOLICY="/etc/tripwire"
X+TWPOLICY="/var/adm/tripwire/etc"
X
X # Tripwire manual pages are stored in TWMAN.
X-TWMAN="/usr/man"
X+TWMAN="${PREFIX}/man"
X
X # Tripwire database files are stored in TWDB.
X-TWDB="/var/lib/tripwire"
X+TWDB="/var/adm/tripwire/db"
X
X # Tripwire documents directory
X-TWDOCS="/usr/doc/tripwire"
X+TWDOCS="${PREFIX}/share/doc/tripwire"
X
X # The Tripwire site key files are stored in TWSITEKEYDIR.
X TWSITEKEYDIR="${TWPOLICY}"
X@@ -48,7 +48,7 @@
X TWREPORT="${TWDB}/report"
X
X # This sets the default text editor for Tripwire.
X-TWEDITOR="/bin/vi"
X+TWEDITOR="/usr/bin/vi"
X
X # TWLATEPROMTING controls the point when tripwire asks for a password.
X TWLATEPROMPTING=false
X@@ -85,7 +85,7 @@
X #####################################
X
X TWMAILMETHOD=SENDMAIL
X-TWMAILPROGRAM="/usr/lib/sendmail -oi -t"
X+TWMAILPROGRAM="/usr/sbin/sendmail -oi -t"
X
X #####################################
X # SMTP options
END-of-tripwire-231/files/patch-ac
echo x - tripwire-231/files/patch-ab
sed 's/^X//' >tripwire-231/files/patch-ab << 'END-of-tripwire-231/files/patch-ab'
X--- src/core/msystem.h.orig Fri Oct 27 18:15:20 2000
X+++ src/core/msystem.h Tue Mar 6 07:10:06 2001
X@@ -114,7 +114,7 @@
X # define GID_RESET -2 /* reset EGID to RGID */
X #endif
X #ifndef DEF_PATH
X-# define DEF_PATH "PATH=/bin:/usr/bin:/usr/ucb" /* default search path */
X+# define DEF_PATH "PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/local/sbin:/usr/local/bin" /* default search path */
X #endif
X #ifndef DEF_SHELL
X # define DEF_SHELL "SHELL=/bin/sh" /* default shell */
END-of-tripwire-231/files/patch-ab
echo x - tripwire-231/files/patch-ae
sed 's/^X//' >tripwire-231/files/patch-ae << 'END-of-tripwire-231/files/patch-ae'
X--- src/core/stdcore.h.orig Sat Feb 24 11:02:12 2001
X+++ src/core/stdcore.h Wed Jul 11 20:53:58 2001
X@@ -47,7 +47,7 @@
X
X //--Where the configuration file is to be found
X #if IS_BSD
X-# define CONFIG_FILE_ROOT "/usr/local/etc/tripwire"
X+# define CONFIG_FILE_ROOT "/var/adm/tripwire/etc"
X #elif defined(USE_FHS)
X # define CONFIG_FILE_ROOT "/etc/tripwire"
X #else
END-of-tripwire-231/files/patch-ae
echo x - tripwire-231/files/twpol.txt
sed 's/^X//' >tripwire-231/files/twpol.txt << 'END-of-tripwire-231/files/twpol.txt'
X ##############################################################################
X # ##
X############################################################################## #
X# # #
X# Policy file for FreeBSD 4.3 # #
X# V1.0.0 # #
X# June 18, 2001 # #
X# ##
X##############################################################################
X
X
X ##############################################################################
X # ##
X############################################################################## #
X# # #
X# This is the example Tripwire Policy file. It is intended as a place to # #
X# start creating your own custom Tripwire Policy file. Referring to it as # #
X# well as the Tripwire Policy Guide should give you enough information to # #
X# make a good custom Tripwire Policy file that better covers your # #
X# configuration and security needs. A text version of this policy file is # #
X# called twpol.txt. # #
X# # #
X# Note that this file is tuned to an install of FreeBSD 4.3 using # #
X# buildworld. If run unmodified, this file should create no errors on # #
X# database creation, or violations on a subsiquent integrity check. # #
X# However it is impossible for there to be one policy file for all machines, # #
X# so this existing one errs on the side of security. Your FreeBSD # #
X# configuration will most likey differ from the one our policy file was # #
X# tuned to, and will therefore require some editing of the default # #
X# Tripwire Policy file. # #
X# # #
X# The example policy file is best run with 'Loose Directory Checking' # #
X# enabled. Set LOOSEDIRECTORYCHECKING=TRUE in the Tripwire Configuration # #
X# file. # #
X# # #
X# Email support is not included and must be added to this file. # #
X# Add the 'emailto=' to the rule directive section of each rule (add a comma # #
X# after the 'severity=' line and add an 'emailto=' and include the email # #
X# addresses you want the violation reports to go to). Addresses are # #
X# semi-colon delimited. # #
X# ##
X##############################################################################
X
X
X
X ##############################################################################
X # ##
X############################################################################## #
X# # #
X# Global Variable Definitions # #
X# # #
X# These are defined at install time by the installation script. You may # #
X# Manually edit these if you are using this file directly and not from the # #
X# installation script itself. # #
X# ##
X##############################################################################
X
X@@section GLOBAL
XTWROOT=;
XTWBIN=;
XTWPOL=;
XTWDB=;
XTWSKEY=;
XTWLKEY=;
XTWREPORT=;
XHOSTNAME=;
X
X@@section FS
XSEC_CRIT = $(IgnoreNone)-SHa ; # Critical files that cannot change
XSEC_SUID = $(IgnoreNone)-SHa ; # Binaries with the SUID or SGID flags set
XSEC_BIN = $(ReadOnly) ; # Binaries that should not change
XSEC_CONFIG = $(Dynamic) ; # Config files that are changed infrequently but accessed often
XSEC_TTY = $(Dynamic)-ugp ; # Tty files that change ownership at login
XSEC_LOG = $(Growing) ; # Files that grow, but that should never change ownership
XSEC_INVARIANT = +tpug ; # Directories that should never change permission or ownership
XSIG_LOW = 33 ; # Non-critical files that are of minimal security impact
XSIG_MED = 66 ; # Non-critical files that are of significant security impact
XSIG_HI = 100 ; # Critical files that are significant points of vulnerability
X
X
X# Tripwire Binaries
X(
X rulename = "Tripwire Binaries",
X severity = $(SIG_HI)
X)
X{
X $(TWBIN)/siggen -> $(SEC_BIN) ;
X $(TWBIN)/tripwire -> $(SEC_BIN) ;
X $(TWBIN)/twadmin -> $(SEC_BIN) ;
X $(TWBIN)/twprint -> $(SEC_BIN) ;
X}
X
X# Tripwire Data Files - Configuration Files, Policy Files, Keys, Reports, Databases
X(
X rulename = "Tripwire Data Files",
X severity = $(SIG_HI)
X)
X{
X # NOTE: We remove the inode attribute because when Tripwire creates a backup,
X # it does so by renaming the old file and creating a new one (which will
X # have a new inode number). Inode is left turned on for keys, which shouldn't
X # ever change.
X
X # NOTE: The first integrity check triggers this rule and each integrity check
X # afterward triggers this rule until a database update is run, since the
X # database file does not exist before that point.
X
X $(TWDB) -> $(SEC_CONFIG) -i ;
X $(TWPOL)/tw.pol -> $(SEC_BIN) -i ;
X $(TWPOL)/tw.cfg -> $(SEC_BIN) -i ;
X $(TWPOL)/twcfg.txt -> $(SEC_BIN) ;
X $(TWPOL)/twpol.txt -> $(SEC_BIN) ;
X $(TWLKEY)/$(HOSTNAME)-local.key -> $(SEC_BIN) ;
X $(TWSKEY)/site.key -> $(SEC_BIN) ;
X
X #don't scan the individual reports
X $(TWREPORT) -> $(SEC_CONFIG) (recurse=0) ;
X}
X
X
X# Tripwire HQ Connector Binaries
X#(
X# rulename = "Tripwire HQ Connector Binaries",
X# severity = $(SIG_HI)
X#)
X#{
X# $(TWBIN)/hqagent -> $(SEC_BIN) ;
X#}
X#
X# Tripwire HQ Connector - Configuration Files, Keys, and Logs
X
X ##############################################################################
X # ##
X############################################################################## #
X# # #
X# Note: File locations here are different than in a stock HQ Connector # #
X# installation. This is because Tripwire 2.3 uses a different path # #
X# structure than Tripwire 2.2.1. # #
X# # #
X# You may need to update your HQ Agent configuation file (or this policy # #
X# file) to correct the paths. We have attempted to support the FHS standard # #
X# here by placing the HQ Agent files similarly to the way Tripwire 2.3 # #
X# places them. # #
X# ##
X##############################################################################
X
X#(
X# rulename = "Tripwire HQ Connector Data Files",
X# severity = $(SIG_HI)
X#)
X#{
X# #############################################################################
X# ##############################################################################
X# # NOTE: Removing the inode attribute because when Tripwire creates a backup ##
X# # it does so by renaming the old file and creating a new one (which will ##
X# # have a new inode number). Leaving inode turned on for keys, which ##
X# # shouldn't ever change. ##
X# #############################################################################
X#
X# $(TWBIN)/agent.cfg -> $(SEC_BIN) -i ;
X# $(TWLKEY)/authentication.key -> $(SEC_BIN) ;
X# $(TWDB)/tasks.dat -> $(SEC_CONFIG) ;
X# $(TWDB)/schedule.dat -> $(SEC_CONFIG) ;
X#
X# # Uncomment if you have agent logging enabled.
X# #/var/log/tripwire/agent.log -> $(SEC_LOG) ;
X#}
X
X
X
X# Commonly accessed directories that should remain static with regards to owner and group
X(
X rulename = "Invariant Directories",
X severity = $(SIG_MED)
X)
X{
X / -> $(SEC_INVARIANT) (recurse = false) ;
X /home -> $(SEC_INVARIANT) (recurse = false) ;
X}
X
X ########################
X # ##
X######################## #
X# # #
X# First, root's "home" # #
X# ##
X########################
X
X(
X rulename = "Root's home",
X severity = $(SIG_HI)
X)
X{
X # /.rhosts -> $(SEC_CRIT) ;
X /.profile -> $(SEC_CRIT) ;
X /.cshrc -> $(SEC_CRIT) ;
X /.login -> $(SEC_CRIT) ;
X # /.exrc -> $(SEC_CRIT) ;
X # /.logout -> $(SEC_CRIT) ;
X # /.forward -> $(SEC_CRIT) ;
X /root -> $(SEC_CRIT) (recurse = true) ;
X !/root/.history ;
X !/root/.bash_history ;
X # !/root/.lsof_SYSTEM_NAME ; # Uncomment if lsof is installed
X}
X
X
X ##################
X # ##
X################## #
X# # #
X# FreeBSD Kernel # #
X# ##
X##################
X
X(
X rulename = "FreeBSD Kernel",
X severity = $(SIG_HI)
X)
X{
X /kernel -> $(SEC_CRIT) ;
X /kernel.old -> $(SEC_CRIT) ;
X /kernel.GENERIC -> $(SEC_CRIT) ;
X}
X
X
X ###################
X # ##
X################### #
X# # #
X# FreeBSD Modules # #
X# ##
X###################
X
X(
X rulename = "FreeBSD Modules",
X severity = $(SIG_HI)
X)
X{
X /modules -> $(SEC_CRIT) (recurse = true) ;
X /modules.old -> $(SEC_CRIT) (recurse = true) ;
X # /lkm -> $(SEC_CRIT) (recurse = true) ; # uncomment if using lkm kld
X}
X
X
X ##################################
X # ##
X################################## #
X# # #
X# System Administration Programs # #
X# ##
X##################################
X
X(
X rulename = "System Administration Programs",
X severity = $(SIG_HI)
X)
X{
X /sbin -> $(SEC_CRIT) (recurse = true) ;
X /usr/sbin -> $(SEC_CRIT) (recurse = true) ;
X}
X
X
X ##################
X # ##
X################## #
X# # #
X# User Utilities # #
X# ##
X##################
X
X(
X rulename = "User Utilities",
X severity = $(SIG_HI)
X)
X{
X /bin -> $(SEC_CRIT) (recurse = true) ;
X /usr/bin -> $(SEC_CRIT) (recurse = true) ;
X}
X
X
X ########
X # ##
X######## #
X# # #
X# /dev # #
X# ##
X########
X
X(
X rulename = "/dev",
X severity = $(SIG_HI)
X)
X{
X /dev -> $(Device) (recurse = true) ;
X !/dev/vga ;
X !/dev/dri ;
X /dev/console -> $(SEC_TTY) ;
X /dev/ttyv0 -> $(SEC_TTY) ;
X /dev/ttyv1 -> $(SEC_TTY) ;
X /dev/ttyv2 -> $(SEC_TTY) ;
X /dev/ttyv3 -> $(SEC_TTY) ;
X /dev/ttyv4 -> $(SEC_TTY) ;
X /dev/ttyv5 -> $(SEC_TTY) ;
X /dev/ttyv6 -> $(SEC_TTY) ;
X /dev/ttyv7 -> $(SEC_TTY) ;
X /dev/ttyp0 -> $(SEC_TTY) ;
X /dev/ttyp1 -> $(SEC_TTY) ;
X /dev/ttyp2 -> $(SEC_TTY) ;
X /dev/ttyp3 -> $(SEC_TTY) ;
X /dev/ttyp4 -> $(SEC_TTY) ;
X /dev/ttyp5 -> $(SEC_TTY) ;
X /dev/ttyp6 -> $(SEC_TTY) ;
X /dev/ttyp7 -> $(SEC_TTY) ;
X /dev/ttyp8 -> $(SEC_TTY) ;
X /dev/ttyp9 -> $(SEC_TTY) ;
X /dev/ttypa -> $(SEC_TTY) ;
X /dev/ttypb -> $(SEC_TTY) ;
X /dev/ttypc -> $(SEC_TTY) ;
X /dev/ttypd -> $(SEC_TTY) ;
X /dev/ttype -> $(SEC_TTY) ;
X /dev/ttypf -> $(SEC_TTY) ;
X /dev/ttypg -> $(SEC_TTY) ;
X /dev/ttyph -> $(SEC_TTY) ;
X /dev/ttypi -> $(SEC_TTY) ;
X /dev/ttypj -> $(SEC_TTY) ;
X /dev/ttypl -> $(SEC_TTY) ;
X /dev/ttypm -> $(SEC_TTY) ;
X /dev/ttypn -> $(SEC_TTY) ;
X /dev/ttypo -> $(SEC_TTY) ;
X /dev/ttypp -> $(SEC_TTY) ;
X /dev/ttypq -> $(SEC_TTY) ;
X /dev/ttypr -> $(SEC_TTY) ;
X /dev/ttyps -> $(SEC_TTY) ;
X /dev/ttypt -> $(SEC_TTY) ;
X /dev/ttypu -> $(SEC_TTY) ;
X /dev/ttypv -> $(SEC_TTY) ;
X /dev/cuaa0 -> $(SEC_TTY) ; # modem
X}
X
X
X ########
X # ##
X######## #
X# # #
X# /etc # #
X# ##
X########
X
X(
X rulename = "/etc",
X severity = $(SIG_HI)
X)
X{
X /etc -> $(SEC_CRIT) (recurse = true) ;
X # /etc/mail/aliases -> $(SEC_CONFIG) ;
X /etc/dumpdates -> $(SEC_CONFIG) ;
X /etc/motd -> $(SEC_CONFIG) ;
X !/etc/ppp/connect-errors ;
X /etc/skeykeys -> $(SEC_CONFIG) ;
X # Uncomment the following 4 lines if your password file does not change
X # /etc/passwd -> $(SEC_CONFIG) ;
X # /etc/master.passwd -> $(SEC_CONFIG) ;
X # /etc/pwd.db -> $(SEC_CONFIG) ;
X # /etc/spwd.db -> $(SEC_CONFIG) ;
X}
X
X
X ########################
X # ##
X######################## #
X# # #
X# Copatibility (Linux) # #
X# ##
X########################
X
X(
X rulename = "Linux Compatibility",
X severity = $(SIG_HI)
X)
X{
X /compat -> $(SEC_CRIT) (recurse = true) ;
X !/compat/linux/etc/ld.so.cache ;
X !/compat/linux/var/spool/mail ;
X}
X
X
X ####################################################
X # ##
X#################################################### #
X# # #
X# Libraries, include files, and other system files # #
X# ##
X####################################################
X
X(
X rulename = "Libraries, include files, and other system files",
X severity = $(SIG_HI)
X)
X{
X /usr/include -> $(SEC_CRIT) (recurse = true) ;
X /usr/lib -> $(SEC_CRIT) (recurse = true) ;
X /usr/libdata -> $(SEC_CRIT) (recurse = true) ;
X /usr/libexec -> $(SEC_CRIT) (recurse = true) ;
X /usr/share -> $(SEC_CRIT) (recurse = true) ;
X /usr/share/man -> $(SEC_CONFIG) ;
X !/usr/share/man/whatis ;
X !/usr/share/man/.glimpse_filenames ;
X !/usr/share/man/.glimpse_filenames_index ;
X !/usr/share/man/.glimpse_filetimes ;
X !/usr/share/man/.glimpse_filters ;
X !/usr/share/man/.glimpse_index ;
X !/usr/share/man/.glimpse_messages ;
X !/usr/share/man/.glimpse_partitions ;
X !/usr/share/man/.glimpse_statistics ;
X !/usr/share/man/.glimpse_turbo ;
X /usr/share/man/man1 -> $(SEC_CRIT) (recurse = true) ;
X /usr/share/man/man2 -> $(SEC_CRIT) (recurse = true) ;
X /usr/share/man/man3 -> $(SEC_CRIT) (recurse = true) ;
X /usr/share/man/man4 -> $(SEC_CRIT) (recurse = true) ;
X /usr/share/man/man5 -> $(SEC_CRIT) (recurse = true) ;
X /usr/share/man/man6 -> $(SEC_CRIT) (recurse = true) ;
X /usr/share/man/man7 -> $(SEC_CRIT) (recurse = true) ;
X /usr/share/man/man8 -> $(SEC_CRIT) (recurse = true) ;
X /usr/share/man/man9 -> $(SEC_CRIT) (recurse = true) ;
X /usr/share/man/mann -> $(SEC_CRIT) (recurse = true) ;
X ! /usr/share/man/cat1 ;
X ! /usr/share/man/cat2 ;
X ! /usr/share/man/cat3 ;
X ! /usr/share/man/cat4 ;
X ! /usr/share/man/cat5 ;
X ! /usr/share/man/cat6 ;
X ! /usr/share/man/cat7 ;
X ! /usr/share/man/cat8 ;
X ! /usr/share/man/cat9 ;
X ! /usr/share/man/catl ;
X ! /usr/share/man/catn ;
X /usr/share/perl/man -> $(SEC_CONFIG) ;
X !/usr/share/perl/man/whatis ;
X !/usr/share/perl/man/.glimpse_filenames ;
X !/usr/share/perl/man/.glimpse_filenames_index ;
X !/usr/share/perl/man/.glimpse_filetimes ;
X !/usr/share/perl/man/.glimpse_filters ;
X !/usr/share/perl/man/.glimpse_index ;
X !/usr/share/perl/man/.glimpse_messages ;
X !/usr/share/perl/man/.glimpse_partitions ;
X !/usr/share/perl/man/.glimpse_statistics ;
X !/usr/share/perl/man/.glimpse_turbo ;
X /usr/share/perl/man/man3 -> $(SEC_CRIT) (recurse = true) ;
X ! /usr/share/perl/man/cat3 ;
X /usr/local/lib/perl5/5.00503/man -> $(SEC_CONFIG) ;
X ! /usr/local/lib/perl5/5.00503/man/whatis ;
X ! /usr/local/lib/perl5/5.00503/man/.glimpse_filters ;
X ! /usr/local/lib/perl5/5.00503/man/.glimpse_filetimes ;
X ! /usr/local/lib/perl5/5.00503/man/.glimpse_messages ;
X ! /usr/local/lib/perl5/5.00503/man/.glimpse_statistics ;
X ! /usr/local/lib/perl5/5.00503/man/.glimpse_index ;
X ! /usr/local/lib/perl5/5.00503/man/.glimpse_turbo ;
X ! /usr/local/lib/perl5/5.00503/man/.glimpse_partitions ;
X ! /usr/local/lib/perl5/5.00503/man/.glimpse_filenames ;
X ! /usr/local/lib/perl5/5.00503/man/.glimpse_filenames_index ;
X /usr/local/lib/perl5/5.00503/man/man3 -> $(SEC_CRIT) (recurse = true) ;
X ! /usr/local/lib/perl5/5.00503/man/cat3 ;
X}
X
X
X #########
X # ##
X######### #
X# # #
X# X11R6 # #
X# ##
X#########
X
X(
X rulename = "X11R6",
X severity = $(SIG_HI)
X)
X{
X /usr/X11R6 -> $(SEC_CRIT) (recurse = true) ;
X /usr/X11R6/lib/X11/xdm -> $(SEC_CONFIG) (recurse = true) ;
X !/usr/X11R6/lib/X11/xdm/xdm-errors ;
X !/usr/X11R6/lib/X11/xdm/authdir/authfiles ;
X !/usr/X11R6/lib/X11/xdm/xdm-pid ;
X /usr/X11R6/lib/X11/xkb/compiled -> $(SEC_CONFIG) (recurse = true) ;
X /usr/X11R6/man -> $(SEC_CONFIG) ;
X !/usr/X11R6/man/whatis ;
X !/usr/X11R6/man/.glimpse_filenames ;
X !/usr/X11R6/man/.glimpse_filenames_index ;
X !/usr/X11R6/man/.glimpse_filetimes ;
X !/usr/X11R6/man/.glimpse_filters ;
X !/usr/X11R6/man/.glimpse_index ;
X !/usr/X11R6/man/.glimpse_messages ;
X !/usr/X11R6/man/.glimpse_partitions ;
X !/usr/X11R6/man/.glimpse_statistics ;
X !/usr/X11R6/man/.glimpse_turbo ;
X /usr/X11R6/man/man1 -> $(SEC_CRIT) (recurse = true) ;
X /usr/X11R6/man/man2 -> $(SEC_CRIT) (recurse = true) ;
X /usr/X11R6/man/man3 -> $(SEC_CRIT) (recurse = true) ;
X /usr/X11R6/man/man4 -> $(SEC_CRIT) (recurse = true) ;
X /usr/X11R6/man/man5 -> $(SEC_CRIT) (recurse = true) ;
X /usr/X11R6/man/man6 -> $(SEC_CRIT) (recurse = true) ;
X /usr/X11R6/man/man7 -> $(SEC_CRIT) (recurse = true) ;
X /usr/X11R6/man/man8 -> $(SEC_CRIT) (recurse = true) ;
X /usr/X11R6/man/man9 -> $(SEC_CRIT) (recurse = true) ;
X /usr/X11R6/man/manl -> $(SEC_CRIT) (recurse = true) ;
X /usr/X11R6/man/mann -> $(SEC_CRIT) (recurse = true) ;
X ! /usr/X11R6/man/cat1 ;
X ! /usr/X11R6/man/cat2 ;
X ! /usr/X11R6/man/cat3 ;
X ! /usr/X11R6/man/cat4 ;
X ! /usr/X11R6/man/cat5 ;
X ! /usr/X11R6/man/cat6 ;
X ! /usr/X11R6/man/cat7 ;
X ! /usr/X11R6/man/cat8 ;
X ! /usr/X11R6/man/cat9 ;
X ! /usr/X11R6/man/catl ;
X ! /usr/X11R6/man/catn ;
X}
X
X
X ###########
X # ##
X########### #
X# # #
X# sources # #
X# ##
X###########
X
X(
X rulename = "Sources",
X severity = $(SIG_HI)
X)
X{
X /usr/src -> $(SEC_CRIT) (recurse = true) ;
X /usr/src/sys/compile -> $(SEC_CONFIG) (recurse = false) ;
X}
X
X
X #######
X # ##
X####### #
X# # #
X# NIS # #
X# ##
X#######
X
X(
X rulename = "NIS",
X severity = $(SIG_HI)
X)
X{
X /var/yp -> $(SEC_CRIT) (recurse = true) ;
X !/var/yp/binding ;
X}
X
X
X #########################
X # ##
X######################### #
X# # #
X# Temporary directories # #
X# ##
X#########################
X(
X rulename = "Temporary directories",
X recurse = false,
X severity = $(SIG_LOW)
X)
X{
X /usr/tmp -> $(SEC_INVARIANT) ;
X /var/tmp -> $(SEC_INVARIANT) ;
X /var/preserve -> $(SEC_INVARIANT) ;
X /tmp -> $(SEC_INVARIANT) ;
X}
X
X ###############
X # ##
X############### #
X# # #
X# Local files # #
X# ##
X###############
X
X(
X rulename = "Local files",
X severity = $(SIG_MED)
X)
X{
X /usr/local/bin -> $(SEC_BIN) (recurse = true) ;
X /usr/local/sbin -> $(SEC_BIN) (recurse = true) ;
X /usr/local/etc -> $(SEC_BIN) (recurse = true) ;
X /usr/local/lib -> $(SEC_BIN) (recurse = true ) ;
X /usr/local/libexec -> $(SEC_BIN) (recurse = true ) ;
X /usr/local/share -> $(SEC_BIN) (recurse = true ) ;
X /usr/local/man -> $(SEC_CONFIG) ;
X !/usr/local/man/whatis ;
X !/usr/local/man/.glimpse_filenames ;
X !/usr/local/man/.glimpse_filenames_index ;
X !/usr/local/man/.glimpse_filetimes ;
X !/usr/local/man/.glimpse_filters ;
X !/usr/local/man/.glimpse_index ;
X !/usr/local/man/.glimpse_messages ;
X !/usr/local/man/.glimpse_partitions ;
X !/usr/local/man/.glimpse_statistics ;
X !/usr/local/man/.glimpse_turbo ;
X /usr/local/man/man1 -> $(SEC_CRIT) (recurse = true) ;
X /usr/local/man/man2 -> $(SEC_CRIT) (recurse = true) ;
X /usr/local/man/man3 -> $(SEC_CRIT) (recurse = true) ;
X /usr/local/man/man4 -> $(SEC_CRIT) (recurse = true) ;
X /usr/local/man/man5 -> $(SEC_CRIT) (recurse = true) ;
X /usr/local/man/man6 -> $(SEC_CRIT) (recurse = true) ;
X /usr/local/man/man7 -> $(SEC_CRIT) (recurse = true) ;
X /usr/local/man/man8 -> $(SEC_CRIT) (recurse = true) ;
X /usr/local/man/man9 -> $(SEC_CRIT) (recurse = true) ;
X /usr/local/man/manl -> $(SEC_CRIT) (recurse = true) ;
X /usr/local/man/mann -> $(SEC_CRIT) (recurse = true) ;
X ! /usr/local/man/cat1 ;
X ! /usr/local/man/cat2 ;
X ! /usr/local/man/cat3 ;
X ! /usr/local/man/cat4 ;
X ! /usr/local/man/cat5 ;
X ! /usr/local/man/cat6 ;
X ! /usr/local/man/cat7 ;
X ! /usr/local/man/cat8 ;
X ! /usr/local/man/cat9 ;
X ! /usr/local/man/catl ;
X ! /usr/local/man/catn ;
X /usr/local/krb5 -> $(SEC_CRIT) (recurse = true) ;
X /usr/local/krb5/man -> $(SEC_CONFIG) ;
X !/usr/local/krb5/man/whatis ;
X !/usr/local/krb5/man/.glimpse_filenames ;
X !/usr/local/krb5/man/.glimpse_filenames_index ;
X !/usr/local/krb5/man/.glimpse_filetimes ;
X !/usr/local/krb5/man/.glimpse_filters ;
X !/usr/local/krb5/man/.glimpse_index ;
X !/usr/local/krb5/man/.glimpse_messages ;
X !/usr/local/krb5/man/.glimpse_partitions ;
X !/usr/local/krb5/man/.glimpse_statistics ;
X !/usr/local/krb5/man/.glimpse_turbo ;
X /usr/local/krb5/man/man1 -> $(SEC_CRIT) (recurse = true) ;
X /usr/local/krb5/man/man2 -> $(SEC_CRIT) (recurse = true) ;
X /usr/local/krb5/man/man3 -> $(SEC_CRIT) (recurse = true) ;
X /usr/local/krb5/man/man4 -> $(SEC_CRIT) (recurse = true) ;
X /usr/local/krb5/man/man5 -> $(SEC_CRIT) (recurse = true) ;
X /usr/local/krb5/man/man6 -> $(SEC_CRIT) (recurse = true) ;
X /usr/local/krb5/man/man7 -> $(SEC_CRIT) (recurse = true) ;
X /usr/local/krb5/man/man8 -> $(SEC_CRIT) (recurse = true) ;
X /usr/local/krb5/man/man9 -> $(SEC_CRIT) (recurse = true) ;
X /usr/local/krb5/man/manl -> $(SEC_CRIT) (recurse = true) ;
X /usr/local/krb5/man/mann -> $(SEC_CRIT) (recurse = true) ;
X ! /usr/local/krb5/man/cat1 ;
X ! /usr/local/krb5/man/cat2 ;
X ! /usr/local/krb5/man/cat3 ;
X ! /usr/local/krb5/man/cat4 ;
X ! /usr/local/krb5/man/cat5 ;
X ! /usr/local/krb5/man/cat6 ;
X ! /usr/local/krb5/man/cat7 ;
X ! /usr/local/krb5/man/cat8 ;
X ! /usr/local/krb5/man/cat9 ;
X ! /usr/local/krb5/man/catl ;
X ! /usr/local/krb5/man/catn ;
X /usr/local/www -> $(SEC_CONFIG) (recurse = true) ;
X}
X
X
X(
X rulename = "Security Control",
X severity = $(SIG_HI)
X)
X{
X /etc/group -> $(SEC_CRIT) ;
X /etc/security/ -> $(SEC_CRIT) ;
X /etc/crontab -> $(SEC_CRIT) ;
X}
X
X#=============================================================================
X#
X# Copyright 2000 Tripwire, Inc. Tripwire is a registered trademark of Tripwire,
X# Inc. in the United States and other countries. All rights reserved.
X#
X# FreeBSD is a registered trademark of the FreeBSD Project Inc.
X#
X# UNIX is a registered trademark of The Open Group.
X#
X#=============================================================================
X#
X# Permission is granted to make and distribute verbatim copies of this document
X# provided the copyright notice and this permission notice are preserved on all
X# copies.
X#
X# Permission is granted to copy and distribute modified versions of this
X# document under the conditions for verbatim copying, provided that the entire
X# resulting derived work is distributed under the terms of a permission notice
X# identical to this one.
X#
X# Permission is granted to copy and distribute translations of this document
X# into another language, under the above conditions for modified versions,
X# except that this permission notice may be stated in a translation approved by
X# Tripwire, Inc.
X#
X# DCM
END-of-tripwire-231/files/twpol.txt
echo x - tripwire-231/files/patch-ad
sed 's/^X//' >tripwire-231/files/patch-ad << 'END-of-tripwire-231/files/patch-ad'
X--- install/install.sh.orig Fri Oct 27 17:26:26 2000
X+++ install/install.sh Tue Jul 10 22:02:02 2001
X@@ -257,7 +257,7 @@
X else
X unamHW=`uname -p`
X fi
X- if (echo "$unamOS" | $GREP -i "Linux" > /dev/null); then
X+ if (echo "$unamOS" | $GREP -i "FreeBSD" > /dev/null); then
X osokay=1
X fi
X if [ "$osokay" -eq 0 ] ; then
X@@ -488,7 +488,7 @@
X BASE_DIR=`echo $0 | sed s/$BASE_DIR\$//`
X if [ ! -z "$BASE_DIR" ] ; then
X TAR_DIR="${BASE_DIR}"
X- BIN_DIR="${BASE_DIR}bin/i686-pc-linux_r"
X+ BIN_DIR="${BASE_DIR}bin/i386-unknown-freebsd_r"
X else
X TAR_DIR="${BASE_DIR}"
X fi
X@@ -621,12 +621,12 @@
X f1=' ff=$README ; d="" ; dd=$TWDOCS ; rr=0444 '
X f2=' ff=$REL_NOTES ; d="" ; dd=$TWDOCS ; rr=0444 '
X f3=' ff=$TWLICENSEFILE ; d="" ; dd=$TWDOCS ; rr=0444 '
X-f4=' ff=tripwire ; d="/bin/i686-pc-linux_r" ; dd=$TWBIN ; rr=0550 '
X-f5=' ff=twadmin ; d="/bin/i686-pc-linux_r" ; dd=$TWBIN ; rr=0550 '
X-f6=' ff=twprint ; d="/bin/i686-pc-linux_r" ; dd=$TWBIN ; rr=0550 '
X-f7=' ff=siggen ; d="/bin/i686-pc-linux_r" ; dd=$TWBIN ; rr=0550 '
X+f4=' ff=tripwire ; d="/bin/i386-unknown-freebsd_r" ; dd=$TWBIN ; rr=0550 '
X+f5=' ff=twadmin ; d="/bin/i386-unknown-freebsd_r" ; dd=$TWBIN ; rr=0550 '
X+f6=' ff=twprint ; d="/bin/i386-unknown-freebsd_r" ; dd=$TWBIN ; rr=0550 '
X+f7=' ff=siggen ; d="/bin/i386-unknown-freebsd_r" ; dd=$TWBIN ; rr=0550 '
X f8=' ff=TRADEMARK ; d="" ; dd=$TWDOCS ; rr=0444 '
X-f9=' ff=policyguide.txt ; d="" ; dd=$TWDOCS ; rr=0444 '
X+f9=' ff=policyguide.txt ; d="/policy/" ; dd=$TWDOCS ; rr=0444 '
X f10=' ff=twpol.txt ; d="/policy/" ; dd=$TWPOLICY ; rr=0640 '
X f11=' ff=twpolicy.4 ; d="/man/man4" ; dd=$TWMAN/man4 ; rr=0444 '
X f12=' ff=twconfig.4 ; d="/man/man4" ; dd=$TWMAN/man4 ; rr=0444 '
END-of-tripwire-231/files/patch-ad
echo x - tripwire-231/files/patch-aa
sed 's/^X//' >tripwire-231/files/patch-aa << 'END-of-tripwire-231/files/patch-aa'
X--- src/Makefile.orig Sat Mar 3 20:03:52 2001
X+++ src/Makefile Tue Mar 6 07:04:45 2001
X@@ -79,9 +79,9 @@
X # sparc-linux == Linux Sparc (not fully implemented)
X #
X
X-SYSPRE = i686-pc-linux
X+#SYSPRE = i686-pc-linux
X #SYSPRE = sparc-linux
X-#SYSPRE = i386-unknown-freebsd
X+SYSPRE = i386-unknown-freebsd
X #SYSPRE = i386-unknown-openbsd
X
X
END-of-tripwire-231/files/patch-aa
echo x - tripwire-231/files/patch-ba
sed 's/^X//' >tripwire-231/files/patch-ba << 'END-of-tripwire-231/files/patch-ba'
X--- src/core/unix/unixfsservices.cpp.orig Sat Feb 24 11:02:12 2001
X+++ src/core/unix/unixfsservices.cpp Tue Jul 10 21:40:37 2001
X@@ -243,6 +243,7 @@
X {
X char* pchTempFileName;
X char szTemplate[MAXPATHLEN];
X+ int fd;
X
X #ifdef _UNICODE
X // convert template from wide character to multi-byte string
X@@ -253,13 +254,14 @@
X strcpy( szTemplate, strName.c_str() );
X #endif
X
X- // create temp filename
X- pchTempFileName = mktemp( szTemplate );
X+ // create temp filename and check to see if mkstemp failed
X+ if ((fd = mkstemp( szTemplate )) == -1) {
X+ throw eFSServicesGeneric( strName );
X+ } else {
X+ close(fd);
X+ }
X+ pchTempFileName = szTemplate;
X
X- //check to see if mktemp failed
X- if ( pchTempFileName == NULL || strlen(pchTempFileName) == 0) {
X- throw eFSServicesGeneric( strName );
X- }
X
X // change name so that it has the XXXXXX part filled in
X #ifdef _UNICODE
END-of-tripwire-231/files/patch-ba
echo x - tripwire-231/files/patch-mailmessage
sed 's/^X//' >tripwire-231/files/patch-mailmessage << 'END-of-tripwire-231/files/patch-mailmessage'
X--- src/tripwire/mailmessage.cpp.orig Thu Jul 5 05:16:34 2001
X+++ src/tripwire/mailmessage.cpp Thu Jul 5 05:16:47 2001
X@@ -241,7 +241,7 @@
X time_t current_time = time(NULL);
X tm = localtime ( ¤t_time );
X
X- const TCHAR* szFormat = _T("%a %d %b %Y %H:%M:%S %z");
X+ const TCHAR* szFormat = _T("%a, %d %b %Y %H:%M:%S %z");
X
X size_t numChars = _tcsftime( szDate, countof( szDate ), szFormat, tm );
X
END-of-tripwire-231/files/patch-mailmessage
echo x - tripwire-231/files/patch-open
sed 's/^X//' >tripwire-231/files/patch-open << 'END-of-tripwire-231/files/patch-open'
X--- src/core/unix/file_unix.cpp Sat Oct 28 04:15:21 2000
X+++ src/core/unix/file_unix.cpp Wed Jun 13 09:29:07 2001
X@@ -155,10 +155,15 @@
X if( flags & OPEN_CREATE )
X perm |= O_CREAT;
X
X+ mode_t openmode = 0664;
X+ if ( flags & OPEN_EXCLUSIVE ) {
X+ perm |= O_CREAT | O_EXCL;
X+ openmode = (mode_t) 0600; // Make sure only root can read the file
X+ }
X //
X // actually open the file
X //
X- int fh = _topen( sFileName.c_str(), perm, 0664 );
X+ int fh = _topen( sFileName.c_str(), perm, openmode );
X if( fh == -1 )
X {
X throw( eFileOpen( sFileName, iFSServices::GetInstance()->GetErrString() ) );
X--- src/core/file.h Sat Oct 28 04:15:20 2000
X+++ src/core/file.h Wed Jun 13 09:07:20 2001
X@@ -96,7 +96,8 @@
X OPEN_LOCKED_TEMP = 0x00000004, // the file should not be readable by other processes and should be removed when closed
X OPEN_TRUNCATE = 0x00000008, // opens an empty file. creates it if it doesn't exist. Doesn't make much sense without OF_WRITE
X OPEN_CREATE = 0x00000010, // create the file if it doesn't exist; this is implicit if OF_TRUNCATE is set
X- OPEN_TEXT = 0x00000020
X+ OPEN_TEXT = 0x00000020,
X+ OPEN_EXCLUSIVE = 0x0000040 // Use O_CREAT | O_EXCL
X };
X
X //Ctor, Dtor, CpyCtor, Operator=:
X--- src/core/archive.cpp Sat Feb 24 21:02:12 2001
X+++ src/core/archive.cpp Wed Jun 13 09:15:25 2001
X@@ -896,8 +896,9 @@
X // create file
X
X // set up flags
X- uint32 flags = cFile::OPEN_WRITE | cFile::OPEN_LOCKED_TEMP | cFile::OPEN_CREATE;
X- if ( openFlags & FA_OPEN_TRUNCATE )
X+ uint32 flags = cFile::OPEN_WRITE | cFile::OPEN_LOCKED_TEMP | cFile::OPEN_CREATE | cFile::OPEN_EXCLUSIVE;
X+
X+ if ( openFlags & FA_OPEN_TRUNCATE )
X flags |= cFile::OPEN_TRUNCATE;
X if ( openFlags & FA_OPEN_TEXT )
X flags |= cFile::OPEN_TEXT;
END-of-tripwire-231/files/patch-open
echo x - tripwire-231/distinfo
sed 's/^X//' >tripwire-231/distinfo << 'END-of-tripwire-231/distinfo'
XMD5 (tripwire-2.3.1-2.tar.gz) = 6a15fe110565cef9ed33c1c7e070355e
END-of-tripwire-231/distinfo
echo x - tripwire-231/pkg-comment
sed 's/^X//' >tripwire-231/pkg-comment << 'END-of-tripwire-231/pkg-comment'
XFile system security and verification program
END-of-tripwire-231/pkg-comment
echo x - tripwire-231/pkg-descr
sed 's/^X//' >tripwire-231/pkg-descr << 'END-of-tripwire-231/pkg-descr'
XTripwire is a tool that aids system administrators and
Xusers in monitoring a designated set of files for any changes.
XUsed with system files on a regular (e.g., daily) basis, Tripwire
Xcan notify system administrators of corrupted or tampered files,
Xso damage control measures can be taken in a timely manner.
X
XIf "TRIPWIRE_FLOPPY" is set to "YES" in the environment or on the
X"make" command line, this port will write the tripwire database to
Xa floppy disk, which should then be write-protected and used as a
Xreference for future runs. The diskette should be formatted and
Xpresent in the "A" drive before starting the "make install" step.
X
XJoe Greco <jgreco@ns.sol.net>
END-of-tripwire-231/pkg-descr
echo x - tripwire-231/pkg-plist
sed 's/^X//' >tripwire-231/pkg-plist << 'END-of-tripwire-231/pkg-plist'
Xsbin/tripwire
Xsbin/twadmin
Xsbin/twprint
Xsbin/siggen
Xshare/doc/tripwire/README
Xshare/doc/tripwire/Release_Notes
Xshare/doc/tripwire/COPYING
Xshare/doc/tripwire/TRADEMARK
Xshare/doc/tripwire/policyguide.txt
X@dirrm share/doc/tripwire
X@unexec echo If permanently deleting this package, /var/adm/tripwire/etc must be removed manually
END-of-tripwire-231/pkg-plist
echo x - tripwire-231/Makefile
sed 's/^X//' >tripwire-231/Makefile << 'END-of-tripwire-231/Makefile'
X# New ports collection makefile for: tripwire 2.3.1
X# Date created: Tue Mar 6 06:57:58 PST 2001
X# Whom: Cy Schubert <Cy.Schubert@osg.gov.bc.ca>
X#
X# $FreeBSD: ports/security/tripwire-231/Makefile,v 1.1 2001/01/16 17:32:22 cschuber Exp $
X#
X
XPORTNAME= tripwire
XPORTVERSION= 2.3.1-2
XCATEGORIES= security
XMASTER_SITES= http://download.sourceforge.net/tripwire/
XDISTNAME= tripwire-${PORTVERSION}
X
XMAINTAINER= Cy.Schubert@osg.gov.bc.ca
X
XMAN4= twconfig.4 twpolicy.4
XMAN5= twfiles.5
XMAN8= siggen.8 tripwire.8 twadmin.8 twintro.8 twprint.8
XNO_PACKAGE= "requires local database to be built"
XRESTRICTED= "contains crypto class algorithms"
XWRKSRC= ${WRKDIR}/${DISTNAME}
XBUILD_WRKSRC= ${WRKSRC}/src
XUSE_GMAKE= yes
XALL_TARGET= release
X
X.include <bsd.port.pre.mk>
X
Xpre-configure:
X @ ${CP} ${FILESDIR}/twpol.txt ${WRKSRC}/policy/twpol.txt
X
Xdo-install:
X.if ( defined(TRIPWIRE_CLOBBER) && ${TRIPWIRE_CLOBBER} == "YES" ) || \
X ( defined(TRIPWIRE_CLOBBER) && ${TRIPWIRE_CLOBBER} == "yes" ) || \
X ( defined(FORCE_PKG_REGISTER) && ${FORCE_PKG_REGISTER} == "YES" ) || \
X ( defined(FORCE_PKG_REGISTER) && ${FORCE_PKG_REGISTER} == "yes" )
X @ cd ${WRKSRC} && PREFIX=${PREFIX} ./install.sh -f
X.else
X @ cd ${WRKSRC} && PREFIX=${PREFIX} ./install.sh
X.endif
X
Xpre-install:
X @ cd ${WRKSRC} && ${LN} -sf install/install.cfg install/install.sh .
X
Xpost-install:
X @ ${MKDIR} -p /var/adm/tripwire
X @ ${ECHO} Creating tripwire database
X @ (cd /var/adm/tcheck; ${PREFIX}/sbin/tripwire --init)
X.if defined(TRIPWIRE_FLOPPY) && ${TRIPWIRE_FLOPPY} == YES
X @ disklabel -w -B /dev/rfd0c fd1440
X @ newfs -u 0 -t 0 -i 196608 -m 0 -T minimum -o space /dev/rfd0c
X @ mount /dev/fd0c /mnt
X @ ${GZIP_CMD} < ${PREFIX}/sbin/tripwire > /mnt/tripwire
X @ ${CP} -p /var/adm/tcheck/tw.config /mnt/tw.config
X @ ${GZIP_CMD} < /var/adm/tcheck/databases/tw.db_`hostname` \
X > /mnt/tw.db_`hostname`.gz
X @ ${CP} -p ${FILESDIR}/twcheck /mnt/twcheck
X @ ${GZIP_CMD} < /usr/bin/gunzip > /mnt/gunzip
X @ ${CHMOD} 555 /mnt/tripwire /mnt/gunzip /mnt/twcheck
X @ umount /mnt
X @ ${ECHO} Do not forget to remove and write-protect the floppy.
X.endif
X
X.include <bsd.port.post.mk>
END-of-tripwire-231/Makefile
exit
>How-To-Repeat:
N/A
>Fix:
N/A
>Release-Note:
>Audit-Trail:
>Unformatted:
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ports" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200107220510.f6M5AVU84580>