Gentoo Forums
Gentoo-oriented tripwire policy generator
Forum: Portage & Programming
cboldt (Veteran, joined 24 Aug 2005, 1046 posts)
Posted: Sun Nov 07, 2010 9:48 pm    Post subject: Gentoo-oriented tripwire policy generator

Anybody who has gone through the installation of tripwire, or who is contemplating doing so, may benefit from the bash script posted to BugZilla as an "enhancement." ...

https://bugs.gentoo.org/show_bug.cgi?id=344577
cboldt (Veteran, joined 24 Aug 2005, 1046 posts)
Posted: Mon Nov 22, 2010 2:34 am

Revised script has been posted at BugZilla. I assume all aspects of the script will benefit from further attention (there are probably bugs); but quite a few of the rules have been rationalized; using `qlist` makes the operation much faster, compared with `equery`; and the operation is convenient enough for me to entertain running tripwire on frequently-updated systems.
gw (Apprentice, joined 03 Dec 2006, 215 posts)
Posted: Fri Jul 22, 2011 4:26 pm

cboldt wrote:
Revised script has been posted at BugZilla. I assume all aspects of the script will benefit from further attention (there are probably bugs); but quite a few of the rules have been rationalized; using `qlist` makes the operation much faster, compared with `equery`; and the operation is convenient enough for me to entertain running tripwire on frequently-updated systems.

Hi,

I found your script quite useful and I'd like to thank you for your work on it.
One thing, though, I do not understand is the following: the script seems to check for single files and does not use recursive rules, like: everything under /bin, /sbin etc. should be READONLY.
How do I then add new programs for your script to add rules for?
E.g. I have btrfs, btrfs-progs, hostapd and hostap-utils installed, but they do not appear in the policy file generated by your script.
How can I add them?
Thanks for your help.

gw
cboldt (Veteran, joined 24 Aug 2005, 1046 posts)
Posted: Sun Sep 04, 2011 11:24 am

Quote:
One thing though I do not understand is the following: the script seems to check for single files and does not use recursive rules, like: everything under /bin /sbin etc. should be READONLY.
How do I then add new programs for your script to add rules for?
E.g. I have btrfs, btrfs-progs, hostapd and hostap-utils installed, but they do not appear in the policy file generated by your script.
How can I add them?


Everything in /bin /lib /sbin /usr/sbin and /usr/local/sbin is flagged Readonly by Rulename[25], and those directories are checked recursively. Your files are covered.

But, I could and probably should add the btrfs and hostap packages, so any changes in those programs are reported on a line (other than RULENAME[25]='OS Bin and Lib Directories') in the tripwire reports.

To add a package to a particular rule, just add the packagename to whatever Rulename[] / Packages[] you desire.

For example, I'd probably put hostap and hostap-utils under
RULENAME[5]='Network - Setup/Services'

and put btrfs and btrfs-progs under
RULENAME[8]='Filesystem Programs'

When a package is listed under a RULENAME, some of the installed files will be listed individually - if I recall correctly, just the executables and config files. The script checks to see if a package is installed, so one can add package names without regard to what packages are actually installed. The script is generic, but produces custom output based on the packages installed on any given system.

Sorry about the delay in reply. Obviously, I don't check the forum often!
cboldt (Veteran, joined 24 Aug 2005, 1046 posts)
Posted: Sun Sep 04, 2011 11:44 am

Quote:
I have btrfs, btrfs-progs, hostapd and hostap-utils installed, but they do not appear in the policy file generated by your script.
How can I add them?


I checked package names, and added the following so any tripwire warnings would appear as violations of the named rules:

RULENAME[5]='Network - Setup/Services'
hostap-driver hostap-utils hostapd

RULENAME[8]='Filesystem Programs'
btrfs-progs

I didn't see a package called "btrfs"

I've made a few other changes since last uploading a script to Bugzilla, on April 24, 2011.

# Added "Include Executables" command line switch
# Added some, corrected some, shuffled some package names
# Added references to OpenSUSE's `zypper` package manager
# Terse progress report appears on STDERR unless -q switch is invoked
# 110501 Rearranged Property Mask Aliases part of hardcoded header
# 110522 Grouped "Boot, Kernel and Init" and added material for openrc

Keep in mind that there are generic catch-all-else rules:

RULENAME[25]='OS Bin and Lib Directories'
FILELIST[25]='/bin /lib /sbin /usr/sbin /usr/local/sbin'

RULENAME[26]='User Bin and Lib Directories'
FILELIST[26]="/usr/bin /usr/local/bin /usr/local/games /usr/local/lib"
cboldt (Veteran, joined 24 Aug 2005, 1046 posts)
Posted: Sun Sep 04, 2011 5:36 pm

Quote:
How do I then add new programs for your script to add rules for?
E.g. I have btrfs, btrfs-progs, hostapd and hostap-utils installed, but they do not appear in the policy file generated by your script.
How can I add them?


One other point crossed my mind, and that is that you can make your own rules, either as "additional" to the categories that the script assigns, or as a complete set of substitute rules. The additions and/or substitution can be done via a config file.

Code:

# ==============================================
# Example mktwpol.cfg configuration file entries
# ==============================================

# Augment contents of an existing RULENAME

# KEEP_DEFAULT_RULES          # Effect of this should be clear

# COMMENTS_3[26]='Alarm on access time modification'
# FILELIST_3[26]='/usr/lib/xorg /usr/lib/X11'
# SEC_MOD_3[26]=' +a'

# Append two new rules, using the "next" rule-numbers

# let NEXT=${#RULENAME[@]}
# RULENAME[${NEXT}]="First added rule"
# PACKAGES[${NEXT}]="dummy1 dummy2 dummy3"
# COMMENTS[${NEXT}]="Comments for first added FILELIST"
# FILELIST[${NEXT}]="/home/klixde/bin"

# let NEXT=${#RULENAME[@]}
# RULENAME[${NEXT}]="Second added rule"
# PACKAGES[${NEXT}]="dummy4 dummy5 dummy6"
# FILELIST[${NEXT}]="/home/boris/docs"

# Define QUERY_DISTRO, QUERY_PACKAGE, and query_distro () subroutine
# Two example query_distro () subroutines are illustrated
#     - insertion of $package within QUERY_DISTRO command line
#     - text output of QUERY_DISTRO is viewed, returning errorlevel

# QUERY_DISTRO='nifty-packman --query installed-packages'
# QUERY_PACKAGES='nifty-packman --report-package-contents'

# query_distro () { $QUERY_DISTRO $package --silent ; }
# query_distro () { [[ "`$QUERY_DISTRO $package`" =~ "No Such Package" ]] && return 1 ; }

# Always run QUIET

# QUIET=Yes

# # Set the same EMAILTO[] for all RULENAMES

# for (( z = 0 ; z < ${#RULENAME[@]} ; z++ ))
# do EMAILTO[$z]="root@foo-bar.net" ; done

# # Set the same EMAILTO[] for selected RULENAMES

# for z in 3 5 7 8 12 23
# do EMAILTO[$z]="root@foo-bar.net" ; done

# # Use a pipeline in $FOLD to sort PACKAGES and FILELIST lists

# FOLD="tr '[:space:]' '\\n' | sort | tail -n +2 | fmt -u"
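The mechanism the September 4 posts describe (RULENAME[]/PACKAGES[] entries expanded into per-file rules for each package that is actually installed, FILELIST[] catch-all directories checked recursively, and an optional mktwpol.cfg-style file that augments the arrays), as an added bash example. This is not cboldt's mktwpol.sh. The package query falls back to constructed data unless USE_QLIST=yes so the script runs on a host without portage; the classification of package members by path (bin/sbin directories as executables, /etc as config), the fixed severity of 100, and the ownership check in load_config are assumptions made for the example; $(SEC_BIN) and $(SEC_CONFIG) are the mask aliases the stock Gentoo twpol.txt header defines.

```bash
#!/bin/bash
# Added example, not cboldt's mktwpol.sh: build tripwire policy rules from
# RULENAME[]/PACKAGES[]/FILELIST[] arrays. Only package members under a
# bin/sbin directory or /etc are listed ("executables and config files").

declare -a RULENAME PACKAGES FILELIST

RULENAME[5]='Network - Setup/Services'
PACKAGES[5]='hostap-driver hostap-utils hostapd'

RULENAME[8]='Filesystem Programs'
PACKAGES[8]='btrfs-progs'

RULENAME[25]='OS Bin and Lib Directories'
FILELIST[25]='/bin /lib /sbin /usr/sbin /usr/local/sbin'   # recursive catch-all

# Is the package installed? Real query: `qlist -I -C <pkg>`. The fallback is
# a constructed list of what is "installed" on the example host.
package_installed () {
    if [ "${USE_QLIST:-no}" = yes ]; then
        qlist -I -C "$1" | grep -q .
    else
        case "$1" in hostapd|btrfs-progs) return 0 ;; *) return 1 ;; esac
    fi
}

# Files owned by an installed package. Real query: `qlist -C <pkg>`. The
# fallback paths are constructed for the example.
package_files () {
    if [ "${USE_QLIST:-no}" = yes ]; then
        qlist -C "$1"
        return
    fi
    case "$1" in
        hostapd)     printf '%s\n' /usr/sbin/hostapd /usr/sbin/hostapd_cli \
                                   /etc/hostapd/hostapd.conf \
                                   /usr/share/doc/hostapd/README ;;
        btrfs-progs) printf '%s\n' /sbin/btrfs /sbin/mkfs.btrfs \
                                   /usr/lib/libbtrfs.so.0 ;;
    esac
}

# Print one tripwire rule block for index $1. Returns 1 when nothing in the
# rule applies to this host, so empty blocks never reach the policy.
emit_rule () {
    local i=$1 body
    body=$(
        for f in ${FILELIST[$i]}; do printf '  %s -> $(SEC_BIN) ;\n' "$f"; done
        for pkg in ${PACKAGES[$i]}; do
            package_installed "$pkg" || continue
            package_files "$pkg" | while read -r f; do
                case "$f" in
                    */bin/*|*/sbin/*) printf '  %s -> $(SEC_BIN) ;\n' "$f" ;;
                    /etc/*)           printf '  %s -> $(SEC_CONFIG) ;\n' "$f" ;;
                esac
            done
        done
    )
    [ -n "$body" ] || return 1
    printf '(\n  rulename = "%s",\n  severity = 100\n)\n{\n%s\n}\n' \
        "${RULENAME[$i]}" "$body"
}

# Source an optional config file that augments the arrays. The generator
# runs as root and the config is executed as bash, so a file someone else can
# write is a code-execution path: refuse anything not owned by the caller or
# writable by group/other (assumed policy for this example).
load_config () {
    local cfg=$1
    [ -e "$cfg" ] || return 0
    if ! [ -O "$cfg" ] || [ -n "$(find "$cfg" -perm -0002 -o -perm -0020)" ]; then
        echo "refusing to source $cfg: bad owner or writable by others" >&2
        return 2
    fi
    . "$cfg"
}

# Whole policy: the mask aliases, then every rule that produced a line.
generate_policy () {
    printf 'SEC_BIN    = $(ReadOnly) ;\nSEC_CONFIG = $(Dynamic) ;\n\n'
    local i
    for i in "${!RULENAME[@]}"; do emit_rule "$i" || true; done
    return 0
}

count_rules () { generate_policy | grep -c '^  rulename = '; }

if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    load_config "${MKTWPOL_CFG:-mktwpol.cfg}" && generate_policy
fi
```

Run it with USE_QLIST=yes on a Gentoo box and the two fallbacks are replaced by real `qlist -I -C` / `qlist -C` queries; the output is plain-text policy that `twadmin --create-polfile` accepts once it is appended to the rest of the header. The ownership check in load_config is the caveat worth keeping whatever the generator: the config is sourced, not parsed, so its permissions are part of the policy's integrity.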
cboldt (Veteran, joined 24 Aug 2005, 1046 posts)
Posted: Wed Oct 16, 2013 11:50 am    Post subject: mktwpol.sh is now in a gentoo package

The script for generating plain-text tripwire policy has moved from a solution to a bug-report to a Gentoo package. mktwpol.sh (and a companion script to setup tripwire from scratch) is pulled in as a dependency to tripwire, on setting the "tools" USE flag.