1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
|
#!/bin/sh
########################################################################
########################################################################
##
## Tripwire(R) 2.3 for LINUX(R) Post-RPM installation script
##
## Copyleft information contained in footer
##
########################################################################
########################################################################
##=======================================================
## Setup
##=======================================================
# We can assume all the correct tools are in place because the
# RPM installed, didn't it?
##-------------------------------------------------------
## Set HOST_NAME variable
##-------------------------------------------------------
HOST_NAME='localhost'
if uname -n > /dev/null 2> /dev/null ; then
HOST_NAME=`uname -n`
fi
##-------------------------------------------------------
## Program variables - edited by RPM during initial install
##-------------------------------------------------------
# Site Passphrase variable
TW_SITE_PASS="tripwire"
# Complete path to site key
SITE_KEY="/etc/tripwire/site.key"
# Local Passphrase variable
TW_LOCAL_PASS="tripwire"
# Complete path to local key
LOCAL_KEY="/etc/tripwire/${HOST_NAME}-local.key"
# If clobber==true, overwrite files; if false, do not overwrite files.
CLOBBER="false"
# If prompt==true, ask for confirmation before continuing with install.
PROMPT="true"
# Name of twadmin executeable
TWADMIN="twadmin"
# Path to twadmin executeable
TWADMPATH=/usr/sbin
# Path to configuration directory
CONF_PATH="/etc/tripwire"
# Name of clear text policy file
TXT_POL=$CONF_PATH/twpol.txt
# Name of clear text configuration file
TXT_CFG=$CONF_PATH/twcfg.txt
# Name of encrypted configuration file
CONFIG_FILE=$CONF_PATH/tw.cfg
# Path of the final Tripwire policy file (signed)
SIGNED_POL=`grep POLFILE $TXT_CFG | sed -e 's/^.*=\(.*\)/\1/'`
##=======================================================
## Create Key Files
##=======================================================
##-------------------------------------------------------
## If user has to enter a passphrase, give some
## advice about what is appropriate.
##-------------------------------------------------------
if [ -z "$TW_SITE_PASS" ] || [ -z "$TW_LOCAL_PASS" ]; then
cat << END_OF_TEXT
----------------------------------------------
The Tripwire site and local passphrases are used to
sign a variety of files, such as the configuration,
policy, and database files.
Passphrases should be at least 8 characters in length
and contain both letters and numbers.
See the Tripwire manual for more information.
END_OF_TEXT
fi
##=======================================================
## Generate keys.
##=======================================================
echo
echo "----------------------------------------------"
echo "Creating key files..."
##-------------------------------------------------------
## Site key file.
##-------------------------------------------------------
# If clobber is true, and prompting is off (unattended operation)
# and the key file already exists, remove it. Otherwise twadmin
# will prompt with an "are you sure?" message.
if [ "$CLOBBER" = "true" ] && [ "$PROMPT" = "false" ] && [ -f "$SITE_KEY" ] ; then
rm -f "$SITE_KEY"
fi
if [ -f "$SITE_KEY" ] && [ "$CLOBBER" = "false" ] ; then
echo "The site key file \"$SITE_KEY\""
echo 'exists and will not be overwritten.'
else
cmdargs="--generate-keys --site-keyfile \"$SITE_KEY\""
if [ -n "$TW_SITE_PASS" ] ; then
cmdargs="$cmdargs --site-passphrase \"$TW_SITE_PASS\""
fi
eval "\"$TWADMPATH/$TWADMIN\" $cmdargs"
if [ $? -ne 0 ] ; then
echo "Error: site key generation failed"
exit 1
else chmod 640 "$SITE_KEY"
fi
fi
##-------------------------------------------------------
## Local key file.
##-------------------------------------------------------
# If clobber is true, and prompting is off (unattended operation)
# and the key file already exists, remove it. Otherwise twadmin
# will prompt with an "are you sure?" message.
if [ "$CLOBBER" = "true" ] && [ "$PROMPT" = "false" ] && [ -f "$LOCAL_KEY" ] ; then
rm -f "$LOCAL_KEY"
fi
if [ -f "$LOCAL_KEY" ] && [ "$CLOBBER" = "false" ] ; then
echo "The site key file \"$LOCAL_KEY\""
echo 'exists and will not be overwritten.'
else
cmdargs="--generate-keys --local-keyfile \"$LOCAL_KEY\""
if [ -n "$TW_LOCAL_PASS" ] ; then
cmdargs="$cmdargs --local-passphrase \"$TW_LOCAL_PASS\""
fi
eval "\"$TWADMPATH/$TWADMIN\" $cmdargs"
if [ $? -ne 0 ] ; then
echo "Error: local key generation failed"
exit 1
else chmod 640 "$LOCAL_KEY"
fi
fi
##=======================================================
## Sign the Configuration File
##=======================================================
echo
echo "----------------------------------------------"
echo "Signing configuration file..."
##-------------------------------------------------------
## If noclobber, then backup any existing config file.
##-------------------------------------------------------
if [ "$CLOBBER" = "false" ] && [ -s "$CONFIG_FILE" ] ; then
backup="${CONFIG_FILE}.$$.bak"
echo "Backing up $CONFIG_FILE"
echo " to $backup"
`mv "$CONFIG_FILE" "$backup"`
if [ $? -ne 0 ] ; then
echo "Error: backup of configuration file failed."
exit 1
fi
fi
##-------------------------------------------------------
## Build command line.
##-------------------------------------------------------
cmdargs="--create-cfgfile"
cmdargs="$cmdargs --cfgfile \"$CONFIG_FILE\""
cmdargs="$cmdargs --site-keyfile \"$SITE_KEY\""
if [ -n "$TW_SITE_PASS" ] ; then
cmdargs="$cmdargs --site-passphrase \"$TW_SITE_PASS\""
fi
##-------------------------------------------------------
## Sign the file.
##-------------------------------------------------------
eval "\"$TWADMPATH/$TWADMIN\" $cmdargs \"$TXT_CFG\""
if [ $? -ne 0 ] ; then
echo "Error: signing of configuration file failed."
exit 1
fi
# Set the rights properly
chmod 640 "$CONFIG_FILE"
##-------------------------------------------------------
## We keep the cleartext version around.
##-------------------------------------------------------
cat << END_OF_TEXT
A clear-text version of the Tripwire configuration file
$TXT_CFG
has been preserved for your inspection. It is recommended
that you delete this file manually after you have examined it.
END_OF_TEXT
##=======================================================
## Sign tripwire policy file.
##=======================================================
echo
echo "----------------------------------------------"
echo "Signing policy file..."
##-------------------------------------------------------
## If noclobber, then backup any existing policy file.
##-------------------------------------------------------
if [ "$CLOBBER" = "false" ] && [ -s "$POLICY_FILE" ] ; then
backup="${POLICY_FILE}.$$.bak"
echo "Backing up $POLICY_FILE"
echo " to $backup"
mv "$POLICY_FILE" "$backup"
if [ $? -ne 0 ] ; then
echo "Error: backup of policy file failed."
exit 1
fi
fi
##-------------------------------------------------------
## Build command line.
##-------------------------------------------------------
cmdargs="--create-polfile"
cmdargs="$cmdargs --cfgfile \"$CONFIG_FILE\""
cmdargs="$cmdargs --site-keyfile \"$SITE_KEY\""
if [ -n "$TW_SITE_PASS" ] ; then
cmdargs="$cmdargs --site-passphrase \"$TW_SITE_PASS\""
fi
##-------------------------------------------------------
## Sign the file.
##-------------------------------------------------------
eval "\"$TWADMPATH/$TWADMIN\" $cmdargs \"$TXT_POL\""
if [ $? -ne 0 ] ; then
echo "Error: signing of policy file failed."
exit 1
fi
# Set the proper rights on the newly signed policy file.
chmod 0640 "$SIGNED_POL"
##-------------------------------------------------------
## We keep the cleartext version around.
##-------------------------------------------------------
cat << END_OF_TEXT
A clear-text version of the Tripwire policy file
$TXT_POL
has been preserved for your inspection. This implements
a minimal policy, intended only to test essential
Tripwire functionality. You should edit the policy file
to describe your system, and then use twadmin to generate
a new signed copy of the Tripwire policy.
END_OF_TEXT
# Initialize tripwire database
/usr/sbin/tripwire --init --cfgfile $CONFIG_FILE --site-keyfile $SITE_KEY \
--local-passphrase $TW_LOCAL_PASS 2> /dev/null
########################################################################
########################################################################
#
# TRIPWIRE GPL NOTICES
#
# The developer of the original code and/or files is Tripwire, Inc.
# Portions created by Tripwire, Inc. are copyright 2000 Tripwire, Inc.
# Tripwire is a registered trademark of Tripwire, Inc. All rights reserved.
#
# This program is free software. The contents of this file are subject to
# the terms of the GNU General Public License as published by the Free
# Software Foundation; either version 2 of the License, or (at your option)
# any later version. You may redistribute it and/or modify it only in
# compliance with the GNU General Public License.
#
# This program is distributed in the hope that it will be useful. However,
# this program is distributed "AS-IS" WITHOUT ANY WARRANTY; INCLUDING THE
# IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
# Please see the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
#
# Nothing in the GNU General Public License or any other license to use the
# code or files shall permit you to use Tripwire's trademarks,
# service marks, or other intellectual property without Tripwire's
# prior written consent.
#
# If you have any questions, please contact Tripwire, Inc. at either
# info@tripwire.org or www.tripwire.org.
#
########################################################################
########################################################################
|
